credential-rotation #1
5 changed files with 48 additions and 52 deletions
|
@ -6,9 +6,8 @@
|
||||||
stateDiagram-v2
|
stateDiagram-v2
|
||||||
noAction: no-pwd-change-needed
|
noAction: no-pwd-change-needed
|
||||||
wait: wait-for-new-pwd
|
wait: wait-for-new-pwd
|
||||||
new: set-new-pwd
|
new: change-pwd
|
||||||
removeOld: remove-old-pwd
|
finished: pwd-change-finished
|
||||||
finished: new-pwd-change-finished
|
|
||||||
state configExist? <<choice>>
|
state configExist? <<choice>>
|
||||||
state valid? <<choice>>
|
state valid? <<choice>>
|
||||||
state finished? <<choice>>
|
state finished? <<choice>>
|
||||||
|
@ -20,8 +19,7 @@ stateDiagram-v2
|
||||||
valid? --> wait
|
valid? --> wait
|
||||||
finished? --> finished: current > valid-from?
|
finished? --> finished: current > valid-from?
|
||||||
finished? --> new
|
finished? --> new
|
||||||
new --> removeOld
|
new --> [*]
|
||||||
removeOld --> [*]
|
|
||||||
finished --> [*]
|
finished --> [*]
|
||||||
noAction --> [*]
|
noAction --> [*]
|
||||||
wait --> [*]
|
wait --> [*]
|
||||||
|
@ -113,7 +111,7 @@ Validation:
|
||||||
Steps to perform:
|
Steps to perform:
|
||||||
|
|
||||||
- Add new password
|
- Add new password
|
||||||
- `restic -r <repo> key add --new-password-file <file>`
|
- `restic -r <repo> --new-password-file <file> key passwd`
|
||||||
|
|
||||||
#### New password has been added
|
#### New password has been added
|
||||||
|
|
||||||
|
|
33
infrastructure/backup/image/resources2/change-password.bb
Executable file
33
infrastructure/backup/image/resources2/change-password.bb
Executable file
|
@ -0,0 +1,33 @@
|
||||||
|
#!/usr/bin/env bb
|
||||||
|
|
||||||
|
(require '[dda.backup.cred-rot :as cr])
|
||||||
|
|
||||||
|
(def restic-repo {:password-file "/restic-pwd"
|
||||||
|
:restic-repository "/restic-repo"})
|
||||||
|
|
||||||
|
(def file-config (merge restic-repo {:backup-path "files"
|
||||||
|
:files ["/test-backup"]
|
||||||
|
:restore-target-directory "/test-restore"}))
|
||||||
|
|
||||||
|
(def cred-config (merge file-config
|
||||||
|
{:restic-repository "/restic-repo/files"
|
||||||
|
:new-password-config {:new-password-file "/new-pw"
|
||||||
|
:valid-from "2024-12-12 00:00:00"}}))
|
||||||
|
|
||||||
|
|
||||||
|
(def dry-run {:dry-run true :debug true})
|
||||||
|
|
||||||
|
(defn prepare!
|
||||||
|
[]
|
||||||
|
(spit "/restic-pwd" "ThePassword")
|
||||||
|
(spit "/new-pw" "newPassword"))
|
||||||
|
|
||||||
|
|
||||||
|
(defn change-password!
|
||||||
|
[]
|
||||||
|
(println "change-password!")
|
||||||
|
(cr/change-password! cred-config))
|
||||||
|
|
||||||
|
|
||||||
|
(prepare!)
|
||||||
|
(change-password!)
|
|
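Review bot: `dry-run` is defined on `(def dry-run {:dry-run true :debug true})` but never merged into `cred-config`, so `(cr/change-password! cred-config)` runs the real `restic key passwd` against `/restic-repo/files` every time this script is executed; if the intent is a smoke test, call `(cr/change-password! (merge cred-config dry-run))` or drop the unused def. `prepare!` also rewrites `/restic-pwd` with the literal `"ThePassword"` on each run, so once the repository password has actually been changed to `"newPassword"` a second run would presumably fail to open the repository — worth a comment stating this is a one-shot fixture, or switching the files after a successful change. `spit` creates both password files with the process's default mode; if this image ever runs outside a throwaway container, restrict them (e.g. set a `0600` mode after writing) and keep the literal secrets out of a committed script.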
@ -23,8 +23,7 @@
|
||||||
(defn-spec change-password-step! ::domain/set-password-action
|
(defn-spec change-password-step! ::domain/set-password-action
|
||||||
[config ::cred-rot]
|
[config ::cred-rot]
|
||||||
(when-some [new-password-config (:new-password-config config)]
|
(when-some [new-password-config (:new-password-config config)]
|
||||||
(let [{:keys [new-password-file replace-until]} new-password-config
|
(let [initial-passwords-list (domain/parse-response (list-passwords! config))
|
||||||
initial-passwords-list (domain/parse-response (list-passwords! config))
|
|
||||||
action (domain/set-new-password-action
|
action (domain/set-new-password-action
|
||||||
(ld/now)
|
(ld/now)
|
||||||
initial-passwords-list
|
initial-passwords-list
|
||||||
|
@ -32,14 +31,8 @@
|
||||||
(cond
|
(cond
|
||||||
(= action :wait-for-new-pwd)
|
(= action :wait-for-new-pwd)
|
||||||
(println "nothing to do.")
|
(println "nothing to do.")
|
||||||
(= action :set-new-pwd)
|
(= action :change-pwd)
|
||||||
(i/execute! (domain/add-password-command config) config)
|
(i/execute! (domain/change-password-command config) config)
|
||||||
(= action :remove-old-pwd)
|
|
||||||
(i/execute! (domain/remove-password-command
|
|
||||||
config
|
|
||||||
(:id (first initial-passwords-list))
|
|
||||||
(:id (last initial-passwords-list)))
|
|
||||||
config)
|
|
||||||
(= action :new-pwd-change-finished)
|
(= action :new-pwd-change-finished)
|
||||||
(println "pw-change sucessfull")
|
(println "pw-change sucessfull")
|
||||||
(= action :no-pwd-change-needed)
|
(= action :no-pwd-change-needed)
|
||||||
|
|
|
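Review bot: The success branch `(= action :new-pwd-change-finished)` in the second hunk is now dead: this commit renames the action to `:pwd-change-finished` in the `::set-password-action` spec and in `set-new-password-action`, so a finished rotation no longer matches here and falls through past `:no-pwd-change-needed` to whatever follows outside the hunk. Change the test to `(= action :pwd-change-finished)`; while there, the message `"pw-change sucessfull"` has a typo (`successful`). The body of `change-password-step!` continues beyond the hunk, so I cannot see how the fall-through case is handled.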
@ -41,8 +41,7 @@
|
||||||
(s/def ::response (s/coll-of ::entry))
|
(s/def ::response (s/coll-of ::entry))
|
||||||
|
|
||||||
(s/def ::set-password-action #{:error-parse-password :error-undefined
|
(s/def ::set-password-action #{:error-parse-password :error-undefined
|
||||||
:wait-for-new-pwd :set-new-pwd :remove-old-pwd
|
:wait-for-new-pwd :change-pwd :pwd-change-finished :no-pwd-change-needed})
|
||||||
:new-pwd-change-finished :no-pwd-change-needed})
|
|
||||||
|
|
||||||
(s/def ::valid-from timestamp-string?)
|
(s/def ::valid-from timestamp-string?)
|
||||||
(s/def ::new-password-file string?)
|
(s/def ::new-password-file string?)
|
||||||
|
@ -74,16 +73,10 @@
|
||||||
[config ::config]
|
[config ::config]
|
||||||
(base-command config ["key" "list" "--json"]))
|
(base-command config ["key" "list" "--json"]))
|
||||||
|
|
||||||
(defn-spec add-password-command ::cd/command
|
(defn-spec change-password-command ::cd/command
|
||||||
[config ::config]
|
[config ::config]
|
||||||
(let [{:keys [new-password-file]} config]
|
(let [{:keys [new-password-file]} (:new-password-config config)]
|
||||||
[(base-command config ["key" "add" "--new-password-file" new-password-file])]))
|
[(base-command config ["--new-password-file" new-password-file "key" "passwd"])]))
|
||||||
|
|
||||||
(defn-spec remove-password-command ::cd/command
|
|
||||||
[config ::config
|
|
||||||
new-id ::id
|
|
||||||
old-id ::id]
|
|
||||||
[(base-command config ["key" "remove" "--key-hint" new-id old-id])])
|
|
||||||
|
|
||||||
(defn-spec parse-response ::response
|
(defn-spec parse-response ::response
|
||||||
[response string?]
|
[response string?]
|
||||||
|
@ -107,17 +100,12 @@
|
||||||
(and (<= 0 (compare current-date valid-from-date))
|
(and (<= 0 (compare current-date valid-from-date))
|
||||||
(= 1 (count parsed-response))
|
(= 1 (count parsed-response))
|
||||||
(> 0 (compare (:created (last parsed-response)) valid-from-date)))
|
(> 0 (compare (:created (last parsed-response)) valid-from-date)))
|
||||||
:set-new-pwd
|
:change-pwd
|
||||||
(and (<= 0 (compare current-date valid-from-date))
|
|
||||||
(= 2 (count parsed-response))
|
|
||||||
(<= 0 (compare (:created (last parsed-response)) valid-from-date))
|
|
||||||
(not (:current (last parsed-response))))
|
|
||||||
:remove-old-pwd
|
|
||||||
(and (<= 0 (compare current-date valid-from-date))
|
(and (<= 0 (compare current-date valid-from-date))
|
||||||
(= 1 (count parsed-response))
|
(= 1 (count parsed-response))
|
||||||
(<= 0 (compare (:created (last parsed-response)) valid-from-date))
|
(<= 0 (compare (:created (last parsed-response)) valid-from-date))
|
||||||
(:current (last parsed-response)))
|
(:current (last parsed-response)))
|
||||||
:new-pwd-change-finished
|
:pwd-change-finished
|
||||||
:else
|
:else
|
||||||
:error-undefined))
|
:error-undefined))
|
||||||
:no-pwd-change-needed))
|
:no-pwd-change-needed))
|
||||||
|
|
|
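Review bot: In `set-new-password-action` (hunk @ -107) both the `:change-pwd` and the `:pwd-change-finished` branches require `(= 1 (count parsed-response))`, so a repository that holds more than one key — a second host or user key — never rotates and lands in `:error-undefined`, whereas the removed two-key branch used to cover a multi-key state. If single-key repositories are an invariant of this tool, state it in a comment above the `cond`; otherwise pick the entry with `:current` true instead of `(last parsed-response)` and drop the count check. Separately, `change-password-command` runs `key passwd`, which presumably replaces the key the `:password-file` currently unlocks, so the next `list-passwords!` with the unchanged `:password-file` would fail before `:pwd-change-finished` can be observed — confirm where `:password-file` is switched to the new password, and document it next to `change-password-command`. `change-password-command` also places `nil` in the argv when `:new-password-config` is absent; the caller guards this with `when-some`, but a `(when new-password-file ...)` or spec on the config would make the command safe on its own.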
@ -72,7 +72,7 @@
|
||||||
:created (ld/parse "2023-01-01 00:00:00" cut/timestamp-formatter)}]
|
:created (ld/parse "2023-01-01 00:00:00" cut/timestamp-formatter)}]
|
||||||
{:new-password-config {:new-password-file "new-pw-file"
|
{:new-password-config {:new-password-file "new-pw-file"
|
||||||
:valid-from "2024-11-29 12:00:16"}})))
|
:valid-from "2024-11-29 12:00:16"}})))
|
||||||
(is (= :set-new-pwd
|
(is (= :change-pwd
|
||||||
(cut/set-new-password-action
|
(cut/set-new-password-action
|
||||||
(ld/parse "2024-11-29 13:16:54" cut/timestamp-formatter)
|
(ld/parse "2024-11-29 13:16:54" cut/timestamp-formatter)
|
||||||
[{:current true
|
[{:current true
|
||||||
|
@ -83,23 +83,7 @@
|
||||||
{:new-password-config {:new-password-file "new-pw-file"
|
{:new-password-config {:new-password-file "new-pw-file"
|
||||||
:valid-from "2024-11-29 12:00:16"}})))
|
:valid-from "2024-11-29 12:00:16"}})))
|
||||||
|
|
||||||
(is (= :remove-old-pwd
|
(is (= :pwd-change-finished
|
||||||
(cut/set-new-password-action
|
|
||||||
(ld/parse "2024-11-29 13:16:55" cut/timestamp-formatter)
|
|
||||||
[{:current true
|
|
||||||
:id "a1"
|
|
||||||
:userName "root"
|
|
||||||
:hostName "host"
|
|
||||||
:created (ld/parse "2023-01-01 00:00:00" cut/timestamp-formatter)}
|
|
||||||
{:current false
|
|
||||||
:id "a2"
|
|
||||||
:userName "root"
|
|
||||||
:hostName "host"
|
|
||||||
:created (ld/parse "2024-11-29 13:16:54" cut/timestamp-formatter)}]
|
|
||||||
{:new-password-config {:new-password-file "new-pw-file"
|
|
||||||
:valid-from "2024-11-29 12:00:16"}})))
|
|
||||||
|
|
||||||
(is (= :new-pwd-change-finished
|
|
||||||
(cut/set-new-password-action
|
(cut/set-new-password-action
|
||||||
(ld/parse "2024-11-29 13:16:55" cut/timestamp-formatter)
|
(ld/parse "2024-11-29 13:16:55" cut/timestamp-formatter)
|
||||||
[{:current true
|
[{:current true
|
||||||
|
|
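Review bot: The deleted `:remove-old-pwd` assertion was the only case feeding a two-entry key listing to `cut/set-new-password-action`; with the new action table that input now yields `:error-undefined`, and no remaining test pins that behaviour. Add an assertion such as `(is (= :error-undefined (cut/set-new-password-action <date> [<two entries>] <config>)))` so the multi-key fall-through is explicit rather than accidental. The enclosing `deftest` starts before this hunk, so I cannot see whether another case already covers it.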