exclude Actor.PrivateKey from GORM, read via raw SQL in export-keys

Author: parkan

handler/wallet/export_keys.go

@@ -17,6 +17,14 @@ type ExportKeysResult struct {
 	Errors   []string // actors that failed (logged but don't abort)
 }
 
+// actor row with the legacy private_key column, used only by export-keys.
+// Actor.PrivateKey is gorm:"-" in the model so we need a local type for raw SQL.
+type legacyActorRow struct {
+	ID         string
+	Address    string
+	PrivateKey string
+}
+
 // exports private keys from the legacy Actor.PrivateKey column into the
 // filesystem keystore, creating Wallet records where needed.
 // idempotent -- skips actors whose address already has a Wallet record.
@@ -28,8 +36,8 @@ func ExportKeysHandler(
 ) (*ExportKeysResult, error) {
 	db = db.WithContext(ctx)
 
-	var actors []model.Actor
-	err := db.Where("private_key != '' AND private_key IS NOT NULL").Find(&actors).Error
+	var actors []legacyActorRow
+	err := db.Raw("SELECT id, address, private_key FROM actors WHERE private_key != '' AND private_key IS NOT NULL").Scan(&actors).Error
 	if err != nil {
 		return nil, errors.Wrap(err, "failed to query actors with private keys")
 	}
@@ -49,12 +57,59 @@ func ExportKeysHandler(
 		}
 	}
 
+	// after exporting keys, migrate wallet_assignments if the legacy table exists
+	if err := migrateWalletAssignments(db); err != nil {
+		result.Errors = append(result.Errors, fmt.Sprintf("wallet_assignments migration: %v", err))
+	}
+
 	return result, nil
 }
 
+// migrates legacy wallet_assignments (preparation_id, wallet_id=actor_id_string)
+// to preparation.wallet_id (uint FK to new wallets table). drops the table after.
+func migrateWalletAssignments(db *gorm.DB) error {
+	if !db.Migrator().HasTable("wallet_assignments") {
+		return nil
+	}
+
+	type row struct {
+		PreparationID uint
+		WalletID      string // old actor ID (f0...)
+	}
+	var rows []row
+	if err := db.Raw("SELECT preparation_id, wallet_id FROM wallet_assignments").Scan(&rows).Error; err != nil {
+		return errors.Wrap(err, "failed to read wallet_assignments")
+	}
+
+	migrated := 0
+	for _, r := range rows {
+		// find the new wallet by actor_id
+		var wallet model.Wallet
+		if err := db.Where("actor_id = ?", r.WalletID).First(&wallet).Error; err != nil {
+			logger.Warnw("wallet_assignment: no wallet found for actor, skipping",
+				"preparation_id", r.PreparationID, "actor_id", r.WalletID)
+			continue
+		}
+		if err := db.Exec("UPDATE preparations SET wallet_id = ? WHERE id = ? AND wallet_id IS NULL",
+			wallet.ID, r.PreparationID).Error; err != nil {
+			return errors.Wrapf(err, "failed to set wallet_id for preparation %d", r.PreparationID)
+		}
+		migrated++
+	}
+
+	if err := db.Migrator().DropTable("wallet_assignments"); err != nil {
+		return errors.Wrap(err, "failed to drop wallet_assignments")
+	}
+
+	if migrated > 0 {
+		logger.Infow("migrated wallet_assignments to preparation.wallet_id", "migrated", migrated)
+	}
+	return nil
+}
+
 // exports a single actor's key to keystore, returns (true, "") on success,
 // (false, "") on skip, ("", errMsg) on failure
-func exportOneKey(db *gorm.DB, ks keystore.KeyStore, actor model.Actor) (exported bool, errMsg string) {
+func exportOneKey(db *gorm.DB, ks keystore.KeyStore, actor legacyActorRow) (exported bool, errMsg string) {
 	// derive address to check for existing wallet
 	addr, err := keystore.AddressFromExport(actor.PrivateKey)
 	if err != nil {
@@ -114,7 +169,17 @@ func exportOneKey(db *gorm.DB, ks keystore.KeyStore, actor model.Actor) (exporte
 }
 
 func HasPrivateKeyColumn(db *gorm.DB) bool {
-	return db.Migrator().HasColumn(&model.Actor{}, "private_key")
+	// can't use db.Migrator().HasColumn(&model.Actor{}, "private_key") because
+	// the field is gorm:"-" -- GORM won't resolve the column name. query directly.
+	dialect := db.Dialector.Name()
+	var count int64
+	switch dialect {
+	case "sqlite":
+		db.Raw("SELECT COUNT(*) FROM pragma_table_info('actors') WHERE name = 'private_key'").Scan(&count)
+	default:
+		db.Raw("SELECT COUNT(*) FROM information_schema.columns WHERE table_schema = current_schema() AND table_name = 'actors' AND column_name = 'private_key'").Scan(&count)
+	}
+	return count > 0
 }
 
 // counts actors that still have a non-empty private_key in the database.

handler/wallet/export_keys_test.go

@@ -12,18 +12,38 @@ import (
 	"gorm.io/gorm"
 )
 
+// model without -:migration, used to simulate a legacy database where
+// AutoMigrate created the private_key column
+type legacyActor struct {
+	ID         string `gorm:"primaryKey;size:15"`
+	Address    string `gorm:"index"`
+	PrivateKey string
+}
+
+func (legacyActor) TableName() string { return "actors" }
+
+// simulates a legacy database by running AutoMigrate with the old model
+// that includes private_key as a normal column
+func addLegacyColumn(t *testing.T, db *gorm.DB) {
+	t.Helper()
+	require.NoError(t, db.AutoMigrate(&legacyActor{}))
+}
+
+// inserts an actor with a legacy private_key via the legacy model
+func createLegacyActor(t *testing.T, db *gorm.DB, id, address, privateKey string) {
+	t.Helper()
+	require.NoError(t, db.Create(&legacyActor{
+		ID: id, Address: address, PrivateKey: privateKey,
+	}).Error)
+}
+
 func TestExportKeysHandler_ExportsActorKey(t *testing.T) {
 	testutil.All(t, func(ctx context.Context, t *testing.T, db *gorm.DB) {
 		ks, err := keystore.NewLocalKeyStore(t.TempDir())
 		require.NoError(t, err)
 
-		// create an actor with a legacy private key
-		actor := model.Actor{
-			ID:         "f01234",
-			Address:    testutil.TestWalletAddr,
-			PrivateKey: testutil.TestPrivateKeyHex,
-		}
-		require.NoError(t, db.Create(&actor).Error)
+		addLegacyColumn(t, db)
+		createLegacyActor(t, db, "f01234", testutil.TestWalletAddr, testutil.TestPrivateKeyHex)
 
 		result, err := ExportKeysHandler(ctx, db, ks)
 		require.NoError(t, err)
@@ -50,13 +70,8 @@ func TestExportKeysHandler_SkipsExistingWallet(t *testing.T) {
 		ks, err := keystore.NewLocalKeyStore(t.TempDir())
 		require.NoError(t, err)
 
-		// create actor with legacy key
-		actor := model.Actor{
-			ID:         "f01234",
-			Address:    testutil.TestWalletAddr,
-			PrivateKey: testutil.TestPrivateKeyHex,
-		}
-		require.NoError(t, db.Create(&actor).Error)
+		addLegacyColumn(t, db)
+		createLegacyActor(t, db, "f01234", testutil.TestWalletAddr, testutil.TestPrivateKeyHex)
 
 		// pre-import the wallet via normal import path
 		h := DefaultHandler{}
@@ -83,13 +98,8 @@ func TestExportKeysHandler_SkipsExistingWalletLinksActor(t *testing.T) {
 		ks, err := keystore.NewLocalKeyStore(t.TempDir())
 		require.NoError(t, err)
 
-		// create actor with legacy key
-		actor := model.Actor{
-			ID:         "f01234",
-			Address:    testutil.TestWalletAddr,
-			PrivateKey: testutil.TestPrivateKeyHex,
-		}
-		require.NoError(t, db.Create(&actor).Error)
+		addLegacyColumn(t, db)
+		createLegacyActor(t, db, "f01234", testutil.TestWalletAddr, testutil.TestPrivateKeyHex)
 
 		// pre-import the wallet WITHOUT actor linkage
 		h := DefaultHandler{}
@@ -116,12 +126,8 @@ func TestExportKeysHandler_Idempotent(t *testing.T) {
 		ks, err := keystore.NewLocalKeyStore(t.TempDir())
 		require.NoError(t, err)
 
-		actor := model.Actor{
-			ID:         "f01234",
-			Address:    testutil.TestWalletAddr,
-			PrivateKey: testutil.TestPrivateKeyHex,
-		}
-		require.NoError(t, db.Create(&actor).Error)
+		addLegacyColumn(t, db)
+		createLegacyActor(t, db, "f01234", testutil.TestWalletAddr, testutil.TestPrivateKeyHex)
 
 		// first run exports
 		r1, err := ExportKeysHandler(ctx, db, ks)
@@ -146,12 +152,12 @@ func TestExportKeysHandler_NoActorsWithKeys(t *testing.T) {
 		ks, err := keystore.NewLocalKeyStore(t.TempDir())
 		require.NoError(t, err)
 
+		addLegacyColumn(t, db)
 		// actor with no private key
-		actor := model.Actor{
+		require.NoError(t, db.Create(&model.Actor{
 			ID:      "f09999",
 			Address: "f1abc",
-		}
-		require.NoError(t, db.Create(&actor).Error)
+		}).Error)
 
 		result, err := ExportKeysHandler(ctx, db, ks)
 		require.NoError(t, err)
@@ -166,13 +172,8 @@ func TestExportKeysHandler_InvalidKeyRecordsError(t *testing.T) {
 		ks, err := keystore.NewLocalKeyStore(t.TempDir())
 		require.NoError(t, err)
 
-		// actor with garbage key
-		actor := model.Actor{
-			ID:         "f05555",
-			Address:    "f1bad",
-			PrivateKey: "not-a-valid-key",
-		}
-		require.NoError(t, db.Create(&actor).Error)
+		addLegacyColumn(t, db)
+		createLegacyActor(t, db, "f05555", "f1bad", "not-a-valid-key")
 
 		result, err := ExportKeysHandler(ctx, db, ks)
 		require.NoError(t, err) // overall operation succeeds
@@ -189,13 +190,8 @@ func TestExportKeysHandler_MissingKeyFile(t *testing.T) {
 		ks, err := keystore.NewLocalKeyStore(t.TempDir())
 		require.NoError(t, err)
 
-		// create actor with legacy key
-		actor := model.Actor{
-			ID:         "f01234",
-			Address:    testutil.TestWalletAddr,
-			PrivateKey: testutil.TestPrivateKeyHex,
-		}
-		require.NoError(t, db.Create(&actor).Error)
+		addLegacyColumn(t, db)
+		createLegacyActor(t, db, "f01234", testutil.TestWalletAddr, testutil.TestPrivateKeyHex)
 
 		// create wallet record pointing to a nonexistent key file
 		require.NoError(t, db.Create(&model.Wallet{
@@ -219,12 +215,8 @@ func TestExportKeysHandler_CorruptKeyFile(t *testing.T) {
 		ks, err := keystore.NewLocalKeyStore(dir)
 		require.NoError(t, err)
 
-		actor := model.Actor{
-			ID:         "f01234",
-			Address:    testutil.TestWalletAddr,
-			PrivateKey: testutil.TestPrivateKeyHex,
-		}
-		require.NoError(t, db.Create(&actor).Error)
+		addLegacyColumn(t, db)
+		createLegacyActor(t, db, "f01234", testutil.TestWalletAddr, testutil.TestPrivateKeyHex)
 
 		// write garbage to the key file path
 		corruptPath := dir + "/corrupt"
@@ -245,17 +237,22 @@ func TestExportKeysHandler_CorruptKeyFile(t *testing.T) {
 	})
 }
 
-func TestDropPrivateKeyColumn(t *testing.T) {
+func TestExportKeysHandler_AutoMigrateDoesNotRecreateColumn(t *testing.T) {
 	testutil.All(t, func(ctx context.Context, t *testing.T, db *gorm.DB) {
-		// column exists after AutoMigrate
-		require.True(t, db.Migrator().HasColumn(&model.Actor{}, "private_key"))
+		// AutoMigrate already ran (via testutil.All) -- column should NOT exist
+		require.False(t, db.Migrator().HasColumn(&model.Actor{}, "private_key"),
+			"AutoMigrate must not create private_key column (gorm:-:migration)")
 
-		// drop it
+		// simulate legacy db, export, drop
+		addLegacyColumn(t, db)
+		require.True(t, HasPrivateKeyColumn(db))
 		require.NoError(t, DropPrivateKeyColumn(db))
-		require.False(t, db.Migrator().HasColumn(&model.Actor{}, "private_key"))
+		require.False(t, HasPrivateKeyColumn(db))
 
-		// idempotent -- second call is a no-op
-		require.NoError(t, DropPrivateKeyColumn(db))
+		// re-run AutoMigrate -- must NOT re-add the column
+		require.NoError(t, model.AutoMigrate(db))
+		require.False(t, HasPrivateKeyColumn(db),
+			"AutoMigrate must not re-add private_key column after drop")
 	})
 }
 
@@ -264,13 +261,8 @@ func TestDropPrivateKeyColumn_ExportThenDrop(t *testing.T) {
 		ks, err := keystore.NewLocalKeyStore(t.TempDir())
 		require.NoError(t, err)
 
-		// create actor with legacy key
-		actor := model.Actor{
-			ID:         "f01234",
-			Address:    testutil.TestWalletAddr,
-			PrivateKey: testutil.TestPrivateKeyHex,
-		}
-		require.NoError(t, db.Create(&actor).Error)
+		addLegacyColumn(t, db)
+		createLegacyActor(t, db, "f01234", testutil.TestWalletAddr, testutil.TestPrivateKeyHex)
 
 		// export
 		result, err := ExportKeysHandler(ctx, db, ks)