
Commit 23fa989

committed
Add creation of encrypted_column_current_encryption_key to backup
3.7.0+ * this is based on manual testing where we successfully used `ghe-ssh $host -- ghe-config --get 'secrets.github.encrypted-column-keying-material' | sed 's:.*;::' > encrypted-column-current-encryption-key` in the console and by manually editing it in the `test-ghe-backup.sh` file * when I attempted to write tests for the simple case of having only one value in the encryption_keying_material list I received an error on the `get` portion of the command. Removing the get allowed the test to pass and follows the format used in the implementation of `backup-secret` * then I added the complex test case of more than one entry in encryption_keying_material delimited by semicolons. This caused the test to fail with the error `fatal: ghe-ssh: Attempt to invoke complex command with simple command form.`
1 parent 11c0e5f commit 23fa989

2 files changed

+67
-19
lines changed


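--- a/share/github-backup-utils/ghe-backup-settings
+++ b/share/github-backup-utils/ghe-backup-settings
@@ -79,14 +79,11 @@ backup-secret "password pepper" "password-pepper" "secrets.github.user-password-
 backup-secret "kredz.credz HMAC key" "kredz-credz-hmac" "secrets.kredz.credz-hmac-secret"
 backup-secret "kredz.varz HMAC key" "kredz-varz-hmac" "secrets.kredz.varz-hmac-secret"
 
-# backup encryption keying material for GHES 3.7.0 onwards
+# backup encryption keying material and create backup value current encryption for GHES 3.7.0 onwards
+# this is for forwards compatibility with GHES 3.8.0 onwards
 if [ "$(version $GHE_REMOTE_VERSION)" -ge "$(version 3.7.0)" ]; then
 backup-secret "encrypted column encryption keying material" "encrypted-column-encryption-keying-material" "secrets.github.encrypted-column-keying-material"
-fi
-
-# backup current encryption key for GHES 3.8.0 onwards
-if [ "$(version $GHE_REMOTE_VERSION)" -ge "$(version 3.8.0)" ]; then
-backup-secret "encrypted column current encryption key" "encrypted-column-current-encryption-key" "secrets.github.encrypted-column-current-encryption-key"
+ghe-ssh "$host" -- ghe-config 'secrets.github.encrypted-column-keying-material' | sed 's:.*;::' > encrypted-column-current-encryption-key
 fi
 
 backup-secret "secret scanning encrypted secrets current storage key" "secret-scanning-encrypted-secrets-current-storage-key" "secrets.secret-scanning.encrypted-secrets-current-storage-key"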
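Review bot: The added `ghe-ssh ... | sed 's:.*;::' > encrypted-column-current-encryption-key` line in the 3.7.0 branch masks a failed `ghe-config` lookup: the pipeline's exit status is sed's, so under `set -e` a missing or unreadable keying-material secret still succeeds and leaves an empty key file that a later restore would treat as a real key. Capturing the value before splitting keeps the failure visible and needs no sed: `if keying_material=$(ghe-ssh "$host" -- ghe-config 'secrets.github.encrypted-column-keying-material'); then printf '%s\n' "${keying_material##*;}" > encrypted-column-current-encryption-key; fi`. The commit message describes `ghe-config --get` in the manual run while the committed line omits `--get`, and the file is written to a relative path with the process umask instead of through `backup-secret`; whether `$host` is set and the working directory is the snapshot directory at this point is not visible in the hunk, so confirm both, or write the file the same way `backup-secret` writes its own output.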

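--- a/test/test-ghe-backup.sh
+++ b/test/test-ghe-backup.sh
@@ -566,7 +566,7 @@ begin_test "ghe-backup does not take backup of encrypted column encryption keyin
 )
 end_test
 
-begin_test "ghe-backup takes backup of encrypted column encryption keying material for versions 3.7.0+"
+begin_test "ghe-backup takes backup of encrypted column encryption keying material and create encrypted column current encryption key for versions 3.7.0+"
 (
 set -e
 
@@ -586,6 +586,7 @@ begin_test "ghe-backup takes backup of encrypted column encryption keying materi
 
 required_files=(
 "encrypted-column-encryption-keying-material"
+"encrypted-column-current-encryption-key"
 )
 
 for file in "${required_files[@]}"; do
@@ -609,27 +610,60 @@ begin_test "ghe-backup takes backup of encrypted column encryption keying materi
 )
 end_test
 
-begin_test "ghe-backup does not take backup of encrypted column current encryption key for versions below 3.8.0"
+begin_test "ghe-backup takes backup of encrypted column encryption keying material and encrypted column current encryption key for versions 3.8.0+"
 (
-GHE_REMOTE_VERSION=2.1.10 ghe-backup -v | grep -q "encrypted column current encryption key not set" && exit 1
-[ ! -f "$GHE_DATA_DIR/current/encrypted-column-current-encryption-key" ]
+set -e
+
+required_secrets=(
+"secrets.github.encrypted-column-keying-material"
+)
 
-GHE_REMOTE_VERSION=3.7.0 ghe-backup -v | grep -q "encrypted column current encryption key not set" && exit 1
-[ ! -f "$GHE_DATA_DIR/current/encrypted-column-current-encryption-key" ]
+for secret in "${required_secrets[@]}"; do
+ghe-ssh "$GHE_HOSTNAME" -- ghe-config "$secret" "foo"
+done
+
+# GHES version 3.8.0
+GHE_REMOTE_VERSION=3.8.0
+export GHE_REMOTE_VERSION
+
+ghe-backup
+
+required_files=(
+"encrypted-column-encryption-keying-material"
+"encrypted-column-current-encryption-key"
+)
+
+for file in "${required_files[@]}"; do
+[ "$(cat "$GHE_DATA_DIR/current/$file")" = "foo" ]
+done
+
+# GHES version 3.9.0
+GHE_REMOTE_VERSION=3.9.0
+export GHE_REMOTE_VERSION
+
+ghe-backup
+
+required_files=(
+"encrypted-column-current-encryption-key"
+)
+
+for file in "${required_files[@]}"; do
+[ "$(cat "$GHE_DATA_DIR/current/$file")" = "foo" ]
+done
 
 )
 end_test
 
-begin_test "ghe-backup takes backup of encrypted column current encryption key for versions 3.8.0+"
+begin_test "ghe-backup takes backup of encrypted column encryption keying material and encrypted column current encryption key accounting for multiple encryption keying materials for versions 3.7.0+"
 (
 set -e
 
 required_secrets=(
-"secrets.github.encrypted-column-current-encryption-key"
+"secrets.github.encrypted-column-keying-material"
 )
 
 for secret in "${required_secrets[@]}"; do
-ghe-ssh "$GHE_HOSTNAME" -- ghe-config "$secret" "foo"
+ghe-ssh "$GHE_HOSTNAME" -- ghe-config "$secret" "foo;bar"
 done
 
 # GHES version 3.8.0
@@ -639,25 +673,42 @@ begin_test "ghe-backup takes backup of encrypted column current encryption key f
 ghe-backup
 
 required_files=(
-"encrypted-column-current-encryption-key"
+"encrypted-column-encryption-keying-material"
 )
 
 for file in "${required_files[@]}"; do
-[ "$(cat "$GHE_DATA_DIR/current/$file")" = "foo" ]
+[ "$(cat "$GHE_DATA_DIR/current/$file")" = "foo;bar" ]
 done
 
+required_files_current_encryption_key=(
+"encrypted-column-current-encryption-key"
+)
+
+for file in "${required_files_current_encryption_key[@]}"; do
+[ "$(cat "$GHE_DATA_DIR/current/$file")" = "bar" ]
+done
+
+
 # GHES version 3.9.0
 GHE_REMOTE_VERSION=3.9.0
 export GHE_REMOTE_VERSION
 
 ghe-backup
 
 required_files=(
-"encrypted-column-current-encryption-key"
+"encrypted-column-encryption-keying-material"
 )
 
 for file in "${required_files[@]}"; do
-[ "$(cat "$GHE_DATA_DIR/current/$file")" = "foo" ]
+[ "$(cat "$GHE_DATA_DIR/current/$file")" = "foo;bar" ]
+done
+
+required_files_current_encryption_key=(
+"encrypted-column-current-encryption-key"
+)
+
+for file in "${required_files_current_encryption_key[@]}"; do
+[ "$(cat "$GHE_DATA_DIR/current/$file")" = "bar" ]
 done
 
 )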
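Review bot: Neither new test exercises the 3.7.0 boundary that ghe-backup-settings now gates the current-encryption-key file on: the tests in the third and fourth hunks run `ghe-backup` only at `GHE_REMOTE_VERSION=3.8.0` and `3.9.0`, and the deleted "does not take backup of encrypted column current encryption key for versions below 3.8.0" case is not replaced by a negative check for versions below 3.7.0. Add a `GHE_REMOTE_VERSION=3.7.0` run with the same `required_files` assertions to the first new test, and in the existing "does not take backup of encrypted column encryption keying material" test (its body lies outside the first hunk) assert `[ ! -f "$GHE_DATA_DIR/current/encrypted-column-current-encryption-key" ]` so a regression that writes the key file for older versions is caught. The 3.9.0 block of the first new test also drops `"encrypted-column-encryption-keying-material"` from `required_files` while its 3.8.0 block keeps it; presumably unintentional, since the fourth hunk checks both files at 3.9.0.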
