fastlane 2.196.0 → 2.212.2

data/match/lib/match/nuke.rb

@@ -9,11 +9,16 @@ require_relative 'module'
 require_relative 'storage'
 require_relative 'encryption'
 
+require 'tempfile'
+require 'base64'
+
 module Match
+  # rubocop:disable Metrics/ClassLength
   class Nuke
     attr_accessor :params
     attr_accessor :type
 
+    attr_accessor :safe_remove_certs
     attr_accessor :certs
     attr_accessor :profiles
     attr_accessor :files
@@ -49,6 +54,8 @@ module Match
         s3_access_key: params[:s3_access_key].to_s,
         s3_secret_access_key: params[:s3_secret_access_key].to_s,
         s3_bucket: params[:s3_bucket].to_s,
+        s3_object_prefix: params[:s3_object_prefix].to_s,
+        gitlab_project: params[:gitlab_project],
         team_id: params[:team_id] || Spaceship::ConnectAPI.client.portal_team_id
       })
       self.storage.download
@@ -66,7 +73,10 @@ module Match
                                          hide_keys: [:app_identifier],
                                              title: "Summary for match nuke #{Fastlane::VERSION}")
 
+      self.safe_remove_certs = params[:safe_remove_certs] || false
+
       prepare_list
+      filter_by_cert
       print_tables
 
       if params[:readonly]
@@ -76,11 +86,13 @@ module Match
       if (self.certs + self.profiles + self.files).count > 0
         unless params[:skip_confirmation]
           UI.error("---")
-          UI.error("Are you sure you want to completely delete and revoke all the")
-          UI.error("certificates and provisioning profiles listed above? (y/n)")
+          remove_or_revoke_message = self.safe_remove_certs ? "remove" : "revoke"
+          UI.error("Are you sure you want to completely delete and #{remove_or_revoke_message} all the")
+          UI.error("certificates and delete provisioning profiles listed above? (y/n)")
           UI.error("Warning: By nuking distribution, both App Store and Ad Hoc profiles will be deleted") if type == "distribution"
           UI.error("Warning: The :app_identifier value will be ignored - this will delete all profiles for all your apps!") if had_app_identifier
           UI.error("---")
+          print_safe_remove_certs_hint
         end
         if params[:skip_confirmation] || UI.confirm("Do you really want to nuke everything listed above?")
           nuke_it_now!
@@ -91,6 +103,8 @@ module Match
       else
         UI.success("No relevant certificates or provisioning profiles found, nothing to nuke here :)")
       end
+    ensure
+      self.storage.clear_changes if self.storage
     end
 
     # Be smart about optional values here
@@ -114,10 +128,12 @@ module Match
       if Spaceship::ConnectAPI.client.in_house? && (type == "distribution" || type == "enterprise")
         UI.error("---")
         UI.error("⚠️ Warning: This seems to be an Enterprise account!")
-        UI.error("By nuking your account's distribution, all your apps deployed via ad-hoc will stop working!") if type == "distribution"
-        UI.error("By nuking your account's enterprise, all your in-house apps will stop working!") if type == "enterprise"
+        unless self.safe_remove_certs
+          UI.error("By nuking your account's distribution, all your apps deployed via ad-hoc will stop working!") if type == "distribution"
+          UI.error("By nuking your account's enterprise, all your in-house apps will stop working!") if type == "enterprise"
+        end
         UI.error("---")
-
+        print_safe_remove_certs_hint
         UI.user_error!("Enterprise account nuke cancelled") unless UI.confirm("Do you really want to nuke your Enterprise account?")
       end
     end
@@ -136,10 +152,8 @@ module Match
       # Get all iOS and macOS profile
       self.profiles = []
       prov_types.each do |prov_type|
-        types = profile_types(prov_type)
-        # Filtering on 'profileType' seems to be undocumented as of 2020-07-30
-        # but works on both web session and official API
-        self.profiles += Spaceship::ConnectAPI::Profile.all(filter: { profileType: types.join(",") })
+        types = Match.profile_types(prov_type)
+        self.profiles += Spaceship::ConnectAPI::Profile.all(filter: { profileType: types.join(",") }, includes: "certificates")
       end
 
       # Gets the main and additional cert types
@@ -163,7 +177,7 @@ module Match
         keys += self.storage.list_files(file_name: ct.to_s, file_ext: "p12")
       end
 
-      # Finds all the iOS and macOS profofiles in the file storage
+      # Finds all the iOS and macOS profiles in the file storage
       profiles = []
       prov_types.each do |prov_type|
         profiles += self.storage.list_files(file_name: prov_type.to_s, file_ext: "mobileprovision")
@@ -173,6 +187,78 @@ module Match
       self.files = certs + keys + profiles
     end
 
+    def filter_by_cert
+      # Force will continue to revoke and delete all certificates and profiles
+      return if self.params[:force] || !UI.interactive?
+      return if self.certs.count < 2
+
+      # Print table showing certificates that can be revoked
+      puts("")
+      rows = self.certs.each_with_index.collect do |cert, i|
+        cert_expiration = cert.expiration_date.nil? ? "Unknown" : Time.parse(cert.expiration_date).strftime("%Y-%m-%d")
+        [i + 1, cert.name, cert.id, cert.class.to_s.split("::").last, cert_expiration]
+      end
+      puts(Terminal::Table.new({
+        title: "Certificates that can be #{removed_or_revoked_message}".green,
+        headings: ["Option", "Name", "ID", "Type", "Expires"],
+        rows: FastlaneCore::PrintTable.transform_output(rows)
+      }))
+      puts("")
+
+      UI.important("By default, all listed certificates and profiles will be nuked")
+      if UI.confirm("Do you want to only nuke specific certificates and their associated profiles?")
+        input_indexes = UI.input("Enter the \"Option\" number(s) from the table above? (comma-separated)").split(',')
+
+        # Get certificates from option indexes
+        self.certs = input_indexes.map do |index|
+          self.certs[index.to_i - 1]
+        end.compact
+
+        if self.certs.empty?
+          UI.user_error!("No certificates were selected based on option number(s) entered")
+        end
+
+        # Do profile selection logic
+        cert_ids = self.certs.map(&:id)
+        self.profiles = self.profiles.select do |profile|
+          profile_cert_ids = profile.certificates.map(&:id)
+          (cert_ids & profile_cert_ids).any?
+        end
+
+        # Do file selection logic
+        self.files = self.files.select do |f|
+          found = false
+
+          ext = File.extname(f)
+          filename = File.basename(f, ".*")
+
+          # Attempt to find cert based on filename
+          if ext == ".cer" || ext == ".p12"
+            found ||= self.certs.any? do |cert|
+              filename == cert.id.to_s
+            end
+          end
+
+          # Attempt to find profile matched on UUIDs in profile
+          if ext == ".mobileprovision" || ext == ".provisionprofile"
+            storage_uuid = FastlaneCore::ProvisioningProfile.uuid(f)
+
+            found ||= self.profiles.any? do |profile|
+              tmp_file = Tempfile.new
+              tmp_file.write(Base64.decode64(profile.profile_content))
+              tmp_file.close
+
+              # Compare profile uuid in storage to profile uuid on developer portal
+              portal_uuid = FastlaneCore::ProvisioningProfile.uuid(tmp_file.path)
+              storage_uuid == portal_uuid
+            end
+          end
+
+          found
+        end
+      end
+    end
+
     # Print tables to ask the user
     def print_tables
       puts("")
@@ -182,7 +268,7 @@ module Match
           [cert.name, cert.id, cert.class.to_s.split("::").last, cert_expiration]
         end
         puts(Terminal::Table.new({
-          title: "Certificates that are going to be revoked".green,
+          title: "Certificates that are going to be #{removed_or_revoked_message}".green,
           headings: ["Name", "ID", "Type", "Expires"],
           rows: FastlaneCore::PrintTable.transform_output(rows)
         }))
@@ -236,8 +322,14 @@ module Match
         UI.success("Successfully deleted profile")
       end
 
-      UI.header("Revoking #{self.certs.count} certificates...") unless self.certs.count == 0
+      removing_or_revoking_message = self.safe_remove_certs ? "Removing" : "Revoking"
+      UI.header("#{removing_or_revoking_message} #{self.certs.count} certificates...") unless self.certs.count == 0
       self.certs.each do |cert|
+        if self.safe_remove_certs
+          UI.message("Certificate '#{cert.name}' (#{cert.id}) will be removed from repository without revoking it")
+          next
+        end
+
         UI.message("Revoking certificate '#{cert.name}' (#{cert.id})...")
         begin
           cert.delete!
@@ -314,41 +406,16 @@ module Match
       end
     end
 
-    # The kind of provisioning profile we're interested in
-    def profile_types(prov_type)
-      case prov_type.to_sym
-      when :appstore
-        return [
-          Spaceship::ConnectAPI::Profile::ProfileType::IOS_APP_STORE,
-          Spaceship::ConnectAPI::Profile::ProfileType::MAC_APP_STORE,
-          Spaceship::ConnectAPI::Profile::ProfileType::TVOS_APP_STORE,
-          Spaceship::ConnectAPI::Profile::ProfileType::MAC_CATALYST_APP_STORE
-        ]
-      when :development
-        return [
-          Spaceship::ConnectAPI::Profile::ProfileType::IOS_APP_DEVELOPMENT,
-          Spaceship::ConnectAPI::Profile::ProfileType::MAC_APP_DEVELOPMENT,
-          Spaceship::ConnectAPI::Profile::ProfileType::TVOS_APP_DEVELOPMENT,
-          Spaceship::ConnectAPI::Profile::ProfileType::MAC_CATALYST_APP_DEVELOPMENT
-        ]
-      when :enterprise
-        return [
-          Spaceship::ConnectAPI::Profile::ProfileType::IOS_APP_INHOUSE,
-          Spaceship::ConnectAPI::Profile::ProfileType::TVOS_APP_INHOUSE
-        ]
-      when :adhoc
-        return [
-          Spaceship::ConnectAPI::Profile::ProfileType::IOS_APP_ADHOC,
-          Spaceship::ConnectAPI::Profile::ProfileType::TVOS_APP_ADHOC
-        ]
-      when :developer_id
-        return [
-          Spaceship::ConnectAPI::Profile::ProfileType::MAC_APP_DIRECT,
-          Spaceship::ConnectAPI::Profile::ProfileType::MAC_CATALYST_APP_DIRECT
-        ]
-      else
-        raise "Unknown provisioning type '#{prov_type}'"
-      end
+    # Helpers for `safe_remove_certs`
+    def print_safe_remove_certs_hint
+      return if self.safe_remove_certs
+      UI.important("Hint: You can use --safe_remove_certs option to remove certificates")
+      UI.important("from repository without revoking them.")
+    end
+
+    def removed_or_revoked_message
+      self.safe_remove_certs ? "removed" : "revoked"
     end
   end
+  # rubocop:disable Metrics/ClassLength
 end

data/match/lib/match/options.rb

@@ -194,6 +194,11 @@ module Match
                                      env_name: "MATCH_GOOGLE_CLOUD_PROJECT_ID",
                                      description: "ID of the Google Cloud project to use for authentication",
                                      optional: true),
+        FastlaneCore::ConfigItem.new(key: :skip_google_cloud_account_confirmation,
+                                     env_name: "MATCH_SKIP_GOOGLE_CLOUD_ACCOUNT_CONFIRMATION",
+                                     description: "Skips confirming to use the system google account",
+                                     type: Boolean,
+                                     default_value: false),
 
         # Storage: S3
         FastlaneCore::ConfigItem.new(key: :s3_region,
@@ -218,6 +223,12 @@ module Match
                                      description: "Prefix to be used on all objects uploaded to S3",
                                      optional: true),
 
+        # Storage: GitLab Secure Files
+        FastlaneCore::ConfigItem.new(key: :gitlab_project,
+                                     env_name: "MATCH_GITLAB_PROJECT",
+                                     description: "GitLab Project Path (i.e. 'gitlab-org/gitlab')",
+                                     optional: true),
+
         # Keychain
         FastlaneCore::ConfigItem.new(key: :keychain_name,
                                      short_option: "-s",
@@ -242,6 +253,11 @@ module Match
                                      description: "Renew the provisioning profiles if the device count on the developer portal has changed. Ignored for profile types 'appstore' and 'developer_id'",
                                      type: Boolean,
                                      default_value: false),
+        FastlaneCore::ConfigItem.new(key: :include_mac_in_profiles,
+                                     env_name: "MATCH_INCLUDE_MAC_IN_PROFILES",
+                                     description: "Include Apple Silicon Mac devices in provisioning profiles for iOS/iPadOS apps",
+                                     type: Boolean,
+                                     default_value: false),
         FastlaneCore::ConfigItem.new(key: :include_all_certificates,
                                      env_name: "MATCH_INCLUDE_ALL_CERTIFICATES",
                                      description: "Include all matching certificates in the provisioning profile. Works only for the 'development' provisioning profile type",
@@ -249,7 +265,7 @@ module Match
                                      default_value: false),
         FastlaneCore::ConfigItem.new(key: :force_for_new_certificates,
                                      env_name:  "MATCH_FORCE_FOR_NEW_CERTIFICATES",
-                                     description: "Renew the provisioning profiles if the device count on the developer portal has changed. Works only for the 'development' provisioning profile type. Requires 'include_all_certificates' option to be 'true'",
+                                     description: "Renew the provisioning profiles if the certificate count on the developer portal has changed. Works only for the 'development' provisioning profile type. Requires 'include_all_certificates' option to be 'true'",
                                      type: Boolean,
                                      default_value: false),
         FastlaneCore::ConfigItem.new(key: :skip_confirmation,
@@ -257,6 +273,11 @@ module Match
                                      description: "Disables confirmation prompts during nuke, answering them with yes",
                                      type: Boolean,
                                      default_value: false),
+        FastlaneCore::ConfigItem.new(key: :safe_remove_certs,
+                                     env_name: "MATCH_SAFE_REMOVE_CERTS",
+                                     description: "Remove certs from repository during nuke without revoking them on the developer portal",
+                                     type: Boolean,
+                                     default_value: false),
         FastlaneCore::ConfigItem.new(key: :skip_docs,
                                      env_name: "MATCH_SKIP_DOCS",
                                      description: "Skip generation of a README.md for the created git repository",

data/match/lib/match/runner.rb

@@ -48,11 +48,13 @@ module Match
         google_cloud_bucket_name: params[:google_cloud_bucket_name].to_s,
         google_cloud_keys_file: params[:google_cloud_keys_file].to_s,
         google_cloud_project_id: params[:google_cloud_project_id].to_s,
+        skip_google_cloud_account_confirmation: params[:skip_google_cloud_account_confirmation],
         s3_region: params[:s3_region],
         s3_access_key: params[:s3_access_key],
         s3_secret_access_key: params[:s3_secret_access_key],
         s3_bucket: params[:s3_bucket],
         s3_object_prefix: params[:s3_object_prefix],
+        gitlab_project: params[:gitlab_project],
         readonly: params[:readonly],
         username: params[:readonly] ? nil : params[:username], # only pass username if not readonly
         team_id: params[:team_id],
@@ -82,9 +84,9 @@ module Match
         app_identifiers = params[:app_identifier].to_s.split(/\s*,\s*/).uniq
       end
 
-      # sometimes we get an array with arrays, this is a bug. To unblock people using match, I suggest we flatten!
+      # sometimes we get an array with arrays, this is a bug. To unblock people using match, I suggest we flatten
       # then in the future address the root cause of https://github.com/fastlane/fastlane/issues/11324
-      app_identifiers.flatten!
+      app_identifiers = app_identifiers.flatten
 
       # Verify the App ID (as we don't want 'match' to fail at a later point)
       if spaceship
@@ -285,7 +287,10 @@ module Match
         FileUtils.cp(profile, params[:output_path])
       end
 
-      if spaceship && !spaceship.profile_exists(username: params[:username], uuid: uuid, platform: params[:platform])
+      if spaceship && !spaceship.profile_exists(type: prov_type,
+                                                username: params[:username],
+                                                uuid: uuid,
+                                                platform: params[:platform])
         # This profile is invalid, let's remove the local file and generate a new one
         File.delete(profile)
         # This method will be called again, no need to modify `files_to_commit`
@@ -304,6 +309,12 @@ module Match
                                                                            platform: params[:platform]),
                              parsed["TeamIdentifier"].first)
 
+      cert_info = Utils.get_cert_info(parsed["DeveloperCertificates"].first.string).to_h
+      Utils.fill_environment(Utils.environment_variable_name_certificate_name(app_identifier: app_identifier,
+                                                                                        type: prov_type,
+                                                                                    platform: params[:platform]),
+                             cert_info["Common Name"])
+
       Utils.fill_environment(Utils.environment_variable_name_profile_name(app_identifier: app_identifier,
                                                                                     type: prov_type,
                                                                                 platform: params[:platform]),
@@ -325,7 +336,7 @@ module Match
 
       prov_types_without_devices = [:appstore, :developer_id]
       if !prov_types_without_devices.include?(prov_type) && !params[:force]
-        force = device_count_different?(profile: profile, keychain_path: keychain_path, platform: params[:platform].to_sym)
+        force = device_count_different?(profile: profile, keychain_path: keychain_path, platform: params[:platform].to_sym, include_mac_in_profiles: params[:include_mac_in_profiles])
       else
         # App Store provisioning profiles don't contain device identifiers and
         # thus shouldn't be renewed if the device count has changed.
@@ -336,7 +347,7 @@ module Match
       return force
     end
 
-    def device_count_different?(profile: nil, keychain_path: nil, platform: nil)
+    def device_count_different?(profile: nil, keychain_path: nil, platform: nil, include_mac_in_profiles: false)
       return false unless profile
 
       parsed = FastlaneCore::ProvisioningProfile.parse(profile, keychain_path)
@@ -368,6 +379,9 @@ module Match
           else
             []
           end
+        if platform == :ios && include_mac_in_profiles
+          device_classes += [Spaceship::ConnectAPI::Device::DeviceClass::APPLE_SILICON_MAC]
+        end
 
         devices = Spaceship::ConnectAPI::Device.all
         unless device_classes.empty?
@@ -419,7 +433,12 @@ module Match
 
       return false unless portal_profile
 
-      profile_certs_count = portal_profile.fetch_all_certificates.count
+      # When a certificate expires (not revoked) provisioning profile stays valid.
+      # And if we regenerate certificate count will not differ:
+      #   * For portal certificates, we filter out the expired one but includes a new certificate;
+      #   * Profile still contains an expired certificate and is valid.
+      # Thus, we need to check the validity of profile certificates too.
+      profile_certs_count = portal_profile.fetch_all_certificates.select(&:valid?).count
 
       certificate_types =
         case platform

data/match/lib/match/setup.rb

@@ -34,7 +34,7 @@ module Match
     end
 
     def storage_options
-      return ["git", "google_cloud", "s3"]
+      return ["git", "google_cloud", "s3", "gitlab_secure_files"]
     end
   end
 end

data/match/lib/match/spaceship_ensure.rb

@@ -70,13 +70,16 @@ module Match
       UI.error("for the user #{username}")
       UI.error("Make sure to use the same user and team every time you run 'match' for this")
       UI.error("Git repository. This might be caused by revoking the certificate on the Dev Portal")
+      UI.error("If missing certificate is a Developer ID Installer, you may need to auth with Apple ID instead of App Store API Key")
       UI.user_error!("To reset the certificates of your Apple account, you can use the `fastlane match nuke` feature, more information on https://docs.fastlane.tools/actions/match/")
     end
 
-    def profile_exists(username: nil, uuid: nil, platform: nil)
+    def profile_exists(type: nil, username: nil, uuid: nil, platform: nil)
       # App Store Connect API does not allow filter of profile by platform or uuid (as of 2020-07-30)
       # Need to fetch all profiles and search for uuid on client side
-      found = Spaceship::ConnectAPI::Profile.all.find do |profile|
+      # But we can filter provisioning profiles based on their type (this, in general way faster than getting all profiles)
+      filter = { profileType: Match.profile_types(type).join(",") } if type
+      found = Spaceship::ConnectAPI::Profile.all(filter: filter).find do |profile|
         profile.uuid == uuid
       end
 

data/match/lib/match/storage/gitlab/client.rb

@@ -0,0 +1,102 @@
+require 'net/http/post/multipart'
+require 'securerandom'
+
+require_relative '../../module'
+require_relative './secure_file'
+
+module Match
+  module Storage
+    class GitLab
+      class Client
+        def initialize(api_v4_url:, project_id:, job_token: nil, private_token: nil)
+          @job_token      = job_token
+          @private_token  = private_token
+          @api_v4_url     = api_v4_url
+          @project_id     = project_id
+
+          UI.important("JOB_TOKEN and PRIVATE_TOKEN both defined, using JOB_TOKEN to execute this job.") if @job_token && @private_token
+        end
+
+        def base_url
+          return "#{@api_v4_url}/projects/#{CGI.escape(@project_id)}/secure_files"
+        end
+
+        def authentication_key
+          if @job_token
+            return "JOB-TOKEN"
+          elsif @private_token
+            return "PRIVATE-TOKEN"
+          end
+        end
+
+        def authentication_value
+          if @job_token
+            return @job_token
+          elsif @private_token
+            return @private_token
+          end
+        end
+
+        def files
+          @files ||= begin
+            url = URI.parse(base_url)
+
+            request = Net::HTTP::Get.new(url.request_uri)
+
+            res = execute_request(url, request)
+
+            data = []
+
+            JSON.parse(res.body).each do |file|
+              data << SecureFile.new(client: self, file: file)
+            end
+
+            data
+          end
+        end
+
+        def find_file_by_name(name)
+          files.select { |secure_file| secure_file.file.name == name }.first
+        end
+
+        def upload_file(current_file, target_file)
+          url = URI.parse(base_url)
+
+          File.open(current_file) do |file|
+            request = Net::HTTP::Post::Multipart.new(
+              url.path,
+              "file" => UploadIO.new(file, "application/octet-stream"),
+              "name" => target_file
+            )
+
+            response = execute_request(url, request)
+
+            log_upload_error(response, target_file) if response.code != "201"
+          end
+        end
+
+        def log_upload_error(response, target_file)
+          begin
+            response_body = JSON.parse(response.body)
+          rescue JSON::ParserError
+            response_body = response.body
+          end
+
+          if response_body["message"] && (response_body["message"]["name"] == ["has already been taken"])
+            UI.error("#{target_file} already exists in GitLab project #{@project_id}, file not uploaded")
+          else
+            UI.error("Upload error for #{target_file}: #{response_body}")
+          end
+        end
+
+        def execute_request(url, request)
+          request[authentication_key] = authentication_value
+
+          http = Net::HTTP.new(url.host, url.port)
+          http.use_ssl = url.instance_of?(URI::HTTPS)
+          http.request(request)
+        end
+      end
+    end
+  end
+end

data/match/lib/match/storage/gitlab/secure_file.rb

@@ -0,0 +1,65 @@
+require 'open-uri'
+
+require_relative '../../module'
+
+module Match
+  module Storage
+    class GitLab
+      class SecureFile
+        attr_reader :client, :file
+
+        def initialize(file:, client:)
+          @file   = OpenStruct.new(file)
+          @client = client
+        end
+
+        def file_url
+          "#{@client.base_url}/#{@file.id}"
+        end
+
+        def create_subfolders(working_directory)
+          FileUtils.mkdir_p("#{working_directory}/#{destination_file_path}")
+        end
+
+        def destination_file_path
+          filename = @file.name.split('/').last
+
+          @file.name.gsub(filename, '').gsub(%r{^/}, '')
+        end
+
+        def valid_checksum?(file)
+          Digest::SHA256.hexdigest(File.read(file)) == @file.checksum
+        end
+
+        def download(working_directory)
+          url = URI("#{file_url}/download")
+
+          begin
+            destination_file = "#{working_directory}/#{@file.name}"
+
+            create_subfolders(working_directory)
+            File.open(destination_file, "wb") do |saved_file|
+              URI.open(url, "rb", { @client.authentication_key => @client.authentication_value }) do |data|
+                saved_file.write(data.read)
+              end
+
+              FileUtils.chmod('u=rw,go-r', destination_file)
+            end
+
+            UI.crash!("Checksum validation failed for #{@file.name}") unless valid_checksum?(destination_file)
+          rescue OpenURI::HTTPError => msg
+            UI.error("Unable to download #{@file.name} - #{msg}")
+          end
+        end
+
+        def delete
+          url = URI(file_url)
+
+          request = Net::HTTP::Delete.new(url.request_uri)
+
+          @client.execute_request(url, request)
+        end
+      end
+    end
+  end
+end