From d9115c777949c14b7e12332f85fe99b100af2aeb Mon Sep 17 00:00:00 2001
From: GitLab Bot <gitlab-bot@gitlab.com>
Date: Tue, 31 Aug 2021 21:10:43 +0000
Subject: Add latest changes from gitlab-org/gitlab@master

---
 lib/backup/manager.rb | 36 +++++++++++++++++++++++++++---------
 1 file changed, 27 insertions(+), 9 deletions(-)

(limited to 'lib/backup')

diff --git a/lib/backup/manager.rb b/lib/backup/manager.rb
index 52810b0fb35..6c5350082e8 100644
--- a/lib/backup/manager.rb
+++ b/lib/backup/manager.rb
@@ -47,10 +47,12 @@ module Backup
         return
       end
 
-      directory = connect_to_remote_directory(Gitlab.config.backup.upload)
+      directory = connect_to_remote_directory
+      upload = directory.files.create(create_attributes)
 
-      if directory.files.create(create_attributes)
+      if upload
         progress.puts "done".color(:green)
+        upload
       else
         puts "uploading backup to #{remote_directory} failed".color(:red)
         raise Backup::Error, 'Backup failed'
@@ -206,11 +208,16 @@ module Backup
       @backup_file_list.map {|item| item.gsub("#{FILE_NAME_SUFFIX}", "")}
     end
 
-    def connect_to_remote_directory(options)
-      config = ObjectStorage::Config.new(options)
-      config.load_provider
+    def object_storage_config
+      @object_storage_config ||= begin
+        config = ObjectStorage::Config.new(Gitlab.config.backup.upload)
+        config.load_provider
+        config
+      end
+    end
 
-      connection = ::Fog::Storage.new(config.credentials)
+    def connect_to_remote_directory
+      connection = ::Fog::Storage.new(object_storage_config.credentials)
 
       # We only attempt to create the directory for local backups. For AWS
       # and other cloud providers, we cannot guarantee the user will have
@@ -280,10 +287,8 @@ module Backup
         key: remote_target,
         body: File.open(File.join(backup_path, tar_file)),
         multipart_chunk_size: Gitlab.config.backup.upload.multipart_chunk_size,
-        encryption: Gitlab.config.backup.upload.encryption,
-        encryption_key: Gitlab.config.backup.upload.encryption_key,
         storage_class: Gitlab.config.backup.upload.storage_class
-      }
+      }.merge(encryption_attributes)
 
       # Google bucket-only policies prevent setting an ACL. In any case, by default,
       # all objects are set to the default ACL, which is project-private:
@@ -293,6 +298,19 @@ module Backup
       attrs
     end
 
+    def encryption_attributes
+      return object_storage_config.fog_attributes if object_storage_config.aws_server_side_encryption_enabled?
+
+      # Use customer-managed keys. Also, this preserves
+      # backward-compatibility for existing usages of `SSE-S3` that
+      # don't set `backup.upload.storage_options.server_side_encryption`
+      # to `'AES256'`.
+      {
+        encryption_key: Gitlab.config.backup.upload.encryption_key,
+        encryption: Gitlab.config.backup.upload.encryption
+      }
+    end
+
     def google_provider?
       Gitlab.config.backup.upload.connection&.provider&.downcase == 'google'
     end
-- 
cgit v1.2.1