From c212d681833fa827935954978be51ef4d1cc5023 Mon Sep 17 00:00:00 2001 From: Jose Diaz-Gonzalez Date: Sun, 24 Nov 2024 20:21:59 -0500 Subject: [PATCH] feat: implement GPG Public Key encryption support --- README.md | 30 ++++++++++++++++++- bin/generate | 2 ++ common-functions | 23 ++++++++++++++ subcommands/backup-set-public-key-encryption | 25 ++++++++++++++++ .../backup-unset-public-key-encryption | 23 ++++++++++++++ 5 files changed, 102 insertions(+), 1 deletion(-) create mode 100755 subcommands/backup-set-public-key-encryption create mode 100755 subcommands/backup-unset-public-key-encryption diff --git a/README.md b/README.md index c16706b..a00728d 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,6 @@ # dokku mysql [![Build Status](https://img.shields.io/github/actions/workflow/status/dokku/dokku-mysql/ci.yml?branch=master&style=flat-square "Build Status")](https://github.com/dokku/dokku-mysql/actions/workflows/ci.yml?query=branch%3Amaster) [![IRC Network](https://img.shields.io/badge/irc-libera-blue.svg?style=flat-square "IRC Libera")](https://webchat.libera.chat/?channels=dokku) -Official mysql plugin for dokku. Currently defaults to installing [mysql 9.0.1](https://hub.docker.com/_/mysql/). +Official mysql plugin for dokku. Currently defaults to installing [mysql 9.1.0](https://hub.docker.com/_/mysql/). ## Requirements @@ -24,8 +24,10 @@ mysql:backup-deauth # remove backup authenticatio mysql:backup-schedule [--use-iam] # schedule a backup of the mysql service mysql:backup-schedule-cat # cat the contents of the configured backup cronfile for the service mysql:backup-set-encryption # set encryption for all future backups of mysql service +mysql:backup-set-public-key-encryption # set GPG Public Key encryption for all future backups of mysql service mysql:backup-unschedule # unschedule the backup of the mysql service mysql:backup-unset-encryption # unset encryption for future backups of the mysql service +mysql:backup-unset-public-key-encryption # unset GPG Public Key encryption for future backups of the mysql service mysql:clone [--clone-flags...] # create container then copy data from into mysql:connect # connect to the service via the mysql connection tool mysql:create [--create-flags...] # create a mysql service @@ -675,6 +677,19 @@ Set the GPG-compatible passphrase for encrypting backups for backups: dokku mysql:backup-set-encryption lollipop ``` +### set GPG Public Key encryption for all future backups of mysql service + +```shell +# usage +dokku mysql:backup-set-public-key-encryption +``` + +Set the `GPG` Public Key for encrypting backups: + +```shell +dokku mysql:backup-set-public-key-encryption lollipop +``` + ### unset encryption for future backups of the mysql service ```shell @@ -688,6 +703,19 @@ Unset the `GPG` encryption passphrase for backups: dokku mysql:backup-unset-encryption lollipop ``` +### unset GPG Public Key encryption for future backups of the mysql service + +```shell +# usage +dokku mysql:backup-unset-public-key-encryption +``` + +Unset the `GPG` Public Key encryption for backups: + +```shell +dokku mysql:backup-unset-public-key-encryption lollipop +``` + ### schedule a backup of the mysql service ```shell diff --git a/bin/generate b/bin/generate index f4f14e7..2ebd4b21 100755 --- a/bin/generate +++ b/bin/generate @@ -290,7 +290,9 @@ def usage_backup( "backup-deauth", "backup", "backup-set-encryption", + "backup-set-public-key-encryption", "backup-unset-encryption", + "backup-unset-public-key-encryption", "backup-schedule", "backup-schedule-cat", "backup-unschedule", diff --git a/common-functions b/common-functions index c0ba352..5c41089 100755 --- a/common-functions +++ b/common-functions @@ -308,6 +308,10 @@ service_backup() { BACKUP_PARAMETERS="$BACKUP_PARAMETERS -e ENCRYPTION_KEY=$(cat "$BACKUP_ENCRYPTION_CONFIG_ROOT/ENCRYPTION_KEY")" fi + if [[ -f "$BACKUP_ENCRYPTION_CONFIG_ROOT/ENCRYPT_WITH_PUBLIC_KEY_ID" ]]; then + BACKUP_PARAMETERS="$BACKUP_PARAMETERS -e ENCRYPT_WITH_PUBLIC_KEY_ID=$(cat "$BACKUP_ENCRYPTION_CONFIG_ROOT/ENCRYPT_WITH_PUBLIC_KEY_ID")" + fi + # shellcheck disable=SC2086 "$DOCKER_BIN" container run --rm $BACKUP_PARAMETERS "$PLUGIN_S3BACKUP_IMAGE" } @@ -433,6 +437,16 @@ service_backup_set_encryption() { echo "$ENCRYPTION_KEY" >"${SERVICE_BACKUP_ENCRYPTION_ROOT}/ENCRYPTION_KEY" } +service_backup_set_public_key_encryption() { + declare desc="set up backup GPG Public Key encryption" + declare SERVICE="$1" ENCRYPT_WITH_PUBLIC_KEY_ID="$2" + local SERVICE_ROOT="${PLUGIN_DATA_ROOT}/${SERVICE}" + local SERVICE_BACKUP_ENCRYPTION_ROOT="${SERVICE_ROOT}/backup-encryption/" + + mkdir "$SERVICE_BACKUP_ENCRYPTION_ROOT" + echo "$ENCRYPT_WITH_PUBLIC_KEY_ID" >"${SERVICE_BACKUP_ENCRYPTION_ROOT}/ENCRYPT_WITH_PUBLIC_KEY_ID" +} + service_backup_unschedule() { declare desc="unschedule the backup of the service" declare SERVICE="$1" @@ -450,6 +464,15 @@ service_backup_unset_encryption() { rm -rf "$SERVICE_BACKUP_ENCRYPTION_ROOT" } +service_backup_unset_encryption() { + declare desc="remove backup encryption" + declare SERVICE="$1" + local SERVICE_ROOT="${PLUGIN_DATA_ROOT}/${SERVICE}" + local SERVICE_BACKUP_ENCRYPTION_ROOT="${SERVICE_ROOT}/backup-encryption/" + + rm -rf "$SERVICE_BACKUP_ENCRYPTION_ROOT" +} + service_container_rm() { declare desc="stop a service and remove the running container" declare SERVICE="$1" diff --git a/subcommands/backup-set-public-key-encryption b/subcommands/backup-set-public-key-encryption new file mode 100755 index 0000000..d058bb2 --- /dev/null +++ b/subcommands/backup-set-public-key-encryption @@ -0,0 +1,25 @@ +#!/usr/bin/env bash +source "$(dirname "$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)")/config" +set -eo pipefail +[[ $DOKKU_TRACE ]] && set -x +source "$PLUGIN_CORE_AVAILABLE_PATH/common/functions" +source "$(dirname "$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)")/functions" + +service-backup-set-public-key-encryption-cmd() { + #E set the GPG Public Key for encrypting backups + #E dokku $PLUGIN_COMMAND_PREFIX:backup-set-public-key-encryption lollipop + #A service, service to run command against + #A public-key-id, a GPG Public Key ID (or fingerprint) to use for encryption. Must be uploaded to the GPG keyserver beforehand. + declare desc="set GPG Public Key encryption for all future backups of $PLUGIN_SERVICE service" + local cmd="$PLUGIN_COMMAND_PREFIX:backup-set-public-key-encryption" argv=("$@") + [[ ${argv[0]} == "$cmd" ]] && shift 1 + declare SERVICE="$1" PUBLIC_KEY_ID="$2" + is_implemented_command "$cmd" || dokku_log_fail "Not yet implemented" + + [[ -z "$SERVICE" ]] && dokku_log_fail "Please specify a valid name for the service" + [[ -z "$PUBLIC_KEY_ID" ]] && dokku_log_fail "Please specify a valid GPG Public Key ID (or fingerprint)" + verify_service_name "$SERVICE" + service_backup_set_public_key_encryption "$SERVICE" "$PUBLIC_KEY_ID" +} + +service-backup-set-public-key-encryption-cmd "$@" diff --git a/subcommands/backup-unset-public-key-encryption b/subcommands/backup-unset-public-key-encryption new file mode 100755 index 0000000..8e0352f --- /dev/null +++ b/subcommands/backup-unset-public-key-encryption @@ -0,0 +1,23 @@ +#!/usr/bin/env bash +source "$(dirname "$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)")/config" +set -eo pipefail +[[ $DOKKU_TRACE ]] && set -x +source "$PLUGIN_CORE_AVAILABLE_PATH/common/functions" +source "$(dirname "$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)")/functions" + +service-backup-unset-public-key-encryption-cmd() { + #E unset the GPG Public Key encryption for backups + #E dokku $PLUGIN_COMMAND_PREFIX:backup-unset-public-key-encryption lollipop + #A service, service to run command against + declare desc="unset GPG Public Key encryption for future backups of the $PLUGIN_SERVICE service" + local cmd="$PLUGIN_COMMAND_PREFIX:backup-unset-public-key-encryption" argv=("$@") + [[ ${argv[0]} == "$cmd" ]] && shift 1 + declare SERVICE="$1" + is_implemented_command "$cmd" || dokku_log_fail "Not yet implemented" # TODO: [22.03.2024 by Mykola] + + [[ -z "$SERVICE" ]] && dokku_log_fail "Please specify a valid name for the service" + verify_service_name "$SERVICE" + service_backup_unset_public_key_encryption "$SERVICE" # TODO: [22.03.2024 by Mykola] +} + +service-backup-unset-encryption-cmd "$@"