Merge pull request #453 from github/kyfast-create-current-encryption-key-3.7.0+

KyFaSt · web-flow · commit de192eaf690c · 2023-07-27T10:32:32.000-04:00
Create the encrypted column current encryption key backup on 3.7.0+
diff --git a/share/github-backup-utils/ghe-backup-settings b/share/github-backup-utils/ghe-backup-settings
@@ -83,9 +83,6 @@ backup-secret "kredz.varz HMAC key" "kredz-varz-hmac" "secrets.kredz.varz-hmac-s
 # this is for forwards compatibility with GHES 3.8.0 onwards
 if [ "$(version $GHE_REMOTE_VERSION)" -ge "$(version 3.7.0)" ]; then
   backup-secret "encrypted column encryption keying material" "encrypted-column-encryption-keying-material" "secrets.github.encrypted-column-keying-material"
-fi
-
-if [ "$(version $GHE_REMOTE_VERSION)" -ge "$(version 3.8.0)" ]; then
   cat "$GHE_SNAPSHOT_DIR/encrypted-column-encryption-keying-material" | sed 's:.*;::' > "$GHE_SNAPSHOT_DIR/encrypted-column-current-encryption-key"
 fi
 
diff --git a/test/test-ghe-backup.sh b/test/test-ghe-backup.sh
@@ -555,17 +555,6 @@ begin_test "ghe-backup takes backup of kredz-varz settings"
 )
 end_test
 
-begin_test "ghe-backup does not take backup of encrypted column encryption keying material for versions below 3.7.0"
-(
-  GHE_REMOTE_VERSION=2.1.10 ghe-backup -v | grep -q "encrypted column encryption keying material not set" && exit 1
-  [ ! -f "$GHE_DATA_DIR/current/encrypted-column-keying-material" ]
-
-  GHE_REMOTE_VERSION=3.6.1 ghe-backup -v | grep -q "encrypted column encryption keying material not set" && exit 1
-  [ ! -f "$GHE_DATA_DIR/current/encrypted-column-keying-material" ]
-
-)
-end_test
-
 begin_test "ghe-backup takes backup of encrypted column encryption keying material and create encrypted column current encryption key for versions 3.7.0+"
 (
   set -e
@@ -586,6 +575,7 @@ begin_test "ghe-backup takes backup of encrypted column encryption keying materi
 
   required_files=(
     "encrypted-column-encryption-keying-material"
+    "encrypted-column-current-encryption-key"
   )
 
   for file in "${required_files[@]}"; do
@@ -598,35 +588,6 @@ begin_test "ghe-backup takes backup of encrypted column encryption keying materi
 
   ghe-backup
 
-  required_files=(
-    "encrypted-column-encryption-keying-material"
-  )
-
-  for file in "${required_files[@]}"; do
-    [ "$(cat "$GHE_DATA_DIR/current/$file")" = "foo" ]
-  done
-
-)
-end_test
-
-begin_test "ghe-backup takes backup of encrypted column encryption keying material and encrypted column current encryption key for versions 3.8.0+"
-(
-  set -e
-
-  required_secrets=(
-    "secrets.github.encrypted-column-keying-material"
-  )
-
-  for secret in "${required_secrets[@]}"; do
-    ghe-ssh "$GHE_HOSTNAME" -- ghe-config "$secret" "foo"
-  done
-
-  # GHES version 3.8.0
-  GHE_REMOTE_VERSION=3.8.0
-  export GHE_REMOTE_VERSION
-
-  ghe-backup
-
   required_files=(
     "encrypted-column-encryption-keying-material"
     "encrypted-column-current-encryption-key"
@@ -666,7 +627,30 @@ begin_test "ghe-backup takes backup of encrypted column encryption keying materi
     ghe-ssh "$GHE_HOSTNAME" -- /bin/bash
   done
 
-  # GHES version 3.8.0
+  # GHES version 3.7.0
+  GHE_REMOTE_VERSION=3.7.0
+  export GHE_REMOTE_VERSION
+
+  ghe-backup
+
+  required_files=(
+    "encrypted-column-encryption-keying-material"
+  )
+
+  for file in "${required_files[@]}"; do
+    [ "$(cat "$GHE_DATA_DIR/current/$file")" = "foo;bar" ]
+  done
+
+  required_files_current_encryption_key=(
+    "encrypted-column-current-encryption-key"
+  )
+
+  for file in "${required_files_current_encryption_key[@]}"; do
+    [ "$(cat "$GHE_DATA_DIR/current/$file")" = "bar" ]
+  done
+
+
+ # GHES version 3.8.0
   GHE_REMOTE_VERSION=3.8.0
   export GHE_REMOTE_VERSION
 
