Skip to content

Commit

Permalink
Store authentication keys in a separate database
Browse files Browse the repository at this point in the history
Signed-off-by: gatici <[email protected]>
  • Loading branch information
gatici committed Feb 23, 2024
1 parent 2fc391b commit b657fcc
Show file tree
Hide file tree
Showing 7 changed files with 312 additions and 132 deletions.
3 changes: 2 additions & 1 deletion README.md
Original file line number Diff line number Diff line change
Expand Up @@ -11,7 +11,8 @@ juju deploy sdcore-nrf-k8s --channel=edge
juju deploy sdcore-udr-k8s --channel=edge
juju deploy self-signed-certificates --channel=beta
juju integrate mongodb-k8s sdcore-nrf-k8s
juju integrate mongodb-k8s sdcore-udr-k8s:database
juju integrate mongodb-k8s sdcore-udr-k8s:common_database
juju integrate mongodb-k8s sdcore-udr-k8s:auth_database
juju integrate sdcore-nrf-k8s:certificates self-signed-certificates:certificates
juju integrate sdcore-nrf-k8s:fiveg_nrf sdcore-udr-k8s:fiveg_nrf
juju integrate sdcore-udr-k8s:certificates self-signed-certificates:certificates
Expand Down
4 changes: 3 additions & 1 deletion metadata.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -18,7 +18,9 @@ containers:
location: /support/TLS

requires:
database:
common_database:
interface: mongodb_client
auth_database:
interface: mongodb_client
fiveg_nrf:
interface: fiveg_nrf
Expand Down
175 changes: 128 additions & 47 deletions src/charm.py
Original file line number Diff line number Diff line change
Expand Up @@ -19,15 +19,20 @@
generate_private_key,
)
from jinja2 import Environment, FileSystemLoader
from ops import ActiveStatus, BlockedStatus, RelationBrokenEvent, WaitingStatus
from ops.charm import CharmBase, EventBase
from ops.main import main
from ops.model import ActiveStatus, BlockedStatus, WaitingStatus
from ops.pebble import Layer, PathError

logger = logging.getLogger(__name__)

BASE_CONFIG_PATH = "/free5gc/config"
DEFAULT_DATABASE_NAME = "free5gc"
COMMON_DATABASE_NAME = "free5gc"
AUTH_DATABASE_NAME = "authentication"
COMMON_DATABASE_RELATION_NAME = "common_database"
AUTH_DATABASE_RELATION_NAME = "auth_database"
NRF_RELATION_NAME = "fiveg_nrf"
TLS_RELATION_NAME = "certificates"
UDR_CONFIG_FILE_NAME = "udrcfg.yaml"
UDR_SBI_PORT = 29504
CERTS_DIR_PATH = "/support/TLS" # Certificate paths are hardcoded in UDR code
Expand All @@ -44,17 +49,27 @@ def __init__(self, *args):
super().__init__(*args)
self._container_name = self._service_name = "udr"
self._container = self.unit.get_container(self._container_name)
self._nrf = NRFRequires(charm=self, relation_name="fiveg_nrf")
self._database = DatabaseRequires(
self, relation_name="database", database_name=DEFAULT_DATABASE_NAME
self._nrf = NRFRequires(charm=self, relation_name=NRF_RELATION_NAME)
self._common_database = DatabaseRequires(
self, relation_name=COMMON_DATABASE_RELATION_NAME, database_name=COMMON_DATABASE_NAME
)
self._auth_database = DatabaseRequires(
self, relation_name=AUTH_DATABASE_RELATION_NAME, database_name=AUTH_DATABASE_NAME
)
self.unit.set_ports(UDR_SBI_PORT)
self._certificates = TLSCertificatesRequiresV3(self, "certificates")
self._certificates = TLSCertificatesRequiresV3(self, TLS_RELATION_NAME)

self.framework.observe(self.on.udr_pebble_ready, self._configure_udr)
self.framework.observe(self.on.database_relation_joined, self._configure_udr)
self.framework.observe(self.on.database_relation_broken, self._on_database_relation_broken)
self.framework.observe(self._database.on.database_created, self._configure_udr)
self.framework.observe(self.on.common_database_relation_joined, self._configure_udr)
self.framework.observe(self.on.auth_database_relation_joined, self._configure_udr)
self.framework.observe(
self.on.common_database_relation_broken, self._on_common_database_relation_broken
)
self.framework.observe(
self.on.auth_database_relation_broken, self._on_auth_database_relation_broken
)
self.framework.observe(self._common_database.on.database_created, self._configure_udr)
self.framework.observe(self._auth_database.on.database_created, self._configure_udr)
self.framework.observe(self.on.fiveg_nrf_relation_joined, self._configure_udr)
self.framework.observe(self._nrf.on.nrf_available, self._configure_udr)
self.framework.observe(self._nrf.on.nrf_broken, self._on_nrf_broken)
Expand All @@ -74,6 +89,38 @@ def __init__(self, *args):
self._certificates.on.certificate_expiring, self._on_certificate_expiring
)

def ready_to_configure(self) -> bool:
"""Returns whether the preconditions are met to proceed with configuration."""
for relation in [
COMMON_DATABASE_RELATION_NAME,
AUTH_DATABASE_RELATION_NAME,
NRF_RELATION_NAME,
TLS_RELATION_NAME,
]:
if not self._relation_created(relation):
self.unit.status = BlockedStatus(
f"Waiting for the {relation} relation to be created"
)
return False
if not self._common_database_is_available():
self.unit.status = WaitingStatus("Waiting for the common database to be available")
return False
if not self._auth_database_is_available():
self.unit.status = WaitingStatus(
"Waiting for the authentication database to be available"
)
return False
if not self._get_common_database_url():
self.unit.status = WaitingStatus("Waiting for the common database url to be available")
return False
if not self._get_auth_database_url():
self.unit.status = WaitingStatus("Waiting for the auth database url to be available")
return False
if not self._nrf_is_available():
self.unit.status = WaitingStatus("Waiting for the NRF to be available")
return False
return True

def _configure_udr(self, event: EventBase) -> None:
"""Main callback function of the UDR operator.
Expand All @@ -83,21 +130,7 @@ def _configure_udr(self, event: EventBase) -> None:
Args:
event: Juju event
"""
for relation in ["database", "fiveg_nrf", "certificates"]:
if not self._relation_created(relation):
self.unit.status = BlockedStatus(
f"Waiting for the `{relation}` relation to be created"
)
return
if not self._database_is_available():
self.unit.status = WaitingStatus("Waiting for the database to be available")
return
if not self._get_database_data():
self.unit.status = WaitingStatus("Waiting for the database data to be available")
event.defer()
return
if not self._nrf_is_available():
self.unit.status = WaitingStatus("Waiting for the NRF to be available")
if not self.ready_to_configure():
return
if not self._container.can_connect():
self.unit.status = WaitingStatus("Waiting for the container to be ready")
Expand All @@ -118,21 +151,33 @@ def _configure_udr(self, event: EventBase) -> None:
self._configure_udr_service()
self.unit.status = ActiveStatus()

def _on_nrf_broken(self, event: EventBase) -> None:
def _on_nrf_broken(self, event: RelationBrokenEvent) -> None:
"""Event handler for NRF relation broken.
Args:
event (NRFBrokenEvent): Juju event
"""
self.unit.status = BlockedStatus("Waiting for fiveg_nrf relation")

def _on_database_relation_broken(self, event: EventBase) -> None:
"""Event handler for database relation broken.
def _on_common_database_relation_broken(self, event: RelationBrokenEvent) -> None:
"""Event handler for common database relation broken.
Args:
event: Juju event
"""
if not self.model.relations[COMMON_DATABASE_RELATION_NAME]:
self.unit.status = BlockedStatus(
f"Waiting for {COMMON_DATABASE_RELATION_NAME} relation"
)

def _on_auth_database_relation_broken(self, event: RelationBrokenEvent) -> None:
"""Event handler for auth database relation broken.
Args:
event: Juju event
"""
self.unit.status = BlockedStatus("Waiting for database relation")
if not self.model.relations[AUTH_DATABASE_RELATION_NAME]:
self.unit.status = BlockedStatus(f"Waiting for {AUTH_DATABASE_RELATION_NAME} relation")

def _on_certificates_relation_created(self, event: EventBase) -> None:
"""Generates Private key."""
Expand All @@ -141,7 +186,7 @@ def _on_certificates_relation_created(self, event: EventBase) -> None:
return
self._generate_private_key()

def _on_certificates_relation_broken(self, event: EventBase) -> None:
def _on_certificates_relation_broken(self, event: RelationBrokenEvent) -> None:
"""Deletes TLS related artifacts and reconfigures workload."""
if not self._container.can_connect():
event.defer()
Expand Down Expand Up @@ -280,8 +325,10 @@ def _generate_udr_config_file(self) -> None:
content = self._render_config_file(
udr_ip_address=_get_pod_ip(), # type: ignore[arg-type]
udr_sbi_port=UDR_SBI_PORT,
default_database_name=DEFAULT_DATABASE_NAME,
default_database_url=self._get_database_data()["uris"].split(",")[0],
common_database_name=COMMON_DATABASE_NAME,
common_database_url=self._get_common_database_url(),
auth_database_name=AUTH_DATABASE_NAME,
auth_database_url=self._get_auth_database_url(),
nrf_url=self._nrf.nrf_url,
scheme="https",
)
Expand Down Expand Up @@ -311,8 +358,10 @@ def _render_config_file(
*,
udr_ip_address: str,
udr_sbi_port: int,
default_database_name: str,
default_database_url: str,
common_database_name: str,
auth_database_name: str,
common_database_url: str,
auth_database_url: str,
nrf_url: str,
scheme: str,
) -> str:
Expand All @@ -321,8 +370,10 @@ def _render_config_file(
Args:
udr_ip_address (str): UDR IP address.
udr_sbi_port (str): UDR SBI port.
default_database_name (str): Database name.
default_database_url (str): Database URL.
common_database_name (str): Database name.
auth_database_name (str): Database name to store authentication keys.
common_database_url (str): Database URL.
auth_database_url (str): Authentication Database URL.
nrf_url (str): NRF URL.
scheme (str): SBI interface scheme ("http" or "https")
Expand All @@ -334,8 +385,10 @@ def _render_config_file(
return template.render(
udr_ip_address=udr_ip_address,
udr_sbi_port=udr_sbi_port,
default_database_name=default_database_name,
default_database_url=default_database_url,
common_database_name=common_database_name,
common_database_url=common_database_url,
auth_database_name=auth_database_name,
auth_database_url=auth_database_url,
nrf_url=nrf_url,
scheme=scheme,
)
Expand Down Expand Up @@ -364,15 +417,35 @@ def _push_udr_config_file_to_workload(self, content: str) -> None:
)
logger.info(f"Config file {UDR_CONFIG_FILE_NAME} pushed to workload.")

def _get_database_data(self) -> dict:
"""Returns the database data.
def _get_common_database_url(self) -> str:
"""Returns the common database URL.
Returns:
dict: The database data.
str: The database URL.
"""
if not self._database_is_available():
raise RuntimeError(f"Database `{DEFAULT_DATABASE_NAME}` is not available")
return self._database.fetch_relation_data()[self._database.relations[0].id]
if not self._common_database_is_available():
raise RuntimeError(f"Database `{COMMON_DATABASE_NAME}` is not available")
uris = self._common_database.fetch_relation_data()[
self._common_database.relations[0].id
].get("uris")
if uris:
return uris.split(",")[0]
return ""

def _get_auth_database_url(self) -> str:
"""Returns the authentication database URL.
Returns:
str: The authentication database URL.
"""
if not self._auth_database_is_available():
raise RuntimeError(f"Database `{AUTH_DATABASE_NAME}` is not available")
uris = self._auth_database.fetch_relation_data()[self._auth_database.relations[0].id].get(
"uris"
)
if uris:
return uris.split(",")[0]
return ""

def _nrf_is_available(self) -> bool:
"""Returns whether the NRF endpoint is available.
Expand All @@ -382,13 +455,21 @@ def _nrf_is_available(self) -> bool:
"""
return bool(self._nrf.nrf_url)

def _database_is_available(self) -> bool:
"""Returns whether database relation is available.
def _common_database_is_available(self) -> bool:
"""Returns whether common database relation is available.
Returns:
bool: Whether common database relation is available.
"""
return bool(self._common_database.is_resource_created())

def _auth_database_is_available(self) -> bool:
"""Returns whether authentication database relation is available.
Returns:
bool: Whether database relation is available.
bool: Whether authentication database relation is available.
"""
return bool(self._database.is_resource_created())
return bool(self._auth_database.is_resource_created())

@property
def _pebble_layer(self) -> Layer:
Expand Down
6 changes: 4 additions & 2 deletions src/templates/udrcfg.yaml.j2
Original file line number Diff line number Diff line change
Expand Up @@ -9,8 +9,10 @@ configuration:
bindingIPv4: 0.0.0.0
port: {{ udr_sbi_port }}
mongodb:
name: {{ default_database_name }}
url: {{ default_database_url }}
name: {{ common_database_name }}
url: {{ common_database_url }}
authKeysDbName: {{ auth_database_name }}
authUrl: {{ auth_database_url }}
nrfUri: {{ nrf_url }}

# the kind of log output
Expand Down
28 changes: 18 additions & 10 deletions tests/integration/test_integration.py
Original file line number Diff line number Diff line change
Expand Up @@ -65,10 +65,10 @@ async def _deploy_sdcore_nrf_operator(ops_test: OpsTest):
channel="edge",
trust=True,
)
await ops_test.model.add_relation( # type: ignore[union-attr]
await ops_test.model.integrate( # type: ignore[union-attr]
relation1=DB_APPLICATION_NAME, relation2=NRF_APPLICATION_NAME
)
await ops_test.model.add_relation( # type: ignore[union-attr]
await ops_test.model.integrate( # type: ignore[union-attr]
relation1=TLS_PROVIDER_CHARM_NAME, relation2=NRF_APPLICATION_NAME
)

Expand All @@ -80,13 +80,16 @@ async def test_wait_for_blocked_status(self, ops_test: OpsTest, setup, build_and
async def test_relate_and_wait_for_idle(
self, ops_test: OpsTest, setup, build_and_deploy_charm
):
await ops_test.model.add_relation( # type: ignore[union-attr]
await ops_test.model.integrate( # type: ignore[union-attr]
relation1=f"{APPLICATION_NAME}:database", relation2=DB_APPLICATION_NAME
)
await ops_test.model.add_relation( # type: ignore[union-attr]
await ops_test.model.integrate( # type: ignore[union-attr]
relation1=f"{APPLICATION_NAME}:auth_database", relation2=DB_APPLICATION_NAME
)
await ops_test.model.integrate( # type: ignore[union-attr]
relation1=f"{APPLICATION_NAME}:fiveg_nrf", relation2=NRF_APPLICATION_NAME
)
await ops_test.model.add_relation( # type: ignore[union-attr]
await ops_test.model.integrate( # type: ignore[union-attr]
relation1=f"{APPLICATION_NAME}:certificates",
relation2=f"{TLS_PROVIDER_CHARM_NAME}:certificates",
)
Expand All @@ -109,11 +112,11 @@ async def test_restore_nrf_and_wait_for_active_status(
channel="edge",
trust=True,
)
await ops_test.model.add_relation( # type: ignore[union-attr]
await ops_test.model.integrate( # type: ignore[union-attr]
relation1=f"{NRF_APPLICATION_NAME}:database", relation2=DB_APPLICATION_NAME
)
await ops_test.model.add_relation(relation1=APPLICATION_NAME, relation2=NRF_APPLICATION_NAME) # type: ignore[union-attr] # noqa: E501
await ops_test.model.add_relation(relation1=TLS_PROVIDER_CHARM_NAME, relation2=NRF_APPLICATION_NAME) # type: ignore[union-attr] # noqa: E501
await ops_test.model.integrate(relation1=APPLICATION_NAME, relation2=NRF_APPLICATION_NAME) # type: ignore[union-attr] # noqa: E501
await ops_test.model.integrate(relation1=TLS_PROVIDER_CHARM_NAME, relation2=NRF_APPLICATION_NAME) # type: ignore[union-attr] # noqa: E501
await ops_test.model.wait_for_idle(apps=[APPLICATION_NAME], status="active", timeout=300) # type: ignore[union-attr] # noqa: E501

@pytest.mark.abort_on_fail
Expand All @@ -133,7 +136,7 @@ async def test_restore_tls_and_wait_for_active_status(
channel="beta",
trust=True,
)
await ops_test.model.add_relation( # type: ignore[union-attr]
await ops_test.model.integrate( # type: ignore[union-attr]
relation1=APPLICATION_NAME, relation2=TLS_PROVIDER_CHARM_NAME
)
await ops_test.model.wait_for_idle(apps=[APPLICATION_NAME], status="active", timeout=1000) # type: ignore[union-attr] # noqa: E501
Expand Down Expand Up @@ -161,5 +164,10 @@ async def test_restore_database_and_wait_for_active_status(ops_test: OpsTest, bu
channel="5/edge",
trust=True,
)
await ops_test.model.integrate(relation1=APPLICATION_NAME, relation2=DB_APPLICATION_NAME)
await ops_test.model.integrate(
relation1=f"{NRF_APPLICATION_NAME}:database", relation2=DB_APPLICATION_NAME
)
await ops_test.model.integrate(
relation1=f"{NRF_APPLICATION_NAME}:auth_database", relation2=DB_APPLICATION_NAME
)
await ops_test.model.wait_for_idle(apps=[APPLICATION_NAME], status="active", timeout=1000)
Loading

0 comments on commit b657fcc

Please sign in to comment.