Merge pull request #331 from github/add-encrypted-column-keys
Add encrypted column encryption keys to backup utils
This commit is contained in:
Родитель
cbb7d75097
Коммит
f5a0699cbf
|
@ -76,6 +76,15 @@ backup-secret() {
|
||||||
|
|
||||||
backup-secret "management console password" "manage-password" "secrets.manage"
|
backup-secret "management console password" "manage-password" "secrets.manage"
|
||||||
backup-secret "password pepper" "password-pepper" "secrets.github.user-password-secrets"
|
backup-secret "password pepper" "password-pepper" "secrets.github.user-password-secrets"
|
||||||
|
backup-secret "kredz.credz HMAC key" "kredz-credz-hmac" "secrets.kredz.credz-hmac-secret"
|
||||||
|
backup-secret "kredz.varz HMAC key" "kredz-varz-hmac" "secrets.kredz.varz-hmac-secret"
|
||||||
|
backup-secret "encrypted column encryption keying material" "encrypted-column-encryption-keying-material" "secrets.github.encrypted-column-keying-material"
|
||||||
|
backup-secret "encrypted column current encryption key" "encrypted-column-current-encryption-key" "secrets.github.encrypted-column-current-encryption-key"
|
||||||
|
|
||||||
|
# Backup argon secrets for multiuser from ghes version 3.8 onwards
|
||||||
|
if [[ "$(version $GHE_REMOTE_VERSION)" -ge "$(version 3.8.0)" && "$(version $GHE_REMOTE_VERSION)" -lt "$(version 3.8.2)" ]]; then
|
||||||
|
backup-secret "management console argon2 secret" "manage-argon-secret" "secrets.manage-auth.argon-secret"
|
||||||
|
fi
|
||||||
|
|
||||||
# Backup external MySQL password if running external MySQL DB.
|
# Backup external MySQL password if running external MySQL DB.
|
||||||
if is_service_external 'mysql'; then
|
if is_service_external 'mysql'; then
|
||||||
|
|
|
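Review bot: The added comment `# Backup argon secrets for multiuser from ghes version 3.8 onwards` does not match the condition on the line below it, which backs the secret up only when the remote version is at least 3.8.0 and strictly below 3.8.2, so instances on 3.8.2 or later silently skip `secrets.manage-auth.argon-secret`. If the upper bound is intentional, the comment should say so, e.g. `# Backup argon secret for multiuser; only applies to GHES 3.8.0 and 3.8.1 — TODO confirm`; otherwise drop the `-lt` clause. While touching that line, quote the variable inside the substitutions: `"$(version "$GHE_REMOTE_VERSION")"`. backup-secret itself is defined outside the hunk, so the hunk does not show how the snapshot files are written; since two of the new entries are encrypted-column key material, it is worth confirming that the function creates them with a restrictive file mode.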
@ -44,6 +44,21 @@ ghe-restore-packages "$GHE_HOSTNAME" 1>&3
|
||||||
# Restore management console password hash if present.
|
# Restore management console password hash if present.
|
||||||
restore-secret "management console password" "manage-password" "secrets.manage"
|
restore-secret "management console password" "manage-password" "secrets.manage"
|
||||||
|
|
||||||
|
# Restore management console argon2 secret if present.
|
||||||
|
restore-secret "management console argon2 secret" "manage-argon-secret" "secrets.manage-auth.argon-secret"
|
||||||
|
|
||||||
|
# Restore kredz.credz HMAC key if present.
|
||||||
|
restore-secret "kredz.credz HMAC key" "kredz-credz-hmac" "secrets.kredz.credz-hmac-secret"
|
||||||
|
|
||||||
|
# Restore kredz.varz HMAC key if present.
|
||||||
|
restore-secret "kredz.varz HMAC key" "kredz-varz-hmac" "secrets.kredz.varz-hmac-secret"
|
||||||
|
|
||||||
|
# Restore encrypted column encryption keying material if present
|
||||||
|
restore-secret "encrypted column encryption keying material" "encrypted-column-encryption-keying-material" "secrets.github.encrypted-column-keying-material"
|
||||||
|
|
||||||
|
# Restore encrypted column current encryption key if present
|
||||||
|
restore-secret "encrypted column current encryption key" "encrypted-column-current-encryption-key" "secrets.github.encrypted-column-current-encryption-key"
|
||||||
|
|
||||||
# Restore SAML keys if present.
|
# Restore SAML keys if present.
|
||||||
if [ -f "$GHE_RESTORE_SNAPSHOT_PATH/saml-keys.tar" ]; then
|
if [ -f "$GHE_RESTORE_SNAPSHOT_PATH/saml-keys.tar" ]; then
|
||||||
echo "Restoring SAML keys ..."
|
echo "Restoring SAML keys ..."
|
||||||
|
|
|
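Review bot: The new `restore-secret "management console argon2 secret" ...` line carries no version gate, whereas the backup side of this commit only collects that secret for a narrow version range; restoring it onto a target outside that range relies on restore-secret skipping a missing snapshot file, which is outside this hunk and worth confirming. The two encrypted-column comments should also state that these values are key material: restoring `secrets.github.encrypted-column-current-encryption-key` onto a target whose database rows were presumably encrypted under a different key would leave those columns unreadable, so the comment could read `# Restore encrypted column keys if present; they must match the restored MySQL data.` Minor: those two added comments lack the trailing period the surrounding comments use.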
@ -470,6 +470,106 @@ begin_test "ghe-backup upgrades transaction backup to full if LSN chain break"
|
||||||
)
|
)
|
||||||
end_test
|
end_test
|
||||||
|
|
||||||
|
begin_test "ghe-backup takes backup of Kredz settings"
|
||||||
|
(
|
||||||
|
set -e
|
||||||
|
|
||||||
|
required_secrets=(
|
||||||
|
"secrets.kredz.credz-hmac-secret"
|
||||||
|
)
|
||||||
|
|
||||||
|
for secret in "${required_secrets[@]}"; do
|
||||||
|
ghe-ssh "$GHE_HOSTNAME" -- ghe-config "$secret" "foo"
|
||||||
|
done
|
||||||
|
|
||||||
|
ghe-backup
|
||||||
|
|
||||||
|
required_files=(
|
||||||
|
"kredz-credz-hmac"
|
||||||
|
)
|
||||||
|
|
||||||
|
for file in "${required_files[@]}"; do
|
||||||
|
[ "$(cat "$GHE_DATA_DIR/current/$file")" = "foo" ]
|
||||||
|
done
|
||||||
|
|
||||||
|
)
|
||||||
|
end_test
|
||||||
|
|
||||||
|
begin_test "ghe-backup takes backup of kredz-varz settings"
|
||||||
|
(
|
||||||
|
set -e
|
||||||
|
|
||||||
|
required_secrets=(
|
||||||
|
"secrets.kredz.varz-hmac-secret"
|
||||||
|
)
|
||||||
|
|
||||||
|
for secret in "${required_secrets[@]}"; do
|
||||||
|
ghe-ssh "$GHE_HOSTNAME" -- ghe-config "$secret" "foo"
|
||||||
|
done
|
||||||
|
|
||||||
|
ghe-backup
|
||||||
|
|
||||||
|
required_files=(
|
||||||
|
"kredz-varz-hmac"
|
||||||
|
)
|
||||||
|
|
||||||
|
for file in "${required_files[@]}"; do
|
||||||
|
[ "$(cat "$GHE_DATA_DIR/current/$file")" = "foo" ]
|
||||||
|
done
|
||||||
|
|
||||||
|
)
|
||||||
|
end_test
|
||||||
|
|
||||||
|
begin_test "ghe-backup takes backup of encrypted column encryption keying material"
|
||||||
|
(
|
||||||
|
set -e
|
||||||
|
|
||||||
|
required_secrets=(
|
||||||
|
"secrets.github.encrypted-column-keying-material"
|
||||||
|
)
|
||||||
|
|
||||||
|
for secret in "${required_secrets[@]}"; do
|
||||||
|
ghe-ssh "$GHE_HOSTNAME" -- ghe-config "$secret" "foo"
|
||||||
|
done
|
||||||
|
|
||||||
|
ghe-backup
|
||||||
|
|
||||||
|
required_files=(
|
||||||
|
"encrypted-column-encryption-keying-material"
|
||||||
|
)
|
||||||
|
|
||||||
|
for file in "${required_files[@]}"; do
|
||||||
|
[ "$(cat "$GHE_DATA_DIR/current/$file")" = "foo" ]
|
||||||
|
done
|
||||||
|
|
||||||
|
)
|
||||||
|
end_test
|
||||||
|
|
||||||
|
begin_test "ghe-backup takes backup of encrypted column current encryption key"
|
||||||
|
(
|
||||||
|
set -e
|
||||||
|
|
||||||
|
required_secrets=(
|
||||||
|
"secrets.github.encrypted-column-current-encryption-key"
|
||||||
|
)
|
||||||
|
|
||||||
|
for secret in "${required_secrets[@]}"; do
|
||||||
|
ghe-ssh "$GHE_HOSTNAME" -- ghe-config "$secret" "foo"
|
||||||
|
done
|
||||||
|
|
||||||
|
ghe-backup
|
||||||
|
|
||||||
|
required_files=(
|
||||||
|
"encrypted-column-current-encryption-key"
|
||||||
|
)
|
||||||
|
|
||||||
|
for file in "${required_files[@]}"; do
|
||||||
|
[ "$(cat "$GHE_DATA_DIR/current/$file")" = "foo" ]
|
||||||
|
done
|
||||||
|
|
||||||
|
)
|
||||||
|
end_test
|
||||||
|
|
||||||
begin_test "ghe-backup takes backup of Actions settings"
|
begin_test "ghe-backup takes backup of Actions settings"
|
||||||
(
|
(
|
||||||
set -e
|
set -e
|
||||||
|
|
|
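Review bot: Each of the four new begin_test blocks fills `required_secrets` and `required_files` with a single entry, although the arrays and their loops exist precisely to check several secrets in one test; the two encrypted-column tests (and likewise the two Kredz tests) could be one test each with both entries listed, removing most of the duplicated setup/backup/verify scaffolding. The same single-entry pattern repeats in the ghe-restore test hunk further down. The assertions also only check that the value round-trips; since `encrypted-column-encryption-keying-material` and `encrypted-column-current-encryption-key` are key material, an additional check on the snapshot file's permission bits would catch the backup writing them readable by other users, if the test harness has a portable way to read file modes.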
@ -281,6 +281,56 @@ begin_test "ghe-restore with no pages backup"
|
||||||
)
|
)
|
||||||
end_test
|
end_test
|
||||||
|
|
||||||
|
begin_test "ghe-restore with encrypted column encryption keying material"
|
||||||
|
(
|
||||||
|
set -e
|
||||||
|
rm -rf "$GHE_REMOTE_ROOT_DIR"
|
||||||
|
setup_remote_metadata
|
||||||
|
|
||||||
|
required_files=(
|
||||||
|
"encrypted-column-encryption-keying-material"
|
||||||
|
)
|
||||||
|
|
||||||
|
for file in "${required_files[@]}"; do
|
||||||
|
echo "foo" > "$GHE_DATA_DIR/current/$file"
|
||||||
|
done
|
||||||
|
|
||||||
|
ghe-restore -v -f localhost
|
||||||
|
required_secrets=(
|
||||||
|
"secrets.github.encrypted-column-keying-material"
|
||||||
|
)
|
||||||
|
|
||||||
|
for secret in "${required_secrets[@]}"; do
|
||||||
|
[ "$(ghe-ssh "$GHE_HOSTNAME" -- ghe-config "$secret")" = "foo" ]
|
||||||
|
done
|
||||||
|
)
|
||||||
|
end_test
|
||||||
|
|
||||||
|
begin_test "ghe-restore with encrypted column current encryption key"
|
||||||
|
(
|
||||||
|
set -e
|
||||||
|
rm -rf "$GHE_REMOTE_ROOT_DIR"
|
||||||
|
setup_remote_metadata
|
||||||
|
|
||||||
|
required_files=(
|
||||||
|
"encrypted-column-current-encryption-key"
|
||||||
|
)
|
||||||
|
|
||||||
|
for file in "${required_files[@]}"; do
|
||||||
|
echo "foo" > "$GHE_DATA_DIR/current/$file"
|
||||||
|
done
|
||||||
|
|
||||||
|
ghe-restore -v -f localhost
|
||||||
|
required_secrets=(
|
||||||
|
"secrets.github.encrypted-column-current-encryption-key"
|
||||||
|
)
|
||||||
|
|
||||||
|
for secret in "${required_secrets[@]}"; do
|
||||||
|
[ "$(ghe-ssh "$GHE_HOSTNAME" -- ghe-config "$secret")" = "foo" ]
|
||||||
|
done
|
||||||
|
)
|
||||||
|
end_test
|
||||||
|
|
||||||
# Setup Actions data for the subsequent tests
|
# Setup Actions data for the subsequent tests
|
||||||
setup_actions_test_data "$GHE_DATA_DIR/1"
|
setup_actions_test_data "$GHE_DATA_DIR/1"
|
||||||
|
|
||||||
|
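Review bot: Both new tests cover only the positive path, a snapshot that contains the key file, while the restore script describes the behaviour as "if present"; there is no test that a restore from a snapshot without `encrypted-column-current-encryption-key` leaves an existing key on the target untouched, which is the case where a wrong outcome would lose access to encrypted data. A companion test could set the secret on the remote with `ghe-ssh "$GHE_HOSTNAME" -- ghe-config "secrets.github.encrypted-column-current-encryption-key" "bar"`, run `ghe-restore -v -f localhost` with no key file under `$GHE_DATA_DIR/current`, and assert the value is still `bar`. The same gap applies to the Kredz restore tests in the next hunk. Also, `echo "foo" >` writes a trailing newline while the assertion compares against bare `foo`; the test passing depends on restore-secret or ghe-config trimming it, which happens outside this hunk.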
@ -310,6 +360,58 @@ begin_test "ghe-restore invokes ghe-import-mssql"
|
||||||
)
|
)
|
||||||
end_test
|
end_test
|
||||||
|
|
||||||
|
begin_test "ghe-restore with Kredz settings"
|
||||||
|
(
|
||||||
|
set -e
|
||||||
|
rm -rf "$GHE_REMOTE_ROOT_DIR"
|
||||||
|
setup_remote_metadata
|
||||||
|
enable_actions
|
||||||
|
|
||||||
|
required_files=(
|
||||||
|
"kredz-credz-hmac"
|
||||||
|
)
|
||||||
|
|
||||||
|
for file in "${required_files[@]}"; do
|
||||||
|
echo "foo" > "$GHE_DATA_DIR/current/$file"
|
||||||
|
done
|
||||||
|
|
||||||
|
ghe-restore -v -f localhost
|
||||||
|
required_secrets=(
|
||||||
|
"secrets.kredz.credz-hmac-secret"
|
||||||
|
)
|
||||||
|
|
||||||
|
for secret in "${required_secrets[@]}"; do
|
||||||
|
[ "$(ghe-ssh "$GHE_HOSTNAME" -- ghe-config "$secret")" = "foo" ]
|
||||||
|
done
|
||||||
|
)
|
||||||
|
end_test
|
||||||
|
|
||||||
|
begin_test "ghe-restore with kredz-varz settings"
|
||||||
|
(
|
||||||
|
set -e
|
||||||
|
rm -rf "$GHE_REMOTE_ROOT_DIR"
|
||||||
|
setup_remote_metadata
|
||||||
|
enable_actions
|
||||||
|
|
||||||
|
required_files=(
|
||||||
|
"kredz-varz-hmac"
|
||||||
|
)
|
||||||
|
|
||||||
|
for file in "${required_files[@]}"; do
|
||||||
|
echo "foo" > "$GHE_DATA_DIR/current/$file"
|
||||||
|
done
|
||||||
|
|
||||||
|
ghe-restore -v -f localhost
|
||||||
|
required_secrets=(
|
||||||
|
"secrets.kredz.varz-hmac-secret"
|
||||||
|
)
|
||||||
|
|
||||||
|
for secret in "${required_secrets[@]}"; do
|
||||||
|
[ "$(ghe-ssh "$GHE_HOSTNAME" -- ghe-config "$secret")" = "foo" ]
|
||||||
|
done
|
||||||
|
)
|
||||||
|
end_test
|
||||||
|
|
||||||
begin_test "ghe-restore with Actions settings"
|
begin_test "ghe-restore with Actions settings"
|
||||||
(
|
(
|
||||||
set -e
|
set -e
|
||||||
|
|