Skip to content

Commit 3bbd712

Browse files
dooleydevindooleydevin
authored
Merge pull request #426 from github/enterprise-3.7-backport-349-kyfast-always-restore-column-encryption-keys
Backport 349 for 3.7: Always restore column encryption keys
2 parents ac33831 + e408fd4 commit 3bbd712

File tree

6 files changed

+178
-12
lines changed

6 files changed

+178
-12
lines changed

bin/ghe-restore

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -367,6 +367,12 @@ if $RESTORE_SETTINGS; then
367367
ghe-restore-settings "$GHE_HOSTNAME"
368368
fi
369369

370+
# Always restore column encryption keys
371+
if [ "$(version $GHE_REMOTE_VERSION)" -ge "$(version 3.7.0)" ]; then
372+
echo "Always restore encrypted column encryption keys on GHES verions 3.7.0+"
373+
ghe-restore-column-encryption-keys "$GHE_HOSTNAME"
374+
fi
375+
370376
# Make sure mysql and elasticsearch are prep'd and running before restoring.
371377
# These services will not have been started on appliances that have not been
372378
# configured yet.

share/github-backup-utils/ghe-backup-settings

Lines changed: 10 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -78,8 +78,16 @@ backup-secret "management console password" "manage-password" "secrets.manage"
7878
backup-secret "password pepper" "password-pepper" "secrets.github.user-password-secrets"
7979
backup-secret "kredz.credz HMAC key" "kredz-credz-hmac" "secrets.kredz.credz-hmac-secret"
8080
backup-secret "kredz.varz HMAC key" "kredz-varz-hmac" "secrets.kredz.varz-hmac-secret"
81-
backup-secret "encrypted column encryption keying material" "encrypted-column-encryption-keying-material" "secrets.github.encrypted-column-keying-material"
82-
backup-secret "encrypted column current encryption key" "encrypted-column-current-encryption-key" "secrets.github.encrypted-column-current-encryption-key"
81+
82+
# backup encryption keying material for GHES 3.7.0 onwards
83+
if [ "$(version $GHE_REMOTE_VERSION)" -ge "$(version 3.7.0)" ]; then
84+
backup-secret "encrypted column encryption keying material" "encrypted-column-encryption-keying-material" "secrets.github.encrypted-column-keying-material"
85+
fi
86+
87+
# backup current encryption key for GHES 3.8.0 onwards
88+
if [ "$(version $GHE_REMOTE_VERSION)" -ge "$(version 3.8.0)" ]; then
89+
backup-secret "encrypted column current encryption key" "encrypted-column-current-encryption-key" "secrets.github.encrypted-column-current-encryption-key"
90+
fi
8391

8492
# Backup argon secrets for multiuser from ghes version 3.8 onwards
8593
if [[ "$(version $GHE_REMOTE_VERSION)" -ge "$(version 3.8.0)" && "$(version $GHE_REMOTE_VERSION)" -lt "$(version 3.8.2)" ]]; then

share/github-backup-utils/ghe-restore-column-encryption-keys

Lines changed: 42 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,42 @@
1+
#!/usr/bin/env bash
2+
#/ Usage: ghe-restore-column-encryption-keys <host>
3+
#/ Restore the column encryption keys from a snapshot to the given <host>.
4+
#/ This script will be run automatically by `ghe-restore
5+
set -e
6+
7+
# Bring in the backup configuration
8+
# shellcheck source=share/github-backup-utils/ghe-backup-config
9+
. "$( dirname "${BASH_SOURCE[0]}" )/ghe-backup-config"
10+
11+
# Show usage and bail with no arguments
12+
[ -z "$*" ] && print_usage
13+
14+
bm_start "$(basename "$0")"
15+
16+
# Grab host arg
17+
GHE_HOSTNAME="$1"
18+
19+
# Perform a host-check and establish GHE_REMOTE_XXX variables.
20+
ghe_remote_version_required "$GHE_HOSTNAME"
21+
22+
# The snapshot to restore should be set by the ghe-restore command but this lets
23+
# us run this script directly.
24+
: "${GHE_RESTORE_SNAPSHOT:=current}"
25+
26+
# Path to snapshot dir we're restoring from
27+
: "${GHE_RESTORE_SNAPSHOT_PATH:="$GHE_DATA_DIR/current"}"
28+
29+
# Restore encrypted column encryption keying material for GHES 3.7.0 onward
30+
if [ "$(version "$GHE_REMOTE_VERSION")" -ge "$(version 3.7.0)" ]; then
31+
echo "Restoring encrypted column encryption keying material"
32+
restore-secret "encrypted column encryption keying material" "encrypted-column-encryption-keying-material" "secrets.github.encrypted-column-keying-material"
33+
fi
34+
35+
# Restore encrypted column current encryption key for GHES 3.8.0 onwards
36+
if [ "$(version "$GHE_REMOTE_VERSION")" -ge "$(version 3.8.0)" ]; then
37+
echo "Restoring encrypted column current encryption key"
38+
restore-secret "encrypted column current encryption key" "encrypted-column-current-encryption-key" "secrets.github.encrypted-column-current-encryption-key"
39+
fi
40+
41+
42+
bm_end "$(basename "$0")"

share/github-backup-utils/ghe-restore-settings

Lines changed: 0 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -53,12 +53,6 @@ restore-secret "kredz.credz HMAC key" "kredz-credz-hmac" "secrets.kredz.credz-hm
5353
# Restore kredz.varz HMAC key if present.
5454
restore-secret "kredz.varz HMAC key" "kredz-varz-hmac" "secrets.kredz.varz-hmac-secret"
5555

56-
# Restore encrypted column encryption keying material if present
57-
restore-secret "encrypted column encryption keying material" "encrypted-column-encryption-keying-material" "secrets.github.encrypted-column-keying-material"
58-
59-
# Restore encrypted column current encryption key if present
60-
restore-secret "encrypted column current encryption key" "encrypted-column-current-encryption-key" "secrets.github.encrypted-column-current-encryption-key"
61-
6256
# Restore SAML keys if present.
6357
if [ -f "$GHE_RESTORE_SNAPSHOT_PATH/saml-keys.tar" ]; then
6458
echo "Restoring SAML keys ..."

test/test-ghe-backup.sh

Lines changed: 60 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -520,7 +520,18 @@ begin_test "ghe-backup takes backup of kredz-varz settings"
520520
)
521521
end_test
522522

523-
begin_test "ghe-backup takes backup of encrypted column encryption keying material"
523+
begin_test "ghe-backup does not take backup of encrypted column encryption keying material for versions below 3.7.0"
524+
(
525+
GHE_REMOTE_VERSION=2.1.10 ghe-backup -v | grep -q "encrypted column encryption keying material not set" && exit 1
526+
[ ! -f "$GHE_DATA_DIR/current/encrypted-column-keying-material" ]
527+
528+
GHE_REMOTE_VERSION=3.6.1 ghe-backup -v | grep -q "encrypted column encryption keying material not set" && exit 1
529+
[ ! -f "$GHE_DATA_DIR/current/encrypted-column-keying-material" ]
530+
531+
)
532+
end_test
533+
534+
begin_test "ghe-backup takes backup of encrypted column encryption keying material for versions 3.7.0+"
524535
(
525536
set -e
526537

@@ -532,6 +543,24 @@ begin_test "ghe-backup takes backup of encrypted column encryption keying materi
532543
ghe-ssh "$GHE_HOSTNAME" -- ghe-config "$secret" "foo"
533544
done
534545

546+
# GHES version 3.7.0
547+
GHE_REMOTE_VERSION=3.7.0
548+
export GHE_REMOTE_VERSION
549+
550+
ghe-backup
551+
552+
required_files=(
553+
"encrypted-column-encryption-keying-material"
554+
)
555+
556+
for file in "${required_files[@]}"; do
557+
[ "$(cat "$GHE_DATA_DIR/current/$file")" = "foo" ]
558+
done
559+
560+
# GHES version 3.8.0
561+
GHE_REMOTE_VERSION=3.8.0
562+
export GHE_REMOTE_VERSION
563+
535564
ghe-backup
536565

537566
required_files=(
@@ -545,7 +574,18 @@ begin_test "ghe-backup takes backup of encrypted column encryption keying materi
545574
)
546575
end_test
547576

548-
begin_test "ghe-backup takes backup of encrypted column current encryption key"
577+
begin_test "ghe-backup does not take backup of encrypted column current encryption key for versions below 3.8.0"
578+
(
579+
GHE_REMOTE_VERSION=2.1.10 ghe-backup -v | grep -q "encrypted column current encryption key not set" && exit 1
580+
[ ! -f "$GHE_DATA_DIR/current/encrypted-column-current-encryption-key" ]
581+
582+
GHE_REMOTE_VERSION=3.7.0 ghe-backup -v | grep -q "encrypted column current encryption key not set" && exit 1
583+
[ ! -f "$GHE_DATA_DIR/current/encrypted-column-current-encryption-key" ]
584+
585+
)
586+
end_test
587+
588+
begin_test "ghe-backup takes backup of encrypted column current encryption key for versions 3.8.0+"
549589
(
550590
set -e
551591

@@ -557,6 +597,24 @@ begin_test "ghe-backup takes backup of encrypted column current encryption key"
557597
ghe-ssh "$GHE_HOSTNAME" -- ghe-config "$secret" "foo"
558598
done
559599

600+
# GHES version 3.8.0
601+
GHE_REMOTE_VERSION=3.8.0
602+
export GHE_REMOTE_VERSION
603+
604+
ghe-backup
605+
606+
required_files=(
607+
"encrypted-column-current-encryption-key"
608+
)
609+
610+
for file in "${required_files[@]}"; do
611+
[ "$(cat "$GHE_DATA_DIR/current/$file")" = "foo" ]
612+
done
613+
614+
# GHES version 3.9.0
615+
GHE_REMOTE_VERSION=3.9.0
616+
export GHE_REMOTE_VERSION
617+
560618
ghe-backup
561619

562620
required_files=(

test/test-ghe-restore.sh

Lines changed: 60 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -281,7 +281,18 @@ begin_test "ghe-restore with no pages backup"
281281
)
282282
end_test
283283

284-
begin_test "ghe-restore with encrypted column encryption keying material"
284+
begin_test "ghe-restore does not restore encrypted column encryption keying material for versions below 3.7.0"
285+
(
286+
GHE_REMOTE_VERSION=2.1.10 ghe-restore -v -f localhost | grep -q "encrypted column encryption keying material not set" && exit 1
287+
[ ! -f "$GHE_DATA_DIR/current/encrypted-column-keying-material" ]
288+
289+
GHE_REMOTE_VERSION=3.6.1 ghe-restore -v -f localhost | grep -q "encrypted column encryption keying material not set" && exit 1
290+
[ ! -f "$GHE_DATA_DIR/current/encrypted-column-keying-material" ]
291+
292+
)
293+
end_test
294+
295+
begin_test "ghe-restore with encrypted column encryption keying material for versions 3.7.0+"
285296
(
286297
set -e
287298
rm -rf "$GHE_REMOTE_ROOT_DIR"
@@ -295,6 +306,23 @@ begin_test "ghe-restore with encrypted column encryption keying material"
295306
echo "foo" > "$GHE_DATA_DIR/current/$file"
296307
done
297308

309+
# GHES version 3.7.0
310+
GHE_REMOTE_VERSION=3.7.0
311+
export GHE_REMOTE_VERSION
312+
313+
ghe-restore -v -f localhost
314+
required_secrets=(
315+
"secrets.github.encrypted-column-keying-material"
316+
)
317+
318+
for secret in "${required_secrets[@]}"; do
319+
[ "$(ghe-ssh "$GHE_HOSTNAME" -- ghe-config "$secret")" = "foo" ]
320+
done
321+
322+
# GHES version 3.8.0
323+
GHE_REMOTE_VERSION=3.8.0
324+
export GHE_REMOTE_VERSION
325+
298326
ghe-restore -v -f localhost
299327
required_secrets=(
300328
"secrets.github.encrypted-column-keying-material"
@@ -306,7 +334,19 @@ begin_test "ghe-restore with encrypted column encryption keying material"
306334
)
307335
end_test
308336

309-
begin_test "ghe-restore with encrypted column current encryption key"
337+
338+
begin_test "ghe-restore does not encrypted column current encryption key for versions below 3.8.0"
339+
(
340+
GHE_REMOTE_VERSION=2.1.10 ghe-restore -v -f | grep -q "encrypted column current encryption key not set" && exit 1
341+
[ ! -f "$GHE_DATA_DIR/current/encrypted-column-current-encryption-key" ]
342+
343+
GHE_REMOTE_VERSION=3.7.0 ghe-restore -v -f | grep -q "encrypted column current encryption key not set" && exit 1
344+
[ ! -f "$GHE_DATA_DIR/current/encrypted-column-current-encryption-key" ]
345+
346+
)
347+
end_test
348+
349+
begin_test "ghe-restore with encrypted column current encryption key for versions 3.8.0+"
310350
(
311351
set -e
312352
rm -rf "$GHE_REMOTE_ROOT_DIR"
@@ -320,6 +360,24 @@ begin_test "ghe-restore with encrypted column current encryption key"
320360
echo "foo" > "$GHE_DATA_DIR/current/$file"
321361
done
322362

363+
# GHES version 3.8.0
364+
GHE_REMOTE_VERSION=3.8.0
365+
export GHE_REMOTE_VERSION
366+
367+
ghe-restore -v -f localhost
368+
required_secrets=(
369+
"secrets.github.encrypted-column-current-encryption-key"
370+
)
371+
372+
for secret in "${required_secrets[@]}"; do
373+
[ "$(ghe-ssh "$GHE_HOSTNAME" -- ghe-config "$secret")" = "foo" ]
374+
done
375+
376+
377+
# GHES version 3.9.0
378+
GHE_REMOTE_VERSION=3.9.0
379+
export GHE_REMOTE_VERSION
380+
323381
ghe-restore -v -f localhost
324382
required_secrets=(
325383
"secrets.github.encrypted-column-current-encryption-key"

0 commit comments

Comments
 (0)