sign_in_with_apple_user_migrator 1.0.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: f60fa992a310fa6ba3ebcddb971abb31897d84293702c6f2e14bb6b26663c654
+  data.tar.gz: 498ac47a5d993cf75614c3c1b8278dab75e5fa01cf1d40d6d0a327a00cec1d27
+SHA512:
+  metadata.gz: 3731f221c5f566f1b530b2c147d9513e2a3be7220184ad7fe40da162d43c74309097e0b39c0c210cfd0216d5dc11cd973b608e24662749db18bf4c0f75f53364
+  data.tar.gz: 447c998bb2eb493b92632973281626a078ecceb0030e6a6ef8260431858693ab80c6ad09cacfc036918960344941f046a40098d76a13b3069bb7c22e71e165e1

data/bin/sign_in_with_apple_user_migrator

@@ -0,0 +1,6 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+require_relative '../lib/sign_in_with_apple_user_migrator'
+
+SignInWithAppleUserMigrator::CLI.start(ARGV)

data/lib/sign_in_with_apple_user_migrator/access_token_generator.rb

@@ -0,0 +1,61 @@
+require_relative 'base'
+
+module SignInWithAppleUserMigrator
+  class AccessTokenGenerator < Base
+    def initialize(client_id:, client_secret:)
+      @client_id   = client_id
+      @client_secret = client_secret
+      super()
+    end
+
+    ##
+    # Retrieves an access token from Apple's authentication servers
+    #
+    # @param [String] grant_type The type of grant to request (default: 'client_credentials')
+    # @param [String] scope The requested scope for the access token (default: 'user.migration')
+    #
+    # @return [String] The access token string from Apple's authentication server
+    #
+    # @example
+    #   generator = AccessTokenGenerator.new
+    #   token = generator.get_access_token
+    #   # => "eyJhbGciOiJIUzI1NiIsInR5cCI6Ikp..."
+    #
+    # @raise [StandardError] If the token request fails
+    #
+    def get_access_token(grant_type: 'client_credentials', scope: 'user.migration')
+      logger.debug 'Retrieving access token...'
+
+      uri = URI('https://appleid.apple.com/auth/token')
+      params = {
+        'client_id' => @client_id,
+        'client_secret' => @client_secret,
+        'grant_type' => grant_type,
+        'scope' => scope,
+      }
+
+      http = Net::HTTP.new(uri.host, uri.port)
+      http.use_ssl = true
+
+      request = Net::HTTP::Post.new(uri)
+      request['Content-Type'] = 'application/x-www-form-urlencoded'
+      request.body = URI.encode_www_form(params)
+
+      response = http.request(request)
+
+      if response.code != '200'
+        logger.error "HTTP Status: #{response.code}"
+        logger.error "Response HEADER: #{response.to_hash}"
+        raise AuthorizationError.new <<~LOG
+          Failed to retrieve access token.
+          HTTP Status: #{response.code}
+          Response HEADER: #{response.to_hash}
+          error: #{response.inspect}
+        LOG
+      else
+        logger.debug response.body
+        JSON.parse(response.body)['access_token']
+      end
+    end
+  end
+end

data/lib/sign_in_with_apple_user_migrator/base.rb

@@ -0,0 +1,36 @@
+require 'jwt'
+require 'net/http'
+require 'json'
+require 'logger'
+require 'time'
+
+module SignInWithAppleUserMigrator
+  class AuthorizationError < StandardError; end
+
+  class Base
+    attr_reader :logger
+
+    def initialize()
+      @logger = setup_logger
+    end
+
+    private
+      def setup_logger
+        logger = Logger.new(STDOUT)
+        log_level = parse_log_level(ENV['LOG_LEVEL'])
+        logger.level = log_level
+        logger
+      end
+
+      def parse_log_level(level)
+        case level.to_s.upcase
+        when 'DEBUG' then Logger::DEBUG
+        when 'INFO'  then Logger::INFO
+        when 'WARN'  then Logger::WARN
+        when 'ERROR' then Logger::ERROR
+        when 'FATAL' then Logger::FATAL
+        else Logger::INFO
+        end
+      end
+  end
+end

data/lib/sign_in_with_apple_user_migrator/cli.rb

@@ -0,0 +1,111 @@
+require 'csv'
+require 'fileutils'
+require 'thor'
+require_relative '../sign_in_with_apple_user_migrator'
+
+module SignInWithAppleUserMigrator
+  class CLI < Thor
+    desc 'generate_user_transfer_ids', 'Generate user transfer IDs'
+    option :client_id, required: true, desc: 'Client ID'
+    option :key_id, required: true, desc: 'Key ID'
+    option :private_key_path, required: true, desc: 'Private Key Path'
+    option :team_id, required: true, desc: 'Team ID'
+    option :transfer_user_id_csv_path, required: true, desc: 'Transfer User ID CSV Path'
+    option :target_team_id, required: true, desc: 'Target Team ID'
+
+    def generate_user_transfer_ids
+      client_id = options[:client_id]
+      key_id = options[:key_id]
+      private_key_path = options[:private_key_path]
+      team_id = options[:team_id]
+      transfer_user_id_csv_path = options[:transfer_user_id_csv_path]
+      target_team_id = options[:target_team_id]
+
+      client_secret = SignInWithAppleUserMigrator::ClientSecretGenerator.new(
+        client_id: client_id,
+        key_id: key_id,
+        private_key_path: private_key_path,
+        team_id: team_id,
+      ).generate_client_secret
+
+      access_token = SignInWithAppleUserMigrator::AccessTokenGenerator.new(
+        client_id: client_id,
+        client_secret: client_secret,
+      ).get_access_token
+
+      transfer_id_generator_client = SignInWithAppleUserMigrator::TransferIdGenerator.new(
+        client_id: client_id,
+        client_secret: client_secret,
+        access_token: access_token,
+        target_team_id: target_team_id,
+      )
+
+      FileUtils.mkdir_p('tmp')
+      result_csv_name = "generated_transfer_ids_#{Time.now.strftime('%Y%m%d%H%M%S')}.csv"
+      result_path = File.join('tmp', result_csv_name)
+      File.write("tmp/#{result_csv_name}", "user_id,transfer_id,error\n")
+
+      CSV.open(result_path, 'w') do |csv|
+        csv << %w[user_id transfer_id error]
+
+        CSV.foreach(transfer_user_id_csv_path, headers: true) do |row|
+          user_id = row['user_id']
+          next if user_id.nil? || user_id.empty?
+
+          transfer_id, error = transfer_id_generator_client.generate_transfer_id(user_id)
+          csv << [user_id, transfer_id, error]
+        end
+      end
+    end
+
+    desc 'migrate_user_transfer_ids', 'Migrate user transfer IDs'
+    option :client_id, required: true, desc: 'Client ID'
+    option :key_id, required: true, desc: 'Key ID'
+    option :private_key_path, required: true, desc: 'Private Key Path'
+    option :team_id, required: true, desc: 'Team ID'
+    option :transfer_id_csv_path, required: true, desc: 'Transfer ID CSV Path'
+
+    def migrate_user_transfer_ids
+      client_id = options[:client_id]
+      key_id = options[:key_id]
+      private_key_path = options[:private_key_path]
+      team_id = options[:team_id]
+      transfer_id_csv_path = options[:transfer_id_csv_path]
+
+      client_secret = SignInWithAppleUserMigrator::ClientSecretGenerator.new(
+        client_id: client_id,
+        key_id: key_id,
+        private_key_path: private_key_path,
+        team_id: team_id,
+      ).generate_client_secret
+
+      access_token = SignInWithAppleUserMigrator::AccessTokenGenerator.new(
+        client_id: client_id,
+        client_secret: client_secret,
+      ).get_access_token
+
+      transfer_id_exchanger_client = SignInWithAppleUserMigrator::TransferIdExchanger.new(
+        client_id: client_id,
+        client_secret: client_secret,
+        access_token: access_token,
+      )
+
+      FileUtils.mkdir_p('tmp')
+      result_csv_name = "exchanged_transfer_ids_#{Time.now.strftime('%Y%m%d%H%M%S')}.csv"
+      result_path = File.join('tmp', result_csv_name)
+      File.write("tmp/#{result_csv_name}", "transfer_id,sub,error\n")
+
+      CSV.open(result_path, 'w') do |csv|
+        csv << %w[transfer_id sub email is_private_email error]
+
+        CSV.foreach(transfer_id_csv_path, headers: true) do |row|
+          transfer_id = row['transfer_id']
+          next if transfer_id.nil? || transfer_id.empty?
+
+          transfer_id, sub, email, is_private_email, error = transfer_id_exchanger_client.migrate(transfer_id)
+          csv << [transfer_id, sub, email, is_private_email, error]
+        end
+      end
+    end
+  end
+end

data/lib/sign_in_with_apple_user_migrator/client_secret_generator.rb

@@ -0,0 +1,45 @@
+require_relative 'base'
+
+module SignInWithAppleUserMigrator
+  class ClientSecretGenerator < Base
+    def initialize(client_id:, key_id:, private_key_path:, team_id:)
+      @client_id   = client_id
+      @key_id      = key_id
+      @private_key = File.read(private_key_path)
+      @team_id     = team_id
+      super()
+    end
+
+    ##
+    # Generates a JSON Web Token (JWT) for Sign in with Apple authentication (client_secret).
+    #
+    # @param [Integer] iat The issued at time (default: current Unix timestamp)
+    # @param [Integer] exp The expiration time (default: current time + 1 hour)
+    #
+    # @return [String] A signed JWT token that can be used as client_secret
+    #
+    # @example
+    #   generator = ClientSecretGenerator.new
+    #   jwt = generator.generate_client_secret
+    #   # => "eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1..."
+    #
+    # @see https://developer.apple.com/documentation/accountorganizationaldatasharing/creating-a-client-secret
+    #
+    def generate_client_secret(iat: Time.now.to_i, exp: Time.now.to_i + 3600)
+      header = {
+        'kid' => @key_id,
+        'alg' => 'ES256',
+      }
+
+      payload = {
+        'iss' => @team_id,
+        'iat' => iat,
+        'exp' => exp,
+        'aud' => 'https://appleid.apple.com',
+        'sub' => @client_id,
+      }
+
+      JWT.encode(payload, OpenSSL::PKey::EC.new(@private_key), 'ES256', header)
+    end
+  end
+end

data/lib/sign_in_with_apple_user_migrator/transfer_id_exchanger.rb

@@ -0,0 +1,68 @@
+require_relative 'base'
+
+module SignInWithAppleUserMigrator
+  class TransferIdExchanger < Base
+    def initialize(client_id:, client_secret:, access_token:)
+      @client_id   = client_id
+      @client_secret = client_secret
+      @access_token = access_token
+      super()
+    end
+
+    ##
+    # Exchanges a transfer_id for user information in Sign in with Apple user migration process.
+    #
+    # @param transfer_id [String] The transfer_id obtained from the source team
+    #
+    # @return [Array<String, String, String, Boolean, String>]
+    #   Success: [transfer_id, sub, email, is_private_email, nil]
+    #   Failure: [transfer_id, nil, nil, nil, error_message]
+    #
+    # @example
+    #   exchanger = TransferIdExchanger.new(
+    #     client_id: 'your_client_id',
+    #     client_secret: 'your_client_secret',
+    #     access_token: 'your_access_token'
+    #   )
+    #   transfer_id, sub, email, is_private_email, error = exchanger.migrate('transfer_id')
+    #
+    # @raise [JSON::ParserError] When JSON parsing of response fails
+    #
+    # @see https://developer.apple.com/documentation/sign_in_with_apple/transferring_your_apps_and_users_to_another_team
+    #
+    def migrate(transfer_id)
+      logger.debug "Migrate transfer_id for #{transfer_id}"
+
+      request_data = {
+        'transfer_sub' => transfer_id,
+        'client_id' => @client_id,
+        'client_secret' => @client_secret,
+      }
+
+      uri = URI('https://appleid.apple.com/auth/usermigrationinfo')
+      request = Net::HTTP::Post.new(uri)
+      request['Content-Type'] = 'application/x-www-form-urlencoded'
+      request['Authorization'] = "Bearer #{@access_token}"
+
+      request.body = URI.encode_www_form(request_data)
+
+      response = Net::HTTP.start(uri.hostname, uri.port, use_ssl: true) do |http|
+        http.request(request)
+      end
+
+      result = JSON.parse(response.body)
+
+      if result['error']
+        error_message = "HTTP Status: #{response.code}, Error: #{result.inspect}"
+        logger.error "Failed to exchange transfer_id: #{error_message}"
+        return [transfer_id, nil, nil, nil, error_message]
+      end
+
+      sub = result['sub']
+      email = result['email']
+      is_private_email = result['is_private_email']
+      logger.info "Success to migrate sub: #{transfer_id}"
+      [transfer_id, sub, email, is_private_email, nil]
+    end
+  end
+end

data/lib/sign_in_with_apple_user_migrator/transfer_id_generator.rb

@@ -0,0 +1,69 @@
+require_relative 'base'
+
+module SignInWithAppleUserMigrator
+  class TransferIdGenerator < Base
+    def initialize(client_id:, client_secret:, access_token:, target_team_id:)
+      @client_id = client_id
+      @client_secret = client_secret
+      @target_team_id = target_team_id
+      @access_token = access_token
+      super()
+    end
+
+    ##
+    # Generates transfer_id required for Sign in with Apple user migration.
+    #
+    # @param sub [String] The user identifier (sub) from Sign in with Apple
+    #
+    # @return [Array<String, String>]
+    #   Success: [transfer_id, nil]
+    #   Failure: [nil, error_message]
+    #
+    # @example
+    #   generator = TransferIdGenerator.new(
+    #     client_id: 'your_client_id',
+    #     client_secret: 'your_client_secret',
+    #     access_token: 'your_access_token',
+    #     target_team_id: 'target_team_id'
+    #   )
+    #   transfer_id, error = generator.generate_transfer_id('user_sub')
+    #
+    # @raise [JSON::ParserError] When JSON parsing of response fails
+    #
+    # @see https://developer.apple.com/documentation/sign_in_with_apple/transferring_your_apps_and_users_to_another_team
+    #
+    def generate_transfer_id(sub)
+      logger.debug "Generated transfer_id for #{sub}"
+
+      request_data = {
+        'sub' => sub,
+        'target' => @target_team_id,
+        'client_id' => @client_id,
+        'client_secret' => @client_secret,
+      }
+
+      uri = URI('https://appleid.apple.com/auth/usermigrationinfo')
+      request = Net::HTTP::Post.new(uri)
+      request['Content-Type'] = 'application/x-www-form-urlencoded'
+      request['Authorization'] = "Bearer #{@access_token}"
+
+      request.body = URI.encode_www_form(request_data)
+
+      response = Net::HTTP.start(uri.hostname, uri.port, use_ssl: true) do |http|
+        http.request(request)
+      end
+
+      result = JSON.parse(response.body)
+
+      if result['error']
+        error_message = "HTTP Status: #{response.code}, Error: #{result.inspect}"
+        logger.error "Failed to generate transfer_id: #{error_message}"
+        return [nil, error_message]
+      end
+
+      transfer_id = result['transfer_sub']
+      logger.info "Success to generate transfer_id: #{transfer_id}"
+      [transfer_id, nil]
+    end
+  end
+end

data/lib/sign_in_with_apple_user_migrator/version.rb

@@ -0,0 +1,3 @@
+module SignInWithAppleUserMigrator
+  VERSION = '1.0.0'
+end

data/lib/sign_in_with_apple_user_migrator.rb

@@ -0,0 +1,9 @@
+require_relative 'sign_in_with_apple_user_migrator/access_token_generator'
+require_relative 'sign_in_with_apple_user_migrator/cli'
+require_relative 'sign_in_with_apple_user_migrator/client_secret_generator'
+require_relative 'sign_in_with_apple_user_migrator/transfer_id_exchanger'
+require_relative 'sign_in_with_apple_user_migrator/transfer_id_generator'
+require_relative 'sign_in_with_apple_user_migrator/version'
+
+module SignInWithAppleUserMigrator
+end

metadata

@@ -0,0 +1,124 @@
+--- !ruby/object:Gem::Specification
+name: sign_in_with_apple_user_migrator
+version: !ruby/object:Gem::Version
+  version: 1.0.0
+platform: ruby
+authors:
+- sakurahigashi2
+autorequire:
+bindir: bin
+cert_chain: []
+date: 2025-01-24 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: thor
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1'
+- !ruby/object:Gem::Dependency
+  name: jwt
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '13'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '13'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3'
+- !ruby/object:Gem::Dependency
+  name: webmock
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3'
+description: Tool for migrating Apple Sign In users between teams
+email:
+- joh.murata@gmail.com
+executables:
+- sign_in_with_apple_user_migrator
+extensions: []
+extra_rdoc_files: []
+files:
+- bin/sign_in_with_apple_user_migrator
+- lib/sign_in_with_apple_user_migrator.rb
+- lib/sign_in_with_apple_user_migrator/access_token_generator.rb
+- lib/sign_in_with_apple_user_migrator/base.rb
+- lib/sign_in_with_apple_user_migrator/cli.rb
+- lib/sign_in_with_apple_user_migrator/client_secret_generator.rb
+- lib/sign_in_with_apple_user_migrator/transfer_id_exchanger.rb
+- lib/sign_in_with_apple_user_migrator/transfer_id_generator.rb
+- lib/sign_in_with_apple_user_migrator/version.rb
+homepage: https://github.com/sakurahigashi2/sign_in_with_apple_user_migrator
+licenses:
+- MIT
+metadata:
+  documentation_uri: https://github.com/sakurahigashi2/sign_in_with_apple_user_migrator
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 2.5.0
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.4.10
+signing_key:
+specification_version: 4
+summary: Apple Sign In User Migration Tool
+test_files: []