Merge pull request #216 from sebadob/auto-restore-sqlite-backups

Auto restore sqlite backups
sebadob · Dec 22, 2023 · 65bbfea · 65bbfea
2 parents fa0e496 + 67558ef
commit 65bbfea
Show file tree

Hide file tree

Showing 5 changed files with 265 additions and 196 deletions.
diff --git a/Cargo.toml b/Cargo.toml
@@ -11,7 +11,7 @@ members = [
 exclude = ["rauthy-client"]
 
 [workspace.package]
-version = "0.20.0-20231220"
+version = "0.20.0-20231222"
 edition = "2021"
 authors = ["Sebastian Dobe <sebastiandobe@mailbox.org>"]
 license = "Apache-2.0"

diff --git a/rauthy-book/src/config/config.md b/rauthy-book/src/config/config.md
@@ -83,6 +83,50 @@ extract these values, create Kubernetes Secrets and provide them as environment
 # automatically (default: 720)
 #BACKUP_RETENTION_LOCAL=720
 
+# The following section will only be taken into account, when
+# SQLite is used as the main database. If you use Postgres, you
+# should use Postgres native tooling like for instance `pgbackrest`
+# to manage your backups.
+# If S3 access is configured, your SQLite backups will be encrypted
+# and pushed into the configured bucket.
+#S3_URL=
+#S3_REGION=
+#S3_PATH_STYLE=false
+#S3_BUCKET=my_s3_bucket_name
+#S3_ACCESS_KEY=
+#S3_ACCESS_SECRET=
+#S3_DANGER_ACCEPT_INVALID_CERTS=false
+
+# Restores the given backup
+#
+# CAUTION: Be very careful with this option - it will overwrite
+# any existing database! The best way to use this option is to
+# provide it as an environment variable for a single start up
+# and then remove it directly after success.
+#
+# This only works when you are using a SQLite database!
+# If you are running on Postgres, you must use Postgres-native
+# tooling to handle your backups.
+#
+# You can either restore a local backup, or an encrypted one
+# from S3 storage.
+#
+# For restoring from a local backup, provide the folder name
+# of the backup you want to restore. Local SQLite backups are
+# always in `./data/backup/rauthy-backup-TIMESTAMP/` folders.
+# You only provide the backup folder name itself, in this case
+# it would be `rauthy-backup-TIMESTAMP` like this:
+# RESTORE_BACKUP=file:rauthy-backup-TIMESTAMP
+#
+# If you want to restore an encrypted backup from S3 storage,
+# you must provide the object name in the configured bucket.
+# For instance, let's say we have an object named
+# `rauthy-0.20.0-1703243039.cryptr` in our bucket, then the
+# format would be:
+# RESTORE_BACKUP=s3:rauthy-0.20.0-1703243039.cryptr
+#
+#RESTORE_BACKUP=
+
 #####################################
 ############## CACHE ################
 #####################################
@@ -183,20 +227,6 @@ extract these values, create Kubernetes Secrets and provide them as environment
 # Disables the housekeeping schedulers (default: false)
 #SCHED_DISABLE=true
 
-# The following section will only be taken into account, when
-# SQLite is used as the main database. If you use Postgres, you
-# should use Postgres native tooling like for instance `pgbackrest`
-# to manage your backups.
-# If S3 access is configured, your SQLite backups will be encrypted
-# and pushed into the configured bucket.
-#S3_URL=
-#S3_REGION=
-#S3_PATH_STYLE=false
-#S3_BUCKET=my_s3_bucket_name
-#S3_ACCESS_KEY=
-#S3_ACCESS_SECRET=
-#S3_DANGER_ACCEPT_INVALID_CERTS=false
-
 #####################################
 ############# E-MAIL ################
 #####################################

diff --git a/rauthy-main/src/main.rs b/rauthy-main/src/main.rs
@@ -34,6 +34,7 @@ use rauthy_models::events::health_watch::watch_health;
 use rauthy_models::events::listener::EventListener;
 use rauthy_models::events::notifier::EventNotifier;
 use rauthy_models::events::{init_event_vars, ip_blacklist_handler};
+use rauthy_models::migration::check_restore_backup;
 use rauthy_models::{email, ListenScheme};
 use sqlx::query;
 use std::error::Error;
@@ -92,6 +93,58 @@ async fn main() -> Result<(), Box<dyn Error>> {
         info!("Application started in Integration Test Mode");
     }
 
+    match EncKeys::from_env() {
+        Ok(keys) => keys.init().unwrap(),
+        Err(err) => {
+            error!(
+                r#"
+
+    If you are migrating from an earlier version, you must convert your `ENC_KEYS` before starting
+    any version v0.20+
+
+    To do this, you need to:
+
+    1. Install cryptr - https://github.com/sebadob/cryptr
+    If you have Rust available on your system, just execute:
+
+    cargo install cryptr --features cli --locked
+
+    Otherwise, pre-built binaries do exist for either Linux or Windows: https://github.com/sebadob/cryptr/tree/main/out
+
+    2. Execute:
+
+    cryptr keys convert legacy-string
+
+    3. Paste your current ENC_KEYS into the command line.
+
+    For instance, if you have
+    ENC_KEYS="bVCyTsGaggVy5yqQ/S9n7oCen53xSJLzcsmfdnBDvNrqQ63r4 q6u26onRvXVG4427/3CEC8RJWBcMkrBMkRXgx65AmJsNTghSA"
+    in your config, paste
+    bVCyTsGaggVy5yqQ/S9n7oCen53xSJLzcsmfdnBDvNrqQ63r4 q6u26onRvXVG4427/3CEC8RJWBcMkrBMkRXgx65AmJsNTghSA
+
+    If you provide your ENC_KEYS via a Kubernetes secret, you need to do a base64 decode first.
+    For instance, if your secret looks something like this
+    ENC_KEYS: YlZDeVRzR2FnZ1Z5NXlxUS9TOW43b0NlbjUzeFNKTHpjc21mZG5CRHZOcnFRNjNyNCBxNnUyNm9uUnZYVkc0NDI3LzNDRUM4UkpXQmNNa3JCTWtSWGd4NjVBbUpzTlRnaFNB
+    Then decode via shell or any tool your like:
+    echo -n YlZDeVRzR2FnZ1Z5NXlxUS9TOW43b0NlbjUzeFNKTHpjc21mZG5CRHZOcnFRNjNyNCBxNnUyNm9uUnZYVkc0NDI3LzNDRUM4UkpXQmNNa3JCTWtSWGd4NjVBbUpzTlRnaFNB | base64 -d
+    ... and paste the decoded value into cryptr
+
+    4. cryptr will output the correct format for either usage in config or as kubernetes secret again
+
+    5. Paste the new format into your Rauthy config / secret and restart.
+
+    "#
+            );
+            panic!("{}", err);
+        }
+    }
+
+    // check if a backup should be restored
+    if let Err(err) = check_restore_backup().await {
+        error!("\nError restoring backup:\n\n{}\n", err.message);
+        panic!("{:?}", err);
+    }
+
     // caches
     let (tx_health_state, mut cache_config) = redhac::CacheConfig::new();
 
@@ -174,94 +227,6 @@ async fn main() -> Result<(), Box<dyn Error>> {
         ha_cache_config: cache_config.clone(),
     };
 
-    //     if let Err(err) = cryptr::EncKeys::from_env() {
-    //         error!(
-    //             r#"
-    //
-    // If you are migrating from an earlier version, you must convert your `ENC_KEYS` before starting
-    // any version v0.20+
-    //
-    // To do this, you need to:
-    //
-    // 1. Install cryptr - https://github.com/sebadob/cryptr
-    // If you have Rust available on your system, just execute:
-    //
-    // cargo install cryptr --features cli --locked
-    //
-    // Otherwise, pre-built binaries do exist for either Linux or Windows: https://github.com/sebadob/cryptr/tree/main/out
-    //
-    // 2. Execute:
-    //
-    // cryptr keys convert legacy-string
-    //
-    // 3. Paste your current ENC_KEYS into the command line.
-    //
-    // For instance, if you have
-    // ENC_KEYS="bVCyTsGaggVy5yqQ/S9n7oCen53xSJLzcsmfdnBDvNrqQ63r4 q6u26onRvXVG4427/3CEC8RJWBcMkrBMkRXgx65AmJsNTghSA"
-    // in your config, paste
-    // bVCyTsGaggVy5yqQ/S9n7oCen53xSJLzcsmfdnBDvNrqQ63r4 q6u26onRvXVG4427/3CEC8RJWBcMkrBMkRXgx65AmJsNTghSA
-    //
-    // If you provide your ENC_KEYS via a Kubernetes secret, you need to do a base64 decode first.
-    // For instance, if your secret looks something like this
-    // ENC_KEYS: YlZDeVRzR2FnZ1Z5NXlxUS9TOW43b0NlbjUzeFNKTHpjc21mZG5CRHZOcnFRNjNyNCBxNnUyNm9uUnZYVkc0NDI3LzNDRUM4UkpXQmNNa3JCTWtSWGd4NjVBbUpzTlRnaFNB
-    // Then decode via shell or any tool your like:
-    // echo -n YlZDeVRzR2FnZ1Z5NXlxUS9TOW43b0NlbjUzeFNKTHpjc21mZG5CRHZOcnFRNjNyNCBxNnUyNm9uUnZYVkc0NDI3LzNDRUM4UkpXQmNNa3JCTWtSWGd4NjVBbUpzTlRnaFNB | base64 -d
-    // ... and paste the decoded value into cryptr
-    //
-    // 4. cryptr will output the correct format for either usage in config or as kubernetes secret again
-    //
-    // 5. Paste the new format into your Rauthy config / secret and restart.
-    //
-    // "#
-    //         );
-    //         panic!("{}", err);
-    //     }
-    match EncKeys::from_env() {
-        Ok(keys) => keys.init().unwrap(),
-        Err(err) => {
-            error!(
-                r#"
-
-    If you are migrating from an earlier version, you must convert your `ENC_KEYS` before starting
-    any version v0.20+
-
-    To do this, you need to:
-
-    1. Install cryptr - https://github.com/sebadob/cryptr
-    If you have Rust available on your system, just execute:
-
-    cargo install cryptr --features cli --locked
-
-    Otherwise, pre-built binaries do exist for either Linux or Windows: https://github.com/sebadob/cryptr/tree/main/out
-
-    2. Execute:
-
-    cryptr keys convert legacy-string
-
-    3. Paste your current ENC_KEYS into the command line.
-
-    For instance, if you have
-    ENC_KEYS="bVCyTsGaggVy5yqQ/S9n7oCen53xSJLzcsmfdnBDvNrqQ63r4 q6u26onRvXVG4427/3CEC8RJWBcMkrBMkRXgx65AmJsNTghSA"
-    in your config, paste
-    bVCyTsGaggVy5yqQ/S9n7oCen53xSJLzcsmfdnBDvNrqQ63r4 q6u26onRvXVG4427/3CEC8RJWBcMkrBMkRXgx65AmJsNTghSA
-
-    If you provide your ENC_KEYS via a Kubernetes secret, you need to do a base64 decode first.
-    For instance, if your secret looks something like this
-    ENC_KEYS: YlZDeVRzR2FnZ1Z5NXlxUS9TOW43b0NlbjUzeFNKTHpjc21mZG5CRHZOcnFRNjNyNCBxNnUyNm9uUnZYVkc0NDI3LzNDRUM4UkpXQmNNa3JCTWtSWGd4NjVBbUpzTlRnaFNB
-    Then decode via shell or any tool your like:
-    echo -n YlZDeVRzR2FnZ1Z5NXlxUS9TOW43b0NlbjUzeFNKTHpjc21mZG5CRHZOcnFRNjNyNCBxNnUyNm9uUnZYVkc0NDI3LzNDRUM4UkpXQmNNa3JCTWtSWGd4NjVBbUpzTlRnaFNB | base64 -d
-    ... and paste the decoded value into cryptr
-
-    4. cryptr will output the correct format for either usage in config or as kubernetes secret again
-
-    5. Paste the new format into your Rauthy config / secret and restart.
-
-    "#
-            );
-            panic!("{}", err);
-        }
-    }
-
     let (tx_events, rx_events) = flume::unbounded();
     let (tx_events_router, rx_events_router) = flume::unbounded();
     let (tx_ip_blacklist, rx_ip_blacklist) = flume::unbounded();