credential-rotation #1

Merged
jem merged 18 commits from credential-rotation into main 2024-12-27 09:25:09 +00:00
5 changed files with 48 additions and 52 deletions
Showing only changes of commit a4deb8143b - Show all commits


@ -6,9 +6,8 @@
stateDiagram-v2
noAction: no-pwd-change-needed
wait: wait-for-new-pwd
new: set-new-pwd
removeOld: remove-old-pwd
finished: new-pwd-change-finished
new: change-pwd
finished: pwd-change-finished
state configExist? <<choice>>
state valid? <<choice>>
state finished? <<choice>>
@ -20,8 +19,7 @@ stateDiagram-v2
valid? --> wait
finished? --> finished: current > valid-from?
finished? --> new
new --> removeOld
removeOld --> [*]
new --> [*]
finished --> [*]
noAction --> [*]
wait --> [*]
@ -113,7 +111,7 @@ Validation:
Steps to perform:
- Add new password
- `restic -r <repo> key add --new-password-file <file>`
- `restic -r <repo> --new-password-file <file> key passwd`
#### New password has been added


@ -0,0 +1,33 @@
#!/usr/bin/env bb
(require '[dda.backup.cred-rot :as cr])
(def restic-repo {:password-file "/restic-pwd"
:restic-repository "/restic-repo"})
(def file-config (merge restic-repo {:backup-path "files"
:files ["/test-backup"]
:restore-target-directory "/test-restore"}))
(def cred-config (merge file-config
{:restic-repository "/restic-repo/files"
:new-password-config {:new-password-file "/new-pw"
:valid-from "2024-12-12 00:00:00"}}))
(def dry-run {:dry-run true :debug true})
(defn prepare!
[]
(spit "/restic-pwd" "ThePassword")
(spit "/new-pw" "newPassword"))
(defn change-password!
[]
(println "change-password!")
(cr/change-password! cred-config))
(prepare!)
(change-password!)
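Review bot: `prepare!` writes both the current and the new restic password to `/restic-pwd` and `/new-pw` with `spit`, which creates those files with the process's default mode, so the secrets are readable by any local user for as long as the files exist. If this script is only run inside a throwaway test container, state that in a header comment next to the shebang; otherwise restrict the mode after writing (e.g. via `java.nio.file.Files/setPosixFilePermissions`) or remove the files at the end of the run. The `dry-run` map is defined but never passed to `cr/change-password!`, so every run performs the real key change; either drop it or merge it into `cred-config`, assuming `change-password!` honours `:dry-run`.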


@ -23,8 +23,7 @@
(defn-spec change-password-step! ::domain/set-password-action
[config ::cred-rot]
(when-some [new-password-config (:new-password-config config)]
(let [{:keys [new-password-file replace-until]} new-password-config
initial-passwords-list (domain/parse-response (list-passwords! config))
(let [initial-passwords-list (domain/parse-response (list-passwords! config))
action (domain/set-new-password-action
(ld/now)
initial-passwords-list
@ -32,14 +31,8 @@
(cond
(= action :wait-for-new-pwd)
(println "nothing to do.")
(= action :set-new-pwd)
(i/execute! (domain/add-password-command config) config)
(= action :remove-old-pwd)
(i/execute! (domain/remove-password-command
config
(:id (first initial-passwords-list))
(:id (last initial-passwords-list)))
config)
(= action :change-pwd)
(i/execute! (domain/change-password-command config) config)
(= action :new-pwd-change-finished)
(println "pw-change sucessfull")
(= action :no-pwd-change-needed)
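Review bot: The `cond` in `change-password-step!` still tests `(= action :new-pwd-change-finished)` although the same commit drops that keyword from `::set-password-action` and makes `set-new-password-action` return `:pwd-change-finished` instead; assuming that line is context, as the hunk counts suggest, the "finished" branch is now dead and a `:pwd-change-finished` result falls through to whatever the `cond` does after `:no-pwd-change-needed`, which lies outside the hunk. Change it to `(= action :pwd-change-finished)`. The log line beneath it also misspells the message as `pw-change sucessfull`. `change-password-step!` begins in the previous hunk and continues past the end of this one.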


@ -41,8 +41,7 @@
(s/def ::response (s/coll-of ::entry))
(s/def ::set-password-action #{:error-parse-password :error-undefined
:wait-for-new-pwd :set-new-pwd :remove-old-pwd
:new-pwd-change-finished :no-pwd-change-needed})
:wait-for-new-pwd :change-pwd :pwd-change-finished :no-pwd-change-needed})
(s/def ::valid-from timestamp-string?)
(s/def ::new-password-file string?)
@ -74,16 +73,10 @@
[config ::config]
(base-command config ["key" "list" "--json"]))
(defn-spec add-password-command ::cd/command
(defn-spec change-password-command ::cd/command
[config ::config]
(let [{:keys [new-password-file]} config]
[(base-command config ["key" "add" "--new-password-file" new-password-file])]))
(defn-spec remove-password-command ::cd/command
[config ::config
new-id ::id
old-id ::id]
[(base-command config ["key" "remove" "--key-hint" new-id old-id])])
(let [{:keys [new-password-file]} (:new-password-config config)]
[(base-command config ["--new-password-file" new-password-file "key" "passwd"])]))
(defn-spec parse-response ::response
[response string?]
@ -107,17 +100,12 @@
(and (<= 0 (compare current-date valid-from-date))
(= 1 (count parsed-response))
(> 0 (compare (:created (last parsed-response)) valid-from-date)))
:set-new-pwd
(and (<= 0 (compare current-date valid-from-date))
(= 2 (count parsed-response))
(<= 0 (compare (:created (last parsed-response)) valid-from-date))
(not (:current (last parsed-response))))
:remove-old-pwd
:change-pwd
(and (<= 0 (compare current-date valid-from-date))
(= 1 (count parsed-response))
(<= 0 (compare (:created (last parsed-response)) valid-from-date))
(:current (last parsed-response)))
:new-pwd-change-finished
:pwd-change-finished
:else
:error-undefined))
:no-pwd-change-needed))
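Review bot: Swapping `:else :error-undefined` for `:else :no-pwd-change-needed` at the tail of `set-new-password-action` turns every key listing the function did not anticipate — an empty or three-entry listing, or a key created before `valid-from` — into "nothing to do", so the caller prints a no-op message instead of surfacing the inconsistent repository state. The `::set-password-action` spec in this same file still declares `:error-undefined`, but at least within this hunk no branch returns it any more. Keep an explicit condition for the genuine no-op cases and restore `:else :error-undefined` as the fallback. The function's head and its earlier branches are outside the hunk.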


@ -72,7 +72,7 @@
:created (ld/parse "2023-01-01 00:00:00" cut/timestamp-formatter)}]
{:new-password-config {:new-password-file "new-pw-file"
:valid-from "2024-11-29 12:00:16"}})))
(is (= :set-new-pwd
(is (= :change-pwd
(cut/set-new-password-action
(ld/parse "2024-11-29 13:16:54" cut/timestamp-formatter)
[{:current true
@ -83,23 +83,7 @@
{:new-password-config {:new-password-file "new-pw-file"
:valid-from "2024-11-29 12:00:16"}})))
(is (= :remove-old-pwd
(cut/set-new-password-action
(ld/parse "2024-11-29 13:16:55" cut/timestamp-formatter)
[{:current true
:id "a1"
:userName "root"
:hostName "host"
:created (ld/parse "2023-01-01 00:00:00" cut/timestamp-formatter)}
{:current false
:id "a2"
:userName "root"
:hostName "host"
:created (ld/parse "2024-11-29 13:16:54" cut/timestamp-formatter)}]
{:new-password-config {:new-password-file "new-pw-file"
:valid-from "2024-11-29 12:00:16"}})))
(is (= :new-pwd-change-finished
(is (= :pwd-change-finished
(cut/set-new-password-action
(ld/parse "2024-11-29 13:16:55" cut/timestamp-formatter)
[{:current true