#!/usr/bin/env python3
from __future__ import annotations
import json
import os
import pathlib
import shutil
from datetime import datetime
from tempfile import NamedTemporaryFile
from typing import Iterable
from typing import List
from typing import Optional
from typing import Sequence
from codemagic import cli
from codemagic.cli import Colors
from codemagic.mixins import PathFinderMixin
from codemagic.models import Certificate
class Seconds(int):
    """Integer newtype used for the keychain timeout argument (a count of seconds)."""
class Password(cli.EnvironmentArgumentValue[str]):
    """Secret string argument; every value, including the empty string, is accepted."""

    @classmethod
    def _is_valid(cls, value: str) -> bool:
        # No format constraints are imposed on keychain / certificate passwords.
        return True
class KeychainError(cli.CliAppException):
    """Raised when a `security` invocation fails or leaves the keychain in an unexpected state."""
class KeychainArgument(cli.Argument):
    """Command line arguments shared by the ``Keychain`` actions."""

    # Target keychain; omitted means the system default keychain (resolved at runtime).
    PATH = cli.ArgumentProperties(
        flags=('-p', '--path'),
        key='path',
        type=pathlib.Path,
        description=(
            'Keychain path. If not provided, the system default '
            'keychain will be used instead'
        ),
        argparse_kwargs={'required': False},
    )
    # Keychain password; defaults to the empty string so non-interactive use never prompts.
    PASSWORD = cli.ArgumentProperties(
        flags=('-pw', '--password'),
        key='password',
        type=Password,
        description='Keychain password',
        argparse_kwargs={'required': False, 'default': ''},
    )
    # Auto-lock timeout; `None` keeps the keychain unlocked indefinitely.
    TIMEOUT = cli.ArgumentProperties(
        flags=('-t', '--timeout'),
        key='timeout',
        type=Seconds,
        description='Keychain timeout in seconds, defaults to no timeout',
        argparse_kwargs={'required': False, 'default': None},
    )
    # One or more literal paths or glob patterns for PKCS#12 certificate bundles.
    CERTIFICATE_PATHS = cli.ArgumentProperties(
        flags=('-c', '--certificate'),
        key='certificate_path_patterns',
        type=pathlib.Path,
        description=(
            'Path to pkcs12 certificate. Can be either a path literal, or '
            'a glob pattern to match certificates.'
        ),
        argparse_kwargs={
            'required': False,
            'nargs': '+',
            'metavar': 'certificate-path',
            'default': (Certificate.DEFAULT_LOCATION / '*.p12',),
        },
    )
    # Password protecting the p12 bundle(s); empty by default.
    CERTIFICATE_PASSWORD = cli.ArgumentProperties(
        flags=('--certificate-password',),
        key='certificate_password',
        type=Password,
        description='Encrypted p12 certificate password',
        argparse_kwargs={'required': False, 'default': ''},
    )
    # Applications granted prompt-free access to the imported private key
    # (`security import -T`); defaults to the two signing tools only.
    ALLOWED_APPLICATIONS = cli.ArgumentProperties(
        flags=('-a', '--allow-app'),
        key='allowed_applications',
        description='Specify an application which may access the imported key without warning',
        type=pathlib.Path,
        argparse_kwargs={
            'required': False,
            'default': (pathlib.Path('codesign'), pathlib.Path('productsign')),
            'nargs': '+',
            'metavar': 'allowed-app',
        },
    )
    # Broadest access control setting (`security import -A`): any application may use the key.
    ALLOW_ALL_APPLICATIONS = cli.ArgumentProperties(
        flags=('-A', '--allow-all-applications'),
        key='allow_all_applications',
        type=bool,
        description='Allow any application to access the imported key without warning',
        argparse_kwargs={'required': False, 'action': 'store_true'},
    )
    # Tightest setting: no application is pre-authorised; mutually exclusive with -A.
    DISALLOW_ALL_APPLICATIONS = cli.ArgumentProperties(
        flags=('-D', '--disallow-all-applications'),
        key='disallow_all_applications',
        type=bool,
        description='Do not allow any applications to access the imported key without warning',
        argparse_kwargs={'required': False, 'action': 'store_true'},
    )
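@cli.common_arguments(KeychainArgument.PATH)
class Keychain(cli.CliApp, PathFinderMixin):
    """
    Utility to manage macOS keychains and certificates

    Every action shells out to the macOS ``security`` tool through
    ``self.execute`` and raises ``KeychainError`` on a non-zero exit status.
    """

    def __init__(self, path: Optional[pathlib.Path] = None, **kwargs):
        """
        :param path: Keychain to operate on. When ``None`` the system default
            keychain is resolved lazily on first access of ``self.path``.
        """
        super().__init__(**kwargs)
        self._path = path

    @property
    def path(self) -> pathlib.Path:
        """Keychain path, resolved to the system default keychain when none was given."""
        if self._path is None:
            self._path = self._get_default()
        return self._path

    @cli.action('create', KeychainArgument.PASSWORD)
    def create(self, password: Password = Password('')) -> pathlib.Path:
        """
        Create a macOS keychain, add it to the search list

        :returns: Path of the created keychain. It may differ from the path the
            instance was constructed with, see the ``-db`` suffix handling below.
        :raises KeychainError: if ``security`` fails or the keychain file does
            not exist afterwards.
        """
        self.logger.info(f'Create keychain {self.path}')
        # The password travels on the `security` command line; the obfuscate
        # pattern is passed alongside so the value can be masked in logged output.
        # NOTE(review): assumed to be what `obfuscate_patterns` is for — confirm in cli.CliApp.execute.
        process = self.execute(
            ('security', 'create-keychain', '-p', password.value, self.path),
            obfuscate_patterns=[password.value])
        if process.returncode != 0:
            raise KeychainError(f'Unable to create keychain {self.path}', process)
        if not self.path.exists():
            # In some cases `security` adds a '-db' suffix to the keychain name
            self._path = pathlib.Path(f'{self.path}-db')
        if not self.path.exists():
            raise KeychainError('Keychain was not created')
        process = self.execute(('security', 'list-keychains', '-d', 'user', '-s', 'login.keychain', self.path))
        if process.returncode != 0:
            raise KeychainError(f'Unable to add keychain {self.path} to keychain search list', process)
        # Owner read/write only: this file will hold the imported signing keys.
        os.chmod(str(self.path), 0o600)
        return self.path

    @cli.action('delete')
    def delete(self):
        """
        Delete keychains and remove them from the search list

        :raises KeychainError: if ``security delete-keychain`` fails.
        """
        self.logger.info(f'Delete keychain {self.path}')
        process = self.execute(('security', 'delete-keychain', self.path))
        if process.returncode != 0:
            raise KeychainError(f'Failed to delete keychain {self.path}', process)

    @cli.action('show-info')
    def show_info(self):
        """
        Show all settings for the keychain

        :raises KeychainError: if ``security show-keychain-info`` fails.
        """
        self.logger.info(f'Keychain {self.path} settings:')
        process = self.execute(('security', 'show-keychain-info', self.path))
        if process.returncode != 0:
            raise KeychainError(f'Failed to show information for keychain {self.path}', process)

    @cli.action('set-timeout', KeychainArgument.TIMEOUT)
    def set_timeout(self, timeout: Optional[Seconds] = None):
        """
        Set timeout settings for the keychain.
        If seconds are not provided, then no-timeout will be set

        :param timeout: Auto-lock timeout in seconds, or ``None`` to never
            lock the keychain automatically.
        :raises KeychainError: if ``security set-keychain-settings`` fails.
        """
        cmd_args = ['security', 'set-keychain-settings']
        if timeout is not None:
            # `-t` must precede the keychain path argument.
            cmd_args.extend(['-t', str(timeout)])
            self.logger.info(f'Set keychain {self.path} timeout to {timeout} seconds')
        else:
            self.logger.info(f'Set keychain {self.path} timeout to "no timeout"')
        cmd_args.append(str(self.path))
        process = self.execute(cmd_args)
        if process.returncode != 0:
            raise KeychainError(f'Unable to set timeout to the keychain {self.path}', process)

    @cli.action('lock')
    def lock(self):
        """
        Lock the specified keychain

        :raises KeychainError: if ``security lock-keychain`` fails.
        """
        self.logger.info(f'Lock keychain {self.path}')
        process = self.execute(('security', 'lock-keychain', self.path))
        if process.returncode != 0:
            # Message previously said "unlock"; this is the lock failure.
            raise KeychainError(f'Unable to lock keychain {self.path}', process)

    @cli.action('unlock', KeychainArgument.PASSWORD)
    def unlock(self, password: Password = Password('')):
        """
        Unlock the specified keychain

        :param password: Keychain password, masked in logged output via
            ``obfuscate_patterns``.
        :raises KeychainError: if ``security unlock-keychain`` fails.
        """
        self.logger.info(f'Unlock keychain {self.path}')
        process = self.execute(
            ('security', 'unlock-keychain', '-p', password.value, self.path),
            obfuscate_patterns=[password.value])
        if process.returncode != 0:
            raise KeychainError(f'Unable to unlock keychain {self.path}', process)

    @cli.action('get-default')
    def get_default(self) -> pathlib.Path:
        """
        Show the system default keychain

        :returns: Path of the system default keychain (also echoed to output).
        """
        self.logger.info('Get system default keychain')
        default = self._get_default()
        self.echo(str(default))
        return default

    def _get_default(self):
        """
        Resolve the system default keychain path via ``security default-keychain``.

        :raises KeychainError: if the command fails.
        """
        process = self.execute(('security', 'default-keychain'), show_output=False)
        if process.returncode != 0:
            raise KeychainError('Unable to get default keychain', process)
        # `security` prints the path wrapped in quotes; strip either quote style.
        cleaned = process.stdout.strip().strip('"').strip("'")
        return pathlib.Path(cleaned)

    @cli.action('make-default')
    def make_default(self):
        """
        Set the keychain as the system default keychain

        :raises KeychainError: if ``security default-keychain -s`` fails.
        """
        self.logger.info(f'Set keychain {self.path} to system default keychain')
        process = self.execute(('security', 'default-keychain', '-s', self.path))
        if process.returncode != 0:
            raise KeychainError(f'Unable to set {self.path} as default keychain', process)

    @cli.action('use-login')
    def use_login_keychain(self) -> Keychain:
        """
        Use login keychain as the default keychain

        Looks for the login keychain under ``~/Library/Keychains`` (newer
        ``-db`` name first), points this instance at it and makes it default.

        :returns: ``self`` for chaining.
        :raises KeychainError: if no login keychain file is found.
        """
        keychains_root = pathlib.Path('~/Library/Keychains/').expanduser()
        for keychain_name in ('login.keychain-db', 'login.keychain'):
            keychain_path = keychains_root / keychain_name
            if keychain_path.is_file():
                self._path = keychain_path
                break
        else:
            raise KeychainError(f'Login keychain not found from {keychains_root}')
        self.logger.info(Colors.GREEN('Use login keychain %s as system default keychain'), self.path)
        self.make_default()
        return self

    @cli.action('initialize', KeychainArgument.PASSWORD, KeychainArgument.TIMEOUT)
    def initialize(self, password: Password = Password(''), timeout: Optional[Seconds] = None) -> Keychain:
        """
        Set up the keychain to be used for code signing. Create the keychain
        at specified path with specified password with given timeout.
        Make it default and unlock it for upcoming use

        :returns: ``self`` for chaining.
        """
        if not self._path:
            # No explicit path: pick a fresh, dated keychain under the tool's directory.
            self._generate_path()
        message = f'Initialize new keychain to store code signing certificates at {self.path}'
        self.logger.info(Colors.GREEN(message))
        self.create(password)
        self.set_timeout(timeout=timeout)
        self.make_default()
        self.unlock(password)
        return self

    @cli.action('list-certificates')
    def list_code_signing_certificates(self, should_print: bool = True) -> List[Certificate]:
        """
        List available code signing certificates in specified keychain

        :param should_print: When true the certificates are also echoed as JSON.
        :returns: Certificates from the keychain for which
            ``is_code_signing_certificate()`` holds.
        """
        self.logger.info(f'List available code signing certificates in keychain {self.path}')
        all_certificates = self._find_certificates()
        certificates = [cert for cert in all_certificates if cert.is_code_signing_certificate()]
        if should_print:
            self.echo(json.dumps(certificates, sort_keys=True, indent=4))
        return certificates

    def _generate_path(self):
        """
        Pick a unique, dated keychain path under ``~/Library/codemagic-cli-tools/keychains``.

        Only the name is kept: ``NamedTemporaryFile`` removes the file again when
        the ``with`` block exits, so nothing exists at ``self._path`` until
        ``create`` runs. The path is therefore not reserved in between.
        """
        keychain_dir = pathlib.Path('~/Library/codemagic-cli-tools/keychains').expanduser()
        keychain_dir.mkdir(parents=True, exist_ok=True)
        date = datetime.now().strftime('%d-%m-%y')
        with NamedTemporaryFile(prefix=f'{date}_', suffix='.keychain-db', dir=keychain_dir) as tf:
            self._path = pathlib.Path(tf.name)

    @cli.action('add-certificates',
                KeychainArgument.CERTIFICATE_PATHS,
                KeychainArgument.CERTIFICATE_PASSWORD,
                KeychainArgument.ALLOWED_APPLICATIONS,
                KeychainArgument.ALLOW_ALL_APPLICATIONS,
                KeychainArgument.DISALLOW_ALL_APPLICATIONS)
    def add_certificates(
            self,
            certificate_path_patterns: Sequence[pathlib.Path] = KeychainArgument.CERTIFICATE_PATHS.get_default(),
            certificate_password: Password = Password(''),
            allowed_applications: Sequence[pathlib.Path] = KeychainArgument.ALLOWED_APPLICATIONS.get_default(),
            allow_all_applications: Optional[bool] = KeychainArgument.ALLOW_ALL_APPLICATIONS.get_default(),
            disallow_all_applications: Optional[bool] = KeychainArgument.DISALLOW_ALL_APPLICATIONS.get_default()):
        """
        Add p12 certificate to specified keychain

        Access to the imported private key is decided here: ``-A`` grants it to
        every application, ``-D`` to none, and otherwise only to the resolved
        ``allowed_applications`` (``-T`` entries).

        :raises KeychainError: if no certificate matches the given patterns or
            an import fails for a reason other than the item already existing.
        """
        add_for_all_apps = False
        add_for_apps: List[str] = []
        if allow_all_applications and disallow_all_applications:
            # Both flags named in the message are the ones actually in conflict
            # (the old text cited `--allow-app` instead of `--allow-all-applications`).
            raise KeychainArgument.ALLOW_ALL_APPLICATIONS.raise_argument_error(
                f'Using mutually exclusive options '
                f'{KeychainArgument.ALLOW_ALL_APPLICATIONS.flag!r} and '
                f'{KeychainArgument.DISALLOW_ALL_APPLICATIONS.flag!r}')
        elif allow_all_applications:
            add_for_all_apps = True
        elif not disallow_all_applications:
            add_for_apps = list(self._get_certificate_allowed_applications(allowed_applications))
        self.logger.info('Add certificates to keychain %s', self.path)
        certificate_paths = list(self.find_paths(*certificate_path_patterns))
        if not certificate_paths:
            raise KeychainError('Did not find any certificates from specified locations')
        for certificate_path in certificate_paths:
            self._add_certificate(certificate_path, certificate_password, add_for_all_apps, add_for_apps)

    @classmethod
    def _get_certificate_allowed_applications(
            cls, given_allowed_applications: Sequence[pathlib.Path]) -> Iterable[str]:
        """
        Resolve application names to absolute executables via ``shutil.which``.

        Default entries that are not installed are silently skipped; a
        user-supplied entry that cannot be resolved is an argument error.
        """
        for application in given_allowed_applications:
            resolved_path = shutil.which(application)
            if resolved_path is None:
                # Only raise exception if user-specified path is not present
                if application not in KeychainArgument.ALLOWED_APPLICATIONS.get_default():
                    raise KeychainArgument.ALLOWED_APPLICATIONS.raise_argument_error(
                        f'Application "{application}" does not exist or is not in PATH')
            else:
                yield str(resolved_path)

    def _add_certificate(self,
                         certificate_path: pathlib.Path,
                         certificate_password: Optional[Password] = None,
                         allow_for_all_apps: bool = False,
                         allowed_applications: Sequence[str] = tuple()):
        """
        Import one PKCS#12 bundle into the keychain with ``security import``.

        :param certificate_password: Password of the bundle; ``None`` is treated
            as the empty password.
        :param allow_for_all_apps: Pass ``-A`` (any application may use the key).
        :param allowed_applications: Executables to pass as ``-T`` entries.
        :raises KeychainError: on import failure, except when the item is
            already present in the keychain.
        """
        self.logger.info(f'Add certificate {certificate_path} to keychain {self.path}')
        # In case of no password, we need to explicitly set -P '' flag. Otherwise,
        # security tries to open an interactive dialog to prompt the user for a password,
        # which fails in non-interactive CI environment.
        if certificate_password is not None:
            obfuscate_patterns = [certificate_password.value]
        else:
            certificate_password = Password('')
            obfuscate_patterns = []
        import_cmd = [
            'security', 'import', certificate_path,
            '-f', 'pkcs12',
            '-k', self.path,
            '-P', certificate_password.value,
        ]
        if allow_for_all_apps:
            # Broadest ACL: every application can use the key without a prompt.
            import_cmd.append('-A')
        for allowed_application in allowed_applications:
            import_cmd.extend(['-T', allowed_application])
        process = self.execute(import_cmd, obfuscate_patterns=obfuscate_patterns)
        if process.returncode != 0:
            if 'The specified item already exists in the keychain' in process.stderr:
                pass  # It is fine that the certificate is already in keychain
            else:
                raise KeychainError(f'Unable to add certificate {certificate_path} to keychain {self.path}', process)

    def _find_certificates(self):
        """
        Yield every certificate stored in the keychain as a ``Certificate``.

        Parses the PEM output of ``security find-certificate -a -p``. Each
        block is cut at the END marker and decoded on its own; blocks that fail
        to parse are logged and skipped, and any trailing lines without an END
        marker are discarded.

        :raises KeychainError: if the ``security`` call fails.
        """
        process = self.execute(('security', 'find-certificate', '-a', '-p', self.path), show_output=False)
        if process.returncode != 0:
            raise KeychainError(f'Unable to list certificates from keychain {self.path}', process)
        pem_lines: List[str] = []
        for line in process.stdout.splitlines():
            pem_lines.append(line)
            if line != '-----END CERTIFICATE-----':
                continue
            # Join once per certificate instead of growing a string line by line.
            pem = '\n'.join(pem_lines) + '\n'
            pem_lines = []
            try:
                yield Certificate.from_pem(pem)
            except ValueError:
                self.logger.warning(Colors.YELLOW('Failed to read certificate from keychain'))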
# Script entry point: dispatch the selected action through the CLI framework.
if __name__ == '__main__':
    Keychain.invoke_cli()