# -*- coding: utf-8 -*- ########################################################################## # # pgAdmin 4 - PostgreSQL Tools # # Copyright (C) 2013 - 2024, The pgAdmin Development Team # This software is released under the PostgreSQL Licence # # config.py - Core application configuration settings # ########################################################################## import builtins import logging import os import sys from collections import OrderedDict # We need to include the root directory in sys.path to ensure that we can # find everything we need when running in the standalone runtime. root = os.path.dirname(os.path.realpath(__file__)) if sys.path[0] != root: sys.path.insert(0, root) # The config database connection pool size. # Setting this to 0 will remove any limit. CONFIG_DATABASE_CONNECTION_POOL_SIZE = 5 # The number of connections allowed to overflow beyond # the connection pool size. CONFIG_DATABASE_CONNECTION_MAX_OVERFLOW = 100 from pgadmin.utils import env, IS_WIN, fs_short_path from version import APP_VERSION, APP_RELEASE, APP_REVISION, APP_SUFFIX, \ APP_VERSION_INT from branding import APP_NAME, APP_ICON, APP_COPYRIGHT, APP_PATH, \ APP_WIN_PATH, APP_SHORT_NAME, APP_DEFAULT_EMAIL ########################################################################## # Misc stuff ########################################################################## # Path to the online help. HELP_PATH = '../../../docs/en_US/_build/html/' # Languages we support in the UI LANGUAGES = { 'en': 'English', 'zh': 'Chinese (Simplified)', 'cs': 'Czech', 'fr': 'French', 'de': 'German', 'id': 'Indonesian', 'it': 'Italian', 'ja': 'Japanese', 'ko': 'Korean', 'pl': 'Polish', 'pt_BR': 'Portuguese (Brazilian)', 'ru': 'Russian', 'es': 'Spanish', } # DO NOT CHANGE UNLESS YOU KNOW WHAT YOU ARE DOING! # List of modules to skip when dynamically loading MODULE_BLACKLIST = ['test'] # DO NOT CHANGE UNLESS YOU KNOW WHAT YOU ARE DOING! # List of treeview browser nodes to skip when dynamically loading NODE_BLACKLIST = [] ########################################################################## # Server settings ########################################################################## # The server mode determines whether or not we're running on a web server # requiring user authentication, or desktop mode which uses an automatic # default login. # # DO NOT DISABLE SERVER MODE IF RUNNING ON A WEBSERVER!! # # We only set SERVER_MODE if it's not already set. That's to allow the # runtime to force it to False. # # NOTE: If you change the value of SERVER_MODE or DATA_DIR in an included # config file, you may also need to redefine any values below that are # derived from it, notably various paths such as LOG_FILE, SQLITE_PATH, # SESSION_DB_PATH, STORAGE_DIR, KERBEROS_CCACHE_DIR, and # AZURE_CREDENTIAL_CACHE_DIR if (not hasattr(builtins, 'SERVER_MODE')) or builtins.SERVER_MODE is None: SERVER_MODE = True else: SERVER_MODE = builtins.SERVER_MODE # HTTP headers to search for CSRF token when it is not provided in the form. # Default is ['X-CSRFToken', 'X-CSRF-Token'] WTF_CSRF_HEADERS = ['X-pgA-CSRFToken'] # User ID (email address) to use for the default user in desktop mode. # The default should be fine here, as it's not exposed in the app. DESKTOP_USER = APP_DEFAULT_EMAIL # This option allows the user to host the application on a LAN # Default hosting is on localhost (DEFAULT_SERVER='localhost'). # To host pgAdmin4 over LAN set DEFAULT_SERVER='0.0.0.0' (or a specific # adaptor address. # # NOTE: This is NOT recommended for production use, only for debugging # or testing. Production installations should be run as a WSGI application # behind Apache HTTPD. DEFAULT_SERVER = '127.0.0.1' # The default port on which the app server will listen if not set in the # environment by the runtime DEFAULT_SERVER_PORT = 5050 # This param is used to override the default web server information about # the web technology and the frameworks being used in the application # An attacker could use this information to fingerprint underlying operating # system and research known exploits for the specific version of # software in use WEB_SERVER = 'Python' # Enable X-Frame-Option protection. # Set to one of "SAMEORIGIN", "ALLOW-FROM origin" or "" to disable. # Note that "DENY" is NOT supported (and will be silently ignored). # See https://tools.ietf.org/html/rfc7034 for more info. X_FRAME_OPTIONS = "SAMEORIGIN" # The Content-Security-Policy header allows you to restrict how resources # such as JavaScript, CSS, or pretty much anything that the browser loads. # see https://content-security-policy.com/#source_list for more info # e.g. "default-src https: data: 'unsafe-inline' 'unsafe-eval';" CONTENT_SECURITY_POLICY = "default-src ws: http: data: blob: 'unsafe-inline'" \ " 'unsafe-eval';" # STRICT_TRANSPORT_SECURITY_ENABLED when set to True will set the # Strict-Transport-Security header STRICT_TRANSPORT_SECURITY_ENABLED = False # The Strict-Transport-Security header tells the browser to convert all HTTP # requests to HTTPS, preventing man-in-the-middle (MITM) attacks. # e.g. 'max-age=31536000; includeSubDomains' STRICT_TRANSPORT_SECURITY = "max-age=31536000; includeSubDomains" # The X-Content-Type-Options header forces the browser to honor the response # content type instead of trying to detect it, which can be abused to # generate a cross-site scripting (XSS) attack. # e.g. nosniff X_CONTENT_TYPE_OPTIONS = "nosniff" # The browser will try to prevent reflected XSS attacks by not loading the # page if the request contains something that looks like JavaScript and the # response contains the same data. e.g. '1; mode=block' X_XSS_PROTECTION = "1; mode=block" # This param is used to validate ALLOWED_HOSTS for the application # This will be used to avoid Host Header Injection attack # ALLOWED_HOSTS = ['225.0.0.0/8', '226.0.0.0/7', '228.0.0.0/6'] # ALLOWED_HOSTS = ['127.0.0.1', '192.168.0.1'] # if ALLOWED_HOSTS= [] then it will accept all ips (and application will be # vulnerable to Host Header Injection attack) ALLOWED_HOSTS = [] # Hashing algorithm used for password storage SECURITY_PASSWORD_HASH = 'pbkdf2_sha512' # Minimum password length PASSWORD_LENGTH_MIN = 6 # Reverse Proxy parameters # You must tell the middleware how many proxies set each header # so it knows what values to trust. # See https://tinyurl.com/yyg7r9av # for more information. # Number of values to trust for X-Forwarded-For PROXY_X_FOR_COUNT = 1 # Number of values to trust for X-Forwarded-Proto. PROXY_X_PROTO_COUNT = 1 # Number of values to trust for X-Forwarded-Host. PROXY_X_HOST_COUNT = 0 # Number of values to trust for X-Forwarded-Port. PROXY_X_PORT_COUNT = 1 # Number of values to trust for X-Forwarded-Prefix. PROXY_X_PREFIX_COUNT = 0 # NOTE: CSRF_SESSION_KEY, SECRET_KEY and SECURITY_PASSWORD_SALT are no # longer part of the main configuration, but are stored in the # configuration databases 'keys' table and are auto-generated. # COMPRESSION COMPRESS_MIMETYPES = [ 'text/html', 'text/css', 'text/xml', 'text/javascript', 'application/json', 'application/javascript' ] COMPRESS_LEVEL = 9 COMPRESS_MIN_SIZE = 500 # Set the cache control max age for static files in flask to 1 year SEND_FILE_MAX_AGE_DEFAULT = 31556952 # This will be added to static urls as url parameter with value as # APP_VERSION_INT for cache busting on version upgrade. If the value is set as # None or empty string then it will not be added. # eg - http:localhost:5050/pgadmin.css?intver=3.13 APP_VERSION_PARAM = 'ver' # Add the internal version param to below extensions only APP_VERSION_EXTN = ('.css', '.js', '.html', '.svg', '.png', '.gif', '.ico') # Data directory for storage of config settings etc. This shouldn't normally # need to be changed - it's here as various other settings depend on it. # On Windows, we always store data in %APPDATA%\$(APP_WIN_PATH). On other # platforms, if we're in server mode we use /var/lib/$(APP_PATH), # otherwise ~/.$(APP_PATH) if IS_WIN: # Use the short path on windows DATA_DIR = os.path.realpath( os.path.join(fs_short_path(env('APPDATA')), APP_WIN_PATH) ) else: if SERVER_MODE: DATA_DIR = os.path.join('/var/lib/', APP_PATH) else: DATA_DIR = os.path.realpath( os.path.expanduser('~/' + '.' + APP_PATH + '/') ) # An optional login banner to show security warnings/disclaimers etc. at # login and password recovery etc. HTML may be included for basic formatting, # For example: # LOGIN_BANNER = "

Authorised Users Only!

" \ # "Unauthorised use is strictly forbidden." LOGIN_BANNER = "" ########################################################################## # Log settings ########################################################################## # Debug mode? DEBUG = False # Application log level - one of: # CRITICAL 50 # ERROR 40 # WARNING 30 # SQL 25 # INFO 20 # DEBUG 10 # NOTSET 0 CONSOLE_LOG_LEVEL = logging.WARNING FILE_LOG_LEVEL = logging.WARNING # Log format. JSON_LOGGER = False CONSOLE_LOG_FORMAT_JSON = OrderedDict([ ("time", "asctime"), ("message", "message"), ("level", "levelname") ]) FILE_LOG_FORMAT_JSON = OrderedDict([ ("time", "asctime"), ("message", "message"), ("level", "levelname") ]) CONSOLE_LOG_FORMAT = '%(asctime)s: %(levelname)s\t%(name)s:\t%(message)s' FILE_LOG_FORMAT = '%(asctime)s: %(levelname)s\t%(name)s:\t%(message)s' # Log file name. This goes in the data directory, except on non-Windows # platforms in server mode. if SERVER_MODE and not IS_WIN: LOG_FILE = os.path.join('/var/log', APP_PATH, APP_SHORT_NAME + '.log') else: LOG_FILE = os.path.join(DATA_DIR, APP_SHORT_NAME + '.log') # Log rotation setting # Log file will be rotated considering values for LOG_ROTATION_SIZE # & LOG_ROTATION_AGE. Rotated file will be named in format # - LOG_FILE.Y-m-d_H-M-S LOG_ROTATION_SIZE = 10 # In MBs LOG_ROTATION_AGE = 1440 # In minutes LOG_ROTATION_MAX_LOG_FILES = 90 # Maximum number of backups to retain ########################################################################## # Server Connection Driver Settings ########################################################################## # The default driver used for making connection with PostgreSQL PG_DEFAULT_DRIVER = 'psycopg3' # Maximum allowed idle time in minutes before which releasing the connection # for the particular session. (in minutes) MAX_SESSION_IDLE_TIME = 60 ########################################################################## # External Database Settings # # All configuration settings are stored by default in the SQLite database. # In order to use external databases like PostgreSQL sets the value of # CONFIG_DATABASE_URI like below: # dialect+driver://username:password@host:port/database # # PostgreSQL: # postgresql://username:password@host:port/database # Specify Schema Name # postgresql://username:password@host:port/database?options=-csearch_path=pgadmin # Using PGPASS file # postgresql://username@host:port?options=-csearch_path=pgadmin ########################################################################## CONFIG_DATABASE_URI = '' ########################################################################## # User account and settings storage ########################################################################## # The default path to the SQLite database used to store user accounts and # settings. This default places the file in the same directory as this # config file, but generates an absolute path for use througout the app. SQLITE_PATH = env('SQLITE_PATH') or \ os.path.join(DATA_DIR, APP_SHORT_NAME + '.db') # SQLITE_TIMEOUT will define how long to wait before throwing the error - # OperationError due to database lock. On slower system, you may need to change # this to some higher value. # (Default: 500 milliseconds) SQLITE_TIMEOUT = 500 # Allow database connection passwords to be saved if the user chooses. # Set to False to disable password saving. ALLOW_SAVE_PASSWORD = True # Maximum number of history queries stored per user/server/database MAX_QUERY_HIST_STORED = 20 ########################################################################## # Server-side session storage path # # SESSION_DB_PATH (Default: $HOME/.pgadmin4/sessions) ########################################################################## # # We use SQLite for server-side session storage. There will be one # SQLite database object per session created. # # Specify the path used to store your session objects. # # If the specified directory does not exist, the setup script will create # it with permission mode 700 to keep the session database secure. # # On certain systems, you can use shared memory (tmpfs) for maximum # scalability, for example, on Ubuntu: # # SESSION_DB_PATH = '/run/shm/pgAdmin4_session' # ########################################################################## SESSION_DB_PATH = os.path.join(DATA_DIR, 'sessions') SESSION_COOKIE_NAME = 'pga4_session' ########################################################################## # Mail server settings ########################################################################## # These settings are used when running in web server mode for confirming # and resetting passwords etc. # See: http://pythonhosted.org/Flask-Mail/ for more info MAIL_SERVER = 'localhost' MAIL_PORT = 25 MAIL_USE_SSL = False MAIL_USE_TLS = False MAIL_USERNAME = '' MAIL_PASSWORD = '' MAIL_DEBUG = False # Flask-Security overrides Flask-Mail's MAIL_DEFAULT_SENDER setting, so # that should be set as such: SECURITY_EMAIL_SENDER = 'no-reply@localhost' ########################################################################## # Mail content settings ########################################################################## # These settings define the content of password reset emails SECURITY_EMAIL_SUBJECT_PASSWORD_RESET = "Password reset instructions for %s" \ % APP_NAME SECURITY_EMAIL_SUBJECT_PASSWORD_NOTICE = "Your %s password has been reset" \ % APP_NAME SECURITY_EMAIL_SUBJECT_PASSWORD_CHANGE_NOTICE = \ "Your password for %s has been changed" % APP_NAME ########################################################################## # Email address validation ########################################################################## CHECK_EMAIL_DELIVERABILITY = False SECURITY_EMAIL_VALIDATOR_ARGS = \ {"check_deliverability": CHECK_EMAIL_DELIVERABILITY} ########################################################################## # Upgrade checks ########################################################################## # Check for new versions of the application? UPGRADE_CHECK_ENABLED = True # Where should we get the data from? UPGRADE_CHECK_URL = 'https://www.pgadmin.org/versions.json' # What key should we look at in the upgrade data file? UPGRADE_CHECK_KEY = 'pgadmin4' # Which CA file should we use? # Default to cacert.pem in the same directory as config.py et al. CA_FILE = os.path.join(os.path.dirname(os.path.realpath(__file__)), "cacert.pem") # Check if the detected browser is supported CHECK_SUPPORTED_BROWSER = True ########################################################################## # Storage Manager storage url config settings # If user sets STORAGE_DIR to empty it will show all volumes if platform # is Windows, '/' if it is Linux, Mac or any other unix type system. # For example: # 1. STORAGE_DIR = get_drive("C") or get_drive() # return C:/ by default # where C can be any drive character such as "D", "E", "G" etc # 2. Set path manually like # STORAGE_DIR = "/path/to/directory/" ########################################################################## STORAGE_DIR = os.path.join(DATA_DIR, 'storage') ########################################################################## # Default locations for binary utilities (pg_dump, pg_restore etc) # # These are intentionally left empty in the main config file, but are # expected to be overridden by packagers in config_distro.py. # # A default location can be specified for each database driver ID, in # a dictionary. Either an absolute or relative path can be specified. # # Version-specific defaults can also be specified, which will take priority # over un-versioned paths. # # In cases where it may be difficult to know what the working directory # is, "$DIR" can be specified. This will be replaced with the path to the # top-level pgAdmin4.py file. For example, on macOS we might use: # # $DIR/../../SharedSupport # ########################################################################## DEFAULT_BINARY_PATHS = { "pg": "", "pg-12": "", "pg-13": "", "pg-14": "", "pg-15": "", "pg-16": "", "ppas": "", "ppas-12": "", "ppas-13": "", "ppas-14": "", "ppas-15": "", "ppas-16": "" } ########################################################################## # Test settings - used primarily by the regression suite, not for users ########################################################################## # The default path for SQLite database for testing TEST_SQLITE_PATH = os.path.join(DATA_DIR, 'test_pgadmin4.db') ########################################################################## # Allows flask application to response to the each request asynchronously ########################################################################## THREADED_MODE = True ########################################################################## # Do not allow SQLALCHEMY to track modification as it is going to be # deprecated in future ########################################################################## SQLALCHEMY_TRACK_MODIFICATIONS = False ########################################################################## # Number of records to fetch in one batch in query tool when query result # set is large. ########################################################################## ON_DEMAND_RECORD_COUNT = 1000 ########################################################################## # Allow users to display Gravatar image for their username in Server mode ########################################################################## SHOW_GRAVATAR_IMAGE = True ########################################################################## # Set cookie path and options ########################################################################## COOKIE_DEFAULT_PATH = '/' COOKIE_DEFAULT_DOMAIN = None SESSION_COOKIE_DOMAIN = None SESSION_COOKIE_SAMESITE = 'Lax' SESSION_COOKIE_SECURE = False SESSION_COOKIE_HTTPONLY = True ######################################################################### # Skip storing session in files and cache for specific paths ######################################################################### SESSION_SKIP_PATHS = [ '/misc/ping' ] ########################################################################## # Session expiration support ########################################################################## # SESSION_EXPIRATION_TIME is the interval in Days. Session will be # expire after the specified number of *days*. SESSION_EXPIRATION_TIME = 1 # Make SESSION_EXPIRATION_TIME to 1 week in DESKTOP mode if not SERVER_MODE: SESSION_EXPIRATION_TIME = 7 # CHECK_SESSION_FILES_INTERVAL is interval in Hours. Application will check # the session files for cleanup after specified number of *hours*. CHECK_SESSION_FILES_INTERVAL = 24 # USER_INACTIVITY_TIMEOUT is interval in Seconds. If the pgAdmin screen is left # unattended for seconds then the user will # be logged out. When set to 0, the timeout will be disabled. # If pgAdmin doesn't detect any activity in the time specified (in seconds), # the user will be forcibly logged out from pgAdmin. Set to zero to disable # the timeout. # Note: This is applicable only for SERVER_MODE=True. USER_INACTIVITY_TIMEOUT = 0 # OVERRIDE_USER_INACTIVITY_TIMEOUT when set to True will override # USER_INACTIVITY_TIMEOUT when long running queries in the Query Tool # or Debugger are running. When the queries complete, the inactivity timer # will restart in this case. If set to False, user inactivity may cause # transactions or in-process debugging sessions to be aborted. OVERRIDE_USER_INACTIVITY_TIMEOUT = True ########################################################################## # SSH Tunneling supports only for Python 2.7 and 3.4+ ########################################################################## SUPPORT_SSH_TUNNEL = True # Allow SSH Tunnel passwords to be saved if the user chooses. # Set to False to disable password saving. ALLOW_SAVE_TUNNEL_PASSWORD = False ########################################################################## # Master password is used to encrypt/decrypt saved server passwords # Applicable for desktop mode only ########################################################################## MASTER_PASSWORD_REQUIRED = True ########################################################################## # pgAdmin encrypts the database connection and ssh tunnel password using a # master password or pgAdmin login password (for other authentication sources) # before storing it in the pgAdmin configuration database. # # Below setting is used to allow the user to specify the path to a script # or program that will return an encryption key which will be used to # encrypt the passwords. This setting is used only in server mode when # auth sources are oauth, Kerberos, and webserver. # # You can pass the current username as an argument to the external script # by specifying %u in config value. # E.g. - MASTER_PASSWORD_HOOK = '/passwdgen_script.sh %u' ########################################################################## MASTER_PASSWORD_HOOK = None ########################################################################## # Allows pgAdmin4 to create session cookies based on IP address, so even # if a cookie is stolen, the attacker will not be able to connect to the # server using that stolen cookie. # Note: This can cause problems when the server is deployed in dynamic IP # address hosting environments, such as Kubernetes or behind load # balancers. In such cases, this option should be set to False. ########################################################################## ENHANCED_COOKIE_PROTECTION = True ########################################################################## # External Authentication Sources ########################################################################## # Default setting is internal # External Supported Sources: ldap, kerberos, oauth2 # Multiple authentication can be achieved by setting this parameter to # ['ldap', 'internal'] or ['oauth2', 'internal'] or # ['webserver', 'internal'] etc. # pgAdmin will authenticate the user with ldap/oauth2 whatever first in the # list, in case of failure the second authentication option will be considered. AUTHENTICATION_SOURCES = ['internal'] ########################################################################## # MAX_LOGIN_ATTEMPTS which sets the number of failed login attempts that # are allowed. If this value is exceeded the account is locked and can be # reset by an administrator. By setting the variable to the value zero # this feature is deactivated. ########################################################################## MAX_LOGIN_ATTEMPTS = 3 ########################################################################## # Only consider password to check the failed login attempts, email is # excluded from this check LOGIN_ATTEMPT_FIELDS = ['password'] ########################################################################## # LDAP Configuration ########################################################################## # After ldap authentication, user will be added into the SQLite database # automatically, if set to True. # Set it to False, if user should not be added automatically, # in this case Admin has to add the user manually in the SQLite database. LDAP_AUTO_CREATE_USER = True # Connection timeout LDAP_CONNECTION_TIMEOUT = 10 # Server connection details (REQUIRED) # example: ldap://: or ldap://: LDAP_SERVER_URI = 'ldap://:' # The LDAP attribute containing user names. In OpenLDAP, this may be 'uid' # whilst in AD, 'sAMAccountName' might be appropriate. (REQUIRED) LDAP_USERNAME_ATTRIBUTE = '' ########################################################################## # 3 ways to configure LDAP as follows (Choose anyone): # 1. Dedicated User binding # LDAP Bind User DN Example: cn=username,dc=example,dc=com # Set this parameter to allow the connection to bind using a dedicated user. # After the connection is made, the pgadmin login user will be further # authenticated by the username and password provided # at the login screen. LDAP_BIND_USER = None # LDAP Bind User Password LDAP_BIND_PASSWORD = None # OR #################### # 2. Anonymous Binding # Set this parameter to allow the anonymous bind. # After the connection is made, the pgadmin login user will be further # authenticated by the username and password provided LDAP_ANONYMOUS_BIND = False # OR #################### # 3. Bind as pgAdmin user # BaseDN (REQUIRED) # AD example: # (&(objectClass=user)(memberof=CN=MYGROUP,CN=Users,dc=example,dc=com)) # OpenLDAP example: CN=Users,dc=example,dc=com LDAP_BASE_DN = '' # Configure the bind format string # Default: LDAP_BIND_FORMAT=" # {LDAP_USERNAME_ATTRIBUTE}={LDAP_USERNAME},{LDAP_BASE_DN}" # The current available options are: # LDAP_USERNAME_ATTRIBUTE, LDAP_USERNAME, LDAP_BASE_DN # Example: LDAP_BIND_FORMAT="myldapuser@sales.example.com" # LDAP_BIND_FORMAT="NET\\myldapuser" LDAP_BIND_FORMAT = '{LDAP_USERNAME_ATTRIBUTE}={LDAP_USERNAME},{LDAP_BASE_DN}' ########################################################################## # Search ldap for further authentication (REQUIRED) # It can be optional while bind as pgAdmin user LDAP_SEARCH_BASE_DN = '' # The LDAP attribute indicates whether the DN (Distinguished Names) # are case sensitive or not LDAP_DN_CASE_SENSITIVE = False # Filter string for the user search. # For OpenLDAP, '(cn=*)' may well be enough. # For AD, you might use '(objectClass=user)' (REQUIRED) LDAP_SEARCH_FILTER = '(objectclass=*)' # Search scope for users (one of BASE, LEVEL or SUBTREE) LDAP_SEARCH_SCOPE = 'SUBTREE' # Use TLS? If the URI scheme is ldaps://, this is ignored. LDAP_USE_STARTTLS = False # TLS/SSL certificates. Specify if required, otherwise leave empty LDAP_CA_CERT_FILE = '' LDAP_CERT_FILE = '' LDAP_KEY_FILE = '' ########################################################################## # Some flaky LDAP servers returns malformed schema. If True, no exception # will be raised and schema is thrown away but authentication will be done. # This parameter should remain False, as recommended. LDAP_IGNORE_MALFORMED_SCHEMA = False ########################################################################## # Kerberos Configuration ########################################################################## KRB_APP_HOST_NAME = DEFAULT_SERVER # If the default_keytab_name is not set in krb5.conf or # the KRB_KTNAME environment variable is not set then, explicitly set # the Keytab file KRB_KTNAME = '' # After kerberos authentication, user will be added into the SQLite database # automatically, if set to True. # Set it to False, if user should not be added automatically, # in this case Admin has to add the user manually in the SQLite database. KRB_AUTO_CREATE_USER = True KERBEROS_CCACHE_DIR = os.path.join(DATA_DIR, 'krbccache') ############################################################################# # Create local directory to store azure credential cache ############################################################################# AZURE_CREDENTIAL_CACHE_DIR = os.path.join(DATA_DIR, 'azurecredentialcache') ########################################################################## # OAuth2 Configuration ########################################################################## # Multiple OAUTH2 providers can be added in the list like [{...},{...}] # All parameters are required OAUTH2_CONFIG = [ { # The name of the of the oauth provider, ex: github, google 'OAUTH2_NAME': None, # The display name, ex: Google 'OAUTH2_DISPLAY_NAME': '', # Oauth client id 'OAUTH2_CLIENT_ID': None, # Oauth secret 'OAUTH2_CLIENT_SECRET': None, # URL to generate a token, # Ex: https://github.com/login/oauth/access_token 'OAUTH2_TOKEN_URL': None, # URL is used for authentication, # Ex: https://github.com/login/oauth/authorize 'OAUTH2_AUTHORIZATION_URL': None, # server metadata url might optional for your provider 'OAUTH2_SERVER_METADATA_URL': None, # Oauth base url, ex: https://api.github.com/ 'OAUTH2_API_BASE_URL': None, # Name of the Endpoint, ex: user 'OAUTH2_USERINFO_ENDPOINT': None, # Oauth scope, ex: 'openid email profile' # Note that an 'email' claim is required in the resulting profile 'OAUTH2_SCOPE': None, # The claim which is used for the username. If the value is empty the # email is used as username, but if a value is provided, # the claim has to exist. 'OAUTH2_USERNAME_CLAIM': None, # Font-awesome icon, ex: fa-github 'OAUTH2_ICON': None, # UI button colour, ex: #0000ff 'OAUTH2_BUTTON_COLOR': None, # The additional claims to check on user ID Token or Userinfo response. # This is useful to provide additional authorization checks # before allowing access. # Example for GitLab: allowing all maintainers teams, and a specific # developers group to access pgadmin: # 'OAUTH2_ADDITIONAL_CLAIMS': { # 'https://gitlab.org/claims/groups/maintainer': [ # 'kuberheads/applications', # 'kuberheads/dba', # 'kuberheads/support' # ], # 'https://gitlab.org/claims/groups/developer': [ # 'kuberheads/applications/team01' # ], # } # Example for AzureAD: # 'OAUTH2_ADDITIONAL_CLAIMS': { # 'groups': ["0760b6cf-170e-4a14-91b3-4b78e0739963"], # 'wids': ["cf1c38e5-3621-4004-a7cb-879624dced7c"], # } 'OAUTH2_ADDITIONAL_CLAIMS': None, # Set this variable to False to disable SSL certificate verification # for OAuth2 provider. # This may need to set False, in case of self-signed certificates. # Ref: https://github.com/psf/requests/issues/6071 'OAUTH2_SSL_CERT_VERIFICATION': True, # set this variable to invalidate the session of the oauth2 provider # Example for keycloak: # 'OAUTH2_LOGOUT_URL': # 'https://example.com/realms/master/protocol/openid-connect/logout?post_logout_redirect_uri={redirect_uri}&id_token_hint={id_token}' 'OAUTH2_LOGOUT_URL': None } ] # After Oauth authentication, user will be added into the SQLite database # automatically, if set to True. # Set it to False, if user should not be added automatically, # in this case Admin has to add the user manually in the SQLite database. OAUTH2_AUTO_CREATE_USER = True ########################################################################## # Webserver Configuration ########################################################################## WEBSERVER_AUTO_CREATE_USER = True # REMOTE_USER variable will be used to check the environment variable # is set or not first, if not available, # request header will be checked for the same. # Possible values: REMOTE_USER, HTTP_X_FORWARDED_USER, X-Forwarded-User WEBSERVER_REMOTE_USER = 'REMOTE_USER' ########################################################################## # Two-factor Authentication Configuration ########################################################################## # Set it to True, to enable the two-factor authentication MFA_ENABLED = True # Set it to True, to ask the users to register forcefully for the # two-authentication methods on logged-in. MFA_FORCE_REGISTRATION = False # pgAdmin supports Two-factor authentication by either sending an one-time code # to an email, or using the TOTP based application like Google Authenticator. MFA_SUPPORTED_METHODS = ["email", "authenticator"] # NOTE: Please set the 'Mail server settings' to use 'email' as two-factor # authentication method. # Subject for the email verification code # Default: - Verification Code # e.g. pgAdmin 4 - Verification Code MFA_EMAIL_SUBJECT = None ########################################################################## # PSQL tool settings ########################################################################## # This will enable PSQL tool in pgAdmin when running in server mode. # PSQL is always enabled in Desktop mode, however in server mode it is # disabled by default because users can run arbitrary commands on the # server through it. ENABLE_PSQL = False ########################################################################## # ENABLE_BINARY_PATH_BROWSING setting is used to enable the browse button # while selecting binary path for the database server in server mode. # In Desktop mode it is always enabled and setting is of no use. ########################################################################## ENABLE_BINARY_PATH_BROWSING = False ########################################################################## # In server mode, the SHARED_STORAGE setting is used to enable shared storage. # Specify the name, path, and restricted_access values that should be shared # between users. When restricted_access is set to True, non-admin users cannot # upload/add, delete, or rename files/folders in shared storage, only admins # can do that. Users must provide the absolute path to the folder, and the name # can be anything they see on the user interface. # [{ 'name': 'Shared 1', 'path': '/shared_folder', # 'restricted_access': True/False}] ########################################################################## SHARED_STORAGE = [] ############################################################################# # AUTO_DISCOVER_SERVERS setting is used to enable the pgAdmin to discover the # database server automatically on the local machine. # When it is set to False, pgAdmin will not discover servers installed on # the local machine. ############################################################################# AUTO_DISCOVER_SERVERS = True ############################################################################# # SERVER_HEARTBEAT_TIMEOUT is used to send the server heartbeat to server # from the client. This will resolve the orphan database issue once # browser tab is closed. ############################################################################# SERVER_HEARTBEAT_TIMEOUT = 30 # In seconds ############################################################################# # ENABLE_SERVER_PASS_EXEC_CMD is used to enable/disable Password exec command # field in server properties. This is used to specify a shell command to be # executed to retrieve a password to be used for server authentication. # This setting is applicable only for server mode. ############################################################################# ENABLE_SERVER_PASS_EXEC_CMD = False ############################################################################# # Patch the default config with custom config and other manipulations ############################################################################# from pgadmin.evaluate_config import evaluate_and_patch_config locals().update(evaluate_and_patch_config(locals()))