Enable pgAudit by default

marceloneppel · marceloneppel · commit 26ad2c09de88 · 2024-09-16T16:20:26.000-03:00
Signed-off-by: Marcelo Henrique Neppel &lt;marcelo.neppel@canonical.com&gt;
diff --git a/config.yaml b/config.yaml
@@ -304,7 +304,7 @@ options:
     type: boolean
     description: Enable timescaledb extension
   plugin_audit_enable:
-    default: false
+    default: true
     type: boolean
     description: Enable pgAudit extension
   profile:
diff --git a/tests/integration/test_audit.py b/tests/integration/test_audit.py
@@ -35,39 +35,11 @@ async def test_audit_plugin(ops_test: OpsTest, charm) -> None:
             apps=[APPLICATION_NAME, DATABASE_APP_NAME], status="active"
         )
 
-    logger.info("Checking that the audit plugin is disabled")
+    logger.info("Checking that the audit plugin is enabled")
     connection_string = await build_connection_string(
         ops_test, APPLICATION_NAME, RELATION_ENDPOINT
     )
     connection = None
-    try:
-        connection = psycopg2.connect(connection_string)
-        with connection.cursor() as cursor:
-            cursor.execute("CREATE TABLE test1(value TEXT);")
-            cursor.execute("GRANT SELECT ON test1 TO PUBLIC;")
-            cursor.execute("SET TIME ZONE 'Europe/Rome';")
-    finally:
-        if connection is not None:
-            connection.close()
-    try:
-        logs = await run_command_on_unit(
-            ops_test,
-            "postgresql/0",
-            "sudo grep AUDIT /var/snap/charmed-postgresql/common/var/log/postgresql/postgresql-*.log",
-        )
-    except Exception:
-        pass
-    else:
-        logger.info(f"Logs: {logs}")
-        assert False, "Audit logs were found when the plugin is disabled."
-
-    logger.info("Enabling the audit plugin")
-    await ops_test.model.applications[DATABASE_APP_NAME].set_config({
-        "plugin_audit_enable": "True"
-    })
-    await ops_test.model.wait_for_idle(apps=[DATABASE_APP_NAME], status="active")
-
-    logger.info("Checking that the audit plugin is enabled")
     try:
         connection = psycopg2.connect(connection_string)
         with connection.cursor() as cursor:
@@ -77,12 +49,13 @@ async def test_audit_plugin(ops_test: OpsTest, charm) -> None:
     finally:
         if connection is not None:
             connection.close()
+    unit_name = f"{DATABASE_APP_NAME}/0"
     for attempt in Retrying(stop=stop_after_delay(90), wait=wait_fixed(10), reraise=True):
         with attempt:
             try:
                 logs = await run_command_on_unit(
                     ops_test,
-                    "postgresql/0",
+                    unit_name,
                     "sudo grep AUDIT /var/snap/charmed-postgresql/common/var/log/postgresql/postgresql-*.log",
                 )
                 assert "MISC,BEGIN,,,BEGIN" in logs
@@ -93,3 +66,38 @@ async def test_audit_plugin(ops_test: OpsTest, charm) -> None:
                 assert "MISC,SET,,,SET TIME ZONE 'Europe/Rome';" in logs
             except Exception:
                 assert False, "Audit logs were not found when the plugin is enabled."
+
+    logger.info("Disabling the audit plugin")
+    await ops_test.model.applications[DATABASE_APP_NAME].set_config({
+        "plugin_audit_enable": "False"
+    })
+    await ops_test.model.wait_for_idle(apps=[DATABASE_APP_NAME], status="active")
+
+    logger.info("Removing the previous logs")
+    await run_command_on_unit(
+        ops_test,
+        unit_name,
+        "rm /var/snap/charmed-postgresql/common/var/log/postgresql/postgresql-*.log",
+    )
+
+    logger.info("Checking that the audit plugin is disabled")
+    try:
+        connection = psycopg2.connect(connection_string)
+        with connection.cursor() as cursor:
+            cursor.execute("CREATE TABLE test1(value TEXT);")
+            cursor.execute("GRANT SELECT ON test1 TO PUBLIC;")
+            cursor.execute("SET TIME ZONE 'Europe/Rome';")
+    finally:
+        if connection is not None:
+            connection.close()
+    try:
+        logs = await run_command_on_unit(
+            ops_test,
+            unit_name,
+            "sudo grep AUDIT /var/snap/charmed-postgresql/common/var/log/postgresql/postgresql-*.log",
+        )
+    except Exception:
+        pass
+    else:
+        logger.info(f"Logs: {logs}")
+        assert False, "Audit logs were found when the plugin is disabled."
diff --git a/tests/unit/test_charm.py b/tests/unit/test_charm.py
@@ -2560,7 +2560,7 @@ def test_restart_services_after_reboot(harness):
 def test_get_plugins(harness):
     with patch("charm.PostgresqlOperatorCharm._on_config_changed"):
         # Test when the charm has no plugins enabled.
-        assert harness.charm.get_plugins() == []
+        assert harness.charm.get_plugins() == ["pgaudit"]
 
         # Test when the charm has some plugins enabled.
         harness.update_config({
diff --git a/tests/unit/test_db.py b/tests/unit/test_db.py
@@ -228,7 +228,7 @@ def test_set_up_relation(harness):
         user = f"relation-{rel_id}"
         postgresql_mock.create_user.assert_called_once_with(user, "test-password", False)
         postgresql_mock.create_database.assert_called_once_with(
-            DATABASE, user, plugins=[], client_relations=[relation]
+            DATABASE, user, plugins=["pgaudit"], client_relations=[relation]
         )
         _update_endpoints.assert_called_once()
         _update_unit_status.assert_called_once()
@@ -255,7 +255,7 @@ def test_set_up_relation(harness):
         assert harness.charm.legacy_db_relation.set_up_relation(relation)
         postgresql_mock.create_user.assert_called_once_with(user, "test-password", False)
         postgresql_mock.create_database.assert_called_once_with(
-            DATABASE, user, plugins=[], client_relations=[relation]
+            DATABASE, user, plugins=["pgaudit"], client_relations=[relation]
         )
         _update_endpoints.assert_called_once()
         _update_unit_status.assert_called_once()
@@ -276,7 +276,7 @@ def test_set_up_relation(harness):
         assert harness.charm.legacy_db_relation.set_up_relation(relation)
         postgresql_mock.create_user.assert_called_once_with(user, "test-password", False)
         postgresql_mock.create_database.assert_called_once_with(
-            "application", user, plugins=[], client_relations=[relation]
+            "application", user, plugins=["pgaudit"], client_relations=[relation]
         )
         _update_endpoints.assert_called_once()
         _update_unit_status.assert_called_once()
diff --git a/tests/unit/test_postgresql_provider.py b/tests/unit/test_postgresql_provider.py
@@ -130,7 +130,7 @@ def test_on_database_requested(harness):
         database_relation = harness.model.get_relation(RELATION_NAME)
         client_relations = [database_relation]
         postgresql_mock.create_database.assert_called_once_with(
-            DATABASE, user, plugins=[], client_relations=client_relations
+            DATABASE, user, plugins=["pgaudit"], client_relations=client_relations
         )
         postgresql_mock.get_postgresql_version.assert_called_once()
         _update_endpoints.assert_called_once()

Original file line number	Diff line number	Diff line change
`@@ -130,7 +130,7 @@ def test_on_database_requested(harness):`
`130`	`130`	`database_relation = harness.model.get_relation(RELATION_NAME)`
`131`	`131`	`client_relations = [database_relation]`
`132`	`132`	`postgresql_mock.create_database.assert_called_once_with(`
`133`		`- DATABASE, user, plugins=[], client_relations=client_relations`
	`133`	`+ DATABASE, user, plugins=["pgaudit"], client_relations=client_relations`
`134`	`134`	`)`
`135`	`135`	`postgresql_mock.get_postgresql_version.assert_called_once()`
`136`	`136`	`_update_endpoints.assert_called_once()`