@viettelpost/react-native-ota 0.1.0

package/bin/cli/deploy.js

@@ -0,0 +1,224 @@
+'use strict';
+/**
+ * OTA deploy orchestrator — the core of `ota deploy`.
+ *
+ * Per-platform pipeline:
+ *   1. Resolve version (YYYY.MM.DD-NNN; auto-increments NNN on 409 Conflict)
+ *   2. Build  — react-native bundle → bundle file + assets-src/
+ *   3. Zip    — assets-src/ → assets.zip (platform-correct structure)
+ *   4. Hash   — SHA-256(bundle) + SHA-256(assets.zip)
+ *   5. Sign   — RSA-SHA256 over canonical payload; self-verify against public key
+ *   6. Upload — multipart POST to /api/ota/releases (skipped with --dry-run)
+ *   7. Report — print summary with version, sizes, hashes, releaseId, URLs, status
+ */
+
+const fs = require('fs');
+const os = require('os');
+const path = require('path');
+
+const { buildBundle } = require('./bundle');
+const { zipAssets } = require('./assets-zip');
+const { sha256File, sign } = require('./sign');
+const { upload, publish } = require('./upload');
+
+/** Generate a date-base prefix: YYYY.MM.DD */
+function todayPrefix() {
+  const d = new Date();
+  const y = d.getFullYear();
+  const m = String(d.getMonth() + 1).padStart(2, '0');
+  const day = String(d.getDate()).padStart(2, '0');
+  return `${y}.${m}.${day}`;
+}
+
+/** Build a version string from a date prefix and a 3-digit sequence number. */
+function makeVersion(base, seq) {
+  return `${base}-${String(seq).padStart(3, '0')}`;
+}
+
+/**
+ * Run the full deploy pipeline for one platform.
+ *
+ * @param {object} opts
+ * @param {'ios'|'android'} opts.platform
+ * @param {string} opts.version         - starting version (will bump on 409)
+ * @param {string} opts.entryFile
+ * @param {string} opts.api             - required unless dryRun
+ * @param {string} opts.token           - required unless dryRun
+ * @param {string} opts.privateKey      - path to PEM private key
+ * @param {string} opts.publicKey       - path to PEM public key (for self-verify)
+ * @param {boolean} opts.dryRun
+ * @param {boolean} opts.activate       - publish to ACTIVE after upload
+ * @param {string} opts.workDir         - temp dir for this platform
+ * @returns {Promise<object>}
+ */
+async function deployPlatform({
+  platform, version, entryFile, api, token,
+  privateKey, publicKey, dryRun, activate, workDir,
+}) {
+  const log = msg => console.log(`  ${msg}`);
+
+  // ── 1. Build ──────────────────────────────────────────────────────────────
+  log('→ building bundle...');
+  const { bundlePath, assetsDir, fileName } = buildBundle({ platform, entryFile, workDir });
+  const bundleSize = fs.statSync(bundlePath).size;
+  log(`  bundle: ${fileName} (${(bundleSize / 1024).toFixed(1)} KB)`);
+
+  // ── 2. Zip assets ─────────────────────────────────────────────────────────
+  log('→ zipping assets...');
+  const zipPath = path.join(workDir, 'assets.zip');
+  const zipped = await zipAssets({ assetsDir, zipPath });
+  const assetsSize = zipped ? fs.statSync(zipped).size : 0;
+  if (zipped) {
+    log(`  assets.zip: ${(assetsSize / 1024).toFixed(1)} KB`);
+  } else {
+    log('  (no assets — bundle-only update)');
+  }
+
+  // ── 3. Hash ───────────────────────────────────────────────────────────────
+  log('→ hashing...');
+  const sha256 = sha256File(bundlePath).toLowerCase();
+  const assetsSha256 = zipped ? sha256File(zipped).toLowerCase() : null;
+  log(`  sha256:       ${sha256}`);
+  if (assetsSha256) log(`  assetsSha256: ${assetsSha256}`);
+
+  // ── 4. Sign (with self-verify) ────────────────────────────────────────────
+  log('→ signing...');
+  const { signature, canonicalPayload } = sign({
+    version,
+    platform,
+    fileName,
+    sha256,
+    assetsSha256,
+    privateKeyPath: privateKey,
+    publicKeyPath: publicKey,
+  });
+  log(`  signature: ${signature.slice(0, 16)}… (self-verified ✓)`);
+
+  const summary = {
+    version,
+    platform,
+    fileName,
+    sha256,
+    assetsSha256: assetsSha256 || undefined,
+    signature,
+    bundleSize,
+    assetsSize: assetsSize || undefined,
+  };
+
+  // ── 5. Dry run exit ───────────────────────────────────────────────────────
+  if (dryRun) {
+    log('→ dry-run: skipping upload\n');
+    const dryResult = { dryRun: true, ...summary };
+    console.log(JSON.stringify(dryResult, null, 2));
+    return dryResult;
+  }
+
+  // ── 6. Upload (with 409 version-bump retry) ───────────────────────────────
+  const versionBase = version.includes('-') ? version.replace(/-\d{3}$/, '') : version;
+  let seq = parseInt((version.match(/-(\d+)$/) || ['', '1'])[1], 10);
+  let result = null;
+
+  for (let attempt = 0; attempt < 10; attempt++) {
+    const v = makeVersion(versionBase, seq);
+    log(`→ uploading version ${v}...`);
+    try {
+      result = await upload({
+        api, token,
+        version: v, platform, fileName,
+        sha256, assetsSha256, signature, canonicalPayload,
+        bundlePath, assetsZipPath: zipped,
+      });
+      result.version = v;
+      break;
+    } catch (err) {
+      if (err.status === 409) {
+        log(`  version ${v} already exists — incrementing to -${String(seq + 1).padStart(3, '0')}...`);
+        seq++;
+        continue;
+      }
+      // Non-409 errors: show the BE response body to help debugging
+      if (err.responseBody) {
+        log(`  BE response: ${err.responseBody}`);
+      }
+      throw err;
+    }
+  }
+
+  // ── 7. Activate (optional) ────────────────────────────────────────────────
+  if (activate && result?.releaseId) {
+    log('→ activating release...');
+    await publish({ api, token, releaseId: result.releaseId });
+    result.status = 'ACTIVE';
+  }
+
+  const final = {
+    ...summary,
+    version: result.version,
+    releaseId: result?.releaseId,
+    bundleUrl: result?.bundleUrl,
+    assetsUrl: result?.assetsUrl,
+    status: result?.status || 'DRAFT',
+  };
+
+  console.log('\n  ✓ Released:');
+  console.log(JSON.stringify(final, null, 2));
+  return final;
+}
+
+/**
+ * Top-level deploy entry point — handles multi-platform and shared temp dir.
+ *
+ * @param {object} opts
+ * @param {'ios'|'android'|'all'} opts.platform
+ * @param {string} [opts.version]       - override; auto-generated when omitted
+ * @param {string} opts.entryFile
+ * @param {string} opts.api
+ * @param {string} opts.token
+ * @param {string} opts.privateKey
+ * @param {string} opts.publicKey
+ * @param {boolean} opts.dryRun
+ * @param {boolean} opts.activate
+ * @returns {Promise<object[]>}  one result per platform
+ */
+async function deploy(opts) {
+  const platforms = opts.platform === 'all' ? ['ios', 'android'] : [opts.platform];
+  const versionBase = opts.version || todayPrefix();
+  // If a bare YYYY.MM.DD was supplied, start at sequence 001
+  const version = /^\d{4}\.\d{2}\.\d{2}$/.test(versionBase)
+    ? makeVersion(versionBase, 1)
+    : versionBase;
+
+  const sessionDir = fs.mkdtempSync(path.join(os.tmpdir(), 'ota-deploy-'));
+  const cleanup = () => {
+    try {
+      fs.rmSync(sessionDir, { recursive: true, force: true });
+    } catch {
+      // best-effort
+    }
+  };
+  process.on('exit', cleanup);
+  process.on('SIGINT', () => { cleanup(); process.exit(1); });
+  process.on('SIGTERM', () => { cleanup(); process.exit(1); });
+
+  console.log(`\n[ota deploy] version=${version}  platforms=${platforms.join(',')}`);
+  if (opts.dryRun) console.log('[ota deploy] DRY RUN — no upload will occur');
+
+  const results = [];
+  for (const platform of platforms) {
+    console.log(`\n[ota deploy:${platform}]`);
+    const workDir = path.join(sessionDir, platform);
+    fs.mkdirSync(workDir, { recursive: true });
+    const result = await deployPlatform({ ...opts, platform, version, workDir });
+    results.push(result);
+  }
+
+  cleanup();
+  process.removeAllListeners('exit');
+  process.removeAllListeners('SIGINT');
+  process.removeAllListeners('SIGTERM');
+
+  console.log('\n[ota deploy] done.');
+  return results;
+}
+
+module.exports = { deploy };

package/bin/cli/sign.js

@@ -0,0 +1,97 @@
+'use strict';
+/**
+ * OTA signing utilities — canonical-payload, SHA-256 file hashing, RSA-SHA256 sign/verify.
+ *
+ * The canonical payload format is a published contract shared by this CLI,
+ * OTAUpdateSignatureVerifier.kt, and OTAUpdateSignatureVerifier.swift.
+ * Do NOT change field order or formatting without updating all three verifiers.
+ *
+ * Canonical payload (fixed order, \n-joined, NO trailing newline, lowercase hex):
+ *   version=<v>
+ *   platform=<ios|android>
+ *   fileName=<main.jsbundle|index.android.bundle>
+ *   sha256=<hex>
+ *   assetsSha256=<hex>   ← only when assets are present
+ */
+
+const crypto = require('crypto');
+const fs = require('fs');
+
+/**
+ * Compute lowercase-hex SHA-256 of a file.
+ * Byte-identical to OTAHashUtils on both native platforms.
+ */
+function sha256File(filePath) {
+  const hash = crypto.createHash('sha256');
+  hash.update(fs.readFileSync(filePath));
+  return hash.digest('hex');
+}
+
+/**
+ * Build the canonical payload string exactly as the native verifiers expect.
+ * @param {object} p
+ * @param {string} p.version
+ * @param {string} p.platform
+ * @param {string} p.fileName
+ * @param {string} p.sha256        - lowercase hex
+ * @param {string|null} [p.assetsSha256] - lowercase hex, omit when no assets
+ * @returns {string}
+ */
+function canonicalPayload({ version, platform, fileName, sha256, assetsSha256 }) {
+  const lines = [
+    `version=${version}`,
+    `platform=${platform}`,
+    `fileName=${fileName}`,
+    `sha256=${sha256}`,
+  ];
+  if (assetsSha256) {
+    lines.push(`assetsSha256=${assetsSha256}`);
+  }
+  return lines.join('\n');
+}
+
+/**
+ * Sign a bundle's metadata with RSA-SHA256 (PKCS#1 v1.5).
+ * If publicKeyPath is provided the signature is self-verified before returning —
+ * this catches key-pair mismatches before any upload happens.
+ *
+ * @param {object} opts
+ * @param {string} opts.version
+ * @param {string} opts.platform
+ * @param {string} opts.fileName
+ * @param {string} opts.sha256
+ * @param {string|null} [opts.assetsSha256]
+ * @param {string} opts.privateKeyPath  - path to PEM private key (gitignored, never committed)
+ * @param {string} [opts.publicKeyPath] - path to PEM public key, for self-verify
+ * @returns {{ signature: string, canonicalPayload: string }}
+ */
+function sign({ version, platform, fileName, sha256, assetsSha256, privateKeyPath, publicKeyPath }) {
+  if (!fs.existsSync(privateKeyPath)) {
+    throw new Error(`OTA private key not found at ${privateKeyPath}\nNever commit the private key — keep it in CI secrets or keys/ (gitignored).`);
+  }
+  const privateKey = fs.readFileSync(privateKeyPath, 'utf8');
+  const payload = canonicalPayload({ version, platform, fileName, sha256, assetsSha256 });
+  const signature = crypto
+    .sign('RSA-SHA256', Buffer.from(payload, 'utf8'), privateKey)
+    .toString('base64');
+
+  if (publicKeyPath) {
+    if (!fs.existsSync(publicKeyPath)) {
+      throw new Error(`OTA public key not found at ${publicKeyPath}`);
+    }
+    const publicKey = fs.readFileSync(publicKeyPath, 'utf8');
+    const verified = crypto.verify(
+      'RSA-SHA256',
+      Buffer.from(payload, 'utf8'),
+      publicKey,
+      Buffer.from(signature, 'base64'),
+    );
+    if (!verified) {
+      throw new Error('OTA signature self-verification failed — public key does not match the private key used for signing');
+    }
+  }
+
+  return { signature, canonicalPayload: payload };
+}
+
+module.exports = { sha256File, canonicalPayload, sign };

package/bin/cli/upload.js

@@ -0,0 +1,109 @@
+'use strict';
+/**
+ * Multipart upload to the OTA CMS backend.
+ *
+ * Uses Node 18+ native fetch + FormData + Blob — no extra HTTP dependencies.
+ *
+ * POST /api/ota/releases
+ *   Creates a new release in DRAFT status.
+ *   The BE re-validates sha256 hashes and the RSA signature before persisting.
+ *   Returns: { releaseId, version, platform, bundleUrl, assetsUrl?, status: "DRAFT" }
+ *   409 Conflict when version+platform already exists (CLI handles by bumping NNN).
+ *
+ * POST /api/ota/releases/:id/publish
+ *   Flips DRAFT → ACTIVE with optional rolloutPercent.
+ *   Returns: { id, status: "ACTIVE" }
+ */
+
+const fs = require('fs');
+const path = require('path');
+
+/**
+ * Upload a signed bundle + optional assets.zip to the OTA CMS.
+ *
+ * @param {object} opts
+ * @param {string} opts.api              - base URL (e.g. https://ota.example.com)
+ * @param {string} opts.token            - Bearer token
+ * @param {string} opts.version
+ * @param {string} opts.platform
+ * @param {string} opts.fileName
+ * @param {string} opts.sha256           - lowercase hex
+ * @param {string|null} opts.assetsSha256
+ * @param {string} opts.signature        - Base64 RSA-SHA256
+ * @param {string} [opts.canonicalPayload] - for audit, optional
+ * @param {string} opts.bundlePath       - local path to the bundle file
+ * @param {string|null} opts.assetsZipPath - local path to assets.zip, or null
+ * @returns {Promise<{ releaseId: string, version: string, platform: string,
+ *                     bundleUrl: string, assetsUrl?: string, status: string }>}
+ */
+async function upload({
+  api, token,
+  version, platform, fileName,
+  sha256, assetsSha256, signature, canonicalPayload,
+  bundlePath, assetsZipPath,
+}) {
+  const form = new FormData();
+  form.set('version', version);
+  form.set('platform', platform);
+  form.set('fileName', fileName);
+  form.set('sha256', sha256);
+  if (assetsSha256) form.set('assetsSha256', assetsSha256);
+  form.set('signature', signature);
+  if (canonicalPayload) form.set('canonicalPayload', canonicalPayload);
+
+  // Attach bundle file
+  const bundleBytes = fs.readFileSync(bundlePath);
+  form.set('bundle', new Blob([bundleBytes], { type: 'application/octet-stream' }), fileName);
+
+  // Attach assets.zip when present
+  if (assetsZipPath) {
+    const assetsBytes = fs.readFileSync(assetsZipPath);
+    form.set('assets', new Blob([assetsBytes], { type: 'application/zip' }), 'assets.zip');
+  }
+
+  const response = await fetch(`${api}/api/ota/releases`, {
+    method: 'POST',
+    headers: { Authorization: `Bearer ${token}` },
+    body: form,
+  });
+
+  if (!response.ok) {
+    const body = await response.text().catch(() => '');
+    const err = new Error(`Upload failed: HTTP ${response.status} ${response.statusText}`);
+    err.status = response.status;
+    err.responseBody = body;
+    throw err;
+  }
+
+  return response.json();
+}
+
+/**
+ * Publish a DRAFT release to ACTIVE (optional, triggered by --activate).
+ *
+ * @param {object} opts
+ * @param {string} opts.api
+ * @param {string} opts.token
+ * @param {string} opts.releaseId
+ * @param {number} [opts.rolloutPercent=100]
+ * @returns {Promise<{ id: string, status: string }>}
+ */
+async function publish({ api, token, releaseId, rolloutPercent = 100 }) {
+  const response = await fetch(`${api}/api/ota/releases/${releaseId}/publish`, {
+    method: 'POST',
+    headers: {
+      Authorization: `Bearer ${token}`,
+      'Content-Type': 'application/json',
+    },
+    body: JSON.stringify({ rolloutPercent }),
+  });
+
+  if (!response.ok) {
+    const body = await response.text().catch(() => '');
+    throw new Error(`Publish failed: HTTP ${response.status} ${response.statusText}\n${body}`);
+  }
+
+  return response.json();
+}
+
+module.exports = { upload, publish };

package/bin/ota.js

@@ -0,0 +1,200 @@
+#!/usr/bin/env node
+'use strict';
+/**
+ * ota — OTA deploy CLI entry point
+ *
+ * Usage:
+ *   yarn ota:deploy              # deploy all platforms (uses ota.config.js defaults)
+ *   yarn ota:deploy --dry-run    # build + sign only, no upload
+ *   ota deploy --platform ios --dry-run
+ *   ota sign --platform ios --bundle ./build/main.jsbundle ...
+ *
+ * Config file: ota.config.js in the project root (see ota.config.example.js).
+ * CLI flags always override config file values.
+ */
+
+const fs = require('fs');
+const path = require('path');
+
+// ── Arg parser ────────────────────────────────────────────────────────────────
+// Hand-rolled to keep the same style as scripts/ota-sign.js (no commander/yargs).
+function parseArgs(argv) {
+  const args = {};
+  for (let i = 0; i < argv.length; i++) {
+    const key = argv[i];
+    if (key.startsWith('--')) {
+      const name = key.slice(2);
+      const next = argv[i + 1];
+      if (!next || next.startsWith('--')) {
+        args[name] = true; // flag with no value
+      } else {
+        args[name] = next;
+        i++;
+      }
+    }
+  }
+  return args;
+}
+
+// ── Config loader ─────────────────────────────────────────────────────────────
+function loadConfig() {
+  const configPath = path.join(process.cwd(), 'ota.config.js');
+  if (fs.existsSync(configPath)) {
+    // eslint-disable-next-line import/no-dynamic-require
+    return require(configPath);
+  }
+  return {};
+}
+
+// ── Help text ─────────────────────────────────────────────────────────────────
+const HELP = `
+ota <command> [options]
+
+Commands:
+  deploy    Build bundles for one or both platforms, sign them, and upload to the OTA CMS.
+  sign      Sign a pre-built bundle file and print the signed metadata JSON.
+
+Options for \`deploy\`:
+  --platform        ios | android | all      (default: all)
+  --version         Override auto-generated version string (YYYY.MM.DD-NNN)
+  --api             OTA CMS base URL (e.g. https://ota.example.com)
+  --token           Bearer token for the /api/ota/releases upload endpoint
+  --private-key     Path to OTA RSA private key PEM  (default: ./keys/ota_private_key.pem)
+  --public-key      Path to OTA RSA public key PEM for self-verify (default: ./ios/ota_public_key.pem)
+  --entry-file      React Native JS entry file  (default: index.js)
+  --dry-run         Build + sign only; skip upload. Prints signed metadata.
+  --activate        Auto-publish to ACTIVE after upload (default: leaves release as DRAFT)
+
+Options for \`sign\`:
+  --version         Required — OTA version string
+  --platform        Required — ios | android
+  --bundle          Path to the pre-built bundle file (computes --sha256 automatically)
+  --sha256          Override sha256 (use --bundle OR --sha256)
+  --file-name       Bundle filename (inferred from --bundle when omitted)
+  --assets-sha256   SHA-256 of assets.zip (optional; omit for bundle-only updates)
+  --private-key     Path to OTA private key PEM
+  --public-key      Path to OTA public key PEM (for self-verify)
+
+Config file:
+  Create ota.config.js in the project root with defaults (see ota.config.example.js).
+  CLI flags override all config file values.
+
+Examples:
+  yarn ota:deploy                            # full deploy, both platforms
+  yarn ota:deploy --platform ios --dry-run   # iOS bundle, print signed metadata
+  yarn ota:deploy --activate                 # deploy + immediately publish to ACTIVE
+  ota sign --platform ios --bundle ./build/main.jsbundle \\
+    --private-key ./keys/ota_private_key.pem --version 2026.06.23-001
+`;
+
+// ── Main ──────────────────────────────────────────────────────────────────────
+async function main() {
+  const [, , subcommand, ...rest] = process.argv;
+
+  if (!subcommand || subcommand === 'help' || subcommand === '--help' || subcommand === '-h') {
+    console.log(HELP);
+    process.exit(0);
+  }
+
+  const config = loadConfig();
+  const flags = parseArgs(rest);
+
+  // Merge config + flags (flags win). Normalize kebab-case flag names → camelCase.
+  const opts = {
+    ...config,
+    ...flags,
+    privateKey: flags['private-key'] || flags.privateKey || config.privateKey || './keys/ota_private_key.pem',
+    publicKey:  flags['public-key']  || flags.publicKey  || config.publicKey  || './ios/ota_public_key.pem',
+    entryFile:  flags['entry-file']  || flags.entryFile  || config.entryFile  || 'index.js',
+    token:      flags.token          || config.token      || process.env.OTA_TOKEN,
+    api:        flags.api            || config.api,
+    platform:   flags.platform       || config.platform   || 'all',
+    dryRun:     !!(flags['dry-run']  || flags.dryRun),
+    activate:   !!(flags.activate),
+  };
+
+  // ── deploy ─────────────────────────────────────────────────────────────────
+  if (subcommand === 'deploy') {
+    if (!opts.dryRun) {
+      if (!opts.api) {
+        console.error('[ota deploy] Error: --api is required (or set api in ota.config.js)\nTip: yarn ota:deploy --dry-run to test without uploading.');
+        process.exit(1);
+      }
+      if (!opts.token) {
+        console.error('[ota deploy] Error: --token is required (or set token/OTA_TOKEN in ota.config.js)');
+        process.exit(1);
+      }
+    }
+    const { deploy } = require('./cli/deploy');
+    await deploy(opts);
+    return;
+  }
+
+  // ── sign ───────────────────────────────────────────────────────────────────
+  if (subcommand === 'sign') {
+    const { sha256File, sign } = require('./cli/sign');
+
+    const bundlePath = flags.bundle || flags['bundle-path'];
+    const providedSha256 = flags.sha256;
+
+    if (!bundlePath && !providedSha256) {
+      console.error('[ota sign] Error: --bundle or --sha256 is required');
+      process.exit(1);
+    }
+    if (!opts.version) {
+      console.error('[ota sign] Error: --version is required');
+      process.exit(1);
+    }
+    if (!opts.platform) {
+      console.error('[ota sign] Error: --platform (ios|android) is required');
+      process.exit(1);
+    }
+
+    const sha256 = providedSha256
+      ? providedSha256.toLowerCase()
+      : sha256File(bundlePath).toLowerCase();
+
+    const fileName = flags['file-name'] || flags.fileName
+      || (bundlePath ? path.basename(bundlePath) : undefined);
+    if (!fileName) {
+      console.error('[ota sign] Error: --file-name is required when --bundle is not provided');
+      process.exit(1);
+    }
+
+    const assetsSha256 = (flags['assets-sha256'] || flags.assetsSha256 || null)?.toLowerCase() || null;
+
+    const { signature, canonicalPayload } = sign({
+      version: opts.version,
+      platform: opts.platform.toLowerCase(),
+      fileName,
+      sha256,
+      assetsSha256,
+      privateKeyPath: opts.privateKey,
+      publicKeyPath: opts.publicKey,
+    });
+
+    const result = {
+      version: opts.version,
+      platform: opts.platform,
+      fileName,
+      sha256,
+      ...(assetsSha256 ? { assetsSha256 } : {}),
+      signature,
+      signatureVerified: !!opts.publicKey,
+      canonicalPayload,
+    };
+    process.stdout.write(JSON.stringify(result, null, 2) + '\n');
+    return;
+  }
+
+  console.error(`[ota] Unknown command: ${subcommand}\nRun \`ota help\` for usage.`);
+  process.exit(1);
+}
+
+main().catch(err => {
+  console.error('\n[ota] Fatal error:', err.message);
+  if (err.responseBody) {
+    console.error('  Backend response:', err.responseBody);
+  }
+  process.exit(1);
+});