Merge pull request #414 from github/enterprise-3.8-backport-331-add-encrypted-column-keys

Backport 331 for 3.8: Add encrypted column encryption keys to backup utils

Author: dooleydevin

share/github-backup-utils/ghe-backup-settings

@@ -78,6 +78,8 @@ backup-secret "management console password" "manage-password" "secrets.manage"
 backup-secret "password pepper" "password-pepper" "secrets.github.user-password-secrets"
 backup-secret "kredz.credz HMAC key" "kredz-credz-hmac" "secrets.kredz.credz-hmac-secret"
 backup-secret "kredz.varz HMAC key" "kredz-varz-hmac" "secrets.kredz.varz-hmac-secret"
+backup-secret "encrypted column encryption keying material" "encrypted-column-encryption-keying-material" "secrets.github.encrypted-column-keying-material"
+backup-secret "encrypted column current encryption key" "encrypted-column-current-encryption-key" "secrets.github.encrypted-column-current-encryption-key"
 
 # Backup argon secrets for multiuser from ghes version 3.8 onwards
 if ! [ "$(version $GHE_REMOTE_VERSION)" -lt "$(version 3.8.0)" ]; then

share/github-backup-utils/ghe-restore-settings

@@ -53,6 +53,12 @@ restore-secret "kredz.credz HMAC key" "kredz-credz-hmac" "secrets.kredz.credz-hm
 # Restore kredz.varz HMAC key if present.
 restore-secret "kredz.varz HMAC key" "kredz-varz-hmac" "secrets.kredz.varz-hmac-secret"
 
+# Restore encrypted column encryption keying material if present
+restore-secret "encrypted column encryption keying material" "encrypted-column-encryption-keying-material" "secrets.github.encrypted-column-keying-material"
+
+# Restore encrypted column current encryption key if present
+restore-secret "encrypted column current encryption key" "encrypted-column-current-encryption-key" "secrets.github.encrypted-column-current-encryption-key"
+
 # Restore SAML keys if present.
 if [ -f "$GHE_RESTORE_SNAPSHOT_PATH/saml-keys.tar" ]; then
   log_info "Restoring SAML keys ..."

test/test-ghe-backup.sh

@@ -543,6 +543,56 @@ begin_test "ghe-backup takes backup of kredz-varz settings"
 )
 end_test
 
+begin_test "ghe-backup takes backup of encrypted column encryption keying material"
+(
+  set -e
+
+  required_secrets=(
+    "secrets.github.encrypted-column-keying-material"
+  )
+
+  for secret in "${required_secrets[@]}"; do
+    ghe-ssh "$GHE_HOSTNAME" -- ghe-config "$secret" "foo"
+  done
+
+  ghe-backup
+
+  required_files=(
+    "encrypted-column-encryption-keying-material"
+  )
+
+  for file in "${required_files[@]}"; do
+    [ "$(cat "$GHE_DATA_DIR/current/$file")" = "foo" ]
+  done
+
+)
+end_test
+
+begin_test "ghe-backup takes backup of encrypted column current encryption key"
+(
+  set -e
+
+  required_secrets=(
+    "secrets.github.encrypted-column-current-encryption-key"
+  )
+
+  for secret in "${required_secrets[@]}"; do
+    ghe-ssh "$GHE_HOSTNAME" -- ghe-config "$secret" "foo"
+  done
+
+  ghe-backup
+
+  required_files=(
+    "encrypted-column-current-encryption-key"
+  )
+
+  for file in "${required_files[@]}"; do
+    [ "$(cat "$GHE_DATA_DIR/current/$file")" = "foo" ]
+  done
+
+)
+end_test
+
 begin_test "ghe-backup takes backup of Actions settings"
 (
   set -e

test/test-ghe-restore.sh

@@ -281,6 +281,56 @@ begin_test "ghe-restore with no pages backup"
 )
 end_test
 
+begin_test "ghe-restore with encrypted column encryption keying material"
+(
+  set -e
+  rm -rf "$GHE_REMOTE_ROOT_DIR"
+  setup_remote_metadata
+
+  required_files=(
+    "encrypted-column-encryption-keying-material"
+  )
+
+  for file in "${required_files[@]}"; do
+    echo "foo" > "$GHE_DATA_DIR/current/$file"
+  done
+
+  ghe-restore -v -f localhost
+  required_secrets=(
+    "secrets.github.encrypted-column-keying-material"
+  )
+
+  for secret in "${required_secrets[@]}"; do
+    [ "$(ghe-ssh "$GHE_HOSTNAME" -- ghe-config "$secret")" = "foo" ]
+  done
+)
+end_test
+
+begin_test "ghe-restore with encrypted column current encryption key"
+(
+  set -e
+  rm -rf "$GHE_REMOTE_ROOT_DIR"
+  setup_remote_metadata
+
+  required_files=(
+    "encrypted-column-current-encryption-key"
+  )
+
+  for file in "${required_files[@]}"; do
+    echo "foo" > "$GHE_DATA_DIR/current/$file"
+  done
+
+  ghe-restore -v -f localhost
+  required_secrets=(
+    "secrets.github.encrypted-column-current-encryption-key"
+  )
+
+  for secret in "${required_secrets[@]}"; do
+    [ "$(ghe-ssh "$GHE_HOSTNAME" -- ghe-config "$secret")" = "foo" ]
+  done
+)
+end_test
+
 # Setup Actions data for the subsequent tests
 setup_actions_test_data "$GHE_DATA_DIR/1"
 
@@ -329,7 +379,7 @@ begin_test "ghe-restore with Kredz settings"
   required_secrets=(
     "secrets.kredz.credz-hmac-secret"
   )
-  
+
   for secret in "${required_secrets[@]}"; do
     [ "$(ghe-ssh "$GHE_HOSTNAME" -- ghe-config "$secret")" = "foo" ]
   done
@@ -355,7 +405,7 @@ begin_test "ghe-restore with kredz-varz settings"
   required_secrets=(
     "secrets.kredz.varz-hmac-secret"
   )
-  
+
   for secret in "${required_secrets[@]}"; do
     [ "$(ghe-ssh "$GHE_HOSTNAME" -- ghe-config "$secret")" = "foo" ]
   done

test/testlib.sh

@@ -19,6 +19,7 @@
 #
 # Copyright (c) 2011-14 by Ryan Tomayko <http://tomayko.com>
 # License: MIT
+# shellcheck disable=SC2319
 set -e
 
 # Setting basic paths