From ce74fdf0a3ea6f2d9a42eb11da2e28955d9719f3 Mon Sep 17 00:00:00 2001
From: Min RK <benjaminrk@gmail.com>
Date: Mon, 15 Apr 2024 10:55:46 +0200
Subject: [PATCH] don't allow null in managed_by_auth

---
 .../versions/4621fec11365_manage_roles.py        | 16 +++++++++++++++-
 jupyterhub/orm.py                                |  4 ++--
 jupyterhub/tests/test_db.py                      |  7 +++++++
 3 files changed, 24 insertions(+), 3 deletions(-)

diff --git a/jupyterhub/alembic/versions/4621fec11365_manage_roles.py b/jupyterhub/alembic/versions/4621fec11365_manage_roles.py
index fb6e07da..3675877a 100644
--- a/jupyterhub/alembic/versions/4621fec11365_manage_roles.py
+++ b/jupyterhub/alembic/versions/4621fec11365_manage_roles.py
@@ -22,9 +22,23 @@ def upgrade():
     for table in ['group_role_map', 'roles', 'service_role_map', 'user_role_map']:
         if table not in tables:
             continue
-        op.add_column(table, sa.Column('managed_by_auth', sa.Boolean(), nullable=True))
+        # create column and assign existing rows with False
+        # since they are not managed
+        op.add_column(
+            table,
+            sa.Column(
+                'managed_by_auth',
+                sa.Boolean(),
+                server_default=sa.sql.False_(),
+                nullable=False,
+            ),
+        )
 
 
 def downgrade():
+    engine = op.get_bind().engine
+    tables = sa.inspect(engine).get_table_names()
     for table in ['group_role_map', 'roles', 'service_role_map', 'user_role_map']:
+        if table not in tables:
+            continue
         op.drop_column(table, 'managed_by_auth')
diff --git a/jupyterhub/orm.py b/jupyterhub/orm.py
index e7f605bc..b690ed14 100644
--- a/jupyterhub/orm.py
+++ b/jupyterhub/orm.py
@@ -183,7 +183,7 @@ for entity in (
             ForeignKey('roles.id', ondelete='CASCADE'),
             primary_key=True,
         ),
-        Column('managed_by_auth', Boolean, default=False),
+        Column('managed_by_auth', Boolean, default=False, nullable=False),
     )
 
     _role_associations[entity] = type(
@@ -206,7 +206,7 @@ class Role(Base):
     )
     groups = relationship('Group', secondary='group_role_map', back_populates='roles')
 
-    managed_by_auth = Column(Boolean, default=False)
+    managed_by_auth = Column(Boolean, default=False, nullable=False)
 
     def __repr__(self):
         return f"<{self.__class__.__name__} {self.name} ({self.description}) - scopes: {self.scopes}>"
diff --git a/jupyterhub/tests/test_db.py b/jupyterhub/tests/test_db.py
index d9941ea1..6d696a5b 100644
--- a/jupyterhub/tests/test_db.py
+++ b/jupyterhub/tests/test_db.py
@@ -92,3 +92,10 @@ async def test_upgrade(tmpdir, hub_version):
     for token in query:
         assert token.scopes, f"Upgraded token {token} has no scopes"
         _check_scopes_exist(token.scopes)
+
+    # make sure migrated roles are not managed or null
+    for role in db.query(orm.Role):
+        assert role.managed_by_auth is False
+    for assignment_table in orm._role_associations.values():
+        for assignment in db.query(assignment_table):
+            assert assignment.managed_by_auth is False