From 67f1c6b8c0fa8c3e6543cb7eff62fabc40533325 Mon Sep 17 00:00:00 2001 From: Dragomir Penev <6687393+dragomirp@users.noreply.github.com> Date: Fri, 29 Sep 2023 11:35:37 +0300 Subject: [PATCH] [DPE-2299] Relation secrets (#233) * Tweak build connection string * Add secrets switch for data integrator * Assert secret uri and always check secret uri --- tests/integration/new_relations/helpers.py | 37 +++++++++++++++---- .../new_relations/test_new_relations.py | 20 ++++++++++ 2 files changed, 50 insertions(+), 7 deletions(-) diff --git a/tests/integration/new_relations/helpers.py b/tests/integration/new_relations/helpers.py index 343c18d72b..11a2e066e1 100644 --- a/tests/integration/new_relations/helpers.py +++ b/tests/integration/new_relations/helpers.py @@ -1,13 +1,22 @@ #!/usr/bin/env python3 # Copyright 2022 Canonical Ltd. # See LICENSE file for licensing details. -from typing import Optional +import json +from typing import Dict, Optional import yaml from pytest_operator.plugin import OpsTest from tenacity import RetryError, Retrying, stop_after_attempt, wait_exponential +async def get_juju_secret(ops_test: OpsTest, secret_uri: str) -> Dict[str, str]: + """Retrieve juju secret.""" + secret_unique_id = secret_uri.split("/")[-1] + complete_command = f"show-secret {secret_uri} --reveal --format=json" + _, stdout, _ = await ops_test.juju(*complete_command.split()) + return json.loads(stdout)[secret_unique_id]["content"]["Data"] + + async def build_connection_string( ops_test: OpsTest, application_name: str, @@ -37,12 +46,26 @@ async def build_connection_string( # Get the connection data exposed to the application through the relation. if database is None: database = f'{application_name.replace("-", "_")}_{relation_name.replace("-", "_")}' - username = await get_application_relation_data( - ops_test, application_name, relation_name, "username", relation_id, relation_alias - ) - password = await get_application_relation_data( - ops_test, application_name, relation_name, "password", relation_id, relation_alias - ) + + if secret_uri := await get_application_relation_data( + ops_test, + application_name, + relation_name, + "secret-user", + relation_id, + relation_alias, + ): + secret_data = await get_juju_secret(ops_test, secret_uri) + username = secret_data["username"] + password = secret_data["password"] + else: + username = await get_application_relation_data( + ops_test, application_name, relation_name, "username", relation_id, relation_alias + ) + password = await get_application_relation_data( + ops_test, application_name, relation_name, "password", relation_id, relation_alias + ) + endpoints = await get_application_relation_data( ops_test, application_name, diff --git a/tests/integration/new_relations/test_new_relations.py b/tests/integration/new_relations/test_new_relations.py index 0684ba1d38..709a98277b 100644 --- a/tests/integration/new_relations/test_new_relations.py +++ b/tests/integration/new_relations/test_new_relations.py @@ -81,6 +81,26 @@ async def test_no_read_only_endpoint_in_standalone_cluster(ops_test: OpsTest): ) await ops_test.model.wait_for_idle(apps=APP_NAMES, status="active") + # Check that on juju 3 we have secrets and no username and password in the rel databag + if hasattr(ops_test.model, "list_secrets"): + logger.info("checking for secrets") + secret_uri, password = await asyncio.gather( + get_application_relation_data( + ops_test, + APPLICATION_APP_NAME, + FIRST_DATABASE_RELATION_NAME, + "secret-user", + ), + get_application_relation_data( + ops_test, + APPLICATION_APP_NAME, + FIRST_DATABASE_RELATION_NAME, + "password", + ), + ) + assert secret_uri is not None + assert password is None + # Try to get the connection string of the database using the read-only endpoint. # It should not be available. assert await check_relation_data_existence(