Add latest changes from gitlab-org/gitlab@master

This commit is contained in:
GitLab Bot 2022-10-15 18:09:16 +00:00
parent 4e6d1709ab
commit 5b7ffe0a75
8 changed files with 249 additions and 1 deletions

View File

@ -579,3 +579,6 @@ gem 'cvss-suite', '~> 3.0.1', require: 'cvss_suite'
# Work with RPM packages
gem 'arr-pm', '~> 0.0.12'
# Apple plist parsing
gem 'CFPropertyList'

View File

@ -1,4 +1,5 @@
[
{"name":"CFPropertyList","version":"3.0.5","platform":"ruby","checksum":"a78551cd4768d78ebca98488c27e33652ef818be64697a54676d34e6434674a4"},
{"name":"RedCloth","version":"4.3.2","platform":"ruby","checksum":"1ee7bc55c8dcec92cf7741a2132a9a6cd19e4b884fbc1b3aca23e1a4fcd92d55"},
{"name":"acme-client","version":"2.0.11","platform":"ruby","checksum":"edf6da9f3c5dbe3ab0c6738eb3b97978b7a60e3500445480d2a72fcc610089de"},
{"name":"actioncable","version":"6.1.6.1","platform":"ruby","checksum":"11f079141cf032026881e4a79ae0cc93753351089c1b6ca1ed30a8a6a21f961b"},

View File

@ -85,6 +85,8 @@ PATH
GEM
remote: https://rubygems.org/
specs:
CFPropertyList (3.0.5)
rexml
RedCloth (4.3.2)
acme-client (2.0.11)
faraday (>= 1.0, < 3.0.0)
@ -1532,6 +1534,7 @@ PLATFORMS
ruby
DEPENDENCIES
CFPropertyList
RedCloth (~> 4.3.2)
acme-client (~> 2.0)
activerecord-explain-analyze (~> 0.1)

View File

@ -7,7 +7,7 @@ module Ci
FILE_SIZE_LIMIT = 5.megabytes.freeze
CHECKSUM_ALGORITHM = 'sha256'
PARSABLE_EXTENSIONS = %w[cer p12].freeze
PARSABLE_EXTENSIONS = %w[cer p12 mobileprovision].freeze
self.limit_scope = :project
self.limit_name = 'project_ci_secure_files'
@ -51,6 +51,8 @@ module Ci
Gitlab::Ci::SecureFiles::Cer.new(file.read)
when 'p12'
Gitlab::Ci::SecureFiles::P12.new(file.read)
when 'mobileprovision'
Gitlab::Ci::SecureFiles::MobileProvision.new(file.read)
end
end

View File

@ -0,0 +1,85 @@
# frozen_string_literal: true
require 'cfpropertylist'
module Gitlab
module Ci
module SecureFiles
class MobileProvision
include Gitlab::Utils::StrongMemoize
attr_reader :error
def initialize(filedata)
@filedata = filedata
end
def decoded_plist
p7 = OpenSSL::PKCS7.new(@filedata)
p7.verify(nil, OpenSSL::X509::Store.new, nil, OpenSSL::PKCS7::NOVERIFY)
p7.data
rescue ArgumentError, OpenSSL::PKCS7::PKCS7Error => err
@error = err.to_s
nil
end
strong_memoize_attr :decoded_plist
def properties
list = CFPropertyList::List.new(data: decoded_plist, format: CFPropertyList::List::FORMAT_XML).value
CFPropertyList.native_types(list)
rescue CFFormatError, CFPlistError, CFTypeError => err
@error = err.to_s
nil
end
strong_memoize_attr :properties
def metadata
return {} unless properties
{
id: id,
expires_at: expires_at,
platforms: properties["Platform"],
team_name: properties['TeamName'],
team_id: properties['TeamIdentifier'],
app_name: properties['AppIDName'],
app_id: properties['Name'],
app_id_prefix: properties['ApplicationIdentifierPrefix'],
xcode_managed: properties['IsXcodeManaged'],
entitlements: properties['Entitlements'],
devices: properties['ProvisionedDevices'],
certificate_ids: certificate_ids
}
end
strong_memoize_attr :metadata
private
def id
properties['UUID']
end
def expires_at
properties['ExpirationDate']
end
def certificate_ids
return [] if developer_certificates.empty?
developer_certificates.map { |c| c.metadata[:id] }
end
def developer_certificates
certificates = properties['DeveloperCertificates']
return if certificates.empty?
certs = []
certificates.each_with_object([]) do |cert, obj|
certs << Cer.new(cert)
end
certs
end
end
end
end
end

Binary file not shown.

View File

@ -0,0 +1,149 @@
# frozen_string_literal: true
require 'spec_helper'
RSpec.describe Gitlab::Ci::SecureFiles::MobileProvision do
context 'when the supplied profile cannot be parsed' do
context 'when the supplied certificate cannot be parsed' do
let(:invalid_profile) { described_class.new('xyzabc') }
describe '#decoded_plist' do
it 'assigns the error message and returns nil' do
expect(invalid_profile.decoded_plist).to be nil
expect(invalid_profile.error).to eq('Could not parse the PKCS7: not enough data')
end
end
describe '#properties' do
it 'returns nil' do
expect(invalid_profile.properties).to be_nil
end
end
describe '#metadata' do
it 'returns an empty hash' do
expect(invalid_profile.metadata).to eq({})
end
end
describe '#expires_at' do
it 'returns nil' do
expect(invalid_profile.metadata[:expires_at]).to be_nil
end
end
end
end
context 'when the supplied profile can be parsed' do
let(:sample_file) { fixture_file('ci_secure_files/sample.mobileprovision') }
let(:subject) { described_class.new(sample_file) }
describe '#decoded_plist' do
it 'returns an XML string' do
expect(subject.decoded_plist.class).to be(String)
expect(subject.decoded_plist.starts_with?('<?xml version="1.0"')).to be true
end
end
describe '#properties' do
it 'returns the property list of the decoded plist provided' do
expect(subject.properties.class).to be(Hash)
expect(subject.properties.keys).to match_array(%w[AppIDName ApplicationIdentifierPrefix CreationDate
Platform IsXcodeManaged DeveloperCertificates
DER-Encoded-Profile PPQCheck Entitlements ExpirationDate
Name ProvisionedDevices TeamIdentifier TeamName
TimeToLive UUID Version])
end
it 'returns nil if the property list fails to be parsed from the decoded plist' do
allow(subject).to receive(:decoded_plist).and_return('foo/bar')
expect(subject.properties).to be nil
expect(subject.error).to start_with('invalid XML')
end
end
describe '#metadata' do
it 'returns a hash with the expected keys' do
expect(subject.metadata.keys).to match_array([:id, :expires_at, :app_id, :app_id_prefix, :app_name,
:certificate_ids, :devices, :entitlements, :platforms,
:team_id, :team_name, :xcode_managed])
end
end
describe '#id' do
it 'returns the profile UUID' do
expect(subject.metadata[:id]).to eq('6b9fcce1-b9a9-4b37-b2ce-ec4da2044abf')
end
end
describe '#expires_at' do
it 'returns the expiration timestamp of the profile' do
expect(subject.metadata[:expires_at].utc).to eq('2023-08-01 23:15:13 UTC')
end
end
describe '#platforms' do
it 'returns the platforms assigned to the profile' do
expect(subject.metadata[:platforms]).to match_array(['iOS'])
end
end
describe '#team_name' do
it 'returns the team name in the profile' do
expect(subject.metadata[:team_name]).to eq('Darby Frey')
end
end
describe '#team_id' do
it 'returns the team ids in the profile' do
expect(subject.metadata[:team_id]).to match_array(['N7SYAN8PX8'])
end
end
describe '#app_name' do
it 'returns the app name in the profile' do
expect(subject.metadata[:app_name]).to eq('iOS Demo')
end
end
describe '#app_id' do
it 'returns the app id in the profile' do
expect(subject.metadata[:app_id]).to eq('match Development com.gitlab.ios-demo')
end
end
describe '#app_id_prefix' do
it 'returns the app id prefixes in the profile' do
expect(subject.metadata[:app_id_prefix]).to match_array(['N7SYAN8PX8'])
end
end
describe '#xcode_managed' do
it 'returns the xcode_managed property in the profile' do
expect(subject.metadata[:xcode_managed]).to be false
end
end
describe '#entitlements' do
it 'returns the entitlements in the profile' do
expect(subject.metadata[:entitlements].keys).to match_array(['application-identifier',
'com.apple.developer.game-center',
'com.apple.developer.team-identifier',
'get-task-allow',
'keychain-access-groups'])
end
end
describe '#devices' do
it 'returns the devices attached to the profile' do
expect(subject.metadata[:devices]).to match_array(["00008101-001454860C10001E"])
end
end
describe '#certificate_ids' do
it 'returns the certificate ids attached to the profile' do
expect(subject.metadata[:certificate_ids]).to match_array(["23380136242930206312716563638445789376"])
end
end
end
end

View File

@ -117,6 +117,11 @@ RSpec.describe Ci::SecureFile do
expect(file.metadata_parser).to be_an_instance_of(Gitlab::Ci::SecureFiles::P12)
end
it 'returns an instance of Gitlab::Ci::SecureFiles::MobileProvision when a .mobileprovision file is supplied' do
file = build(:ci_secure_file, name: 'file1.mobileprovision')
expect(file.metadata_parser).to be_an_instance_of(Gitlab::Ci::SecureFiles::MobileProvision)
end
it 'returns nil when the file type is not supported by any parsers' do
file = build(:ci_secure_file, name: 'file1.foo')
expect(file.metadata_parser).to be nil