From 5e98bf96bc9f888463a6ba6367b27d12899f1cf8 Mon Sep 17 00:00:00 2001
From: Yogesh Mahajan
Date: Mon, 31 Oct 2022 17:59:31 +0530
Subject: [PATCH] Ensure that the appropriate permissions are set on the key file before trying an SSL connection with the server in server mode. #5424
---
 web/pgadmin/utils/driver/psycopg2/connection.py | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/web/pgadmin/utils/driver/psycopg2/connection.py b/web/pgadmin/utils/driver/psycopg2/connection.py
index 0c1f507ce..a15d6df92 100644
--- a/web/pgadmin/utils/driver/psycopg2/connection.py
+++ b/web/pgadmin/utils/driver/psycopg2/connection.py
@@ -315,6 +315,14 @@ class Connection(BaseConnection):
 os.environ['PGAPPNAME'] = '{0} - {1}'.format(
 config.APP_NAME, conn_id)
 
+ ssl_key = get_complete_file_path(manager.sslkey)
+ if ssl_key and manager.ssl_mode in \
+ ['require', 'verify-ca', 'verify-full']:
+ ssl_key_file_permission = \
+ int(oct(os.stat(ssl_key).st_mode)[-3:])
+ if ssl_key_file_permission > 600:
+ os.chmod(ssl_key, 0o600)
+
 with ConnectionLocker(manager.kerberos_conn):
 pg_conn = psycopg2.connect(
 host=manager.local_bind_host if manager.use_ssh_tunnel
@@ -330,7 +338,7 @@ class Connection(BaseConnection):
 passfile=get_complete_file_path(passfile),
 sslmode=manager.ssl_mode,
 sslcert=get_complete_file_path(manager.sslcert),
- sslkey=get_complete_file_path(manager.sslkey),
+ sslkey=ssl_key,
 sslrootcert=get_complete_file_path(manager.sslrootcert),
 sslcrl=get_complete_file_path(manager.sslcrl),
 sslcompression=True if manager.sslcompression else False,
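Review bot: The permission test in the first hunk, `int(oct(os.stat(ssl_key).st_mode)[-3:]) > 600`, reads the octal mode digits as a decimal number, so modes such as 0440 or 0477 compare below 600 and are left group- or world-accessible. libpq normally refuses a client key that grants group or other access, so those files would still fail the SSL connection while the key stays readable by other local users. Testing the bits directly is exact and shorter: `if os.stat(ssl_key).st_mode & 0o077:` followed by the existing `os.chmod(ssl_key, 0o600)`. The hunk does not show whether these calls sit inside an error handler, so a missing key file or one the pgAdmin process does not own may raise `OSError` before `psycopg2.connect` is reached; the enclosing method starts and ends outside the hunk.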