meissa/dda-backup
7
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
dda-backup/docs/CredentialRotation.md
Michael Jerger 10902da998 add doc
2024-12-11 11:16:06 +01:00

2.5 KiB
Raw Blame History

Credential Rotation

change password step

stateDiagram-v2
    noAction: no-pwd-change-needed
    wait: wait-for-new-pwd
    new: set-new-pwd
    removeOld: remove-old-pwd
    finished: new-pwd-change-finished
    state configExist? <<choice>>
    state valid? <<choice>>
    state finished? <<choice>>

    [*] --> configExist?
    configExist? --> valid?: new-password-config-exist?
    configExist? --> noAction
    valid? --> finished?: valid-from > now?
    valid? --> wait
    finished? --> finished: current > valid-from?
    finished? --> new
    new --> removeOld
    removeOld --> [*]
    finished --> [*]
    noAction --> [*]
    wait --> [*]

Example Data

Default

[{
    "current": true,
    "id": "521e0760",
    "userName": "root",
    "hostName": "backup-restore-65bd9b6ff5-z69sn",
    "created": "2024-10-18 13:08:16"
}]

Add another password

[
  {
    "current": true,
    "id": "521e0760",
    "userName": "root",
    "hostName": "backup-restore-65bd9b6ff5-z69sn",
    "created": "2024-10-18 13:08:16"
  },
  {
    "current": false,
    "id": "b67161fb",
    "userName": "root",
    "hostName": "backup-restore-65bd9b6ff5-z69sn",
    "created": "2024-10-18 13:16:54"
  }
]

Change current password

[
  {
    "current": false,
    "id": "521e0760",
    "userName": "root",
    "hostName": "backup-restore-65bd9b6ff5-z69sn",
    "created": "2024-10-18 13:08:16"
  },
  {
    "current": true,
    "id": "b67161fb",
    "userName": "root",
    "hostName": "backup-restore-65bd9b6ff5-z69sn",
    "created": "2024-10-18 13:16:54"
  }
]

Remove old password

[
  {
    "current": true,
    "id": "b67161fb",
    "userName": "root",
    "hostName": "backup-restore-65bd9b6ff5-z69sn",
    "created": "2024-10-18 13:16:54"
  }
]

Steps

Steps need to be validated and performed seperately and work independently of each other. To avoid problems where the program is shut down mid-transition.

Stages

Initial State

Validation:

  • Detect change requested: new password file environment is set

Steps to perform:

  • Add new password
  • restic -r <repo> key add --new-password-file <file>

New password has been added

Validation:

  • List of passwords has 2 entries
  • The password with the newer timestamp is not set as "current"

Steps to perform:

  • Extract id of new password
  • Extract id of old password
  • Remove old password in favour of new one
  • restic -r <repo> key remove --key-hint <new-id> <old-id>
  • Unset new password file environment