
#######################################
# Exercise charm-owned secrets between two integrated applications
# (easyrsa as owner, etcd as consumer): create, label, read, grant over a
# relation, revoke, and remove.
# Globals:   secret_owned_by_easyrsa_0, secret_owned_by_easyrsa_0_id,
#            secret_owned_by_easyrsa, secret_owned_by_easyrsa_id,
#            relation_id (all written)
# Arguments: none
# Outputs:   progress lines on stdout; check_contains reports mismatches
# Returns:   non-zero via check_contains when an assertion fails
#######################################
check_secrets() {
	juju --show-log deploy easyrsa
	juju --show-log deploy etcd
	juju --show-log integrate etcd easyrsa

	wait_for "active" '.applications["easyrsa"] | ."application-status".current'
	wait_for "active" '.applications["etcd"] | ."application-status".current' 900
	wait_for "easyrsa" "$(idle_condition "easyrsa" 0 0)"
	wait_for "etcd" "$(idle_condition "etcd" 1 0)"
	wait_for "active" "$(workload_status "etcd" 0).current"

	echo "Apps deployed, creating secrets"
	# One secret owned by the unit easyrsa/0, one owned by the easyrsa
	# application; the payload is a single dummy key so checks can match on it.
	secret_owned_by_easyrsa_0=$(juju exec --unit easyrsa/0 -- secret-add --owner unit owned-by=easyrsa/0)
	# NOTE(review): the id is taken as everything after the last '/', whereas
	# run_user_secrets below strips up to the last ':' — confirm both match the
	# URI form that secret-add prints.
	secret_owned_by_easyrsa_0_id=${secret_owned_by_easyrsa_0##*/}
	secret_owned_by_easyrsa=$(juju exec --unit easyrsa/0 -- secret-add owned-by=easyrsa-app)
	secret_owned_by_easyrsa_id=${secret_owned_by_easyrsa##*/}

	echo "Checking secret ids"
	check_contains "$(juju exec --unit easyrsa/0 -- secret-ids)" "$secret_owned_by_easyrsa_id"
	check_contains "$(juju exec --unit easyrsa/0 -- secret-ids)" "$secret_owned_by_easyrsa_0_id"

	echo "Set a label for the unit owned secret $secret_owned_by_easyrsa_0."
	juju exec --unit easyrsa/0 -- secret-set "$secret_owned_by_easyrsa_0" --label=easyrsa_0
	echo "Set a consumer label for the app owned secret $secret_owned_by_easyrsa."
	juju exec --unit easyrsa/0 -- secret-get "$secret_owned_by_easyrsa" --label=easyrsa-app

	echo "Checking: secret-get by URI - content"
	check_contains "$(juju exec --unit easyrsa/0 -- secret-get "$secret_owned_by_easyrsa_0")" 'owned-by: easyrsa/0'
	check_contains "$(juju exec --unit easyrsa/0 -- secret-get "$secret_owned_by_easyrsa")" 'owned-by: easyrsa-app'

	echo "Checking: secret-get by URI - metadata"
	# secret-info-get JSON is keyed by the bare secret id, hence the jq path.
	check_contains "$(juju exec --unit easyrsa/0 -- secret-info-get "$secret_owned_by_easyrsa_0" --format json | jq ".${secret_owned_by_easyrsa_0_id}.owner")" 'unit'
	check_contains "$(juju exec --unit easyrsa/0 -- secret-info-get "$secret_owned_by_easyrsa" --format json | jq ".${secret_owned_by_easyrsa_id}.owner")" 'application'

	echo "Checking: secret-get by label or consumer label - content"
	check_contains "$(juju exec --unit easyrsa/0 -- secret-get --label=easyrsa_0)" 'owned-by: easyrsa/0'
	check_contains "$(juju exec --unit easyrsa/0 -- secret-get --label=easyrsa-app)" 'owned-by: easyrsa-app'

	echo "Checking: secret-get by label - metadata"
	check_contains "$(juju exec --unit easyrsa/0 -- secret-info-get --label=easyrsa_0 --format json | jq ".${secret_owned_by_easyrsa_0_id}.label")" 'easyrsa_0'

	# Grant both secrets to the other side of the relation. Index 0 assumes the
	# etcd<->easyrsa integration is the only relation easyrsa/0 has — holds for
	# the deployment above, but would break if more integrations were added.
	relation_id=$(juju --show-log show-unit easyrsa/0 --format json | jq '."easyrsa/0"."relation-info"[0]."relation-id"')
	juju exec --unit easyrsa/0 -- secret-grant "$secret_owned_by_easyrsa_0" -r "$relation_id"
	juju exec --unit easyrsa/0 -- secret-grant "$secret_owned_by_easyrsa" -r "$relation_id"

	echo "Checking: secret-get by URI - consume content by ID"
	# First read from the consumer also registers a consumer-side label.
	check_contains "$(juju exec --unit etcd/0 -- secret-get "$secret_owned_by_easyrsa_0" --label=consumer_label_secret_owned_by_easyrsa_0)" 'owned-by: easyrsa/0'
	check_contains "$(juju exec --unit etcd/0 -- secret-get "$secret_owned_by_easyrsa" --label=consumer_label_secret_owned_by_easyrsa)" 'owned-by: easyrsa-app'

	echo "Checking: secret-get by URI - consume content by label"
	check_contains "$(juju exec --unit etcd/0 -- secret-get --label=consumer_label_secret_owned_by_easyrsa_0)" 'owned-by: easyrsa/0'
	check_contains "$(juju exec --unit etcd/0 -- secret-get --label=consumer_label_secret_owned_by_easyrsa)" 'owned-by: easyrsa-app'

	echo "Checking: secret-revoke by relation ID"
	# After revocation secret-get is expected to fail; 2>&1 captures the error
	# text, and because the substitution is an argument to check_contains its
	# non-zero status does not abort the script under set -e.
	juju exec --unit easyrsa/0 -- secret-revoke "$secret_owned_by_easyrsa" --relation "$relation_id"
	check_contains "$(juju exec --unit etcd/0 -- secret-get "$secret_owned_by_easyrsa" 2>&1)" 'permission denied'

	echo "Checking: secret-revoke by app name"
	juju exec --unit easyrsa/0 -- secret-revoke "$secret_owned_by_easyrsa_0" --app etcd
	check_contains "$(juju exec --unit etcd/0 -- secret-get "$secret_owned_by_easyrsa_0" 2>&1)" 'permission denied'

	echo "Checking: secret-remove"
	# Once removed, even the owner can no longer read the secret.
	juju exec --unit easyrsa/0 -- secret-remove "$secret_owned_by_easyrsa_0"
	check_contains "$(juju exec --unit easyrsa/0 -- secret-get "$secret_owned_by_easyrsa_0" 2>&1)" 'not found'
	juju exec --unit easyrsa/0 -- secret-remove "$secret_owned_by_easyrsa"
	check_contains "$(juju exec --unit easyrsa/0 -- secret-get "$secret_owned_by_easyrsa" 2>&1)" 'not found'
}
    68  
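#######################################
# Exercise user (model-owned) secrets end to end: create, add revisions,
# grant to an application, auto-prune superseded revisions, revoke, remove.
# Globals:   model_name, app_name, secret_uri, secret_short_uri (written)
# Arguments: $1 - model name, embedded in the dummy secret payloads
# Outputs:   progress on stdout; juju --show-log output on stderr
# Returns:   non-zero via check_contains when an assertion fails
#######################################
run_user_secrets() {
	echo

	model_name=${1}

	app_name='easyrsa-user-secrets'
	juju --show-log deploy easyrsa "$app_name"

	# create user secrets.
	secret_uri=$(juju --show-log add-secret mysecret owned-by="$model_name-1" --info "this is a user secret")
	# The part after the last ':' is the key used in show-secret / secrets output.
	secret_short_uri=${secret_uri##*:}

	check_contains "$(juju --show-log show-secret mysecret --revisions | yq ".${secret_short_uri}.description")" 'this is a user secret'

	# create a new revision 2.
	juju --show-log update-secret "$secret_uri" --info info owned-by="$model_name-2"
	check_contains "$(juju --show-log show-secret "$secret_uri" --revisions | yq ".${secret_short_uri}.description")" 'info'

	# grant secret to the app, and now the application can access the revision 2.
	# Before the grant secret-get must fail; 2>&1 captures the error text and,
	# as the substitution is an argument to check_contains, its non-zero status
	# does not abort the script under set -e.
	check_contains "$(juju exec --unit "$app_name/0" -- secret-get "$secret_uri" 2>&1)" 'permission denied'
	juju --show-log grant-secret mysecret "$app_name"
	check_contains "$(juju exec --unit "$app_name/0" -- secret-get "$secret_short_uri")" "owned-by: $model_name-2"

	# create a new revision 3.
	juju --show-log update-secret "$secret_uri" owned-by="$model_name-3"

	# Expansions are quoted throughout (SC2086); the URI and short id are
	# single tokens, so output is unchanged but the script lints clean.
	check_contains "$(juju --show-log show-secret "$secret_uri" --revisions | yq ".${secret_short_uri}.revision")" '3'
	check_contains "$(juju --show-log show-secret "$secret_uri" --revisions | yq ".${secret_short_uri}.owner")" "<model>"
	check_contains "$(juju --show-log show-secret "$secret_uri" --revisions | yq ".${secret_short_uri}.description")" 'info'
	check_contains "$(juju --show-log show-secret "$secret_uri" --revisions | yq ".${secret_short_uri}.revisions | length")" '3'

	# --reveal prints the revision payload on stdout; the values here are dummy
	# strings, but note this does end up in the test log.
	check_contains "$(juju --show-log show-secret "$secret_uri" --reveal --revision 1 | yq ".${secret_short_uri}.content")" "owned-by: $model_name-1"
	check_contains "$(juju --show-log show-secret "$secret_uri" --reveal --revision 2 | yq ".${secret_short_uri}.content")" "owned-by: $model_name-2"
	check_contains "$(juju --show-log show-secret "$secret_uri" --reveal --revision 3 | yq ".${secret_short_uri}.content")" "owned-by: $model_name-3"

	# turn on --auto-prune
	juju --show-log update-secret mysecret --auto-prune=true

	# revision 1 should be pruned.
	# revision 2 is still been used by the app, so it should not be pruned.
	# revision 3 is the latest revision, so it should not be pruned.
	check_contains "$(juju --show-log show-secret "$secret_uri" --revisions | yq ".${secret_short_uri}.revisions | length")" '2'
	check_contains "$(juju --show-log show-secret "$secret_uri" --reveal --revision 2 | yq ".${secret_short_uri}.content")" "owned-by: $model_name-2"
	check_contains "$(juju --show-log show-secret "$secret_uri" --reveal --revision 3 | yq ".${secret_short_uri}.content")" "owned-by: $model_name-3"

	# --peek reads the latest revision without moving the consumer forward;
	# --refresh moves it, after which a plain secret-get returns revision 3.
	check_contains "$(juju exec --unit "$app_name/0" -- secret-get "$secret_short_uri" --peek)" "owned-by: $model_name-3"
	check_contains "$(juju exec --unit "$app_name/0" -- secret-get "$secret_short_uri" --refresh)" "owned-by: $model_name-3"
	check_contains "$(juju exec --unit "$app_name/0" -- secret-get "$secret_short_uri")" "owned-by: $model_name-3"

	# revision 2 should be pruned.
	# revision 3 is the latest revision, so it should not be pruned.
	check_contains "$(juju --show-log show-secret "$secret_uri" --revisions | yq ".${secret_short_uri}.revisions | length")" '1'
	check_contains "$(juju --show-log show-secret "$secret_uri" --reveal --revision 3 | yq ".${secret_short_uri}.content")" "owned-by: $model_name-3"

	juju --show-log revoke-secret mysecret "$app_name"
	check_contains "$(juju exec --unit "$app_name/0" -- secret-get "$secret_uri" 2>&1)" 'permission denied'

	juju --show-log remove-secret mysecret
	check_contains "$(juju --show-log secrets --format yaml | yq length)" '0'
}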
   129  
#######################################
# Run the IAAS secrets checks inside a dedicated model, then tear it down.
# Globals:   model_name (written; handed to run_user_secrets as $1)
# Arguments: none
#######################################
run_secrets_juju() {
	printf '\n'

	model_name='model-secrets-juju'
	add_model "$model_name"

	check_secrets
	run_user_secrets "$model_name"

	destroy_model "$model_name"
}
   139  
#######################################
# Suite entry point for the secrets/juju test; honours the runner's skip list.
# Arguments: none
# Outputs:   a "TEST SKIPPED" line when the test is skipped
#######################################
test_secrets_juju() {
	if [ -n "$(skip 'test_secrets_juju')" ]; then
		printf '%s\n' "==> TEST SKIPPED: test_secrets_juju"
		return
	fi

	# Subshell keeps set_verbosity and the cd from leaking into the caller.
	(
		set_verbosity
		cd .. || exit
		run "run_secrets_juju"
	)
}
   152  	)
   153  }