credential-rotation #1

Merged
jem merged 18 commits from credential-rotation into main 2024-12-27 09:25:09 +00:00
14 changed files with 216 additions and 405 deletions
Showing only changes of commit b415956a35 - Show all commits

View file

@ -5,6 +5,7 @@ ADD resources /tmp/
RUN /tmp/install.sh RUN /tmp/install.sh
ADD local/ /usr/local/lib/dda-backup ADD local/ /usr/local/lib/dda-backup
RUN init-bb.bb RUN init-bb.bb
#ADD resources2 /tmp/ # ADD resources2 /tmp/
#RUN install -m 0700 -o root -g root /tmp/test.bb /usr/local/bin/ # RUN install -m 0700 -o root -g root /tmp/test.bb /usr/local/bin/
#RUN test.bb # RUN install -m 0700 -o root -g root /tmp/check.bb /usr/local/bin/
# RUN test.bb

View file

@ -3,7 +3,8 @@
(require '[dda.backup.cred-rot :as cr]) (require '[dda.backup.cred-rot :as cr])
(def restic-repo {:password-file "/restic-pwd" (def restic-repo {:password-file "/restic-pwd"
:restic-repository "/restic-repo"}) :restic-repository "/restic-repo"
:debug true})
(def file-config (merge restic-repo {:backup-path "files" (def file-config (merge restic-repo {:backup-path "files"
:files ["/test-backup"] :files ["/test-backup"]
@ -12,7 +13,7 @@
(def cred-config (merge file-config (def cred-config (merge file-config
{:restic-repository "/restic-repo/files" {:restic-repository "/restic-repo/files"
:new-password-config {:new-password-file "/new-pw" :new-password-config {:new-password-file "/new-pw"
:valid-from "2024-12-12 00:00:00"}})) :valid-from "2024-12-17 00:00:00"}}))
(def dry-run {:dry-run true :debug true}) (def dry-run {:dry-run true :debug true})

View file

@ -0,0 +1,23 @@
#!/usr/bin/env bb
(require '[dda.backup.restic :as rc])
(def restic-repo {:password-file "/restic-pwd"
:restic-repository "/restic-repo"
:debug true})
(def file-config (merge restic-repo {:backup-path "files"
:files ["/test-backup"]
:restore-target-directory "/test-restore"}))
(def cred-config (merge file-config {:new-password-file "new-pw"}))
(def dry-run {:dry-run true :debug true})
(defn restic-repo-check
[]
(println "restic-repo-check")
(println (rc/check file-config)))
(restic-repo-check)

View file

@ -1,82 +1,57 @@
#!/usr/bin/env bb #!/usr/bin/env bb
(require '[babashka.tasks :as tasks] (require '[babashka.tasks :as tasks]
'[dda.backup.core :as bc]
'[dda.backup.cred-rot :as cr]
'[dda.backup.restic :as rc] '[dda.backup.restic :as rc]
'[dda.backup.postgresql :as pg]
'[dda.backup.backup :as bak] '[dda.backup.backup :as bak]
'[dda.backup.restore :as rs]) '[dda.backup.restore :as rs])
(def restic-repo {:password-file "restic-pwd" (def restic-repo {:password-file "/restic-pwd"
:restic-repository "/restic-repo"}) :new-password-file "/new-restic-pwd"
:restic-repository "/restic-repo"
:debug true})
(def file-config (merge restic-repo {:backup-path "files" (def file-config (merge restic-repo {:backup-path "files"
:files ["/test-backup"] :files ["/test-backup"]
:restore-target-directory "/test-restore"})) :restore-target-directory "/test-restore"}))
(def db-config (merge restic-repo {:backup-path "db"
:pg-db "mydb"
:pg-user "user"
:pg-password "password"}))
(def cred-config (merge file-config
{:restic-repository "/restic-repo/files"
:new-password-config {:new-password-file "new-pw"
:valid-from "2024-12-12 00:00:00"}}))
(def dry-run {:dry-run true :debug true}) (def dry-run {:dry-run true :debug true})
(defn prepare! (defn prepare!
[] []
(spit "/tmp/file_password" "file-password") (spit "/tmp/file_password" "file-password")
(spit "/restic-pwd" "ThePassword") (spit "/restic-pwd" "oldPassword")
(spit "/new-pw" "newPassword") (spit "/new-restic-pwd" "newPassword")
(tasks/shell "mkdir" "-p" "/test-backup") (tasks/shell "mkdir" "-p" "/test-backup")
(spit "/test-backup/file" "I was here") (spit "/test-backup/file" "I was here")
(tasks/shell "mkdir" "-p" "/test-restore") (tasks/shell "mkdir" "-p" "/test-restore"))
(pg/create-pg-pass! db-config))
(defn check-env-or-file
[]
(println "check-env-or-file")
(println (bc/env-or-file "FILE_PASSWORD"))
(println (bc/env-or-file "ENV_PASSWORD")))
(defn restic-repo-init! (defn restic-repo-init!
[] []
(println "restic-repo-init!") (println "restic-repo-init!")
(rc/init! file-config) (rc/init! file-config))
(rc/init! (merge db-config dry-run)))
(defn restic-backup! (defn restic-backup!
[] []
(println "restic-backup!") (println "restic-backup!")
(bak/backup-file! file-config) (bak/backup-file! file-config))
(bak/backup-db! (merge db-config dry-run)))
(defn list-snapshots! (defn list-snapshots!
[] []
(println "list-snapshots!") (println "list-snapshots!")
(rc/list-snapshots! file-config) (rc/list-snapshots! file-config))
(rc/list-snapshots! (merge db-config dry-run)))
(defn restic-restore! (defn restic-restore!
[] []
(println "restic-restore!") (println "restic-restore!")
(rs/restore-file! file-config) (rs/restore-file! file-config))
(pg/drop-create-db! (merge db-config dry-run))
(rs/restore-db! (merge db-config dry-run)))
(defn change-password! (defn change-password!
[] []
(println "change-password!") (println "change-password!")
(cr/change-password! cred-config)) (rc/change-password! file-config))
(prepare!) (prepare!)

View file

@ -2,39 +2,33 @@
(require '[babashka.tasks :as tasks] (require '[babashka.tasks :as tasks]
'[dda.backup.core :as bc] '[dda.backup.core :as bc]
'[dda.backup.cred-rot :as cr]
'[dda.backup.restic :as rc] '[dda.backup.restic :as rc]
'[dda.backup.postgresql :as pg] '[dda.backup.postgresql :as pg]
'[dda.backup.backup :as bak] '[dda.backup.backup :as bak]
'[dda.backup.restore :as rs]) '[dda.backup.restore :as rs])
(def restic-repo {:password-file "restic-pwd" (def restic-repo {:password-file "/restic-pwd"
:restic-repository "/restic-repo"}) :new-password-file "/new-restic-pwd"
:restic-repository "/restic-repo"
:debug true})
(def file-config (merge restic-repo {:backup-path "files" (def file-config (merge restic-repo {:backup-path "files"
:files ["/test-backup"] :files ["/test-backup"]
:restore-target-directory "/test-restore"})) :restore-target-directory "/test-restore"}))
(def db-config (merge restic-repo {:backup-path "db" (def db-config (merge restic-repo {:backup-path "db"
:pg-db "mydb" :pg-db "mydb"
:pg-user "user" :pg-user "user"
:pg-password "password"})) :pg-password "password"}))
(def cred-config (merge file-config
{:restic-repository "/restic-repo/files"
:new-password-config {:new-password-file "new-pw"
:valid-from "2024-12-12 00:00:00"}}))
(def dry-run {:dry-run true :debug true}) (def dry-run {:dry-run true :debug true})
(defn prepare! (defn prepare!
[] []
(spit "/tmp/file_password" "file-password") (spit "/tmp/file_password" "file-password")
(spit "/restic-pwd" "ThePassword") (spit "/restic-pwd" "oldPassword")
(spit "/new-pw" "newPassword") (spit "/new-restic-pwd" "newPassword")
(tasks/shell "mkdir" "-p" "/test-backup") (tasks/shell "mkdir" "-p" "/test-backup")
(spit "/test-backup/file" "I was here") (spit "/test-backup/file" "I was here")
@ -43,41 +37,40 @@
(defn check-env-or-file (defn check-env-or-file
[] []
(println "check-env-or-file") (println "\ncheck-env-or-file")
(println (bc/env-or-file "FILE_PASSWORD")) (println (bc/env-or-file "FILE_PASSWORD"))
(println (bc/env-or-file "ENV_PASSWORD"))) (println (bc/env-or-file "ENV_PASSWORD")))
(defn restic-repo-init! (defn restic-repo-init!
[] []
(println "restic-repo-init!") (println "\nrestic-repo-init!")
(rc/init! file-config) (rc/init! file-config)
(rc/init! (merge db-config dry-run))) (rc/init! (merge db-config dry-run)))
(defn restic-backup! (defn restic-backup!
[] []
(println "restic-backup!") (println "\nrestic-backup!")
(bak/backup-file! file-config) (bak/backup-file! file-config)
(bak/backup-db! (merge db-config dry-run))) (bak/backup-db! (merge db-config dry-run)))
(defn list-snapshots! (defn list-snapshots!
[] []
(println "list-snapshots!") (println "\nlist-snapshots!")
(rc/list-snapshots! file-config) (rc/list-snapshots! file-config)
(rc/list-snapshots! (merge db-config dry-run))) (rc/list-snapshots! (merge db-config dry-run)))
(defn restic-restore! (defn restic-restore!
[] []
(println "restic-restore!") (println "\nrestic-restore!")
(rs/restore-file! file-config) (rs/restore-file! file-config)
(pg/drop-create-db! (merge db-config dry-run)) (pg/drop-create-db! (merge db-config dry-run))
(rs/restore-db! (merge db-config dry-run))) (rs/restore-db! (merge db-config dry-run)))
(defn change-password! (defn change-password!
[] []
(println "change-password!") (println "\nchange-password!")
(cr/change-password! cred-config)) (rc/change-password! file-config))
(prepare!) (prepare!)
(check-env-or-file) (check-env-or-file)
@ -86,3 +79,6 @@
(list-snapshots!) (list-snapshots!)
(restic-restore!) (restic-restore!)
(change-password!) (change-password!)
(restic-backup!)
(list-snapshots!)
(restic-restore!)

View file

@ -26,25 +26,31 @@
(s/merge ::pg/pg-config (s/merge ::pg/pg-config
::restic/restic-config)) ::restic/restic-config))
(defn- config-w-defaults
[config]
(if (restic/use-new-password? config)
(merge default config {:password-file (:new-password-file config)})
(merge default config)))
(defn-spec backup-file! nil? (defn-spec backup-file! nil?
[config ::backup-file-config] [config ::backup-file-config]
(let [config-w-defaults (merge default config)] (let [config-2-use (config-w-defaults config)]
(restic/unlock! config-w-defaults) (restic/unlock! config-2-use)
(i/execute! (i/execute!
(domain/backup-files-command config-w-defaults) (domain/backup-files-command config-2-use)
config-w-defaults) config-2-use)
(restic/forget! config-w-defaults))) (restic/forget! config-2-use)))
(defn-spec backup-db-roles! nil? (defn-spec backup-db-roles! nil?
[config ::pg-role-dump-config] [config ::pg-role-dump-config]
(let [config-w-defaults (merge default config)] (let [config-2-use (config-w-defaults config)]
(restic/unlock! config-w-defaults) (restic/unlock! config-2-use)
(i/execute! (domain/backup-role-command config-w-defaults) config-w-defaults) (i/execute! (domain/backup-role-command config-2-use) config-2-use)
(restic/forget! config-w-defaults))) (restic/forget! config-2-use)))
(defn-spec backup-db! nil? (defn-spec backup-db! nil?
[config ::pg-db-dump-config] [config ::pg-db-dump-config]
(let [config-w-defaults (merge default config)] (let [config-2-use (config-w-defaults config)]
(restic/unlock! config-w-defaults) (restic/unlock! config-2-use)
(i/execute! (domain/backup-db-command config-w-defaults) config-w-defaults) (i/execute! (domain/backup-db-command config-2-use) config-2-use)
(restic/forget! config-w-defaults))) (restic/forget! config-2-use)))

View file

@ -1,72 +0,0 @@
(ns dda.backup.cred-rot
(:require
[orchestra.core :refer [defn-spec]]
[clojure.spec.alpha :as s]
[dda.backup.cred-rot.domain :as domain]
[dda.backup.infrastructure :as i]
[cljc.java-time.instant :as inst]
[cljc.java-time.local-date :as ld]))
(s/def ::replace-until domain/timestamp?)
(s/def ::new-password-file string?)
(s/def ::new-password-config (s/keys :req-un [::new-password-file ::replace-until]))
(s/def ::cred-rot
(s/keys :req-un []
:opt-un [::new-password-config]))
; Refer to "docs/CredentialRotation.md" for specifics
(defn-spec list-passwords! string?
[config ::cred-rot]
(i/execute-out! (domain/list-passwords-command config) config))
(defn-spec change-password-step! ::domain/set-password-action
[config ::cred-rot]
(when-some [new-password-config (:new-password-config config)]
(let [initial-passwords-list (domain/parse-response (list-passwords! config))
action (domain/set-new-password-action
(ld/now)
initial-passwords-list
config)]
(cond
(= action :wait-for-new-pwd)
(println "nothing to do.")
(= action :change-pwd)
(i/execute! (domain/change-password-command config) config)
(= action :new-pwd-change-finished)
(println "pw-change sucessfull")
(= action :no-pwd-change-needed)
(println "nothing to do.")
:else
(throw (Exception. (str action)))
)
(println initial-passwords-list)
(println action)
(println (list-passwords! config))
action
)))
(defn-spec change-password! nil?
[config ::cred-rot]
(while (let [action (change-password-step! config) ]
(and (not= :no-pwd-change-needed action)
(not= :wait-for-new-pwd action)))
(println "call step")
))
(defn-spec set-new-password-old! nil?
[config ::cred-rot]
(let [{:keys [new-password-file replace-until]} (:new-password-config config)
replace-until-date (ld/parse "2024-10-19 13:16:54" domain/timestamp-formatter)]
(if (not (nil? new-password-file))
(let [parsed-passwords (domain/parse-response (list-passwords! config))]
(println (str "add-new-password: relace until " replace-until))
(cond
(> 0 (compare
(:created (last parsed-passwords))
replace-until-date))
(do (println "add-new-password: set new pw")
(i/execute! (domain/add-password-command config) config))
:else (println (str "else " (inst/now)))))
(println "add-new-password: there was no new pw configured"))))

View file

@ -1,111 +0,0 @@
(ns dda.backup.cred-rot.domain
(:require
[orchestra.core :refer [defn-spec]]
[clojure.spec.alpha :as s]
[clojure.string :as str]
[dda.backup.core.domain :as cd]
[dda.backup.restic.domain :as rd]
[cheshire.core :as cc]
[cljc.java-time.local-date :as ld]
[cljc.java-time.format.date-time-formatter :as df]))
(s/def ::new-password-file string?)
(s/def ::config (s/keys :req-un [::rd/restic-repository
::rd/password-file]
:opt-un [::rd/certificate-file
::new-password-file]))
(def lowercase-numeric #"[a-z0-9]+")
(def alphanumeric #"[a-zA-Z0-9]+")
; true | false
(s/def ::current boolean?)
; 521e0760
(s/def ::id (s/and string? #(re-matches lowercase-numeric %)))
; root
(s/def ::userName #(re-matches alphanumeric %))
; backup-restore-65bd9b6ff5-z69sn
(s/def ::hostName (fn [in] (every? #(re-matches lowercase-numeric %) (str/split in #"-"))))
; "2024-10-18 13:08:16"
(def timestamp-formatter (df/of-pattern "yyyy-MM-dd HH:mm:ss"))
(defn timestamp-string? [in]
(try
(ld/parse in timestamp-formatter)
true
(catch Exception _ false)))
(def timestamp? any?)
(s/def ::created timestamp?)
(s/def ::entry (s/keys :opt-un []
:req-un [::current ::id ::userName ::hostName ::created]))
(s/def ::response (s/coll-of ::entry))
(s/def ::set-password-action #{:error-parse-password :error-undefined
:wait-for-new-pwd :change-pwd :pwd-change-finished :no-pwd-change-needed})
(s/def ::valid-from timestamp-string?)
(s/def ::new-password-file string?)
(s/def ::new-password-config (s/keys :req-un [::new-password-file ::valid-from]))
(s/def ::cred-rot
(s/keys :req-un []
:opt-un [::new-password-config]))
; Refer to "docs/CredentialRotation.md" for specifics
(defn-spec base-command ::cd/command
[config ::config
command ::cd/command]
(let [{:keys [restic-repository password-file
certificate-file new-password-file]} config]
(into
[]
(concat ["restic" "-r" restic-repository]
(cond
(some? certificate-file)
["--cacert" certificate-file]
(some? password-file)
["--password-file" password-file]
:else
[])
command))))
(defn-spec list-passwords-command ::cd/command
[config ::config]
(base-command config ["key" "list" "--json"]))
(defn-spec change-password-command ::cd/command
[config ::config]
(let [{:keys [new-password-file]} (:new-password-config config)]
[(base-command config ["--new-password-file" new-password-file "key" "passwd"])]))
(defn-spec parse-response ::response
[response string?]
(->> (cc/parse-string response true)
(map #(merge % {:created (ld/parse (:created %) timestamp-formatter)}))
(sort-by :created)
))
(defn-spec set-new-password-action ::set-password-action
[current-date timestamp?
parsed-response ::response
config ::cred-rot]
(if-let [new-password-config (:new-password-config config)]
(let [valid-from (:valid-from new-password-config)
valid-from-date (ld/parse valid-from timestamp-formatter)]
(cond
(> 1 (count parsed-response))
:error-parse-password
(> 0 (compare current-date valid-from-date))
:wait-for-new-pwd
(and (<= 0 (compare current-date valid-from-date))
(= 1 (count parsed-response))
(> 0 (compare (:created (last parsed-response)) valid-from-date)))
:change-pwd
(and (<= 0 (compare current-date valid-from-date))
(= 1 (count parsed-response))
(<= 0 (compare (:created (last parsed-response)) valid-from-date))
(:current (last parsed-response)))
:pwd-change-finished
:else
:error-undefined))
:no-pwd-change-needed))

View file

@ -3,16 +3,6 @@
[babashka.tasks :as t] [babashka.tasks :as t]
[dda.backup.core.domain :as core])) [dda.backup.core.domain :as core]))
(defn-spec execute! nil?
[commands ::core/commands
config ::core/execution]
(let [{:keys [dry-run debug]} config]
(doseq [c commands]
(when debug
(println c))
(when-not dry-run
(apply t/shell c)))))
(defn-spec execute-out! string? (defn-spec execute-out! string?
[command ::core/command [command ::core/command
config ::core/execution] config ::core/execution]
@ -20,4 +10,22 @@
(when debug (when debug
(println command)) (println command))
(when-not dry-run (when-not dry-run
(:out (t/shell {:out :string} (clojure.string/join " " command)))))) (:out (t/shell {:out :string :err :string} (clojure.string/join " " command))))))
(defn-spec execute-single! string?
[command ::core/command
config ::core/execution]
(let [{:keys [dry-run debug]} config]
(when debug
(println command))
(when-not dry-run
(:out (t/shell {:err :string} (clojure.string/join " " command))))))
(defn-spec execute! nil?
[commands ::core/commands
config ::core/execution]
(let [{:keys [dry-run debug]} config]
(doseq [c commands]
(when-not dry-run
(execute-single! c config)))))

View file

@ -17,34 +17,72 @@
::domain/backup-path] ::domain/backup-path]
:opt-un [::domain/certificate-file :opt-un [::domain/certificate-file
::domain/password-file ::domain/password-file
::domain/new-password-file
::domain/days-to-keep ::domain/days-to-keep
::domain/months-to-keep]))) ::domain/months-to-keep])))
(defn-spec initalized? boolean? (s/def ::check-result #{:initialized :wrong-password :not-initialized :error})
(defn-spec check ::check-result
[restic-config ::restic-config] [restic-config ::restic-config]
(let [config-w-defaults (merge core/default restic-config)] (let [config-w-defaults (merge core/default restic-config)]
(try (try
(i/execute! (domain/check-repo-command config-w-defaults) config-w-defaults) (i/execute! (domain/check-repo-command config-w-defaults) config-w-defaults)
true :initialized
(catch Exception e false)))) (catch Exception e
(let [data (ex-data e)
parsed-error (domain/parse-check-error (get-in data [:proc :err]))]
(cond
(= parsed-error :not-initialized) :not-initialized
(= parsed-error :wrong-password) :wrong-password
:default :error))))))
(defn-spec use-new-password? boolean?
"deprecated"
[restic-config ::restic-config]
(if (contains? restic-config :new-password-file)
(= :initialized (check (merge restic-config {:password-file (:new-password-file restic-config)})))
false))
(defn- config-w-defaults
[restic-config]
(if (use-new-password? restic-config)
(merge default restic-config {:password-file (:new-password-file restic-config)})
(merge default restic-config)))
(defn-spec initalized? boolean?
"deprecated"
[restic-config ::restic-config]
(let [config-2-use (config-w-defaults restic-config)]
(= :initialized (check config-2-use))))
(defn-spec init! nil? (defn-spec init! nil?
[restic-config ::restic-config] [restic-config ::restic-config]
(let [config-w-defaults (merge core/default restic-config)] (let [config-2-use (config-w-defaults restic-config)]
(when (not (initalized? config-w-defaults)) (when (= :not-initialized (check config-2-use))
(i/execute! (domain/init-repo-command config-w-defaults) config-w-defaults)))) (i/execute! (domain/init-repo-command config-2-use) config-2-use))))
(defn-spec unlock! nil? (defn-spec unlock! nil?
[restic-config ::restic-config] [restic-config ::restic-config]
(let [config-w-defaults (merge core/default restic-config)] (let [config-2-use (config-w-defaults restic-config)]
(i/execute! (domain/unlock-repo-command config-w-defaults) config-w-defaults))) (i/execute! (domain/unlock-repo-command config-2-use) config-2-use)))
(defn-spec forget! nil? (defn-spec forget! nil?
[restic-config ::restic-config] [restic-config ::restic-config]
(let [config-w-defaults (merge core/default restic-config)] (let [config-2-use (config-w-defaults restic-config)]
(i/execute! (domain/forget-command config-w-defaults) config-w-defaults))) (i/execute! (domain/forget-command config-2-use) config-2-use)))
(defn-spec list-snapshots! nil? (defn-spec list-snapshots! nil?
[restic-config ::restic-config] [restic-config ::restic-config]
(let [config-w-defaults (merge core/default restic-config)] (let [config-2-use (config-w-defaults restic-config)]
(i/execute! (domain/list-snapshot-command config-w-defaults) config-w-defaults))) (i/execute! (domain/list-snapshot-command config-2-use) config-2-use)))
(defn-spec change-password! nil?
[restic-config ::restic-config]
(when (contains? restic-config :new-password-file)
(let [config-2-use (merge core/default restic-config)]
(when (= :initialized (check config-2-use))
(do
(i/execute! (domain/change-password-command config-2-use) config-2-use)
(when-not (= :wrong-password (check config-2-use))
(throw (Exception. "password-change did not work!"))))))))

View file

@ -6,6 +6,7 @@
(s/def ::certificate-file string?) (s/def ::certificate-file string?)
(s/def ::password-file string?) (s/def ::password-file string?)
(s/def ::new-password-file string?)
(s/def ::restic-repository string?) (s/def ::restic-repository string?)
(s/def ::backup-path string?) (s/def ::backup-path string?)
(s/def ::days-to-keep pos?) (s/def ::days-to-keep pos?)
@ -18,8 +19,11 @@
::months-to-keep] ::months-to-keep]
:opt-un [::certificate-file :opt-un [::certificate-file
::password-file ::password-file
::new-password-file
::cd/execution-directory])) ::cd/execution-directory]))
(s/def ::check-error #{:not-initialized :wrong-password :no-password :unknown})
(defn-spec repo-command ::cd/command (defn-spec repo-command ::cd/command
[config ::restic-config [config ::restic-config
command ::cd/command] command ::cd/command]
@ -60,7 +64,23 @@
(defn-spec forget-command ::cd/commands (defn-spec forget-command ::cd/commands
[config ::restic-config] [config ::restic-config]
(let [{:keys [days-to-keep months-to-keep]} config] (let [{:keys [days-to-keep months-to-keep]} config]
[(repo-command config ["forget" "--group-by" "" [(repo-command config ["forget" "--group-by" "''"
"--keep-last" "1" "--keep-last" "1"
"--keep-daily" (str days-to-keep) "--keep-daily" (str days-to-keep)
"--keep-monthly" (str months-to-keep) "--prune"])])) "--keep-monthly" (str months-to-keep) "--prune"])]))
(defn-spec change-password-command ::cd/command
[config ::restic-config]
(if (contains? config :new-password-file)
(let [{:keys [new-password-file]} config]
[(repo-command config ["--new-password-file" new-password-file
"key" "passwd"])])
(throw (Exception. "change-password: new password required"))))
(defn-spec parse-check-error ::check-error
[error string?]
(cond
(clojure.string/includes? error "Fatal: unable to open config file") :not-initialized
(clojure.string/includes? error "Fatal: wrong password or no key found") :wrong-password
(clojure.string/includes? error "Resolving password failed") :no-password
:default :unknown))

View file

@ -20,19 +20,26 @@
(s/merge ::pg/pg-config (s/merge ::pg/pg-config
(s/keys :req-un [::domain/snapshot-id]))) (s/keys :req-un [::domain/snapshot-id])))
(defn- config-w-defaults
[config]
(if (restic/use-new-password? config)
(merge default config {:password-file (:new-password-file config)})
(merge default config)))
(defn-spec restore-file! nil? (defn-spec restore-file! nil?
[config ::restore-file-config] [config ::restore-file-config]
(let [config-w-defaults (merge default config)] (let [config-2-use (config-w-defaults config)]
(restic/unlock! config-w-defaults) (restic/unlock! config-2-use)
(i/execute! (i/execute!
(domain/restore-dir-command config-w-defaults) (domain/restore-dir-command config-2-use)
config-w-defaults))) config-2-use)))
(defn-spec restore-db! nil? (defn-spec restore-db! nil?
[config ::restore-db-config] [config ::restore-db-config]
(let [config-w-defaults (merge default config)] (let [config-2-use (config-w-defaults config)]
(restic/unlock! config-w-defaults) (restic/unlock! config-2-use)
(i/execute! (domain/restore-db-command config-w-defaults) config-w-defaults))) (i/execute! (domain/restore-db-command config-2-use) config-2-use)))
;; function restore-roles() { ;; function restore-roles() {

View file

@ -1,106 +0,0 @@
(ns dda.backup.cred-rot.domain-test
(:require
[clojure.test :refer [deftest is]]
[clojure.spec.alpha :as s]
[clojure.spec.test.alpha :as st]
[cljc.java-time.local-date :as ld]
[dda.backup.cred-rot.domain :as cut]))
(deftest test-spec-id
(is (s/valid? ::cut/id "521e0760"))
(is (s/valid? ::cut/id "test"))
(is (s/valid? ::cut/id "123456"))
(is (not (s/valid? ::cut/id "ROOT")))
(is (not (s/valid? ::cut/id "Test!"))))
(deftest test-spec-username
(is (s/valid? ::cut/userName "521e0760"))
(is (s/valid? ::cut/userName "Testuser"))
(is (s/valid? ::cut/userName "root"))
(is (s/valid? ::cut/userName "ROOT"))
(is (not (s/valid? ::cut/userName "test-user"))))
(deftest test-spec-hostName
(let [valid #(s/valid? ::cut/hostName %)]
(is (valid "test-some-combination-2"))
(is (valid "backup-restore-65bd9b6ff5-z69sn"))))
(deftest test-spec-timestamp
(let [valid #(s/valid? cut/timestamp-string? %)]
(is (valid "2024-10-18 13:08:16"))
(is (valid "2032-09-01 12:56:59"))
(is (not (valid "2024-13-5 13:08:16")))
(is (not (valid "2024-6-42 13:08:16")))
(is (not (valid "test")))))
(deftest test-parse-response
(is (=
(ld/parse "2024-10-19 13:16:54" cut/timestamp-formatter)
(:created
(first
(cut/parse-response "[
{
\"current\": false,
\"id\": \"521e0760\",
\"userName\": \"root\",
\"hostName\": \"backup-restore-65bd9b6ff5-z69sn\",
\"created\": \"2024-11-18 13:08:16\"
},
{
\"current\": true,
\"id\": \"b67161fb\",
\"userName\": \"root\",
\"hostName\": \"backup-restore-65bd9b6ff5-z69sn\",
\"created\": \"2024-10-19 13:16:54\"
}
]"))))))
(deftest test-set-new-password-action
(is (= :error-parse-password
(cut/set-new-password-action
(ld/parse "2024-10-19 13:16:54" cut/timestamp-formatter)
[]
{:new-password-config {:new-password-file "new-pw-file"
:valid-from "2024-11-29 12:00:16"}})))
(is (= :wait-for-new-pwd
(cut/set-new-password-action
(ld/parse "2024-10-19 13:16:54" cut/timestamp-formatter)
[{:current true
:id "a1"
:userName "root"
:hostName "host"
:created (ld/parse "2023-01-01 00:00:00" cut/timestamp-formatter)}]
{:new-password-config {:new-password-file "new-pw-file"
:valid-from "2024-11-29 12:00:16"}})))
(is (= :change-pwd
(cut/set-new-password-action
(ld/parse "2024-11-29 13:16:54" cut/timestamp-formatter)
[{:current true
:id "a1"
:userName "root"
:hostName "host"
:created (ld/parse "2023-01-01 00:00:00" cut/timestamp-formatter)}]
{:new-password-config {:new-password-file "new-pw-file"
:valid-from "2024-11-29 12:00:16"}})))
(is (= :pwd-change-finished
(cut/set-new-password-action
(ld/parse "2024-11-29 13:16:55" cut/timestamp-formatter)
[{:current true
:id "a2"
:userName "root"
:hostName "host"
:created (ld/parse "2024-11-29 13:16:54" cut/timestamp-formatter)}]
{:new-password-config {:new-password-file "new-pw-file"
:valid-from "2024-11-29 12:00:16"}})))
(is (= :no-pwd-change-needed
(cut/set-new-password-action
(ld/parse "2024-11-29 13:16:55" cut/timestamp-formatter)
[{:current true
:id "a2"
:userName "root"
:hostName "host"
:created (ld/parse "2024-11-29 13:16:54" cut/timestamp-formatter)}]
{})))
)

View file

@ -64,9 +64,34 @@
(deftest should-calculate-forget-command (deftest should-calculate-forget-command
(is (= [["restic" "-r" "repo/dir" "-v" "forget" (is (= [["restic" "-r" "repo/dir" "-v" "forget"
"--group-by" "" "--keep-last" "1" "--group-by" "''" "--keep-last" "1"
"--keep-daily" "39" "--keep-monthly" "3" "--prune"]] "--keep-daily" "39" "--keep-monthly" "3" "--prune"]]
(cut/forget-command {:restic-repository "repo" (cut/forget-command {:restic-repository "repo"
:backup-path "dir" :backup-path "dir"
:days-to-keep 39 :days-to-keep 39
:months-to-keep 3})))) :months-to-keep 3}))))
(deftest should-calculate-change-password-command
(is (= [["restic"
"-r"
"repo/dir"
"-v"
"--new-password-file"
"/new-pwd"
"key"
"passwd"]]
(cut/change-password-command {:restic-repository "repo"
:new-password-file "/new-pwd"
:backup-path "dir"
:days-to-keep 39
:months-to-keep 3}))))
(deftest should-parse-check-error
(is (= :not-initialized
(cut/parse-check-error "Fatal: unable to open config file: stat /restic-repo/files/config: no such file or directory\nIs there a repository at the following location?\n/restic-repo/files" )
))
(is (= :wrong-password
(cut/parse-check-error "Fatal: wrong password or no key found\n")))
(is (= :no-password
(cut/parse-check-error "Resolving password failed: Fatal: /restic-pwd does not exist\n")))
)