charm-juju-ro

Merge ~przemeklal/charm-juju-ro:initial-code-drop into charm-juju-ro:main

Proposed by Przemyslaw Lal on 2022-05-26

Status:	Merged
Merged at revision:	bbb2b7495eb36ec7f44e6d8b51933f968d5be742
Proposed branch:	~przemeklal/charm-juju-ro:initial-code-drop
Merge into:	charm-juju-ro:main
Diff against target:	1364 lines (+1242/-0) 20 files modified .gitignore (+11/-0) .jujuignore (+3/-0) Makefile (+97/-0) README.md (+49/-0) actions.yaml (+12/-0) charmcraft.yaml (+14/-0) config.yaml (+19/-0) lib/charms/juju_ro/v0/lib_juju_addons.py (+535/-0) metadata.yaml (+13/-0) rename.sh (+13/-0) requirements-dev.txt (+3/-0) requirements.txt (+3/-0) scripts/templates/auto_jujuro.py (+80/-0) src/charm.py (+181/-0) tests/__init__.py (+3/-0) tests/test_charm.py (+12/-0) tests/unit/files/juju_bundle.yaml (+70/-0) tests/unit/requirements.txt (+6/-0) tests/unit/test_lib_juju_addons.py (+29/-0) tox.ini (+89/-0)
Related bugs:	Link a bug report

Reviewer	Review Type	Date Requested	Status
Alvaro Uria (community)		2022-05-26	Approve on 2022-06-02
Review via email: mp+423461@code.launchpad.net

Revision history for this message

Alvaro Uria (aluria) wrote on 2022-06-02:

Code LGTM. Lint and unit tests passed.

review: Approve

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

Subscribers

People subscribed via source and target branches

to all changes:

Przemyslaw Lal

charm-juju-ro

Merge ~przemeklal/charm-juju-ro:initial-code-drop into charm-juju-ro:main

Commit message

Description of the change

Preview Diff

Subscribers

 diff --git a/.gitignore b/.gitignore
 new file mode 100644
 index 0000000..c5cb289
 --- /dev/null
 +++ b/.gitignore
@@ -0,0 +1,11 @@
++venv/
++build/
++*.charm
++.build/
++
++.coverage
++__pycache__/
++*.py[cod]
++
++repo-info
++version
 diff --git a/.jujuignore b/.jujuignore
 new file mode 100644
 index 0000000..6ccd559
 --- /dev/null
 +++ b/.jujuignore
@@ -0,0 +1,3 @@
++/venv
++*.py[cod]
++*.charm
 diff --git a/Makefile b/Makefile
 new file mode 100644
 index 0000000..f335696
 --- /dev/null
 +++ b/Makefile
@@ -0,0 +1,97 @@
++PYTHON := /usr/bin/python3
++
++PROJECTPATH=$(dir $(realpath $(MAKEFILE_LIST)))
++ifndef CHARM_BUILD_DIR
++	CHARM_BUILD_DIR=${PROJECTPATH}.build
++endif
++ifdef CONTAINER
++	BUILD_ARGS="--destructive-mode"
++endif
++METADATA_FILE="metadata.yaml"
++CHARM_NAME=$(shell cat ${PROJECTPATH}/${METADATA_FILE} | grep -E '^name:' | awk '{print $$2}')
++
++help:
++	@echo "This project supports the following targets"
++	@echo ""
++	@echo " make help - show this text"
++	@echo " make clean - remove unneeded files"
++	@echo " make submodules - make sure that the submodules are up-to-date"
++	@echo " make submodules-update - update submodules to latest changes on remote branch"
++	@echo " make build - build the charm"
++	@echo " make release - run clean, submodules and build targets"
++	@echo " make lint - run flake8 and black --check"
++	@echo " make black - run black and reformat files"
++	@echo " make proof - run charm proof"
++	@echo " make unittests - run the tests defined in the unittest subdirectory"
++	@echo " make functional - run the tests defined in the functional subdirectory"
++	@echo " make test - run lint, proof, unittests and functional targets"
++	@echo ""
++
++clean:
++	@echo "Cleaning files"
++	@git clean -ffXd -e '!.idea'
++	@echo "Cleaning existing build"
++	@rm -rf ${CHARM_BUILD_DIR}/${CHARM_NAME}
++	@charmcraft clean
++	@rm -rf ${PROJECTPATH}/${CHARM_NAME}.charm
++
++submodules:
++	@echo "Cloning submodules"
++	@git submodule update --init --recursive
++
++submodules-update:
++	@echo "Pulling latest updates for submodules"
++	@git submodule update --init --recursive --remote --merge
++
++build: clean submodules-update
++	@echo "Building charm to base directory ${CHARM_BUILD_DIR}/${CHARM_NAME}"
++	@-git rev-parse --abbrev-ref HEAD > ./repo-info
++	@-git describe --always > ./version
++	@charmcraft -v pack ${BUILD_ARGS}
++	@bash -c ./rename.sh
++	@mkdir -p ${CHARM_BUILD_DIR}/${CHARM_NAME}
++	@unzip ${PROJECTPATH}/${CHARM_NAME}.charm -d ${CHARM_BUILD_DIR}/${CHARM_NAME}
++
++release: clean build unpack
++	@echo "Charm is built at ${CHARM_BUILD_DIR}/${CHARM_NAME}"
++
++unpack: build
++	@-rm -rf ${CHARM_BUILD_DIR}/${CHARM_NAME}
++	@mkdir -p ${CHARM_BUILD_DIR}/${CHARM_NAME}
++	@echo "Unpacking built .charm into ${CHARM_BUILD_DIR}/${CHARM_NAME}"
++	@cd ${CHARM_BUILD_DIR}/${CHARM_NAME} && unzip -q ${CHARM_BUILD_DIR}/${CHARM_NAME}.charm
++	# until charmcraft copies READMEs in, we need to publish charms with readmes in them.
++	@cp ${PROJECTPATH}/README.md ${CHARM_BUILD_DIR}/${CHARM_NAME}
++	@cp ${PROJECTPATH}/copyright ${CHARM_BUILD_DIR}/${CHARM_NAME}
++	@cp ${PROJECTPATH}/repo-info ${CHARM_BUILD_DIR}/${CHARM_NAME}
++	@cp ${PROJECTPATH}/version ${CHARM_BUILD_DIR}/${CHARM_NAME}
++
++lint:
++	@echo "Running lint checks"
++	@tox -e lint
++
++black:
++	@echo "Reformat files with black"
++	@tox -e black
++
++proof: unpack
++	@echo "Running charm proof"
++	@charm proof ${CHARM_BUILD_DIR}/${CHARM_NAME}
++
++unittests:
++	@echo "Running unit tests"
++	@tox -e unit
++
++snap:
++	@echo "Downloading snap"
++	snap download juju-lint --basename juju-lint --target-directory tests/functional/tests/resources
++
++functional: build snap
++	@echo "Executing functional tests in ${CHARM_BUILD_DIR}"
++	@CHARM_LOCATION=${PROJECTPATH} tox -e func
++
++test: lint proof unittests functional
++	@echo "Tests completed for charm ${CHARM_NAME}."
++
++# The targets below don't depend on a file
++.PHONY: help submodules submodules-update clean build release lint black proof unittests functional test unpack snap
 diff --git a/README.md b/README.md
 new file mode 100644
 index 0000000..9c8b093
 --- /dev/null
 +++ b/README.md
@@ -0,0 +1,49 @@
++# Juju RO
++
++## Description
++
++A charm to collect and publish sanitized and up to date Juju status outputs and bundle exports.
++
++## Usage
++
++Deploy:
++
++    $ juju deploy ch:juju-ro
++
++Next, create a new readonly juju user and grant `read` access to any Juju model:
++
++    $ juju add-user <user_name>
++    # capture the registration key
++    $ juju grant <user_name> read <model_name>
++
++Example:
++
++    $ juju add-user jujureadonly
++    User "jujureadonly" added
++    Please send this command to jujureadonly:
++        juju register <registration_key>
++
++    "jujureadonly" has not been granted access to any models. You can use "juju grant" to grant access.
++    $ juju grant jujureadonly read openstack
++
++Run `register-user` action on the juju-ro unit using the registration key from the previous step:
++
++    $ juju run-action juju-ro/0 register-user reg-key="<registration_key>" controller-name="<juju_controller_name>" --wait
++
++Files with the sanitized juju model bundles and juju status can be found in the `dumpdirectory` specified in the config, by default:
++
++    $ juju run -u juju-ro/0 -- ls /var/lib/jujureadonly
++    RO-juju-bundle-admin_openstack.txt
++    RO-juju-status-admin_openstack.txt
++
++Files are created and refreshed by the cron job configured by this charm. Refresh interval can be specified by updating the config, for example:
++
++    $ juju config juju-ro interval=15
++
++## Configuration
++
++The following options are available:
++
++* `interval` - specifies how often juju status and bundle will be generated in minutes.
++* `dumpdirectory` - Location of the juju status output and exported bundles.
++* `user` and `group` - User and group name for the local UNIX account that will be used to log in to Juju controller.
 diff --git a/actions.yaml b/actions.yaml
 new file mode 100644
 index 0000000..e975c54
 --- /dev/null
 +++ b/actions.yaml
@@ -0,0 +1,12 @@
++register-user:
++  description: |
++        Register the current user with a registration string.
++  params:
++    reg-key:
++      type: string
++      description: |
++          Registration key for logging into a Juju controller.
++    controller-name:
++      type: string
++      description: |
++          Name to give controller when registering.
 \ No newline at end of file
 diff --git a/charmcraft.yaml b/charmcraft.yaml
 new file mode 100644
 index 0000000..804eb40
 --- /dev/null
 +++ b/charmcraft.yaml
@@ -0,0 +1,14 @@
++type: "charm"
++parts:
++  charm:
++    charm-python-packages: [setuptools<58, pip>19]
++    build-packages: [libffi-dev, rustc, gcc, build-essential, cargo, libssl-dev]
++    prime:
++      - scripts
++bases:
++  - build-on:
++    - name: "ubuntu"
++      channel: "20.04"
++    run-on:
++    - name: "ubuntu"
++      channel: "20.04"
 diff --git a/config.yaml b/config.yaml
 new file mode 100644
 index 0000000..ff36f8c
 --- /dev/null
 +++ b/config.yaml
@@ -0,0 +1,19 @@
++options:
++  # Register readonly user to get juju status and juju bundle
++  user:
++      type: string
++      description: "User to run."
++      default: "jujureadonly"
++  group:
++      type: string
++      description: "Group to run the user as."
++      default: "jujureadonly"
++  dumpdirectory:
++      type: string
++      description: "location to store the juju status output and dump the bundles."
++      default: "/var/lib/jujureadonly"
++  interval:
++      type: int
++      default: 30
++      description: |
++          Specifies how often to generate juju status and bundle in minutes.
 diff --git a/lib/charms/juju_ro/v0/lib_juju_addons.py b/lib/charms/juju_ro/v0/lib_juju_addons.py
 new file mode 100644
 index 0000000..6458fae
 --- /dev/null
 +++ b/lib/charms/juju_ro/v0/lib_juju_addons.py
@@ -0,0 +1,535 @@
++#!/usr/bin/env python3
++# Copyright 2022 Canonical Ltd.
++# See LICENSE file for licensing details.
++
++"""Shared library for charms interacting with Juju controllers."""
++
++import pathlib
++import re
++import subprocess
++from subprocess import PIPE
++import logging
++import json
++import math
++import sys
++
++import yaml
++
++from juju import loop  # noqa E402
++from juju.model import Model  # noqa E402
++from juju.controller import Controller
++from juju.status import formatted_status
++from charmhelpers.core import host
++
++logger = logging.getLogger(__name__)
++
++# The unique Charmhub library identifier, never change it
++LIBID = "f846c7b4b30347f9816a1230ae805c9f"
++
++# Increment this major API version when introducing breaking changes
++LIBAPI = 0
++
++# Increment this PATCH version before using `charmcraft publish-lib` or reset
++# to 0 if you are raising the major API version
++LIBPATCH = 1
++
++MAX_FRAME_SIZE = 2**25
++MASK_KEYS = (
++    "(.*(ssl-public-key|ssl[_-](ca|cert|key|chain)|secret|password|"
++    "pagerduty_key|license-file|registration-key|token|accesskey|"
++    r"private-ppa|(http|https)://.*:.+\@|os-credentials).*)|key|"
++    "ldaps://.*|livepatch_key|tls-ca-ldap|"
++    "lb-mgmt.*(cacert|cert|private-key|passphrase)"
++)
++EMPTY_KEY_PLACE_HOLDER = "__EMPTY_KEY_PLACE_HOLDER__"
++BASE64_CHARS = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="
++HEX_CHARS = "1234567890abcdefABCDEF"
++
++
++class RegistrationError(Exception):
++    """Juju user registartion error."""
++
++    pass
++
++
++def register_juju_user(local_user, juju_reg_key, juju_controller_name):
++    """Register Juju controller using a local user account."""
++    pw = host.pwgen()
++    # TODO: Sometimes a third password input is required when adding
++    #       a controller and one already exists. This should revisited
++    #       when multi-controller support is added.
++    cmd = ["sudo", "-u", local_user, "juju", "register", juju_reg_key]
++    output = subprocess.run(
++        cmd,
++        input=f"{pw}\n{pw}\n{juju_controller_name}\n",
++        universal_newlines=True,
++        stderr=subprocess.STDOUT,
++    )
++
++    if output.returncode != 0:
++        msg = "User registration failed, please investigate logs"
++        raise RegistrationError(msg)
++
++    # save the password so we can authenticate with it going forward
++    juju_dir = f"/home/{local_user}/.local/share/juju"
++    accounts_file = f"{juju_dir}/accounts.yaml"
++    with open(accounts_file, "r") as f:
++        accounts = yaml.safe_load(f)
++    accounts["controllers"][juju_controller_name]["password"] = pw
++    # TODO: add better error handling
++    with open(accounts_file, "w") as f:
++        yaml.dump(accounts, f)
++
++    logger.info(f"Password saved for {juju_controller_name}")
++
++
++class Paths:
++    """Namespace for path constants."""
++
++    RO_SCRIPT_NAME = "auto_jujuro.py"
++    CRON_FILE_NAME = "/etc/cron.d/juju_ro"
++    USR_LOCAL = pathlib.Path("/usr/local")
++    SANITIZED_SCRIPT_PATH = USR_LOCAL / f"bin/{RO_SCRIPT_NAME}"
++    SANITIZED_CRONTAB_PATH = pathlib.Path(CRON_FILE_NAME)
++
++
++class Bundle:
++    """Bundle class to provide sanitizer function."""
++
++    def __init__(self, input_bundle, masks):  # noqa C901
++        """Init bundle class."""
++        self.secret_regex = re.compile(masks["secrets"])
++        self.input_bundle = input_bundle
++        self.common_bundle = {"applications": {}, "relations": [], "machines": {}}
++        self.secrets_bundle = {"applications": {}}
++        # No secrets in some parts of the bundle
++        # placements get difficult unless machines are copied
++        for key in ["series", "relations", "machines"]:
++            if key in input_bundle.keys():
++                self.common_bundle[key] = input_bundle[key]
++        for app in input_bundle["applications"].keys():
++            app_data = {}
++            secret_data = {}
++            settings = input_bundle["applications"][app]
++            for param in settings.keys():
++                param_value = settings[param]
++                if param in ["annotations"]:
++                    continue
++                if param in ["options"]:  # This might want extracting
++                    for option in param_value.keys():
++                        option_value = param_value[option]
++                        if "options" not in app_data.keys():
++                            app_data["options"] = {}
++                        if self.secret_regex.match(option):
++                            if "options" not in secret_data.keys():
++                                secret_data["options"] = {}
++                            secret_data["options"][option] = option_value
++                            app_data["options"][option] = "[REDACTED]"
++                        else:
++                            app_data["options"][option] = option_value
++                else:
++                    if param == "bindings":
++                        # in bindings, option with empty key like `"": internal-space`
++                        # is allowed. however, yaml will consider empty key as
++                        # complex mapping key and dump it to `? ''\n: internal-space`
++                        # here we replace the empty key to a placeholder to bypass
++                        # this issue it will be replaced back after dumped
++                        # ref: https://yaml.org/spec/1.2/spec.html#id2760695
++                        if "" in param_value:
++                            param_value[EMPTY_KEY_PLACE_HOLDER] = param_value[""]
++                            del param_value[""]
++                    app_data[param] = param_value
++                self.common_bundle["applications"][app] = app_data
++                if len(secret_data.keys()) > 0:
++                    self.secrets_bundle["applications"][app] = secret_data
++
++    def get_common_bundle(self):
++        """Return the common info only."""
++        if self.__check_for_entropy_in_dict(self.common_bundle):
++            logger.warning("Some entropy was found in the common bundle")
++        common_bundle = self.common_bundle
++        return common_bundle
++
++    def get_secrets_bundle(self):
++        """Return the bunlde includes secrets."""
++        return self.secrets_bundle
++
++    def __shannon_entropy(self, data, iterator):
++        """
++        Borrowed from.
++
++        http://blog.dkbza.org/2007/05/scanning-data-for-entropy-anomalies.html.
++        """
++        if not data:
++            return 0
++        entropy = 0
++        for x in iterator:
++            p_x = float(data.count(x)) / len(data)
++            if p_x > 0:
++                entropy += -p_x * math.log(p_x, 2)
++        return entropy
++
++    def __get_strings_of_set(self, word, char_set, threshold=8):
++        count = 0
++        letters = ""
++        strings = []
++        for char in word:
++            if char in char_set:
++                letters += char
++                count += 1
++            else:
++                if count > threshold:
++                    strings.append(letters)
++                letters = ""
++                count = 0
++        if count > threshold:
++            strings.append(letters)
++        return strings
++
++    def __check_for_entropy_in_dict(self, bundle):
++        lines = yaml.dump(bundle).split("\n")
++        strings_found = []
++        entropy_found = False
++        for line in lines:
++            for word in line.split():
++                base64_strings = self.__get_strings_of_set(word, BASE64_CHARS)
++                hex_strings = self.__get_strings_of_set(word, HEX_CHARS)
++                for string in base64_strings:
++                    b64_entropy = self.__shannon_entropy(string, BASE64_CHARS)
++                    if b64_entropy > 3.8:
++                        strings_found.append(string)
++                        entropy_found = True
++                        logger.warning(
++                            "WARNING! Entropy found in string " '"{}"'.format(string)
++                        )
++                for string in hex_strings:
++                    hex_entropy = self.__shannon_entropy(string, HEX_CHARS)
++                    if hex_entropy > 3:
++                        strings_found.append(string)
++                        entropy_found = True
++                        logger.warning(
++                            "WARNING! Entropy found in string " '"{}"'.format(string)
++                        )
++
++        if len(strings_found) != 0:
++            logger.error(
++                "ERROR!!! Check output file for entropy warnings, " "may not be secure."
++            )
++
++        return entropy_found
++
++
++def juju_get_models():
++    """Get juju models."""
++    models = get_juju_models()
++    return models
++
++
++def juju_get_status(
++    model_name=None,
++    keep_relations_info=False,
++    jsfy=False,
++    format_status=False,
++    filename=None,
++    add_charm_config=False,
++):
++    """Get juju status in a named model."""
++    juju_status = loop.run(
++        get_juju_status(
++            model_name,
++            keep_relations_info,
++            jsfy,
++            format_status,
++            filename,
++            add_charm_config,
++        )
++    )
++    return juju_status
++
++
++def juju_get_bundle(model_name, filename=None, sanitized=False):
++    """Get juju bundle."""
++    juju_bundle = loop.run(get_juju_bundle(model_name, filename, sanitized))
++    return juju_bundle
++
++
++def juju_get_mode_config(model_name):
++    """Get juju model config."""
++    model_config = loop.run(get_juju_model_config(model_name))
++    return model_config
++
++
++def juju_get_machines(model_name):
++    """Get juju machines in a model."""
++    machines = loop.run(get_juju_machines(model_name))
++    return machines
++
++
++def sanitized_bundle(bundle_file, out_file):
++    """Sanitize bundle to get rid of secret info."""
++    masks = {"secrets": MASK_KEYS}  # this is a dict so we can add things later
++    with open(bundle_file, "r") as in_file:
++        bundle = readyaml(in_file)
++        entire_bundle = Bundle(bundle, masks)
++        grab_out = {
++            "common": entire_bundle.get_common_bundle,
++            "secrets": entire_bundle.get_secrets_bundle,
++        }
++        output = yaml.dump(grab_out["common"](), default_flow_style=False)
++        with open(out_file, "w") as f:
++            print(output.replace(EMPTY_KEY_PLACE_HOLDER, '""'), file=f)
++
++
++class JujuModel:
++    """Context manager that connects and disconnects from the currently active model."""
++
++    def __init__(self, model_name=None) -> None:
++        """Init JujuModel."""
++        self._model = None
++        self.model_name = model_name
++
++    async def __aenter__(self):
++        """Set up model connection."""
++        self._model = Model(max_frame_size=MAX_FRAME_SIZE)
++        await self._model.connect(model_name=self.model_name)
++        return self._model
++
++    async def __aexit__(self, exc_type, exc, tb):
++        """Disconnet model."""
++        await self._model.disconnect()
++
++
++class JujuController:
++    """Context manager connects and disconnects from the current controller."""
++
++    def __init__(self) -> None:
++        """Init Juju controller."""
++        self._controller = None
++
++    async def __aenter__(self):
++        """Set up juju controller connection."""
++        self._controller = Controller()
++        await self._controller.connect()
++        return self._controller
++
++    async def __aexit__(self, exc_type, exc, tb):
++        """Disconnect juju controller."""
++        await self._controller.disconnect()
++
++
++def read_json_file(path):
++    """Read json file."""
++    with open(path) as fp:
++        return json.load(fp)
++
++
++# internal functions
++def get_juju_models():
++    """Controller.list_models requires superuser permission to list models.
++
++    there is a bug for it, see following link. Need to update the code to use libjuju
++    to get models once the bug is fixed.
++    https://github.com/juju/python-libjuju/issues/624.
++    """
++    cmd = (
++        r"juju models --quiet | "
++        r"awk '{{print $1}}' | egrep -v '(Controller|Model)' | sed -e 's/\*//'"
++    )
++    logger.info(cmd)
++    output = subprocess.run(cmd, stdout=PIPE, stderr=PIPE, shell=True)
++    if output.returncode != 0:
++        logger.error(f"juju models failed with: {output}")
++        return None
++    return list(output.stdout.decode().split())
++
++
++# async def get_juju_models():
++# """Use this function to get juju model once the following bug was fixed.
++# https://github.com/juju/python-libjuju/issues/624
++# """
++#     async with JujuController() as controller:
++#         models = await controller.list_models()
++#         return models
++
++
++async def get_juju_machines(model_name):
++    """Get juju model machines."""
++    result = []
++    async with JujuModel(model_name) as model:
++        machines = model.machines.values()
++        for m in machines:
++            result.append(m.data)
++        return result
++
++
++async def get_juju_model_config(model_name):
++    """Get juju model config."""
++    async with JujuModel(model_name) as model:
++        model_config = await model.get_config()
++        return model_config
++
++
++async def get_juju_bundle(model_name, filename, sanitized):
++    """Get juju bundle."""
++    async with JujuModel(model_name) as model:
++        juju_bundle = await model.export_bundle(filename)
++        if sanitized:
++            sanitized_bundle(filename, filename)
++        return juju_bundle
++
++
++async def get_juju_status(
++    model_name,
++    keep_relations_info,
++    jsfy,
++    format_status,
++    filename,
++    add_charm_config,
++):
++    """Get juju status."""
++    async with JujuModel(model_name) as model:
++        juju_status = ""
++        try:
++            if format_status:
++                juju_status = await formatted_status(model)
++            else:
++                juju_status = await model.get_status()
++                juju_status = process_juju_status(
++                    juju_status, keep_relations_info, jsfy
++                )
++                if add_charm_config:
++                    # inject the charm config into the status, so juju-lint
++                    # can check the "config" rules
++                    juju_status = await add_charm_config_to_juju_status(
++                        juju_status, model
++                    )
++        except Exception as e:
++            logger.error(
++                "Failed to get juju status for model {}, {}".format(model_name, str(e))
++            )
++        if filename:
++            write_file(filename, juju_status)
++        return juju_status
++
++
++async def add_charm_config_to_juju_status(juju_status, model):
++    """Add the charm configuration to the juju status output."""
++    for app_name, status_app in juju_status["applications"].items():
++        model_app = model.applications[app_name]
++        model_app_config = await model_app.get_config()
++
++        # Collect all manual/default config settings
++        # this similar to juju export-bundle --include-charm-defaults
++        status_app_config = {}
++        for k, v in model_app_config.items():
++            if v["source"] != "unset":
++                try:
++                    status_app_config[k] = v["value"]
++                except KeyError as error:
++                    logging.error(
++                        'missing info for app: "{}", key: "{}", val: "{}"'.format(
++                            app_name, k, v
++                        )
++                    )
++                    raise error
++
++        juju_status["applications"][app_name]["options"] = status_app_config
++
++    return juju_status
++
++
++def write_file(path, text, mode="w"):
++    """Write json file."""
++    with open(path, mode) as fp:
++        fp.write(text)
++
++
++def process_juju_status(juju_status, keep_relations_info, jsfy):
++    """Convert an application status structure to the one expected by juju-lint."""
++    juju_status_serial = juju_status.serialize()
++
++    # drop the "relations" key, otherwise juju-lint will not do the status
++    # checks (assumes this is just a bundle)
++    if not keep_relations_info:
++        juju_status_serial.pop("relations", None)
++
++    # convert the output format to jsfy-style as expected by juju-lint
++    if jsfy:
++        convert_libjuju_to_jsfy(juju_status_serial)
++
++    return juju_status_serial
++
++
++def convert_libjuju_to_jsfy(juju_status):
++    """
++    Perform the conversion between the libjuju output and the jsfy output.
++
++    There are some differences between the output of libjuju and
++    and `juju status --format yaml`, see bug reports below for
++    details. This function acts like a "shim" to convert between the
++    two formats. When the bugs are resolved this can be removed
++
++    https://github.com/juju/python-libjuju/issues/500
++    https://bugs.launchpad.net/juju/+bug/1930184
++    """
++    # perform machine conversion
++    if "machines" in juju_status:
++        for machine_name, machine_struct in juju_status["machines"].items():
++            machine_dict = machine_struct.serialize()
++            remap_instance_dict(
++                machine_dict,
++                {"instance-status": "machine-status", "agent-status": "juju-status"},
++            )
++            juju_status["machines"][machine_name] = machine_dict
++
++    # perform application and unit conversion
++    if "applications" in juju_status:
++        for app_name, app_struct in juju_status["applications"].items():
++            app_dict = app_struct.serialize()
++            remap_instance_dict(app_dict, {"status": "application-status"})
++
++            for unit_name, unit_struct in app_dict["units"].items():
++                unit_dict = app_dict["units"][unit_name] = unit_struct.serialize()
++                remap_instance_dict(
++                    unit_dict,
++                    {
++                        "workload-status": "workload-status",
++                        "agent-status": "juju-status",
++                    },
++                )
++
++                for subord_name, subord_struct in unit_dict["subordinates"].items():
++                    subord_dict = unit_dict["subordinates"][
++                        subord_name
++                    ] = subord_struct.serialize()
++                    remap_instance_dict(
++                        subord_dict,
++                        {
++                            "workload-status": "workload-status",
++                            "agent-status": "juju-status",
++                        },
++                    )
++            juju_status["applications"][app_name] = app_dict
++
++    return juju_status
++
++
++def remap_instance_dict(instance_dict, mapping_dict):
++    """Convert an unit status structure to the one expected by juju-lint."""
++    for from_key, to_key in mapping_dict.items():
++        if from_key in instance_dict:
++            instance_status = instance_dict[to_key] = instance_dict.pop(
++                from_key
++            ).serialize()
++            instance_status["message"] = instance_status.pop("info")
++            instance_status["current"] = instance_status.pop("status")
++
++
++def readyaml(stream):
++    """Read yaml file."""
++    try:
++        myyaml = yaml.safe_load(stream.read())
++    except yaml.YAMLError as exc:
++        msg = "Failed to read yaml with {}".format(exc)
++        sys.exit(msg)
++    return myyaml
 diff --git a/metadata.yaml b/metadata.yaml
 new file mode 100644
 index 0000000..dbaa9be
 --- /dev/null
 +++ b/metadata.yaml
@@ -0,0 +1,13 @@
++name: juju-ro
++display-name: Juju RO
++maintainer: BootStack Charmers <bootstack-charmers@lists.canonical.com>
++summary: |
++  A charm to collect and publish sanitized and up to date Juju status outputs and bundle exports.
++description: |
++  A charm to collect and publish sanitized and up to date Juju status outputs and bundle exports.
++tags:
++  - ops
++series:
++  - focal
++  - bionic
++subordinate: false
 diff --git a/rename.sh b/rename.sh
 new file mode 100755
 index 0000000..956a76b
 --- /dev/null
 +++ b/rename.sh
@@ -0,0 +1,13 @@
++#!/bin/bash
++charm=$(grep -E "^name:" metadata.yaml | awk '{print $2}')
++echo "renaming ${charm}_*.charm to ${charm}.charm"
++echo -n "pwd: "
++pwd
++ls -al
++echo "Removing previous charm if it exists"
++if [[ -e "${charm}.charm" ]];
++then
++    rm "${charm}.charm"
++fi
++echo "Renaming charm here."
++mv ${charm}_*.charm ${charm}.charm
 diff --git a/requirements-dev.txt b/requirements-dev.txt
 new file mode 100644
 index 0000000..4f2a3f5
 --- /dev/null
 +++ b/requirements-dev.txt
@@ -0,0 +1,3 @@
++-r requirements.txt
++coverage
++flake8
 diff --git a/requirements.txt b/requirements.txt
 new file mode 100644
 index 0000000..5bb7c92
 --- /dev/null
 +++ b/requirements.txt
@@ -0,0 +1,3 @@
++ops >= 1.4.0
++charmhelpers
++juju
 diff --git a/scripts/templates/auto_jujuro.py b/scripts/templates/auto_jujuro.py
 new file mode 100644
 index 0000000..bfff447
 --- /dev/null
 +++ b/scripts/templates/auto_jujuro.py
@@ -0,0 +1,80 @@
++#!/usr/bin/env python3
++# Copyright 2022 Canonical
++# See LICENSE file for licensing details.
++
++"""Automatically grab juju status output and juju sanitized bundle."""
++import sys
++import os
++import logging
++import argparse
++from os.path import join
++
++
++# The path below is templated in during charm install
++sys.path.append("REPLACE_CHARMDIR/venv")
++sys.path.append("REPLACE_CHARMDIR/lib")
++
++from charms.juju_ro.v0.lib_juju_addons import (  # noqa E402
++    juju_get_models,
++    juju_get_status,
++    juju_get_bundle,
++)
++
++
++PID_FILENAME = "/tmp/auto_jujuro.pid"
++
++logger = logging.getLogger(__name__)
++
++
++def main():
++    """Call main function."""
++    parser = argparse.ArgumentParser(
++        description="Grab juju status and sanitized bundle output."
++    )
++
++    parser.add_argument(
++        "-d",
++        "--dump-directory",
++        dest="dumpdir",
++        required=True,
++        help="location to store the juju status output and dump the bundles.",
++    )
++
++    args = parser.parse_args()
++
++    # Ensure a single instance via a simple pidfile
++    pid = str(os.getpid())
++
++    if os.path.isfile(PID_FILENAME):
++        sys.exit("{} already exists, exiting".format(PID_FILENAME))
++
++    with open(PID_FILENAME, "w") as f:
++        f.write(pid)
++
++    for model in juju_get_models():
++        try:
++            juju_status_file = join(
++                args.dumpdir, f"RO-juju-status-{model.replace('/','_')}.txt"
++            )
++            juju_get_status(
++                model_name=model, format_status=True, filename=juju_status_file
++            )
++        except Exception as e:
++            logger.error(
++                "failed to get juju status for model {}, {}".format(model, str(e))
++            )
++
++    for model in juju_get_models():
++        try:
++            bundle_file = join(
++                args.dumpdir, f"RO-juju-bundle-{model.replace('/','_')}.txt"
++            )
++            juju_get_bundle(model_name=model, filename=bundle_file)
++        except Exception as e:
++            logger.error("failed to get bundle for model {}, {}".format(model, str(e)))
++
++    os.unlink(PID_FILENAME)
++
++
++if __name__ == "__main__":
++    main()
 diff --git a/src/charm.py b/src/charm.py
 new file mode 100755
 index 0000000..eb213f6
 --- /dev/null
 +++ b/src/charm.py
@@ -0,0 +1,181 @@
++#!/usr/bin/env python3
++# Copyright 2022 Canonical
++# See LICENSE file for licensing details.
++#
++# Learn more at: https://juju.is/docs/sdk
++
++"""Collect and santize Juju status and bundles.
++
++A charm to collect and publish sanitized and up to date Juju status
++outputs and bundle exports.
++"""
++
++import pathlib
++import os
++import logging
++
++from ops.charm import CharmBase
++from ops.framework import StoredState
++from ops.main import main
++from ops.model import ActiveStatus, BlockedStatus
++from charmhelpers.fetch import snap
++from charmhelpers.core import hookenv, host
++
++from charms.juju_ro.v0.lib_juju_addons import (
++    Paths,
++    register_juju_user,
++    RegistrationError,
++)
++
++logger = logging.getLogger(__name__)
++
++
++class JujuROHelper:
++    """Juju Sanitizer helper object."""
++
++    def __init__(self, model):
++        """Construct the helper."""
++        self.model = model
++        self.charm_config = model.config
++
++    def update_crontab(self, user, frequency, dumpdir):
++        """Update crontab at /etc/cron.d/juju-ro."""
++        cron_job = (
++            "PATH=/usr/bin:/bin:/snap/bin\n"
++            "*/{} * * * * {} {} -d {} > /tmp/juju_ro.log 2>&1\n".format(
++                frequency,
++                user,
++                Paths.SANITIZED_SCRIPT_PATH,
++                dumpdir,
++            )
++        )
++        with Paths.SANITIZED_CRONTAB_PATH.open("w") as fp:
++            fp.write(cron_job)
++
++    def delete_crontab(self):
++        """Delete cron tab."""
++        if os.path.exists(Paths.SANITIZED_CRONTAB_PATH):
++            os.unlink(Paths.SANITIZED_CRONTAB_PATH)
++
++    def install_snap(self):
++        """Install juju snap."""
++        snaps = ["juju"]
++        snap_flags = "--classic"
++        snap.snap_install(snaps, snap_flags)
++
++    def install_scripts(self):
++        """Install scripts."""
++        charm_dir = pathlib.Path(hookenv.charm_dir())
++        scripts_dir = charm_dir / "scripts"
++        templates_dir = scripts_dir / "templates"
++
++        # Create the auto_jujuro.py script from the template with
++        # the right permissions
++        with open(str(templates_dir / Paths.RO_SCRIPT_NAME)) as f:
++            auto_template = f.read()
++
++        sanitizer_juju_script = auto_template.replace(
++            "REPLACE_CHARMDIR", str(charm_dir)
++        )
++
++        with open(str(Paths.SANITIZED_SCRIPT_PATH), "w") as f:
++            f.write(sanitizer_juju_script)
++
++        os.chmod(str(Paths.SANITIZED_SCRIPT_PATH), 0o755)
++
++
++class JujuRoCharm(CharmBase):
++    """Collect and santize Juju status and bundles."""
++
++    state = StoredState()
++
++    def __init__(self, *args):
++        super().__init__(*args)
++        self.framework.observe(self.on.install, self.on_install)
++        self.framework.observe(self.on.upgrade_charm, self.on_upgrade_charm)
++        self.framework.observe(self.on.config_changed, self.on_config_changed)
++        self.framework.observe(self.on.update_status, self.update_status)
++        self.framework.observe(self.on.register_user_action, self.register_user)
++        self.jujuro_helper = JujuROHelper(self.model)
++        self.state.set_default(
++            installed=False,
++            user_registered=False,
++        )
++        self.ctxt = {
++            "user": self.model.config["user"],
++            "group": self.model.config["group"],
++            "dumpdir": self.model.config["dumpdirectory"],
++            "interval": self.model.config["interval"],
++        }
++        self.logger = logging.getLogger(__name__)
++
++    def on_install(self, event):
++        """Install juju snap and cron scripts."""
++        self.jujuro_helper.install_snap()
++        self.jujuro_helper.install_scripts()
++        self.state.installed = True
++        self.update_status(event)
++
++    def on_upgrade_charm(self, event):
++        """Handle upgrade and resource updates."""
++        # Reinstall snaps and scripts
++        logging.info("upgrade-charm: reinstall")
++        self.jujuro_helper.install_snap()
++        self.jujuro_helper.install_scripts()
++        self.update_status(event)
++
++    def config_juju_readonly_user(self):
++        """Need home dir to configure juju read only user."""
++        host.add_group(self.ctxt["group"])
++        host.adduser(
++            self.ctxt["user"],
++            primary_group=self.ctxt["group"],
++            shell="/bin/bash",
++            password=host.pwgen(),  # don't save it, not needed
++            home_dir=f"/home/{self.ctxt['user']}",
++        )
++
++        host.mkdir(
++            self.ctxt["dumpdir"],
++            owner=self.ctxt["user"],
++            group=self.ctxt["group"],
++            perms=0o700,
++            force=True,
++        )
++
++    def on_config_changed(self, event):
++        """Reconfigure charm."""
++        self.config_juju_readonly_user()
++        self.jujuro_helper.update_crontab(
++            self.ctxt["user"], self.ctxt["interval"], self.ctxt["dumpdir"]
++        )
++        self.update_status(event)
++
++    def update_status(self, _):
++        """Asses the current status of the unit."""
++        if self.state.user_registered:
++            self.unit.status = ActiveStatus("Ready")
++        elif self.state.installed:
++            self.unit.status = BlockedStatus("Juju read-only user not registered")
++
++    def register_user(self, event):
++        """Register juju user using registration key."""
++        try:
++            register_juju_user(
++                self.ctxt["user"],
++                event.params["reg-key"],
++                event.params["controller-name"],
++                # TODO: validate if controller_name has acceptable input
++            )
++            self.logger.info("juju registration successful")
++            self.state.user_registered = True
++            self.unit.status = ActiveStatus("Ready")
++        except RegistrationError as err:
++            self.logger.error(f"juju registration failed: {str(err)}")
++            msg = "User registration failed, please investigate logs"
++            self.unit.status = BlockedStatus(msg)
++            return
++
++
++if __name__ == "__main__":
++    main(JujuRoCharm)
 diff --git a/tests/__init__.py b/tests/__init__.py
 new file mode 100644
 index 0000000..c5e3156
 --- /dev/null
 +++ b/tests/__init__.py
@@ -0,0 +1,3 @@
++import ops.testing
++
++ops.testing.SIMULATE_CAN_CONNECT = True
 diff --git a/tests/test_charm.py b/tests/test_charm.py
 new file mode 100644
 index 0000000..0529d5d
 --- /dev/null
 +++ b/tests/test_charm.py
@@ -0,0 +1,12 @@
++# Copyright 2022 Canonical
++# See LICENSE file for licensing details.
++#
++# Learn more about testing at: https://juju.is/docs/sdk/testing
++
++import unittest
++
++
++class TestCharm(unittest.TestCase):
++    """Test charm."""
++
++    pass
 diff --git a/tests/unit/files/juju_bundle.yaml b/tests/unit/files/juju_bundle.yaml
 new file mode 100644
 index 0000000..2e139e6
 --- /dev/null
 +++ b/tests/unit/files/juju_bundle.yaml
@@ -0,0 +1,70 @@
++series: focal
++saas:
++  dashboards:
++    url: foundations-maas:admin/lma.dashboards
++  grafana:
++    url: foundations-maas:admin/lma.grafana
++  graylog:
++    url: foundations-maas:admin/lma.graylog-beats
++  landscape-server:
++    url: foundations-maas:admin/lma.landscape-server
++  nagios:
++    url: foundations-maas:admin/lma.nagios-monitors
++  prometheus:
++    url: foundations-maas:admin/lma.prometheus-target
++  prometheus-rules:
++    url: foundations-maas:admin/lma.prometheus-rules
++  prometheus-target:
++    url: foundations-maas:admin/lma.prometheus-target
++applications:
++  aodh:
++    charm: cs:aodh-46
++    num_units: 3
++    to:
++    - lxd:6
++    - lxd:7
++    - lxd:8
++    options:
++      openstack-origin: distro
++      os-admin-hostname: aodh-admin.example.com
++      os-internal-hostname: aodh-internal.example.com
++      os-public-hostname: aodh.example.com
++      region: example
++      ssl_cert: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUdUVENDQlRXZ0F3SUJBZ0lRQWp5UUl2MzU1YTdjd1VZWTBYNE1FekFOQmdrcWhraUc5dzBCQVFzRkFEQlAKTVFzd0NRWURWUVFHRXdKVlV6RVZNQk1HQTFVRUNoTU1SR2xuYVVObGNuUWdTVzVqTVNrd0p3WURWUVFERXlCRQphV2RwUTJWeWRDQlVURk1nVWxOQklGTklRVEkxTmlBeU1ESXdJRU5CTVRBZUZ3MHlNREV4TVRjd01EQXdNREJhCkZ3MHlNVEV4TWpFeU16VTVOVGxhTUZveEN6QUpCZ05WQkFZVEFrZENNUTh3RFFZRFZRUUhFd1pNYjI1a2IyNHgKSERBYUJnTlZCQW9URTBOaGJtOXVhV05oYkNCSGNtOTFjQ0JNZEdReEhEQWFCZ05WQkFNTUV5b3VjSE0xTG1OaApibTl1YVdOaGJDNWpiMjB3Z2dFaU1BMEdDU3FHU0liM0RRRUJBUVVBQTRJQkR3QXdnZ0VLQW9JQkFRRHJXUWxPCldsUXNpK1VIWG1wTlIvYVBWVjJ6ZWIrcklKY2l0d3ZwcDBsODJraDU2Y
++      use-internal-endpoints: true
++      vip: 1.1.48.20 1.1.52.20 1.1.56.20
++      worker-multiplier: 0.25
++    bindings:
++      "": oam-space
++      admin: admin-space
++      amqp: oam-space
++      certificates: oam-space
++      cluster: oam-space
++      ha: oam-space
++      identity-service: oam-space
++      internal: internal-space
++      mongodb: oam-space
++      public: public-space
++      shared-db: admin-space
++  aodh-mysql-router:
++    charm: cs:mysql-router-6
++    bindings:
++      "": oam-space
++      certificates: oam-space
++      db-router: admin-space
++      juju-info: oam-space
++      shared-db: oam-space
++  barbican:
++    charm: cs:barbican-36
++    num_units: 3
++    to:
++    - lxd:3
++    - lxd:4
++    - lxd:5
++    options:
++      openstack-origin: distro
++      os-admin-hostname: barbican-admin.example.com
++      os-internal-hostname: barbican-internal.example.com
++      os-public-hostname: barbican.example.com
++      region: example
++      ssl_cert: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUdUVENDQlRXZ0F3SUJBZ0lRQWp5UUl2MzU1YTdjd1VZWTBYNE1FekFOQmdrcWhraUc5dzBCQVFzRkFEQlAKTVFzd0NRWURWUVFHRXdKVlV6RVZNQk1HQTFVRUNoTU1SR2xuYVVObGNuUWdTVzVqTVNrd0p3WURWUVFERXlCRQphV2RwUTJWeWRDQlVURk1nVWxOQklGTklRVEkxTmlBeU1ESXdJRU5CTVRBZUZ3MHlNREV4TVRjd01EQXdNREJhCkZ3MHlNVEV4TWpFeU16VTVOVGxhTUZveEN6QUpCZ05WQkFZVEFrZENNUTh3RFFZRFZRUUhFd1pNYjI1a2IyNHgKSERBYUJnTlZCQW9URTBOaGJtOXVhV05oYkNCSGNtOTFjQ0JNZEdReEhEQWFCZ05WQkFNTUV5b3VjSE0xT
 \ No newline at end of file
 diff --git a/tests/unit/requirements.txt b/tests/unit/requirements.txt
 new file mode 100644
 index 0000000..fd430bd
 --- /dev/null
 +++ b/tests/unit/requirements.txt
@@ -0,0 +1,6 @@
++mock
++pyyaml
++six
++jinja2
++coverage
++juju
 diff --git a/tests/unit/test_lib_juju_addons.py b/tests/unit/test_lib_juju_addons.py
 new file mode 100644
 index 0000000..ca87659
 --- /dev/null
 +++ b/tests/unit/test_lib_juju_addons.py
@@ -0,0 +1,29 @@
++"""lib_juju_addons.py unittests."""
++import os
++import unittest
++from os.path import join
++
++from charms.juju_ro.v0.lib_juju_addons import (
++    sanitized_bundle,
++)
++
++
++class TestLibJujuAddons(unittest.TestCase):
++    """test class for lib_juju_addons.py."""
++
++    def test_sanitized_bundle(self):
++        """Test that no secret info in the output."""
++        file_path = "tests/unit/files"
++        test_file = join(file_path, "juju_bundle.yaml")
++        out_file = join(file_path, "sanitized_bundle.yaml")
++        sanitized_bundle(test_file, out_file)
++        with open(out_file, "r") as f:
++            line = f.readline()
++            while line:
++                kv = line.split(":")
++                k = kv[0]
++                v = kv[-1]
++                if k == "ssl_cert":
++                    assert v == "[REDACTED]"
++                line = f.readline()
++        os.unlink(out_file)
 diff --git a/tox.ini b/tox.ini
 new file mode 100644
 index 0000000..5ca9012
 --- /dev/null
 +++ b/tox.ini
@@ -0,0 +1,89 @@
++[tox]
++skipsdist=True
++skip_missing_interpreters = True
++envlist = lint, unit, func
++
++[testenv]
++basepython = python3
++setenv =
++  PYTHONPATH = {toxinidir}:{toxinidir}/lib/:{toxinidir}/hooks/
++passenv =
++  HOME
++  PATH
++  CHARM_*
++  OS_*
++  MODEL_SETTINGS
++  HTTP_PROXY
++  HTTPS_PROXY
++  NO_PROXY
++  SNAP_HTTP_PROXY
++  SNAP_HTTPS_PROXY
++
++[testenv:build]
++deps = charmcraft<1.1.0
++commands = charmcraft build
++
++[testenv:lint]
++commands =
++    flake8 {posargs} src tests lib scripts
++    black --check --exclude "/(\.eggs|\.git|\.tox|\.venv|\.build|build|dist|charmhelpers|mod)/" .
++deps =
++    black
++    flake8
++    flake8-docstrings
++    flake8-import-order
++    pep8-naming
++    flake8-colors
++
++
++[testenv:black]
++commands =
++    black --exclude "/(\.eggs|\.git|\.tox|\.venv|\.build|build|dist|charmhelpers|mod)/" .
++deps =
++    black
++
++[testenv:unit]
++commands =
++    coverage run -m unittest discover -s {toxinidir}/tests/unit -v
++    coverage report --omit tests/*,mod/*,.tox/*
++    coverage html --omit tests/*,mod/*,.tox/*
++deps = -r{toxinidir}/tests/unit/requirements.txt
++       -r{toxinidir}/requirements.txt
++
++[testenv:func]
++changedir = {toxinidir}/tests/functional
++deps = -r{toxinidir}/tests/functional/requirements.txt
++commands = functest-run-suite --keep-faulty-model {posargs}
++
++
++[testenv:func-smoke]
++changedir = {toxinidir}/tests/functional
++deps = -r{toxinidir}/tests/functional/requirements.txt
++commands = functest-run-suite --keep-model --smoke
++
++[testenv:func-dev]
++changedir = {toxinidir}/tests/functional
++deps = -r{toxinidir}/tests/functional/requirements.txt
++commands = functest-run-suite --keep-model --dev
++
++[testenv:func-target]
++changedir = {toxinidir}/tests/functional
++deps = -r{toxinidir}/tests/functional/requirements.txt
++commands = functest-run-suite --keep-model --bundle {posargs}
++
++[flake8]
++exclude =
++    .git,
++    __pycache__,
++    .tox,
++    .build,
++    build
++
++ignore = D100, D104, D107
++
++max-line-length = 88
++max-complexity = 10
++
++# flake8-import-order configurations
++import-order-style = pep8
++application-import-names = src.charm,charms.juju_ro.v0.lib_juju_addons