update charmcode, fix state management + add spoe-auth relation

Author: Thanhphan1147

haproxy_spoe_auth_operator/pyproject.toml

@@ -14,6 +14,7 @@ classifiers = [
   "Programming Language :: Python :: 3.14",
 ]
 dependencies = [
+  "charmlibs-interfaces-haproxy-spoe-auth",
   "charmlibs-snap==1.0.0",
   "jinja2==3.1.6",
   "ops==3.3.1",
@@ -43,6 +44,9 @@ integration = [
 [tool.uv]
 package = false
 
+[tool.uv.sources]
+charmlibs-interfaces-haproxy-spoe-auth = { git = "https://github.com/Thanhphan1147/charmlibs", subdirectory = "interfaces/haproxy_spoe_auth", rev = "feat/add-spoe-auth-lib" }
+
 [tool.ruff]
 target-version = "py310"
 line-length = 99

haproxy_spoe_auth_operator/src/charm.py

@@ -9,18 +9,25 @@
 import typing
 
 import ops
+from charmlibs.interfaces.haproxy_spoe_auth import HaproxyEvent, SpoeAuthProvider
+from haproxy_spoe_auth_operator.lib.charms.hydra.v0.oauth import ClientConfig, OAuthRequirer
 from haproxy_spoe_auth_operator.src.haproxy_spoe_auth_service import (
     SpoeAuthService,
     SpoeAuthServiceConfigError,
 )
 
-from state.charm_state import CharmState, InvalidCharmConfigError, ProxyMode
-from state.exception import CharmStateValidationBaseError
-from state.oauth import OAuthInformation
+from .state import CharmState, InvalidCharmConfigError, OauthInformation
 
 logger = logging.getLogger(__name__)
 
 OAUTH_RELATION = "oauth"
+OIDC_CALLBACK_PATH = "/oauth2/callback"
+SPOP_PORT = 8081
+OIDC_CALLBACK_PORT = 5000
+OIDC_SCOPE = "openid email profile"
+VAR_AUTHENTICATED = "sess.auth.is_authenticated"
+VAR_REDIRECT_URL = "sess.auth.redirect_url"
+COOKIE_NAME = "authsession"
 
 
 class HaproxySpoeAuthCharm(ops.CharmBase):
@@ -34,38 +41,47 @@ def __init__(self, *args: typing.Any):
         """
         super().__init__(*args)
         self.service = SpoeAuthService()
-
-        # OAuth requirer will be added here once the library is fetched
-        # Example: self.oauth = OAuthRequirer(self, relation_name=OAUTH_RELATION)
+        self._spoe_auth_provider = SpoeAuthProvider(self, relation_name="spoe-auth")
+        self._oauth = OAuthRequirer(self, relation_name=OAUTH_RELATION)
 
         self.framework.observe(self.on.install, self._reconcile)
         self.framework.observe(self.on.config_changed, self._reconcile)
-        self.framework.observe(
-            self.on[OAUTH_RELATION].relation_changed, self._reconcile
-        )
-        self.framework.observe(
-            self.on[OAUTH_RELATION].relation_broken, self._reconcile
-        )
-
+        self.framework.observe(self._oauth.on.oauth_info_changed, self._reconcile)
+        self.framework.observe(self._oauth.on.oauth_info_removed, self._reconcile)
 
     def _reconcile(self, _: ops.EventBase) -> None:
         """Reconcile the charm state and service configuration."""
         try:
-            charm_state = self._get_charm_state()
-            oauth_info = OAuthInformation.from_charm(self)
-
-            self.service.reconcile(charm_state, oauth_info)
-
-        except CharmStateValidationBaseError as exc:
+            state = CharmState.from_charm(self)
+
+            self._oauth.update_client_config(
+                client_config=ClientConfig(
+                    redirect_uri=f"https://{state.hostname}{OIDC_CALLBACK_PATH}",
+                    scope=OIDC_SCOPE,
+                    grant_types=["authorization_code"],
+                )
+            )
+            oauth_information = OauthInformation.from_charm(self, self._oauth)
+            self._spoe_auth_provider.provide_spoe_auth_requirements(
+                relation=oauth_information.spoe_auth_relation,
+                spop_port=SPOP_PORT,
+                event=HaproxyEvent.ON_FRONTEND_HTTP_REQUEST,
+                oidc_callback_port=OIDC_CALLBACK_PORT,
+                var_authenticated=VAR_AUTHENTICATED,
+                var_redirect_url=VAR_REDIRECT_URL,
+                cookie_name=COOKIE_NAME,
+                oidc_callback_hostname=state.hostname,
+                oidc_callback_path=OIDC_CALLBACK_PATH,
+            )
+            self.service.reconcile(charm_state=state, oauth_information=oauth_information)
+            self.unit.status = ops.ActiveStatus()
+
+        except InvalidCharmConfigError as exc:
             logger.exception("Charm state validation failed")
             self.unit.status = ops.BlockedStatus(f"Configuration error: {exc}")
         except SpoeAuthServiceConfigError as exc:
             logger.exception("Service configuration failed")
             self.unit.status = ops.BlockedStatus(f"Service configuration failed: {exc}")
-        except Exception as exc:
-            logger.exception("Unexpected error during reconciliation")
-            self.unit.status = ops.BlockedStatus(f"Unexpected error: {exc}")
-
 
 if __name__ == "__main__":  # pragma: nocover
     ops.main(HaproxySpoeAuthCharm)

haproxy_spoe_auth_operator/src/haproxy_spoe_auth_service.py

@@ -9,8 +9,7 @@
 from charmlibs import snap
 from jinja2 import Environment, FileSystemLoader, select_autoescape
 
-from state.charm_state import CharmState
-from state.oauth import OAuthInformation
+from .state import CharmState, OauthInformation
 
 SNAP_NAME = "haproxy-spoe-auth"
 CONFIG_PATH = Path("/var/snap/haproxy-spoe-auth/current/config.yaml")
@@ -49,43 +48,45 @@ def install(self) -> None:
         except snap.SnapError as e:
             logger.error("An exception occurred when installing charmcraft. Reason: %s", e.message)
 
-
-    def reconcile(self, charm_state: CharmState, oauth_info: OAuthInformation) -> None:
+    def reconcile(self, charm_state: CharmState, oauth_information: OauthInformation) -> None:
         """Reconcile the service configuration.
 
         Args:
-            charm_state: The current charm state.
-            oauth_info: OAuth integration information.
+            charm_state: The charm state.
+            oauth_information: OAuth integration information.
 
         Raises:
             SpoeAuthServiceConfigError: When configuration fails.
         """
         try:
-            self._render_config(charm_state, oauth_info)
+            self._render_config(charm_state, oauth_information)
             self.haproxy_spoe_auth_snap.restart(reload=True)
         except Exception as exc:
             raise SpoeAuthServiceConfigError(f"Failed to reconcile service: {exc}") from exc
 
-    def _render_config(self, charm_state: CharmState, oauth_info: OAuthInformation) -> None:
+    def _render_config(self, charm_state: CharmState, oauth_information: OauthInformation) -> None:
         """Render the configuration file.
 
         Args:
-            charm_state: The current charm state.
-            oauth_info: OAuth integration information.
+            charm_state: The charm state.
+            oauth_information: OAuth integration information.
         """
         env = Environment(
-            loader=FileSystemLoader(str(self._template_dir)),
+            loader=FileSystemLoader("templates"),
             autoescape=select_autoescape(),
+            keep_trailing_newline=True,
+            trim_blocks=True,
+            lstrip_blocks=True,
         )
         template = env.get_template(CONFIG_TEMPLATE)
-
         config_content = template.render(
-            spoe_address=charm_state.spoe_address,
-            oauth_enabled=oauth_info.oauth_data is not None,
-            oauth_data=oauth_info.oauth_data if oauth_info.oauth_data else {},
+            hostname=charm_state.hostname,
+            issuer_url=oauth_information.issuer_url,
+            client_id=oauth_information.client_id,
+            client_secret=oauth_information.client_secret,
+            signature_secret=charm_state.signature_secret,
+            encryption_secret=charm_state.encryption_secret,
         )
 
         # Ensure parent directory exists
-        CONFIG_PATH.parent.mkdir(parents=True, exist_ok=True)
         CONFIG_PATH.write_text(config_content, encoding="utf-8")
-        logger.info("Configuration written to %s", CONFIG_PATH)

haproxy_spoe_auth_operator/src/state.py

@@ -0,0 +1,147 @@
+# Copyright 2025 Canonical Ltd.
+# See LICENSE file for licensing details.
+
+"""haproxy-spoe-auth-operator charm state."""
+
+import logging
+import typing
+import secrets
+import ops
+from pydantic import Field, ValidationError
+from pydantic.dataclasses import dataclass
+
+from lib.charms.hydra.v0.oauth import OAuthRequirer
+
+logger = logging.getLogger(__name__)
+
+SPOE_AUTH_RELATION = "spoe-auth"
+AGENT_SECRETS_LABEL = "agent-secrets"
+
+
+class InvalidCharmConfigError(Exception):
+    """Exception raised when a charm configuration is found to be invalid."""
+
+
+@dataclass(frozen=True)
+class CharmState:
+    """A component of charm state that contains the charm's configuration and mode.
+
+    Attributes:
+        hostname: The hostname of the charm.
+        client_id: The OAuth client ID.
+        client_secret: The OAuth client secret.
+        issuer_url: The OAuth issuer URL.
+    """
+
+    hostname: str = Field(description="The hostname part of the redirect URL.")
+    signature_secret: str = Field(
+        description="Secret used for signing by the SPOE agent.", min_length=1
+    )
+    encryption_secret: str = Field(
+        description="Secret used for encrypting by the SPOE agent.", min_length=1
+    )
+
+    @classmethod
+    def from_charm(
+        cls,
+        charm: ops.CharmBase,
+    ) -> "CharmState":
+        """Create a CharmState class from a charm instance.
+
+        Args:
+            charm: The spoe-auth agent charm.
+
+        Raises:
+            InvalidCharmConfigError: When the charm's config is invalid.
+
+        Returns:
+            CharmState: Instance of the charm state component.
+        """
+        hostname = typing.cast(str, charm.config.get("hostname"))
+        signature_secret = None
+        encryption_secret = None
+        try:
+            secret = charm.model.get_secret(label=AGENT_SECRETS_LABEL)
+            signing_and_encryption_secrets = secret.get_content(refresh=True)
+            signature_secret = signing_and_encryption_secrets.get("signature_secret")
+            encryption_secret = signing_and_encryption_secrets.get("encryption_secret")
+        except ops.SecretNotFoundError:
+            signature_secret = secrets.token_urlsafe(32)
+            encryption_secret = secrets.token_urlsafe(32)
+            secret = charm.model.app.add_secret(
+                content={
+                    "signature_secret": signature_secret,
+                    "encryption_secret": encryption_secret,
+                },
+                label=AGENT_SECRETS_LABEL,
+            )
+
+        if signature_secret is None or encryption_secret is None:
+            raise InvalidCharmConfigError("Error fetching agent secrets.")
+
+        try:
+            return cls(
+                hostname=hostname,
+                signature_secret=signature_secret,
+                encryption_secret=encryption_secret,
+            )
+        except ValidationError as exc:
+            raise InvalidCharmConfigError("Invalid configuration") from exc
+
+
+@dataclass(frozen=True)
+class OauthInformation:
+    """A component of charm state that contains the charm's configuration and mode.
+
+    Attributes:
+        client_id: The OAuth client ID.
+        client_secret: The OAuth client secret.
+        issuer_url: The OAuth issuer URL.
+        spoe_auth_relation: The spoe-auth relation.
+    """
+
+    issuer_url: str = Field(description="The OAuth issuer URL.", min_length=1)
+    client_id: str = Field(description="The OAuth client ID.", min_length=1)
+    client_secret: str = Field(description="The OAuth client secret.", min_length=1)
+    spoe_auth_relation: ops.Relation = Field(description="The spoe-auth relation.")
+
+    @classmethod
+    def from_charm(
+        cls,
+        charm: ops.CharmBase,
+        oauth: OAuthRequirer,
+    ) -> "OauthInformation":
+        """Create a CharmState class from a charm instance.
+
+        Args:
+            charm: The haproxy charm.
+            oauth: The OAuthRequirer instance.
+
+        Raises:
+            InvalidCharmConfigError: When the charm's config is invalid.
+
+        Returns:
+            CharmState: Instance of the charm state component.
+        """
+        spoe_auth_relation = charm.model.get_relation(SPOE_AUTH_RELATION)
+        if spoe_auth_relation is None:
+            logger.error("spoe-auth relation missing.")
+            raise InvalidCharmConfigError("spoe-auth relation missing.")
+
+        oauth_provider_information = oauth.get_provider_info()
+        if (
+            oauth_provider_information is None
+            or oauth_provider_information.client_id is None
+            or oauth_provider_information.client_secret is None
+        ):
+            raise InvalidCharmConfigError("Waiting for complete oauth relation data.")
+
+        try:
+            return cls(
+                issuer_url=oauth_provider_information.issuer_url,
+                client_id=oauth_provider_information.client_id,
+                client_secret=oauth_provider_information.client_secret,
+                spoe_auth_relation=spoe_auth_relation,
+            )
+        except ValidationError as exc:
+            raise InvalidCharmConfigError("Invalid configuration") from exc