From 05f463443d8d339f805942ea0945bf16c50772d2 Mon Sep 17 00:00:00 2001
From: Koen Van Looveren
Date: Tue, 12 Dec 2023 20:41:45 +0100
Subject: [PATCH] fix: keychain access controll
---
 CHANGELOG.md | 5 +
 .../plugin/mac_os_keychain_plugin.dart | 92 +++++--------------
 .../ci_cd/plugin/ci_cd_plugin.dart | 18 ++--
 3 files changed, 34 insertions(+), 81 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 52a9e73..0e4f41c 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,8 @@
+# 0.10.6
+
+# Fix:
+- Keychain should be accessible to all from ci/cd plugin
+
 # 0.10.5
 # Fix:
diff --git a/lib/src/integrations/apple_certificate/plugin/mac_os_keychain_plugin.dart b/lib/src/integrations/apple_certificate/plugin/mac_os_keychain_plugin.dart
index 8bffde1..4beb2f2 100644
--- a/lib/src/integrations/apple_certificate/plugin/mac_os_keychain_plugin.dart
+++ b/lib/src/integrations/apple_certificate/plugin/mac_os_keychain_plugin.dart
@@ -20,28 +20,13 @@ class MacOsKeyChainPlugin extends ImpaktfullCliPlugin {
 final fullKeyChainName = _fullKeyChainName(keyChainName);
 final originalKeyChains = await _getUserKeyChains();
 if (originalKeyChains.contains(fullKeyChainName)) {
- throw ImpaktfullCliError(
- '$fullKeyChainName already exists, make sure to remove it first.');
+ throw ImpaktfullCliError('$fullKeyChainName already exists, make sure to remove it first.');
 }
 ImpaktfullCliLogger.debug('Create Apple KeyChain ($fullKeyChainName)');
- await processRunner.runProcess([
- 'security',
- 'create-keychain',
- '-p',
- '$globalKeyChainPassword',
- fullKeyChainName
- ]);
+ await processRunner.runProcess(['security', 'create-keychain', '-p', '$globalKeyChainPassword', fullKeyChainName]);
 final keyChain = await _getUserKeyChains();
- await processRunner.runProcess([
- 'security',
- 'list-keychains',
- '-d',
- 'user',
- '-s',
- fullKeyChainName,
- ...keyChain
- ]);
+ await processRunner.runProcess(['security', 'list-keychains', '-d', 'user', '-s', fullKeyChainName, ...keyChain]);
 }
 Future unlockKeyChain(
@@ -49,15 +34,8 @@ class MacOsKeyChainPlugin extends ImpaktfullCliPlugin {
 Secret globalKeyChainPassword,
 ) async {
 final fullKeyChainName = _fullKeyChainName(keyChainName);
- await processRunner
- .runProcess(['security', 'set-keychain-settings', fullKeyChainName]);
- await processRunner.runProcess([
- 'security',
- 'unlock-keychain',
- '-p',
- '$globalKeyChainPassword',
- fullKeyChainName
- ]);
+ await processRunner.runProcess(['security', 'set-keychain-settings', fullKeyChainName]);
+ await processRunner.runProcess(['security', 'unlock-keychain', '-p', globalKeyChainPassword.value, fullKeyChainName]);
 }
 Future addCertificateToKeyChain(
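Review bot: createKeyChain still passes the password as `'$globalKeyChainPassword'` (string interpolation of the `Secret`), while the next hunk switches unlockKeyChain to `globalKeyChainPassword.value`. If `Secret.toString()` masks or wraps the value, which the move to `.value` suggests, the keychain is created with one password and unlocked with another; the `create-keychain` call should use `globalKeyChainPassword.value` as well. The same secrets are also placed on the `security` command line (`-p` in both methods here, `-P` in addCertificateToKeyChain), so they may be visible in the process list on the build host and in any logging `processRunner.runProcess` does of its arguments, which is worth confirming. createKeyChain's signature starts above the hunk.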
@@ -70,44 +48,25 @@ class MacOsKeyChainPlugin extends ImpaktfullCliPlugin {
 ],
 }) async {
 final fullKeyChainName = _fullKeyChainName(keyChainName);
- if (accessControlAll) {
- await processRunner.runProcess([
- 'security',
- 'import',
- (certFile.path),
- '-k',
- fullKeyChainName,
- '-P',
- certPassword.value,
- '-A'
- ]);
- } else if (accessControlApplications.isNotEmpty) {
- await processRunner.runProcess([
- 'security',
- 'import',
- certFile.path,
- '-k',
- fullKeyChainName,
- '-P',
- certPassword.value,
+ await processRunner.runProcess([
+ 'security',
+ 'import',
+ certFile.path,
+ '-k',
+ fullKeyChainName,
+ '-P',
+ certPassword.value,
+ if (accessControlAll) ...[
+ '-A',
+ ] else ...[
 for (final application in accessControlApplications) ...[
 ...[
 '-T',
 application,
 ]
- ]
- ]);
- } else {
- await processRunner.runProcess([
- 'security',
- 'import',
- certFile.path,
- '-k',
- fullKeyChainName,
- '-P',
- certPassword.value
- ]);
- } + ],
+ ],
+ ]);
 }
 Future removeKeyChain(
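Review bot: addCertificateToKeyChain has no doc comment stating that `accessControlAll` maps to `security import -A`, which lets any application use the imported key without a prompt, and that it silently overrides `accessControlApplications`. A short comment on the method saying so would make the trade-off visible to callers, for example `/// accessControlAll: imports with -A (any app may use the key, no prompt); accessControlApplications is ignored when set.` As a style point, the `-T` branch wraps each pair in two spreads; `for (final application in accessControlApplications) ...['-T', application],` is enough. The parameter list starts above the hunk, so the default application list is not visible here.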
@@ -115,18 +74,13 @@ class MacOsKeyChainPlugin extends ImpaktfullCliPlugin {
 ) async {
 final fullKeyChainName = _fullKeyChainName(keyChainName);
 ImpaktfullCliLogger.debug('Remove Apple KeyChain ($fullKeyChainName)');
- await processRunner
- .runProcess(['security', 'delete-keychain', fullKeyChainName]);
+ await processRunner.runProcess(['security', 'delete-keychain', fullKeyChainName]);
 }
 Future> _getUserKeyChains() async {
- final keychainsString = await processRunner
- .runProcess(['security', 'list-keychains', '-d', 'user']);
- final keychainsList =
- keychainsString.split('\n').where((element) => element.isNotEmpty);
- return keychainsList
- .map((keychain) => keychain.replaceAll('"', '').trim())
- .toList();
+ final keychainsString = await processRunner.runProcess(['security', 'list-keychains', '-d', 'user']);
+ final keychainsList = keychainsString.split('\n').where((element) => element.isNotEmpty);
+ return keychainsList.map((keychain) => keychain.replaceAll('"', '').trim()).toList();
 }
 Future printKeyChainList() async {
diff --git a/lib/src/integrations/ci_cd/plugin/ci_cd_plugin.dart b/lib/src/integrations/ci_cd/plugin/ci_cd_plugin.dart
index 8374965..82a55ef 100644
--- a/lib/src/integrations/ci_cd/plugin/ci_cd_plugin.dart
+++ b/lib/src/integrations/ci_cd/plugin/ci_cd_plugin.dart
@@ -86,8 +86,7 @@ class CiCdPlugin extends ImpaktfullPlugin {
 if (playStoreUploadConfig != null) {
 await playStorePlugin.uploadToPlayStore(
 file: file,
- serviceAccountCredentialsFile:
- playStoreUploadConfig.serviceAccountCredentialsFile,
+ serviceAccountCredentialsFile: playStoreUploadConfig.serviceAccountCredentialsFile,
 );
 }
 }
@@ -149,8 +148,7 @@ class CiCdPlugin extends ImpaktfullPlugin {
 await testflightPlugin.uploadToTestflightWithEmailPassword(
 file: file,
 email: testflightUploadConfig.credentials?.userName,
- appSpecificPassword:
- testflightUploadConfig.credentials?.appSpecificPassword,
+ appSpecificPassword: testflightUploadConfig.credentials?.appSpecificPassword,
 type: testflightUploadConfig.type,
 );
 }
@@ -194,16 +192,12 @@ class CiCdPlugin extends ImpaktfullPlugin {
 Secret? globalKeyChainPassword,
 }) async {
 ImpaktfullCliEnvironment.requiresMacOs(reason: 'Building iOS/macOS apps');
- final globalKeyChainPasswordSecret = globalKeyChainPassword ??
- ImpaktfullCliEnvironmentVariables.getUnlockKeyChainPassword();
+ final globalKeyChainPasswordSecret = globalKeyChainPassword ?? ImpaktfullCliEnvironmentVariables.getUnlockKeyChainPassword();
- await macOsKeyChainPlugin.createKeyChain(
- keyChainName, globalKeyChainPasswordSecret);
+ await macOsKeyChainPlugin.createKeyChain(keyChainName, globalKeyChainPasswordSecret);
 try {
- await macOsKeyChainPlugin.unlockKeyChain(
- keyChainName, globalKeyChainPasswordSecret);
- await macOsKeyChainPlugin.addCertificateToKeyChain(
- keyChainName, certFile, certPassword);
+ await macOsKeyChainPlugin.unlockKeyChain(keyChainName, globalKeyChainPasswordSecret);
+ await macOsKeyChainPlugin.addCertificateToKeyChain(keyChainName, certFile, certPassword, accessControlAll: true);
 await onStartBuild();
 } catch (e) {
 rethrow;
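Review bot: `accessControlAll: true` is hard-coded on the addCertificateToKeyChain call in the last hunk, so every CI/CD build imports the signing identity with `security import -A` and any process in that user session (build scripts, dependency hooks) can use the private key without a prompt. If the aim is non-interactive codesign, a narrower option is to keep the `-T` allow-list and follow the import with `security set-key-partition-list -S apple-tool:,apple: -s -k <keychain-password> <keychain>`. At minimum, expose this as a parameter of the enclosing method that defaults to false instead of fixing it to true, and note the risk in the CHANGELOG entry. The method signature and whatever follows the `catch` are outside the hunk, so whether the temporary keychain is always removed afterwards cannot be confirmed from here.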