motion-provisioning 0.0.1

data/bin/console

@@ -0,0 +1,6 @@
+#!/usr/bin/env ruby
+
+require "bundler/setup"
+
+require "irb"
+IRB.start

data/bin/setup

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+set -euo pipefail
+IFS=$'\n\t'
+set -vx
+
+bundle install
+rake generae_certificates
+

data/lib/motion-provisioning.rb

@@ -0,0 +1,231 @@
+require 'fileutils'
+require 'yaml'
+require 'base64'
+require 'date'
+
+require 'plist'
+require 'security'
+require 'spaceship'
+require 'motion-provisioning/spaceship/portal_client'
+require 'motion-provisioning/spaceship/free_portal_client'
+
+require 'motion-provisioning/utils'
+require 'motion-provisioning/tasks'
+require 'motion-provisioning/version'
+require 'motion-provisioning/service'
+require 'motion-provisioning/certificate'
+require 'motion-provisioning/application'
+require 'motion-provisioning/mobileprovision'
+require 'motion-provisioning/provisioning_profile'
+
+module MotionProvisioning
+
+  class << self
+    attr_accessor :free, :team
+  end
+
+  def self.client
+    Spaceship::Portal.client ||= begin
+
+      if File.exist?('.gitignore') && File.read('.gitignore').match(/^provisioning$/).nil?
+        answer = Utils.ask("Info", "Do you want to add the 'provisioning' folder fo your '.gitignore' file? (Recommended) (Y/n):")
+        `echo provisioning >> .gitignore` if answer.downcase == 'y'
+      end
+
+      client = if free
+        Spaceship::FreePortalClient.new
+      else
+        Spaceship::PortalClient.new
+      end
+
+      email = ENV['MOTION_PROVISIONING_EMAIL'] || MotionProvisioning.config['email'] || Utils.ask("Info", "Your Apple ID email:")
+
+      config_path = File.expand_path('./provisioning/config.yaml')
+
+      if ENV['MOTION_PROVISIONING_EMAIL'].nil? && !File.exist?(config_path)
+        answer = Utils.ask("Info", "Do you want to save the email to the config file ('provisioning/config.yaml') so you dont have to type it again? (Y/n):")
+        if answer.downcase == 'y'
+          FileUtils.mkdir_p(File.expand_path('./provisioning'))
+          File.write(config_path, { 'email' => email }.to_yaml)
+        end
+      end
+
+      password = ENV['MOTION_PROVISIONING_PASSWORD']
+
+      server_name = "motionprovisioning.#{email}"
+      item = Security::InternetPassword.find(server: server_name)
+      password ||= item.password if item
+
+      if password.nil?
+        puts "The login information you enter will be stored safely in the macOS keychain."
+        password = Utils.ask_password("Info", "Password for #{email}:")
+        Security::InternetPassword.add(server_name, email, password)
+      end
+
+      Utils.log("Info", "Logging into the Developer Portal with email '#{email}'.")
+      begin
+        client.user = email
+        client.send("do_login", email, password)
+      rescue Spaceship::Client::InvalidUserCredentialsError => ex
+        Utils.log("Error", "There was an error logging into your account. Your password may be wrong.")
+
+        if Utils.ask("Info", 'Do you want to reenter your password? (Y/n):').downcase == 'y'
+
+          # The 'delete' method is very verbose, temporarily disable output
+          orig_stdout = $stdout.dup
+          $stdout.reopen('/dev/null', 'w')
+          Security::InternetPassword.delete(server: server_name)
+          $stdout.reopen(orig_stdout)
+
+          password = Utils.ask_password("Info", "Password for #{email}:")
+          Security::InternetPassword.add(server_name, email, password)
+          retry
+        else
+          abort
+        end
+      end
+
+      if self.free
+        client.teams.each do |team|
+          if team['currentTeamMember']['roles'].include?('XCODE_FREE_USER')
+            client.team_id = team['teamId']
+            self.team = team
+          end
+        end
+
+        if client.team_id.nil?
+          raise "could not find free team"
+        end
+      else
+        if team_id = MotionProvisioning.config['team_id'] || ENV['MOTION_PROVISIONING_TEAM_ID']
+          found = false
+          client.teams.each do |team|
+            if team_id == team['teamId']
+              client.team_id = team_id
+              self.team = team
+              found = true
+            end
+          end
+
+          if found == false
+            raise "The current user does not belong to team with ID '#{team_id}' selected in config.yml."
+          end
+        else
+
+          team_id = client.select_team
+
+          if File.exist?(config_path) && ENV['MOTION_PROVISIONING_TEAM_ID'].nil?
+            answer = Utils.ask("Info", "Do you want to save the team id (#{team_id}) in the config file ('provisioning/config.yaml') so you dont have to select it again? (Y/n):")
+            if answer.downcase == 'y'
+              config = YAML.load(File.read(config_path))
+              config['team_id'] = team_id
+              File.write(config_path, config.to_yaml)
+            end
+          end
+
+          self.team = client.teams.detect { |team| team['teamId'] == team_id }
+        end
+      end
+
+      Utils.log("Info", "Selected team '#{self.team['name']} (#{self.team['teamId']})'.")
+
+      Spaceship::App.set_client(client)
+      Spaceship::AppGroup.set_client(client)
+      Spaceship::Device.set_client(client)
+      Spaceship::Certificate.set_client(client)
+      Spaceship::ProvisioningProfile.set_client(client)
+
+      client
+    end
+  end
+
+  def self.config
+    return @config if @config
+    config_path = File.expand_path('./provisioning/config.yaml')
+    if File.exist?(config_path)
+      @config = YAML.load(File.read(config_path)) || {}
+    else
+      @config = {}
+    end
+  end
+
+  def self.services
+    @services ||= []
+  end
+
+  def self.services=(services)
+    @services = services
+  end
+
+  def self.entitlements
+    self.services.map(&:to_hash).inject({}, &:merge!)
+  end
+
+  def self.certificate(opts = {})
+    unless opts[:platform]
+      Utils.log("Error", "Certificate 'platform' is required")
+      exit(1)
+    end
+
+    unless opts[:type]
+      Utils.log("Error", "Certificate 'type' is required")
+      exit(1)
+    end
+
+    if opts[:free] == true && opts[:type] != :development
+      Utils.log("Error", "You can only create a 'free' certificate for type 'development'. You selected type '#{opts[:type].to_s}'")
+      exit(1)
+    end
+
+    opts[:platform] = :ios if opts[:platform] == :tvos
+
+    supported_platforms = [:ios, :mac]
+    unless supported_platforms.include?(opts[:platform])
+      Utils.log("Error", "Invalid value'#{opts[:platform]}'for 'platorm'. Supported values: #{supported_platforms}")
+      exit(1)
+    end
+
+    supported_types = [:distribution, :development, :developer_id]
+    unless supported_types.include?(opts[:type])
+      Utils.log("Error", "Invalid value '#{opts[:type]}'for 'type'. Supported values: #{supported_types}")
+      exit(1)
+    end
+
+    MotionProvisioning.free = opts[:free]
+    Certificate.new.certificate_name(opts[:type], opts[:platform])
+  end
+
+
+  def self.profile(opts = {})
+    unless opts[:bundle_identifier]
+      Utils.log("Error", "'bundle_identifier' is required")
+      exit(1)
+    end
+
+    unless opts[:app_name]
+      Utils.log("Error", "'app_name' is required")
+      exit(1)
+    end
+
+    supported_platforms = [:ios, :tvos, :mac]
+    unless supported_platforms.include?(opts[:platform])
+      Utils.log("Error", "Invalid value'#{opts[:platform]}'for 'platorm'. Supported values: #{supported_platforms}")
+      exit(1)
+    end
+
+    supported_types = [:distribution, :adhoc, :development]
+    unless supported_types.include?(opts[:type])
+      Utils.log("Error", "Invalid value '#{opts[:type]}'for 'type'. Supported values: #{supported_types}")
+      exit(1)
+    end
+
+    if opts[:free] == true && opts[:type] != :development
+      Utils.log("Error", "You can only create a 'free' provisioning profile for type 'development'. You selected type '#{opts[:type].to_s}'")
+      exit(1)
+    end
+
+    MotionProvisioning.free = opts[:free]
+    ProvisioningProfile.new.provisioning_profile(opts[:bundle_identifier], opts[:app_name], opts[:platform], opts[:type])
+  end
+
+end

data/lib/motion-provisioning/application.rb

@@ -0,0 +1,53 @@
+module MotionProvisioning
+  class Application
+
+    # Finds or create app for the given bundle id and name
+    def self.find_or_create(bundle_id: nil, name: nil, mac: mac = false)
+      app = Spaceship::Portal::App.find(bundle_id, mac: mac)
+      if app
+        app = app.details if app.features.nil?
+      else
+        begin
+          app = Spaceship::Portal::App.create!(bundle_id: bundle_id, name: name, mac: mac)
+          app = app.details if app.features.nil?
+        rescue Spaceship::Client::UnexpectedResponse => e
+          if e.to_s.include?("is not a valid identifier")
+            Utils.log("Error", "'#{bundle_id}' is not a valid identifier for an app. Please choose an identifier containing only alphanumeric characters, dots and asterisk")
+            exit 1
+          elsif e.to_s.include?("is not available")
+            Utils.log("Error", "'#{bundle_id}' has already been taken. Please enter a different string.")
+            exit 1
+          else
+            raise e
+          end
+        end
+      end
+
+      # services = MotionProvisioning.services
+
+      # Disable all app services not enabled via entitlements
+      # app.enabled_features.each do |feature_id|
+      #   # These services are always enabled and cannot be disabled
+      #   next if ['inAppPurchase', 'gameCenter', 'push'].include?(feature_id)
+      #   service = services.detect { |s| s.identifier == feature_id }
+      #   if service.nil?
+      #     Utils.log('Info', "Disabling unused app service '#{feature_id}' for '#{bundle_id}'")
+      #     # To disable Data Protection we need to send an empty string as value
+      #     value = feature_id == 'dataProtection' ? '' : false
+      #     app.update_service(Spaceship::Portal::AppService.new(feature_id, value))
+      #   end
+      # end
+
+      # # Enable all app services enabled via entitlements (or which have a different value)
+      # services.each do |service|
+      #   value = service.identifier == 'dataProtection' ? 'complete' : true
+      #   if app.features[service.identifier] != value
+      #     Utils.log('Info', "Enabling app service '#{service.name.split("::").last}' for '#{bundle_id}'")
+      #     app.update_service(Spaceship::Portal::AppService.new(service.identifier, value))
+      #   end
+      # end
+
+      app
+    end
+  end
+end

data/lib/motion-provisioning/certificate.rb

@@ -0,0 +1,278 @@
+module Spaceship
+  module Portal
+    class Certificate
+      # The PLIST request for the free certificate returns the certificate content
+      # in the certContent variable. It's stored in this attribute for later use.
+      attr_accessor :motionprovisioning_certContent,
+                    :motionprovisioning_serialNumber
+    end
+  end
+end
+
+module MotionProvisioning
+  class Certificate
+
+    attr_accessor :type, :output_path, :platform
+
+    def client
+      MotionProvisioning.client
+    end
+
+    def mac?
+      self.platform == :mac
+    end
+
+    def certificate_name(type, platform)
+      self.type = type
+      self.platform = platform
+      self.output_path = File.expand_path('./provisioning')
+      certificate_path = File.expand_path("./provisioning/#{platform}_#{type}_certificate.cer")
+      private_key_path = File.expand_path("./provisioning/#{platform}_#{type}_private_key.p12")
+
+      # First check if there is a certificate and key file, and if it is installed
+      identities = available_identities
+      if File.exist?(certificate_path) && File.exist?(private_key_path) && ENV['recreate_certificate'].nil?
+        fingerprint = sha1_fingerprint(certificate_path)
+        installed_cert = identities.detect { |e| e[:fingerprint] == fingerprint }
+        if installed_cert
+          Utils.log("Info", "Using certificate '#{installed_cert[:name]}'.")
+          return installed_cert[:name]
+        else
+          # The certificate is not installed, so we install the cert and the key
+          import_file(private_key_path)
+          import_file(certificate_path)
+          name =  common_name(certificate_path)
+          Utils.log("Info", "Using certificate '#{name}'.")
+          return name
+        end
+      end
+
+      # Create the folder to store the certs
+      FileUtils.mkdir_p(File.expand_path('./provisioning'))
+
+      # Make sure a client is created and logged in
+      client
+
+      # All the certificates for the specified type
+      user_certificates = certificates
+
+      # Lets see if any of the user certificates is in the keychain
+      installed_certificate = nil
+      if !certificates.empty?
+        installed_certs_sha1 = identities.map { |e| e[:fingerprint] }
+        installed_certificate = certificates.detect do |certificate|
+          sha1 = OpenSSL::Digest::SHA1.new(certificate.motionprovisioning_certContent || certificate.download_raw)
+          installed_certs_sha1.include?(sha1.to_s.upcase)
+        end
+      end
+
+      # There are no certificates in the server so we create a new one
+      if user_certificates.empty?
+        Utils.log("Warning", "Couldn't find any existing certificates... creating a new one.")
+        if certificate = create_certificate
+          return common_name(certificate)
+        else
+          Utils.log("Error", "Something went wrong when trying to create a new certificate.")
+          abort
+        end
+      # There are certificates in the server, but none is installed locally. Revoke all and create a new one.
+      elsif installed_certificate.nil?
+        Utils.log("Error", "None of the available certificates (#{user_certificates.count}) is installed on the local machine. Revoking...")
+
+        # For distribution, ask before revoking
+        if self.type == :distribution && !$test_mode
+          answer = Utils.ask("Info", "There are #{user_certificates.count} distribution certificates in your account, but none installed locally.\n" \
+                    "Before revoking and creating a new one, ask other team members who might have them installed to share them with you.\n" \
+                    "Do you want to continue revoking the certificates? (Y/n):")
+          abort if answer.downcase != "y"
+        end
+
+        # Revoke all and create new one
+        if MotionProvisioning.free
+          user_certificates.each do |certificate|
+            client.revoke_development_certificate(certificate.motionprovisioning_serialNumber)
+          end
+        else
+          user_certificates.each(&:revoke!)
+        end
+
+        if certificate = create_certificate
+          return common_name(certificate)
+        else
+          Utils.log("Error", "Something went wrong when trying to create a new certificate...")
+          abort
+        end
+      # There are certificates on the server, and one of them is installed locally.
+      else
+        path = store_certificate_raw(installed_certificate.motionprovisioning_certContent ||installed_certificate.download_raw)
+        private_key_path = File.expand_path(File.join(output_path, "#{installed_certificate.id}.p12"))
+
+        # This certificate is installed on the local machine
+        Utils.log("Info", "Using certificate '#{installed_certificate.name}'.")
+
+        return common_name(path)
+      end
+    end
+
+    # All certificates of this type
+    def certificates
+      @certificates ||= begin
+        if MotionProvisioning.free
+          client.development_certificates(mac: mac?).map do |cert|
+            certificate = Spaceship::Portal::Certificate.factory(cert)
+            certificate.motionprovisioning_certContent = cert['certContent'].read
+            certificate.motionprovisioning_serialNumber = cert['serialNumber']
+            certificate
+          end
+        else
+          certificates = certificate_type.all
+          # Filter out development certificates belonging to other team members
+          if self.type == :development
+            user_id = MotionProvisioning.team['currentTeamMember']['teamMemberId']
+            certificates.select! { |c| c.owner_id == user_id }
+          end
+          certificates
+        end
+      end
+    end
+
+    # The kind of certificate we're interested in
+    def certificate_type
+      cert_type = nil
+      case platform
+      when :ios, :tvos
+        cert_type = Spaceship.certificate.production
+        cert_type = Spaceship.certificate.in_house if Spaceship.client.in_house?
+        cert_type = Spaceship.certificate.development if self.type == :development
+      when :mac
+        cert_type = Spaceship.certificate.mac_development
+        cert_type = Spaceship.certificate.mac_app_distribution if self.type == :distribution
+        cert_type = Spaceship.certificate.developer_i_d_application if self.type == :developer_id
+      end
+      cert_type
+    end
+
+    def create_certificate_signing_request
+      $motion_provisioninig_csr || Spaceship.certificate.create_certificate_signing_request
+    end
+
+    def create_certificate
+      # Create a new certificate signing request
+      csr, pkey = create_certificate_signing_request
+
+      # Store all that onto the filesystem
+      request_path = File.expand_path(File.join(self.output_path, "#{platform}_#{type}.certSigningRequest"))
+      File.write(request_path, csr.to_pem)
+
+      private_key_path = File.expand_path(File.join(self.output_path, "#{platform}_#{type}_private_key.p12"))
+      File.write(private_key_path, pkey.export)
+
+      # Use the signing request to create a new distribution certificate
+      begin
+        certificate = nil
+        certificate_attrs = nil
+        if MotionProvisioning.free
+          certificate_attrs = client.create_development_certificate(csr.to_pem)
+          # Fetch the certificate again because the response does not contain
+          # the certContent key
+          certificate_attrs = client.development_certificates(mac: mac?).detect do |cert|
+            cert['certificateId'] == certificate_attrs['certificateId']
+          end
+          certificate_attrs['certificateTypeDisplayId'] = certificate_attrs['certificateType']['certificateTypeDisplayId']
+          certificate = Spaceship::Portal::Certificate.factory(certificate_attrs)
+          certificate.motionprovisioning_certContent = certificate_attrs['certContent'].read
+          certificate
+        else
+          certificate = certificate_type.create!(csr: csr)
+        end
+      rescue => ex
+        if ex.to_s.include?("You already have a current")
+          FileUtils.rm(private_key_path)
+          FileUtils.rm(request_path)
+          Utils.log("Error", "Could not create another certificate, reached the maximum number of available certificates. Manually revoke certificates in the Developer Portal.")
+          abort
+        end
+        raise ex
+      end
+      Utils.log("Info", "Successfully created certificate.")
+
+      cert_path = store_certificate_raw(certificate.motionprovisioning_certContent || certificate.download_raw)
+
+      # Import all the things into the Keychain
+      import_file(private_key_path)
+      import_file(cert_path)
+      Utils.log("Info", "Successfully installed certificate.")
+
+      if self.type == :distribution
+        Utils.log("Warning", "You have just created a distribution certificate. These certificates must be shared with other team members by sending them the private key (.p12) and certificate (.cer) files in your /provisioning folder and install them in the keychain.")
+      else
+        Utils.log("Warning", "You have just created a development certificate. If you want to use this certificate on another machine, transfer the private key (.p12) and certificate (.cer) files in your /provisioning folder and install them in the keychain.")
+      end
+      Utils.ask("Info", "Press any key to continue...") if !$test_mode
+
+      return cert_path
+    end
+
+    def store_certificate_raw(raw_data)
+      path = File.expand_path(File.join(self.output_path, "#{platform}_#{type}_certificate.cer"))
+      File.write(path, raw_data)
+      path
+    end
+
+    def available_identities
+      ids = []
+      keychain = $keychain || "#{Dir.home}/Library/Keychains/login.keychain"
+      available = `security find-identity -v -p codesigning #{keychain}`
+      available.split("\n").each do |current|
+        next if current.include? "REVOKED"
+        begin
+          id = current.match(/.*\) (.*) \"(.*)\"/)
+          ids << {
+            fingerprint: id[1],
+            name: id[2]
+          }
+        rescue
+          # the last line does not match
+        end
+      end
+      ids
+    end
+
+    def sha1_fingerprint(path)
+      result = `openssl x509 -in "#{path}" -inform der -noout -sha1 -fingerprint`
+      begin
+        result = result.match(/SHA1 Fingerprint=(.*)/)[1]
+        result.delete!(':')
+        return result
+      rescue
+        puts result
+        Utils.log("Error", "Error parsing certificate '#{path}'")
+      end
+    end
+
+    def common_name(path)
+      result = `openssl x509 -in "#{path}" -inform der -noout -sha1 -subject`
+      begin
+        return result.match(/\/CN=(.*?)\//)[1]
+      rescue
+        puts result
+        Utils.log("Error", "Error parsing certificate '#{path}'")
+      end
+    end
+
+    def import_file(path)
+      unless File.exist?(path)
+        Utils.log("Error", "Could not find file '#{path}'")
+        abort
+      end
+
+      keychain = $keychain || "#{Dir.home}/Library/Keychains/login.keychain"
+
+      command = "security import #{path.shellescape} -k '#{keychain}' -P ''"
+      command << " -T /usr/bin/codesign"
+      command << " -T /usr/bin/security"
+
+      `#{command} 2>&1`
+    end
+  end
+end