Add latest changes from gitlab-org/gitlab@master

8 files changed, 249 insertions, 1 deletions

diff --git a/Gemfile b/Gemfile
index ac38fbfd530..d4fc7e03d5a 100644
--- a/Gemfile
+++ b/Gemfile
@@ -579,3 +579,6 @@ gem 'cvss-suite', '~> 3.0.1', require: 'cvss_suite'
 
 # Work with RPM packages
 gem 'arr-pm', '~> 0.0.12'
+
+# Apple plist parsing
+gem 'CFPropertyList'
diff --git a/Gemfile.checksum b/Gemfile.checksum
index a258da072f5..cbb692d81c8 100644
--- a/Gemfile.checksum
+++ b/Gemfile.checksum
@@ -1,4 +1,5 @@
 [
+{"name":"CFPropertyList","version":"3.0.5","platform":"ruby","checksum":"a78551cd4768d78ebca98488c27e33652ef818be64697a54676d34e6434674a4"},
 {"name":"RedCloth","version":"4.3.2","platform":"ruby","checksum":"1ee7bc55c8dcec92cf7741a2132a9a6cd19e4b884fbc1b3aca23e1a4fcd92d55"},
 {"name":"acme-client","version":"2.0.11","platform":"ruby","checksum":"edf6da9f3c5dbe3ab0c6738eb3b97978b7a60e3500445480d2a72fcc610089de"},
 {"name":"actioncable","version":"6.1.6.1","platform":"ruby","checksum":"11f079141cf032026881e4a79ae0cc93753351089c1b6ca1ed30a8a6a21f961b"},
diff --git a/Gemfile.lock b/Gemfile.lock
index 4f62d212ab8..550dce622a1 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -85,6 +85,8 @@ PATH
 GEM
   remote: https://rubygems.org/
   specs:
+    CFPropertyList (3.0.5)
+      rexml
     RedCloth (4.3.2)
     acme-client (2.0.11)
       faraday (>= 1.0, < 3.0.0)
@@ -1532,6 +1534,7 @@ PLATFORMS
   ruby
 
 DEPENDENCIES
+  CFPropertyList
   RedCloth (~> 4.3.2)
   acme-client (~> 2.0)
   activerecord-explain-analyze (~> 0.1)
diff --git a/app/models/ci/secure_file.rb b/app/models/ci/secure_file.rb
index d9e717df1d0..ffff7eebbee 100644
--- a/app/models/ci/secure_file.rb
+++ b/app/models/ci/secure_file.rb
@@ -7,7 +7,7 @@ module Ci
 
     FILE_SIZE_LIMIT = 5.megabytes.freeze
     CHECKSUM_ALGORITHM = 'sha256'
-    PARSABLE_EXTENSIONS = %w[cer p12].freeze
+    PARSABLE_EXTENSIONS = %w[cer p12 mobileprovision].freeze
 
     self.limit_scope = :project
     self.limit_name = 'project_ci_secure_files'
@@ -51,6 +51,8 @@ module Ci
         Gitlab::Ci::SecureFiles::Cer.new(file.read)
       when 'p12'
         Gitlab::Ci::SecureFiles::P12.new(file.read)
+      when 'mobileprovision'
+        Gitlab::Ci::SecureFiles::MobileProvision.new(file.read)
       end
     end
 
diff --git a/lib/gitlab/ci/secure_files/mobile_provision.rb b/lib/gitlab/ci/secure_files/mobile_provision.rb
new file mode 100644
index 00000000000..4ea74e20310
--- /dev/null
+++ b/lib/gitlab/ci/secure_files/mobile_provision.rb
@@ -0,0 +1,85 @@
+# frozen_string_literal: true
+require 'cfpropertylist'
+
+module Gitlab
+  module Ci
+    module SecureFiles
+      class MobileProvision
+        include Gitlab::Utils::StrongMemoize
+
+        attr_reader :error
+
+        def initialize(filedata)
+          @filedata = filedata
+        end
+
+        def decoded_plist
+          p7 = OpenSSL::PKCS7.new(@filedata)
+          p7.verify(nil, OpenSSL::X509::Store.new, nil, OpenSSL::PKCS7::NOVERIFY)
+          p7.data
+        rescue ArgumentError, OpenSSL::PKCS7::PKCS7Error => err
+          @error = err.to_s
+          nil
+        end
+        strong_memoize_attr :decoded_plist
+
+        def properties
+          list = CFPropertyList::List.new(data: decoded_plist, format: CFPropertyList::List::FORMAT_XML).value
+          CFPropertyList.native_types(list)
+        rescue CFFormatError, CFPlistError, CFTypeError => err
+          @error = err.to_s
+          nil
+        end
+        strong_memoize_attr :properties
+
+        def metadata
+          return {} unless properties
+
+          {
+            id: id,
+            expires_at: expires_at,
+            platforms: properties["Platform"],
+            team_name: properties['TeamName'],
+            team_id: properties['TeamIdentifier'],
+            app_name: properties['AppIDName'],
+            app_id: properties['Name'],
+            app_id_prefix: properties['ApplicationIdentifierPrefix'],
+            xcode_managed: properties['IsXcodeManaged'],
+            entitlements: properties['Entitlements'],
+            devices: properties['ProvisionedDevices'],
+            certificate_ids: certificate_ids
+          }
+        end
+        strong_memoize_attr :metadata
+
+        private
+
+        def id
+          properties['UUID']
+        end
+
+        def expires_at
+          properties['ExpirationDate']
+        end
+
+        def certificate_ids
+          return [] if developer_certificates.empty?
+
+          developer_certificates.map { |c| c.metadata[:id] }
+        end
+
+        def developer_certificates
+          certificates = properties['DeveloperCertificates']
+          return if certificates.empty?
+
+          certs = []
+          certificates.each_with_object([]) do |cert, obj|
+            certs << Cer.new(cert)
+          end
+
+          certs
+        end
+      end
+    end
+  end
+end
diff --git a/spec/fixtures/ci_secure_files/sample.mobileprovision b/spec/fixtures/ci_secure_files/sample.mobileprovision
new file mode 100644
index 00000000000..89bf7246b75
--- /dev/null
+++ b/spec/fixtures/ci_secure_files/sample.mobileprovision
diff --git a/spec/lib/gitlab/ci/secure_files/mobile_provision_spec.rb b/spec/lib/gitlab/ci/secure_files/mobile_provision_spec.rb
new file mode 100644
index 00000000000..fb382174c64
--- /dev/null
+++ b/spec/lib/gitlab/ci/secure_files/mobile_provision_spec.rb
@@ -0,0 +1,149 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Gitlab::Ci::SecureFiles::MobileProvision do
+  context 'when the supplied profile cannot be parsed' do
+    context 'when the supplied certificate cannot be parsed' do
+      let(:invalid_profile) { described_class.new('xyzabc') }
+
+      describe '#decoded_plist' do
+        it 'assigns the error message and returns nil' do
+          expect(invalid_profile.decoded_plist).to be nil
+          expect(invalid_profile.error).to eq('Could not parse the PKCS7: not enough data')
+        end
+      end
+
+      describe '#properties' do
+        it 'returns nil' do
+          expect(invalid_profile.properties).to be_nil
+        end
+      end
+
+      describe '#metadata' do
+        it 'returns an empty hash' do
+          expect(invalid_profile.metadata).to eq({})
+        end
+      end
+
+      describe '#expires_at' do
+        it 'returns nil' do
+          expect(invalid_profile.metadata[:expires_at]).to be_nil
+        end
+      end
+    end
+  end
+
+  context 'when the supplied profile can be parsed' do
+    let(:sample_file) { fixture_file('ci_secure_files/sample.mobileprovision') }
+    let(:subject) { described_class.new(sample_file) }
+
+    describe '#decoded_plist' do
+      it 'returns an XML string' do
+        expect(subject.decoded_plist.class).to be(String)
+        expect(subject.decoded_plist.starts_with?('<?xml version="1.0"')).to be true
+      end
+    end
+
+    describe '#properties' do
+      it 'returns the property list of the decoded plist provided' do
+        expect(subject.properties.class).to be(Hash)
+        expect(subject.properties.keys).to match_array(%w[AppIDName ApplicationIdentifierPrefix CreationDate
+                                                          Platform IsXcodeManaged DeveloperCertificates
+                                                          DER-Encoded-Profile PPQCheck Entitlements ExpirationDate
+                                                          Name ProvisionedDevices TeamIdentifier TeamName
+                                                          TimeToLive UUID Version])
+      end
+
+      it 'returns nil if the property list fails to be parsed from the decoded plist' do
+        allow(subject).to receive(:decoded_plist).and_return('foo/bar')
+        expect(subject.properties).to be nil
+        expect(subject.error).to start_with('invalid XML')
+      end
+    end
+
+    describe '#metadata' do
+      it 'returns a hash with the expected keys' do
+        expect(subject.metadata.keys).to match_array([:id, :expires_at, :app_id, :app_id_prefix, :app_name,
+                                                      :certificate_ids, :devices, :entitlements, :platforms,
+                                                      :team_id, :team_name, :xcode_managed])
+      end
+    end
+
+    describe '#id' do
+      it 'returns the profile UUID' do
+        expect(subject.metadata[:id]).to eq('6b9fcce1-b9a9-4b37-b2ce-ec4da2044abf')
+      end
+    end
+
+    describe '#expires_at' do
+      it 'returns the expiration timestamp of the profile' do
+        expect(subject.metadata[:expires_at].utc).to eq('2023-08-01 23:15:13 UTC')
+      end
+    end
+
+    describe '#platforms' do
+      it 'returns the platforms assigned to the profile' do
+        expect(subject.metadata[:platforms]).to match_array(['iOS'])
+      end
+    end
+
+    describe '#team_name' do
+      it 'returns the team name in the profile' do
+        expect(subject.metadata[:team_name]).to eq('Darby Frey')
+      end
+    end
+
+    describe '#team_id' do
+      it 'returns the team ids in the profile' do
+        expect(subject.metadata[:team_id]).to match_array(['N7SYAN8PX8'])
+      end
+    end
+
+    describe '#app_name' do
+      it 'returns the app name in the profile' do
+        expect(subject.metadata[:app_name]).to eq('iOS Demo')
+      end
+    end
+
+    describe '#app_id' do
+      it 'returns the app id in the profile' do
+        expect(subject.metadata[:app_id]).to eq('match Development com.gitlab.ios-demo')
+      end
+    end
+
+    describe '#app_id_prefix' do
+      it 'returns the app id prefixes in the profile' do
+        expect(subject.metadata[:app_id_prefix]).to match_array(['N7SYAN8PX8'])
+      end
+    end
+
+    describe '#xcode_managed' do
+      it 'returns the xcode_managed property in the profile' do
+        expect(subject.metadata[:xcode_managed]).to be false
+      end
+    end
+
+    describe '#entitlements' do
+      it 'returns the entitlements in the profile' do
+        expect(subject.metadata[:entitlements].keys).to match_array(['application-identifier',
+                                                                     'com.apple.developer.game-center',
+                                                                     'com.apple.developer.team-identifier',
+                                                                     'get-task-allow',
+                                                                     'keychain-access-groups'])
+      end
+    end
+
+    describe '#devices' do
+      it 'returns the devices attached to the profile' do
+        expect(subject.metadata[:devices]).to match_array(["00008101-001454860C10001E"])
+      end
+    end
+
+    describe '#certificate_ids' do
+      it 'returns the certificate ids attached to the profile' do
+        expect(subject.metadata[:certificate_ids]).to match_array(["23380136242930206312716563638445789376"])
+      end
+    end
+  end
+end
diff --git a/spec/models/ci/secure_file_spec.rb b/spec/models/ci/secure_file_spec.rb
index 81caae8ac09..20f64d40865 100644
--- a/spec/models/ci/secure_file_spec.rb
+++ b/spec/models/ci/secure_file_spec.rb
@@ -117,6 +117,11 @@ RSpec.describe Ci::SecureFile do
       expect(file.metadata_parser).to be_an_instance_of(Gitlab::Ci::SecureFiles::P12)
     end
 
+    it 'returns an instance of Gitlab::Ci::SecureFiles::MobileProvision when a .mobileprovision file is supplied' do
+      file = build(:ci_secure_file, name: 'file1.mobileprovision')
+      expect(file.metadata_parser).to be_an_instance_of(Gitlab::Ci::SecureFiles::MobileProvision)
+    end
+
     it 'returns nil when the file type is not supported by any parsers' do
       file = build(:ci_secure_file, name: 'file1.foo')
       expect(file.metadata_parser).to be nil