Class: Spaceship::Client

Inherits:
Object
  • Object
Defined in:
spaceship/lib/spaceship/client.rb,
spaceship/lib/spaceship/ui.rb,
spaceship/lib/spaceship/portal/ui/select_team.rb,
spaceship/lib/spaceship/two_step_or_factor_client.rb

Overview

rubocop:disable Metrics/ClassLength

Defined Under Namespace

Classes: UserInterface

Constant Summary

PROTOCOL_VERSION =
"QH65B2"
USER_AGENT =
"Spaceship #{Fastlane::VERSION}"
AUTH_TYPES =
["sa", "hsa", "non-sa", "hsa2"]
BasicPreferredInfoError =

legacy support

Spaceship::BasicPreferredInfoError
InvalidUserCredentialsError =
Spaceship::InvalidUserCredentialsError
NoUserCredentialsError =
Spaceship::NoUserCredentialsError
ProgramLicenseAgreementUpdated =
Spaceship::ProgramLicenseAgreementUpdated
InsufficientPermissions =
Spaceship::InsufficientPermissions
UnexpectedResponse =
Spaceship::UnexpectedResponse
AppleTimeoutError =
Spaceship::AppleTimeoutError
UnauthorizedAccessError =
Spaceship::UnauthorizedAccessError
GatewayTimeoutError =
Spaceship::GatewayTimeoutError
InternalServerError =
Spaceship::InternalServerError
BadGatewayError =
Spaceship::BadGatewayError
AccessForbiddenError =
Spaceship::AccessForbiddenError


Constructor Details

#initialize(cookie: nil, current_team_id: nil, timeout: nil) ⇒ Client

Returns a new instance of Client.


# File 'spaceship/lib/spaceship/client.rb', line 197

# Sets up the cookie jar and the Faraday connection used for all requests.
#
# @param cookie [HTTP::CookieJar, nil] cookie jar to reuse; a new jar is created when nil
# @param current_team_id [Object, nil] stored unchanged in @current_team_id
# @param timeout [Integer, nil] timeout in seconds; ENV["SPACESHIP_TIMEOUT"] takes
#   precedence over it and 300 is the fallback
def initialize(cookie: nil, current_team_id: nil, timeout: nil)
  # One value serves both the request timeout and the connection-open timeout.
  timeout_seconds = (ENV["SPACESHIP_TIMEOUT"] || timeout || 300).to_i
  options = { request: { timeout: timeout_seconds, open_timeout: timeout_seconds } }

  @current_team_id = current_team_id
  @cookie = cookie || HTTP::CookieJar.new

  @client = Faraday.new(self.class.hostname, options) do |conn|
    conn.response(:json, content_type: /\bjson$/)
    conn.response(:xml, content_type: /\bxml$/)
    conn.response(:plist, content_type: /\bplist$/)
    conn.use(:cookie_jar, jar: @cookie)
    conn.use(FaradayMiddleware::RelsMiddleware)
    conn.adapter(Faraday.default_adapter)

    custom_proxy = ENV["SPACESHIP_PROXY"]
    if ENV['SPACESHIP_DEBUG']
      # Debugging only: routes traffic through a local intercepting proxy (Charles Web Proxy).
      # SECURITY: certificate verification is switched off for this connection, so the
      # credentials and session cookies sent over it are no longer protected against
      # interception. Keep SPACESHIP_DEBUG unset outside a local debugging session.
      conn.proxy = "https://127.0.0.1:8888"
      conn.ssl[:verify_mode] = OpenSSL::SSL::VERIFY_NONE
    elsif custom_proxy
      conn.proxy = custom_proxy
      # SECURITY: verification stays on for a custom proxy unless this opt-out is set;
      # prefer trusting the proxy's CA certificate over disabling verification.
      conn.ssl[:verify_mode] = OpenSSL::SSL::VERIFY_NONE if ENV["SPACESHIP_PROXY_SSL_VERIFY_NONE"]
    end

    puts("To run spaceship through a local proxy, use SPACESHIP_DEBUG") if ENV["DEBUG"]
  end
end

Instance Attribute Details

#clientObject (readonly)

Returns the value of attribute client


# File 'spaceship/lib/spaceship/client.rb', line 29

# @return [Object, nil] the connection stored in @client (built by #initialize via Faraday.new)
def client
  return @client
end

#csrf_tokensObject

Remembers the most recent CSRF tokens received in responses


# File 'spaceship/lib/spaceship/client.rb', line 676

# CSRF tokens remembered from earlier responses; #request merges them into the
# headers of every outgoing request.
#
# @return [Object, nil] whatever is currently stored in @csrf_tokens
def csrf_tokens
  return @csrf_tokens
end

#loggerObject

The logger to which all requests are logged; by default it writes to /tmp/spaceship[pid]["threadid"].log


# File 'spaceship/lib/spaceship/client.rb', line 39

# The logger that receives every request.
# NOTE(review): the documented default log location is under /tmp; confirm the file
# permissions and what the request logger redacts before relying on it on shared hosts.
#
# @return [Object, nil] whatever is currently stored in @logger
def logger
  return @logger
end

#providerObject

Returns the value of attribute provider


# File 'spaceship/lib/spaceship/client.rb', line 43

# @return [Object, nil] whatever is currently stored in @provider
def provider
  return @provider
end

#userObject

The user that is currently logged in


# File 'spaceship/lib/spaceship/client.rb', line 32

# The user that is currently logged in.
#
# @return [Object, nil] whatever is currently stored in @user
def user
  return @user
end

#user_emailObject

The email of the user that is currently logged in


# File 'spaceship/lib/spaceship/client.rb', line 35

# The email of the user that is currently logged in.
#
# @return [Object, nil] whatever is currently stored in @user_email
def user_email
  return @user_email
end

Class Method Details

.client_with_authorization_from(another_client) ⇒ Object

Instantiates a client but with a cookie derived from another client.

HACK: since the `@cookie` is not exposed, we use this hacky way of sharing the instance.


# File 'spaceship/lib/spaceship/client.rb', line 193

# Creates a new client that reuses the session of another client.
#
# HACK: `@cookie` has no public reader, so the jar is read through
# `instance_variable_get`. The jar object itself is passed on (not a copy), so both
# clients share one session: cookies stored by either one are visible to the other.
#
# @param another_client [Object] client whose `@cookie` and `team_id` are reused
# @return [Object] the newly built client
def self.client_with_authorization_from(another_client)
  shared_jar = another_client.instance_variable_get(:@cookie)
  new(cookie: shared_jar, current_team_id: another_client.team_id)
end

.hostnameObject


# File 'spaceship/lib/spaceship/client.rb', line 59

# Placeholder that always raises; the message asks implementers to provide `self.hostname`.
#
# @raise [RuntimeError] always
def self.hostname
  raise RuntimeError, "You must implement self.hostname"
end

.login(user = nil, password = nil) ⇒ Spaceship::Client

Authenticates with Apple's web services. This method has to be called once to generate a valid session. The session will automatically be used from then on.

This method will automatically use the username from the Appfile (if available) and fetch the password from the Keychain (if available)

Parameters:

  • user (String) (defaults to: nil)

    (optional): The username (usually the email address)

  • password (String) (defaults to: nil)

    (optional): The password

Returns:

Raises:

  • InvalidUserCredentialsError: raised if authentication failed


# File 'spaceship/lib/spaceship/client.rb', line 346

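# Authenticates with Apple's web services and returns the logged-in client.
#
# Builds a fresh instance and delegates to the instance-level `login`.
#
# @param user [String, nil] (optional) the username (usually the email address)
# @param password [String, nil] (optional) the password
# @return [Spaceship::Client] the new instance when the instance-level login returns a truthy value
# @raise [InvalidUserCredentialsError] when the instance-level login returns a falsy value
def self.login(user = nil, password = nil)
  instance = self.new
  if instance.login(user, password)
    instance
  else
    # Deliberately generic message: it does not echo the user name or the password.
    raise InvalidUserCredentialsError.new, "Invalid User Credentials"
  end
end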

.spaceship_session_envObject

Fetch the session cookie from the environment (if exists)


# File 'spaceship/lib/spaceship/client.rb', line 602

# Reads the serialized session cookie from the environment, if present.
# FASTLANE_SESSION is consulted first, SPACESHIP_SESSION second.
#
# The value is a session credential: anyone who can read the process environment
# or a log that echoes it can reuse the session.
#
# @return [String, nil] the first of the two variables that is set, or nil
def self.spaceship_session_env
  ENV.values_at("FASTLANE_SESSION", "SPACESHIP_SESSION").compact.first
end

Instance Method Details

#ask_for_2fa_code(text) ⇒ Object

extracted into its own method for testing


# File 'spaceship/lib/spaceship/two_step_or_factor_client.rb', line 224

# Prompts for the verification code; kept as its own method so tests can replace it.
#
# @param text [String] prompt passed on to `ask`
# @return [Object] whatever `ask` returns
def ask_for_2fa_code(text)
  entered_code = ask(text)
  entered_code
end

#choose_phone_number(opts) ⇒ Object

extracted into its own method for testing


# File 'spaceship/lib/spaceship/two_step_or_factor_client.rb', line 229

# Shows a selection menu of phone numbers; kept as its own method so tests can replace it.
#
# @param opts [Array] menu entries, splatted into `choose`
# @return [Object] whatever `choose` returns
def choose_phone_number(opts)
  menu_entries = [*opts]
  choose(*menu_entries)
end

Return the session cookie.

Returns:


# File 'spaceship/lib/spaceship/client.rb', line 264

# Serializes the session cookies held in @cookie into one string.
#
# The result carries the live session, so treat it like a password: keep it out of
# logs and build output.
#
# @return [String] every entry of @cookie converted with `to_s` and joined by ';'
def cookie
  serialized = @cookie.map { |entry| entry.to_s }
  serialized.join(';')
end

#detect_most_common_errors_and_raise_exceptions(body) ⇒ Object


# File 'spaceship/lib/spaceship/client.rb', line 737

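# Maps well-known failure responses to specific exceptions.
#
# Returns nil when none of the known patterns is found, so the caller can raise
# its own generic error.
#
# @param body [Hash, String] response body to inspect
# @raise [InsufficientPermissions] via `raise_insufficient_permission_error!`
# @raise [InternalServerError, GatewayTimeoutError, ProgramLicenseAgreementUpdated]
def detect_most_common_errors_and_raise_exceptions(body)
  messages = body["messages"]
  # "messages" may be present while its "error" entry is missing or null; probing it
  # unguarded would raise NoMethodError and hide the real failure from the caller.
  error_entry = messages ? messages["error"] : nil
  error_entry = nil unless error_entry.respond_to?(:include?)
  body_text = body.to_s

  # Check if the failure is due to missing permissions (App Store Connect)
  if error_entry && error_entry.include?("Forbidden")
    raise_insufficient_permission_error!
  elsif error_entry && error_entry.include?("insufficient privileges")
    # Passing a specific `caller_location` here to make sure we return the correct method
    # With the default location the error would say that `parse_response` is the caller
    raise_insufficient_permission_error!(caller_location: 3)
  elsif body_text.include?("Internal Server Error - Read")
    raise InternalServerError, "Received an internal server error from App Store Connect / Developer Portal, please try again later"
  elsif body_text.include?("Gateway Timeout - In read")
    raise GatewayTimeoutError, "Received a gateway timeout error from App Store Connect / Developer Portal, please try again later"
  elsif (body["userString"] || "").include?("Program License Agreement")
    raise ProgramLicenseAgreementUpdated, "#{body['userString']} Please manually log into your Apple Developer account to review and accept the updated agreement."
  end
end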

#fastlane_user_dirObject

This is a duplicate method of fastlane_core/fastlane_core.rb#fastlane_user_dir


# File 'spaceship/lib/spaceship/client.rb', line 279

# Returns the per-user `.fastlane` directory inside the home directory, creating it
# when it does not exist yet.
#
# NOTE(review): the directory is created with default permissions. It is the first
# candidate location for the persisted session cookie, so consider restricting it
# to the owning user.
#
# @return [String] absolute path of the directory
def fastlane_user_dir
  File.expand_path(File.join(Dir.home, ".fastlane")).tap do |dir|
    FileUtils.mkdir_p(dir) unless File.directory?(dir)
  end
end

#fetch_olympus_sessionObject

Get the `itctx` from the new (22nd May 2017) API endpoint “olympus”. Update (29th March 2019): olympus migrates to the new appstoreconnect API.


# File 'spaceship/lib/spaceship/client.rb', line 519

# Queries the "olympus" session endpoint and records who is logged in.
#
# Sets `user_email` when the body has a "user" entry and `provider` when it has a
# "provider" entry.
#
# @return [Boolean] true only when the response contained a provider
def fetch_olympus_session
  payload = request(:get, "https://appstoreconnect.apple.com/olympus/v1/session").body
  return false unless payload

  # The body arrives either already parsed or as a raw JSON string.
  payload = JSON.parse(payload) if payload.kind_of?(String)

  account = payload["user"]
  self.user_email = account["emailAddress"] if account

  provider_hash = payload["provider"]
  return false unless provider_hash

  self.provider = Spaceship::Provider.new(provider_hash: provider_hash)
  true
end

#fetch_program_license_agreement_messagesObject

Get contract messages from App Store Connect's “olympus” endpoint


# File 'spaceship/lib/spaceship/client.rb', line 607

# Fetches the contract messages from App Store Connect's "olympus" endpoint.
#
# @return [Array] the "message" value of every entry in the response; empty when
#   the response has no body
def fetch_program_license_agreement_messages
  payload = request(:get, "https://appstoreconnect.apple.com/olympus/v1/contractMessages").body
  return [] unless payload

  # The body arrives either already parsed or as a raw JSON string.
  payload = JSON.parse(payload) if payload.kind_of?(String)
  payload.map { |entry| entry["message"] }
end

#handle_two_factor(response, depth = 0) ⇒ Object


# File 'spaceship/lib/spaceship/two_step_or_factor_client.rb', line 103

# Completes a login that requires Two-factor Authentication.
#
# Picks how the code is delivered (preset phone number from the environment,
# automatically sent SMS, phone chosen from a menu, or trusted device), asks for the
# code, posts it to the verification endpoint and stores the session on success.
#
# @param response [Object] response of the authentication-options request; its body is
#   read for "securityCode" and "trustedPhoneNumbers"
# @param depth [Integer] number of earlier attempts; the introduction is printed only when 0
# @return [true] after the session has been stored
# @raise [Tunes::Error] when SPACESHIP_2FA_SMS_DEFAULT_PHONE_NUMBER is set but empty
def handle_two_factor(response, depth = 0)
  if depth == 0
    puts("Two-factor Authentication (6 digits code) is enabled for account '#{self.user}'")
    puts("More information about Two-factor Authentication: https://support.apple.com/en-us/HT204915")
    puts("")

    two_factor_url = "https://github.com/fastlane/fastlane/tree/master/spaceship#2-step-verification"
    puts("If you're running this in a non-interactive session (e.g. server or CI)")
    puts("check out #{two_factor_url}")
  end

  # "verification code" has already been pushed to devices

  security_code = response.body["securityCode"]
  # "securityCode": {
  #   "length": 6,
  #   "tooManyCodesSent": false,
  #   "tooManyCodesValidated": false,
  #   "securityCodeLocked": false
  # },
  code_length = security_code["length"]

  puts("")
  env_2fa_sms_default_phone_number = ENV["SPACESHIP_2FA_SMS_DEFAULT_PHONE_NUMBER"]

  if env_2fa_sms_default_phone_number
    raise Tunes::Error.new, "Environment variable SPACESHIP_2FA_SMS_DEFAULT_PHONE_NUMBER is set, but empty." if env_2fa_sms_default_phone_number.empty?

    puts("Environment variable `SPACESHIP_2FA_SMS_DEFAULT_PHONE_NUMBER` is set, automatically requesting 2FA token via SMS to that number")
    # NOTE(review): this prints the full configured phone number to stdout, which on CI
    # ends up in the build log; consider masking it.
    puts("SPACESHIP_2FA_SMS_DEFAULT_PHONE_NUMBER = #{env_2fa_sms_default_phone_number}")
    puts("")

    phone_number = env_2fa_sms_default_phone_number
    phone_id = phone_id_from_number(response.body["trustedPhoneNumbers"], phone_number)
    # don't request sms if no trusted devices and env default is the only trusted number,
    # code was automatically sent
    should_request_code = !sms_automatically_sent(response)
    code_type = 'phone'
    body = request_two_factor_code_from_phone(phone_id, phone_number, code_length, should_request_code)
  elsif sms_automatically_sent(response) # sms fallback, code was automatically sent
    fallback_number = response.body["trustedPhoneNumbers"].first
    phone_number = fallback_number["numberWithDialCode"]
    phone_id = fallback_number["id"]

    code_type = 'phone'
    body = request_two_factor_code_from_phone(phone_id, phone_number, code_length, false)
  elsif sms_fallback(response) # sms fallback but code wasn't sent because there is more than one phone number
    code_type = 'phone'
    body = request_two_factor_code_from_phone_choose(response.body["trustedPhoneNumbers"], code_length)
  else
    puts("(Input `sms` to escape this prompt and select a trusted phone number to send the code as a text message)")
    puts("")
    puts("(You can also set the environment variable `SPACESHIP_2FA_SMS_DEFAULT_PHONE_NUMBER` to automate this)")
    puts("(Read more at: https://github.com/fastlane/fastlane/blob/master/spaceship/docs/Authentication.md#auto-select-sms-via-spaceship_2fa_sms_default_phone_number)")
    puts("")

    code = ask_for_2fa_code("Please enter the #{code_length} digit code:")
    code_type = 'trusteddevice'
    body = { "securityCode" => { "code" => code.to_s } }.to_json

    # User exited by entering `sms` and wants to choose phone number for SMS
    if code == 'sms'
      code_type = 'phone'
      body = request_two_factor_code_from_phone_choose(response.body["trustedPhoneNumbers"], code_length)
    end
  end

  puts("Requesting session...")

  # Send "verification code" back to server to get a valid session
  r = request(:post) do |req|
    req.url("https://idmsa.apple.com/appleauth/auth/verify/#{code_type}/securitycode")
    req.headers['Content-Type'] = 'application/json'
    req.body = body
    update_request_headers(req)
  end

  begin
    # we use `Spaceship::TunesClient.new.handle_itc_response`
    # since this might be from the Dev Portal, but for 2 factor
    Spaceship::TunesClient.new.handle_itc_response(r.body) # this will fail if the code is invalid
  rescue => ex
    # If the code was entered wrong
    # {
    #   "service_errors": [{
    #     "code": "-21669",
    #     "title": "Incorrect Verification Code",
    #     "message": "Incorrect verification code."
    #   }],
    #   "hasError": true
    # }

    # A wrong code is recognised by the exception text and answered by asking again.
    # NOTE(review): `depth` is only counted, never capped here, so the number of
    # attempts is limited only by what the server allows before locking the code.
    if ex.to_s.include?("verification code") # to have a nicer output
      puts("Error: Incorrect verification code")
      depth += 1
      return handle_two_factor(response, depth)
    end

    raise ex
  end

  store_session

  return true
end

#handle_two_step(response) ⇒ Object


# File 'spaceship/lib/spaceship/two_step_or_factor_client.rb', line 26

# Starts Two-step Verification: lets the user pick a trusted device and continues
# with `handle_two_step_for_device`.
#
# @param response [Object] response whose body lists "trustedDevices"
# @raise [Tunes::Error] when the body reports a "tooManyCodesLock"
def handle_two_step(response)
  lock_marker = response.body.fetch("securityCode", {})["tooManyCodesLock"].to_s
  unless lock_marker.empty?
    raise Tunes::Error.new, "Too many verification codes have been sent. Enter the last code you received, use one of your devices, or try again later."
  end

  puts("Two-step Verification (4 digits code) is enabled for account '#{self.user}'")
  puts("More information about Two-step Verification: https://support.apple.com/en-us/HT204152")
  puts("")

  puts("Please select a trusted device to verify your identity")
  # Each menu entry is "name<TAB>model<TAB>(id)"; entries without a model are shown as SMS.
  menu_entries = response.body["trustedDevices"].map do |device|
    kind = device['modelName'] || 'SMS'
    "#{device['name']}\t#{kind}\t(#{device['id']})"
  end
  selection = choose(*menu_entries)

  # Recover the device id from the parenthesised suffix of the selected entry.
  device_id = selection.match(/.*\t.*\t\((.*)\)/)[1]
  handle_two_step_for_device(device_id)
end

#handle_two_step_for_device(device_id) ⇒ Object

this is extracted into its own method so it can be called multiple times (see end)


# File 'spaceship/lib/spaceship/two_step_or_factor_client.rb', line 46

# Requests a verification code for one trusted device, asks the user for it and
# exchanges it for a session. Calls itself again after a wrong code.
#
# @param device_id [String] id of the trusted device; interpolated into the request URL
# @return [true] after the session has been stored
def handle_two_step_for_device(device_id)
  # Request token to device
  r = request(:put) do |req|
    req.url("https://idmsa.apple.com/appleauth/auth/verify/device/#{device_id}/securitycode")
    update_request_headers(req)
  end

  # we use `Spaceship::TunesClient.new.handle_itc_response`
  # since this might be from the Dev Portal, but for 2 step
  Spaceship::TunesClient.new.handle_itc_response(r.body)

  puts("Successfully requested notification")
  code = ask("Please enter the 4 digit code: ")
  puts("Requesting session...")

  # Send token to server to get a valid session
  r = request(:post) do |req|
    req.url("https://idmsa.apple.com/appleauth/auth/verify/device/#{device_id}/securitycode")
    req.headers['Content-Type'] = 'application/json'
    req.body = { "code" => code.to_s }.to_json
    update_request_headers(req)
  end

  begin
    Spaceship::TunesClient.new.handle_itc_response(r.body) # this will fail if the code is invalid
  rescue => ex
    # If the code was entered wrong
    # {
    #   "securityCode": {
    #     "code": "1234"
    #   },
    #   "securityCodeLocked": false,
    #   "recoveryKeyLocked": false,
    #   "recoveryKeySupported": true,
    #   "manageTrustedDevicesLinkName": "appleid.apple.com",
    #   "suppressResend": false,
    #   "authType": "hsa",
    #   "accountLocked": false,
    #   "validationErrors": [{
    #     "code": "-21669",
    #     "title": "Incorrect Verification Code",
    #     "message": "Incorrect verification code."
    #   }]
    # }
    # NOTE(review): the retry starts from the top, so every wrong code triggers a new
    # code request, and nothing here limits the number of retries.
    if ex.to_s.include?("verification code") # to have a nicer output
      puts("Error: Incorrect verification code")
      return handle_two_step_for_device(device_id)
    end

    raise ex
  end

  store_session

  return true
end

#handle_two_step_or_factor(response) ⇒ Object


# File 'spaceship/lib/spaceship/two_step_or_factor_client.rb', line 6

# Decides between Two-step Verification and Two-factor Authentication.
#
# Remembers the `x-apple-id-session-id` and `scnt` values of the login response (used
# by `update_request_headers`), fetches the authentication options and dispatches on
# their shape.
#
# @param response [Object] login response that announced the second factor
# @raise [RuntimeError] when the options contain neither trusted devices nor trusted phone numbers
def handle_two_step_or_factor(response)
  @x_apple_id_session_id = response["x-apple-id-session-id"]
  @scnt = response["scnt"]

  # get authentication options
  r = request(:get) do |req|
    req.url("https://idmsa.apple.com/appleauth/auth")
    update_request_headers(req)
  end

  # A list of trusted devices means Two-step Verification.
  two_step = r.body.kind_of?(Hash) && r.body["trustedDevices"].kind_of?(Array)
  return handle_two_step(r) if two_step

  # A list of trusted phone numbers (as hashes) means Two-factor Authentication.
  two_factor = r.body.kind_of?(Hash) && r.body["trustedPhoneNumbers"].kind_of?(Array) && r.body["trustedPhoneNumbers"].first.kind_of?(Hash)
  return handle_two_factor(r) if two_factor

  # NOTE(review): the whole response body becomes part of the error message, so
  # account details from it can end up in terminal output and CI logs.
  raise "Although response from Apple indicated activated Two-step Verification or Two-factor Authentication, spaceship didn't know how to handle this response: #{r.body}"
end

#itc_service_keyObject


# File 'spaceship/lib/spaceship/client.rb', line 539

# Returns the service key used for authentication requests.
#
# Lookup order: value memoized in @service_key, then the local cache file, then the
# App Store Connect config endpoint (whose answer is memoized and written to the cache).
#
# NOTE(review): the cache lives at a fixed path in the shared /tmp directory. Its
# content is returned as-is, without an emptiness check, and any local user can
# create the file first. Consider a per-user location with restrictive permissions.
#
# @return [String] the service key
# @raise [AppleTimeoutError] for any failure while reading or fetching the key
def itc_service_key
  return @service_key if @service_key

  # Check if we have a local cache of the key
  cache_file = "/tmp/spaceship_itc_service_key.txt"
  return File.read(cache_file) if File.exist?(cache_file)

  # Fixes issue https://github.com/fastlane/fastlane/issues/13281
  # Even though we are using https://appstoreconnect.apple.com, the service key needs to still use a
  # hostname through itunesconnect.apple.com
  config = request(:get, "https://appstoreconnect.apple.com/olympus/v1/app/config?hostname=itunesconnect.apple.com")
  @service_key = config.body["authServiceKey"].to_s

  raise "Service key is empty" if @service_key.empty?

  # Cache the key locally
  File.write(cache_file, @service_key)

  @service_key
rescue => ex
  # Every error, including the empty-key check above, is reported as a timeout.
  puts(ex.to_s)
  raise AppleTimeoutError.new, "Could not receive latest API key from App Store Connect, this might be a server issue."
end

#load_session_from_envObject


# File 'spaceship/lib/spaceship/client.rb', line 581

# Loads the session cookies from the environment into @cookie.
#
# The serialized session is written to a temporary file, because the cookie jar loads
# from a path, and the file is removed again whether or not loading succeeds.
#
# @return [nil] immediately when no session is present in the environment
# @raise [StandardError] re-raises whatever the cookie jar raised while loading
def load_session_from_env
  serialized_session = self.class.spaceship_session_env
  return if serialized_session.to_s.empty?
  puts("Loading session from environment variable") if Spaceship::Globals.verbose?

  cookie_file = Tempfile.new('cookie.yml')
  # The variable carries line breaks as the two characters "\n"; restore them.
  cookie_file.write(serialized_session.gsub("\\n", "\n"))
  cookie_file.close

  begin
    @cookie.load(cookie_file.path)
  rescue => ex
    puts("Error loading session from environment")
    puts("Make sure to pass the session in a valid format")
    raise ex
  ensure
    # Never leave the session cookie behind on disk.
    cookie_file.unlink
  end
end

#load_session_from_fileObject


# File 'spaceship/lib/spaceship/client.rb', line 567

# Loads a previously stored session from `persistent_cookie_path` into @cookie.
#
# Errors are printed and swallowed so that the caller can fall back to a normal login.
#
# NOTE(review): the file is parsed by the cookie jar's loader, and some candidate
# locations of `persistent_cookie_path` are shared temp directories. Confirm the
# loader does not deserialize arbitrary objects and that the file belongs to the
# current user.
#
# @return [Boolean] true when a cookie file existed and was loaded, false otherwise
def load_session_from_file
  cookie_file = persistent_cookie_path
  return false unless File.exist?(cookie_file)

  puts("Loading session from '#{cookie_file}'") if Spaceship::Globals.verbose?
  @cookie.load(cookie_file)
  true
rescue => ex
  puts(ex.to_s)
  puts("Continuing with normal login.")
  false
end

#login(user = nil, password = nil) ⇒ Spaceship::Client

Authenticates with Apple's web services. This method has to be called once to generate a valid session. The session will automatically be used from then on.

This method will automatically use the username from the Appfile (if available) and fetch the password from the Keychain (if available)

Parameters:

  • user (String) (defaults to: nil)

    (optional): The username (usually the email address)

  • password (String) (defaults to: nil)

    (optional): The password

Returns:

Raises:

  • InvalidUserCredentialsError: raised if authentication failed


# File 'spaceship/lib/spaceship/client.rb', line 368

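# Authenticates with Apple's web services. Has to be called once to create a valid
# session, which is then used automatically.
#
# Missing credentials are looked up through CredentialsManager::AccountManager.
#
# @param user [String, nil] (optional) the username (usually the email address)
# @param password [String, nil] (optional) the password
# @raise [NoUserCredentialsError] when user or password is still blank after the lookup
# @raise [InvalidUserCredentialsError] when authentication failed and there is no
#   stored entry to correct
def login(user = nil, password = nil)
  if user.to_s.empty? || password.to_s.empty?
    require 'credentials_manager/account_manager'

    puts("Reading keychain entry, because either user or password were empty") if Spaceship::Globals.verbose?

    keychain_entry = CredentialsManager::AccountManager.new(user: user, password: password)
    user ||= keychain_entry.user
    password = keychain_entry.password
  end

  if user.to_s.strip.empty? || password.to_s.strip.empty?
    raise NoUserCredentialsError.new, "No login data provided"
  end

  self.user = user
  # NOTE(review): the plain-text password stays in @password for the lifetime of this
  # object; make sure the instance is never dumped or inspected into logs.
  @password = password
  begin
    do_login(user, password) # calls `send_login_request` in sub class (which then will redirect back here to `send_shared_login_request`, below)
  rescue InvalidUserCredentialsError => ex
    # Without a stored entry there is nothing to correct, so the failure is final.
    raise ex unless keychain_entry

    if keychain_entry.invalid_credentials
      # Retry with the user name only, so the password is looked up again.
      login(user)
    else
      raise ex
    end
  end
end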

#page_sizeObject

The page size we want to request, defaults to 500


# File 'spaceship/lib/spaceship/client.rb', line 308

# The page size requested from paged endpoints.
#
# @return [Integer] the value stored in @page_size, set to 500 on first use
def page_size
  @page_size = 500 unless @page_size
  @page_size
end

#pagingObject

Handles the paging for you… for free. Just pass a block and use the parameter as the page number.


# File 'spaceship/lib/spaceship/client.rb', line 314

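# Collects the results of a paged request.
#
# Yields 1, 2, 3, ... to the block and concatenates what it returns until a page
# holds fewer than `page_size` entries.
#
# @yieldparam page [Integer] 1-based page number
# @yieldreturn [Array, nil] the entries of that page
# @return [Array] all entries of all pages
def paging
  page = 0
  results = []
  loop do
    page += 1
    # A page without content (nil) counts as empty; the nil guard has to come before
    # the page is appended, otherwise appending raises before the guard is reached.
    current = yield(page) || []

    results.concat(current)

    break if current.count < page_size # no more results
  end

  results
end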

#parse_response(response, expected_key = nil) ⇒ Object


# File 'spaceship/lib/spaceship/client.rb', line 702

# Extracts the payload of a response and turns known failures into exceptions.
#
# @param response [Object] response whose `body` is inspected (and modified: its
#   "userString" and "resultString" entries are HTML-unescaped in place)
# @param expected_key [String, nil] when given, only this entry of the body is returned
# @return [Object] the whole body, or the entry under `expected_key`
# @raise [UnexpectedResponse] when the body or the expected entry is missing
# @raise [InsufficientPermissions] via `raise_insufficient_permission_error!` when
#   "resultString" includes "NotAllowed"
def parse_response(response, expected_key = nil)
  content = nil
  if response.body
    # the returned error message and info is html encoded -> &quot;issued&quot; -> make this readable -> "issued"
    %w[userString resultString].each do |field|
      response.body[field] = CGI.unescapeHTML(response.body[field]) if response.body[field]
    end

    # With an `expected_key` only that entry is of interest, otherwise the whole body.
    content = expected_key ? response.body[expected_key] : response.body
  end

  if content.nil?
    detect_most_common_errors_and_raise_exceptions(response.body) if response.body
    # NOTE(review): the raw body is handed to the exception; check where that
    # exception is printed before treating the output as shareable.
    raise UnexpectedResponse, response.body
  end

  # example content when doing a Developer Portal action with not enough permission
  # => {"responseId"=>"e5013d83-c5cb-4ba0-bb62-734a8d56007f",
  #    "resultCode"=>1200,
  #    "resultString"=>"webservice.certificate.downloadNotAllowed",
  #    "userString"=>"You are not permitted to download this certificate.",
  #    "creationTimestamp"=>"2017-01-26T22:44:13Z",
  #    "protocolVersion"=>"QH65B2",
  #    "userLocale"=>"en_US",
  #    "requestUrl"=>"https://developer.apple.com/services-account/QH65B2/account/ios/certificate/downloadCertificateContent.action",
  #    "httpCode"=>200}
  not_allowed = content.kind_of?(Hash) && (content["resultString"] || "").include?("NotAllowed")
  if not_allowed
    # Called directly from this method so that the caller lookup inside
    # `raise_insufficient_permission_error!` sees the same stack depth.
    raise_insufficient_permission_error!(additional_error_string: content["userString"])
  else
    store_csrf_tokens(response)
    content
  end
end

Returns preferred path for storing cookie for two step verification.


# File 'spaceship/lib/spaceship/client.rb', line 287

# Returns the preferred path for storing the session cookie.
#
# With SPACESHIP_COOKIE_PATH set the path is
# `<SPACESHIP_COOKIE_PATH>/spaceship/<user>/cookie`. Otherwise the first candidate
# directory whose parent is accessible is used: the fastlane user directory,
# `~/.spaceship`, `/var/tmp/spaceship`, then the system temp directory.
#
# NOTE(review): the last two candidates are in shared temp locations, so a session
# cookie stored there relies entirely on file permissions. The user name is also
# used as a path segment without any sanitising.
#
# @return [String, nil] absolute cookie path, or nil when no candidate is accessible
def persistent_cookie_path
  cookie_root = ENV["SPACESHIP_COOKIE_PATH"]
  return File.expand_path(File.join(cookie_root, "spaceship", self.user, "cookie")) if cookie_root

  candidates = [File.join(self.fastlane_user_dir, "spaceship"), "~/.spaceship", "/var/tmp/spaceship", "#{Dir.tmpdir}/spaceship"]
  # A candidate qualifies when its parent directory is accessible.
  usable_dir = candidates.find do |dir|
    directory_accessible?(File.expand_path(File.split(dir).first))
  end

  usable_dir && File.expand_path(File.join(usable_dir, self.user, "cookie"))
end

#phone_id_from_masked_number(phone_numbers, masked_number) ⇒ Object


# File 'spaceship/lib/spaceship/two_step_or_factor_client.rb', line 272

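# Looks up the id of the trusted phone whose masked number equals `masked_number`.
#
# @param phone_numbers [Array<Hash>] entries with "id" and "numberWithDialCode"
# @param masked_number [String] masked number exactly as listed in `phone_numbers`
# @return [Object, nil] the "id" of the first matching entry; nil when nothing matches
#   (a bare `each` would fall through and return the whole list, which callers
#   would then send on as if it were an id)
def phone_id_from_masked_number(phone_numbers, masked_number)
  match = phone_numbers.find { |phone| phone['numberWithDialCode'] == masked_number }
  match && match['id']
end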

#phone_id_from_number(phone_numbers, phone_number) ⇒ Object

Raises:


# File 'spaceship/lib/spaceship/two_step_or_factor_client.rb', line 233

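# Finds the id of the trusted phone that matches a full phone number.
#
# Only masked numbers are available for the trusted phones (e.g. "+49 •••• •••••85"),
# so each masked number is turned into a regular expression that the full number is
# tested against.
#
# @param phone_numbers [Array<Hash>] entries with "id" and "numberWithDialCode"
# @param phone_number [String] full number, e.g. "+49 162 1234585"
# @return [Object] the "id" of the first matching entry
# @raise [Tunes::Error] when no entry matches
def phone_id_from_number(phone_numbers, phone_number)
  characters_to_remove_from_phone_numbers = ' \-()"'

  # start with e.g. +49 162 1234585 or +1-123-456-7866
  phone_number = phone_number.tr(characters_to_remove_from_phone_numbers, '')
  # cleaned: +491621234585 or +11234567866

  phone_numbers.each do |phone|
    # rubocop:disable Style/AsciiComments
    # start with: +49 •••• •••••85 or +1 (•••) •••-••66
    number_with_dialcode_masked = phone['numberWithDialCode'].tr(characters_to_remove_from_phone_numbers, '')
    # cleaned: +49•••••••••85 or +1••••••••66
    # rubocop:enable Style/AsciiComments

    # Count the masking bullets; with an empty character set `count` is always 0,
    # the pattern below never matches and no number can be found.
    maskings_count = number_with_dialcode_masked.count('•') # => 9 or 8
    pattern = /^([0-9+]{2,4})([•]{#{maskings_count}})([0-9]{2})$/
    # following regex: range from maskings_count-2 because sometimes the masked number has 1 or 2 dots more than the actual number
    # e.g. https://github.com/fastlane/fastlane/issues/14969
    replacement = "\\1([0-9]{#{maskings_count - 2},#{maskings_count}})\\3"
    number_with_dialcode_regex_part = number_with_dialcode_masked.gsub(pattern, replacement)
    # => +49([0-9]{8,9})85 or +1([0-9]{7,8})66

    # Escape the leading "+" so it is matched literally.
    backslash = '\\'
    number_with_dialcode_regex_part = backslash + number_with_dialcode_regex_part
    # NOTE(review): `^`/`$` anchor per line, not per string, and the masked number is
    # interpolated into the regex unescaped when `pattern` did not match; consider
    # `\A`/`\z` and rejecting masked numbers with an unexpected shape.
    number_with_dialcode_regex = /^#{number_with_dialcode_regex_part}$/
    # => /^\+49([0-9]{8})85$/ or /^\+1([0-9]{7,8})66$/

    return phone['id'] if phone_number =~ number_with_dialcode_regex
    # +491621234585 matches /^\+49([0-9]{8})85$/
  end

  # Handle case of phone_number not existing in phone_numbers because ENV var is wrong or matcher is broken
  raise Tunes::Error.new, %(
Could not find a matching phone number to #{phone_number} in #{phone_numbers}.
Make sure your environment variable is set to the correct phone number.
If it is, please open an issue at https://github.com/fastlane/fastlane/issues/new and include this output so we can fix our matcher. Thanks.
)
end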

#raise_insufficient_permission_error!(additional_error_string: nil, caller_location: 2) ⇒ Object

This also gets called from subclasses


# File 'spaceship/lib/spaceship/client.rb', line 755

# Raises InsufficientPermissions with a message naming the user, the team (when
# known) and the action that failed. Also called from subclasses.
#
# @param additional_error_string [String, nil] extra detail appended in parentheses
# @param caller_location [Integer] how many stack frames to skip to find the failed action
# @raise [InsufficientPermissions] always
def raise_insufficient_permission_error!(additional_error_string: nil, caller_location: 2)
  # Name of the request method that failed. "block in" shows up whenever the request
  # ran inside a paging or retry block, and "!" marks modifying methods; neither
  # belongs in the message. `sub` is used because only the first "block in" is removed.
  failing_frame = caller_locations(caller_location, 2).first
  calling_method_name = failing_frame.label.sub("block in", "").delete("!").strip

  # calling the computed property self.team_id can get us into an exception handling loop
  team_hint = @current_team_id ? "(Team ID #{@current_team_id}) " : ""

  detail = additional_error_string.to_s
  error_message = "User #{self.user} #{team_hint}doesn't have enough permission for the following action: #{calling_method_name}"
  error_message += " (#{additional_error_string})" unless detail.empty?
  raise InsufficientPermissions, error_message
end

#request(method, url_or_path = nil, params = nil, headers = {}, auto_paginate = false, &block) ⇒ Object


# File 'spaceship/lib/spaceship/client.rb', line 680

# Sends a request with the remembered CSRF tokens and the spaceship User-Agent.
#
# @param method [Symbol] HTTP method, e.g. :get or :post
# @param url_or_path [String, nil] target of the request
# @param params [Object, nil] parameters; form-encoded for :post when no block is given
# @param headers [Hash] request headers; modified in place
# @param auto_paginate [Boolean] send through `send_request_auto_paginate` instead of `send_request`
# @param block [Proc] optional block handed on to the sender for full control over the request
# @return [Object] the response returned by the sender
def request(method, url_or_path = nil, params = nil, headers = {}, auto_paginate = false, &block)
  headers.merge!(csrf_tokens)
  headers['User-Agent'] = USER_AGENT

  # Logged before encoding, so the log shows the parameters as the caller passed them.
  # NOTE(review): parameters and headers (including CSRF tokens) reach `log_request`
  # unredacted from here; confirm it masks credentials before writing to the log.
  log_request(method, url_or_path, params, headers, &block)

  # form-encode the params only if there are params, and the block is not supplied.
  # this is so that certain requests can be made using the block for more control
  form_encode = method == :post && params && block.nil?
  params, headers = encode_params(params, headers) if form_encode

  return send_request_auto_paginate(method, url_or_path, params, headers, &block) if auto_paginate

  send_request(method, url_or_path, params, headers, &block)
end

#request_two_factor_code_from_phone(phone_id, phone_number, code_length, should_request_code = true) ⇒ Object

this is used in two places: after choosing a phone number and when a phone number is set via ENV var


# File 'spaceship/lib/spaceship/two_step_or_factor_client.rb', line 291

# Optionally requests a verification SMS, then asks the user for the code.
# Used after choosing a phone number and when the number comes from the environment.
#
# @param phone_id [Object] id of the trusted phone
# @param phone_number [String] number shown in the prompts
# @param code_length [Integer] number of digits mentioned in the prompt
# @param should_request_code [Boolean] false when the SMS has already been sent
# @return [String] JSON body for the verification request
def request_two_factor_code_from_phone(phone_id, phone_number, code_length, should_request_code = true)
  phone_ref = { "id" => phone_id }

  if should_request_code
    # Request code
    r = request(:put) do |req|
      req.url("https://idmsa.apple.com/appleauth/auth/verify/phone")
      req.headers['Content-Type'] = 'application/json'
      req.body = { "phoneNumber" => phone_ref, "mode" => "sms" }.to_json
      update_request_headers(req)
    end

    # we use `Spaceship::TunesClient.new.handle_itc_response`
    # since this might be from the Dev Portal, but for 2 step
    Spaceship::TunesClient.new.handle_itc_response(r.body)

    puts("Successfully requested text message to #{phone_number}")
  end

  entered_code = ask_for_2fa_code("Please enter the #{code_length} digit code you received at #{phone_number}:")

  verification = { "securityCode" => { "code" => entered_code.to_s }, "phoneNumber" => phone_ref, "mode" => "sms" }
  verification.to_json
end

#request_two_factor_code_from_phone_choose(phone_numbers, code_length) ⇒ Object


# File 'spaceship/lib/spaceship/two_step_or_factor_client.rb', line 278

# Lets the user pick one of the trusted phone numbers, then continues with
# `request_two_factor_code_from_phone` for the chosen number.
#
# @param phone_numbers [Array<Hash>] entries are read via 'numberWithDialCode'
# @param code_length number of digits, passed through unchanged
# @return whatever `request_two_factor_code_from_phone` returns
def request_two_factor_code_from_phone_choose(phone_numbers, code_length)
  puts("Please select a trusted phone number to send code to:")

  dial_options = phone_numbers.map { |entry| entry['numberWithDialCode'] }
  selected_number = choose_phone_number(dial_options)
  selected_id = phone_id_from_masked_number(phone_numbers, selected_number)

  request_two_factor_code_from_phone(selected_id, selected_number, code_length)
end

#send_shared_login_request(user, password) ⇒ Object

This method is used for both the Apple Dev Portal and App Store Connect. It also handles 2 step verification and 2 factor authentication.

It is called from `send_login_request` in the subclasses, which the `login` method (above) reaches via `do_login`.


# File 'spaceship/lib/spaceship/client.rb', line 402

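# Shared login flow: reuses a stored session when one is still valid, otherwise
# signs in with the given credentials and hands over to the 2 step / 2 factor
# handling when the server asks for it.
#
# @param user [String] account name, sent as `accountName`
# @param password [String] sent in the JSON body of the sign-in request
# @return [true, Object] `true` when a stored session was reused or after the
#   2 step / 2 factor flow; the sign-in response itself on a plain 200
# @raise [InvalidUserCredentialsError] on a 403, on an UnauthorizedAccessError
#   from the sign-in request, or when the body contains `invalid="true"`
# @raise [AppleIDAndPrivacyAcknowledgementNeeded] on a 412 with a known auth type
# @raise [RuntimeError] when the response cookies contain "itctx"
# @raise [Tunes::Error] for any other response
def send_shared_login_request(user, password)
  # Check if we have a cached/valid session
  #
  # Background:
  # December 4th 2017 Apple introduced a rate limit - which is of course fine by itself -
  # but unfortunately also rate limits successful logins. If you call multiple tools in a
  # lane (e.g. call match 5 times), this would lock you out of the account for a while.
  # By loading existing sessions and checking if they're valid, we're sending less login requests.
  # More context on why this change was necessary https://github.com/fastlane/fastlane/pull/11108
  #
  # If there was a successful manual login before, we have a session on disk
  if load_session_from_file
    # Check if the session is still valid here
    begin
      # We use the olympus session to determine if the old session is still valid
      # As this will raise an exception if the old session has expired
      # If the old session is still valid, we don't have to do anything else in this method
      # that's why we return true
      return true if fetch_olympus_session
    rescue
      # If the `fetch_olympus_session` method raises an exception
      # we'll land here, and therefore continue doing a full login process
      # This happens if the session we loaded from the cache isn't valid any more
      # which is common, as the session automatically invalidates after x hours (we don't know x)
      # In this case we don't actually care about the exact exception, and why it was failing
      # because either way, we'll have to do a fresh login, where we do the actual error handling
      puts("Available session is not valid any more. Continuing with normal login.")
    end
  end
  #
  # The user can pass the session via environment variable (Mainly used in CI environments)
  if load_session_from_env
    # see above
    begin
      # see above
      return true if fetch_olympus_session
    rescue
      puts("Session loaded from environment variable is not valid. Continuing with normal login.")
      # see above
    end
  end
  #
  # After this point, we sure have no valid session any more and have to create a new one
  #

  data = {
    accountName: user,
    password: password,
    rememberMe: true
  }

  begin
    # The below workaround is only needed for 2 step verified machines
    # Due to escaping of cookie values we have a little workaround here
    # By default the cookie jar would generate the following header
    #   DES5c148...=HSARM.......xaA/O69Ws/CHfQ==SRVT
    # However we need the following
    #   DES5c148...="HSARM.......xaA/O69Ws/CHfQ==SRVT"
    # There is no way to get the cookie jar value with " around the value
    # so we manually modify the cookie (only this one) to be properly escaped
    # Afterwards we pass this value manually as a header
    # It's not enough to just modify @cookie, it needs to be done after self.cookie
    # as a string operation
    important_cookie = @cookie.store.entries.find { |a| a.name.include?("DES") }
    if important_cookie
      modified_cookie = self.cookie # returns a string of all cookies
      unescaped_important_cookie = "#{important_cookie.name}=#{important_cookie.value}"
      escaped_important_cookie = "#{important_cookie.name}=\"#{important_cookie.value}\""
      modified_cookie.gsub!(unescaped_important_cookie, escaped_important_cookie)
    end

    # The password travels only in this JSON body; the error messages below
    # mention the username but never the password
    response = request(:post) do |req|
      req.url("https://idmsa.apple.com/appleauth/auth/signin")
      req.body = data.to_json
      req.headers['Content-Type'] = 'application/json'
      req.headers['X-Requested-With'] = 'XMLHttpRequest'
      req.headers['X-Apple-Widget-Key'] = self.itc_service_key
      req.headers['Accept'] = 'application/json, text/javascript'
      req.headers["Cookie"] = modified_cookie if modified_cookie
    end
  rescue UnauthorizedAccessError
    raise InvalidUserCredentialsError.new, "Invalid username and password combination. Used '#{user}' as the username."
  end

  # Now we know if the login is successful or if we need to do 2 factor

  case response.status
  when 403
    raise InvalidUserCredentialsError.new, "Invalid username and password combination. Used '#{user}' as the username."
  when 200
    fetch_olympus_session
    return response
  when 409
    # 2 step/factor is enabled for this account, first handle that
    handle_two_step_or_factor(response)
    # and then get the olympus session
    fetch_olympus_session
    return true
  else
    if (response.body || "").include?('invalid="true"')
      # User Credentials are wrong
      raise InvalidUserCredentialsError.new, "Invalid username and password combination. Used '#{user}' as the username."
    elsif response.status == 412 && AUTH_TYPES.include?(response.body["authType"])
      # Need to acknowledge Apple ID and Privacy statement - https://github.com/fastlane/fastlane/issues/12577
      # Looking for status of 412 might be enough but might be safer to keep looking only at what is being reported
      raise AppleIDAndPrivacyAcknowledgementNeeded.new, "Need to acknowledge to Apple's Apple ID and Privacy statement. Please manually log into https://appleid.apple.com (or https://appstoreconnect.apple.com) to acknowledge the statement."
    elsif (response['Set-Cookie'] || "").include?("itctx")
      raise "Looks like your Apple ID is not enabled for App Store Connect, make sure to be able to login online"
    else
      # NOTE(review): the message built here contains the raw response body and the
      # raw Set-Cookie header, so cookie values end up wherever this exception is
      # printed or logged (e.g. CI output). Consider redacting cookie values.
      info = [response.body, response['Set-Cookie']]
      raise Tunes::Error.new, info.join("\n")
    end
  end
end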

#sms_automatically_sent(response) ⇒ Object

see `sms_fallback` + account has only one trusted number for receiving an sms


# File 'spaceship/lib/spaceship/two_step_or_factor_client.rb', line 219

# True-ish when the response lists exactly one trusted phone number and
# `sms_fallback` also holds for it.
#
# @param response object whose `body` is indexed by string keys
# @return `false` when the number of trusted phones is not one, otherwise the
#   result of `sms_fallback(response)`
def sms_automatically_sent(response)
  trusted_numbers = response.body["trustedPhoneNumbers"] || []
  return false unless trusted_numbers.count == 1

  sms_fallback(response)
end

#sms_fallback(response) ⇒ Object

Account is not signed into any devices that can display a verification code


# File 'spaceship/lib/spaceship/two_step_or_factor_client.rb', line 214

# Reads the "noTrustedDevices" entry of the response body.
#
# @param response object whose `body` is indexed by string keys
# @return the stored value, unchanged (nil when the key is absent from a Hash)
def sms_fallback(response)
  payload = response.body
  payload["noTrustedDevices"]
end

# File 'spaceship/lib/spaceship/client.rb', line 268

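# Writes the cookie jar to disk as YAML and returns the written content.
#
# @param path [String, nil] target file; defaults to `persistent_cookie_path`
# @return [String] the content of the file after saving
def store_cookie(path: nil)
  path ||= persistent_cookie_path
  FileUtils.mkdir_p(File.expand_path("..", path))

  # really important to specify the session to true
  # otherwise myacinfo and more won't be stored
  @cookie.save(path, :yaml, session: true)

  # The saved jar includes session cookies, so restrict the file to its owner
  # instead of keeping whatever mode the writer left behind.
  begin
    File.chmod(0o600, path)
  rescue SystemCallError
    # Best effort: the cookie is stored either way when the filesystem
    # does not support changing the mode.
  end

  return File.read(path)
end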

#store_sessionObject


# File 'spaceship/lib/spaceship/two_step_or_factor_client.rb', line 313

# Calls the 2sv "trust" endpoint and then writes the cookies to disk through
# `store_cookie`.
#
# @return whatever `store_cookie` returns
def store_session
  # If the previous request was successful, its body is actually nil.
  # It fails when the user isn't on a team on App Store Connect,
  # but it still works, so we're good.

  # Tell iTC that we are trustworthy (obviously)
  # This updates the local cookies; they probably live longer than the others.
  # Changed keys:
  # - myacinfo
  # - DES5c148586dfd451e55afb0175f62418f91
  # Only the DES value matters to us.
  trust_endpoint = "https://idmsa.apple.com/appleauth/auth/2sv/trust"
  request(:get) do |trust_request|
    trust_request.url(trust_endpoint)
    update_request_headers(trust_request)
  end
  # The request above fails if the user isn't added to a team on iTC.
  # We don't really care: it still returns the correct DES... cookie.

  self.store_cookie
end

#team_idString

Returns The currently selected Team ID.

Returns:

  • (String)

    The currently selected Team ID


# File 'spaceship/lib/spaceship/client.rb', line 128

# The currently selected team id. When none has been chosen yet, the first
# entry of `teams` is used and remembered.
#
# @return the id stored in `@current_team_id`, or the 'contentProviderId' of
#   the first team when nothing was selected before
def team_id
  unless @current_team_id
    # Tell the user that a choice is being made on their behalf
    if teams.count > 1
      puts("The current user is in #{teams.count} teams. Pass a team ID or call `select_team` to choose a team. Using the first one for now.")
    end
    @current_team_id ||= teams.first['contentProvider']['contentProviderId']
  end

  @current_team_id
end

#team_id=(team_id) ⇒ Object

Set a new team ID which will be used from now on


# File 'spaceship/lib/spaceship/client.rb', line 138

# Switches the active team after checking that the id belongs to one of the
# teams returned by `teams`, then posts the change to the web session endpoint.
#
# @param team_id id to select; compared with the known ids as a string
# @raise [Tunes::Error] when the id matches none of the available teams
def team_id=(team_id)
  # The id is checked locally first, because otherwise iTC would return the
  # following confusing error message
  #
  #     invalid content provider id
  #
  available_teams = teams.map do |entry|
    provider = entry["contentProvider"] || {}
    { team_id: provider["contentProviderId"], team_name: provider["name"] }
  end

  wanted = team_id.to_s
  known = available_teams.any? { |candidate| wanted == candidate[:team_id].to_s }

  unless known
    error_string = "Could not set team ID to '#{team_id}', only found the following available teams:\n\n#{available_teams.map { |team| "- #{team[:team_id]} (#{team[:team_name]})" }.join("\n")}\n"
    raise Tunes::Error.new, error_string
  end

  response = request(:post) do |req|
    req.url("ra/v1/session/webSession")
    session_change = {
      contentProviderId: team_id,
      dsId: user_detail_data.ds_id # https://github.com/fastlane/fastlane/issues/6711
    }
    req.body = session_change.to_json
    req.headers['Content-Type'] = 'application/json'
  end

  handle_itc_response(response.body)

  # Only remembered once the server accepted the change
  @current_team_id = team_id
end

#team_informationHash

Returns Fetches all information of the currently used team.

Returns:

  • (Hash)

    Fetches all information of the currently used team


# File 'spaceship/lib/spaceship/client.rb', line 175

# Looks up the entry of `teams` whose 'teamId' equals the current `team_id`.
#
# @return the matching team entry, or nil when there is none
def team_information
  teams.each do |candidate|
    return candidate if candidate['teamId'] == team_id
  end
  nil
end

#team_nameString

Returns Fetches name from currently used team.

Returns:

  • (String)

    Fetches name from currently used team


# File 'spaceship/lib/spaceship/client.rb', line 182

# Name of the team returned by `team_information`.
#
# @return the 'name' entry, or nil when no team information is available
def team_name
  details = team_information || {}
  details['name']
end

#teamsArray

Returns A list of all available teams.

Returns:

  • (Array)

    A list of all available teams


# File 'spaceship/lib/spaceship/client.rb', line 68

# All accounts listed under 'associatedAccounts' in `user_details_data`,
# ordered by content provider name and then by content provider id.
#
# @return [Array] the sorted account entries
def teams
  accounts = user_details_data['associatedAccounts']
  accounts.sort_by do |account|
    account['contentProvider'].values_at('name', 'contentProviderId')
  end
end

#UIObject

Public getter for all UI-related code. (`rubocop:disable Style/MethodName`)


# File 'spaceship/lib/spaceship/ui.rb', line 22

# Entry point for the UI helpers.
#
# @return a new `UserInterface` built around this client on every call
def UI
  return UserInterface.new(self)
end

#update_request_headers(req) ⇒ Object

Responsible for setting all required header attributes for the requests to succeed


# File 'spaceship/lib/spaceship/two_step_or_factor_client.rb', line 339

# Sets the four headers used by the verification requests on the given request.
#
# @param req request object exposing a writable `headers` collection
# @return the value assigned last, i.e. `@scnt`
def update_request_headers(req)
  outgoing = req.headers
  outgoing["X-Apple-Id-Session-Id"] = @x_apple_id_session_id
  outgoing["X-Apple-Widget-Key"] = self.itc_service_key
  outgoing["Accept"] = "application/json"
  outgoing["scnt"] = @scnt
end

#user_details_dataObject

Fetches the general information of the user; it is used by various methods across spaceship. Sample return value:

>
 [{"contentProvider"=>{"contentProviderId"=>11142800, "name"=>"Felix Krause", "contentProviderTypes"=>["Purple Software"], "roles"=>["Developer"], "lastLogin"=>1468784113000}],
"sessionToken"=>"contentProviderId"=>18111111, "expirationDate"=>nil, "ipAddress"=>nil,
"permittedActivities"=>
    ["UserManagementSelf",
    "GameCenterTestData",
    "AppAddonCreation"],
  "REPORT"=>
   ["UserManagementSelf",
    "AppAddonCreation"],
  "VIEW"=>
   ["TestFlightAppExternalTesterManagement",
    ...
    "HelpGeneral",
    "HelpApplicationLoader"],
"preferredCurrencyCode"=>"EUR",
"preferredCountryCode"=>nil,
"countryOfOrigin"=>"AT",
"isLocaleNameReversed"=>false,
"feldsparToken"=>nil,
"feldsparChannelName"=>nil,
"hasPendingFeldsparBindingRequest"=>false,
"isLegalUser"=>false,
"userId"=>"1771111155",
"firstname"=>"Detlef",
"lastname"=>"Mueller",
"isEmailInvalid"=>false,
"hasContractInfo"=>false,
"canEditITCUsersAndRoles"=>false,
"canViewITCUsersAndRoles"=>true,
"canEditIAPUsersAndRoles"=>false,
"transporterEnabled"=>false,
"contentProviderFeatures"=>["APP_SILOING", "PROMO_CODE_REDESIGN", ...],
"contentProviderType"=>"Purple Software",
"displayName"=>"Detlef",
"contentProviderId"=>"18742800",
"userFeatures"=>[],
"visibility"=>true,
"DYCVisibility"=>false,
"contentProvider"=>"Felix Krause",
"userName"=>"[email protected]"}


# File 'spaceship/lib/spaceship/client.rb', line 121

# Fetches the user detail document once and keeps the parsed result in
# `@_cached_user_details` for later calls.
#
# @return the 'data' part of the response as returned by `parse_response`
def user_details_data
  @_cached_user_details ||= begin
    detail_response = request(:get, '/WebObjects/iTunesConnect.woa/ra/user/detail')
    parse_response(detail_response, 'data')
  end
end

#with_retry(tries = 5, &_block) ⇒ Object


# File 'spaceship/lib/spaceship/client.rb', line 626

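# Runs the given block and retries it when one of a fixed set of errors is raised.
#
# Three groups are handled: connection/timeout/gateway/forbidden errors,
# parsing/internal server errors, and authorization errors. The first two
# simply retry; an authorization error triggers a fresh `do_login` before the
# retry, and only when `@loggedin` is set.
#
# @param tries [Integer] attempts left; decremented on every handled failure
# @return the block's return value
# @raise the handled exception once no attempts are left
# @raise [UnauthorizedAccessError] right away when the session came from the
#   session environment variable, since logging in again cannot repair it
def with_retry(tries = 5, &_block)
  return yield
rescue \
    Faraday::ConnectionFailed,
    Faraday::TimeoutError,
    BadGatewayError,
    AppleTimeoutError,
    GatewayTimeoutError,
    AccessForbiddenError => ex
  tries -= 1
  unless tries.zero?
    msg = "Timeout received: '#{ex.class}', '#{ex.message}'. Retrying after 3 seconds (remaining: #{tries})..."
    puts(msg) if Spaceship::Globals.verbose?
    logger.warn(msg)

    # No wait when a `SpecHelper` constant is defined (presumably the test suite)
    sleep(3) unless Object.const_defined?("SpecHelper")
    retry
  end
  raise ex # re-raise the exception
rescue \
    Faraday::ParsingError, # <h2>Internal Server Error</h2> with content type json
    InternalServerError => ex
  tries -= 1
  unless tries.zero?
    msg = "Internal Server Error received: '#{ex.class}', '#{ex.message}'. Retrying after 3 seconds (remaining: #{tries})..."
    puts(msg) if Spaceship::Globals.verbose?
    logger.warn(msg)

    sleep(3) unless Object.const_defined?("SpecHelper")
    retry
  end
  raise ex # re-raise the exception
rescue UnauthorizedAccessError => ex
  if @loggedin && !(tries -= 1).zero?
    msg = "Auth error received: '#{ex.class}', '#{ex.message}'. Login in again then retrying after 3 seconds (remaining: #{tries})..."
    puts(msg) if Spaceship::Globals.verbose?
    logger.warn(msg)

    if self.class.spaceship_session_env.to_s.length > 0
      raise UnauthorizedAccessError.new, "Authentication error, you passed an invalid session using the environment variable FASTLANE_SESSION or SPACESHIP_SESSION"
    end

    # Log in again with the stored credentials before the next attempt
    do_login(self.user, @password)
    sleep(3) unless Object.const_defined?("SpecHelper")
    retry
  end
  raise ex # re-raise the exception
end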