Read password from PassFile when connecting.

[m000]

Use PassFile to retrieve a password when one is not retrieved by other means. The PassFile setting was already passed to connect() but was never read.

Summary by CodeRabbit

• Bug Fixes
  • Credential resolution flow updated: passfile from the manager is always considered and local passfile input no longer forces early fallback; external password executor is used only when no credentials or passfile are present.
  • Added a warning when a provided passfile differs from the manager's passfile.
  • PassFile reading now reports explicit I/O or encoding failures with a localized error message.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 53fafc75-0da7-4842-bd54-ffc5136b3aba

📥 Commits

Reviewing files that changed from the base of the PR and between 7c9be2d and c1ffe0d.

📒 Files selected for processing (1)

• web/pgadmin/utils/driver/psycopg3/connection.py

---

Walkthrough

Reordered credential fallback in psycopg3 connection: passfile is no longer extracted early; manager-provided passfile is always retrieved later, manager.passexec is consulted for password only when password, encpass, and passfile are all unset, and a warning is logged if kwarg and manager passfile differ.

Changes

Cohort / File(s)

Summary

Psycopg3 connection logic web/pgadmin/utils/driver/psycopg3/connection.py

Removed early extraction of passfile from kwargs and unused copy import; always retrieve manager.get_connection_param_value('passfile') as a fallback; only use manager.passexec.get() when password, encpass, and passfile are all unset and manager.passexec exists; log a warning if the passfile kwarg and manager-provided passfile differ; adjusted control flow so kwarg passfile no longer participates in the earlier decryption fallback.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'Read password from PassFile when connecting' directly matches the main objective of the PR, which is to add logic for reading passwords from PassFile settings during connection establishment.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@web/pgadmin/utils/driver/psycopg3/connection.py`:
- Around line 317-320: The current logic creates a Path for kwargs['passfile']
and calls passfile.read_text() without validating that the value is non-empty
and points to a regular readable file; update the code around the passfile
handling so that if kwargs['passfile'] is an empty string it is treated as None,
then verify passfile.exists() and passfile.is_file() before calling
passfile.read_text(), and wrap the read_text() call in a try/except that catches
IsADirectoryError, FileNotFoundError, PermissionError, and UnicodeDecodeError
(and convert or re-raise them as a clear connection error or log appropriately)
so that reading failures do not propagate uncaught from the code that sets the
password variable.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 340f95c2-cfcc-42e7-a15f-f262c72b2620

📥 Commits

Reviewing files that changed from the base of the PR and between d8a078a and 98234b0.

📒 Files selected for processing (1)

• web/pgadmin/utils/driver/psycopg3/connection.py

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@web/pgadmin/utils/driver/psycopg3/connection.py`:
- Around line 316-317: The code constructs Path(kwargs['passfile']) whenever the
'passfile' key exists, which raises TypeError if its value is None; change the
guard so you only call Path(...) when the retrieved value is not None/empty
(e.g., use val = kwargs.get('passfile') and then passfile = Path(val) only if
val is truthy), ensuring the variable passfile remains None otherwise so
downstream exception handling around connect() or the passfile logic can run
safely.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: a364471d-0bf2-4720-9580-b8a79cbfc2c3

📥 Commits

Reviewing files that changed from the base of the PR and between 50a03d5 and 7c9be2d.

📒 Files selected for processing (1)

• web/pgadmin/utils/driver/psycopg3/connection.py

[adityatoshniwal]

passfile is read by psycopg driver. We just need to pass the args in connection.

[m000]

You're right! It turns out that passfile is indeed passed to psycopg. What was confusing is that psycopg won't emit any warnings if the format is invalid. In my case it was a docker secret containing only the password, which of course failed (silently).

So I guess that the initially proposed changes are not needed.

But the logic built around passfile in connect() was still funny: A potential passfile kwarg is used for a check, but then the connection is created by whatever passfile is picked up internally by ServerManager, ignoring the kwarg.

I tried to clean up the logic, so that the value used by ServerManager is also used for the checks in connect(), and warn if a kwarg is supplied and is different than that. (This probably won't happen with the current code AFAICT, but updates may change that.)

Let me know what you think and, if the changes look ok, whether I should update the description of this PR or close it and create a new one.