fix: seed OAuth IS_*_ENABLED flags individually instead of all-or-nothing

rucoder · rucoder · commit b1ebaadd4583 · 2026-03-09T17:23:38.000+01:00
The configure_instance management command checked whether *any* of the
four IS_*_ENABLED keys (Google, GitHub, GitLab, Gitea) existed before
deciding whether to create them.  Because IS_GITEA_ENABLED was already
seeded by instance_config_variables in the first loop, the exists()
check always returned True and the remaining three keys were silently
skipped.

This meant IS_GITHUB_ENABLED, IS_GOOGLE_ENABLED, and IS_GITLAB_ENABLED
were never created in the database.  Toggling these providers on in
God Mode sent a PATCH to update a non-existent row, which returned
200 OK but did nothing — the toggle appeared to succeed but reverted
on page reload.

Replace the all-or-nothing check with per-key get_or_create so each
flag is seeded independently of the others.

Signed-off-by: Mikhail Malyshev &lt;mike.malyshev@gmail.com&gt;
diff --git a/apps/api/plane/license/management/commands/configure_instance.py b/apps/api/plane/license/management/commands/configure_instance.py
@@ -40,113 +40,57 @@ def handle(self, *args, **options):
             else:
                 self.stdout.write(self.style.WARNING(f"{obj.key} configuration already exists"))
 
-        keys = ["IS_GOOGLE_ENABLED", "IS_GITHUB_ENABLED", "IS_GITLAB_ENABLED", "IS_GITEA_ENABLED"]
-        if not InstanceConfiguration.objects.filter(key__in=keys).exists():
-            for key in keys:
-                if key == "IS_GOOGLE_ENABLED":
-                    GOOGLE_CLIENT_ID, GOOGLE_CLIENT_SECRET = get_configuration_value(
-                        [
-                            {
-                                "key": "GOOGLE_CLIENT_ID",
-                                "default": os.environ.get("GOOGLE_CLIENT_ID", ""),
-                            },
-                            {
-                                "key": "GOOGLE_CLIENT_SECRET",
-                                "default": os.environ.get("GOOGLE_CLIENT_SECRET", "0"),
-                            },
-                        ]
-                    )
-                    if bool(GOOGLE_CLIENT_ID) and bool(GOOGLE_CLIENT_SECRET):
-                        value = "1"
-                    else:
-                        value = "0"
-                    InstanceConfiguration.objects.create(
-                        key=key,
-                        value=value,
-                        category="AUTHENTICATION",
-                        is_encrypted=False,
-                    )
-                    self.stdout.write(self.style.SUCCESS(f"{key} loaded with value from environment variable."))
-                if key == "IS_GITHUB_ENABLED":
-                    GITHUB_CLIENT_ID, GITHUB_CLIENT_SECRET = get_configuration_value(
-                        [
-                            {
-                                "key": "GITHUB_CLIENT_ID",
-                                "default": os.environ.get("GITHUB_CLIENT_ID", ""),
-                            },
-                            {
-                                "key": "GITHUB_CLIENT_SECRET",
-                                "default": os.environ.get("GITHUB_CLIENT_SECRET", "0"),
-                            },
-                        ]
-                    )
-                    if bool(GITHUB_CLIENT_ID) and bool(GITHUB_CLIENT_SECRET):
-                        value = "1"
-                    else:
-                        value = "0"
-                    InstanceConfiguration.objects.create(
-                        key="IS_GITHUB_ENABLED",
-                        value=value,
-                        category="AUTHENTICATION",
-                        is_encrypted=False,
-                    )
-                    self.stdout.write(self.style.SUCCESS(f"{key} loaded with value from environment variable."))
-                if key == "IS_GITLAB_ENABLED":
-                    GITLAB_HOST, GITLAB_CLIENT_ID, GITLAB_CLIENT_SECRET = get_configuration_value(
-                        [
-                            {
-                                "key": "GITLAB_HOST",
-                                "default": os.environ.get("GITLAB_HOST", "https://gitlab.com"),
-                            },
-                            {
-                                "key": "GITLAB_CLIENT_ID",
-                                "default": os.environ.get("GITLAB_CLIENT_ID", ""),
-                            },
-                            {
-                                "key": "GITLAB_CLIENT_SECRET",
-                                "default": os.environ.get("GITLAB_CLIENT_SECRET", ""),
-                            },
-                        ]
-                    )
-                    if bool(GITLAB_HOST) and bool(GITLAB_CLIENT_ID) and bool(GITLAB_CLIENT_SECRET):
-                        value = "1"
-                    else:
-                        value = "0"
-                    InstanceConfiguration.objects.create(
-                        key="IS_GITLAB_ENABLED",
-                        value=value,
-                        category="AUTHENTICATION",
-                        is_encrypted=False,
-                    )
-                    self.stdout.write(self.style.SUCCESS(f"{key} loaded with value from environment variable."))
-                if key == "IS_GITEA_ENABLED":
-                    GITEA_HOST, GITEA_CLIENT_ID, GITEA_CLIENT_SECRET = get_configuration_value(
-                        [
-                            {
-                                "key": "GITEA_HOST",
-                                "default": os.environ.get("GITEA_HOST", ""),
-                            },
-                            {
-                                "key": "GITEA_CLIENT_ID",
-                                "default": os.environ.get("GITEA_CLIENT_ID", ""),
-                            },
-                            {
-                                "key": "GITEA_CLIENT_SECRET",
-                                "default": os.environ.get("GITEA_CLIENT_SECRET", ""),
-                            },
-                        ]
-                    )
-                    if bool(GITEA_HOST) and bool(GITEA_CLIENT_ID) and bool(GITEA_CLIENT_SECRET):
-                        value = "1"
-                    else:
-                        value = "0"
-                    InstanceConfiguration.objects.create(
-                        key="IS_GITEA_ENABLED",
-                        value=value,
-                        category="AUTHENTICATION",
-                        is_encrypted=False,
-                    )
-                    self.stdout.write(self.style.SUCCESS(f"{key} loaded with value from environment variable."))
-        else:
-            for key in keys:
+        # Seed IS_*_ENABLED flags individually so that each missing key
+        # is created independently.  The previous all-or-nothing check
+        # skipped every key when even one already existed (e.g.
+        # IS_GITEA_ENABLED seeded via instance_config_variables).
+        oauth_enabled_keys = {
+            "IS_GOOGLE_ENABLED": lambda: all(
+                get_configuration_value(
+                    [
+                        {"key": "GOOGLE_CLIENT_ID", "default": os.environ.get("GOOGLE_CLIENT_ID", "")},
+                        {"key": "GOOGLE_CLIENT_SECRET", "default": os.environ.get("GOOGLE_CLIENT_SECRET", "")},
+                    ]
+                )
+            ),
+            "IS_GITHUB_ENABLED": lambda: all(
+                get_configuration_value(
+                    [
+                        {"key": "GITHUB_CLIENT_ID", "default": os.environ.get("GITHUB_CLIENT_ID", "")},
+                        {"key": "GITHUB_CLIENT_SECRET", "default": os.environ.get("GITHUB_CLIENT_SECRET", "")},
+                    ]
+                )
+            ),
+            "IS_GITLAB_ENABLED": lambda: all(
+                get_configuration_value(
+                    [
+                        {"key": "GITLAB_HOST", "default": os.environ.get("GITLAB_HOST", "")},
+                        {"key": "GITLAB_CLIENT_ID", "default": os.environ.get("GITLAB_CLIENT_ID", "")},
+                        {"key": "GITLAB_CLIENT_SECRET", "default": os.environ.get("GITLAB_CLIENT_SECRET", "")},
+                    ]
+                )
+            ),
+            "IS_GITEA_ENABLED": lambda: all(
+                get_configuration_value(
+                    [
+                        {"key": "GITEA_HOST", "default": os.environ.get("GITEA_HOST", "")},
+                        {"key": "GITEA_CLIENT_ID", "default": os.environ.get("GITEA_CLIENT_ID", "")},
+                        {"key": "GITEA_CLIENT_SECRET", "default": os.environ.get("GITEA_CLIENT_SECRET", "")},
+                    ]
+                )
+            ),
+        }
+
+        for key, check_configured in oauth_enabled_keys.items():
+            obj, created = InstanceConfiguration.objects.get_or_create(
+                key=key,
+                defaults={
+                    "value": "1" if check_configured() else "0",
+                    "category": "AUTHENTICATION",
+                    "is_encrypted": False,
+                },
+            )
+            if created:
+                self.stdout.write(self.style.SUCCESS(f"{key} loaded with value from environment variable."))
+            else:
                 self.stdout.write(self.style.WARNING(f"{key} configuration already exists"))
diff --git a/apps/api/plane/tests/unit/management/__init__.py b/apps/api/plane/tests/unit/management/__init__.py
diff --git a/apps/api/plane/tests/unit/management/test_configure_instance.py b/apps/api/plane/tests/unit/management/test_configure_instance.py
@@ -0,0 +1,100 @@
+# Copyright (c) 2023-present Plane Software, Inc. and contributors
+# SPDX-License-Identifier: AGPL-3.0-only
+# See the LICENSE file for details.
+
+import pytest
+from io import StringIO
+from unittest.mock import patch
+
+from django.core.management import call_command
+
+from plane.license.models import InstanceConfiguration
+
+
+@pytest.mark.unit
+class TestConfigureInstanceOAuthSeeding:
+    """Test that configure_instance seeds IS_*_ENABLED flags individually."""
+
+    @pytest.mark.django_db
+    def test_creates_all_enabled_flags_when_none_exist(self):
+        """All four IS_*_ENABLED flags should be created on a fresh database."""
+        out = StringIO()
+        with patch.dict("os.environ", {"SECRET_KEY": "test-secret"}):
+            call_command("configure_instance", stdout=out)
+
+        keys = [
+            "IS_GOOGLE_ENABLED",
+            "IS_GITHUB_ENABLED",
+            "IS_GITLAB_ENABLED",
+            "IS_GITEA_ENABLED",
+        ]
+        for key in keys:
+            assert InstanceConfiguration.objects.filter(key=key).exists(), (
+                f"{key} should have been created"
+            )
+
+    @pytest.mark.django_db
+    def test_creates_missing_flags_when_gitea_already_exists(self):
+        """Missing IS_*_ENABLED flags should be created even if IS_GITEA_ENABLED already exists.
+
+        This is the regression scenario: IS_GITEA_ENABLED is seeded by
+        instance_config_variables in the first loop, which previously
+        caused the all-or-nothing exists() check to skip the other three.
+        """
+        # Simulate the state after first loop seeds IS_GITEA_ENABLED
+        InstanceConfiguration.objects.create(
+            key="IS_GITEA_ENABLED",
+            value="0",
+            category="GITEA",
+            is_encrypted=False,
+        )
+
+        out = StringIO()
+        with patch.dict("os.environ", {"SECRET_KEY": "test-secret"}):
+            call_command("configure_instance", stdout=out)
+
+        for key in ["IS_GOOGLE_ENABLED", "IS_GITHUB_ENABLED", "IS_GITLAB_ENABLED"]:
+            assert InstanceConfiguration.objects.filter(key=key).exists(), (
+                f"{key} should have been created even though IS_GITEA_ENABLED already existed"
+            )
+
+    @pytest.mark.django_db
+    def test_does_not_overwrite_existing_enabled_flags(self):
+        """Existing IS_*_ENABLED values should not be overwritten on re-run."""
+        InstanceConfiguration.objects.create(
+            key="IS_GITHUB_ENABLED",
+            value="1",
+            category="AUTHENTICATION",
+            is_encrypted=False,
+        )
+
+        out = StringIO()
+        with patch.dict("os.environ", {"SECRET_KEY": "test-secret"}):
+            call_command("configure_instance", stdout=out)
+
+        config = InstanceConfiguration.objects.get(key="IS_GITHUB_ENABLED")
+        assert config.value == "1", "Existing IS_GITHUB_ENABLED=1 should not be overwritten"
+
+    @pytest.mark.django_db
+    def test_enabled_flags_default_to_zero_without_credentials(self):
+        """Without OAuth env vars, IS_*_ENABLED flags should default to '0'."""
+        out = StringIO()
+        env = {
+            "SECRET_KEY": "test-secret",
+            "GITHUB_CLIENT_ID": "",
+            "GITHUB_CLIENT_SECRET": "",
+            "GOOGLE_CLIENT_ID": "",
+            "GOOGLE_CLIENT_SECRET": "",
+            "GITLAB_HOST": "",
+            "GITLAB_CLIENT_ID": "",
+            "GITLAB_CLIENT_SECRET": "",
+            "GITEA_HOST": "",
+            "GITEA_CLIENT_ID": "",
+            "GITEA_CLIENT_SECRET": "",
+        }
+        with patch.dict("os.environ", env):
+            call_command("configure_instance", stdout=out)
+
+        for key in ["IS_GOOGLE_ENABLED", "IS_GITHUB_ENABLED", "IS_GITLAB_ENABLED", "IS_GITEA_ENABLED"]:
+            config = InstanceConfiguration.objects.get(key=key)
+            assert config.value == "0", f"{key} should be '0' without credentials"
