codeant-ai-for-open-source[bot] commented on code in PR #38443:
URL: https://github.com/apache/superset/pull/38443#discussion_r3454008523
##########
superset/db_engine_specs/gsheets.py:
##########
@@ -365,8 +380,14 @@ def validate_parameters(
engine = create_engine(
"gsheets://",
- service_account_info=encrypted_credentials,
- subject=subject,
+ connect_args={
+ "adapter_kwargs": {
+ "gsheetsapi": {
+ "service_account_info": encrypted_credentials,
+ "subject": subject,
+ }
+ }
+ },
Review Comment:
**Suggestion:** `service_account_info` is now always injected into
`connect_args` even when the connection is OAuth2-based. For OAuth2 flows,
credentials are often absent and this can force shillelagh down the
service-account auth path (with `{}`), causing `engine.connect()` to fail
before the later OAuth2 skip logic runs. Build the engine args conditionally:
only include `service_account_info` for service-account validation, and avoid
connecting at all for OAuth2-only validation paths. [incorrect condition logic]
<details>
<summary><b>Severity Level:</b> Critical 🚨</summary>
```mdx
- ❌ `/api/v1/database/validate_parameters` fails for GSheets OAuth2 setups.
- ❌ Admins cannot validate new OAuth2-only Google Sheets databases.
- ⚠️ Users see misleading credential errors despite valid OAuth2 config.
- ⚠️ Blocks adoption of OAuth2 flows for Google Sheets engine.
```
</details>
<details>
<summary><b>Steps of Reproduction ✅ </b></summary>
```mdx
1. Trigger the database-parameter validation API by POSTing to
`/api/v1/database/validate_parameters/` (implemented in
`superset/databases/api.py:2006-2062`) with payload matching
`DatabaseValidateParametersSchema` (`superset/databases/schemas.py:392-55`),
setting
`"engine": "gsheets"` and `configuration_method` appropriately.
2. In the request JSON, configure an OAuth2-only Google Sheets connection:
omit
`parameters.service_account_info`, provide a catalog (either in
`parameters.catalog` or
top-level `catalog`), and include OAuth2 client config in
`masked_encrypted_extra` under
`"oauth2_client_info"` (as described by the `oauth2_client_info` field in
`superset/db_engine_specs/gsheets.py:5-16`).
3. `DatabasesApi.validate_parameters` constructs and runs
`ValidateDatabaseParametersCommand`
(`superset/commands/database/validate.py:40-55`),
which resolves the engine spec for `"gsheets"` and calls
`GSheetsEngineSpec.validate_parameters(self._properties)`
(`superset/db_engine_specs/gsheets.py:353-357`).
4. Inside `GSheetsEngineSpec.validate_parameters`, `encrypted_credentials =
parameters.get("service_account_info") or "{}"` (`gsheets.py:368`) becomes
`"{}"` and is
`json.loads` to `{}` (`gsheets.py:372-373); this empty dict is always
injected as
`"service_account_info"` into `connect_args` in the
`create_engine("gsheets://",
connect_args={...})` call (`gsheets.py:381-387`), so `engine.connect()`
(`gsheets.py:143`)
attempts service-account auth with `{}` and raises before the subsequent
OAuth2 detection
and skip logic (`is_oauth2_conn` at `gsheets.py:148-152` and the `if
is_oauth2_conn:
continue` at `gsheets.py:177-178`) can run, causing validation of
OAuth2-based GSheets
connections to fail.
```
</details>
[](https://app.codeant.ai/fix-in-ide?tool=cursor&prompt_id=7e0720bbe930485d924cd591114629dc&service=github&base_url=https%3A%2F%2Fgithub.com&org=apache&repo=apache%2Fsuperset)
[](https://app.codeant.ai/fix-in-ide?tool=vscode-claude&prompt_id=7e0720bbe930485d924cd591114629dc&service=github&base_url=https%3A%2F%2Fgithub.com&org=apache&repo=apache%2Fsuperset)
*(Use Cmd/Ctrl + Click for best experience)*
<details>
<summary><b>Prompt for AI Agent 🤖 </b></summary>
```mdx
This is a comment left during a code review.
**Path:** superset/db_engine_specs/gsheets.py
**Line:** 383:390
**Comment:**
*Incorrect Condition Logic: `service_account_info` is now always
injected into `connect_args` even when the connection is OAuth2-based. For
OAuth2 flows, credentials are often absent and this can force shillelagh down
the service-account auth path (with `{}`), causing `engine.connect()` to fail
before the later OAuth2 skip logic runs. Build the engine args conditionally:
only include `service_account_info` for service-account validation, and avoid
connecting at all for OAuth2-only validation paths.
Validate the correctness of the flagged issue. If correct, How can I resolve
this? If you propose a fix, implement it and please make it concise.
Once fix is implemented, also check other comments on the same PR, and ask
user if the user wants to fix the rest of the comments as well. if said yes,
then fetch all the comments validate the correctness and implement a minimal fix
```
</details>
<a
href='https://app.codeant.ai/feedback?pr_url=https%3A%2F%2Fgithub.com%2Fapache%2Fsuperset%2Fpull%2F38443&comment_hash=7f8cc0f497c6efea16ff3667cb9df9e3435240bd61231ce80ba30a79514c9a92&reaction=like'>👍</a>
| <a
href='https://app.codeant.ai/feedback?pr_url=https%3A%2F%2Fgithub.com%2Fapache%2Fsuperset%2Fpull%2F38443&comment_hash=7f8cc0f497c6efea16ff3667cb9df9e3435240bd61231ce80ba30a79514c9a92&reaction=dislike'>👎</a>
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
