Merge pull request #243 from github/atirikt/ghe-kredz_backup

atirikt · web-flow · commit 90304d45ef9a · 2022-07-29T18:17:22.000+05:30
GHES Kredz backup util
diff --git a/share/github-backup-utils/ghe-backup-settings b/share/github-backup-utils/ghe-backup-settings
@@ -76,6 +76,7 @@ backup-secret() {
 
 backup-secret "management console password" "manage-password" "secrets.manage"
 backup-secret "password pepper" "password-pepper" "secrets.github.user-password-secrets"
+backup-secret "kredz.credz HMAC key" "kredz-credz-hmac" "secrets.kredz.credz-hmac-secret"
 
 # Backup external MySQL password if running external MySQL DB.
 if is_service_external 'mysql'; then
@@ -102,7 +103,6 @@ if ghe-ssh "$host" -- ghe-config --true app.actions.enabled; then
   backup-secret "Actions SPS validation cert thumbprint" "actions-sps-validation-cert-thumbprint" "secrets.actions.SpsValidationCertThumbprint"
 
   backup-secret "Actions Launch secrets encryption/decryption" "actions-launch-secrets-private-key" "secrets.launch.actions-secrets-private-key"
-  backup-secret "Actions Launch credz HMAC key" "actions-launch-credz-hmac" "secrets.launch.credz-hmac-secret"
   backup-secret "Actions Launch deployer HMAC key" "actions-launch-deployer-hmac" "secrets.launch.deployer-hmac-secret"
   backup-secret "Actions Launch Client id" "actions-launch-client-id" "secrets.launch.client-id"
   backup-secret "Actions Launch Client secret" "actions-launch-client-secret" "secrets.launch.client-secret"
diff --git a/share/github-backup-utils/ghe-restore-actions b/share/github-backup-utils/ghe-restore-actions
@@ -70,7 +70,6 @@ restore-secret "Actions service principal cert" "actions-service-principal-cert"
 restore-secret "Actions SPS validation cert thumbprint" "actions-sps-validation-cert-thumbprint" "secrets.actions.SpsValidationCertThumbprint"
 
 restore-secret "Actions Launch secrets encryption/decryption" "actions-launch-secrets-private-key" "secrets.launch.actions-secrets-private-key"
-restore-secret "Actions Launch credz HMAC key" "actions-launch-credz-hmac" "secrets.launch.credz-hmac-secret"
 restore-secret "Actions Launch deployer HMAC key" "actions-launch-deployer-hmac" "secrets.launch.deployer-hmac-secret"
 restore-secret "Actions Launch Client id" "actions-launch-client-id" "secrets.launch.client-id"
 restore-secret "Actions Launch Client secret" "actions-launch-client-secret" "secrets.launch.client-secret"
@@ -86,6 +85,7 @@ restore-secret "Actions Launch service private key" "actions-launch-app-app-priv
 restore-secret "Actions Launch token oauth key" "actions-oauth-s2s-signing-key" "secrets.launch.token-oauth-key"
 restore-secret "Actions Launch token oauth cert" "actions-oauth-s2s-signing-cert" "secrets.launch.token-oauth-cert"
 
+
 # Setup the database logins.
 ghe_verbose "* Restoring database logins and users to $host ..."
 
diff --git a/share/github-backup-utils/ghe-restore-settings b/share/github-backup-utils/ghe-restore-settings
@@ -41,6 +41,9 @@ restore-secret "external MySQL password" "external-mysql-password" "secrets.exte
 # Restore management console password hash if present.
 restore-secret "management console password" "manage-password" "secrets.manage"
 
+# Restore kredz.credz HMAC key if present.
+restore-secret "kredz.credz HMAC key" "kredz-credz-hmac" "secrets.kredz.credz-hmac-secret"
+
 # Restore SAML keys if present.
 if [ -f "$GHE_RESTORE_SNAPSHOT_PATH/saml-keys.tar" ]; then
   echo "Restoring SAML keys ..."
diff --git a/test/test-ghe-backup.sh b/test/test-ghe-backup.sh
@@ -470,6 +470,31 @@ begin_test "ghe-backup upgrades transaction backup to full if LSN chain break"
 )
 end_test
 
+begin_test "ghe-backup takes backup of Kredz settings"
+(
+  set -e
+
+  required_secrets=(
+    "secrets.kredz.credz-hmac-secret"
+  )
+
+  for secret in "${required_secrets[@]}"; do
+    ghe-ssh "$GHE_HOSTNAME" -- ghe-config "$secret" "foo"
+  done
+
+  ghe-backup
+
+  required_files=(
+    "kredz-credz-hmac"
+  )
+
+  for file in "${required_files[@]}"; do
+    [ "$(cat "$GHE_DATA_DIR/current/$file")" = "foo" ]
+  done
+
+)
+end_test
+
 begin_test "ghe-backup takes backup of Actions settings"
 (
   set -e
@@ -493,7 +518,6 @@ begin_test "ghe-backup takes backup of Actions settings"
     "secrets.actions.SpsValidationCertThumbprint"
 
     "secrets.launch.actions-secrets-private-key"
-    "secrets.launch.credz-hmac-secret"
     "secrets.launch.deployer-hmac-secret"
     "secrets.launch.client-id"
     "secrets.launch.client-secret"
@@ -507,6 +531,7 @@ begin_test "ghe-backup takes backup of Actions settings"
     "secrets.launch.token-oauth-cert"
     "secrets.launch.azp-app-cert"
     "secrets.launch.azp-app-private-key"
+
   )
 
   # these 5 were removed in later versions, so we extract them as best effort
@@ -538,7 +563,6 @@ begin_test "ghe-backup takes backup of Actions settings"
     "actions-sps-validation-cert-thumbprint"
 
     "actions-launch-secrets-private-key"
-    "actions-launch-credz-hmac"
     "actions-launch-deployer-hmac"
     "actions-launch-client-id"
     "actions-launch-client-secret"
@@ -550,6 +574,7 @@ begin_test "ghe-backup takes backup of Actions settings"
     "actions-launch-action-runner-secret"
     "actions-launch-azp-app-cert"
     "actions-launch-app-app-private-key"
+
   )
 
   # Add the one optional file we included tests for
diff --git a/test/test-ghe-restore.sh b/test/test-ghe-restore.sh
@@ -309,6 +309,32 @@ begin_test "ghe-restore invokes ghe-import-mssql"
 )
 end_test
 
+begin_test "ghe-restore with Kredz settings"
+(
+  set -e
+  rm -rf "$GHE_REMOTE_ROOT_DIR"
+  setup_remote_metadata
+  enable_actions
+
+  required_files=(
+    "kredz-credz-hmac"
+  )
+
+  for file in "${required_files[@]}"; do
+    echo "foo" > "$GHE_DATA_DIR/current/$file"
+  done
+
+  ghe-restore -v -f localhost
+  required_secrets=(
+    "secrets.kredz.credz-hmac-secret"
+  )
+  
+  for secret in "${required_secrets[@]}"; do
+    [ "$(ghe-ssh "$GHE_HOSTNAME" -- ghe-config "$secret")" = "foo" ]
+  done
+)
+end_test
+
 begin_test "ghe-restore with Actions settings"
 (
   set -e
@@ -335,7 +361,6 @@ begin_test "ghe-restore with Actions settings"
     "actions-sps-validation-cert-thumbprint"
 
     "actions-launch-secrets-private-key"
-    "actions-launch-credz-hmac"
     "actions-launch-deployer-hmac"
     "actions-launch-client-id"
     "actions-launch-client-secret"
@@ -347,6 +372,7 @@ begin_test "ghe-restore with Actions settings"
     "actions-launch-action-runner-secret"
     "actions-launch-azp-app-cert"
     "actions-launch-app-app-private-key"
+
   )
 
   for file in "${required_files[@]}"; do
@@ -374,7 +400,6 @@ begin_test "ghe-restore with Actions settings"
     "secrets.actions.SpsValidationCertThumbprint"
 
     "secrets.launch.actions-secrets-private-key"
-    "secrets.launch.credz-hmac-secret"
     "secrets.launch.deployer-hmac-secret"
     "secrets.launch.client-id"
     "secrets.launch.client-secret"
@@ -388,6 +413,7 @@ begin_test "ghe-restore with Actions settings"
     "secrets.launch.token-oauth-cert"
     "secrets.launch.azp-app-cert"
     "secrets.launch.azp-app-private-key"
+
   )
 
   for secret in "${required_secrets[@]}"; do
