Class: Match::Runner

Inherits:
Object
  • Object
show all
Defined in:
match/lib/match/runner.rb

Overview

rubocop:disable Metrics/ClassLength

Constant Summary collapse

RENEWABLE_CERT_TYPES_VIA_API = 
[:mac_installer_distribution, :development, :distribution, :enterprise]

Instance Attribute Summary collapse

Instance Method Summary collapse

Instance Attribute Details

#cacheObject

Returns the value of attribute cache.



27
28
29
 
# File 'match/lib/match/runner.rb', line 27

def cache
  @cache
end

#files_to_commitObject

Returns the value of attribute files_to_commit.



21
22
23
 
# File 'match/lib/match/runner.rb', line 21

def files_to_commit
  @files_to_commit
end

#files_to_deleteObject

Returns the value of attribute files_to_delete.



22
23
24
 
# File 'match/lib/match/runner.rb', line 22

def files_to_delete
  @files_to_delete
end

#spaceshipObject

Returns the value of attribute spaceship.



23
24
25
 
# File 'match/lib/match/runner.rb', line 23

def spaceship
  @spaceship
end

#storageObject

Returns the value of attribute storage.



25
26
27
 
# File 'match/lib/match/runner.rb', line 25

def storage
  @storage
end

Instance Method Details

#api_token(params) ⇒ Object

rubocop:enable Metrics/PerceivedComplexity



141
142
143
144
 
# File 'match/lib/match/runner.rb', line 141

def api_token(params)
  api_token = Spaceship::ConnectAPI::Token.from(hash: params[:api_key], filepath: params[:api_key_path])
  return api_token
end

#fetch_certificate(params: nil, renew_expired_certs: false, specific_cert_type: nil) ⇒ Object 



161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
 
# File 'match/lib/match/runner.rb', line 161

def fetch_certificate(params: nil, renew_expired_certs: false, specific_cert_type: nil)
  cert_type = Match.cert_type_sym(specific_cert_type || params[:type])

  certs = Dir[File.join(prefixed_working_directory, "certs", cert_type.to_s, "*.cer")]
  keys = Dir[File.join(prefixed_working_directory, "certs", cert_type.to_s, "*.p12")]

  storage_has_certs = certs.count != 0 && keys.count != 0

  # Determine if cert is renewable.
  # Can't renew developer_id certs with Connect API token. Account holder access is required.
   = Spaceship::ConnectAPI.token.nil?
  is_cert_renewable_via_api = RENEWABLE_CERT_TYPES_VIA_API.include?(cert_type)
  is_cert_renewable =  || is_cert_renewable_via_api

  # Validate existing certificate first.
  if renew_expired_certs && is_cert_renewable && storage_has_certs && !params[:readonly]
    cert_path = select_cert_or_key(paths: certs)

    unless Utils.is_cert_valid?(cert_path)
      UI.important("Removing invalid certificate '#{File.basename(cert_path)}'")

      # Remove expired cert.
      self.files_to_delete << cert_path
      File.delete(cert_path)

      # Key filename is the same as cert but with .p12 extension.
      key_path = cert_path.gsub(/\.cer$/, ".p12")
      # Remove expired key .p12 file.
      if File.exist?(key_path)
        self.files_to_delete << key_path
        File.delete(key_path)
      end

      certs = []
      keys = []
      storage_has_certs = false
    end
  end

  if !storage_has_certs
    UI.important("Couldn't find a valid code signing identity for #{cert_type}... creating one for you now")
    UI.crash!("No code signing identity found and cannot create a new one because you enabled `readonly`") if params[:readonly]
    cert_path = Generator.generate_certificate(params, cert_type, prefixed_working_directory, specific_cert_type: specific_cert_type)
    private_key_path = cert_path.gsub(".cer", ".p12")

    self.files_to_commit << cert_path
    self.files_to_commit << private_key_path

    # Reset certificates cache since we have a new cert.
    self.cache.reset_certificates
  else
    cert_path = select_cert_or_key(paths: certs)

    # Check validity of certificate
    if Utils.is_cert_valid?(cert_path)
      UI.verbose("Your certificate '#{File.basename(cert_path)}' is valid")
    else
      UI.user_error!("Your certificate '#{File.basename(cert_path)}' is not valid, please check end date and renew it if necessary")
    end

    if Helper.mac?
      UI.message("Installing certificate...")

      # Only looking for cert in "custom" (non login.keychain) keychain
      # Doing this for backwards compatibility
      keychain_name = params[:keychain_name] == "login.keychain" ? nil : params[:keychain_name]

      if FastlaneCore::CertChecker.installed?(cert_path, in_keychain: keychain_name)
        UI.verbose("Certificate '#{File.basename(cert_path)}' is already installed on this machine")
      else
        Utils.import(cert_path, params[:keychain_name], password: params[:keychain_password])

        # Import the private key
        # there seems to be no good way to check if it's already installed - so just install it
        # Key will only be added to the partition list if it isn't already installed
        Utils.import(select_cert_or_key(paths: keys), params[:keychain_name], password: params[:keychain_password])
      end
    else
      UI.message("Skipping installation of certificate as it would not work on this operating system.")
    end

    if params[:output_path]
      FileUtils.cp(cert_path, params[:output_path])
      FileUtils.cp(select_cert_or_key(paths: keys), params[:output_path])
    end

    # Get and print info of certificate
    info = Utils.get_cert_info(cert_path)
    TablePrinter.print_certificate_info(cert_info: info)
  end

  return File.basename(cert_path).gsub(".cer", "") # Certificate ID
end

#fetch_provisioning_profile(params: nil, profile_type:, certificate_id: nil, app_identifier: nil, working_directory: nil) ⇒ String

rubocop:disable Metrics/PerceivedComplexity

Returns:

  • (String)

    The UUID of the provisioning profile so we can verify it with the Apple Developer Portal



263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
 
# File 'match/lib/match/runner.rb', line 263

def fetch_provisioning_profile(params: nil, profile_type:, certificate_id: nil, app_identifier: nil, working_directory: nil)
  prov_type = Match.profile_type_sym(params[:type])

  names = [Match::Generator.profile_type_name(prov_type), app_identifier]
  if params[:platform].to_s == :tvos.to_s || params[:platform].to_s == :catalyst.to_s
    names.push(params[:platform])
  end

  profile_name = names.join("_").gsub("*", '\*') # this is important, as it shouldn't be a wildcard
  base_dir = File.join(prefixed_working_directory, "profiles", prov_type.to_s)

  extension = ".mobileprovision"
  if [:macos.to_s, :catalyst.to_s].include?(params[:platform].to_s)
    extension = ".provisionprofile"
  end

  profile_file = "#{profile_name}#{extension}"
  profiles = Dir[File.join(base_dir, profile_file)]
  if Helper.mac?
    keychain_path = FastlaneCore::Helper.keychain_path(params[:keychain_name]) unless params[:keychain_name].nil?
  end

  # Install the provisioning profiles
  stored_profile_path = profiles.last
  force = params[:force]

  if spaceship
    # check if profile needs to be updated only if not in readonly mode
    portal_profile = self.cache.portal_profile(stored_profile_path: stored_profile_path, keychain_path: keychain_path) if stored_profile_path

    if params[:force_for_new_devices]
      force ||= ProfileIncludes.should_force_include_all_devices?(params: params, portal_profile: portal_profile, cached_devices: self.cache.devices)
    end

    if params[:include_all_certificates]
      # Clearing specified certificate id which will prevent a profile being created with only one certificate
      certificate_id = nil
      force ||= ProfileIncludes.should_force_include_all_certificates?(params: params, portal_profile: portal_profile, cached_certificates: self.cache.certificates)
    end
  end

  is_new_profile_created = false
  if stored_profile_path.nil? || force
    if params[:readonly]
      UI.error("No matching provisioning profiles found for '#{profile_file}'")
      UI.error("A new one cannot be created because you enabled `readonly`")
      if Dir.exist?(base_dir) # folder for `prov_type` does not exist on first match use for that type
        all_profiles = Dir.entries(base_dir).reject { |f| f.start_with?(".") }
        UI.error("Provisioning profiles in your repo for type `#{prov_type}`:")
        all_profiles.each { |p| UI.error("- '#{p}'") }
      end
      UI.error("If you are certain that a profile should exist, double-check the recent changes to your match repository")
      UI.user_error!("No matching provisioning profiles found and cannot create a new one because you enabled `readonly`. Check the output above for more information.")
    end

    stored_profile_path = Generator.generate_provisioning_profile(
      params: params,
      prov_type: prov_type,
      certificate_id: certificate_id,
      app_identifier: app_identifier,
      force: force,
      cache: self.cache,
      working_directory: prefixed_working_directory
    )

    # Recreation of the profile means old profile is invalid.
    # Removing it from cache. We don't need a new profile in cache.
    self.cache.forget_portal_profile(portal_profile) if portal_profile

    self.files_to_commit << stored_profile_path

    is_new_profile_created = true
  end

  parsed = FastlaneCore::ProvisioningProfile.parse(stored_profile_path, keychain_path)
  uuid = parsed["UUID"]
  name = parsed["Name"]

  check_profile_existence = !is_new_profile_created && spaceship
  if check_profile_existence && !spaceship.profile_exists(profile_type: profile_type,
                                                          name: name,
                                                          username: params[:username],
                                                          uuid: uuid,
                                                          cached_profiles: self.cache.profiles)

    # This profile is invalid, let's remove the local file and generate a new one
    File.delete(stored_profile_path)
    # This method will be called again, no need to modify `files_to_commit`
    return nil
  end

  if Helper.mac?
    installed_profile = FastlaneCore::ProvisioningProfile.install(stored_profile_path, keychain_path)
  end

  if params[:output_path]
    FileUtils.cp(stored_profile_path, params[:output_path])
  end

  Utils.fill_environment(Utils.environment_variable_name(app_identifier: app_identifier,
                                                                   type: prov_type,
                                                               platform: params[:platform]),

                         uuid)

  # TeamIdentifier is returned as an array, but we're not sure why there could be more than one
  Utils.fill_environment(Utils.environment_variable_name_team_id(app_identifier: app_identifier,
                                                                           type: prov_type,
                                                                       platform: params[:platform]),
                         parsed["TeamIdentifier"].first)

  cert_info = Utils.get_cert_info(parsed["DeveloperCertificates"].first.string).to_h
  Utils.fill_environment(Utils.environment_variable_name_certificate_name(app_identifier: app_identifier,
                                                                                    type: prov_type,
                                                                                platform: params[:platform]),
                         cert_info["Common Name"])

  Utils.fill_environment(Utils.environment_variable_name_profile_name(app_identifier: app_identifier,
                                                                                type: prov_type,
                                                                            platform: params[:platform]),
                         parsed["Name"])

  Utils.fill_environment(Utils.environment_variable_name_profile_path(app_identifier: app_identifier,
                                                                                type: prov_type,
                                                                            platform: params[:platform]),
                         installed_profile)

  return uuid
end

#prefixed_working_directoryObject

Used when creating a new certificate or profile



147
148
149
 
# File 'match/lib/match/runner.rb', line 147

def prefixed_working_directory
  return self.storage.prefixed_working_directory
end

#run(params) ⇒ Object

rubocop:disable Metrics/PerceivedComplexity



30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
 
# File 'match/lib/match/runner.rb', line 30

def run(params)
  self.files_to_commit = []
  self.files_to_delete = []

  FileUtils.mkdir_p(params[:output_path]) if params[:output_path]

  FastlaneCore::PrintTable.print_values(config: params,
                                         title: "Summary for match #{Fastlane::VERSION}")

  update_optional_values_depending_on_storage_type(params)

  # Choose the right storage and encryption implementations
  storage_params = params
  storage_params[:username] = params[:readonly] ? nil : params[:username] # only pass username if not readonly
  self.storage = Storage.from_params(storage_params)
  storage.download

  # Init the encryption only after the `storage.download` was called to have the right working directory
  encryption = Encryption.for_storage_mode(params[:storage_mode], {
    git_url: params[:git_url],
    s3_bucket: params[:s3_bucket],
    s3_skip_encryption: params[:s3_skip_encryption],
    working_directory: storage.working_directory,
    force_legacy_encryption: params[:force_legacy_encryption]
  })
  encryption.decrypt_files if encryption

  unless params[:readonly]
    self.spaceship = SpaceshipEnsure.new(params[:username], params[:team_id], params[:team_name], api_token(params))
    if params[:type] == "enterprise" && !Spaceship.client.in_house?
      UI.user_error!("You defined the profile type 'enterprise', but your Apple account doesn't support In-House profiles")
    end
  end

  if params[:app_identifier].kind_of?(Array)
    app_identifiers = params[:app_identifier]
  else
    app_identifiers = params[:app_identifier].to_s.split(/\s*,\s*/).uniq
  end

  # sometimes we get an array with arrays, this is a bug. To unblock people using match, I suggest we flatten
  # then in the future address the root cause of https://github.com/fastlane/fastlane/issues/11324
  app_identifiers = app_identifiers.flatten.uniq

  if spaceship
    # Cache bundle ids, certificates, profiles, and devices.
    self.cache = Portal::Cache.build(
      params: params,
      bundle_id_identifiers: app_identifiers
    )

    # Verify the App ID (as we don't want 'match' to fail at a later point)
    app_identifiers.each do |app_identifier|
      spaceship.bundle_identifier_exists(username: params[:username], app_identifier: app_identifier, cached_bundle_ids: self.cache.bundle_ids)
    end
  end

  # Certificate
  cert_id = fetch_certificate(params: params, renew_expired_certs: false)

  # Mac Installer Distribution Certificate
  additional_cert_types = params[:additional_cert_types] || []
  cert_ids = additional_cert_types.map do |additional_cert_type|
    fetch_certificate(params: params, renew_expired_certs: false, specific_cert_type: additional_cert_type)
  end

  profile_type = Sigh.profile_type_for_distribution_type(
    platform: params[:platform],
    distribution_type: params[:type]
  )

  cert_ids << cert_id
  spaceship.certificates_exists(username: params[:username], certificate_ids: cert_ids, platform: params[:platform], profile_type: profile_type, cached_certificates: self.cache.certificates) if spaceship

  # Provisioning Profiles

  unless params[:skip_provisioning_profiles]
    app_identifiers.each do |app_identifier|
      loop do
        break if fetch_provisioning_profile(params: params,
                                      profile_type: profile_type,
                                    certificate_id: cert_id,
                                    app_identifier: app_identifier,
                                 working_directory: storage.working_directory)
      end
    end
  end

  has_file_changes = self.files_to_commit.count > 0 || self.files_to_delete.count > 0
  if has_file_changes && !params[:readonly]
    encryption.encrypt_files if encryption
    storage.save_changes!(files_to_commit: self.files_to_commit, files_to_delete: self.files_to_delete)
  end

  # Print a summary table for each app_identifier
  app_identifiers.each do |app_identifier|
    TablePrinter.print_summary(app_identifier: app_identifier, type: params[:type], platform: params[:platform])
  end

  UI.success("All required keys, certificates and provisioning profiles are installed 🙌".green)
rescue Spaceship::Client::UnexpectedResponse, Spaceship::Client::InvalidUserCredentialsError, Spaceship::Client::NoUserCredentialsError => ex
  UI.error("An error occurred while verifying your certificates and profiles with the Apple Developer Portal.")
  UI.error("If you already have your certificates stored in git, you can run `fastlane match` in readonly mode")
  UI.error("to just install the certificates and profiles without accessing the Dev Portal.")
  UI.error("To do so, just pass `readonly: true` to your match call.")
  raise ex
ensure
  storage.clear_changes if storage
end

#select_cert_or_key(paths:) ⇒ String

Returns Path to certificate or P12 key.

Returns:

  • (String)

    Path to certificate or P12 key



256
257
258
259
 
# File 'match/lib/match/runner.rb', line 256

def select_cert_or_key(paths:)
  cert_id_path = ENV['MATCH_CERTIFICATE_ID'] ? paths.find { |path| path.include?(ENV['MATCH_CERTIFICATE_ID']) } : nil
  cert_id_path || paths.last
end

#update_optional_values_depending_on_storage_type(params) ⇒ Object

Be smart about optional values here Depending on the storage mode, different values are required



153
154
155
156
157
 
# File 'match/lib/match/runner.rb', line 153

def update_optional_values_depending_on_storage_type(params)
  if params[:storage_mode] != "git"
    params.option_for_key(:git_url).optional = true
  end
end