Use ServerManager's passfile in connect() credential gate.

[m000]

Checking for a passfile is done by using the value returned by the ServerManager, which will also be used when constructing the connection string.

The ServerManager supplied passfile is preferred over (a) any specified passexec, (b) any passfile kwarg passed to Connection::connect(). This is probably the desired behaviour, but it is still different from the previous version. For this, warnings are emitted when:

• passexec has been specified but is ignored in favor of the ServerManager passfile,
• a passfile kwarg is supplied to Connection::connect() but is ignored in favor of the ServerManager passfile.

Use PassFile to retrieve a password when one is not retrieved by other means. The PassFile setting was already passed to connect() but was never read.

Summary by CodeRabbit

• Bug Fixes
  • Credential resolution flow updated: passfile from the manager is always considered and local passfile input no longer forces early fallback; external password executor is used only when no credentials or passfile are present.
  • Added a warning when a provided passfile differs from the manager's passfile.
  • PassFile reading now reports explicit I/O or encoding failures with a localized error message.

[coderabbitai]

Walkthrough

Reordered credential fallback in psycopg3 connection: passfile is no longer extracted early; manager-provided passfile is always retrieved later, manager.passexec is consulted for password only when password, encpass, and passfile are all unset, and a warning is logged if kwarg and manager passfile differ.

Changes

Cohort / File(s)

Summary

Psycopg3 connection logic web/pgadmin/utils/driver/psycopg3/connection.py

Removed early extraction of passfile from kwargs and unused copy import; always retrieve manager.get_connection_param_value('passfile') as a fallback; only use manager.passexec.get() when password, encpass, and passfile are all unset and manager.passexec exists; log a warning if the passfile kwarg and manager-provided passfile differ; adjusted control flow so kwarg passfile no longer participates in the earlier decryption fallback.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'Use ServerManager's passfile in connect() credential gate' accurately summarizes the main change: using the ServerManager's passfile for credential management in the connect() method.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

Tip

💬 Introducing Slack Agent: The best way for teams to turn conversations into code.

Slack Agent is built on CodeRabbit's deep understanding of your code, so your team can collaborate across the entire SDLC without losing context.

• Generate code and open pull requests
• Plan features and break down work
• Investigate incidents and troubleshoot customer tickets together
• Automate recurring tasks and respond to alerts with triggers
• Summarize progress and report instantly

Built for teams:

• Shared memory across your entire org—no repeating context
• Per-thread sandboxes to safely plan and execute work
• Governance built-in—scoped access, auditability, and budget controls

One agent for your entire SDLC. Right inside Slack.

👉 Get started

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@web/pgadmin/utils/driver/psycopg3/connection.py`:
- Around line 317-320: The current logic creates a Path for kwargs['passfile']
and calls passfile.read_text() without validating that the value is non-empty
and points to a regular readable file; update the code around the passfile
handling so that if kwargs['passfile'] is an empty string it is treated as None,
then verify passfile.exists() and passfile.is_file() before calling
passfile.read_text(), and wrap the read_text() call in a try/except that catches
IsADirectoryError, FileNotFoundError, PermissionError, and UnicodeDecodeError
(and convert or re-raise them as a clear connection error or log appropriately)
so that reading failures do not propagate uncaught from the code that sets the
password variable.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 340f95c2-cfcc-42e7-a15f-f262c72b2620

📥 Commits

Reviewing files that changed from the base of the PR and between d8a078a and 98234b0.

📒 Files selected for processing (1)

• web/pgadmin/utils/driver/psycopg3/connection.py

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@web/pgadmin/utils/driver/psycopg3/connection.py`:
- Around line 316-317: The code constructs Path(kwargs['passfile']) whenever the
'passfile' key exists, which raises TypeError if its value is None; change the
guard so you only call Path(...) when the retrieved value is not None/empty
(e.g., use val = kwargs.get('passfile') and then passfile = Path(val) only if
val is truthy), ensuring the variable passfile remains None otherwise so
downstream exception handling around connect() or the passfile logic can run
safely.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: a364471d-0bf2-4720-9580-b8a79cbfc2c3

📥 Commits

Reviewing files that changed from the base of the PR and between 50a03d5 and 7c9be2d.

📒 Files selected for processing (1)

• web/pgadmin/utils/driver/psycopg3/connection.py

[asheshv]

Thanks @adityatoshniwal

[asheshv]

The check-python-style CI job is failing because line 326 is 80 characters (limit is 79):

web/pgadmin/utils/driver/psycopg3/connection.py:326: [E501] line too long (80 > 79 characters)

Please replace the .format() call with an f-string to fix it:

            current_app.logger.warning(
                f"Using the first of two specified"
                f" passfiles: {passfile!r}, {passfile_kwarg!r}"
            )

[m000]

@asheshv fixed. Thanks!

I also updated the PR text to match the changes.

[asheshv]

LGTM

[asheshv]

Thanks @m000 — the cleanup makes sense, the kwarg passfile was effectively dead before. A few things before merge:

1. With both a passfile and passexec_cmd configured, this silently flips precedence: passexec used to run, now it's skipped because the manager's passfile is truthy. Probably the right call, but please mention it in the PR description so we can capture it in the release notes.

2. The warning message ("Using the first of two specified passfiles: ...") is hard to parse — could you reword to make it clear which one wins, e.g. f'passfile kwarg {passfile_kwarg!r} differs from connection_params {passfile!r}; using the latter.'?

3. The comment above the if still reads like the old gate — worth adding "...only when no passfile is configured" so the precedence is obvious.

Also, the title's a bit stale now — something like "Use ServerManager's passfile in connect() credential gate" fits the final shape better.

[asheshv]

Please fix this comment: #9810 (comment)

[m000]

Please fix this comment: #9810 (comment)

Done. You're right, ignoring passexec may come as a surprise to some users. Not sure how common this config may be, so I also added an extra warning message for the case.

Let me know if anything else is needed.