add password rotation to generation

2025-01-13 17:20:58 +01:00 · 2025-01-13 17:20:58 +01:00 · aa0d8d3a2e
commit aa0d8d3a2e
parent 6f61c7dd7b
4 changed files with 38 additions and 19 deletions
--- a/src/main/cljc/dda/c4k_forgejo/backup.cljc
+++ b/src/main/cljc/dda/c4k_forgejo/backup.cljc
@ -1,17 +1,18 @@
 (ns dda.c4k-forgejo.backup
- (:require
-  [clojure.spec.alpha :as s]
-  #?(:clj [orchestra.core :refer [defn-spec]]
-     :cljs [orchestra.core :refer-macros [defn-spec]])
-  [dda.c4k-common.yaml :as yaml]
-  [dda.c4k-common.base64 :as b64]
-  [dda.c4k-common.common :as cm]
-  [dda.c4k-common.predicate :as p]
-  #?(:cljs [dda.c4k-common.macros :refer-macros [inline-resources]])))
+  (:require
+   [clojure.spec.alpha :as s]
+   #?(:clj [orchestra.core :refer [defn-spec]]
+      :cljs [orchestra.core :refer-macros [defn-spec]])
+   [dda.c4k-common.yaml :as yaml]
+   [dda.c4k-common.base64 :as b64]
+   [dda.c4k-common.common :as cm]
+   [dda.c4k-common.predicate :as p]
+   #?(:cljs [dda.c4k-common.macros :refer-macros [inline-resources]])))

 (s/def ::aws-access-key-id p/bash-env-string?)
 (s/def ::aws-secret-access-key p/bash-env-string?)
 (s/def ::restic-password p/bash-env-string?)
+(s/def ::restic-new-password p/bash-env-string?)
 (s/def ::restic-repository p/bash-env-string?)

 (s/def ::config (s/keys :req-un [::restic-repository]))
@ -32,17 +33,20 @@

 (defn-spec generate-cron p/map-or-seq?
  []
-   (yaml/from-string (yaml/load-resource "backup/cron.yaml")))
+  (yaml/from-string (yaml/load-resource "backup/cron.yaml")))

 (defn-spec generate-backup-restore-deployment p/map-or-seq?
  [my-conf ::config]
  (yaml/from-string (yaml/load-resource "backup/backup-restore-deployment.yaml")))

 (defn-spec generate-secret p/map-or-seq?
-  [my-auth ::auth]
-  (let [{:keys [aws-access-key-id aws-secret-access-key restic-password]} my-auth]
-    (->
-     (yaml/from-string (yaml/load-resource "backup/secret.yaml"))
-     (cm/replace-key-value :aws-access-key-id (b64/encode aws-access-key-id))
-     (cm/replace-key-value :aws-secret-access-key (b64/encode aws-secret-access-key))
-     (cm/replace-key-value :restic-password (b64/encode restic-password)))))
+  [auth ::auth]
+  (let [{:keys [aws-access-key-id aws-secret-access-key 
+                restic-password restic-new-password]} auth]
+    (as-> (yaml/from-string (yaml/load-resource "backup/secret.yaml")) res
+      (cm/replace-key-value res :aws-access-key-id (b64/encode aws-access-key-id))
+      (cm/replace-key-value res :aws-secret-access-key (b64/encode aws-secret-access-key))
+      (cm/replace-key-value res :restic-password (b64/encode restic-password))
+      (if (contains? auth :restic-new-password)
+        (assoc-in res [:data :restic-new-password] (b64/encode restic-new-password))
+        res))))
--- a/src/main/cljc/dda/c4k_forgejo/core.cljc
+++ b/src/main/cljc/dda/c4k_forgejo/core.cljc
@ -43,6 +43,7 @@
                            ::forgejo/mailer-user ::forgejo/mailer-pw
                            ::backup/aws-access-key-id ::backup/aws-secret-access-key]
                   :opt-un [::backup/restic-password
+                            ::backup/restic-new-password
                            ::mon/mon-auth]))

 (defn-spec config-objects p/map-or-seq?
--- a/src/test/cljc/dda/c4k_forgejo/backup_test.cljc
+++ b/src/test/cljc/dda/c4k_forgejo/backup_test.cljc
@ -19,7 +19,20 @@
           :restic-password "cmVzdGljLXB3"}}
         (cut/generate-secret {:aws-access-key-id "aws-id"
                               :aws-secret-access-key "aws-secret"
-                               :restic-password "restic-pw"}))))
+                               :restic-password "restic-pw"})))
+  (is (= {:apiVersion "v1",
+          :kind "Secret",
+          :metadata {:name "backup-secret", :namespace "forgejo"},
+          :type "Opaque",
+          :data
+          {:aws-access-key-id "YXdzLWlk",
+           :aws-secret-access-key "YXdzLXNlY3JldA==",
+           :restic-password "b2xk",
+           :restic-new-password "bmV3"}}
+         (cut/generate-secret {:aws-access-key-id "aws-id"
+                               :aws-secret-access-key "aws-secret"
+                               :restic-password "old"
+                               :restic-new-password "new"}))))

 (deftest should-generate-backup-config
  (testing "federated"
--- a/src/test/resources/forgejo-test/valid-auth.yaml
+++ b/src/test/resources/forgejo-test/valid-auth.yaml
@ -4,7 +4,8 @@ mailer-user: ""
 mailer-pw: ""
 aws-access-key-id: "AWS_KEY_ID"
 aws-secret-access-key: "AWS_KEY_SECRET"
-restic-password: ""
+restic-password: "old"
+restic-new-password: "new"
 mon-auth: 
  grafana-cloud-user: "user"
  grafana-cloud-password: "password"