Merge pull request #1364 from jbennett/manage-secrets

Generalize handling of secrets and keys
This commit is contained in:
Maurice Parker 2019-11-27 16:54:24 -06:00 committed by GitHub
commit 748f4e64d3
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
11 changed files with 1415 additions and 42 deletions

4
.gitignore vendored
View File

@ -69,3 +69,7 @@ fastlane/Preview.html
fastlane/screenshots fastlane/screenshots
fastlane/test_output fastlane/test_output
/Shared/Secrets.swift
*.py[cod]

View File

@ -7,6 +7,7 @@
objects = { objects = {
/* Begin PBXBuildFile section */ /* Begin PBXBuildFile section */
3B3A33E7238D3D6800314204 /* Secrets.swift in Sources */ = {isa = PBXBuildFile; fileRef = 3B3A33E6238D3D6800314204 /* Secrets.swift */; };
3B826DA72385C81C00FC1ADB /* FeedWranglerAuthorizationResult.swift in Sources */ = {isa = PBXBuildFile; fileRef = 3B826D9E2385C81C00FC1ADB /* FeedWranglerAuthorizationResult.swift */; }; 3B826DA72385C81C00FC1ADB /* FeedWranglerAuthorizationResult.swift in Sources */ = {isa = PBXBuildFile; fileRef = 3B826D9E2385C81C00FC1ADB /* FeedWranglerAuthorizationResult.swift */; };
3B826DA82385C81C00FC1ADB /* FeedWranglerFeedItem.swift in Sources */ = {isa = PBXBuildFile; fileRef = 3B826D9F2385C81C00FC1ADB /* FeedWranglerFeedItem.swift */; }; 3B826DA82385C81C00FC1ADB /* FeedWranglerFeedItem.swift in Sources */ = {isa = PBXBuildFile; fileRef = 3B826D9F2385C81C00FC1ADB /* FeedWranglerFeedItem.swift */; };
3B826DA92385C81C00FC1ADB /* FeedWranglerAPICaller.swift in Sources */ = {isa = PBXBuildFile; fileRef = 3B826DA02385C81C00FC1ADB /* FeedWranglerAPICaller.swift */; }; 3B826DA92385C81C00FC1ADB /* FeedWranglerAPICaller.swift in Sources */ = {isa = PBXBuildFile; fileRef = 3B826DA02385C81C00FC1ADB /* FeedWranglerAPICaller.swift */; };
@ -219,6 +220,7 @@
/* End PBXContainerItemProxy section */ /* End PBXContainerItemProxy section */
/* Begin PBXFileReference section */ /* Begin PBXFileReference section */
3B3A33E6238D3D6800314204 /* Secrets.swift */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.swift; name = Secrets.swift; path = ../../Shared/Secrets.swift; sourceTree = "<group>"; };
3B826D9E2385C81C00FC1ADB /* FeedWranglerAuthorizationResult.swift */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.swift; path = FeedWranglerAuthorizationResult.swift; sourceTree = "<group>"; }; 3B826D9E2385C81C00FC1ADB /* FeedWranglerAuthorizationResult.swift */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.swift; path = FeedWranglerAuthorizationResult.swift; sourceTree = "<group>"; };
3B826D9F2385C81C00FC1ADB /* FeedWranglerFeedItem.swift */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.swift; path = FeedWranglerFeedItem.swift; sourceTree = "<group>"; }; 3B826D9F2385C81C00FC1ADB /* FeedWranglerFeedItem.swift */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.swift; path = FeedWranglerFeedItem.swift; sourceTree = "<group>"; };
3B826DA02385C81C00FC1ADB /* FeedWranglerAPICaller.swift */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.swift; path = FeedWranglerAPICaller.swift; sourceTree = "<group>"; }; 3B826DA02385C81C00FC1ADB /* FeedWranglerAPICaller.swift */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.swift; path = FeedWranglerAPICaller.swift; sourceTree = "<group>"; };
@ -563,6 +565,7 @@
848934EC1F62484F00CEBD24 = { 848934EC1F62484F00CEBD24 = {
isa = PBXGroup; isa = PBXGroup;
children = ( children = (
3B3A33E6238D3D6800314204 /* Secrets.swift */,
848935101F62486800CEBD24 /* Account.swift */, 848935101F62486800CEBD24 /* Account.swift */,
841974241F6DDCE4006346C4 /* AccountDelegate.swift */, 841974241F6DDCE4006346C4 /* AccountDelegate.swift */,
51BB7B83233531BC008E8144 /* AccountBehaviors.swift */, 51BB7B83233531BC008E8144 /* AccountBehaviors.swift */,
@ -773,10 +776,8 @@
buildConfigurationList = 8489350A1F62485000CEBD24 /* Build configuration list for PBXNativeTarget "Account" */; buildConfigurationList = 8489350A1F62485000CEBD24 /* Build configuration list for PBXNativeTarget "Account" */;
buildPhases = ( buildPhases = (
9E964EBB2375512300A7AF2E /* Run Script: Update OAuthAuthorizationClient+Feedly.swift */, 9E964EBB2375512300A7AF2E /* Run Script: Update OAuthAuthorizationClient+Feedly.swift */,
3B826DCF2385CE1B00FC1ADB /* Run Script: Update FeedWranglerConfig.swift */,
848934F11F62484F00CEBD24 /* Sources */, 848934F11F62484F00CEBD24 /* Sources */,
9E964EBC2375517100A7AF2E /* Run Script: Reset OAuthAuthorizationClient+Feedly.swift */, 9E964EBC2375517100A7AF2E /* Run Script: Reset OAuthAuthorizationClient+Feedly.swift */,
3B826DD02385CE9500FC1ADB /* Run Script: Reset FeedWranglerConfig.swift */,
848934F21F62484F00CEBD24 /* Frameworks */, 848934F21F62484F00CEBD24 /* Frameworks */,
848934F31F62484F00CEBD24 /* Headers */, 848934F31F62484F00CEBD24 /* Headers */,
848934F41F62484F00CEBD24 /* Resources */, 848934F41F62484F00CEBD24 /* Resources */,
@ -931,42 +932,6 @@
/* End PBXResourcesBuildPhase section */ /* End PBXResourcesBuildPhase section */
/* Begin PBXShellScriptBuildPhase section */ /* Begin PBXShellScriptBuildPhase section */
3B826DCF2385CE1B00FC1ADB /* Run Script: Update FeedWranglerConfig.swift */ = {
isa = PBXShellScriptBuildPhase;
buildActionMask = 2147483647;
files = (
);
inputFileListPaths = (
);
inputPaths = (
);
name = "Run Script: Update FeedWranglerConfig.swift";
outputFileListPaths = (
);
outputPaths = (
);
runOnlyForDeploymentPostprocessing = 0;
shellPath = /bin/sh;
shellScript = "FAILED=false\n\nif [ -z \"${FEED_WRANGLER_KEY}\" ]; then\nFAILED=true\nfi\n\nif [ \"$FAILED\" = true ]; then\necho \"Missing Feed Wrangler Key. FeedWranglerConfig.swift not changed.\"\nexit 0\nfi\n\nsed -i .tmp \"s|{FEEDWRANGLERKEY}|${FEED_WRANGLER_KEY}|g; s|{FEEDWRANGLERKEY}|${FEED_WRANGLER_KEY}|g\" \"${SRCROOT}/FeedWrangler/FeedWranglerConfig.swift\"\n\nrm -f \"${SRCROOT}/FeedWrangler/FeedWranglerConfig.swift.tmp\"\n\necho \"All Feed Wrangler env values found!\"\n\n";
};
3B826DD02385CE9500FC1ADB /* Run Script: Reset FeedWranglerConfig.swift */ = {
isa = PBXShellScriptBuildPhase;
buildActionMask = 2147483647;
files = (
);
inputFileListPaths = (
);
inputPaths = (
);
name = "Run Script: Reset FeedWranglerConfig.swift";
outputFileListPaths = (
);
outputPaths = (
);
runOnlyForDeploymentPostprocessing = 0;
shellPath = /bin/sh;
shellScript = "git checkout \"${SRCROOT}/FeedWrangler/FeedWranglerConfig.swift\"\n";
};
51C8F34C234FB14B0048ED95 /* Run Script: Verify No Build Settings */ = { 51C8F34C234FB14B0048ED95 /* Run Script: Verify No Build Settings */ = {
isa = PBXShellScriptBuildPhase; isa = PBXShellScriptBuildPhase;
buildActionMask = 2147483647; buildActionMask = 2147483647;
@ -1115,6 +1080,7 @@
9EAEC62823331C350085D7C9 /* FeedlyCategory.swift in Sources */, 9EAEC62823331C350085D7C9 /* FeedlyCategory.swift in Sources */,
3B826DAE2385C81C00FC1ADB /* FeedWranglerSubscriptionsRequest.swift in Sources */, 3B826DAE2385C81C00FC1ADB /* FeedWranglerSubscriptionsRequest.swift in Sources */,
9E964EB823754AC400A7AF2E /* OAuthAuthorizationClient+Feedly.swift in Sources */, 9E964EB823754AC400A7AF2E /* OAuthAuthorizationClient+Feedly.swift in Sources */,
3B3A33E7238D3D6800314204 /* Secrets.swift in Sources */,
9EF1B10923590E93000A486A /* FeedlyStreamIds.swift in Sources */, 9EF1B10923590E93000A486A /* FeedlyStreamIds.swift in Sources */,
84D09623217418DC00D77525 /* FeedbinTagging.swift in Sources */, 84D09623217418DC00D77525 /* FeedbinTagging.swift in Sources */,
84CAD7161FDF2E22000F0755 /* FeedbinEntry.swift in Sources */, 84CAD7161FDF2E22000F0755 /* FeedbinEntry.swift in Sources */,

View File

@ -10,7 +10,7 @@ import Foundation
enum FeedWranglerConfig { enum FeedWranglerConfig {
static let pageSize = 100 static let pageSize = 100
static let clientKey = "{FEEDWRANGLERKEY}" // Add FEED_WRANGLER_KEY = XYZ to SharedXcodeSettings/DeveloperSettings.xcconfig static let clientKey = Secrets.feedWranglerKey // Add FEED_WRANGLER_KEY = XYZ to SharedXcodeSettings/DeveloperSettings.xcconfig
static let clientPath = "https://feedwrangler.net/api/v2/" static let clientPath = "https://feedwrangler.net/api/v2/"
static let clientURL = { static let clientURL = {
URL(string: FeedWranglerConfig.clientPath)! URL(string: FeedWranglerConfig.clientPath)!

View File

@ -2890,6 +2890,7 @@
isa = PBXNativeTarget; isa = PBXNativeTarget;
buildConfigurationList = 849C647A1ED37A5D003D8FC0 /* Build configuration list for PBXNativeTarget "NetNewsWire" */; buildConfigurationList = 849C647A1ED37A5D003D8FC0 /* Build configuration list for PBXNativeTarget "NetNewsWire" */;
buildPhases = ( buildPhases = (
3B3A341B238D3FB200314204 /* Run Script: Update Secrets */,
51D6803823330CFF0097A009 /* Run Script: Update ArticleExtractorConfig.swift */, 51D6803823330CFF0097A009 /* Run Script: Update ArticleExtractorConfig.swift */,
849C645C1ED37A5D003D8FC0 /* Sources */, 849C645C1ED37A5D003D8FC0 /* Sources */,
517D2D82233A53D600FF3E35 /* Run Script: Reset ArticleExtractorConfig.swift */, 517D2D82233A53D600FF3E35 /* Run Script: Reset ArticleExtractorConfig.swift */,
@ -3509,6 +3510,24 @@
/* End PBXResourcesBuildPhase section */ /* End PBXResourcesBuildPhase section */
/* Begin PBXShellScriptBuildPhase section */ /* Begin PBXShellScriptBuildPhase section */
3B3A341B238D3FB200314204 /* Run Script: Update Secrets */ = {
isa = PBXShellScriptBuildPhase;
buildActionMask = 2147483647;
files = (
);
inputFileListPaths = (
);
inputPaths = (
);
name = "Run Script: Update Secrets";
outputFileListPaths = (
);
outputPaths = (
);
runOnlyForDeploymentPostprocessing = 0;
shellPath = /bin/sh;
shellScript = "./updateSecrets.sh\n\n";
};
515D50802326D02600EE1167 /* Run Script: Verify No Build Settings */ = { 515D50802326D02600EE1167 /* Run Script: Verify No Build Settings */ = {
isa = PBXShellScriptBuildPhase; isa = PBXShellScriptBuildPhase;
buildActionMask = 2147483647; buildActionMask = 2147483647;

View File

@ -1,10 +1,28 @@
<?xml version="1.0" encoding="UTF-8"?> <?xml version="1.0" encoding="UTF-8"?>
<Scheme <Scheme
LastUpgradeVersion = "0830" LastUpgradeVersion = "0830"
version = "1.3"> version = "1.7">
<BuildAction <BuildAction
parallelizeBuildables = "YES" parallelizeBuildables = "YES"
buildImplicitDependencies = "YES"> buildImplicitDependencies = "YES">
<PreActions>
<ExecutionAction
ActionType = "Xcode.IDEStandardExecutionActionsCore.ExecutionActionType.ShellScriptAction">
<ActionContent
title = "Run Script"
scriptText = "&quot;${PROJECT_DIR}/updateSecrets.sh&quot;&#10;">
<EnvironmentBuildable>
<BuildableReference
BuildableIdentifier = "primary"
BlueprintIdentifier = "65ED3FA2235DEF6C0081F399"
BuildableName = "NetNewsWire.app"
BlueprintName = "NetNewsWire MAS"
ReferencedContainer = "container:NetNewsWire.xcodeproj">
</BuildableReference>
</EnvironmentBuildable>
</ActionContent>
</ExecutionAction>
</PreActions>
<BuildActionEntries> <BuildActionEntries>
<BuildActionEntry <BuildActionEntry
buildForTesting = "YES" buildForTesting = "YES"

View File

@ -1,10 +1,28 @@
<?xml version="1.0" encoding="UTF-8"?> <?xml version="1.0" encoding="UTF-8"?>
<Scheme <Scheme
LastUpgradeVersion = "1100" LastUpgradeVersion = "1100"
version = "1.3"> version = "1.7">
<BuildAction <BuildAction
parallelizeBuildables = "YES" parallelizeBuildables = "YES"
buildImplicitDependencies = "YES"> buildImplicitDependencies = "YES">
<PreActions>
<ExecutionAction
ActionType = "Xcode.IDEStandardExecutionActionsCore.ExecutionActionType.ShellScriptAction">
<ActionContent
title = "Run Script"
scriptText = "&quot;${PROJECT_DIR}/updateSecrets.sh&quot;&#10;">
<EnvironmentBuildable>
<BuildableReference
BuildableIdentifier = "primary"
BlueprintIdentifier = "840D617B2029031C009BC708"
BuildableName = "NetNewsWire.app"
BlueprintName = "NetNewsWire-iOS"
ReferencedContainer = "container:NetNewsWire.xcodeproj">
</BuildableReference>
</EnvironmentBuildable>
</ActionContent>
</ExecutionAction>
</PreActions>
<BuildActionEntries> <BuildActionEntries>
<BuildActionEntry <BuildActionEntry
buildForTesting = "YES" buildForTesting = "YES"

View File

@ -1,10 +1,28 @@
<?xml version="1.0" encoding="UTF-8"?> <?xml version="1.0" encoding="UTF-8"?>
<Scheme <Scheme
LastUpgradeVersion = "1100" LastUpgradeVersion = "1100"
version = "1.3"> version = "1.7">
<BuildAction <BuildAction
parallelizeBuildables = "YES" parallelizeBuildables = "YES"
buildImplicitDependencies = "YES"> buildImplicitDependencies = "YES">
<PreActions>
<ExecutionAction
ActionType = "Xcode.IDEStandardExecutionActionsCore.ExecutionActionType.ShellScriptAction">
<ActionContent
title = "Run Script"
scriptText = "&quot;${PROJECT_DIR}/updateSecrets.sh&quot;&#10;">
<EnvironmentBuildable>
<BuildableReference
BuildableIdentifier = "primary"
BlueprintIdentifier = "849C645F1ED37A5D003D8FC0"
BuildableName = "NetNewsWire.app"
BlueprintName = "NetNewsWire"
ReferencedContainer = "container:NetNewsWire.xcodeproj">
</BuildableReference>
</EnvironmentBuildable>
</ActionContent>
</ExecutionAction>
</PreActions>
<BuildActionEntries> <BuildActionEntries>
<BuildActionEntry <BuildActionEntry
buildForTesting = "YES" buildForTesting = "YES"

53
Shared/Secrets.swift.gyb Normal file
View File

@ -0,0 +1,53 @@
// Generated by Secrets.swift.gyb
%{
import os
secrets = ['FEED_WRANGLER_KEY']
def chunks(seq, size):
return (seq[i:(i + size)] for i in range(0, len(seq), size))
def encode(string, salt):
bytes = string.encode("UTF-8")
return [ord(bytes[i]) ^ salt[i % len(salt)] for i in range(0, len(bytes))]
def snake_to_camel(snake_str):
components = snake_str.split('_')
return components[0].lower() + ''.join(x.title() for x in components[1:])
salt = [ord(byte) for byte in os.urandom(64)]
}%
enum Secrets {
% for secret in secrets:
static var ${snake_to_camel(secret)}: String {
let encoded: [UInt8] = [
% for chunk in chunks(encode(os.environ.get(secret) or "", salt), 8):
${"".join(["0x%02x, " % byte for byte in chunk])}
% end
]
return decode(encoded, salt: salt)
}
% end
%{
# custom example: static let myVariable = "${os.environ.get('MY_CUSTOM_VARIABLE')}"
}%
}
private extension Secrets {
private static let salt: [UInt8] = [
% for chunk in chunks(salt, 8):
${"".join(["0x%02x, " % byte for byte in chunk])}
% end
]
private static func decode(_ encoded: [UInt8], salt: [UInt8]) -> String {
String(decoding: encoded.enumerated().map { (offset, element) in
element ^ salt[offset % salt.count]
}, as: UTF8.self)
}
}

3
Vendor/gyb vendored Executable file
View File

@ -0,0 +1,3 @@
#!/usr/bin/env python2.7
import gyb
gyb.main()

1267
Vendor/gyb.py vendored Normal file

File diff suppressed because it is too large Load Diff

7
updateSecrets.sh Executable file
View File

@ -0,0 +1,7 @@
#!/bin/bash
find "${PROJECT_DIR}" -name '*.gyb' |
while read file; do
echo "Generating ${file%.gyb}";
"${PROJECT_DIR}/Vendor/gyb" --line-directive '' -o "${file%.gyb}" "$file";
done