[match] Added s3_skip_encryption parameter (#21018)

fastlane · Sep 4, 2023 · 6627c28 · 6627c28
1 parent 8c1fc73
commit 6627c28
Show file tree

Hide file tree

Showing 17 changed files with 212 additions and 221 deletions.
diff --git a/match/lib/match/change_password.rb b/match/lib/match/change_password.rb
@@ -19,19 +19,13 @@ def self.update(params: nil)
       new_password = FastlaneCore::Helper.ask_password(message: "New passphrase for Git Repo: ", confirm: true)
 
       # Choose the right storage and encryption implementations
-      storage = Storage.for_mode(params[:storage_mode], {
-        git_url: params[:git_url],
-        shallow_clone: params[:shallow_clone],
-        skip_docs: params[:skip_docs],
-        git_branch: params[:git_branch],
-        git_full_name: params[:git_full_name],
-        git_user_email: params[:git_user_email],
-        clone_branch_directly: params[:clone_branch_directly]
-      })
+      storage = Storage.from_params(params)
       storage.download
 
       encryption = Encryption.for_storage_mode(params[:storage_mode], {
         git_url: params[:git_url],
+        s3_bucket: params[:s3_bucket],
+        s3_skip_encryption: params[:s3_skip_encryption],
         working_directory: storage.working_directory
       })
       encryption.decrypt_files

diff --git a/match/lib/match/commands_generator.rb b/match/lib/match/commands_generator.rb
@@ -118,16 +118,13 @@ def run
           params = FastlaneCore::Configuration.create(Match::Options.available_options, options.__hash__)
           params.load_configuration_file("Matchfile")
 
-          storage = Storage.for_mode(params[:storage_mode], {
-            git_url: params[:git_url],
-            shallow_clone: params[:shallow_clone],
-            git_branch: params[:git_branch],
-            clone_branch_directly: params[:clone_branch_directly]
-          })
+          storage = Storage.from_params(params)
           storage.download
 
           encryption = Encryption.for_storage_mode(params[:storage_mode], {
             git_url: params[:git_url],
+            s3_bucket: params[:s3_bucket],
+            s3_skip_encryption: params[:s3_skip_encryption],
             working_directory: storage.working_directory
           })
           encryption.decrypt_files if encryption

diff --git a/match/lib/match/encryption.rb b/match/lib/match/encryption.rb
@@ -17,7 +17,7 @@ def backends
           },
           "s3" => lambda { |params|
             params[:keychain_name] = params[:s3_bucket]
-            return Encryption::OpenSSL.configure(params)
+            return params[:s3_skip_encryption] ? nil : Encryption::OpenSSL.configure(params)
           },
           "gitlab_secure_files" => lambda { |params|
             return nil

diff --git a/match/lib/match/importer.rb b/match/lib/match/importer.rb
@@ -15,42 +15,14 @@ def import_cert(params, cert_path: nil, p12_path: nil, profile_path: nil)
       profile_path = ensure_valid_file_path(profile_path, "Provisioning profile", ".mobileprovision or .provisionprofile", optional: true)
 
       # Storage
-      storage = Storage.for_mode(params[:storage_mode], {
-        git_url: params[:git_url],
-        shallow_clone: params[:shallow_clone],
-        skip_docs: params[:skip_docs],
-        git_branch: params[:git_branch],
-        git_full_name: params[:git_full_name],
-        git_user_email: params[:git_user_email],
-        git_private_key: params[:git_private_key],
-        git_basic_authorization: params[:git_basic_authorization],
-        git_bearer_authorization: params[:git_bearer_authorization],
-        clone_branch_directly: params[:clone_branch_directly],
-        type: params[:type].to_s,
-        platform: params[:platform].to_s,
-        google_cloud_bucket_name: params[:google_cloud_bucket_name].to_s,
-        google_cloud_keys_file: params[:google_cloud_keys_file].to_s,
-        google_cloud_project_id: params[:google_cloud_project_id].to_s,
-        skip_google_cloud_account_confirmation: params[:skip_google_cloud_account_confirmation],
-        s3_bucket: params[:s3_bucket],
-        s3_region: params[:s3_region],
-        s3_access_key: params[:s3_access_key],
-        s3_secret_access_key: params[:s3_secret_access_key],
-        s3_object_prefix: params[:s3_object_prefix],
-        gitlab_project: params[:gitlab_project],
-        gitlab_host: params[:gitlab_host],
-        readonly: params[:readonly],
-        username: params[:username],
-        team_id: params[:team_id],
-        team_name: params[:team_name],
-        api_key_path: params[:api_key_path],
-        api_key: params[:api_key]
-      })
+      storage = Storage.from_params(params)
       storage.download
 
       # Encryption
       encryption = Encryption.for_storage_mode(params[:storage_mode], {
         git_url: params[:git_url],
+        s3_bucket: params[:s3_bucket],
+        s3_skip_encryption: params[:s3_skip_encryption],
         working_directory: storage.working_directory
       })
       encryption.decrypt_files if encryption

diff --git a/match/lib/match/migrate.rb b/match/lib/match/migrate.rb
@@ -13,13 +13,15 @@ def migrate(params)
 
       # We init the Google storage client before the git client
       # to ask for all the missing inputs *before* cloning the git repo
-      google_cloud_storage = Storage.for_mode("google_cloud", {
+      google_cloud_storage = Storage.from_params({
+        storage_mode: "google_cloud",
         google_cloud_bucket_name: params[:google_cloud_bucket_name],
         google_cloud_keys_file: params[:google_cloud_keys_file],
         google_cloud_project_id: params[:google_cloud_project_id]
       })
 
-      git_storage = Storage.for_mode("git", {
+      git_storage = Storage.from_params({
+        storage_mode: "git",
         git_url: params[:git_url],
         shallow_clone: params[:shallow_clone],
         git_branch: params[:git_branch],
@@ -29,6 +31,8 @@ def migrate(params)
 
       encryption = Encryption.for_storage_mode(params[:storage_mode], {
         git_url: params[:git_url],
+        s3_bucket: params[:s3_bucket],
+        s3_skip_encryption: params[:s3_skip_encryption],
         working_directory: git_storage.working_directory
       })
       encryption.decrypt_files if encryption

diff --git a/match/lib/match/nuke.rb b/match/lib/match/nuke.rb
@@ -34,36 +34,14 @@ def run(params, type: nil)
 
       spaceship_login
 
-      self.storage = Storage.for_mode(params[:storage_mode], {
-        git_url: params[:git_url],
-        shallow_clone: params[:shallow_clone],
-        skip_docs: params[:skip_docs],
-        git_branch: params[:git_branch],
-        git_full_name: params[:git_full_name],
-        git_user_email: params[:git_user_email],
-
-        git_private_key: params[:git_private_key],
-        git_basic_authorization: params[:git_basic_authorization],
-        git_bearer_authorization: params[:git_bearer_authorization],
-
-        clone_branch_directly: params[:clone_branch_directly],
-        google_cloud_bucket_name: params[:google_cloud_bucket_name].to_s,
-        google_cloud_keys_file: params[:google_cloud_keys_file].to_s,
-        google_cloud_project_id: params[:google_cloud_project_id].to_s,
-        s3_region: params[:s3_region].to_s,
-        s3_access_key: params[:s3_access_key].to_s,
-        s3_secret_access_key: params[:s3_secret_access_key].to_s,
-        s3_bucket: params[:s3_bucket].to_s,
-        s3_object_prefix: params[:s3_object_prefix].to_s,
-        gitlab_project: params[:gitlab_project],
-        gitlab_host: params[:gitlab_host],
-        team_id: params[:team_id] || Spaceship::ConnectAPI.client.portal_team_id
-      })
+      self.storage = Storage.from_params(params)
       self.storage.download
 
       # After the download was complete
       self.encryption = Encryption.for_storage_mode(params[:storage_mode], {
         git_url: params[:git_url],
+        s3_bucket: params[:s3_bucket],
+        s3_skip_encryption: params[:s3_skip_encryption],
         working_directory: storage.working_directory
       })
       self.encryption.decrypt_files if self.encryption

diff --git a/match/lib/match/options.rb b/match/lib/match/options.rb
@@ -4,6 +4,7 @@
 require_relative 'module'
 
 module Match
+  # rubocop:disable Metrics/ClassLength
   class Options
     # This is match specific, as users can append storage specific options
     def self.append_option(option)
@@ -222,6 +223,11 @@ def self.available_options
                                      env_name: "MATCH_S3_OBJECT_PREFIX",
                                      description: "Prefix to be used on all objects uploaded to S3",
                                      optional: true),
+        FastlaneCore::ConfigItem.new(key: :s3_skip_encryption,
+                                     env_name: "MATCH_S3_SKIP_ENCRYPTION",
+                                     description: "Skip encryption of all objects uploaded to S3. WARNING: only enable this on S3 buckets with sufficiently restricted permissions and server-side encryption enabled. See https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingEncryption.html",
+                                     type: Boolean,
+                                     default_value: false),
 
         # Storage: GitLab Secure Files
         FastlaneCore::ConfigItem.new(key: :gitlab_project,
@@ -349,4 +355,5 @@ def self.available_options
       ]
     end
   end
+  # rubocop:enable Metrics/ClassLength
 end
diff --git a/match/lib/match/runner.rb b/match/lib/match/runner.rb
@@ -31,43 +31,16 @@ def run(params)
       update_optional_values_depending_on_storage_type(params)
 
       # Choose the right storage and encryption implementations
-      self.storage = Storage.for_mode(params[:storage_mode], {
-        git_url: params[:git_url],
-        shallow_clone: params[:shallow_clone],
-        skip_docs: params[:skip_docs],
-        git_branch: params[:git_branch],
-        git_full_name: params[:git_full_name],
-        git_user_email: params[:git_user_email],
-        clone_branch_directly: params[:clone_branch_directly],
-        git_basic_authorization: params[:git_basic_authorization],
-        git_bearer_authorization: params[:git_bearer_authorization],
-        git_private_key: params[:git_private_key],
-        type: params[:type].to_s,
-        generate_apple_certs: params[:generate_apple_certs],
-        platform: params[:platform].to_s,
-        google_cloud_bucket_name: params[:google_cloud_bucket_name].to_s,
-        google_cloud_keys_file: params[:google_cloud_keys_file].to_s,
-        google_cloud_project_id: params[:google_cloud_project_id].to_s,
-        skip_google_cloud_account_confirmation: params[:skip_google_cloud_account_confirmation],
-        s3_region: params[:s3_region],
-        s3_access_key: params[:s3_access_key],
-        s3_secret_access_key: params[:s3_secret_access_key],
-        s3_bucket: params[:s3_bucket],
-        s3_object_prefix: params[:s3_object_prefix],
-        gitlab_project: params[:gitlab_project],
-        gitlab_host: params[:gitlab_host],
-        readonly: params[:readonly],
-        username: params[:readonly] ? nil : params[:username], # only pass username if not readonly
-        team_id: params[:team_id],
-        team_name: params[:team_name],
-        api_key_path: params[:api_key_path],
-        api_key: params[:api_key]
-      })
+      storage_params = params
+      storage_params[:username] = params[:readonly] ? nil : params[:username] # only pass username if not readonly
+      self.storage = Storage.from_params(storage_params)
       storage.download
 
       # Init the encryption only after the `storage.download` was called to have the right working directory
       encryption = Encryption.for_storage_mode(params[:storage_mode], {
         git_url: params[:git_url],
+        s3_bucket: params[:s3_bucket],
+        s3_skip_encryption: params[:s3_skip_encryption],
         working_directory: storage.working_directory
       })
       encryption.decrypt_files if encryption

diff --git a/match/lib/match/setup.rb b/match/lib/match/setup.rb
@@ -15,7 +15,7 @@ def run(path, is_swift_fastfile: false)
         self.storage_options
       )
 
-      storage = Storage.for_mode(storage_mode, {})
+      storage = Storage.from_params({ storage_mode: storage_mode })
 
       specific_content = storage.generate_matchfile_content
       UI.crash!("Looks like `generate_matchfile_content` was `nil` for `#{storage_mode}`") if specific_content.nil?

diff --git a/match/lib/match/storage.rb b/match/lib/match/storage.rb
@@ -10,16 +10,66 @@ class << self
       def backends
         @backends ||= {
           "git" => lambda { |params|
-            return Storage::GitStorage.configure(params)
+            return Storage::GitStorage.configure({
+              type: params[:type],
+              platform: params[:platform],
+              git_url: params[:git_url],
+              shallow_clone: params[:shallow_clone],
+              skip_docs: params[:skip_docs],
+              git_branch: params[:git_branch],
+              git_full_name: params[:git_full_name],
+              git_user_email: params[:git_user_email],
+              clone_branch_directly: params[:clone_branch_directly],
+              git_basic_authorization: params[:git_basic_authorization],
+              git_bearer_authorization: params[:git_bearer_authorization],
+              git_private_key: params[:git_private_key]
+            })
           },
           "google_cloud" => lambda { |params|
-            return Storage::GoogleCloudStorage.configure(params)
+            return Storage::GoogleCloudStorage.configure({
+              type: params[:type],
+              platform: params[:platform],
+              google_cloud_bucket_name: params[:google_cloud_bucket_name],
+              google_cloud_keys_file: params[:google_cloud_keys_file],
+              google_cloud_project_id: params[:google_cloud_project_id],
+              readonly: params[:readonly],
+              username: params[:username],
+              team_id: params[:team_id],
+              team_name: params[:team_name],
+              api_key_path: params[:api_key_path],
+              api_key: params[:api_key],
+              skip_google_cloud_account_confirmation: params[:skip_google_cloud_account_confirmation]
+            })
           },
           "s3" => lambda { |params|
-            return Storage::S3Storage.configure(params)
+            return Storage::S3Storage.configure({
+              s3_region: params[:s3_region],
+              s3_access_key: params[:s3_access_key],
+              s3_secret_access_key: params[:s3_secret_access_key],
+              s3_bucket: params[:s3_bucket],
+              s3_object_prefix: params[:s3_object_prefix],
+              readonly: params[:readonly],
+              username: params[:username],
+              team_id: params[:team_id],
+              team_name: params[:team_name],
+              api_key_path: params[:api_key_path],
+              api_key: params[:api_key]
+            })
           },
           "gitlab_secure_files" => lambda { |params|
-            return Storage::GitLabSecureFiles.configure(params)
+            return Storage::GitLabSecureFiles.configure({
+              gitlab_host: params[:gitlab_host],
+              gitlab_project: params[:gitlab_project],
+              git_url: params[:git_url], # enables warning about unnecessary git_url
+              job_token: params[:job_token],
+              private_token: params[:private_token],
+              readonly: params[:readonly],
+              username: params[:username],
+              team_id: params[:team_id],
+              team_name: params[:team_name],
+              api_key_path: params[:api_key_path],
+              api_key: params[:api_key]
+            })
           }
         }
       end
@@ -39,7 +89,8 @@ def register_backend(type: nil, storage_class: nil, &configurator)
         end
       end
 
-      def for_mode(storage_mode, params)
+      def from_params(params)
+        storage_mode = params[:storage_mode]
         configurator = backends[storage_mode.to_s]
         return configurator.call(params) if configurator
 

diff --git a/match/spec/change_password_spec.rb b/match/spec/change_password_spec.rb
@@ -25,7 +25,12 @@
         git_branch: "master",
         git_full_name: nil,
         git_user_email: nil,
-        clone_branch_directly: false
+        clone_branch_directly: false,
+        git_basic_authorization: nil,
+        git_bearer_authorization: nil,
+        git_private_key: nil,
+        type: config[:type],
+        platform: config[:platform]
       ).and_return(fake_storage)
 
       allow(fake_storage).to receive(:download)

diff --git a/match/spec/commands_generator_spec.rb b/match/spec/commands_generator_spec.rb
@@ -79,8 +79,18 @@ def expect_githelper_clone_with(git_url, shallow_clone, git_branch)
       expect(Match::Storage::GitStorage).to receive(:configure).with({
         git_url: git_url,
         shallow_clone: shallow_clone,
+        skip_docs: false,
         git_branch: git_branch[:branch],
-        clone_branch_directly: git_branch[:clone_branch_directly]
+        clone_branch_directly: git_branch[:clone_branch_directly],
+        git_full_name: nil,
+        git_user_email: nil,
+
+        git_private_key: nil,
+        git_basic_authorization: nil,
+        git_bearer_authorization: nil,
+
+        type: "development",
+        platform: "ios"
       }).and_return(fake_storage)
 
       expect(fake_storage).to receive(:download)
@@ -89,6 +99,8 @@ def expect_githelper_clone_with(git_url, shallow_clone, git_branch)
 
       expect(Match::Encryption).to receive(:for_storage_mode).with("git", {
         git_url: git_url,
+        s3_bucket: nil,
+        s3_skip_encryption: false,
         working_directory: fake_working_directory
       }).and_return(fake_encryption)