dda-backup/docs/CredentialRotation.md

130 lines
2.4 KiB
Markdown
Raw Normal View History

2024-10-18 13:55:32 +00:00
# Credential Rotation
2024-12-11 10:16:06 +00:00
## change password step
```mermaid
stateDiagram-v2
noAction: no-pwd-change-needed
wait: wait-for-new-pwd
2024-12-14 17:26:09 +00:00
new: change-pwd
finished: pwd-change-finished
2024-12-11 10:16:06 +00:00
state configExist? <<choice>>
state valid? <<choice>>
state finished? <<choice>>
[*] --> configExist?
configExist? --> valid?: new-password-config-exist?
configExist? --> noAction
valid? --> finished?: valid-from > now?
valid? --> wait
finished? --> finished: current > valid-from?
finished? --> new
2024-12-14 17:26:09 +00:00
new --> [*]
2024-12-11 10:16:06 +00:00
finished --> [*]
noAction --> [*]
wait --> [*]
```
2024-10-18 13:55:32 +00:00
## Example Data
Default
```json
[{
"current": true,
"id": "521e0760",
"userName": "root",
"hostName": "backup-restore-65bd9b6ff5-z69sn",
"created": "2024-10-18 13:08:16"
}]
```
Add another password
```json
[
{
"current": true,
"id": "521e0760",
"userName": "root",
"hostName": "backup-restore-65bd9b6ff5-z69sn",
"created": "2024-10-18 13:08:16"
},
{
"current": false,
"id": "b67161fb",
"userName": "root",
"hostName": "backup-restore-65bd9b6ff5-z69sn",
"created": "2024-10-18 13:16:54"
}
]
```
Change current password
```json
[
{
"current": false,
"id": "521e0760",
"userName": "root",
"hostName": "backup-restore-65bd9b6ff5-z69sn",
"created": "2024-10-18 13:08:16"
},
{
"current": true,
"id": "b67161fb",
"userName": "root",
"hostName": "backup-restore-65bd9b6ff5-z69sn",
"created": "2024-10-18 13:16:54"
}
]
```
Remove old password
```json
[
{
"current": true,
"id": "b67161fb",
"userName": "root",
"hostName": "backup-restore-65bd9b6ff5-z69sn",
"created": "2024-10-18 13:16:54"
}
]
```
## Steps
Steps need to be validated and performed seperately and work independently of each other.
To avoid problems where the program is shut down mid-transition.
### Stages
#### Initial State
Validation:
- Detect change requested: new password file environment is set
Steps to perform:
- Add new password
2024-12-14 17:26:09 +00:00
- `restic -r <repo> --new-password-file <file> key passwd`
2024-10-18 13:55:32 +00:00
#### New password has been added
Validation:
- List of passwords has 2 entries
- The password with the newer timestamp is not set as "current"
Steps to perform:
- Extract id of new password
- Extract id of old password
- Remove old password in favour of new one
- `restic -r <repo> key remove --key-hint <new-id> <old-id>`
- Unset new password file environment