From 7637d7df453a6c570ed674207fc9c5bc74e28d03 Mon Sep 17 00:00:00 2001 From: Cory Hawklvelt Date: Wed, 28 Jan 2026 14:20:48 +1030 Subject: [PATCH] migrations --- migrations/versions/001_base.py | 357 ++++++++++++++++++ migrations/versions/002_add_totp_support.py | 53 +++ .../003_create_oidc_jwks_keys_table.py | 50 +++ migrations/versions/004_policies.py | 122 ++++++ ...7c5_add_application_wide_external_auth_.py | 69 ++++ migrations/versions/a4d4a17a5d15_.py | 86 +++++ 6 files changed, 737 insertions(+) create mode 100644 migrations/versions/001_base.py create mode 100644 migrations/versions/002_add_totp_support.py create mode 100644 migrations/versions/003_create_oidc_jwks_keys_table.py create mode 100644 migrations/versions/004_policies.py create mode 100644 migrations/versions/4edc2fce47c5_add_application_wide_external_auth_.py create mode 100644 migrations/versions/a4d4a17a5d15_.py diff --git a/migrations/versions/001_base.py b/migrations/versions/001_base.py new file mode 100644 index 0000000..3625854 --- /dev/null +++ b/migrations/versions/001_base.py @@ -0,0 +1,357 @@ +"""empty message + +Revision ID: 0abed208e728 +Revises: None +Create Date: 2026-01-11 16:07:05.491356 + +""" +from alembic import op +import sqlalchemy as sa + + +# revision identifiers, used by Alembic. +revision = '001' +down_revision = None +branch_labels = None +depends_on = None + + +def upgrade(): + # ### commands auto generated by Alembic - please adjust! ### + op.create_table('organizations', + sa.Column('name', sa.String(length=255), nullable=False), + sa.Column('slug', sa.String(length=255), nullable=False), + sa.Column('description', sa.Text(), nullable=True), + sa.Column('logo_url', sa.String(length=512), nullable=True), + sa.Column('is_active', sa.Boolean(), nullable=False), + sa.Column('settings', sa.JSON(), nullable=True), + sa.Column('id', sa.String(length=36), nullable=False), + sa.Column('created_at', sa.DateTime(), nullable=False), + sa.Column('updated_at', sa.DateTime(), nullable=False), + sa.Column('deleted_at', sa.DateTime(), nullable=True), + sa.PrimaryKeyConstraint('id'), + sa.UniqueConstraint('id') + ) + op.create_index(op.f('ix_organizations_slug'), 'organizations', ['slug'], unique=True) + op.create_table('users', + sa.Column('email', sa.String(length=255), nullable=False), + sa.Column('email_verified', sa.Boolean(), nullable=False), + sa.Column('full_name', sa.String(length=255), nullable=True), + sa.Column('avatar_url', sa.String(length=512), nullable=True), + sa.Column('status', sa.Enum('ACTIVE', 'INACTIVE', 'SUSPENDED', 'PENDING', name='userstatus'), nullable=False), + sa.Column('last_login_at', sa.DateTime(), nullable=True), + sa.Column('last_login_ip', sa.String(length=45), nullable=True), + sa.Column('id', sa.String(length=36), nullable=False), + sa.Column('created_at', sa.DateTime(), nullable=False), + sa.Column('updated_at', sa.DateTime(), nullable=False), + sa.Column('deleted_at', sa.DateTime(), nullable=True), + sa.PrimaryKeyConstraint('id'), + sa.UniqueConstraint('id') + ) + op.create_index(op.f('ix_users_email'), 'users', ['email'], unique=True) + op.create_index(op.f('ix_users_status'), 'users', ['status'], unique=False) + op.create_table('audit_logs', + sa.Column('user_id', sa.String(length=36), nullable=True), + sa.Column('action', sa.Enum('USER_LOGIN', 'USER_LOGOUT', 'USER_REGISTER', 'USER_UPDATE', 'USER_DELETE', 'PASSWORD_CHANGE', 'PASSWORD_RESET', 'ORG_CREATE', 'ORG_UPDATE', 'ORG_DELETE', 'ORG_MEMBER_ADD', 'ORG_MEMBER_REMOVE', 'ORG_MEMBER_ROLE_CHANGE', 'SESSION_CREATE', 'SESSION_REVOKE', 'AUTH_METHOD_ADD', 'AUTH_METHOD_REMOVE', name='auditaction'), nullable=False), + sa.Column('resource_type', sa.String(length=50), nullable=True), + sa.Column('resource_id', sa.String(length=36), nullable=True), + sa.Column('organization_id', sa.String(length=36), nullable=True), + sa.Column('ip_address', sa.String(length=45), nullable=True), + sa.Column('user_agent', sa.Text(), nullable=True), + sa.Column('request_id', sa.String(length=36), nullable=True), + sa.Column('extra_data', sa.JSON(), nullable=True), + sa.Column('description', sa.Text(), nullable=True), + sa.Column('success', sa.Boolean(), nullable=False), + sa.Column('error_message', sa.Text(), nullable=True), + sa.Column('id', sa.String(length=36), nullable=False), + sa.Column('created_at', sa.DateTime(), nullable=False), + sa.Column('updated_at', sa.DateTime(), nullable=False), + sa.Column('deleted_at', sa.DateTime(), nullable=True), + sa.ForeignKeyConstraint(['user_id'], ['users.id'], ), + sa.PrimaryKeyConstraint('id'), + sa.UniqueConstraint('id') + ) + op.create_index('idx_audit_org', 'audit_logs', ['organization_id', 'created_at'], unique=False) + op.create_index('idx_audit_resource', 'audit_logs', ['resource_type', 'resource_id'], unique=False) + op.create_index('idx_audit_user_action', 'audit_logs', ['user_id', 'action'], unique=False) + op.create_index(op.f('ix_audit_logs_action'), 'audit_logs', ['action'], unique=False) + op.create_index(op.f('ix_audit_logs_organization_id'), 'audit_logs', ['organization_id'], unique=False) + op.create_index(op.f('ix_audit_logs_request_id'), 'audit_logs', ['request_id'], unique=False) + op.create_index(op.f('ix_audit_logs_resource_id'), 'audit_logs', ['resource_id'], unique=False) + op.create_index(op.f('ix_audit_logs_resource_type'), 'audit_logs', ['resource_type'], unique=False) + op.create_index(op.f('ix_audit_logs_user_id'), 'audit_logs', ['user_id'], unique=False) + op.create_table('authentication_methods', + sa.Column('user_id', sa.String(length=36), nullable=False), + sa.Column('method_type', sa.Enum('PASSWORD', 'GOOGLE', 'GITHUB', 'MICROSOFT', 'SAML', 'OIDC', name='authmethodtype'), nullable=False), + sa.Column('password_hash', sa.String(length=255), nullable=True), + sa.Column('provider_user_id', sa.String(length=255), nullable=True), + sa.Column('provider_data', sa.JSON(), nullable=True), + sa.Column('is_primary', sa.Boolean(), nullable=False), + sa.Column('verified', sa.Boolean(), nullable=False), + sa.Column('last_used_at', sa.DateTime(), nullable=True), + sa.Column('id', sa.String(length=36), nullable=False), + sa.Column('created_at', sa.DateTime(), nullable=False), + sa.Column('updated_at', sa.DateTime(), nullable=False), + sa.Column('deleted_at', sa.DateTime(), nullable=True), + sa.ForeignKeyConstraint(['user_id'], ['users.id'], ), + sa.PrimaryKeyConstraint('id'), + sa.UniqueConstraint('id'), + sa.UniqueConstraint('user_id', 'method_type', 'provider_user_id', name='uix_user_method_provider') + ) + op.create_index('idx_user_method', 'authentication_methods', ['user_id', 'method_type'], unique=False) + op.create_index(op.f('ix_authentication_methods_method_type'), 'authentication_methods', ['method_type'], unique=False) + op.create_index(op.f('ix_authentication_methods_user_id'), 'authentication_methods', ['user_id'], unique=False) + op.create_table('oidc_clients', + sa.Column('organization_id', sa.String(length=36), nullable=False), + sa.Column('name', sa.String(length=255), nullable=False), + sa.Column('client_id', sa.String(length=255), nullable=False), + sa.Column('client_secret_hash', sa.String(length=255), nullable=False), + sa.Column('redirect_uris', sa.JSON(), nullable=False), + sa.Column('grant_types', sa.JSON(), nullable=False), + sa.Column('response_types', sa.JSON(), nullable=False), + sa.Column('scopes', sa.JSON(), nullable=False), + sa.Column('logo_uri', sa.String(length=512), nullable=True), + sa.Column('client_uri', sa.String(length=512), nullable=True), + sa.Column('policy_uri', sa.String(length=512), nullable=True), + sa.Column('tos_uri', sa.String(length=512), nullable=True), + sa.Column('is_active', sa.Boolean(), nullable=False), + sa.Column('is_confidential', sa.Boolean(), nullable=False), + sa.Column('require_pkce', sa.Boolean(), nullable=False), + sa.Column('access_token_lifetime', sa.Integer(), nullable=False), + sa.Column('refresh_token_lifetime', sa.Integer(), nullable=False), + sa.Column('id_token_lifetime', sa.Integer(), nullable=False), + sa.Column('id', sa.String(length=36), nullable=False), + sa.Column('created_at', sa.DateTime(), nullable=False), + sa.Column('updated_at', sa.DateTime(), nullable=False), + sa.Column('deleted_at', sa.DateTime(), nullable=True), + sa.ForeignKeyConstraint(['organization_id'], ['organizations.id'], ), + sa.PrimaryKeyConstraint('id'), + sa.UniqueConstraint('id') + ) + op.create_index(op.f('ix_oidc_clients_client_id'), 'oidc_clients', ['client_id'], unique=True) + op.create_index(op.f('ix_oidc_clients_organization_id'), 'oidc_clients', ['organization_id'], unique=False) + op.create_table('organization_members', + sa.Column('user_id', sa.String(length=36), nullable=False), + sa.Column('organization_id', sa.String(length=36), nullable=False), + sa.Column('role', sa.Enum('OWNER', 'ADMIN', 'MEMBER', 'GUEST', name='organizationrole'), nullable=False), + sa.Column('invited_by_id', sa.String(length=36), nullable=True), + sa.Column('invited_at', sa.DateTime(), nullable=True), + sa.Column('joined_at', sa.DateTime(), nullable=True), + sa.Column('id', sa.String(length=36), nullable=False), + sa.Column('created_at', sa.DateTime(), nullable=False), + sa.Column('updated_at', sa.DateTime(), nullable=False), + sa.Column('deleted_at', sa.DateTime(), nullable=True), + sa.ForeignKeyConstraint(['invited_by_id'], ['users.id'], ), + sa.ForeignKeyConstraint(['organization_id'], ['organizations.id'], ), + sa.ForeignKeyConstraint(['user_id'], ['users.id'], ), + sa.PrimaryKeyConstraint('id'), + sa.UniqueConstraint('id'), + sa.UniqueConstraint('user_id', 'organization_id', name='uix_user_org') + ) + op.create_index(op.f('ix_organization_members_organization_id'), 'organization_members', ['organization_id'], unique=False) + op.create_index(op.f('ix_organization_members_user_id'), 'organization_members', ['user_id'], unique=False) + op.create_table('sessions', + sa.Column('user_id', sa.String(length=36), nullable=False), + sa.Column('token', sa.String(length=255), nullable=False), + sa.Column('status', sa.Enum('ACTIVE', 'EXPIRED', 'REVOKED', name='sessionstatus'), nullable=False), + sa.Column('ip_address', sa.String(length=45), nullable=True), + sa.Column('user_agent', sa.Text(), nullable=True), + sa.Column('device_info', sa.JSON(), nullable=True), + sa.Column('expires_at', sa.DateTime(), nullable=False), + sa.Column('last_activity_at', sa.DateTime(), nullable=False), + sa.Column('revoked_at', sa.DateTime(), nullable=True), + sa.Column('revoked_reason', sa.String(length=255), nullable=True), + sa.Column('id', sa.String(length=36), nullable=False), + sa.Column('created_at', sa.DateTime(), nullable=False), + sa.Column('updated_at', sa.DateTime(), nullable=False), + sa.Column('deleted_at', sa.DateTime(), nullable=True), + sa.ForeignKeyConstraint(['user_id'], ['users.id'], ), + sa.PrimaryKeyConstraint('id'), + sa.UniqueConstraint('id') + ) + op.create_index(op.f('ix_sessions_token'), 'sessions', ['token'], unique=True) + op.create_index(op.f('ix_sessions_user_id'), 'sessions', ['user_id'], unique=False) + op.create_table('oidc_audit_logs', + sa.Column('event_type', sa.String(length=100), nullable=False), + sa.Column('client_id', sa.String(length=255), nullable=True), + sa.Column('user_id', sa.String(length=36), nullable=True), + sa.Column('success', sa.Boolean(), nullable=False), + sa.Column('error_code', sa.String(length=100), nullable=True), + sa.Column('error_description', sa.Text(), nullable=True), + sa.Column('ip_address', sa.String(length=45), nullable=True), + sa.Column('user_agent', sa.Text(), nullable=True), + sa.Column('request_id', sa.String(length=36), nullable=True), + sa.Column('event_metadata', sa.JSON(), nullable=True), + sa.Column('id', sa.String(length=36), nullable=False), + sa.Column('created_at', sa.DateTime(), nullable=False), + sa.Column('updated_at', sa.DateTime(), nullable=False), + sa.Column('deleted_at', sa.DateTime(), nullable=True), + sa.ForeignKeyConstraint(['client_id'], ['oidc_clients.id'], ), + sa.ForeignKeyConstraint(['user_id'], ['users.id'], ), + sa.PrimaryKeyConstraint('id'), + sa.UniqueConstraint('id') + ) + op.create_index(op.f('ix_oidc_audit_logs_client_id'), 'oidc_audit_logs', ['client_id'], unique=False) + op.create_index(op.f('ix_oidc_audit_logs_event_type'), 'oidc_audit_logs', ['event_type'], unique=False) + op.create_index(op.f('ix_oidc_audit_logs_ip_address'), 'oidc_audit_logs', ['ip_address'], unique=False) + op.create_index(op.f('ix_oidc_audit_logs_request_id'), 'oidc_audit_logs', ['request_id'], unique=False) + op.create_index(op.f('ix_oidc_audit_logs_success'), 'oidc_audit_logs', ['success'], unique=False) + op.create_index(op.f('ix_oidc_audit_logs_user_id'), 'oidc_audit_logs', ['user_id'], unique=False) + op.create_table('oidc_authorization_codes', + sa.Column('client_id', sa.String(length=255), nullable=False), + sa.Column('user_id', sa.String(length=36), nullable=False), + sa.Column('code_hash', sa.String(length=255), nullable=False), + sa.Column('redirect_uri', sa.String(length=512), nullable=False), + sa.Column('scope', sa.JSON(), nullable=True), + sa.Column('nonce', sa.String(length=255), nullable=True), + sa.Column('code_verifier', sa.String(length=255), nullable=True), + sa.Column('expires_at', sa.DateTime(), nullable=False), + sa.Column('used_at', sa.DateTime(), nullable=True), + sa.Column('is_used', sa.Boolean(), nullable=False), + sa.Column('ip_address', sa.String(length=45), nullable=True), + sa.Column('user_agent', sa.Text(), nullable=True), + sa.Column('id', sa.String(length=36), nullable=False), + sa.Column('created_at', sa.DateTime(), nullable=False), + sa.Column('updated_at', sa.DateTime(), nullable=False), + sa.Column('deleted_at', sa.DateTime(), nullable=True), + sa.ForeignKeyConstraint(['client_id'], ['oidc_clients.id'], ), + sa.ForeignKeyConstraint(['user_id'], ['users.id'], ), + sa.PrimaryKeyConstraint('id'), + sa.UniqueConstraint('id') + ) + op.create_index(op.f('ix_oidc_authorization_codes_client_id'), 'oidc_authorization_codes', ['client_id'], unique=False) + op.create_index(op.f('ix_oidc_authorization_codes_expires_at'), 'oidc_authorization_codes', ['expires_at'], unique=False) + op.create_index(op.f('ix_oidc_authorization_codes_user_id'), 'oidc_authorization_codes', ['user_id'], unique=False) + op.create_table('oidc_refresh_tokens', + sa.Column('client_id', sa.String(length=255), nullable=False), + sa.Column('user_id', sa.String(length=36), nullable=False), + sa.Column('token_hash', sa.String(length=255), nullable=False), + sa.Column('access_token_id', sa.String(length=36), nullable=True), + sa.Column('scope', sa.JSON(), nullable=True), + sa.Column('expires_at', sa.DateTime(), nullable=False), + sa.Column('revoked_at', sa.DateTime(), nullable=True), + sa.Column('revoked_reason', sa.String(length=255), nullable=True), + sa.Column('previous_token_hash', sa.String(length=255), nullable=True), + sa.Column('rotation_count', sa.Integer(), nullable=False), + sa.Column('ip_address', sa.String(length=45), nullable=True), + sa.Column('user_agent', sa.Text(), nullable=True), + sa.Column('id', sa.String(length=36), nullable=False), + sa.Column('created_at', sa.DateTime(), nullable=False), + sa.Column('updated_at', sa.DateTime(), nullable=False), + sa.Column('deleted_at', sa.DateTime(), nullable=True), + sa.ForeignKeyConstraint(['access_token_id'], ['sessions.id'], ), + sa.ForeignKeyConstraint(['client_id'], ['oidc_clients.id'], ), + sa.ForeignKeyConstraint(['user_id'], ['users.id'], ), + sa.PrimaryKeyConstraint('id'), + sa.UniqueConstraint('id') + ) + op.create_index(op.f('ix_oidc_refresh_tokens_access_token_id'), 'oidc_refresh_tokens', ['access_token_id'], unique=False) + op.create_index(op.f('ix_oidc_refresh_tokens_client_id'), 'oidc_refresh_tokens', ['client_id'], unique=False) + op.create_index(op.f('ix_oidc_refresh_tokens_expires_at'), 'oidc_refresh_tokens', ['expires_at'], unique=False) + op.create_index(op.f('ix_oidc_refresh_tokens_token_hash'), 'oidc_refresh_tokens', ['token_hash'], unique=True) + op.create_index(op.f('ix_oidc_refresh_tokens_user_id'), 'oidc_refresh_tokens', ['user_id'], unique=False) + op.create_table('oidc_sessions', + sa.Column('user_id', sa.String(length=36), nullable=False), + sa.Column('client_id', sa.String(length=255), nullable=False), + sa.Column('state', sa.String(length=255), nullable=False), + sa.Column('nonce', sa.String(length=255), nullable=True), + sa.Column('redirect_uri', sa.String(length=512), nullable=False), + sa.Column('scope', sa.JSON(), nullable=True), + sa.Column('code_challenge', sa.String(length=255), nullable=True), + sa.Column('code_challenge_method', sa.String(length=10), nullable=True), + sa.Column('expires_at', sa.DateTime(), nullable=False), + sa.Column('authenticated_at', sa.DateTime(), nullable=True), + sa.Column('id', sa.String(length=36), nullable=False), + sa.Column('created_at', sa.DateTime(), nullable=False), + sa.Column('updated_at', sa.DateTime(), nullable=False), + sa.Column('deleted_at', sa.DateTime(), nullable=True), + sa.ForeignKeyConstraint(['client_id'], ['oidc_clients.id'], ), + sa.ForeignKeyConstraint(['user_id'], ['users.id'], ), + sa.PrimaryKeyConstraint('id'), + sa.UniqueConstraint('id') + ) + op.create_index(op.f('ix_oidc_sessions_client_id'), 'oidc_sessions', ['client_id'], unique=False) + op.create_index(op.f('ix_oidc_sessions_expires_at'), 'oidc_sessions', ['expires_at'], unique=False) + op.create_index(op.f('ix_oidc_sessions_state'), 'oidc_sessions', ['state'], unique=False) + op.create_index(op.f('ix_oidc_sessions_user_id'), 'oidc_sessions', ['user_id'], unique=False) + op.create_table('oidc_token_metadata', + sa.Column('id', sa.String(length=36), nullable=False), + sa.Column('client_id', sa.String(length=255), nullable=False), + sa.Column('user_id', sa.String(length=36), nullable=False), + sa.Column('token_type', sa.String(length=50), nullable=False), + sa.Column('token_jti', sa.String(length=255), nullable=False), + sa.Column('expires_at', sa.DateTime(), nullable=False), + sa.Column('revoked_at', sa.DateTime(), nullable=True), + sa.Column('revoked_reason', sa.String(length=255), nullable=True), + sa.Column('created_at', sa.DateTime(), nullable=False), + sa.Column('updated_at', sa.DateTime(), nullable=False), + sa.Column('deleted_at', sa.DateTime(), nullable=True), + sa.ForeignKeyConstraint(['client_id'], ['oidc_clients.id'], ), + sa.ForeignKeyConstraint(['user_id'], ['users.id'], ), + sa.PrimaryKeyConstraint('id') + ) + op.create_index(op.f('ix_oidc_token_metadata_client_id'), 'oidc_token_metadata', ['client_id'], unique=False) + op.create_index(op.f('ix_oidc_token_metadata_expires_at'), 'oidc_token_metadata', ['expires_at'], unique=False) + op.create_index(op.f('ix_oidc_token_metadata_token_jti'), 'oidc_token_metadata', ['token_jti'], unique=False) + op.create_index(op.f('ix_oidc_token_metadata_user_id'), 'oidc_token_metadata', ['user_id'], unique=False) + # ### end Alembic commands ### + + +def downgrade(): + # ### commands auto generated by Alembic - please adjust! ### + op.drop_index(op.f('ix_oidc_token_metadata_user_id'), table_name='oidc_token_metadata') + op.drop_index(op.f('ix_oidc_token_metadata_token_jti'), table_name='oidc_token_metadata') + op.drop_index(op.f('ix_oidc_token_metadata_expires_at'), table_name='oidc_token_metadata') + op.drop_index(op.f('ix_oidc_token_metadata_client_id'), table_name='oidc_token_metadata') + op.drop_table('oidc_token_metadata') + op.drop_index(op.f('ix_oidc_sessions_user_id'), table_name='oidc_sessions') + op.drop_index(op.f('ix_oidc_sessions_state'), table_name='oidc_sessions') + op.drop_index(op.f('ix_oidc_sessions_expires_at'), table_name='oidc_sessions') + op.drop_index(op.f('ix_oidc_sessions_client_id'), table_name='oidc_sessions') + op.drop_table('oidc_sessions') + op.drop_index(op.f('ix_oidc_refresh_tokens_user_id'), table_name='oidc_refresh_tokens') + op.drop_index(op.f('ix_oidc_refresh_tokens_token_hash'), table_name='oidc_refresh_tokens') + op.drop_index(op.f('ix_oidc_refresh_tokens_expires_at'), table_name='oidc_refresh_tokens') + op.drop_index(op.f('ix_oidc_refresh_tokens_client_id'), table_name='oidc_refresh_tokens') + op.drop_index(op.f('ix_oidc_refresh_tokens_access_token_id'), table_name='oidc_refresh_tokens') + op.drop_table('oidc_refresh_tokens') + op.drop_index(op.f('ix_oidc_authorization_codes_user_id'), table_name='oidc_authorization_codes') + op.drop_index(op.f('ix_oidc_authorization_codes_expires_at'), table_name='oidc_authorization_codes') + op.drop_index(op.f('ix_oidc_authorization_codes_client_id'), table_name='oidc_authorization_codes') + op.drop_table('oidc_authorization_codes') + op.drop_index(op.f('ix_oidc_audit_logs_user_id'), table_name='oidc_audit_logs') + op.drop_index(op.f('ix_oidc_audit_logs_success'), table_name='oidc_audit_logs') + op.drop_index(op.f('ix_oidc_audit_logs_request_id'), table_name='oidc_audit_logs') + op.drop_index(op.f('ix_oidc_audit_logs_ip_address'), table_name='oidc_audit_logs') + op.drop_index(op.f('ix_oidc_audit_logs_event_type'), table_name='oidc_audit_logs') + op.drop_index(op.f('ix_oidc_audit_logs_client_id'), table_name='oidc_audit_logs') + op.drop_table('oidc_audit_logs') + op.drop_index(op.f('ix_sessions_user_id'), table_name='sessions') + op.drop_index(op.f('ix_sessions_token'), table_name='sessions') + op.drop_table('sessions') + op.drop_index(op.f('ix_organization_members_user_id'), table_name='organization_members') + op.drop_index(op.f('ix_organization_members_organization_id'), table_name='organization_members') + op.drop_table('organization_members') + op.drop_index(op.f('ix_oidc_clients_organization_id'), table_name='oidc_clients') + op.drop_index(op.f('ix_oidc_clients_client_id'), table_name='oidc_clients') + op.drop_table('oidc_clients') + op.drop_index(op.f('ix_authentication_methods_user_id'), table_name='authentication_methods') + op.drop_index(op.f('ix_authentication_methods_method_type'), table_name='authentication_methods') + op.drop_index('idx_user_method', table_name='authentication_methods') + op.drop_table('authentication_methods') + op.drop_index(op.f('ix_audit_logs_user_id'), table_name='audit_logs') + op.drop_index(op.f('ix_audit_logs_resource_type'), table_name='audit_logs') + op.drop_index(op.f('ix_audit_logs_resource_id'), table_name='audit_logs') + op.drop_index(op.f('ix_audit_logs_request_id'), table_name='audit_logs') + op.drop_index(op.f('ix_audit_logs_organization_id'), table_name='audit_logs') + op.drop_index(op.f('ix_audit_logs_action'), table_name='audit_logs') + op.drop_index('idx_audit_user_action', table_name='audit_logs') + op.drop_index('idx_audit_resource', table_name='audit_logs') + op.drop_index('idx_audit_org', table_name='audit_logs') + op.drop_table('audit_logs') + op.drop_index(op.f('ix_users_status'), table_name='users') + op.drop_index(op.f('ix_users_email'), table_name='users') + op.drop_table('users') + op.drop_index(op.f('ix_organizations_slug'), table_name='organizations') + op.drop_table('organizations') + # ### end Alembic commands ### diff --git a/migrations/versions/002_add_totp_support.py b/migrations/versions/002_add_totp_support.py new file mode 100644 index 0000000..3f01f31 --- /dev/null +++ b/migrations/versions/002_add_totp_support.py @@ -0,0 +1,53 @@ +"""Database migration: Add TOTP support to authentication_methods table. + +Revision ID: 002 +Revises: 0abed208e728 +Create Date: 2026-01-11 00:00:00 + +This migration adds TOTP (Time-based One-Time Password) support to the +authentication_methods table by adding three new columns: +- totp_secret: Stores the TOTP secret key +- totp_backup_codes: Stores backup codes for account recovery +- totp_verified_at: Tracks when TOTP was verified +""" + +from alembic import op +import sqlalchemy as sa +from sqlalchemy.dialects import postgresql + +# Revision identifiers +revision = '002' +down_revision = '001' +branch_labels = None +depends_on = None + + +def upgrade(): + """Add TOTP columns to authentication_methods table.""" + + # Add TOTP secret column + op.add_column( + 'authentication_methods', + sa.Column('totp_secret', sa.String(32), nullable=True) + ) + + # Add TOTP backup codes column (JSON type for PostgreSQL) + op.add_column( + 'authentication_methods', + sa.Column('totp_backup_codes', postgresql.JSON, nullable=True) + ) + + # Add TOTP verified at column + op.add_column( + 'authentication_methods', + sa.Column('totp_verified_at', sa.DateTime, nullable=True) + ) + + +def downgrade(): + """Remove TOTP columns from authentication_methods table.""" + + # Remove TOTP columns in reverse order of addition + op.drop_column('authentication_methods', 'totp_verified_at') + op.drop_column('authentication_methods', 'totp_backup_codes') + op.drop_column('authentication_methods', 'totp_secret') diff --git a/migrations/versions/003_create_oidc_jwks_keys_table.py b/migrations/versions/003_create_oidc_jwks_keys_table.py new file mode 100644 index 0000000..2ad89b0 --- /dev/null +++ b/migrations/versions/003_create_oidc_jwks_keys_table.py @@ -0,0 +1,50 @@ +"""Database migration: Create oidc_jwks_keys table. + +Revision ID: 002 +Revises: 001 +Create Date: 2024-01-01 00:00:00 + +This migration creates the oidc_jwks_keys table for persisting OIDC signing keys. +""" + +from alembic import op +import sqlalchemy as sa + +# Revision identifiers +revision = '003' +down_revision = '002' +branch_labels = None +depends_on = None + + +def upgrade(): + """Create oidc_jwks_keys table.""" + + op.create_table( + 'oidc_jwks_keys', + sa.Column('id', sa.Integer, primary_key=True), + sa.Column('created_at', sa.DateTime, nullable=False), + sa.Column('updated_at', sa.DateTime, nullable=False), + sa.Column('expires_at', sa.DateTime, nullable=True), + sa.Column('deleted_at', sa.DateTime, nullable=True), + sa.Column('kid', sa.String(255), nullable=False), + sa.Column('key_type', sa.String(50), nullable=False), + sa.Column('private_key', sa.Text, nullable=False), + sa.Column('public_key', sa.Text, nullable=False), + sa.Column('algorithm', sa.String(50), nullable=False), + sa.Column('is_active', sa.Boolean, default=True, nullable=False), + sa.Column('is_primary', sa.Boolean, default=False, nullable=False), + ) + + # Create unique index on kid + op.create_index('ix_oidc_jwks_keys_kid', 'oidc_jwks_keys', ['kid'], unique=True) + + # Create index on is_active for filtering active keys + op.create_index('ix_oidc_jwks_keys_is_active', 'oidc_jwks_keys', ['is_active']) + + +def downgrade(): + """Drop oidc_jwks_keys table.""" + op.drop_index('ix_oidc_jwks_keys_is_active', table_name='oidc_jwks_keys') + op.drop_index('ix_oidc_jwks_keys_kid', table_name='oidc_jwks_keys') + op.drop_table('oidc_jwks_keys') \ No newline at end of file diff --git a/migrations/versions/004_policies.py b/migrations/versions/004_policies.py new file mode 100644 index 0000000..476d3bd --- /dev/null +++ b/migrations/versions/004_policies.py @@ -0,0 +1,122 @@ +"""empty message + +Revision ID: 5d99e6d4cdc6 +Revises: 003 +Create Date: 2026-01-16 15:31:36.288933 + +""" +from alembic import op +import sqlalchemy as sa + + +# revision identifiers, used by Alembic. +revision = '004' +down_revision = '003' +branch_labels = None +depends_on = None + + +def upgrade(): + # ### commands auto generated by Alembic - please adjust! ### + op.create_table('mfa_policy_compliance', + sa.Column('user_id', sa.String(length=36), nullable=False), + sa.Column('organization_id', sa.String(length=36), nullable=False), + sa.Column('status', sa.Enum('NOT_APPLICABLE', 'PENDING', 'IN_GRACE', 'COMPLIANT', 'PAST_DUE', 'SUSPENDED', name='mfacompliancestatus'), nullable=False), + sa.Column('policy_version', sa.Integer(), nullable=False), + sa.Column('applied_at', sa.DateTime(), nullable=True), + sa.Column('deadline_at', sa.DateTime(), nullable=True), + sa.Column('compliant_at', sa.DateTime(), nullable=True), + sa.Column('suspended_at', sa.DateTime(), nullable=True), + sa.Column('last_notified_at', sa.DateTime(), nullable=True), + sa.Column('notification_count', sa.Integer(), nullable=False), + sa.Column('id', sa.String(length=36), nullable=False), + sa.Column('created_at', sa.DateTime(), nullable=False), + sa.Column('updated_at', sa.DateTime(), nullable=False), + sa.Column('deleted_at', sa.DateTime(), nullable=True), + sa.ForeignKeyConstraint(['organization_id'], ['organizations.id'], ), + sa.ForeignKeyConstraint(['user_id'], ['users.id'], ), + sa.PrimaryKeyConstraint('id'), + sa.UniqueConstraint('id'), + sa.UniqueConstraint('user_id', 'organization_id', name='uix_user_org_compliance') + ) + op.create_index(op.f('ix_mfa_policy_compliance_organization_id'), 'mfa_policy_compliance', ['organization_id'], unique=False) + op.create_index(op.f('ix_mfa_policy_compliance_user_id'), 'mfa_policy_compliance', ['user_id'], unique=False) + op.create_table('organization_security_policies', + sa.Column('organization_id', sa.String(length=36), nullable=False), + sa.Column('mfa_policy_mode', sa.Enum('DISABLED', 'OPTIONAL', 'REQUIRE_TOTP', 'REQUIRE_WEBAUTHN', 'REQUIRE_TOTP_OR_WEBAUTHN', name='mfapolicymode'), nullable=False), + sa.Column('mfa_grace_period_days', sa.Integer(), nullable=False), + sa.Column('notify_days_before', sa.Integer(), nullable=False), + sa.Column('policy_version', sa.Integer(), nullable=False), + sa.Column('updated_by_user_id', sa.String(length=36), nullable=True), + sa.Column('id', sa.String(length=36), nullable=False), + sa.Column('created_at', sa.DateTime(), nullable=False), + sa.Column('updated_at', sa.DateTime(), nullable=False), + sa.Column('deleted_at', sa.DateTime(), nullable=True), + sa.ForeignKeyConstraint(['organization_id'], ['organizations.id'], ), + sa.ForeignKeyConstraint(['updated_by_user_id'], ['users.id'], ), + sa.PrimaryKeyConstraint('id'), + sa.UniqueConstraint('id') + ) + op.create_index(op.f('ix_organization_security_policies_organization_id'), 'organization_security_policies', ['organization_id'], unique=True) + op.create_table('user_security_policies', + sa.Column('user_id', sa.String(length=36), nullable=False), + sa.Column('organization_id', sa.String(length=36), nullable=False), + sa.Column('mfa_override_mode', sa.Enum('INHERIT', 'REQUIRED', 'EXEMPT', name='mfarequirementoverride'), nullable=False), + sa.Column('force_totp', sa.Boolean(), nullable=False), + sa.Column('force_webauthn', sa.Boolean(), nullable=False), + sa.Column('id', sa.String(length=36), nullable=False), + sa.Column('created_at', sa.DateTime(), nullable=False), + sa.Column('updated_at', sa.DateTime(), nullable=False), + sa.Column('deleted_at', sa.DateTime(), nullable=True), + sa.ForeignKeyConstraint(['organization_id'], ['organizations.id'], ), + sa.ForeignKeyConstraint(['user_id'], ['users.id'], ), + sa.PrimaryKeyConstraint('id'), + sa.UniqueConstraint('id'), + sa.UniqueConstraint('user_id', 'organization_id', name='uix_user_org_policy') + ) + op.create_index(op.f('ix_user_security_policies_organization_id'), 'user_security_policies', ['organization_id'], unique=False) + op.create_index(op.f('ix_user_security_policies_user_id'), 'user_security_policies', ['user_id'], unique=False) + + # Use batch operations for SQLite-compatible column type changes + with op.batch_alter_table('audit_logs', schema=None) as batch_op: + batch_op.alter_column('action', + existing_type=sa.VARCHAR(length=22), + type_=sa.Enum('USER_LOGIN', 'USER_LOGOUT', 'USER_REGISTER', 'USER_UPDATE', 'USER_DELETE', 'PASSWORD_CHANGE', 'PASSWORD_RESET', 'ORG_CREATE', 'ORG_UPDATE', 'ORG_DELETE', 'ORG_MEMBER_ADD', 'ORG_MEMBER_REMOVE', 'ORG_MEMBER_ROLE_CHANGE', 'SESSION_CREATE', 'SESSION_REVOKE', 'AUTH_METHOD_ADD', 'AUTH_METHOD_REMOVE', 'TOTP_ENROLL_INITIATED', 'TOTP_ENROLL_COMPLETED', 'TOTP_VERIFY_SUCCESS', 'TOTP_VERIFY_FAILED', 'TOTP_DISABLED', 'TOTP_BACKUP_CODE_USED', 'TOTP_BACKUP_CODES_REGENERATED', 'WEBAUTHN_REGISTER_INITIATED', 'WEBAUTHN_REGISTER_COMPLETED', 'WEBAUTHN_REGISTER_FAILED', 'WEBAUTHN_LOGIN_INITIATED', 'WEBAUTHN_LOGIN_SUCCESS', 'WEBAUTHN_LOGIN_FAILED', 'WEBAUTHN_CREDENTIAL_DELETED', 'WEBAUTHN_CREDENTIAL_RENAMED', 'ORG_SECURITY_POLICY_UPDATE', 'USER_SECURITY_POLICY_OVERRIDE_UPDATE', 'MFA_POLICY_USER_SUSPENDED', 'MFA_POLICY_USER_COMPLIANT', name='auditaction'), + existing_nullable=False) + + op.drop_index(op.f('ix_oidc_jwks_keys_is_active'), table_name='oidc_jwks_keys') + op.add_column('sessions', sa.Column('is_compliance_only', sa.Boolean(), nullable=False)) + + with op.batch_alter_table('users', schema=None) as batch_op: + batch_op.alter_column('status', + existing_type=sa.VARCHAR(length=9), + type_=sa.Enum('ACTIVE', 'INACTIVE', 'SUSPENDED', 'PENDING', 'COMPLIANCE_SUSPENDED', name='userstatus'), + existing_nullable=False) + # ### end Alembic commands ### + + +def downgrade(): + # ### commands auto generated by Alembic - please adjust! ### + with op.batch_alter_table('users', schema=None) as batch_op: + batch_op.alter_column('status', + existing_type=sa.Enum('ACTIVE', 'INACTIVE', 'SUSPENDED', 'PENDING', 'COMPLIANCE_SUSPENDED', name='userstatus'), + type_=sa.VARCHAR(length=9), + existing_nullable=False) + op.drop_column('sessions', 'is_compliance_only') + op.create_index(op.f('ix_oidc_jwks_keys_is_active'), 'oidc_jwks_keys', ['is_active'], unique=False) + + with op.batch_alter_table('audit_logs', schema=None) as batch_op: + batch_op.alter_column('action', + existing_type=sa.Enum('USER_LOGIN', 'USER_LOGOUT', 'USER_REGISTER', 'USER_UPDATE', 'USER_DELETE', 'PASSWORD_CHANGE', 'PASSWORD_RESET', 'ORG_CREATE', 'ORG_UPDATE', 'ORG_DELETE', 'ORG_MEMBER_ADD', 'ORG_MEMBER_REMOVE', 'ORG_MEMBER_ROLE_CHANGE', 'SESSION_CREATE', 'SESSION_REVOKE', 'AUTH_METHOD_ADD', 'AUTH_METHOD_REMOVE', 'TOTP_ENROLL_INITIATED', 'TOTP_ENROLL_COMPLETED', 'TOTP_VERIFY_SUCCESS', 'TOTP_VERIFY_FAILED', 'TOTP_DISABLED', 'TOTP_BACKUP_CODE_USED', 'TOTP_BACKUP_CODES_REGENERATED', 'WEBAUTHN_REGISTER_INITIATED', 'WEBAUTHN_REGISTER_COMPLETED', 'WEBAUTHN_REGISTER_FAILED', 'WEBAUTHN_LOGIN_INITIATED', 'WEBAUTHN_LOGIN_SUCCESS', 'WEBAUTHN_LOGIN_FAILED', 'WEBAUTHN_CREDENTIAL_DELETED', 'WEBAUTHN_CREDENTIAL_RENAMED', 'ORG_SECURITY_POLICY_UPDATE', 'USER_SECURITY_POLICY_OVERRIDE_UPDATE', 'MFA_POLICY_USER_SUSPENDED', 'MFA_POLICY_USER_COMPLIANT', name='auditaction'), + type_=sa.VARCHAR(length=22), + existing_nullable=False) + + op.drop_index(op.f('ix_user_security_policies_user_id'), table_name='user_security_policies') + op.drop_index(op.f('ix_user_security_policies_organization_id'), table_name='user_security_policies') + op.drop_table('user_security_policies') + op.drop_index(op.f('ix_organization_security_policies_organization_id'), table_name='organization_security_policies') + op.drop_table('organization_security_policies') + op.drop_index(op.f('ix_mfa_policy_compliance_user_id'), table_name='mfa_policy_compliance') + op.drop_index(op.f('ix_mfa_policy_compliance_organization_id'), table_name='mfa_policy_compliance') + op.drop_table('mfa_policy_compliance') + # ### end Alembic commands ### \ No newline at end of file diff --git a/migrations/versions/4edc2fce47c5_add_application_wide_external_auth_.py b/migrations/versions/4edc2fce47c5_add_application_wide_external_auth_.py new file mode 100644 index 0000000..38f2cc1 --- /dev/null +++ b/migrations/versions/4edc2fce47c5_add_application_wide_external_auth_.py @@ -0,0 +1,69 @@ +"""Add application-wide external auth provider config tables + +Revision ID: 4edc2fce47c5 +Revises: a4d4a17a5d15 +Create Date: 2026-01-20 16:02:34.196815 + +""" +from alembic import op +import sqlalchemy as sa + + +# revision identifiers, used by Alembic. +revision = '4edc2fce47c5' +down_revision = 'a4d4a17a5d15' +branch_labels = None +depends_on = None + + +def upgrade(): + # ### commands auto generated by Alembic - please adjust! ### + op.create_table('application_provider_configs', + sa.Column('provider_type', sa.String(length=50), nullable=False), + sa.Column('client_id', sa.String(length=255), nullable=False), + sa.Column('client_secret_encrypted', sa.String(length=512), nullable=True), + sa.Column('is_enabled', sa.Boolean(), nullable=False), + sa.Column('default_redirect_url', sa.String(length=2048), nullable=True), + sa.Column('additional_config', sa.JSON(), nullable=True), + sa.Column('id', sa.String(length=36), nullable=False), + sa.Column('created_at', sa.DateTime(), nullable=False), + sa.Column('updated_at', sa.DateTime(), nullable=False), + sa.Column('deleted_at', sa.DateTime(), nullable=True), + sa.PrimaryKeyConstraint('id'), + sa.UniqueConstraint('id') + ) + op.create_index(op.f('ix_application_provider_configs_provider_type'), 'application_provider_configs', ['provider_type'], unique=True) + op.create_table('organization_provider_overrides', + sa.Column('organization_id', sa.String(length=36), nullable=False), + sa.Column('provider_type', sa.String(length=50), nullable=False), + sa.Column('client_id', sa.String(length=255), nullable=True), + sa.Column('client_secret_encrypted', sa.String(length=512), nullable=True), + sa.Column('is_enabled', sa.Boolean(), nullable=False), + sa.Column('redirect_url_override', sa.String(length=2048), nullable=True), + sa.Column('additional_config', sa.JSON(), nullable=True), + sa.Column('id', sa.String(length=36), nullable=False), + sa.Column('created_at', sa.DateTime(), nullable=False), + sa.Column('updated_at', sa.DateTime(), nullable=False), + sa.Column('deleted_at', sa.DateTime(), nullable=True), + sa.ForeignKeyConstraint(['organization_id'], ['organizations.id'], ), + sa.PrimaryKeyConstraint('id'), + sa.UniqueConstraint('id'), + sa.UniqueConstraint('organization_id', 'provider_type', name='uix_org_provider_type') + ) + op.create_index(op.f('ix_organization_provider_overrides_organization_id'), 'organization_provider_overrides', ['organization_id'], unique=False) + op.create_index(op.f('ix_organization_provider_overrides_provider_type'), 'organization_provider_overrides', ['provider_type'], unique=False) + op.add_column('oauth_states', sa.Column('return_url', sa.String(length=2048), nullable=True)) + op.drop_index(op.f('ix_oauth_states_user_id'), table_name='oauth_states') + # ### end Alembic commands ### + + +def downgrade(): + # ### commands auto generated by Alembic - please adjust! ### + op.create_index(op.f('ix_oauth_states_user_id'), 'oauth_states', ['user_id'], unique=False) + op.drop_column('oauth_states', 'return_url') + op.drop_index(op.f('ix_organization_provider_overrides_provider_type'), table_name='organization_provider_overrides') + op.drop_index(op.f('ix_organization_provider_overrides_organization_id'), table_name='organization_provider_overrides') + op.drop_table('organization_provider_overrides') + op.drop_index(op.f('ix_application_provider_configs_provider_type'), table_name='application_provider_configs') + op.drop_table('application_provider_configs') + # ### end Alembic commands ### diff --git a/migrations/versions/a4d4a17a5d15_.py b/migrations/versions/a4d4a17a5d15_.py new file mode 100644 index 0000000..31014aa --- /dev/null +++ b/migrations/versions/a4d4a17a5d15_.py @@ -0,0 +1,86 @@ +"""empty message + +Revision ID: a4d4a17a5d15 +Revises: 004 +Create Date: 2026-01-20 14:30:36.898886 + +""" +from alembic import op +import sqlalchemy as sa + + +# revision identifiers, used by Alembic. +revision = 'a4d4a17a5d15' +down_revision = '004' +branch_labels = None +depends_on = None + + +def upgrade(): + # ### commands auto generated by Alembic - please adjust! ### + op.create_table('external_provider_configs', + sa.Column('organization_id', sa.String(length=36), nullable=False), + sa.Column('provider_type', sa.String(length=50), nullable=False), + sa.Column('client_id', sa.String(length=255), nullable=False), + sa.Column('client_secret_encrypted', sa.String(length=512), nullable=True), + sa.Column('auth_url', sa.String(length=2048), nullable=False), + sa.Column('token_url', sa.String(length=2048), nullable=False), + sa.Column('userinfo_url', sa.String(length=2048), nullable=True), + sa.Column('jwks_url', sa.String(length=2048), nullable=True), + sa.Column('scopes', sa.JSON(), nullable=False), + sa.Column('redirect_uris', sa.JSON(), nullable=False), + sa.Column('settings', sa.JSON(), nullable=True), + sa.Column('is_active', sa.Boolean(), nullable=False), + sa.Column('id', sa.String(length=36), nullable=False), + sa.Column('created_at', sa.DateTime(), nullable=False), + sa.Column('updated_at', sa.DateTime(), nullable=False), + sa.Column('deleted_at', sa.DateTime(), nullable=True), + sa.ForeignKeyConstraint(['organization_id'], ['organizations.id'], ), + sa.PrimaryKeyConstraint('id'), + sa.UniqueConstraint('id'), + sa.UniqueConstraint('organization_id', 'provider_type', name='uix_org_provider_type') + ) + op.create_index('idx_provider_config_org', 'external_provider_configs', ['organization_id', 'provider_type'], unique=False) + op.create_index(op.f('ix_external_provider_configs_organization_id'), 'external_provider_configs', ['organization_id'], unique=False) + op.create_index(op.f('ix_external_provider_configs_provider_type'), 'external_provider_configs', ['provider_type'], unique=False) + op.create_table('oauth_states', + sa.Column('state', sa.String(length=64), nullable=False), + sa.Column('flow_type', sa.String(length=50), nullable=False), + sa.Column('user_id', sa.String(length=36), nullable=True), + sa.Column('organization_id', sa.String(length=36), nullable=True), + sa.Column('provider_type', sa.String(length=50), nullable=False), + sa.Column('nonce', sa.String(length=128), nullable=True), + sa.Column('code_verifier', sa.String(length=128), nullable=True), + sa.Column('code_challenge', sa.String(length=128), nullable=True), + sa.Column('redirect_uri', sa.String(length=2048), nullable=True), + sa.Column('extra_data', sa.JSON(), nullable=True), + sa.Column('expires_at', sa.DateTime(), nullable=False), + sa.Column('used', sa.Boolean(), nullable=False), + sa.Column('id', sa.String(length=36), nullable=False), + sa.Column('created_at', sa.DateTime(), nullable=False), + sa.Column('updated_at', sa.DateTime(), nullable=False), + sa.Column('deleted_at', sa.DateTime(), nullable=True), + sa.ForeignKeyConstraint(['organization_id'], ['organizations.id'], ), + sa.ForeignKeyConstraint(['user_id'], ['users.id'], ), + sa.PrimaryKeyConstraint('id'), + sa.UniqueConstraint('id') + ) + op.create_index(op.f('ix_oauth_states_expires_at'), 'oauth_states', ['expires_at'], unique=False) + op.create_index(op.f('ix_oauth_states_organization_id'), 'oauth_states', ['organization_id'], unique=False) + op.create_index(op.f('ix_oauth_states_state'), 'oauth_states', ['state'], unique=True) + op.create_index(op.f('ix_oauth_states_user_id'), 'oauth_states', ['user_id'], unique=False) + # ### end Alembic commands ### + + +def downgrade(): + # ### commands auto generated by Alembic - please adjust! ### + op.drop_index(op.f('ix_oauth_states_user_id'), table_name='oauth_states') + op.drop_index(op.f('ix_oauth_states_state'), table_name='oauth_states') + op.drop_index(op.f('ix_oauth_states_organization_id'), table_name='oauth_states') + op.drop_index(op.f('ix_oauth_states_expires_at'), table_name='oauth_states') + op.drop_table('oauth_states') + op.drop_index(op.f('ix_external_provider_configs_provider_type'), table_name='external_provider_configs') + op.drop_index(op.f('ix_external_provider_configs_organization_id'), table_name='external_provider_configs') + op.drop_index('idx_provider_config_org', table_name='external_provider_configs') + op.drop_table('external_provider_configs') + # ### end Alembic commands ###