Fix org_id inconsistency in baseline migration

- Remove server_default="0" from api_key.org_id (id=0 is not a valid FK)
- Seed an "Uncategorized" catch-all organization (arange: 0.0.0.0/0 ::/0)
  during migration to serve as a valid placeholder for existing rows
- Backfill NULL org_id on all affected tables (flowspec4, flowspec6, RTBH,
  api_key, machine_api_key) with the catch-all org's real id
- Update migrate_v0x_to_v1.py to look up the catch-all org by name
  instead of filtering on the hardcoded org_id=0
- Add migration tests: catchall org created, correct arange, no NULL
  org_id remains after upgrade from real 2019 backup

Author: jirivrany

flowapp/migrations/versions/001_baseline.py

@@ -254,12 +254,7 @@ def upgrade():
         if not _column_exists("api_key", "org_id"):
             op.add_column(
                 "api_key",
-                sa.Column(
-                    "org_id",
-                    sa.Integer(),
-                    nullable=True,
-                    server_default="0",
-                ),
+                sa.Column("org_id", sa.Integer(), nullable=True),
             )
 
     if not _table_exists("machine_api_key"):
@@ -505,6 +500,40 @@ def upgrade():
             ],
         )
 
+    # Ensure the catch-all organization exists.
+    # Used as a temporary placeholder for rules/keys that have no org_id yet
+    # (added in v1.0). Run migrate_v0x_to_v1.py afterwards to reassign them.
+    conn = op.get_bind()
+    catchall_name = "Uncategorized"
+    result = conn.execute(
+        sa.text("SELECT id FROM organization WHERE name = :name"),
+        {"name": catchall_name},
+    )
+    catchall_row = result.fetchone()
+    if catchall_row is None:
+        conn.execute(
+            sa.text(
+                "INSERT INTO organization (name, arange, limit_flowspec4, limit_flowspec6, limit_rtbh)"
+                " VALUES (:name, :arange, 0, 0, 0)"
+            ),
+            {"name": catchall_name, "arange": "0.0.0.0/0 ::/0"},
+        )
+        result = conn.execute(
+            sa.text("SELECT id FROM organization WHERE name = :name"),
+            {"name": catchall_name},
+        )
+        catchall_row = result.fetchone()
+    catchall_id = catchall_row[0]
+
+    # Backfill NULL org_id on existing rows with the catch-all org id.
+    # migrate_v0x_to_v1.py will reassign these to the real organization.
+    for tbl in ("flowspec4", "flowspec6", "RTBH", "api_key", "machine_api_key"):
+        if _table_exists(tbl) and _column_exists(tbl, "org_id"):
+            conn.execute(
+                sa.text(f"UPDATE {tbl} SET org_id = :cid WHERE org_id IS NULL"),  # noqa: S608
+                {"cid": catchall_id},
+            )
+
     if _seed_communities and not _table_has_data("community"):
         op.bulk_insert(
             community_table,

scripts/migrate_v0x_to_v1.py

@@ -17,11 +17,13 @@
 from os import environ
 
 from flowapp import create_app, db
-from flowapp.models import Flowspec4, Flowspec6, RTBH, ApiKey, MachineApiKey
+from flowapp.models import Flowspec4, Flowspec6, RTBH, ApiKey, MachineApiKey, Organization
 from sqlalchemy import text
 
 import config
 
+CATCHALL_ORG_NAME = "Uncategorized"
+
 
 def migrate_org_data():
     exafs_env = environ.get("EXAFS_ENV", "Production").lower()
@@ -43,23 +45,28 @@ def migrate_org_data():
             """
         )
         try:
-            result = db.session.execute(update_statement)
+            db.session.execute(update_statement)
             db.session.commit()
-            print(f"  Updated organization limits.")
+            print("  Updated organization limits.")
         except Exception as e:
             db.session.rollback()
             print(f"  Error updating organizations: {e}")
             return
 
-        # Step 2: Assign rules with org_id=0 to user's organization
-        print("\nAssigning rules with org_id=0 to user organizations...")
+        # Step 2: Assign rules belonging to the catch-all org to the user's real organization
+        catchall = Organization.query.filter_by(name=CATCHALL_ORG_NAME).first()
+        if catchall is None:
+            print(f"\nNo '{CATCHALL_ORG_NAME}' organization found — nothing to reassign.")
+            return
+
+        print(f"\nAssigning rules with org_id={catchall.id} ('{CATCHALL_ORG_NAME}') to user organizations...")
         models = [Flowspec4, Flowspec6, RTBH, ApiKey, MachineApiKey]
         users_with_multiple_orgs = {}
         total_updated = 0
 
         for model in models:
             model_name = model.__name__
-            data_records = model.query.filter(model.org_id == 0).all()
+            data_records = model.query.filter(model.org_id == catchall.id).all()
 
             if not data_records:
                 print(f"  {model_name}: no records with org_id=0")
@@ -98,6 +105,8 @@ def migrate_org_data():
             print("\nPlease manually assign org_id for rules belonging to these users.")
         else:
             print("\nAll records assigned successfully.")
+            print(f"\nYou may now delete the '{CATCHALL_ORG_NAME}' organization")
+            print("from the admin interface if no records remain assigned to it.")
 
 
 if __name__ == "__main__":

tests/test_migration.py

@@ -986,12 +986,29 @@ def test_all_expected_columns(self, migration_db):
         app, db_uri = migration_db
         _run_migration(app)
         for table_name, expected_cols in EXPECTED_COLUMNS.items():
-            actual_cols = _get_columns(db_uri,table_name)
+            actual_cols = _get_columns(db_uri, table_name)
             for col in expected_cols:
                 assert col in actual_cols, (
                     f"Missing column {table_name}.{col}"
                 )
 
+    def test_creates_catchall_organization(self, migration_db):
+        app, db_uri = migration_db
+        _run_migration(app)
+        count = _query_scalar(
+            db_uri, "SELECT COUNT(*) FROM organization WHERE name = 'Uncategorized'"
+        )
+        assert count == 1
+
+    def test_catchall_organization_covers_all_addresses(self, migration_db):
+        app, db_uri = migration_db
+        _run_migration(app)
+        arange = _query_scalar(
+            db_uri, "SELECT arange FROM organization WHERE name = 'Uncategorized'"
+        )
+        assert "0.0.0.0/0" in arange
+        assert "::/0" in arange
+
 
 class TestIdempotent:
     """Test that running migration twice doesn't fail."""
@@ -1418,6 +1435,26 @@ def test_alembic_version_updated(self, migration_db):
             db_uri, "SELECT version_num FROM alembic_version"
         ) == "001_baseline"
 
+    def test_org_id_backfilled_with_catchall(self, migration_db):
+        """Existing rules with no org_id should be assigned the catchall org after migration."""
+        _, db_uri = self._setup_and_migrate(migration_db)
+        catchall_id = _query_scalar(
+            db_uri, "SELECT id FROM organization WHERE name = 'Uncategorized'"
+        )
+        assert catchall_id is not None
+        # No NULLs anywhere
+        for table in ("flowspec4", "flowspec6", "RTBH", "api_key", "machine_api_key"):
+            null_count = _query_scalar(
+                db_uri, f"SELECT COUNT(*) FROM {table} WHERE org_id IS NULL"
+            )
+            assert null_count == 0, f"NULL org_id found in {table} after migration"
+        # Tables that have rows in the 2019 backup should point to catchall
+        for table in ("flowspec4",):
+            catchall_count = _query_scalar(
+                db_uri, f"SELECT COUNT(*) FROM {table} WHERE org_id = {catchall_id}"
+            )
+            assert catchall_count > 0, f"Expected rows in {table} to be assigned to catchall org"
+
     def test_fails_without_clearing_old_revision(self, migration_db):
         """Migration should fail if old alembic_version is not cleared first."""
         app, db_uri = migration_db