Merge branch '3.2' into merge-3.2-3.3-20230630

Conflicts: - cmd/juju/controller/destroy.go - cmd/juju/model/destroy.go - state/applicationoffers.go
SimonRichardson · Jun 30, 2023 · f720815 · f720815
2 parents 7bbc787 + cae48f9
commit f720815
Show file tree

Hide file tree

Showing 76 changed files with 1,586 additions and 705 deletions.
diff --git a/.github/workflows/license.yml b/.github/workflows/license.yml
@@ -0,0 +1,33 @@
+name: "Licenses"
+on:
+  push:
+  pull_request:
+    types: [opened, synchronize, reopened, ready_for_review]
+    paths:
+      - '**.go'
+      - 'go.mod'
+      - '.github/workflows/license.yml'
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  go-license-check:
+    name: "go.mod license check"
+    runs-on: ubuntu-latest
+    if: github.event.pull_request.draft == false
+    steps:
+    - name: Checkout
+      uses: actions/checkout@v3
+    - name: Set up Go
+      uses: actions/setup-go@v3
+      with:
+        go-version-file: 'go.mod'
+        cache: true
+    - name: Check Licenses
+      run: |
+        go install github.com/google/go-licenses@latest
+        # Before adding new licenses check with https://www.gnu.org/licenses/license-list.en.html#GPLCompatibleLicenses
+        # NOTE: GPL-2.0 is not included due to the possibility it can't be relicensed under a newer version.
+        go-licenses check github.com/juju/juju/... --allowed_licenses AGPL-3.0,LGPL-3.0,GPL-3.0,LGPL-2.1,Apache-2.0,BSD-3-Clause,BSD-2-Clause,MIT,Unlicense,ISC,MPL-2.0
diff --git a/.github/workflows/merge.yml b/.github/workflows/merge.yml
@@ -32,14 +32,18 @@ jobs:
 
       - name: Attempt to merge
         id: merge
+        env:
+          SOURCE_BRANCH: ${{ steps.branch.outputs.source }}
         run: |
           set -x
+          git fetch origin "$SOURCE_BRANCH"
+          git branch "$SOURCE_BRANCH" "origin/$SOURCE_BRANCH"
           # Need to set Git username/email to do the merge (yawn)
           git config user.name 'jujubot'
           git config user.email '[email protected]'
           
           set +e
-          git merge origin/${{ steps.branch.outputs.source }}
+          git merge "$SOURCE_BRANCH"
           case $? in
           0)
             echo "conflicts=false" >> "$GITHUB_OUTPUT"
@@ -52,29 +56,24 @@ jobs:
             ;;
           esac
 
+      - name: Generate notification message
+        if: steps.merge.outputs.conflicts == 'true'
+        id: message
+        env:
+          SOURCE_BRANCH: ${{ steps.branch.outputs.source }}
+          TARGET_BRANCH: ${{ steps.branch.outputs.target }}
+          EMAIL_TO_MM_USER: ${{ secrets.EMAIL_TO_MM_USER }}
+          IGNORE_EMAILS: ${{ secrets.MERGE_NOTIFY_IGNORE_EMAILS }}
+        run: |
+          MESSAGE=$(go run ./scripts/try-merge errmsg)
+          echo "message=$MESSAGE" >> "$GITHUB_OUTPUT"
+
       - name: Notify if merge has conflicts
         if: steps.merge.outputs.conflicts == 'true'
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           MM_TOKEN: ${{ secrets.MM_TOKEN }}
-          MM_USERS: ${{ secrets.MM_USERS }}
+          MESSAGE: ${{ steps.message.outputs.message }}
         run: |
-          set -ex
-          SOURCE_BRANCH=${{ steps.branch.outputs.source }}
-          TARGET_BRANCH=${{ steps.branch.outputs.target }}
-          
-          # Get PR info
-          PR_INFO=$(gh pr list --search="${{ github.sha }}" --state=merged --base="$SOURCE_BRANCH" --json='number,author')
-          PR_NUMBER=$(echo "$PR_INFO" | jq '.[].number')
-          
-          PR_AUTHOR=$(echo "$PR_INFO" | jq -r '.[].author.login')
-          MM_USER=$(echo "$MM_USERS" | jq -r ".\"$PR_AUTHOR\"")
-          if [[ $MM_USER == '' || $MM_USER == null ]]; then
-            MM_USER=$PR_AUTHOR
-          fi
-          
-          MESSAGE="@$MM_USER your PR [#$PR_NUMBER](https://github.com/juju/juju/pull/$PR_NUMBER) has created merge conflicts - please merge $SOURCE_BRANCH into $TARGET_BRANCH and resolve the conflicts. Thanks! :)"
-          
           # install mmctl
           curl https://github.com/mattermost/mmctl/releases/download/v7.8.5/linux_amd64.tar -Lo mmctl.tar
           tar -xvf mmctl.tar

diff --git a/.github/workflows/upgrade.yml b/.github/workflows/upgrade.yml
@@ -143,14 +143,16 @@ jobs:
           set -euxo pipefail
           
           # Shim in recognition for our CA to jujud-operator
-          cat >~/Dockerfile <<EOL
+          BUILD_TEMP=$(mktemp -d)
+          cp ~/certs/ca.crt $BUILD_TEMP/
+          cat >$BUILD_TEMP/Dockerfile <<EOL
             FROM jujusolutions/jujud-operator:${BASE_JUJU_TAG}
           
-            COPY certs/ca.crt /usr/local/share/ca-certificates/ca.crt
+            COPY ca.crt /usr/local/share/ca-certificates/ca.crt
           
             RUN update-ca-certificates
           EOL
-          docker build ~ -t ${DOCKER_REGISTRY}/test-repo/jujud-operator:${BASE_JUJU_TAG}
+          docker build $BUILD_TEMP -t ${DOCKER_REGISTRY}/test-repo/jujud-operator:${BASE_JUJU_TAG}
           docker push ${DOCKER_REGISTRY}/test-repo/jujud-operator:${BASE_JUJU_TAG}
           
           docker pull jujusolutions/juju-db:${JUJU_DB_TAG}
@@ -228,24 +230,28 @@ jobs:
           make operator-image
           
           # Shim in recognition for our CA to jujud-operator
-          cat >~/Dockerfile <<EOL
+          BUILD_TEMP=$(mktemp -d)
+          cp ~/certs/ca.crt $BUILD_TEMP/
+          cat >$BUILD_TEMP/Dockerfile <<EOL
             FROM jujusolutions/jujud-operator:${UPSTREAM_JUJU_TAG}
           
-            COPY certs/ca.crt /usr/local/share/ca-certificates/ca.crt
+            COPY ca.crt /usr/local/share/ca-certificates/ca.crt
           
             RUN update-ca-certificates
           EOL
-          docker build ~ -t ${DOCKER_REGISTRY}/test-repo/jujud-operator:${UPSTREAM_JUJU_TAG}
+          docker build $BUILD_TEMP -t ${DOCKER_REGISTRY}/test-repo/jujud-operator:${UPSTREAM_JUJU_TAG}
           docker push ${DOCKER_REGISTRY}/test-repo/jujud-operator:${UPSTREAM_JUJU_TAG}
           
-          cat >~/Dockerfile <<EOL
+          BUILD_TEMP=$(mktemp -d)
+          cp ~/certs/ca.crt $BUILD_TEMP/
+          cat >$BUILD_TEMP/Dockerfile <<EOL
             FROM jujusolutions/jujud-operator:${CURRENT_STABLE_JUJU_TAG}
           
-            COPY certs/ca.crt /usr/local/share/ca-certificates/ca.crt
+            COPY ca.crt /usr/local/share/ca-certificates/ca.crt
           
             RUN update-ca-certificates
           EOL
-          docker build ~ -t ${DOCKER_REGISTRY}/test-repo/jujud-operator:${CURRENT_STABLE_JUJU_TAG}
+          docker build $BUILD_TEMP -t ${DOCKER_REGISTRY}/test-repo/jujud-operator:${CURRENT_STABLE_JUJU_TAG}
           docker push ${DOCKER_REGISTRY}/test-repo/jujud-operator:${CURRENT_STABLE_JUJU_TAG}
 
       - name: Preflight

diff --git a/README.md b/README.md
@@ -1,4 +1,8 @@
-[![Juju logo](doc/juju-logo.png?raw=true)](https://juju.is/)
+<picture>
+  <source media="(prefers-color-scheme: dark)" srcset="doc/juju-logo-dark.png?raw=true">
+  <source media="(prefers-color-scheme: light)" srcset="doc/juju-logo.png?raw=true">
+  <img alt="Juju logo next to the text Canonical Juju" src="doc/juju-logo.png?raw=true" width="30%">
+</picture>
 
 [Juju is a model-driven **Operator Lifecycle Manager**
 (OLM)](https://juju.is/about). Juju greatly improves the experience of

diff --git a/allowed_signers b/allowed_signers
@@ -0,0 +1,9 @@
+[email protected] namespaces="git" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHmDv0NmGYCW2lZfKlwInnL5y6dsTtyKVRdPgSQx4VQN [email protected]
+[email protected] namespaces="git" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPKjQDDaO24INaGFnUdVebD1wYcDXmm/cLKH+27S2SnC wallyworld-git-signing-key
+[email protected] namespaces="git" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINP0LQkkiiHuMdVz4aF7ypsxNLQscgGd1UrmHrjyEd9F jack-w-shaw-git-signing-key
+[email protected] namespaces="git" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKdk2GDbpmHUP/FQVunGu6Bl9TD1Hh5Z8oYAD17CzPP6 joe-signing-key
+[email protected] namespaces="git" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHu5ROyG1P7OQnNE5uNw0JVjKzZdbqGg3cHqywTt/Ynb jameinel-git-signing-key
+[email protected] namespaces="git" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHu5ROyG1P7OQnNE5uNw0JVjKzZdbqGg3cHqywTt/Ynb jameinel-git-signing-key
+[email protected] namespaces="git" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPqO5HpXaSh6MJ9FVt8nyoxhWN+AqlFxIXE68JGrRysb [email protected]
+[email protected] namespaces="git" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDwmnwQng7gaXz47aRDnNTo7i2iTKq7BMnl+UwuXA/Mubrvtrc/XrcixNNm7iS7khVValIc1bIf1m7oTBp72rFWyuZ5FLDgVsjYn8nFfv3g9HlGlGOyN76xX6gOyGfcGCWWKvUPpuX3DjKDm2z8a95lbYZVjXL7ViqVTXnu2G6c7PnbHTTL+n0IO+5hzdXyq7UxAc+T+sfIdCTC7ru8mY+31CP6ovbEMBf37Qowjp9SIUxqj4nMeRjKUFB0XnkFLBuFWqZq1kIcSTSNMWjEK6b6W/dRWfQ6gsQ4Ybe/8HEKoB9IuOy9HcdZT9H97LCSkQHUgma/kB89NO/YV59STksD [email protected]
+[email protected] namespaces="git" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMA/Wg23FBdk2ui9BQPcjzqlN5OjHZgXJ3471LssH4ko anvial-git-signing-key
diff --git a/api/client/application/client.go b/api/client/application/client.go
@@ -780,7 +780,6 @@ func (c *Client) Consume(arg crossmodel.ConsumeApplicationArgs) (string, error)
 			ApplicationOfferDetails: arg.Offer,
 			ApplicationAlias:        arg.ApplicationAlias,
 			Macaroon:                arg.Macaroon,
-			AuthToken:               arg.AuthToken,
 		}},
 	}
 	if arg.ControllerInfo != nil {

diff --git a/api/client/application/client_test.go b/api/client/application/client_test.go
@@ -541,7 +541,6 @@ func (s *applicationSuite) TestConsume(c *gc.C) {
 				ApplicationAlias:        "alias",
 				ApplicationOfferDetails: offer,
 				Macaroon:                mac,
-				AuthToken:               "auth-token",
 				ControllerInfo:          controllerInfo,
 			},
 		},
@@ -554,7 +553,6 @@ func (s *applicationSuite) TestConsume(c *gc.C) {
 		Offer:            offer,
 		ApplicationAlias: "alias",
 		Macaroon:         mac,
-		AuthToken:        "auth-token",
 		ControllerInfo: &crossmodel.ControllerInfo{
 			ControllerTag: coretesting.ControllerTag,
 			Alias:         "controller-alias",

diff --git a/api/client/applicationoffers/client.go b/api/client/applicationoffers/client.go
@@ -289,7 +289,6 @@ func (c *Client) GetConsumeDetails(urlStr string) (params.ConsumeOfferDetails, e
 	return params.ConsumeOfferDetails{
 		Offer:          theOne.Offer,
 		Macaroon:       theOne.Macaroon,
-		AuthToken:      theOne.AuthToken,
 		ControllerInfo: theOne.ControllerInfo,
 	}, nil
 }

diff --git a/api/client/applicationoffers/client_test.go b/api/client/applicationoffers/client_test.go
@@ -496,7 +496,6 @@ func (s *crossmodelMockSuite) TestGetConsumeDetails(c *gc.C) {
 				ConsumeOfferDetails: params.ConsumeOfferDetails{
 					Offer:          &offer,
 					Macaroon:       mac,
-					AuthToken:      "auth-token",
 					ControllerInfo: controllerInfo,
 				},
 			},
@@ -511,7 +510,6 @@ func (s *crossmodelMockSuite) TestGetConsumeDetails(c *gc.C) {
 	c.Assert(details, jc.DeepEquals, params.ConsumeOfferDetails{
 		Offer:          &offer,
 		Macaroon:       mac,
-		AuthToken:      "auth-token",
 		ControllerInfo: controllerInfo,
 	})
 }

diff --git a/api/client/modelmanager/modelmanager.go b/api/client/modelmanager/modelmanager.go
@@ -361,13 +361,13 @@ func (c *Client) DumpModelDB(model names.ModelTag) (map[string]interface{}, erro
 // DestroyModel puts the specified model into a "dying" state, which will
 // cause the model's resources to be cleaned up, after which the model will
 // be removed.
-func (c *Client) DestroyModel(tag names.ModelTag, destroyStorage, force *bool, maxWait *time.Duration, timeout time.Duration) error {
+func (c *Client) DestroyModel(tag names.ModelTag, destroyStorage, force *bool, maxWait *time.Duration, timeout *time.Duration) error {
 	arg := params.DestroyModelParams{
 		ModelTag:       tag.String(),
 		DestroyStorage: destroyStorage,
 		Force:          force,
 		MaxWait:        maxWait,
-		Timeout:        &timeout,
+		Timeout:        timeout,
 	}
 	args := params.DestroyModelsParams{Models: []params.DestroyModelParams{arg}}
 	var results params.ErrorResults

diff --git a/api/client/modelmanager/modelmanager_test.go b/api/client/modelmanager/modelmanager_test.go
@@ -186,7 +186,7 @@ func (s *modelmanagerSuite) testDestroyModel(c *gc.C, destroyStorage, force *boo
 	mockFacadeCaller.EXPECT().FacadeCall("DestroyModels", args, result).SetArg(2, ress).Return(nil)
 	client := modelmanager.NewClientFromCaller(mockFacadeCaller)
 
-	err := client.DestroyModel(coretesting.ModelTag, destroyStorage, force, maxWait, timeout)
+	err := client.DestroyModel(coretesting.ModelTag, destroyStorage, force, maxWait, &timeout)
 	c.Assert(err, jc.ErrorIsNil)
 }
 

diff --git a/api/controller/undertaker/undertaker.go b/api/controller/undertaker/undertaker.go
@@ -8,6 +8,8 @@ import (
 	"github.com/juju/names/v4"
 
 	"github.com/juju/juju/api/base"
+	"github.com/juju/juju/api/common"
+	"github.com/juju/juju/api/common/cloudspec"
 	"github.com/juju/juju/core/status"
 	"github.com/juju/juju/core/watcher"
 	"github.com/juju/juju/rpc/params"
@@ -18,6 +20,8 @@ type NewWatcherFunc func(base.APICaller, params.NotifyWatchResult) watcher.Notif
 
 // Client provides access to the undertaker API
 type Client struct {
+	*cloudspec.CloudSpecAPI
+	*common.ModelWatcher
 	modelTag   names.ModelTag
 	caller     base.FacadeCaller
 	newWatcher NewWatcherFunc
@@ -29,10 +33,13 @@ func NewClient(caller base.APICaller, newWatcher NewWatcherFunc) (*Client, error
 	if !ok {
 		return nil, errors.New("undertaker client is not appropriate for controller-only API")
 	}
+	facadeCaller := base.NewFacadeCaller(caller, "Undertaker")
 	return &Client{
-		modelTag:   modelTag,
-		caller:     base.NewFacadeCaller(caller, "Undertaker"),
-		newWatcher: newWatcher,
+		modelTag:     modelTag,
+		caller:       facadeCaller,
+		newWatcher:   newWatcher,
+		CloudSpecAPI: cloudspec.NewCloudSpecAPI(facadeCaller, modelTag),
+		ModelWatcher: common.NewModelWatcher(facadeCaller),
 	}, nil
 }
 
@@ -89,7 +96,24 @@ func (c *Client) WatchModelResources() (watcher.NotifyWatcher, error) {
 	if err != nil {
 		return nil, err
 	}
+	if len(results.Results) != 1 {
+		return nil, errors.Errorf("expected 1 result, got %d", len(results.Results))
+	}
+	result := results.Results[0]
+	if result.Error != nil {
+		return nil, result.Error
+	}
+	w := c.newWatcher(c.caller.RawAPICaller(), result)
+	return w, nil
+}
 
+// WatchModel starts a watcher for changes to the model.
+func (c *Client) WatchModel() (watcher.NotifyWatcher, error) {
+	var results params.NotifyWatchResults
+	err := c.entityFacadeCall("WatchModel", &results)
+	if err != nil {
+		return nil, err
+	}
 	if len(results.Results) != 1 {
 		return nil, errors.Errorf("expected 1 result, got %d", len(results.Results))
 	}

diff --git a/apiserver/apiserver.go b/apiserver/apiserver.go
@@ -408,7 +408,7 @@ func newServer(cfg ServerConfig) (_ *Server, err error) {
 	srv.shared.cancel = srv.tomb.Dying()
 
 	// The auth context for authenticating access to application offers.
-	srv.offerAuthCtxt, err = newOfferAuthContext(cfg.StatePool, srv.jwtAuthenticator)
+	srv.offerAuthCtxt, err = newOfferAuthcontext(cfg.StatePool)
 	if err != nil {
 		unsubscribeControllerConfig()
 		return nil, errors.Trace(err)

diff --git a/apiserver/common/crossmodel/auth.go b/apiserver/common/crossmodel/auth.go
@@ -12,12 +12,10 @@ import (
 	"github.com/juju/clock"
 	"github.com/juju/errors"
 	"github.com/juju/names/v4"
-	"github.com/lestrrat-go/jwx/v2/jwt"
 	"gopkg.in/macaroon.v2"
 	"gopkg.in/yaml.v2"
 
 	"github.com/juju/juju/apiserver/authentication"
-	authjwt "github.com/juju/juju/apiserver/authentication/jwt"
 	"github.com/juju/juju/apiserver/common"
 	apiservererrors "github.com/juju/juju/apiserver/errors"
 	coremacaroon "github.com/juju/juju/core/macaroon"
@@ -62,14 +60,10 @@ func (CrossModelAuthorizer) AuthorizeOps(ctx context.Context, authorizedOp baker
 	return allowed, nil, nil
 }
 
-type tokenPermissionFunc func(token jwt.Token, subject names.Tag) (permission.Access, error)
-
 // AuthContext is used to validate macaroons used to access
 // application offers.
 type AuthContext struct {
-	systemState     Backend
-	tokenPermission tokenPermissionFunc
-	tokenParser     authjwt.TokenParser
+	systemState Backend
 
 	clock              clock.Clock
 	offerThirdPartyKey *bakery.KeyPair
@@ -84,16 +78,12 @@ func NewAuthContext(
 	systemState Backend,
 	offerThirdPartyKey *bakery.KeyPair,
 	offerBakery authentication.ExpirableStorageBakery,
-	tokenParser authjwt.TokenParser,
-	tokenPermission tokenPermissionFunc,
 ) (*AuthContext, error) {
 	ctxt := &AuthContext{
 		systemState:        systemState,
 		clock:              clock.WallClock,
 		offerBakery:        offerBakery,
 		offerThirdPartyKey: offerThirdPartyKey,
-		tokenParser:        tokenParser,
-		tokenPermission:    tokenPermission,
 	}
 	return ctxt, nil
 }
@@ -440,20 +430,3 @@ func (a *authenticator) CheckRelationMacaroons(ctx context.Context, sourceModelU
 	_, err := a.checkMacaroons(ctx, mac, version, requiredValues, crossModelRelateOp(relationTag.Id()))
 	return err
 }
-
-// TODO - this will be removed soon
-// CheckOfferToken verifies that session auth token allows access to the offer.
-func (a *authenticator) CheckOfferToken(ctx context.Context, authToken string) (string, error) {
-	tok, entity, err := a.ctxt.tokenParser.Parse(ctx, authToken)
-	if err != nil {
-		return "", errors.Trace(err)
-	}
-	userAccess := func(user names.UserTag, target names.Tag) (permission.Access, error) {
-		if entity.Tag() != user {
-			return permission.NoAccess, nil
-		}
-		return a.ctxt.tokenPermission(tok, target)
-	}
-	username := entity.Tag().Id()
-	return username, a.ctxt.checkOfferAccess(userAccess, username, "")
-}