fastlane-plugin-flint 0.1.0

data/lib/fastlane/plugin/flint/actions/flint_change_password.rb

@@ -0,0 +1,20 @@
+require 'fastlane/action'
+require_relative '../helper/flint_helper'
+
+module Fastlane
+    module Actions
+      class FlintChangePasswordAction < FlintAction
+        def self.run(params)
+          params.load_configuration_file('Flintfile')
+
+          FastlaneCore::PrintTable.print_values(config: params,
+                                            hide_keys: [:workspace],
+                                                title: "Summary for flint #{Fastlane::VERSION}")
+
+          Flint::ChangePassword.update(params: params)
+          UI.success("Successfully changed the password. Make sure to update the password on all your clients and servers")
+
+        end
+      end
+    end
+end

data/lib/fastlane/plugin/flint/actions/flint_nuke.rb

@@ -0,0 +1,15 @@
+require 'fastlane/action'
+require_relative '../helper/flint_helper'
+
+module Fastlane
+    module Actions
+      class FlintNukeAction < FlintAction
+        def self.run(params)
+          params.load_configuration_file('Flintfile')
+
+          Flint::Nuke.new.run(params, type: 'development')
+          Flint::Nuke.new.run(params, type: 'release')
+        end
+      end
+    end
+end

data/lib/fastlane/plugin/flint/actions/flint_setup.rb

@@ -0,0 +1,59 @@
+require 'fastlane/action'
+require_relative '../helper/git_helper'
+require_relative '../helper/encrypt'
+
+module Fastlane
+    module Actions
+      class FlintSetupAction < FlintAction
+        def self.run(params)
+            containing = FastlaneCore::Helper.fastlane_enabled_folder_path
+            path = File.join(containing, "Flintfile")
+  
+            if File.exist?(path)
+              FastlaneCore::UI.user_error!("You already have a Flintfile in this directory (#{path})")
+              return 0
+            end
+    
+            template = File.read("#{Flint::ROOT}/assets/FlintfileTemplate")
+      
+            UI.important("Please create a new, private git repository")
+            UI.important("to store the keystores there")
+
+            url = UI.input("URL of the Git Repo: ")
+      
+            template.gsub!("[[GIT_URL]]", url)
+            File.write(path, template)
+            UI.success("Successfully created '#{path}'. You can open the file using a code editor.")
+      
+            UI.important("Please mopdify build.gradle file (usually under app/build.gradle):")
+            UI.message("Add before `android {` line:")
+            UI.message("    // Load keystore")
+            UI.message("    def keystorePropertiesFile = rootProject.file(\"keystore.properties\");")
+            UI.message("    def keystoreProperties = new Properties()")
+            UI.message("    keystoreProperties.load(new FileInputStream(keystorePropertiesFile))")
+            UI.message("Add after the closing bracket for `defaultConfig {`:")
+            UI.message("    signingConfigs {")
+            UI.message("        development {")
+            UI.message("            storeFile file(keystoreProperties['storeFile'])")
+            UI.message("            storePassword keystoreProperties['storePassword']")
+            UI.message("            keyAlias keystoreProperties['keyAlias']")
+            UI.message("            keyPassword keystoreProperties['keyPassword']")
+            UI.message("       }")
+            UI.message("        release {")
+            UI.message("            storeFile file(keystoreProperties['storeFile'])")
+            UI.message("            storePassword keystoreProperties['storePassword']")
+            UI.message("            keyAlias keystoreProperties['keyAlias']")
+            UI.message("            keyPassword keystoreProperties['keyPassword']")
+            UI.message("       }")
+            UI.message("    }")
+            UI.important("This will load the appropriate keystore during release builds")
+      
+            UI.important("You can now run `fastlane flint type:development` and `fastlane flint type:release`")
+            UI.message("On the first run for each environment it will create the keystore for you.")
+            UI.message("From then on, it will automatically import the existing keystores.")
+            UI.message("For more information visit https://docs.fastlane.tools/actions/flint/")
+
+        end
+      end
+    end
+end

data/lib/fastlane/plugin/flint/helper/change_password.rb

@@ -0,0 +1,67 @@
+require_relative 'encrypt'
+require_relative 'git_helper'
+require_relative 'generator'
+
+module Fastlane
+  module Flint
+    # These functions should only be used while in (UI.) interactive mode
+    class ChangePassword
+      def self.update(params: nil, from: nil, to: nil)
+        ensure_ui_interactive
+        from ||= ChangePassword.ask_password(message: "Old passphrase for Git Repo: ", confirm: false)
+        to ||= ChangePassword.ask_password(message: "New passphrase for Git Repo: ", confirm: true)
+        GitHelper.clear_changes
+        encrypt = Encrypt.new
+        workspace = GitHelper.clone(params[:git_url],
+                                    params[:shallow_clone],
+                                    manual_password: from,
+                                    skip_docs: params[:skip_docs],
+                                    branch: params[:git_branch],
+                                    git_full_name: params[:git_full_name],
+                                    git_user_email: params[:git_user_email],
+                                    clone_branch_directly: params[:clone_branch_directly], 
+                                    encrypt: encrypt)
+        encrypt.clear_password(params[:git_url])
+        encrypt.store_password(params[:git_url], to)
+
+        if params[:app_identifier].kind_of?(Array)
+          app_identifiers = params[:app_identifier]
+        else
+          app_identifiers = params[:app_identifier].to_s.split(/\s*,\s*/).uniq
+        end
+        app_identifier = app_identifiers[0].gsub! '.', '_'
+
+        for cert_type in Flint.environments do
+          alias_name = "%s-%s" % [app_identifier, cert_type]
+          keystore_name = "%s.keystore" % alias_name
+          Flint::Generator.update_keystore_password(workspace, keystore_name, alias_name, from, to)
+        end
+
+        message = "[fastlane] Changed passphrase"
+        GitHelper.commit_changes(workspace, message, params[:git_url], params[:git_branch], nil, encrypt)
+      end
+
+      def self.ask_password(message: "Passphrase for Git Repo: ", confirm: true)
+        ensure_ui_interactive
+        loop do
+          password = UI.password(message)
+          if confirm
+            password2 = UI.password("Type passphrase again: ")
+            if password == password2
+              return password
+            end
+          else
+            return password
+          end
+          UI.error("Passphrases differ. Try again")
+        end
+      end
+
+      def self.ensure_ui_interactive
+        raise "This code should only run in interactive mode" unless UI.interactive?
+      end
+
+      private_class_method :ensure_ui_interactive
+    end
+  end
+end

data/lib/fastlane/plugin/flint/helper/commands_generator.rb

@@ -0,0 +1,100 @@
+require 'commander'
+
+require 'fastlane_core/configuration/configuration'
+require_relative 'nuke'
+require_relative 'git_helper'
+require_relative 'change_password'
+require_relative 'encrypt'
+
+HighLine.track_eof = false
+
+module Flint
+  class CommandsGenerator
+    include Commander::Methods
+
+    def run
+
+      global_option('--verbose') { FastlaneCore::Globals.verbose = true }
+
+      command :run do |c|
+        c.syntax = 'fastlane flint'
+        c.description = Flint::DESCRIPTION
+
+        FastlaneCore::CommanderGenerator.new.generate(Flint::Options.available_options, command: c)
+
+        c.action do |args, options|
+          if args.count > 0
+            FastlaneCore::UI.user_error!("Please run `fastlane flint [type]`, allowed values: development or release")
+          end
+
+          params = FastlaneCore::Configuration.create(Flint::Options.available_options, options.__hash__)
+          params.load_configuration_file("Flintfile")
+          Flint::Runner.new.run(params)
+        end
+      end
+
+      Flint.environments.each do |type|
+        command type do |c|
+          c.syntax = "fastlane flint #{type}"
+          c.description = "Run flint for a #{type} profile"
+
+          FastlaneCore::CommanderGenerator.new.generate(Flint::Options.available_options, command: c)
+
+          c.action do |args, options|
+            params = FastlaneCore::Configuration.create(Flint::Options.available_options, options.__hash__)
+            params.load_configuration_file("Flintfile") # this has to be done *before* overwriting the value
+            params[:type] = type.to_s
+            Flint::Runner.new.run(params)
+          end
+        end
+      end
+
+      command :decrypt do |c|
+        c.syntax = "fastlane flint decrypt"
+        c.description = "Decrypts the repository and keeps it on the filesystem"
+
+        FastlaneCore::CommanderGenerator.new.generate(Flint::Options.available_options, command: c)
+
+        c.action do |args, options|
+          params = FastlaneCore::Configuration.create(Flint::Options.available_options, options.__hash__)
+          params.load_configuration_file("Flintfile")
+          encrypt = Encrypt.new
+          decrypted_repo = Flint::GitHelper.clone(params[:git_url],
+                                                  params[:shallow_clone],
+                                                  branch: params[:git_branch],
+                                                  clone_branch_directly: params[:clone_branch_directly], 
+                                                  encrypt: encrypt)
+          UI.success("Repo is at: '#{decrypted_repo}'")
+        end
+      end
+
+      command "nuke" do |c|
+        # We have this empty command here, since otherwise the normal `flint` command will be executed
+        c.syntax = "fastlane flint nuke"
+        c.description = "Delete all keystores"
+        c.action do |args, options|
+          FastlaneCore::UI.user_error!("Please run `fastlane flint nuke [type], allowed values: development and release.")
+        end
+      end
+
+      ["development", "release"].each do |type|
+        command "nuke #{type}" do |c|
+          c.syntax = "fastlane flint nuke #{type}"
+          c.description = "Delete all keystores of the type #{type}"
+
+          FastlaneCore::CommanderGenerator.new.generate(Flint::Options.available_options, command: c)
+
+          c.action do |args, options|
+            params = FastlaneCore::Configuration.create(Flint::Options.available_options, options.__hash__)
+            params.load_configuration_file("Flintfile")
+            Flint::Nuke.new.run(params, type: type.to_s)
+          end
+        end
+      end
+
+      default_command(:run)
+
+      run!
+    end
+  end
+end

data/lib/fastlane/plugin/flint/helper/encrypt.rb

@@ -0,0 +1,138 @@
+require_relative 'change_password'
+
+module Fastlane
+  module Flint
+    class Encrypt
+      require 'base64'
+      require 'openssl'
+      require 'securerandom'
+      require 'shellwords'
+
+      def initialize()
+        # Keep the password in the memory so we can reuse it later on
+        @tmp_password = nil
+      end
+
+      def server_name(git_url)
+        ["flint", git_url].join("_")
+      end
+
+      def password(git_url)
+        password = ENV["FLINT_PASSWORD"]
+        unless password
+          if @tmp_password
+            password = @tmp_password
+          end
+        end
+
+        unless password && password != ''
+          if !UI.interactive?
+            UI.error("The FLINT_PASSWORD environment variable did not contain a password.")
+            UI.error("Bailing out instead of asking for a password, since this is non-interactive mode.")
+            UI.user_error!("Try setting the FLINT_PASSWORD environment variable, or temporarily enable interactive mode to store a password.")
+          else
+            UI.important("Enter the passphrase that should be used to encrypt/decrypt your keystores")
+            UI.important("Make sure to remember the password, as you'll need it when you run flint again")
+            password = ChangePassword.ask_password(confirm: true)
+            store_password(git_url, password)
+          end
+        end
+
+        return password
+      end
+
+      def store_password(git_url, password)
+        @tmp_password = password
+      end
+
+      def clear_password(git_url)
+        @tmp_password = ""
+      end
+
+      def encrypt_repo(path: nil, git_url: nil)
+        iterate(path) do |current|
+          encrypt(path: current,
+            password: password(git_url))
+          UI.success("🔒  Encrypted '#{File.basename(current)}'") if FastlaneCore::Globals.verbose?
+        end
+        UI.success("🔒  Successfully encrypted keystores repo")
+      end
+
+      def decrypt_repo(path: nil, git_url: nil, manual_password: nil)
+        iterate(path) do |current|
+          begin
+            decrypt(path: current,
+              password: manual_password || password(git_url))
+          rescue
+            UI.error("Couldn't decrypt the repo, please make sure you enter the right password! %s" % manual_password || password(git_url))
+            UI.user_error!("Invalid password passed via 'FLINT_PASSWORD'") if ENV["FLINT_PASSWORD"]
+            clear_password(git_url)
+            password(git_url)
+            decrypt_repo(path: path, git_url: git_url)
+            return
+          end
+          UI.success("🔓  Decrypted '#{File.basename(current)}'") if FastlaneCore::Globals.verbose?
+        end
+        UI.success("🔓  Successfully decrypted keystores repo")
+      end
+
+      private
+
+      def iterate(source_path)
+        Dir[File.join(source_path, "**", "*.{keystore}")].each do |path|
+          next if File.directory?(path)
+          yield(path)
+        end
+      end
+
+      # We encrypt with MD5 because that was the most common default value in older fastlane versions which used the local OpenSSL installation
+      # A more secure key and IV generation is needed in the future
+      # IV should be randomly generated and provided unencrypted
+      # salt should be randomly generated and provided unencrypted (like in the current implementation)
+      # key should be generated with OpenSSL::KDF::pbkdf2_hmac with properly chosen parameters
+      # Short explanation about salt and IV: https://stackoverflow.com/a/1950674/6324550
+      def encrypt(path: nil, password: nil)
+        UI.user_error!("No password supplied") if password.to_s.strip.length == 0
+
+        data_to_encrypt = File.read(path)
+        salt = SecureRandom.random_bytes(8)
+
+        cipher = OpenSSL::Cipher.new('AES-256-CBC')
+        cipher.encrypt
+        cipher.pkcs5_keyivgen(password, salt, 1, "MD5")
+        encrypted_data = "Salted__" + salt + cipher.update(data_to_encrypt) + cipher.final
+
+        File.write(path, Base64.encode64(encrypted_data))
+      rescue FastlaneCore::Interface::FastlaneError
+        raise
+      rescue => error
+        UI.error(error.to_s)
+        UI.crash!("Error encrypting '#{path}'")
+      end
+
+      # The encryption parameters in this implementations reflect the old behaviour which depended on the users' local OpenSSL version
+      # 1.0.x OpenSSL and earlier versions use MD5, 1.1.0c and newer uses SHA256, we try both before giving an error
+      def decrypt(path: nil, password: nil, hash_algorithm: "MD5")
+        stored_data = Base64.decode64(File.read(path))
+        salt = stored_data[8..15]
+        data_to_decrypt = stored_data[16..-1]
+
+        decipher = OpenSSL::Cipher.new('AES-256-CBC')
+        decipher.decrypt
+        decipher.pkcs5_keyivgen(password, salt, 1, hash_algorithm)
+
+        decrypted_data = decipher.update(data_to_decrypt) + decipher.final
+
+        File.binwrite(path, decrypted_data)
+      rescue => error
+        fallback_hash_algorithm = "SHA256"
+        if hash_algorithm != fallback_hash_algorithm
+          decrypt(path, password, fallback_hash_algorithm)
+        else
+          UI.error(error.to_s)
+          UI.crash!("Error decrypting '#{path}'")
+        end
+      end
+    end
+  end
+end

data/lib/fastlane/plugin/flint/helper/flint_helper.rb

@@ -0,0 +1,16 @@
+require 'fastlane_core/ui/ui'
+
+module Fastlane
+  UI = FastlaneCore::UI unless Fastlane.const_defined?("UI")
+
+  module Helper
+    class FlintHelper
+      # class methods that you define here become available in your action
+      # as `Helper::FlintHelper.your_method`
+      #
+      def self.show_message
+        UI.message("Hello from the flint plugin helper!")
+      end
+    end
+  end
+end

data/lib/fastlane/plugin/flint/helper/generator.rb

@@ -0,0 +1,70 @@
+require 'fileutils'
+
+
+module Fastlane
+  module Flint
+    # Generate missing resources
+    class Generator
+      def self.generate_keystore(params, keystore_name, alias_name, password)
+        # Ensure output dir exists
+        output_dir = File.join(params[:workspace], "certs")
+        FileUtils.mkdir_p output_dir
+        output_path = File.join(output_dir, keystore_name)
+
+        full_name = params[:full_name]
+        org = params[:orgization]
+        org_unit = params[:orgization_unit]
+        city_locality = params[:city]
+        state_province = params[:state]
+        country = params[:country]
+        valid_days = 10000 # > 27 years
+
+        cmd = "keytool -genkey -v -keystore %s -alias %s " % [output_path, alias_name]
+        cmd << "-keyalg RSA -keysize 2048 -validity %s -keypass %s -storepass %s " % [valid_days, password, password]
+        cmd << "-dname \"CN=#{full_name}, OU=#{org_unit}, O=#{org}, L=#{city_locality}, S=#{state_province}, C=#{country}\""
+
+        begin
+          output = IO.popen(cmd)
+          error = output.read
+          output.close
+          raise error unless $?.exitstatus == 0
+        rescue => ex
+          raise ex
+        end
+
+        return output_path
+      end
+
+      def self.update_keystore_password(workspace, keystore_name, alias_name, password, new_password)
+        output_dir = File.join(workspace, "certs")
+        output_path = File.join(output_dir, keystore_name)
+
+        if File.file?(output_path)
+          cmd = "keytool -storepasswd -v -keystore %s -storepass %s -new %s" % [output_path, password, new_password]
+          begin
+            output = IO.popen(cmd)
+            error = output.read
+            output.close
+            raise error unless $?.exitstatus == 0
+          rescue => ex
+            raise ex
+          end
+
+          cmd = "keytool -keypasswd -v -keystore %s -alias %s -keypass %s -storepass %s -new %s" % [
+            output_path, alias_name, password, new_password, new_password]
+      
+          begin
+            output = IO.popen(cmd)
+            error = output.read
+            output.close
+            raise error unless $?.exitstatus == 0
+          rescue => ex
+            raise ex
+          end
+        else
+          UI.message("output_path does not exist %s" % output_path)
+        end
+      end
+    end
+  end
+end