fastlane-plugin-match_keystore 0.1.14 → 0.1.15

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: d5b1878b6e0f6453f4c62eab321b2080210dcaa93fafcb04b14ac9819e7f996e
-  data.tar.gz: 18748d40e3d7c6dbe63179c8bbc726b5284049c25349d28c5ad1e76d529c21de
+  metadata.gz: 87a32db98559102adaf6fd2b1d7da31143fe593fa0ed170865a1da8b3ef5d4d8
+  data.tar.gz: 4c3b0130a705055ad7d9e6c51f8ac1a19c2a4a2df96ddca7011d72275487bb89
 SHA512:
-  metadata.gz: 31e657e39efa81b9141182a75f8df3ee5cc1704a6b1ed2b8526d50ee1e361aaf7d74ed3b8a04771e323a215850051eba4b3f6f932c9808ec8cf57bc70ad894f7
-  data.tar.gz: 1dce9a11c73f7921cea57a5953b7b64b2497bb401864cc906386617f342f3792a8c360d81d6709c3538b4282b6e9462c3fb7d5a87b215cebaffc950448bf6d76
+  metadata.gz: 9522a73a0ca9b71adcc82f8d986c39a68d2c7b64f4273df5736933d1a0db43c4e9f6aa3414cfe538c99c513f2d3eeb06efb93e2624844ca9fac045b62f7a989d
+  data.tar.gz: 0f7fe8a732b905f6bf751d42e87c622412e1e446561e2e8b0ee534997d562246afbe5deef77827002f8ca3198cf07a490603aef684815ec06f38d9de836a0f6c

data/lib/fastlane/plugin/match_keystore/actions/match_keystore_action.rb

@@ -15,11 +15,21 @@ module Fastlane
 
     class MatchKeystoreAction < Action
 
+      def self.openssl_path
+        path = "/usr/local/opt/openssl@1.1/bin"
+        path
+      end
+
       def self.to_md5(value)
         hash_value = Digest::MD5.hexdigest value
         hash_value
       end
 
+      def self.sha512(value)
+        hash_value = Digest::SHA512.hexdigest value
+        hash_value
+      end
+
       def self.load_json(json_path)
         file = File.read(json_path)
         data_hash = JSON.parse(file)
@@ -66,27 +76,159 @@ module Fastlane
         build_tools_last_version
       end
       
-      def self.check_openssl_version
-        output = `openssl version`
-        if !output.start_with?("OpenSSL")
-          raise "Please install OpenSSL 1.1.1 at least https://www.openssl.org/"
+      def self.check_ssl_version(forceOpenSSL)
+        libressl_min = '2.9'
+        openssl_min = '1.1.1'
+
+        openssl = self.openssl(forceOpenSSL)
+        output = `#{openssl} version`
+        if !output.start_with?("LibreSSL") && !output.start_with?("OpenSSL")
+          raise "Please install OpenSSL '#{openssl_min}' at least OR LibreSSL #{libressl_min}' at least"
+        end
+        UI.message("SSL/TLS protocol library: '#{output.strip!}'")
+
+        # Check minimum verion:
+        vesion = output.to_str.scan(/[0-9\.]{1,}/).first
+        UI.message("SSL/TLS protocol version: '#{vesion}'")
+        if self.is_libre_ssl(forceOpenSSL)
+          if Gem::Version.new(vesion) < Gem::Version.new(libressl_min)
+            raise "Minimum version for LibreSSL is '#{libressl_min}', please update it. Use homebrew is your are Mac user, and update ~/.bah_profile or ~/.zprofile"
+          end
+        else
+          if Gem::Version.new(vesion) > Gem::Version.new(openssl_min)
+            raise "Minimum version for OpenSSL is '#{openssl_min}' please update it. Use homebrew is your are Mac user, and update ~/.bah_profile or ~/.zprofile"
+          end
         end
-        UI.message("OpenSSL version: " + output.strip)
+
+        output.strip
+      end
+
+      def self.openssl(forceOpenSSL)
+        if forceOpenSSL
+          path = openssl_path
+          output = "#{path}/openssl"
+        else
+          output = "openssl"
+        end
+        output
+      end
+
+      def self.is_libre_ssl(forceOpenSSL)
+        result = false
+        openssl = self.openssl(forceOpenSSL)
+        output = `#{openssl} version`
+        if output.start_with?("LibreSSL")
+          result = true
+        end
+        result
       end
 
       def self.gen_key(key_path, password)
         `rm -f '#{key_path}'`
-        `echo "#{password}" | openssl dgst -sha512 | awk '{print $2}' | cut -c1-128 > '#{key_path}'`
+        shaValue = self.sha512(password)
+        `echo "#{shaValue}" > '#{key_path}'`
       end
 
-      def self.encrypt_file(clear_file, encrypt_file, key_path)
+      def self.encrypt_file(clear_file, encrypt_file, key_path, forceOpenSSL)
         `rm -f '#{encrypt_file}'`
-        `openssl enc -aes-256-cbc -salt -pbkdf2 -in '#{clear_file}' -out '#{encrypt_file}' -pass file:'#{key_path}'`
+        libre_ssl = self.is_libre_ssl(forceOpenSSL)
+        openssl_bin = self.openssl(forceOpenSSL)
+        `#{openssl_bin} enc -aes-256-cbc -salt -pbkdf2 -in '#{clear_file}' -out '#{encrypt_file}' -pass file:'#{key_path}'`
       end
 
-      def self.decrypt_file(encrypt_file, clear_file, key_path)
+      def self.decrypt_file(encrypt_file, clear_file, key_path, forceOpenSSL)
         `rm -f '#{clear_file}'`
-        `openssl enc -d -aes-256-cbc -pbkdf2 -in '#{encrypt_file}' -out '#{clear_file}' -pass file:'#{key_path}'`
+        libre_ssl = self.is_libre_ssl(forceOpenSSL)
+        openssl_bin = self.openssl(forceOpenSSL)
+        `#{openssl_bin} enc -d -aes-256-cbc -pbkdf2 -in '#{encrypt_file}' -out '#{clear_file}' -pass file:'#{key_path}'`
+      end
+
+      def self.assert_equals(test_name, excepted, value)
+        puts "Unit Test: #{test_name}"
+        if value != excepted
+          puts " - Excepted: #{excepted}"
+          puts " - Returned: #{value}"
+          raise "Unit Test - #{test_name} error!"
+        else
+          puts " - OK"
+        end
+      end
+
+      def self.test_security
+
+        self.check_ssl_version(false)
+        
+        # Clear temp files
+        temp_dir = File.join(Dir.pwd, '/temp/')
+        FileUtils.rm_rf(temp_dir)
+        Dir.mkdir(temp_dir)
+
+        fakeValue = "4esfsf4dsfds!efs5ZDOJF"
+        # Check MD5
+        md5value = self.to_md5(fakeValue)
+        excepted = "1c815cd208fe08076c9e7b6595d121d1"
+        self.assert_equals("MD5", excepted, md5value)
+
+        # Check SHA-512
+        shaValue = self.sha512(fakeValue)
+        excepted = "cc6a7b0d89cc61c053f7018a305672bdb82bc07e5015f64bb063d9662be4ec81ec8afa819b009de266482b6bd56b7068def2524c32f5b5d4d9db49ee4578499d"
+        self.assert_equals("SHA-512", excepted, shaValue)
+
+        # Check SHA-512-File
+        key_path = File.join(Dir.pwd, '/temp/key.txt')
+        self.gen_key(key_path, fakeValue)
+        shaValue = self.get_file_content(key_path).strip!
+        excepted = "cc6a7b0d89cc61c053f7018a305672bdb82bc07e5015f64bb063d9662be4ec81ec8afa819b009de266482b6bd56b7068def2524c32f5b5d4d9db49ee4578499d"
+        self.assert_equals("SHA-512-File", excepted, shaValue)
+        
+
+        # Check LibreSSL
+        result = self.is_libre_ssl(false)
+        self.assert_equals("Is-LibreSSL", true, result)
+        result = self.is_libre_ssl(true)
+        self.assert_equals("Is-LibreSSL", false, result)
+
+        # Encrypt OpenSSL
+        clear_file = File.join(Dir.pwd, '/temp/clear.txt')
+        openssl_encrypt_file = File.join(Dir.pwd, '/temp/openssl_encrypted.txt')
+        self.content_to_file(clear_file, fakeValue)
+        self.encrypt_file(clear_file, openssl_encrypt_file, key_path, true)
+        result = File.file?(openssl_encrypt_file) && File.size(openssl_encrypt_file) > 10
+        self.assert_equals("Encrypt-OpenSSL", true, result)
+
+        # Encrypt LibreSSL
+        encrypt_file_libre = File.join(Dir.pwd, '/temp/libressl_encrypted.txt')
+        self.content_to_file(clear_file, fakeValue)
+        self.encrypt_file(clear_file, encrypt_file_libre, key_path, false)
+        result = File.file?(encrypt_file_libre) && File.size(encrypt_file_libre) > 10
+        self.assert_equals("Encrypt-LibreSSL", true, result)
+
+        # exit!
+
+        # Decrypt OpenSSL (from OpenSSL)
+        openssl_clear_file = File.join(Dir.pwd, '/temp/openssl_clear.txt')
+        self.decrypt_file(openssl_encrypt_file, openssl_clear_file, key_path, true)
+        decrypted = self.get_file_content(openssl_clear_file).strip!
+        self.assert_equals("Decrypt-OpenSSL", fakeValue, decrypted)
+
+        # Decrypt LibreSSL (from LibreSSL)
+        libressl_clear_file = File.join(Dir.pwd, '/temp/libressl_clear.txt')
+        self.decrypt_file(encrypt_file_libre, libressl_clear_file, key_path, false)
+        decrypted = self.get_file_content(libressl_clear_file).strip!
+        self.assert_equals("Decrypt-LibreSSL", fakeValue, decrypted)
+
+        # Decrypt LibreSSL (from OpenSSL)
+        libressl_clear_file = File.join(Dir.pwd, '/temp/libressl_from_openssl_clear.txt')
+        self.decrypt_file(openssl_encrypt_file, libressl_clear_file, key_path, false)
+        decrypted = self.get_file_content(libressl_clear_file).strip!
+        self.assert_equals("Decrypt-LibreSSL-from-OpenSSL", fakeValue, decrypted)
+
+        # Decrypt OpenSSL (from LibreSSL)
+        openssl_clear_file = File.join(Dir.pwd, '/temp/openssl_from_libressl_clear.txt')
+        self.decrypt_file(encrypt_file_libre, openssl_clear_file, key_path, true)
+        decrypted = self.get_file_content(openssl_clear_file).strip!
+        self.assert_equals("Decrypt-OpenSSL-from-LibreSSL", fakeValue, decrypted)
+
       end
 
       def self.sign_apk(apk_path, keystore_path, key_password, alias_name, alias_password, zip_align)
@@ -98,8 +240,15 @@ module Fastlane
         if zip_align == true
           apk_path_aligned = apk_path.gsub(".apk", "-aligned.apk")
           `rm -f '#{apk_path_aligned}'`
-          UI.message("Aligning APK (zipalign): #{apk_path_aligned}")
-          `#{build_tools_path}zipalign -f -v 4 '#{apk_path}' '#{apk_path_aligned}'`
+          UI.message("Aligning APK (zipalign): #{apk_path}")
+          output = `#{build_tools_path}zipalign -v 4 '#{apk_path}' '#{apk_path_aligned}'`
+          puts ""
+          puts output
+
+          if !File.file?(apk_path_aligned)
+            raise "Aligned APK not exists!"
+          end
+
         else
           UI.message("No zip align!")
           apk_path_aligned = apk_path
@@ -110,12 +259,36 @@ module Fastlane
 
         # https://developer.android.com/studio/command-line/apksigner
         `rm -f '#{apk_path_signed}'`
-        `#{build_tools_path}apksigner sign --ks '#{keystore_path}' --ks-key-alias '#{alias_name}' --ks-pass pass:'#{key_password}' --key-pass pass:'#{alias_password}' --v1-signing-enabled true --v2-signing-enabled true --out '#{apk_path_signed}' '#{apk_path_aligned}'`
-        
-        `#{build_tools_path}apksigner verify '#{apk_path_signed}'`
+        UI.message("Signing APK: #{apk_path_aligned}")
+        output = `#{build_tools_path}apksigner sign --ks '#{keystore_path}' --ks-key-alias '#{alias_name}' --ks-pass pass:'#{key_password}' --key-pass pass:'#{alias_password}' --v1-signing-enabled true --v2-signing-enabled true --v4-signing-enabled false --out '#{apk_path_signed}' '#{apk_path_aligned}'`
+        puts ""
+        puts output
+
+        UI.message("Verifing APK signature: #{apk_path_signed}")
+        output = `#{build_tools_path}apksigner verify '#{apk_path_signed}'`
+        puts ""
+        puts output
         `rm -f '#{apk_path_aligned}'`
 
         apk_path_signed
+      end 
+
+      def self.resolve_dir(path)
+        if !File.directory?(path)
+          path = File.join(Dir.pwd, path)
+        end
+        path
+      end
+
+      def self.resolve_file(path)
+        if !File.file?(path)
+          path = File.join(Dir.pwd, path)
+        end
+        path
+      end
+
+      def self.content_to_file(file_path, content)
+        `echo #{content} > #{file_path}`
       end
 
       def self.get_file_content(file_path)
@@ -132,9 +305,7 @@ module Fastlane
 
         if !apk_path.to_s.end_with?(".apk") 
 
-          if !File.directory?(apk_path)
-            apk_path = File.join(Dir.pwd, apk_path)
-          end
+          apk_path = self.resolve_dir(apk_path)
 
           pattern = File.join(apk_path, '*.apk')
           files = Dir[pattern]
@@ -147,11 +318,7 @@ module Fastlane
           end
 
         else
-
-          if !File.file?(apk_path)
-            apk_path = File.join(Dir.pwd, apk_path)
-          end
-
+          apk_path = self.resolve_file(apk_path)
         end
         
         apk_path
@@ -177,6 +344,14 @@ module Fastlane
         match_secret = params[:match_secret]
         override_keystore = params[:override_keystore]
         keystore_data = params[:keystore_data]
+        clear_keystore = params[:clear_keystore]
+        unit_test = params[:unit_test]
+
+        # Test OpenSSL/LibreSSL
+        if unit_test
+          result_test = self.test_security
+          exit!
+        end
 
         # Init constants:
         keystore_name = 'keystore.jks'
@@ -192,7 +367,7 @@ module Fastlane
         end
 
         # Check OpenSSL:
-        self.check_openssl_version
+        self.check_ssl_version(false)
 
         # Init workign local directory:
         dir_name = ENV['HOME'] + '/.match_keystore'
@@ -222,14 +397,30 @@ module Fastlane
           raise "The security key '#{key_name}' is malformed, or not initialized!"
         end
 
-        # Create repo directory to sync remote Keystores repository:
+        # Clear repo Keystore (local) - mostly for testing:
         repo_dir = File.join(dir_name, self.to_md5(git_url))
-        # UI.message(repo_dir)
+        if clear_keystore && File.directory?(repo_dir)
+          FileUtils.rm_rf(repo_dir)
+          UI.message("Local repo keystore (#{repo_dir}) directory deleted!")
+        end
+
+        # Create repo directory to sync remote Keystores repository:
         unless File.directory?(repo_dir)
           UI.message("Creating 'repo' directory...")
           FileUtils.mkdir_p(repo_dir)
         end
 
+        # Check if package name defined:
+        if package_name.to_s.strip.empty?
+          raise "Package name is not defined!"
+        end
+
+        # Define paths:
+        keystoreAppDir = File.join(repo_dir, package_name)
+        keystore_path = File.join(keystoreAppDir, keystore_name)
+        properties_path = File.join(keystoreAppDir, properties_name)
+        properties_encrypt_path = File.join(keystoreAppDir, properties_encrypt_name)
+
         # Cloning/pulling GIT remote repository:
         gitDir = File.join(repo_dir, '/.git')
         if !File.directory?(gitDir)
@@ -244,20 +435,6 @@ module Fastlane
           puts ''
         end
 
-        # Create sub-directory for Android app:
-        if package_name.to_s.strip.empty?
-          raise "Package name is not defined!"
-        end
-        keystoreAppDir = File.join(repo_dir, package_name)
-        unless File.directory?(keystoreAppDir)
-          UI.message("Creating '#{package_name}' keystore directory...")
-          FileUtils.mkdir_p(keystoreAppDir)
-        end
-
-        keystore_path = File.join(keystoreAppDir, keystore_name)
-        properties_path = File.join(keystoreAppDir, properties_name)
-        properties_encrypt_path = File.join(keystoreAppDir, properties_encrypt_name)
-
         # Load parameters from JSON for CI or Unit Tests:
         if keystore_data != nil && File.file?(keystore_data)
           data_json = self.load_json(keystore_data)
@@ -274,6 +451,7 @@ module Fastlane
 
         # Create keystore with command
         override_keystore = !existing_keystore.to_s.strip.empty? && File.file?(existing_keystore)
+        UI.message("Existing Keystore: #{existing_keystore}")
         if !File.file?(keystore_path) || override_keystore 
 
           if File.file?(keystore_path)
@@ -294,7 +472,7 @@ module Fastlane
           end
 
           # https://developer.android.com/studio/publish/app-signing
-          if !File.file?(existing_keystore)
+          if existing_keystore.to_s.strip.empty? || !File.file?(existing_keystore)
             UI.message("Generating Android Keystore...")
             
             full_name = self.prompt2(text: "Certificate First and Last Name: ", value: data_full_name)
@@ -335,7 +513,7 @@ module Fastlane
           out_file.puts("aliasPassword=#{alias_password}")
           out_file.close
 
-          self.encrypt_file(properties_path, properties_encrypt_path, key_path)
+          self.encrypt_file(properties_path, properties_encrypt_path, key_path, false)
           File.delete(properties_path)
 
           # Print Keystore data in repo:
@@ -352,7 +530,7 @@ module Fastlane
         else  
           UI.message "Keystore file already exists, continue..."
 
-          self.decrypt_file(properties_encrypt_path, properties_path, key_path)
+          self.decrypt_file(properties_encrypt_path, properties_path, key_path, false)
 
           properties = self.load_properties(properties_path)
           key_password = properties['keyPassword']
@@ -457,7 +635,17 @@ module Fastlane
                                    env_name: "MATCH_KEYSTORE_JSON_PATH",
                                 description: "Required data to import an existing keystore, or create a new one",
                                    optional: true,
-                                       type: String)
+                                       type: String),
+          FastlaneCore::ConfigItem.new(key: :clear_keystore,
+                                   env_name: "MATCH_KEYSTORE_CLEAR",
+                                description: "Clear the local keystore (false by default)",
+                                   optional: true,
+                                       type: Boolean),
+          FastlaneCore::ConfigItem.new(key: :unit_test,
+                                  env_name: "MATCH_KEYSTORE_UNIT_TESTS",
+                                description: "launch Unit Tests (false by default)",
+                                  optional: true,
+                                      type: Boolean)
         ]
       end
 

data/lib/fastlane/plugin/match_keystore/version.rb

@@ -1,5 +1,5 @@
 module Fastlane
   module MatchKeystore
-    VERSION = "0.1.14"
+    VERSION = "0.1.15"
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: fastlane-plugin-match_keystore
 version: !ruby/object:Gem::Version
-  version: 0.1.14
+  version: 0.1.15
 platform: ruby
 authors:
 - Christopher NEY
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-09-07 00:00:00.000000000 Z
+date: 2020-09-08 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: pry