feat: authentication updated on new tls cert (#246)

Author: Gu1nness

lib/charms/data_platform_libs/v1/data_interfaces.py

@@ -309,7 +309,7 @@ def _on_resource_requested(self, event: ResourceRequestedEvent) -> None:
 
 # Increment this PATCH version before using `charmcraft publish-lib` or reset
 # to 0 if you are raising the major API version
-LIBPATCH = 0
+LIBPATCH = 1
 
 PYDEPS = ["ops>=2.0.0", "pydantic>=2.11"]
 
@@ -728,7 +728,7 @@ def serialize_model(self, handler: SerializerFunctionWrapHandler, info: Serializ
 
                 value = getattr(self, field)
 
-                if value and not isinstance(value, str):
+                if (value is not None) and not isinstance(value, str):
                     value = json.dumps(value)
 
                 if secret is None:
@@ -864,7 +864,7 @@ def serialize_model(
 
                 value = getattr(self, field)
 
-                if value and not isinstance(value, str):
+                if (value is not None) and not isinstance(value, str):
                     value = json.dumps(value)
 
                 if secret is None:
@@ -2952,3 +2952,11 @@ def _handle_event(
             )
             self._emit_aliased_event(event, "read_only_endpoints_changed", response)
             return
+
+        if "secret-tls" in _diff.added or "secret-tls" in _diff.changed:
+            logger.info(f"auth updated for {response.resource} at {datetime.now()}")
+            getattr(self.on, "authentication_updated").emit(
+                event.relation, app=event.app, unit=event.unit, response=response
+            )
+            self._emit_aliased_event(event, "authentication_updated", response)
+            return

tests/v1/integration/application-charm/src/charm.py

@@ -18,6 +18,7 @@
 from pydantic import Field
 
 from charms.data_platform_libs.v1.data_interfaces import (
+    AuthenticationUpdatedEvent,
     ExtraSecretStr,
     KafkaRequestModel,
     KafkaResponseModel,
@@ -93,6 +94,10 @@ def __init__(self, *args):
             self.first_database_roles.on.resource_entity_created,
             self._on_first_database_entity_created,
         )
+        self.framework.observe(
+            self.first_database.on.authentication_updated,
+            self._on_first_database_auth_updated,
+        )
 
         # Events related to the second database that is requested
         # (these events are defined in the database requires charm library).
@@ -386,6 +391,12 @@ def _on_first_database_entity_created(self, event: ResourceEntityCreatedEvent) -
         logger.info(f"first database entity credentials: {event.response.entity_name}")
         self.unit.status = ActiveStatus("received entity credentials of the first database")
 
+    def _on_first_database_auth_updated(self, event: AuthenticationUpdatedEvent) -> None:
+        """Event triggered when a database entity was created for this application."""
+        # Retrieve the credentials using the charm library.
+        logger.info(f"first database tls credentials: {event.response.tls}")
+        self.unit.status = ActiveStatus("first_database_authentication_updated")
+
     # Second database events observers.
     def _on_second_database_created(self, event: ResourceCreatedEvent) -> None:
         """Event triggered when a database was created for this application."""

tests/v1/integration/database-charm/actions.yaml

@@ -3,6 +3,9 @@
 change-admin-password:
   description: Change the admin password to a new, generated value
 
+set-tls:
+  description: Set TLS field in the relation
+
 set-secret:
   description: Change the value of a particular secret
   params:
@@ -138,3 +141,4 @@ get-other-peer-relation-field:
     field:
       type: string
       description: Relation field
+

tests/v1/integration/database-charm/src/charm.py

@@ -139,6 +139,8 @@ def __init__(self, *args):
             self.on.get_other_peer_relation_field_action, self._on_get_other_peer_relation_field
         )
 
+        self.framework.observe(self.on.set_tls_action, self._on_set_tls_action)
+
     @property
     def peer_relation(self) -> Optional[Relation]:
         """The cluster peer relation."""
@@ -258,12 +260,19 @@ def _on_resource_requested(self, event: ResourceRequestedEvent) -> None:
             password=password,
             username=username,
             endpoints=f"{self.model.get_binding('database').network.bind_address}:5432",
-            tls=False,
             version=version,
         )
         self.database.set_response(event.relation.id, response)
         self.unit.status = ActiveStatus()
 
+    def _on_set_tls_action(self, event: ActionEvent):
+        for relation in self.database.interface.relations:
+            model = self.database.interface.build_model(relation.id, DataContract)
+            for request in model.requests:
+                request.tls = True
+                request.tls_ca = "deadbeef"
+            self.database.interface.write_model(relation.id, model)
+
     def _on_resource_entity_requested(self, event: ResourceEntityRequestedEvent) -> None:
         """Event triggered when a new database entity is requested."""
         self.unit.status = MaintenanceStatus("creating entity")

tests/v1/integration/test_charm.py

@@ -669,6 +669,28 @@ async def test_postgresql_plugin(ops_test: OpsTest):
     assert action.results.get("plugin-status") == "enabled"
 
 
+@pytest.mark.abort_on_fail
+async def test_tls_integration_after_initial_integration(ops_test: OpsTest):
+    """Test that adding TLS to the database after the initial integration does trigger an auth updated event in the client."""
+    leader_id = await get_leader_id(ops_test, DATABASE_APP_NAME)
+    unit_name = f"{DATABASE_APP_NAME}/{leader_id}"
+
+    action = await ops_test.model.units.get(unit_name).run_action("set-tls")
+    await action.wait()
+
+    app_id = await get_leader_id(ops_test, APPLICATION_APP_NAME)
+    app_unit_name = f"{APPLICATION_APP_NAME}/{app_id}"
+
+    await ops_test.model.wait_for_idle(
+        apps=[APPLICATION_APP_NAME, DATABASE_APP_NAME], status="active"
+    )
+
+    assert (
+        ops_test.model.units.get(app_unit_name).workload_status_message
+        == "first_database_authentication_updated"
+    )
+
+
 async def test_two_applications_dont_share_the_same_relation_data(
     ops_test: OpsTest, application_charm
 ):