Merge pull request #443 from github/kyfast-create-current-encryption-key-backup-3.7.0+

KyFaSt · web-flow · commit d14ac9ec07ec · 2023-07-24T20:00:49.000-04:00
diff --git a/share/github-backup-utils/ghe-backup-settings b/share/github-backup-utils/ghe-backup-settings
@@ -79,14 +79,14 @@ backup-secret "password pepper" "password-pepper" "secrets.github.user-password-
 backup-secret "kredz.credz HMAC key" "kredz-credz-hmac" "secrets.kredz.credz-hmac-secret"
 backup-secret "kredz.varz HMAC key" "kredz-varz-hmac" "secrets.kredz.varz-hmac-secret"
 
-# backup encryption keying material for GHES 3.7.0 onwards
+# backup encryption keying material and create backup value current encryption for GHES 3.7.0 onwards
+# this is for forwards compatibility with GHES 3.8.0 onwards
 if [ "$(version $GHE_REMOTE_VERSION)" -ge "$(version 3.7.0)" ]; then
   backup-secret "encrypted column encryption keying material" "encrypted-column-encryption-keying-material" "secrets.github.encrypted-column-keying-material"
 fi
 
-# backup current encryption key for GHES 3.8.0 onwards
 if [ "$(version $GHE_REMOTE_VERSION)" -ge "$(version 3.8.0)" ]; then
-  backup-secret "encrypted column current encryption key" "encrypted-column-current-encryption-key" "secrets.github.encrypted-column-current-encryption-key"
+  cat "$GHE_SNAPSHOT_DIR/encrypted-column-encryption-keying-material" | sed 's:.*;::' > "$GHE_SNAPSHOT_DIR/encrypted-column-current-encryption-key"
 fi
 
 backup-secret "secret scanning encrypted secrets current storage key" "secret-scanning-encrypted-secrets-current-storage-key" "secrets.secret-scanning.encrypted-secrets-current-storage-key"
diff --git a/test/test-ghe-backup.sh b/test/test-ghe-backup.sh
@@ -566,7 +566,7 @@ begin_test "ghe-backup does not take backup of encrypted column encryption keyin
 )
 end_test
 
-begin_test "ghe-backup takes backup of encrypted column encryption keying material for versions 3.7.0+"
+begin_test "ghe-backup takes backup of encrypted column encryption keying material and create encrypted column current encryption key for versions 3.7.0+"
 (
   set -e
 
@@ -609,27 +609,61 @@ begin_test "ghe-backup takes backup of encrypted column encryption keying materi
 )
 end_test
 
-begin_test "ghe-backup does not take backup of encrypted column current encryption key for versions below 3.8.0"
+begin_test "ghe-backup takes backup of encrypted column encryption keying material and encrypted column current encryption key for versions 3.8.0+"
 (
-  GHE_REMOTE_VERSION=2.1.10 ghe-backup -v | grep -q "encrypted column current encryption key not set" && exit 1
-  [ ! -f "$GHE_DATA_DIR/current/encrypted-column-current-encryption-key" ]
+  set -e
+
+  required_secrets=(
+    "secrets.github.encrypted-column-keying-material"
+  )
+
+  for secret in "${required_secrets[@]}"; do
+    ghe-ssh "$GHE_HOSTNAME" -- ghe-config "$secret" "foo"
+  done
+
+  # GHES version 3.8.0
+  GHE_REMOTE_VERSION=3.8.0
+  export GHE_REMOTE_VERSION
+
+  ghe-backup
+
+  required_files=(
+    "encrypted-column-encryption-keying-material"
+    "encrypted-column-current-encryption-key"
+  )
+
+  for file in "${required_files[@]}"; do
+    [ "$(cat "$GHE_DATA_DIR/current/$file")" = "foo" ]
+  done
+
+  # GHES version 3.9.0
+  GHE_REMOTE_VERSION=3.9.0
+  export GHE_REMOTE_VERSION
 
-  GHE_REMOTE_VERSION=3.7.0 ghe-backup -v | grep -q "encrypted column current encryption key not set" && exit 1
-  [ ! -f "$GHE_DATA_DIR/current/encrypted-column-current-encryption-key" ]
+  ghe-backup
+
+  required_files=(
+    "encrypted-column-current-encryption-key"
+  )
+
+  for file in "${required_files[@]}"; do
+    [ "$(cat "$GHE_DATA_DIR/current/$file")" = "foo" ]
+  done
 
 )
 end_test
 
-begin_test "ghe-backup takes backup of encrypted column current encryption key for versions 3.8.0+"
+begin_test "ghe-backup takes backup of encrypted column encryption keying material and encrypted column current encryption key accounting for multiple encryption keying materials for versions 3.7.0+"
 (
   set -e
 
   required_secrets=(
-    "secrets.github.encrypted-column-current-encryption-key"
+    "secrets.github.encrypted-column-keying-material"
   )
 
   for secret in "${required_secrets[@]}"; do
-    ghe-ssh "$GHE_HOSTNAME" -- ghe-config "$secret" "foo"
+    echo "ghe-config '$secret' 'foo;bar'" |
+    ghe-ssh "$GHE_HOSTNAME" -- /bin/bash
   done
 
   # GHES version 3.8.0
@@ -639,25 +673,42 @@ begin_test "ghe-backup takes backup of encrypted column current encryption key f
   ghe-backup
 
   required_files=(
-    "encrypted-column-current-encryption-key"
+    "encrypted-column-encryption-keying-material"
   )
 
   for file in "${required_files[@]}"; do
-    [ "$(cat "$GHE_DATA_DIR/current/$file")" = "foo" ]
+    [ "$(cat "$GHE_DATA_DIR/current/$file")" = "foo;bar" ]
   done
 
+  required_files_current_encryption_key=(
+    "encrypted-column-current-encryption-key"
+  )
+
+  for file in "${required_files_current_encryption_key[@]}"; do
+    [ "$(cat "$GHE_DATA_DIR/current/$file")" = "bar" ]
+  done
+
+
   # GHES version 3.9.0
   GHE_REMOTE_VERSION=3.9.0
   export GHE_REMOTE_VERSION
 
   ghe-backup
 
   required_files=(
-    "encrypted-column-current-encryption-key"
+    "encrypted-column-encryption-keying-material"
   )
 
   for file in "${required_files[@]}"; do
-    [ "$(cat "$GHE_DATA_DIR/current/$file")" = "foo" ]
+    [ "$(cat "$GHE_DATA_DIR/current/$file")" = "foo;bar" ]
+  done
+
+  required_files_current_encryption_key=(
+    "encrypted-column-current-encryption-key"
+  )
+
+  for file in "${required_files_current_encryption_key[@]}"; do
+    [ "$(cat "$GHE_DATA_DIR/current/$file")" = "bar" ]
   done
 
 )
