fastlane-plugin-secrets_manager_storage 1.0.0 → 1.1.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: c6a3a917118758a6ec5691982284ab3bc62b02fe72ad11737e50de95531d9214
-  data.tar.gz: 33732acf2e3e32a3158ac0c1be29e2c4a5cb906d19b47bc609a0f221db4af0d2
+  metadata.gz: c9b69ff500f148a9edeeb146cfa5e3ffba6dce103bedf4d3cd16786585ea9877
+  data.tar.gz: '03019b799cbefa7ffed66fbbe7d9dc0c723a9569710c50825ec21aec15e6836b'
 SHA512:
-  metadata.gz: c71eaeda131b692b41f01a4b5f4e198dffd8c55eeb055314d067928a6fc6b89690a3f1c06626370b48091ca20f1d43ca1dc3ebb12a1593bbfee6dd0ad8cfbb73
-  data.tar.gz: 5574fd8adcf85f0bebddd7628792b6e025c4fb78830b3555091f96c8139f40ca7d719fd62013d9a263fee7551897cff26d76473d202087568ae8d2e090a7e7e6
+  metadata.gz: 0cd28afc80d5851792f1eacd8c52a9606d7d8770bf5e6d0de21c6276c3abbcab464abdceab66a9b3047724a43fabda8f26bf73e2e8e80299a6e34309e3f770ca
+  data.tar.gz: 9683290a4bbfe3e6e76a66b616daff855f137a6aeb994a335d87b9a9e2b518a8cc384c721c8cd6614aaec46e6824921a612ad41b46d997ef00be521d0a333512

data/README.md

@@ -1,6 +1,6 @@
 # Secrets Manager Storage
 
-This plugin enables Fastlane users to store their provisioning profiles and certificates securely in
+This plugin enables Fastlane users to store their provisioning profiles and signing keys securely in
 AWS Secrets Manager by adding a `secrets_manager` storage backend to Fastlane match.
 
 [![Build Status][ci-image]][ci-url] [![License][license-image]][license-url]
@@ -9,15 +9,16 @@ AWS Secrets Manager by adding a `secrets_manager` storage backend to Fastlane ma
 
 Reasons to use this (compared to the git or s3 backend):
 
-- certificates are stored securley (always encrypted) by default
+- your signing keys are stored securley (always encrypted) by default
 - all access is controlled via AWS IAM and is fine-grained:
   - users can be granted access to review the secret's metadata separate from the ability to read
     the actual, unencrypted values
   - no need to manage a `MATCH_PASSWORD` – just use your existing AWS access controls
-- all access to the decrypted secrets is logged into AWS CloudTrail, providing an audit-trail to
-  access
+- all access to the decrypted keys is logged into AWS CloudTrail, providing an audit-trail to access
 - Secret lifecycle can be tracked independently of Fastlane, enabling you to have alerts on secret
-  age by using the secret's version metadata (e.g. Created On)
+  age by using the secret's version metadata (e.g. Created On). **This is interesting because Apple
+  provides no means of being notified about certificate expiration**.
+  - certificates and mobileprovision Secrets will be tagged with `ExpiresOn` and other metadata
 
 > :information_source: Fastlane plugins are only automatically loaded when using a Fastfile. This
 > means that using a Matchfile or `fastlane match` commands will not work with this storage backing.

data/lib/fastlane/plugin/secrets_manager_storage/storage.rb

@@ -188,6 +188,7 @@ module Fastlane
 
       def create_or_update_secret(current_file, secret_name)
         full_secret_path = generate_secret_path(secret_name)
+        secret_specific_tags = generate_tags_for_secret(current_file)
         begin
           @client.describe_secret(secret_id: full_secret_path)
           UI.verbose("Secret '#{secret_name}' already exists, updating...")
@@ -195,12 +196,18 @@ module Fastlane
             secret_id: full_secret_path,
             secret_binary: IO.binread(current_file),
           )
+          unless secret_specific_tags.empty?
+            @client.tag_resource(
+              secret_id: full_secret_path,
+              tags: convert_hash_to_array_of_key_values(secret_specific_tags),
+            )
+          end
         rescue Aws::SecretsManager::Errors::ResourceNotFoundException
           UI.verbose("Secret '#{secret_name}' doesn't exist, creating...")
           @client.create_secret(
             name: full_secret_path,
             secret_binary: File.open(current_file, "rb").read,
-            tags: generate_tags_in_aws_format(tags),
+            tags: convert_hash_to_array_of_key_values(tags.merge(secret_specific_tags)),
           )
         end
       end
@@ -213,14 +220,48 @@ module Fastlane
 
       private
 
+      def generate_tags_for_secret(secret_file)
+        return {} unless File.file?(secret_file)
+
+        expiry = nil
+        secret_specific_tags = {}
+        case File.extname(secret_file)
+        when ".p12"
+          # not sure how to get expiry of the cert
+        when ".cer"
+          cert_info = Match::Utils.get_cert_info(secret_file)
+          secret_specific_tags["Name"] = cert_info
+            .find { |attribute| attribute.first == "Common Name" }
+            .last
+            .gsub(/[^a-zA-Z0-9_ .:\/=+-]/, "")
+          expiry = cert_info.find { |attribute| attribute.first == "End Datetime" }.last
+        when ".mobileprovision"
+          secret_specific_tags[
+            "Name"
+          ] = `/usr/libexec/PlistBuddy -c 'Print Name' /dev/stdin <<< $(security cms -D -i "#{secret_file}")`.chomp.strip
+          secret_specific_tags[
+            "AppIDName"
+          ] = `/usr/libexec/PlistBuddy -c 'Print AppIDName' /dev/stdin <<< $(security cms -D -i "#{secret_file}")`.chomp.strip
+          secret_specific_tags[
+            "AppIdentifier"
+          ] = `/usr/libexec/PlistBuddy -c 'Print Entitlements:application-identifier' /dev/stdin <<< $(security cms -D -i "#{secret_file}")`.chomp.strip
+          expiry =
+            DateTime.parse(
+              `/usr/libexec/PlistBuddy -c 'Print ExpirationDate' /dev/stdin <<< $(security cms -D -i "#{secret_file}")`.chomp.strip,
+            )
+        end
+        secret_specific_tags["ExpiresOn"] = expiry.strftime("%Y-%m-%dT%H:%M:%SZ") if expiry
+        secret_specific_tags
+      end
+
       def generate_secret_path(secret_name)
         prefix = path_prefix
         prefix += "/" unless secret_name.start_with?("/")
         "#{prefix}#{secret_name}"
       end
 
-      def generate_tags_in_aws_format(tags)
-        tags.map { |key, value| { key: key, value: value } }
+      def convert_hash_to_array_of_key_values(tags_as_ruby_hash)
+        tags_as_ruby_hash.map { |key, value| { key: key, value: value } }
       end
 
       def with_aws_authentication_error_handling

data/lib/fastlane/plugin/secrets_manager_storage/version.rb

@@ -1,5 +1,5 @@
 module Fastlane
   module SecretsManagerStorage
-    VERSION = "1.0.0"
+    VERSION = "1.1.1"
   end
 end

data/lib/fastlane/plugin/secrets_manager_storage.rb

@@ -23,7 +23,7 @@ Match::Options.append_option(
     description: "The prefix to be used for all Secrets Manager Secrets",
     optional: true,
     type: String,
-  )
+  ),
 )
 Match::Options.append_option(
   FastlaneCore::ConfigItem.new(
@@ -32,7 +32,7 @@ Match::Options.append_option(
     description: "tags which are used when creating a new secret in Secrets Manager",
     optional: true,
     type: Hash,
-  )
+  ),
 )
 Match::Options.append_option(
   FastlaneCore::ConfigItem.new(
@@ -41,7 +41,7 @@ Match::Options.append_option(
     description: "The prefix to be used for all Secrets Manager Secrets",
     optional: true,
     type: String,
-  )
+  ),
 )
 
 # Fastlane will complain if a plugin doesn't include any actions. Thus, we have to include an action in the right way

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: fastlane-plugin-secrets_manager_storage
 version: !ruby/object:Gem::Version
-  version: 1.0.0
+  version: 1.1.1
 platform: ruby
 authors:
 - Case Taintor
-autorequire:
+autorequire: 
 bindir: bin
 cert_chain: []
-date: 2024-02-12 00:00:00.000000000 Z
+date: 2025-01-27 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aws-sdk-secretsmanager
@@ -24,7 +24,7 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '1.0'
-description:
+description: 
 email: case.taintor@klarna.com
 executables: []
 extensions: []
@@ -41,7 +41,7 @@ licenses:
 - Apache-2.0
 metadata:
   rubygems_mfa_required: 'true'
-post_install_message:
+post_install_message: 
 rdoc_options: []
 require_paths:
 - lib
@@ -56,8 +56,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.4.10
-signing_key:
+rubygems_version: 3.0.3.1
+signing_key: 
 specification_version: 4
 summary: Enables fastlane match to use AWS Secrets Manager as backing storage
 test_files: []