From 5b7ffe0a758eaeeccdd7b7af90355b13779083b9 Mon Sep 17 00:00:00 2001
From: GitLab Bot <gitlab-bot@gitlab.com>
Date: Sat, 15 Oct 2022 18:09:16 +0000
Subject: [PATCH] Add latest changes from gitlab-org/gitlab@master

---
 Gemfile                                       |   3 +
 Gemfile.checksum                              |   1 +
 Gemfile.lock                                  |   3 +
 app/models/ci/secure_file.rb                  |   4 +-
 .../ci/secure_files/mobile_provision.rb       |  85 ++++++++++
 .../ci_secure_files/sample.mobileprovision    | Bin 0 -> 12278 bytes
 .../ci/secure_files/mobile_provision_spec.rb  | 149 ++++++++++++++++++
 spec/models/ci/secure_file_spec.rb            |   5 +
 8 files changed, 249 insertions(+), 1 deletion(-)
 create mode 100644 lib/gitlab/ci/secure_files/mobile_provision.rb
 create mode 100644 spec/fixtures/ci_secure_files/sample.mobileprovision
 create mode 100644 spec/lib/gitlab/ci/secure_files/mobile_provision_spec.rb

diff --git a/Gemfile b/Gemfile
index ac38fbfd530..d4fc7e03d5a 100644
--- a/Gemfile
+++ b/Gemfile
@@ -579,3 +579,6 @@ gem 'cvss-suite', '~> 3.0.1', require: 'cvss_suite'
 
 # Work with RPM packages
 gem 'arr-pm', '~> 0.0.12'
+
+# Apple plist parsing
+gem 'CFPropertyList'
diff --git a/Gemfile.checksum b/Gemfile.checksum
index a258da072f5..cbb692d81c8 100644
--- a/Gemfile.checksum
+++ b/Gemfile.checksum
@@ -1,4 +1,5 @@
 [
+{"name":"CFPropertyList","version":"3.0.5","platform":"ruby","checksum":"a78551cd4768d78ebca98488c27e33652ef818be64697a54676d34e6434674a4"},
 {"name":"RedCloth","version":"4.3.2","platform":"ruby","checksum":"1ee7bc55c8dcec92cf7741a2132a9a6cd19e4b884fbc1b3aca23e1a4fcd92d55"},
 {"name":"acme-client","version":"2.0.11","platform":"ruby","checksum":"edf6da9f3c5dbe3ab0c6738eb3b97978b7a60e3500445480d2a72fcc610089de"},
 {"name":"actioncable","version":"6.1.6.1","platform":"ruby","checksum":"11f079141cf032026881e4a79ae0cc93753351089c1b6ca1ed30a8a6a21f961b"},
diff --git a/Gemfile.lock b/Gemfile.lock
index 4f62d212ab8..550dce622a1 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -85,6 +85,8 @@ PATH
 GEM
   remote: https://rubygems.org/
   specs:
+    CFPropertyList (3.0.5)
+      rexml
     RedCloth (4.3.2)
     acme-client (2.0.11)
       faraday (>= 1.0, < 3.0.0)
@@ -1532,6 +1534,7 @@ PLATFORMS
   ruby
 
 DEPENDENCIES
+  CFPropertyList
   RedCloth (~> 4.3.2)
   acme-client (~> 2.0)
   activerecord-explain-analyze (~> 0.1)
diff --git a/app/models/ci/secure_file.rb b/app/models/ci/secure_file.rb
index d9e717df1d0..ffff7eebbee 100644
--- a/app/models/ci/secure_file.rb
+++ b/app/models/ci/secure_file.rb
@@ -7,7 +7,7 @@ module Ci
 
     FILE_SIZE_LIMIT = 5.megabytes.freeze
     CHECKSUM_ALGORITHM = 'sha256'
-    PARSABLE_EXTENSIONS = %w[cer p12].freeze
+    PARSABLE_EXTENSIONS = %w[cer p12 mobileprovision].freeze
 
     self.limit_scope = :project
     self.limit_name = 'project_ci_secure_files'
@@ -51,6 +51,8 @@ module Ci
         Gitlab::Ci::SecureFiles::Cer.new(file.read)
       when 'p12'
         Gitlab::Ci::SecureFiles::P12.new(file.read)
+      when 'mobileprovision'
+        Gitlab::Ci::SecureFiles::MobileProvision.new(file.read)
       end
     end
 
diff --git a/lib/gitlab/ci/secure_files/mobile_provision.rb b/lib/gitlab/ci/secure_files/mobile_provision.rb
new file mode 100644
index 00000000000..4ea74e20310
--- /dev/null
+++ b/lib/gitlab/ci/secure_files/mobile_provision.rb
@@ -0,0 +1,85 @@
+# frozen_string_literal: true
+require 'cfpropertylist'
+
+module Gitlab
+  module Ci
+    module SecureFiles
+      class MobileProvision
+        include Gitlab::Utils::StrongMemoize
+
+        attr_reader :error
+
+        def initialize(filedata)
+          @filedata = filedata
+        end
+
+        def decoded_plist
+          p7 = OpenSSL::PKCS7.new(@filedata)
+          p7.verify(nil, OpenSSL::X509::Store.new, nil, OpenSSL::PKCS7::NOVERIFY)
+          p7.data
+        rescue ArgumentError, OpenSSL::PKCS7::PKCS7Error => err
+          @error = err.to_s
+          nil
+        end
+        strong_memoize_attr :decoded_plist
+
+        def properties
+          list = CFPropertyList::List.new(data: decoded_plist, format: CFPropertyList::List::FORMAT_XML).value
+          CFPropertyList.native_types(list)
+        rescue CFFormatError, CFPlistError, CFTypeError => err
+          @error = err.to_s
+          nil
+        end
+        strong_memoize_attr :properties
+
+        def metadata
+          return {} unless properties
+
+          {
+            id: id,
+            expires_at: expires_at,
+            platforms: properties["Platform"],
+            team_name: properties['TeamName'],
+            team_id: properties['TeamIdentifier'],
+            app_name: properties['AppIDName'],
+            app_id: properties['Name'],
+            app_id_prefix: properties['ApplicationIdentifierPrefix'],
+            xcode_managed: properties['IsXcodeManaged'],
+            entitlements: properties['Entitlements'],
+            devices: properties['ProvisionedDevices'],
+            certificate_ids: certificate_ids
+          }
+        end
+        strong_memoize_attr :metadata
+
+        private
+
+        def id
+          properties['UUID']
+        end
+
+        def expires_at
+          properties['ExpirationDate']
+        end
+
+        def certificate_ids
+          return [] if developer_certificates.empty?
+
+          developer_certificates.map { |c| c.metadata[:id] }
+        end
+
+        def developer_certificates
+          certificates = properties['DeveloperCertificates']
+          return if certificates.empty?
+
+          certs = []
+          certificates.each_with_object([]) do |cert, obj|
+            certs << Cer.new(cert)
+          end
+
+          certs
+        end
+      end
+    end
+  end
+end
diff --git a/spec/fixtures/ci_secure_files/sample.mobileprovision b/spec/fixtures/ci_secure_files/sample.mobileprovision
new file mode 100644
index 0000000000000000000000000000000000000000..89bf7246b75350377d62bdacfb413da5744d27a1
GIT binary patch
literal 12278
zcmd6Nd6?VO)qZ9&S%HL<KoTHivOp3h6HDI4rbB{c$+B$AwrqKY0=DFlWlP><Tec}n
z1_(5PQYf?uYalG8(6XeEmbH`}T6Wqb4Ft;41wu*KOAFtTJ!``9{r>6qo9FQ}y3*b6
zIq!MTITsl;?43OA*tM>;pB&UNrE}Au;SFTau&cA913dtlHhEIdjES9xPnv)XF8Fe^
zTF0ir1@CtaE_k<pbzPCWYw5Bo74pX~LRTV-y3={SAV_)f_(fsP*=t+0de!v)g@oV1
z#RFt_QI^z7cOZ;=X-D^>UV{NE7Ui_TKyXBNz)Od?Zs@~cAbpFv7iB7y;&BFprfDma
zdaadwLD4I!hCsPcOqVMSFLc%m4OR*jVG#_|?tR>J;H@C>l~vQH_2<%!RWKY)_>xMx
z-=G)aty(F=WLHW4P&biQ3jKzm7o!biiBDEweYB9ySEK<cT@IAf15$mYi)6W+9NU+#
zFBHdowm{4_wl~8_HGO19Io;}%NLEJYB0yo45iuHj5nC^Uaz@i}sO31+l;}6KJ`K$&
zASWvWg|f2W1jerB>xZV*7@Sa=N#>JcS{UhMAStV9!|+BC=~`OWci90O4U2{?NUI}t
zhnF&~ALf-@#n7}<%Q_smrzBz;jbkFsl8IEJqM>G%%n1pG3W=c@s}YzF7jvadPNM7@
zf@7@e#0VT^!mP%MaU#O91VL1A-i51)5FSgJ+-kxl6cbcf3{nweB3iHURHQ*W-ExX@
zBFU(|$~SN#5p%<Hq8K-}-_fKK6{t*&S7ap3kzNMNQ5YH~9h&9{Hkmrv#Dci!i{My+
zapasDPt|3bl&kTEx$bCU?)JAhhshC+!Oby(qZ<q%Y79p=86vFtoCW<IJdeI((1Iq$
z#X6P6;<#9F=cJ@NXQ0&tM&blk^!vjWGK>}}U#^m5I7VaGq4he7!|Npzu>`EkuBD=p
zsz4NA&CW(VpA&<5x10`P1(x%LxopD4k(p>j%8glv3hOYN!l;aM*$f*c#4+FWH3l=h
z;<nIaqLGN@_Fp4S<8*f4vmu=r=67JM4TJN=9ij)GNvzyZ{R1UuHmVw&RaI27F*Tm^
z1+b!Kb|ow(JJV+|$B=j*k#*KZ2UW6@F*9$?M9`?1sNjSZ^`Rc2&PN3cYc-iNO*#~A
zB$GDRKqOQ!rfNj2B5Q7&g%CKUFUFS;UXDunS{(CmF^LWN;%1pJ4Oq%%#u-d&CAlv}
z$x*^$^^_{*a3p3320erw&u0|g)l&(Ff{e$=rI|{Y4%>vVC0F*uQ*NVTlYHTV<|{dB
z5mY0ZnQWRjmTC!uy~YFyx60envQkhKCC=xW+Ca7hT?b@>Y6yhQJ`l2nShs|hxLP1i
zC2}Q>Q0g{L^?5S^yM-MHJ7|Vi8>}&3cG~^%g1;gXl+}_Vxj@$GK>YO@5~+B2HJg)2
zf1=zIFCw@`6Bvu(1vBmN6AlNK)l~)LBZzPq>oVXNtziT<pv$Ez#E=w$MMa!-8&oWk
z3n;Y&Rtk~joZ_JvM(%0k)hw>zqFBa7(uuP?=vgqwP_*V{<FrSM<2W03F_?#<qZveS
zVODR$p4D}TZ&)&I-Lqs<Mx-W~gdDH%O|KG^`7Bl+)2D{T<8sm!M0lc5^BV10-h@@-
zF<eVg;cDDyuMEA@m<DPRjKM~t$!I=(Z9%iHivo>>;5n>`A{o@>i(un!Pa#2PYC<-F
zg>i;<8Q@2Z858!!fmg%^uA;jB%bAqolWEFcrCq^7GRBB;W27NavXYGYG6G<Rt~>Fl
z#X`IA44)5LXv*2-O_54MuN(EjnsEfaX8~(!2?<A%&<1crPDxN7Fi7twt^hW;e0sfH
zJm${9STe7mP3WtdaNw{{mRvFxEW&?yXIE%fq?rf-6znq>p0exx>2qkc+Yhr`cmw7H
zI0kFd$BPB!77n<WDnsy;!=X|b8+L-M;7+Mh5L`ixZ^GW2;FR_`xA9{~GD0j^04yyE
zu3U}5<E{O7vm|cNScbt0WBO(Y21i=o36YKBcn}q6U%-gC7$iW|Qa*RY8^)6arQs<8
z^S9)Ywc*%+jl?m=ftxXn)Z(7ebBu#6XpQ5*+5Nu}fQ>MR*0<5~=Y4=PUZ_uiY~UE~
zu<=~FS&io$fk2M~uQ$py)>f{&h*(UrXz4)GluS8MQ@N4uD`j&zHmUIiuSF?4D|wT%
zVn|k;QQjSOBrrDbDfP()t;o9!W<1SkQh>^Gyv>=GeSL(tR&d4Z^_(@}Fbt&1nP{*O
zabu#2xa+Y>VxY>=RK3Owl$w+&Do3+%K_YTx0!8a~Cgly7ZGyj?kC#d@1-B(^n$J*-
z57?{*ylHCoxS~-f7Rh?8DYlU;r(}mUVZ>aSSkdm4BJP|q=T_+i?`Mc8ij=(7f>o$B
z?737WZ%YaJ3?Um#))e1I^%bO~V3AZulB6SMS}Kc1JL3Wi>BEV1MD)kdg4AcOmvGTy
z$eG<0Qd0+VYH+|>A%dK>R<{Rz88qoL#kGcde2Y>fb#p&VOorG6K?ZwCox`PtULaZn
zl01%}w5+`^HlnTiY4MH%P5U@t07ST;TZuZ+)UAmuW^y8)U>Opm04zOde_f;;p%N9M
zQzn8XU04#{X*p6987C756yz|5z=SAhM^m@%y7Vv@!Z-lO!eL(_5%raIL}YYvlR@jE
zk#GvB7X>Bkz(i+-!AZTY3fiN9#8((B%wR@25N=`|fmz%<ngNXs%3Rc0jYkDpx6Xj9
z5dxESE9?%EmP{%dW*ii>Y2aicis~8zeFo)t6!pVT25U|N5=iL~PVq{_0vf{*q_2^P
zw%G?*Z6p!oeN2|t`~+5KvP|8_k<DlpOT!$(P_Gh-f_CSF#e^d3$O>yN`hBP`!G_J|
zuv0WMxQ!ul5i?K84OokgE-+?Lc4|n2X<}v=5dM=W!}*d77#t^xH&Vt#F-1klWXy*E
z^N~R7^>*QO42L-jOel=HBV+_NNM$Ib#d<~<)42J_IIJa6gvstdFNen9&PXH_W*Ik;
zko?g^Hf{{py;0f{=W-PvMK^s7RAK;`z0pY4M+GxX7DIfLQ%Yp93V{XNd+3N%U_IHS
z1NL|<>uDh>QcW0T1Q?#=Rpc7qKy$5gAV`LUxur~rB5#yyDJ7EAS)q=Yd=pC%cus=}
z!=95G6GGsbM0^};_GNK`;V>vWoeZHe&Tvo`l!%%#;WD3tw(WDs>iY}*NVo&bxYa^T
z$sq--F9K%6S}CYGR_&=*{b_4YK&~~KWYv?`@^*=H;5|SBgHa0tRzQV$>gU?zX;)E~
zU6poafh96dW&D17qcW@s+Q2?1Vl?9#&)(V=R1t~-RnNpFOEG0)DhVo5Nj0$?f!lTK
zJYsF({RlJmDuOP*6|ewR0hn@2S76_0qpy|<jac{G@Selidc904gaXUf+vwIa(%4@f
z8HP{<S#Y3WnS5n$)TshfHMRTC!TKt4I_fLLqjD9#flNf2aBg{Cv7@|;(Oepk=d8d*
z!%n~7iO2m8bBVyluS1~h<wVpf!k-NofrD)VHt@=@M?rh}81Oc)Gh_*C4iT6Pu!Uw8
zA>m}TM3YQ0c$?*8nigW)OhgPT_L|@TauLERG|4xaP+W8C%!*~b;CKu(?{D)UzzZOC
zt4KOT%`@D02$+L6JL+BF8O9Nbz*;k)`y2~w2UtEQ*8Lo2jOy>2x$*C^c%BKW8a3<*
z;O^o1gi=O3LX$q6b|9kevADBXuI-hmj4M3sv5b>l&~>xO#v;IC><y4b3ln5CvfZ}_
z&U3hLcS-?9!K#|0{f#0ucO=}zjew~X-T-W7%yy7n3J+Cr9K$5cNMpD=Tl6+jj4yGO
zT*KWEgA8v9IwCecn&t8?-ifCYL^Z15p`t0_stj=1ELW}9$x6(Cy87acxNLG;<G~cy
z!~<lcfEgm0IN^z*M5FG*5uOu-QcSi8H73%mcr0iiP1NGm2$zTzm7HHDJxtQ)04t)o
z^f?C+KaR&qr?;w^O3pZAmXbxflrWX8cB|EpY&1e;2D7zT45_skhLgcybptky(7ntc
z5@@q(meAMPW<c$AgIOUkqlht7*uk(4!pgfyr)*BfI5uufn`(AS^J8SfTlMucf*F^S
zFqo8dp^+&nHNPeX!uddytLH=JWTmG>*P#yzRiq5zK`~R9vl)GC(~3xnUuKMb*_2R-
zRgCOF!^tQ;@r)!8Ij<9~dBaJOvEric)HFQ0&8)_OCA%vHFnJhDgOO!?eKpCzQDSx9
zxib`Br<z!zEh`K|4tuvwcP(XNMHV4NZwPmR?NAs8+m>lf6NY7)9miS$V<j9P!yfnX
zDu?Cpn>=UI#1P;;XZ0V`U}W8MhW`Xz2iw@fYsOj7`0VI>Kz~Q(6E?|Bz$egMS;r~B
zlVJ}Zbc1038+wsoaAurdI2=Pdq5*$FKsT^Nx#&#P1`@VB!kdlRBAtq;XxOI&J&i=L
zpbV7Vw5w0DN5p{1?=D&Evdi1(tNE=gUcpE%=&C2(C8L;k<YcJ|{86z72Arj=IKXS-
z0C<AhSWhsl0guKF&3(PWP@n3vW}<|jR!Sj{B3OHB>1xfWs<~1Vr^a|u;0>}?J#yjG
zF?7Tmq$rOv;tkf~CZFbQ+br3u=(fY&dI$ai*lpd*ivZuSBM@=P10ON9Jb|E%1nsFZ
zj)v$dVTFv8Xn84q$p&rR>OTFoJ<XUdm%(g2s(YEf26z=h+p92>PLU0#b7`xe1|m+1
zQcyMaWb1`oy2%nACHK|33>fB++WazZ1o_U8z&*p*zIuWgdC+mz!Qf%06z`+TmP9dW
zO%IqN%`k?_YFYM%<4n>kR2`;z(pz`LnxazmmDRM*#_()DT}u0<0b^OvXf4h$qAip+
z^u+lF#1iQQff~~&l|w|jCX_8AU3Aq^u85kvoK%-eQG*(Ho5*4S4RM-*DK)^>5x8#a
zKn8}QXEcGD>6qJBMi6WtTSxzYtSeZ$#ZNgP>>S&GC|ASB;Yt0SkHdhgg5Gnak;z7q
z3~8==vRGjlr|1ZvjFT3_E_Y2(<QDf&MlE^TIm~OrV%R9>Q;J*#TmS!LkE0yM;UW)F
z$E-iV(m3eC&@+SMn$Lk@oY>c=)?F+Xp-TQjE?EjQRMw$+MJpbXJgEq7vl=4~i7JZK
z3>!x<s>f)JyD~vz7MGC{S}LfPa7u7ePP-8`N_9+j(G4vL(Hxx9&o!+6FQPd?Yp}0i
zmNMa7$l<1%DQkd|f_*-WDJ3~vpYxb#4vT^w>Jh|o`s*Hz=6s9(`hfS7;IuHBm}o}>
zAR2>bA-W<p;fL)LiE*h~ddyf5-PKZTy&R!3MTow(B1gl~SBRwO?~qgjm*5%YjgcHp
zMa*$y9iC;Kr$PiIQR5|C5r97d->jwbj0k6qfX@d$nFbLU8}OJ`B&j7230EX5xb%pP
zB?nQZ21Iw;5nG6uq>R9UOz>-%$8!Te-z1EtvWyzCu9P+2Q?VnsV$Bm}56@uj2o%xg
z2EZz4mq=iNk;t^s2OL}XS@**Y2ZjJQAR)xZ63wj1))%YMu?Aak)=8tR(xy<hQp<>{
z4-uqVGMowslH2ICv9#z;#l$pH=uspsX%elTu+QYpyEQdsblVK6g4N|n=Z&dAzLsF>
zqUeh15i!6I93;1ganWP!95c%QoIVSXFgX>%-QaV`36mS5UM-ug^Ihb>z;!{m?P-Uz
z!6oe=sTe{zq7EvAIb{r@IuNbG3g8DZ_&A^6jWr><GbRgwL(IrEB6E5?A?IXR+xVzE
z7q06Oc8@qLo2_~X6GSxNJNw5PJfvq-&w=M<vD(-%9V}a?MOL&KWj|`c3m(oY8aPLg
z4fwKTh{oiwp&2MyJP00)nT!4!4&y*PaVSFB8au#*!y4PfhQ?`SGyuo-sF;o~?K0?!
z1EVnwqFXJ01#%KTkT<{tOvAOf)1#SzgYx@-4~hHYJ{ip7B(QNyl2-(&M<G*IY(T^7
z9u7&66{kZIL<17?Hxfuvb!Bq6n#E`_AaYtHRri~S9;{q8;}n5dDz!RYl_McLCwdA#
z#nxjmla$ju8WEZ{_HQ~ATB)-@fOTZjd~PHOR4G^We9=(Yh=kl2_<#!J$VT%-L#a3D
zLhq*C4`lI%@_E8=j%lR`8M$5_nx@Oc-B0Tu>R)d-+FH*94&~!|rICc(XrrO*-DnC<
z&l;{2VQR_LN~xgs3geS}<2r}L9G^)_`Q9YYr&YCAEElT9k=0D=A4z+`QuZI{*fA+L
zeX&C|M%P;b?vfu{X(aSEevM+f(pyQYx!$BK7qro}edUIXc0anEm2^`1-|f!W+32Cb
zvAI&RUX;pTpQJQ>bCU9_lB`Oy!e=1O+Da|zlG6Rnhtrn3a-k;a`Q@|#EhRXZ;T;)0
zkKw&W;LnC4XfJ}GW{cToMIc@Q&*YeOj&6FZdk*$$G_(8lU5`rCH}~~b>n0%R+vs+d
z(~Yrh^)xUiDQT|Ym1?6gRtdB~OqW-gtd@SmaA8Qv!eN>inc|RqSyT1_5LdJ}Wl!3B
z%_&n~Z_3E0d(*sGNE#8dIhh*Rci2cfV?WZ>@G$6@5r>7L-_S~{ui7+t&}w9`%Zv<8
zJaW^-&W_H`sr+A$TzJ*tKVFI)G;%kf;{doUpuz$4Or99-nt0%nR)W7<3S{5_yGN7B
zaGu>*wUQ~6rAh<sMvl^}A8_EDud8tgGE1*9{lMw%4(U9<vUNiNUQRxwGaN#WnsboR
zh?vkm;9z#tmVja(6s@gdUjm7v7R1z^)QWMFg3Ld}x!W=ZR{`{b9`x=GNn#$#=(i6&
z*s*Br7IaLSFmbSBCS026nBF<q(J|qH`rA}xf#nT$*{?U8c=6|jEt_swc53wEhGn`u
z`#Nd6^yb;~{;}oxHJdM<ddAkHp1b*H8$LmanOFVvBJ~L@^Uv%g_TNqQwRzwF<DIYX
zSo)8xPp`P>FLO^zZ+Ib@=tq`(_l#+!zxSW<p!Cwisk!lo(RHV3Z!fxQ)*IA@t$)4h
zhrjuGa?O?>?XfXW_;2kx`UUFBo8SH$clN0h68E04cy;$I<-Rw1U*DYUzi9Pqx8u7W
z{O1XC>o5J}oW_@3<;R0pZaeL~-ThZ~P5tx1KRE4sE4w$|d&}PcggY|tul$vQYtL4?
zQY$NwEmznl-o6NZW%>iSoP1^P%`cw&kCTJP-0=BR-isd+XRMpKp4)reLf`Jri5(L<
zHm`XLS@Rd<KsbW=hjes&+0}_mKo;nw#a(le!_Jyr*mK$3)Jd;BvFFj<^4uq1dr=5(
z=tfSMJhf+X$D~P9Iyyk~j0iGZMmp9m8M+}-;ML-oD<XOkG4&>;BA-P15Q9F%g05xA
zG02ili#BzyJ!+^KUzW$TYE@qe?~wU=gBe|ib<NKIZ0}vm?RLYTKE7z}&tF=*bw=t>
z{m2ac^GtmKT@yQ}oQ2FBl6_v7d|X#2NdI_c07>YW@QY37thQYF`Q)Xp)HTa~e&eZU
zr_P>lIEj*$erJc`df~S9yUv<(`Hbs-fA{nt^45-J%a8rs;9PpU@4+jU-#;kt`uh!U
zJ^0<L=KlVX3CF%%e{9~K!SmEF0uM~#%$+^!#S{KX#-08hk381vI?o%PTG>*3X!43<
z?(+Zgs_Cokzl%Kh$xkQ!$NteJcN}>8@BZ@WOY|1AxpwU>-@m?VujgF*#8b4y&hm=w
z%e&sZ@#4MO5r3XEYs%|KFa51qe6_hE=e_TtIq#mnw4fY&G`eQ<pWm1lTXC(QI`!yR
z7IuDd*vpT<R2SSA7|umA(f;E;dga8+|JHfhns;tG?CQ;PPQP*TGyTq6XA$n3Z^>ML
zy{q5$W55jpaAU;~Zk)tF^`^To^yEHUg`~!5^oZgeGFIo|6yX564mf0fTZz98Fb+dz
z>-8oca!|Wouu!OU1AhmYK>H92iU2P3nGk>p6M`B|x|x8##QzO;eH(y0NoG4{t~$GG
z?c@J`aOcVIAGPMaIf%+1v+~vBn@j%i<5hk;bx-wy4}SZ?p7?dQEcjyj+WzgmmrvO{
zBlnx-7axAgqUr1Rlw*^A>GcqgHf}nr|Mv4=yWqg3=X`J8Tj$NQKK;g{wXL^*h?Ut7
zC!KV*=Q`y^_Sbuk*>&2<zepeW*qs~L3+_Gr2=7C_C#F9B!fxS!U%hg~h5i#xKjI?S
zPcAv}gXcD!vHia5=grudychdk$L~+nnx`*$Zs&`kFCX6d=%p*}PB1^5yV!pJ_Q!&&
zp5Oc7(d(`~_PqaWJJ7kD{c`sl`3Fbm&U<j3H2WIunuibFn%QzbdH*?YPwvEonZG!8
z*{=_M^0ixUT6a&m%Y0}3f=}-}cL+e<Mb`Ws^bPc{1t61<iJ*q#Fr?=>iMq5l?TZg{
z7p^?v#!o2b%&8|M#4u(6hS(4*VjeC7hAjJL4AJkMl|ga<NmlCPF6df{9E~jAv~bgc
zwe!CcNA%kJz{pnu+c+5Mn2a1ed3x&>9>7TFcfJlsj(hgj4HrIeN%z8Ozqss!J5E~o
zFKchKo2aP5B~!Qj<knA=pZ@Davu)|K-*LX!KkNM|Pj39t9nb%5*0dYmxFIL=Q&(So
z^uJ!-c%}F4x1RaoolNH4^|x%k&cANfp{sVz?m6-?;_ia@=!yQzmiL}_((0XOAEo(s
z@8E9g{p%rX9^xP24miRyJ-ckt)R+1$`Tm*WvQut5e)ZN{<MVB1A@QEcJr5_AKl0Sv
z-0Kg8dV4=)es}1{Cga@to?{B@n0GGqZvNYsGq+4!pWgA#%5CYuH9N0aw+sE*Io!@*
z5PRXyL*}DS>iknyz4!3m3l?`>_Rg*ARt?INuUYxVddKCd6U_&GxbfK)@7+^gJ8$s~
z|Nh}!fFt(;j%;q@NJr;b0GR~P`(FYOU51PnBWgxWRvkbrV3;8E(<=T~=J0KJ@#e)h
zPg`*DpO2yf?@Zc#a^sxdcdXY%z2SG)&-=lvpLyhurrfd!>HOQ=Ri6f?y?7?}vkjj;
z|J1;hOLDWG+kEevM;!a`g3GRM9(X;q{=}CK>oYz5$V}#$+0ye*&MSZPy%{f`dCC=g
zkDho>_#)<e2kj9oix2f28lS)A(oa6V^6F;;_dFB}h!;)$Rre=P-@2l^P`rC}2Xety
z$Fno9I{t$mdfDMmeDTa(znQW9<Rkz1^znBc_lpl_&X{n?0e37sY-Q!;{)7IUI_#Fs
zrAw$#_@Ubj*p^Q}f1~(^w>NvqGZuJrfuCSMc%+g#;NY{d^Gxg3+=0a2O>`MA$ZWZ2
z{;O&AOY!9Nee|~4HKy6=Yqd+C>}})4U`G=uSZ%z;236Y+K}Ie9SK`N5lJb=m20L_e
zI={PXuwyEW*ag1{BdlOj2eM`_a_lhXbaoupA|UF1S6h=h*zidMvgYBD%ALrXyANNp
zC770_WS&oV18c5iB(<9#y_MMwu0=B6=q@JVMr?OdRjW!`?bbcmVx`??0NSMWU%p!(
z1Kj5n&|4M03dyq24NkWL4e|nbV|hW+uez$;g@Nv>nqDz(pke{q>VrYek@0mRUo0p2
z3V3FEpOtn9VC6ol*`h%wSvPun>sxnUaK+9Kv@7=3UeFN#LkrG5``jZo9#8e{z4?k0
zez@YLJAU+?Z4Z2?Uh&=w!px@|e)G2LR()3gGWW!kcTcyUy*||aqV1789=zN?J@;kL
zzvDMen)dxUCq!l)Re5pi`o-U+Hosh0@|Sm>-&))?lYD*YQ+t&9?!VqOXU@-dp0UXC
z)X^_*pZUk!OV=$~JnNHdZ@oxebLwM9oH)&J$(^4PuJ=#1U47_B#~&khuQO#oIcV_N
zSKrxe_$-t?QTQ!y(mpwE%8JN4J7zANvEv?fp8u}x)-xYEFTDMxjlVJCpKp7)boCk6
z2Dct@|Bvw{-#Pa2ne*>vt~{B4!gJP~z|YscyyMM(KR0bk-|f}vLUge6Tx76w4cx9q
z&ip@N8e@F6(aYVN*6c*)j(Bj>CZY$76sB|_M~)PxO+sh3oGe?5F<IbZGO~E|YZnTX
z`P>DZ^YQ8jADItbzan&>cgG`H<|1VIXeBdxBy#wei{;mjVawn*A;HnAGf@(8Ak!yL
zZQo9xI0Y1W__?#QbHZ65Vx#4b6ObwG>*`a+zh5?15@85X(h0Y1fBq`@tzW%0_qN*A
z!c{rt(}8I_?l1h5p7!ys40+$--`()m?Yr<Ncinm*J@tf*mtOpasy?w*{tTV+vFA^l
zR=hCd_dnWgdGU}L+pg$4=jL-?xaN${?oOR`{Ywj<-ZpQ;f){^&{^K`2{OVTkU7z0j
z;;)}3SL}K34;%0N)Omii=ipbx+artb-JO2shHY!Rd~*{oAAayF+Er_&ytiT3Y|C{Y
z--fR3NWFgJgKy1Sa{Ny}z3sxa8<+2>ThM;v)90OZ!3yfv+a7nl`uBr<jrSjYw6oqj
zGd%mTiaYtsfmdQ1=02$emjCuo2Vc4TvhDL$UpQ&m><f1tY<cU+j<tI~H$S@hyXMPN
U|LXqN7pHIi!~N?X?{QrAKN#{QX8-^I

literal 0
HcmV?d00001

diff --git a/spec/lib/gitlab/ci/secure_files/mobile_provision_spec.rb b/spec/lib/gitlab/ci/secure_files/mobile_provision_spec.rb
new file mode 100644
index 00000000000..fb382174c64
--- /dev/null
+++ b/spec/lib/gitlab/ci/secure_files/mobile_provision_spec.rb
@@ -0,0 +1,149 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Gitlab::Ci::SecureFiles::MobileProvision do
+  context 'when the supplied profile cannot be parsed' do
+    context 'when the supplied certificate cannot be parsed' do
+      let(:invalid_profile) { described_class.new('xyzabc') }
+
+      describe '#decoded_plist' do
+        it 'assigns the error message and returns nil' do
+          expect(invalid_profile.decoded_plist).to be nil
+          expect(invalid_profile.error).to eq('Could not parse the PKCS7: not enough data')
+        end
+      end
+
+      describe '#properties' do
+        it 'returns nil' do
+          expect(invalid_profile.properties).to be_nil
+        end
+      end
+
+      describe '#metadata' do
+        it 'returns an empty hash' do
+          expect(invalid_profile.metadata).to eq({})
+        end
+      end
+
+      describe '#expires_at' do
+        it 'returns nil' do
+          expect(invalid_profile.metadata[:expires_at]).to be_nil
+        end
+      end
+    end
+  end
+
+  context 'when the supplied profile can be parsed' do
+    let(:sample_file) { fixture_file('ci_secure_files/sample.mobileprovision') }
+    let(:subject) { described_class.new(sample_file) }
+
+    describe '#decoded_plist' do
+      it 'returns an XML string' do
+        expect(subject.decoded_plist.class).to be(String)
+        expect(subject.decoded_plist.starts_with?('<?xml version="1.0"')).to be true
+      end
+    end
+
+    describe '#properties' do
+      it 'returns the property list of the decoded plist provided' do
+        expect(subject.properties.class).to be(Hash)
+        expect(subject.properties.keys).to match_array(%w[AppIDName ApplicationIdentifierPrefix CreationDate
+                                                          Platform IsXcodeManaged DeveloperCertificates
+                                                          DER-Encoded-Profile PPQCheck Entitlements ExpirationDate
+                                                          Name ProvisionedDevices TeamIdentifier TeamName
+                                                          TimeToLive UUID Version])
+      end
+
+      it 'returns nil if the property list fails to be parsed from the decoded plist' do
+        allow(subject).to receive(:decoded_plist).and_return('foo/bar')
+        expect(subject.properties).to be nil
+        expect(subject.error).to start_with('invalid XML')
+      end
+    end
+
+    describe '#metadata' do
+      it 'returns a hash with the expected keys' do
+        expect(subject.metadata.keys).to match_array([:id, :expires_at, :app_id, :app_id_prefix, :app_name,
+                                                      :certificate_ids, :devices, :entitlements, :platforms,
+                                                      :team_id, :team_name, :xcode_managed])
+      end
+    end
+
+    describe '#id' do
+      it 'returns the profile UUID' do
+        expect(subject.metadata[:id]).to eq('6b9fcce1-b9a9-4b37-b2ce-ec4da2044abf')
+      end
+    end
+
+    describe '#expires_at' do
+      it 'returns the expiration timestamp of the profile' do
+        expect(subject.metadata[:expires_at].utc).to eq('2023-08-01 23:15:13 UTC')
+      end
+    end
+
+    describe '#platforms' do
+      it 'returns the platforms assigned to the profile' do
+        expect(subject.metadata[:platforms]).to match_array(['iOS'])
+      end
+    end
+
+    describe '#team_name' do
+      it 'returns the team name in the profile' do
+        expect(subject.metadata[:team_name]).to eq('Darby Frey')
+      end
+    end
+
+    describe '#team_id' do
+      it 'returns the team ids in the profile' do
+        expect(subject.metadata[:team_id]).to match_array(['N7SYAN8PX8'])
+      end
+    end
+
+    describe '#app_name' do
+      it 'returns the app name in the profile' do
+        expect(subject.metadata[:app_name]).to eq('iOS Demo')
+      end
+    end
+
+    describe '#app_id' do
+      it 'returns the app id in the profile' do
+        expect(subject.metadata[:app_id]).to eq('match Development com.gitlab.ios-demo')
+      end
+    end
+
+    describe '#app_id_prefix' do
+      it 'returns the app id prefixes in the profile' do
+        expect(subject.metadata[:app_id_prefix]).to match_array(['N7SYAN8PX8'])
+      end
+    end
+
+    describe '#xcode_managed' do
+      it 'returns the xcode_managed property in the profile' do
+        expect(subject.metadata[:xcode_managed]).to be false
+      end
+    end
+
+    describe '#entitlements' do
+      it 'returns the entitlements in the profile' do
+        expect(subject.metadata[:entitlements].keys).to match_array(['application-identifier',
+                                                                     'com.apple.developer.game-center',
+                                                                     'com.apple.developer.team-identifier',
+                                                                     'get-task-allow',
+                                                                     'keychain-access-groups'])
+      end
+    end
+
+    describe '#devices' do
+      it 'returns the devices attached to the profile' do
+        expect(subject.metadata[:devices]).to match_array(["00008101-001454860C10001E"])
+      end
+    end
+
+    describe '#certificate_ids' do
+      it 'returns the certificate ids attached to the profile' do
+        expect(subject.metadata[:certificate_ids]).to match_array(["23380136242930206312716563638445789376"])
+      end
+    end
+  end
+end
diff --git a/spec/models/ci/secure_file_spec.rb b/spec/models/ci/secure_file_spec.rb
index 81caae8ac09..20f64d40865 100644
--- a/spec/models/ci/secure_file_spec.rb
+++ b/spec/models/ci/secure_file_spec.rb
@@ -117,6 +117,11 @@ RSpec.describe Ci::SecureFile do
       expect(file.metadata_parser).to be_an_instance_of(Gitlab::Ci::SecureFiles::P12)
     end
 
+    it 'returns an instance of Gitlab::Ci::SecureFiles::MobileProvision when a .mobileprovision file is supplied' do
+      file = build(:ci_secure_file, name: 'file1.mobileprovision')
+      expect(file.metadata_parser).to be_an_instance_of(Gitlab::Ci::SecureFiles::MobileProvision)
+    end
+
     it 'returns nil when the file type is not supported by any parsers' do
       file = build(:ci_secure_file, name: 'file1.foo')
       expect(file.metadata_parser).to be nil