fix: correct handling of secret values

Gu1nness · Gu1nness · commit ec4f57a7b679 · 2025-09-17T11:10:00.000+02:00
diff --git a/lib/charms/data_platform_libs/v1/data_interfaces.py b/lib/charms/data_platform_libs/v1/data_interfaces.py
@@ -681,6 +681,8 @@ def extract_secrets(self, info: ValidationInfo):
 
                 if value and field_info.annotation == OptionalSecretBool:
                     value = SecretBool(json.loads(value))
+                elif value:
+                    value = SecretStr(value)
                 setattr(self, field, value)
 
         return self
@@ -789,6 +791,9 @@ def extract_secrets(self, info: ValidationInfo):
                 value = secret.get_content().get(aliased_field)
                 if value and field_info.annotation == OptionalSecretBool:
                     value = SecretBool(json.loads(value))
+                elif value:
+                    value = SecretStr(value)
+
                 setattr(self, field, value)
         return self
 
diff --git a/tests/v1/integration/database-charm/src/charm.py b/tests/v1/integration/database-charm/src/charm.py
@@ -22,6 +22,7 @@
 from ops.main import main
 from ops.model import ActiveStatus, MaintenanceStatus
 from pydantic import Field, SecretStr
+from pydantic.types import _SecretBase
 
 from charms.data_platform_libs.v1.data_interfaces import (
     DataContractV1,
@@ -316,6 +317,7 @@ def _on_get_relation_field(self, event: ActionEvent):
         model = self.database.interface.build_model(relation.id)
         for request in model.requests:
             value = getattr(request, event.params["field"].replace("-", "_"))
+        value = value.get_secret_value() if issubclass(value.__class__, _SecretBase) else value
         event.set_results({"value": value if value else ""})
 
     def _on_get_relation_self_side_field(self, event: ActionEvent):
@@ -325,6 +327,7 @@ def _on_get_relation_self_side_field(self, event: ActionEvent):
         model = self.database.interface.build_model(relation.id)
         for request in model.requests:
             value = getattr(request, event.params["field"].replace("-", "_"))
+        value = value.get_secret_value() if issubclass(value.__class__, _SecretBase) else value
         event.set_results({"value": value if value else ""})
 
     def _on_set_relation_field(self, event: ActionEvent):
@@ -377,6 +380,7 @@ def _on_get_peer_relation_field(self, event: ActionEvent):
             relation = self._peer_relation_unit.relations[0]
             model = self._peer_relation_unit.build_model(relation.id)
             value = getattr(model, event.params["field"].replace("-", "_"))
+        value = value.get_secret_value() if issubclass(value.__class__, _SecretBase) else value
         event.set_results({"value": value if value else ""})
 
     def _on_set_peer_relation_field(self, event: ActionEvent):
diff --git a/tests/v1/integration/dummy-database-charm/src/charm.py b/tests/v1/integration/dummy-database-charm/src/charm.py
@@ -18,6 +18,7 @@
 from ops.main import main
 from ops.model import ActiveStatus
 from pydantic import Field
+from pydantic.types import _SecretBase
 
 from charms.data_platform_libs.v1.data_interfaces import (
     DataContractV1,
@@ -168,6 +169,7 @@ def _on_get_peer_secret(self, event: ActionEvent):
             repository = self.peer_relation_unit.repository(relation_bis.id)
             result = repository.get_secret_field(event.params["field"], event.params["group"])
 
+        result = result.get_secret_value() if issubclass(result.__class__, _SecretBase) else result
         event.set_results({event.params["field"]: result if result else ""})
 
     def _on_set_peer_secret(self, event: ActionEvent):
@@ -222,6 +224,7 @@ def _on_get_peer_relation_field(self, event: ActionEvent):
             relation = self.peer_relation_unit.relations[0]
             model = self.peer_relation_unit.build_model(relation.id)
             value = getattr(model, event.params["field"].replace("-", "_"))
+        value = value.get_secret_value() if issubclass(value.__class__, _SecretBase) else value
         event.set_results({"value": value if value else ""})
 
 
diff --git a/tests/v1/unit/test_data_interfaces.py b/tests/v1/unit/test_data_interfaces.py
@@ -1255,8 +1255,8 @@ def test_on_resource_created_secrets(self, _on_resource_created):
         # using the requires charm library event.
         event = _on_resource_created.call_args[0][0]
         assert event.response.secret_user == secret.id
-        assert event.response.username == "test-username"
-        assert event.response.password == "test-password"
+        assert event.response.username.get_secret_value() == "test-username"
+        assert event.response.password.get_secret_value() == "test-password"
 
         assert self.harness.charm.requirer.is_resource_created(
             self.rel_id, event.response.request_id
@@ -1301,8 +1301,8 @@ def test_on_resource_created_secrets(self, _on_resource_created):
         # using the requires charm library event.
         event = _on_resource_created.call_args[0][0]
         assert event.response.secret_user == secret2.id
-        assert event.response.username == "test-username-2"
-        assert event.response.password == "test-password-2"
+        assert event.response.username.get_secret_value() == "test-username-2"
+        assert event.response.password.get_secret_value() == "test-password-2"
 
         assert self.harness.charm.requirer.is_resource_created(rel_id, event.response.request_id)
         assert self.harness.charm.requirer.are_all_resources_created(rel_id)
@@ -1347,8 +1347,8 @@ def test_on_resource_entity_created_secrets(self, _on_resource_entity_created):
         # Check that the entity-type, entity-name and entity-password are present in the relation.
         event = _on_resource_entity_created.call_args[0][0]
         assert event.response.secret_entity == secret.id
-        assert event.response.entity_name == "test-username"
-        assert event.response.entity_password == "test-password"
+        assert event.response.entity_name.get_secret_value() == "test-username"
+        assert event.response.entity_password.get_secret_value() == "test-password"
 
         # Reset the mock call count.
         _on_resource_entity_created.reset_mock()
@@ -1388,7 +1388,7 @@ def test_on_resource_entity_created_secrets(self, _on_resource_entity_created):
         # Check that the entity-type and entity-name are present in the relation.
         event = _on_resource_entity_created.call_args[0][0]
         assert event.response.secret_entity == secret2.id
-        assert event.response.entity_name == "test-groupname"
+        assert event.response.entity_name.get_secret_value() == "test-groupname"
         assert event.response.entity_password is None
 
     def test_fetch_relation_data_secrets_fields(self):
@@ -1696,8 +1696,8 @@ def test_additional_fields_are_accessible(self, _on_resource_created):
         # Check that the fields are present in the relation
         # using the requires charm library.
         assert event.response.tls.get_secret_value() is True
-        assert event.response.tls_ca == "deadbeef"
-        assert event.response.uris == "host1:port,host2:port"
+        assert event.response.tls_ca.get_secret_value() == "deadbeef"
+        assert event.response.uris.get_secret_value() == "host1:port,host2:port"
         assert event.response.version == "1.0"
 
     def test_assign_relation_alias(self):
