fastlane-plugin-secrets_manager_storage 1.0.0 → 1.1.1
Sign up to get free protection for your applications and to get access to all the features.
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: c9b69ff500f148a9edeeb146cfa5e3ffba6dce103bedf4d3cd16786585ea9877
|
|
4
|
+
data.tar.gz: '03019b799cbefa7ffed66fbbe7d9dc0c723a9569710c50825ec21aec15e6836b'
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 0cd28afc80d5851792f1eacd8c52a9606d7d8770bf5e6d0de21c6276c3abbcab464abdceab66a9b3047724a43fabda8f26bf73e2e8e80299a6e34309e3f770ca
|
|
7
|
+
data.tar.gz: 9683290a4bbfe3e6e76a66b616daff855f137a6aeb994a335d87b9a9e2b518a8cc384c721c8cd6614aaec46e6824921a612ad41b46d997ef00be521d0a333512
|
data/README.md
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
# Secrets Manager Storage
|
|
2
2
|
|
|
3
|
-
This plugin enables Fastlane users to store their provisioning profiles and
|
|
3
|
+
This plugin enables Fastlane users to store their provisioning profiles and signing keys securely in
|
|
4
4
|
AWS Secrets Manager by adding a `secrets_manager` storage backend to Fastlane match.
|
|
5
5
|
|
|
6
6
|
[![Build Status][ci-image]][ci-url] [![License][license-image]][license-url]
|
|
@@ -9,15 +9,16 @@ AWS Secrets Manager by adding a `secrets_manager` storage backend to Fastlane ma
|
|
|
9
9
|
|
|
10
10
|
Reasons to use this (compared to the git or s3 backend):
|
|
11
11
|
|
|
12
|
-
-
|
|
12
|
+
- your signing keys are stored securley (always encrypted) by default
|
|
13
13
|
- all access is controlled via AWS IAM and is fine-grained:
|
|
14
14
|
- users can be granted access to review the secret's metadata separate from the ability to read
|
|
15
15
|
the actual, unencrypted values
|
|
16
16
|
- no need to manage a `MATCH_PASSWORD` – just use your existing AWS access controls
|
|
17
|
-
- all access to the decrypted
|
|
18
|
-
access
|
|
17
|
+
- all access to the decrypted keys is logged into AWS CloudTrail, providing an audit-trail to access
|
|
19
18
|
- Secret lifecycle can be tracked independently of Fastlane, enabling you to have alerts on secret
|
|
20
|
-
age by using the secret's version metadata (e.g. Created On)
|
|
19
|
+
age by using the secret's version metadata (e.g. Created On). **This is interesting because Apple
|
|
20
|
+
provides no means of being notified about certificate expiration**.
|
|
21
|
+
- certificates and mobileprovision Secrets will be tagged with `ExpiresOn` and other metadata
|
|
21
22
|
|
|
22
23
|
> :information_source: Fastlane plugins are only automatically loaded when using a Fastfile. This
|
|
23
24
|
> means that using a Matchfile or `fastlane match` commands will not work with this storage backing.
|
|
@@ -188,6 +188,7 @@ module Fastlane
|
|
|
188
188
|
|
|
189
189
|
def create_or_update_secret(current_file, secret_name)
|
|
190
190
|
full_secret_path = generate_secret_path(secret_name)
|
|
191
|
+
secret_specific_tags = generate_tags_for_secret(current_file)
|
|
191
192
|
begin
|
|
192
193
|
@client.describe_secret(secret_id: full_secret_path)
|
|
193
194
|
UI.verbose("Secret '#{secret_name}' already exists, updating...")
|
|
@@ -195,12 +196,18 @@ module Fastlane
|
|
|
195
196
|
secret_id: full_secret_path,
|
|
196
197
|
secret_binary: IO.binread(current_file),
|
|
197
198
|
)
|
|
199
|
+
unless secret_specific_tags.empty?
|
|
200
|
+
@client.tag_resource(
|
|
201
|
+
secret_id: full_secret_path,
|
|
202
|
+
tags: convert_hash_to_array_of_key_values(secret_specific_tags),
|
|
203
|
+
)
|
|
204
|
+
end
|
|
198
205
|
rescue Aws::SecretsManager::Errors::ResourceNotFoundException
|
|
199
206
|
UI.verbose("Secret '#{secret_name}' doesn't exist, creating...")
|
|
200
207
|
@client.create_secret(
|
|
201
208
|
name: full_secret_path,
|
|
202
209
|
secret_binary: File.open(current_file, "rb").read,
|
|
203
|
-
tags:
|
|
210
|
+
tags: convert_hash_to_array_of_key_values(tags.merge(secret_specific_tags)),
|
|
204
211
|
)
|
|
205
212
|
end
|
|
206
213
|
end
|
|
@@ -213,14 +220,48 @@ module Fastlane
|
|
|
213
220
|
|
|
214
221
|
private
|
|
215
222
|
|
|
223
|
+
def generate_tags_for_secret(secret_file)
|
|
224
|
+
return {} unless File.file?(secret_file)
|
|
225
|
+
|
|
226
|
+
expiry = nil
|
|
227
|
+
secret_specific_tags = {}
|
|
228
|
+
case File.extname(secret_file)
|
|
229
|
+
when ".p12"
|
|
230
|
+
# not sure how to get expiry of the cert
|
|
231
|
+
when ".cer"
|
|
232
|
+
cert_info = Match::Utils.get_cert_info(secret_file)
|
|
233
|
+
secret_specific_tags["Name"] = cert_info
|
|
234
|
+
.find { |attribute| attribute.first == "Common Name" }
|
|
235
|
+
.last
|
|
236
|
+
.gsub(/[^a-zA-Z0-9_ .:\/=+-]/, "")
|
|
237
|
+
expiry = cert_info.find { |attribute| attribute.first == "End Datetime" }.last
|
|
238
|
+
when ".mobileprovision"
|
|
239
|
+
secret_specific_tags[
|
|
240
|
+
"Name"
|
|
241
|
+
] = `/usr/libexec/PlistBuddy -c 'Print Name' /dev/stdin <<< $(security cms -D -i "#{secret_file}")`.chomp.strip
|
|
242
|
+
secret_specific_tags[
|
|
243
|
+
"AppIDName"
|
|
244
|
+
] = `/usr/libexec/PlistBuddy -c 'Print AppIDName' /dev/stdin <<< $(security cms -D -i "#{secret_file}")`.chomp.strip
|
|
245
|
+
secret_specific_tags[
|
|
246
|
+
"AppIdentifier"
|
|
247
|
+
] = `/usr/libexec/PlistBuddy -c 'Print Entitlements:application-identifier' /dev/stdin <<< $(security cms -D -i "#{secret_file}")`.chomp.strip
|
|
248
|
+
expiry =
|
|
249
|
+
DateTime.parse(
|
|
250
|
+
`/usr/libexec/PlistBuddy -c 'Print ExpirationDate' /dev/stdin <<< $(security cms -D -i "#{secret_file}")`.chomp.strip,
|
|
251
|
+
)
|
|
252
|
+
end
|
|
253
|
+
secret_specific_tags["ExpiresOn"] = expiry.strftime("%Y-%m-%dT%H:%M:%SZ") if expiry
|
|
254
|
+
secret_specific_tags
|
|
255
|
+
end
|
|
256
|
+
|
|
216
257
|
def generate_secret_path(secret_name)
|
|
217
258
|
prefix = path_prefix
|
|
218
259
|
prefix += "/" unless secret_name.start_with?("/")
|
|
219
260
|
"#{prefix}#{secret_name}"
|
|
220
261
|
end
|
|
221
262
|
|
|
222
|
-
def
|
|
223
|
-
|
|
263
|
+
def convert_hash_to_array_of_key_values(tags_as_ruby_hash)
|
|
264
|
+
tags_as_ruby_hash.map { |key, value| { key: key, value: value } }
|
|
224
265
|
end
|
|
225
266
|
|
|
226
267
|
def with_aws_authentication_error_handling
|
|
@@ -23,7 +23,7 @@ Match::Options.append_option(
|
|
|
23
23
|
description: "The prefix to be used for all Secrets Manager Secrets",
|
|
24
24
|
optional: true,
|
|
25
25
|
type: String,
|
|
26
|
-
)
|
|
26
|
+
),
|
|
27
27
|
)
|
|
28
28
|
Match::Options.append_option(
|
|
29
29
|
FastlaneCore::ConfigItem.new(
|
|
@@ -32,7 +32,7 @@ Match::Options.append_option(
|
|
|
32
32
|
description: "tags which are used when creating a new secret in Secrets Manager",
|
|
33
33
|
optional: true,
|
|
34
34
|
type: Hash,
|
|
35
|
-
)
|
|
35
|
+
),
|
|
36
36
|
)
|
|
37
37
|
Match::Options.append_option(
|
|
38
38
|
FastlaneCore::ConfigItem.new(
|
|
@@ -41,7 +41,7 @@ Match::Options.append_option(
|
|
|
41
41
|
description: "The prefix to be used for all Secrets Manager Secrets",
|
|
42
42
|
optional: true,
|
|
43
43
|
type: String,
|
|
44
|
-
)
|
|
44
|
+
),
|
|
45
45
|
)
|
|
46
46
|
|
|
47
47
|
# Fastlane will complain if a plugin doesn't include any actions. Thus, we have to include an action in the right way
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: fastlane-plugin-secrets_manager_storage
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.
|
|
4
|
+
version: 1.1.1
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Case Taintor
|
|
8
|
-
autorequire:
|
|
8
|
+
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date:
|
|
11
|
+
date: 2025-01-27 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: aws-sdk-secretsmanager
|
|
@@ -24,7 +24,7 @@ dependencies:
|
|
|
24
24
|
- - "~>"
|
|
25
25
|
- !ruby/object:Gem::Version
|
|
26
26
|
version: '1.0'
|
|
27
|
-
description:
|
|
27
|
+
description:
|
|
28
28
|
email: case.taintor@klarna.com
|
|
29
29
|
executables: []
|
|
30
30
|
extensions: []
|
|
@@ -41,7 +41,7 @@ licenses:
|
|
|
41
41
|
- Apache-2.0
|
|
42
42
|
metadata:
|
|
43
43
|
rubygems_mfa_required: 'true'
|
|
44
|
-
post_install_message:
|
|
44
|
+
post_install_message:
|
|
45
45
|
rdoc_options: []
|
|
46
46
|
require_paths:
|
|
47
47
|
- lib
|
|
@@ -56,8 +56,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
56
56
|
- !ruby/object:Gem::Version
|
|
57
57
|
version: '0'
|
|
58
58
|
requirements: []
|
|
59
|
-
rubygems_version: 3.
|
|
60
|
-
signing_key:
|
|
59
|
+
rubygems_version: 3.0.3.1
|
|
60
|
+
signing_key:
|
|
61
61
|
specification_version: 4
|
|
62
62
|
summary: Enables fastlane match to use AWS Secrets Manager as backing storage
|
|
63
63
|
test_files: []
|