[DPE-6259] pgbackrest config perms (#1036)

* Remove `-u _daemon_` from the docs

* Remove read access to pgbackrest conf file

* Unit tests

* Update libs

Author: dragomirp

lib/charms/glauth_k8s/v0/ldap.py

@@ -147,7 +147,7 @@ def _on_ldap_requested(self, event: LdapRequestedEvent) -> None:
 
 # Increment this PATCH version before using `charmcraft publish-lib` or reset
 # to 0 if you are raising the major API version
-LIBPATCH = 10
+LIBPATCH = 11
 
 PYDEPS = ["pydantic"]
 
@@ -256,13 +256,11 @@ def load(
         cls,
         charm: CharmBase,
         label: str,
-        *,
-        content: Optional[dict[str, str]] = None,
-    ) -> "Secret":
+    ) -> Optional["Secret"]:
         try:
             secret = charm.model.get_secret(label=label)
         except SecretNotFoundError:
-            secret = charm.app.add_secret(label=label, content=content)
+            return None
 
         return Secret(secret)
 
@@ -411,7 +409,8 @@ def _on_relation_broken(self, event: RelationBrokenEvent) -> None:
             self.charm,
             label=BIND_ACCOUNT_SECRET_LABEL_TEMPLATE.substitute(relation_id=event.relation.id),
         )
-        secret.remove()
+        if secret:
+            secret.remove()
 
     def get_bind_password(self, relation_id: int) -> Optional[str]:
         """Retrieve the bind account password for a given integration."""
@@ -490,15 +489,27 @@ def _on_ldap_relation_changed(self, event: RelationChangedEvent) -> None:
         """Handle the event emitted when the LDAP related information is ready."""
         provider_app = event.relation.app
 
-        if not event.relation.data.get(provider_app):
+        if not (provider_data := event.relation.data.get(provider_app)):
             return
 
-        self.on.ldap_ready.emit(event.relation)
+        provider_data = dict(provider_data)
+        if self._load_provider_data(provider_data):
+            self.on.ldap_ready.emit(event.relation)
 
     def _on_ldap_relation_broken(self, event: RelationBrokenEvent) -> None:
         """Handle the event emitted when the LDAP integration is broken."""
         self.on.ldap_unavailable.emit(event.relation)
 
+    def _load_provider_data(self, provider_data: dict) -> Optional[LdapProviderData]:
+        if secret_id := provider_data.get("bind_password_secret"):
+            secret = self.charm.model.get_secret(id=secret_id)
+            provider_data["bind_password"] = secret.get_content().get("password")
+
+        try:
+            return LdapProviderData(**provider_data)
+        except ValidationError:
+            return None
+
     def consume_ldap_relation_data(
         self,
         /,
@@ -513,10 +524,10 @@ def consume_ldap_relation_data(
             return None
 
         provider_data = dict(relation.data.get(relation.app))
-        if secret_id := provider_data.get("bind_password_secret"):
-            secret = self.charm.model.get_secret(id=secret_id)
-            provider_data["bind_password"] = secret.get_content().get("password")
-        return LdapProviderData(**provider_data) if provider_data else None
+        if not provider_data:
+            return None
+
+        return self._load_provider_data(provider_data)
 
     def _is_relation_active(self, relation: Relation) -> bool:
         """Whether the relation is active based on contained data."""

lib/charms/tls_certificates_interface/v4/tls_certificates.py

@@ -52,7 +52,7 @@
 
 # Increment this PATCH version before using `charmcraft publish-lib` or reset
 # to 0 if you are raising the major API version
-LIBPATCH = 19
+LIBPATCH = 20
 
 PYDEPS = [
     "cryptography>=43.0.0",
@@ -1232,7 +1232,7 @@ def __init__(
         for event in refresh_events:
             self.framework.observe(event, self._configure)
 
-    def _configure(self, _: EventBase):
+    def _configure(self, _: Optional[EventBase] = None):
         """Handle TLS Certificates Relation Data.
 
         This method is called during any TLS relation event.
@@ -1286,6 +1286,14 @@ def _on_secret_expired(self, event: SecretExpiredEvent) -> None:
         self._renew_certificate_request(csr)
         event.secret.remove_all_revisions()
 
+    def sync(self) -> None:
+        """Sync TLS Certificates Relation Data.
+
+        This method allows the requirer to sync the TLS certificates relation data
+        without waiting for the refresh events to be triggered.
+        """
+        self._configure()
+
     def renew_certificate(self, certificate: ProviderCertificate) -> None:
         """Request the renewal of the provided certificate."""
         certificate_signing_request = certificate.certificate_signing_request

src/backups.py

@@ -1260,7 +1260,7 @@ def _render_pgbackrest_conf_file(self) -> bool:
             process_max=max(os.cpu_count() - 2, 1),
         )
         # Render pgBackRest config file.
-        self.charm._patroni.render_file(f"{PGBACKREST_CONF_PATH}/pgbackrest.conf", rendered, 0o644)
+        self.charm._patroni.render_file(f"{PGBACKREST_CONF_PATH}/pgbackrest.conf", rendered, 0o640)
 
         # Render the logrotate configuration file.
         with open("templates/pgbackrest.logrotate.j2") as file:

tests/unit/test_backups.py

@@ -1744,7 +1744,7 @@ def test_render_pgbackrest_conf_file(harness, tls_ca_chain_filename):
             call(
                 "/var/snap/charmed-postgresql/current/etc/pgbackrest/pgbackrest.conf",
                 expected_content,
-                0o644,
+                0o640,
             ),
             call(
                 "/etc/logrotate.d/pgbackrest.logrotate",