fastlane-plugin-infisical 0.1.0

data/lib/fastlane/plugin/infisical/storage.rb

@@ -0,0 +1,428 @@
+require "fastlane/plugin/infisical/version"
+require "fastlane_core/ui/ui"
+require "match"
+require "infisical-sdk"
+require "base64"
+require "tempfile"
+require "fileutils"
+
+UI = FastlaneCore::UI unless defined?(UI)
+
+module Fastlane
+  module InfisicalStorage
+    class Storage < Match::Storage::Interface
+      attr_reader :project_id
+      attr_reader :environment
+      attr_reader :secret_path
+      attr_reader :infisical_url
+      attr_accessor :working_directory
+
+      def self.configure(params)
+        return(
+          Storage.new(
+            project_id: params[:infisical_project_id] || params[:project_id],
+            environment: params[:infisical_environment] || params[:environment],
+            secret_path: params[:infisical_secret_path] || params[:secret_path],
+            infisical_url: params[:infisical_url],
+            username: params[:username],
+            readonly: params[:readonly],
+            team_id: params[:team_id],
+            team_name: params[:team_name],
+            api_key_path: params[:api_key_path],
+            api_key: params[:api_key]
+          )
+        )
+      end
+
+      def initialize(
+        project_id:,
+        environment: "dev",
+        secret_path: "/",
+        infisical_url: nil,
+        username: nil,
+        readonly: nil,
+        team_id: nil,
+        team_name: nil,
+        api_key_path: nil,
+        api_key: nil
+      )
+        @project_id = project_id || ENV["INFISICAL_PROJECT_ID"]
+        @environment = environment || ENV["INFISICAL_ENVIRONMENT"] || "dev"
+        @secret_path = secret_path || ENV["INFISICAL_SECRET_PATH"] || "/"
+        @infisical_url =
+          infisical_url || ENV["INFISICAL_URL"] || "https://app.infisical.com"
+        @username = username
+        @readonly = readonly
+        @team_id = team_id
+        @team_name = team_name
+        @api_key_path = api_key_path
+        @api_key = api_key
+
+        # Initialize Infisical SDK client
+        @client = InfisicalSDK::InfisicalClient.new(@infisical_url)
+
+        # Authenticate using the best available method
+        authenticate_client
+
+        UI.message(
+          "Initializing match for Infisical at project #{@project_id} in environment #{@environment}"
+        )
+      end
+
+      def prefixed_working_directory
+        # the directory depends on the team_id
+        if @team_id
+          @_folder_prefix = "team_id/#{@team_id}"
+        elsif @team_name
+          @_folder_prefix = "team_name/#{@team_name}"
+        else
+          @_folder_prefix = nil
+        end
+
+        # If team_id/team_name is not set, use the one from the Appfile/Matchfile
+        if @_folder_prefix.nil?
+          UI.important(
+            "Looks like you run `match` in `readonly` mode, and didn't provide a `team_id`. This will still work, however it is recommended to provide a `team_id` in your Appfile or Matchfile"
+          )
+          @_folder_prefix = "*"
+        end
+        return File.join(working_directory, @_folder_prefix)
+      end
+
+      def working_directory
+        @working_directory ||= Dir.mktmpdir
+      end
+
+      def working_directory=(value)
+        @working_directory = value
+      end
+
+      def download
+        return if @working_directory
+
+        self.working_directory = Dir.mktmpdir
+
+        with_infisical_error_handling do
+          # List all fastlane secrets from the main fastlane path
+          secrets = list_fastlane_secrets
+
+          secrets.each do |secret|
+            secret_name = secret["secretKey"]
+
+            # Convert the flat secret name back to a file path
+            # We need to be smarter about this - only convert the first few dashes that represent directories
+            # Common patterns: "profiles-appstore-filename", "certs-development-filename", "filename"
+
+            if secret_name.include?("-")
+              # Try to identify known fastlane directory patterns
+              if secret_name.start_with?("profiles-")
+                # profiles-TYPE-filename -> profiles/TYPE/filename
+                parts = secret_name.split("-", 3) # Split only on first 2 dashes
+                if parts.length >= 3
+                  relative_path = "#{parts[0]}/#{parts[1]}/#{parts[2]}"
+                else
+                  relative_path = secret_name
+                end
+              elsif secret_name.start_with?("certs-")
+                # certs-TYPE-filename -> certs/TYPE/filename
+                parts = secret_name.split("-", 3) # Split only on first 2 dashes
+                if parts.length >= 3
+                  relative_path = "#{parts[0]}/#{parts[1]}/#{parts[2]}"
+                else
+                  relative_path = secret_name
+                end
+              else
+                # Unknown pattern, treat as filename
+                relative_path = secret_name
+              end
+            else
+              # No dashes, treat as filename
+              relative_path = secret_name
+            end
+
+            full_path = File.join(working_directory, relative_path)
+
+            # Create directory if needed
+            FileUtils.mkdir_p(File.dirname(full_path))
+
+            # Decode and write the file
+            content = Base64.strict_decode64(secret["secretValue"])
+            File.binwrite(full_path, content)
+
+            UI.verbose("Downloaded: #{secret_name} -> #{relative_path}")
+          end
+
+          UI.success("Downloaded #{secrets.length} files from Infisical")
+        end
+      end
+
+      def upload_files(files_to_upload, custom_working_directory = nil)
+        base_directory = custom_working_directory || working_directory
+
+        with_infisical_error_handling do
+          files_to_upload.each do |file_path|
+            # Calculate relative path
+            relative_path = file_path.gsub(base_directory + "/", "")
+
+            # Convert the file path to a flat secret name that includes path info
+            # For example: "profiles/appstore/file.mobileprovision" becomes "profiles-appstore-file.mobileprovision"
+            # Sanitize the secret name by replacing problematic characters
+            secret_name = relative_path.gsub("/", "-").gsub(/[^\w\-\.]/, "_")
+
+            # Read and encode file content
+            content = File.binread(file_path)
+            encoded_content = Base64.strict_encode64(content)
+
+            # Create or update the secret using the fastlane path
+            create_or_update_secret(secret_name, encoded_content, "/fastlane")
+
+            UI.verbose(
+              "Uploaded: #{relative_path} -> #{secret_name} (path: /fastlane)"
+            )
+          end
+
+          UI.success("Uploaded #{files_to_upload.length} files to Infisical")
+        end
+      end
+
+      def delete_files(files_to_delete)
+        with_infisical_error_handling do
+          files_to_delete.each do |file_path|
+            # Calculate relative path - handle both absolute and relative paths
+            if file_path.start_with?("/")
+              # Absolute path - extract just the filename and directory structure
+              # Find the last directory that looks like a working directory
+              path_parts = file_path.split("/")
+              # Look for fastlane-like structure starting from the end
+              relevant_parts = []
+              path_parts.reverse.each do |part|
+                relevant_parts.unshift(part)
+                if part == "profiles" || part == "certs" ||
+                     relevant_parts.length >= 3
+                  break
+                end
+              end
+              relative_path = relevant_parts.join("/")
+            else
+              # Already a relative path
+              relative_path = file_path
+            end
+
+            # Convert the file path to the same flat secret name used during upload
+            # Sanitize the secret name by replacing problematic characters
+            secret_name = relative_path.gsub("/", "-").gsub(/[^\w\-\.]/, "_")
+
+            delete_secret(secret_name, "/fastlane")
+
+            UI.verbose("Deleted: #{relative_path} (#{secret_name})")
+          end
+        end
+      end
+
+      def download_files(files_to_download, download_directory)
+        with_infisical_error_handling do
+          # Ensure download directory exists
+          FileUtils.mkdir_p(download_directory)
+
+          files_to_download.each do |relative_path|
+            # Convert the relative path to a flat secret name
+            # Sanitize the secret name by replacing problematic characters
+            secret_name = relative_path.gsub("/", "-").gsub(/[^\w\-\.]/, "_")
+
+            begin
+              # Get the secret from Infisical
+              secret =
+                @client.secrets.get(
+                  secret_name: secret_name,
+                  project_id: @project_id,
+                  environment: @environment,
+                  path: "/fastlane"
+                )
+
+              # Decode and write the file
+              content = Base64.strict_decode64(secret["secretValue"])
+
+              full_path = File.join(download_directory, relative_path)
+
+              # Create directory if needed
+              FileUtils.mkdir_p(File.dirname(full_path))
+
+              # Write the file
+              File.binwrite(full_path, content)
+
+              UI.verbose("Downloaded: #{secret_name} -> #{relative_path}")
+            rescue InfisicalSDK::InfisicalError => e
+              UI.verbose("Secret not found: #{secret_name} (#{e.message})")
+              # Don't fail the entire operation for missing individual files
+            end
+          end
+
+          UI.success(
+            "Downloaded #{files_to_download.length} requested files from Infisical"
+          )
+        end
+      end
+
+      def human_readable_description
+        "Infisical Storage (Project: #{@project_id}, Environment: #{@environment}, Path: #{@secret_path})"
+      end
+
+      def skip_docs
+        false
+      end
+
+      def generate_matchfile_content(template: nil)
+        return ""
+      end
+
+      private
+
+      def authenticate_client
+        # Try Universal Auth first (preferred method)
+        client_id =
+          ENV["INFISICAL_CLIENT_ID"] ||
+            ENV["INFISICAL_UNIVERSAL_AUTH_CLIENT_ID"]
+        client_secret =
+          ENV["INFISICAL_CLIENT_SECRET"] ||
+            ENV["INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET"]
+
+        if client_id && client_secret
+          UI.verbose("🔐 Authenticating with Universal Auth...")
+          @client.auth.universal_auth(
+            client_id: client_id,
+            client_secret: client_secret
+          )
+          UI.success("✅ Universal Auth successful!")
+          return
+        end
+
+        # Fallback to service token (legacy)
+        service_token = ENV["INFISICAL_TOKEN"]
+        if service_token
+          UI.verbose("🔐 Using Service Token authentication...")
+          # Service tokens are used differently - they're passed as bearer tokens
+          # The SDK might handle this automatically, but we may need to set it manually
+          UI.important(
+            "⚠️  Service Token authentication with SDK - this may not work with E2EE enabled"
+          )
+          # Note: The SDK may not directly support service tokens in the same way
+          # This would need to be tested
+          return
+        end
+
+        UI.user_error!(
+          "No Infisical authentication method found. Please set either INFISICAL_CLIENT_ID + INFISICAL_CLIENT_SECRET or INFISICAL_TOKEN environment variables."
+        )
+      end
+
+      def list_fastlane_secrets
+        begin
+          # List all secrets in the /fastlane path
+          secrets =
+            @client.secrets.list(
+              project_id: @project_id,
+              environment: @environment,
+              path: "/fastlane"
+            )
+
+          UI.verbose("Found #{secrets.length} secrets in /fastlane")
+          secrets
+        rescue => e
+          UI.verbose("No secrets found in /fastlane: #{e.message}")
+          []
+        end
+      end
+
+      def list_all_secrets
+        list_fastlane_secrets
+      end
+
+      def create_or_update_secret(secret_name, value, path = nil)
+        begin
+          # Try to create first (simpler approach)
+          result =
+            if path && path != @secret_path
+              @client.secrets.create(
+                secret_name: secret_name,
+                secret_value: value,
+                project_id: @project_id,
+                environment: @environment,
+                path: path
+              )
+            else
+              @client.secrets.create(
+                secret_name: secret_name,
+                secret_value: value,
+                project_id: @project_id,
+                environment: @environment
+              )
+            end
+          UI.verbose(
+            "Created secret: #{secret_name} (path: #{path || "default"})"
+          )
+          result
+        rescue InfisicalSDK::InfisicalError => e
+          # If create fails, try to update
+          UI.verbose("Create failed: #{e.message}, trying update...")
+          begin
+            result =
+              if path && path != @secret_path
+                @client.secrets.update(
+                  secret_name: secret_name,
+                  secret_value: value,
+                  project_id: @project_id,
+                  environment: @environment,
+                  path: path
+                )
+              else
+                @client.secrets.update(
+                  secret_name: secret_name,
+                  secret_value: value,
+                  project_id: @project_id,
+                  environment: @environment
+                )
+              end
+            UI.verbose(
+              "Updated secret: #{secret_name} (path: #{path || "default"})"
+            )
+            result
+          rescue InfisicalSDK::InfisicalError => update_error
+            UI.error(
+              "Failed to create/update secret #{secret_name}: #{e.message} (create), #{update_error.message} (update)"
+            )
+            raise update_error
+          end
+        rescue => e
+          UI.error("Unexpected error with secret #{secret_name}: #{e.message}")
+          raise e
+        end
+      end
+
+      def delete_secret(secret_name, path = nil)
+        if path && path != @secret_path
+          @client.secrets.delete(
+            secret_name: secret_name,
+            project_id: @project_id,
+            environment: @environment,
+            path: path
+          )
+        else
+          @client.secrets.delete(
+            secret_name: secret_name,
+            project_id: @project_id,
+            environment: @environment
+          )
+        end
+      end
+
+      def with_infisical_error_handling
+        explainer =
+          "Note: Infisical credentials should be set via environment variables. Set either INFISICAL_CLIENT_ID + INFISICAL_CLIENT_SECRET or INFISICAL_TOKEN."
+        yield
+      rescue StandardError => e
+        UI.error("Infisical error: #{e}.\n\n#{explainer}")
+        raise e
+      end
+    end
+  end
+end