credential-rotation #1

Merged
jem merged 18 commits from credential-rotation into main 2024-12-27 09:25:09 +00:00
5 changed files with 48 additions and 52 deletions


@ -6,9 +6,8 @@
stateDiagram-v2 stateDiagram-v2
noAction: no-pwd-change-needed noAction: no-pwd-change-needed
wait: wait-for-new-pwd wait: wait-for-new-pwd
new: set-new-pwd new: change-pwd
removeOld: remove-old-pwd finished: pwd-change-finished
finished: new-pwd-change-finished
state configExist? <<choice>> state configExist? <<choice>>
state valid? <<choice>> state valid? <<choice>>
state finished? <<choice>> state finished? <<choice>>
@ -20,8 +19,7 @@ stateDiagram-v2
valid? --> wait valid? --> wait
finished? --> finished: current > valid-from? finished? --> finished: current > valid-from?
finished? --> new finished? --> new
new --> removeOld new --> [*]
removeOld --> [*]
finished --> [*] finished --> [*]
noAction --> [*] noAction --> [*]
wait --> [*] wait --> [*]
@ -113,7 +111,7 @@ Validation:
Steps to perform: Steps to perform:
- Add new password - Add new password
- `restic -r <repo> key add --new-password-file <file>` - `restic -r <repo> --new-password-file <file> key passwd`
#### New password has been added #### New password has been added


@ -0,0 +1,33 @@
#!/usr/bin/env bb
(require '[dda.backup.cred-rot :as cr])
(def restic-repo {:password-file "/restic-pwd"
:restic-repository "/restic-repo"})
(def file-config (merge restic-repo {:backup-path "files"
:files ["/test-backup"]
:restore-target-directory "/test-restore"}))
(def cred-config (merge file-config
{:restic-repository "/restic-repo/files"
:new-password-config {:new-password-file "/new-pw"
:valid-from "2024-12-12 00:00:00"}}))
(def dry-run {:dry-run true :debug true})
(defn prepare!
[]
(spit "/restic-pwd" "ThePassword")
(spit "/new-pw" "newPassword"))
(defn change-password!
[]
(println "change-password!")
(cr/change-password! cred-config))
(prepare!)
(change-password!)
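Review bot: The `dry-run` map is defined but never reaches `cr/change-password!`, so every run of this script performs the real `key passwd` against `/restic-repo/files`; either pass it through, `(cr/change-password! (merge cred-config dry-run))`, or drop the def so the leftover does not suggest a safety net that is not there. `prepare!` writes both password files with `spit`, which creates them with the process umask, so if this fixture ever runs outside a throwaway container the files should be created with a restrictive mode. A one-line header would also help readers, e.g. `;; Integration fixture: writes throwaway password files, then runs a single credential-rotation step.`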


@ -23,8 +23,7 @@
(defn-spec change-password-step! ::domain/set-password-action (defn-spec change-password-step! ::domain/set-password-action
[config ::cred-rot] [config ::cred-rot]
(when-some [new-password-config (:new-password-config config)] (when-some [new-password-config (:new-password-config config)]
(let [{:keys [new-password-file replace-until]} new-password-config (let [initial-passwords-list (domain/parse-response (list-passwords! config))
initial-passwords-list (domain/parse-response (list-passwords! config))
action (domain/set-new-password-action action (domain/set-new-password-action
(ld/now) (ld/now)
initial-passwords-list initial-passwords-list
@ -32,14 +31,8 @@
(cond (cond
(= action :wait-for-new-pwd) (= action :wait-for-new-pwd)
(println "nothing to do.") (println "nothing to do.")
(= action :set-new-pwd) (= action :change-pwd)
(i/execute! (domain/add-password-command config) config) (i/execute! (domain/change-password-command config) config)
(= action :remove-old-pwd)
(i/execute! (domain/remove-password-command
config
(:id (first initial-passwords-list))
(:id (last initial-passwords-list)))
config)
(= action :new-pwd-change-finished) (= action :new-pwd-change-finished)
(println "pw-change sucessfull") (println "pw-change sucessfull")
(= action :no-pwd-change-needed) (= action :no-pwd-change-needed)
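Review bot: The `(= action :new-pwd-change-finished)` branch of this `cond` is now dead code: the spec and `set-new-password-action` in the domain file were changed to emit `:pwd-change-finished`, so a finished rotation falls through to the branches that follow this hunk (the `cond` and the function continue outside it). Change the test to `(= action :pwd-change-finished)` so the success path is actually taken; the same keyword rename applies to the domain spec hunk, where the old name was removed. If an `:else` branch exists further down it should also log the unexpected action value rather than stay silent, but that part is not visible here.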


@ -41,8 +41,7 @@
(s/def ::response (s/coll-of ::entry)) (s/def ::response (s/coll-of ::entry))
(s/def ::set-password-action #{:error-parse-password :error-undefined (s/def ::set-password-action #{:error-parse-password :error-undefined
:wait-for-new-pwd :set-new-pwd :remove-old-pwd :wait-for-new-pwd :change-pwd :pwd-change-finished :no-pwd-change-needed})
:new-pwd-change-finished :no-pwd-change-needed})
(s/def ::valid-from timestamp-string?) (s/def ::valid-from timestamp-string?)
(s/def ::new-password-file string?) (s/def ::new-password-file string?)
@ -74,16 +73,10 @@
[config ::config] [config ::config]
(base-command config ["key" "list" "--json"])) (base-command config ["key" "list" "--json"]))
(defn-spec add-password-command ::cd/command (defn-spec change-password-command ::cd/command
[config ::config] [config ::config]
(let [{:keys [new-password-file]} config] (let [{:keys [new-password-file]} (:new-password-config config)]
[(base-command config ["key" "add" "--new-password-file" new-password-file])])) [(base-command config ["--new-password-file" new-password-file "key" "passwd"])]))
(defn-spec remove-password-command ::cd/command
[config ::config
new-id ::id
old-id ::id]
[(base-command config ["key" "remove" "--key-hint" new-id old-id])])
(defn-spec parse-response ::response (defn-spec parse-response ::response
[response string?] [response string?]
@ -107,17 +100,12 @@
(and (<= 0 (compare current-date valid-from-date)) (and (<= 0 (compare current-date valid-from-date))
(= 1 (count parsed-response)) (= 1 (count parsed-response))
(> 0 (compare (:created (last parsed-response)) valid-from-date))) (> 0 (compare (:created (last parsed-response)) valid-from-date)))
:set-new-pwd :change-pwd
(and (<= 0 (compare current-date valid-from-date))
(= 2 (count parsed-response))
(<= 0 (compare (:created (last parsed-response)) valid-from-date))
(not (:current (last parsed-response))))
:remove-old-pwd
(and (<= 0 (compare current-date valid-from-date)) (and (<= 0 (compare current-date valid-from-date))
(= 1 (count parsed-response)) (= 1 (count parsed-response))
(<= 0 (compare (:created (last parsed-response)) valid-from-date)) (<= 0 (compare (:created (last parsed-response)) valid-from-date))
(:current (last parsed-response))) (:current (last parsed-response)))
:new-pwd-change-finished :pwd-change-finished
:else :else
:error-undefined)) :error-undefined))
:no-pwd-change-needed)) :no-pwd-change-needed))
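Review bot: `change-password-command` now replaces the repository key in place with `key passwd`, but nothing in this hunk or in `change-password-step!` updates the file referenced by `:password-file`; unless the caller does that elsewhere, the next `list-passwords!` still tries the old password and the `:pwd-change-finished` branch can never be observed — please confirm where that happens and document it, e.g. `;; Replaces the current repository key in place; :password-file must point at the new password afterwards.` Dropping `remove-password-command` also removes the window in which both keys existed, so an interruption between `key passwd` and the password-file update leaves the repository openable only with the contents of `new-password-file` — worth stating in the docs hunk. Note as well that `set-new-password-action` now returns `:error-undefined` for a repository holding two keys, which is the intermediate state a repository rotated with the previous version may still be in.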


@ -72,7 +72,7 @@
:created (ld/parse "2023-01-01 00:00:00" cut/timestamp-formatter)}] :created (ld/parse "2023-01-01 00:00:00" cut/timestamp-formatter)}]
{:new-password-config {:new-password-file "new-pw-file" {:new-password-config {:new-password-file "new-pw-file"
:valid-from "2024-11-29 12:00:16"}}))) :valid-from "2024-11-29 12:00:16"}})))
(is (= :set-new-pwd (is (= :change-pwd
(cut/set-new-password-action (cut/set-new-password-action
(ld/parse "2024-11-29 13:16:54" cut/timestamp-formatter) (ld/parse "2024-11-29 13:16:54" cut/timestamp-formatter)
[{:current true [{:current true
@ -83,23 +83,7 @@
{:new-password-config {:new-password-file "new-pw-file" {:new-password-config {:new-password-file "new-pw-file"
:valid-from "2024-11-29 12:00:16"}}))) :valid-from "2024-11-29 12:00:16"}})))
(is (= :remove-old-pwd (is (= :pwd-change-finished
(cut/set-new-password-action
(ld/parse "2024-11-29 13:16:55" cut/timestamp-formatter)
[{:current true
:id "a1"
:userName "root"
:hostName "host"
:created (ld/parse "2023-01-01 00:00:00" cut/timestamp-formatter)}
{:current false
:id "a2"
:userName "root"
:hostName "host"
:created (ld/parse "2024-11-29 13:16:54" cut/timestamp-formatter)}]
{:new-password-config {:new-password-file "new-pw-file"
:valid-from "2024-11-29 12:00:16"}})))
(is (= :new-pwd-change-finished
(cut/set-new-password-action (cut/set-new-password-action
(ld/parse "2024-11-29 13:16:55" cut/timestamp-formatter) (ld/parse "2024-11-29 13:16:55" cut/timestamp-formatter)
[{:current true [{:current true