
Commit 37afc17

Merge branch 'enterprise-3.8-release' into enterprise-3.8-backport-351-backup-restore-secret-scanning-encryption-keys
2 parents fe608ac + 58e1a8b commit 37afc17


4 files changed

+83
-37
lines changed


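--- a/bin/ghe-backup
+++ b/bin/ghe-backup
@@ -290,6 +290,8 @@ if [ -z "$failures" ]; then
 ln -s "$GHE_SNAPSHOT_TIMESTAMP" "../current"
 
 ghe-prune-snapshots
+else
+log_info "Skipping pruning snapshots, since some backups failed..."
 fi
 
 log_info "Completed backup of $GHE_HOSTNAME in snapshot $GHE_SNAPSHOT_TIMESTAMP at $(date +"%H:%M:%S")"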
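Review bot: The new else-branch only says that pruning was skipped, and because `ghe-prune-snapshots` is not run on this path the failed snapshot presumably stays on disk, so repeated failed runs accumulate snapshots until a successful run prunes them; the message should make that visible to whoever reads the log. The surrounding `if [ -z "$failures" ]` (which starts outside the hunk) tests `$failures`, so including it, e.g. `log_info "Skipping pruning snapshots, since some backups failed: $failures"`, tells the operator which backups failed without searching further up the log — assuming `$failures` holds readable names rather than a count.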

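--- a/share/github-backup-utils/ghe-backup-settings
+++ b/share/github-backup-utils/ghe-backup-settings
@@ -79,14 +79,11 @@ backup-secret "password pepper" "password-pepper" "secrets.github.user-password-
 backup-secret "kredz.credz HMAC key" "kredz-credz-hmac" "secrets.kredz.credz-hmac-secret"
 backup-secret "kredz.varz HMAC key" "kredz-varz-hmac" "secrets.kredz.varz-hmac-secret"
 
-# backup encryption keying material for GHES 3.7.0 onwards
+# backup encryption keying material and create backup value current encryption for GHES 3.7.0 onwards
+# this is for forwards compatibility with GHES 3.8.0 onwards
 if [ "$(version $GHE_REMOTE_VERSION)" -ge "$(version 3.7.0)" ]; then
 backup-secret "encrypted column encryption keying material" "encrypted-column-encryption-keying-material" "secrets.github.encrypted-column-keying-material"
-fi
-
-# backup current encryption key for GHES 3.8.0 onwards
-if [ "$(version $GHE_REMOTE_VERSION)" -ge "$(version 3.8.0)" ]; then
-backup-secret "encrypted column current encryption key" "encrypted-column-current-encryption-key" "secrets.github.encrypted-column-current-encryption-key"
+cat "$GHE_SNAPSHOT_DIR/encrypted-column-encryption-keying-material" | sed 's:.*;::' > "$GHE_SNAPSHOT_DIR/encrypted-column-current-encryption-key"
 fi
 
 backup-secret "secret scanning encrypted secrets current storage key" "secret-scanning-encrypted-secrets-current-storage-key" "secrets.secret-scanning.encrypted-secrets-current-storage-key"
@@ -95,7 +92,7 @@ backup-secret "secret scanning encrypted secrets current shared transit key" "se
 backup-secret "secret scanning encrypted secrets delimited shared transit keys" "secret-scanning-encrypted-secrets-delimited-shared-transit-keys" "secrets.secret-scanning.encrypted-secrets-delimited-shared-transit-keys"
 
 # Backup argon secrets for multiuser from ghes version 3.8 onwards
-if ! [ "$(version $GHE_REMOTE_VERSION)" -lt "$(version 3.8.0)" ]; then
+if [ "$(version $GHE_REMOTE_VERSION)" -ge "$(version 3.8.0)" ]; then
 backup-secret "management console argon2 secret" "manage-argon-secret" "secrets.manage-auth.argon-secret"
 fi
 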
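Review bot: The derived key file in the first hunk is written even when the keying-material file does not exist: if `backup-secret` wrote nothing for `secrets.github.encrypted-column-keying-material` (its behaviour for an unset secret is outside this hunk), `cat` fails but the redirection has already created an empty `encrypted-column-current-encryption-key` in the snapshot, and a restore of that snapshot would presumably carry the empty value. Guard on the input and drop the useless cat: `if [ -f "$GHE_SNAPSHOT_DIR/encrypted-column-encryption-keying-material" ]; then` / `sed 's:.*;::' "$GHE_SNAPSHOT_DIR/encrypted-column-encryption-keying-material" > "$GHE_SNAPSHOT_DIR/encrypted-column-current-encryption-key"` / `fi`. If backup-secret applies a restrictive mode to the files it writes, the redirection-created file should get the same mode, since it holds the same key material; backup-secret itself is not visible here. The version comparisons in both hunks, like the one in test/testlib.sh, leave `$GHE_REMOTE_VERSION` unquoted inside `$(version $GHE_REMOTE_VERSION)`; writing `"$GHE_REMOTE_VERSION"` avoids word-splitting if the value is ever empty or malformed.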

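--- a/test/test-ghe-backup.sh
+++ b/test/test-ghe-backup.sh
@@ -138,7 +138,13 @@ begin_test "ghe-backup management console does not backup argon secret"
 (
 set -e
 
-GHE_REMOTE_VERSION=3.7.0 ghe-backup -v | grep -q "management console argon2 secret not set" && exit 1
+GHE_REMOTE_VERSION=2.1.10 ghe-backup -v | grep -q "management console argon2 secret not set" && exit 1
+[ ! -f "$GHE_DATA_DIR/current/manage-argon-secret" ]
+
+GHE_REMOTE_VERSION=3.6.1 ghe-backup -v | grep -q "management console argon2 secret not set" && exit 1
+[ ! -f "$GHE_DATA_DIR/current/manage-argon-secret" ]
+
+GHE_REMOTE_VERSION=3.7.10 ghe-backup -v | grep -q "management console argon2 secret not set" && exit 1
 [ ! -f "$GHE_DATA_DIR/current/manage-argon-secret" ]
 )
 end_test
@@ -152,6 +158,12 @@ begin_test "ghe-backup management console backs up argon secret"
 GHE_REMOTE_VERSION=3.8.0 ghe-backup
 
 [ "$(cat "$GHE_DATA_DIR/current/manage-argon-secret")" = "fake pw" ]
+
+rm -rf "$GHE_DATA_DIR/current"
+
+GHE_REMOTE_VERSION=4.1.0 ghe-backup
+
+[ "$(cat "$GHE_DATA_DIR/current/manage-argon-secret")" = "fake pw" ]
 )
 end_test
 
@@ -543,18 +555,7 @@ begin_test "ghe-backup takes backup of kredz-varz settings"
 )
 end_test
 
-begin_test "ghe-backup does not take backup of encrypted column encryption keying material for versions below 3.7.0"
-(
-GHE_REMOTE_VERSION=2.1.10 ghe-backup -v | grep -q "encrypted column encryption keying material not set" && exit 1
-[ ! -f "$GHE_DATA_DIR/current/encrypted-column-keying-material" ]
-
-GHE_REMOTE_VERSION=3.6.1 ghe-backup -v | grep -q "encrypted column encryption keying material not set" && exit 1
-[ ! -f "$GHE_DATA_DIR/current/encrypted-column-keying-material" ]
-
-)
-end_test
-
-begin_test "ghe-backup takes backup of encrypted column encryption keying material for versions 3.7.0+"
+begin_test "ghe-backup takes backup of encrypted column encryption keying material and create encrypted column current encryption key for versions 3.7.0+"
 (
 set -e
 
@@ -574,6 +575,7 @@ begin_test "ghe-backup takes backup of encrypted column encryption keying materi
 
 required_files=(
 "encrypted-column-encryption-keying-material"
+"encrypted-column-current-encryption-key"
 )
 
 for file in "${required_files[@]}"; do
@@ -588,64 +590,109 @@ begin_test "ghe-backup takes backup of encrypted column encryption keying materi
 
 required_files=(
 "encrypted-column-encryption-keying-material"
+"encrypted-column-current-encryption-key"
 )
 
 for file in "${required_files[@]}"; do
 [ "$(cat "$GHE_DATA_DIR/current/$file")" = "foo" ]
 done
 
-)
-end_test
+# GHES version 3.9.0
+GHE_REMOTE_VERSION=3.9.0
+export GHE_REMOTE_VERSION
 
-begin_test "ghe-backup does not take backup of encrypted column current encryption key for versions below 3.8.0"
-(
-GHE_REMOTE_VERSION=2.1.10 ghe-backup -v | grep -q "encrypted column current encryption key not set" && exit 1
-[ ! -f "$GHE_DATA_DIR/current/encrypted-column-current-encryption-key" ]
+ghe-backup
 
-GHE_REMOTE_VERSION=3.7.0 ghe-backup -v | grep -q "encrypted column current encryption key not set" && exit 1
-[ ! -f "$GHE_DATA_DIR/current/encrypted-column-current-encryption-key" ]
+required_files=(
+"encrypted-column-current-encryption-key"
+)
+
+for file in "${required_files[@]}"; do
+[ "$(cat "$GHE_DATA_DIR/current/$file")" = "foo" ]
+done
 
 )
 end_test
 
-begin_test "ghe-backup takes backup of encrypted column current encryption key for versions 3.8.0+"
+begin_test "ghe-backup takes backup of encrypted column encryption keying material and encrypted column current encryption key accounting for multiple encryption keying materials for versions 3.7.0+"
 (
 set -e
 
 required_secrets=(
-"secrets.github.encrypted-column-current-encryption-key"
+"secrets.github.encrypted-column-keying-material"
 )
 
 for secret in "${required_secrets[@]}"; do
-ghe-ssh "$GHE_HOSTNAME" -- ghe-config "$secret" "foo"
+echo "ghe-config '$secret' 'foo;bar'" |
+ghe-ssh "$GHE_HOSTNAME" -- /bin/bash
 done
 
-# GHES version 3.8.0
-GHE_REMOTE_VERSION=3.8.0
+# GHES version 3.7.0
+GHE_REMOTE_VERSION=3.7.0
 export GHE_REMOTE_VERSION
 
 ghe-backup
 
 required_files=(
+"encrypted-column-encryption-keying-material"
+)
+
+for file in "${required_files[@]}"; do
+[ "$(cat "$GHE_DATA_DIR/current/$file")" = "foo;bar" ]
+done
+
+required_files_current_encryption_key=(
 "encrypted-column-current-encryption-key"
 )
 
+for file in "${required_files_current_encryption_key[@]}"; do
+[ "$(cat "$GHE_DATA_DIR/current/$file")" = "bar" ]
+done
+
+
+# GHES version 3.8.0
+GHE_REMOTE_VERSION=3.8.0
+export GHE_REMOTE_VERSION
+
+ghe-backup
+
+required_files=(
+"encrypted-column-encryption-keying-material"
+)
+
 for file in "${required_files[@]}"; do
-[ "$(cat "$GHE_DATA_DIR/current/$file")" = "foo" ]
+[ "$(cat "$GHE_DATA_DIR/current/$file")" = "foo;bar" ]
 done
 
+required_files_current_encryption_key=(
+"encrypted-column-current-encryption-key"
+)
+
+for file in "${required_files_current_encryption_key[@]}"; do
+[ "$(cat "$GHE_DATA_DIR/current/$file")" = "bar" ]
+done
+
+
 # GHES version 3.9.0
 GHE_REMOTE_VERSION=3.9.0
 export GHE_REMOTE_VERSION
 
 ghe-backup
 
 required_files=(
-"encrypted-column-current-encryption-key"
+"encrypted-column-encryption-keying-material"
 )
 
 for file in "${required_files[@]}"; do
-[ "$(cat "$GHE_DATA_DIR/current/$file")" = "foo" ]
+[ "$(cat "$GHE_DATA_DIR/current/$file")" = "foo;bar" ]
+done
+
+required_files_current_encryption_key=(
+"encrypted-column-current-encryption-key"
+)
+
+for file in "${required_files_current_encryption_key[@]}"; do
+[ "$(cat "$GHE_DATA_DIR/current/$file")" = "bar" ]
 done
 
 )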
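Review bot: The third hunk removes both negative tests (versions below 3.7.0 and below 3.8.0) without replacing them, so nothing now asserts that `encrypted-column-current-encryption-key` is absent for a pre-3.7.0 host, or for a 3.7.0+ host where `secrets.github.encrypted-column-keying-material` is unset — the very input the new `cat | sed` derivation in ghe-backup-settings does not guard. Re-add the 3.6.1 case of the deleted test and extend it with `[ ! -f "$GHE_DATA_DIR/current/encrypted-column-current-encryption-key" ]`, and add a 3.7.0 case that leaves the keying-material secret unset and asserts the same. Whether the fixture leaves that secret unset by default is not visible here; the removed tests suggest it does. The positive tests in the last hunk cover the values `foo` and `foo;bar` only, so a value with more than one `;` — the "multiple encryption keying materials" the test title names — is never exercised against the greedy `s:.*;::` strip; one extra case with a three-segment value would pin that behaviour.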

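--- a/test/testlib.sh
+++ b/test/testlib.sh
@@ -449,7 +449,7 @@ verify_all_backedup_data() {
 [ "$(cat "$GHE_DATA_DIR/current/manage-password")" = "fake password hash data" ]
 
 # verify manage-argon-secret file was backed up
-if ! [ "$(version $GHE_REMOTE_VERSION)" -lt "$(version 3.8.0)" ]; then
+if [ "$(version $GHE_REMOTE_VERSION)" -ge "$(version 3.8.0)" ]; then
 [ "$(cat "$GHE_DATA_DIR/current/manage-argon-secret")" = "fake argon2 secret" ]
 fi
 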
