webhookdb 1.0.2 → 1.2.0

data/lib/webhookdb/fixtures/saved_queries.rb

@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+require "faker"
+
+require "webhookdb"
+require "webhookdb/fixtures"
+
+module Webhookdb::Fixtures::SavedQueries
+  extend Webhookdb::Fixtures
+
+  fixtured_class Webhookdb::SavedQuery
+
+  base :saved_query do
+    self.description ||= Faker::Lorem.sentence
+    self.sql ||= "SELECT * FROM mytable"
+  end
+
+  before_saving do |instance|
+    instance.organization ||= Webhookdb::Fixtures.organization.create
+    instance
+  end
+
+  decorator :created_by do |c={}|
+    c = Webhookdb::Fixtures.customer.create(c) unless c.is_a?(Webhookdb::Customer)
+    self.created_by = c
+  end
+end

data/lib/webhookdb/fixtures/service_integrations.rb

@@ -39,4 +39,8 @@ module Webhookdb::Fixtures::ServiceIntegrations
     self.backfill_key = "fake_bfkey"
     self.backfill_secret = "fake_bfsecret"
   end
+
+  decorator :with_api_key do
+    self.webhookdb_api_key ||= self.new_api_key
+  end
 end

data/lib/webhookdb/front.rb

@@ -6,34 +6,44 @@ require "appydays/loggable"
 module Webhookdb::Front
   include Appydays::Configurable
 
+  CHANNEL_EVENT_TYPES = Set.new(["authorization", "delete", "message", "message_autoreply", "message_imported"])
+
   configurable(:front) do
-    # The api secret is used for webhook verification, the client id and secret are used for OAuth
-    setting :api_secret, "front_api_secret"
+    setting :http_timeout, 30
+
+    # WebhookDB App: App Secret from Basic Information tab in Front UI.
+    setting :app_secret, "front_api_secret", key: ["FRONT_APP_SECRET", "FRONT_API_SECRET"]
+    # WebhookDB App: Client ID from OAuth tab in Front UI.
     setting :client_id, "front_client_id"
+    # WebhookDB App: Client Secret from OAuth tab in Front UI.
     setting :client_secret, "front_client_secret"
-    setting :http_timeout, 30
-  end
 
-  def self.oauth_callback_url = Webhookdb.api_url + "/v1/install/front/callback"
+    setting :signalwire_channel_app_id, "front_swchan_app_id"
+    setting :signalwire_channel_app_secret, "front_swchan_app_secret"
+    setting :signalwire_channel_client_id, "front_swchan_client_id"
+    setting :signalwire_channel_client_secret, "front_swchan_client_secret"
+
+    setting :channel_sync_refreshness_cutoff, 48.hours.to_i
+  end
 
-  def self.verify_signature(request)
+  def self.verify_signature(request, secret)
     request.body.rewind
     body = request.body.read
     base_string = "#{request.env['HTTP_X_FRONT_REQUEST_TIMESTAMP']}:#{body}"
-    calculated_signature = OpenSSL::HMAC.base64digest(OpenSSL::Digest.new("sha256"), self.api_secret, base_string)
+    calculated_signature = OpenSSL::HMAC.base64digest(OpenSSL::Digest.new("sha256"), secret, base_string)
     return calculated_signature == request.env["HTTP_X_FRONT_SIGNATURE"]
   end
 
-  def self.webhook_response(request)
+  def self.webhook_response(request, secret)
     return Webhookdb::WebhookResponse.error("missing signature") unless request.env["HTTP_X_FRONT_SIGNATURE"]
 
-    from_front = Webhookdb::Front.verify_signature(request)
+    from_front = self.verify_signature(request, secret)
     return Webhookdb::WebhookResponse.ok(status: 200) if from_front
     return Webhookdb::WebhookResponse.error("invalid signature")
   end
 
-  def self.initial_verification_request_response(request)
-    from_front = self.verify_signature(request)
+  def self.initial_verification_request_response(request, secret)
+    from_front = self.verify_signature(request, secret)
     if from_front
       return Webhookdb::WebhookResponse.ok(
         json: {challenge: request.env["HTTP_X_FRONT_CHALLENGE"]},
@@ -46,4 +56,6 @@ module Webhookdb::Front
   def self.auth_headers(token)
     return {"Authorization" => "Bearer #{token}"}
   end
+
+  def self.channel_jwt_jti = SecureRandom.hex(4)
 end

data/lib/webhookdb/google_calendar.rb

@@ -9,6 +9,12 @@ module Webhookdb::GoogleCalendar
     # How many calendars/events should we fetch in a single page?
     # Higher uses slightly more memory but fewer API calls.
     # Max of 2500.
+    #
+    # **NOTE:** Changing this in production will
+    # INVALIDATE EXISTING RESOURCES CAUSING A FULL RESYNC.
+    # You should, in general, avoid modifying this number once there is
+    # much Google Calendar data stored. Instead, page sizes will be automatically reduced
+    # as requests time out.
     setting :list_page_size, 2000
     # How many rows should we upsert at a time?
     # Higher is fewer upserts, but can create very large SQL strings,

data/lib/webhookdb/icalendar.rb

@@ -13,5 +13,11 @@ module Webhookdb::Icalendar
     # Do not store events older then this when syncing recurring events.
     # Many icalendar feeds are misconfigured and this prevents enumerating 2000+ years of recurrence.
     setting :oldest_recurring_event, "1990-01-01", convert: ->(s) { Date.parse(s) }
+    # Sync icalendar calendars only this often.
+    # Most services only update every day or so. Assume it takes 5s to sync each feed (request, parse, upsert).
+    # If you have 10,000 feeds, that is 50,000 seconds, or almost 14 hours of processing time,
+    # or two threads for 7 hours. The resyncs are spread out across the sync period
+    # (ie, no thundering herd every 8 hours), but it is still a good idea to sync as infrequently as possible.
+    setting :sync_period_hours, 6
   end
 end

data/lib/webhookdb/idempotency.rb

@@ -26,51 +26,112 @@ require "webhookdb/postgres/model"
 # usually using the :no_transaction_check spec metadata.
 #
 class Webhookdb::Idempotency < Webhookdb::Postgres::Model(:idempotencies)
-  extend Webhookdb::MethodUtilities
-
   NOOP = :skipped
 
-  # Skip the transaction check. Useful in unit tests. See class docs for details.
-  singleton_predicate_accessor :skip_transaction_check
+  class << self
+    # Skip the transaction check. Useful in unit tests. See class docs for details.
+    attr_accessor :skip_transaction_check
 
-  def self.once_ever
-    idem = self.new
-    idem.__once_ever = true
-    return idem
-  end
+    def skip_transaction_check? = self.skip_transaction_check
 
-  def self.every(interval)
-    idem = self.new
-    idem.__every = interval
-    return idem
-  end
+    # @return [Builder]
+    def once_ever
+      b = self::Builder.new
+      b._once_ever = true
+      return b
+    end
 
-  attr_accessor :__every, :__once_ever
+    # @return [Builder]
+    def every(interval)
+      b = self::Builder.new
+      b._every = interval
+      return b
+    end
 
-  def under_key(key, &block)
-    self.key = key
-    return self.execute(&block) if block
-    return self
+    def separate_connection
+      @connection ||= Sequel.connect(
+        uri,
+        logger: self.logger,
+        extensions: [
+          :connection_validator,
+          :pg_json, # Must have this to mirror the main model DB
+        ],
+        **Webhookdb::Dbutil.configured_connection_options,
+      )
+      return @connection
+    end
   end
 
-  def execute
-    Webhookdb::Postgres.check_transaction(
-      self.db,
-      "Cannot use idempotency while already in a transaction, since side effects may not be idempotent",
-    )
+  class Builder
+    attr_accessor :_every, :_once_ever, :_stored, :_sepconn, :_key
+
+    # If set, the result of block is stored as JSON,
+    # and returned when an idempotent call is made.
+    # The JSON value (as_json) is returned from the block in all cases.
+    # @return [Builder]
+    def stored
+      self._stored = true
+      return self
+    end
 
-    self.class.dataset.insert_conflict.insert(key: self.key)
-    self.db.transaction do
-      idem = Webhookdb::Idempotency[key: self.key].lock!
-      if idem.last_run.nil?
+    # Run the idempotency on a separate connection.
+    # Allows use of idempotency within an existing transaction block,
+    # which is normally not allowed. Usually should be used with #stored,
+    # since otherwise the result of the idempotency will be lost.
+    #
+    # NOTE: When calling code with using_seperate_connection,
+    # you may want to use the spec metadata `truncate: Webhookdb::Idempotency`
+    # since the row won't be covered by the spec's transaction.
+    #
+    # @return [Builder]
+    def using_seperate_connection
+      self._sepconn = true
+      return self
+    end
+
+    # @return [Builder]
+    def under_key(key, &block)
+      self._key = key
+      return self.execute(&block) if block
+      return self
+    end
+
+    def execute
+      if self._sepconn
+        db = Webhookdb::Idempotency.separate_connection
+      else
+        db = Webhookdb::Idempotency.db
+        Webhookdb::Postgres.check_transaction(
+          db,
+          "Cannot use idempotency while already in a transaction, since side effects may not be idempotent. " \
+          "You can chain withusing_seperate_connection to run the idempotency itself separately.",
+        )
+      end
+
+      db[:idempotencies].insert_conflict.insert(key: self._key)
+      db.transaction do
+        idem_row = db[:idempotencies].where(key: self._key).for_update.first
+        if idem_row.fetch(:last_run).nil?
+          result = yield()
+          result = self._update_row(db, result)
+          return result
+        end
+        noop_result = self._stored ? idem_row.fetch(:stored_result) : NOOP
+        return noop_result if self._once_ever
+        return noop_result if Time.now < (idem_row[:last_run] + self._every)
         result = yield()
-        idem.update(last_run: Time.now)
+        result = self._update_row(db, result)
         return result
       end
-      return NOOP if self.__once_ever
-      return NOOP if Time.now < (idem.last_run + self.__every)
-      result = yield()
-      idem.update(last_run: Time.now)
+    end
+
+    def _update_row(db, result)
+      updates = {last_run: Time.now}
+      if self._stored
+        result = result.as_json
+        updates[:stored_result] = Sequel.pg_jsonb_wrap(result)
+      end
+      db[:idempotencies].where(key: self._key).update(updates)
       return result
     end
   end

data/lib/webhookdb/jobs/backfill.rb

@@ -19,13 +19,32 @@ class Webhookdb::Jobs::Backfill
   end
 
   def _perform(event)
-    bfjob = self.lookup_model(Webhookdb::BackfillJob, event.payload)
+    begin
+      bfjob = self.lookup_model(Webhookdb::BackfillJob, event.payload)
+    rescue RuntimeError => e
+      self.logger.info "skipping_missing_backfill_job", error: e
+      return
+    end
     sint = bfjob.service_integration
     self.with_log_tags(sint.log_tags.merge(backfill_job_id: bfjob.opaque_id)) do
-      if bfjob.finished?
-        self.logger.info "skipping_finished_backfill_job"
-      else
-        sint.replicator.backfill(bfjob)
+      sint.db.transaction do
+        unless bfjob.lock?
+          self.logger.info "skipping_locked_backfill_job"
+          break
+        end
+        bfjob.refresh
+        if bfjob.finished?
+          self.logger.info "skipping_finished_backfill_job"
+          break
+        end
+        begin
+          sint.replicator.backfill(bfjob)
+        rescue Webhookdb::Replicator::CredentialsMissing
+          # The credentials could have been cleared out, so just finish this job.
+          self.logger.info "skipping_backfill_job_without_credentials"
+          bfjob.update(finished_at: Time.now)
+          break
+        end
       end
     end
   end

data/lib/webhookdb/jobs/icalendar_enqueue_syncs.rb

@@ -3,6 +3,10 @@
 require "webhookdb/async/scheduled_job"
 require "webhookdb/jobs"
 
+# For every IcalendarCalendar row needing a sync (across all service integrations),
+# enqueue a +Webhookdb::Jobs::IcalendarSync+ job.
+# Jobs are 'splayed' over 1/4 of the configured calendar sync period (see +Webhookdb::Icalendar+)
+# to avoid a thundering herd.
 class Webhookdb::Jobs::IcalendarEnqueueSyncs
   extend Webhookdb::Async::ScheduledJob
 
@@ -10,12 +14,14 @@ class Webhookdb::Jobs::IcalendarEnqueueSyncs
   splay 30
 
   def _perform
+    max_splay = Webhookdb::Icalendar.sync_period_hours.hours.to_i / 4
     Webhookdb::ServiceIntegration.dataset.where_each(service_name: "icalendar_calendar_v1") do |sint|
       sint.replicator.admin_dataset do |ds|
         sint.replicator.rows_needing_sync(ds).each do |row|
           calendar_external_id = row.fetch(:external_id)
           self.with_log_tags(sint.log_tags) do
-            enqueued_job_id = Webhookdb::Jobs::IcalendarSync.perform_async(sint.id, calendar_external_id)
+            splay = rand(1..max_splay)
+            enqueued_job_id = Webhookdb::Jobs::IcalendarSync.perform_in(splay, sint.id, calendar_external_id)
             self.logger.info("enqueued_icalendar_sync", calendar_external_id:, enqueued_job_id:)
           end
         end

data/lib/webhookdb/jobs/prepare_database_connections.rb

@@ -15,8 +15,8 @@ class Webhookdb::Jobs::PrepareDatabaseConnections
     org.db.transaction do
       # If creating the public host fails, we end up with an orphaned database,
       # but that's not a big deal- we can eventually see it's empty/unlinked and drop it.
-      org.prepare_database_connections
-      org.create_public_host_cname
+      org.prepare_database_connections(safe: true)
+      org.create_public_host_cname(safe: true)
     end
   end
 end

data/lib/webhookdb/jobs/scheduled_backfills.rb

@@ -1,10 +1,15 @@
 # frozen_string_literal: true
 
+require "webhookdb/email_octopus"
+require "webhookdb/github"
+require "webhookdb/sponsy"
+require "webhookdb/transistor"
+
 module Webhookdb::Jobs
   # Create a single way to do the common task of automatic scheduled backfills.
   # Each integration that needs automated backfills can add a specification here.
   module ScheduledBackfills
-    Spec = Struct.new(:klass, :service_name, :cron_expr, :splay, :incremental)
+    Spec = Struct.new(:klass, :service_name, :cron_expr, :splay, :incremental, :recursive)
 
     # @param spec [Spec]
     def self.install(spec)
@@ -16,7 +21,8 @@ module Webhookdb::Jobs
 
         define_method(:_perform) do
           Webhookdb::ServiceIntegration.dataset.where_each(service_name: spec.service_name) do |sint|
-            Webhookdb::BackfillJob.create(service_integration: sint, incremental: spec.incremental).enqueue
+            m = spec.recursive ? :create_recursive : :create
+            Webhookdb::BackfillJob.send(m, service_integration: sint, incremental: spec.incremental).enqueue
           end
         end
       end
@@ -26,19 +32,19 @@ module Webhookdb::Jobs
     [
       Spec.new(
         "ConvertkitBroadcastBackfill", "convertkit_broadcast_v1",
-        "10 * * * *", 2.minutes, false,
+        "10 * * * *", 2.minutes, false, false,
       ),
       Spec.new(
         "ConvertkitSubscriberBackfill", "convertkit_subscriber_v1",
-        "20 * * * *", 2.minutes, true,
+        "20 * * * *", 2.minutes, true, false,
       ),
       Spec.new(
         "ConvertkitTagBackfill", "convertkit_tag_v1",
-        "30 * * * *", 2.minutes, false,
+        "30 * * * *", 2.minutes, false, false,
       ),
       Spec.new(
         "EmailOctopusScheduledBackfill", "email_octopus_list_v1",
-        Webhookdb::EmailOctopus.cron_expression, 2.minutes, false,
+        Webhookdb::EmailOctopus.cron_expression, 2.minutes, false, true,
       ),
       Spec.new(
         "GithubRepoActivityScheduledBackfill", "github_repository_event_v1",
@@ -46,31 +52,31 @@ module Webhookdb::Jobs
       ),
       Spec.new(
         "IntercomScheduledBackfill", "intercom_marketplace_root_v1",
-        "*/1 * * * *", 0, false,
+        "*/1 * * * *", 0, false, true,
       ),
       Spec.new(
         "AtomSingleFeedPoller", "atom_single_feed_v1",
-        "11 * * * *", 10.seconds, true,
+        "11 * * * *", 10.seconds, true, false,
       ),
       Spec.new(
         "SponsyScheduledBackfill", "sponsy_publication_v1",
-        Webhookdb::Sponsy.cron_expression, 30.seconds, true,
+        Webhookdb::Sponsy.cron_expression, 30.seconds, true, true,
       ),
       Spec.new(
         "TransistorEpisodeBackfill", "transistor_episode_v1",
-        Webhookdb::Transistor.episode_cron_expression, 2.minutes, true,
+        Webhookdb::Transistor.episode_cron_expression, 2.minutes, true, true,
       ),
       Spec.new(
         "TransistorShowBackfill", "transistor_show_v1",
-        Webhookdb::Transistor.show_cron_expression, 2.minutes, true,
+        Webhookdb::Transistor.show_cron_expression, 2.minutes, true, false,
       ),
       Spec.new(
         "TwilioSmsBackfill", "twilio_sms_v1",
-        "*/1 * * * *", 0, true,
+        "*/1 * * * *", 0, true, false,
       ),
       Spec.new(
         "SignalwireMessageBackfill", "signalwire_message_v1",
-        "*/1 * * * *", 0, true,
+        "*/1 * * * *", 0, true, false,
       ),
     ].each { |sp| self.install(sp) }
   end

data/lib/webhookdb/oauth/{front.rb → front_provider.rb}

@@ -2,29 +2,35 @@
 
 require "webhookdb/front"
 
-class Webhookdb::Oauth::Front < Webhookdb::Oauth::Provider
+class Webhookdb::Oauth::FrontProvider < Webhookdb::Oauth::Provider
   include Appydays::Loggable
 
+  # Override these for custom OAuth of different apps
   def key = "front"
   def app_name = "Front"
+  def client_id = Webhookdb::Front.client_id
+  def client_secret = Webhookdb::Front.client_secret
+
   def requires_webhookdb_auth? = true
   def supports_webhooks? = true
 
   def authorization_url(state:)
-    return "https://app.frontapp.com/oauth/authorize?response_type=code&redirect_uri=#{Webhookdb::Front.oauth_callback_url}&state=#{state}&client_id=#{Webhookdb::Front.client_id}"
+    return "https://app.frontapp.com/oauth/authorize?response_type=code&redirect_uri=#{self.callback_url}&state=#{state}&client_id=#{self.client_id}"
   end
 
+  def callback_url = Webhookdb.api_url + "/v1/install/#{self.key}/callback"
+
   def exchange_authorization_code(code:)
     token = Webhookdb::Http.post(
       "https://app.frontapp.com/oauth/token",
       {
         "code" => code,
-        "redirect_uri" => Webhookdb::Front.oauth_callback_url,
+        "redirect_uri" => self.callback_url,
         "grant_type" => "authorization_code",
       },
       logger: self.logger,
       timeout: Webhookdb::Front.http_timeout,
-      basic_auth: {username: Webhookdb::Front.client_id, password: Webhookdb::Front.client_secret},
+      basic_auth: {username: self.client_id, password: self.client_secret},
     )
     return Webhookdb::Oauth::Tokens.new(
       access_token: token.parsed_response["access_token"],
@@ -56,3 +62,14 @@ class Webhookdb::Oauth::Front < Webhookdb::Oauth::Provider
     root_sint.replicator.build_dependents
   end
 end
+
+class Webhookdb::Oauth::FrontSignalwireChannelProvider < Webhookdb::Oauth::FrontProvider
+  def key = "front_signalwire"
+  def app_name = "Front Signalwire Channel"
+  def client_id = Webhookdb::Front.signalwire_channel_client_id
+  def client_secret = Webhookdb::Front.signalwire_channel_client_secret
+
+  def build_marketplace_integrations(*)
+    raise NotImplementedError, "this should not be called, Front channels have a different setup"
+  end
+end

data/lib/webhookdb/oauth/{intercom.rb → intercom_provider.rb}

@@ -2,7 +2,7 @@
 
 require "webhookdb/intercom"
 
-class Webhookdb::Oauth::Intercom < Webhookdb::Oauth::Provider
+class Webhookdb::Oauth::IntercomProvider < Webhookdb::Oauth::Provider
   include Appydays::Loggable
 
   def key = "intercom"

data/lib/webhookdb/oauth.rb

@@ -56,9 +56,9 @@ module Webhookdb::Oauth
   # rubocop:enable Lint/UnusedMethodArgument
 
   class << self
-    # @return [String, Class]
-    def register(key, cls)
-      raise "#{key} already registered to #{cls}" if self.registry.include?(key)
+    def register(cls)
+      key = cls.new.key
+      raise KeyError, "#{key} already registered to #{cls}" if self.registry.include?(key)
       self.registry[key] = cls
     end
 
@@ -74,7 +74,8 @@ module Webhookdb::Oauth
   end
 end
 
-require "webhookdb/oauth/front"
-Webhookdb::Oauth.register(Webhookdb::Oauth::Front.new.key, Webhookdb::Oauth::Front)
-require "webhookdb/oauth/intercom"
-Webhookdb::Oauth.register(Webhookdb::Oauth::Intercom.new.key, Webhookdb::Oauth::Intercom)
+require "webhookdb/oauth/front_provider"
+Webhookdb::Oauth.register(Webhookdb::Oauth::FrontProvider)
+Webhookdb::Oauth.register(Webhookdb::Oauth::FrontSignalwireChannelProvider)
+require "webhookdb/oauth/intercom_provider"
+Webhookdb::Oauth.register(Webhookdb::Oauth::IntercomProvider)

data/lib/webhookdb/organization/alerting.rb

@@ -7,7 +7,12 @@ class Webhookdb::Organization::Alerting
   include Appydays::Configurable
 
   configurable(:alerting) do
+    # Only send an alert with a given signature (replicator and error signature)
+    # to a given customer this often. Avoid spamming about any single replicator issue.
     setting :interval, 24.hours.to_i
+    # Each customer can only receive this many alerts for a given template per day.
+    # Avoids spamming a customer when many rows of a replicator have problems.
+    setting :max_alerts_per_customer_per_day, 15
   end
 
   attr_reader :org
@@ -25,9 +30,15 @@ class Webhookdb::Organization::Alerting
             "which is a unique identity for this error type, used for grouping and idempotency"
     end
     signature = message_template.signature
+    max_alerts_per_customer_per_day = Webhookdb::Organization::Alerting.max_alerts_per_customer_per_day
     self.org.admin_customers.each do |c|
       idemkey = "orgalert-#{signature}-#{c.id}"
       Webhookdb::Idempotency.every(Webhookdb::Organization::Alerting.interval).under_key(idemkey) do
+        sent_last_day = Webhookdb::Message::Delivery.
+          where(template: message_template.full_template_name, recipient: c).
+          limit(max_alerts_per_customer_per_day).
+          count
+        next unless sent_last_day < max_alerts_per_customer_per_day
         message_template.dispatch_email(c)
       end
     end

data/lib/webhookdb/organization.rb

@@ -34,6 +34,7 @@ class Webhookdb::Organization < Webhookdb::Postgres::Model(:organizations)
               adder: ->(om) { om.update(organization_id: id, verified: false) },
               order: :id
   one_to_many :service_integrations, class: "Webhookdb::ServiceIntegration", order: :id
+  one_to_many :saved_queries, class: "Webhookdb::SavedQuery", order: :id
   one_to_many :webhook_subscriptions, class: "Webhookdb::WebhookSubscription", order: :id
   many_to_many :feature_roles, class: "Webhookdb::Role", join_table: :feature_roles_organizations, right_key: :role_id
   one_to_many :all_webhook_subscriptions,
@@ -204,6 +205,7 @@ class Webhookdb::Organization < Webhookdb::Postgres::Model(:organizations)
   end
 
   # Build the org-specific users, database, and set our connection URLs to it.
+  # @param safe [*] If true, noop if connection urls are set.
   def prepare_database_connections(safe: false)
     self.db.transaction do
       self.lock!
@@ -220,13 +222,17 @@ class Webhookdb::Organization < Webhookdb::Postgres::Model(:organizations)
   end
 
   # Create a CNAME in Cloudflare for the currently configured connection urls.
-  def create_public_host_cname
+  # @param safe [*] If true, noop if the public host is set.
+  def create_public_host_cname(safe: false)
     self.db.transaction do
       self.lock!
       # We must have a host to create a CNAME to.
       raise Webhookdb::InvalidPrecondition, "connection urls must be set" if self.readonly_connection_url_raw.blank?
       # Should only be used once when creating the org DBs.
-      raise Webhookdb::InvalidPrecondition, "public_host must not be set" if self.public_host.present?
+      if self.public_host.present?
+        return if safe
+        raise Webhookdb::InvalidPrecondition, "public_host must not be set"
+      end
       # Use the raw URL, even though we know at this point
       # public_host is empty so raw and public host urls are the same.
       Webhookdb::Organization::DbBuilder.new(self).create_public_host_cname(self.readonly_connection_url_raw)

data/lib/webhookdb/postgres/model_utilities.rb

@@ -290,6 +290,25 @@ module Webhookdb::Postgres::ModelUtilities
       end
     end
 
+    # Run a SELECT FOR UPDATE SKIP LOCKED.
+    # If the model row is already locked, return false.
+    # Otherwise, acquire the lock and return true.
+    #
+    # If the lock is acquired, callers may want to refresh the receiver to make sure it has the newest values.
+    #
+    # @raise [Webhookdb::LockFailed] if the code is not currently in a transaction.
+    def lock?
+      raise Webhookdb::LockFailed, "must be in a transaction" unless self.db.in_transaction?
+      pk = self[self.class.primary_key]
+      got_lock = self.class.dataset.
+        select(1).
+        where(self.class.primary_key => pk).
+        for_update.
+        skip_locked.
+        first
+      return !got_lock.nil?
+    end
+
     # Round +Time+ t to remove nanoseconds, since Postgres can only store microseconds.
     protected def round_time(t)
       return nil if t.nil?

data/lib/webhookdb/postgres.rb

@@ -60,6 +60,7 @@ module Webhookdb::Postgres
     "webhookdb/organization/database_migration",
     "webhookdb/organization_membership",
     "webhookdb/role",
+    "webhookdb/saved_query",
     "webhookdb/service_integration",
     "webhookdb/subscription",
     "webhookdb/sync_target",
@@ -120,11 +121,13 @@ module Webhookdb::Postgres
   end
 
   def self.run_all_migrations(target: nil)
+    # :nocov:
     Sequel.extension :migration
     Webhookdb::Postgres.each_model_superclass do |cls|
       cls.install_all_extensions
       Sequel::Migrator.run(cls.db, Pathname(__FILE__).dirname.parent.parent + "db/migrations", target:)
     end
+    # :nocov:
   end
 
   # We can always register the models right away, since it does not have a side effect.