Merge pull request #170 from github/actions-backup

Adds support for backing up Actions files

Author: dhadka

bin/ghe-backup

@@ -185,6 +185,9 @@ ghe-backup-mysql || failures="$failures mysql"
 if ghe-ssh "$GHE_HOSTNAME" -- 'ghe-config --true app.actions.enabled'; then
   echo "Backing up MSSQL databases ..."
   ghe-backup-mssql 1>&3 || failures="$failures mssql"
+
+  echo "Backing up Actions data ..."
+  ghe-backup-actions 1>&3 || failures="$failures actions"
 fi
 
 commands=("

bin/ghe-restore

@@ -301,8 +301,11 @@ else
 fi
 
 if ghe-ssh "$GHE_HOSTNAME" -- 'ghe-config --true app.actions.enabled'; then
-  echo "Restoring MSSQL database ..."
+  echo "Restoring MSSQL databases ..."
   ghe-restore-mssql "$GHE_HOSTNAME" 1>&3
+
+  echo "Restoring Actions data ..."
+  ghe-restore-actions "$GHE_HOSTNAME" 1>&3
 fi
 
 commands=("

share/github-backup-utils/ghe-backup-actions

@@ -0,0 +1,50 @@
+#!/usr/bin/env bash
+#/ Usage: ghe-backup-actions
+#/ Take an online, incremental snapshot of all Actions data (excluding
+#/ what is stored in MSSQL)
+#/
+#/ Note: This command typically isn't called directly. It's invoked by
+#/ ghe-backup.
+set -e
+
+# Bring in the backup configuration
+# shellcheck source=share/github-backup-utils/ghe-backup-config
+. "$( dirname "${BASH_SOURCE[0]}" )/ghe-backup-config"
+
+bm_start "$(basename $0)"
+
+# Set up remote host and root backup snapshot directory based on config
+port=$(ssh_port_part "$GHE_HOSTNAME")
+host=$(ssh_host_part "$GHE_HOSTNAME")
+backup_dir="$GHE_SNAPSHOT_DIR/actions"
+
+# Verify rsync is available.
+if ! rsync --version 1>/dev/null 2>&1; then
+  echo "Error: rsync not found." 1>&2
+  exit 1
+fi
+
+# Perform a host-check and establish GHE_REMOTE_XXX variables.
+ghe_remote_version_required "$host"
+
+# Make sure root backup dir exists if this is the first run
+mkdir -p "$backup_dir"
+
+# If we have a previous increment and it is not empty, avoid transferring existing files via rsync's
+# --link-dest support. This also decreases physical space usage considerably.
+if [ -d "$GHE_DATA_DIR/current/actions" ] && [ "$(ls -A $GHE_DATA_DIR/current/actions)" ]; then
+  link_dest="--link-dest=$GHE_DATA_DIR/current/actions"
+fi
+
+# Transfer all Actions data from the user data directory using rsync.
+ghe_verbose "* Transferring actions files from $host ..."
+
+ghe-rsync -avz \
+  -e "ghe-ssh -p $port" \
+  --rsync-path='sudo -u actions rsync' \
+  --exclude "mutexes" --exclude "dumps" \
+  $link_dest \
+  "$host:$GHE_REMOTE_DATA_USER_DIR/actions/" \
+  "$GHE_SNAPSHOT_DIR/actions" 1>&3
+
+bm_end "$(basename $0)"

share/github-backup-utils/ghe-backup-settings

@@ -25,27 +25,45 @@ ghe-ssh "$host" -- 'ghe-export-settings' > settings.json
 echo "* Transferring license data ..." 1>&3
 ghe-ssh "$host" -- "sudo cat '$GHE_REMOTE_LICENSE_FILE'" > enterprise.ghl
 
-echo "* Transferring management console password ..." 1>&3
-ghe-ssh "$host" -- ghe-config secrets.manage > manage-password+ || (
-  echo "Warning: Management Console password not set" >&2
-)
-if [ -n "$(cat manage-password+)" ]; then
-  mv manage-password+ manage-password
-else
-  unlink manage-password+
-fi
-
-# Backup external MySQL password if running external MySQL DB.
-if is_service_external 'mysql'; then
-  echo "Transferring external MySQL password..." 1>&3
-  ghe-ssh "$host" -- ghe-config secrets.external.mysql > external-mysql-password+ || (
-    echo "Warning: External MySQL password not set" >&2
+# Function to backup a secret setting to a file.
+#   backup-secret <description> <file-name> <setting-name>
+backup-secret() {
+  echo "* Transferring $1 ..." 1>&3
+  ghe-ssh "$host" -- ghe-config "$3" > "$2+" || (
+    echo "Warning: $1 not set" >&2
   )
-  if [ -n "$(cat external-mysql-password+)" ]; then
-    mv external-mysql-password+ external-mysql-password
+  if [ -n "$(cat "$2+")" ]; then
+    mv "$2+" "$2"
   else
-    unlink external-mysql-password+
+    unlink "$2+"
   fi
+}
+
+backup-secret "management console password" "manage-password" "secrets.manage"
+
+# Backup external MySQL password if running external MySQL DB.
+if is_service_external 'mysql'; then
+  backup-secret "external MySQL password" "external-mysql-password" "secrets.external.mysql"
+fi
+
+# Backup Actions settings.
+if ghe-ssh "$host" -- ghe-config --true app.actions.enabled; then
+  backup-secret "Actions configuration database login" "actions-config-db-login" "secrets.actions.ConfigurationDatabaseSqlLogin"
+  backup-secret "Actions configuration database password" "actions-config-db-password" "secrets.actions.ConfigurationDatabaseSqlPassword"
+  backup-secret "Actions framework access token key secret" "actions-framework-access-token" "secrets.actions.FrameworkAccessTokenKeySecret"
+  backup-secret "Actions Url signing HMAC key primary" "actions-url-signing-hmac-key-primary" "secrets.actions.UrlSigningHmacKeyPrimary"
+  backup-secret "Actions Url signing HMAC key secondary" "actions-url-signing-hmac-key-secondary" "secrets.actions.UrlSigningHmacKeySecondary"
+  backup-secret "Actions OAuth S2S signing cert" "actions-oauth-s2s-signing-cert" "secrets.actions.OAuthS2SSigningCert"
+  backup-secret "Actions OAuth S2S signing key" "actions-oauth-s2s-signing-key" "secrets.actions.OAuthS2SSigningKey"
+  backup-secret "Actions OAuth S2S signing cert thumbprint" "actions-oauth-s2s-signing-cert-thumbprint" "secrets.actions.OAuthS2SSigningCertThumbprint"
+  backup-secret "Actions primary encryption cert thumbprint" "actions-primary-encryption-cert-thumbprint" "secrets.actions.PrimaryEncryptionCertificateThumbprint"
+  backup-secret "Actions AAD cert thumbprint" "actions-add-cert-thumbprint" "secrets.actions.AADCertThumbprint"
+  backup-secret "Actions delegated auth cert thumbprint" "actions-delegated-auth-cert-thumbprint" "secrets.actions.DelegatedAuthCertThumbprint"
+  backup-secret "Actions runtime service principal cert" "actions-runtime-service-principal-cert" "secrets.actions.RuntimeServicePrincipalCertificate"
+  backup-secret "Actions S2S encryption cert" "actions-s2s-encryption-cert" "secrets.actions.S2SEncryptionCertificate"
+  backup-secret "Actions secondary encryption cert thumbprint" "actions-secondary-encryption-cert-thumbprint" "secrets.actions.SecondaryEncryptionCertificateThumbprint"
+  backup-secret "Actions service principal cert" "actions-service-principal-cert" "secrets.actions.ServicePrincipalCertificate"
+  backup-secret "Actions SPS validation cert thumbprint" "actions-sps-validation-cert-thumbprint" "secrets.actions.SpsValidationCertThumbprint"
 fi
 
 if ghe-ssh "$host" -- "test -f $GHE_REMOTE_DATA_USER_DIR/common/idp.crt"; then

share/github-backup-utils/ghe-restore-actions

@@ -0,0 +1,49 @@
+#!/usr/bin/env bash
+#/ Usage: ghe-restore-actions <host>
+#/ Restore additional Actions files from an rsync snapshot.
+#/
+#/ Note: This script typically isn't called directly. It's invoked by the
+#/ ghe-restore command.
+set -e
+
+# Bring in the backup configuration
+# shellcheck source=share/github-backup-utils/ghe-backup-config
+. "$( dirname "${BASH_SOURCE[0]}" )/ghe-backup-config"
+
+# Show usage and bail with no arguments
+[ -z "$*" ] && print_usage
+
+bm_start "$(basename $0)"
+
+# Grab host arg
+GHE_HOSTNAME="$1"
+
+# The snapshot to restore should be set by the ghe-restore command but this lets
+# us run this script directly.
+: ${GHE_RESTORE_SNAPSHOT:=current}
+
+port=$(ssh_port_part "$GHE_HOSTNAME")
+host=$(ssh_host_part "$GHE_HOSTNAME")
+
+# No need to restore anything, early exit
+if [ ! -d "$GHE_DATA_DIR/$GHE_RESTORE_SNAPSHOT/actions" ]; then
+  echo "Warning: Actions backup missing. Skipping ..."
+  exit 0
+fi
+
+# Perform a host-check and establish GHE_REMOTE_XXX variables.
+ghe_remote_version_required "$host"
+
+# Transfer all Actions data from the snapshot to the user data directory using rsync.
+ghe_verbose "* Transferring actions files to $host ..."
+
+echo "sudo mkdir -p $GHE_REMOTE_DATA_USER_DIR/actions" |
+ghe-ssh -p $port $host /bin/bash
+
+ghe-rsync -arvHR --delete \
+  -e "ghe-ssh -p $port" \
+  --rsync-path='sudo -u actions rsync' \
+  "$GHE_DATA_DIR/$GHE_RESTORE_SNAPSHOT/actions/./" \
+  "$host:$GHE_REMOTE_DATA_USER_DIR/actions/" 1>&3
+
+bm_end "$(basename $0)"

share/github-backup-utils/ghe-restore-settings

@@ -28,25 +28,46 @@ GHE_RESTORE_SNAPSHOT_PATH="$GHE_DATA_DIR/$GHE_RESTORE_SNAPSHOT"
 echo "Restoring license ..."
 ghe-ssh "$GHE_HOSTNAME" -- 'ghe-import-license' < "$GHE_RESTORE_SNAPSHOT_PATH/enterprise.ghl" 1>&3
 
-# Restore external MySQL password if running external MySQL DB.
-if [ -f "$GHE_RESTORE_SNAPSHOT_PATH/external-mysql-password" ]; then
-  echo "Restoring external MySQL password ..."
-  echo "ghe-config secrets.external.mysql '$(cat "$GHE_RESTORE_SNAPSHOT_PATH/external-mysql-password")'" |
-  ghe-ssh "$GHE_HOSTNAME" -- /bin/bash
-fi
+# Function to restore a secret setting stored in a file.
+#   restore-secret <description> <file-name> <setting-name>
+restore-secret() {
+  if [ -f "$GHE_RESTORE_SNAPSHOT_PATH/$2" ]; then
+    echo "Restoring $1 ..."
+    echo "ghe-config '$3' '$(cat "$GHE_RESTORE_SNAPSHOT_PATH/$2")'" |
+    ghe-ssh "$GHE_HOSTNAME" -- /bin/bash
+  fi
+}
 
 echo "Restoring settings ..."
+
+# Restore external MySQL password if running external MySQL DB.
+restore-secret "external MySQL password" "external-mysql-password" "secrets.external.mysql"
+
+# Restore Actions settings.
+restore-secret "Actions configuration database login" "actions-config-db-login" "secrets.actions.ConfigurationDatabaseSqlLogin"
+restore-secret "Actions configuration database password" "actions-config-db-password" "secrets.actions.ConfigurationDatabaseSqlPassword"
+restore-secret "Actions framework access token key secret" "actions-framework-access-token" "secrets.actions.FrameworkAccessTokenKeySecret"
+restore-secret "Actions Url signing HMAC key primary" "actions-url-signing-hmac-key-primary" "secrets.actions.UrlSigningHmacKeyPrimary"
+restore-secret "Actions Url signing HMAC key secondary" "actions-url-signing-hmac-key-secondary" "secrets.actions.UrlSigningHmacKeySecondary"
+restore-secret "Actions OAuth S2S signing cert" "actions-oauth-s2s-signing-cert" "secrets.actions.OAuthS2SSigningCert"
+restore-secret "Actions OAuth S2S signing key" "actions-oauth-s2s-signing-key" "secrets.actions.OAuthS2SSigningKey"
+restore-secret "Actions OAuth S2S signing cert thumbprint" "actions-oauth-s2s-signing-cert-thumbprint" "secrets.actions.OAuthS2SSigningCertThumbprint"
+restore-secret "Actions primary encryption cert thumbprint" "actions-primary-encryption-cert-thumbprint" "secrets.actions.PrimaryEncryptionCertificateThumbprint"
+restore-secret "Actions AAD cert thumbprint" "actions-add-cert-thumbprint" "secrets.actions.AADCertThumbprint"
+restore-secret "Actions delegated auth cert thumbprint" "actions-delegated-auth-cert-thumbprint" "secrets.actions.DelegatedAuthCertThumbprint"
+restore-secret "Actions runtime service principal cert" "actions-runtime-service-principal-cert" "secrets.actions.RuntimeServicePrincipalCertificate"
+restore-secret "Actions S2S encryption cert" "actions-s2s-encryption-cert" "secrets.actions.S2SEncryptionCertificate"
+restore-secret "Actions secondary encryption cert thumbprint" "actions-secondary-encryption-cert-thumbprint" "secrets.actions.SecondaryEncryptionCertificateThumbprint"
+restore-secret "Actions service principal cert" "actions-service-principal-cert" "secrets.actions.ServicePrincipalCertificate"
+restore-secret "Actions SPS validation cert thumbprint" "actions-sps-validation-cert-thumbprint" "secrets.actions.SpsValidationCertThumbprint"
+
 # work around issue importing settings with bad storage mode values
 ( cat "$GHE_RESTORE_SNAPSHOT_PATH/settings.json" && echo ) |
   sed 's/"storage_mode": "device"/"storage_mode": "rootfs"/' |
   ghe-ssh "$GHE_HOSTNAME" -- '/usr/bin/env GHEBUVER=2 ghe-import-settings' 1>&3
 
 # Restore management console password hash if present.
-if [ -f "$GHE_RESTORE_SNAPSHOT_PATH/manage-password" ]; then
-  echo "Restoring management console password ..."
-  echo "ghe-config secrets.manage '$(cat "$GHE_RESTORE_SNAPSHOT_PATH/manage-password")'" |
-  ghe-ssh "$GHE_HOSTNAME" -- /bin/bash
-fi
+restore-secret "management console password" "manage-password" "secrets.manage"
 
 # Restore SAML keys if present.
 if [ -f "$GHE_RESTORE_SNAPSHOT_PATH/saml-keys.tar" ]; then

test/test-ghe-backup.sh

@@ -424,6 +424,73 @@ begin_test "ghe-backup warns if database names mismatched"
 )
 end_test
 
+begin_test "ghe-backup takes backup of Actions settings"
+(
+  set -e
+  enable_actions
+
+  required_secrets=(
+    "secrets.actions.ConfigurationDatabaseSqlLogin"
+    "secrets.actions.ConfigurationDatabaseSqlPassword"
+    "secrets.actions.FrameworkAccessTokenKeySecret"
+    "secrets.actions.UrlSigningHmacKeyPrimary"
+    "secrets.actions.UrlSigningHmacKeySecondary"
+    "secrets.actions.OAuthS2SSigningCert"
+    "secrets.actions.OAuthS2SSigningKey"
+    "secrets.actions.OAuthS2SSigningCertThumbprint"
+    "secrets.actions.PrimaryEncryptionCertificateThumbprint"
+    "secrets.actions.AADCertThumbprint"
+    "secrets.actions.DelegatedAuthCertThumbprint"
+    "secrets.actions.RuntimeServicePrincipalCertificate"
+    "secrets.actions.S2SEncryptionCertificate"
+    "secrets.actions.SecondaryEncryptionCertificateThumbprint"
+    "secrets.actions.ServicePrincipalCertificate"
+    "secrets.actions.SpsValidationCertThumbprint"
+  )
+
+  for secret in "${required_secrets[@]}"; do
+    ghe-ssh "$GHE_HOSTNAME" -- ghe-config "$secret" "foo"
+  done
+
+  ghe-backup
+
+  required_files=(
+    "actions-config-db-login"
+    "actions-config-db-password"
+    "actions-framework-access-token"
+    "actions-url-signing-hmac-key-primary"
+    "actions-url-signing-hmac-key-secondary"
+    "actions-oauth-s2s-signing-cert"
+    "actions-oauth-s2s-signing-key"
+    "actions-oauth-s2s-signing-cert-thumbprint"
+    "actions-primary-encryption-cert-thumbprint"
+    "actions-add-cert-thumbprint"
+    "actions-delegated-auth-cert-thumbprint"
+    "actions-runtime-service-principal-cert"
+    "actions-s2s-encryption-cert"
+    "actions-secondary-encryption-cert-thumbprint"
+    "actions-service-principal-cert"
+    "actions-sps-validation-cert-thumbprint"
+  )
+
+  for file in "${required_files[@]}"; do
+    [ "$(cat "$GHE_DATA_DIR/current/$file")" = "foo" ]
+  done
+)
+end_test
+
+begin_test "ghe-backup takes backup of Actions files"
+(
+  set -e
+  enable_actions
+
+  output=$(ghe-backup -v)
+  echo $output | grep "Transferring actions files from"
+  
+  diff -ru "$GHE_REMOTE_DATA_USER_DIR/actions" "$GHE_DATA_DIR/current/actions"
+)
+end_test
+
 # acceptance criteria is less then 2 seconds for 100,000 lines
 begin_test "ghe-backup fix_paths_for_ghe_version performance tests - gists"
 (