@daemux/store-automator 0.10.93 → 0.10.94

package/templates/scripts/ci/ios-native/profile_manager.py

@@ -11,6 +11,27 @@ Talks to the App Store Connect API to:
 * Install the resulting ``.mobileprovision`` into every Xcode profile
   directory (Xcode 15 and Xcode 16+ use different paths).
 
+Caching
+-------
+
+``provision_all_bundles`` is now cache-aware. Callers pass the workspace
+``creds_dir`` and a ``cache_hit`` flag indicating whether the cert was
+itself reused from cache. The function:
+
+  * If the manifest's cached cert_id matches the current cert_id AND the
+    cert was reused, it tries to reuse each bundle's profile from disk
+    (``find_reusable_profile``) before falling back to a fresh
+    ``create_profile`` round-trip. Profile create on Apple's side is
+    rate-limited and disturbs the team's profile-list view, so caching
+    is worth it.
+  * If the cert changed (cap rotation, expiry, manual revoke) it forces
+    a full regen — Apple invalidates a profile the moment its leaf cert
+    goes away, so reusing the on-disk file would archive an unsigned
+    binary.
+  * After the loop it GCs orphan ``.mobileprovision`` files whose bundle
+    is no longer in ``bundle_ids`` (e.g. an extension was deleted from
+    the target list) and rewrites the manifest with the current set.
+
 Xcode pbxproj editing lives in ``pbxproj_editor.py``; this file is
 ASC-facing only.
 """
@@ -18,12 +39,14 @@ ASC-facing only.
 from __future__ import annotations
 
 import base64
-import plistlib
 import subprocess
+from datetime import datetime
 from pathlib import Path
 
+import creds_store
 from asc_common import get_json, request
 from pbxproj_editor import PROFILE_PREFIX
+from profile_io import decode_profile_plist, ensure_utc
 
 
 # Xcode 16+ moved the canonical profile directory. Older Xcode releases
@@ -121,65 +144,164 @@ def create_profile(
     return base64.b64decode(payload)
 
 
-def install_profile(profile_der: bytes) -> tuple[str, str]:
+def install_profile(profile_der: bytes) -> tuple[str, str, datetime]:
     """Install the raw profile into every Xcode-visible directory.
 
-    Returns ``(uuid, team_id)``. ``team_id`` is the team Apple assigned to
-    the profile — the effective team that Xcode expects to find in
-    ``DEVELOPMENT_TEAM``. It may differ from any team value in
-    ci.config.yaml; the ASC API key is bound to exactly one team and every
-    profile it issues inherits that team.
+    Returns ``(uuid, team_id, expiration)``. ``team_id`` is the team
+    Apple assigned to the profile — the effective team that Xcode
+    expects to find in ``DEVELOPMENT_TEAM``. ``expiration`` is the
+    profile's ``ExpirationDate`` normalised to UTC; the caller persists
+    it in the cache manifest.
     """
-    primary = _PROFILE_DIRS[0]
-    primary.mkdir(parents=True, exist_ok=True)
-    tmp_path = primary / "tmp.mobileprovision"
-    tmp_path.write_bytes(profile_der)
-    decoded = subprocess.check_output(
-        ["security", "cms", "-D", "-i", str(tmp_path)]
-    )
-    plist = plistlib.loads(decoded)
+    plist = decode_profile_plist(profile_der, _PROFILE_DIRS[0])
     uuid = plist["UUID"]
     team_ids = plist.get("TeamIdentifier") or []
     team_id = team_ids[0] if team_ids else ""
     profile_name = plist.get("Name") or "<unknown>"
+    expiration = ensure_utc(plist.get("ExpirationDate"))
     final_name = f"{uuid}.mobileprovision"
     for directory in _PROFILE_DIRS:
         directory.mkdir(parents=True, exist_ok=True)
         (directory / final_name).write_bytes(profile_der)
-    tmp_path.unlink(missing_ok=True)
     print(
         f"  profile {profile_name!r}: uuid={uuid} team={team_id} "
-        f"dirs={[str(d) for d in _PROFILE_DIRS]}"
+        f"exp={expiration.isoformat()} dirs={[str(d) for d in _PROFILE_DIRS]}"
     )
-    return uuid, team_id
+    return uuid, team_id, expiration
 
 
 # --------------------------------------------------------------------------- #
 # Orchestration                                                               #
 # --------------------------------------------------------------------------- #
 
+def _try_reuse_cached(
+    bid: str,
+    name: str,
+    cert_id: str,
+    creds_dir: Path,
+    manifest: dict,
+) -> tuple[str, str, dict] | None:
+    """Return ``(uuid, team, entry)`` if a cached profile reinstalls cleanly.
+
+    A corrupt .mobileprovision (truncated, manually edited, ``security
+    cms`` decode failure) must NEVER abort the build — log and return
+    ``None`` so the caller falls through to the fresh-create path.
+    """
+    cached = creds_store.find_reusable_profile(manifest, bid, cert_id, creds_dir)
+    if cached is None:
+        return None
+    try:
+        der = creds_store.profile_path(creds_dir, cached.uuid).read_bytes()
+        uuid, team_id, _ = install_profile(der)
+    except (OSError, subprocess.CalledProcessError, ValueError, KeyError) as exc:
+        print(
+            f"::warning::cached profile {cached.filename!r} unusable "
+            f"({exc!r}); regenerating"
+        )
+        return None
+    # cached.expiration is already UTC-aware (load_profile_manifest routes
+    # it through _parse_iso); no astimezone needed.
+    entry = {
+        "bundle_id": bid,
+        "name": cached.name or name,
+        "uuid": uuid,
+        "filename": f"{uuid}.mobileprovision",
+        "expiration": cached.expiration.isoformat(),
+    }
+    print(f"Reused cached profile {name} -> {uuid} ({bid})")
+    return uuid, team_id, entry
+
+
+def _provision_bundle(
+    token: str,
+    bid: str,
+    cert_id: str,
+    creds_dir: Path,
+    manifest: dict,
+    can_reuse: bool,
+) -> tuple[str, str, str, dict]:
+    """Provision one bundle; return ``(name, uuid, team, manifest_entry)``."""
+    name = profile_name_for(bid)
+    if can_reuse:
+        reused = _try_reuse_cached(bid, name, cert_id, creds_dir, manifest)
+        if reused is not None:
+            uuid, team_id, entry = reused
+            return name, uuid, team_id, entry
+
+    bundle_pk = ensure_bundle_id(token, bid)
+    delete_profile_by_name(token, name)
+    profile_der = create_profile(token, name, bundle_pk, cert_id)
+    uuid, team_id, expiration = install_profile(profile_der)
+    creds_store.write_cached_profile(creds_dir, uuid, profile_der)
+    entry = {
+        "bundle_id": bid,
+        "name": name,
+        "uuid": uuid,
+        "filename": f"{uuid}.mobileprovision",
+        "expiration": expiration.isoformat(),
+    }
+    print(f"Installed fresh profile {name} -> {uuid} ({bid})")
+    return name, uuid, team_id, entry
+
+
+def _gc_orphan_profiles(
+    creds_dir: Path, old_manifest: dict, new_entries: list[dict]
+) -> None:
+    """Remove cached .mobileprovision files for bundles no longer present."""
+    new_uuids = {e["uuid"] for e in new_entries}
+    for raw in old_manifest.get("profiles", []):
+        uuid = raw.get("uuid")
+        if not uuid or uuid in new_uuids:
+            continue
+        path = creds_store.profile_path(creds_dir, uuid)
+        if path.exists():
+            path.unlink(missing_ok=True)
+            print(f"GC'd orphan profile {uuid} ({raw.get('bundle_id')!r})")
+
+
 def provision_all_bundles(
     token: str,
     bundle_ids: list[str],
     cert_id: str,
+    *,
+    creds_dir: Path,
+    cache_hit: bool,
 ) -> tuple[list[tuple[str, str, str]], str]:
-    """Create + install a CI profile for each bundle id.
+    """Create + install a CI profile for each bundle id, with caching.
 
     Returns ``(mappings, team_id)`` where mappings is a list of
     ``(bundle_id, profile_name, uuid)`` tuples and ``team_id`` is the
     team Apple assigned to the profiles (shared — the ASC API key binds
     every profile it issues to a single team).
+
+    ``cache_hit`` says whether the cert came from cache. ``creds_dir``
+    is the workspace ``creds/`` root. When the manifest's cert_id
+    differs from ``cert_id`` we force a full regen — Apple invalidates
+    every profile bound to the prior cert the moment that cert is
+    revoked, so reusing on-disk profiles would archive unsigned bits.
     """
+    manifest = creds_store.load_profile_manifest(creds_dir)
+    can_reuse = cache_hit and manifest.get("cert_id") == cert_id
+    if cache_hit and not can_reuse:
+        print(
+            f"Manifest cert_id {manifest.get('cert_id')!r} differs from "
+            f"current {cert_id!r}; regenerating all profiles"
+        )
+
     results: list[tuple[str, str, str]] = []
+    new_entries: list[dict] = []
     effective_team = ""
     for bid in bundle_ids:
-        name = profile_name_for(bid)
-        bundle_pk = ensure_bundle_id(token, bid)
-        delete_profile_by_name(token, name)
-        profile_der = create_profile(token, name, bundle_pk, cert_id)
-        uuid, team_id = install_profile(profile_der)
+        name, uuid, team_id, entry = _provision_bundle(
+            token, bid, cert_id, creds_dir, manifest, can_reuse
+        )
         if team_id:
             effective_team = team_id
-        print(f"Installed provisioning profile {name} -> {uuid} ({bid})")
         results.append((bid, name, uuid))
+        new_entries.append(entry)
+
+    _gc_orphan_profiles(creds_dir, manifest, new_entries)
+    creds_store.write_profile_manifest(
+        creds_dir, {"cert_id": cert_id, "profiles": new_entries}
+    )
     return results, effective_team