Merge pull request #279 from datlechin/feat/pgpass-pre-connect-hook

feat: add ~/.pgpass file support and pre-connect script

Author: datlechin

CHANGELOG.md

@@ -19,6 +19,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Copy as INSERT/UPDATE SQL statements from data grid context menu
 - Plugin download count display in Browse Plugins — fetched from GitHub Releases API and cached for 1 hour
 - MSSQL query cancellation (`cancelQuery`) and lock timeout (`applyQueryTimeout`) support
+- `~/.pgpass` file support for PostgreSQL/Redshift connections with live validation in the connection form
+- Pre-connect script: run a shell command before each connection (e.g., to refresh credentials or update ~/.pgpass)
 
 ### Fixed
 

TablePro/Core/Database/DatabaseDriver.swift

@@ -319,14 +319,23 @@ enum DatabaseDriverFactory {
             host: connection.host,
             port: connection.port,
             username: connection.username,
-            password: ConnectionStorage.shared.loadPassword(for: connection.id) ?? "",
+            password: resolvePassword(for: connection),
             database: connection.database,
             additionalFields: buildAdditionalFields(for: connection, plugin: plugin)
         )
         let pluginDriver = plugin.createDriver(config: config)
         return PluginDriverAdapter(connection: connection, pluginDriver: pluginDriver)
     }
 
+    private static func resolvePassword(for connection: DatabaseConnection) -> String {
+        if connection.usePgpass
+            && (connection.type == .postgresql || connection.type == .redshift)
+        {
+            return ""
+        }
+        return ConnectionStorage.shared.loadPassword(for: connection.id) ?? ""
+    }
+
     private static func buildAdditionalFields(
         for connection: DatabaseConnection,
         plugin: any DriverPlugin

TablePro/Core/Database/DatabaseManager.swift

@@ -138,6 +138,19 @@ final class DatabaseManager {
             throw error
         }
 
+        // Run pre-connect hook if configured (only on explicit connect, not auto-reconnect)
+        if let script = connection.preConnectScript,
+           !script.trimmingCharacters(in: .whitespacesAndNewlines).isEmpty
+        {
+            do {
+                try await PreConnectHookRunner.run(script: script)
+            } catch {
+                activeSessions.removeValue(forKey: connection.id)
+                currentSessionId = nil
+                throw error
+            }
+        }
+
         // Create appropriate driver with effective connection
         let driver = try DatabaseDriverFactory.createDriver(for: effectiveConnection)
 
@@ -411,7 +424,8 @@ final class DatabaseManager {
             username: connection.username,
             type: connection.type,
             sshConfig: SSHConfiguration(),
-            sslConfig: tunnelSSL
+            sslConfig: tunnelSSL,
+            additionalFields: connection.additionalFields
         )
     }
 

TablePro/Core/Services/Infrastructure/PreConnectHookRunner.swift

@@ -0,0 +1,111 @@
+//
+//  PreConnectHookRunner.swift
+//  TablePro
+//
+
+import Foundation
+import os
+
+/// Runs a shell script before establishing a database connection.
+/// Non-zero exit aborts the connection with an error.
+enum PreConnectHookRunner {
+    private static let logger = Logger(subsystem: "com.TablePro", category: "PreConnectHookRunner")
+
+    enum HookError: LocalizedError {
+        case scriptFailed(exitCode: Int32, stderr: String)
+        case timeout
+
+        var errorDescription: String? {
+            switch self {
+            case let .scriptFailed(exitCode, stderr):
+                let message = stderr.trimmingCharacters(in: .whitespacesAndNewlines)
+                if message.isEmpty {
+                    return String(localized: "Pre-connect script failed with exit code \(exitCode)")
+                }
+                return String(localized: "Pre-connect script failed (exit \(exitCode)): \(message)")
+            case .timeout:
+                return String(localized: "Pre-connect script timed out after 10 seconds")
+            }
+        }
+    }
+
+    /// Run a shell script before connecting. Throws on non-zero exit or timeout.
+    /// Executes on a background thread to avoid blocking the MainActor.
+    static func run(script: String, environment: [String: String]? = nil) async throws {
+        logger.info("Running pre-connect script")
+
+        try await Task.detached {
+            let process = Process()
+            process.executableURL = URL(fileURLWithPath: "/bin/bash")
+            process.arguments = ["-c", script]
+
+            var env = ProcessInfo.processInfo.environment
+            if let environment {
+                for (key, value) in environment {
+                    env[key] = value
+                }
+            }
+            process.environment = env
+
+            let stderrPipe = Pipe()
+            process.standardError = stderrPipe
+            process.standardOutput = FileHandle.nullDevice
+
+            // Drain stderr on a background thread to prevent pipe deadlock.
+            // If the child writes >64KB to stderr without the parent reading,
+            // the pipe buffer fills and the child blocks on write — deadlocking
+            // with waitUntilExit() on the parent side.
+            let stderrCollector = StderrCollector()
+            stderrPipe.fileHandleForReading.readabilityHandler = { handle in
+                let chunk = handle.availableData
+                if !chunk.isEmpty {
+                    stderrCollector.append(chunk)
+                }
+            }
+
+            try process.run()
+
+            // 10-second timeout on a separate detached task
+            let timeoutTask = Task.detached {
+                try await Task.sleep(nanoseconds: 10_000_000_000)
+                if process.isRunning {
+                    process.terminate()
+                }
+            }
+
+            process.waitUntilExit()
+            timeoutTask.cancel()
+
+            stderrPipe.fileHandleForReading.readabilityHandler = nil
+            let stderr = stderrCollector.result
+
+            if process.terminationReason == .uncaughtSignal {
+                throw HookError.timeout
+            }
+
+            if process.terminationStatus != 0 {
+                throw HookError.scriptFailed(exitCode: process.terminationStatus, stderr: stderr)
+            }
+        }.value
+
+        logger.info("Pre-connect script completed successfully")
+    }
+}
+
+/// Thread-safe collector for stderr output from a child process.
+private final class StderrCollector: @unchecked Sendable {
+    private let lock = NSLock()
+    private var data = Data()
+
+    func append(_ chunk: Data) {
+        lock.lock()
+        data.append(chunk)
+        lock.unlock()
+    }
+
+    var result: String {
+        lock.lock()
+        defer { lock.unlock() }
+        return String(data: data, encoding: .utf8) ?? ""
+    }
+}

TablePro/Core/Utilities/Connection/PgpassReader.swift

@@ -0,0 +1,87 @@
+//
+//  PgpassReader.swift
+//  TablePro
+//
+
+import Foundation
+import os
+
+/// Reads and parses the standard PostgreSQL ~/.pgpass file
+enum PgpassReader {
+    private static let logger = Logger(subsystem: "com.TablePro", category: "PgpassReader")
+
+    /// Whether ~/.pgpass exists
+    static func fileExists() -> Bool {
+        let path = NSHomeDirectory() + "/.pgpass"
+        return FileManager.default.fileExists(atPath: path)
+    }
+
+    /// Whether ~/.pgpass has correct permissions (0600). libpq silently ignores the file otherwise.
+    static func filePermissionsAreValid() -> Bool {
+        let path = NSHomeDirectory() + "/.pgpass"
+        guard let attrs = try? FileManager.default.attributesOfItem(atPath: path),
+              let posixPerms = attrs[.posixPermissions] as? Int
+        else {
+            return false
+        }
+        return posixPerms == 0o600
+    }
+
+    /// Resolve a password from ~/.pgpass per PostgreSQL spec.
+    /// Returns the password from the first matching entry, or nil if no match.
+    /// Format: hostname:port:database:username:password
+    /// Wildcard `*` matches any value in a field. First match wins.
+    static func resolve(host: String, port: Int, database: String, username: String) -> String? {
+        let path = NSHomeDirectory() + "/.pgpass"
+        guard let contents = try? String(contentsOfFile: path, encoding: .utf8) else {
+            logger.debug("Could not read ~/.pgpass")
+            return nil
+        }
+
+        for line in contents.components(separatedBy: .newlines) {
+            let trimmed = line.trimmingCharacters(in: .whitespaces)
+            if trimmed.isEmpty || trimmed.hasPrefix("#") { continue }
+
+            let fields = parseFields(from: trimmed)
+            guard fields.count == 5 else { continue }
+
+            if matches(fields[0], value: host)
+                && matches(fields[1], value: String(port))
+                && matches(fields[2], value: database)
+                && matches(fields[3], value: username)
+            {
+                return fields[4]
+            }
+        }
+
+        return nil
+    }
+
+    /// Parse a pgpass line into fields, handling escaped colons (\:) and backslashes (\\)
+    private static func parseFields(from line: String) -> [String] {
+        var fields: [String] = []
+        var current = ""
+        var escaped = false
+
+        for char in line {
+            if escaped {
+                current.append(char)
+                escaped = false
+            } else if char == "\\" {
+                escaped = true
+            } else if char == ":" {
+                fields.append(current)
+                current = ""
+            } else {
+                current.append(char)
+            }
+        }
+        fields.append(current)
+        return fields
+    }
+
+    /// Match a pgpass field value against an actual value. Wildcard "*" matches anything.
+    private static func matches(_ pattern: String, value: String) -> Bool {
+        pattern == "*" || pattern == value
+    }
+}

TablePro/Models/Connection/DatabaseConnection.swift

@@ -436,6 +436,16 @@ struct DatabaseConnection: Identifiable, Hashable {
         set { additionalFields["oracleServiceName"] = newValue ?? "" }
     }
 
+    var usePgpass: Bool {
+        get { additionalFields["usePgpass"] == "true" }
+        set { additionalFields["usePgpass"] = newValue ? "true" : "" }
+    }
+
+    var preConnectScript: String? {
+        get { additionalFields["preConnectScript"]?.nilIfEmpty }
+        set { additionalFields["preConnectScript"] = newValue ?? "" }
+    }
+
     init(
         id: UUID = UUID(),
         name: String,