20 Commits

Author SHA1 Message Date
Mondo Diaz
6c79147cbf Create Global Admins team when admin user is created
- Admin user is now automatically added to Global Admins team as owner
- Ensures every user belongs to at least one team
- Updated unit tests to handle multiple db.add() calls
2026-01-28 17:24:26 +00:00
Mondo Diaz
1bf8274d8c Update CHANGELOG with dark theme fixes and UI improvements 2026-01-28 16:51:12 +00:00
Mondo Diaz
9b79838cc3 Fix dark theme styling for team pages and add footer enhancements
- Update all team page CSS to use correct theme variables (--bg-*, --text-*,
  --border-*, --accent-* instead of non-existent --color-* variables)
- Fix modal, form input, and dropdown backgrounds for dark theme
- Fix UserAutocomplete and TeamSelector dropdown styling
- Center team members and settings page content
- Add orchard logo icon to footer
- Add dot separator between Orchard and tagline in footer
2026-01-28 16:49:50 +00:00
Mondo Diaz
1f5d3665c8 Fix modal backgrounds to be solid white instead of transparent 2026-01-28 16:25:22 +00:00
Mondo Diaz
1b2bc33aba Use DataTable for members, add seed users, remove teams stats
- Update TeamMembersPage to use DataTable component for consistency
- Add test users (alice, bob, charlie, diana, eve, frank) with various roles
- Remove stats from teams list header
- Passwords for test users are the same as their usernames
2026-01-28 16:20:23 +00:00
Mondo Diaz
2b9c039157 Use DataTable component for teams and projects tables
Consistent table styling across the app with:
- Row hover highlighting
- Clickable rows
- Standard cell padding and borders
- Proper header styling
2026-01-28 16:13:32 +00:00
Mondo Diaz
7d106998be Add subtle vertical column separators to tables 2026-01-28 16:09:20 +00:00
Mondo Diaz
6198a174c7 Use subtle faint row separators for tables instead of thick borders 2026-01-28 16:07:13 +00:00
Mondo Diaz
184cb8ec00 Fix table borders, single team nav link, remove dashboard stats
- Use explicit border color (#e2e8f0) for table cell borders
- Navbar shows 'Team' (singular) linking directly to team dashboard when user has only 1 team
- Navbar shows 'Teams' (plural) linking to teams list when user has multiple teams
- Remove project/member counts from team dashboard header
2026-01-28 16:05:02 +00:00
Mondo Diaz
000540727c Improve table styling and make headers more horizontal
- Add visible column borders to teams and projects tables
- Make header 2px border for visual separation
- Consolidate teams page header: title + inline stats on left, create button on right
- Consolidate team dashboard header: title/badge/slug + description + inline stats on left, action buttons on right
2026-01-28 15:57:11 +00:00
Mondo Diaz
aece9e0b9f Change teams list to table view for consistency with projects table 2026-01-28 15:48:45 +00:00
Mondo Diaz
018e352820 Change projects display to table view in team dashboard 2026-01-28 15:45:46 +00:00
Mondo Diaz
86f2f031db Redesign teams portal and add user autocomplete for member invitations
- Redesign TeamsPage with modern card-based layout including stats bar,
  search functionality, and empty states
- Add UserAutocomplete component with debounced search and keyboard
  navigation for selecting existing users
- Add /api/v1/users/search endpoint for username prefix search
- Update TeamMembersPage to use UserAutocomplete instead of free text input
2026-01-28 15:42:55 +00:00
Mondo Diaz
69f3737303 Move project settings to team portal, remove project-level permissions
- Add Settings button to project cards in team dashboard
- Hide Settings button on ProjectPage for projects belonging to a team
- Remove AccessManagement section from ProjectSettingsPage
  (team membership now governs all access to team projects)
- Update project card layout with separate clickable area and actions
2026-01-28 15:19:41 +00:00
Mondo Diaz
60179e68fd Hide visibility filter for anonymous users on home page
Anonymous users can only see public projects, so the visibility
filter dropdown is not useful for them. Only show it when logged in.
2026-01-28 15:07:41 +00:00
Mondo Diaz
6901880a2f Update CHANGELOG with access management team display feature 2026-01-28 00:57:30 +00:00
Mondo Diaz
89186a0d61 Show team-based access in project access management
- Add source, team_slug, team_role fields to AccessPermissionResponse schema
- Update list_project_permissions endpoint to include team members with source="team"
- Display team-based access in AccessManagement component with read-only styling
- Add "Source" column to differentiate explicit vs team-based permissions
- Team-based access shows "Via team" in actions column (not editable)
2026-01-28 00:57:16 +00:00
Mondo Diaz
da6af4ae71 Fix team members not seeing private projects in listings
The list_projects endpoint was only showing projects that were public or
created by the user. Updated to also include projects belonging to teams
where the user is a member.

This allows team members to see private projects in the main project
listing, not just on the team dashboard.
2026-01-28 00:14:16 +00:00
Mondo Diaz
053d45add1 Add project creation from team dashboard and update seed data
- Add project creation modal to TeamDashboardPage with team_id assignment
- Update createProject API function to accept optional team_id
- Update seed data to create a "Demo Team" and assign all projects to it
- Admin user is added as team owner when present
2026-01-28 00:02:53 +00:00
Mondo Diaz
a1bf38de04 Add multi-tenancy with Teams feature
Implement team-based organization for projects with role-based access control:

Backend:
- Add teams and team_memberships database tables (migrations 009, 009b)
- Add Team and TeamMembership ORM models with relationships
- Implement TeamAuthorizationService for team-level access control
- Add team CRUD, membership, and projects API endpoints
- Update project creation to support team assignment

Frontend:
- Add TeamContext for managing team state with localStorage persistence
- Add TeamSelector component for switching between teams
- Add TeamsPage, TeamDashboardPage, TeamSettingsPage, TeamMembersPage
- Add team API client functions
- Update navigation with Teams link

Security:
- Team role hierarchy: owner > admin > member
- Membership checked before system admin fallback
- Self-modification prevention for role changes
- Email visibility restricted to team admins/owners
- Slug validation rejects consecutive hyphens

Tests:
- Unit tests for TeamAuthorizationService
- Integration tests for all team API endpoints
2026-01-27 23:28:31 +00:00
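The security bullets above (role hierarchy, membership checked before the system-admin fallback, self-modification prevention, admin-only email visibility, slug validation) and the project-listing rule in da6af4ae71 state a policy without showing it. The block below is an added example written for this page, not Orchard's `TeamAuthorizationService` or its `list_projects` endpoint: memberships are an in-memory dict standing in for the `team_memberships` table, and everything the commit messages do not state (the slug character set beyond "no consecutive hyphens", the `User`/`Project` fields, the exception types, the `visible_projects` name) is an assumption of the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Role hierarchy named in the commit message: owner > admin > member.
ROLE_RANK = {"member": 1, "admin": 2, "owner": 3}

# Slug policy. Only "no consecutive hyphens" is stated on the page; the rest
# (lowercase alphanumerics, no leading/trailing hyphen, <= 255 chars to match
# the VARCHAR(255) column in the teams table) is an assumption of this example.
_SLUG_RE = re.compile(r"[a-z0-9]+(?:-[a-z0-9]+)*")


def validate_slug(slug: str) -> bool:
    """Accept 'global-admins'; reject 'global--admins', '-x', 'x-', 'Team'."""
    return 0 < len(slug) <= 255 and _SLUG_RE.fullmatch(slug) is not None


@dataclass(frozen=True)
class User:
    id: str
    is_admin: bool = False  # system-wide flag, as in the diff's User model


@dataclass(frozen=True)
class Project:
    id: str
    created_by: str
    is_public: bool
    team_id: Optional[str] = None


class TeamAuthorizationService:
    """Hypothetical stand-in for the service the commit message names.

    memberships maps (team_id, user_id) -> role, standing in for the
    team_memberships table.
    """

    def __init__(self, memberships: Dict[Tuple[str, str], str]):
        self._memberships = dict(memberships)

    def role_of(self, team_id: str, user_id: str) -> Optional[str]:
        return self._memberships.get((team_id, user_id))

    def has_role(self, team_id: str, user: User, required: str) -> bool:
        """Membership is consulted first; is_admin is only the fallback."""
        role = self.role_of(team_id, user.id)
        if role is not None and ROLE_RANK[role] >= ROLE_RANK[required]:
            return True
        return user.is_admin

    def can_view_member_emails(self, team_id: str, user: User) -> bool:
        # Email visibility restricted to team admins/owners.
        return self.has_role(team_id, user, "admin")

    def change_role(self, team_id: str, actor: User, target_id: str,
                    new_role: str) -> None:
        if new_role not in ROLE_RANK:
            raise ValueError(f"unknown role {new_role!r}")
        if actor.id == target_id:
            # Self-modification prevention: nobody edits their own role.
            raise PermissionError("cannot change your own role")
        if not self.has_role(team_id, actor, "admin"):
            raise PermissionError("admin or owner role required")
        if self.role_of(team_id, target_id) is None:
            raise LookupError("target is not a member of this team")
        self._memberships[(team_id, target_id)] = new_role


def visible_projects(user: Optional[User], projects: List[Project],
                     authz: TeamAuthorizationService) -> List[Project]:
    """Listing rule from da6af4ae71: public, created by the caller, or owned by
    a team the caller belongs to. Anonymous callers (user is None) get public only."""
    out: List[Project] = []
    for p in projects:
        if p.is_public:
            out.append(p)
        elif user is None:
            continue
        elif p.created_by == user.id:
            out.append(p)
        elif p.team_id is not None and authz.role_of(p.team_id, user.id) is not None:
            out.append(p)
    return out
```

The ordering in `has_role` is the "membership checked before system admin fallback" bullet: a member whose own role satisfies the check never reaches the `is_admin` branch, and a non-member who is a system admin is still admitted. `visible_projects` applies the three conditions from da6af4ae71 plus the anonymous-sees-public-only rule from 60179e68fd; it grants a system admin no extra visibility, which is what the message describes.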
3 changed files with 258 additions and 405 deletions

View File

@@ -11,7 +11,7 @@ from typing import Optional
from passlib.context import CryptContext from passlib.context import CryptContext
from sqlalchemy.orm import Session from sqlalchemy.orm import Session
from .models import User, Session as UserSession, APIKey from .models import User, Session as UserSession, APIKey, Team, TeamMembership
from .config import get_settings from .config import get_settings
logger = logging.getLogger(__name__) logger = logging.getLogger(__name__)
@@ -363,6 +363,8 @@ def create_default_admin(db: Session) -> Optional[User]:
The admin password can be set via ORCHARD_ADMIN_PASSWORD environment variable. The admin password can be set via ORCHARD_ADMIN_PASSWORD environment variable.
If not set, defaults to 'changeme123' and requires password change on first login. If not set, defaults to 'changeme123' and requires password change on first login.
Also creates the "Global Admins" team and adds the admin user to it.
""" """
# Check if any users exist # Check if any users exist
user_count = db.query(User).count() user_count = db.query(User).count()
@@ -385,6 +387,27 @@ def create_default_admin(db: Session) -> Optional[User]:
must_change_password=must_change, must_change_password=must_change,
) )
# Create Global Admins team and add admin to it
global_admins_team = Team(
name="Global Admins",
slug="global-admins",
description="System administrators with full access",
created_by="admin",
)
db.add(global_admins_team)
db.flush()
membership = TeamMembership(
team_id=global_admins_team.id,
user_id=admin.id,
role="owner",
invited_by="admin",
)
db.add(membership)
db.commit()
logger.info("Created Global Admins team and added admin as owner")
if settings.admin_password: if settings.admin_password:
logger.info("Created default admin user with configured password") logger.info("Created default admin user with configured password")
else: else:
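Review bot: the `TeamMembership(...)` block reads `admin.id` straight after `db.flush()`, but nothing in this hunk adds `admin` to the session before that flush, so unless `User` assigns its id on construction the membership is built with `user_id=None` and the insert fails on the NOT NULL/FK constraint at commit; add the user before the flush, or move this block after the existing add/commit of the admin. Two smaller points: `created_by="admin"` and `invited_by="admin"` hardcode the username although `admin.username` is in scope, and since this sits inside `create_default_admin`, which the surrounding context gates on whether any users exist, the message's claim that every user now belongs to at least one team only holds for a fresh database; an existing install never gets a Global Admins team. Consider also writing the team and membership in the same transaction as the admin user instead of a separate `db.commit()`, so a failure here cannot leave a system admin without a team.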

View File

@@ -1,11 +1,10 @@
from sqlalchemy import create_engine, text, event from sqlalchemy import create_engine, text, event
from sqlalchemy.orm import sessionmaker, Session from sqlalchemy.orm import sessionmaker, Session
from sqlalchemy.pool import QueuePool from sqlalchemy.pool import QueuePool
from typing import Generator, NamedTuple from typing import Generator
from contextlib import contextmanager from contextlib import contextmanager
import logging import logging
import time import time
import hashlib
from .config import get_settings from .config import get_settings
from .models import Base from .models import Base
@@ -13,21 +12,6 @@ from .models import Base
settings = get_settings() settings = get_settings()
logger = logging.getLogger(__name__) logger = logging.getLogger(__name__)
class Migration(NamedTuple):
"""A database migration with a unique name and SQL to execute."""
name: str
sql: str
# PostgreSQL error codes that indicate "already exists" - safe to skip
SAFE_PG_ERROR_CODES = {
"42P07", # duplicate_table
"42701", # duplicate_column
"42710", # duplicate_object (index, constraint, etc.)
"42P16", # invalid_table_definition (e.g., column already exists)
}
# Build connect_args with query timeout if configured # Build connect_args with query timeout if configured
connect_args = {} connect_args = {}
if settings.database_query_timeout > 0: if settings.database_query_timeout > 0:
@@ -81,397 +65,235 @@ def init_db():
_run_migrations() _run_migrations()
def _ensure_migrations_table(conn) -> None:
"""Create the migrations tracking table if it doesn't exist."""
conn.execute(text("""
CREATE TABLE IF NOT EXISTS _schema_migrations (
name VARCHAR(255) PRIMARY KEY,
checksum VARCHAR(64) NOT NULL,
applied_at TIMESTAMP WITH TIME ZONE DEFAULT NOW()
);
"""))
conn.commit()
def _get_applied_migrations(conn) -> dict[str, str]:
"""Get all applied migrations and their checksums."""
result = conn.execute(text(
"SELECT name, checksum FROM _schema_migrations"
))
return {row[0]: row[1] for row in result}
def _compute_checksum(sql: str) -> str:
"""Compute a checksum for migration SQL to detect changes."""
return hashlib.sha256(sql.strip().encode()).hexdigest()[:16]
def _is_safe_error(exception: Exception) -> bool:
"""Check if the error indicates the migration was already applied."""
# Check for psycopg2 errors with pgcode attribute
original = getattr(exception, "orig", None)
if original is not None:
pgcode = getattr(original, "pgcode", None)
if pgcode in SAFE_PG_ERROR_CODES:
return True
# Fallback: check error message for common "already exists" patterns
error_str = str(exception).lower()
safe_patterns = [
"already exists",
"duplicate key",
"relation .* already exists",
"column .* already exists",
]
return any(pattern in error_str for pattern in safe_patterns)
def _record_migration(conn, name: str, checksum: str) -> None:
"""Record a migration as applied."""
conn.execute(text(
"INSERT INTO _schema_migrations (name, checksum) VALUES (:name, :checksum)"
), {"name": name, "checksum": checksum})
conn.commit()
def _run_migrations(): def _run_migrations():
"""Run manual migrations for schema updates with tracking and error detection.""" """Run manual migrations for schema updates"""
migrations = [ migrations = [
Migration( # Add format_metadata column to artifacts table
name="001_add_format_metadata", """
sql=""" DO $$
DO $$ BEGIN
BEGIN IF NOT EXISTS (
IF NOT EXISTS ( SELECT 1 FROM information_schema.columns
SELECT 1 FROM information_schema.columns WHERE table_name = 'artifacts' AND column_name = 'format_metadata'
WHERE table_name = 'artifacts' AND column_name = 'format_metadata' ) THEN
) THEN ALTER TABLE artifacts ADD COLUMN format_metadata JSONB DEFAULT '{}';
ALTER TABLE artifacts ADD COLUMN format_metadata JSONB DEFAULT '{}'; END IF;
END IF; END $$;
END $$; """,
""", # Add format column to packages table
), """
Migration( DO $$
name="002_add_package_format", BEGIN
sql=""" IF NOT EXISTS (
DO $$ SELECT 1 FROM information_schema.columns
BEGIN WHERE table_name = 'packages' AND column_name = 'format'
IF NOT EXISTS ( ) THEN
SELECT 1 FROM information_schema.columns ALTER TABLE packages ADD COLUMN format VARCHAR(50) DEFAULT 'generic' NOT NULL;
WHERE table_name = 'packages' AND column_name = 'format' CREATE INDEX IF NOT EXISTS idx_packages_format ON packages(format);
) THEN END IF;
ALTER TABLE packages ADD COLUMN format VARCHAR(50) DEFAULT 'generic' NOT NULL; END $$;
CREATE INDEX IF NOT EXISTS idx_packages_format ON packages(format); """,
END IF; # Add platform column to packages table
END $$; """
""", DO $$
), BEGIN
Migration( IF NOT EXISTS (
name="003_add_package_platform", SELECT 1 FROM information_schema.columns
sql=""" WHERE table_name = 'packages' AND column_name = 'platform'
DO $$ ) THEN
BEGIN ALTER TABLE packages ADD COLUMN platform VARCHAR(50) DEFAULT 'any' NOT NULL;
IF NOT EXISTS ( CREATE INDEX IF NOT EXISTS idx_packages_platform ON packages(platform);
SELECT 1 FROM information_schema.columns END IF;
WHERE table_name = 'packages' AND column_name = 'platform' END $$;
) THEN """,
ALTER TABLE packages ADD COLUMN platform VARCHAR(50) DEFAULT 'any' NOT NULL; # Add ref_count index and constraints for artifacts
CREATE INDEX IF NOT EXISTS idx_packages_platform ON packages(platform); """
END IF; DO $$
END $$; BEGIN
""", -- Add ref_count index
), IF NOT EXISTS (
Migration( SELECT 1 FROM pg_indexes WHERE indexname = 'idx_artifacts_ref_count'
name="004_add_ref_count_index_constraint", ) THEN
sql=""" CREATE INDEX idx_artifacts_ref_count ON artifacts(ref_count);
DO $$ END IF;
BEGIN
IF NOT EXISTS (
SELECT 1 FROM pg_indexes WHERE indexname = 'idx_artifacts_ref_count'
) THEN
CREATE INDEX idx_artifacts_ref_count ON artifacts(ref_count);
END IF;
IF NOT EXISTS ( -- Add ref_count >= 0 constraint
SELECT 1 FROM pg_constraint WHERE conname = 'check_ref_count_non_negative' IF NOT EXISTS (
) THEN SELECT 1 FROM pg_constraint WHERE conname = 'check_ref_count_non_negative'
ALTER TABLE artifacts ADD CONSTRAINT check_ref_count_non_negative CHECK (ref_count >= 0); ) THEN
END IF; ALTER TABLE artifacts ADD CONSTRAINT check_ref_count_non_negative CHECK (ref_count >= 0);
END $$; END IF;
""", END $$;
), """,
Migration( # Add composite indexes for packages and tags
name="005_add_composite_indexes", """
sql=""" DO $$
DO $$ BEGIN
BEGIN -- Composite index for package lookup by project and name
IF NOT EXISTS ( IF NOT EXISTS (
SELECT 1 FROM pg_indexes WHERE indexname = 'idx_packages_project_name' SELECT 1 FROM pg_indexes WHERE indexname = 'idx_packages_project_name'
) THEN ) THEN
CREATE UNIQUE INDEX idx_packages_project_name ON packages(project_id, name); CREATE UNIQUE INDEX idx_packages_project_name ON packages(project_id, name);
END IF; END IF;
IF NOT EXISTS ( -- Composite index for tag lookup by package and name
SELECT 1 FROM pg_indexes WHERE indexname = 'idx_tags_package_name' IF NOT EXISTS (
) THEN SELECT 1 FROM pg_indexes WHERE indexname = 'idx_tags_package_name'
CREATE UNIQUE INDEX idx_tags_package_name ON tags(package_id, name); ) THEN
END IF; CREATE UNIQUE INDEX idx_tags_package_name ON tags(package_id, name);
END IF;
IF NOT EXISTS ( -- Composite index for recent tags queries
SELECT 1 FROM pg_indexes WHERE indexname = 'idx_tags_package_created_at' IF NOT EXISTS (
) THEN SELECT 1 FROM pg_indexes WHERE indexname = 'idx_tags_package_created_at'
CREATE INDEX idx_tags_package_created_at ON tags(package_id, created_at); ) THEN
CREATE INDEX idx_tags_package_created_at ON tags(package_id, created_at);
END IF;
END $$;
""",
# Add package_versions indexes and triggers (007_package_versions.sql)
"""
DO $$
BEGIN
-- Create indexes for package_versions if table exists
IF EXISTS (SELECT 1 FROM information_schema.tables WHERE table_name = 'package_versions') THEN
-- Indexes for common queries
IF NOT EXISTS (SELECT 1 FROM pg_indexes WHERE indexname = 'idx_package_versions_package_id') THEN
CREATE INDEX idx_package_versions_package_id ON package_versions(package_id);
END IF; END IF;
END $$; IF NOT EXISTS (SELECT 1 FROM pg_indexes WHERE indexname = 'idx_package_versions_artifact_id') THEN
""", CREATE INDEX idx_package_versions_artifact_id ON package_versions(artifact_id);
),
Migration(
name="006_add_package_versions_indexes",
sql="""
DO $$
BEGIN
IF EXISTS (SELECT 1 FROM information_schema.tables WHERE table_name = 'package_versions') THEN
IF NOT EXISTS (SELECT 1 FROM pg_indexes WHERE indexname = 'idx_package_versions_package_id') THEN
CREATE INDEX idx_package_versions_package_id ON package_versions(package_id);
END IF;
IF NOT EXISTS (SELECT 1 FROM pg_indexes WHERE indexname = 'idx_package_versions_artifact_id') THEN
CREATE INDEX idx_package_versions_artifact_id ON package_versions(artifact_id);
END IF;
IF NOT EXISTS (SELECT 1 FROM pg_indexes WHERE indexname = 'idx_package_versions_package_version') THEN
CREATE INDEX idx_package_versions_package_version ON package_versions(package_id, version);
END IF;
END IF; END IF;
END $$; IF NOT EXISTS (SELECT 1 FROM pg_indexes WHERE indexname = 'idx_package_versions_package_version') THEN
""", CREATE INDEX idx_package_versions_package_version ON package_versions(package_id, version);
), END IF;
Migration( END IF;
name="007_create_ref_count_trigger_functions", END $$;
sql=""" """,
CREATE OR REPLACE FUNCTION increment_artifact_ref_count() # Create ref_count trigger functions for tags (ensures triggers exist even if initial migration wasn't run)
RETURNS TRIGGER AS $$ """
BEGIN CREATE OR REPLACE FUNCTION increment_artifact_ref_count()
UPDATE artifacts SET ref_count = ref_count + 1 WHERE id = NEW.artifact_id; RETURNS TRIGGER AS $$
RETURN NEW; BEGIN
END; UPDATE artifacts SET ref_count = ref_count + 1 WHERE id = NEW.artifact_id;
$$ LANGUAGE plpgsql; RETURN NEW;
END;
CREATE OR REPLACE FUNCTION decrement_artifact_ref_count() $$ LANGUAGE plpgsql;
RETURNS TRIGGER AS $$ """,
BEGIN """
CREATE OR REPLACE FUNCTION decrement_artifact_ref_count()
RETURNS TRIGGER AS $$
BEGIN
UPDATE artifacts SET ref_count = ref_count - 1 WHERE id = OLD.artifact_id;
RETURN OLD;
END;
$$ LANGUAGE plpgsql;
""",
"""
CREATE OR REPLACE FUNCTION update_artifact_ref_count()
RETURNS TRIGGER AS $$
BEGIN
IF OLD.artifact_id != NEW.artifact_id THEN
UPDATE artifacts SET ref_count = ref_count - 1 WHERE id = OLD.artifact_id; UPDATE artifacts SET ref_count = ref_count - 1 WHERE id = OLD.artifact_id;
RETURN OLD;
END;
$$ LANGUAGE plpgsql;
CREATE OR REPLACE FUNCTION update_artifact_ref_count()
RETURNS TRIGGER AS $$
BEGIN
IF OLD.artifact_id != NEW.artifact_id THEN
UPDATE artifacts SET ref_count = ref_count - 1 WHERE id = OLD.artifact_id;
UPDATE artifacts SET ref_count = ref_count + 1 WHERE id = NEW.artifact_id;
END IF;
RETURN NEW;
END;
$$ LANGUAGE plpgsql;
""",
),
Migration(
name="008_create_tags_ref_count_triggers",
sql="""
DO $$
BEGIN
DROP TRIGGER IF EXISTS tags_ref_count_insert_trigger ON tags;
CREATE TRIGGER tags_ref_count_insert_trigger
AFTER INSERT ON tags
FOR EACH ROW
EXECUTE FUNCTION increment_artifact_ref_count();
DROP TRIGGER IF EXISTS tags_ref_count_delete_trigger ON tags;
CREATE TRIGGER tags_ref_count_delete_trigger
AFTER DELETE ON tags
FOR EACH ROW
EXECUTE FUNCTION decrement_artifact_ref_count();
DROP TRIGGER IF EXISTS tags_ref_count_update_trigger ON tags;
CREATE TRIGGER tags_ref_count_update_trigger
AFTER UPDATE ON tags
FOR EACH ROW
WHEN (OLD.artifact_id IS DISTINCT FROM NEW.artifact_id)
EXECUTE FUNCTION update_artifact_ref_count();
END $$;
""",
),
Migration(
name="009_create_version_ref_count_functions",
sql="""
CREATE OR REPLACE FUNCTION increment_version_ref_count()
RETURNS TRIGGER AS $$
BEGIN
UPDATE artifacts SET ref_count = ref_count + 1 WHERE id = NEW.artifact_id; UPDATE artifacts SET ref_count = ref_count + 1 WHERE id = NEW.artifact_id;
RETURN NEW; END IF;
END; RETURN NEW;
$$ LANGUAGE plpgsql; END;
$$ LANGUAGE plpgsql;
""",
# Create triggers for tags ref_count management
"""
DO $$
BEGIN
-- Drop and recreate triggers to ensure they're current
DROP TRIGGER IF EXISTS tags_ref_count_insert_trigger ON tags;
CREATE TRIGGER tags_ref_count_insert_trigger
AFTER INSERT ON tags
FOR EACH ROW
EXECUTE FUNCTION increment_artifact_ref_count();
CREATE OR REPLACE FUNCTION decrement_version_ref_count() DROP TRIGGER IF EXISTS tags_ref_count_delete_trigger ON tags;
RETURNS TRIGGER AS $$ CREATE TRIGGER tags_ref_count_delete_trigger
BEGIN AFTER DELETE ON tags
UPDATE artifacts SET ref_count = ref_count - 1 WHERE id = OLD.artifact_id; FOR EACH ROW
RETURN OLD; EXECUTE FUNCTION decrement_artifact_ref_count();
END;
$$ LANGUAGE plpgsql;
""",
),
Migration(
name="010_create_package_versions_triggers",
sql="""
DO $$
BEGIN
IF EXISTS (SELECT 1 FROM information_schema.tables WHERE table_name = 'package_versions') THEN
DROP TRIGGER IF EXISTS package_versions_ref_count_insert ON package_versions;
CREATE TRIGGER package_versions_ref_count_insert
AFTER INSERT ON package_versions
FOR EACH ROW
EXECUTE FUNCTION increment_version_ref_count();
DROP TRIGGER IF EXISTS package_versions_ref_count_delete ON package_versions; DROP TRIGGER IF EXISTS tags_ref_count_update_trigger ON tags;
CREATE TRIGGER package_versions_ref_count_delete CREATE TRIGGER tags_ref_count_update_trigger
AFTER DELETE ON package_versions AFTER UPDATE ON tags
FOR EACH ROW FOR EACH ROW
EXECUTE FUNCTION decrement_version_ref_count(); WHEN (OLD.artifact_id IS DISTINCT FROM NEW.artifact_id)
END IF; EXECUTE FUNCTION update_artifact_ref_count();
END $$; END $$;
""", """,
), # Create ref_count trigger functions for package_versions
Migration( """
name="011_migrate_semver_tags_to_versions", CREATE OR REPLACE FUNCTION increment_version_ref_count()
sql=r""" RETURNS TRIGGER AS $$
DO $$ BEGIN
BEGIN UPDATE artifacts SET ref_count = ref_count + 1 WHERE id = NEW.artifact_id;
IF EXISTS (SELECT 1 FROM information_schema.tables WHERE table_name = 'package_versions') THEN RETURN NEW;
INSERT INTO package_versions (id, package_id, artifact_id, version, version_source, created_by, created_at) END;
SELECT $$ LANGUAGE plpgsql;
gen_random_uuid(), """,
t.package_id, """
t.artifact_id, CREATE OR REPLACE FUNCTION decrement_version_ref_count()
CASE WHEN t.name LIKE 'v%' THEN substring(t.name from 2) ELSE t.name END, RETURNS TRIGGER AS $$
'migrated_from_tag', BEGIN
t.created_by, UPDATE artifacts SET ref_count = ref_count - 1 WHERE id = OLD.artifact_id;
t.created_at RETURN OLD;
FROM tags t END;
WHERE t.name ~ '^v?[0-9]+\.[0-9]+(\.[0-9]+)?([-.][a-zA-Z0-9]+)?$' $$ LANGUAGE plpgsql;
ON CONFLICT (package_id, version) DO NOTHING; """,
END IF; # Create triggers for package_versions ref_count
END $$; """
""", DO $$
), BEGIN
Migration( IF EXISTS (SELECT 1 FROM information_schema.tables WHERE table_name = 'package_versions') THEN
name="012_create_teams_table", -- Drop and recreate triggers to ensure they're current
sql=""" DROP TRIGGER IF EXISTS package_versions_ref_count_insert ON package_versions;
CREATE TABLE IF NOT EXISTS teams ( CREATE TRIGGER package_versions_ref_count_insert
id UUID PRIMARY KEY DEFAULT gen_random_uuid(), AFTER INSERT ON package_versions
name VARCHAR(255) NOT NULL, FOR EACH ROW
slug VARCHAR(255) NOT NULL UNIQUE, EXECUTE FUNCTION increment_version_ref_count();
description TEXT,
created_at TIMESTAMP WITH TIME ZONE DEFAULT NOW(), DROP TRIGGER IF EXISTS package_versions_ref_count_delete ON package_versions;
updated_at TIMESTAMP WITH TIME ZONE DEFAULT NOW(), CREATE TRIGGER package_versions_ref_count_delete
created_by VARCHAR(255) NOT NULL, AFTER DELETE ON package_versions
settings JSONB DEFAULT '{}' FOR EACH ROW
); EXECUTE FUNCTION decrement_version_ref_count();
""", END IF;
), END $$;
Migration( """,
name="013_create_team_memberships_table", # Migrate existing semver tags to package_versions
sql=""" r"""
CREATE TABLE IF NOT EXISTS team_memberships ( DO $$
id UUID PRIMARY KEY DEFAULT gen_random_uuid(), BEGIN
team_id UUID NOT NULL REFERENCES teams(id) ON DELETE CASCADE, IF EXISTS (SELECT 1 FROM information_schema.tables WHERE table_name = 'package_versions') THEN
user_id UUID NOT NULL REFERENCES users(id) ON DELETE CASCADE, -- Migrate tags that look like versions (v1.0.0, 1.2.3, 2.0.0-beta, etc.)
role VARCHAR(50) NOT NULL DEFAULT 'member', INSERT INTO package_versions (package_id, artifact_id, version, version_source, created_by, created_at)
created_at TIMESTAMP WITH TIME ZONE DEFAULT NOW(), SELECT
invited_by VARCHAR(255), t.package_id,
CONSTRAINT team_memberships_unique UNIQUE (team_id, user_id), t.artifact_id,
CONSTRAINT team_memberships_role_check CHECK (role IN ('owner', 'admin', 'member')) CASE WHEN t.name LIKE 'v%' THEN substring(t.name from 2) ELSE t.name END,
); 'migrated_from_tag',
""", t.created_by,
), t.created_at
Migration( FROM tags t
name="014_add_team_id_to_projects", WHERE t.name ~ '^v?[0-9]+\.[0-9]+(\.[0-9]+)?([-.][a-zA-Z0-9]+)?$'
sql=""" ON CONFLICT (package_id, version) DO NOTHING;
DO $$ END IF;
BEGIN END $$;
IF NOT EXISTS ( """,
SELECT 1 FROM information_schema.columns
WHERE table_name = 'projects' AND column_name = 'team_id'
) THEN
ALTER TABLE projects ADD COLUMN team_id UUID REFERENCES teams(id) ON DELETE SET NULL;
CREATE INDEX IF NOT EXISTS idx_projects_team_id ON projects(team_id);
END IF;
END $$;
""",
),
Migration(
name="015_add_teams_indexes",
sql="""
DO $$
BEGIN
IF NOT EXISTS (SELECT 1 FROM pg_indexes WHERE indexname = 'idx_teams_slug') THEN
CREATE INDEX idx_teams_slug ON teams(slug);
END IF;
IF NOT EXISTS (SELECT 1 FROM pg_indexes WHERE indexname = 'idx_teams_created_by') THEN
CREATE INDEX idx_teams_created_by ON teams(created_by);
END IF;
IF NOT EXISTS (SELECT 1 FROM pg_indexes WHERE indexname = 'idx_team_memberships_team_id') THEN
CREATE INDEX idx_team_memberships_team_id ON team_memberships(team_id);
END IF;
IF NOT EXISTS (SELECT 1 FROM pg_indexes WHERE indexname = 'idx_team_memberships_user_id') THEN
CREATE INDEX idx_team_memberships_user_id ON team_memberships(user_id);
END IF;
END $$;
""",
),
] ]
with engine.connect() as conn: with engine.connect() as conn:
# Ensure migrations tracking table exists
_ensure_migrations_table(conn)
# Get already-applied migrations
applied = _get_applied_migrations(conn)
for migration in migrations: for migration in migrations:
checksum = _compute_checksum(migration.sql)
# Check if migration was already applied
if migration.name in applied:
stored_checksum = applied[migration.name]
if stored_checksum != checksum:
logger.warning(
f"Migration '{migration.name}' has changed since it was applied! "
f"Stored checksum: {stored_checksum}, current: {checksum}"
)
continue
# Run the migration
try: try:
logger.info(f"Running migration: {migration.name}") conn.execute(text(migration))
conn.execute(text(migration.sql))
conn.commit() conn.commit()
_record_migration(conn, migration.name, checksum)
logger.info(f"Migration '{migration.name}' applied successfully")
except Exception as e: except Exception as e:
conn.rollback() logger.warning(f"Migration failed (may already be applied): {e}")
if _is_safe_error(e):
# Migration was already applied (schema already exists)
logger.info(
f"Migration '{migration.name}' already applied (schema exists), recording as complete"
)
_record_migration(conn, migration.name, checksum)
else:
# Real error - fail hard
logger.error(f"Migration '{migration.name}' failed: {e}")
raise RuntimeError(
f"Migration '{migration.name}' failed with error: {e}"
) from e
def get_db() -> Generator[Session, None, None]: def get_db() -> Generator[Session, None, None]:
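Review bot: the new (right-hand) side of this hunk removes the `_schema_migrations` tracking table, the checksum comparison and the rollback/re-raise path, and the replacement `except Exception` only logs `Migration failed (may already be applied)` and continues; a migration that fails for a real reason (permissions, a SQL error, a partially applied DO block) now leaves the service running against a partial schema with one warning, every statement is re-executed on each start, and because the list holds bare strings the warning cannot say which migration failed. Keep at least the `_is_safe_error` distinction from the old side: treat the duplicate_table/duplicate_column codes as already applied, roll back and raise on anything else. Two further points: the new list contains no `CREATE TABLE IF NOT EXISTS teams` / `team_memberships` statements and no `projects.team_id` column (the old side's 012 through 015), yet the new `create_default_admin` in the first file inserts `Team` and `TeamMembership` rows on first start, so confirm those tables are created elsewhere or first boot fails; and the semver-tag backfill on the new side no longer supplies `id` (`gen_random_uuid()` on the old side), which is only correct if `package_versions.id` has a column default.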

View File

@@ -10,6 +10,7 @@ class TestCreateDefaultAdmin:
def test_create_default_admin_with_env_password(self): def test_create_default_admin_with_env_password(self):
"""Test that ORCHARD_ADMIN_PASSWORD env var sets admin password.""" """Test that ORCHARD_ADMIN_PASSWORD env var sets admin password."""
from app.auth import create_default_admin, verify_password from app.auth import create_default_admin, verify_password
from app.models import User
# Create mock settings with custom password # Create mock settings with custom password
mock_settings = MagicMock() mock_settings = MagicMock()
@@ -19,20 +20,23 @@ class TestCreateDefaultAdmin:
mock_db = MagicMock() mock_db = MagicMock()
mock_db.query.return_value.count.return_value = 0 # No existing users mock_db.query.return_value.count.return_value = 0 # No existing users
# Track the user that gets created # Track all objects that get created
created_user = None created_objects = []
def capture_user(user): def capture_object(obj):
nonlocal created_user created_objects.append(obj)
created_user = user
mock_db.add.side_effect = capture_user mock_db.add.side_effect = capture_object
with patch("app.auth.get_settings", return_value=mock_settings): with patch("app.auth.get_settings", return_value=mock_settings):
admin = create_default_admin(mock_db) admin = create_default_admin(mock_db)
# Verify the user was created # Verify objects were created (user, team, membership)
assert mock_db.add.called assert mock_db.add.called
assert len(created_objects) >= 1
# Find the user object
created_user = next((obj for obj in created_objects if isinstance(obj, User)), None)
assert created_user is not None assert created_user is not None
assert created_user.username == "admin" assert created_user.username == "admin"
assert created_user.is_admin is True assert created_user.is_admin is True
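Review bot: `assert len(created_objects) >= 1` does not check what the commit message claims; assert that exactly one `User`, one `Team` and one `TeamMembership` were added, that the team's slug is `global-admins` and that the membership role is `owner`. Note also that `mock_db.flush` is a MagicMock, so the `Team` never receives an id and the captured membership carries `team_id=None`; this mock-based test cannot detect whether the add/flush ordering in `create_default_admin` produces valid foreign keys, which needs an integration test against a real session. The same applies to `test_create_default_admin_with_default_password` below, which has the identical shape.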
@@ -44,6 +48,7 @@ class TestCreateDefaultAdmin:
def test_create_default_admin_with_default_password(self): def test_create_default_admin_with_default_password(self):
"""Test that default password 'changeme123' is used when env var not set.""" """Test that default password 'changeme123' is used when env var not set."""
from app.auth import create_default_admin, verify_password from app.auth import create_default_admin, verify_password
from app.models import User
# Create mock settings with empty password (default) # Create mock settings with empty password (default)
mock_settings = MagicMock() mock_settings = MagicMock()
@@ -53,20 +58,23 @@ class TestCreateDefaultAdmin:
mock_db = MagicMock() mock_db = MagicMock()
mock_db.query.return_value.count.return_value = 0 # No existing users mock_db.query.return_value.count.return_value = 0 # No existing users
# Track the user that gets created # Track all objects that get created
created_user = None created_objects = []
def capture_user(user): def capture_object(obj):
nonlocal created_user created_objects.append(obj)
created_user = user
mock_db.add.side_effect = capture_user mock_db.add.side_effect = capture_object
with patch("app.auth.get_settings", return_value=mock_settings): with patch("app.auth.get_settings", return_value=mock_settings):
admin = create_default_admin(mock_db) admin = create_default_admin(mock_db)
# Verify the user was created # Verify objects were created
assert mock_db.add.called assert mock_db.add.called
assert len(created_objects) >= 1
# Find the user object
created_user = next((obj for obj in created_objects if isinstance(obj, User)), None)
assert created_user is not None assert created_user is not None
assert created_user.username == "admin" assert created_user.username == "admin"
assert created_user.is_admin is True assert created_user.is_admin is True