From 555746e7715e011f51d1b908fb39f57fbc8ca91e Mon Sep 17 00:00:00 2001
From: James Elliott
Date: Mon, 25 Apr 2022 21:11:56 +1000
Subject: [PATCH] refactor: exclude id from sqlite3 migration (#3242)

* refactor: exclude id from sqlite3 table recreate

* docs: add migration docs
---
 docs/configuration/storage/migrations.md | 15 +++++------
 .../V0005.ConsentSubjectNULL.mysql.up.sql | 1 +
 .../V0005.ConsentSubjectNULL.postgres.up.sql | 1 +
 .../V0005.ConsentSubjectNULL.sqlite.up.sql | 25 ++++++++++---------
 4 files changed, 23 insertions(+), 19 deletions(-)

diff --git a/docs/configuration/storage/migrations.md b/docs/configuration/storage/migrations.md
index 4d9787f82..6666fedb2 100644
--- a/docs/configuration/storage/migrations.md
+++ b/docs/configuration/storage/migrations.md
@@ -18,10 +18,11 @@ This means all Authelia versions between two schema versions use the first schem
 For example for version pre1, it is used for all versions between it and the version 1 schema, so 4.0.0 to 4.32.2. In this instance if you wanted to downgrade to pre1 you would need to use an Authelia binary with version 4.33.0 or higher.
 
-| Schema Version | Authelia Version | Notes |
-|:--------------:|:----------------:|:-------------------------------------------------------------------------------------------------:|
-| pre1 | 4.0.0 | Downgrading to this version requires you use the --pre1 flag |
-| 1 | 4.33.0 | Initial migration managed version |
-| 2 | 4.34.0 | Webauthn - added webauthn_devices table, altered totp_config to include device created/used dates |
-| 3 | 4.34.2 | Webauthn - fix V2 migration kid column length and provide migration path for anyone on V2 |
-| 4 | 4.35.0 | Added OpenID Connect storage tables and opaque user identifier tables |
+| Schema Version | Authelia Version | Notes |
+|:--------------:|:----------------:|:--------------------------------------------------------------------------------------------------:|
+| pre1 | 4.0.0 | Downgrading to this version requires you use the --pre1 flag |
+| 1 | 4.33.0 | Initial migration managed version |
+| 2 | 4.34.0 | Webauthn - added webauthn_devices table, altered totp_config to include device created/used dates |
+| 3 | 4.34.2 | Webauthn - fix V2 migration kid column length and provide migration path for anyone on V2 |
+| 4 | 4.35.0 | Added OpenID Connect storage tables and opaque user identifier tables |
+| 5 | 4.35.1 | Fixed the oauth2_consent_session table to accept NULL subjects for users who are not yet signed in |
 
diff --git a/internal/storage/migrations/V0005.ConsentSubjectNULL.mysql.up.sql b/internal/storage/migrations/V0005.ConsentSubjectNULL.mysql.up.sql
index 657db06b2..72399fa12 100644
--- a/internal/storage/migrations/V0005.ConsentSubjectNULL.mysql.up.sql
+++ b/internal/storage/migrations/V0005.ConsentSubjectNULL.mysql.up.sql
@@ -1,5 +1,6 @@
 DELETE FROM oauth2_consent_session WHERE subject IN(SELECT identifier FROM user_opaque_identifier WHERE username = '' AND service IN('openid', 'openid_connect'));
 DELETE FROM user_opaque_identifier WHERE username = '' AND service IN('openid', 'openid_connect');
+DELETE FROM user_opaque_identifier WHERE service <> 'openid';
 
 ALTER TABLE oauth2_consent_session MODIFY subject CHAR(36) NULL DEFAULT NULL;
 ALTER TABLE oauth2_consent_session DROP FOREIGN KEY oauth2_consent_subject_fkey,
diff --git a/internal/storage/migrations/V0005.ConsentSubjectNULL.postgres.up.sql b/internal/storage/migrations/V0005.ConsentSubjectNULL.postgres.up.sql
index 50cc4d22a..b68f381be 100644
--- a/internal/storage/migrations/V0005.ConsentSubjectNULL.postgres.up.sql
+++ b/internal/storage/migrations/V0005.ConsentSubjectNULL.postgres.up.sql
@@ -1,5 +1,6 @@
 DELETE FROM oauth2_consent_session WHERE subject IN(SELECT identifier FROM user_opaque_identifier WHERE username = '' AND service IN('openid', 'openid_connect'));
 DELETE FROM user_opaque_identifier WHERE username = '' AND service IN('openid', 'openid_connect');
+DELETE FROM user_opaque_identifier WHERE service <> 'openid';
 ALTER TABLE oauth2_consent_session ALTER COLUMN subject DROP NOT NULL;
 ALTER TABLE oauth2_consent_session ALTER COLUMN subject SET DEFAULT NULL;
 ALTER TABLE oauth2_consent_session RENAME CONSTRAINT oauth2_consent_subject_fkey TO oauth2_consent_session_subject_fkey;
diff --git a/internal/storage/migrations/V0005.ConsentSubjectNULL.sqlite.up.sql b/internal/storage/migrations/V0005.ConsentSubjectNULL.sqlite.up.sql
index 8f0a08f01..a40a79c2e 100644
--- a/internal/storage/migrations/V0005.ConsentSubjectNULL.sqlite.up.sql
+++ b/internal/storage/migrations/V0005.ConsentSubjectNULL.sqlite.up.sql
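Review bot: The added `DELETE FROM user_opaque_identifier WHERE service <> 'openid';` can remove identifiers that `oauth2_consent_session.subject` still references, because the consent-session cleanup on line 1 only covers identifiers with `username = ''`, while this statement also drops `openid_connect` identifiers with a real username. In this MySQL file the `oauth2_consent_subject_fkey` foreign key is still present at that point (the ALTER that drops it comes a few lines below), so if such a referencing consent row exists the DELETE would presumably fail on the constraint rather than clean up; the Postgres hunk in this commit and the first sqlite hunk place the statement in the same position. I would make the first statement remove exactly the consent sessions whose identifiers are about to go, `DELETE FROM oauth2_consent_session WHERE subject IN(SELECT identifier FROM user_opaque_identifier WHERE (username = '' AND service = 'openid') OR service <> 'openid');`, which is the union of what the two identifier deletes remove. A one-line comment above the new statement saying why identifiers of every other service are discarded would also help, since the commit message does not mention this line.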
@@ -4,6 +4,7 @@ BEGIN TRANSACTION;
 
 DELETE FROM oauth2_consent_session WHERE subject IN(SELECT identifier FROM user_opaque_identifier WHERE username = '' AND service IN('openid', 'openid_connect'));
 DELETE FROM user_opaque_identifier WHERE username = '' AND service IN('openid', 'openid_connect');
+DELETE FROM user_opaque_identifier WHERE service <> 'openid';
 
 ALTER TABLE oauth2_consent_session RENAME TO _bkp_UP_V0005_oauth2_consent_session;
 
@@ -28,8 +29,8 @@ CREATE TABLE IF NOT EXISTS oauth2_consent_session (
 REFERENCES user_opaque_identifier(identifier) ON UPDATE RESTRICT ON DELETE RESTRICT
 );
 
-INSERT INTO oauth2_consent_session (id, challenge_id, client_id, subject, authorized, granted, requested_at, responded_at, expires_at, form_data, requested_scopes, granted_scopes, requested_audience, granted_audience)
-SELECT id, challenge_id, client_id, subject, authorized, granted, requested_at, responded_at, expires_at, form_data, requested_scopes, granted_scopes, requested_audience, granted_audience
+INSERT INTO oauth2_consent_session (challenge_id, client_id, subject, authorized, granted, requested_at, responded_at, expires_at, form_data, requested_scopes, granted_scopes, requested_audience, granted_audience)
+SELECT challenge_id, client_id, subject, authorized, granted, requested_at, responded_at, expires_at, form_data, requested_scopes, granted_scopes, requested_audience, granted_audience
 FROM _bkp_UP_V0005_oauth2_consent_session
 ORDER BY id;
 
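Review bot: Omitting `id` from the INSERT ... SELECT into the recreated `oauth2_consent_session` means every copied row gets a newly assigned `id`; `ORDER BY id` preserves the relative order but not the values, so anything that stored one of the old ids would silently refer to a different row after the migration (the new table's `id` definition is outside this hunk, so the reassignment is inferred from the column being left out). The same change is made in the five following hunks for `oauth2_authorization_code_session`, `oauth2_access_token_session`, `oauth2_refresh_token_session`, `oauth2_pkce_request_session` and `oauth2_openid_connect_session`. If renumbering is intended, a comment above each INSERT would spare the next reader the question, e.g. `-- id is deliberately not copied so the recreated table assigns fresh values; ORDER BY id keeps the original order.`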
@@ -66,8 +67,8 @@ CREATE TABLE IF NOT EXISTS oauth2_authorization_code_session (
 REFERENCES user_opaque_identifier(identifier) ON UPDATE RESTRICT ON DELETE RESTRICT
 );
 
-INSERT INTO oauth2_authorization_code_session (id, challenge_id, request_id, client_id, signature, subject, requested_at, requested_scopes, granted_scopes, requested_audience, granted_audience, active, revoked, form_data, session_data)
-SELECT id, challenge_id, request_id, client_id, signature, subject, requested_at, requested_scopes, granted_scopes, requested_audience, granted_audience, active, revoked, form_data, session_data
+INSERT INTO oauth2_authorization_code_session (challenge_id, request_id, client_id, signature, subject, requested_at, requested_scopes, granted_scopes, requested_audience, granted_audience, active, revoked, form_data, session_data)
+SELECT challenge_id, request_id, client_id, signature, subject, requested_at, requested_scopes, granted_scopes, requested_audience, granted_audience, active, revoked, form_data, session_data
 FROM _bkp_UP_V0005_oauth2_authorization_code_session
 ORDER BY id;
 
@@ -108,8 +109,8 @@ CREATE TABLE IF NOT EXISTS oauth2_access_token_session (
 REFERENCES user_opaque_identifier(identifier) ON UPDATE RESTRICT ON DELETE RESTRICT
 );
 
-INSERT INTO oauth2_access_token_session (id, challenge_id, request_id, client_id, signature, subject, requested_at, requested_scopes, granted_scopes, requested_audience, granted_audience, active, revoked, form_data, session_data)
-SELECT id, challenge_id, request_id, client_id, signature, subject, requested_at, requested_scopes, granted_scopes, requested_audience, granted_audience, active, revoked, form_data, session_data
+INSERT INTO oauth2_access_token_session (challenge_id, request_id, client_id, signature, subject, requested_at, requested_scopes, granted_scopes, requested_audience, granted_audience, active, revoked, form_data, session_data)
+SELECT challenge_id, request_id, client_id, signature, subject, requested_at, requested_scopes, granted_scopes, requested_audience, granted_audience, active, revoked, form_data, session_data
 FROM _bkp_UP_V0005_oauth2_access_token_session
 ORDER BY id;
 
@@ -150,8 +151,8 @@ CREATE TABLE IF NOT EXISTS oauth2_refresh_token_session (
 REFERENCES user_opaque_identifier(identifier) ON UPDATE RESTRICT ON DELETE RESTRICT
 );
 
-INSERT INTO oauth2_refresh_token_session (id, challenge_id, request_id, client_id, signature, subject, requested_at, requested_scopes, granted_scopes, requested_audience, granted_audience, active, revoked, form_data, session_data)
-SELECT id, challenge_id, request_id, client_id, signature, subject, requested_at, requested_scopes, granted_scopes, requested_audience, granted_audience, active, revoked, form_data, session_data
+INSERT INTO oauth2_refresh_token_session (challenge_id, request_id, client_id, signature, subject, requested_at, requested_scopes, granted_scopes, requested_audience, granted_audience, active, revoked, form_data, session_data)
+SELECT challenge_id, request_id, client_id, signature, subject, requested_at, requested_scopes, granted_scopes, requested_audience, granted_audience, active, revoked, form_data, session_data
 FROM _bkp_UP_V0005_oauth2_refresh_token_session
 ORDER BY id;
 
@@ -192,8 +193,8 @@ CREATE TABLE IF NOT EXISTS oauth2_pkce_request_session (
 REFERENCES user_opaque_identifier(identifier) ON UPDATE RESTRICT ON DELETE RESTRICT
 );
 
-INSERT INTO oauth2_pkce_request_session (id, challenge_id, request_id, client_id, signature, subject, requested_at, requested_scopes, granted_scopes, requested_audience, granted_audience, active, revoked, form_data, session_data)
-SELECT id, challenge_id, request_id, client_id, signature, subject, requested_at, requested_scopes, granted_scopes, requested_audience, granted_audience, active, revoked, form_data, session_data
+INSERT INTO oauth2_pkce_request_session (challenge_id, request_id, client_id, signature, subject, requested_at, requested_scopes, granted_scopes, requested_audience, granted_audience, active, revoked, form_data, session_data)
+SELECT challenge_id, request_id, client_id, signature, subject, requested_at, requested_scopes, granted_scopes, requested_audience, granted_audience, active, revoked, form_data, session_data
 FROM _bkp_UP_V0005_oauth2_pkce_request_session
 ORDER BY id;
 
@@ -234,8 +235,8 @@ CREATE TABLE IF NOT EXISTS oauth2_openid_connect_session (
 REFERENCES user_opaque_identifier(identifier) ON UPDATE RESTRICT ON DELETE RESTRICT
 );
 
-INSERT INTO oauth2_openid_connect_session (id, challenge_id, request_id, client_id, signature, subject, requested_at, requested_scopes, granted_scopes, requested_audience, granted_audience, active, revoked, form_data, session_data)
-SELECT id, challenge_id, request_id, client_id, signature, subject, requested_at, requested_scopes, granted_scopes, requested_audience, granted_audience, active, revoked, form_data, session_data
+INSERT INTO oauth2_openid_connect_session (challenge_id, request_id, client_id, signature, subject, requested_at, requested_scopes, granted_scopes, requested_audience, granted_audience, active, revoked, form_data, session_data)
+SELECT challenge_id, request_id, client_id, signature, subject, requested_at, requested_scopes, granted_scopes, requested_audience, granted_audience, active, revoked, form_data, session_data
 FROM _bkp_UP_V0005_oauth2_openid_connect_session
 ORDER BY id;
 