diff --git a/cipd_packages/codesign/lib/src/file_codesign_visitor.dart b/cipd_packages/codesign/lib/src/file_codesign_visitor.dart index a7b0cbf32..2107aae15 100644 --- a/cipd_packages/codesign/lib/src/file_codesign_visitor.dart +++ b/cipd_packages/codesign/lib/src/file_codesign_visitor.dart @@ -71,6 +71,7 @@ class FileCodesignVisitor { 'CODESIGN_TEAM_ID': '', 'APP_SPECIFIC_PASSWORD': '', }; + Map redactedCredentials = {}; late final File entitlementsFile; @@ -131,12 +132,20 @@ update these file paths accordingly. return fileSystem.file(passwordFilePath).readAsString(); } + void redactPasswords() { + redactedCredentials[codesignAppstoreId] = ''; + redactedCredentials[codesignTeamId] = ''; + redactedCredentials[appSpecificPassword] = ''; + } + /// The entrance point of examining and code signing an engine artifact. Future validateAll() async { codesignAppstoreId = await readPassword(codesignAppstoreIDFilePath); codesignTeamId = await readPassword(codesignTeamIDFilePath); appSpecificPassword = await readPassword(appSpecificPasswordFilePath); + redactPasswords(); + await processRemoteZip(); log.info('Codesign completed. Codesigned zip is located at $outputZipPath.' @@ -416,15 +425,19 @@ update these file paths accordingly. 'notarytool', 'info', uuid, - '--password', - appSpecificPassword, '--apple-id', codesignAppstoreId, + '--password', + appSpecificPassword, '--team-id', codesignTeamId, ]; - log.info('checking notary status with ${args.join(' ')}'); + String argsWithoutCredentials = args.join(' '); + for (var key in redactedCredentials.keys) { + argsWithoutCredentials = argsWithoutCredentials.replaceAll(key, redactedCredentials[key]!); + } + log.info('checking notary info: $argsWithoutCredentials'); final io.ProcessResult result = processManager.runSync(args); final String combinedOutput = (result.stdout as String) + (result.stderr as String); 
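Review bot: Redaction here is fail-open: `redactedCredentials` is filled only when `redactPasswords()` runs after the three fields are set, so any path that sets or changes a credential without that call logs the raw value (the test setups in this commit have to call it by hand). Keying the map by the secret values also means two equal credentials collapse into one entry, and an empty credential would hand `replaceAll` an empty pattern. A helper that reads the current field values at the point of logging, skips empty ones and substitutes a fixed marker removes the ordering dependency; the duplicated loops in the `notarytool info` and `notarytool submit` hunks then become one call each. The marker text below is a placeholder, and the sketch assumes the three fields are readable when it runs.

```dart
/// Returns [text] with every non-empty credential value replaced by a marker.
String _redact(String text) {
  String redacted = text;
  for (final String secret in <String>[
    codesignAppstoreId,
    codesignTeamId,
    appSpecificPassword,
  ]) {
    if (secret.isNotEmpty) {
      redacted = redacted.replaceAll(secret, '<redacted>'); // placeholder marker
    }
  }
  return redacted;
}

// … unchanged: validateAll reads the three credential files …
```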
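Review bot: The `args` list in the `notarytool info` hunk still carries `appSpecificPassword` as the `--password` argument to `processManager.runSync(args)`, so the log line is redacted but the value stays on the child process command line, where it is typically readable by other local processes while the command runs. notarytool can take stored credentials through `--keychain-profile` instead, which would keep the password out of argv; whether the signing hosts can hold a keychain profile is not visible from this diff. The same applies to the `submit` invocation in the later hunk. The enclosing function starts and ends outside the hunk.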
@@ -432,7 +445,7 @@ update these file paths accordingly. if (match == null) { throw CodesignException( - 'Malformed output from "${args.join(' ')}"\n${combinedOutput.trim()}', + 'Malformed output from "$argsWithoutCredentials"\n${combinedOutput.trim()}', ); } @@ -465,11 +478,15 @@ update these file paths accordingly. '--verbose', ]; - log.info('uploading ${args.join(' ')}'); + String argsWithoutCredentials = args.join(' '); + for (var key in redactedCredentials.keys) { + argsWithoutCredentials = argsWithoutCredentials.replaceAll(key, redactedCredentials[key]!); + } + log.info('uploading to notary: $argsWithoutCredentials'); final io.ProcessResult result = processManager.runSync(args); if (result.exitCode != 0) { throw CodesignException( - 'Command "${args.join(' ')}" failed with exit code ${result.exitCode}\nStdout: ${result.stdout}\nStderr: ${result.stderr}', + 'Command "$argsWithoutCredentials" failed with exit code ${result.exitCode}\nStdout: ${result.stdout}\nStderr: ${result.stderr}', ); } @@ -478,7 +495,7 @@ update these file paths accordingly. match = _notarytoolRequestPattern.firstMatch(combinedOutput); if (match == null) { - log.warning('Failed to upload to the notary service with args: ${args.join(' ')}'); + log.warning('Failed to upload to the notary service with args: $argsWithoutCredentials'); log.warning('{combinedOutput.trim()}'); retryCount -= 1; log.warning('Trying again $retryCount more time${retryCount > 1 ? 's' : ''}...'); diff --git a/cipd_packages/codesign/test/file_codesign_visitor_test.dart b/cipd_packages/codesign/test/file_codesign_visitor_test.dart index a67d64153..a8dbe5a57 100644 --- a/cipd_packages/codesign/test/file_codesign_visitor_test.dart +++ b/cipd_packages/codesign/test/file_codesign_visitor_test.dart 
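Review bot: Only the command string is redacted in these messages; the `CodesignException` text in this hunk still appends `combinedOutput.trim()` unfiltered, and the one in the `submit` hunk appends `result.stdout` and `result.stderr` the same way. `submit` runs with `--verbose`, and if the tool ever echoes the Apple ID or team ID in its output, those values land in the exception text and wherever it is logged. Passing the output through the same replacement as the arguments, for example a redacted copy of `combinedOutput` built with the same loop, closes that gap. Separately, the context line `log.warning('{combinedOutput.trim()}');` in the retry hunk lacks the `$` and logs the literal text; when that is corrected the output should go through redaction as well. All three enclosing functions continue outside the hunks.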
@@ -16,6 +16,10 @@ import './src/fake_process_manager.dart'; void main() { const String randomString = 'abcd1234'; + const String fakeAppleID = 'flutter-appleID'; + const String fakePassword = 'flutter-password'; + const String fakeTeamID = 'flutter-teamID'; + const String uuid = 'uuid'; const String appSpecificPasswordFilePath = '/tmp/passwords.txt'; const String codesignAppstoreIDFilePath = '/tmp/appID.txt'; const String codesignTeamIDFilePath = '/tmp/teamID.txt'; @@ -110,9 +114,10 @@ void main() { outputZipPath: outputZipPath, ); codesignVisitor.directoriesVisited.clear(); - codesignVisitor.appSpecificPassword = randomString; - codesignVisitor.codesignAppstoreId = randomString; - codesignVisitor.codesignTeamId = randomString; + codesignVisitor.appSpecificPassword = fakePassword; + codesignVisitor.codesignAppstoreId = fakeAppleID; + codesignVisitor.codesignTeamId = fakeTeamID; + codesignVisitor.redactPasswords(); }); test('procesRemotezip triggers correct workflow', () async { @@ -148,27 +153,27 @@ void main() { 'submit', codesignVisitor.outputZipPath, '--apple-id', - randomString, + fakeAppleID, '--password', - randomString, + fakePassword, '--team-id', - randomString, + fakeTeamID, '--verbose', ], - stdout: 'id: $randomString', + stdout: 'id: $uuid', ), const FakeCommand( command: [ 'xcrun', 'notarytool', 'info', - randomString, - '--password', - randomString, + uuid, '--apple-id', - randomString, + fakeAppleID, + '--password', + fakePassword, '--team-id', - randomString, + fakeTeamID, ], stdout: 'status: Accepted', ), 
@@ -200,19 +205,19 @@ void main() { expect( messages, contains( - 'uploading xcrun notarytool submit ${codesignVisitor.outputZipPath} --apple-id $randomString --password $randomString ' - '--team-id $randomString --verbose', + 'uploading to notary: xcrun notarytool submit ${codesignVisitor.outputZipPath} --apple-id --password ' + '--team-id --verbose', ), ); expect( messages, - contains('RequestUUID for ${codesignVisitor.outputZipPath} is: $randomString'), + contains('RequestUUID for ${codesignVisitor.outputZipPath} is: $uuid'), ); expect( messages, contains( - 'checking notary status with xcrun notarytool info $randomString --password $randomString --apple-id $randomString ' - '--team-id $randomString', + 'checking notary info: xcrun notarytool info $uuid --apple-id --password ' + '--team-id ', ), ); expect( @@ -762,9 +767,10 @@ file_c''', rootDirectory: rootDirectory, ); codesignVisitor.directoriesVisited.clear(); - codesignVisitor.appSpecificPassword = randomString; - codesignVisitor.codesignAppstoreId = randomString; - codesignVisitor.codesignTeamId = randomString; + codesignVisitor.appSpecificPassword = fakePassword; + codesignVisitor.codesignAppstoreId = fakeAppleID; + codesignVisitor.codesignTeamId = fakeTeamID; + codesignVisitor.redactPasswords(); }); test('successful notarization check returns true', () async { @@ -774,13 +780,13 @@ file_c''', 'xcrun', 'notarytool', 'info', - randomString, - '--password', - randomString, + uuid, '--apple-id', - randomString, + fakeAppleID, + '--password', + fakePassword, '--team-id', - randomString, + fakeTeamID, ], stdout: '''createdDate: 2021-04-29T01:38:09.498Z id: 2efe2717-52ef-43a5-96dc-0797e4ca1041 @@ -790,7 +796,7 @@ status: Accepted''', ]); expect( - codesignVisitor.checkNotaryJobFinished(randomString), + codesignVisitor.checkNotaryJobFinished(uuid), true, ); }); 
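Review bot: The updated expectations check that the redacted form of each command is logged, but nothing asserts that the secret values are absent from the captured messages, so a new log line that leaks them would still pass. A negative assertion next to these checks, `expect(messages.any((String m) => m.contains(fakePassword)), isFalse);` (and the same for `fakeAppleID` and `fakeTeamID`), pins the property the commit is after; this assumes `messages` holds strings, as its use with `contains` suggests. The tests that expect a `CodesignException` could check its message the same way. The enclosing test starts and ends outside the hunk.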
@@ -802,13 +808,13 @@ status: Accepted''', 'xcrun', 'notarytool', 'info', - randomString, - '--password', - randomString, + uuid, '--apple-id', - randomString, + fakeAppleID, + '--password', + fakePassword, '--team-id', - randomString, + fakeTeamID, ], stdout: '''RequestUUID: 2EFE2717-52EF-43A5-96DC-0797E4CA1041 Date: 2021-07-02 20:32:01 +0000 @@ -820,7 +826,7 @@ Status Message: Package Invalid''', ]); expect( - () => codesignVisitor.checkNotaryJobFinished(randomString), + () => codesignVisitor.checkNotaryJobFinished(uuid), throwsA( isA(), ), @@ -834,13 +840,13 @@ Status Message: Package Invalid''', 'xcrun', 'notarytool', 'info', - randomString, - '--password', - randomString, + uuid, '--apple-id', - randomString, + fakeAppleID, + '--password', + fakePassword, '--team-id', - randomString, + fakeTeamID, ], stdout: '''createdDate: 2021-04-29T01:38:09.498Z id: 2efe2717-52ef-43a5-96dc-0797e4ca1041 @@ -850,7 +856,7 @@ status: In Progress''', ]); expect( - codesignVisitor.checkNotaryJobFinished(randomString), + codesignVisitor.checkNotaryJobFinished(uuid), false, ); }); @@ -862,13 +868,13 @@ status: In Progress''', 'xcrun', 'notarytool', 'info', - randomString, - '--password', - randomString, + uuid, '--apple-id', - randomString, + fakeAppleID, + '--password', + fakePassword, '--team-id', - randomString, + fakeTeamID, ], stdout: '''createdDate: 2021-04-29T01:38:09.498Z id: 2efe2717-52ef-43a5-96dc-0797e4ca1041 @@ -878,7 +884,7 @@ status: Invalid''', ]); expect( - () => codesignVisitor.checkNotaryJobFinished(randomString), + () => codesignVisitor.checkNotaryJobFinished(uuid), throwsA( isA(), ), @@ -895,11 +901,11 @@ status: Invalid''', 'submit', '${rootDirectory.absolute.path}/temp', '--apple-id', - randomString, + fakeAppleID, '--password', - randomString, + fakePassword, '--team-id', - randomString, + fakeTeamID, '--verbose', ], stdout: '''Error uploading file. 
@@ -913,11 +919,11 @@ status: Invalid''', 'submit', '${rootDirectory.absolute.path}/temp', '--apple-id', - randomString, + fakeAppleID, '--password', - randomString, + fakePassword, '--team-id', - randomString, + fakeTeamID, '--verbose', ], stdout: '''Successfully uploaded file. @@ -940,7 +946,7 @@ status: Invalid''', messages, contains('Failed to upload to the notary service with args: ' 'xcrun notarytool submit ${rootDirectory.absolute.path}/temp ' - '--apple-id abcd1234 --password abcd1234 --team-id abcd1234 ' + '--apple-id --password --team-id ' '--verbose'), ); expect( @@ -959,11 +965,11 @@ status: Invalid''', 'submit', '${rootDirectory.absolute.path}/temp', '--apple-id', - randomString, + fakeAppleID, '--password', - randomString, + fakePassword, '--team-id', - randomString, + fakeTeamID, '--verbose', ], stdout: '''Error uploading file. @@ -995,11 +1001,11 @@ status: Invalid''', 'submit', '${rootDirectory.absolute.path}/temp', '--apple-id', - randomString, + fakeAppleID, '--password', - randomString, + fakePassword, '--team-id', - randomString, + fakeTeamID, '--verbose', ], stdout: '''Error uploading file. @@ -1013,11 +1019,11 @@ status: Invalid''', 'submit', '${rootDirectory.absolute.path}/temp', '--apple-id', - randomString, + fakeAppleID, '--password', - randomString, + fakePassword, '--team-id', - randomString, + fakeTeamID, '--verbose', ], stdout: '''Error uploading file. @@ -1031,11 +1037,11 @@ status: Invalid''', 'submit', '${rootDirectory.absolute.path}/temp', '--apple-id', - randomString, + fakeAppleID, '--password', - randomString, + fakePassword, '--team-id', - randomString, + fakeTeamID, '--verbose', ], stdout: '''Error uploading file. 
@@ -1083,18 +1089,18 @@ status: Invalid''', notarizationTimerDuration: const Duration(seconds: 0), ); codesignVisitor.directoriesVisited.clear(); - codesignVisitor.appSpecificPassword = randomString; - codesignVisitor.codesignAppstoreId = randomString; - codesignVisitor.codesignTeamId = randomString; + codesignVisitor.appSpecificPassword = fakePassword; + codesignVisitor.codesignAppstoreId = fakeAppleID; + codesignVisitor.codesignTeamId = fakeTeamID; fileSystem.file(codesignAppstoreIDFilePath) ..createSync(recursive: true) - ..writeAsStringSync(randomString); + ..writeAsStringSync(fakeAppleID); fileSystem.file(codesignTeamIDFilePath) ..createSync(recursive: true) - ..writeAsStringSync(randomString); + ..writeAsStringSync(fakeTeamID); fileSystem.file(appSpecificPasswordFilePath) ..createSync(recursive: true) - ..writeAsStringSync(randomString); + ..writeAsStringSync(fakePassword); }); test('codesign optional switches artifacts when dryrun is true', () async { @@ -1128,27 +1134,27 @@ status: Invalid''', 'submit', codesignVisitor.outputZipPath, '--apple-id', - randomString, + fakeAppleID, '--password', - randomString, + fakePassword, '--team-id', - randomString, + fakeTeamID, '--verbose', ], - stdout: 'id: $randomString', + stdout: 'id: $uuid', ), const FakeCommand( command: [ 'xcrun', 'notarytool', 'info', - randomString, - '--password', - randomString, + uuid, '--apple-id', - randomString, + fakeAppleID, + '--password', + fakePassword, '--team-id', - randomString, + fakeTeamID, ], stdout: 'status: Accepted', ), 
@@ -1196,27 +1202,27 @@ status: Invalid''', 'submit', codesignVisitor.outputZipPath, '--apple-id', - randomString, + fakeAppleID, '--password', - randomString, + fakePassword, '--team-id', - randomString, + fakeTeamID, '--verbose', ], - stdout: 'id: $randomString', + stdout: 'id: $uuid', ), const FakeCommand( command: [ 'xcrun', 'notarytool', 'info', - randomString, - '--password', - randomString, + uuid, '--apple-id', - randomString, + fakeAppleID, + '--password', + fakePassword, '--team-id', - randomString, + fakeTeamID, ], stdout: 'status: Accepted', ), @@ -1234,9 +1240,9 @@ status: Invalid''', notarizationTimerDuration: const Duration(seconds: 0), dryrun: false, ); - codesignVisitor.appSpecificPassword = randomString; - codesignVisitor.codesignAppstoreId = randomString; - codesignVisitor.codesignTeamId = randomString; + codesignVisitor.appSpecificPassword = fakePassword; + codesignVisitor.codesignAppstoreId = fakeAppleID; + codesignVisitor.codesignTeamId = fakeTeamID; codesignVisitor.directoriesVisited.clear(); await codesignVisitor.validateAll(); final Set messages = records