diff --git a/lemur/migrations/versions/3307381f3b88_.py b/lemur/migrations/versions/3307381f3b88_.py
index 191b16ee..e4da96a6 100644
--- a/lemur/migrations/versions/3307381f3b88_.py
+++ b/lemur/migrations/versions/3307381f3b88_.py
@@ -1,4 +1,9 @@
-"""empty message
+"""
+Refactor authority columns and associates an authorities root certificate with a certificate stored in the
+certificate tables.
+
+Migrates existing authority owners to associated roles.
+Migrates existing certificate owners to associated role.
 Revision ID: 3307381f3b88
 Revises: 412b22cb656a
@@ -20,7 +25,7 @@ def upgrade():
 ### commands auto generated by Alembic - please adjust! ###
 op.alter_column('authorities', 'owner', existing_type=sa.VARCHAR(length=128),
- nullable=False)
+ nullable=True)
 op.drop_column('authorities', 'not_after')
 op.drop_column('authorities', 'bits')
 op.drop_column('authorities', 'cn')
@@ -31,7 +36,7 @@ def upgrade():
 nullable=False)
 op.alter_column('certificates', 'owner', existing_type=sa.VARCHAR(length=128),
- nullable=False)
+ nullable=True)
 op.drop_constraint(u'certificates_authority_id_fkey', 'certificates', type_='foreignkey')
 op.create_foreign_key(None, 'certificates', 'authorities', ['authority_id'], ['id'], ondelete='CASCADE')
 op.create_foreign_key(None, 'certificates', 'authorities', ['root_authority_id'], ['id'], ondelete='CASCADE')
@@ -39,7 +44,10 @@ def upgrade():
 # link existing certificate to their authority certificates
 conn = op.get_bind()
- for id, body in conn.execute(text('select id, body from authorities')):
+ for id, body, owner in conn.execute(text('select id, body, owner from authorities')):
+ if not owner:
+ owner = "lemur@nobody"
+
 # look up certificate by body, if duplications are found, pick one
 stmt = text('select id from certificates where body=:body')
 stmt = stmt.bindparams(body=body)
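Review bot: Relaxing `authorities.owner` to `nullable=True` (the same change is made to `certificates.owner` in the next hunk) removes the only database-level guarantee that every row has an owner, and the owner is exactly what the data steps below turn into the role that grants access to the row. Rows inserted after the upgrade with a NULL owner therefore get no owner role unless the application enforces one, which nothing in this migration shows. Because the column was NOT NULL until this point, the `if not owner:` fallback added later can only ever see empty strings, and the loops never write NULLs back, so the constraint could stay `nullable=False`; if the column is deliberately being retired in favour of roles, say so in the module docstring. upgrade() starts before this hunk and continues past it.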
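Review bot: `owner = "lemur@nobody"` folds every authority with an empty owner into one shared placeholder, and the next hunk repeats the literal for certificates and then uses it as a role name, so any principal later granted the `lemur@nobody` role receives every orphaned authority and certificate at once, and a pre-existing role of that name would be reused together with its members. Hoist it to one module constant with a comment, e.g. `# catch-all owner role for rows with no owner; do not assign members to it` / `ORPHAN_OWNER = "lemur@nobody"`, so both loops share it and the intent is visible to whoever audits role membership later. The substitution only touches the local variable, so the `owner` column stays empty for these rows; that looks intended but is worth a comment. The rewritten `for` keeps `id` as the loop variable, which shadows the builtin; `authority_id` would read better. upgrade() continues past this hunk.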
@@ -49,6 +57,57 @@ def upgrade():
 stmt = stmt.bindparams(root_authority_id=id, id=root_certificate[0])
 op.execute(stmt)
+ # link owner roles to their authorities
+ stmt = text('select id from roles where name=:name')
+ stmt = stmt.bindparams(name=owner)
+ owner_role = conn.execute(stmt).fetchone()
+
+ if not owner_role:
+ stmt = text('insert into roles (name, description) values (:name, :description)')
+ stmt = stmt.bindparams(name=owner, description='Lemur generated role or existing owner.')
+ op.execute(stmt)
+
+ stmt = text('select id from roles where name=:name')
+ stmt = stmt.bindparams(name=owner)
+ owner_role = conn.execute(stmt).fetchone()
+
+ stmt = text('select * from roles_authorities where role_id=:role_id and authority_id=:authority_id')
+ stmt = stmt.bindparams(role_id=owner_role[0], authority_id=id)
+ exists = conn.execute(stmt).fetchone()
+
+ if not exists:
+ stmt = text('insert into roles_authorities (role_id, authority_id) values (:role_id, :authority_id)')
+ stmt = stmt.bindparams(role_id=owner_role[0], authority_id=id)
+ op.execute(stmt)
+
+ # link owner roles to their certificates
+ for id, owner in conn.execute(text('select id, owner from certificates')):
+ if not owner:
+ owner = "lemur@nobody"
+
+ stmt = text('select id from roles where name=:name')
+ stmt = stmt.bindparams(name=owner)
+ owner_role = conn.execute(stmt).fetchone()
+
+ if not owner_role:
+ stmt = text('insert into roles (name, description) values (:name, :description)')
+ stmt = stmt.bindparams(name=owner, description='Lemur generated role or existing owner.')
+ op.execute(stmt)
+
+ # link owner roles to their authorities
+ stmt = text('select id from roles where name=:name')
+ stmt = stmt.bindparams(name=owner)
+ owner_role = conn.execute(stmt).fetchone()
+
+ stmt = text('select * from roles_certificates where role_id=:role_id and certificate_id=:certificate_id')
+ stmt = stmt.bindparams(role_id=owner_role[0], certificate_id=id)
+ exists = conn.execute(stmt).fetchone()
+
+ if not exists:
+ stmt = text('insert into roles_certificates (role_id, certificate_id) values (:role_id, :certificate_id)')
+ stmt = stmt.bindparams(role_id=owner_role[0], certificate_id=id)
+ op.execute(stmt)
+
 def downgrade():
 ### commands auto generated by Alembic - please adjust! ###
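Review bot: The get-or-create-role block (select by name, insert, select again) and the exists-then-insert link block are copied verbatim for authorities and certificates, and the copy carried a stale comment with it: the second `# link owner roles to their authorities`, inside the certificates loop, sits above a role re-read, not a link. Factoring both into helpers removes the duplication and gives the one security-relevant decision a home for its comment: the role is looked up by name only, so a pre-existing role that happens to share the owner's name (including `lemur@nobody`) is granted the authority or certificate with whatever members it already has. The inserts also go through `op.execute` while every read goes through `conn`; `op.get_bind()` normally returns the same connection so the re-read sees the insert, but doing both via `conn.execute` makes that explicit and is the only guard against `fetchone()` returning `None` and failing at `owner_role[0]`. The code below keeps the SQL statements byte-for-byte and assumes the loop bodies live inside `upgrade()`, which starts before this hunk.

```python
# catch-all owner used when a row has no owner; do not assign members to it
ORPHAN_OWNER = "lemur@nobody"


def _owner_role_id(conn, owner):
    """Return the id of the role named after *owner*, creating it if missing.

    NOTE(review): the lookup is by name only, so an unrelated pre-existing
    role with the same name is reused as-is, members included.
    """
    name = owner or ORPHAN_OWNER
    select = text('select id from roles where name=:name').bindparams(name=name)
    role = conn.execute(select).fetchone()
    if role is None:
        insert = text('insert into roles (name, description) values (:name, :description)')
        conn.execute(insert.bindparams(name=name, description='Lemur generated role or existing owner.'))
        role = conn.execute(select).fetchone()
    return role[0]


def _link_once(conn, probe, insert, **params):
    """Run *insert* with *params* unless *probe* already matches a row."""
    if conn.execute(probe.bindparams(**params)).fetchone() is None:
        conn.execute(insert.bindparams(**params))


# … unchanged: schema changes and the root-certificate lookup in upgrade() …
        role_id = _owner_role_id(conn, owner)
        _link_once(
            conn,
            text('select * from roles_authorities where role_id=:role_id and authority_id=:authority_id'),
            text('insert into roles_authorities (role_id, authority_id) values (:role_id, :authority_id)'),
            role_id=role_id, authority_id=id,
        )

    # link owner roles to their certificates
    for id, owner in conn.execute(text('select id, owner from certificates')):
        role_id = _owner_role_id(conn, owner)
        _link_once(
            conn,
            text('select * from roles_certificates where role_id=:role_id and certificate_id=:certificate_id'),
            text('insert into roles_certificates (role_id, certificate_id) values (:role_id, :certificate_id)'),
            role_id=role_id, certificate_id=id,
        )
```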