fastlane 2.105.2 → 2.106.0

data/match/lib/match/commands_generator.rb

@@ -2,13 +2,16 @@ require 'commander'
 
 require 'fastlane_core/configuration/configuration'
 require_relative 'module'
+
 require_relative 'nuke'
-require_relative 'git_helper'
 require_relative 'change_password'
 require_relative 'setup'
 require_relative 'runner'
 require_relative 'options'
 
+require_relative 'storage'
+require_relative 'encryption'
+
 HighLine.track_eof = false
 
 module Match
@@ -96,7 +99,7 @@ module Match
           params.load_configuration_file("Matchfile")
 
           Match::ChangePassword.update(params: params)
-          UI.success("Successfully changed the password. Make sure to update the password on all your clients and servers")
+          UI.success("Successfully changed the password. Make sure to update the password on all your clients and servers by running `fastlane match [environment]`")
         end
       end
 
@@ -109,11 +112,21 @@ module Match
         c.action do |args, options|
           params = FastlaneCore::Configuration.create(Match::Options.available_options, options.__hash__)
           params.load_configuration_file("Matchfile")
-          decrypted_repo = Match::GitHelper.clone(params[:git_url],
-                                                  params[:shallow_clone],
-                                                  branch: params[:git_branch],
-                                                  clone_branch_directly: params[:clone_branch_directly])
-          UI.success("Repo is at: '#{decrypted_repo}'")
+
+          storage = Storage.for_mode(params[:storage_mode], {
+            git_url: params[:git_url],
+            shallow_clone: params[:shallow_clone],
+            git_branch: params[:git_branch],
+            clone_branch_directly: params[:clone_branch_directly]
+          })
+          storage.download
+
+          encryption = Encryption.for_storage_mode(params[:storage_mode], {
+            git_url: params[:git_url],
+            working_directory: storage.working_directory
+          })
+          encryption.decrypt_files
+          UI.success("Repo is at: '#{storage.working_directory}'")
         end
       end
 

data/match/lib/match/encryption.rb

@@ -0,0 +1,18 @@
+require_relative 'encryption/interface'
+require_relative 'encryption/openssl'
+
+module Match
+  module Encryption
+    # Returns the class to be used for a given `storage_mode`
+    def self.for_storage_mode(storage_mode, params)
+      if storage_mode == "git"
+        params[:keychain_name] = params[:git_url]
+        return Encryption::OpenSSL.configure(params)
+      elsif storage_mode == "google_cloud"
+        # return Encryption::GoogleCloudKMS.configure(params)
+      else
+        UI.user_error!("Invalid storage mode '#{storage_mode}'")
+      end
+    end
+  end
+end

data/match/lib/match/encryption/interface.rb

@@ -0,0 +1,17 @@
+module Match
+  module Encryption
+    class Interface
+      # Call this method to trigger the actual
+      # encryption
+      def encrypt_files
+        not_implemented(__method__)
+      end
+
+      # Call this method to trigger the actual
+      # decryption
+      def decrypt_files
+        not_implemented(__method__)
+      end
+    end
+  end
+end

data/match/lib/match/encryption/openssl.rb

@@ -0,0 +1,155 @@
+require 'base64'
+require 'openssl'
+require 'securerandom'
+require 'security'
+require 'shellwords'
+
+require_relative '../module'
+require_relative '../change_password'
+
+module Match
+  module Encryption
+    class OpenSSL < Interface
+      attr_accessor :keychain_name
+
+      attr_accessor :working_directory
+
+      def self.configure(params)
+        return self.new(
+          keychain_name: params[:keychain_name],
+          working_directory: params[:working_directory]
+        )
+      end
+
+      # @param keychain_name: The identifier used to store the passphrase in the Keychain
+      # @param working_directory: The path to where the certificates are stored
+      def initialize(keychain_name: nil, working_directory: nil)
+        self.keychain_name = keychain_name
+        self.working_directory = working_directory
+      end
+
+      def encrypt_files
+        iterate(self.working_directory) do |current|
+          encrypt_specific_file(path: current, password: password)
+          UI.success("🔒  Encrypted '#{File.basename(current)}'") if FastlaneCore::Globals.verbose?
+        end
+        UI.success("🔒  Successfully encrypted certificates repo")
+      end
+
+      def decrypt_files
+        iterate(self.working_directory) do |current|
+          begin
+            decrypt_specific_file(path: current, password: password)
+          rescue => ex
+            UI.verbose(ex.to_s)
+            UI.error("Couldn't decrypt the repo, please make sure you enter the right password!")
+            UI.user_error!("Invalid password passed via 'MATCH_PASSWORD'") if ENV["MATCH_PASSWORD"]
+            clear_password
+            self.decrypt_files # call itself
+            return
+          end
+          UI.success("🔓  Decrypted '#{File.basename(current)}'") if FastlaneCore::Globals.verbose?
+        end
+        UI.success("🔓  Successfully decrypted certificates repo")
+      end
+
+      def store_password(password)
+        Security::InternetPassword.add(server_name(self.keychain_name), "", password)
+      end
+
+      # removes the password from the keychain again
+      def clear_password
+        Security::InternetPassword.delete(server: server_name(self.keychain_name))
+      end
+
+      private
+
+      def iterate(source_path)
+        Dir[File.join(source_path, "**", "*.{cer,p12,mobileprovision}")].each do |path|
+          next if File.directory?(path)
+          yield(path)
+        end
+      end
+
+      # server name used for accessing the macOS keychain
+      def server_name(keychain_name)
+        ["match", keychain_name].join("_")
+      end
+
+      # Access the MATCH_PASSWORD, either from ENV variable, Keychain or user input
+      def password
+        password = ENV["MATCH_PASSWORD"]
+        unless password
+          item = Security::InternetPassword.find(server: server_name(self.keychain_name))
+          password = item.password if item
+        end
+
+        unless password
+          if !UI.interactive?
+            UI.error("Neither the MATCH_PASSWORD environment variable nor the local keychain contained a password.")
+            UI.error("Bailing out instead of asking for a password, since this is non-interactive mode.")
+            UI.user_error!("Try setting the MATCH_PASSWORD environment variable, or temporarily enable interactive mode to store a password.")
+          else
+            UI.important("Enter the passphrase that should be used to encrypt/decrypt your certificates")
+            UI.important("This passphrase is specific per repository and will be stored in your local keychain")
+            UI.important("Make sure to remember the password, as you'll need it when you run match on a different machine")
+            password = ChangePassword.ask_password(confirm: true)
+            store_password(password)
+          end
+        end
+
+        return password
+      end
+
+      # We encrypt with MD5 because that was the most common default value in older fastlane versions which used the local OpenSSL installation
+      # A more secure key and IV generation is needed in the future
+      # IV should be randomly generated and provided unencrypted
+      # salt should be randomly generated and provided unencrypted (like in the current implementation)
+      # key should be generated with OpenSSL::KDF::pbkdf2_hmac with properly chosen parameters
+      # Short explanation about salt and IV: https://stackoverflow.com/a/1950674/6324550
+      def encrypt_specific_file(path: nil, password: nil)
+        UI.user_error!("No password supplied") if password.to_s.strip.length == 0
+
+        data_to_encrypt = File.read(path)
+        salt = SecureRandom.random_bytes(8)
+
+        # The :: is important, as there is a name clash
+        cipher = ::OpenSSL::Cipher.new('AES-256-CBC')
+        cipher.encrypt
+        cipher.pkcs5_keyivgen(password, salt, 1, "MD5")
+        encrypted_data = "Salted__" + salt + cipher.update(data_to_encrypt) + cipher.final
+
+        File.write(path, Base64.encode64(encrypted_data))
+      rescue FastlaneCore::Interface::FastlaneError
+        raise
+      rescue => error
+        UI.error(error.to_s)
+        UI.crash!("Error encrypting '#{path}'")
+      end
+
+      # The encryption parameters in this implementations reflect the old behaviour which depended on the users' local OpenSSL version
+      # 1.0.x OpenSSL and earlier versions use MD5, 1.1.0c and newer uses SHA256, we try both before giving an error
+      def decrypt_specific_file(path: nil, password: nil, hash_algorithm: "MD5")
+        stored_data = Base64.decode64(File.read(path))
+        salt = stored_data[8..15]
+        data_to_decrypt = stored_data[16..-1]
+
+        decipher = ::OpenSSL::Cipher.new('AES-256-CBC')
+        decipher.decrypt
+        decipher.pkcs5_keyivgen(password, salt, 1, hash_algorithm)
+
+        decrypted_data = decipher.update(data_to_decrypt) + decipher.final
+
+        File.binwrite(path, decrypted_data)
+      rescue => error
+        fallback_hash_algorithm = "SHA256"
+        if hash_algorithm != fallback_hash_algorithm
+          decrypt_specific_file(path, password, fallback_hash_algorithm)
+        else
+          UI.error(error.to_s)
+          UI.crash!("Error decrypting '#{path}'")
+        end
+      end
+    end
+  end
+end

data/match/lib/match/generator.rb

@@ -3,11 +3,11 @@ require_relative 'module'
 module Match
   # Generate missing resources
   class Generator
-    def self.generate_certificate(params, cert_type)
+    def self.generate_certificate(params, cert_type, working_directory)
       require 'cert/runner'
       require 'cert/options'
 
-      output_path = File.join(params[:workspace], "certs", cert_type.to_s)
+      output_path = File.join(working_directory, "certs", cert_type.to_s)
 
       arguments = FastlaneCore::Configuration.create(Cert::Options.available_options, {
         development: params[:type] == "development",
@@ -32,7 +32,7 @@ module Match
       end
 
       # We don't care about the signing request
-      Dir[File.join(params[:workspace], "**", "*.certSigningRequest")].each { |path| File.delete(path) }
+      Dir[File.join(working_directory, "**", "*.certSigningRequest")].each { |path| File.delete(path) }
 
       # we need to return the path
       # Inside this directory, there is the `.p12` file and the `.cer` file with the same name, but different extension
@@ -40,7 +40,7 @@ module Match
     end
 
     # @return (String) The UUID of the newly generated profile
-    def self.generate_provisioning_profile(params: nil, prov_type: nil, certificate_id: nil, app_identifier: nil)
+    def self.generate_provisioning_profile(params: nil, prov_type: nil, certificate_id: nil, app_identifier: nil, working_directory: nil)
       require 'sigh/manager'
       require 'sigh/options'
 
@@ -56,7 +56,7 @@ module Match
 
       values = {
         app_identifier: app_identifier,
-        output_path: File.join(params[:workspace], "profiles", prov_type.to_s),
+        output_path: File.join(working_directory, "profiles", prov_type.to_s),
         username: params[:username],
         force: true,
         cert_id: certificate_id,

data/match/lib/match/module.rb

@@ -4,12 +4,16 @@ module Match
   Helper = FastlaneCore::Helper # you gotta love Ruby: Helper.* should use the Helper class contained in FastlaneCore
   UI = FastlaneCore::UI
   ROOT = Pathname.new(File.expand_path('../../..', __FILE__))
-  DESCRIPTION = "Easily sync your certificates and profiles across your team using git"
+  DESCRIPTION = "Easily sync your certificates and profiles across your team"
 
   def self.environments
     return %w(appstore adhoc development enterprise)
   end
 
+  def self.storage_modes
+    return %w(git)
+  end
+
   def self.profile_type_sym(type)
     return type.to_sym
   end

data/match/lib/match/nuke.rb

@@ -3,8 +3,11 @@ require 'terminal-table'
 require 'spaceship'
 require 'fastlane_core/provisioning_profile'
 require 'fastlane_core/print_table'
+
 require_relative 'module'
-require_relative 'git_helper'
+
+require_relative 'storage'
+require_relative 'encryption'
 
 module Match
   class Nuke
@@ -15,22 +18,35 @@ module Match
     attr_accessor :profiles
     attr_accessor :files
 
+    attr_accessor :storage
+    attr_accessor :encryption
+
     def run(params, type: nil)
       self.params = params
       self.type = type
 
-      params[:workspace] = GitHelper.clone(params[:git_url],
-                                           params[:shallow_clone],
-                                           skip_docs: params[:skip_docs],
-                                           branch: params[:git_branch],
-                                           git_full_name: params[:git_full_name],
-                                           git_user_email: params[:git_user_email],
-                                           clone_branch_directly: params[:clone_branch_directly])
+      self.storage = Storage.for_mode(params[:storage_mode], {
+        git_url: params[:git_url],
+        shallow_clone: params[:shallow_clone],
+        skip_docs: params[:skip_docs],
+        git_branch: params[:git_branch],
+        git_full_name: params[:git_full_name],
+        git_user_email: params[:git_user_email],
+        clone_branch_directly: params[:clone_branch_directly]
+      })
+      self.storage.download
+
+      # After the download was complete
+      self.encryption = Encryption.for_storage_mode(params[:storage_mode], {
+        git_url: params[:git_url],
+        working_directory: storage.working_directory
+      })
+      self.encryption.decrypt_files
 
       had_app_identifier = self.params.fetch(:app_identifier, ask: false)
       self.params[:app_identifier] = '' # we don't really need a value here
       FastlaneCore::PrintTable.print_values(config: params,
-                                         hide_keys: [:app_identifier, :workspace],
+                                         hide_keys: [:app_identifier],
                                              title: "Summary for match nuke #{Fastlane::VERSION}")
 
       prepare_list
@@ -89,11 +105,11 @@ module Match
         self.profiles += profile_type(prov_type).all
       end
 
-      certs = Dir[File.join(params[:workspace], "**", cert_type.to_s, "*.cer")]
-      keys = Dir[File.join(params[:workspace], "**", cert_type.to_s, "*.p12")]
+      certs = Dir[File.join(self.storage.working_directory, "**", cert_type.to_s, "*.cer")]
+      keys = Dir[File.join(self.storage.working_directory, "**", cert_type.to_s, "*.p12")]
       profiles = []
       prov_types.each do |prov_type|
-        profiles += Dir[File.join(params[:workspace], "**", prov_type.to_s, "*.mobileprovision")]
+        profiles += Dir[File.join(self.storage.working_directory, "**", prov_type.to_s, "*.mobileprovision")]
       end
 
       self.files = certs + keys + profiles
@@ -119,7 +135,9 @@ module Match
         rows = self.profiles.collect do |p|
           status = p.status == 'Active' ? p.status.green : p.status.red
 
-          [p.name, p.id, status, p.type, p.expires.strftime("%Y-%m-%d")]
+          # Expires is somtimes nil
+          expires = p.expires ? p.expires.strftime("%Y-%m-%d") : nil
+          [p.name, p.id, status, p.type, expires]
         end
         puts(Terminal::Table.new({
           title: "Provisioning Profiles that are going to be revoked".green,
@@ -176,13 +194,13 @@ module Match
 
       # Now we need to commit and push all this too
       message = ["[fastlane]", "Nuked", "files", "for", type.to_s].join(" ")
-      GitHelper.commit_changes(params[:workspace], message, self.params[:git_url], params[:git_branch])
+      self.storage.save_changes!(files_to_commit: [], custom_message: message)
     end
 
     private
 
     def delete_files!
-      UI.header("Deleting #{self.files.count} files from the git repo...")
+      UI.header("Deleting #{self.files.count} files from the storage...")
 
       self.files.each do |file|
         UI.message("Deleting file '#{File.basename(file)}'...")

data/match/lib/match/options.rb

@@ -29,6 +29,17 @@ module Match
                                          UI.user_error!("Unsupported environment #{value}, must be in #{Match.environments.join(', ')}")
                                        end
                                      end),
+        FastlaneCore::ConfigItem.new(key: :storage_mode,
+                                     env_name: "MATCH_STORAGE_MODE",
+                                     description: "Define where you want to store your certificates",
+                                     is_string: true,
+                                     short_option: "-q",
+                                     default_value: 'git',
+                                     verify_block: proc do |value|
+                                       unless Match.storage_modes.include?(value)
+                                         UI.user_error!("Unsupported storage_mode #{value}, must be in #{Match.storage_modes.join(', ')}")
+                                       end
+                                     end),
         FastlaneCore::ConfigItem.new(key: :app_identifier,
                                      short_option: "-a",
                                      env_name: "MATCH_APP_IDENTIFIER",
@@ -115,18 +126,6 @@ module Match
                                      description: "Clone just the branch specified, instead of the whole repo. This requires that the branch already exists. Otherwise the command will fail",
                                      is_string: false,
                                      default_value: false),
-        FastlaneCore::ConfigItem.new(key: :workspace,
-                                     description: nil,
-                                     verify_block: proc do |value|
-                                       unless Helper.test?
-                                         if value.start_with?("/var/folders") || value.include?("tmp/") || value.include?("temp/")
-                                           # that's fine
-                                         else
-                                           UI.user_error!("Specify the `git_url` instead of the `path`")
-                                         end
-                                       end
-                                     end,
-                                     optional: true),
         FastlaneCore::ConfigItem.new(key: :force_for_new_devices,
                                      env_name: "MATCH_FORCE_FOR_NEW_DEVICES",
                                      description: "Renew the provisioning profiles if the device count on the developer portal has changed. Ignored for profile type 'appstore'",

data/match/lib/match/runner.rb

@@ -3,31 +3,45 @@ require 'fastlane_core/provisioning_profile'
 require 'fastlane_core/print_table'
 require 'spaceship/client'
 require_relative 'generator'
-require_relative 'git_helper'
 require_relative 'module'
 require_relative 'table_printer'
 require_relative 'spaceship_ensure'
 require_relative 'utils'
 
+require_relative 'storage'
+require_relative 'encryption'
+
 module Match
   class Runner
-    attr_accessor :files_to_commmit
+    attr_accessor :files_to_commit
     attr_accessor :spaceship
 
     def run(params)
-      self.files_to_commmit = []
+      self.files_to_commit = []
 
       FastlaneCore::PrintTable.print_values(config: params,
-                                         hide_keys: [:workspace],
                                              title: "Summary for match #{Fastlane::VERSION}")
 
-      params[:workspace] = GitHelper.clone(params[:git_url],
-                                           params[:shallow_clone],
-                                           skip_docs: params[:skip_docs],
-                                           branch: params[:git_branch],
-                                           git_full_name: params[:git_full_name],
-                                           git_user_email: params[:git_user_email],
-                                           clone_branch_directly: params[:clone_branch_directly])
+      # Choose the right storage and encryption implementations
+      storage = Storage.for_mode(params[:storage_mode], {
+        git_url: params[:git_url],
+        shallow_clone: params[:shallow_clone],
+        skip_docs: params[:skip_docs],
+        git_branch: params[:git_branch],
+        git_full_name: params[:git_full_name],
+        git_user_email: params[:git_user_email],
+        clone_branch_directly: params[:clone_branch_directly],
+        type: params[:type].to_s,
+        platform: params[:platform].to_s
+      })
+      storage.download
+
+      # Init the encryption only after the `storage.download` was called to have the right working directory
+      encryption = Encryption.for_storage_mode(params[:storage_mode], {
+        git_url: params[:git_url],
+        working_directory: storage.working_directory
+      })
+      encryption.decrypt_files
 
       unless params[:readonly]
         self.spaceship = SpaceshipEnsure.new(params[:username], params[:team_id], params[:team_name])
@@ -54,7 +68,7 @@ module Match
       end
 
       # Certificate
-      cert_id = fetch_certificate(params: params)
+      cert_id = fetch_certificate(params: params, working_directory: storage.working_directory)
       spaceship.certificate_exists(username: params[:username], certificate_id: cert_id) if spaceship
 
       # Provisioning Profiles
@@ -62,14 +76,19 @@ module Match
         loop do
           break if fetch_provisioning_profile(params: params,
                                       certificate_id: cert_id,
-                                      app_identifier: app_identifier)
+                                      app_identifier: app_identifier,
+                                   working_directory: storage.working_directory)
         end
       end
 
       # Done
-      if self.files_to_commmit.count > 0 && !params[:readonly]
-        message = GitHelper.generate_commit_message(params)
-        GitHelper.commit_changes(params[:workspace], message, params[:git_url], params[:git_branch], self.files_to_commmit)
+      if self.files_to_commit.count > 0 && !params[:readonly]
+        Dir.chdir(storage.working_directory) do
+          return if `git status`.include?("nothing to commit")
+        end
+
+        encryption.encrypt_files
+        storage.save_changes!(files_to_commit: self.files_to_commit)
       end
 
       # Print a summary table for each app_identifier
@@ -85,23 +104,23 @@ module Match
       UI.error("To do so, just pass `readonly: true` to your match call.")
       raise ex
     ensure
-      GitHelper.clear_changes
+      storage.clear_changes if storage
     end
 
-    def fetch_certificate(params: nil)
+    def fetch_certificate(params: nil, working_directory: nil)
       cert_type = Match.cert_type_sym(params[:type])
 
-      certs = Dir[File.join(params[:workspace], "certs", cert_type.to_s, "*.cer")]
-      keys = Dir[File.join(params[:workspace], "certs", cert_type.to_s, "*.p12")]
+      certs = Dir[File.join(working_directory, "certs", cert_type.to_s, "*.cer")]
+      keys = Dir[File.join(working_directory, "certs", cert_type.to_s, "*.p12")]
 
       if certs.count == 0 || keys.count == 0
         UI.important("Couldn't find a valid code signing identity in the git repo for #{cert_type}... creating one for you now")
         UI.crash!("No code signing identity found and can not create a new one because you enabled `readonly`") if params[:readonly]
-        cert_path = Generator.generate_certificate(params, cert_type)
+        cert_path = Generator.generate_certificate(params, cert_type, working_directory)
         private_key_path = cert_path.gsub(".cer", ".p12")
 
-        self.files_to_commmit << cert_path
-        self.files_to_commmit << private_key_path
+        self.files_to_commit << cert_path
+        self.files_to_commit << private_key_path
       else
         cert_path = certs.last
         UI.message("Installing certificate...")
@@ -129,15 +148,16 @@ module Match
     end
 
     # @return [String] The UUID of the provisioning profile so we can verify it with the Apple Developer Portal
-    def fetch_provisioning_profile(params: nil, certificate_id: nil, app_identifier: nil)
+    def fetch_provisioning_profile(params: nil, certificate_id: nil, app_identifier: nil, working_directory: nil)
       prov_type = Match.profile_type_sym(params[:type])
 
       names = [Match::Generator.profile_type_name(prov_type), app_identifier]
       if params[:platform].to_s != :ios.to_s
         names.push(params[:platform])
       end
+
       profile_name = names.join("_").gsub("*", '\*') # this is important, as it shouldn't be a wildcard
-      base_dir = File.join(params[:workspace], "profiles", prov_type.to_s)
+      base_dir = File.join(working_directory, "profiles", prov_type.to_s)
       profiles = Dir[File.join(base_dir, "#{profile_name}.mobileprovision")]
       keychain_path = FastlaneCore::Helper.keychain_path(params[:keychain_name]) unless params[:keychain_name].nil?
 
@@ -168,8 +188,9 @@ module Match
         profile = Generator.generate_provisioning_profile(params: params,
                                                        prov_type: prov_type,
                                                   certificate_id: certificate_id,
-                                                  app_identifier: app_identifier)
-        self.files_to_commmit << profile
+                                                  app_identifier: app_identifier,
+                                               working_directory: working_directory)
+        self.files_to_commit << profile
       end
 
       installed_profile = FastlaneCore::ProvisioningProfile.install(profile, keychain_path)
@@ -179,7 +200,7 @@ module Match
       if spaceship && !spaceship.profile_exists(username: params[:username], uuid: uuid)
         # This profile is invalid, let's remove the local file and generate a new one
         File.delete(profile)
-        # This method will be called again, no need to modify `files_to_commmit`
+        # This method will be called again, no need to modify `files_to_commit`
         return nil
       end
 
@@ -209,16 +230,16 @@ module Match
     end
 
     def device_count_different?(profile: nil, keychain_path: nil)
-      if profile
-        parsed = FastlaneCore::ProvisioningProfile.parse(profile, keychain_path)
-        uuid = parsed["UUID"]
-        portal_profile = Spaceship.provisioning_profile.all.detect { |i| i.uuid == uuid }
-
-        if portal_profile
-          profile_device_count = portal_profile.devices.count
-          portal_device_count = Spaceship.device.all.count
-          return portal_device_count != profile_device_count
-        end
+      return false unless profile
+
+      parsed = FastlaneCore::ProvisioningProfile.parse(profile, keychain_path)
+      uuid = parsed["UUID"]
+      portal_profile = Spaceship.provisioning_profile.all.detect { |i| i.uuid == uuid }
+
+      if portal_profile
+        profile_device_count = portal_profile.devices.count
+        portal_device_count = Spaceship.device.all.count
+        return portal_device_count != profile_device_count
       end
       return false
     end