From dc585a54c66c154288e4f2b13061ab74442fc24e Mon Sep 17 00:00:00 2001
From: Peter Chen <peter-h.chen@broadcom.com>
Date: Mon, 18 Mar 2024 14:07:05 -0700
Subject: [PATCH] fix: UAA delete user endpoint returns false error during
 upgrade canary deployment

- fixes https://github.com/cloudfoundry/uaa/issues/2789 (see bug root
  cause in the issue)
- by bringing back the MFA-related tables exactly as they were

[#187240345]
---
 README.md                                     |  2 ++
 .../db/hsqldb/V4_108__Restore_MFA_Tables.sql  | 27 ++++++++++++++++++
 .../db/mysql/V4_108__Restore_MFA_Tables.sql   | 27 ++++++++++++++++++
 .../postgresql/V4_108__Restore_MFA_Tables.sql | 28 +++++++++++++++++++
 4 files changed, 84 insertions(+)
 create mode 100644 server/src/main/resources/org/cloudfoundry/identity/uaa/db/hsqldb/V4_108__Restore_MFA_Tables.sql
 create mode 100644 server/src/main/resources/org/cloudfoundry/identity/uaa/db/mysql/V4_108__Restore_MFA_Tables.sql
 create mode 100644 server/src/main/resources/org/cloudfoundry/identity/uaa/db/postgresql/V4_108__Restore_MFA_Tables.sql

diff --git a/README.md b/README.md
index d2f78d70b28..c07b24f571e 100644
--- a/README.md
+++ b/README.md
@@ -187,6 +187,7 @@ List of relations
  public | groups                        | table    | root
  public | identity_provider             | table    | root
  public | identity_zone                 | table    | root
+ public | mfa_providers                 | table    | root
  public | oauth_client_details          | table    | root
  public | oauth_code                    | table    | root
  public | oauth_code_id_seq             | sequence | root
@@ -196,6 +197,7 @@ List of relations
  public | sec_audit_id_seq              | sequence | root
  public | spring_session                | table    | root
  public | spring_session_attributes     | table    | root
+ public | user_google_mfa_credentials   | table    | root
  public | user_info                     | table    | root
  public | users                         | table    | root
 (23 rows)
diff --git a/server/src/main/resources/org/cloudfoundry/identity/uaa/db/hsqldb/V4_108__Restore_MFA_Tables.sql b/server/src/main/resources/org/cloudfoundry/identity/uaa/db/hsqldb/V4_108__Restore_MFA_Tables.sql
new file mode 100644
index 00000000000..edc251275f7
--- /dev/null
+++ b/server/src/main/resources/org/cloudfoundry/identity/uaa/db/hsqldb/V4_108__Restore_MFA_Tables.sql
@@ -0,0 +1,27 @@
+-- These tables were previously dropped in https://github.com/cloudfoundry/uaa/pull/2717
+-- Restoring them here due to https://github.com/cloudfoundry/uaa/issues/2789
+-- Can consider dropping these again in the future (e.g. at UAA V78/79, when most users
+-- will no longer experience issue #2789)
+CREATE TABLE mfa_providers IF NOT EXISTS (
+  id CHAR(36) NOT NULL PRIMARY KEY,
+  created TIMESTAMP DEFAULT CURRENT_TIMESTAMP NOT NULL,
+  lastmodified TIMESTAMP DEFAULT CURRENT_TIMESTAMP NOT NULL,
+  identity_zone_id varchar(36) NOT NULL,
+  name varchar(255) NOT NULL,
+  type varchar(255) NOT NULL,
+  config LONGVARCHAR
+);
+
+CREATE UNIQUE INDEX idx_mfa_unique_name ON mfa_providers (identity_zone_id,name);
+
+CREATE TABLE user_google_mfa_credentials IF NOT EXISTS (
+  user_id VARCHAR(36) NOT NULL,
+  secret_key VARCHAR(255) NOT NULL,
+  validation_code INTEGER,
+  scratch_codes VARCHAR(255) NOT NULL,
+  mfa_provider_id CHAR(36) NOT NULL,
+  zone_id CHAR(36) NOT NULL,
+  encryption_key_label VARCHAR(255),
+  encrypted_validation_code VARCHAR(255) NULL,
+  PRIMARY KEY (user_id,mfa_provider_id)
+);
diff --git a/server/src/main/resources/org/cloudfoundry/identity/uaa/db/mysql/V4_108__Restore_MFA_Tables.sql b/server/src/main/resources/org/cloudfoundry/identity/uaa/db/mysql/V4_108__Restore_MFA_Tables.sql
new file mode 100644
index 00000000000..a993f499809
--- /dev/null
+++ b/server/src/main/resources/org/cloudfoundry/identity/uaa/db/mysql/V4_108__Restore_MFA_Tables.sql
@@ -0,0 +1,27 @@
+-- These tables were previously dropped in https://github.com/cloudfoundry/uaa/pull/2717
+-- Restoring them here due to https://github.com/cloudfoundry/uaa/issues/2789
+-- Can consider dropping these again in the future (e.g. at UAA V78/79, when most users
+-- will no longer experience issue #2789)
+CREATE TABLE `mfa_providers` IF NOT EXISTS (
+  `id` varchar(36) NOT NULL,
+  `created` TIMESTAMP default current_timestamp NOT NULL,
+  `lastModified` TIMESTAMP null,
+  `identity_zone_id` varchar(36) NOT NULL,
+  `name` varchar(255) NOT NULL,
+  `type` varchar(255) NOT NULL,
+  `config` longtext,
+  PRIMARY KEY (`id`),
+  UNIQUE KEY `idx_mfa_unique_name` (`identity_zone_id`,`name`)
+);
+
+CREATE TABLE `user_google_mfa_credentials` IF NOT EXISTS (
+  `user_id` VARCHAR(36) NOT NULL,
+  `secret_key` VARCHAR(255) NOT NULL,
+  `validation_code` INTEGER NULL,
+  `scratch_codes` VARCHAR(255) NOT NULL,
+  `mfa_provider_id` CHAR(36) NOT NULL,
+  `zone_id` CHAR(36) NOT NULL,
+  `encryption_key_label` VARCHAR(255),
+  `encrypted_validation_code` VARCHAR(255) NULL;
+  PRIMARY KEY (`user_id`,`mfa_provider_id`)
+);
diff --git a/server/src/main/resources/org/cloudfoundry/identity/uaa/db/postgresql/V4_108__Restore_MFA_Tables.sql b/server/src/main/resources/org/cloudfoundry/identity/uaa/db/postgresql/V4_108__Restore_MFA_Tables.sql
new file mode 100644
index 00000000000..933851ed783
--- /dev/null
+++ b/server/src/main/resources/org/cloudfoundry/identity/uaa/db/postgresql/V4_108__Restore_MFA_Tables.sql
@@ -0,0 +1,28 @@
+-- These tables were previously dropped in https://github.com/cloudfoundry/uaa/pull/2717
+-- Restoring them here due to https://github.com/cloudfoundry/uaa/issues/2789
+-- Can consider dropping these again in the future (e.g. at UAA V78/79, when most users
+-- will no longer experience issue #2789)
+CREATE TABLE mfa_providers IF NOT EXISTS (
+  id VARCHAR(36) NOT NULL PRIMARY KEY,
+  created TIMESTAMP default current_timestamp NOT NULL,
+  lastModified TIMESTAMP null,
+  identity_zone_id VARCHAR(36) NOT NULL,
+  name VARCHAR(255) NOT NULL,
+  type VARCHAR(255) NOT NULL,
+  config TEXT
+);
+
+CREATE UNIQUE INDEX idx_mfa_unique_name ON mfa_providers (identity_zone_id,LOWER(name));
+
+CREATE TABLE user_google_mfa_credentials IF NOT EXISTS (
+  user_id VARCHAR(36) NOT NULL    PRIMARY KEY,
+  secret_key VARCHAR(255) NOT NULL,
+  validation_code INTEGER,
+  scratch_codes VARCHAR(255) NOT NULL,
+  mfa_provider_id CHAR(36) NOT NULL,
+  zone_id CHAR(36) NOT NULL,
+  encryption_key_label VARCHAR(255),
+  encrypted_validation_code VARCHAR(255) NULL
+);
+
+ALTER TABLE user_google_mfa_credentials ADD PRIMARY KEY (user_id,mfa_provider_id);