Merge branch 'master' into djj-remove-git-clone-option

Author: davidjarzebowski

bin/ghe-host-check

@@ -131,7 +131,7 @@ fi
 
 # backup-utils 2.13 onwards limits support to the current and previous two releases
 # of GitHub Enterprise Server.
-supported_minimum_version="3.6.0"
+supported_minimum_version="3.7.0"
 
 if [ "$(version $version)" -ge "$(version $supported_minimum_version)" ]; then
   supported=1

bin/ghe-restore

@@ -443,6 +443,12 @@ if [ "$(version $GHE_REMOTE_VERSION)" -ge "$(version 3.7.0)" ]; then
 fi
 ghe-restore-column-encryption-keys "$GHE_HOSTNAME"
 
+# Always restore secret scanning encryption keys
+if [ "$(version $GHE_REMOTE_VERSION)" -ge "$(version 3.8.0)" ]; then
+  log_info "Always restore secret scanning encryption keys on GHES verions 3.8.0+"
+  ghe-restore-secret-scanning-encryption-keys "$GHE_HOSTNAME"
+fi
+
 # Make sure mysql and elasticsearch are prep'd and running before restoring.
 # These services will not have been started on appliances that have not been
 # configured yet.

docs/requirements.md

@@ -5,7 +5,7 @@ storage and must have network connectivity with the GitHub Enterprise Server app
 
 ## Backup host requirements
 
-Backup host software requirements are modest: Linux or other modern Unix operating system (Ubuntu is highly recommended) with [bash][1], [git][2], [OpenSSH][3] 5.6 or newer, [rsync][4] v2.6.4 or newer* (see [below](april-2023-update-of-rsync-requirements) for exceptions), and [jq][11] v1.5 or newer. See below for an update on rsync.
+Backup host software requirements are modest: Linux or other modern Unix operating system (Ubuntu is highly recommended) with [bash][1], [git][2], [OpenSSH][3] 5.6 or newer, [rsync][4] v2.6.4 or newer* (see [below](april-2023-update-of-rsync-requirements) for exceptions), [jq][11] v1.5 or newer, and [bc][12] v1.07 or newer.
 
 The parallel backup and restore feature will require [GNU awk][10] and [moreutils][9] to be installed.
 
@@ -99,3 +99,4 @@ Due to how some components of Backup Utilities (e.g. MSSQL) take incremental bac
 [9]: https://joeyh.name/code/moreutils
 [10]: https://www.gnu.org/software/gawk
 [11]: https://stedolan.github.io/jq/
+[12]: https://www.gnu.org/software/bc/

share/github-backup-utils/ghe-backup-es-rsync

@@ -4,6 +4,7 @@
 #/
 #/ Note: This command typically isn't called directly. It's invoked by
 #/ ghe-backup when the rsync strategy is used.
+# shellcheck disable=SC2086
 set -e
 
 # Bring in the backup configuration
@@ -54,15 +55,15 @@ log_rsync "END elasticsearch rsync" 1>&3
 # Set up a trap to re-enable flushing on exit and remove temp file
 cleanup () {
   ghe_verbose "* Enabling ES index flushing ..."
-  echo '{"index":{"translog.disable_flush":false}}' |
+  echo '{"index":{"translog.flush_threshold_size":"512MB"}}' |
   ghe-ssh "$host" -- curl -s -XPUT "localhost:9200/_settings" -d @- >/dev/null
 }
 trap 'cleanup' EXIT
 trap 'exit $?' INT # ^C always terminate
 
 # Disable ES flushing and force a flush right now
 ghe_verbose "* Disabling ES index flushing ..."
-echo '{"index":{"translog.disable_flush":true}}' |
+echo '{"index":{"translog.flush_threshold_size":"1PB"}}' |
 ghe-ssh "$host" -- curl -s -XPUT  "localhost:9200/_settings" -d @- >/dev/null
 ghe-ssh "$host" -- curl -s -XPOST "localhost:9200/_flush" >/dev/null
 

share/github-backup-utils/ghe-backup-mssql

@@ -47,8 +47,8 @@ if [ -z "$GHE_MSSQL_PRIMARY_HOST" ]; then
 fi
 
 tempdir=$(mktemp -d -t backup-utils-backup-XXXXXX)
-ssh_config_file_opt=
-opts=
+ssh_config_file_opt=()
+opts=()
 
 isHA="$(ghe-ssh "$GHE_HOSTNAME" -- "ghe-config cluster.ha" || true)"
 

share/github-backup-utils/ghe-backup-settings

@@ -89,6 +89,11 @@ if [ "$(version $GHE_REMOTE_VERSION)" -ge "$(version 3.8.0)" ]; then
   backup-secret "encrypted column current encryption key" "encrypted-column-current-encryption-key" "secrets.github.encrypted-column-current-encryption-key"
 fi
 
+backup-secret "secret scanning encrypted secrets current storage key" "secret-scanning-encrypted-secrets-current-storage-key" "secrets.secret-scanning.encrypted-secrets-current-storage-key"
+backup-secret "secret scanning encrypted secrets delimited storage keys" "secret-scanning-encrypted-secrets-delimited-storage-keys" "secrets.secret-scanning.encrypted-secrets-delimited-storage-keys"
+backup-secret "secret scanning encrypted secrets current shared transit key" "secret-scanning-encrypted-secrets-current-shared-transit-key" "secrets.secret-scanning.encrypted-secrets-current-shared-transit-key"
+backup-secret "secret scanning encrypted secrets delimited shared transit keys" "secret-scanning-encrypted-secrets-delimited-shared-transit-keys" "secrets.secret-scanning.encrypted-secrets-delimited-shared-transit-keys"
+
 # Backup argon secrets for multiuser from ghes version 3.8 onwards
 if [[ "$(version $GHE_REMOTE_VERSION)" -ge "$(version 3.8.0)" && "$(version $GHE_REMOTE_VERSION)" -lt "$(version 3.8.2)" ]]; then
   backup-secret "management console argon2 secret" "manage-argon-secret" "secrets.manage-auth.argon-secret"

share/github-backup-utils/ghe-restore-secret-scanning-encryption-keys

@@ -0,0 +1,39 @@
+#!/usr/bin/env bash
+#/ Usage: ghe-restore-secret-scanning-encryption-keys <host>
+#/ Restore the secret scanning encryption keys from a snapshot to the given <host>.
+#/ This script will be run automatically by `ghe-restore`
+set -e
+
+# Bring in the backup configuration
+# shellcheck source=share/github-backup-utils/ghe-backup-config
+. "$(dirname "${BASH_SOURCE[0]}")/ghe-backup-config"
+
+# Show usage and bail with no arguments
+[ -z "$*" ] && print_usage
+
+bm_start "$(basename $0)"
+
+# Grab host arg
+GHE_HOSTNAME="$1"
+
+# Perform a host-check and establish GHE_REMOTE_XXX variables.
+ghe_remote_version_required "$GHE_HOSTNAME"
+
+# The snapshot to restore should be set by the ghe-restore command but this lets
+# us run this script directly.
+: ${GHE_RESTORE_SNAPSHOT:=current}
+
+# Path to snapshot dir we're restoring from
+: ${GHE_RESTORE_SNAPSHOT_PATH:="$GHE_DATA_DIR/current"}
+
+# Restore secret scanning encrypted secrets storage keys if present
+log_info "Restoring secret scanning encrypted secrets storage keys"
+restore-secret "secret scanning encrypted secrets current storage key" "secret-scanning-encrypted-secrets-current-storage-key" "secrets.secret-scanning.encrypted-secrets-current-storage-key"
+restore-secret "secret scanning encrypted secrets delimited storage keys" "secret-scanning-encrypted-secrets-delimited-storage-keys" "secrets.secret-scanning.encrypted-secrets-delimited-storage-keys"
+
+# Restore secret scanning encrypted secrets transit keys if present
+log_info "Restoring secret scanning encrypted secrets transit keys"
+restore-secret "secret scanning encrypted secrets current shared transit key" "secret-scanning-encrypted-secrets-current-shared-transit-key" "secrets.secret-scanning.encrypted-secrets-current-shared-transit-key"
+restore-secret "secret scanning encrypted secrets delimited shared transit keys" "secret-scanning-encrypted-secrets-delimited-shared-transit-keys" "secrets.secret-scanning.encrypted-secrets-delimited-shared-transit-keys"
+
+bm_end "$(basename $0)"

share/github-backup-utils/ghe-restore-settings

@@ -56,6 +56,12 @@ restore-secret "kredz.credz HMAC key" "kredz-credz-hmac" "secrets.kredz.credz-hm
 # Restore kredz.varz HMAC key if present.
 restore-secret "kredz.varz HMAC key" "kredz-varz-hmac" "secrets.kredz.varz-hmac-secret"
 
+# Restore encrypted column encryption keying material if present
+restore-secret "encrypted column encryption keying material" "encrypted-column-encryption-keying-material" "secrets.github.encrypted-column-keying-material"
+
+# Restore encrypted column current encryption key if present
+restore-secret "encrypted column current encryption key" "encrypted-column-current-encryption-key" "secrets.github.encrypted-column-current-encryption-key"
+
 # Restore SAML keys if present.
 if [ -f "$GHE_RESTORE_SNAPSHOT_PATH/saml-keys.tar" ]; then
   log_info "Restoring SAML keys ..."

share/github-backup-utils/version

@@ -1 +1 @@
-3.8.0
+3.9.0

test/test-ghe-backup.sh

@@ -663,6 +663,36 @@ begin_test "ghe-backup takes backup of encrypted column current encryption key f
 )
 end_test
 
+begin_test "ghe-backup takes backup of secret scanning encrypted secrets encryption keys"
+(
+  set -e
+
+  required_secrets=(
+    "secrets.secret-scanning.encrypted-secrets-current-storage-key"
+    "secrets.secret-scanning.encrypted-secrets-delimited-storage-keys"
+    "secrets.secret-scanning.encrypted-secrets-current-shared-transit-key"
+    "secrets.secret-scanning.encrypted-secrets-delimited-shared-transit-keys"
+  )
+
+  for secret in "${required_secrets[@]}"; do
+    ghe-ssh "$GHE_HOSTNAME" -- ghe-config "$secret" "foo"
+  done
+
+  ghe-backup
+
+  required_files=(
+    "secret-scanning-encrypted-secrets-current-storage-key"
+    "secret-scanning-encrypted-secrets-delimited-storage-keys"
+    "secret-scanning-encrypted-secrets-current-shared-transit-key"
+    "secret-scanning-encrypted-secrets-delimited-shared-transit-keys"
+  )
+
+  for file in "${required_files[@]}"; do
+    [ "$(cat "$GHE_DATA_DIR/current/$file")" = "foo" ]
+  done
+)
+end_test
+
 begin_test "ghe-backup takes backup of Actions settings"
 (
   set -e