Skip to content

fix: handle 'role does not exist' error for PG gateway connection test#5802

Merged
saifsmailbox98 merged 3 commits intomainfrom
devin/1774440250-handle-role-not-exist-error
Mar 25, 2026
Merged

fix: handle 'role does not exist' error for PG gateway connection test#5802
saifsmailbox98 merged 3 commits intomainfrom
devin/1774440250-handle-role-not-exist-error

Conversation

@devin-ai-integration
Copy link
Copy Markdown
Contributor

@devin-ai-integration devin-ai-integration bot commented Mar 25, 2026
edited
Loading

Context

When adding a PAM resource via gateway, we test connectivity to the target PostgreSQL database using a dummy role infisical-gateway-connection-test. The test intentionally expects an auth failure as proof that the DB is reachable.

However, PostgreSQL returns different errors depending on the pg_hba.conf auth method for the matching connection rule:

Auth method Error returned Previously handled?
scram-sha-256 password authentication failed for user "..." ✅ Yes
md5 / password / trust role "..." does not exist ❌ No — caused resource creation to fail

The difference is that scram-sha-256 doesn't reveal whether a role exists, while md5/password/trust looks up the role first and returns the "does not exist" error before attempting authentication.

This was hitting users who run the gateway and DB on the same host (matching a trust or md5 rule in pg_hba.conf for localhost connections).

Fix: Add role "..." does not exist as an additional accepted error across all three Postgres error-handling paths in sql-resource-factory.ts:

  1. connectOnly=true (connection validation) — treat the error as proof of connectivity, same as "password authentication failed"
  2. validateAccountCredentials — map to friendly "Account credentials invalid: Username or password incorrect" message
  3. rotateAccountCredentials — map to friendly "Management credentials invalid: Username or password incorrect" message

Steps to verify the change

  1. Set up a PostgreSQL instance with md5 or trust auth in pg_hba.conf for the connecting host
  2. Add a PAM resource through the gateway pointing to that PG instance
  3. Confirm the connection test succeeds (previously it would fail with "role does not exist")
  4. Try adding account credentials with a non-existent PG username — confirm you get the friendly "Username or password incorrect" error instead of the raw PG error

Human review checklist

  • Verify the PG error message string role "..." does not exist matches the actual PostgreSQL error format across supported PG versions (9.x through 16+)
  • Confirm the connectOnly=true path still does not allow real auth failures to pass silently
  • Confirm validateAccountCredentials and rotateAccountCredentials correctly surface the friendly error for both "password auth failed" and "role does not exist" cases
  • Note: this fix was not tested against a live PG instance — string matching is based on known PG error formats

Type

  • Fix
  • Feature
  • Improvement
  • Breaking
  • Docs
  • Chore

Checklist

Link to Devin session: https://app.devin.ai/sessions/b0c07121154642f288d196702da9503a

@devin-ai-integration
fix: handle 'role does not exist' error for gateway connection test
b9a7094 
When testing DB connectivity via gateway with a dummy role, PostgreSQL
returns different errors depending on the pg_hba.conf auth method:
- md5/password/trust: 'role does not exist' (was NOT handled)
- scram-sha-256: 'password authentication failed' (was already handled)

Both errors confirm successful connectivity to the target database.
Added handling for the 'role does not exist' case so connection
validation succeeds regardless of the PG auth configuration.

Co-Authored-By: saif <[email protected]>
@devin-ai-integration
Copy link
Copy Markdown
Contributor Author

devin-ai-integration bot commented Mar 25, 2026

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

  • Disable automatic comment and CI monitoring

@maidul98
Copy link
Copy Markdown
Collaborator

maidul98 commented Mar 25, 2026
edited
Loading

Snyk checks have passed. No issues have been found so far.

Status Scan Engine Critical High Medium Low Total (0)
Open Source Security 0 0 0 0 0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

@greptile-apps
Copy link
Copy Markdown
Contributor

greptile-apps bot commented Mar 25, 2026
edited
Loading

Greptile Summary

This PR fixes a narrow but impactful bug: when testing Postgres connectivity via the PAM gateway, the code previously only accepted password authentication failed for user "..." as proof of reachability, but PostgreSQL returns role "..." does not exist instead when the pg_hba.conf auth method is md5, password, or trust (since those methods look up the role before attempting auth). The single-line addition correctly extends the accepted error set for the connectOnly=true path only, leaving real credential validation entirely unaffected.

  • Change is minimal and correctly scoped: guarded by connectOnly &&, so validateAccountCredentials (connectOnly=false) is not touched.
  • Exact string match is appropriate: TEST_CONNECTION_USERNAME is a hardcoded constant, so there is no way for user input to influence the comparison.
  • No security concerns: the dummy username is fixed; the check cannot be weaponized to bypass real authentication.
  • Minor consistency gap (not introduced by this PR): the validateAccountCredentials handler does not yet translate role "..." does not exist into the friendly "credentials invalid" message, which will affect users on the same auth setups when providing a non-existent username — worth a follow-up.

Confidence Score: 5/5

  • Safe to merge — the fix is minimal, correctly scoped to the connectOnly path, and introduces no regression risk.
  • Single-line targeted fix with no logic changes outside the guarded connectOnly=true branch. Exact string matching against a hardcoded constant eliminates any input-manipulation risk. The only follow-up is a pre-existing UX gap in validateAccountCredentials that is out of scope for this bug fix.
  • No files require special attention.

Important Files Changed

Filename Overview
backend/src/ee/services/pam-resource/shared/sql/sql-resource-factory.ts Adds role "..." does not exist as an accepted error in the connectOnly=true validation path for Postgres, properly scoped behind the existing connectOnly guard. The fix is minimal, correct, and does not affect real credential validation.

Comments Outside Diff (1)

  1. backend/src/ee/services/pam-resource/shared/sql/sql-resource-factory.ts, line 347-351 (link)

    P2 validateAccountCredentials missing role does not exist handling

    This fix correctly handles role "..." does not exist in the connectOnly=true path, but the validateAccountCredentials handler (used when connectOnly=false) doesn't cover this case. If a user provides credentials for a PostgreSQL role that doesn't exist, the error will fall through to the generic "Unable to validate account credentials for..." message rather than the friendlier "Account credentials invalid: Username or password incorrect" message.

    Consider adding a symmetric handler here:

    This isn't a bug in the current PR (which is purely about the connectOnly path), but it's a consistency gap that would affect users on md5/password/trust auth setups when their entered username doesn't exist.

Reviews (1): Last reviewed commit: "fix: handle 'role does not exist' error ..." | Re-trigger Greptile

devin-ai-integration bot and others added 2 commits March 25, 2026 12:28
@devin-ai-integration
fix: also handle 'role does not exist' in validateAccountCredentials …
e080710 
…and rotateAccountCredentials

Extends the role-not-exist error handling to the credential validation
and rotation paths, so users on md5/password/trust PG auth configs get
the friendly 'Username or password incorrect' / 'Management credentials
invalid' messages instead of a generic error.

Co-Authored-By: saif <[email protected]>
@devin-ai-integration
style: fix prettier formatting in rotateAccountCredentials
8f5b014 
Co-Authored-By: saif <[email protected]>
@saifsmailbox98 saifsmailbox98 merged commit 7f1f7bb into main Mar 25, 2026
11 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sheensantoscapadngan sheensantoscapadngan sheensantoscapadngan approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@maidul98 @sheensantoscapadngan @saifsmailbox98