Merge pull request #255 from github/mc-multi-user-auth-secret

Add management console argon2 secret to backup/restore settings

Author: manue1

share/github-backup-utils/ghe-backup-settings

@@ -75,6 +75,7 @@ backup-secret() {
 }
 
 backup-secret "management console password" "manage-password" "secrets.manage"
+backup-secret "management console argon2 secret" "manage-argon-secret" "secrets.manage-auth.argon-secret"
 backup-secret "password pepper" "password-pepper" "secrets.github.user-password-secrets"
 backup-secret "kredz.credz HMAC key" "kredz-credz-hmac" "secrets.kredz.credz-hmac-secret"
 

share/github-backup-utils/ghe-restore-settings

@@ -44,6 +44,9 @@ ghe-restore-packages "$GHE_HOSTNAME" 1>&3
 # Restore management console password hash if present.
 restore-secret "management console password" "manage-password" "secrets.manage"
 
+# Restore management console argon2 secret if present.
+restore-secret "management console argon2 secret" "manage-argon-secret" "secrets.manage-auth.argon-secret"
+
 # Restore kredz.credz HMAC key if present.
 restore-secret "kredz.credz HMAC key" "kredz-credz-hmac" "secrets.kredz.credz-hmac-secret"
 

test/test-ghe-backup.sh

@@ -132,6 +132,17 @@ begin_test "ghe-backup without password pepper"
 )
 end_test
 
+begin_test "ghe-backup without management console argon2 secret"
+(
+  set -e
+
+  git config -f "$GHE_REMOTE_DATA_USER_DIR/common/secrets.conf" secrets.manage-auth.argon-secret ""
+  ghe-backup
+
+  [ ! -f "$GHE_DATA_DIR/current/manage-argon-secret" ]
+)
+end_test
+
 begin_test "ghe-backup empty git-hooks directory"
 (
   set -e

test/testlib.sh

@@ -202,6 +202,7 @@ setup_test_data () {
   # Create a fake manage password file§
   mkdir -p "$GHE_REMOTE_DATA_USER_DIR/common"
   git config -f "$GHE_REMOTE_DATA_USER_DIR/common/secrets.conf" secrets.manage "fake password hash data"
+  git config -f "$GHE_REMOTE_DATA_USER_DIR/common/secrets.conf" secrets.manage-auth.argon-secret "fake argon2 secret"
 
   # Create a fake password pepper file
   mkdir -p "$GHE_REMOTE_DATA_USER_DIR/common"
@@ -316,6 +317,7 @@ setup_test_data () {
     echo "fake ghe-export-ssl-ca-certificates data" > "$loc/ssl-ca-certificates.tar"
     echo "fake license data" > "$loc/enterprise.ghl"
     echo "fake password hash data" > "$loc/manage-password"
+    echo "fake argon2 secret" > "$loc/manage-argon-secret"
     echo "fake password pepper data" > "$loc/password-pepper"
     echo "rsync" > "$loc/strategy"
     echo "$GHE_REMOTE_VERSION" >  "$loc/version"
@@ -445,6 +447,9 @@ verify_all_backedup_data() {
   # verify manage-password file was backed up
   [ "$(cat "$GHE_DATA_DIR/current/manage-password")" = "fake password hash data" ]
 
+  # verify manage-argon-secret file was backed up
+  [ "$(cat "$GHE_DATA_DIR/current/manage-argon-secret")" = "fake argon2 secret" ]
+
   # verify password pepper file was backed up
   [ "$(cat "$GHE_DATA_DIR/current/password-pepper")" = "fake password pepper data" ]
 
@@ -507,6 +512,9 @@ verify_all_restored_data() {
   # verify management console password was *not* restored
   ! grep -q "fake password hash data" "$GHE_REMOTE_DATA_USER_DIR/common/secrets.conf"
 
+  # verify management console argon2 secret was *not* restored
+  ! grep -q "fake argon2 secret" "$GHE_REMOTE_DATA_USER_DIR/common/secrets.conf"
+
   # verify common data
   verify_common_data
 }