[DPE-5318] update user management (#329)

* update lib + charm

* revert to already exisitng lib for debug-purposes

* most recent published lib works with k8s charm

* update lib for better user management + add integration tests to verify functionality

* update unit tests

Author: MiaAltieri

lib/charms/mongodb/v1/mongodb_provider.py

@@ -14,8 +14,8 @@
 from typing import List, Optional, Set
 
 from charms.data_platform_libs.v0.data_interfaces import DatabaseProvides
+from charms.mongodb.v0.mongo import MongoConfiguration, MongoConnection
 from charms.mongodb.v1.helpers import generate_password
-from charms.mongodb.v1.mongodb import MongoConfiguration, MongoDBConnection
 from ops.charm import CharmBase, EventBase, RelationBrokenEvent, RelationChangedEvent
 from ops.framework import Object
 from ops.model import Relation
@@ -31,17 +31,15 @@
 
 # Increment this PATCH version before using `charmcraft publish-lib` or reset
 # to 0 if you are raising the major API version
-LIBPATCH = 10
+LIBPATCH = 14
 
 logger = logging.getLogger(__name__)
 REL_NAME = "database"
-
 MONGOS_RELATIONS = "cluster"
+MONGOS_CLIENT_RELATIONS = "mongos_proxy"
+MANAGED_USERS_KEY = "managed-users-key"
 
 # We expect the MongoDB container to use the default ports
-MONGODB_PORT = 27017
-MONGODB_VERSION = "5.0"
-PEER = "database-peers"
 
 Diff = namedtuple("Diff", "added changed deleted")
 Diff.__doc__ = """
@@ -54,50 +52,54 @@
 class MongoDBProvider(Object):
     """In this class, we manage client database relations."""
 
-    def __init__(self, charm: CharmBase, substrate="k8s", relation_name: str = "database") -> None:
+    def __init__(self, charm: CharmBase, substrate="k8s", relation_name: str = REL_NAME) -> None:
         """Constructor for MongoDBProvider object.
 
         Args:
             charm: the charm for which this relation is provided
             substrate: host type, either "k8s" or "vm"
             relation_name: the name of the relation
         """
-        self.relation_name = relation_name
         self.substrate = substrate
         self.charm = charm
 
-        super().__init__(charm, self.relation_name)
+        super().__init__(charm, relation_name)
         self.framework.observe(
-            charm.on[self.relation_name].relation_departed,
+            charm.on[relation_name].relation_departed,
             self.charm.check_relation_broken_or_scale_down,
         )
-        self.framework.observe(
-            charm.on[self.relation_name].relation_broken, self._on_relation_event
-        )
-        self.framework.observe(
-            charm.on[self.relation_name].relation_changed, self._on_relation_event
-        )
+        self.framework.observe(charm.on[relation_name].relation_broken, self._on_relation_event)
+        self.framework.observe(charm.on[relation_name].relation_changed, self._on_relation_event)
 
         # Charm events defined in the database provides charm library.
-        self.database_provides = DatabaseProvides(self.charm, relation_name=self.relation_name)
+        self.database_provides = DatabaseProvides(self.charm, relation_name=relation_name)
         self.framework.observe(
             self.database_provides.on.database_requested, self._on_relation_event
         )
 
-    def pass_hook_checks(self, event: EventBase) -> bool:
-        """Runs the pre-hooks checks for MongoDBProvider, returns True if all pass."""
+    def pass_sanity_hook_checks(self) -> bool:
+        """Runs reusable and event agnostic checks."""
         # We shouldn't try to create or update users if the database is not
         # initialised. We will create users as part of initialisation.
         if not self.charm.db_initialised:
             return False
 
-        if not self.charm.is_relation_feasible(self.relation_name):
+        if not self.charm.is_role(Config.Role.MONGOS) and not self.charm.is_relation_feasible(
+            self.get_relation_name()
+        ):
             logger.info("Skipping code for relations.")
             return False
 
         if not self.charm.unit.is_leader():
             return False
 
+        return True
+
+    def pass_hook_checks(self, event: EventBase) -> bool:
+        """Runs the pre-hooks checks for MongoDBProvider, returns True if all pass."""
+        if not self.pass_sanity_hook_checks():
+            return False
+
         if self.charm.upgrade_in_progress:
             logger.warning(
                 "Adding relations is not supported during an upgrade. The charm may be in a broken, unrecoverable state."
@@ -163,16 +165,54 @@ def oversee_users(self, departed_relation_id: Optional[int], event):
         When the function is executed in relation departed event, the departed
         relation is still on the list of all relations. Therefore, for proper
         work of the function, we need to exclude departed relation from the list.
+
+        Raises:
+            PyMongoError
         """
-        with MongoDBConnection(self.charm.mongodb_config) as mongo:
+        with MongoConnection(self.charm.mongo_config) as mongo:
             database_users = mongo.get_users()
-            relation_users = self._get_users_from_relations(departed_relation_id)
 
-            for username in database_users - relation_users:
+        users_being_managed = database_users.intersection(self._get_relational_users_to_manage())
+        expected_current_users = self._get_users_from_relations(departed_relation_id)
+
+        self.remove_users(users_being_managed, expected_current_users)
+        self.add_users(users_being_managed, expected_current_users)
+        self.update_users(event, users_being_managed, expected_current_users)
+        self.auto_delete_dbs(departed_relation_id)
+
+    def remove_users(
+        self, users_being_managed: Set[str], expected_current_users: Set[str]
+    ) -> None:
+        """Removes users from Charmed MongoDB.
+
+        Note this only removes users that this application of Charmed MongoDB is responsible for
+        managing. It won't remove:
+        1. users created from other applications
+        2. users created from other mongos routers.
+
+        Raises:
+            PyMongoError
+        """
+        with MongoConnection(self.charm.mongo_config) as mongo:
+            for username in users_being_managed - expected_current_users:
                 logger.info("Remove relation user: %s", username)
+                if (
+                    self.charm.is_role(Config.Role.MONGOS)
+                    and username == self.charm.mongo_config.username
+                ):
+                    continue
+
                 mongo.drop_user(username)
+                self._remove_from_relational_users_to_manage(username)
+
+    def add_users(self, users_being_managed: Set[str], expected_current_users: Set[str]) -> None:
+        """Adds users to Charmed MongoDB.
 
-            for username in relation_users - database_users:
+        Raises:
+            PyMongoError
+        """
+        with MongoConnection(self.charm.mongo_config) as mongo:
+            for username in expected_current_users - users_being_managed:
                 config = self._get_config(username, None)
                 if config.database is None:
                     # We need to wait for the moment when the provider library
@@ -181,15 +221,33 @@ def oversee_users(self, departed_relation_id: Optional[int], event):
                 logger.info("Create relation user: %s on %s", config.username, config.database)
 
                 mongo.create_user(config)
+                self._add_to_relational_users_to_manage(username)
                 self._set_relation(config)
 
-            for username in relation_users.intersection(database_users):
+    def update_users(
+        self, event: EventBase, users_being_managed: Set[str], expected_current_users: Set[str]
+    ) -> None:
+        """Updates existing users in Charmed MongoDB.
+
+        Raises:
+            PyMongoError
+        """
+        with MongoConnection(self.charm.mongo_config) as mongo:
+            for username in expected_current_users.intersection(users_being_managed):
                 config = self._get_config(username, None)
                 logger.info("Update relation user: %s on %s", config.username, config.database)
                 mongo.update_user(config)
                 logger.info("Updating relation data according to diff")
                 self._diff(event)
 
+    def auto_delete_dbs(self, departed_relation_id):
+        """Delete's unused dbs if configured to do so.
+
+        Raises:
+            PyMongoError
+        """
+        with MongoConnection(self.charm.mongo_config) as mongo:
+
             if not self.charm.model.config["auto-delete"]:
                 return
 
@@ -240,15 +298,15 @@ def _diff(self, event: RelationChangedEvent) -> Diff:
 
     def update_app_relation_data(self) -> None:
         """Helper function to update application relation data."""
-        if not self.charm.db_initialised:
+        if not self.pass_sanity_hook_checks():
             return
 
         database_users = set()
 
-        with MongoDBConnection(self.charm.mongodb_config) as mongo:
+        with MongoConnection(self.charm.mongo_config) as mongo:
             database_users = mongo.get_users()
 
-        for relation in self._get_relations(rel=REL_NAME):
+        for relation in self._get_relations():
             username = self._get_username_from_relation_id(relation.id)
             password = self._get_or_set_password(relation)
             config = self._get_config(username, password)
@@ -282,24 +340,34 @@ def _get_or_set_password(self, relation: Relation) -> str:
         self.database_provides.update_relation_data(relation.id, {"password": password})
         return password
 
-    def _get_config(self, username: str, password: Optional[str]) -> MongoConfiguration:
+    def _get_config(
+        self, username: str, password: Optional[str], event=None
+    ) -> MongoConfiguration:
         """Construct the config object for future user creation."""
         relation = self._get_relation_from_username(username)
         if not password:
             password = self._get_or_set_password(relation)
 
         database_name = self._get_database_from_relation(relation)
 
-        return MongoConfiguration(
-            replset=self.charm.app.name,
-            database=database_name,
-            username=username,
-            password=password,
-            hosts=self.charm.mongodb_config.hosts,
-            roles=self._get_roles_from_relation(relation),
-            tls_external=False,
-            tls_internal=False,
-        )
+        mongo_args = {
+            "database": database_name,
+            "username": username,
+            "password": password,
+            "hosts": self.charm.mongo_config.hosts,
+            "roles": self._get_roles_from_relation(relation),
+            "tls_external": False,
+            "tls_internal": False,
+        }
+
+        if self.charm.is_role(Config.Role.MONGOS):
+            mongo_args["port"] = Config.MONGOS_PORT
+            if self.substrate == Config.Substrate.K8S:
+                mongo_args["hosts"] = self.charm.get_mongos_hosts_for_client()
+        else:
+            mongo_args["replset"] = self.charm.app.name
+
+        return MongoConfiguration(**mongo_args)
 
     def _set_relation(self, config: MongoConfiguration):
         """Save all output fields into application relation."""
@@ -318,10 +386,11 @@ def _set_relation(self, config: MongoConfiguration):
             relation.id,
             ",".join(config.hosts),
         )
-        self.database_provides.set_replset(
-            relation.id,
-            config.replset,
-        )
+        if not self.charm.is_role(Config.Role.MONGOS):
+            self.database_provides.set_replset(
+                relation.id,
+                config.replset,
+            )
         self.database_provides.set_uris(
             relation.id,
             config.uri,
@@ -332,9 +401,9 @@ def _get_username_from_relation_id(relation_id: int) -> str:
         """Construct username."""
         return f"relation-{relation_id}"
 
-    def _get_users_from_relations(self, departed_relation_id: Optional[int], rel=REL_NAME):
+    def _get_users_from_relations(self, departed_relation_id: Optional[int]):
         """Return usernames for all relations except departed relation."""
-        relations = self._get_relations(rel)
+        relations = self._get_relations()
         return set(
             [
                 self._get_username_from_relation_id(relation.id)
@@ -351,7 +420,7 @@ def _get_databases_from_relations(self, departed_relation_id: Optional[int]) ->
                 except for those databases that belong to the departing
                 relation specified.
         """
-        relations = self._get_relations(rel=REL_NAME)
+        relations = self._get_relations()
         databases = set()
         for relation in relations:
             if relation.id == departed_relation_id:
@@ -370,22 +439,54 @@ def _get_relation_from_username(self, username: str) -> Relation:
         assert match is not None, "No relation match"
         relation_id = int(match.group(1))
         logger.debug("Relation ID: %s", relation_id)
-        relation_name = (
-            MONGOS_RELATIONS if self.charm.is_role(Config.Role.CONFIG_SERVER) else REL_NAME
-        )
+        relation_name = self.get_relation_name()
         return self.model.get_relation(relation_name, relation_id)
 
-    def _get_relations(self, rel=REL_NAME) -> List[Relation]:
+    def _get_relations(self) -> List[Relation]:
         """Return the set of relations for users.
 
         We create users for either direct relations to charm or for relations through the mongos
         charm.
         """
-        return (
-            self.model.relations[MONGOS_RELATIONS]
-            if self.charm.is_role(Config.Role.CONFIG_SERVER)
-            else self.model.relations[rel]
-        )
+        return self.model.relations[self.get_relation_name()]
+
+    def get_relation_name(self):
+        """Returns the name of the relation to use."""
+        if self.charm.is_role(Config.Role.CONFIG_SERVER):
+            return MONGOS_RELATIONS
+        elif self.charm.is_role(Config.Role.MONGOS):
+            return MONGOS_CLIENT_RELATIONS
+        else:
+            return REL_NAME
+
+    def _get_relational_users_to_manage(self) -> Set[str]:
+        """Returns a set of the users to manage.
+
+        Note json cannot serialise sets. Convert from list.
+        """
+        return set(json.loads(self.charm.app_peer_data.get(MANAGED_USERS_KEY, "[]")))
+
+    def _update_relational_users_to_manage(self, new_users: Set[str]) -> None:
+        """Updates the set of the users to manage.
+
+        Note json cannot serialise sets. Convert from list.
+        """
+        if not self.charm.unit.is_leader():
+            raise Exception("Cannot update relational data on non-leader unit")
+
+        self.charm.app_peer_data[MANAGED_USERS_KEY] = json.dumps(list(new_users))
+
+    def _remove_from_relational_users_to_manage(self, user_to_remove: str) -> None:
+        """Removes the provided user from the set of the users to manage."""
+        current_users = self._get_relational_users_to_manage()
+        updated_users = current_users - {user_to_remove}
+        self._update_relational_users_to_manage(updated_users)
+
+    def _add_to_relational_users_to_manage(self, user_to_add: str) -> None:
+        """Adds the provided user to the set of the users to manage."""
+        current_users = self._get_relational_users_to_manage()
+        current_users.add(user_to_add)
+        self._update_relational_users_to_manage(current_users)
 
     @staticmethod
     def _get_database_from_relation(relation: Relation) -> Optional[str]: