dry run rotate [T813] #269
dry run rotate [T813] #269
@@ -152,43 +79,36 @@ func rotateDb(selectQuery, updateQuery string, db *sql.DB, keystore keystore.Key | |||
return false | |||
} | |||
logger := log.WithFields(log.Fields{"ZoneId": string(acraStructID)}) | |||
logger.Infof("Rotate AcraStruct with ZoneId=%s", string(acraStructID)) | |||
logger.Infof("Rotate AcraStruct") |
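Review bot: `logger.Infof("Rotate AcraStruct")` on the last added line passes a fixed message with no format verbs; the rest of the change logs fixed messages with the `...ln` variants (`Errorln` in runFileRotation), so `logger.Infoln("Rotate AcraStruct")` would be the consistent form. The `ZoneId` field built from `string(acraStructID)` two lines up writes the raw bytes into every log line, while the other hunks hex-encode binary values (`hex.EncodeToString(acrastruct)`); if a zone id can carry non-printable bytes, the same encoding would keep the log lines clean — worth confirming against how zone ids are generated. rotateDb's body continues outside the hunk.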
Why don't we log the zone id anymore?
I think we should log something like "Rotating in dry-run mode" if dry-run is true.
why we don't log zone id anymore?
because the row above creates a logger with the zone as a field that will always be included in the log messages
I think we should log smth like Rotating in dry-run mode if dry-run is true
agree
return output, nil | ||
} | ||
|
||
// runFileRotation read map zones to files, re-generate zone key pairs and re-encrypt files | ||
func runFileRotation(fileMapConfigPath string, keystorage keystore.KeyStore) { | ||
func runFileRotation(fileMapConfigPath string, keystorage keystore.KeyStore, dryRun bool) { | ||
fileMap, err := loadFileMap(fileMapConfigPath) | ||
if err != nil { | ||
log.WithError(err).Errorln("Can't load config with map <ZoneId>: <FilePath>") | ||
os.Exit(1) | ||
} |
Same, I think we should log "Starting in .. dry-run mode"
} | ||
|
||
func (rotator *keyRotator) clearKeys() { | ||
for _, keypair := range rotator.newKeypairs { |
👍
cmd/acra-rotate/rotator.go
Outdated
logger.WithField("acrastruct", hex.EncodeToString(acrastruct)).WithError(err).Errorln("Can't decrypt AcraStruct") | ||
return nil, err | ||
} | ||
utils.FillSlice(0, privateKey.Value) |
👍
} | ||
decrypted, err := base.DecryptAcrastruct(acrastruct, privateKey, zoneID) | ||
if err != nil { | ||
logger.WithField("acrastruct", hex.EncodeToString(acrastruct)).WithError(err).Errorln("Can't decrypt AcraStruct") |
Maybe it's worth zeroing the private key in case of error too?
@@ -105,26 +106,27 @@ func testGeneratingDataEncryptionKeys(store *FilesystemKeyStore, t *testing.T) { | |||
} | |||
} | |||
|
|||
func checkPath(path string, t *testing.T) { |
👍
@@ -57,12 +57,13 @@ func (rotator *keyRotator) rotateAcrastruct(zoneID, acrastruct []byte) ([]byte, | |||
logger.WithField("acrastruct", hex.EncodeToString(acrastruct)).WithError(err).Errorln("Can't get private key") | |||
return nil, err | |||
} | |||
defer utils.FillSlice(0, privateKey.Value) |
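Review bot: `defer utils.FillSlice(0, privateKey.Value)` wipes the key slice on every return path, but it wipes whatever storage the keystore handed back; if the keystore returns a cached slice rather than a fresh copy, the cached private key would be zeroed after the first rotation and later lookups would decrypt with a zeroed key, so this is worth confirming and recording in a comment such as `// wipe the private key on return; the keystore hands back a private copy`. The plaintext produced by decrypting the AcraStruct further down is not visible in this hunk and deserves the same treatment once it has been re-encrypted. rotateAcrastruct continues outside the hunk.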
👍
Looks awesome! |
acra-rotate
with the `--dry-run` flag will fetch acrastructs (from files or database), decrypt them, rotate the keys in memory, encrypt with the new public keys and print the result as JSON with the new public keys, without saving the rotated keys and acrastructs (to filesystem or database)