From aa80c09144f45ec103948d4dc280f1bf47801711 Mon Sep 17 00:00:00 2001
From: Yogesh Mahajan
Date: Thu, 18 Dec 2025 13:19:33 +0530
Subject: [PATCH] Ensure saved shared server passwords are re-encrypted om password change.#9258
---
 .../browser/server_groups/servers/utils.py | 56 +++++++++++--------
 1 file changed, 32 insertions(+), 24 deletions(-)
diff --git a/web/pgadmin/browser/server_groups/servers/utils.py b/web/pgadmin/browser/server_groups/servers/utils.py
index 604bc27955a..9c6b6d4a85c 100644
--- a/web/pgadmin/browser/server_groups/servers/utils.py
+++ b/web/pgadmin/browser/server_groups/servers/utils.py
@@ -19,7 +19,7 @@ KEY_RING_DESKTOP_USER, SSL_MODES, RESTRICTION_TYPE_DATABASES, RESTRICTION_TYPE_SQL)
 from pgadmin.utils.crypto import encrypt, decrypt
-from pgadmin.model import db, Server
+from pgadmin.model import db, Server, SharedServer
 from flask import current_app
 from pgadmin.utils.master_password import set_masterpass_check_text
 from pgadmin.utils.driver import get_driver
@@ -440,37 +440,45 @@ def migrate_saved_passwords(master_key, master_password):
 return passwords_migrated, error
-def reencrpyt_server_passwords(user_id, old_key, new_key):
- """
- This function will decrypt the saved passwords in SQLite with old key
- and then encrypt with new key
- """
+def __reencrpyt_server_password(server, old_key, new_key):
 from pgadmin.utils.driver import get_driver
 driver = get_driver(config.PG_DEFAULT_DRIVER)
- for server in Server.query.filter_by(user_id=user_id).all():
- manager = driver.connection_manager(server.id)
- _password_check(server, manager, old_key, new_key)
+ manager = driver.connection_manager(server.id)
+ _password_check(server, manager, old_key, new_key)
- if server.tunnel_password is not None:
- tunnel_password = decrypt(server.tunnel_password, old_key)
- if isinstance(tunnel_password, bytes):
- tunnel_password = tunnel_password.decode()
+ if server.tunnel_password is not None:
+ tunnel_password = decrypt(server.tunnel_password, old_key)
+ if isinstance(tunnel_password, bytes):
+ tunnel_password = tunnel_password.decode()
- tunnel_password = encrypt(tunnel_password, new_key)
- setattr(server, 'tunnel_password', tunnel_password)
- manager.tunnel_password = tunnel_password
- elif manager.tunnel_password is not None:
- tunnel_password = decrypt(manager.tunnel_password, old_key)
+ tunnel_password = encrypt(tunnel_password, new_key)
+ setattr(server, 'tunnel_password', tunnel_password)
+ manager.tunnel_password = tunnel_password
+ elif manager.tunnel_password is not None:
+ tunnel_password = decrypt(manager.tunnel_password, old_key)
- if isinstance(tunnel_password, bytes):
- tunnel_password = tunnel_password.decode()
+ if isinstance(tunnel_password, bytes):
+ tunnel_password = tunnel_password.decode()
- tunnel_password = encrypt(tunnel_password, new_key)
- manager.tunnel_password = tunnel_password
+ tunnel_password = encrypt(tunnel_password, new_key)
+ manager.tunnel_password = tunnel_password
- db.session.commit()
- manager.update_session()
+ db.session.commit()
+ manager.update_session()
+
+
+def reencrpyt_server_passwords(user_id, old_key, new_key):
+ """
+ This function will decrypt the saved passwords in SQLite with old key
+ and then encrypt with new key
+ """
+ for server in Server.query.filter_by(user_id=user_id).all():
+ __reencrpyt_server_password(server, old_key, new_key)
+
+ # Ensure saved shared server passwords are re-encrypted.
+ for server in SharedServer.query.filter_by(user_id=user_id).all():
+ __reencrpyt_server_password(server, old_key, new_key)
 def remove_saved_passwords(user_id):
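Review bot: `driver.connection_manager(server.id)` in the new helper is now also reached with `SharedServer` rows, and nothing in the hunk shows that a shared row's `id` is the key the driver indexes connection managers by. If the two id spaces differ, `_password_check` and the `manager.tunnel_password` assignments would write this user's re-encrypted secret into a different server's manager (or fail on a missing one) while the shared row itself is committed. Consider passing the manager key in explicitly, e.g. `manager = driver.connection_manager(sid)`, with each loop supplying the id the driver expects. Separately, `db.session.commit()` still runs once per row, so a `decrypt` failure partway through the second loop would leave some saved passwords under `new_key` and the rest under `old_key`; a single commit after both loops, with a rollback on error, would keep the key rotation all-or-nothing.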