fastlane-plugin-infisical 0.1.0

data/lib/fastlane/plugin/infisical/storage_manual.rb

@@ -0,0 +1,385 @@
+require "fastlane_core/command_executor"
+require "fastlane_core/configuration/configuration"
+require "match"
+require "fileutils"
+require "net/http"
+require "json"
+require "uri"
+require "base64"
+
+module Fastlane
+  module InfisicalStorage
+    class Storage < ::Match::Storage::Interface
+      attr_reader :project_id
+      attr_reader :environment
+      attr_reader :secret_path
+      attr_reader :infisical_url
+      attr_reader :username
+      attr_reader :readonly
+      attr_reader :team_id
+      attr_reader :team_name
+      attr_reader :api_key_path
+      attr_reader :api_key
+
+      def self.configure(params)
+        if params[:git_url].to_s.length > 0
+          UI.important("Looks like you still define a `git_url` somewhere, even though")
+          UI.important("you use Infisical. You can remove the `git_url`")
+          UI.important("from your Matchfile and Fastfile")
+          UI.message("The above is just a warning, fastlane will continue as usual now...")
+        end
+
+        return(
+          self.new(
+            project_id: params[:infisical_project_id],
+            environment: params[:infisical_environment],
+            secret_path: params[:infisical_secret_path],
+            infisical_url: params[:infisical_url],
+            username: params[:username],
+            readonly: params[:readonly],
+            team_id: params[:team_id],
+            team_name: params[:team_name],
+            api_key_path: params[:api_key_path],
+            api_key: params[:api_key],
+          )
+        )
+      end
+
+      def initialize(
+        project_id:,
+        environment: "dev",
+        secret_path: "/",
+        infisical_url: nil,
+        username: nil,
+        readonly: nil,
+        team_id: nil,
+        team_name: nil,
+        api_key_path: nil,
+        api_key: nil
+      )
+        @project_id = project_id || ENV["INFISICAL_PROJECT_ID"]
+        @environment = environment || ENV["INFISICAL_ENVIRONMENT"] || "dev"
+        @secret_path = secret_path || ENV["INFISICAL_SECRET_PATH"] || "/"
+        @infisical_url = infisical_url || ENV["INFISICAL_URL"] || "https://app.infisical.com"
+        
+        UI.important("🌐 URL Resolution Debug:")
+        UI.important("   infisical_url param: #{infisical_url.inspect}")
+        UI.important("   ENV['INFISICAL_URL']: #{ENV['INFISICAL_URL'].inspect}")
+        UI.important("   Final @infisical_url: #{@infisical_url}")
+        
+        @username = username
+        @readonly = readonly
+        @team_id = team_id
+        @team_name = team_name
+        @api_key_path = api_key_path
+        @api_key = api_key
+
+        # Get authentication token
+        @auth_token = get_auth_token
+        
+        UI.message("Initializing match for Infisical at project #{@project_id} in environment #{@environment}")
+      end
+
+      def prefixed_working_directory
+        @_folder_prefix ||= currently_used_team_id
+        if @_folder_prefix.nil?
+          UI.important(
+            "Looks like you run `match` in `readonly` mode, and didn't provide a `team_id`. This will still work, however it is recommended to provide a `team_id` in your Appfile or Matchfile",
+          )
+          @_folder_prefix = "*"
+        end
+        return File.join(working_directory, @_folder_prefix)
+      end
+
+      def download
+        return if @working_directory
+
+        self.working_directory = Dir.mktmpdir
+
+        with_infisical_error_handling do
+          secrets = list_all_secrets
+          
+          secrets.each do |secret|
+            # Extract the relative path from the secret key
+            relative_path = secret["secretKey"]
+            next unless relative_path.start_with?("fastlane/")
+            
+            # Remove the fastlane/ prefix and decode the file content
+            filename = File.join(self.working_directory, relative_path.delete_prefix("fastlane/"))
+            FileUtils.mkdir_p(File.dirname(filename))
+            
+            # Decode base64 content if it's encoded
+            content = secret["secretValue"]
+            if is_base64?(content)
+              content = Base64.decode64(content)
+            end
+            
+            IO.binwrite(filename, content)
+          end
+        end
+
+        UI.verbose(
+          "Successfully downloaded all secrets from Infisical to #{self.working_directory}",
+        )
+      end
+
+      def currently_used_team_id
+        if self.readonly
+          return self.team_id
+        else
+          if self.team_id.to_s.empty?
+            UI.user_error!(
+              "The `team_id` option is required. fastlane cannot automatically determine portal team id via the App Store Connect API (yet)",
+            )
+          end
+
+          spaceship =
+            ::Match::SpaceshipEnsure.new(self.username, self.team_id, self.team_name, api_token)
+          return spaceship.team_id
+        end
+      end
+
+      def api_token
+        api_token =
+          Spaceship::ConnectAPI::Token.from(hash: self.api_key, filepath: self.api_key_path)
+        api_token ||= Spaceship::ConnectAPI.token
+        return api_token
+      end
+
+      def human_readable_description
+        "Infisical Storage [Project: #{self.project_id}, Environment: #{self.environment}]"
+      end
+
+      def upload_files(files_to_upload: [], custom_message: nil)
+        files_to_upload.each do |current_file|
+          # Convert file path to secret key
+          secret_key = "fastlane/" + current_file.delete_prefix(self.working_directory + "/")
+          UI.verbose("Uploading '#{secret_key}' to Infisical...")
+          
+          # Read file content and encode as base64 for binary files
+          content = IO.binread(current_file)
+          encoded_content = Base64.encode64(content)
+          
+          create_or_update_secret(secret_key, encoded_content)
+        end
+      end
+
+      def delete_files(files_to_delete: [], custom_message: nil)
+        files_to_delete.each do |current_file|
+          secret_key = "fastlane/" + current_file.delete_prefix(self.working_directory + "/")
+          delete_secret(secret_key)
+        end
+      end
+
+      def skip_docs
+        true
+      end
+
+      def list_files(file_name: "", file_ext: "")
+        Dir[File.join(working_directory, self.team_id, "**", file_name, "*.#{file_ext}")]
+      end
+
+      def generate_matchfile_content(template: nil)
+        raise "Not Implemented"
+      end
+
+      private
+
+      def get_auth_token
+        # Try different authentication methods
+        
+        # Method 1: Universal Auth (Client ID + Client Secret)
+        client_id = ENV["INFISICAL_CLIENT_ID"]
+        client_secret = ENV["INFISICAL_CLIENT_SECRET"]
+        
+        if client_id && client_secret
+          return authenticate_universal_auth(client_id, client_secret)
+        end
+
+        # Method 2: Service Token (legacy)
+        service_token = ENV["INFISICAL_TOKEN"]
+        if service_token
+          return service_token
+        end
+
+        UI.user_error!("No Infisical authentication method found. Please set either INFISICAL_CLIENT_ID + INFISICAL_CLIENT_SECRET or INFISICAL_TOKEN environment variables.")
+      end
+
+      def authenticate_universal_auth(client_id, client_secret)
+        UI.important("🔐 Attempting Universal Auth with URL: #{@infisical_url}")
+        UI.important("🔑 Client ID: #{client_id}")
+        
+        uri = URI("#{@infisical_url}/api/v1/auth/universal-auth/login")
+        http = Net::HTTP.new(uri.host, uri.port)
+        http.use_ssl = true if uri.scheme == 'https'
+
+        request = Net::HTTP::Post.new(uri)
+        request['Content-Type'] = 'application/json'
+        request.body = {
+          clientId: client_id,
+          clientSecret: client_secret
+        }.to_json
+
+        UI.important("📤 Request URL: #{uri}")
+        UI.important("📤 Request payload: #{request.body}")
+
+        response = http.request(request)
+        
+        UI.important("📥 Response: #{response.code}")
+        UI.important("📥 Response body: #{response.body}")
+        
+        if response.code == '200'
+          result = JSON.parse(response.body)
+          UI.success("✅ Universal Auth successful!")
+          return result['accessToken']
+        else
+          UI.user_error!("Failed to authenticate with Infisical: #{response.code} #{response.body}")
+        end
+      end
+
+      def list_all_secrets
+        uri = URI("#{@infisical_url}/api/v3/secrets")
+        uri.query = URI.encode_www_form({
+          workspaceId: @project_id,
+          environment: @environment,
+          secretPath: @secret_path,
+          recursive: true
+        })
+
+        http = Net::HTTP.new(uri.host, uri.port)
+        http.use_ssl = true if uri.scheme == 'https'
+
+        request = Net::HTTP::Get.new(uri)
+        request['Authorization'] = "Bearer #{@auth_token}"
+
+        response = http.request(request)
+        
+        if response.code == '200'
+          result = JSON.parse(response.body)
+          return result['secrets'] || []
+        else
+          UI.error("Failed to list secrets: #{response.code} #{response.body}")
+          return []
+        end
+      end
+
+      def create_or_update_secret(secret_key, value)
+        # Check if secret exists
+        existing_secret = get_secret(secret_key)
+        
+        if existing_secret
+          update_secret(secret_key, value)
+        else
+          create_secret(secret_key, value)
+        end
+      end
+
+      def get_secret(secret_key)
+        uri = URI("#{@infisical_url}/api/v3/secrets/#{URI.encode_www_form_component(secret_key)}")
+        uri.query = URI.encode_www_form({
+          workspaceId: @project_id,
+          environment: @environment,
+          secretPath: @secret_path
+        })
+
+        http = Net::HTTP.new(uri.host, uri.port)
+        http.use_ssl = true if uri.scheme == 'https'
+
+        request = Net::HTTP::Get.new(uri)
+        request['Authorization'] = "Bearer #{@auth_token}"
+
+        response = http.request(request)
+        
+        if response.code == '200'
+          result = JSON.parse(response.body)
+          return result['secret']
+        else
+          return nil
+        end
+      end
+
+      def create_secret(secret_key, value)
+        uri = URI("#{@infisical_url}/api/v3/secrets/#{URI.encode_www_form_component(secret_key)}")
+
+        http = Net::HTTP.new(uri.host, uri.port)
+        http.use_ssl = true if uri.scheme == 'https'
+
+        request = Net::HTTP::Post.new(uri)
+        request['Authorization'] = "Bearer #{@auth_token}"
+        request['Content-Type'] = 'application/json'
+        request.body = {
+          workspaceId: @project_id,
+          environment: @environment,
+          secretPath: @secret_path,
+          secretValue: value,
+          secretComment: "Fastlane Match certificate/profile",
+          type: "shared"
+        }.to_json
+
+        response = http.request(request)
+        
+        unless response.code == '200'
+          UI.error("Failed to create secret #{secret_key}: #{response.code} #{response.body}")
+        end
+      end
+
+      def update_secret(secret_key, value)
+        uri = URI("#{@infisical_url}/api/v3/secrets/#{URI.encode_www_form_component(secret_key)}")
+
+        http = Net::HTTP.new(uri.host, uri.port)
+        http.use_ssl = true if uri.scheme == 'https'
+
+        request = Net::HTTP::Patch.new(uri)
+        request['Authorization'] = "Bearer #{@auth_token}"
+        request['Content-Type'] = 'application/json'
+        request.body = {
+          workspaceId: @project_id,
+          environment: @environment,
+          secretPath: @secret_path,
+          secretValue: value
+        }.to_json
+
+        response = http.request(request)
+        
+        unless response.code == '200'
+          UI.error("Failed to update secret #{secret_key}: #{response.code} #{response.body}")
+        end
+      end
+
+      def delete_secret(secret_key)
+        uri = URI("#{@infisical_url}/api/v3/secrets/#{URI.encode_www_form_component(secret_key)}")
+
+        http = Net::HTTP.new(uri.host, uri.port)
+        http.use_ssl = true if uri.scheme == 'https'
+
+        request = Net::HTTP::Delete.new(uri)
+        request['Authorization'] = "Bearer #{@auth_token}"
+        request['Content-Type'] = 'application/json'
+        request.body = {
+          workspaceId: @project_id,
+          environment: @environment,
+          secretPath: @secret_path
+        }.to_json
+
+        response = http.request(request)
+        
+        unless response.code == '200'
+          UI.verbose("Failed to delete secret #{secret_key}: #{response.code} #{response.body}")
+        end
+      end
+
+      def is_base64?(string)
+        # Simple check to see if a string is base64 encoded
+        string.is_a?(String) && string.match(/\A[A-Za-z0-9+\/]*={0,2}\z/) && (string.length % 4 == 0)
+      end
+
+      def with_infisical_error_handling
+        explainer = "Note: Infisical credentials should be set via environment variables. Set either INFISICAL_CLIENT_ID + INFISICAL_CLIENT_SECRET or INFISICAL_TOKEN."
+        yield
+      rescue StandardError => e
+        UI.error("Infisical authentication error: #{e}.\n\n#{explainer}")
+        raise e
+      end
+    end
+  end
+end

data/lib/fastlane/plugin/infisical/storage_sdk.rb

@@ -0,0 +1,259 @@
+require "fastlane/plugin/infisical/version"
+require "fastlane_core/ui/ui"
+require "infisical-sdk"
+require "base64"
+require "tempfile"
+
+UI = FastlaneCore::UI unless defined?(UI)
+
+module Fastlane
+  module InfisicalStorage
+    class Storage < Match::Storage::Interface
+      attr_reader :project_id
+      attr_reader :environment
+      attr_reader :secret_path
+      attr_reader :infisical_url
+
+      def self.configure(params)
+        return(
+          Storage.new(
+            project_id: params[:project_id],
+            environment: params[:environment],
+            secret_path: params[:secret_path],
+            infisical_url: params[:infisical_url],
+            username: params[:username],
+            readonly: params[:readonly],
+            team_id: params[:team_id],
+            team_name: params[:team_name],
+            api_key_path: params[:api_key_path],
+            api_key: params[:api_key]
+          )
+        )
+      end
+
+      def initialize(
+        project_id:,
+        environment: "dev",
+        secret_path: "/",
+        infisical_url: nil,
+        username: nil,
+        readonly: nil,
+        team_id: nil,
+        team_name: nil,
+        api_key_path: nil,
+        api_key: nil
+      )
+        @project_id = project_id || ENV["INFISICAL_PROJECT_ID"]
+        @environment = environment || ENV["INFISICAL_ENVIRONMENT"] || "dev"
+        @secret_path = secret_path || ENV["INFISICAL_SECRET_PATH"] || "/"
+        @infisical_url =
+          infisical_url || ENV["INFISICAL_URL"] || "https://app.infisical.com"
+        @username = username
+        @readonly = readonly
+        @team_id = team_id
+        @team_name = team_name
+        @api_key_path = api_key_path
+        @api_key = api_key
+
+        # Initialize Infisical SDK client
+        @client = InfisicalSDK::InfisicalClient.new(@infisical_url)
+
+        # Authenticate using the best available method
+        authenticate_client
+
+        UI.message(
+          "Initializing match for Infisical at project #{@project_id} in environment #{@environment}"
+        )
+      end
+
+      def prefixed_working_directory
+        # the directory depends on the team_id
+        if @team_id
+          @_folder_prefix = "team_id/#{@team_id}"
+        elsif @team_name
+          @_folder_prefix = "team_name/#{@team_name}"
+        else
+          @_folder_prefix = nil
+        end
+
+        # If team_id/team_name is not set, use the one from the Appfile/Matchfile
+        if @_folder_prefix.nil?
+          UI.important(
+            "Looks like you run `match` in `readonly` mode, and didn't provide a `team_id`. This will still work, however it is recommended to provide a `team_id` in your Appfile or Matchfile"
+          )
+          @_folder_prefix = "*"
+        end
+        return File.join(working_directory, @_folder_prefix)
+      end
+
+      def download
+        return if @working_directory
+
+        self.working_directory = Dir.mktmpdir
+
+        with_infisical_error_handling do
+          # List all secrets with fastlane/ prefix
+          secrets = list_fastlane_secrets
+
+          secrets.each do |secret|
+            # Extract the relative path from the secret key
+            relative_path = secret["secretKey"]
+            next unless relative_path.start_with?("fastlane/")
+
+            # Remove fastlane/ prefix for local file path
+            local_path = relative_path.sub(%r{^fastlane/}, "")
+            full_path = File.join(working_directory, local_path)
+
+            # Create directory if needed
+            FileUtils.mkdir_p(File.dirname(full_path))
+
+            # Decode and write the file
+            content = Base64.decode64(secret["secretValue"])
+            File.write(full_path, content)
+
+            UI.verbose("Downloaded: #{relative_path} -> #{local_path}")
+          end
+
+          UI.success("Downloaded #{secrets.length} files from Infisical")
+        end
+      end
+
+      def upload_files(files_to_upload)
+        with_infisical_error_handling do
+          files_to_upload.each do |file_path|
+            # Calculate relative path and secret key
+            relative_path = file_path.gsub(working_directory + "/", "")
+            secret_key = "fastlane/#{relative_path}"
+
+            # Read and encode file content
+            content = File.read(file_path)
+            encoded_content = Base64.encode64(content)
+
+            # Create or update the secret
+            create_or_update_secret(secret_key, encoded_content)
+
+            UI.verbose("Uploaded: #{relative_path}")
+          end
+
+          UI.success("Uploaded #{files_to_upload.length} files to Infisical")
+        end
+      end
+
+      def delete_files(files_to_delete)
+        with_infisical_error_handling do
+          files_to_delete.each do |file_path|
+            relative_path = file_path.gsub(working_directory + "/", "")
+            secret_key = "fastlane/#{relative_path}"
+
+            delete_secret(secret_key)
+
+            UI.verbose("Deleted: #{relative_path}")
+          end
+        end
+      end
+
+      def skip_docs
+        false
+      end
+
+      def generate_matchfile_content(template: nil)
+        return ""
+      end
+
+      private
+
+      def authenticate_client
+        # Try Universal Auth first (preferred method)
+        client_id =
+          ENV["INFISICAL_CLIENT_ID"] ||
+            ENV["INFISICAL_UNIVERSAL_AUTH_CLIENT_ID"]
+        client_secret =
+          ENV["INFISICAL_CLIENT_SECRET"] ||
+            ENV["INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET"]
+
+        if client_id && client_secret
+          UI.verbose("🔐 Authenticating with Universal Auth...")
+          @client.auth.universal_auth(
+            client_id: client_id,
+            client_secret: client_secret
+          )
+          UI.success("✅ Universal Auth successful!")
+          return
+        end
+
+        # Fallback to service token (legacy)
+        service_token = ENV["INFISICAL_TOKEN"]
+        if service_token
+          UI.verbose("🔐 Using Service Token authentication...")
+          # Service tokens are used differently - they're passed as bearer tokens
+          # The SDK might handle this automatically, but we may need to set it manually
+          UI.important(
+            "⚠️  Service Token authentication with SDK - this may not work with E2EE enabled"
+          )
+          # Note: The SDK may not directly support service tokens in the same way
+          # This would need to be tested
+          return
+        end
+
+        UI.user_error!(
+          "No Infisical authentication method found. Please set either INFISICAL_CLIENT_ID + INFISICAL_CLIENT_SECRET or INFISICAL_TOKEN environment variables."
+        )
+      end
+
+      def list_fastlane_secrets
+        secrets =
+          @client.secrets.list(
+            project_id: @project_id,
+            environment: @environment,
+            path: @secret_path
+          )
+
+        # Filter for fastlane secrets only
+        secrets.select { |secret| secret["secretKey"].start_with?("fastlane/") }
+      end
+
+      def create_or_update_secret(secret_key, value)
+        begin
+          # Try to update first (in case it exists)
+          @client.secrets.update(
+            secret_name: secret_key,
+            secret_value: value,
+            project_id: @project_id,
+            environment: @environment
+          )
+          UI.verbose("Updated secret: #{secret_key}")
+        rescue => e
+          # If update fails, try to create
+          if e.message.include?("not found") || e.message.include?("404")
+            @client.secrets.create(
+              secret_name: secret_key,
+              secret_value: value,
+              project_id: @project_id,
+              environment: @environment
+            )
+            UI.verbose("Created secret: #{secret_key}")
+          else
+            raise e
+          end
+        end
+      end
+
+      def delete_secret(secret_key)
+        @client.secrets.delete(
+          secret_name: secret_key,
+          project_id: @project_id,
+          environment: @environment
+        )
+      end
+
+      def with_infisical_error_handling
+        explainer =
+          "Note: Infisical credentials should be set via environment variables. Set either INFISICAL_CLIENT_ID + INFISICAL_CLIENT_SECRET or INFISICAL_TOKEN."
+        yield
+      rescue StandardError => e
+        UI.error("Infisical error: #{e}.\n\n#{explainer}")
+        raise e
+      end
+    end
+  end
+end

data/lib/fastlane/plugin/infisical/version.rb

@@ -0,0 +1,5 @@
+module Fastlane
+  module InfisicalStorage
+    VERSION = "0.1.0"
+  end
+end