[DPE-2299] Relation secrets (#233)

* Tweak build connection string * Add secrets switch for data integrator * Assert secret uri and always check secret uri
canonical · Sep 29, 2023 · 67f1c6b · 67f1c6b
1 parent a6dc5f5
commit 67f1c6b
Show file tree

Hide file tree

Showing 2 changed files with 50 additions and 7 deletions.
diff --git a/tests/integration/new_relations/helpers.py b/tests/integration/new_relations/helpers.py
@@ -1,13 +1,22 @@
 #!/usr/bin/env python3
 # Copyright 2022 Canonical Ltd.
 # See LICENSE file for licensing details.
-from typing import Optional
+import json
+from typing import Dict, Optional
 
 import yaml
 from pytest_operator.plugin import OpsTest
 from tenacity import RetryError, Retrying, stop_after_attempt, wait_exponential
 
 
+async def get_juju_secret(ops_test: OpsTest, secret_uri: str) -> Dict[str, str]:
+    """Retrieve juju secret."""
+    secret_unique_id = secret_uri.split("/")[-1]
+    complete_command = f"show-secret {secret_uri} --reveal --format=json"
+    _, stdout, _ = await ops_test.juju(*complete_command.split())
+    return json.loads(stdout)[secret_unique_id]["content"]["Data"]
+
+
 async def build_connection_string(
     ops_test: OpsTest,
     application_name: str,
@@ -37,12 +46,26 @@ async def build_connection_string(
     # Get the connection data exposed to the application through the relation.
     if database is None:
         database = f'{application_name.replace("-", "_")}_{relation_name.replace("-", "_")}'
-    username = await get_application_relation_data(
-        ops_test, application_name, relation_name, "username", relation_id, relation_alias
-    )
-    password = await get_application_relation_data(
-        ops_test, application_name, relation_name, "password", relation_id, relation_alias
-    )
+
+    if secret_uri := await get_application_relation_data(
+        ops_test,
+        application_name,
+        relation_name,
+        "secret-user",
+        relation_id,
+        relation_alias,
+    ):
+        secret_data = await get_juju_secret(ops_test, secret_uri)
+        username = secret_data["username"]
+        password = secret_data["password"]
+    else:
+        username = await get_application_relation_data(
+            ops_test, application_name, relation_name, "username", relation_id, relation_alias
+        )
+        password = await get_application_relation_data(
+            ops_test, application_name, relation_name, "password", relation_id, relation_alias
+        )
+
     endpoints = await get_application_relation_data(
         ops_test,
         application_name,

diff --git a/tests/integration/new_relations/test_new_relations.py b/tests/integration/new_relations/test_new_relations.py
@@ -81,6 +81,26 @@ async def test_no_read_only_endpoint_in_standalone_cluster(ops_test: OpsTest):
         )
         await ops_test.model.wait_for_idle(apps=APP_NAMES, status="active")
 
+        # Check that on juju 3 we have secrets and no username and password in the rel databag
+        if hasattr(ops_test.model, "list_secrets"):
+            logger.info("checking for secrets")
+            secret_uri, password = await asyncio.gather(
+                get_application_relation_data(
+                    ops_test,
+                    APPLICATION_APP_NAME,
+                    FIRST_DATABASE_RELATION_NAME,
+                    "secret-user",
+                ),
+                get_application_relation_data(
+                    ops_test,
+                    APPLICATION_APP_NAME,
+                    FIRST_DATABASE_RELATION_NAME,
+                    "password",
+                ),
+            )
+            assert secret_uri is not None
+            assert password is None
+
         # Try to get the connection string of the database using the read-only endpoint.
         # It should not be available.
         assert await check_relation_data_existence(