Merge branch 'enterprise-3.8-release' into enterprise-3.8-backport-417-add-error-msg-for-snapshots

Author: tonytrg

bin/ghe-restore

@@ -380,6 +380,12 @@ if $RESTORE_SETTINGS; then
   ghe-restore-settings "$GHE_HOSTNAME"
 fi
 
+# Always restore column encryption keys
+if [ "$(version $GHE_REMOTE_VERSION)" -ge "$(version 3.7.0)" ]; then
+  log_info "Always restore encrypted column encryption keys on GHES verions 3.7.0+"
+fi
+ghe-restore-column-encryption-keys "$GHE_HOSTNAME"
+
 # Make sure mysql and elasticsearch are prep'd and running before restoring.
 # These services will not have been started on appliances that have not been
 # configured yet.

script/release

@@ -31,7 +31,8 @@ GH_REPO = ENV['GH_REPO'] || 'backup-utils'
 GH_OWNER = ENV['GH_OWNER'] || 'github'
 GH_AUTHOR = ENV['GH_AUTHOR']
 DEB_PKG_NAME = 'github-backup-utils'
-GH_BASE_BRANCH = ENV['GH_BASE_BRANCH'] || 'master'
+GH_BASE_BRANCH = ENV['GH_BASE_BRANCH'] || 'master' # TODO: should we even allow a default or require all params get set explicitly?
+GH_STABLE_BRANCH = ""
 
 CHANGELOG_TMPL = '''<%= package_name %> (<%= package_version %>) UNRELEASED; urgency=medium
 
@@ -137,7 +138,8 @@ def beautify_changes(changes)
 end
 
 def changelog
-  changes = `git log --pretty=oneline origin/stable...origin/#{GH_BASE_BRANCH} --reverse --grep "Merge pull request" | sort -t\# -k2`.lines.map(&:strip)
+  puts "building changelog by comparing origin/#{GH_STABLE_BRANCH}...origin/#{GH_BASE_BRANCH}"
+  changes = `git log --pretty=oneline origin/#{GH_STABLE_BRANCH}...origin/#{GH_BASE_BRANCH} --reverse --grep "Merge pull request" | sort -t\# -k2`.lines.map(&:strip)
   raise 'Building the changelog failed' if $CHILD_STATUS != 0
 
   changes
@@ -228,12 +230,12 @@ def push_release_branch(version)
 end
 
 def update_stable_branch
-  `git checkout --quiet stable`
+  `git checkout --quiet #{GH_STABLE_BRANCH}`
   unless (out = `git merge --quiet --ff-only origin/#{GH_BASE_BRANCH}`)
-    warn "Merging #{GH_BASE_BRANCH} into stable failed:\n\n#{out}"
+    warn "Merging #{GH_BASE_BRANCH} into #{GH_STABLE_BRANCH} failed:\n\n#{out}"
   end
-  unless (out = `git push --quiet origin stable`)
-    warn "Failed pushing the stable branch:\n\n#{out}"
+  unless (out = `git push --quiet origin #{GH_STABLE_BRANCH}`)
+    warn "Failed pushing the #{GH_STABLE_BRANCH} branch:\n\n#{out}"
   end
 end
 
@@ -333,9 +335,38 @@ def clean_up(version)
   `git branch --quiet -D tmp-packaging >/dev/null 2>&1`
 end
 
+def is_base_branch_valid?(branch)
+  if branch == "master" || branch.match(/^\d+\.\d+-main$/)
+    return true
+  else
+    return false
+  end
+end
+
+def get_stable_branch_name(branch)
+  ## derive the proper stable branch. if the base branch is "master" the stable branch is just "stable"
+  ## if the base branch is a release branch, the stable branch will be "x.y-stable"
+  result = ""
+  if branch == "master"
+    result = "stable"
+  else
+    result = branch.gsub(/-main$/, "-stable")
+  end
+
+  result
+end
+
 #### All the action starts ####
 if $PROGRAM_NAME == __FILE__
   begin
+    ## validate base branch. this must either be "master" or a release branch which will match the pattern "x.y-main"
+    raise "The branch #{GH_BASE_BRANCH} is not valid for releasing backup-utils. branch name must be master or match x.y-main" if !is_base_branch_valid?(GH_BASE_BRANCH)
+
+    GH_STABLE_BRANCH = get_stable_branch_name(GH_BASE_BRANCH)
+
+    puts "base branch = " + GH_BASE_BRANCH
+    puts "stable branch = " + GH_STABLE_BRANCH
+
     args = ARGV.dup
     dry_run = false
     skip_version_bump_check = false
@@ -455,7 +486,7 @@ if $PROGRAM_NAME == __FILE__
     puts 'Cleaning up...'
     clean_up version
 
-    puts 'Updating stable branch...'
+    puts "Updating #{GH_STABLE_BRANCH} branch..."
     update_stable_branch
 
     puts 'Released!'

share/github-backup-utils/ghe-backup-mssql

@@ -30,11 +30,11 @@ export_tool_available() {
 }
 
 ghe_ssh_mssql() {
-  ghe-ssh $opts $ssh_config_file_opt "$GHE_MSSQL_PRIMARY_HOST" "$@"
+  ghe-ssh "${opts[@]}" "${ssh_config_file_opt[@]}" "$GHE_MSSQL_PRIMARY_HOST" "$@"
 }
 
 cleanup() {
-  rm -rf $tempdir
+  rm -rf "$tempdir"
 }
 trap 'cleanup' EXIT INT
 
@@ -47,16 +47,16 @@ if [ -z "$GHE_MSSQL_PRIMARY_HOST" ]; then
 fi
 
 tempdir=$(mktemp -d -t backup-utils-backup-XXXXXX)
-ssh_config_file_opt=
-opts=
+ssh_config_file_opt=()
+opts=()
 
 isHA="$(ghe-ssh "$GHE_HOSTNAME" -- "ghe-config cluster.ha" || true)"
 
 # get server hostnames under cluster and HA
 if [ "$GHE_BACKUP_STRATEGY" = "cluster" ] || [ "$isHA" = "true" ]  ; then
   ssh_config_file="$tempdir/ssh_config"
-  ssh_config_file_opt="-F $ssh_config_file"
-  opts="-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -o PasswordAuthentication=no"
+  ssh_config_file_opt=("-F" "$ssh_config_file")
+  opts=("-o" "UserKnownHostsFile=/dev/null" "-o" "StrictHostKeyChecking=no" "-o" "PasswordAuthentication=no")
   ghe-ssh-config "$GHE_HOSTNAME" "$GHE_MSSQL_PRIMARY_HOST" > "$ssh_config_file"
 fi
 
@@ -69,10 +69,10 @@ add_minute() {
   # Expect date string in the format of yyyymmddTHHMMSS
   # Here parse date differently depending on GNU Linux vs BSD MacOS
   if date -v -1d > /dev/null 2>&1; then
-    echo "$(date -v +$2M -ujf'%Y%m%dT%H%M%S' $1 +%Y%m%dT%H%M%S)"
+    date -v +"$2"M -ujf'%Y%m%dT%H%M%S' "$1" +%Y%m%dT%H%M%S
   else
     dt=$1
-    echo "$(date -u '+%Y%m%dT%H%M%S' -d "${dt:0:8} ${dt:9:2}:${dt:11:2}:${dt:13:2} $2 minutes")"
+    date -u '+%Y%m%dT%H%M%S' -d "${dt:0:8} ${dt:9:2}:${dt:11:2}:${dt:13:2} $2 minutes"
   fi
 }
 
@@ -337,7 +337,7 @@ if [ -n "$backup_type" ]; then
   fi
 
   bm_start "$(basename "$0")"
-  ghe_ssh_mssql  -- "$backup_command" || failures="$failures mssql"
+  ghe_ssh_mssql  -- "$backup_command"
   bm_end "$(basename "$0")"
 
   # Configure the backup cadence on the appliance, which is used for diagnostics

share/github-backup-utils/ghe-backup-settings

@@ -78,8 +78,16 @@ backup-secret "management console password" "manage-password" "secrets.manage"
 backup-secret "password pepper" "password-pepper" "secrets.github.user-password-secrets"
 backup-secret "kredz.credz HMAC key" "kredz-credz-hmac" "secrets.kredz.credz-hmac-secret"
 backup-secret "kredz.varz HMAC key" "kredz-varz-hmac" "secrets.kredz.varz-hmac-secret"
-backup-secret "encrypted column encryption keying material" "encrypted-column-encryption-keying-material" "secrets.github.encrypted-column-keying-material"
-backup-secret "encrypted column current encryption key" "encrypted-column-current-encryption-key" "secrets.github.encrypted-column-current-encryption-key"
+
+# backup encryption keying material for GHES 3.7.0 onwards
+if [ "$(version $GHE_REMOTE_VERSION)" -ge "$(version 3.7.0)" ]; then
+  backup-secret "encrypted column encryption keying material" "encrypted-column-encryption-keying-material" "secrets.github.encrypted-column-keying-material"
+fi
+
+# backup current encryption key for GHES 3.8.0 onwards
+if [ "$(version $GHE_REMOTE_VERSION)" -ge "$(version 3.8.0)" ]; then
+  backup-secret "encrypted column current encryption key" "encrypted-column-current-encryption-key" "secrets.github.encrypted-column-current-encryption-key"
+fi
 
 # Backup argon secrets for multiuser from ghes version 3.8 onwards
 if ! [ "$(version $GHE_REMOTE_VERSION)" -lt "$(version 3.8.0)" ]; then

share/github-backup-utils/ghe-restore-column-encryption-keys

@@ -0,0 +1,42 @@
+#!/usr/bin/env bash
+#/ Usage: ghe-restore-column-encryption-keys <host>
+#/ Restore the column encryption keys from a snapshot to the given <host>.
+#/ This script will be run automatically by `ghe-restore
+set -e
+
+# Bring in the backup configuration
+# shellcheck source=share/github-backup-utils/ghe-backup-config
+. "$( dirname "${BASH_SOURCE[0]}" )/ghe-backup-config"
+
+# Show usage and bail with no arguments
+[ -z "$*" ] && print_usage
+
+bm_start "$(basename $0)"
+
+# Grab host arg
+GHE_HOSTNAME="$1"
+
+# Perform a host-check and establish GHE_REMOTE_XXX variables.
+ghe_remote_version_required "$GHE_HOSTNAME"
+
+# The snapshot to restore should be set by the ghe-restore command but this lets
+# us run this script directly.
+: ${GHE_RESTORE_SNAPSHOT:=current}
+
+# Path to snapshot dir we're restoring from
+: ${GHE_RESTORE_SNAPSHOT_PATH:="$GHE_DATA_DIR/current"}
+
+# Restore encrypted column encryption keying material for GHES 3.7.0 onward
+if [ "$(version $GHE_REMOTE_VERSION)" -ge "$(version 3.7.0)" ]; then
+  log_info "Restoring encrypted column encryption keying material"
+  restore-secret "encrypted column encryption keying material" "encrypted-column-encryption-keying-material" "secrets.github.encrypted-column-keying-material"
+fi
+
+# Restore encrypted column current encryption key for GHES 3.8.0 onwards
+if [ "$(version $GHE_REMOTE_VERSION)" -ge "$(version 3.8.0)" ]; then
+  log_info "Restoring encrypted column current encryption key"
+  restore-secret "encrypted column current encryption key" "encrypted-column-current-encryption-key" "secrets.github.encrypted-column-current-encryption-key"
+fi
+
+
+bm_end "$(basename $0)"

share/github-backup-utils/ghe-restore-settings

@@ -53,12 +53,6 @@ restore-secret "kredz.credz HMAC key" "kredz-credz-hmac" "secrets.kredz.credz-hm
 # Restore kredz.varz HMAC key if present.
 restore-secret "kredz.varz HMAC key" "kredz-varz-hmac" "secrets.kredz.varz-hmac-secret"
 
-# Restore encrypted column encryption keying material if present
-restore-secret "encrypted column encryption keying material" "encrypted-column-encryption-keying-material" "secrets.github.encrypted-column-keying-material"
-
-# Restore encrypted column current encryption key if present
-restore-secret "encrypted column current encryption key" "encrypted-column-current-encryption-key" "secrets.github.encrypted-column-current-encryption-key"
-
 # Restore SAML keys if present.
 if [ -f "$GHE_RESTORE_SNAPSHOT_PATH/saml-keys.tar" ]; then
   log_info "Restoring SAML keys ..."

test/test-ghe-backup.sh

@@ -543,7 +543,18 @@ begin_test "ghe-backup takes backup of kredz-varz settings"
 )
 end_test
 
-begin_test "ghe-backup takes backup of encrypted column encryption keying material"
+begin_test "ghe-backup does not take backup of encrypted column encryption keying material for versions below 3.7.0"
+(
+  GHE_REMOTE_VERSION=2.1.10 ghe-backup -v | grep -q "encrypted column encryption keying material not set" && exit 1
+  [ ! -f "$GHE_DATA_DIR/current/encrypted-column-keying-material" ]
+
+  GHE_REMOTE_VERSION=3.6.1 ghe-backup -v | grep -q "encrypted column encryption keying material not set" && exit 1
+  [ ! -f "$GHE_DATA_DIR/current/encrypted-column-keying-material" ]
+
+)
+end_test
+
+begin_test "ghe-backup takes backup of encrypted column encryption keying material for versions 3.7.0+"
 (
   set -e
 
@@ -555,6 +566,24 @@ begin_test "ghe-backup takes backup of encrypted column encryption keying materi
     ghe-ssh "$GHE_HOSTNAME" -- ghe-config "$secret" "foo"
   done
 
+  # GHES version 3.7.0
+  GHE_REMOTE_VERSION=3.7.0
+  export GHE_REMOTE_VERSION
+
+  ghe-backup
+
+  required_files=(
+    "encrypted-column-encryption-keying-material"
+  )
+
+  for file in "${required_files[@]}"; do
+    [ "$(cat "$GHE_DATA_DIR/current/$file")" = "foo" ]
+  done
+
+  # GHES version 3.8.0
+  GHE_REMOTE_VERSION=3.8.0
+  export GHE_REMOTE_VERSION
+
   ghe-backup
 
   required_files=(
@@ -568,7 +597,18 @@ begin_test "ghe-backup takes backup of encrypted column encryption keying materi
 )
 end_test
 
-begin_test "ghe-backup takes backup of encrypted column current encryption key"
+begin_test "ghe-backup does not take backup of encrypted column current encryption key for versions below 3.8.0"
+(
+  GHE_REMOTE_VERSION=2.1.10 ghe-backup -v | grep -q "encrypted column current encryption key not set" && exit 1
+  [ ! -f "$GHE_DATA_DIR/current/encrypted-column-current-encryption-key" ]
+
+  GHE_REMOTE_VERSION=3.7.0 ghe-backup -v | grep -q "encrypted column current encryption key not set" && exit 1
+  [ ! -f "$GHE_DATA_DIR/current/encrypted-column-current-encryption-key" ]
+
+)
+end_test
+
+begin_test "ghe-backup takes backup of encrypted column current encryption key for versions 3.8.0+"
 (
   set -e
 
@@ -580,6 +620,24 @@ begin_test "ghe-backup takes backup of encrypted column current encryption key"
     ghe-ssh "$GHE_HOSTNAME" -- ghe-config "$secret" "foo"
   done
 
+  # GHES version 3.8.0
+  GHE_REMOTE_VERSION=3.8.0
+  export GHE_REMOTE_VERSION
+
+  ghe-backup
+
+  required_files=(
+    "encrypted-column-current-encryption-key"
+  )
+
+  for file in "${required_files[@]}"; do
+    [ "$(cat "$GHE_DATA_DIR/current/$file")" = "foo" ]
+  done
+
+  # GHES version 3.9.0
+  GHE_REMOTE_VERSION=3.9.0
+  export GHE_REMOTE_VERSION
+
   ghe-backup
 
   required_files=(