Merge pull request #987 from cderici/update-remove-grant-revoke-secrets

jujubot · web-flow · commit 09003017275b · 2023-12-01T01:31:23.000+10:00
#987 #### Description This is the continuation of #986, completing the support for user secrets on pylibjuju by adding `update_secret`, `remove_secret`, `grant_secret` and `revoke_secret`. #### QA Steps Added integration tests for all of these so they can be individually ran: ``` tox -e integration -- tests/integration/test_secrets.py::test_update_secret ``` ``` tox -e integration -- tests/integration/test_secrets.py::test_remove_secret ``` ``` tox -e integration -- tests/integration/test_secrets.py::test_grant_secret ``` ``` tox -e integration -- tests/integration/test_secrets.py::test_revoke_secret ``` All CI tests need to pass. #### Notes & Discussion JUJU-5093
diff --git a/juju/model.py b/juju/model.py
@@ -2614,18 +2614,18 @@ async def export_bundle(self, filename=None):
         except IOError:
             raise
 
-    async def add_secret(self, name, dataArgs, file="", info=""):
+    async def add_secret(self, name, data_args, file="", info=""):
         """Adds a secret with a list of key values
 
         Equivalent to the cli command:
         juju add-secret [options] <name> [key[#base64|#file]=value...]
 
         :param name str: The name of the secret to be added.
-        :param dataArgs []str: The key value pairs to be added into the secret.
+        :param data_args []str: The key value pairs to be added into the secret.
         :param file str: A path to a yaml file containing secret key values.
         :param info str: The secret description.
         """
-        data = create_secret_data(dataArgs)
+        data = create_secret_data(data_args)
 
         if file:
             data_from_file = read_secret_data(file)
@@ -2649,6 +2649,39 @@ async def add_secret(self, name, dataArgs, file="", info=""):
             raise JujuAPIError(result.error.message)
         return result.result
 
+    async def update_secret(self, name, data_args=[], new_name="", file="", info=""):
+        """Update a secret with a list of key values, or info.
+
+        Equivalent to the cli command:
+        juju add-secret [options] <name> [key[#base64|#file]=value...]
+
+        :param name str: The name of the secret to be added.
+        :param data_args []str: The key value pairs to be added into the secret.
+        :param file str: A path to a yaml file containing secret key values.
+        :param info str: The secret description.
+        """
+        data = create_secret_data(data_args)
+        if file:
+            data_from_file = read_secret_data(file)
+            for k, v in data_from_file.items():
+                # Caution: key/value pairs in files overwrite the ones in the args.
+                data[k] = v
+
+        if client.SecretsFacade.best_facade_version(self.connection()) < 2:
+            raise JujuNotSupportedError("user secrets")
+        secretsFacade = client.SecretsFacade.from_connection(self.connection())
+        results = await secretsFacade.UpdateSecrets([{
+            'content': {'data': data},
+            'description': info,
+            'existing-label': name,
+            'label': new_name,
+        }])
+        if len(results.results) != 1:
+            raise JujuAPIError(f"expected 1 result, got {len(results.results)}")
+        result_error = results.results[0]
+        if result_error.error is not None:
+            raise JujuAPIError(result_error.error)
+
     async def list_secrets(self, filter="", show_secrets=False):
         """
         Returns the list of available secrets.
@@ -2660,6 +2693,68 @@ async def list_secrets(self, filter="", show_secrets=False):
         })
         return results.results
 
+    async def remove_secret(self, secret_name, revision=-1):
+        """Remove an existing secret.
+
+        :param secret_name str: ID|name of the secret to remove.
+        :param revision int: remove the specified revision.
+        """
+        if client.SecretsFacade.best_facade_version(self.connection()) < 2:
+            raise JujuNotSupportedError("user secrets")
+        remove_secret_arg = {
+            'label': secret_name,
+        }
+        if revision >= 0:
+            remove_secret_arg['revisions'] = [revision]
+
+        secretsFacade = client.SecretsFacade.from_connection(self.connection())
+        results = await secretsFacade.RemoveSecrets([remove_secret_arg])
+        if len(results.results) != 1:
+            raise JujuAPIError(f"expected 1 result, got {len(results.results)}")
+        result_error = results.results[0]
+        if result_error.error is not None:
+            raise JujuAPIError(result_error.error)
+
+    async def grant_secret(self, secret_name, application, *applications):
+        """Grants access to a secret to the specified applications.
+
+        :param secret_name str: ID|name of the secret.
+        :param application str: name of an application for which the access is granted
+        :param applications []str: names of more applications to associate the secret with
+        """
+        if client.SecretsFacade.best_facade_version(self.connection()) < 2:
+            raise JujuNotSupportedError("user secrets")
+        secretsFacade = client.SecretsFacade.from_connection(self.connection())
+        results = await secretsFacade.GrantSecret(
+            applications=[application] + list(applications),
+            label=secret_name)
+        if len(results.results) != 1:
+            raise JujuAPIError(f"expected 1 result, got {len(results.results)}")
+        result_error = results.results[0]
+        if result_error.error is not None:
+            raise JujuAPIError(result_error.error)
+
+    async def revoke_secret(self, secret_name, application, *applications):
+        """Revoke access to a secret.
+
+        Revoke applications' access to view the value of a specified secret.
+
+        :param secret_name str: ID|name of the secret.
+        :param application str: name of an application for which the access to the secret is revoked
+        :param applications []str: names of more applications to disassociate the secret with
+        """
+        if client.SecretsFacade.best_facade_version(self.connection()) < 2:
+            raise JujuNotSupportedError("user secrets")
+        secretsFacade = client.SecretsFacade.from_connection(self.connection())
+        results = await secretsFacade.RevokeSecret(
+            applications=[application] + list(applications),
+            label=secret_name)
+        if len(results.results) != 1:
+            raise JujuAPIError(f"expected 1 result, got {len(results.results)}")
+        result_error = results.results[0]
+        if result_error.error is not None:
+            raise JujuAPIError(result_error.error)
+
     async def _get_source_api(self, url, controller_name=None):
         controller = Controller()
         if url.has_empty_source():
diff --git a/tests/integration/test_secrets.py b/tests/integration/test_secrets.py
@@ -9,9 +9,8 @@
 @base.bootstrapped
 @pytest.mark.bundle
 async def test_add_secret(event_loop):
-
     async with base.CleanModel() as model:
-        secret = await model.add_secret(name='my-apitoken', dataArgs=['token=34ae35facd4'])
+        secret = await model.add_secret(name='my-apitoken', data_args=['token=34ae35facd4'])
         assert secret.startswith('secret:')
 
         secrets = await model.list_secrets()
@@ -37,3 +36,51 @@ async def test_list_secrets(event_loop):
         secrets = await model.list_secrets(show_secrets=True)
         assert secrets is not None
         assert len(secrets) == 1
+
+
+@base.bootstrapped
+@pytest.mark.bundle
+async def test_update_secret(event_loop):
+    async with base.CleanModel() as model:
+        secret = await model.add_secret(name='my-apitoken', data_args=['token=34ae35facd4'])
+        assert secret.startswith('secret:')
+
+        await model.update_secret(name='my-apitoken', new_name='new-token')
+
+        secrets = await model.list_secrets()
+        assert len(secrets) == 1
+        assert secrets[0].label == 'new-token'
+
+
+@base.bootstrapped
+@pytest.mark.bundle
+async def test_remove_secret(event_loop):
+    async with base.CleanModel() as model:
+        secret = await model.add_secret(name='my-apitoken', data_args=['token=34ae35facd4'])
+        assert secret.startswith('secret:')
+
+        await model.remove_secret('my-apitoken')
+
+        secrets = await model.list_secrets()
+        assert len(secrets) == 0
+
+
+@base.bootstrapped
+@pytest.mark.bundle
+async def test_grant_secret(event_loop):
+    async with base.CleanModel() as model:
+        secret = await model.add_secret(name='my-apitoken', data_args=['token=34ae35facd4'])
+        assert secret.startswith('secret:')
+
+        await model.deploy('ubuntu')
+
+        await model.grant_secret('my-apitoken', 'ubuntu')
+
+
+@base.bootstrapped
+@pytest.mark.bundle
+async def test_revoke_secret(event_loop):
+    async with base.CleanModel() as model:
+        secret = await model.add_secret(name='my-apitoken', data_args=['token=34ae35facd4'])
+        assert secret.startswith('secret:')
+        await model.revoke_secret('my-apitoken', 'ubuntu')
