don't allow null in managed_by_auth

2025-10-15 05:53:00 +00:00 · 2024-04-15 10:55:46 +02:00
parent d5e9e3a632
commit ce74fdf0a3
3 changed files with 24 additions and 3 deletions
--- a/jupyterhub/alembic/versions/4621fec11365_manage_roles.py
+++ b/jupyterhub/alembic/versions/4621fec11365_manage_roles.py
@@ -22,9 +22,23 @@ def upgrade():
    for table in ['group_role_map', 'roles', 'service_role_map', 'user_role_map']:
        if table not in tables:
            continue
-        op.add_column(table, sa.Column('managed_by_auth', sa.Boolean(), nullable=True))
+        # create column and assign existing rows with False
+        # since they are not managed
+        op.add_column(
+            table,
+            sa.Column(
+                'managed_by_auth',
+                sa.Boolean(),
+                server_default=sa.sql.False_(),
+                nullable=False,
+            ),
+        )


 def downgrade():
+    engine = op.get_bind().engine
+    tables = sa.inspect(engine).get_table_names()
    for table in ['group_role_map', 'roles', 'service_role_map', 'user_role_map']:
+        if table not in tables:
+            continue
        op.drop_column(table, 'managed_by_auth')
--- a/jupyterhub/orm.py
+++ b/jupyterhub/orm.py
@@ -183,7 +183,7 @@ for entity in (
            ForeignKey('roles.id', ondelete='CASCADE'),
            primary_key=True,
        ),
-        Column('managed_by_auth', Boolean, default=False),
+        Column('managed_by_auth', Boolean, default=False, nullable=False),
    )

    _role_associations[entity] = type(
@@ -206,7 +206,7 @@ class Role(Base):
    )
    groups = relationship('Group', secondary='group_role_map', back_populates='roles')

-    managed_by_auth = Column(Boolean, default=False)
+    managed_by_auth = Column(Boolean, default=False, nullable=False)

    def __repr__(self):
        return f"<{self.__class__.__name__} {self.name} ({self.description}) - scopes: {self.scopes}>"
--- a/jupyterhub/tests/test_db.py
+++ b/jupyterhub/tests/test_db.py
@@ -92,3 +92,10 @@ async def test_upgrade(tmpdir, hub_version):
    for token in query:
        assert token.scopes, f"Upgraded token {token} has no scopes"
        _check_scopes_exist(token.scopes)
+
+    # make sure migrated roles are not managed or null
+    for role in db.query(orm.Role):
+        assert role.managed_by_auth is False
+    for assignment_table in orm._role_associations.values():
+        for assignment in db.query(assignment_table):
+            assert assignment.managed_by_auth is False