feat(16-01): add credential_profiles and snmp_profiles tables

- credential_profiles: UUID PK, tenant_id FK with CASCADE, credential_type, encrypted credential fields, unique(tenant_id, name), RLS, poller_user GRANT - snmp_profiles: UUID PK, nullable tenant_id for system profiles, profile_data JSONB, partial unique indexes for tenant vs system name uniqueness, RLS with system profile visibility to all tenants, poller_user GRANT - 6 system seed profiles: generic-snmp, network-switch, network-router, wireless-ap, ups-device, mikrotik-snmp with full OID collection definitions Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-21 18:21:22 -05:00
parent 9c5cf552d9
commit ad26335300
2 changed files with 765 additions and 0 deletions
--- a/backend/alembic/versions/037_credential_profiles_table.py
+++ b/backend/alembic/versions/037_credential_profiles_table.py
@@ -0,0 +1,79 @@
+"""Create credential_profiles table for unified credential management.
+
+Revision ID: 037
+Revises: 036
+Create Date: 2026-03-21
+
+Stores named credential sets (RouterOS, SNMPv1/v2c/v3) that can be
+shared across multiple devices.  Enables fleet-wide credential rotation
+by updating a single profile instead of N individual devices.
+
+Encrypted credentials use the same OpenBao Transit envelope scheme as
+the per-device encrypted_credentials columns on the devices table.
+"""
+
+import sqlalchemy as sa
+from alembic import op
+
+revision = "037"
+down_revision = "036"
+branch_labels = None
+depends_on = None
+
+
+def upgrade() -> None:
+    conn = op.get_bind()
+
+    conn.execute(
+        sa.text("""
+            CREATE TABLE credential_profiles (
+                id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+                tenant_id UUID NOT NULL REFERENCES tenants(id) ON DELETE CASCADE,
+                name TEXT NOT NULL,
+                description TEXT,
+                credential_type TEXT NOT NULL,
+                encrypted_credentials BYTEA,
+                encrypted_credentials_transit TEXT,
+                created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+                updated_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+                UNIQUE(tenant_id, name)
+            )
+        """)
+    )
+
+    conn.execute(
+        sa.text("ALTER TABLE credential_profiles ENABLE ROW LEVEL SECURITY")
+    )
+    conn.execute(
+        sa.text("ALTER TABLE credential_profiles FORCE ROW LEVEL SECURITY")
+    )
+
+    conn.execute(
+        sa.text("""
+            CREATE POLICY credential_profiles_tenant_isolation
+                ON credential_profiles
+                USING (
+                    tenant_id::text = current_setting('app.current_tenant', true)
+                    OR current_setting('app.current_tenant', true) = 'super_admin'
+                )
+                WITH CHECK (
+                    tenant_id::text = current_setting('app.current_tenant', true)
+                    OR current_setting('app.current_tenant', true) = 'super_admin'
+                )
+        """)
+    )
+
+    conn.execute(
+        sa.text("GRANT SELECT ON credential_profiles TO poller_user")
+    )
+
+
+def downgrade() -> None:
+    conn = op.get_bind()
+    conn.execute(
+        sa.text(
+            "DROP POLICY IF EXISTS credential_profiles_tenant_isolation"
+            " ON credential_profiles"
+        )
+    )
+    op.drop_table("credential_profiles")