Launchpad itself

Merge ~cjwatson/launchpad:charm-admin-apply-security into launchpad:master

Proposed by Colin Watson on 2023-04-03

Status:	Merged
Approved by:	Colin Watson on 2023-04-03
Approved revision:	b1500e83e54dab6584ca3b4b4b0d0f8efb9a06dc
Merge reported by:	Otto Co-Pilot
Merged at revision:	not available
Proposed branch:	~cjwatson/launchpad:charm-admin-apply-security
Merge into:	launchpad:master
Diff against target:	113 lines (+53/-4) 4 files modified charm/launchpad-admin/reactive/launchpad-admin.py (+50/-1) charm/launchpad-admin/templates/db-admin.j2 (+1/-1) charm/launchpad-admin/templates/db-session.j2 (+1/-1) charm/launchpad-admin/templates/db.j2 (+1/-1)
Related bugs:	Link a bug report

Reviewer	Review Type	Date Requested	Status
Guruprasad		2023-04-03	Approve on 2023-04-03
Review via email: mp+440257@code.launchpad.net

Commit message

charm: Update DB permissions when configuring launchpad-admin

Description of the change

This replaces code currently run by our deployment machinery at the end of its `build` phase.

I also fixed a typo in a reactive flag name that caused hooks to do unnecessary work, since we were never considering the service to be configured.

Revision history for this message

Guruprasad (lgp171188) wrote on 2023-04-03:

LGTM 👍🏼

review: Approve

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

Subscribers

People subscribed via source and target branches

to all changes:

Canonical Launchpad Engineering

Christina A Reitbauer

Colin Watson

Edson_g2020_ubuntuone Gomes

Jordan

Kevin bush

Maximiliano Bertacchini

noômen

to status/vote changes:

asimbol83

 diff --git a/charm/launchpad-admin/reactive/launchpad-admin.py b/charm/launchpad-admin/reactive/launchpad-admin.py
 index 4d65102..ff76afc 100644
 --- a/charm/launchpad-admin/reactive/launchpad-admin.py
 +++ b/charm/launchpad-admin/reactive/launchpad-admin.py
@@ -2,6 +2,7 @@
  # GNU Affero General Public License version 3 (see the file LICENSE).
  import os.path
++import subprocess
  from charmhelpers.core import hookenv, host, templating
  from charms.launchpad.base import (
@@ -28,13 +29,55 @@ def strip_password(dsn):
      return make_dsn(**parsed_dsn)
++def database_is_initialized() -> bool:
++    """Has the database been initialized?
++
++    The launchpad-admin charm is itself used to initialize the database, so
++    we can't assume that that's been done yet at the time our `configure`
++    handler runs.  The `LaunchpadDatabaseRevision` table is used to track
++    schema migrations, so its presence is a good indicator of whether we
++    have a useful database.
++    """
++    return (
++        subprocess.run(
++            [
++                "sudo",
++                "-H",
++                "-u",
++                base.user(),
++                os.path.join(home_dir(), "bin", "db"),
++                "-c",
++                r"\d LaunchpadDatabaseRevision",
++            ],
++            stdout=subprocess.DEVNULL,
++            stderr=subprocess.DEVNULL,
++        ).returncode
++        == 0
++    )
++
++
++def update_database_permissions():
++    subprocess.run(
++        [
++            "sudo",
++            "-H",
++            "-u",
++            base.user(),
++            "LPCONFIG=launchpad-admin",
++            os.path.join(base.code_dir(), "database", "schema", "security.py"),
++            "--no-revoke",
++        ],
++        check=True,
++    )
++
++
  @when(
      "launchpad.base.configured",
      "db.master.available",
      "db-admin.master.available",
      "session-db.master.available",
+ )
--@when_not("service_configured")
++@when_not("service.configured")
  def configure():
      db = endpoint_from_flag("db.master.available")
      db_admin = endpoint_from_flag("db-admin.master.available")
@@ -82,5 +125,11 @@ def configure():
              perms=0o755,
+         )
++    if database_is_initialized():
++        hookenv.log("Updating database permissions.")
++        update_database_permissions()
++    else:
++        hookenv.log("Database has not been initialized yet.")
++
      set_state("service.configured")
      hookenv.status_set("active", "Ready")
 diff --git a/charm/launchpad-admin/templates/db-admin.j2 b/charm/launchpad-admin/templates/db-admin.j2
 index aa0f73d..4749ab3 100644
 --- a/charm/launchpad-admin/templates/db-admin.j2
 +++ b/charm/launchpad-admin/templates/db-admin.j2
@@ -6,5 +6,5 @@
  set -e
--psql '{{ db_admin_primary }}'
++psql '{{ db_admin_primary }}' "$@"
 diff --git a/charm/launchpad-admin/templates/db-session.j2 b/charm/launchpad-admin/templates/db-session.j2
 index 4d776ae..76a47e1 100755
 --- a/charm/launchpad-admin/templates/db-session.j2
 +++ b/charm/launchpad-admin/templates/db-session.j2
@@ -6,5 +6,5 @@
  set -e
--psql '{{ db_session_primary }}'
++psql '{{ db_session_primary }}' "$@"
 diff --git a/charm/launchpad-admin/templates/db.j2 b/charm/launchpad-admin/templates/db.j2
 index f07f7e8..7976492 100644
 --- a/charm/launchpad-admin/templates/db.j2
 +++ b/charm/launchpad-admin/templates/db.j2
@@ -6,5 +6,5 @@
  set -e
--psql '{{ db_primary }}'
++psql '{{ db_primary }}' "$@"