credential-rotation #1
5 changed files with 48 additions and 52 deletions
|
@ -6,9 +6,8 @@
|
|||
stateDiagram-v2
|
||||
noAction: no-pwd-change-needed
|
||||
wait: wait-for-new-pwd
|
||||
new: set-new-pwd
|
||||
removeOld: remove-old-pwd
|
||||
finished: new-pwd-change-finished
|
||||
new: change-pwd
|
||||
finished: pwd-change-finished
|
||||
state configExist? <<choice>>
|
||||
state valid? <<choice>>
|
||||
state finished? <<choice>>
|
||||
|
@ -20,8 +19,7 @@ stateDiagram-v2
|
|||
valid? --> wait
|
||||
finished? --> finished: current > valid-from?
|
||||
finished? --> new
|
||||
new --> removeOld
|
||||
removeOld --> [*]
|
||||
new --> [*]
|
||||
finished --> [*]
|
||||
noAction --> [*]
|
||||
wait --> [*]
|
||||
|
@ -113,7 +111,7 @@ Validation:
|
|||
Steps to perform:
|
||||
|
||||
- Add new password
|
||||
- `restic -r <repo> key add --new-password-file <file>`
|
||||
- `restic -r <repo> --new-password-file <file> key passwd`
|
||||
|
||||
#### New password has been added
|
||||
|
||||
|
|
33
infrastructure/backup/image/resources2/change-password.bb
Executable file
33
infrastructure/backup/image/resources2/change-password.bb
Executable file
|
@ -0,0 +1,33 @@
|
|||
#!/usr/bin/env bb
|
||||
|
||||
(require '[dda.backup.cred-rot :as cr])
|
||||
|
||||
(def restic-repo {:password-file "/restic-pwd"
|
||||
:restic-repository "/restic-repo"})
|
||||
|
||||
(def file-config (merge restic-repo {:backup-path "files"
|
||||
:files ["/test-backup"]
|
||||
:restore-target-directory "/test-restore"}))
|
||||
|
||||
(def cred-config (merge file-config
|
||||
{:restic-repository "/restic-repo/files"
|
||||
:new-password-config {:new-password-file "/new-pw"
|
||||
:valid-from "2024-12-12 00:00:00"}}))
|
||||
|
||||
|
||||
(def dry-run {:dry-run true :debug true})
|
||||
|
||||
(defn prepare!
|
||||
[]
|
||||
(spit "/restic-pwd" "ThePassword")
|
||||
(spit "/new-pw" "newPassword"))
|
||||
|
||||
|
||||
(defn change-password!
|
||||
[]
|
||||
(println "change-password!")
|
||||
(cr/change-password! cred-config))
|
||||
|
||||
|
||||
(prepare!)
|
||||
(change-password!)
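Review bot: `dry-run` is defined on the line `(def dry-run {:dry-run true :debug true})` but never reaches `cr/change-password!`, so the final `(change-password!)` call rotates the key of `/restic-repo/files` for real while the def suggests a rehearsal was intended; either pass it, `(cr/change-password! (merge cred-config dry-run))`, or drop the def so the script's intent is unambiguous. `prepare!` also writes both the current and the new repository password with `spit`, which creates `/restic-pwd` and `/new-pw` under whatever umask the container process has; if this fixture script ships in the image, consider tightening the files after writing them or noting in a comment that the values are throwaway test credentials. A one-line header comment such as `;; integration fixture: seeds throwaway passwords and runs one rotation step against a local test repo` would make that clear to the next reader.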
|
|
@ -23,8 +23,7 @@
|
|||
(defn-spec change-password-step! ::domain/set-password-action
|
||||
[config ::cred-rot]
|
||||
(when-some [new-password-config (:new-password-config config)]
|
||||
(let [{:keys [new-password-file replace-until]} new-password-config
|
||||
initial-passwords-list (domain/parse-response (list-passwords! config))
|
||||
(let [initial-passwords-list (domain/parse-response (list-passwords! config))
|
||||
action (domain/set-new-password-action
|
||||
(ld/now)
|
||||
initial-passwords-list
|
||||
|
@ -32,14 +31,8 @@
|
|||
(cond
|
||||
(= action :wait-for-new-pwd)
|
||||
(println "nothing to do.")
|
||||
(= action :set-new-pwd)
|
||||
(i/execute! (domain/add-password-command config) config)
|
||||
(= action :remove-old-pwd)
|
||||
(i/execute! (domain/remove-password-command
|
||||
config
|
||||
(:id (first initial-passwords-list))
|
||||
(:id (last initial-passwords-list)))
|
||||
config)
|
||||
(= action :change-pwd)
|
||||
(i/execute! (domain/change-password-command config) config)
|
||||
(= action :new-pwd-change-finished)
|
||||
(println "pw-change sucessfull")
|
||||
(= action :no-pwd-change-needed)
|
||||
|
|
|
@ -41,8 +41,7 @@
|
|||
(s/def ::response (s/coll-of ::entry))
|
||||
|
||||
(s/def ::set-password-action #{:error-parse-password :error-undefined
|
||||
:wait-for-new-pwd :set-new-pwd :remove-old-pwd
|
||||
:new-pwd-change-finished :no-pwd-change-needed})
|
||||
:wait-for-new-pwd :change-pwd :pwd-change-finished :no-pwd-change-needed})
|
||||
|
||||
(s/def ::valid-from timestamp-string?)
|
||||
(s/def ::new-password-file string?)
|
||||
|
@ -74,16 +73,10 @@
|
|||
[config ::config]
|
||||
(base-command config ["key" "list" "--json"]))
|
||||
|
||||
(defn-spec add-password-command ::cd/command
|
||||
(defn-spec change-password-command ::cd/command
|
||||
[config ::config]
|
||||
(let [{:keys [new-password-file]} config]
|
||||
[(base-command config ["key" "add" "--new-password-file" new-password-file])]))
|
||||
|
||||
(defn-spec remove-password-command ::cd/command
|
||||
[config ::config
|
||||
new-id ::id
|
||||
old-id ::id]
|
||||
[(base-command config ["key" "remove" "--key-hint" new-id old-id])])
|
||||
(let [{:keys [new-password-file]} (:new-password-config config)]
|
||||
[(base-command config ["--new-password-file" new-password-file "key" "passwd"])]))
|
||||
|
||||
(defn-spec parse-response ::response
|
||||
[response string?]
|
||||
|
@ -107,17 +100,12 @@
|
|||
(and (<= 0 (compare current-date valid-from-date))
|
||||
(= 1 (count parsed-response))
|
||||
(> 0 (compare (:created (last parsed-response)) valid-from-date)))
|
||||
:set-new-pwd
|
||||
(and (<= 0 (compare current-date valid-from-date))
|
||||
(= 2 (count parsed-response))
|
||||
(<= 0 (compare (:created (last parsed-response)) valid-from-date))
|
||||
(not (:current (last parsed-response))))
|
||||
:remove-old-pwd
|
||||
:change-pwd
|
||||
(and (<= 0 (compare current-date valid-from-date))
|
||||
(= 1 (count parsed-response))
|
||||
(<= 0 (compare (:created (last parsed-response)) valid-from-date))
|
||||
(:current (last parsed-response)))
|
||||
:new-pwd-change-finished
|
||||
:pwd-change-finished
|
||||
:else
|
||||
:error-undefined))
|
||||
:no-pwd-change-needed))
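Review bot: If I read the old/new sides correctly (the rendered page lost its `+`/`-` markers), the `:else` fallthrough of `set-new-password-action` now returns `:no-pwd-change-needed` where it previously returned `:error-undefined`, so any repository state not matched above — for example two keys left over from a rotation that was started under the old two-step scheme, or a single key created before `valid-from` while `current-date` is still before it — is reported as "nothing to do" rather than as an undefined state. `:error-undefined` is still a member of `::set-password-action` in the spec hunk above, so keeping `:else :error-undefined` costs nothing; `:no-pwd-change-needed` should then be an explicit branch with its own condition. If the no-op really is the intended default, a comment on the `:else` line saying which states it is meant to absorb would stop the next reader from treating it as a bug. The function's header and its first branches are outside this hunk.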
|
||||
|
|
|
@ -72,7 +72,7 @@
|
|||
:created (ld/parse "2023-01-01 00:00:00" cut/timestamp-formatter)}]
|
||||
{:new-password-config {:new-password-file "new-pw-file"
|
||||
:valid-from "2024-11-29 12:00:16"}})))
|
||||
(is (= :set-new-pwd
|
||||
(is (= :change-pwd
|
||||
(cut/set-new-password-action
|
||||
(ld/parse "2024-11-29 13:16:54" cut/timestamp-formatter)
|
||||
[{:current true
|
||||
|
@ -83,23 +83,7 @@
|
|||
{:new-password-config {:new-password-file "new-pw-file"
|
||||
:valid-from "2024-11-29 12:00:16"}})))
|
||||
|
||||
(is (= :remove-old-pwd
|
||||
(cut/set-new-password-action
|
||||
(ld/parse "2024-11-29 13:16:55" cut/timestamp-formatter)
|
||||
[{:current true
|
||||
:id "a1"
|
||||
:userName "root"
|
||||
:hostName "host"
|
||||
:created (ld/parse "2023-01-01 00:00:00" cut/timestamp-formatter)}
|
||||
{:current false
|
||||
:id "a2"
|
||||
:userName "root"
|
||||
:hostName "host"
|
||||
:created (ld/parse "2024-11-29 13:16:54" cut/timestamp-formatter)}]
|
||||
{:new-password-config {:new-password-file "new-pw-file"
|
||||
:valid-from "2024-11-29 12:00:16"}})))
|
||||
|
||||
(is (= :new-pwd-change-finished
|
||||
(is (= :pwd-change-finished
|
||||
(cut/set-new-password-action
|
||||
(ld/parse "2024-11-29 13:16:55" cut/timestamp-formatter)
|
||||
[{:current true
|
||||
|
|