Merge remote-tracking branch 'private/enterprise-3.8-release' into 3.8.2-patch

Author: dooleydevin

backup.config-example

@@ -95,3 +95,6 @@ GHE_NUM_SNAPSHOTS=10
 # When running an external mysql database, run this script to trigger a MySQL restore
 # rather than attempting to backup via backup-utils directly.
 #EXTERNAL_DATABASE_RESTORE_SCRIPT="/bin/false"
+
+# If set to 'yes', Pages data will be included in backup and restore. Defaults to 'yes'
+#GHE_BACKUP_PAGES=no

bin/ghe-backup

@@ -240,10 +240,15 @@ commands+=("
 echo \"$cmd_title\"
 ghe-backup-repositories || printf %s \"repositories \" >> \"$failures_file\"")
 
-cmd_title=$(log_info "Backing up GitHub Pages artifacts ...")
-commands+=("
-echo \"$cmd_title\"
-ghe-backup-pages || printf %s \"pages \" >> \"$failures_file\"")
+# Pages backups are skipped only if GHE_BACKUP_PAGES is explicitly set to 'no' to guarantee backward compatibility.
+# If a customer upgrades backup-utils but keeps the config file from a previous version, Pages backups still work as expected.
+
+if [ "$GHE_BACKUP_PAGES" != "no" ]; then
+  cmd_title=$(log_info "Backing up GitHub Pages artifacts ...")
+  commands+=("
+  echo \"$cmd_title\"
+  ghe-backup-pages || printf %s \"pages \" >> \"$failures_file\"")
+fi
 
 cmd_title=$(log_info "Backing up storage data ...")
 commands+=("
@@ -290,6 +295,8 @@ if [ -z "$failures" ]; then
   ln -s "$GHE_SNAPSHOT_TIMESTAMP" "../current"
 
   ghe-prune-snapshots
+else 
+  log_info "Skipping pruning snapshots, since some backups failed..."
 fi
 
 log_info "Completed backup of $GHE_HOSTNAME in snapshot $GHE_SNAPSHOT_TIMESTAMP at $(date +"%H:%M:%S")"

bin/ghe-restore

@@ -386,6 +386,12 @@ if [ "$(version $GHE_REMOTE_VERSION)" -ge "$(version 3.7.0)" ]; then
 fi
 ghe-restore-column-encryption-keys "$GHE_HOSTNAME"
 
+# Always restore secret scanning encryption keys
+if [ "$(version $GHE_REMOTE_VERSION)" -ge "$(version 3.8.0)" ]; then
+  log_info "Always restore secret scanning encryption keys on GHES verions 3.8.0+"
+  ghe-restore-secret-scanning-encryption-keys "$GHE_HOSTNAME"
+fi
+
 # Make sure mysql and elasticsearch are prep'd and running before restoring.
 # These services will not have been started on appliances that have not been
 # configured yet.
@@ -463,10 +469,12 @@ commands+=("
 echo \"$cmd_title\"
 ghe-restore-repositories-gist \"$GHE_HOSTNAME\"")
 
-cmd_title=$(log_info "Restoring Pages ...")
-commands+=("
-echo \"$cmd_title\"
-ghe-restore-pages \"$GHE_HOSTNAME\" 1>&3")
+if [ "$GHE_BACKUP_PAGES" != "no" ]; then
+  cmd_title=$(log_info "Restoring Pages ...")
+  commands+=("
+  echo \"$cmd_title\"
+  ghe-restore-pages \"$GHE_HOSTNAME\" 1>&3")
+fi
 
 cmd_title=$(log_info "Restoring SSH authorized keys ...")
 commands+=("

script/release

@@ -34,6 +34,9 @@ DEB_PKG_NAME = 'github-backup-utils'
 GH_BASE_BRANCH = ENV['GH_BASE_BRANCH'] || 'master' # TODO: should we even allow a default or require all params get set explicitly?
 GH_STABLE_BRANCH = ""
 
+# If PUBLISH is false, we leave the release in a draft state to be manually published later through the UI
+PUBLISH = ENV['PUBLISH'] == 'true' || false
+
 CHANGELOG_TMPL = '''<%= package_name %> (<%= package_version %>) UNRELEASED; urgency=medium
 
 <%- changes.each do |ch| -%>
@@ -480,15 +483,21 @@ if $PROGRAM_NAME == __FILE__
     attach_assets_to_release res['upload_url'], res['id'], ["#{base_dir}/dist/#{DEB_PKG_NAME}-v#{version}.tar.gz"]
     attach_assets_to_release res['upload_url'], res['id'], ["#{base_dir}/dist/#{DEB_PKG_NAME}_#{version}_all.deb"]
 
-    puts 'Publishing release...'
-    publish_release res['id']
+    if PUBLISH
+      puts 'Publishing release...'
+      publish_release res['id']
+    end
 
     puts 'Cleaning up...'
     clean_up version
 
     puts "Updating #{GH_STABLE_BRANCH} branch..."
     update_stable_branch
 
+    if !PUBLISH
+      puts 'Release left in a "Draft" state. Go to the https://github.com/github/backup-utils/releases and publish when ready.'
+    end
+
     puts 'Released!'
   rescue RuntimeError => e
     $stderr.puts "Error: #{e}"

share/github-backup-utils/ghe-backup-es-rsync

@@ -4,6 +4,7 @@
 #/
 #/ Note: This command typically isn't called directly. It's invoked by
 #/ ghe-backup when the rsync strategy is used.
+# shellcheck disable=SC2086
 set -e
 
 # Bring in the backup configuration
@@ -54,15 +55,15 @@ log_rsync "END elasticsearch rsync" 1>&3
 # Set up a trap to re-enable flushing on exit and remove temp file
 cleanup () {
   ghe_verbose "* Enabling ES index flushing ..."
-  echo '{"index":{"translog.disable_flush":false}}' |
+  echo '{"index":{"translog.flush_threshold_size":"512MB"}}' |
   ghe-ssh "$host" -- curl -s -XPUT "localhost:9200/_settings" -d @- >/dev/null
 }
 trap 'cleanup' EXIT
 trap 'exit $?' INT # ^C always terminate
 
 # Disable ES flushing and force a flush right now
 ghe_verbose "* Disabling ES index flushing ..."
-echo '{"index":{"translog.disable_flush":true}}' |
+echo '{"index":{"translog.flush_threshold_size":"1PB"}}' |
 ghe-ssh "$host" -- curl -s -XPUT  "localhost:9200/_settings" -d @- >/dev/null
 ghe-ssh "$host" -- curl -s -XPOST "localhost:9200/_flush" >/dev/null
 

share/github-backup-utils/ghe-backup-settings

@@ -86,8 +86,13 @@ if [ "$(version $GHE_REMOTE_VERSION)" -ge "$(version 3.7.0)" ]; then
   cat "$GHE_SNAPSHOT_DIR/encrypted-column-encryption-keying-material" | sed 's:.*;::' > "$GHE_SNAPSHOT_DIR/encrypted-column-current-encryption-key"
 fi
 
+backup-secret "secret scanning encrypted secrets current storage key" "secret-scanning-encrypted-secrets-current-storage-key" "secrets.secret-scanning.encrypted-secrets-current-storage-key"
+backup-secret "secret scanning encrypted secrets delimited storage keys" "secret-scanning-encrypted-secrets-delimited-storage-keys" "secrets.secret-scanning.encrypted-secrets-delimited-storage-keys"
+backup-secret "secret scanning encrypted secrets current shared transit key" "secret-scanning-encrypted-secrets-current-shared-transit-key" "secrets.secret-scanning.encrypted-secrets-current-shared-transit-key"
+backup-secret "secret scanning encrypted secrets delimited shared transit keys" "secret-scanning-encrypted-secrets-delimited-shared-transit-keys" "secrets.secret-scanning.encrypted-secrets-delimited-shared-transit-keys"
+
 # Backup argon secrets for multiuser from ghes version 3.8 onwards
-if ! [ "$(version $GHE_REMOTE_VERSION)" -lt "$(version 3.8.0)" ]; then
+if [ "$(version $GHE_REMOTE_VERSION)" -ge "$(version 3.8.0)" ]; then
   backup-secret "management console argon2 secret" "manage-argon-secret" "secrets.manage-auth.argon-secret"
 fi
 

share/github-backup-utils/ghe-restore-secret-scanning-encryption-keys

@@ -0,0 +1,39 @@
+#!/usr/bin/env bash
+#/ Usage: ghe-restore-secret-scanning-encryption-keys <host>
+#/ Restore the secret scanning encryption keys from a snapshot to the given <host>.
+#/ This script will be run automatically by `ghe-restore`
+set -e
+
+# Bring in the backup configuration
+# shellcheck source=share/github-backup-utils/ghe-backup-config
+. "$(dirname "${BASH_SOURCE[0]}")/ghe-backup-config"
+
+# Show usage and bail with no arguments
+[ -z "$*" ] && print_usage
+
+bm_start "$(basename $0)"
+
+# Grab host arg
+GHE_HOSTNAME="$1"
+
+# Perform a host-check and establish GHE_REMOTE_XXX variables.
+ghe_remote_version_required "$GHE_HOSTNAME"
+
+# The snapshot to restore should be set by the ghe-restore command but this lets
+# us run this script directly.
+: ${GHE_RESTORE_SNAPSHOT:=current}
+
+# Path to snapshot dir we're restoring from
+: ${GHE_RESTORE_SNAPSHOT_PATH:="$GHE_DATA_DIR/current"}
+
+# Restore secret scanning encrypted secrets storage keys if present
+log_info "Restoring secret scanning encrypted secrets storage keys"
+restore-secret "secret scanning encrypted secrets current storage key" "secret-scanning-encrypted-secrets-current-storage-key" "secrets.secret-scanning.encrypted-secrets-current-storage-key"
+restore-secret "secret scanning encrypted secrets delimited storage keys" "secret-scanning-encrypted-secrets-delimited-storage-keys" "secrets.secret-scanning.encrypted-secrets-delimited-storage-keys"
+
+# Restore secret scanning encrypted secrets transit keys if present
+log_info "Restoring secret scanning encrypted secrets transit keys"
+restore-secret "secret scanning encrypted secrets current shared transit key" "secret-scanning-encrypted-secrets-current-shared-transit-key" "secrets.secret-scanning.encrypted-secrets-current-shared-transit-key"
+restore-secret "secret scanning encrypted secrets delimited shared transit keys" "secret-scanning-encrypted-secrets-delimited-shared-transit-keys" "secrets.secret-scanning.encrypted-secrets-delimited-shared-transit-keys"
+
+bm_end "$(basename $0)"

share/github-backup-utils/ghe-restore-settings

@@ -53,6 +53,12 @@ restore-secret "kredz.credz HMAC key" "kredz-credz-hmac" "secrets.kredz.credz-hm
 # Restore kredz.varz HMAC key if present.
 restore-secret "kredz.varz HMAC key" "kredz-varz-hmac" "secrets.kredz.varz-hmac-secret"
 
+# Restore encrypted column encryption keying material if present
+restore-secret "encrypted column encryption keying material" "encrypted-column-encryption-keying-material" "secrets.github.encrypted-column-keying-material"
+
+# Restore encrypted column current encryption key if present
+restore-secret "encrypted column current encryption key" "encrypted-column-current-encryption-key" "secrets.github.encrypted-column-current-encryption-key"
+
 # Restore SAML keys if present.
 if [ -f "$GHE_RESTORE_SNAPSHOT_PATH/saml-keys.tar" ]; then
   log_info "Restoring SAML keys ..."

test/test-ghe-backup.sh

@@ -138,7 +138,13 @@ begin_test "ghe-backup management console does not backup argon secret"
 (
   set -e
 
-  GHE_REMOTE_VERSION=3.7.0 ghe-backup -v | grep -q "management console argon2 secret not set" && exit 1
+  GHE_REMOTE_VERSION=2.1.10 ghe-backup -v | grep -q "management console argon2 secret not set" && exit 1
+  [ ! -f "$GHE_DATA_DIR/current/manage-argon-secret" ]
+
+  GHE_REMOTE_VERSION=3.6.1 ghe-backup -v | grep -q "management console argon2 secret not set" && exit 1
+  [ ! -f "$GHE_DATA_DIR/current/manage-argon-secret" ]
+
+  GHE_REMOTE_VERSION=3.7.10 ghe-backup -v | grep -q "management console argon2 secret not set" && exit 1
   [ ! -f "$GHE_DATA_DIR/current/manage-argon-secret" ]
 )
 end_test
@@ -152,6 +158,12 @@ begin_test "ghe-backup management console backs up argon secret"
   GHE_REMOTE_VERSION=3.8.0 ghe-backup
 
   [ "$(cat "$GHE_DATA_DIR/current/manage-argon-secret")" = "fake pw" ]
+
+  rm -rf "$GHE_DATA_DIR/current"
+
+  GHE_REMOTE_VERSION=4.1.0 ghe-backup
+
+  [ "$(cat "$GHE_DATA_DIR/current/manage-argon-secret")" = "fake pw" ]
 )
 end_test
 
@@ -686,6 +698,36 @@ begin_test "ghe-backup takes backup of encrypted column encryption keying materi
 )
 end_test
 
+begin_test "ghe-backup takes backup of secret scanning encrypted secrets encryption keys"
+(
+  set -e
+
+  required_secrets=(
+    "secrets.secret-scanning.encrypted-secrets-current-storage-key"
+    "secrets.secret-scanning.encrypted-secrets-delimited-storage-keys"
+    "secrets.secret-scanning.encrypted-secrets-current-shared-transit-key"
+    "secrets.secret-scanning.encrypted-secrets-delimited-shared-transit-keys"
+  )
+
+  for secret in "${required_secrets[@]}"; do
+    ghe-ssh "$GHE_HOSTNAME" -- ghe-config "$secret" "foo"
+  done
+
+  ghe-backup
+
+  required_files=(
+    "secret-scanning-encrypted-secrets-current-storage-key"
+    "secret-scanning-encrypted-secrets-delimited-storage-keys"
+    "secret-scanning-encrypted-secrets-current-shared-transit-key"
+    "secret-scanning-encrypted-secrets-delimited-shared-transit-keys"
+  )
+
+  for file in "${required_files[@]}"; do
+    [ "$(cat "$GHE_DATA_DIR/current/$file")" = "foo" ]
+  done
+)
+end_test
+
 begin_test "ghe-backup takes backup of Actions settings"
 (
   set -e

test/test-ghe-restore.sh

@@ -389,6 +389,71 @@ begin_test "ghe-restore with encrypted column current encryption key for version
 )
 end_test
 
+begin_test "ghe-restore with secret scanning encrypted secrets encryption keys for versions below 3.8.0"
+(
+  set -e
+  rm -rf "$GHE_REMOTE_ROOT_DIR"
+  setup_remote_metadata
+
+  required_files=(
+    "secret-scanning-encrypted-secrets-current-storage-key"
+    "secret-scanning-encrypted-secrets-delimited-storage-keys"
+    "secret-scanning-encrypted-secrets-current-shared-transit-key"
+    "secret-scanning-encrypted-secrets-delimited-shared-transit-keys"
+  )
+
+  for file in "${required_files[@]}"; do
+    echo "foo" >"$GHE_DATA_DIR/current/$file"
+  done
+
+  GHE_REMOTE_VERSION=3.7.0 ghe-restore -v -f localhost
+
+  required_secrets=(
+    "secrets.secret-scanning.encrypted-secrets-current-storage-key"
+    "secrets.secret-scanning.encrypted-secrets-delimited-storage-keys"
+    "secrets.secret-scanning.encrypted-secrets-current-shared-transit-key"
+    "secrets.secret-scanning.encrypted-secrets-delimited-shared-transit-keys"
+  )
+
+  for secret in "${required_secrets[@]}"; do
+    [ "$(ghe-ssh "$GHE_HOSTNAME" -- ghe-config "$secret")" = "" ] # expecting these to not be set for versions below 3.8.0
+  done
+)
+end_test
+
+
+begin_test "ghe-restore with secret scanning encrypted secrets encryption keys for versions 3.8.0+"
+(
+  set -e
+  rm -rf "$GHE_REMOTE_ROOT_DIR"
+  setup_remote_metadata
+
+  required_files=(
+    "secret-scanning-encrypted-secrets-current-storage-key"
+    "secret-scanning-encrypted-secrets-delimited-storage-keys"
+    "secret-scanning-encrypted-secrets-current-shared-transit-key"
+    "secret-scanning-encrypted-secrets-delimited-shared-transit-keys"
+  )
+
+  for file in "${required_files[@]}"; do
+    echo "foo" >"$GHE_DATA_DIR/current/$file"
+  done
+
+  GHE_REMOTE_VERSION=3.8.0 ghe-restore -v -f localhost
+
+  required_secrets=(
+    "secrets.secret-scanning.encrypted-secrets-current-storage-key"
+    "secrets.secret-scanning.encrypted-secrets-delimited-storage-keys"
+    "secrets.secret-scanning.encrypted-secrets-current-shared-transit-key"
+    "secrets.secret-scanning.encrypted-secrets-delimited-shared-transit-keys"
+  )
+
+  for secret in "${required_secrets[@]}"; do
+    [ "$(ghe-ssh "$GHE_HOSTNAME" -- ghe-config "$secret")" = "foo" ] # expecting this to have been restored successfully for versions 3.8.0+
+  done
+)
+end_test
+
 # Setup Actions data for the subsequent tests
 setup_actions_test_data "$GHE_DATA_DIR/1"