From dc142bca0c136221d01dde06787e19841a5555e3 Mon Sep 17 00:00:00 2001
From: Tobias <privat@t-kurze.de>
Date: Fri, 31 Jul 2020 16:33:02 +0200
Subject: [PATCH] some changes to virtual command api, but its not yet clear
 how this should function

---
 backend/api/auth_api.py            |   5 +-
 backend/api/models.py              |  11 +++-
 backend/api/virtual_command_api.py |  52 ++++++++++------
 backend/config.py                  | Bin 5228 -> 5644 bytes
 backend/manage.py                  |  23 +++++++
 backend/models/user_model.py       |  88 +++++++++++++++++---------
 migrations/README                  |   1 +
 migrations/alembic.ini             |  45 ++++++++++++++
 migrations/env.py                  |  96 +++++++++++++++++++++++++++++
 migrations/script.py.mako          |  24 ++++++++
 10 files changed, 294 insertions(+), 51 deletions(-)
 create mode 100644 migrations/README
 create mode 100644 migrations/alembic.ini
 create mode 100644 migrations/env.py
 create mode 100644 migrations/script.py.mako

diff --git a/backend/api/auth_api.py b/backend/api/auth_api.py
index 516b9e5..82ceff5 100644
--- a/backend/api/auth_api.py
+++ b/backend/api/auth_api.py
@@ -109,6 +109,7 @@ def logout():
 
 # Endpoint for revoking the current users refresh token
 @auth_api_bp.route('/logout2', methods=['GET', 'DELETE'])
+@auth_api_bp.route('/revokeRefreshToken', methods=['GET', 'DELETE'])
 @jwt_refresh_token_required
 def logout2():
     jti = get_raw_jwt()['jti']
@@ -137,6 +138,7 @@ def create_or_retrieve_user_from_userinfo(userinfo):
         logger.error("email is missing in OIDC userinfo! Can't create user!")
         return None
 
+    pprint(userinfo)
     user_groups = check_and_create_groups(groups=userinfo.get("memberOf", []))
     user = User.get_by_identifier(email)
 
@@ -145,6 +147,7 @@ def create_or_retrieve_user_from_userinfo(userinfo):
         pprint(user.to_dict())
         user.first_name = userinfo.get("given_name", "")
         user.last_name = userinfo.get("family_name", "")
+        user.external_user_id = userinfo.get("eduperson_principal_name", None)
         for g in user_groups:
             user.groups.append(g)
         db.session.commit()
@@ -152,7 +155,7 @@ def create_or_retrieve_user_from_userinfo(userinfo):
 
     user = User(email=email, first_name=userinfo.get("given_name", ""),
                 last_name=userinfo.get("family_name", ""), external_user=True,
-                groups=user_groups)
+                groups=user_groups, external_user_id=userinfo.get("eduperson_principal_name", None))
 
     logger.info("creating new user")
 
diff --git a/backend/api/models.py b/backend/api/models.py
index e82a41e..a35f81d 100644
--- a/backend/api/models.py
+++ b/backend/api/models.py
@@ -12,9 +12,15 @@ user_model = api_user.model('User', {
     'nickname': fields.String(required=False, description='The user\'s nick name'),
     'last_seen': fields.DateTime(required=False, description='Last time user logged in'),
     'last_time_modified': fields.DateTime(required=False, description='Last time user was modified'),
+    'external_user': fields.Boolean(required=True, description='Indicates whether the user is external (OIDC) or not'),
+    'external_user_id': fields.String(required=False, description='External ID of a user (EPPN, etc.)'),
     'role': fields.String(required=False, description='Role a user might have (in addition to group memberships)'),
     'effective_permissions': fields.List(
-        fields.String(required=True), required=False, description="List of permissions (groups + (optional) role)."
+        fields.Nested(api_user.model('effective_permission',
+                                     {'id': fields.Integer(required=True),
+                                      'name': fields.String(required=True)
+                                      }),
+                      required=False, description="List of permissions (groups + (optional) role).")
     ),
     'groups': fields.List(
         fields.Nested(api_user.model('user_group', {'id': fields.Integer(), 'name': fields.String()})),
@@ -45,7 +51,8 @@ recorder_model = api_recorder.model('Recorder', {
     'additional_camera_connected': fields.Boolean(required=False,
                                                   description='Indicates whether an additional camera is connected'),
     'ip': fields.String(required=False, description='The recorder\'s IP address'),
-    'mac': fields.String(required=False, description='The recorder\'s IP address'),
+    'ip6': fields.String(required=False, description='The recorder\'s IP v6 address'),
+    'mac': fields.String(required=False, description='The recorder\'s MAC address'),
     'network_name': fields.String(required=False, description='The recorder\'s network name'),
     'ssh_port': fields.Integer(required=True, default=22, description='The recorder\'s SSH port number'),
     'telnet_port': fields.Integer(required=True, default=23, description='The recorder\'s telnet port number'),
diff --git a/backend/api/virtual_command_api.py b/backend/api/virtual_command_api.py
index 3aec647..e3b6661 100644
--- a/backend/api/virtual_command_api.py
+++ b/backend/api/virtual_command_api.py
@@ -14,6 +14,7 @@ from flask_restx import fields, Resource
 
 from backend import db, app
 from backend.api import api_virtual_command
+from backend.models import VirtualCommand
 from backend.models.recorder_model import Recorder, RecorderModel, RecorderCommand
 from backend.models.room_model import Room
 import backend.recorder_adapters as r_a
@@ -109,26 +110,37 @@ class RecorderList(Resource):
     @api_virtual_command.expect(virtual_command_model_parser)
     @api_virtual_command.marshal_with(virtual_command_model, skip_none=False, code=201)
     def post(self):
-        if "room_id" in api_virtual_command.payload:
-            if api_virtual_command.payload["room_id"] is None:
-                api_virtual_command.payload["room"] = None
+        pprint(api_virtual_command.payload)
+        room_id = api_virtual_command.payload.pop('recorder_id', None)
+        if room_id is None:
+            api_virtual_command.payload["room"] = None
+        else:
+            room = Room.query.get(room_id)
+            if room is not None:
+                api_virtual_command.payload["room"] = room
             else:
-                room = Room.query.get(api_virtual_command.payload["room_id"])
-                if room is not None:
-                    api_virtual_command.payload["room"] = room
-                else:
-                    return "specified room (id: {}) does not exist!".format(api_virtual_command.payload["room_id"]), 404
-        if "recorder_model_id" in api_virtual_command.payload:
-            if api_virtual_command.payload["recorder_model_id"] is None:
-                api_virtual_command.payload["recorder_model"] = None
+                return "specified room (id: {}) does not exist!".format(api_virtual_command.payload["room_id"]), 404
+        recorder_model_id = api_virtual_command.payload.pop('recorder_model_id', None)
+        if recorder_model_id is None:
+            api_virtual_command.payload["recorder_model"] = None
+        else:
+            rec_model = RecorderModel.query.get(recorder_model_id)
+            if rec_model is not None:
+                api_virtual_command.payload["recorder_model"] = rec_model
             else:
-                rec_model = RecorderModel.query.get(api_virtual_command.payload["recorder_model_id"])
-                if rec_model is not None:
-                    api_virtual_command.payload["recorder_model"] = rec_model
-                else:
-                    return "specified recorder model (id: {}) does not exist!".format(
-                        api_virtual_command.payload["recorder_model_id"]), 404
-        recorder = Recorder(**api_virtual_command.payload)
-        db.session.add(recorder)
+                return "specified recorder model (id: {}) does not exist!".format(
+                    api_virtual_command.payload["recorder_model_id"]), 404
+        recorder_id = api_virtual_command.payload.pop('recorder_id', None)
+        if recorder_id is None:
+            api_virtual_command.payload["recorder"] = None
+        else:
+            recorder = Recorder.query.get(recorder_id)
+            if recorder is not None:
+                api_virtual_command.payload["recorder"] = recorder
+            else:
+                return "specified recorder (id: {}) does not exist!".format(
+                    api_virtual_command.payload["recorder_id"]), 404
+        virtual_command = VirtualCommand(**api_virtual_command.payload)
+        db.session.add(virtual_command)
         db.session.commit()
-        return recorder
+        return virtual_command
diff --git a/backend/config.py b/backend/config.py
index 3525ee4f9b84bd04ba91493e3c22cafb68c4fef9..d2a63a96adbbe3bf02134803834bb33f5be12c47 100644
GIT binary patch
literal 5644
zcmV+n7W3%<M@dveQdv+`0BREZ?n8~ZpjXwIkDvUI5U~1+Ay~<cxxf#1eM+d>!!Vk`
z9y7GNkgK9GPz#mwLoiVyHJco&yUz|GB4<^4t=ozsPBiTNLK9{%yePfj*J!H3LTVB=
zeQn4-auLM0yb5@-KO8+n|JwW}!?15bp<q29ZN;H+M%oDD!o%g8YQ104ELC{j=QvX2
z!uL0fE^a~*Kt^nIKA1IbD!tGUskev!$n;jQni}pWqQJM**lF(E4ZtXPC!_1;4)k{N
zsJKlP<e&a814d5C(tnf(9<1Ce=ko??zjQZ7id$t8A8yJ6lTJp0#1x`f7WkRTF8pDt
zoE*Npc`?b@|CN7dwG2WAxG<`^Gn1%x;O-{%Hua5zm*P4*npY4uT38|**U-e&<6V1m
zq7th8i9BAFWNG+1ZUlemP#JkUaZ5`(;JwaGS1XgMooma8Ekq0>Y;ca4H;<NyGtckr
zabbWuGS@sPo!m{9&+&6PIFO(=8Z=A>!cF;g?q_bZNrxJ_u`Ug7W}Lon@2GZ_uQkSk
zzmpq|DzAULX{hIu)HY<1O!D9lyuEg*LD6@{`guN?M$?wiqK-dO|B?H6?$42gQE0W@
z<-L4lY9NkX+&r3T2@B939EQ)sY_lrA(Y6d6jekyFglo;QdHdReNw|G6NjVf!fKY^;
z*b98J#vfvW^+yIBUA|jJ)9{`ywO`k`&9reGaU9RhOGF^fLKETNX!Xb=1Fs<b1a24U
z`SJc(X-S}4!Nd%)_<vprJu4(rzR8qa2Mj-EP>YYENMup3x@#MuzoJrhZLwYix#r23
zk&5qv7xvakYo{^~$)W^L9@t>V;}Q4Pn9)^{RG_MYtczJw3nVc;3F86j?oY9ew%uls
zBN@|izj7%&TlVhRzGQpfneFTF)ja|3ru640Ah(DkFm~fo$p4y#E!aPz<hKOLLJF+a
zNWQ^ooK+zsbJm*yK;NS%j53IwJYljJMC)ymXJVk%c9_b<Vv3!IET2(8NMZmX+{)3k
z1_7z>7YuKl0k}C<tR+bDXhu!LJREN$as^AKAb$4&BF^SMxq$61Ifl0ZGLS5q%~e56
z$Van7^E5`r3vU1*1V(HS_Ctl4%_j|()f_Ks*PLDR3ZW!T!8Iz){4oP3Se$2(7%m!l
zj;9+skq@bK)rtN^vf&xxY^?U1s8?*L7e%m@fN2~TV`}m`iuMfzSuZRP7o9kg^HE@y
ze!H#RlkE2TN>z&>i9)ojv`Fy<tUtWNlTib(@ZBeTH1bD9PVkXisGpP&_88@{<umZ2
zKefKl4(@o<%u9}GdC5?(oLM%RvTIKid|Z$f+01tDmZ7b;<VEWy_4!NEi!<ZZCiJMU
zDos>}@&vlWAbZ}52mg6sZeuU8?)E3#0xuM?*~ZmBG1R`>*?~mSEP@yA<vbP9fL&-y
zNs9Hcd5)w!J5rKSkswI%+qfvv&(f9Mj!sK>BC#x}k(^)_w4?Mu)dXx3pkXIvcQ-Ay
zIN;_^90_7Ry=iWDlqyd>pK~fypV)KWkd~~FSXj3ZSUqGZB7n`3`%{P)2M1+bihd3+
z=;r>o23P#``ci7V&T>UD6d49N3A%dXW`xS`8aeDWCIno0^#nD#pD69XJ`I0=2o2We
z=|T|S5&y~<w($&FR2GhQQ9jaPXRQVQVZY$a<+(~b%WR3DG?)_6ldQ-2io9hlaxCmf
zuXfwwqU}RA7|_FFh=V#87%|Bj)G8m4HA>>He!hlI1e66qZav4Fw&ecuGNN4tDlGLm
z*=f91+~WO!%^^w^<H(hep^to=Xv57n^1o1E3CDf3(R3OL^5VhT?*#kX_b(@8+xze!
z;yAx7GGAU;c6>r`O$&i#fg=W-js1@VE0AoPiJHUuaOZv_3x4WlzkReBK((5<^qyY+
zrzVaf)|$oSKTy{gq=m>1)#X`M+-2?_$Du)qtl7up4ogkeVeUr_6y5U7TJx4dp&OZ!
z)rN|!%q>HK{z#is3Zq(b{RPPMZiQ=hm$H=^Gh2|40$sa!>bHZ}U!`0OeQuGAOy&2Z
zH}L{`Z-b>lMeN|IpUcSo1UaK8UY6P|4M2(LobW9RuKBiA4lTU%FUD>uN!c4I?p+Np
z(K2y$bzb{3uCDg9)vt!3p6F7%C5d<1rXn-h7S9I5gLB~4Y@``nB6uv*SpC@sn5VCi
zK68T*4qe5!@)<t}Gdv}2Eup<(cUdb}^M9P8v4U|_@+5p~rT?gSF9uoJF(gfG+mC*>
zqIwH0aMFD#wFK;6j`#je!3{hEfB`&Uv!B9p1IE?1R%frq_4J)7(8$VGj}_ihNp~nb
zv4Y9~1=1uiz4}~1=GkE_JItlXnbWRUm+^3M(rMH*OJ%RkE+WyUy7)lsVs_P`GC|aB
z1+2LIRTO|vEl>@`!+Org>Cxv6G?axJ6A8UrwTNc1E4uEpIz-qJ1<it_mXF=qqCS{a
zvGjcZr0t>$-*cg}jSK%WT!;gx^J{~)i6{b=$=+;|$V1V@?L!DxQV<4Z$|T4R#oUJ9
z{o@JN8flM=koZ*snH3*ZiC98C75S$Pr`kU;F$h4r<>wZhCY6^)oLIn+AdC3B%QgZu
zgNl-Xl_go_;MFSpSYr8RSMn=+h+EYGi$DcKvQ!zh6Z5cyMK~wWckC`Zn9LsCst_LC
zpS)bYs4rqHkOazik+4}Vq0y~<8j*5-f18a{orMo6D_&K4Y$;{LTe)0NJ$bIB%!w}s
zU<l1n8$+o!IJWp2;<XX|(FNG9T4jmi*kk}~m3cHGnDWfYE^PnWIZxSTj_HZlvOIdu
zhXiwqzb*Ub^E!XIM9V{>+h1y^1S|42(EklG5_3@DdhzXSHUI0DjPgcS9w1)jy2^E)
zaO-?tEcF&uOfoF(4m=Z2jrvuZp|4j+L;7m@2%vw<9{Rl;CC3I`8HJFr1zy>PN$~yh
ze%{#?7kjrlpWn!%+6yEXrV6vQik$04u@9IS>QqYB!8#TwzxQP6a}8K=T)zX&tVw{5
z$6-l@BXpAiYab1vD=2_|S>j4&&Kk<atorV`Z0VpV$e02qgoEG{J+wW&%2*gc|K0#D
z_4TLu7-`SKm%hSfjr%$vbyP%7?FxfWZ-YC^##(F<1~^jjlQ4Wh{_y_g6m63gD1}m9
z1I1Z1GuqMcpu7Y+s{F2C%eEaW5O^fLcwrRj*LNZt*XzRKey~|v;DuLeW&Y9WE{^5$
zIRpU>RwP7xHm!Eg7nx}QTqaynGf*0?j#bh#J676t#PO+xgn_`hH=5N}<W6a}rZ?tm
zW6V&?rm<OIAov?PF7JT2TshNI*4zS*%<kCgT!a^wLx$tL(5xR&h|VK+{U-SBhlsAs
z1+)5V0${;(HDVCjnfeaaHbi}cBrMWbTQ?pBkUm&@A5WVquatgHRguR^!i*%HIU-A5
zVp)5yb$FSGd@kt4sf0;5J*hETr|xz6r;FC0AED5$Pn1BWMdg2&9Z7g43dx#FVjEfR
zPTrW*M(t({f8kEx$%9ay5{+E)6Nkc|7Fc;p1zbsW&KNpW^Byv&04Cp^BrU30-#WB^
zQ?{gD<dvS=F5)twI;xhc!eB|X>X6qN^SP)nnIVf?J|zffy0=*1P3^T|%;#RS#*bCl
zm>k3kzzE;9LQ5vBz&iQ5fws2CINiMOIKg2WIdV~&zK4t|+zqjxU}nZ{DvGm{``0Pq
z%1Grb9xCwvN@Cl6(7;xwuMsfFZ)2cglbGT?@S#(w%aRQDxWNXxgB*W?)sbYxOC(KN
z1NpCs8lP&)B`%*#6!4z`8DZMIRbQPm!$g;~Gy-b7L_sS2G-^g&ecUbro`dg^bk6#)
zs|WT8_dyA~yYP$)q2RA1IIS{`=L@fX{mG{NTgVLMnCWKBMcP%>wo5(oZ^l-~RckYb
zGqZ=MiOqt)_Pi4d%BjJ6A;~d`x0k0(D0!}SO`)fKne-$~wz8vXOYQgP$4O*m+f#Pb
zpF76>#`4^_9bCj~C?rX<en>>Nrj3dn=sJBj7$Q?cxvoG!w#k)|U88!+|FieXv*_<3
zo;Rfm2ynVyN9aD8`)B*2GLPP@u{i6N&9Gx5X{WM>YhG@*3&btA%H9S6nf|5+cN*D^
zIUf>(&bfjAo4d8lez@nP7U_gdZ^ghU0S5qQMIzrCE&ukeP9fz5v+1-~qqsTlhMC>#
zU`WsAGm@=AQ38{IIlWO}X}m@tXz~GW(TGWx1zy}qbC@914rL>8_4>*Sg9)^MXQxu-
z2^Ld4fxwx0Zr=33zk)ub?X`3w&DLhOJ5}(i#p{$T3CDU(_}c+LnxcGjBOlZG!Hbj-
zu=?eg5_%v_>^|;ACg<8|Tpf1PvO|FWvKP&<;)nA@>xjxn17|ysl`&TkNq6kq^ur29
zb3Ryfpxu<8!6PG*>p5srgd-<<_e9Jy9RT(;q6KdvyL8YZ1=@(Tx|nq4yL}np=ri(8
z@ss%)!YCzZILO1P5I884?Gz5l#|f*tM(RJr_Z1dy^iz_b6%^JN(@Ki=2c@0!eBV&k
zOz(jGfLp7A4n@e$yOMQ#;ZQlri;xe~MBgSCV`SGE3Iyd7(5&|raKO{Cmckxl&BZu}
z9#r>9!!cjKe@HG@gZW&E0^yR3yd)G{Umvk!=V}nRMWENPC5xSE#-VC9M}}Bul4!5Z
zt-Jg+52%QpkaR<V>@QRcDJkA8;w>aV)V;tsq9zK9pSj2wZr?NkZLBKPcpVq0IDAD_
z78BH8;_@W5YW-2&RMGG=2qmEl6cDi!g3Crq@I08lDvLvN<0nC!67p-}VWP1i52MPh
z>d7-LXqOVWNLBEIvQrfOa(L3uST+e=ejp`MjcpDk!GaT_=?c7kUxuT0P&IloMF(nO
zr|0K!g<%;6ldub~bbu3R5FhsdFWn5(I{@}e&f2spI_DX3f6E3~4RMW3$GDrLk<6z|
zhV1fD<tRo?A$pIr!<>nSNsBR6<%`VS$U~?{`b9I@D#(LZ<Hq_FzCj9Z(2pA)z`EO2
zxO;H8=g}&;!O?HrqLRD|Do!S-SiPT=`PZw9<D*;ckz&rV#F{ORt%iN@_N#*5eJ^iW
z=&S)y5m14`xRk`wrR+W6i&yV0Y<n)61m&RGh?3i+o58V8fpdGuPrjyWIu&mOdMpgk
zF6C+fYNL$G;Wt-Ngrzhu&XCoE^XypNkOW`Nx;&ne_^niQkG)jO0L%S-X&~wT;>-cE
zo;z?+l94%}8)j+Q*JsmAuk)8TP<CRHL)6+}rk#3FwpX_dn4n{tm{lDU3lMt$J=;zB
zz_pm8Lv)vl-8B>S(R)G8Z$MYT@^epUD(eT;_HDruz5FlMn9tLKcht*k4xG%$9aB37
z0e;e{DvUDNHLXD#Wq9d4ml_%4`F|=|uX+W|(TLs-<Vvs;v;+=|c?@sdW;d3A3fUHx
z|Gac=?*F#ijeCNG*-nVY4e(H-%_x9=M01Ri$jh19=)6<_cKoKLX>9z#6FUwM>9RR<
z8~i27mD1^kvxE09Y3dAYEE)gDlH3Okh&SKN``q#&y7u%B;r#bNMqnClXdv%65ZBau
ziT84gUL{!16V^plsMqBjX*r5AqVO7~HWVQeFlgH}ZKoT@is`F#0dmZBF0CUe&2L?~
z#Y}&LjbFP0dA`=$WRQN7F>>Cqgn(b_AIG+JwjUUl`aBVbZrwwl-(*mUu%^moJ2vnd
z!6Rl-)T9EGF++bs#clJ+YuWgTx2?aV9UOJyJ9;Mcl(f$(rKY;z_wa;(uC!m$$B~0>
zwg795$nyrH2*2%K*z|^7m@624iqxY?P^7J}(AgI`U>EUsV70B@CeYtAQh^SG*v3QF
zrt7<Qn5{Ty3}C*U+2s&$WG^xPPm-T1(b+*O)3%276X%}UCczyrOq1*Mcqrb;1K~Xm
zI6wBwbu>j#HIzHS3r9_{b0(Ngf>w%fyv&d*`Ml8U&`FO%5r1ha`T1Ws;WxAGSMyD<
zo8XUWK2C(WWRcSCoR&S`02bt=x?N)p{gO84Er@nK1~3T)T>-iTIkyT16S*{OP5B3q
zu|-NKwZtU1*jh<T9<+sD7w2@o!zO(CDa6uAf(F3CH<e~2`ud-C*IHVcbDplxAY5pt
zMz1y$sz`erBZd6xlis8W*j8%($qs4JG1d5JKs>9iM*Hhq##D(rk*#PM*V>(4brpgQ
zJ_0KrI=rDh?wpuIwHC;)eCuYf=~!WS{ygJ}WBXwEtC{_peOV&CJKbE1oyi~nSW7g|
zqlN4xb!fO%A--p0MS~)FNO=54&~$+UP6tkmrSD+u{~XCVXx$+iGTX4YkTY=Z7EL8=
z)QOOdde+{dC98%SrBtejR?0en88z)WgLH>Eya~Mg4DdD??XvevOJ!G4AYGC$2$M<p
zN9h@IRzNF=?C!*iQDg<tI&8SQK{Vq}M!liVZpzl1xAHo$%TpoVQkMp@JI=$Pq;}y0
zr451-N=E<}s7#L;cbDIu<NqBYij=N32!#~0k!Dfb7E=bCV1EU!|BJ=nQPOg19<(yn
zbc?5uLI4iSd9}X3M!0S@_}4Jk49RHI$1~xMP1vKlc<dvA1<d6Wsrc2nekzT_Ye<q5
zJ-B^LAC9Jt3=I6b_km2uFB^g$i~KyxW!+dZ3{AH^i8LwheV4T6TH0$p4#1e2Ng?Rv
zs`PCu#>hO*0BUC7@E<L;!%@}^JW=TL+^M8Ds>&8ULJWdMR1Fs5aY0km53OUfU@e~W
zLGM|i*|Tz#f;`8==@d+;kX+xpY26GKy6a1fZvna{ihLy4Y0I4fVsVK>5shU%+9LEg
z5XF`~2|Z2g>aNi7{-MmMlwkdE-lK3ZS`5y+hXJrJ!CjGGnkvQnBH(RzHDK5OG9kc*
z`g`|BY6N(Cinl)aY=ZGspAPrDm6T<(d1gC2h$EuAAH`8RS<OkOgi#}30oW>5#?W7J
zQR+9%Y4PMb?-KkbpV>9GUV}?;QJAn3mR_#=z`R(4L0ePMzv-Ggg8spu@))j>ru^bS
zwF7bGK(jcJ>IyU=3n&)qqeUS9S}Xc><Xi_BBr&t)#O1XsZvw=+b^$%>rW^?rCaemX
z^qk<~S)7$+M>RK>AI@a*c&AHteHGf1kB9*Tn>v?edmQqA;=VehMGl<_51s+_l|>@L
z2PQy;#9QI<R>T^BWk0{ve7ku3b9CB3n7xc-kRXz4KB-#ZH>h+sUDb+kf}BNtB5*fp
zPr}DhJW?*--4Yt{ZZ5`ttGHcJZDC6FWyH@j(33GnQlT;8nm(iz_-wN`)`xq+&%Ee}
zJ4z9QnHX$^Q#~?)YdB6Q8(6Y}XjvrGXSw;>h1Sb3x$Vo4!2^8*pzIZ%{nA)RxMz;{
z7iR@1b%c@+T2c;do4$|HtcjzC=eb-DQ9qr<zt3s^#~hoT863m8^7dgWklmht{4TUL
m-(ve_Xja(nfC9B2K-9iznhD~>dt@|7gK~SzU<NgFakAFB&Im04

literal 5228
zcmV-y6qD-!M@dveQdv+`05RSaShd=bg7@JfOK86-0`Hh#Y&XcjNXv%Xa)bLkO7GZ~
zM-A8{kb5UnbfO!DRmyBlBEVGLb}K^+(b7BQ*4PUYF*S{;#Nkpn9NOU!Wf3IfPwH@b
zlDG*o0gi%>-_igne7e0;U(bfu|GXf?@xZFj*U>c+bDsFucA|!OfVm!M_}4*+Zb7AF
zE;aqZrig*91diQ^N$GO)W#qT~KxT@nObnT#yyFK_5d72XzJ3#2kf<l8q>NplBfRP<
z*6L3r9vM)p3-GMPCxGGJq|_WPzAXP1fjwQy9r|olq_63-6W$+Vwbr8Y5-!&3^DT<c
zyAYIvA`V5~^3!A@$fi-_ctHd7`ES*6gjUi?{pLH?sjIxMX0G-f<?JanBvkILnG#(1
zR|4v-!!{0<L6(e!0dRU#YHNN=w8h4ma@h=L4|<hvc|?4iD|EI34jX?-Pn6x(G6ha5
zIDz~G$0P%_<4P{uY>G<mQ37T@eScZAxTHfN8+AZayu;_(<<z3-eT&%JbioQ<%#s6x
zr*g`DwesfOB!!~CEAyl(ZQ}}lQ<nZWeY*MKNL2*UcV&}o91|_V`ldaP##K^@+pCx{
zfDrcdqWV?1(ZYt_s!*bmIhUL+9YkEnFgT$S3l^8r<tYQ~by-1oFK`2u@<_+H-D-I;
zq@2-+lG&oy<oWx{$&>~$iyCES+0&+$*z4b}b~C1mB-=$=B>Wg$!D=Uo-42>q6V`YX
z6N0s`jZM{<1Q6%6^M$~N*a%6iBBkw@Suv6GzavCKXs<xZc-vqSGcDS$<k<)OOd3?R
zk&w6irZ5@BR;TMcqMtaSDvro;kx0$rl`|1?nCuGgF=wMfTbq6+3!8uJ^V^-0&=mi>
z4_8SXJr9R-82>0T)j!@VIFV;KeO|uL_S?o2Qam8veGN+Y6yeuW<4|M$p)+v`!C37x
zNpmS9s*Hy!?b|A;(9X#}Wb8c6Hn=^56^CEbf&|sQIuybNL9EMQ0jf9gYMefNpjurf
z&k|*^L#}S>lB;9pWF`2_FJR>oGZHjUXjRx5j5i?y^Y*iLTzFuL2Yd{@8cioapZ`s7
z`mT|viJ#8zS?WF*_Ntg@nis`tFQAr71C|RaW<+`3x&Z7<>*|FsQN8*KRhk_431{U_
z0FRySpIhRZr8w-J&DMi8nN8_rmmV-tw|$vgj49)xX%ezX81<q>6hKqB%e@M{b&Zvg
zF^}!6AH%p+9$BGO>MayXCB(Zi&#p?B;O4?vBMAr{dDGzk@#F^vKMr#6D9knl?R1Tg
z?PV9g^BpjsVzamVUw*>OY~_GG7CONBfwF@|7@xQ_V|v3<t{89ESIF!9`mvC6+?#s9
z`35-@9@5K<&tpNLd9gsZq21Ukn`Nn}-IJ30%L}fWa`w4yiU(Vxhu-XPvr8xuXfOW1
z#}_$xX;{GRE|o<tz8p}umbhC(|018wI4~cT&@!7R&D{TQ?1|+_p1P*<3ud5!)6%s;
z(q6L)aA`mtOO%{G`W@&1@m`y3L<L10C$IFuig)YF5zy14Ns$NuhS)#?h|!e7PZ#{C
zJLvdnc=IQzQ~4ysWiKR<TGZs+HmuoBmPg`njs6Jb2#8Dp;1rSJ1@cZsT(fi&Kdb_+
zaa-NnjIL}^Lt%fQaGRNQKG{UxL@b<?DMMMop(_Q#mFK-Fl)A@@vC9qy*@9kkW)(Ax
zM)Y0)l5thb2xMq4^(f<1XvPb<)NjO)D_qXkt4^L5U}T<W6TCR}0j?2bM`4o7P{D)s
zqN>%>J}O?U7Vs7<6$i_l7{0s*+WA4L6du;!UCM-oP}_kKALK~Fmw))x_pVu4?a@2I
zs#v}Bpo?TSLw&%WfI%G+;pTK(@>x)pLl1r{Zu1nFRPHA^a8Mgn_CSM9G4@ln)L=Up
ze%u!@JYrr0ex@ne{S?pZWvX(=<#N5n&@31b!)Mb4;-<Pr39;G)mlTIy`7LgIvd~lT
z3B8Mvo7*{%hPTyg$XoDL#z_Ko)chwS%6>RID5Qw2@K(PP2O$E#<Di1ABgjM?neb^8
zx4=F82u~z@xV#yQ(tzP_8baweE<79xGCdH;_zKR*`_6Z@T0K|y_f-7VI+spLCWDHu
z7U4B=P>O3N2H#%~aoTbMd?(%S!7vAbOTXl$p>ElCmkE`C%6@JyxKeiB)UYMjjwx#G
zD|F=uS?FUB6<*N`qCs3r+i4q|J;nom^(7j(^LM2fubapAgjn(ypSO?jaRMA2ySOOT
zU?zIHRSm%JaVu)%ut}afLtNh61cr4q#odHtbXblcTCt;_KT$57qeloObeAk}dtXls
z^v-{R63g9JMGzv*2ojLC7bfELh@{`JExhpg&F!;n6++VbfuLB=ehkKs`a&ol0>z(=
z*~_Y))=qz9LN1UEj+Z?iWs5D97zgE2^K96;SnGwnm6yX<p4+q?sO(E^kK|u(O!Zyt
z^|S<1d!W#GX1KcC4s0&vV`RfQfx(?Bn339;h?k@j$spYrat*%`rC%p1IgeYJQ#7_<
ztD}M*`?vA8nlXN@`P~UZh$|c5MstfLJ)i0<!hsm3;Am;gI}^pNaLbnc!Y2-ynGuLO
zxZx_7)so^W&xkwfQJ5$HECMP5jW;Db1sl8nvKxzbA6tDdkx<ZIdOf!4Fu)-{R1EhM
zxj@jclo5M?#a>btAP3c1f(mgRn(9ajs?a<)_$_{vR~q6znsDO3!pE_<?g2=2HmNi1
z71IpxKh>*(Nn#Yi^L0DpEyV7`)*bMu+7&HBf|)3LpP8&&UmUvh8iP^7a>vxTc7)$Y
zn>zc-vp+52T{MRvhl{cZJbb$?^4Ef|ey9hj*4<Zsq<V?qS=}+c84SH3E$FbOswMZ%
zrzWInfG|w`?fJLN$B?yZmxArQ0EYzp1`%obBGHchjl$92QbJmkhCCg#lEnJcq8kG=
zzFgy-z(d$H(}}dL0MK*g&>^<CoGvY7nAZTZg*vxoe&a*rxD(2~T07#xVY{upluiQ#
z{m}#Icf6*Dg1<<^W>=2AeI_$b)h!@nM1f`31vQZ?m0)CJ_*RLHN{7~d{5ut>Y#uK#
z58L+EutLv7nC=7hejqpMR)1V_!1%?tI=_Tng+!VB@rgNKSwm2QjHDRTlp&uw+x{xO
zWq%Y>s>+f3$f1wbeM6BRlo(#%B#g+ZC$*Tpj1b)Je)RAun#`OQCZkak?(VGJ1~{ry
zh5tknF{Cho@}v#3wO6rc!DdEW`Vm)oIf(M*t2y#+6p_1tmaHnYU%f{bKuXHJCo13{
z0@@COQW<}y;;B<;O^M%-els3{Cw_2<7P;TL0KEfN>EH~0K`v8a7Qk;nT2)+!09WRe
z&M_UoQ=3i0vH2$t4@WgWz5~GujM5do`~MbVuae>B#F2LdyqmsU0!e1BeHsfcWK;|{
z4MEdNZ70ShV>-W!h`I4=^jV>Bh_U>oO4QK>`y*6`u6zgn+n%Ou@t^U;h7Q~${nw##
z^)8*$w$6}e=2n4(&w+=KL)>qggB9qY_Y=_YOOZ*Te?)Y+pjH#2f_48Sw0PEYvBPRc
zyr~r)Y$mFjgKl@Eh<LDtw;kd`mk-+!+@NjfAJHVkMpSliO4i7GD|!jp2_w7LaW{x@
zxI!X^PRZklvX%I{h5_pa<FnT{-Fu}{j#Gx^5F~p8QNUmGbZHRqy||I~-K5=|Ou|=v
z#i5wekq;pc9|;D0ic)j4Ysq@eOdj|8NLZ^4ad#7&oOE5wv-*ukxNBVXD`LiBgi^tY
z!a`d5BG1e4<rk(00Y9FN>;618N;XMZ0YDjd6!jjaqk4+>;zb1DgwBBj_>RumX{ql8
zoE>@k-n*V?T90lEp|8~pE!+@2*-q#yFAK|q$q55j%uOz-p>!eqLcFkNs1&)r6P8}S
z@NX-{pVe4o`trA$JY*wusSuhio1W0`TGC~!RZ$JU)+CNG?zEQa0l=&q+-{gn;`>Pj
z4~EK1lnUOXUXjRsBI3xD7QEbowaQ!g47%3-^z)_}0cF>0A>h3Skyt9+F_eXP&>1Hy
zaJ|KOuGC1ww|dok`E=pKpcf>2oX@vfLg7RM-pu`3yEHgZurK^vxRPk=C#OS_2n7_T
zWqX5SSj|JvNGoR#P@Sglu6BcH5GzT<-mkushmO0@8xpm1|5uyCx5gE^JP{Q^SZp|s
z*<w!Ik(eHP+|CDULs{@?aRWcxuyL2v3AzMq>nTG)C{NngG#T7BEv)*w+6oL!?Z(HN
z+{ur=^F+Gav9uywr57(e$2;Q?UP?s4d@tsh6@Ug?3aa`hohzI(!sz(UEp_LKoq{%a
z@Rd=nmst8f;KO$ZRVFhC9}ZO1Ht2@Dk~9(3NeLe8D8cQ;oiwY33l($h>A!V&^)-<2
z?XbqT!mo_mjL@eaw_XY}0M|m=fa5S0RM<kpyOpvB*`JRwVk~l>t%p=G3tkne*GHdx
zk$gPwsYL(`t?aGlx!(CUUngmGcNH35Xp(wXVs2RX>9<0n5qn$?ggZaA%jyh1rD2>N
zbIv;`{5-D_Ao0AeOQ91-vnNV?L=TxX(OeSl|Cc;(-S7mAa!fc+6HWkQ$w;$Knwj}5
z0ZVanEsUnico|Qo2Nzqf41bqeffy>SWJ!Xb>RdW(sV#BFShUec!K+Dxb^jr)jAkIz
zM*b}LJNSud%J%}b$U<yj_^&Q?^k`AJ9-53(T&N&ue9i7?iA}I3%4D3p_`i6KD*KH}
z<7)I)iJMlkGUod`Y{kdKjX_$dTdKwHK3387dOti@C?p?vH`u0ozXu_4+fNW<?t{rD
zx{PTwfSSG1KU)|k3mMl}u9Jjt1`eikC2j|V$LY1+6!-xRk5lEBV@Y5Xwz!brT-jhl
zj!kUVuIkLbzV|D%Q;K_ad2KbnP%WtwKvy@8<E=wjDw+h$pzb$#M{q=U<kQZ&IPVVR
zQdAi7tUiW-m>T#}Q&pl$5nmt!EKTv=NXCN$k8p8$(MJ#H!Axp}fZ=c&fo{AXGBd~_
zGJi2cVfD4>D?Cd=;=WHYa<AqdZCw2QX({6%=Yt>8HW(k*Fa~YCfdY>kJ+N;<W-u0(
zel%bDs7?lWk2DmCx&Lb+ObknuOjsz(6RFg`_KBLA`WSEloYs!z3-WDZOKV9sL33%y
zvmM}K-rD0c%f`|^L7HM4vsrAt!!mOuk(V=$yMAS0wx^<d!g)j*dBEl_2G#guqMiC?
zNNPrcR%7TILu7Qu1;G%&=JYjht!G59E1Mi6v75!vEwch99brX3YO{u&NV5(+6^vNF
zA{kPjEZA@3CHkJ1M}=G1`SHySe7&TKxW+KbElz6?xU<RjCJMmsKB$XAIJW{D#8#8*
z(0#tJ|Af2A+~*kb(s?!<sv!Ez5nExePH(6CV4rWRWR62#zDRdPT|nxz9;eVL`>!b$
z(T<aL)7bFk+>;gn<<9j3%b@2B+Xyj_bdOTygv+a@oi&g*L6k3r(Kk`x5pSR+f@J4A
zCrvsMhHxao+NF~VJpWgcUZ9`j!kG$1geE}_9itodd1BAMRi^rS&QJ<0_?5{gG@>s~
z56h#VrY1e`Z#mmjgICkquYM}+Y966~-E`WM?q6oW{#`A6OzJn9%Z+zh?Ue(N2sF)+
zVlr41Cs}))A=Wf;D~v1voq;-T+VYn3@C}KqVVLfswY8_x3Njs}7>tOoY!<2Ul;Ohd
zSha`ryZy=v8m)(rmr>;4SZvxj`a!h*3*=2|41&gDZQ5(I*xF60Jbt}dk0scF7Pk~y
zpsCdo!=;phJFvIoOiy>QS!>^72m!2<vZzm~Pl9i_BNJ521bY9p^stkNW0rqpv;Tdx
zPNPiaz`_|H+~$Ui_Mus=`tSehP0AfFJ|v+Kyr#jS%+03)rW#^B9*>h0)Qf;B0Lli-
zZ4I18Ez~3zmZA#t=5aWxA>b`jvw}h4MqYKZbEmp#K<Cy(H>-OeOzW+5$D|LVc|RaG
zVkd|^E4_256S>etF9+@@W5G_4^x=3vV~gO3nr!;I#(nf1;KgI!@V2q|wTUt-zpEW~
z%GkcCcx5tvHH7V?nPC1!n3t4&v`0xaqFxc7sVC@;l|fop-p@C5JUCzb<ED#B%^&CV
z1;UodRV%N)yE(d3(GPzt(oA0eahjR&uf<x5yfj^@T+SQE%CT}m$~UQ}^2V{80pR__
zaT;Mb=&o$$#H%{>2~B^IBlg()|8A$vVTWorz4<@85BV69>6zY{VD*6>u;PfLXNS;K
zD@Bt5rqOZr?o$2l%G(C!@mcMDrw1L!{zsY)Hmp0FyJ|t0e#yROtMh<uNw|Msoow!L
z&JsQ3FcL}<e<m27ed0P)exx2x-s<s7k}ag1uzP_C${iIKKi;r%G9rX@7q;^<Xvq*r
zSl!^jxmat?3uptZPijcR<?aj2mc9YUjQe=`8nn;2@*L$^qWopA0ns}hcO2#VYkI}m
zmXB)s&m8pq8le42Y=|D_0n=iBn_j_vFiPle#PVYd!jT68)QbsO9DJxeEN@s8$ToXd
z)hxs`VGZLAq3OTPU_MFt%wwm*wnz0ch=mAarr}(%Kbxx5t+P<+?(t6UV75*41OYtn
zH}u|bLn;l#p>o6;I8_~(&lW0!UFbDZG*ms;vx4>pfJPg+kRaG***!ds;9P3(yU9jX
zFuUfo@-6=n-IfZ+Gs!rKzw?ld7w~iyh!4=LUtt%b7gsj6H4$95rP|_l+%QROH3PYN
zh{VI0eHUAr)S?%8RS(R^_HGa72h$MI9MTlQAa_2|<r0H%2c2dBw90TE`%$q}^3mj<
zRy`X<o87^~n~>vgHII>MS<I%&C&t}i2GC$W8{)Ai)XzBy?yW;v=bw~;SF!qgi`*LZ
m_DMv@rY1BR6c3{8uuF2ePk)GoVY*|~&iZ;x6mcC{b%Bh04?NQV

diff --git a/backend/manage.py b/backend/manage.py
index 21ff429..39b2118 100644
--- a/backend/manage.py
+++ b/backend/manage.py
@@ -1,5 +1,8 @@
 #!/usr/bin/env python
 import os, sys
+
+from backend.models import Permission, Group
+
 sys.path.append(os.path.join(os.path.dirname(__file__), os.path.pardir))
 import os
 import unittest
@@ -59,10 +62,30 @@ def cov():
     return 1
 
 
+def insert_initial_groups():
+    print("DB: inserting default groups:")
+    for g in app.config.get("GROUPS", []):
+        print(g['name'])
+        g_permissions = g.pop('permissions', [])
+        g['permissions'] = Permission.get_by_names(g_permissions)
+        db.session.add(Group(**g))
+    db.session.commit()
+
+
+@manager.command
+def recreate_db():
+    """Drops the db tables."""
+    db.drop_all()
+    """Creates the db tables."""
+    db.create_all()
+    insert_initial_groups()
+
+
 @manager.command
 def create_db():
     """Creates the db tables."""
     db.create_all()
+    insert_initial_groups()
 
 
 @manager.command
diff --git a/backend/models/user_model.py b/backend/models/user_model.py
index 47f9623..44f6c50 100644
--- a/backend/models/user_model.py
+++ b/backend/models/user_model.py
@@ -4,8 +4,9 @@ Example user model and related models
 """
 import json
 
+import sqlalchemy
 from sqlalchemy.orm import relation
-from sqlalchemy import MetaData
+from sqlalchemy import MetaData, any_
 
 from backend import db, app, login_manager
 from backend.config import Config
@@ -74,16 +75,16 @@ group_permission_table = db.Table('group_permission',
 # This is the association table for the many-to-many relationship between
 # users and permissions.
 user_permission_table = db.Table('user_permission',
-                                  db.Column('user_id', db.Integer,
-                                            db.ForeignKey('user.id',
-                                                          onupdate="CASCADE",
-                                                          ondelete="CASCADE"),
-                                            primary_key=True),
-                                  db.Column('permission_id', db.Integer,
-                                            db.ForeignKey('permission.id',
-                                                          onupdate="CASCADE",
-                                                          ondelete="CASCADE"),
-                                            primary_key=True))
+                                 db.Column('user_id', db.Integer,
+                                           db.ForeignKey('user.id',
+                                                         onupdate="CASCADE",
+                                                         ondelete="CASCADE"),
+                                           primary_key=True),
+                                 db.Column('permission_id', db.Integer,
+                                           db.ForeignKey('permission.id',
+                                                         onupdate="CASCADE",
+                                                         ondelete="CASCADE"),
+                                           primary_key=True))
 
 
 class User(UserMixin, db.Model):
@@ -108,6 +109,7 @@ class User(UserMixin, db.Model):
     password = db.Column(db.String(255), nullable=True)
     registered_on = db.Column(db.DateTime, nullable=False, default=datetime.utcnow())
     external_user = db.Column(db.Boolean, default=False)
+    external_user_id = db.Column(db.Unicode(63), unique=True, nullable=True, default=None)
     last_seen = db.Column(db.DateTime, default=datetime.utcnow())
     last_time_modified = db.Column(db.DateTime, default=datetime.utcnow())
     jwt_exp_delta_seconds = db.Column(db.Integer, nullable=True)
@@ -200,6 +202,8 @@ class User(UserMixin, db.Model):
             return None
 
         user = cls.query.filter_by(email=email).first()
+        if not user:
+            user = cls.query.filter_by(nickname=email).first()  # be nice and allow nickname as well...
         if not user or not user.verify_password(password):
             return None
 
@@ -243,12 +247,10 @@ class User(UserMixin, db.Model):
 
     @property
     def effective_permissions(self):
-        permissions = Config.ROLE_PERMISSION_MAPPINGS.get(self.role, [])
+        permissions = Config.ROLE_PERMISSION_MAPPINGS.get(self.role, set())
         for g in self.groups:
-            print(g)
             for p in g.permissions:
-                print(p)
-                permissions.append(p)
+                permissions.add(p)
         return permissions
 
     @staticmethod
@@ -497,14 +499,13 @@ class Permission(db.Model):
     id = db.Column(db.Integer, autoincrement=True, primary_key=True)
     name = db.Column(db.Unicode(63), unique=True, nullable=False)
     description = db.Column(db.Unicode(511))
-    #read_only = db.Column(db.Boolean, default=False)
+    # read_only = db.Column(db.Boolean, default=False)
     groups = db.relationship(Group, secondary=group_permission_table,
                              back_populates='permissions')
     users = db.relationship(User, secondary=user_permission_table,
-                             back_populates='permissions')
+                            back_populates='permissions')
     access_control_entry = db.relationship('AccessControlEntry', back_populates='required_permission')
 
-
     @staticmethod
     def get_by_name(name):
         """
@@ -514,6 +515,17 @@ class Permission(db.Model):
         """
         return Permission.query.filter(Permission.name == name).first()
 
+    @staticmethod
+    def get_by_names(names: list):
+        """
+        Find permissions by their names
+        :param names:
+        :return:
+        """
+        if len(names) < 1:
+            return []
+        return Permission.query.filter(or_(*[Permission.name.like(name) for name in names])).all()
+
     @staticmethod
     def get_all():
         """
@@ -522,22 +534,42 @@ class Permission(db.Model):
         """
         return Permission.query.all()
 
+
+@event.listens_for(Permission.__table__, 'after_create')
+def insert_initial_permissions(*args, **kwargs):
+    print("DB: inserting default permissions:")
+    for p in app.config.get("PERMISSIONS", []):
+        print(p)
+        db.session.add(Permission(name=p))
+    db.session.commit()
+    # insert_initial_groups()  # call this function here again, as often (always?) permission table does not yet exist
+
+
 @event.listens_for(User.__table__, 'after_create')
 def insert_initial_users(*args, **kwargs):
+    print("DB: inserting default users:")
     for u in app.config.get("USERS", []):
         db.session.add(User(**u))
     db.session.commit()
 
 
+# The following initialization does not work as it depends on the existence of multiple tables
+# This initialization has now been moved to manage.py!
+"""
 @event.listens_for(Group.__table__, 'after_create')
 def insert_initial_groups(*args, **kwargs):
-    for g in app.config.get("GROUPS", []):
-        db.session.add(Group(**g))
-    db.session.commit()
-
-
-@event.listens_for(Permission.__table__, 'after_create')
-def insert_initial_permissions(*args, **kwargs):
-    for p in app.config.get("PERMISSIONS", []):
-        db.session.add(Permission(name=p))
-    db.session.commit()
+    print("DB: inserting default groups:")
+    try:
+        for g in app.config.get("GROUPS", []):
+            print(g['name'])
+            g_permissions = g.pop('permissions', [])
+            g['permissions'] = Permission.get_by_names(g_permissions)
+            print(g['permissions'])
+            db.session.add(Group(**g))
+        db.session.commit()
+    except sqlalchemy.exc.OperationalError as e:
+        first_error_line = str(e).split('\n')[0]
+        if "no such table" not in first_error_line:
+            raise
+        print(f"Permission table probably does not exist yet: {first_error_line} - you can probably ignore this!")
+"""
diff --git a/migrations/README b/migrations/README
new file mode 100644
index 0000000..98e4f9c
--- /dev/null
+++ b/migrations/README
@@ -0,0 +1 @@
+Generic single-database configuration.
\ No newline at end of file
diff --git a/migrations/alembic.ini b/migrations/alembic.ini
new file mode 100644
index 0000000..f8ed480
--- /dev/null
+++ b/migrations/alembic.ini
@@ -0,0 +1,45 @@
+# A generic, single database configuration.
+
+[alembic]
+# template used to generate migration files
+# file_template = %%(rev)s_%%(slug)s
+
+# set to 'true' to run the environment during
+# the 'revision' command, regardless of autogenerate
+# revision_environment = false
+
+
+# Logging configuration
+[loggers]
+keys = root,sqlalchemy,alembic
+
+[handlers]
+keys = console
+
+[formatters]
+keys = generic
+
+[logger_root]
+level = WARN
+handlers = console
+qualname =
+
+[logger_sqlalchemy]
+level = WARN
+handlers =
+qualname = sqlalchemy.engine
+
+[logger_alembic]
+level = INFO
+handlers =
+qualname = alembic
+
+[handler_console]
+class = StreamHandler
+args = (sys.stderr,)
+level = NOTSET
+formatter = generic
+
+[formatter_generic]
+format = %(levelname)-5.5s [%(name)s] %(message)s
+datefmt = %H:%M:%S
diff --git a/migrations/env.py b/migrations/env.py
new file mode 100644
index 0000000..9452179
--- /dev/null
+++ b/migrations/env.py
@@ -0,0 +1,96 @@
+from __future__ import with_statement
+
+import logging
+from logging.config import fileConfig
+
+from sqlalchemy import engine_from_config
+from sqlalchemy import pool
+
+from alembic import context
+
+# this is the Alembic Config object, which provides
+# access to the values within the .ini file in use.
+config = context.config
+
+# Interpret the config file for Python logging.
+# This line sets up loggers basically.
+fileConfig(config.config_file_name)
+logger = logging.getLogger('alembic.env')
+
+# add your model's MetaData object here
+# for 'autogenerate' support
+# from myapp import mymodel
+# target_metadata = mymodel.Base.metadata
+from flask import current_app
+config.set_main_option(
+    'sqlalchemy.url',
+    str(current_app.extensions['migrate'].db.engine.url).replace('%', '%%'))
+target_metadata = current_app.extensions['migrate'].db.metadata
+
+# other values from the config, defined by the needs of env.py,
+# can be acquired:
+# my_important_option = config.get_main_option("my_important_option")
+# ... etc.
+
+
+def run_migrations_offline():
+    """Run migrations in 'offline' mode.
+
+    This configures the context with just a URL
+    and not an Engine, though an Engine is acceptable
+    here as well.  By skipping the Engine creation
+    we don't even need a DBAPI to be available.
+
+    Calls to context.execute() here emit the given string to the
+    script output.
+
+    """
+    url = config.get_main_option("sqlalchemy.url")
+    context.configure(
+        url=url, target_metadata=target_metadata, literal_binds=True
+    )
+
+    with context.begin_transaction():
+        context.run_migrations()
+
+
+def run_migrations_online():
+    """Run migrations in 'online' mode.
+
+    In this scenario we need to create an Engine
+    and associate a connection with the context.
+
+    """
+
+    # this callback is used to prevent an auto-migration from being generated
+    # when there are no changes to the schema
+    # reference: http://alembic.zzzcomputing.com/en/latest/cookbook.html
+    def process_revision_directives(context, revision, directives):
+        if getattr(config.cmd_opts, 'autogenerate', False):
+            script = directives[0]
+            if script.upgrade_ops.is_empty():
+                directives[:] = []
+                logger.info('No changes in schema detected.')
+
+    connectable = engine_from_config(
+        config.get_section(config.config_ini_section),
+        prefix='sqlalchemy.',
+        poolclass=pool.NullPool,
+    )
+
+    with connectable.connect() as connection:
+        context.configure(
+            connection=connection,
+            target_metadata=target_metadata,
+            process_revision_directives=process_revision_directives,
+            **current_app.extensions['migrate'].configure_args
+        )
+
+        with context.begin_transaction():
+            context.run_migrations()
+
+
+if context.is_offline_mode():
+    run_migrations_offline()
+else:
+    run_migrations_online()
diff --git a/migrations/script.py.mako b/migrations/script.py.mako
new file mode 100644
index 0000000..2c01563
--- /dev/null
+++ b/migrations/script.py.mako
@@ -0,0 +1,24 @@
+"""${message}
+
+Revision ID: ${up_revision}
+Revises: ${down_revision | comma,n}
+Create Date: ${create_date}
+
+"""
+from alembic import op
+import sqlalchemy as sa
+${imports if imports else ""}
+
+# revision identifiers, used by Alembic.
+revision = ${repr(up_revision)}
+down_revision = ${repr(down_revision)}
+branch_labels = ${repr(branch_labels)}
+depends_on = ${repr(depends_on)}
+
+
+def upgrade():
+    ${upgrades if upgrades else "pass"}
+
+
+def downgrade():
+    ${downgrades if downgrades else "pass"}