From e96e7543c4e759281e8a2d789ed2d2fd4f358ce2 Mon Sep 17 00:00:00 2001
From: Lars Wirzenius
Date: Wed, 26 Mar 2014 20:26:31 +0000
Subject: Add helpr functions for getting keyid, fingerprint
---
yarns/obnam.sh | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
(limited to 'yarns')
diff --git a/yarns/obnam.sh b/yarns/obnam.sh
index 50080d2b..54d76c02 100644
--- a/yarns/obnam.sh
+++ b/yarns/obnam.sh
@@ -158,6 +158,25 @@ manifest()
 }
+# Get a GPG fingerprint given a username.
+
+get_fingerprint()
+{
+ gpg --fingerprint "$1" |
+ sed -n '/^ *Key fingerprint = /s///p' |
+ sed 's/ *//g'
+}
+
+
+# Get a GPG keyid given a username.
+
+get_keyid()
+{
+ get_fingerprint "$1" |
+ awk '{ print substr($0, length-8) }'
+}
+
+
+# Create a dummy $HOME that actually exists.
 export HOME="$DATADIR/home"
 mkdir -p "$HOME"
-- cgit v1.2.1
From 5478c4759a5d5824f99457a01f76600f2e6a80b5 Mon Sep 17 00:00:00 2001
From: Lars Wirzenius
Date: Wed, 26 Mar 2014 20:27:32 +0000
Subject: Add scenario for replacing client key
---
yarns/0060-encryption.yarn | 27 +++++++++++++++++++++++++++
1 file changed, 27 insertions(+)
(limited to 'yarns')
diff --git a/yarns/0060-encryption.yarn b/yarns/0060-encryption.yarn
index 485a1233..454e48a0 100644
--- a/yarns/0060-encryption.yarn
+++ b/yarns/0060-encryption.yarn
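Review bot: `get_keyid` returns nine hex digits rather than an eight-digit short key ID: awk's `substr($0, length-8)` runs from position `length-8` through the end inclusive, which is nine characters of a 40-character fingerprint, so the intended offset is `substr($0, length-7)` (or `length-15` if callers want the 16-digit long ID). `get_fingerprint` scrapes the human-readable `Key fingerprint =` line, whose wording depends on the gpg version and locale, and prints one line per key matching the name; the machine-readable form `gpg --with-colons --fingerprint "$1" | awk -F: '$1 == "fpr" { print $10; exit }'` is stable across versions and yields exactly one value. A header comment on `get_fingerprint` stating that it prints the 40-hex-digit fingerprint of the first key whose user ID matches `$1`, with no spaces, would also tell callers what to expect.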
@@ -115,6 +115,33 @@ not have access to another client's data.
 THEN the attempt failed with exit code 1
 AND the error message matches "secret key not available"
+Replace a key for a client
+--------------------------
+
+If we replace the key for a client in a repository, and then the
+client gets rid of the old key, the new key should be able to restore
+old backups.
+
+First, backup using the old key.
+
+ SCENARIO replace client key
+ GIVEN user U uses encryption key "Test Key One" from test-data/keyring-1
+ AND 1kB of new data in directory L
+ AND a manifest of L in M
+ WHEN user U backs up directory L to repository R
+
+Then, replace the old key with the new one and get rid of the old key.
+
+ GIVEN user U uses encryption key "Test Key Two" from test-data/keyring-2
+ WHEN user U adds key "Test Key Two" to repository R
+ AND user U removes key "Test Key One" from repository R
+ WHEN user U no longer has key "Test Key One"
+
+Finally, verify that restores still work with the new key.
+
+ WHEN user U restores their latest generation in repository R into X
+ THEN L, restored to X, matches manifest M
+
 Key queries
 -----------
-- cgit v1.2.1
From 2121b7576046d207821f44aa6317a1947903abae Mon Sep 17 00:00:00 2001
From: Lars Wirzenius
Date: Wed, 26 Mar 2014 20:37:01 +0000
Subject: Add implements
---
yarns/9000-implements.yarn | 50 +++++++++++++++++++++++++++++++++++++++++++++-
1 file changed, 49 insertions(+), 1 deletion(-)
(limited to 'yarns')
diff --git a/yarns/9000-implements.yarn b/yarns/9000-implements.yarn
index b62d17f4..108795fc 100644
--- a/yarns/9000-implements.yarn
+++ b/yarns/9000-implements.yarn
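Review bot: The scenario only asserts that the restore works after the swap; it never checks that the key replacement itself took effect, so a `remove-key` that silently did nothing would still pass. Adding `THEN user U uses key "Test Key Two" in repository R` after the remove step (a step of that form is used elsewhere in this file) would pin the repository state before the old key is deleted. The prose should also say what this does not show: removing "Test Key One" from the repository does not make data already encrypted to it unreadable with that key — the scenario demonstrates that the new key can read old generations, not that the old key cannot — unless obnam re-encrypts on key removal, which nothing here asserts. Minor: `WHEN user U no longer has key "Test Key One"` sits in the middle of an `AND` chain; `AND` would match the surrounding steps.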
@@ -179,7 +179,18 @@ use. We store that.
 mkdir "$DATADIR/$MATCH_1.gnupg"
 cp -a "$SRCDIR/$MATCH_3/." "$DATADIR/$MATCH_1.gnupg/."
 add_to_env "$MATCH_1" GNUPGHOME "$DATADIR/$MATCH_1.gnupg"
+ else
+ # Export public and secret keys from new keyring.
+ export GNUPGHOME="$SRCDIR/$MATCH_3"
+ gpg --export "$MATCH_2" > "$DATADIR/public.key"
+ gpg --export-secret-keys "$MATCH_2" > "$DATADIR/secret.key"
+
+ # Import into the keyring uses for tests.
+ export GNUPGHOME="$DATADIR/$MATCH_1.gnupg"
+ gpg --import "$DATADIR/public.key"
+ gpg --import "$DATADIR/secret.key"
 fi
+ add_to_config "$MATCH_1" encrypt-with "$MATCH_2"
 Encryption scenarions, at least, also need users that pretend to be
@@ -389,7 +400,25 @@ Import a key into one user's keyring from another keyring.
 Add a public key to a repository.
 IMPLEMENTS WHEN user (\S+) adds key "(.+)" to repository (\S+)
- run_obnam "$MATCH_1" -r "$DATADIR/$MATCH_3" add-key --keyid "$MATCH_2"
+ run_obnam "$MATCH_1" -r "$DATADIR/$MATCH_3" \
+ add-key --keyid "$MATCH_2" "$MATCH_1"
+
+Remove a public key from a repository.
+
+ IMPLEMENTS WHEN user (\S+) removes key "(.+)" from repository (\S+)
+ export GNUPGHOME="$DATADIR/$MATCH_1.gnupg"
+ keyid="$(
+ get_fingerprint "$MATCH_2" |
+ awk '{ print substr($0, length-16) }')"
+ run_obnam "$MATCH_1" -r "$DATADIR/$MATCH_3" \
+ remove-key --keyid "$keyid" \
+
+Forget a key from the user's keyring.
+
+ IMPLEMENTS WHEN user (\S+) no longer has key "(.+)"
+ export GNUPGHOME="$DATADIR/$MATCH_1.gnupg"
+ fingerprint="$(get_fingerprint "$MATCH_2")"
+ gpg --batch --delete-secret-key "$fingerprint"
 Client management
 -----------------
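Review bot: The new `else` branch points gpg at the keyring checked into the source tree (`export GNUPGHOME="$SRCDIR/$MATCH_3"`), so gpg may drop lock files, a trustdb or `random_seed` inside `$SRCDIR`; the `if` branch above avoids that by copying the keyring into `$DATADIR` first (the `if` itself starts outside the hunk). It also writes the secret key to `$DATADIR/secret.key` with the default umask and never removes it — harmless for test keys, but there is no reason to leave it behind. The import step later in this file already does a one-shot export/import with a per-command `GNUPGHOME=` assignment and a pipe; the same form works here for both the public and the secret key and leaves nothing on disk.
```shell
else
    # Copy the key pair into this user's test keyring without a
    # persistent GNUPGHOME change or key files left in $DATADIR.
    GNUPGHOME="$SRCDIR/$MATCH_3" gpg --export "$MATCH_2" |
    GNUPGHOME="$DATADIR/$MATCH_1.gnupg" gpg --import
    GNUPGHOME="$SRCDIR/$MATCH_3" gpg --export-secret-keys "$MATCH_2" |
    GNUPGHOME="$DATADIR/$MATCH_1.gnupg" gpg --import
fi
# … unchanged: add_to_config "$MATCH_1" encrypt-with "$MATCH_2" …
```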
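Review bot: The key ID handed to `remove-key` is 17 characters long: `substr($0, length-16)` takes positions `length-16` through `length` inclusive, one more than the 16-hex-digit long key ID, so `awk '{ print substr($0, length-15) }'` is the intended expression (whether obnam's `remove-key` tolerates the extra digit is not visible here, and note that `add-key` in the same hunk is given the key's name in `"$MATCH_2"` while `remove-key` gets a hex ID). `remove-key --keyid "$keyid" \` ends with a line continuation followed by a blank line, so any line later added under it silently becomes part of the command; drop the trailing backslash. In the "no longer has key" step, `gpg --batch --delete-secret-key` needs a full fingerprint in batch mode, which the helper supplies, but GnuPG 2.1+ additionally asks the agent to confirm unless `--yes` is given, so `gpg --batch --yes --delete-secret-key "$fingerprint"` is the portable form — worth checking against the gpg versions the tests run under.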
@@ -434,6 +463,15 @@ test the results in various ways as separate steps.
 IMPLEMENTS THEN the attempt failed with exit code (\d+)
 attempt_exit_was "$MATCH_1"
+We want to match the stdout against a regular expression.
+
+ IMPLEMENTS THEN the output matches "(.+)"
+ echo -----------------------
+ echo stdout being matched:
+ cat "$DATADIR/attempt.stdout"
+ echo -----------------------
+ attempt_matches stdout "$MATCH_1"
+
 We can also match the stderr against a regular expression.
 IMPLEMENTS THEN the error message matches "(.+)"
@@ -516,3 +554,13 @@ often is disabled on build servers.
 IMPLEMENTS ASSUMING extended attributes are allowed for users
 touch "$DATADIR/xattr.test"
 setfattr -n user.foo -v bar "$DATADIR/xattr.test"
+
+
+Nagios
+------
+
+Run the Nagios monitoring subcommand.
+
+ IMPLEMENTS WHEN user (\S+) attempts nagios-last-backup-age against repository (\S+)
+ attempt run_obnam "$MATCH_1" nagios-last-backup-age \
+ -r "$DATADIR/$MATCH_2"
-- cgit v1.2.1
From 3b2e8a7328f00b217c72a5e479b50ebc0ab507d9 Mon Sep 17 00:00:00 2001
From: Lars Wirzenius
Date: Thu, 27 Mar 2014 09:51:11 +0000
Subject: Separate adding to share and owner steps
---
yarns/0060-encryption.yarn | 6 +++---
yarns/9000-implements.yarn | 11 +++++++++--
2 files changed, 12 insertions(+), 5 deletions(-)
(limited to 'yarns')
diff --git a/yarns/0060-encryption.yarn b/yarns/0060-encryption.yarn
index 454e48a0..f0a95ced 100644
--- a/yarns/0060-encryption.yarn
+++ b/yarns/0060-encryption.yarn
@@ -74,7 +74,7 @@ only the first client's key, meaning the second client has no access
 to the client list, and thus can't add itself.
 WHEN user U1 imports public key "Test Key Two" from test-data/keyring-2
- AND user U1 adds key "Test Key Two" to repository R
+ AND user U1 adds key "Test Key Two" to repository R only
 Then we make a backup as the second client.
@@ -133,7 +133,7 @@ First, backup using the old key.
 Then, replace the old key with the new one and get rid of the old key.
 GIVEN user U uses encryption key "Test Key Two" from test-data/keyring-2
- WHEN user U adds key "Test Key Two" to repository R
+ WHEN user U adds key "Test Key Two" to repository R and self
 AND user U removes key "Test Key One" from repository R
 WHEN user U no longer has key "Test Key One"
@@ -169,6 +169,6 @@ remain.
 WHEN user U1 backs up directory L to repository R
 THEN user U1 uses key "Test Key One" in repository R
 WHEN user U1 imports public key "Test Key Two" from test-data/keyring-2
- AND user U1 adds key "Test Key Two" to repository R
+ AND user U1 adds key "Test Key Two" to repository R only
 AND user U2 removes user U1 from repository R
 THEN user U2 can't see user U1 in repository R
diff --git a/yarns/9000-implements.yarn b/yarns/9000-implements.yarn
index 108795fc..364c6bb9 100644
--- a/yarns/9000-implements.yarn
+++ b/yarns/9000-implements.yarn
@@ -397,9 +397,16 @@ Import a key into one user's keyring from another keyring.
 GNUPGHOME="$SRCDIR/$MATCH_3" gpg --export --armor "$MATCH_2" |
 GNUPGHOME="$DATADIR/$MATCH_1.gnupg" gpg --import
-Add a public key to a repository.
+Add a public key to a repository, but not to the calling user, only to
+the shared parts.
- IMPLEMENTS WHEN user (\S+) adds key "(.+)" to repository (\S+)
+ IMPLEMENTS WHEN user (\S+) adds key "(.+)" to repository (\S+) only
+ run_obnam "$MATCH_1" -r "$DATADIR/$MATCH_3" \
+ add-key --keyid "$MATCH_2"
+
+Add a public key to a repository, and the calling user.
+
+ IMPLEMENTS WHEN user (\S+) adds key "(.+)" to repository (\S+) and self
 run_obnam "$MATCH_1" -r "$DATADIR/$MATCH_3" \
 add-key --keyid "$MATCH_2" "$MATCH_1"
-- cgit v1.2.1
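Review bot: The "and self" step passes the yarn user name `"$MATCH_1"` as the trailing positional argument of `add-key`, but its description says only "and the calling user"; that relies on `run_obnam` making obnam's client name equal to the yarn user name, which is not visible in this hunk. Spell the dependency out so the next person editing the step knows what the argument is, e.g. `Add a public key to the repository's shared parts and also to the calling user's own client; the client name is the yarn user name, which is why "$MATCH_1" is passed as the client to add the key to.` The `only` / `and self` suffixes cannot collide because `(\S+)` does not match a space, so the regexes themselves need no change.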