[DPE-6259] pgbackrest config perms (#1038)

* Remove read access to pgbackrest conf file

* Update libs

* Set extra user roles config for the test app

* Fix data-int base

* Set channel and series in ne rel tests

Author: dragomirp

lib/charms/data_platform_libs/v0/data_interfaces.py

@@ -331,7 +331,7 @@ def _on_topic_requested(self, event: TopicRequestedEvent):
 
 # Increment this PATCH version before using `charmcraft publish-lib` or reset
 # to 0 if you are raising the major API version
-LIBPATCH = 48
+LIBPATCH = 49
 
 PYDEPS = ["ops>=2.0.0"]
 
@@ -3527,16 +3527,20 @@ def __init__(
         self.consumer_group_prefix = consumer_group_prefix or ""
         self.mtls_cert = mtls_cert
 
+    @staticmethod
+    def is_topic_value_acceptable(topic_value: str) -> bool:
+        """Check whether the given Kafka topic value is acceptable."""
+        return "*" not in topic_value[:3]
+
     @property
     def topic(self):
         """Topic to use in Kafka."""
         return self._topic
 
     @topic.setter
     def topic(self, value):
-        # Avoid wildcards
-        if value == "*":
-            raise ValueError(f"Error on topic '{value}', cannot be a wildcard.")
+        if not self.is_topic_value_acceptable(value):
+            raise ValueError(f"Error on topic '{value}', unacceptable value.")
         self._topic = value
 
     def set_mtls_cert(self, relation_id: int, mtls_cert: str) -> None:

lib/charms/glauth_k8s/v0/ldap.py

@@ -147,7 +147,7 @@ def _on_ldap_requested(self, event: LdapRequestedEvent) -> None:
 
 # Increment this PATCH version before using `charmcraft publish-lib` or reset
 # to 0 if you are raising the major API version
-LIBPATCH = 10
+LIBPATCH = 11
 
 PYDEPS = ["pydantic"]
 
@@ -256,13 +256,11 @@ def load(
         cls,
         charm: CharmBase,
         label: str,
-        *,
-        content: Optional[dict[str, str]] = None,
-    ) -> "Secret":
+    ) -> Optional["Secret"]:
         try:
             secret = charm.model.get_secret(label=label)
         except SecretNotFoundError:
-            secret = charm.app.add_secret(label=label, content=content)
+            return None
 
         return Secret(secret)
 
@@ -411,7 +409,8 @@ def _on_relation_broken(self, event: RelationBrokenEvent) -> None:
             self.charm,
             label=BIND_ACCOUNT_SECRET_LABEL_TEMPLATE.substitute(relation_id=event.relation.id),
         )
-        secret.remove()
+        if secret:
+            secret.remove()
 
     def get_bind_password(self, relation_id: int) -> Optional[str]:
         """Retrieve the bind account password for a given integration."""
@@ -490,15 +489,27 @@ def _on_ldap_relation_changed(self, event: RelationChangedEvent) -> None:
         """Handle the event emitted when the LDAP related information is ready."""
         provider_app = event.relation.app
 
-        if not event.relation.data.get(provider_app):
+        if not (provider_data := event.relation.data.get(provider_app)):
             return
 
-        self.on.ldap_ready.emit(event.relation)
+        provider_data = dict(provider_data)
+        if self._load_provider_data(provider_data):
+            self.on.ldap_ready.emit(event.relation)
 
     def _on_ldap_relation_broken(self, event: RelationBrokenEvent) -> None:
         """Handle the event emitted when the LDAP integration is broken."""
         self.on.ldap_unavailable.emit(event.relation)
 
+    def _load_provider_data(self, provider_data: dict) -> Optional[LdapProviderData]:
+        if secret_id := provider_data.get("bind_password_secret"):
+            secret = self.charm.model.get_secret(id=secret_id)
+            provider_data["bind_password"] = secret.get_content().get("password")
+
+        try:
+            return LdapProviderData(**provider_data)
+        except ValidationError:
+            return None
+
     def consume_ldap_relation_data(
         self,
         /,
@@ -513,10 +524,10 @@ def consume_ldap_relation_data(
             return None
 
         provider_data = dict(relation.data.get(relation.app))
-        if secret_id := provider_data.get("bind_password_secret"):
-            secret = self.charm.model.get_secret(id=secret_id)
-            provider_data["bind_password"] = secret.get_content().get("password")
-        return LdapProviderData(**provider_data) if provider_data else None
+        if not provider_data:
+            return None
+
+        return self._load_provider_data(provider_data)
 
     def _is_relation_active(self, relation: Relation) -> bool:
         """Whether the relation is active based on contained data."""

lib/charms/tempo_coordinator_k8s/v0/charm_tracing.py

@@ -313,10 +313,10 @@ def _remove_stale_otel_sdk_packages():
 
 import opentelemetry
 import ops
-from opentelemetry.exporter.otlp.proto.common._internal.trace_encoder import (
+from opentelemetry.exporter.otlp.proto.common._internal.trace_encoder import ( # type: ignore
     encode_spans # type: ignore
 )
-from opentelemetry.exporter.otlp.proto.http.trace_exporter import OTLPSpanExporter
+from opentelemetry.exporter.otlp.proto.http.trace_exporter import OTLPSpanExporter  # type: ignore
 from opentelemetry.sdk.resources import Resource
 from opentelemetry.sdk.trace import ReadableSpan, Span, TracerProvider
 from opentelemetry.sdk.trace.export import (
@@ -348,7 +348,7 @@ def _remove_stale_otel_sdk_packages():
 # Increment this PATCH version before using `charmcraft publish-lib` or reset
 # to 0 if you are raising the major API version
 
-LIBPATCH = 8
+LIBPATCH = 9
 
 PYDEPS = ["opentelemetry-exporter-otlp-proto-http==1.21.0"]
 

src/backups.py

@@ -1265,7 +1265,7 @@ def _render_pgbackrest_conf_file(self) -> bool:
             process_max=max(os.cpu_count() - 2, 1),
         )
         # Render pgBackRest config file.
-        self.charm._patroni.render_file(f"{PGBACKREST_CONF_PATH}/pgbackrest.conf", rendered, 0o644)
+        self.charm._patroni.render_file(f"{PGBACKREST_CONF_PATH}/pgbackrest.conf", rendered, 0o640)
 
         # Render the logrotate configuration file.
         with open("templates/pgbackrest.logrotate.j2") as file:

tests/integration/new_relations/test_new_relations_1.py

@@ -58,7 +58,8 @@ async def test_deploy_charms(ops_test: OpsTest, charm):
                 application_name=APPLICATION_APP_NAME,
                 num_units=2,
                 base=CHARM_BASE,
-                channel="edge",
+                channel="latest/edge",
+                config={"extra_user_roles": "CREATEDB,CREATEROLE"},
             ),
             ops_test.model.deploy(
                 charm,
@@ -261,7 +262,7 @@ async def test_two_applications_doesnt_share_the_same_relation_data(ops_test: Op
     await ops_test.model.deploy(
         APPLICATION_APP_NAME,
         application_name=another_application_app_name,
-        channel="edge",
+        channel="latest/edge",
         base=CHARM_BASE,
     )
     await ops_test.model.wait_for_idle(apps=all_app_names, status="active")
@@ -490,7 +491,11 @@ async def test_admin_role(ops_test: OpsTest):
     all_app_names = [DATA_INTEGRATOR_APP_NAME]
     all_app_names.extend(APP_NAMES)
     async with ops_test.fast_forward():
-        await ops_test.model.deploy(DATA_INTEGRATOR_APP_NAME, base=CHARM_BASE)
+        await ops_test.model.deploy(
+            DATA_INTEGRATOR_APP_NAME,
+            channel="latest/edge",
+            series="jammy",
+        )
         await ops_test.model.wait_for_idle(apps=[DATA_INTEGRATOR_APP_NAME], status="blocked")
         await ops_test.model.applications[DATA_INTEGRATOR_APP_NAME].set_config({
             "database-name": DATA_INTEGRATOR_APP_NAME.replace("-", "_"),
@@ -579,10 +584,12 @@ async def test_invalid_extra_user_roles(ops_test: OpsTest):
 
         another_data_integrator_app_name = f"another-{DATA_INTEGRATOR_APP_NAME}"
         data_integrator_apps_names = [DATA_INTEGRATOR_APP_NAME, another_data_integrator_app_name]
+        # Base is ignored
         await ops_test.model.deploy(
             DATA_INTEGRATOR_APP_NAME,
             application_name=another_data_integrator_app_name,
-            base=CHARM_BASE,
+            channel="latest/edge",
+            series="jammy",
         )
         await ops_test.model.wait_for_idle(
             apps=[another_data_integrator_app_name], status="blocked"

tests/integration/new_relations/test_relations_coherence.py

@@ -4,6 +4,7 @@
 import logging
 import secrets
 import string
+from asyncio import gather
 
 import psycopg2
 import pytest
@@ -26,23 +27,23 @@
 async def test_relations(ops_test: OpsTest, charm):
     """Test that check relation data."""
     async with ops_test.fast_forward():
-        await ops_test.model.deploy(
-            charm,
-            application_name=DATABASE_APP_NAME,
-            num_units=1,
-            base=CHARM_BASE,
-            config={"profile": "testing"},
+        await gather(
+            ops_test.model.deploy(
+                charm,
+                application_name=DATABASE_APP_NAME,
+                num_units=1,
+                base=CHARM_BASE,
+                config={"profile": "testing"},
+            ),
+            # Creating first time relation with user role
+            # Base is ignored
+            ops_test.model.deploy(DATA_INTEGRATOR_APP_NAME, series="jammy"),
         )
-        await ops_test.model.wait_for_idle(apps=[DATABASE_APP_NAME], status="active", timeout=3000)
-
-        # Creating first time relation with user role
-        await ops_test.model.deploy(DATA_INTEGRATOR_APP_NAME, base=CHARM_BASE)
         await ops_test.model.applications[DATA_INTEGRATOR_APP_NAME].set_config({
             "database-name": DATA_INTEGRATOR_APP_NAME.replace("-", "_"),
         })
-        await ops_test.model.wait_for_idle(apps=[DATA_INTEGRATOR_APP_NAME], status="blocked")
         await ops_test.model.add_relation(DATA_INTEGRATOR_APP_NAME, DATABASE_APP_NAME)
-        await ops_test.model.wait_for_idle(apps=APP_NAMES, status="active")
+        await ops_test.model.wait_for_idle(apps=APP_NAMES, status="active", timeout=1500)
 
         connection_string = await build_connection_string(
             ops_test,

tests/unit/test_backups.py

@@ -1776,7 +1776,7 @@ def test_render_pgbackrest_conf_file(harness, tls_ca_chain_filename):
             call(
                 "/var/snap/charmed-postgresql/current/etc/pgbackrest/pgbackrest.conf",
                 expected_content,
-                0o644,
+                0o640,
             ),
             call(
                 "/etc/logrotate.d/pgbackrest.logrotate",