Add constraints to enforce v1/v2-dependent fields

2025-12-15 04:49:36 -06:00 · 2025-10-02 16:05:09 -04:00 · 2025-10-02 16:05:09 -04:00 · 43fc7fb58a
commit 43fc7fb58a
parent 11099b01bb
2 changed files with 47 additions and 0 deletions
--- a/netbox/users/migrations/0014_users_token_v2.py
+++ b/netbox/users/migrations/0014_users_token_v2.py
@ -72,4 +72,29 @@ class Migration(migrations.Migration):
            name='hmac_digest',
            field=models.CharField(blank=True, max_length=64, null=True),
        ),
+
+        # Add constraints to enforce v1/v2-dependent fields
+        migrations.AddConstraint(
+            model_name='token',
+            constraint=models.CheckConstraint(
+                name='enforce_version_dependent_fields',
+                condition=models.Q(
+                    models.Q(
+                        ('hmac_digest__isnull', True),
+                        ('key__isnull', True),
+                        ('pepper_id__isnull', True),
+                        ('plaintext__isnull', False),
+                        ('version', 1)
+                    ),
+                    models.Q(
+                        ('hmac_digest__isnull', False),
+                        ('key__isnull', False),
+                        ('pepper_id__isnull', False),
+                        ('plaintext__isnull', True),
+                        ('version', 2)
+                    ),
+                    _connector='OR'
+                )
+            )
+        ),
    ]
--- a/netbox/users/models/tokens.py
+++ b/netbox/users/models/tokens.py
@ -7,6 +7,7 @@ from django.contrib.postgres.fields import ArrayField
 from django.core.exceptions import ValidationError
 from django.core.validators import MinLengthValidator
 from django.db import models
+from django.db.models import Q
 from django.urls import reverse
 from django.utils import timezone
 from django.utils.translation import gettext_lazy as _
@ -110,6 +111,27 @@ class Token(models.Model):
        ordering = ('-created',)
        verbose_name = _('token')
        verbose_name_plural = _('tokens')
+        constraints = [
+            models.CheckConstraint(
+                name='enforce_version_dependent_fields',
+                condition=(
+                    Q(
+                        version=1,
+                        key__isnull=True,
+                        pepper_id__isnull=True,
+                        hmac_digest__isnull=True,
+                        plaintext__isnull=False
+                    ) |
+                    Q(
+                        version=2,
+                        key__isnull=False,
+                        pepper_id__isnull=False,
+                        hmac_digest__isnull=False,
+                        plaintext__isnull=True
+                    )
+                ),
+            ),
+        ]

    def __init__(self, *args, token=None, **kwargs):
        super().__init__(*args, **kwargs)