Handle secondary TLS port 8443 as https by default

[Spikhalskiy]

Description

Before 0.334.0, both login@password:host:443 and login@password:host:8443 URLs were handled as HTTPS because the connection string contained a password, and https was enforced by Trino in such situations.

#530 removed this enforcement. And all connection strings without an explicitly specified additional schema parameter were treated as http.

#564 added a fix for the 443 port. And 443 port only.

Meanwhile, 8443 is a secondary HTTPS/TLS port, just as 8080 is a secondary port for port 80. Even trino TLS documentation uses 8443 by default: https://trino.io/docs/current/security/tls.html

This PR adds handling of 8443 port as HTTPS by default.

Non-technical explanation

Connection strings with 8443 port should be handled as HTTPS by default.

Release notes

( x ) Release notes are required, with the following suggested text:

* 8443 port is handled as HTTPS by default (#580)

[cla-bot]

Thank you for your pull request and welcome to the Trino community. We require contributors to sign our Contributor License Agreement, and we don't seem to have you on file. Continue to work with us on the review and improvements in this PR, and submit the signed CLA to cla@trino.io. Photos, scans, or digitally-signed PDF files are all suitable. Processing may take a few days. The CLA needs to be on file before we merge your changes. For more information, see https://github.com/trinodb/cla

[sourcery-ai]

Reviewer's guide (collapsed on small PRs)

Reviewer's Guide

Add support for treating port 8443 as HTTPS by default by introducing a secondary TLS port constant, updating the connection parsing logic to recognize it, and expanding unit tests to cover this behavior.

Entity relationship diagram for port constants

erDiagram
    CONSTANTS {
        int DEFAULT_PORT
        int DEFAULT_TLS_PORT
        int SECONDARY_TLS_PORT
    }

Loading

Class diagram for updated connection scheme handling in dbapi

classDiagram
    class DBAPIConnection {
        http_scheme: str
        __init__(...)
    }
    class Constants {
        DEFAULT_PORT: int = 8080
        DEFAULT_TLS_PORT: int = 443
        SECONDARY_TLS_PORT: int = 8443
        HTTP: str
        HTTPS: str
    }
    DBAPIConnection --|> Constants: uses

Loading

File-Level Changes

Change	Details	Files
Introduce secondary TLS port constant	Define SECONDARY_TLS_PORT with value 8443	trino/constants.py
Extend HTTPS scheme detection to include port 8443	Update conditional in connection initializer to treat constants.SECONDARY_TLS_PORT as HTTPS	trino/dbapi.py
Expand unit tests for secondary TLS port	Add test case to verify HTTPS inference on port constants.SECONDARY_TLS_PORT	tests/unit/test_dbapi.py

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[sourcery-ai]

Hey there - I've reviewed your changes and they look great!

Prompt for AI Agents

Please address the comments from this code review:

## Individual Comments

### Comment 1
<location> `tests/unit/test_dbapi.py:328` </location>
<code_context>
         ("http://mytrinoserver.domain:9999", None, None, constants.HTTP),
         # Infer from port
         ("mytrinoserver.domain", constants.DEFAULT_TLS_PORT, None, constants.HTTPS),
+        ("mytrinoserver.domain", constants.SECONDARY_TLS_PORT, None, constants.HTTPS),
         ("mytrinoserver.domain", constants.DEFAULT_PORT, None, constants.HTTP),
         # http_scheme parameter has higher precedence than port parameter
</code_context>

<issue_to_address>
**suggestion (testing):** Consider adding tests for connection strings with explicit 'http' and 'https' schemes using port 8443.

Adding these tests will verify that explicit scheme declarations take precedence over port-based inference for port 8443, mirroring the approach used for port 443.
</issue_to_address>

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[Spikhalskiy]

CLA submitted

[hashhar]

The Trino docs do use 8443 as the default TLS port so I understand the motivation. Hardcoding specific ports is fragile though and there is no limit to ports. The better approach would be to detect the presence of
credentials/auth and infer HTTPS from that (as the client did before #530). That would cover 8443 and any other port without needing special cases. Note that Trino can accept credentials
over HTTP too, so even credential detection isn't perfect, but it's a much better heuristic than port numbers.

As-is, this change risks silently breaking users running HTTP on 8443 who don't pass http_scheme explicitly.

[hashhar]

Also current behaviour is intentionally aligned to JDBC driver so that all clients behave similarly.