Add more tests for ChangeSecretBackend method;

state/migration_import_tasks.go

@@ -549,7 +549,7 @@ func (s *secretStateShim) SecretConsumerKey(uri *secrets.URI, subject string) st
 }
 
 func (s *secretStateShim) IncBackendRevisionCountOps(backendID string) ([]txn.Op, error) {
-	return s.st.incBackendRevisionCountOps(backendID, nil)
+	return s.st.incBackendRevisionCountOps(backendID, 1)
 }
 
 // ImportSecrets describes a way to import secrets from a

state/secretbackends.go

@@ -377,7 +377,7 @@ func (st *State) decSecretBackendRefCountOp(backendID string) ([]txn.Op, error)
 
 // incBackendRevisionCountOps returns the ops needed to change the secret revision ref count
 // for the specified backend. Used to ensure backends with revisions cannot be deleted without force.
-func (st *State) incBackendRevisionCountOps(backendID string, count *int) ([]txn.Op, error) {
+func (st *State) incBackendRevisionCountOps(backendID string, count int) ([]txn.Op, error) {
 	if secrets.IsInternalSecretBackendID(backendID) {
 		return nil, nil
 	}
@@ -389,11 +389,7 @@ func (st *State) incBackendRevisionCountOps(backendID string, count *int) ([]txn
 	if err != nil {
 		return nil, errors.Trace(err)
 	}
-	toInc := 1
-	if count != nil {
-		toInc = *count
-	}
-	incOp, err := nsRefcounts.StrictIncRefOp(refCountCollection, key, toInc)
+	incOp, err := nsRefcounts.StrictIncRefOp(refCountCollection, key, count)
 	if err != nil {
 		return nil, errors.Trace(err)
 	}

state/secrets.go

@@ -305,7 +305,7 @@ func (s *secretsStore) CreateSecret(uri *secrets.URI, p CreateSecretParams) (*se
 			}, isOwnerAliveOp,
 		}...)
 		if valueDoc.ValueRef != nil {
-			refOps, err := s.st.incBackendRevisionCountOps(valueDoc.ValueRef.BackendID, nil)
+			refOps, err := s.st.incBackendRevisionCountOps(valueDoc.ValueRef.BackendID, 1)
 			if err != nil {
 				return nil, errors.Trace(err)
 			}
@@ -414,7 +414,7 @@ func (s *secretsStore) UpdateSecret(uri *secrets.URI, p UpdateSecretParams) (*se
 				Insert: *revisionDoc,
 			})
 			if p.ValueRef != nil {
-				refOps, err := s.st.incBackendRevisionCountOps(p.ValueRef.BackendID, nil)
+				refOps, err := s.st.incBackendRevisionCountOps(p.ValueRef.BackendID, 1)
 				if err != nil {
 					return nil, errors.Trace(err)
 				}
@@ -822,7 +822,7 @@ func (s *secretsStore) ChangeSecretBackend(arg ChangeSecretBackendParams) error
 			ops = append(ops, refOps...)
 		}
 		if valRefDoc != nil {
-			refOps, err := s.st.incBackendRevisionCountOps(valRefDoc.BackendID, nil)
+			refOps, err := s.st.incBackendRevisionCountOps(valRefDoc.BackendID, 1)
 			if err != nil {
 				return nil, errors.Trace(err)
 			}

state/secrets_test.go

@@ -954,7 +954,7 @@ func (s *SecretsSuite) TestUpdateConcurrent(c *gc.C) {
 	})
 }
 
-func (s *SecretsSuite) TestChangeSecretBackend(c *gc.C) {
+func (s *SecretsSuite) TestChangeSecretBackendExternalToExternal(c *gc.C) {
 	backendStore := state.NewSecretBackends(s.State)
 	_, err := backendStore.CreateSecretBackend(state.CreateSecretBackendParams{
 		ID:          "old-backend-id",
@@ -982,7 +982,6 @@ func (s *SecretsSuite) TestChangeSecretBackend(c *gc.C) {
 		Owner:   s.owner.Tag(),
 		UpdateSecretParams: state.UpdateSecretParams{
 			LeaderToken: &fakeToken{},
-			Data:        map[string]string{"foo": "bar"},
 			ValueRef: &secrets.ValueRef{
 				BackendID:  "old-backend-id",
 				RevisionID: "rev-id",
@@ -998,7 +997,7 @@ func (s *SecretsSuite) TestChangeSecretBackend(c *gc.C) {
 
 	val, valRef, err := s.store.GetSecretValue(uri, 1)
 	c.Assert(err, jc.ErrorIsNil)
-	c.Assert(val, jc.DeepEquals, secrets.NewSecretValue(map[string]string{"foo": "bar"}))
+	c.Assert(val.IsEmpty(), jc.IsTrue)
 	c.Assert(valRef, gc.DeepEquals, &secrets.ValueRef{
 		BackendID:  "old-backend-id",
 		RevisionID: "rev-id",
@@ -1032,6 +1031,138 @@ func (s *SecretsSuite) TestChangeSecretBackend(c *gc.C) {
 	})
 }
 
+func (s *SecretsSuite) TestChangeSecretBackendInternalToExternal(c *gc.C) {
+	backendStore := state.NewSecretBackends(s.State)
+
+	_, err := backendStore.CreateSecretBackend(state.CreateSecretBackendParams{
+		ID:          "new-backend-id",
+		Name:        "bar",
+		BackendType: "vault",
+	})
+	c.Assert(err, jc.ErrorIsNil)
+
+	uri := secrets.NewURI()
+	p := state.CreateSecretParams{
+		Version: 1,
+		Owner:   s.owner.Tag(),
+		UpdateSecretParams: state.UpdateSecretParams{
+			LeaderToken: &fakeToken{},
+			Data:        map[string]string{"foo": "bar"},
+		},
+	}
+	_, err = s.store.CreateSecret(uri, p)
+	c.Assert(err, jc.ErrorIsNil)
+
+	_, err = s.State.ReadBackendRefCount(s.Model.UUID())
+	c.Assert(err, jc.Satisfies, errors.IsNotFound)
+	_, err = s.State.ReadBackendRefCount(s.State.ControllerUUID())
+	c.Assert(err, jc.Satisfies, errors.IsNotFound)
+
+	backendRefCount, err := s.State.ReadBackendRefCount("new-backend-id")
+	c.Assert(err, jc.ErrorIsNil)
+	c.Assert(backendRefCount, gc.Equals, 0)
+
+	val, valRef, err := s.store.GetSecretValue(uri, 1)
+	c.Assert(err, jc.ErrorIsNil)
+	c.Assert(val, jc.DeepEquals, secrets.NewSecretValue(map[string]string{"foo": "bar"}))
+	c.Assert(valRef, gc.IsNil)
+
+	err = s.store.ChangeSecretBackend(state.ChangeSecretBackendParams{
+		URI:      uri,
+		Token:    &fakeToken{},
+		Revision: 1,
+		ValueRef: &secrets.ValueRef{
+			BackendID:  "new-backend-id",
+			RevisionID: "rev-id",
+		},
+	})
+	c.Assert(err, jc.ErrorIsNil)
+
+	_, err = s.State.ReadBackendRefCount(s.Model.UUID())
+	c.Assert(err, jc.Satisfies, errors.IsNotFound)
+	_, err = s.State.ReadBackendRefCount(s.State.ControllerUUID())
+	c.Assert(err, jc.Satisfies, errors.IsNotFound)
+
+	backendRefCount, err = s.State.ReadBackendRefCount("new-backend-id")
+	c.Assert(err, jc.ErrorIsNil)
+	c.Assert(backendRefCount, gc.Equals, 1)
+
+	val, valRef, err = s.store.GetSecretValue(uri, 1)
+	c.Assert(err, jc.ErrorIsNil)
+	c.Assert(val.IsEmpty(), jc.IsTrue)
+	c.Assert(valRef, jc.DeepEquals, &secrets.ValueRef{
+		BackendID:  "new-backend-id",
+		RevisionID: "rev-id",
+	})
+}
+
+func (s *SecretsSuite) TestChangeSecretBackendExternalToInternal(c *gc.C) {
+	backendStore := state.NewSecretBackends(s.State)
+	_, err := backendStore.CreateSecretBackend(state.CreateSecretBackendParams{
+		ID:          "backend-id",
+		Name:        "foo",
+		BackendType: "vault",
+	})
+	c.Assert(err, jc.ErrorIsNil)
+	backendRefCount, err := s.State.ReadBackendRefCount("backend-id")
+	c.Assert(err, jc.ErrorIsNil)
+	c.Assert(backendRefCount, gc.Equals, 0)
+
+	uri := secrets.NewURI()
+	p := state.CreateSecretParams{
+		Version: 1,
+		Owner:   s.owner.Tag(),
+		UpdateSecretParams: state.UpdateSecretParams{
+			LeaderToken: &fakeToken{},
+			ValueRef: &secrets.ValueRef{
+				BackendID:  "backend-id",
+				RevisionID: "rev-id",
+			},
+		},
+	}
+	_, err = s.store.CreateSecret(uri, p)
+	c.Assert(err, jc.ErrorIsNil)
+
+	_, err = s.State.ReadBackendRefCount(s.Model.UUID())
+	c.Assert(err, jc.Satisfies, errors.IsNotFound)
+	_, err = s.State.ReadBackendRefCount(s.State.ControllerUUID())
+	c.Assert(err, jc.Satisfies, errors.IsNotFound)
+
+	backendRefCount, err = s.State.ReadBackendRefCount("backend-id")
+	c.Assert(err, jc.ErrorIsNil)
+	c.Assert(backendRefCount, gc.Equals, 1)
+
+	val, valRef, err := s.store.GetSecretValue(uri, 1)
+	c.Assert(err, jc.ErrorIsNil)
+	c.Assert(val.IsEmpty(), jc.IsTrue)
+	c.Assert(valRef, gc.DeepEquals, &secrets.ValueRef{
+		BackendID:  "backend-id",
+		RevisionID: "rev-id",
+	})
+
+	err = s.store.ChangeSecretBackend(state.ChangeSecretBackendParams{
+		URI:      uri,
+		Token:    &fakeToken{},
+		Data:     map[string]string{"foo": "bar"},
+		Revision: 1,
+	})
+	c.Assert(err, jc.ErrorIsNil)
+
+	_, err = s.State.ReadBackendRefCount(s.Model.UUID())
+	c.Assert(err, jc.Satisfies, errors.IsNotFound)
+	_, err = s.State.ReadBackendRefCount(s.State.ControllerUUID())
+	c.Assert(err, jc.Satisfies, errors.IsNotFound)
+
+	backendRefCount, err = s.State.ReadBackendRefCount("backend-id")
+	c.Assert(err, jc.ErrorIsNil)
+	c.Assert(backendRefCount, gc.Equals, 0)
+
+	val, valRef, err = s.store.GetSecretValue(uri, 1)
+	c.Assert(err, jc.ErrorIsNil)
+	c.Assert(val, jc.DeepEquals, secrets.NewSecretValue(map[string]string{"foo": "bar"}))
+	c.Assert(valRef, gc.IsNil)
+}
+
 func (s *SecretsSuite) TestGetSecret(c *gc.C) {
 	uri := secrets.NewURI()
 

state/upgrades_test.go

@@ -334,8 +334,7 @@ func (s *upgradesSuite) TestEnsureInitalRefCountForExternalSecretBackends(c *gc.
 		BackendType: "vault",
 	})
 	c.Assert(err, jc.ErrorIsNil)
-	count := 3
-	ops, err := s.state.incBackendRevisionCountOps("backend-id-2", &count)
+	ops, err := s.state.incBackendRevisionCountOps("backend-id-2", 3)
 	c.Assert(err, jc.ErrorIsNil)
 	err = s.state.db().RunTransaction(ops)
 	c.Assert(err, jc.ErrorIsNil)