Skip to content

Ensure saved shared server passwords are re-encrypted on password change.#9258 #9475

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
akshay-joshi merged 1 commit into from
Jan 6, 2026
Merged

Ensure saved shared server passwords are re-encrypted on password change.#9258 #9475

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
56 changes: 32 additions & 24 deletions web/pgadmin/browser/server_groups/servers/utils.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,7 +19,7 @@
KEY_RING_DESKTOP_USER, SSL_MODES, RESTRICTION_TYPE_DATABASES,
RESTRICTION_TYPE_SQL)
from pgadmin.utils.crypto import encrypt, decrypt
from pgadmin.model import db, Server
from pgadmin.model import db, Server, SharedServer
from flask import current_app
from pgadmin.utils.master_password import set_masterpass_check_text
from pgadmin.utils.driver import get_driver
Expand Down Expand Up @@ -440,37 +440,45 @@ def migrate_saved_passwords(master_key, master_password):
return passwords_migrated, error


def reencrpyt_server_passwords(user_id, old_key, new_key):
"""
This function will decrypt the saved passwords in SQLite with old key
and then encrypt with new key
"""
def __reencrpyt_server_password(server, old_key, new_key):
from pgadmin.utils.driver import get_driver
driver = get_driver(config.PG_DEFAULT_DRIVER)

for server in Server.query.filter_by(user_id=user_id).all():
manager = driver.connection_manager(server.id)
_password_check(server, manager, old_key, new_key)
manager = driver.connection_manager(server.id)
_password_check(server, manager, old_key, new_key)

if server.tunnel_password is not None:
tunnel_password = decrypt(server.tunnel_password, old_key)
if isinstance(tunnel_password, bytes):
tunnel_password = tunnel_password.decode()
if server.tunnel_password is not None:
tunnel_password = decrypt(server.tunnel_password, old_key)
if isinstance(tunnel_password, bytes):
tunnel_password = tunnel_password.decode()

tunnel_password = encrypt(tunnel_password, new_key)
setattr(server, 'tunnel_password', tunnel_password)
manager.tunnel_password = tunnel_password
elif manager.tunnel_password is not None:
tunnel_password = decrypt(manager.tunnel_password, old_key)
tunnel_password = encrypt(tunnel_password, new_key)
setattr(server, 'tunnel_password', tunnel_password)
manager.tunnel_password = tunnel_password
elif manager.tunnel_password is not None:
tunnel_password = decrypt(manager.tunnel_password, old_key)

if isinstance(tunnel_password, bytes):
tunnel_password = tunnel_password.decode()
if isinstance(tunnel_password, bytes):
tunnel_password = tunnel_password.decode()

tunnel_password = encrypt(tunnel_password, new_key)
manager.tunnel_password = tunnel_password
tunnel_password = encrypt(tunnel_password, new_key)
manager.tunnel_password = tunnel_password

db.session.commit()
manager.update_session()
db.session.commit()
manager.update_session()


def reencrpyt_server_passwords(user_id, old_key, new_key):
"""
This function will decrypt the saved passwords in SQLite with old key
and then encrypt with new key
"""
for server in Server.query.filter_by(user_id=user_id).all():
__reencrpyt_server_password(server, old_key, new_key)

# Ensure saved shared server passwords are re-encrypted.
for server in SharedServer.query.filter_by(user_id=user_id).all():
__reencrpyt_server_password(server, old_key, new_key)


def remove_saved_passwords(user_id):
Expand Down
Loading