From b4d9a690f9378f794a0ebc910a2d2c80ff4d8f1b Mon Sep 17 00:00:00 2001
From: Michael Jerger
Date: Wed, 11 Dec 2024 19:48:23 +0100
Subject: [PATCH] credential-rotation now works
---
 infrastructure/backup/image/Dockerfile | 6 +-
 .../backup/image/resources2/test.bb | 78 +++++++++++++++----
 infrastructure/backup/test/resources/test.bb | 50 +++++++++---
 src/dda/backup/cred_rot.clj | 4 +-
 4 files changed, 108 insertions(+), 30 deletions(-)
diff --git a/infrastructure/backup/image/Dockerfile b/infrastructure/backup/image/Dockerfile
index bb0759a..87344ab 100644
--- a/infrastructure/backup/image/Dockerfile
+++ b/infrastructure/backup/image/Dockerfile
@@ -5,6 +5,6 @@ ADD resources /tmp/
 RUN /tmp/install.sh
 ADD local/ /usr/local/lib/dda-backup
 RUN init-bb.bb
-ADD resources2 /tmp/
-RUN install -m 0700 -o root -g root /tmp/test.bb /usr/local/bin/
-RUN test.bb
+#ADD resources2 /tmp/
+#RUN install -m 0700 -o root -g root /tmp/test.bb /usr/local/bin/
+#RUN test.bb
diff --git a/infrastructure/backup/image/resources2/test.bb b/infrastructure/backup/image/resources2/test.bb
index 7f2eecc..fd4c043 100755
--- a/infrastructure/backup/image/resources2/test.bb
+++ b/infrastructure/backup/image/resources2/test.bb
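Review bot: The three `resources2`/`test.bb` build steps in the Dockerfile hunk are commented out rather than deleted, which leaves dead instructions that can be switched back on by accident. The old steps ran a script that, per its removed lines later in this patch, wrote test password files and a test repository during the image build, so dropping them is the safer direction. I would remove the lines outright and, if a pointer is wanted, keep one comment such as `# test.bb is run from infrastructure/backup/test, not during the image build`. Whether the test setup under `infrastructure/backup/test` now covers what this build step checked is not visible in this hunk.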
@@ -1,35 +1,87 @@ #!/usr/bin/env bb (require '[babashka.tasks :as tasks] + '[dda.backup.core :as bc] '[dda.backup.cred-rot :as cr] '[dda.backup.restic :as rc] - '[dda.backup.postgresql :as pg]) + '[dda.backup.postgresql :as pg] + '[dda.backup.backup :as bak] + '[dda.backup.restore :as rs]) (def restic-repo {:password-file "restic-pwd" - :restic-repository "restic-repo"}) + :restic-repository "/restic-repo"}) (def file-config (merge restic-repo {:backup-path "files" - :files ["test-backup"] - :restore-target-directory "test-restore"})) + :files ["/test-backup"] + :restore-target-directory "/test-restore"})) -(def cred-config (merge restic-repo - {:new-password-config {:new-password-file "new-pw" + +(def db-config (merge restic-repo {:backup-path "db" + :pg-db "mydb" + :pg-user "user" + :pg-password "password"})) + +(def cred-config (merge file-config + {:restic-repository "/restic-repo/files" + :new-password-config {:new-password-file "new-pw" :valid-from "2024-12-12 00:00:00"}})) + (def dry-run {:dry-run true :debug true}) (defn prepare! [] - (spit "restic-pwd" "thePassword") - (spit "new-pw" "newPassword") - (tasks/shell "mkdir" "-p" "test-backup") - (spit "test-backup/file" "I was here") - (tasks/shell "mkdir" "-p" "test-restore")) + (spit "/tmp/file_password" "file-password") + + (spit "/restic-pwd" "ThePassword") + (spit "/new-pw" "newPassword") + + (tasks/shell "mkdir" "-p" "/test-backup") + (spit "/test-backup/file" "I was here") + (tasks/shell "mkdir" "-p" "/test-restore") + (pg/create-pg-pass! db-config)) + +(defn check-env-or-file + [] + (println "check-env-or-file") + (println (bc/env-or-file "FILE_PASSWORD")) + (println (bc/env-or-file "ENV_PASSWORD"))) (defn restic-repo-init! [] - (rc/init! restic-repo)) + (println "restic-repo-init!") + (rc/init! file-config) + (rc/init! (merge db-config dry-run))) + +(defn restic-backup! + [] + (println "restic-backup!") + (bak/backup-file! file-config) + (bak/backup-db! 
(merge db-config dry-run))) + +(defn list-snapshots! + [] + (println "list-snapshots!") + (rc/list-snapshots! file-config) + (rc/list-snapshots! (merge db-config dry-run))) + + +(defn restic-restore! + [] + (println "restic-restore!") + (rs/restore-file! file-config) + (pg/drop-create-db! (merge db-config dry-run)) + (rs/restore-db! (merge db-config dry-run))) + +(defn change-password! + [] + (println "change-password!") + (cr/change-password! cred-config)) + (prepare!) (restic-repo-init!) -(cr/change-password! cred-config) +(restic-backup!) +(list-snapshots!) +(restic-restore!) +(change-password!) diff --git a/infrastructure/backup/test/resources/test.bb b/infrastructure/backup/test/resources/test.bb index 7883125..0e3c983 100755 --- a/infrastructure/backup/test/resources/test.bb +++ b/infrastructure/backup/test/resources/test.bb @@ -2,17 +2,18 @@ (require '[babashka.tasks :as tasks] '[dda.backup.core :as bc] + '[dda.backup.cred-rot :as cr] '[dda.backup.restic :as rc] '[dda.backup.postgresql :as pg] '[dda.backup.backup :as bak] '[dda.backup.restore :as rs]) (def restic-repo {:password-file "restic-pwd" - :restic-repository "restic-repo"}) + :restic-repository "/restic-repo"}) (def file-config (merge restic-repo {:backup-path "files" - :files ["test-backup"] - :restore-target-directory "test-restore"})) + :files ["/test-backup"] + :restore-target-directory "/test-restore"})) (def db-config (merge restic-repo {:backup-path "db" 
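Review bot: `prepare!` now writes the password files to `/restic-pwd` and `/new-pw`, but `restic-repo` still has `:password-file "restic-pwd"` and `cred-config` has `:new-password-file "new-pw"`, so the script finds them only when it runs with `/` as its working directory. Make the config paths absolute as well: `:password-file "/restic-pwd"` and `:new-password-file "/new-pw"`. The same mismatch is in `infrastructure/backup/test/resources/test.bb` (hunks `@@ -2,17 +2,18 @@` and `@@ -20,43 +21,68 @@`). In this file `check-env-or-file` is also defined but never called in the run list at the bottom; either call it after `(prepare!)` as the other test.bb does, or drop it.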
@@ -20,43 +21,68 @@ :pg-user "user" :pg-password "password"})) +(def cred-config (merge file-config + {:restic-repository "/restic-repo/files" + :new-password-config {:new-password-file "new-pw" + :valid-from "2024-12-12 00:00:00"}})) + + (def dry-run {:dry-run true :debug true}) (defn prepare! [] (spit "/tmp/file_password" "file-password") - (println (bc/env-or-file "FILE_PASSWORD")) - (println (bc/env-or-file "ENV_PASSWORD")) - (spit "restic-pwd" "ThePassword") - (tasks/shell "mkdir" "-p" "test-backup") - (spit "test-backup/file" "I was here") - (tasks/shell "mkdir" "-p" "test-restore") + + (spit "/restic-pwd" "ThePassword") + (spit "/new-pw" "newPassword") + + (tasks/shell "mkdir" "-p" "/test-backup") + (spit "/test-backup/file" "I was here") + (tasks/shell "mkdir" "-p" "/test-restore") (pg/create-pg-pass! db-config)) +(defn check-env-or-file + [] + (println "check-env-or-file") + (println (bc/env-or-file "FILE_PASSWORD")) + (println (bc/env-or-file "ENV_PASSWORD"))) + (defn restic-repo-init! - [] + [] + (println "restic-repo-init!") (rc/init! file-config) (rc/init! (merge db-config dry-run))) (defn restic-backup! - [] + [] + (println "restic-backup!") (bak/backup-file! file-config) (bak/backup-db! (merge db-config dry-run))) (defn list-snapshots! [] + (println "list-snapshots!") (rc/list-snapshots! file-config) (rc/list-snapshots! (merge db-config dry-run))) (defn restic-restore! - [] + [] + (println "restic-restore!") (rs/restore-file! file-config) (pg/drop-create-db! (merge db-config dry-run)) (rs/restore-db! (merge db-config dry-run))) +(defn change-password! + [] + (println "change-password!") + (cr/change-password! cred-config)) + + (prepare!) +(check-env-or-file) (restic-repo-init!) (restic-backup!) (list-snapshots!) (restic-restore!) +(change-password!) diff --git a/src/dda/backup/cred_rot.clj b/src/dda/backup/cred_rot.clj index 4d8cce0..a8476ab 100644 --- a/src/dda/backup/cred_rot.clj +++ b/src/dda/backup/cred_rot.clj 
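Review bot: `cred-config` pins `:valid-from "2024-12-12 00:00:00"`, one day after this commit's date, so the branch that `change-password!` takes presumably depends on when the test is run. If the rotation step compares this value with the current time, a run before that date exercises only the waiting branch and later runs only the set-new-password branch, and neither result is asserted. Derive the timestamp from the current time (one config in the past, one in the future) and check the returned action, with a comment such as `;; valid-from in the past: expect :set-new-pwd`. Note also that `cred_rot.clj` destructures `replace-until` from `:new-password-config`, which this config does not supply; whether that key is optional is not visible here.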
@@ -20,7 +20,7 @@ [config ::cred-rot] (i/execute-out! (domain/list-passwords-command config) config)) -(defn-spec change-password-step! nil? +(defn-spec change-password-step! ::domain/set-password-action [config ::cred-rot] (when-some [new-password-config (:new-password-config config)] (let [{:keys [new-password-file replace-until]} new-password-config @@ -31,7 +31,7 @@ config)] (cond (= action :wait-for-new-pwd) - (println "wait till new password is valid") + (println "nothing to do.") (= action :set-new-pwd) (i/execute! (domain/add-password-command config) config) (= action :remove-old-pwd)
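Review bot: The return spec of `change-password-step!` is now `::domain/set-password-action`, but the body is wrapped in `when-some`, so a config without `:new-password-config` still returns nil, and the `cond` branches visible in the next hunk end in `println` (nil) or `i/execute!` rather than in the action. The body runs past both hunks, so it cannot be confirmed here whether `action` is returned after the `cond` or whether the spec is nilable; if neither holds, the declared spec does not describe what callers get and an instrumented call would be rejected. I would return `action` explicitly as the last form inside the `let` and declare the result with a nilable spec, for example `(s/nilable ::domain/set-password-action)` if `clojure.spec.alpha` is aliased as `s` in this namespace. A one-line docstring saying that the function returns the action taken, or nil when no rotation is configured, would make the contract clear.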