scripts/rotate-credentials.sh

#!/bin/bash
#
# Credential Rotation Script
# 
# Per DoD/MilSpec requirements (NIST SP 800-53: SC-12, IA-5)
# This script assists with rotating credentials across the system
#
# Usage:
#   ./scripts/rotate-credentials.sh [credential-type]
#
# Credential types:
#   - jwt: JWT signing secret
#   - db: Database password
#   - keycloak: Keycloak client secret
#   - proxmox: Proxmox API tokens
#   - all: Rotate all credentials
#

set -euo pipefail

# Colors for output
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
NC='\033[0m' # No Color

# Logging functions
log_info() {
    echo -e "${GREEN}[INFO]${NC} $1"
}

log_warn() {
    echo -e "${YELLOW}[WARN]${NC} $1"
}

log_error() {
    echo -e "${RED}[ERROR]${NC} $1"
}

# Generate a secure random secret
generate_secret() {
    local length=${1:-64}
    openssl rand -base64 $length | tr -d '\n' | head -c $length
}

# Rotate JWT secret
rotate_jwt_secret() {
    log_info "Rotating JWT secret..."
    
    local new_secret=$(generate_secret 64)
    
    # Update in environment or secret management system
    if [ -f .env ]; then
        if grep -q "^JWT_SECRET=" .env; then
            sed -i.bak "s/^JWT_SECRET=.*/JWT_SECRET=${new_secret}/" .env
            log_info "Updated JWT_SECRET in .env (backup created: .env.bak)"
        else
            echo "JWT_SECRET=${new_secret}" >> .env
            log_info "Added JWT_SECRET to .env"
        fi
    else
        log_warn ".env file not found. Please set JWT_SECRET=${new_secret} manually"
    fi
    
    # If using Kubernetes secrets
    if command -v kubectl &> /dev/null; then
        log_info "Updating Kubernetes secret..."
        kubectl create secret generic jwt-secret \
            --from-literal=secret="${new_secret}" \
            --dry-run=client -o yaml | kubectl apply -f -
    fi
    
    log_warn "IMPORTANT: Restart all services using JWT_SECRET after rotation"
    log_warn "All existing JWT tokens will be invalidated"
}

# Rotate database password
rotate_db_password() {
    log_info "Rotating database password..."
    
    local new_password=$(generate_secret 32)
    
    # Update in environment
    if [ -f .env ]; then
        if grep -q "^DB_PASSWORD=" .env; then
            sed -i.bak "s/^DB_PASSWORD=.*/DB_PASSWORD=${new_password}/" .env
            log_info "Updated DB_PASSWORD in .env (backup created: .env.bak)"
        else
            echo "DB_PASSWORD=${new_password}" >> .env
            log_info "Added DB_PASSWORD to .env"
        fi
    else
        log_warn ".env file not found. Please set DB_PASSWORD=${new_password} manually"
    fi
    
    # Update database password
    log_warn "IMPORTANT: You must update the database password manually:"
    log_warn "  ALTER USER postgres WITH PASSWORD '${new_password}';"
    
    # If using Kubernetes secrets
    if command -v kubectl &> /dev/null; then
        log_info "Updating Kubernetes secret..."
        kubectl create secret generic db-credentials \
            --from-literal=password="${new_password}" \
            --dry-run=client -o yaml | kubectl apply -f -
    fi
}

# Rotate Keycloak client secret
rotate_keycloak_secret() {
    log_info "Rotating Keycloak client secret..."
    
    local new_secret=$(generate_secret 32)
    
    if [ -f .env ]; then
        if grep -q "^KEYCLOAK_CLIENT_SECRET=" .env; then
            sed -i.bak "s/^KEYCLOAK_CLIENT_SECRET=.*/KEYCLOAK_CLIENT_SECRET=${new_secret}/" .env
            log_info "Updated KEYCLOAK_CLIENT_SECRET in .env (backup created: .env.bak)"
        else
            echo "KEYCLOAK_CLIENT_SECRET=${new_secret}" >> .env
            log_info "Added KEYCLOAK_CLIENT_SECRET to .env"
        fi
    else
        log_warn ".env file not found. Please set KEYCLOAK_CLIENT_SECRET=${new_secret} manually"
    fi
    
    log_warn "IMPORTANT: Update Keycloak client secret in Keycloak admin console"
    log_warn "All existing Keycloak sessions will be invalidated"
}

# Rotate Proxmox API tokens
rotate_proxmox_tokens() {
    log_info "Rotating Proxmox API tokens..."
    
    log_warn "Proxmox API tokens must be rotated manually:"
    log_warn "1. Log into Proxmox web interface"
    log_warn "2. Go to Datacenter -> Permissions -> API Tokens"
    log_warn "3. Revoke old tokens and create new ones"
    log_warn "4. Update tokens in Kubernetes secrets or configuration"
    
    # If using Kubernetes secrets
    if command -v kubectl &> /dev/null; then
        log_info "To update Kubernetes secret after creating new token:"
        log_info "  kubectl create secret generic proxmox-credentials \\"
        log_info "    --from-literal=credentials.json='{\"username\":\"root@pam\",\"token\":\"NEW_TOKEN\"}' \\"
        log_info "    --dry-run=client -o yaml | kubectl apply -f -"
    fi
}

# Main function
main() {
    local credential_type=${1:-all}
    
    log_info "Starting credential rotation (DoD/MilSpec compliance)"
    log_info "Credential type: ${credential_type}"
    
    case "${credential_type}" in
        jwt)
            rotate_jwt_secret
            ;;
        db|database)
            rotate_db_password
            ;;
        keycloak)
            rotate_keycloak_secret
            ;;
        proxmox)
            rotate_proxmox_tokens
            ;;
        all)
            log_info "Rotating all credentials..."
            rotate_jwt_secret
            echo ""
            rotate_db_password
            echo ""
            rotate_keycloak_secret
            echo ""
            rotate_proxmox_tokens
            ;;
        *)
            log_error "Unknown credential type: ${credential_type}"
            echo "Usage: $0 [jwt|db|keycloak|proxmox|all]"
            exit 1
            ;;
    esac
    
    log_info "Credential rotation complete"
    log_warn "Remember to:"
    log_warn "  1. Restart all affected services"
    log_warn "  2. Verify services are working correctly"
    log_warn "  3. Update any documentation with new rotation date"
    log_warn "  4. Archive old credentials securely (if required by policy)"
}

# Run main function
main "$@"
Apply Composer changes: comprehensive API updates, migrations, middleware, and infrastructure improvements - Add comprehensive database migrations (001-024) for schema evolution - Enhance API schema with expanded type definitions and resolvers - Add new middleware: audit logging, rate limiting, MFA enforcement, security, tenant auth - Implement new services: AI optimization, billing, blockchain, compliance, marketplace - Add adapter layer for cloud integrations (Cloudflare, Kubernetes, Proxmox, storage) - Update Crossplane provider with enhanced VM management capabilities - Add comprehensive test suite for API endpoints and services - Update frontend components with improved GraphQL subscriptions and real-time updates - Enhance security configurations and headers (CSP, CORS, etc.) - Update documentation and configuration files - Add new CI/CD workflows and validation scripts - Implement design system improvements and UI enhancements 2025-12-12 18:01:35 -08:00			`#!/bin/bash`
			`#`
			`# Credential Rotation Script`
			`#`
			`# Per DoD/MilSpec requirements (NIST SP 800-53: SC-12, IA-5)`
			`# This script assists with rotating credentials across the system`
			`#`
			`# Usage:`
			`# ./scripts/rotate-credentials.sh [credential-type]`
			`#`
			`# Credential types:`
			`# - jwt: JWT signing secret`
			`# - db: Database password`
			`# - keycloak: Keycloak client secret`
			`# - proxmox: Proxmox API tokens`
			`# - all: Rotate all credentials`
			`#`

			`set -euo pipefail`

			`# Colors for output`
			`RED='\033[0;31m'`
			`GREEN='\033[0;32m'`
			`YELLOW='\033[1;33m'`
			`NC='\033[0m' # No Color`

			`# Logging functions`
			`log_info() {`
			`echo -e "${GREEN}[INFO]${NC} $1"`
			`}`

			`log_warn() {`
			`echo -e "${YELLOW}[WARN]${NC} $1"`
			`}`

			`log_error() {`
			`echo -e "${RED}[ERROR]${NC} $1"`
			`}`

			`# Generate a secure random secret`
			`generate_secret() {`
			`local length=${1:-64}`
			`openssl rand -base64 $length \| tr -d '\n' \| head -c $length`
			`}`

			`# Rotate JWT secret`
			`rotate_jwt_secret() {`
			`log_info "Rotating JWT secret..."`

			`local new_secret=$(generate_secret 64)`

			`# Update in environment or secret management system`
			`if [ -f .env ]; then`
			`if grep -q "^JWT_SECRET=" .env; then`
			`sed -i.bak "s/^JWT_SECRET=.*/JWT_SECRET=${new_secret}/" .env`
			`log_info "Updated JWT_SECRET in .env (backup created: .env.bak)"`
			`else`
			`echo "JWT_SECRET=${new_secret}" >> .env`
			`log_info "Added JWT_SECRET to .env"`
			`fi`
			`else`
			`log_warn ".env file not found. Please set JWT_SECRET=${new_secret} manually"`
			`fi`

			`# If using Kubernetes secrets`
			`if command -v kubectl &> /dev/null; then`
			`log_info "Updating Kubernetes secret..."`
			`kubectl create secret generic jwt-secret \`
			`--from-literal=secret="${new_secret}" \`
			`--dry-run=client -o yaml \| kubectl apply -f -`
			`fi`

			`log_warn "IMPORTANT: Restart all services using JWT_SECRET after rotation"`
			`log_warn "All existing JWT tokens will be invalidated"`
			`}`

			`# Rotate database password`
			`rotate_db_password() {`
			`log_info "Rotating database password..."`

			`local new_password=$(generate_secret 32)`

			`# Update in environment`
			`if [ -f .env ]; then`
			`if grep -q "^DB_PASSWORD=" .env; then`
			`sed -i.bak "s/^DB_PASSWORD=.*/DB_PASSWORD=${new_password}/" .env`
			`log_info "Updated DB_PASSWORD in .env (backup created: .env.bak)"`
			`else`
			`echo "DB_PASSWORD=${new_password}" >> .env`
			`log_info "Added DB_PASSWORD to .env"`
			`fi`
			`else`
			`log_warn ".env file not found. Please set DB_PASSWORD=${new_password} manually"`
			`fi`

			`# Update database password`
			`log_warn "IMPORTANT: You must update the database password manually:"`
			`log_warn " ALTER USER postgres WITH PASSWORD '${new_password}';"`

			`# If using Kubernetes secrets`
			`if command -v kubectl &> /dev/null; then`
			`log_info "Updating Kubernetes secret..."`
			`kubectl create secret generic db-credentials \`
			`--from-literal=password="${new_password}" \`
			`--dry-run=client -o yaml \| kubectl apply -f -`
			`fi`
			`}`

			`# Rotate Keycloak client secret`
			`rotate_keycloak_secret() {`
			`log_info "Rotating Keycloak client secret..."`

			`local new_secret=$(generate_secret 32)`

			`if [ -f .env ]; then`
			`if grep -q "^KEYCLOAK_CLIENT_SECRET=" .env; then`
			`sed -i.bak "s/^KEYCLOAK_CLIENT_SECRET=.*/KEYCLOAK_CLIENT_SECRET=${new_secret}/" .env`
			`log_info "Updated KEYCLOAK_CLIENT_SECRET in .env (backup created: .env.bak)"`
			`else`
			`echo "KEYCLOAK_CLIENT_SECRET=${new_secret}" >> .env`
			`log_info "Added KEYCLOAK_CLIENT_SECRET to .env"`
			`fi`
			`else`
			`log_warn ".env file not found. Please set KEYCLOAK_CLIENT_SECRET=${new_secret} manually"`
			`fi`

			`log_warn "IMPORTANT: Update Keycloak client secret in Keycloak admin console"`
			`log_warn "All existing Keycloak sessions will be invalidated"`
			`}`

			`# Rotate Proxmox API tokens`
			`rotate_proxmox_tokens() {`
			`log_info "Rotating Proxmox API tokens..."`

			`log_warn "Proxmox API tokens must be rotated manually:"`
			`log_warn "1. Log into Proxmox web interface"`
			`log_warn "2. Go to Datacenter -> Permissions -> API Tokens"`
			`log_warn "3. Revoke old tokens and create new ones"`
			`log_warn "4. Update tokens in Kubernetes secrets or configuration"`

			`# If using Kubernetes secrets`
			`if command -v kubectl &> /dev/null; then`
			`log_info "To update Kubernetes secret after creating new token:"`
			`log_info " kubectl create secret generic proxmox-credentials \\"`
			`log_info " --from-literal=credentials.json='{\"username\":\"root@pam\",\"token\":\"NEW_TOKEN\"}' \\"`
			`log_info " --dry-run=client -o yaml \| kubectl apply -f -"`
			`fi`
			`}`

			`# Main function`
			`main() {`
			`local credential_type=${1:-all}`

			`log_info "Starting credential rotation (DoD/MilSpec compliance)"`
			`log_info "Credential type: ${credential_type}"`

			`case "${credential_type}" in`
			`jwt)`
			`rotate_jwt_secret`
			`;;`
			`db\|database)`
			`rotate_db_password`
			`;;`
			`keycloak)`
			`rotate_keycloak_secret`
			`;;`
			`proxmox)`
			`rotate_proxmox_tokens`
			`;;`
			`all)`
			`log_info "Rotating all credentials..."`
			`rotate_jwt_secret`
			`echo ""`
			`rotate_db_password`
			`echo ""`
			`rotate_keycloak_secret`
			`echo ""`
			`rotate_proxmox_tokens`
			`;;`
			`*)`
			`log_error "Unknown credential type: ${credential_type}"`
			`echo "Usage: $0 [jwt\|db\|keycloak\|proxmox\|all]"`
			`exit 1`
			`;;`
			`esac`

			`log_info "Credential rotation complete"`
			`log_warn "Remember to:"`
			`log_warn " 1. Restart all affected services"`
			`log_warn " 2. Verify services are working correctly"`
			`log_warn " 3. Update any documentation with new rotation date"`
			`log_warn " 4. Archive old credentials securely (if required by policy)"`
			`}`

			`# Run main function`
			`main "$@"`