*** WIP. ROLL BACK. ***

apiserver/common/secrets/drain.go

@@ -24,7 +24,7 @@ import (
 type SecretsDrainAPI struct {
 	authTag           names.Tag
 	logger            logger.Logger
-	leadershipChecker leadership.Checker
+	leadershipEnsurer leadership.Ensurer
 	watcherRegistry   facade.WatcherRegistry
 
 	modelUUID            model.UUID
@@ -37,7 +37,7 @@ func NewSecretsDrainAPI(
 	authTag names.Tag,
 	authorizer facade.Authorizer,
 	logger logger.Logger,
-	leadershipChecker leadership.Checker,
+	leadershipEnsurer leadership.Ensurer,
 	modelUUID model.UUID,
 	secretService SecretService,
 	secretBackendService SecretBackendService,
@@ -49,7 +49,7 @@ func NewSecretsDrainAPI(
 	return &SecretsDrainAPI{
 		authTag:              authTag,
 		logger:               logger,
-		leadershipChecker:    leadershipChecker,
+		leadershipEnsurer:    leadershipEnsurer,
 		modelUUID:            modelUUID,
 		secretService:        secretService,
 		secretBackendService: secretBackendService,
@@ -130,9 +130,9 @@ func secretAccessorFromTag(authTag names.Tag) (secretservice.SecretAccessor, err
 }
 
 // isLeaderUnit returns true if the authenticated caller is the unit leader of its application.
-func isLeaderUnit(authTag names.Tag, leadershipChecker leadership.Checker) (bool, error) {
+func isLeaderUnit(authTag names.Tag, leadershipEnsurer leadership.Ensurer) (bool, error) {
 	appName, _ := names.UnitApplication(authTag.Id())
-	token := leadershipChecker.LeadershipCheck(appName, authTag.Id())
+	token := leadershipEnsurer.LeadershipCheck(appName, authTag.Id())
 	err := token.Check()
 	if err != nil && !leadership.IsNotLeaderError(err) {
 		return false, errors.Trace(err)
@@ -146,7 +146,7 @@ func (s *SecretsDrainAPI) getCharmSecretsToDrain(ctx context.Context) ([]*corese
 		ID:   s.authTag.Id(),
 	}}
 	// Unit leaders can also get metadata for secrets owned by the app.
-	isLeader, err := isLeaderUnit(s.authTag, s.leadershipChecker)
+	isLeader, err := isLeaderUnit(s.authTag, s.leadershipEnsurer)
 	if err != nil {
 		return nil, errors.Trace(err)
 	}
@@ -181,18 +181,18 @@ func (s *SecretsDrainAPI) changeSecretBackendForOne(ctx context.Context, arg par
 	if err != nil {
 		return
 	}
-	token, err := LeadershipToken(s.authTag, s.leadershipChecker)
-	if err != nil {
-		return errors.Trace(err)
-	}
-	return s.secretService.ChangeSecretBackend(ctx, uri, arg.Revision, toChangeSecretBackendParams(accessor, token, arg))
+	return s.secretService.ChangeSecretBackend(
+		ctx, uri, arg.Revision, toChangeSecretBackendParams(accessor, s.leadershipEnsurer, arg),
+	)
 }
 
-func toChangeSecretBackendParams(accessor secretservice.SecretAccessor, token leadership.Token, arg params.ChangeSecretBackendArg) secretservice.ChangeSecretBackendParams {
+func toChangeSecretBackendParams(
+	accessor secretservice.SecretAccessor, ensurer leadership.Ensurer, arg params.ChangeSecretBackendArg,
+) secretservice.ChangeSecretBackendParams {
 	params := secretservice.ChangeSecretBackendParams{
-		LeaderToken: token,
-		Accessor:    accessor,
-		Data:        arg.Content.Data,
+		LeaderEnsurer: ensurer,
+		Accessor:      accessor,
+		Data:          arg.Content.Data,
 	}
 	if arg.Content.ValueRef != nil {
 		params.ValueRef = &coresecrets.ValueRef{

apiserver/facade/interface.go

@@ -53,9 +53,9 @@ type LeadershipModelContext interface {
 	// context's model.
 	LeadershipReader() (leadership.Reader, error)
 
-	// LeadershipChecker returns a leadership.Checker for this
+	// LeadershipEnsurer returns a leadership.Ensurer for this
 	// context's model.
-	LeadershipChecker() (leadership.Checker, error)
+	LeadershipEnsurer() (leadership.Ensurer, error)
 
 	// SingularClaimer returns a lease.Claimer for singular leases for
 	// this context's model.

apiserver/facades/agent/secretsdrain/register.go

@@ -28,7 +28,7 @@ func newSecretsDrainAPI(stdCtx context.Context, ctx facade.ModelContext) (*commo
 	if !ctx.Auth().AuthUnitAgent() {
 		return nil, apiservererrors.ErrPerm
 	}
-	leadershipChecker, err := ctx.LeadershipChecker()
+	leadershipEnsurer, err := ctx.LeadershipEnsurer()
 	if err != nil {
 		return nil, errors.Trace(err)
 	}
@@ -41,7 +41,7 @@ func newSecretsDrainAPI(stdCtx context.Context, ctx facade.ModelContext) (*commo
 		authTag,
 		ctx.Auth(),
 		ctx.Logger().Child("secretsdrain"),
-		leadershipChecker,
+		leadershipEnsurer,
 		ctx.ModelUUID(),
 		domainServices.Secret(secretservice.SecretServiceParams{
 			BackendUserSecretConfigGetter: secretbackendservice.UserSecretBackendConfigGetterFunc(

apiserver/facades/agent/secretsmanager/register.go

@@ -37,7 +37,7 @@ func NewSecretManagerAPI(stdCtx context.Context, ctx facade.ModelContext) (*Secr
 		return nil, apiservererrors.ErrPerm
 	}
 	domainServices := ctx.DomainServices()
-	leadershipChecker, err := ctx.LeadershipChecker()
+	leadershipChecker, err := ctx.LeadershipEnsurer()
 	if err != nil {
 		return nil, errors.Trace(err)
 	}
@@ -85,7 +85,7 @@ func NewSecretManagerAPI(stdCtx context.Context, ctx facade.ModelContext) (*Secr
 	return &SecretsManagerAPI{
 		authTag:              ctx.Auth().GetAuthTag(),
 		authorizer:           ctx.Auth(),
-		leadershipChecker:    leadershipChecker,
+		leadershipEnsurer:    leadershipChecker,
 		watcherRegistry:      ctx.WatcherRegistry(),
 		secretBackendService: backendService,
 		secretService:        secretService,

apiserver/facades/agent/secretsmanager/secrets.go

@@ -39,7 +39,7 @@ type CrossModelSecretsClient interface {
 // SecretsManagerAPI is the implementation for the SecretsManager facade.
 type SecretsManagerAPI struct {
 	authorizer           facade.Authorizer
-	leadershipChecker    leadership.Checker
+	leadershipEnsurer    leadership.Ensurer
 	secretBackendService SecretBackendService
 	secretService        SecretService
 	watcherRegistry      facade.WatcherRegistry
@@ -87,7 +87,7 @@ func (s *SecretsManagerAPI) getBackendConfigForDrain(ctx context.Context, arg pa
 		Results: make(map[string]params.SecretBackendConfigResult, 1),
 	}
 	appName, _ := names.UnitApplication(s.authTag.Id())
-	token := s.leadershipChecker.LeadershipCheck(appName, s.authTag.Id())
+	token := s.leadershipEnsurer.LeadershipCheck(appName, s.authTag.Id())
 	cfgInfo, err := s.secretBackendService.DrainBackendConfigInfo(ctx, secretbackendservice.DrainBackendConfigParams{
 		GrantedSecretsGetter: s.secretService.ListGrantedSecretsForBackend,
 		LeaderToken:          token,
@@ -123,7 +123,7 @@ func (s *SecretsManagerAPI) getBackendConfigForDrain(ctx context.Context, arg pa
 // GetSecretBackendConfig gets the config needed to create a client to secret backends.
 func (s *SecretsManagerAPI) getSecretBackendConfig(ctx context.Context, backendIDs []string) (map[string]params.SecretBackendConfigResult, string, error) {
 	appName, _ := names.UnitApplication(s.authTag.Id())
-	token := s.leadershipChecker.LeadershipCheck(appName, s.authTag.Id())
+	token := s.leadershipEnsurer.LeadershipCheck(appName, s.authTag.Id())
 	cfgInfo, err := s.secretBackendService.BackendConfigInfo(ctx, secretbackendservice.BackendConfigParams{
 		GrantedSecretsGetter: s.secretService.ListGrantedSecretsForBackend,
 		LeaderToken:          token,
@@ -268,7 +268,7 @@ func secretOwnersFromAuthTag(authTag names.Tag, leadershipChecker leadership.Che
 // GetSecretMetadata returns metadata for the caller's secrets.
 func (s *SecretsManagerAPI) GetSecretMetadata(ctx context.Context) (params.ListSecretResults, error) {
 	var result params.ListSecretResults
-	owners, err := secretOwnersFromAuthTag(s.authTag, s.leadershipChecker)
+	owners, err := secretOwnersFromAuthTag(s.authTag, s.leadershipEnsurer)
 	if err != nil {
 		return result, errors.Trace(err)
 	}
@@ -494,7 +494,7 @@ func (s *SecretsManagerAPI) GetSecretRevisionContentInfo(ctx context.Context, ar
 		ID:   s.authTag.Id(),
 	}
 	appName, _ := names.UnitApplication(s.authTag.Id())
-	token := s.leadershipChecker.LeadershipCheck(appName, s.authTag.Id())
+	token := s.leadershipEnsurer.LeadershipCheck(appName, s.authTag.Id())
 	for i, rev := range arg.Revisions {
 		// TODO(wallworld) - if pendingDelete is true, mark the revision for deletion
 		val, valueRef, err := s.secretService.GetSecretValue(ctx, uri, rev, accessor)
@@ -555,9 +555,9 @@ func (s *SecretsManagerAPI) getSecretContent(ctx context.Context, arg params.Get
 	}
 
 	unitName := s.authTag.Id()
-	appName, _ := names.UnitApplication(unitName)
-	token := s.leadershipChecker.LeadershipCheck(appName, unitName)
-	uri, labelToUpdate, err := s.secretService.ProcessCharmSecretConsumerLabel(ctx, unitName, uri, arg.Label, token)
+	uri, labelToUpdate, err := s.secretService.ProcessCharmSecretConsumerLabel(
+		ctx, unitName, uri, arg.Label, s.leadershipEnsurer,
+	)
 	if err != nil {
 		return nil, nil, false, errors.Trace(err)
 	}
@@ -583,6 +583,9 @@ func (s *SecretsManagerAPI) getSecretContent(ctx context.Context, arg params.Get
 	if err != nil || content.ValueRef == nil {
 		return content, nil, false, errors.Trace(err)
 	}
+
+	appName, _ := names.UnitApplication(unitName)
+	token := s.leadershipEnsurer.LeadershipCheck(appName, unitName)
 	backend, draining, err := s.getBackend(ctx, content.ValueRef.BackendID, accessor, token)
 	return content, backend, draining, errors.Trace(err)
 }
@@ -620,7 +623,7 @@ func (s *SecretsManagerAPI) charmSecretOwnersFromArgs(authTag names.Tag, args pa
 		// Only unit leaders can watch application secrets.
 		if ownerTag.Kind() == names.ApplicationTagKind {
 			appName, _ := names.UnitApplication(authTag.Id())
-			token := s.leadershipChecker.LeadershipCheck(appName, authTag.Id())
+			token := s.leadershipEnsurer.LeadershipCheck(appName, authTag.Id())
 			if err := token.Check(); err != nil {
 				return result, errors.Trace(err)
 			}
@@ -739,15 +742,12 @@ func (s *SecretsManagerAPI) SecretsRotated(ctx context.Context, args params.Secr
 		if err != nil {
 			return errors.Trace(err)
 		}
-		unitName := s.authTag.Id()
-		appName, _ := names.UnitApplication(unitName)
-		token := s.leadershipChecker.LeadershipCheck(appName, unitName)
 		accessor := secretservice.SecretAccessor{
 			Kind: secretservice.UnitAccessor,
-			ID:   unitName,
+			ID:   s.authTag.Id(),
 		}
 		return s.secretsTriggers.SecretRotated(ctx, uri, secretservice.SecretRotatedParams{
-			LeaderToken:      token,
+			LeaderEnsurer:    s.leadershipEnsurer,
 			Accessor:         accessor,
 			OriginalRevision: arg.OriginalRevision,
 			Skip:             arg.Skip,

apiserver/facades/agent/secretsmanager/service.go

@@ -5,8 +5,8 @@ package secretsmanager
 
 import (
 	"context"
-
 	"github.com/juju/juju/core/leadership"
+
 	"github.com/juju/juju/core/secrets"
 	"github.com/juju/juju/core/watcher"
 	secretservice "github.com/juju/juju/domain/secret/service"
@@ -42,7 +42,7 @@ type SecretService interface {
 	GetSecretValue(context.Context, *secrets.URI, int, secretservice.SecretAccessor) (secrets.SecretValue, *secrets.ValueRef, error)
 	ListCharmSecrets(context.Context, ...secretservice.CharmSecretOwner) ([]*secrets.SecretMetadata, [][]*secrets.SecretRevisionMetadata, error)
 	ProcessCharmSecretConsumerLabel(
-		ctx context.Context, unitName string, uri *secrets.URI, label string, token leadership.Token,
+		ctx context.Context, unitName string, uri *secrets.URI, label string, ensurer leadership.Ensurer,
 	) (*secrets.URI, *string, error)
 	ChangeSecretBackend(ctx context.Context, uri *secrets.URI, revision int, params secretservice.ChangeSecretBackendParams) error
 	GetSecretGrants(ctx context.Context, uri *secrets.URI, role secrets.SecretRole) ([]secretservice.SecretAccess, error)

apiserver/facades/agent/uniter/register.go

@@ -81,7 +81,7 @@ func newUniterAPIWithServices(
 	aClock := context.StatePool().Clock()
 	resources := context.Resources()
 	watcherRegistry := context.WatcherRegistry()
-	leadershipChecker, err := context.LeadershipChecker()
+	leadershipEnsurer, err := context.LeadershipEnsurer()
 	if err != nil {
 		return nil, errors.Trace(err)
 	}
@@ -136,11 +136,11 @@ func newUniterAPIWithServices(
 		ModelConfigWatcher:         common.NewModelConfigWatcher(modelConfigService, context.WatcherRegistry()),
 		RebootRequester:            common.NewRebootRequester(machineService, accessMachine),
 		UnitStateAPI:               common.NewExternalUnitStateAPI(controllerConfigService, unitStateService, st, resources, authorizer, accessUnit, logger),
-		LeadershipSettingsAccessor: leadershipSettingsAccessorFactory(st, leadershipChecker, resources, authorizer),
+		LeadershipSettingsAccessor: leadershipSettingsAccessorFactory(st, leadershipEnsurer, resources, authorizer),
 		lxdProfileAPI:              NewExternalLXDProfileAPIv2(st, machineService, context.WatcherRegistry(), authorizer, accessUnit, logger, modelInfoService),
 		// TODO(fwereade): so *every* unit should be allowed to get/set its
 		// own status *and* its application's? This is not a pleasing arrangement.
-		StatusAPI: NewStatusAPI(m, accessUnitOrApplication, leadershipChecker),
+		StatusAPI: NewStatusAPI(m, accessUnitOrApplication, leadershipEnsurer),
 
 		m:                       m,
 		st:                      st,
@@ -158,7 +158,7 @@ func newUniterAPIWithServices(
 		clock:                   aClock,
 		auth:                    authorizer,
 		resources:               resources,
-		leadershipChecker:       leadershipChecker,
+		leadershipEnsurer:       leadershipEnsurer,
 		leadershipRevoker:       leadershipRevoker,
 		accessUnit:              accessUnit,
 		accessApplication:       accessApplication,