
Commit 61408d1

author
Tony Truong
committed
adding conditional check to save argon secrets only for ghes version >3.7.0
1 parent 059c08b commit 61408d1


3 files changed

+23
-5
lines changed


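--- a/share/github-backup-utils/ghe-backup-settings
+++ b/share/github-backup-utils/ghe-backup-settings
@@ -75,11 +75,15 @@ backup-secret() {
 }
 
 backup-secret "management console password" "manage-password" "secrets.manage"
-backup-secret "management console argon2 secret" "manage-argon-secret" "secrets.manage-auth.argon-secret"
 backup-secret "password pepper" "password-pepper" "secrets.github.user-password-secrets"
 backup-secret "kredz.credz HMAC key" "kredz-credz-hmac" "secrets.kredz.credz-hmac-secret"
 backup-secret "kredz.varz HMAC key" "kredz-varz-hmac" "secrets.kredz.varz-hmac-secret"
 
+# Backup argon secrets for multiuser from ghes version 3.8 onwards
+if [ "$(version $GHE_REMOTE_VERSION)" -gt "$(version 3.7.0)" ]; then
+backup-secret "management console argon2 secret" "manage-argon-secret" "secrets.manage-auth.argon-secret"
+fi
+
 # Backup external MySQL password if running external MySQL DB.
 if is_service_external 'mysql'; then
 backup-secret "external MySQL password" "external-mysql-password" "secrets.external.mysql"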
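Review bot: The guard `-gt "$(version 3.7.0)"` does not match the comment directly above it, which says the secret is backed up "from ghes version 3.8 onwards". The `version` helper is not shown here, but if it turns a dotted version into a comparable number, every 3.7.x patch release above 3.7.0 also passes the test and the argon2 secret backup runs on appliances that are meant to be excluded. Comparing against the first release that has the feature states the intent directly and quotes the expansion as well: `if [ "$(version "$GHE_REMOTE_VERSION")" -ge "$(version 3.8.0)" ]; then`. The same comparison is repeated in `verify_all_backedup_data` in test/testlib.sh and should change with it.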

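--- a/test/test-ghe-backup.sh
+++ b/test/test-ghe-backup.sh
@@ -132,17 +132,29 @@ begin_test "ghe-backup without password pepper"
 )
 end_test
 
-begin_test "ghe-backup without management console argon2 secret"
+begin_test "ghe-backup without management console argon2 secret for ghes lower than 3.8"
 (
 set -e
 
-git config -f "$GHE_REMOTE_DATA_USER_DIR/common/secrets.conf" secrets.manage-auth.argon-secret ""
-ghe-backup
+git config -f "$GHE_REMOTE_DATA_USER_DIR/common/secrets.conf" secrets.manage-auth.argon-secret "fake pw"
+GHE_REMOTE_VERSION=3.7.0 ghe-backup
 
 [ ! -f "$GHE_DATA_DIR/current/manage-argon-secret" ]
 )
 end_test
 
+# multiuser auth introduced in ghes version 3.8
+begin_test "ghe-backup management console argon2 secret"
+(
+set -e
+
+git config -f "$GHE_REMOTE_DATA_USER_DIR/common/secrets.conf" secrets.manage-auth.argon-secret "fake pw"
+GHE_REMOTE_VERSION=3.8.0 ghe-backup
+
+[ "$(cat "$GHE_DATA_DIR/current/manage-argon-secret")" = "fake pw" ]
+)
+end_test
+
 begin_test "ghe-backup empty git-hooks directory"
 (
 set -e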
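Review bot: The "lower than 3.8" test runs only with `GHE_REMOTE_VERSION=3.7.0`, which is the single 3.7 value the new guard is certain to reject, so the boundary the test name describes is not pinned. If `version` compares patch levels, a 3.7.x patch release would pass the guard and this test would not notice; a further case running `GHE_REMOTE_VERSION=3.7.1 ghe-backup` and asserting `[ ! -f "$GHE_DATA_DIR/current/manage-argon-secret" ]` would cover it. The rewritten test also replaces the earlier empty-value case (`secrets.manage-auth.argon-secret ""`), so as far as this hunk shows, an empty secret on 3.8 and later is no longer exercised.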

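--- a/test/testlib.sh
+++ b/test/testlib.sh
@@ -448,7 +448,9 @@ verify_all_backedup_data() {
 [ "$(cat "$GHE_DATA_DIR/current/manage-password")" = "fake password hash data" ]
 
 # verify manage-argon-secret file was backed up
-[ "$(cat "$GHE_DATA_DIR/current/manage-argon-secret")" = "fake argon2 secret" ]
+if [ "$(version $GHE_REMOTE_VERSION)" -gt "$(version 3.7.0)" ]; then
+[ "$(cat "$GHE_DATA_DIR/current/manage-argon-secret")" = "fake argon2 secret" ]
+fi
 
 # verify password pepper file was backed up
 [ "$(cat "$GHE_DATA_DIR/current/password-pepper")" = "fake password pepper data" ]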
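Review bot: When the version guard is false, `verify_all_backedup_data` no longer asserts anything about `manage-argon-secret`, so a backup that wrote the secret for an older appliance would still pass verification. Adding `else` with `[ ! -f "$GHE_DATA_DIR/current/manage-argon-secret" ]` would make the helper check both directions, provided callers do not reuse a data directory populated by a newer-version run, which is not visible here. The body of `verify_all_backedup_data` starts and ends outside this hunk.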
