@iromli iromli commented Jan 2, 2026

Prepare


Description

Target issue

closes #12936
closes #12939

Implementation Details


Test and Document the changes

  • Static code analysis has been run locally and issues have been fixed
  • Relevant unit and integration tests have been added/updated
  • Relevant documentation has been updated if any (i.e. user guides, installation and configuration guides, technical design docs etc)

Please check the below before submitting your PR. The PR will not be merged if there are no commits that start with docs: to indicate documentation changes or if the below checklist is not selected.

  • I confirm that there is no impact on the docs due to the code changes in this PR.

Summary by CodeRabbit

  • Chores

    • Updated source references used by multiple Docker image builds.
    • Bumped SQLAlchemy requirement to 2.0+.
  • Refactor

    • Standardized SQL parameter binding and metadata handling.
    • Wrapped many database schema and data operations in explicit transactions for greater atomicity.
    • Minor code cleanups and compatibility updates to align with newer SQLAlchemy behavior.


Signed-off-by: iromli <isman.firmansyah@gmail.com>
@iromli iromli self-assigned this Jan 2, 2026
coderabbitai bot commented Jan 2, 2026

Walkthrough

Updated many Dockerfiles to point JANS_SOURCE_VERSION at a new commit; migrated jans-pycloudlib and several scripts to SQLAlchemy 2.x APIs (transactions, text(), URL.create, RowMapping, metadata.reflect) and bumped the sqlalchemy requirement to >=2.0.

Changes

Cohort: Dockerfile asset version updates
File(s): docker-jans-all-in-one/Dockerfile, docker-jans-auth-server/Dockerfile, docker-jans-casa/Dockerfile, docker-jans-cloudtools/Dockerfile, docker-jans-config-api/Dockerfile, docker-jans-configurator/Dockerfile, docker-jans-fido2/Dockerfile, docker-jans-link/Dockerfile, docker-jans-persistence-loader/Dockerfile, docker-jans-saml/Dockerfile, docker-jans-scim/Dockerfile
Summary: ENV JANS_SOURCE_VERSION changed from 6bcc41a0e7f2708e52fe2c950d357dc872b87498 to 436bf147b379c2bf005f554db4b8cce3971c58ad.

Cohort: Small SQLAlchemy/param updates in scripts
File(s): docker-jans-cloudtools/scripts/cleaner.py, docker-jans-saml/scripts/configure_kc.py
Summary: Switched to dict-style parameter binding for conn.execute, wrapped raw SQL with text(), adjusted MetaData.reflect usage, removed unused import.

Cohort: Persistence loader DDL transaction safety
File(s): docker-jans-persistence-loader/scripts/sql_setup.py
Summary: Schema-altering operations now run inside with conn.begin() transactions and execute via text(); MySQL index-drop logic preserved with quoted identifiers; metadata refreshed after changes.

Cohort: jans-pycloudlib — SQLAlchemy v2 migration
File(s): jans-pycloudlib/jans/pycloudlib/lock/sql_lock.py, jans-pycloudlib/jans/pycloudlib/persistence/sql.py
Summary: Adopted SQLAlchemy 2.x idioms: select(table) forms, use text() for raw SQL, wrap DDL/DML in with conn.begin(), convert rows via entry._mapping, use URL.create() and metadata.reflect(self.engine), and renamed pk_colum to pk_column.

Cohort: Dependency manifest
File(s): jans-pycloudlib/pyproject.toml
Summary: Bumped sqlalchemy requirement from >=1.3,<2.0 to >=2.0.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related PRs

Suggested reviewers

  • moabu
  • yuriyz

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

  • Docstring Coverage: ⚠️ Warning. Explanation: Docstring coverage is 70.59% which is insufficient. The required threshold is 80.00%. Resolution: You can run @coderabbitai generate docstrings to improve docstring coverage.

✅ Passed checks (4 passed)

  • Title check: ✅ Passed. The PR title 'chore(cloud-native): upgrade to SQLAlchemy v2.x' clearly and concisely describes the main change: upgrading SQLAlchemy to version 2.x across cloud-native components.
  • Description check: ✅ Passed. The PR description includes all required sections: target issue references (#12936, #12939), preparation checklist completed, implementation details context, and appropriate test/documentation checkboxes marked.
  • Linked Issues check: ✅ Passed. The code changes comprehensively address linked issue #12936 objectives: SQLAlchemy upgraded to v2.x in pyproject.toml, jans-pycloudlib partially rewritten with v2 compatibility patterns (text constructs, transactions, metadata reflection), and container images updated with new asset version.
  • Out of Scope Changes check: ✅ Passed. All code changes are in scope: SQLAlchemy v2.x dependency upgrade, jans-pycloudlib refactoring for v2 compatibility, SQL script updates (transaction wrapping, text() usage), and container asset version updates are all necessary for the upgrade objective.

📜 Recent review details

📥 Commits

Reviewing files that changed from the base of the PR and between 7aff8d7 and 8576808.

📒 Files selected for processing (1)
  • jans-pycloudlib/jans/pycloudlib/lock/sql_lock.py
🧰 Additional context used
🧬 Code graph analysis (1)
jans-pycloudlib/jans/pycloudlib/lock/sql_lock.py (1)
jans-pycloudlib/jans/pycloudlib/persistence/sql.py (1)
  • engine (533-576)
🔇 Additional comments (4)
jans-pycloudlib/jans/pycloudlib/lock/sql_lock.py (4)

72-72: LGTM! Correct SQLAlchemy v2 select() API usage.

The change from select([self.table]) to select(self.table) correctly migrates to the SQLAlchemy v2 API, where select() now accepts positional arguments instead of a list.


79-79: LGTM! Correct SQLAlchemy v2 Row handling.

The change from dict(entry) to dict(entry._mapping) correctly adapts to SQLAlchemy v2's Row API, where ._mapping provides the dict-like interface for Row objects.


101-107: LGTM! Explicit transaction management for write operations.

The addition of with conn.begin() blocks for all write operations (post, put, delete) correctly implements SQLAlchemy v2's recommended pattern for transactional safety. This ensures:

  • Automatic commit on successful completion
  • Automatic rollback on exceptions (including the IntegrityError in post())
  • Explicit transaction boundaries for all DML operations

The read-only get() operation correctly remains outside a transaction block.

Also applies to: 126-128, 142-144


42-44: No issues found. The dialect check is correct and follows the established pattern in the codebase where both "pgsql" and "postgresql" are checked for compatibility with environment variable configuration.


mo-auto commented Jan 2, 2026

Snyk checks have passed. No issues have been found so far.

Scanner: Open Source Security. Critical: 0, High: 0, Medium: 0, Low: 0, Total: 0 issues.

@mo-auto mo-auto added comp-jans-pycloudlib kind-dependencies Pull requests that update a dependency file labels Jan 2, 2026
iromli added 4 commits January 2, 2026 23:13
Signed-off-by: iromli <isman.firmansyah@gmail.com>
Signed-off-by: iromli <isman.firmansyah@gmail.com>
Signed-off-by: iromli <isman.firmansyah@gmail.com>
Signed-off-by: iromli <isman.firmansyah@gmail.com>
@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 8

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)
docker-jans-cloudtools/scripts/cleaner.py (1)

16-22: Add type validation to prevent SQL injection via the --limit parameter.

The limit Click option lacks type validation, meaning it accepts arbitrary strings. Since limit is directly interpolated into SQL queries (lines 38, 40), a malicious value like --limit "1000; DROP TABLE users" could lead to SQL injection.

🔎 Proposed fix
 @click.option(
     "--limit",
     help="How many expired entries need to be removed per table",
+    type=int,
     default=1000,
     show_default=True,
 )
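
Review bot: type=int on the --limit option rejects non-numeric input but still accepts zero and negative integers, and the default=1000 context line shows no upper bound either. Consider type=click.IntRange(min=1) so out-of-range values fail at argument parsing, and pass the value to the query as a bound parameter rather than formatting it into the SQL string.
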
jans-pycloudlib/jans/pycloudlib/lock/sql_lock.py (1)

42-45: Bug: self._dialect should be self.client.dialect.

The SqlLock class doesn't have a _dialect attribute. The dialect is accessed via self.client.dialect. This will raise AttributeError when a DatabaseError is caught.

🔎 Proposed fix
-            if self._dialect in ("pgsql", "postgresql") and exc.orig.pgcode != "42P07":
+            if self.client.dialect in ("pgsql", "postgresql") and exc.orig.pgcode != "42P07":
                 raise_on_error = True
-            elif self._dialect == "mysql" and exc.orig.args[0] != 1050:
+            elif self.client.dialect == "mysql" and exc.orig.args[0] != 1050:
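
Review bot: both rewritten conditions read driver-specific fields without a guard, exc.orig.pgcode in the PostgreSQL branch and exc.orig.args[0] in the MySQL branch, so an exception whose orig lacks pgcode or carries empty args would raise AttributeError or IndexError inside the handler and hide the original DatabaseError. Consider getattr(exc.orig, "pgcode", None) and a length check on args, and read self.client.dialect once into a local instead of in each branch.
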
♻️ Duplicate comments (3)
docker-jans-casa/Dockerfile (1)

64-64: Same JANS_SOURCE_VERSION update as other Dockerfiles.

This change is consistent with the version update in docker-jans-cloudtools/Dockerfile and other files in this PR.

docker-jans-configurator/Dockerfile (1)

30-30: Same JANS_SOURCE_VERSION update as other Dockerfiles.

This change is consistent with the version update across all Dockerfiles in this PR.

docker-jans-fido2/Dockerfile (1)

70-70: Same JANS_SOURCE_VERSION update as other Dockerfiles.

This change is consistent with the version update across all Dockerfiles in this PR.

📜 Review details

📥 Commits

Reviewing files that changed from the base of the PR and between 7b73e80 and 96aeb36.

📒 Files selected for processing (17)
  • docker-jans-all-in-one/Dockerfile
  • docker-jans-auth-server/Dockerfile
  • docker-jans-casa/Dockerfile
  • docker-jans-cloudtools/Dockerfile
  • docker-jans-cloudtools/scripts/cleaner.py
  • docker-jans-config-api/Dockerfile
  • docker-jans-configurator/Dockerfile
  • docker-jans-fido2/Dockerfile
  • docker-jans-link/Dockerfile
  • docker-jans-persistence-loader/Dockerfile
  • docker-jans-persistence-loader/scripts/sql_setup.py
  • docker-jans-saml/Dockerfile
  • docker-jans-saml/scripts/configure_kc.py
  • docker-jans-scim/Dockerfile
  • jans-pycloudlib/jans/pycloudlib/lock/sql_lock.py
  • jans-pycloudlib/jans/pycloudlib/persistence/sql.py
  • jans-pycloudlib/pyproject.toml
🧰 Additional context used
🧠 Learnings (2)
📚 Learning: 2025-11-18T07:43:55.761Z
Learnt from: pujavs
Repo: JanssenProject/jans PR: 12704
File: jans-config-api/docs/jans-config-api-swagger.yaml:17540-17546
Timestamp: 2025-11-18T07:43:55.761Z
Learning: The file `jans-config-api/docs/jans-config-api-swagger.yaml` is auto-generated with dependent modules changes and metadata. The config API does not override it.

Applied to files:

  • docker-jans-configurator/Dockerfile
  • docker-jans-config-api/Dockerfile
📚 Learning: 2025-11-10T17:38:39.610Z
Learnt from: iromli
Repo: JanssenProject/jans PR: 12679
File: docker-jans-config-api/Dockerfile:120-120
Timestamp: 2025-11-10T17:38:39.610Z
Learning: In docker-jans-config-api/Dockerfile, the sed command that replaces 'your-openid-provider.server' with '%(hostname)s' in the adminui-policy-store.json file is intentional. The %(hostname)s variable uses Python string interpolation format and is consumed by scripts executed during container runtime.

Applied to files:

  • docker-jans-fido2/Dockerfile
  • docker-jans-scim/Dockerfile
  • docker-jans-cloudtools/Dockerfile
  • docker-jans-config-api/Dockerfile
  • docker-jans-persistence-loader/Dockerfile
  • docker-jans-casa/Dockerfile
  • docker-jans-saml/Dockerfile
🧬 Code graph analysis (4)
docker-jans-saml/scripts/configure_kc.py (1)
jans-pycloudlib/jans/pycloudlib/persistence/sql.py (2)
  • metadata (660-677)
  • engine (533-576)
jans-pycloudlib/jans/pycloudlib/lock/sql_lock.py (1)
jans-pycloudlib/jans/pycloudlib/persistence/sql.py (1)
  • engine (533-576)
docker-jans-cloudtools/scripts/cleaner.py (1)
jans-pycloudlib/jans/pycloudlib/persistence/sql.py (1)
  • quoted_id (746-748)
jans-pycloudlib/jans/pycloudlib/persistence/sql.py (1)
jans-pycloudlib/jans/pycloudlib/lock/sql_lock.py (2)
  • get (63-81)
  • table (51-61)
🪛 Ruff (0.14.10)
docker-jans-cloudtools/scripts/cleaner.py

38-38: Possible SQL injection vector through string-based query construction

(S608)


40-40: Possible SQL injection vector through string-based query construction

(S608)

jans-pycloudlib/jans/pycloudlib/persistence/sql.py

705-705: Unused noqa directive (unknown: B902)

Remove unused noqa directive

(RUF100)


743-743: Unused noqa directive (unknown: B902)

Remove unused noqa directive

(RUF100)


773-773: Unused noqa directive (unknown: B902)

Remove unused noqa directive

(RUF100)


776-776: Use X | Y for type annotations

Convert to X | Y

(UP007)

🔇 Additional comments (27)
docker-jans-all-in-one/Dockerfile (1)

62-62: The all-in-one image aggregates pre-built component images; SQLAlchemy compatibility must be verified in individual components, not in docker-jans-all-in-one/app/requirements.txt.

The app/requirements.txt does not contain SQLAlchemy. Verify SQLAlchemy v2.x compatibility in the individual component images (configurator, persistence-loader, jans-auth, jans-config-api, jans-fido2, jans-scim, jans-casa, jans-saml) that are composed into this all-in-one image. The commit 5b98e9ff2eff00fa421529fcc5b84e054f3c79b7 aggregates artifacts from these components; any database ORM compatibility updates must be validated in those upstream builds.

Likely an incorrect or invalid review comment.

docker-jans-link/Dockerfile (1)

66-66: The commit correctly aligns with the SQLAlchemy v2.x upgrade.

SQLAlchemy v2.x is properly specified in jans-pycloudlib/pyproject.toml (sqlalchemy>=2.0), and the pinned commit contains the necessary refactoring: updating metadata.reflect(self.engine) to metadata.reflect(conn) in jans-pycloudlib/jans/pycloudlib/persistence/sql.py. This is a required SQLAlchemy 2.0 compatibility change. Runtime testing remains essential to validate the full upgrade path.

docker-jans-auth-server/Dockerfile (1)

106-106: SQLAlchemy v2.x is already specified in jans-pycloudlib, not auth-server—no verification needed.

The commit (5b98e9f) is a table reflection bug fix (metadata.reflect(conn) instead of metadata.reflect(engine)), not a SQLAlchemy v2.x migration. SQLAlchemy v2.x is already a dependency of jans-pycloudlib (via pyproject.toml: sqlalchemy>=2.0), which auth-server depends on. The auth-server's own requirements.txt does not list SQLAlchemy directly—it inherits it transitively.

Likely an incorrect or invalid review comment.

docker-jans-scim/Dockerfile (1)

65-65: Confirmed: jans-pycloudlib specifies SQLAlchemy v2.x compatibility.

The SQLAlchemy v2.x upgrade is properly addressed. The jans-pycloudlib dependency in docker-jans-scim/requirements.txt installs from a local path that includes pyproject.toml specifying sqlalchemy>=2.0. This ensures SQLAlchemy v2.x will be installed at runtime. Verify that commit 5b98e9ff2eff00fa421529fcc5b84e054f3c79b7 is a valid build commit before deployment, as the specific commit hash could not be independently confirmed.

docker-jans-persistence-loader/Dockerfile (1)

21-21: SQLAlchemy v2.x compatibility verified — implementation already meets all requirements.

Verification confirms the persistence-loader component properly implements SQLAlchemy v2.x compatibility:

  • ✅ All DDL/DML operations in sql_setup.py use the text() wrapper for raw SQL (lines 268, 269, 292, 308, 321, 324, 345, 358, 362, 363) — the required v2.0 execution style
  • ✅ SQLAlchemy v2.x is specified: jans-pycloudlib declares sqlalchemy>=2.0 in its dependencies, which is pulled transitively
  • ✅ No v1-style execute patterns detected; all raw SQL properly wrapped with text()

The implementation correctly addresses the sonatype-2023-4321 vulnerability mitigation through SQLAlchemy v2.x.

docker-jans-cloudtools/Dockerfile (1)

47-47: Commit 5b98e9f contains SQLAlchemy v2-compatible changes.

The commit exists and specifically fixes table reflection in jans-pycloudlib (a behavior changed in SQLAlchemy v2). The pyproject.toml in this commit confirms sqlalchemy>=2.0 as an explicit dependency, verifying SQLAlchemy v2 compatibility.

docker-jans-cloudtools/scripts/cleaner.py (1)

38-41: Implementation correctly uses dialect-specific quote characters.

The quoted_id method in SqlClient properly handles identifier quoting for both MySQL (backtick: `) and PostgreSQL (double quote: "). The adapter is correctly initialized based on the CN_SQL_DB_DIALECT environment variable, and the quoting approach is appropriate for table names sourced from database metadata via get_table_mapping().

docker-jans-saml/scripts/configure_kc.py (2)

360-361: LGTM: Correct SQLAlchemy v2.x metadata reflection pattern.

The change from MetaData(bind=self.engine) to MetaData() followed by metadata.reflect(self.engine) correctly adapts to SQLAlchemy 2.x, where the bind parameter was removed from the MetaData constructor.


372-372: LGTM: Correct SQLAlchemy v2.x parameter passing.

The dictionary-based parameter passing ({"username": self.user}) aligns with SQLAlchemy 2.x requirements for text() queries.

docker-jans-persistence-loader/scripts/sql_setup.py (2)

267-269: LGTM: Proper transactional DDL execution.

Wrapping ALTER TABLE operations in an explicit transaction block (with conn.begin()) and using text() for SQL strings aligns with SQLAlchemy 2.x best practices for DDL operations.


291-292: LGTM: Proper transactional column addition.

The transaction block ensures atomicity for the ADD COLUMN operation, consistent with SQLAlchemy 2.x patterns.

docker-jans-config-api/Dockerfile (1)

77-77: Commit 5b98e9f contains SQLAlchemy v2.x compatible assets.

Verified: The commit's jans-pycloudlib/pyproject.toml specifies sqlalchemy>=2.0, confirming the SQLAlchemy v2.x migration is present. The commit message "fix: reflect newly created table" aligns with SQLAlchemy v2 compatibility work.

docker-jans-saml/Dockerfile (1)

42-42: Commit verified to contain SQLAlchemy v2.x compatible assets.

The referenced commit (5b98e9f) includes the necessary SQLAlchemy v2 API changes: text() wrapper for SQL queries, metadata.reflect(engine/conn) calls for table reflection, and proper v2 imports. The pyproject.toml correctly specifies sqlalchemy>=2.0, confirming v2.x compatibility.

jans-pycloudlib/jans/pycloudlib/lock/sql_lock.py (4)

72-81: LGTM! Correct SQLAlchemy v2.x patterns for read operations.

The select(self.table) syntax and entry._mapping access are the correct SQLAlchemy 2.x idioms. Read operations don't require explicit transaction blocks.


100-107: LGTM! Proper transactional write with IntegrityError handling.

The explicit transaction block via conn.begin() is the correct SQLAlchemy 2.x pattern for write operations. The IntegrityError catch for duplicate key scenarios is appropriate.


125-128: LGTM! Consistent transaction handling for update operation.


141-144: LGTM! Consistent transaction handling for delete operation.

jans-pycloudlib/jans/pycloudlib/persistence/sql.py (10)

27-27: LGTM! Required import for SQLAlchemy v2.x raw SQL execution.


649-657: LGTM! Correct use of URL.create() for SQLAlchemy v2.x.

Using URL.create() is the recommended approach in SQLAlchemy 2.x for building connection URLs programmatically.


674-677: LGTM! Correct SQLAlchemy v2.x metadata reflection pattern.

The unbound MetaData() with explicit reflect(self.engine) is the correct v2 approach, as the bind parameter was removed.


681-683: LGTM! Proper use of text() for raw SQL in SQLAlchemy v2.x.


756-761: LGTM! Correct SQLAlchemy v2.x select syntax for count query.


800-803: LGTM! Correct transactional update operation.


810-818: LGTM! Correct SQLAlchemy v2.x patterns for search/iteration.


821-825: LGTM! Proper use of text() and scalar() for version query.


954-957: LGTM! Consistent transactional delete operation.


987-990: LGTM! Proper transactional upsert with dialect-specific query handling.
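
The review above flags the --limit value and table names being formatted into SQL in cleaner.py and approves text(), dict-style binding and with conn.begin(). The following is an added example, not code from this PR or from jans-pycloudlib, that combines those points for a cleanup query. The session_tokens table, its exp column, the in-memory SQLite engine and the helper names parse_limit, quoted_table and purge_expired are all assumptions made for the illustration.

```python
"""Added illustration; not code from the PR or from jans-pycloudlib."""
from sqlalchemy import create_engine, inspect, text
from sqlalchemy.pool import StaticPool

MAX_LIMIT = 100_000  # assumed upper bound for one cleanup pass


def parse_limit(raw):
    """Return raw as an int in [1, MAX_LIMIT], or raise ValueError."""
    try:
        limit = int(str(raw).strip())
    except ValueError:
        raise ValueError(f"limit must be an integer, got {raw!r}") from None
    if not 1 <= limit <= MAX_LIMIT:
        raise ValueError(f"limit must be between 1 and {MAX_LIMIT}, got {limit}")
    return limit


def quoted_table(engine, name):
    """Quote a table name only if the database reports that it exists."""
    if name not in inspect(engine).get_table_names():
        raise ValueError(f"unknown table: {name!r}")
    return engine.dialect.identifier_preparer.quote(name)


def purge_expired(engine, table, raw_limit, now):
    """Delete at most raw_limit rows of table whose exp is before now."""
    limit = parse_limit(raw_limit)
    tbl = quoted_table(engine, table)
    # Identifiers cannot be bound parameters, so only the allowlisted, quoted
    # table name is formatted into the string. Every value, including the
    # row limit, is passed as a bound parameter.
    stmt = text(
        f"DELETE FROM {tbl} WHERE id IN "
        f"(SELECT id FROM {tbl} WHERE exp < :now LIMIT :limit)"
    )
    # Explicit transaction: commits on success, rolls back on any exception.
    with engine.connect() as conn, conn.begin():
        return conn.execute(stmt, {"now": now, "limit": limit}).rowcount


def count_rows(engine, table):
    """Return the number of rows currently in table."""
    tbl = quoted_table(engine, table)
    with engine.connect() as conn:
        return conn.execute(text(f"SELECT COUNT(*) FROM {tbl}")).scalar_one()


def build_demo_engine():
    """In-memory SQLite with five constructed rows (exp = 10, 20, ..., 50)."""
    engine = create_engine("sqlite://", poolclass=StaticPool)
    with engine.begin() as conn:
        conn.execute(text(
            "CREATE TABLE session_tokens "
            "(id INTEGER PRIMARY KEY, exp INTEGER NOT NULL)"
        ))
        conn.execute(
            text("INSERT INTO session_tokens (exp) VALUES (:exp)"),
            [{"exp": e} for e in (10, 20, 30, 40, 50)],
        )
    return engine


if __name__ == "__main__":
    demo = build_demo_engine()
    print("deleted:", purge_expired(demo, "session_tokens", "3", now=45))
    print("remaining:", count_rows(demo, "session_tokens"))
    try:
        purge_expired(demo, "session_tokens", "1000; DROP TABLE users", now=45)
    except ValueError as exc:
        print("rejected:", exc)
```
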

iromli added 3 commits January 3, 2026 00:20
Signed-off-by: iromli <isman.firmansyah@gmail.com>
Signed-off-by: iromli <isman.firmansyah@gmail.com>
Signed-off-by: iromli <isman.firmansyah@gmail.com>
@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 2

📜 Review details

📥 Commits

Reviewing files that changed from the base of the PR and between 96aeb36 and 079a732.

📒 Files selected for processing (3)
  • docker-jans-persistence-loader/scripts/sql_setup.py
  • docker-jans-saml/scripts/configure_kc.py
  • jans-pycloudlib/jans/pycloudlib/persistence/sql.py
🧰 Additional context used
🧬 Code graph analysis (3)
docker-jans-saml/scripts/configure_kc.py (1)
jans-pycloudlib/jans/pycloudlib/persistence/sql.py (2)
  • metadata (660-677)
  • engine (533-576)
docker-jans-persistence-loader/scripts/sql_setup.py (1)
jans-pycloudlib/jans/pycloudlib/persistence/sql.py (1)
  • quoted_id (746-748)
jans-pycloudlib/jans/pycloudlib/persistence/sql.py (1)
jans-pycloudlib/jans/pycloudlib/lock/sql_lock.py (2)
  • get (63-81)
  • table (51-61)
🪛 Ruff (0.14.10)
jans-pycloudlib/jans/pycloudlib/persistence/sql.py

776-776: Use X | Y for type annotations

Convert to X | Y

(UP007)

🔇 Additional comments (11)
docker-jans-saml/scripts/configure_kc.py (2)

360-361: LGTM! Correct SQLAlchemy v2.x metadata initialization.

The metadata is now initialized without binding to an engine, and reflection is performed explicitly via reflect(self.engine). This aligns with SQLAlchemy 2.x best practices.


367-395: LGTM! Correct parameter binding and SQL identifier handling.

The dictionary-style parameter binding (line 372, 392) is correct for SQLAlchemy v2.x. The direct interpolation of the privilege name on line 389 is appropriate, as SQL identifiers (privilege names, table names) cannot be bound parameters. The inline comment clearly explains this constraint.

jans-pycloudlib/jans/pycloudlib/persistence/sql.py (7)

649-657: LGTM! Correct SQLAlchemy v2.x URL construction.

Using URL.create() with explicitly specified parameters (including the empty query={} dict) is the recommended pattern for SQLAlchemy 2.x.


660-677: LGTM! Correct metadata initialization for SQLAlchemy v2.x.

The metadata is initialized without engine binding (line 675) and reflection is performed explicitly via reflect(self.engine) (line 676), which is the correct pattern for SQLAlchemy 2.x.


679-744: LGTM! Correct transaction patterns and text() usage.

The use of text() for raw SQL (lines 682, 702, 742) and explicit transaction blocks with conn.begin() (lines 700, 740) are correct SQLAlchemy v2.x patterns. The metadata refresh within the transaction (line 704) ensures schema changes are immediately visible.


756-825: LGTM! Correct SQLAlchemy v2.x query and result handling patterns.

The code correctly uses:

  • select() with explicit column lists or tables (lines 756, 782-786, 811-813)
  • entry._mapping for converting rows to dictionaries (lines 793, 818)
  • Connection-scoped scalar() with text() for server version query (lines 823-825)

All patterns align with SQLAlchemy 2.x best practices.

Note: The Union type hint on line 776 is intentionally kept per previous review discussion.


795-803: LGTM! Correct transactional update pattern.

The explicit transaction block with conn.begin() ensures the update operation is atomic.


949-957: LGTM! Correct transactional delete pattern.

The delete operation properly uses an explicit transaction and returns a boolean indicating success based on rowcount.


971-990: LGTM! Correct transactional upsert pattern.

The upsert operation properly applies JSON defaults, constructs the dialect-specific upsert query via the adapter, and executes it within a transaction.

docker-jans-persistence-loader/scripts/sql_setup.py (2)

266-269: LGTM! Correct transactional DDL with proper identifier quoting.

The transaction block (line 267) ensures atomicity of the DROP/ADD COLUMN operations, and both statements properly use self.client.quoted_id() for SQL identifiers (table name and column name).


290-292: LGTM! Correct transactional ADD COLUMN with proper quoting.

The explicit transaction and proper identifier quoting are correct.

Signed-off-by: iromli <isman.firmansyah@gmail.com>
@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

📜 Review details

📥 Commits

Reviewing files that changed from the base of the PR and between 079a732 and 5354d0f.

📒 Files selected for processing (1)
  • docker-jans-persistence-loader/scripts/sql_setup.py
🧰 Additional context used
🧬 Code graph analysis (1)
docker-jans-persistence-loader/scripts/sql_setup.py (1)
jans-pycloudlib/jans/pycloudlib/persistence/sql.py (1)
  • quoted_id (746-748)
🔇 Additional comments (4)
docker-jans-persistence-loader/scripts/sql_setup.py (4)

266-269: LGTM! Proper SQLAlchemy v2.x transaction handling.

The transaction block ensures atomic execution of the DROP and ADD COLUMN operations, and identifier quoting is consistently applied to both table and column names using self.client.quoted_id().


290-292: LGTM! Consistent transaction and quoting pattern.

Single DDL statement properly wrapped in a transaction block with consistent identifier quoting.


302-324: LGTM! Previous review feedback addressed.

The identifier quoting inconsistency flagged in past reviews has been fixed - both table_name and idx[0] are now properly quoted using self.client.quoted_id() on line 321. The parameterized information_schema query correctly uses named placeholders with a parameter dictionary.


360-363: LGTM! Consistent identifier quoting in DROP/ADD COLUMN.

Both the DROP COLUMN and ADD COLUMN statements correctly quote all identifiers using self.client.quoted_id(), addressing the consistency concerns from past reviews.

Signed-off-by: iromli <isman.firmansyah@gmail.com>
coderabbitai[bot]
coderabbitai bot previously approved these changes Jan 2, 2026
Signed-off-by: iromli <isman.firmansyah@gmail.com>
coderabbitai[bot]
coderabbitai bot previously approved these changes Jan 2, 2026
sonarqubecloud bot commented Jan 2, 2026

Quality Gate Passed Quality Gate passed for 'Jans authentication server parent'

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code


Signed-off-by: iromli <isman.firmansyah@gmail.com>
Successfully merging this pull request may close these issues.

  • fix(jans-pycloudlib): resolve dialect attribute for the SqlLock class
  • chore(cloud-native): upgrade to SQLAlchemy v2.x

3 participants