Merge pull request juju#15250 from wallyworld/cmr-secret-data

jujubot · web-flow · commit 2d5e195327d3 · 2023-03-03T07:29:09.000+01:00
juju#15250 For a cross model secret, the offering model needs to manage secret consumer info from the consuming model so that it can fire the `secret-removed` hook and remove references to the consumer when the app/units are deleted. Also a driveby bug fix to record the correct consumed revision for peek/refresh. ## Checklist - [X] Code style: imports ordered, good names, simple structure, etc - [X] Comments saying why design decisions were made - [X] Go unit tests, with comments saying what you're testing - ~[ ] [Integration tests](https://github.com/juju/juju/tree/develop/tests), with comments saying what you're testing~ - ~[ ] [doc.go](https://discourse.charmhub.io/t/readme-in-packages/451) added or updated in changed packages~ ## QA steps bootstrap 2 controllers, deploy juju-qa-dummy-source and offer it; in the other controller, deploy juju-qa-dummy-sink and create a cross model relation. ``` $ juju switch c1 $ juju exec --unit dummy-source/0 "secret-add foo=bar" secret://bdc94272-1c0f-49e2-84f6-e3df50772020/cg020rhkf17hs5nd9us0 $ juju exec --unit dummy-source/0 "secret-grant -r 0 secret://bdc94272-1c0f-49e2-84f6-e3df50772020/cg020rhkf17hs5nd9us0" $ juju switch c2 c1:admin/o -> c2:admin/c $ juju exec --unit dummy-sink/0 "secret-get secret://bdc94272-1c0f-49e2-84f6-e3df50772020/cg020rhkf17hs5nd9us0" foo: bar $ juju switch c1 c2:admin/c -> c1:admin/o $ juju exec --unit dummy-source/0 "secret-set secret://bdc94272-1c0f-49e2-84f6-e3df50772020/cg020rhkf17hs5nd9us0 foo=bar2" $ juju switch c2 c1:admin/o -> c2:admin/c $ juju exec --unit dummy-sink/0 "secret-get secret://bdc94272-1c0f-49e2-84f6-e3df50772020/cg020rhkf17hs5nd9us0" foo: bar $ juju exec --unit dummy-sink/0 "secret-get secret://bdc94272-1c0f-49e2-84f6-e3df50772020/cg020rhkf17hs5nd9us0 --peek" foo: bar2 $ juju exec --unit dummy-sink/0 "secret-get secret://bdc94272-1c0f-49e2-84f6-e3df50772020/cg020rhkf17hs5nd9us0" foo: bar $ juju exec --unit dummy-sink/0 "secret-get secret://bdc94272-1c0f-49e2-84f6-e3df50772020/cg020rhkf17hs5nd9us0 --label baz" foo: bar $ juju exec --unit dummy-sink/0 "secret-get --label baz" foo: bar $ juju switch c1 c2:admin/c -> c1:admin/o $ juju show-status-log dummy-source/0 ... 02 Mar 2023 14:08:17+10:00 juju-unit executing running secret-remove hook for secret:cg020rhkf17hs5nd9us0/1 ... $ juju switch c2 c1:admin/o -> c2:admin/c $ juju exec --unit dummy-sink/0 "secret-get --label baz --refresh" foo: bar2 $ juju exec --unit dummy-sink/0 "secret-get --label baz" foo: bar2 $ juju add-unit dummy-sink $ juju exec --unit dummy-sink/1 "secret-get secret://bdc94272-1c0f-49e2-84f6-e3df50772020/cg020rhkf17hs5nd9us0" foo: bar2 $ juju remove-unit dummy-sink/0 WARNING This command will perform the following actions: will remove unit dummy-sink/0 Continue [y/N]? y ``` In a mongo shell, ensure the secret permission record for the remote proxy of dummy-source/0 is deleted.
diff --git a/apiserver/common/crossmodel/crossmodel.go b/apiserver/common/crossmodel/crossmodel.go
@@ -104,7 +104,7 @@ func PublishRelationChange(backend Backend, relationTag names.Tag, change params
 		}
 	}
 
-	if err := handleDepartedUnits(change, applicationTag, rel); err != nil {
+	if err := handleDepartedUnits(backend, change, applicationTag, rel); err != nil {
 		return errors.Trace(err)
 	}
 
@@ -143,7 +143,7 @@ func handleSuspendedRelation(change params.RemoteRelationChangeEvent, rel Relati
 	return nil
 }
 
-func handleDepartedUnits(change params.RemoteRelationChangeEvent, applicationTag names.Tag, rel Relation) error {
+func handleDepartedUnits(backend Backend, change params.RemoteRelationChangeEvent, applicationTag names.Tag, rel Relation) error {
 	for _, id := range change.DepartedUnits {
 		unitTag := names.NewUnitTag(fmt.Sprintf("%s/%v", applicationTag.Id(), id))
 		logger.Debugf("unit %v has departed relation %v", unitTag.Id(), rel.Tag().Id())
@@ -155,6 +155,9 @@ func handleDepartedUnits(change params.RemoteRelationChangeEvent, applicationTag
 		if err := ru.LeaveScope(); err != nil {
 			return errors.Trace(err)
 		}
+		if err := backend.RemoveSecretConsumer(unitTag); err != nil {
+			return errors.Trace(err)
+		}
 	}
 	return nil
 }
diff --git a/apiserver/common/crossmodel/interface.go b/apiserver/common/crossmodel/interface.go
@@ -99,6 +99,9 @@ type Backend interface {
 
 	// ApplyOperation applies a model operation to the state.
 	ApplyOperation(op state.ModelOperation) error
+
+	// RemoveSecretConsumer removes secret references for the specified consumer.
+	RemoveSecretConsumer(consumer names.Tag) error
 }
 
 // Relation provides access a relation in global state.
diff --git a/apiserver/facades/agent/secretsmanager/secrets.go b/apiserver/facades/agent/secretsmanager/secrets.go
@@ -481,9 +481,12 @@ func (s *SecretsManagerAPI) getRemoteSecretContent(uri *coresecrets.URI, refresh
 	var wantRevision int
 	if err == nil {
 		wantRevision = consumerInfo.CurrentRevision
+	} else {
+		// Not found so need to create a new record and populate
+		// with latest revision.
+		refresh = true
+		consumerInfo = &coresecrets.SecretConsumerMetadata{}
 	}
-	refresh = refresh ||
-		err != nil // Not found, so need to create one.
 
 	scopeToken, err := extClient.GetSecretAccessScope(uri, token, unitId)
 	if err != nil {
@@ -508,11 +511,10 @@ func (s *SecretsManagerAPI) getRemoteSecretContent(uri *coresecrets.URI, refresh
 		return nil, nil, false, errors.Trace(err)
 	}
 	if refresh || updateLabel {
-		if consumerInfo == nil {
-			consumerInfo = &coresecrets.SecretConsumerMetadata{}
+		if refresh {
+			consumerInfo.LatestRevision = latestRevision
+			consumerInfo.CurrentRevision = latestRevision
 		}
-		consumerInfo.LatestRevision = latestRevision
-		consumerInfo.CurrentRevision = latestRevision
 		if label != "" {
 			consumerInfo.Label = label
 		}
diff --git a/apiserver/facades/agent/secretsmanager/secrets_test.go b/apiserver/facades/agent/secretsmanager/secrets_test.go
@@ -1028,8 +1028,7 @@ func (s *SecretsManagerSuite) TestGetSecretContentCrossModelExistingConsumerNoRe
 
 	s.secretsConsumer.EXPECT().SaveSecretConsumer(uri, consumer, &coresecrets.SecretConsumerMetadata{
 		Label:           "foo",
-		LatestRevision:  666,
-		CurrentRevision: 666,
+		CurrentRevision: 665,
 	})
 
 	results, err := s.facade.GetSecretContentInfo(params.GetSecretContentArgs{
diff --git a/apiserver/facades/controller/crossmodelrelations/mock_test.go b/apiserver/facades/controller/crossmodelrelations/mock_test.go
@@ -103,6 +103,10 @@ func (st *mockState) ApplyOperation(state.ModelOperation) error {
 	return nil
 }
 
+func (st *mockState) RemoveSecretConsumer(consumer names.Tag) error {
+	return nil
+}
+
 func (st *mockState) AddRelation(eps ...state.Endpoint) (commoncrossmodel.Relation, error) {
 	rel := &mockRelation{
 		id:  len(st.relations),
diff --git a/apiserver/facades/controller/crossmodelsecrets/crossmodelsecrets.go b/apiserver/facades/controller/crossmodelsecrets/crossmodelsecrets.go
@@ -204,26 +204,52 @@ func (s *CrossModelSecretsAPI) getSecretContent(arg params.GetRemoteSecretConten
 		return nil, nil, 0, apiservererrors.ErrPerm
 	}
 
-	md, err := secretState.GetSecret(uri)
-	if err != nil {
-		return nil, nil, 0, errors.Trace(err)
-	}
-
-	var wantRevision int
+	var (
+		wantRevision   int
+		latestRevision int
+	)
 	// Use the latest revision as the current one if --peek.
 	if arg.Peek || arg.Refresh {
-		wantRevision = md.LatestRevision
+		var err error
+		latestRevision, err = s.getConsumedRevision(secretState, secretsConsumer, consumer, uri, arg.Refresh)
+		if err != nil {
+			return nil, nil, 0, errors.Trace(err)
+		}
+		wantRevision = latestRevision
 	} else {
 		wantRevision = *arg.Revision
 	}
 
 	val, valueRef, err := secretState.GetSecretValue(uri, wantRevision)
 	content := &secrets.ContentParams{SecretValue: val, ValueRef: valueRef}
 	if err != nil || content.ValueRef == nil {
-		return content, nil, md.LatestRevision, errors.Trace(err)
+		return content, nil, latestRevision, errors.Trace(err)
 	}
 	backend, err := s.getBackend(uri.SourceUUID, content.ValueRef.BackendID)
-	return content, backend, md.LatestRevision, errors.Trace(err)
+	return content, backend, latestRevision, errors.Trace(err)
+}
+
+func (s *CrossModelSecretsAPI) getConsumedRevision(secretsState SecretsState, secretsConsumer SecretsConsumer, consumer names.Tag, uri *coresecrets.URI, refresh bool) (int, error) {
+	consumerInfo, err := secretsConsumer.GetSecretConsumer(uri, consumer)
+	if err != nil && !errors.Is(err, errors.NotFound) {
+		return 0, errors.Trace(err)
+	}
+	if err != nil {
+		consumerInfo = &coresecrets.SecretConsumerMetadata{}
+		refresh = true
+	}
+
+	md, err := secretsState.GetSecret(uri)
+	if err != nil {
+		return 0, errors.Trace(err)
+	}
+	consumerInfo.CurrentRevision = md.LatestRevision
+	if refresh {
+		if err := secretsConsumer.SaveSecretConsumer(uri, consumer, consumerInfo); err != nil {
+			return 0, errors.Trace(err)
+		}
+	}
+	return md.LatestRevision, nil
 }
 
 func (s *CrossModelSecretsAPI) getBackend(modelUUID string, backendID string) (*params.SecretBackendConfigResult, error) {
diff --git a/apiserver/facades/controller/crossmodelsecrets/crossmodelsecrets_test.go b/apiserver/facades/controller/crossmodelsecrets/crossmodelsecrets_test.go
@@ -139,6 +139,14 @@ func ptr[T any](v T) *T {
 }
 
 func (s *CrossModelSecretsSuite) TestGetSecretContentInfo(c *gc.C) {
+	s.assertGetSecretContentInfo(c, false)
+}
+
+func (s *CrossModelSecretsSuite) TestGetSecretContentInfoNewConsumer(c *gc.C) {
+	s.assertGetSecretContentInfo(c, true)
+}
+
+func (s *CrossModelSecretsSuite) assertGetSecretContentInfo(c *gc.C, newConsumer bool) {
 	defer s.setup(c).Finish()
 
 	uri := coresecrets.NewURI().WithSource(coretesting.ModelTag.Id())
@@ -159,9 +167,18 @@ func (s *CrossModelSecretsSuite) TestGetSecretContentInfo(c *gc.C) {
 	s.crossModelState.EXPECT().GetConsumerInfo("token3").Return(app3, offerUUID, nil)
 	s.stateBackend.EXPECT().HasEndpoint(relation.Id(), "remote-app3").Return(false, nil)
 
+	consumerTag := names.NewUnitTag("remote-app/666")
+	if newConsumer {
+		s.secretsConsumer.EXPECT().GetSecretConsumer(uri, consumerTag).Return(nil, errors.NotFoundf(""))
+	} else {
+		s.secretsConsumer.EXPECT().GetSecretConsumer(uri, consumerTag).Return(&coresecrets.SecretConsumerMetadata{CurrentRevision: 69}, nil)
+	}
 	s.secretsState.EXPECT().GetSecret(uri).Return(&coresecrets.SecretMetadata{
 		LatestRevision: 667,
 	}, nil)
+	s.secretsConsumer.EXPECT().SaveSecretConsumer(uri, consumerTag, &coresecrets.SecretConsumerMetadata{
+		CurrentRevision: 667,
+	}).Return(nil)
 	s.secretsConsumer.EXPECT().SecretAccess(uri, consumer).Return(coresecrets.RoleView, nil)
 	s.secretsState.EXPECT().GetSecretValue(uri, 667).Return(
 		nil,
diff --git a/apiserver/facades/controller/crossmodelsecrets/mocks/secretsconsumer.go b/apiserver/facades/controller/crossmodelsecrets/mocks/secretsconsumer.go
diff --git a/apiserver/facades/controller/crossmodelsecrets/state.go b/apiserver/facades/controller/crossmodelsecrets/state.go
@@ -19,6 +19,8 @@ type SecretsState interface {
 }
 
 type SecretsConsumer interface {
+	GetSecretConsumer(*secrets.URI, names.Tag) (*secrets.SecretConsumerMetadata, error)
+	SaveSecretConsumer(*secrets.URI, names.Tag, *secrets.SecretConsumerMetadata) error
 	SecretAccess(uri *secrets.URI, subject names.Tag) (secrets.SecretRole, error)
 	SecretAccessScope(uri *secrets.URI, subject names.Tag) (names.Tag, error)
 }
diff --git a/apiserver/facades/controller/remoterelations/mocks/remoterelations_mocks.go b/apiserver/facades/controller/remoterelations/mocks/remoterelations_mocks.go
diff --git a/state/application.go b/state/application.go
@@ -391,7 +391,7 @@ func (op *DestroyApplicationOperation) deleteSecrets() error {
 		return errors.Annotatef(err, "deleting owned secrets for %q", op.app.Name())
 	}
 	// TODO(juju4) - remove
-	if err := op.app.st.removeSecretConsumer(op.app.Tag()); err != nil {
+	if err := op.app.st.RemoveSecretConsumer(op.app.Tag()); err != nil {
 		return errors.Annotatef(err, "deleting secret consumer records for %q", op.app.Name())
 	}
 	return nil
diff --git a/state/remoteapplication.go b/state/remoteapplication.go
@@ -331,6 +331,9 @@ func (op *DestroyRemoteApplicationOperation) Done(err error) error {
 		}
 		op.AddError(errors.Errorf("force erase saas application %q history proceeded despite encountering ERROR %v", op.app, err))
 	}
+	if err := op.deleteSecretReferences(); err != nil {
+		logger.Errorf("cannot delete secret references for saas application %q: %v", op.app, err)
+	}
 	return nil
 }
 
@@ -345,6 +348,13 @@ func (op *DestroyRemoteApplicationOperation) eraseHistory() error {
 	return nil
 }
 
+func (op *DestroyRemoteApplicationOperation) deleteSecretReferences() error {
+	if err := op.app.st.removeRemoteSecretConsumer(op.app.Name()); err != nil {
+		return errors.Annotatef(err, "deleting secret consumer records for %q", op.app.Name())
+	}
+	return nil
+}
+
 // DestroyWithForce in addition to doing what Destroy() does,
 // when force is passed in as 'true', forces th destruction of remote application,
 // ignoring errors.
@@ -500,6 +510,12 @@ func (s *RemoteApplication) removeOps(asserts bson.D) ([]txn.Op, error) {
 	tokenOps := r.removeRemoteEntityOps(s.Tag())
 	ops = append(ops, tokenOps...)
 
+	secretConsumerPermissionsOps, err := s.st.removeConsumerSecretPermissionOps(s.Tag())
+	if err != nil {
+		return nil, errors.Annotatef(err, "deleting secret consumer records for %q", s.Name())
+	}
+	ops = append(ops, secretConsumerPermissionsOps...)
+
 	// If this is the last consumed app off an external controller,
 	// also remove the external controller record.
 	if s.doc.SourceControllerUUID != "" {
diff --git a/state/remoteapplication_test.go b/state/remoteapplication_test.go
diff --git a/state/secrets.go b/state/secrets.go
diff --git a/state/unit.go b/state/unit.go

Original file line number	Diff line number	Diff line change
`@@ -104,7 +104,7 @@ func PublishRelationChange(backend Backend, relationTag names.Tag, change params`
`104`	`104`	`}`
`105`	`105`	`}`
`106`	`106`
`107`		`- if err := handleDepartedUnits(change, applicationTag, rel); err != nil {`
	`107`	`+ if err := handleDepartedUnits(backend, change, applicationTag, rel); err != nil {`
`108`	`108`	`return errors.Trace(err)`
`109`	`109`	`}`
`110`	`110`
`@@ -143,7 +143,7 @@ func handleSuspendedRelation(change params.RemoteRelationChangeEvent, rel Relati`
`143`	`143`	`return nil`
`144`	`144`	`}`
`145`	`145`
`146`		`-func handleDepartedUnits(change params.RemoteRelationChangeEvent, applicationTag names.Tag, rel Relation) error {`
	`146`	`+func handleDepartedUnits(backend Backend, change params.RemoteRelationChangeEvent, applicationTag names.Tag, rel Relation) error {`
`147`	`147`	`for _, id := range change.DepartedUnits {`
`148`	`148`	`unitTag := names.NewUnitTag(fmt.Sprintf("%s/%v", applicationTag.Id(), id))`
`149`	`149`	`logger.Debugf("unit %v has departed relation %v", unitTag.Id(), rel.Tag().Id())`
`@@ -155,6 +155,9 @@ func handleDepartedUnits(change params.RemoteRelationChangeEvent, applicationTag`
`155`	`155`	`if err := ru.LeaveScope(); err != nil {`
`156`	`156`	`return errors.Trace(err)`
`157`	`157`	`}`
	`158`	`+ if err := backend.RemoveSecretConsumer(unitTag); err != nil {`
	`159`	`+ return errors.Trace(err)`
	`160`	`+ }`
`158`	`161`	`}`
`159`	`162`	`return nil`
`160`	`163`	`}`
Original file line number	Diff line number	Diff line change
`@@ -99,6 +99,9 @@ type Backend interface {`
`99`	`99`
`100`	`100`	`// ApplyOperation applies a model operation to the state.`
`101`	`101`	`ApplyOperation(op state.ModelOperation) error`
	`102`	`+`
	`103`	`+ // RemoveSecretConsumer removes secret references for the specified consumer.`
	`104`	`+ RemoveSecretConsumer(consumer names.Tag) error`
`102`	`105`	`}`
`103`	`106`
`104`	`107`	`// Relation provides access a relation in global state.`
Original file line number	Diff line number	Diff line change
`@@ -19,6 +19,8 @@ type SecretsState interface {`
`19`	`19`	`}`
`20`	`20`
`21`	`21`	`type SecretsConsumer interface {`
	`22`	`+ GetSecretConsumer(secrets.URI, names.Tag) (secrets.SecretConsumerMetadata, error)`
	`23`	`+ SaveSecretConsumer(secrets.URI, names.Tag, secrets.SecretConsumerMetadata) error`
`22`	`24`	`SecretAccess(uri *secrets.URI, subject names.Tag) (secrets.SecretRole, error)`
`23`	`25`	`SecretAccessScope(uri *secrets.URI, subject names.Tag) (names.Tag, error)`
`24`	`26`	`}`
Original file line number	Diff line number	Diff line change
`@@ -391,7 +391,7 @@ func (op *DestroyApplicationOperation) deleteSecrets() error {`
`391`	`391`	`return errors.Annotatef(err, "deleting owned secrets for %q", op.app.Name())`
`392`	`392`	`}`
`393`	`393`	`// TODO(juju4) - remove`
`394`		`- if err := op.app.st.removeSecretConsumer(op.app.Tag()); err != nil {`
	`394`	`+ if err := op.app.st.RemoveSecretConsumer(op.app.Tag()); err != nil {`
`395`	`395`	`return errors.Annotatef(err, "deleting secret consumer records for %q", op.app.Name())`
`396`	`396`	`}`
`397`	`397`	`return nil`