fix: add device ownership migration logic

The device ownership config introduced a breaking change. The default
behavior before was that ALL users were allowed, but now only the owner
is allowed.

In order to migrate the config, we set a new snapctl config param. If
that is not present, that means that we need to migrate the config.

conf/broker.conf.d/00-migration-allowed_users.conf

@@ -0,0 +1,11 @@
+## This file was generated during the broker upgrade process. DO NOT EDIT.
+##
+## This file adds the 'allowed_users' option and sets it to 'ALL'
+## to preserve backward compatibility, as the default for this
+## option is 'OWNER'.
+## For more information, refer to 10-allowed_users.conf.
+##
+## If you want to use the new default setting, simply delete this file.
+
+[users]
+allowed_users = ALL

conf/broker.conf.d/10-allowed_users.conf

@@ -0,0 +1,28 @@
+[users]
+## 'allowed_users' specifies the users who are permitted to log in after
+## successfully authenticating with the Identity Provider.
+## Values are separated by commas. Supported values:
+## - 'OWNER': Grants access to the user specified in the 'owner' option
+##        	(see below). This is the default.
+## - 'ALL': Grants access to all users who successfully authenticate
+##      	with the Identity Provider.
+## - <username>: Grants access to specific additional users
+##           	(e.g. user1@example.com).
+## Example: allowed_users = OWNER,user1@example.com,admin@example.com
+#allowed_users = OWNER
+
+## 'owner' specifies the user assigned the owner role. This user is
+## permitted to log in if 'OWNER' is included in the 'allowed_users'
+## option.
+##
+## If this option is left unset, the first user to successfully log in
+## via this broker will automatically be assigned the owner role. A
+## drop-in configuration file will be created in broker.conf.d/ to set
+## the 'owner' option.
+##
+## To disable automatic assignment, you can either:
+## 1. Explicitly set this option to an empty value (e.g. owner = "")
+## 2. Remove 'OWNER' from the 'allowed_users' option
+##
+## Example: owner = user2@example.com
+#owner =

snap/hooks/post-refresh

@@ -0,0 +1,34 @@
+#!/bin/sh
+set -eu
+
+echo "post-refresh hook" >> /tmp/snap.log # TODO: Only for debugging
+
+PREVIOUS_VERSION=$(snapctl get previous-version)
+echo "Previous version: $PREVIOUS_VERSION" >> /tmp/snap.log
+
+INITIAL_ALLOWED_USERS_VERSION="0.2.0"
+
+version_less_than() {
+  [ "$(printf '%s\n' "$1" "$2" | sort -V | head -n1)" = "$1" ]
+}
+
+should_transition_to_allowed_users() {
+  # Transition to allowed users if:
+  # - previous-version is not set (that means that the previous version is
+  #   older than 0.2.0, i.e. the version where we introduced setting the
+  #   previous-version in the pre-refresh hook).
+  # - previous-version is set, but it is less than 0.2.0. That should never
+  #   happen, but we check it to give an example how the previous-version
+  #   can be used to transition data from older versions.
+  [ -z "${PREVIOUS_VERSION:-}" ] || version_less_than "${PREVIOUS_VERSION:-}" "${INITIAL_ALLOWED_USERS_VERSION:-}"
+}
+
+transition_to_allowed_users() {
+  echo "Transitioning to allowed users" >> /tmp/snap.log # TODO: Only for debugging
+  mkdir ${SNAP_DATA}/broker.conf.d
+  cp --update=none ${SNAP}/conf/broker.conf.d.orig/* ${SNAP_DATA}/broker.conf.d/
+}
+
+if should_transition_to_allowed_users; then
+  transition_to_allowed_users
+fi

snap/hooks/pre-refresh

@@ -0,0 +1,6 @@
+#!/bin/sh
+set -eu
+
+echo "pre-refresh hook" >> /tmp/snap.log # TODO: Only for debugging
+
+snapctl set previous-version=${SNAP_VERSION}

snap/snapcraft.yaml

@@ -38,6 +38,7 @@ parts:
     organize:
       "authd.conf": "conf/authd/oidc.conf"
       "broker.conf": "conf/broker.conf.orig"
+      "broker.conf.d": "conf/broker.conf.d.orig"
   # Build the snap version from the git repository and current tree state.
   version:
     source: .