Theaninova/openstapps
1
0
Fork 0
mirror of https://gitlab.com/openstapps/openstapps.git synced 2026-01-04 04:22:50 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

refactor: handle ssh secrets as base64 encoded

Browse Source
This commit is contained in:
Rainer Killinger
2022-03-15 17:56:15 +01:00
parent 368c26ce8c
commit ec8b553d2b
3 changed files with 49 additions and 43 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
.gitlab-ci.yml
View File

@@ -26,6 +26,7 @@ web:
- >
if [ "$RELEASE_TYPE" == "staging" ]; then
# USE GITLAB PROTECTED & MASKED CI VARIABLES TO PROVIDE THE FOLLOWING DATA!
# THUS $STAGING_TARGET_SSH_PRIVATE_KEY HAS TO BE BASE64 ENCODED
# USE AN UNPRIVILIGED USER WITH ACCESS ONLY TO THIS DIRECTORY
# example: $STAGING_SCP_TARGET = deployuser@staging.environment.com:/path/for/web/data
sh static/scripts/ssh_deploy.sh $STAGING_SCP_TARGET $STAGING_TARGET_SSH_PRIVATE_KEY
@@ -33,6 +34,7 @@ web:
if [ "$RELEASE_TYPE" == "production" ]; then
# USE GITLAB PROTECTED & MASKED CI VARIABLES TO PROVIDE THE FOLLOWING DATA!
# THUS $PRODUCTION_TARGET_SSH_PRIVATE_KEY HAS TO BE BASE64 ENCODED
# USE AN UNPRIVILIGED USER WITH ACCESS ONLY TO THIS DIRECTORY
# example: $PRODUCTION_SCP_TARGET = deployuser@production.environment.com:/path/for/web/data
sh static/scripts/ssh_deploy.sh $PRODUCTION_SCP_TARGET $PRODUCTION_TARGET_SSH_PRIVATE_KEY

64
static/fastlane-ios/Fastfile
View File

@@ -13,38 +13,38 @@
# Uncomment the line if you want fastlane to automatically update itself
# update_fastlane
require 'json'
require 'base64'
default_platform(:ios)
current_build_number = 1
package_json = JSON.parse(File.read('../../../package.json'))
api_key = app_store_connect_api_key(
key_id: ENV['APPLE_API_KEY_ID'],
issuer_id: ENV['APPLE_API_KEY_ISSUER_ID'],
key_content: "#{Base64.decode64(ENV['APPLE_API_KEY_CONTENT'])}".gsub('\n', '\\n'),
in_house: false
)
platform :ios do
lane :fetch_highest_build_number do
build_number_candidates = [1]
build_number_candidates << latest_testflight_build_number(
version: package_json['version'],
initial_build_number: 1,
app_identifier: ENV['IOS_BUNDLE_IDENTIFIER'],
api_key: api_key
)
build_number_candidates << app_store_build_number(
version: package_json['version'],
initial_build_number: 1,
app_identifier: ENV['IOS_BUNDLE_IDENTIFIER'],
api_key: api_key
)
current_build_number = build_number_candidates.max
require 'json'
require 'base64'
default_platform(:ios)
current_build_number = 1
package_json = JSON.parse(File.read('../../../package.json'))
api_key = app_store_connect_api_key(
key_id: ENV['APPLE_API_KEY_ID'],
issuer_id: ENV['APPLE_API_KEY_ISSUER_ID'],
key_content: "#{Base64.decode64(ENV['APPLE_API_KEY_CONTENT'])}".gsub('\n', '\\n'),
in_house: false
)
platform :ios do
lane :fetch_highest_build_number do
build_number_candidates = [1]
build_number_candidates << latest_testflight_build_number(
version: package_json['version'],
initial_build_number: 1,
app_identifier: ENV['IOS_BUNDLE_IDENTIFIER'],
api_key: api_key
)
build_number_candidates << app_store_build_number(
version: package_json['version'],
initial_build_number: 1,
app_identifier: ENV['IOS_BUNDLE_IDENTIFIER'],
api_key: api_key
)
current_build_number = build_number_candidates.max
end
lane :configure do

26
static/scripts/ssh_deploy.sh
View File

@@ -1,12 +1,12 @@
#!/usr/bin/env bash
#!/usr/bin/env sh
set -e
SSH_DEPLOY_TARGET=$1
SSH_DEPLOY_TARGET="${SSH_DEPLOY_TARGET:-"missingtarget"}"
SSH_DEPLOY_TARGET="${SSH_DEPLOY_TARGET:-'missingtarget'}"
SSH_PRIVATE_KEY=$2
SSH_PRIVATE_KEY="${SSH_PRIVATE_KEY:-"missingkey"}"
SSH_PRIVATE_KEY="${SSH_PRIVATE_KEY:-'missingkey'}"
GOTO_FAIL=false
@@ -24,28 +24,32 @@ if [ "$GOTO_FAIL" = true ]; then
return 1
fi
IFS='@' read -ra TARGET_COMPONENTS <<< "$SSH_DEPLOY_TARGET"
SSH_DEPLOY_TARGET_USER="${TARGET_COMPONENTS[0]:-"missinguser"}"
TARGET_COMPONENTS=$(echo "$SSH_DEPLOY_TARGET" | tr '@' "\n")
TARGET_COMPONENTS=$(echo "$TARGET_COMPONENTS" | tr ':' "\n")
IFS=':' read -ra TARGET_COMPONENTS <<< "$TARGET_COMPONENTS"
SSH_DEPLOY_TARGET_USER=$(echo "$TARGET_COMPONENTS" | head -n 1 | tail -n 1)
SSH_DEPLOY_TARGET_HOST=$(echo "$TARGET_COMPONENTS" | head -n 2 | tail -n 1)
SSH_DEPLOY_TARGET_PATH=$(echo "$TARGET_COMPONENTS" | head -n 3 | tail -n 1)
SSH_DEPLOY_TARGET_HOST="${TARGET_COMPONENTS[0]:-"missinghost"}"
SSH_DEPLOY_TARGET_PATH="${TARGET_COMPONENTS[1]:-"missingpath"}"
SSH_DEPLOY_TARGET_USER="${SSH_DEPLOY_TARGET_USER:-'missinguser'}"
SSH_DEPLOY_TARGET_HOST="${SSH_DEPLOY_TARGET_HOST:-'missinghost'}"
SSH_DEPLOY_TARGET_PATH="${SSH_DEPLOY_TARGET_PATH:-'missingpath'}"
## Add the SSH key stored in SSH_PRIVATE_KEY variable to the agent store
## We're using tr to fix line endings which makes ed25519 keys work
## without extra base64 encoding.
## https://gitlab.com/gitlab-examples/ssh-private-key/issues/1#note_48526556
##
echo "$SSH_PRIVATE_KEY" | tr -d '\r' | ssh-add -
mkdir -p ~/.ssh
chmod 700 ~/.ssh
eval `ssh-agent -s`
echo "$SSH_PRIVATE_KEY" | base64 -d | tr -d '\r' | ssh-add -
##
## Use ssh-keyscan to scan the keys of your private server. Replace gitlab.com
## with your own domain name. You can copy and repeat that command if you have
## more than one server to connect to.
mkdir -p ~/.ssh
chmod 700 ~/.ssh
ssh-keyscan $SSH_DEPLOY_TARGET_HOST >> ~/.ssh/known_hosts
chmod 644 ~/.ssh/known_hosts