require 'babosa' require 'faraday' # HTTP Client require 'faraday-cookie_jar' require 'faraday_middleware' require 'logger' require 'tmpdir' require 'cgi' require 'tempfile' require 'openssl' require 'fastlane/version' require_relative 'helper/net_http_generic_request' require_relative 'helper/plist_middleware' require_relative 'helper/rels_middleware' require_relative 'ui' require_relative 'errors' require_relative 'tunes/errors' require_relative 'globals' require_relative 'provider' require_relative 'stats_middleware' Faraday::Utils.default_params_encoder = Faraday::FlatParamsEncoder module Spaceship # rubocop:disable Metrics/ClassLength class Client PROTOCOL_VERSION = "QH65B2" USER_AGENT = "Spaceship #{Fastlane::VERSION}" AUTH_TYPES = ["sa", "hsa", "non-sa", "hsa2"] attr_reader :client # The user that is currently logged in attr_accessor :user # The email of the user that is currently logged in attr_accessor :user_email # The logger in which all requests are logged # /tmp/spaceship[time]_[pid].log by default attr_accessor :logger attr_accessor :csrf_tokens attr_accessor :provider # legacy support BasicPreferredInfoError = Spaceship::BasicPreferredInfoError InvalidUserCredentialsError = Spaceship::InvalidUserCredentialsError NoUserCredentialsError = Spaceship::NoUserCredentialsError ProgramLicenseAgreementUpdated = Spaceship::ProgramLicenseAgreementUpdated InsufficientPermissions = Spaceship::InsufficientPermissions UnexpectedResponse = Spaceship::UnexpectedResponse AppleTimeoutError = Spaceship::AppleTimeoutError UnauthorizedAccessError = Spaceship::UnauthorizedAccessError GatewayTimeoutError = Spaceship::GatewayTimeoutError InternalServerError = Spaceship::InternalServerError BadGatewayError = Spaceship::BadGatewayError AccessForbiddenError = Spaceship::AccessForbiddenError def self.hostname raise "You must implement self.hostname" end ##################################################### # @!group Teams + User ##################################################### # @return (Array) A list of all available teams def teams user_details_data['associatedAccounts'].sort_by do |team| [ team['contentProvider']['name'], team['contentProvider']['contentProviderId'] ] end end # Fetch the general information of the user, is used by various methods across spaceship # Sample return value # => {"associatedAccounts"=> # [{"contentProvider"=>{"contentProviderId"=>11142800, "name"=>"Felix Krause", "contentProviderTypes"=>["Purple Software"]}, "roles"=>["Developer"], "lastLogin"=>1468784113000}], # "sessionToken"=>{"dsId"=>"8501011116", "contentProviderId"=>18111111, "expirationDate"=>nil, "ipAddress"=>nil}, # "permittedActivities"=> # {"EDIT"=> # ["UserManagementSelf", # "GameCenterTestData", # "AppAddonCreation"], # "REPORT"=> # ["UserManagementSelf", # "AppAddonCreation"], # "VIEW"=> # ["TestFlightAppExternalTesterManagement", # ... # "HelpGeneral", # "HelpApplicationLoader"]}, # "preferredCurrencyCode"=>"EUR", # "preferredCountryCode"=>nil, # "countryOfOrigin"=>"AT", # "isLocaleNameReversed"=>false, # "feldsparToken"=>nil, # "feldsparChannelName"=>nil, # "hasPendingFeldsparBindingRequest"=>false, # "isLegalUser"=>false, # "userId"=>"1771111155", # "firstname"=>"Detlef", # "lastname"=>"Mueller", # "isEmailInvalid"=>false, # "hasContractInfo"=>false, # "canEditITCUsersAndRoles"=>false, # "canViewITCUsersAndRoles"=>true, # "canEditIAPUsersAndRoles"=>false, # "transporterEnabled"=>false, # "contentProviderFeatures"=>["APP_SILOING", "PROMO_CODE_REDESIGN", ...], # "contentProviderType"=>"Purple Software", # "displayName"=>"Detlef", # "contentProviderId"=>"18742800", # "userFeatures"=>[], # "visibility"=>true, # "DYCVisibility"=>false, # "contentProvider"=>"Felix Krause", # "userName"=>"detlef@krausefx.com"} def user_details_data return @_cached_user_details if @_cached_user_details r = request(:get, '/WebObjects/iTunesConnect.woa/ra/user/detail') @_cached_user_details = parse_response(r, 'data') end # @return (String) The currently selected Team ID def team_id return @current_team_id if @current_team_id if teams.count > 1 puts("The current user is in #{teams.count} teams. Pass a team ID or call `select_team` to choose a team. Using the first one for now.") end @current_team_id ||= teams[0]['contentProvider']['contentProviderId'] end # Set a new team ID which will be used from now on def team_id=(team_id) # First, we verify the team actually exists, because otherwise iTC would return the # following confusing error message # # invalid content provider id # available_teams = teams.collect do |team| { team_id: (team["contentProvider"] || {})["contentProviderId"], public_team_id: (team["contentProvider"] || {})["contentProviderPublicId"], team_name: (team["contentProvider"] || {})["name"] } end result = available_teams.find do |available_team| team_id.to_s == available_team[:team_id].to_s end unless result error_string = "Could not set team ID to '#{team_id}', only found the following available teams:\n\n#{available_teams.map { |team| "- #{team[:team_id]} (#{team[:team_name]})" }.join("\n")}\n" raise Tunes::Error.new, error_string end response = request(:post) do |req| req.url("https://appstoreconnect.apple.com/olympus/v1/providerSwitchRequests") req.body = { "data": { "type": "providerSwitchRequests", "relationships": { "provider": { "data": { "type": "providers", "id": result[:public_team_id] } } } } }.to_json req.headers['Content-Type'] = 'application/json' end handle_itc_response(response.body) @current_team_id = team_id end # @return (Hash) Fetches all information of the currently used team def team_information teams.find do |t| t['teamId'] == team_id end end # @return (String) Fetches name from currently used team def team_name (team_information || {})['name'] end ##################################################### # @!group Client Init ##################################################### # Instantiates a client but with a cookie derived from another client. # # HACK: since the `@cookie` is not exposed, we use this hacky way of sharing the instance. def self.client_with_authorization_from(another_client) self.new(cookie: another_client.instance_variable_get(:@cookie), current_team_id: another_client.team_id) end def initialize(cookie: nil, current_team_id: nil, csrf_tokens: nil, timeout: nil) options = { request: { timeout: (ENV["SPACESHIP_TIMEOUT"] || timeout || 300).to_i, open_timeout: (ENV["SPACESHIP_TIMEOUT"] || timeout || 300).to_i } } @current_team_id = current_team_id @csrf_tokens = csrf_tokens @cookie = cookie || HTTP::CookieJar.new @client = Faraday.new(self.class.hostname, options) do |c| c.response(:json, content_type: /\bjson$/) c.response(:plist, content_type: /\bplist$/) c.use(:cookie_jar, jar: @cookie) c.use(FaradayMiddleware::RelsMiddleware) c.use(Spaceship::StatsMiddleware) c.adapter(Faraday.default_adapter) if ENV['SPACESHIP_DEBUG'] # for debugging only # This enables tracking of networking requests using Charles Web Proxy c.proxy = "https://127.0.0.1:8888" c.ssl[:verify_mode] = OpenSSL::SSL::VERIFY_NONE elsif ENV["SPACESHIP_PROXY"] c.proxy = ENV["SPACESHIP_PROXY"] c.ssl[:verify_mode] = OpenSSL::SSL::VERIFY_NONE if ENV["SPACESHIP_PROXY_SSL_VERIFY_NONE"] end if ENV["DEBUG"] puts("To run spaceship through a local proxy, use SPACESHIP_DEBUG") end end end ##################################################### # @!group Request Logger ##################################################### # The logger in which all requests are logged # /tmp/spaceship[time]_[pid]_["threadid"].log by default def logger unless @logger if ENV["VERBOSE"] @logger = Logger.new(STDOUT) else # Log to file by default path = "/tmp/spaceship#{Time.now.to_i}_#{Process.pid}_#{Thread.current.object_id}.log" @logger = Logger.new(path) end @logger.formatter = proc do |severity, datetime, progname, msg| severity = format('%-5.5s', severity) "#{severity} [#{datetime.strftime('%H:%M:%S')}]: #{msg}\n" end end @logger end ##################################################### # @!group Session Cookie ##################################################### ## # Return the session cookie. # # @return (String) the cookie-string in the RFC6265 format: https://tools.ietf.org/html/rfc6265#section-4.2.1 def cookie @cookie.map(&:to_s).join(';') end def store_cookie(path: nil) path ||= persistent_cookie_path FileUtils.mkdir_p(File.expand_path("..", path)) # really important to specify the session to true # otherwise myacinfo and more won't be stored @cookie.save(path, :yaml, session: true) return File.read(path) end # This is a duplicate method of fastlane_core/fastlane_core.rb#fastlane_user_dir def fastlane_user_dir path = File.expand_path(File.join(Dir.home, ".fastlane")) FileUtils.mkdir_p(path) unless File.directory?(path) return path end # Returns preferred path for storing cookie # for two step verification. def persistent_cookie_path if ENV["SPACESHIP_COOKIE_PATH"] path = File.expand_path(File.join(ENV["SPACESHIP_COOKIE_PATH"], "spaceship", self.user, "cookie")) else [File.join(self.fastlane_user_dir, "spaceship"), "~/.spaceship", "/var/tmp/spaceship", "#{Dir.tmpdir}/spaceship"].each do |dir| dir_parts = File.split(dir) if directory_accessible?(File.expand_path(dir_parts.first)) path = File.expand_path(File.join(dir, self.user, "cookie")) break end end end return path end ##################################################### # @!group Automatic Paging ##################################################### # The page size we want to request, defaults to 500 def page_size @page_size ||= 500 end # Handles the paging for you... for free # Just pass a block and use the parameter as page number def paging page = 0 results = [] loop do page += 1 current = yield(page) results += current break if (current || []).count < page_size # no more results end return results end ##################################################### # @!group Login and Team Selection ##################################################### # Authenticates with Apple's web services. This method has to be called once # to generate a valid session. The session will automatically be used from then # on. # # This method will automatically use the username from the Appfile (if available) # and fetch the password from the Keychain (if available) # # @param user (String) (optional): The username (usually the email address) # @param password (String) (optional): The password # # @raise InvalidUserCredentialsError: raised if authentication failed # # @return (Spaceship::Client) The client the login method was called for def self.login(user = nil, password = nil) instance = self.new if instance.login(user, password) instance else raise InvalidUserCredentialsError.new, "Invalid User Credentials" end end # Authenticates with Apple's web services. This method has to be called once # to generate a valid session. The session will automatically be used from then # on. # # This method will automatically use the username from the Appfile (if available) # and fetch the password from the Keychain (if available) # # @param user (String) (optional): The username (usually the email address) # @param password (String) (optional): The password # # @raise InvalidUserCredentialsError: raised if authentication failed # # @return (Spaceship::Client) The client the login method was called for def login(user = nil, password = nil) if user.to_s.empty? || password.to_s.empty? require 'credentials_manager/account_manager' puts("Reading keychain entry, because either user or password were empty") if Spaceship::Globals.verbose? keychain_entry = CredentialsManager::AccountManager.new(user: user, password: password) user ||= keychain_entry.user password = keychain_entry.password end if user.to_s.strip.empty? || password.to_s.strip.empty? raise NoUserCredentialsError.new, "No login data provided" end self.user = user @password = password begin do_login(user, password) # calls `send_login_request` in sub class (which then will redirect back here to `send_shared_login_request`, below) rescue InvalidUserCredentialsError => ex raise ex unless keychain_entry if keychain_entry.invalid_credentials login(user) else raise ex end end end # This method is used for both the Apple Dev Portal and App Store Connect # This will also handle 2 step verification and 2 factor authentication # # It is called in `send_login_request` of sub classes (which the method `login`, above, transferred over to via `do_login`) def send_shared_login_request(user, password) # Check if we have a cached/valid session # # Background: # December 4th 2017 Apple introduced a rate limit - which is of course fine by itself - # but unfortunately also rate limits successful logins. If you call multiple tools in a # lane (e.g. call match 5 times), this would lock you out of the account for a while. # By loading existing sessions and checking if they're valid, we're sending less login requests. # More context on why this change was necessary https://github.com/fastlane/fastlane/pull/11108 # # If there was a successful manual login before, we have a session on disk if load_session_from_file # Check if the session is still valid here begin # We use the olympus session to determine if the old session is still valid # As this will raise an exception if the old session has expired # If the old session is still valid, we don't have to do anything else in this method # that's why we return true return true if fetch_olympus_session rescue # If the `fetch_olympus_session` method raises an exception # we'll land here, and therefore continue doing a full login process # This happens if the session we loaded from the cache isn't valid any more # which is common, as the session automatically invalidates after x hours (we don't know x) # In this case we don't actually care about the exact exception, and why it was failing # because either way, we'll have to do a fresh login, where we do the actual error handling puts("Available session is not valid any more. Continuing with normal login.") end end # # The user can pass the session via environment variable (Mainly used in CI environments) if load_session_from_env # see above begin # see above return true if fetch_olympus_session rescue puts("Session loaded from environment variable is not valid. Continuing with normal login.") # see above end end # # After this point, we sure have no valid session any more and have to create a new one # data = { accountName: user, password: password, rememberMe: true } begin # The below workaround is only needed for 2 step verified machines # Due to escaping of cookie values we have a little workaround here # By default the cookie jar would generate the following header # DES5c148...=HSARM.......xaA/O69Ws/CHfQ==SRVT # However we need the following # DES5c148...="HSARM.......xaA/O69Ws/CHfQ==SRVT" # There is no way to get the cookie jar value with " around the value # so we manually modify the cookie (only this one) to be properly escaped # Afterwards we pass this value manually as a header # It's not enough to just modify @cookie, it needs to be done after self.cookie # as a string operation important_cookie = @cookie.store.entries.find { |a| a.name.include?("DES") } if important_cookie modified_cookie = self.cookie # returns a string of all cookies unescaped_important_cookie = "#{important_cookie.name}=#{important_cookie.value}" escaped_important_cookie = "#{important_cookie.name}=\"#{important_cookie.value}\"" modified_cookie.gsub!(unescaped_important_cookie, escaped_important_cookie) end response = request(:post) do |req| req.url("https://idmsa.apple.com/appleauth/auth/signin") req.body = data.to_json req.headers['Content-Type'] = 'application/json' req.headers['X-Requested-With'] = 'XMLHttpRequest' req.headers['X-Apple-Widget-Key'] = self.itc_service_key req.headers['Accept'] = 'application/json, text/javascript' req.headers["Cookie"] = modified_cookie if modified_cookie end rescue UnauthorizedAccessError raise InvalidUserCredentialsError.new, "Invalid username and password combination. Used '#{user}' as the username." end # Now we know if the login is successful or if we need to do 2 factor case response.status when 403 raise InvalidUserCredentialsError.new, "Invalid username and password combination. Used '#{user}' as the username." when 200 fetch_olympus_session return response when 409 # 2 step/factor is enabled for this account, first handle that handle_two_step_or_factor(response) # and then get the olympus session fetch_olympus_session return true else if (response.body || "").include?('invalid="true"') # User Credentials are wrong raise InvalidUserCredentialsError.new, "Invalid username and password combination. Used '#{user}' as the username." elsif response.status == 412 && AUTH_TYPES.include?(response.body["authType"]) # Need to acknowledge Apple ID and Privacy statement - https://github.com/fastlane/fastlane/issues/12577 # Looking for status of 412 might be enough but might be safer to keep looking only at what is being reported raise AppleIDAndPrivacyAcknowledgementNeeded.new, "Need to acknowledge to Apple's Apple ID and Privacy statement. Please manually log into https://appleid.apple.com (or https://appstoreconnect.apple.com) to acknowledge the statement." elsif (response['Set-Cookie'] || "").include?("itctx") raise "Looks like your Apple ID is not enabled for App Store Connect, make sure to be able to login online" else info = [response.body, response['Set-Cookie']] raise Tunes::Error.new, info.join("\n") end end end # Get the `itctx` from the new (22nd May 2017) API endpoint "olympus" # Update (29th March 2019) olympus migrates to new appstoreconnect API def fetch_olympus_session response = request(:get, "https://appstoreconnect.apple.com/olympus/v1/session") body = response.body if body body = JSON.parse(body) if body.kind_of?(String) user_map = body["user"] if user_map self.user_email = user_map["emailAddress"] end provider = body["provider"] if provider self.provider = Spaceship::Provider.new(provider_hash: provider) return true end end return false end def itc_service_key return @service_key if @service_key # Check if we have a local cache of the key itc_service_key_path = "/tmp/spaceship_itc_service_key.txt" return File.read(itc_service_key_path) if File.exist?(itc_service_key_path) # Fixes issue https://github.com/fastlane/fastlane/issues/13281 # Even though we are using https://appstoreconnect.apple.com, the service key needs to still use a # hostname through itunesconnect.apple.com response = request(:get, "https://appstoreconnect.apple.com/olympus/v1/app/config?hostname=itunesconnect.apple.com") @service_key = response.body["authServiceKey"].to_s raise "Service key is empty" if @service_key.length == 0 # Cache the key locally File.write(itc_service_key_path, @service_key) return @service_key rescue => ex puts(ex.to_s) raise AppleTimeoutError.new, "Could not receive latest API key from App Store Connect, this might be a server issue." end ##################################################### # @!group Session ##################################################### def load_session_from_file begin if File.exist?(persistent_cookie_path) puts("Loading session from '#{persistent_cookie_path}'") if Spaceship::Globals.verbose? @cookie.load(persistent_cookie_path) return true end rescue => ex puts(ex.to_s) puts("Continuing with normal login.") end return false end def load_session_from_env return if self.class.spaceship_session_env.to_s.length == 0 puts("Loading session from environment variable") if Spaceship::Globals.verbose? file = Tempfile.new('cookie.yml') file.write(self.class.spaceship_session_env.gsub("\\n", "\n")) file.close begin @cookie.load(file.path) rescue => ex puts("Error loading session from environment") puts("Make sure to pass the session in a valid format") raise ex ensure file.unlink end end # Fetch the session cookie from the environment # (if exists) def self.spaceship_session_env ENV["FASTLANE_SESSION"] || ENV["SPACESHIP_SESSION"] end # Get contract messages from App Store Connect's "olympus" endpoint def fetch_program_license_agreement_messages all_messages = [] messages_request = request(:get, "https://appstoreconnect.apple.com/olympus/v1/contractMessages") body = messages_request.body if body body = JSON.parse(body) if body.kind_of?(String) body.map do |messages| all_messages.push(messages["message"]) end end return all_messages end ##################################################### # @!group Helpers ##################################################### def with_retry(tries = 5, &_block) return yield rescue \ Faraday::ConnectionFailed, Faraday::TimeoutError, BadGatewayError, AppleTimeoutError, GatewayTimeoutError, AccessForbiddenError => ex tries -= 1 unless tries.zero? msg = "Timeout received: '#{ex.class}', '#{ex.message}'. Retrying after 3 seconds (remaining: #{tries})..." puts(msg) if Spaceship::Globals.verbose? logger.warn(msg) sleep(3) unless Object.const_defined?("SpecHelper") retry end raise ex # re-raise the exception rescue \ Faraday::ParsingError, #