From e68903ad08756091c646cb5eca6973311398e873 Mon Sep 17 00:00:00 2001
From: Arif Ali <arif.ali@canonical.com>
Date: Fri, 24 Nov 2023 21:56:24 +0000
Subject: [PATCH] [collect] update for strict confinement for juju

With juju versions 3 and above, when collecting the tarballs
from machines it will grab them into a strictly confined area.
This means that we need to be able to access this area via sudo.

In order for this now to be fully supported, we need sudo on the
host that is running juju, otherwise sos collect on a juju
environment will not work.

Related: #3399
Signed-off-by: Arif Ali <arif.ali@canonical.com>
---
 sos/collector/transports/juju.py | 23 ++++++++++++++++++++---
 1 file changed, 20 insertions(+), 3 deletions(-)

diff --git a/sos/collector/transports/juju.py b/sos/collector/transports/juju.py
index bea95fb6f9..13dab704fc 100644
--- a/sos/collector/transports/juju.py
+++ b/sos/collector/transports/juju.py
@@ -13,7 +13,7 @@
 
 from sos.collector.exceptions import JujuNotInstalledException
 from sos.collector.transports import RemoteTransport
-from sos.utilities import sos_get_command_output
+from sos.utilities import sos_get_command_output, parse_version
 
 
 class JujuSSH(RemoteTransport):
@@ -72,12 +72,29 @@ def remote_exec(self):
         option = f"{model_option} {target_option}"
         return f"juju ssh {option}"
 
+    def _get_juju_version(self):
+        """Grab the version of juju"""
+        res = sos_get_command_output("juju version")
+        return res['output'].split("-")[0]
+
     def _retrieve_file(self, fname, dest):
         self._chmod(fname)  # juju scp needs the archive to be world-readable
         model, unit = self.address.split(":")
         model_option = f"-m {model}" if model else ""
-        cmd = f"juju scp {model_option} -- -r {unit}:{fname} {dest}"
-        res = sos_get_command_output(cmd)
+        if parse_version(self._get_juju_version()) > parse_version("3"):
+            # juju version above 3 is strictly confined, and therefore
+            # the way we grab the data is slightly different
+            juju_tmpdir = f"/tmp/snap-private-tmp/snap.juju/{self.tmpdir}"
+            sos_get_command_output(f"sudo mkdir {juju_tmpdir}")
+            sos_get_command_output(f"sudo chmod o+rwx {juju_tmpdir}")
+            cmd = f"juju scp {model_option} -- -r {unit}:{fname} {self.tmpdir}"
+            res = sos_get_command_output(cmd)
+            cmd2 = f"sudo cp {juju_tmpdir}/{fname.split('/')[-1]} {dest}"
+            sos_get_command_output(cmd2)
+            sos_get_command_output(f"sudo chmod 644 {dest}")
+        else:
+            cmd = f"juju scp {model_option} -- -r {unit}:{fname} {dest}"
+            res = sos_get_command_output(cmd)
         return res["status"] == 0