From ec8b553d2ba98b0eb74746329b420f9fa3395031 Mon Sep 17 00:00:00 2001
From: Rainer Killinger
Date: Tue, 15 Mar 2022 17:56:15 +0100
Subject: [PATCH] refactor: handle ssh secrets as base64 encoded

---
 .gitlab-ci.yml | 2 ++
 static/fastlane-ios/Fastfile | 64 ++++++++++++++++++------------------
 static/scripts/ssh_deploy.sh | 26 ++++++++-------
 3 files changed, 49 insertions(+), 43 deletions(-)

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index f398c7ac..69777991 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -26,6 +26,7 @@ web:
 - >
 if [ "$RELEASE_TYPE" == "staging" ]; then
 # USE GITLAB PROTECTED & MASKED CI VARIABLES TO PROVIDE THE FOLLOWING DATA!
+ # THUS $STAGING_TARGET_SSH_PRIVATE_KEY HAS TO BE BASE64 ENCODED
 # USE AN UNPRIVILIGED USER WITH ACCESS ONLY TO THIS DIRECTORY
 # example: $STAGING_SCP_TARGET = deployuser@staging.environment.com:/path/for/web/data
 sh static/scripts/ssh_deploy.sh $STAGING_SCP_TARGET $STAGING_TARGET_SSH_PRIVATE_KEY
@@ -33,6 +34,7 @@ web:
 if [ "$RELEASE_TYPE" == "production" ]; then
 # USE GITLAB PROTECTED & MASKED CI VARIABLES TO PROVIDE THE FOLLOWING DATA!
+ # THUS $PRODUCTION_TARGET_SSH_PRIVATE_KEY HAS TO BE BASE64 ENCODED
 # USE AN UNPRIVILIGED USER WITH ACCESS ONLY TO THIS DIRECTORY
 # example: $PRODUCTION_SCP_TARGET = deployuser@production.environment.com:/path/for/web/data
 sh static/scripts/ssh_deploy.sh $PRODUCTION_SCP_TARGET $PRODUCTION_TARGET_SSH_PRIVATE_KEY
diff --git a/static/fastlane-ios/Fastfile b/static/fastlane-ios/Fastfile
index 201b6af0..ffb1ea19 100644
--- a/static/fastlane-ios/Fastfile
+++ b/static/fastlane-ios/Fastfile
@@ -13,38 +13,38 @@
 # Uncomment the line if you want fastlane to automatically update itself
 # update_fastlane
-require 'json'
-require 'base64'
-
-default_platform(:ios)
-
-current_build_number = 1
-package_json = JSON.parse(File.read('../../../package.json'))
-
-api_key = app_store_connect_api_key(
- key_id: ENV['APPLE_API_KEY_ID'],
- issuer_id: ENV['APPLE_API_KEY_ISSUER_ID'],
- key_content: "#{Base64.decode64(ENV['APPLE_API_KEY_CONTENT'])}".gsub('\n', '\\n'),
- in_house: false
-)
-
-platform :ios do
-
- lane :fetch_highest_build_number do
- build_number_candidates = [1]
- build_number_candidates << latest_testflight_build_number(
- version: package_json['version'],
- initial_build_number: 1,
- app_identifier: ENV['IOS_BUNDLE_IDENTIFIER'],
- api_key: api_key
- )
- build_number_candidates << app_store_build_number(
- version: package_json['version'],
- initial_build_number: 1,
- app_identifier: ENV['IOS_BUNDLE_IDENTIFIER'],
- api_key: api_key
- )
- current_build_number = build_number_candidates.max
+require 'json'
+require 'base64'
+
+default_platform(:ios)
+
+current_build_number = 1
+package_json = JSON.parse(File.read('../../../package.json'))
+
+api_key = app_store_connect_api_key(
+ key_id: ENV['APPLE_API_KEY_ID'],
+ issuer_id: ENV['APPLE_API_KEY_ISSUER_ID'],
+ key_content: "#{Base64.decode64(ENV['APPLE_API_KEY_CONTENT'])}".gsub('\n', '\\n'),
+ in_house: false
+)
+
+platform :ios do
+
+ lane :fetch_highest_build_number do
+ build_number_candidates = [1]
+ build_number_candidates << latest_testflight_build_number(
+ version: package_json['version'],
+ initial_build_number: 1,
+ app_identifier: ENV['IOS_BUNDLE_IDENTIFIER'],
+ api_key: api_key
+ )
+ build_number_candidates << app_store_build_number(
+ version: package_json['version'],
+ initial_build_number: 1,
+ app_identifier: ENV['IOS_BUNDLE_IDENTIFIER'],
+ api_key: api_key
+ )
+ current_build_number = build_number_candidates.max
 end
 lane :configure do
diff --git a/static/scripts/ssh_deploy.sh b/static/scripts/ssh_deploy.sh
index 2d1bab2d..56b5da2d 100644
--- a/static/scripts/ssh_deploy.sh
+++ b/static/scripts/ssh_deploy.sh
@@ -1,12 +1,12 @@
-#!/usr/bin/env bash
+#!/usr/bin/env sh
 set -e
 SSH_DEPLOY_TARGET=$1
-SSH_DEPLOY_TARGET="${SSH_DEPLOY_TARGET:-"missingtarget"}"
+SSH_DEPLOY_TARGET="${SSH_DEPLOY_TARGET:-'missingtarget'}"
 SSH_PRIVATE_KEY=$2
-SSH_PRIVATE_KEY="${SSH_PRIVATE_KEY:-"missingkey"}"
+SSH_PRIVATE_KEY="${SSH_PRIVATE_KEY:-'missingkey'}"
 GOTO_FAIL=false
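Review bot: The replacement defaults `"${SSH_DEPLOY_TARGET:-'missingtarget'}"` and `"${SSH_PRIVATE_KEY:-'missingkey'}"` most likely keep the single quotes as part of the value: bash leaves inner single quotes literal inside a double-quoted `${…:-word}`, and sh implementations have not agreed with each other on this, so the sentinel becomes `'missingtarget'` on some shells and `missingtarget` on others. If the GOTO_FAIL check that follows (outside this hunk) compares against the bare word, a missing argument is no longer caught and an empty target or key reaches scp and ssh-add. The nested double quotes being replaced were valid POSIX sh; the portable form needs no inner quotes at all: `SSH_DEPLOY_TARGET="${SSH_DEPLOY_TARGET:-missingtarget}"` and `SSH_PRIVATE_KEY="${SSH_PRIVATE_KEY:-missingkey}"`. The same quoting appears on the user, host and path defaults in the next hunk. Since the shebang now selects `sh`, the top-level `return 1` visible as context in the next hunk is also worth a look: `return` outside a function is unspecified in POSIX sh, whereas `exit 1` is unambiguous.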
@@ -24,28 +24,32 @@ if [ "$GOTO_FAIL" = true ]; then
 return 1
 fi
-IFS='@' read -ra TARGET_COMPONENTS <<< "$SSH_DEPLOY_TARGET"
-SSH_DEPLOY_TARGET_USER="${TARGET_COMPONENTS[0]:-"missinguser"}"
+TARGET_COMPONENTS=$(echo "$SSH_DEPLOY_TARGET" | tr '@' "\n")
+TARGET_COMPONENTS=$(echo "$TARGET_COMPONENTS" | tr ':' "\n")
-IFS=':' read -ra TARGET_COMPONENTS <<< "$TARGET_COMPONENTS"
+SSH_DEPLOY_TARGET_USER=$(echo "$TARGET_COMPONENTS" | head -n 1 | tail -n 1)
+SSH_DEPLOY_TARGET_HOST=$(echo "$TARGET_COMPONENTS" | head -n 2 | tail -n 1)
+SSH_DEPLOY_TARGET_PATH=$(echo "$TARGET_COMPONENTS" | head -n 3 | tail -n 1)
-SSH_DEPLOY_TARGET_HOST="${TARGET_COMPONENTS[0]:-"missinghost"}"
-SSH_DEPLOY_TARGET_PATH="${TARGET_COMPONENTS[1]:-"missingpath"}"
+SSH_DEPLOY_TARGET_USER="${SSH_DEPLOY_TARGET_USER:-'missinguser'}"
+SSH_DEPLOY_TARGET_HOST="${SSH_DEPLOY_TARGET_HOST:-'missinghost'}"
+SSH_DEPLOY_TARGET_PATH="${SSH_DEPLOY_TARGET_PATH:-'missingpath'}"
 ## Add the SSH key stored in SSH_PRIVATE_KEY variable to the agent store
 ## We're using tr to fix line endings which makes ed25519 keys work
 ## without extra base64 encoding.
 ## https://gitlab.com/gitlab-examples/ssh-private-key/issues/1#note_48526556
 ##
-echo "$SSH_PRIVATE_KEY" | tr -d '\r' | ssh-add -
+mkdir -p ~/.ssh
+chmod 700 ~/.ssh
+eval `ssh-agent -s`
+echo "$SSH_PRIVATE_KEY" | base64 -d | tr -d '\r' | ssh-add -
 ##
 ## Use ssh-keyscan to scan the keys of your private server. Replace gitlab.com
 ## with your own domain name. You can copy and repeat that command if you have
 ## more than one server to connect to.
-mkdir -p ~/.ssh
-chmod 700 ~/.ssh
 ssh-keyscan $SSH_DEPLOY_TARGET_HOST >> ~/.ssh/known_hosts
 chmod 644 ~/.ssh/known_hosts
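Review bot: The three `head -n N | tail -n 1` lines assign the wrong component rather than an empty string when the target has fewer than three parts, because `tail -n 1` returns the last line that exists: for `user@host` the path variable receives `host`, and for `host:/path` the user variable receives `host`, so the `'missinguser'`/`'missinghost'`/`'missingpath'` fallbacks (which also carry the literal-quote issue noted on the first hunk) can never apply and a deploy could be aimed at the wrong path. `sed -n '1p'`, `sed -n '2p'` and `sed -n '3p'` in place of the head/tail pairs yield nothing for an absent line and restore the fallback. The four `##` lines kept above `ssh-add` now contradict the code, since the key is required to be base64 encoded; they should be reworded to something like `## The key is supplied base64 encoded (masked CI variables, see .gitlab-ci.yml); tr strips CRs after decoding`. The agent started by the `ssh-agent -s` eval is never stopped, so the decoded deploy key stays loaded in a process that outlives the script; a `trap 'ssh-agent -k' EXIT` directly after the eval (or a short `ssh-add -t` lifetime) bounds that exposure.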