
Update django-oauth-toolkit #2710 #2727

Merged

Conversation

phillxnet
Member

Remove pinning for django-oauth-toolkit and remove explicit declaration of oauthlib as it is a dependency of django-oauth-toolkit.

Re-address prior work-around for older oauth2_provider migration file silently failing to apply, and holding up all subsequent oauth2_provider migrations, as this migration file, and a few subsequent ones, have now been squashed upstream. "oauth2_provider" is part of django-oauth-toolkit.

Includes:

  • Added logging for before & after django-oauth-toolkit migration.
  • Adopt dynamic client_secret for internal Oauth app. As from Django Oauth Toolkit 2.x onwards, Oauth app client_secret is hashed within Django's database, dictating that we can no longer source this secret from the db for our internal cli client app token requests. Move to establishing a dynamic Oauth app client_secret, established in settings.py, and reset by rockstor-bootstrap.service, i.e. on each service restart/reboot.
  • Adding requests timeouts to client token requests.
  • Arbitrary f-string application.
  • Update disk, pool, share, snap state every 20s not every minute.
  • Abandon rockstor-bootstrap.service start (bootstrap script) after 10, not 15 attempts.

Fixes #2710
See issue text, and this pull request's prior draft #2726 for development context.

Remove pinning for django-oauth-toolkit and remove explicit
declaration of oauthlib as it is a dependency of django-oauth-toolkit.

Re-address prior work-around for older oauth2_provider
migration file silently failing to apply, and holding up
all subsequent oauth2_provider migrations, as this migration
file, and a few subsequent ones, have now been squashed upstream.
"oauth2_provider" is part of django-oauth-toolkit.

# Includes:
- Added logging for before & after django-oauth-toolkit migration.
- Adopt dynamic client_secret for internal Oauth app.
As from Django Oauth Toolkit 2.x onwards, Oauth app
client_secret is hashed within Django's database, dictating that
we can no longer source this secret from the db for our internal
cli client app token requests. Move to establishing a dynamic
Oauth app client_secret, established in settings.py, and reset by
rockstor-bootstrap.service, i.e. on each service restart/reboot.
- Adding requests timeouts to client token requests.
- Arbitrary f-string application.
- Update disk, pool, share, snap state every 20s not every minute.
- Abandon rockstor-bootstrap.service start (bootstrap script) after
10, not 15 attempts.
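Why the PR moves to a dynamic client_secret, as an added example (not Rockstor's or django-oauth-toolkit's own code): Django stores the secret in the pbkdf2_sha256$iterations$salt$digest form quoted later in this thread, so the db can only verify a presented secret, never hand the plaintext back. The functions below reproduce that format with the standard library, generate a fresh boot-time secret the way a bootstrap script might, and verify a candidate against the stored hash. Names, the salt and the secret values are constructed for illustration.

```python
import base64
import hashlib
import hmac
import secrets

# Iteration count matching the pbkdf2_sha256$150000$... value quoted in the thread.
ITERATIONS = 150000


def make_hash(secret: str, salt: str, iterations: int = ITERATIONS) -> str:
    """Produce a Django-style 'pbkdf2_sha256$<iter>$<salt>$<b64 digest>' string.

    This is the one-way value that ends up in the db; the plaintext is gone.
    """
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt.encode(), iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt, base64.b64encode(digest).decode())


def check_secret(candidate: str, stored: str) -> bool:
    """Verify a presented client_secret against the stored hash.

    Re-derives the hash with the stored salt and iteration count and compares in
    constant time; a stored value in any other format is rejected.
    """
    parts = stored.split("$", 3)
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iterations, salt, _ = parts
    recomputed = make_hash(candidate, salt, int(iterations))
    return hmac.compare_digest(recomputed, stored)


def new_client_secret(nbytes: int = 32) -> str:
    """Generate a fresh dynamic client_secret (what a boot-time reset would produce).

    The plaintext must be kept by the client side (e.g. settings.py); only its hash
    can live in the db.
    """
    return secrets.token_urlsafe(nbytes)


if __name__ == "__main__":
    # Constructed demo: hash a boot-time secret, then verify a good and a bad candidate.
    secret = new_client_secret()
    stored = make_hash(secret, "WcDBK8lIm7em")
    print(stored)
    print("good:", check_secret(secret, stored), "bad:", check_secret("wrong", stored))
```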
@phillxnet
Member Author

A caveat for this PR is that we have moved, temporarily, from an install-persistent OAUTH_INTERNAL_APP client secret to a boot-persistent one only (bootstrap script established). This is insufficient for our needs, but has been split out into the following (linked) issue as this relates to a wider requirement we have in this area.

"Adopt dedicated secrets management library #2728"

@phillxnet
Member Author

phillxnet commented Oct 30, 2023

On a fresh RPM build (Host OS 15.5) we are still seeing a migration issue here regarding the upstream squashes and the removal of our prior work-around:

[30/Oct/2023 18:23:06] INFO [system.ssh:394] SSHD (/etc/ssh/sshd_config) sftp-server already disabled
[30/Oct/2023 18:23:06] INFO [system.ssh:100] SSHD (/etc/ssh/sshd_config) already initialised
[30/Oct/2023 18:23:36] INFO [scripts.initrock:596] Prior migrations for oauth2_provider are: ['oauth2_provider', ' [X] 0001_initial', ' [ ] 0002_auto_20190406_1805', ' [ ] 0003_auto_20201211_1314', ' [ ] 0004_auto_20200902_2022', ' [ ] 0005_auto_20211222_2352', ' [ ] 0006_alter_application_client_secret', ' [ ] 0007_application_post_logout_redirect_uris', '']
[30/Oct/2023 18:23:38] ERROR [system.osi:261] non-zero code(1) returned by command: ['/opt/rockstor/.venv/bin/django-admin', 'migrate', '--noinput', 'oauth2_provider']. output: ['Operations to perform:', '  Apply all migrations: oauth2_provider', 'Running migrations:', '  Applying oauth2_provider.0002_auto_20190406_1805... OK', '  Applying oauth2_provider.0003_auto_20201211_1314... OK', '  Applying oauth2_provider.0004_auto_20200902_2022... OK', '  Applying oauth2_provider.0005_auto_20211222_2352... OK', '  Applying oauth2_provider.0006_alter_application_client_secret...'] error: ['Traceback (most recent call last):', '  File "/opt/rockstor/.venv/lib/python3.9/site-packages/django/db/backends/utils.py", line 84, in _execute', '    return self.cursor.execute(sql, params)', 'psycopg2.errors.UndefinedColumn: column oauth2_provider_application.created does not exist', 'LINE 1: ...auth2_provider_application"."skip_authorization", "oauth2_pr...', '                                                             ^', '', '', 'The above exception was the direct cause of the following exception:', '', 'Traceback (most recent call last):', '  File "/opt/rockstor/.venv/bin/django-admin", line 8, in <module>', '    sys.exit(execute_from_command_line())', '  File "/opt/rockstor/.venv/lib/python3.9/site-packages/django/core/management/__init__.py", line 381, in execute_from_command_line', '    utility.execute()', '  File "/opt/rockstor/.venv/lib/python3.9/site-packages/django/core/management/__init__.py", line 375, in execute', '    self.fetch_command(subcommand).run_from_argv(self.argv)', '  File "/opt/rockstor/.venv/lib/python3.9/site-packages/django/core/management/base.py", line 323, in run_from_argv', '    self.execute(*args, **cmd_options)', '  File "/opt/rockstor/.venv/lib/python3.9/site-packages/django/core/management/base.py", line 364, in execute', '    output = self.handle(*args, **options)', '  File 
"/opt/rockstor/.venv/lib/python3.9/site-packages/django/core/management/base.py", line 83, in wrapped', '    res = handle_func(*args, **kwargs)', '  File "/opt/rockstor/.venv/lib/python3.9/site-packages/django/core/management/commands/migrate.py", line 232, in handle', '    post_migrate_state = executor.migrate(', '  File "/opt/rockstor/.venv/lib/python3.9/site-packages/django/db/migrations/executor.py", line 117, in migrate', '    state = self._migrate_all_forwards(state, plan, full_plan, fake=fake, fake_initial=fake_initial)', '  File "/opt/rockstor/.venv/lib/python3.9/site-packages/django/db/migrations/executor.py", line 147, in _migrate_all_forwards', '    state = self.apply_migration(state, migration, fake=fake, fake_initial=fake_initial)', '  File "/opt/rockstor/.venv/lib/python3.9/site-packages/django/db/migrations/executor.py", line 245, in apply_migration', '    state = migration.apply(state, schema_editor)', '  File "/opt/rockstor/.venv/lib/python3.9/site-packages/django/db/migrations/migration.py", line 124, in apply', '    operation.database_forwards(self.app_label, schema_editor, old_state, project_state)', '  File "/opt/rockstor/.venv/lib/python3.9/site-packages/django/db/migrations/operations/special.py", line 190, in database_forwards', '    self.code(from_state.apps, schema_editor)', '  File "/opt/rockstor/.venv/lib/python3.9/site-packages/oauth2_provider/migrations/0006_alter_application_client_secret.py", line 13, in forwards_func', '    for application in applications:', '  File "/opt/rockstor/.venv/lib/python3.9/site-packages/django/db/models/query.py", line 274, in __iter__', '    self._fetch_all()', '  File "/opt/rockstor/.venv/lib/python3.9/site-packages/django/db/models/query.py", line 1242, in _fetch_all', '    self._result_cache = list(self._iterable_class(self))', '  File "/opt/rockstor/.venv/lib/python3.9/site-packages/django/db/models/query.py", line 55, in __iter__', '    results = 
compiler.execute_sql(chunked_fetch=self.chunked_fetch, chunk_size=self.chunk_size)', '  File "/opt/rockstor/.venv/lib/python3.9/site-packages/django/db/models/sql/compiler.py", line 1142, in execute_sql', '    cursor.execute(sql, params)', '  File "/opt/rockstor/.venv/lib/python3.9/site-packages/django/db/backends/utils.py", line 67, in execute', '    return self._execute_with_wrappers(sql, params, many=False, executor=self._execute)', '  File "/opt/rockstor/.venv/lib/python3.9/site-packages/django/db/backends/utils.py", line 76, in _execute_with_wrappers', '    return executor(sql, params, many, context)', '  File "/opt/rockstor/.venv/lib/python3.9/site-packages/django/db/backends/utils.py", line 84, in _execute', '    return self.cursor.execute(sql, params)', '  File "/opt/rockstor/.venv/lib/python3.9/site-packages/django/db/utils.py", line 89, in __exit__', '    raise dj_exc_value.with_traceback(traceback) from exc_value', '  File "/opt/rockstor/.venv/lib/python3.9/site-packages/django/db/backends/utils.py", line 84, in _execute', '    return self.cursor.execute(sql, params)', 'django.db.utils.ProgrammingError: column oauth2_provider_application.created does not exist', 'LINE 1: ...auth2_provider_application"."skip_authorization", "oauth2_pr...', '                                                             ^', '', '']

The DB state on this rpm build is a from-scratch scenario, given we are failing on the fresh-install phase (i.e. no .initrock)!
I.e. initrock will have dropped our default database, where our oauth_provider is trying to instantiate afresh.

@phillxnet
Member Author

We seem to be failing in the clean-start scenario with the following newer package's migration:

'  Applying oauth2_provider.0006_alter_application_client_secret...'] error: ['Traceback (most recent call last):', '  File "/opt/rockstor/.venv/lib/python3.9/site-packages/django/db/backends/utils.py",
 line 84, in _execute', '    return self.cursor.execute(sql, params)', 'psycopg2.errors.UndefinedColumn: column oauth2_provider_application.created does not exist'

The current suspicion is that the newly squashed contents of 0001_initial, now containing many of the older migrations of the prior much older package, has ended up with our clean-start db setup skipping some of the earlier migrations. However this does not tally with the clean-start basis here!! So we likely have a db initialisation 'mistake' that we have thus far avoided or worked around. I.e. an earlier squash of our own has inadvertently included an external package's migrations:

See:

[30/Oct/2023 18:23:36] INFO [scripts.initrock:596] Prior migrations for oauth2_provider are: ['oauth2_provider', ' [X] 0001_initial', ' [ ] 0002_auto_20190406_1805', ' [ ] 0003_auto_20201211_1314', ' [ ] 0004_auto_20200902_2022', ' [ ] 0005_auto_20211222_2352', ' [ ] 0006_alter_application_client_secret', ' [ ] 0007_application_post_logout_redirect_uris', '']

Indicates that what is expected to be a clean default db, from oauth2_provider's perspective, does in fact already show the 0001_initial migration to be in place.

I suspect we have this embedded in one of our db setup systems and need to remove it so that we can leave these external app migrations to the external app. @FroggyFlox I know you are working on:
#2723
where you have recently looked at our initial db setup systems. Your thought here?

I'll move this back to a Draft PR for now and look to weeding out our likely erroneously included oauth2_provider migration that we must now have carried for quite some time!! But that is not our responsibility, but that of the Django oauth toolkit - hence our current blocker here I suspect.
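The diagnosis above rests on reading the "Prior migrations" list that initrock logs (django-admin showmigrations output split into lines). As an added example, not Rockstor's initrock code, the parser below turns such a list into (name, applied) pairs and classifies the recorded state, flagging the case this thread hit: a db expected to be clean that already records 0001_initial as applied while every later migration is pending. The two sample lists are constructed from the log lines quoted in this thread.

```python
import re

# One showmigrations entry: optional leading space, "[X]" or "[ ]", then the name.
MIGRATION_RE = re.compile(r"^\s*\[(?P<applied>[X ])\]\s+(?P<name>\S+)\s*$")


def parse_showmigrations(lines):
    """Return (app_label, [(migration_name, applied), ...]) from showmigrations lines."""
    app_label = None
    migrations = []
    for line in lines:
        if not line.strip():
            continue  # trailing '' entry in the logged list
        match = MIGRATION_RE.match(line)
        if match:
            migrations.append((match.group("name"), match.group("applied") == "X"))
        elif app_label is None:
            app_label = line.strip()  # first non-entry line is the app label
    return app_label, migrations


def diagnose(lines, expect_clean):
    """Classify the recorded state as 'clean', 'preseeded', 'complete' or 'partial'.

    'preseeded' is the suspicious case: the db should have no oauth2_provider
    migrations recorded, yet at least one is already marked applied.
    """
    _, migrations = parse_showmigrations(lines)
    applied = [name for name, ok in migrations if ok]
    if not applied:
        return "clean"
    if expect_clean:
        return "preseeded"
    return "complete" if len(applied) == len(migrations) else "partial"


# Constructed from the 30 Oct log line: only 0001_initial recorded as applied.
PRIOR_30_OCT = ['oauth2_provider', ' [X] 0001_initial', ' [ ] 0002_auto_20190406_1805',
                ' [ ] 0003_auto_20201211_1314', ' [ ] 0004_auto_20200902_2022',
                ' [ ] 0005_auto_20211222_2352', ' [ ] 0006_alter_application_client_secret',
                ' [ ] 0007_application_post_logout_redirect_uris', '']

# Constructed to mirror a fully migrated state (all entries marked [X]).
ALL_APPLIED = [PRIOR_30_OCT[0]] + [e.replace("[ ]", "[X]") for e in PRIOR_30_OCT[1:-1]] + ['']

if __name__ == "__main__":
    label, entries = parse_showmigrations(PRIOR_30_OCT)
    print(label, diagnose(PRIOR_30_OCT, expect_clean=True))
    print("pending:", [name for name, ok in entries if not ok])
```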

@phillxnet phillxnet marked this pull request as draft October 30, 2023 19:06
@FroggyFlox
Member

I suspect we have this embedded in one of our db setup systems and need to remove it so that we can leave these external app migrations to the external app.

That does seem like a very good suspicion, indeed, given our db restore using psql seems (to me) redundant with Django's migration system.

@phillxnet
Member Author

Testing

It is now possible, assuming a re-base on latest testing (in this case done by our backend buildbot test setup), to do an RPM build (Host OS 15.5) of this PR, and for that rpm to install afresh on the build host and have all the resulting main rockstor services start as expected. This service start failed prior to the linked, and now merged, PR #2733.

TODO:

Assess if we are able to update from significant prior released RPM versions.

@phillxnet
Member Author

Log of the rpm's rockstor-pre.service's initrock script indicating that our new db setup via Django migrations only, in #2733, has successfully accomplished the oauth2_provider migrations:

[07/Nov/2023 17:10:38] INFO [system.ssh:100] SSHD (/etc/ssh/sshd_config) already initialised
[07/Nov/2023 17:11:05] INFO [scripts.initrock:595] Prior migrations for oauth2_provider are: ['oauth2_provider', ' [X] 0001_initial', ' [X] 0002_auto_20190406_1805', ' [X] 0003_auto_20201211_1314', ' [X] 0004_auto_20200902_2022', ' [X] 0005_auto_20211222_2352', ' [X] 0006_alter_application_client_secret', ' [X] 0007_application_post_logout_redirect_uris', '']
[07/Nov/2023 17:11:09] INFO [scripts.initrock:601] Post migrations for oauth2_provider are: ['oauth2_provider', ' [X] 0001_initial', ' [X] 0002_auto_20190406_1805', ' [X] 0003_auto_20201211_1314', ' [X] 0004_auto_20200902_2022', ' [X] 0005_auto_20211222_2352', ' [X] 0006_alter_application_client_secret', ' [X] 0007_application_post_logout_redirect_uris', '']
[07/Nov/2023 17:11:11] INFO [scripts.initrock:269] Normalising on shellinaboxd service file

And that our existing (in a fresh install redundant) follow-up is of no effect - bar inefficiency to be addressed in a dedicated issue once we have this PR settled in, and we are clear on the ramifications regarding recent db setup/migration changes.

@phillxnet
Member Author

We also have confirmation re the raised caveat in the following comment above (#2727 (comment)) re duplication:

In System -> Access Keys
for the default cliapp used in replication:

Name   | Access Key ID                            | Secret Access Key
cliapp | QHWD4H4wO38NzCgSm81HMfwcvbV7o5V8y56Cxzrd | pbkdf2_sha256$150000$WcDBK8lIm7em$IrTpn5N/KGG1NB1KjW2IzTz7Kcbi9ZoQMks0HpbK4wI=

Our retrieval (from the Django default db) now only shows the hashed secret. See also:
"Adopt dedicated secrets management library #2728"
for a required follow-up. We should also change this interface component so that it shows or provides access to the actual secret. Along with establishing this secret as install-persistent, rather than (as of this PR) boot persistent.
Install persistence could be achieved via a scriptlet addition in rockstor-rpmbuild via a settings.py edit. But this should be done in the context of #2728.

@phillxnet
Member Author

phillxnet commented Nov 8, 2023

Summary of testing:

RPMs built on the indicated host as version 5.0.5-2727, PR contents rebased on latest testing branch.

Leap 15.5 base amd64

  • Fresh install of 5.0.5-2727 RPM. Reboot OK.
  • Fresh install of 5.0-5-0 RPM, rebooted, updated via Web-UI to 5.0.5-2727, rebooted OK
[08/Nov/2023 13:16:02] INFO [scripts.initrock:595] Prior migrations for oauth2_provider are: ['oauth2_provider', ' [X] 0001_initial', ' [ ] 0002_auto_20190406_1805', ' [ ] 0003_auto_20201211_1314', ' [ ] 0004_auto_20200902_2022', ' [ ] 0005_auto_20211222_2352', ' [ ] 0006_alter_application_client_secret', ' [ ] 0007_application_post_logout_redirect_uris', '']
[08/Nov/2023 13:16:07] INFO [scripts.initrock:601] Post migrations for oauth2_provider are: ['oauth2_provider', ' [X] 0001_initial', ' [X] 0002_auto_20190406_1805', ' [X] 0003_auto_20201211_1314', ' [X] 0004_auto_20200902_2022', ' [X] 0005_auto_20211222_2352', ' [X] 0006_alter_application_client_secret', ' [X] 0007_application_post_logout_redirect_uris', '']

Leap 15.4 base amd64

  • Fresh install of 5.0.5-2727 RPM. Reboot OK.
  • Fresh install of 4.6.1-0 RPM, rebooted, updated via Web-UI to 5.0.5-2727, rebooted OK
[08/Nov/2023 15:31:03] INFO [scripts.initrock:595] Prior migrations for oauth2_provider are: ['oauth2_provider', ' [X] 0001_initial', ' [ ] 0002_auto_20190406_1805', ' [ ] 0003_auto_20201211_1314', ' [ ] 0004_auto_20200902_2022', ' [ ] 0005_auto_20211222_2352', ' [ ] 0006_alter_application_client_secret', ' [ ] 0007_application_post_logout_redirect_uris', '']
[08/Nov/2023 15:31:07] INFO [scripts.initrock:601] Post migrations for oauth2_provider are: ['oauth2_provider', ' [X] 0001_initial', ' [X] 0002_auto_20190406_1805', ' [X] 0003_auto_20201211_1314', ' [X] 0004_auto_20200902_2022', ' [X] 0005_auto_20211222_2352', ' [X] 0006_alter_application_client_secret', ' [X] 0007_application_post_logout_redirect_uris', '']

@phillxnet phillxnet marked this pull request as ready for review November 8, 2023 15:40
@phillxnet
Member Author

@FroggyFlox & @Hooverdan96
Given my last comment re testing summary, we look to be again in the clear on this one, db migration wise, for the latest RPM packages already published in both stable and testing channels.

Noting again the regression introduced here (see #2727 (comment)) I'll go ahead and merge, as we are holding up other important updates and improvements with this recent db stuff. I.e. @FroggyFlox's services stuff (no more sql.in dump file to worry about now) & the Django update Milestone.

@phillxnet phillxnet merged commit 07fe3b8 into rockstor:testing Nov 8, 2023
@phillxnet phillxnet deleted the 2710-Update-django-oauth-toolkit branch November 8, 2023 15:59