diff --git a/docs/CredentialRotation.md b/docs/CredentialRotation.md
index e584238..833e5df 100644
--- a/docs/CredentialRotation.md
+++ b/docs/CredentialRotation.md
@@ -6,9 +6,8 @@ stateDiagram-v2
 noAction: no-pwd-change-needed
 wait: wait-for-new-pwd
- new: set-new-pwd
- removeOld: remove-old-pwd
- finished: new-pwd-change-finished
+ new: change-pwd
+ finished: pwd-change-finished
 state configExist? <>
 state valid? <>
 state finished? <>
@@ -20,8 +19,7 @@ stateDiagram-v2
 valid? --> wait
 finished? --> finished: current > valid-from?
 finished? --> new
- new --> removeOld
- removeOld --> [*]
+ new --> [*]
 finished --> [*]
 noAction --> [*]
 wait --> [*]
@@ -113,7 +111,7 @@ Validation:
 Steps to perform:
 - Add new password
-- `restic -r key add --new-password-file `
+- `restic -r --new-password-file key passwd`
 #### New password has been added
diff --git a/infrastructure/backup/image/resources2/change-password.bb b/infrastructure/backup/image/resources2/change-password.bb
new file mode 100755
index 0000000..c2c89d7
--- /dev/null
+++ b/infrastructure/backup/image/resources2/change-password.bb
@@ -0,0 +1,33 @@
+#!/usr/bin/env bb
+
+(require '[dda.backup.cred-rot :as cr])
+
+(def restic-repo {:password-file "/restic-pwd"
+ :restic-repository "/restic-repo"})
+
+(def file-config (merge restic-repo {:backup-path "files"
+ :files ["/test-backup"]
+ :restore-target-directory "/test-restore"}))
+
+(def cred-config (merge file-config
+ {:restic-repository "/restic-repo/files"
+ :new-password-config {:new-password-file "/new-pw"
+ :valid-from "2024-12-12 00:00:00"}}))
+
+
+(def dry-run {:dry-run true :debug true})
+
+(defn prepare!
+ []
+ (spit "/restic-pwd" "ThePassword")
+ (spit "/new-pw" "newPassword"))
+
+
+(defn change-password!
+ []
+ (println "change-password!")
+ (cr/change-password! cred-config))
+
+
+(prepare!)
+(change-password!)
diff --git a/src/dda/backup/cred_rot.clj b/src/dda/backup/cred_rot.clj
index a8476ab..a5729b6 100644
--- a/src/dda/backup/cred_rot.clj
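Review bot: `prepare!` writes both the current and the new repository password with `spit`, which creates `/restic-pwd` and `/new-pw` with the process's default, umask-dependent permissions, so the secret files can end up group- or world-readable inside the image. Tightening them right after writing, e.g. `(fs/set-posix-file-permissions "/new-pw" "rw-------")` together with `(require '[babashka.fs :as fs])`, keeps them owner-only. The literal `ThePassword`/`newPassword` values look like throwaway fixtures for the image self-test; a comment such as `;; fixture passwords for the image self-test, not real secrets` above `prepare!` would make that explicit. `dry-run` is defined but never referenced in this script.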
+++ b/src/dda/backup/cred_rot.clj
@@ -23,8 +23,7 @@
 (defn-spec change-password-step! ::domain/set-password-action
 [config ::cred-rot]
 (when-some [new-password-config (:new-password-config config)]
- (let [{:keys [new-password-file replace-until]} new-password-config
- initial-passwords-list (domain/parse-response (list-passwords! config))
+ (let [initial-passwords-list (domain/parse-response (list-passwords! config))
 action (domain/set-new-password-action
 (ld/now)
 initial-passwords-list
@@ -32,14 +31,8 @@
 (cond
 (= action :wait-for-new-pwd)
 (println "nothing to do.")
- (= action :set-new-pwd)
- (i/execute! (domain/add-password-command config) config)
- (= action :remove-old-pwd)
- (i/execute! (domain/remove-password-command
- config
- (:id (first initial-passwords-list))
- (:id (last initial-passwords-list)))
- config)
+ (= action :change-pwd)
+ (i/execute! (domain/change-password-command config) config)
 (= action :new-pwd-change-finished)
 (println "pw-change sucessfull")
 (= action :no-pwd-change-needed)
diff --git a/src/dda/backup/cred_rot/domain.clj b/src/dda/backup/cred_rot/domain.clj
index 893222d..5ac8224 100644
--- a/src/dda/backup/cred_rot/domain.clj
+++ b/src/dda/backup/cred_rot/domain.clj
@@ -41,8 +41,7 @@
 (s/def ::response (s/coll-of ::entry))
 (s/def ::set-password-action #{:error-parse-password :error-undefined
- :wait-for-new-pwd :set-new-pwd :remove-old-pwd
- :new-pwd-change-finished :no-pwd-change-needed})
+ :wait-for-new-pwd :change-pwd :pwd-change-finished :no-pwd-change-needed})
 (s/def ::valid-from timestamp-string?)
 (s/def ::new-password-file string?)
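Review bot: The `(= action :new-pwd-change-finished)` branch kept as context in this hunk is now unreachable: the `::set-password-action` spec in domain.clj (further down this line) drops that keyword and `set-new-password-action` (domain.clj, next line) returns `:pwd-change-finished`, so a completed rotation falls through to the `cond`'s tail instead of printing "pw-change sucessfull". Rename the test to `(= action :pwd-change-finished)`; the message string could also lose its typo (`sucessfull`). The `cond` continues outside the hunk, so what the fall-through currently produces is not visible here. In the preceding hunk, `new-password-config` bound by `when-some` appears to have no remaining use inside the `let` once the destructuring was removed; worth confirming against the lines past that hunk.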
@@ -74,16 +73,10 @@
 [config ::config]
 (base-command config ["key" "list" "--json"]))
-(defn-spec add-password-command ::cd/command
+(defn-spec change-password-command ::cd/command
 [config ::config]
- (let [{:keys [new-password-file]} config]
- [(base-command config ["key" "add" "--new-password-file" new-password-file])]))
-
-(defn-spec remove-password-command ::cd/command
- [config ::config
- new-id ::id
- old-id ::id]
- [(base-command config ["key" "remove" "--key-hint" new-id old-id])])
+ (let [{:keys [new-password-file]} (:new-password-config config)]
+ [(base-command config ["--new-password-file" new-password-file "key" "passwd"])]))
 (defn-spec parse-response ::response
 [response string?]
@@ -107,17 +100,12 @@
 (and (<= 0 (compare current-date valid-from-date))
 (= 1 (count parsed-response))
 (> 0 (compare (:created (last parsed-response)) valid-from-date)))
- :set-new-pwd
- (and (<= 0 (compare current-date valid-from-date))
- (= 2 (count parsed-response))
- (<= 0 (compare (:created (last parsed-response)) valid-from-date))
- (not (:current (last parsed-response))))
- :remove-old-pwd
+ :change-pwd
 (and (<= 0 (compare current-date valid-from-date))
 (= 1 (count parsed-response))
 (<= 0 (compare (:created (last parsed-response)) valid-from-date))
 (:current (last parsed-response)))
- :new-pwd-change-finished
+ :pwd-change-finished
 :else :error-undefined))
 :no-pwd-change-needed))
diff --git a/test/dda/backup/cred_rot/domain_test.clj b/test/dda/backup/cred_rot/domain_test.clj
index e713f67..48222f9 100644
--- a/test/dda/backup/cred_rot/domain_test.clj
+++ b/test/dda/backup/cred_rot/domain_test.clj
@@ -72,7 +72,7 @@
 :created (ld/parse "2023-01-01 00:00:00" cut/timestamp-formatter)}]
 {:new-password-config {:new-password-file "new-pw-file"
 :valid-from "2024-11-29 12:00:16"}})))
- (is (= :set-new-pwd
+ (is (= :change-pwd
 (cut/set-new-password-action
 (ld/parse "2024-11-29 13:16:54" cut/timestamp-formatter)
 [{:current true
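Review bot: `change-password-command` has no docstring, and it changes the failure mode of the rotation: `restic key passwd` rewrites the only key in place, so the password behind the caller's `:password-file` stops opening the repository as soon as this command succeeds, and nothing in this diff swaps that file before `change-password-step!` calls `list-passwords!` again on the following run (the run meant to report `:pwd-change-finished`). If that swap happens outside the diff it should be named here; otherwise it is a missing step. A docstring along the lines of `"Builds the restic command that replaces the current key's password with the contents of :new-password-file (restic key passwd). Afterwards only the new password opens the repository, so the caller must switch :password-file to it."` would record that contract. In the following hunk, the `:pwd-change-finished` guard checks `(:current (last parsed-response))` while the `:change-pwd` guard does not; with the shared `(= 1 (count parsed-response))` condition the check is redundant, so aligning the two branches would make them easier to compare.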
@@ -83,23 +83,7 @@
 {:new-password-config {:new-password-file "new-pw-file"
 :valid-from "2024-11-29 12:00:16"}})))
- (is (= :remove-old-pwd
- (cut/set-new-password-action
- (ld/parse "2024-11-29 13:16:55" cut/timestamp-formatter)
- [{:current true
- :id "a1"
- :userName "root"
- :hostName "host"
- :created (ld/parse "2023-01-01 00:00:00" cut/timestamp-formatter)}
- {:current false
- :id "a2"
- :userName "root"
- :hostName "host"
- :created (ld/parse "2024-11-29 13:16:54" cut/timestamp-formatter)}]
- {:new-password-config {:new-password-file "new-pw-file"
- :valid-from "2024-11-29 12:00:16"}})))
-
- (is (= :new-pwd-change-finished
+ (is (= :pwd-change-finished
 (cut/set-new-password-action
 (ld/parse "2024-11-29 13:16:55" cut/timestamp-formatter)
 [{:current true