95 lines
4.4 KiB
Python
95 lines
4.4 KiB
Python
"""add_registration_tokens_and_agent_secret_hash
|
|
|
|
Revision ID: add_registration_tokens
|
|
Revises: add_agent_fields
|
|
Create Date: 2025-12-06 10:00:00.000000
|
|
|
|
This migration adds:
|
|
1. registration_tokens table for secure agent registration
|
|
2. secret_hash column to agents for new auth scheme
|
|
3. registration_token_id FK in agents to track token usage
|
|
"""
|
|
from typing import Sequence, Union
|
|
import hashlib
|
|
|
|
from alembic import op
|
|
import sqlalchemy as sa
|
|
from sqlalchemy.dialects import postgresql
|
|
|
|
|
|
# revision identifiers, used by Alembic.
|
|
revision: str = 'add_registration_tokens'
|
|
down_revision: Union[str, None] = 'add_agent_fields'
|
|
branch_labels: Union[str, Sequence[str], None] = None
|
|
depends_on: Union[str, Sequence[str], None] = None
|
|
|
|
|
|
def upgrade() -> None:
|
|
# 1. Create registration_tokens table
|
|
op.create_table(
|
|
'registration_tokens',
|
|
sa.Column('id', sa.UUID(), nullable=False),
|
|
sa.Column('tenant_id', sa.UUID(), nullable=False),
|
|
sa.Column('token_hash', sa.String(length=64), nullable=False, comment='SHA-256 hash of the registration token'),
|
|
sa.Column('description', sa.String(length=255), nullable=True, comment='Human-readable description for the token'),
|
|
sa.Column('max_uses', sa.Integer(), nullable=False, server_default='1', comment='Maximum number of uses (0 = unlimited)'),
|
|
sa.Column('use_count', sa.Integer(), nullable=False, server_default='0', comment='Current number of times this token has been used'),
|
|
sa.Column('expires_at', sa.DateTime(timezone=True), nullable=True, comment='Optional expiration timestamp'),
|
|
sa.Column('revoked', sa.Boolean(), nullable=False, server_default='false', comment='Whether this token has been manually revoked'),
|
|
sa.Column('created_by', sa.String(length=255), nullable=True, comment='Identifier of who created this token (for audit)'),
|
|
sa.Column('created_at', sa.DateTime(timezone=True), nullable=False, server_default=sa.func.now()),
|
|
sa.Column('updated_at', sa.DateTime(timezone=True), nullable=False, server_default=sa.func.now()),
|
|
sa.PrimaryKeyConstraint('id'),
|
|
sa.ForeignKeyConstraint(['tenant_id'], ['tenants.id'], ondelete='CASCADE'),
|
|
)
|
|
op.create_index(op.f('ix_registration_tokens_tenant_id'), 'registration_tokens', ['tenant_id'], unique=False)
|
|
op.create_index(op.f('ix_registration_tokens_token_hash'), 'registration_tokens', ['token_hash'], unique=False)
|
|
|
|
# 2. Add secret_hash column to agents (for new auth scheme)
|
|
# Initialize with empty string, will be populated during agent migration
|
|
op.add_column(
|
|
'agents',
|
|
sa.Column('secret_hash', sa.String(length=64), nullable=False, server_default='', comment='SHA-256 hash of the agent secret')
|
|
)
|
|
|
|
# 3. Add registration_token_id FK to agents
|
|
op.add_column(
|
|
'agents',
|
|
sa.Column('registration_token_id', sa.UUID(), nullable=True)
|
|
)
|
|
op.create_foreign_key(
|
|
'fk_agents_registration_token_id',
|
|
'agents', 'registration_tokens',
|
|
['registration_token_id'], ['id'],
|
|
ondelete='SET NULL'
|
|
)
|
|
op.create_index(op.f('ix_agents_registration_token_id'), 'agents', ['registration_token_id'], unique=False)
|
|
|
|
# 4. Migrate existing agent tokens to secret_hash
|
|
# For existing agents, we'll hash their current token and store it as secret_hash
|
|
# This allows backward compatibility during the transition period
|
|
connection = op.get_bind()
|
|
agents = connection.execute(sa.text("SELECT id, token FROM agents WHERE token != ''"))
|
|
for agent in agents:
|
|
if agent.token:
|
|
hashed = hashlib.sha256(agent.token.encode()).hexdigest()
|
|
connection.execute(
|
|
sa.text("UPDATE agents SET secret_hash = :hash WHERE id = :id"),
|
|
{"hash": hashed, "id": agent.id}
|
|
)
|
|
|
|
|
|
def downgrade() -> None:
|
|
# Drop registration_token_id FK and index from agents
|
|
op.drop_index(op.f('ix_agents_registration_token_id'), table_name='agents')
|
|
op.drop_constraint('fk_agents_registration_token_id', 'agents', type_='foreignkey')
|
|
op.drop_column('agents', 'registration_token_id')
|
|
|
|
# Drop secret_hash column from agents
|
|
op.drop_column('agents', 'secret_hash')
|
|
|
|
# Drop registration_tokens table
|
|
op.drop_index(op.f('ix_registration_tokens_token_hash'), table_name='registration_tokens')
|
|
op.drop_index(op.f('ix_registration_tokens_tenant_id'), table_name='registration_tokens')
|
|
op.drop_table('registration_tokens')
|