add create-admin script, update docs

jirivrany · jirivrany · commit 9d7a9548360c · 2026-02-19T10:24:41.000+01:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,19 +5,22 @@ All notable changes to ExaFS will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
-## [1.2.2] - 2026-02-16
+## [1.2.2] - 2026-02-19
 
 ### Changed
 - **Database migrations now tracked in git** — `migrations/` removed from `.gitignore`
 - Replaced `db-init.py` with migration-based initialization (`flask db upgrade`)
 - Removed one-time `/admin/set-org-if-zero` endpoint, replaced with standalone `scripts/migrate_v0x_to_v1.py`
 - Fixed Flask-SQLAlchemy deprecation warning in Alembic `env.py`
 - Template URLs changed to use `url_for` helper, removed unused `rule.html` template
+- **`db-init.py` and `create-admin.py` moved to `scripts/`** — all setup scripts now live under `scripts/`
 
 ### Added
 - Idempotent baseline migration (`001_baseline`) that brings any ExaFS database (from v0.4+ to current) to the v1.2.2 schema
 - Optional `scripts/migrate_v0x_to_v1.py` helper for v0.x to v1.0+ data migration (org_id backfill)
-- `db-init.py --reset` flag for development database reset
+- `scripts/create-admin.py` — interactive script to create the first admin user and organization (replaces manual SQL inserts)
+- `scripts/db-init.py --reset` flag for development database reset
+- Migration test suite (`tests/test_migration.py`) — 46 tests covering fresh install, idempotency, upgrade from v0.4/v0.8/v1.0 schemas, and real 2019 production backup upgrade
 - `PYTHONPATH` set in Docker dev container for easier development
 
 ## [1.2.1] - 2026-01-30
diff --git a/CLAUDE.md b/CLAUDE.md
@@ -115,8 +115,9 @@ exafs/
 ├── config.example.py         # Configuration template
 ├── instance_config_override.example.py # Dashboard override template
 ├── run.example.py            # Application run script template
-├── db-init.py                # Database initialization (runs flask db upgrade)
 ├── scripts/
+│   ├── db-init.py            # Database initialization (runs flask db upgrade)
+│   ├── create-admin.py       # Interactive first admin user setup
 │   └── migrate_v0x_to_v1.py  # Optional v0.x to v1.0+ migration helper
 ├── pyproject.toml            # Project metadata and dependencies
 ├── setup.cfg                 # Setup configuration
@@ -286,7 +287,10 @@ cp run.example.py run.py
 # Edit config.py with database credentials and settings
 
 # Initialize database (runs flask db upgrade)
-python db-init.py
+python scripts/db-init.py
+
+# Create the first admin user and organization
+python scripts/create-admin.py
 
 # Run tests
 pytest
@@ -795,8 +799,9 @@ flask db upgrade                       # Apply migrations
 flake8 .                              # Lint code
 
 # Database
-python db-init.py                      # Initialize database (runs migrations)
-python db-init.py --reset              # Drop all tables and recreate (dev only)
+python scripts/db-init.py             # Initialize database (runs migrations)
+python scripts/db-init.py --reset     # Drop all tables and recreate (dev only)
+python scripts/create-admin.py        # Create first admin user interactively
 flask db stamp 001_baseline            # Mark existing DB as baseline
 flask db current                       # Show current migration
 flask db history                       # Show migration history
diff --git a/docs/DB_MIGRATIONS.md b/docs/DB_MIGRATIONS.md
@@ -13,7 +13,7 @@ flask db upgrade
 Or use the init script:
 
 ```bash
-python db-init.py
+python scripts/db-init.py
 ```
 
 ## Upgrading Between Versions
@@ -102,7 +102,7 @@ Commit the migration file to git so other deployments can apply it.
 To completely reset the database during development:
 
 ```bash
-python db-init.py --reset
+python scripts/db-init.py --reset
 ```
 
 This drops all tables and recreates them from scratch. **Do not use in production.**
diff --git a/docs/INSTALL.md b/docs/INSTALL.md
@@ -126,26 +126,19 @@ You can skip this section if you are using a different deployment method, such a
 
 #### Final steps - as deploy user
 
-1. Copy config.example.py to config.py and fill out the DB credetials. 
+1. Copy config.example.py to config.py and fill out the DB credentials.
 
-2. Create and populate database tables.
+2. Create and populate database tables (roles, actions, rule states):
 ```
 cd ~/www
 source venv/bin/activate
-python db-init.py
+python scripts/db-init.py
 ```
-DB-init script inserts default roles, actions, rule states and two organizations (TUL and Cesnet). But no users.
-
-3. Before start, **use your favorite mysql admin tool and insert some users into database**. 
-The **uuid** of user should be set the **eppn** value provided by Shibboleth. 
-
-You can use following MYSQL commands to insert the user, give him role 'admin' and add him to the the organization 'Cesnet'.
 
+3. Create the first admin user and organization using the interactive setup script:
 ```
-insert into user (uuid,email,name) values ('example@cesnet.cz', 'example@cesnet.cz', 'Mr. Example Admin');
-insert into user_role (user_id,role_id) values (1, 3);
-insert into user_organization (user_id,organization_id) values (1, 2);
-``` 
-You can also modify the models.py for your own default values for db-init.
+python scripts/create-admin.py
+```
+The script will prompt you for the admin's UUID (Shibboleth eppn), name, email, phone, and then create or select an organization with its network address range. It assigns the admin role automatically.
 
 The application is installed and should be working now. The next step is to configure ExaBGP and connect it to the ExaAPI application. We also provide simple service called guarda to reload all the rules in case of ExaBGP restart.
diff --git a/scripts/create-admin.py b/scripts/create-admin.py
@@ -0,0 +1,167 @@
+"""
+Create the initial admin user and organization for ExaFS.
+
+Run this once after 'python db-init.py' to set up the first administrator
+and their organization. Without at least one admin user, the application
+cannot be managed through the web interface.
+
+Usage:
+    python create-admin.py
+"""
+
+import sys
+from os import environ
+
+from flowapp import create_app, db
+from flowapp.models import Organization, Role, User
+
+import config
+
+
+def prompt(label, required=True, default=None):
+    """Prompt for input, optionally with a default value."""
+    if default:
+        display = f"{label} [{default}]: "
+    else:
+        display = f"{label}: "
+
+    while True:
+        value = input(display).strip()
+        if not value and default:
+            return default
+        if value:
+            return value
+        if not required:
+            return ""
+        print(f"  {label} is required.")
+
+
+def create_admin():
+    exafs_env = environ.get("EXAFS_ENV", "Production").lower()
+    if exafs_env in ("devel", "development"):
+        app = create_app(config.DevelopmentConfig)
+    else:
+        app = create_app(config.ProductionConfig)
+
+    db.init_app(app)
+
+    with app.app_context():
+        # Verify migrations have been run
+        admin_role = Role.query.filter_by(name="admin").first()
+        if not admin_role:
+            print("Error: roles not found in database.")
+            print("Please run 'python db-init.py' first.")
+            sys.exit(1)
+
+        print()
+        print("ExaFS initial admin setup")
+        print("=" * 40)
+
+        # --- User ---
+        print()
+        print("Admin user")
+        print("-" * 20)
+        print("UUID is the unique identifier used for authentication.")
+        print("For SSO (Shibboleth), this is typically the eppn attribute.")
+        print("For local auth, use any unique string (e.g. email address).")
+        print()
+
+        while True:
+            uuid = prompt("UUID (e.g. user@example.edu)")
+            existing = User.query.filter_by(uuid=uuid).first()
+            if existing:
+                print(f"  A user with UUID '{uuid}' already exists.")
+                overwrite = input("  Update this user's roles and org? (yes/no): ").strip().lower()
+                if overwrite == "yes":
+                    user = existing
+                    break
+                continue
+            user = None
+            break
+
+        name = prompt("Full name", required=False)
+        email = prompt("Email", default=uuid if "@" in uuid else None)
+        phone = prompt("Phone", required=False)
+
+        # --- Organization ---
+        print()
+        print("Organization")
+        print("-" * 20)
+        print("Address ranges (arange) are whitespace-separated CIDR prefixes.")
+        print("Example: 192.0.2.0/24 2001:db8::/32")
+        print()
+
+        orgs = Organization.query.all()
+        if orgs:
+            print("Existing organizations:")
+            for org in orgs:
+                print(f"  [{org.id}] {org.name}")
+            print()
+            choice = input("Use existing organization ID, or press Enter to create new: ").strip()
+            if choice.isdigit():
+                org = Organization.query.get(int(choice))
+                if not org:
+                    print(f"  Organization {choice} not found, creating new.")
+                    org = None
+            else:
+                org = None
+        else:
+            org = None
+
+        if org is None:
+            org_name = prompt("Organization name")
+            org_arange = prompt("Address ranges (CIDR, space-separated)")
+            org = Organization(name=org_name, arange=org_arange)
+            db.session.add(org)
+            db.session.flush()  # get org.id before commit
+            print(f"  Created organization: {org.name}")
+
+        # --- Confirm ---
+        print()
+        print("Summary")
+        print("=" * 40)
+        print(f"  UUID:         {uuid}")
+        print(f"  Name:         {name or '(not set)'}")
+        print(f"  Email:        {email or '(not set)'}")
+        print(f"  Phone:        {phone or '(not set)'}")
+        print(f"  Role:         admin")
+        print(f"  Organization: {org.name}")
+        print()
+
+        confirm = input("Create admin user? (yes/no): ").strip().lower()
+        if confirm != "yes":
+            print("Aborted.")
+            db.session.rollback()
+            sys.exit(0)
+
+        # --- Create or update user ---
+        if user is None:
+            user = User(uuid=uuid, name=name or None, email=email or None, phone=phone or None)
+            db.session.add(user)
+        else:
+            if name:
+                user.name = name
+            if email:
+                user.email = email
+            if phone:
+                user.phone = phone
+
+        # Assign admin role (avoid duplicates)
+        if not user.role.filter_by(name="admin").first():
+            user.role.append(admin_role)
+
+        # Assign organization (avoid duplicates)
+        if not user.organization.filter_by(id=org.id).first():
+            user.organization.append(org)
+
+        db.session.commit()
+
+        print()
+        print(f"Admin user '{uuid}' created successfully.")
+        print(f"Organization: {org.name}")
+        print()
+        print("You can now log in and manage ExaFS through the web interface.")
+
+
+if __name__ == "__main__":
+    create_admin()
diff --git a/scripts/db-init.py b/scripts/db-init.py
diff --git a/tests/test_migration.py b/tests/test_migration.py
@@ -11,8 +11,6 @@
 - Preserving existing data during migration
 """
 
-import os
-
 import pytest
 from flask import Flask
 from flask_sqlalchemy import SQLAlchemy
