Merge pull request #431 from github/enterprise-3.7-backport-rebackport-364

dooleydevin · web-flow · commit 7fa39db403fa · 2023-07-19T10:52:59.000-07:00
Re-backport #364
diff --git a/share/github-backup-utils/ghe-backup-settings b/share/github-backup-utils/ghe-backup-settings
@@ -76,6 +76,7 @@ backup-secret() {
 
 backup-secret "management console password" "manage-password" "secrets.manage"
 backup-secret "password pepper" "password-pepper" "secrets.github.user-password-secrets"
+backup-secret "encrypted column encryption keying material" "encrypted-column-encryption-keying-material" "secrets.github.encrypted-column-keying-material"
 backup-secret "kredz.credz HMAC key" "kredz-credz-hmac" "secrets.kredz.credz-hmac-secret"
 backup-secret "kredz.varz HMAC key" "kredz-varz-hmac" "secrets.kredz.varz-hmac-secret"
 
diff --git a/share/github-backup-utils/ghe-restore-settings b/share/github-backup-utils/ghe-restore-settings
@@ -47,6 +47,9 @@ restore-secret "management console password" "manage-password" "secrets.manage"
 # Restore management console argon2 secret if present.
 restore-secret "management console argon2 secret" "manage-argon-secret" "secrets.manage-auth.argon-secret"
 
+# Restore encrypted column encryption keying material if present
+restore-secret "encrypted column encryption keying material" "encrypted-column-encryption-keying-material" "secrets.github.encrypted-column-keying-material"
+
 # Restore kredz.credz HMAC key if present.
 restore-secret "kredz.credz HMAC key" "kredz-credz-hmac" "secrets.kredz.credz-hmac-secret"
 
diff --git a/test/test-ghe-backup.sh b/test/test-ghe-backup.sh
@@ -470,6 +470,32 @@ begin_test "ghe-backup upgrades transaction backup to full if LSN chain break"
 )
 end_test
 
+begin_test "ghe-backup takes backup of encrypted column encryption keying material"
+(
+  set -e
+
+  required_secrets=(
+    "secrets.github.encrypted-column-keying-material"
+  )
+
+  for secret in "${required_secrets[@]}"; do
+    ghe-ssh "$GHE_HOSTNAME" -- ghe-config "$secret" "foo"
+  done
+
+  ghe-backup
+
+  required_files=(
+    "encrypted-column-encryption-keying-material"
+  )
+
+  for file in "${required_files[@]}"; do
+    [ "$(cat "$GHE_DATA_DIR/current/$file")" = "foo" ]
+  done
+
+)
+end_test
+
+
 begin_test "ghe-backup takes backup of Kredz settings"
 (
   set -e
diff --git a/test/test-ghe-restore.sh b/test/test-ghe-restore.sh
@@ -281,6 +281,31 @@ begin_test "ghe-restore with no pages backup"
 )
 end_test
 
+begin_test "ghe-restore with encrypted column encryption keying material"
+(
+  set -e
+  rm -rf "$GHE_REMOTE_ROOT_DIR"
+  setup_remote_metadata
+
+  required_files=(
+    "encrypted-column-encryption-keying-material"
+  )
+
+  for file in "${required_files[@]}"; do
+    echo "foo" > "$GHE_DATA_DIR/current/$file"
+  done
+
+  ghe-restore -v -f localhost
+  required_secrets=(
+    "secrets.github.encrypted-column-keying-material"
+  )
+
+  for secret in "${required_secrets[@]}"; do
+    [ "$(ghe-ssh "$GHE_HOSTNAME" -- ghe-config "$secret")" = "foo" ]
+  done
+)
+end_test
+
 begin_test "ghe-restore does not restore encrypted column encryption keying material for versions below 3.7.0"
 (
   GHE_REMOTE_VERSION=2.1.10 ghe-restore -v -f localhost | grep -q "encrypted column encryption keying material not set" && exit 1
