Add device-specific Certificate Providers

Reviewed By: mweststrate

Differential Revision: D33821880

fbshipit-source-id: c75c71db4d7dc680f75cf41ba2d5dad009a5fd03

desktop/flipper-server-core/src/devices/android/AndroidCertificateProvider.tsx

@@ -0,0 +1,116 @@
+/**
+ * Copyright (c) Meta Platforms, Inc. and affiliates.
+ *
+ * This source code is licensed under the MIT license found in the
+ * LICENSE file in the root directory of this source tree.
+ *
+ * @format
+ */
+
+import CertificateProvider from '../../utils/CertificateProvider';
+import {Client} from 'adbkit';
+import {KeytarManager} from '../../utils/keytar';
+import * as androidUtil from './androidContainerUtility';
+import {csrFileName} from '../../utils/certificateUtils';
+
+const logTag = 'AndroidCertificateProvider';
+
+export default class AndroidCertificateProvider extends CertificateProvider {
+  constructor(keytarManager: KeytarManager, private adb: Client) {
+    super(keytarManager);
+  }
+
+  async getTargetDeviceId(
+    appName: string,
+    appDirectory: string,
+    csr: string,
+  ): Promise<string> {
+    const devicesInAdb = await this.adb.listDevices();
+    if (devicesInAdb.length === 0) {
+      throw new Error('No Android devices found');
+    }
+    const deviceMatchList = devicesInAdb.map(async (device) => {
+      try {
+        const result = await this.androidDeviceHasMatchingCSR(
+          appDirectory,
+          device.id,
+          appName,
+          csr,
+        );
+        return {id: device.id, ...result, error: null};
+      } catch (e) {
+        console.warn(
+          `Unable to check for matching CSR in ${device.id}:${appName}`,
+          logTag,
+          e,
+        );
+        return {id: device.id, isMatch: false, foundCsr: null, error: e};
+      }
+    });
+    const devices = await Promise.all(deviceMatchList);
+    const matchingIds = devices.filter((m) => m.isMatch).map((m) => m.id);
+    if (matchingIds.length == 0) {
+      const erroredDevice = devices.find((d) => d.error);
+      if (erroredDevice) {
+        throw erroredDevice.error;
+      }
+      const foundCsrs = devices
+        .filter((d) => d.foundCsr !== null)
+        .map((d) => (d.foundCsr ? encodeURI(d.foundCsr) : 'null'));
+      console.warn(`Looking for CSR (url encoded):
+
+            ${encodeURI(this.santitizeString(csr))}
+
+            Found these:
+
+            ${foundCsrs.join('\n\n')}`);
+      throw new Error(`No matching device found for app: ${appName}`);
+    }
+    if (matchingIds.length > 1) {
+      console.warn(
+        new Error('[conn] More than one matching device found for CSR'),
+        csr,
+      );
+    }
+    return matchingIds[0];
+  }
+
+  protected async handleFSBasedDeploy(
+    destination: string,
+    filename: string,
+    contents: string,
+    csr: string,
+    appName: string,
+  ) {
+    const deviceId = await this.getTargetDeviceId(appName, destination, csr);
+    await androidUtil.push(
+      this.adb,
+      deviceId,
+      appName,
+      destination + filename,
+      contents,
+    );
+  }
+
+  private async androidDeviceHasMatchingCSR(
+    directory: string,
+    deviceId: string,
+    processName: string,
+    csr: string,
+  ): Promise<{isMatch: boolean; foundCsr: string}> {
+    const deviceCsr = await androidUtil.pull(
+      this.adb,
+      deviceId,
+      processName,
+      directory + csrFileName,
+    );
+    // Santitize both of the string before comparation
+    // The csr string extraction on client side return string in both way
+    const [sanitizedDeviceCsr, sanitizedClientCsr] = [
+      deviceCsr.toString(),
+      csr,
+    ].map((s) => this.santitizeString(s));
+    const isMatch = sanitizedDeviceCsr === sanitizedClientCsr;
+    return {isMatch: isMatch, foundCsr: sanitizedDeviceCsr};
+  }
+}

desktop/flipper-server-core/src/devices/android/androidDeviceManager.tsx

@@ -19,10 +19,24 @@ import {
   getServerPortsConfig,
   getFlipperServerConfig,
 } from '../../FlipperServerConfig';
+import AndroidCertificateProvider from './AndroidCertificateProvider';
+import {assertNotNull} from '../../comms/Utilities';
 
 export class AndroidDeviceManager {
+  private adbClient?: ADBClient;
   constructor(public flipperServer: FlipperServerImpl) {}
 
+  public get certificateProvider() {
+    assertNotNull(
+      this.adbClient,
+      'AndroidDeviceManager.certificateProvider -> missing adbClient',
+    );
+    return new AndroidCertificateProvider(
+      this.flipperServer.keytarManager,
+      this.adbClient,
+    );
+  }
+
   private createDevice(
     adbClient: ADBClient,
     device: Device,
@@ -177,6 +191,8 @@ export class AndroidDeviceManager {
         );
       }
 
+      this.adbClient = client;
+
       client
         .trackDevices()
         .then((tracker) => {

desktop/flipper-server-core/src/devices/desktop/DesktopCertificateProvider.tsx

@@ -0,0 +1,28 @@
+/**
+ * Copyright (c) Meta Platforms, Inc. and affiliates.
+ *
+ * This source code is licensed under the MIT license found in the
+ * LICENSE file in the root directory of this source tree.
+ *
+ * @format
+ */
+
+import CertificateProvider from '../../utils/CertificateProvider';
+import fs from 'fs-extra';
+
+export default class DesktopCertificateProvider extends CertificateProvider {
+  async getTargetDeviceId(): Promise<string> {
+    // TODO: Could we use some real device serial? Currently, '' corresponds to a local device.
+    // Whats if some app connects from a remote device?
+    // What if two apps connect from several different remote devices?
+    return '';
+  }
+
+  protected async handleFSBasedDeploy(
+    destination: string,
+    filename: string,
+    contents: string,
+  ) {
+    await fs.writeFile(destination + filename, contents);
+  }
+}

desktop/flipper-server-core/src/devices/ios/iOSCertificateProvider.tsx

@@ -0,0 +1,189 @@
+/**
+ * Copyright (c) Meta Platforms, Inc. and affiliates.
+ *
+ * This source code is licensed under the MIT license found in the
+ * LICENSE file in the root directory of this source tree.
+ *
+ * @format
+ */
+
+import {IdbConfig} from './idbConfig';
+import {KeytarManager} from '../../utils/keytar';
+import CertificateProvider from '../../utils/CertificateProvider';
+import iosUtil from './iOSContainerUtility';
+import fs from 'fs-extra';
+import {promisify} from 'util';
+import tmp, {DirOptions} from 'tmp';
+import {csrFileName} from '../../utils/certificateUtils';
+import path from 'path';
+
+const tmpDir = promisify(tmp.dir) as (options?: DirOptions) => Promise<string>;
+
+// eslint-disable-next-line @typescript-eslint/naming-convention
+export default class iOSCertificateProvider extends CertificateProvider {
+  constructor(keytarManager: KeytarManager, private idbConfig: IdbConfig) {
+    super(keytarManager);
+  }
+
+  async getTargetDeviceId(
+    appName: string,
+    appDirectory: string,
+    csr: string,
+  ): Promise<string> {
+    const matches = /\/Devices\/([^/]+)\//.exec(appName);
+    if (matches && matches.length == 2) {
+      // It's a simulator, the deviceId is in the filepath.
+      return matches[1];
+    }
+    const targets = await iosUtil.targets(
+      this.idbConfig.idbPath,
+      this.idbConfig.enablePhysicalIOS,
+    );
+    if (targets.length === 0) {
+      throw new Error('No iOS devices found');
+    }
+    const deviceMatchList = targets.map(async (target) => {
+      const isMatch = await this.iOSDeviceHasMatchingCSR(
+        appDirectory,
+        target.udid,
+        appName,
+        csr,
+      );
+      return {id: target.udid, isMatch};
+    });
+    const devices = await Promise.all(deviceMatchList);
+    const matchingIds = devices.filter((m) => m.isMatch).map((m) => m.id);
+    if (matchingIds.length == 0) {
+      throw new Error(`No matching device found for app: ${appName}`);
+    }
+    if (matchingIds.length > 1) {
+      console.warn(`Multiple devices found for app: ${appName}`);
+    }
+    return matchingIds[0];
+  }
+
+  protected async handleFSBasedDeploy(
+    destination: string,
+    filename: string,
+    contents: string,
+    csr: string,
+    appName: string,
+  ) {
+    try {
+      await fs.writeFile(destination + filename, contents);
+    } catch (err) {
+      // Writing directly to FS failed. It's probably a physical device.
+      const relativePathInsideApp =
+        this.getRelativePathInAppContainer(destination);
+      const udid = await this.getTargetDeviceId(appName, destination, csr);
+      await this.pushFileToiOSDevice(
+        udid,
+        appName,
+        relativePathInsideApp,
+        filename,
+        contents,
+      );
+    }
+  }
+
+  private getRelativePathInAppContainer(absolutePath: string) {
+    const matches = /Application\/[^/]+\/(.*)/.exec(absolutePath);
+    if (matches && matches.length === 2) {
+      return matches[1];
+    }
+    throw new Error("Path didn't match expected pattern: " + absolutePath);
+  }
+
+  private async pushFileToiOSDevice(
+    udid: string,
+    bundleId: string,
+    destination: string,
+    filename: string,
+    contents: string,
+  ): Promise<void> {
+    const dir = await tmpDir({unsafeCleanup: true});
+    const filePath = path.resolve(dir, filename);
+    await fs.writeFile(filePath, contents);
+
+    await iosUtil.push(
+      udid,
+      filePath,
+      bundleId,
+      destination,
+      this.idbConfig.idbPath,
+    );
+  }
+
+  private async iOSDeviceHasMatchingCSR(
+    directory: string,
+    deviceId: string,
+    bundleId: string,
+    csr: string,
+  ): Promise<boolean> {
+    const originalFile = this.getRelativePathInAppContainer(
+      path.resolve(directory, csrFileName),
+    );
+    const dir = await tmpDir({unsafeCleanup: true});
+
+    // Workaround for idb weirdness
+    // Originally started at D27590885
+    // Re-appared at https://github.com/facebook/flipper/issues/3009
+    //
+    // People reported various workarounds. None of them worked consistently for everyone.
+    // Usually, the workarounds included re-building idb from source or re-installing it.
+    //
+    // The only more or less reasonable explanation I was able to find is that the final behavior depends on whether the idb_companion is local or not.
+    //
+    // This is how idb_companion sets its locality
+    // https://github.com/facebook/idb/blob/main/idb_companion/Server/FBIDBServiceHandler.mm#L1507
+    // idb sends a connection request and provides a file path to a temporary file. idb_companion checks if it can access that file.
+    //
+    // So when it is "local", the pulled filed is written directly to the destination path
+    // https://github.com/facebook/idb/blob/main/idb/grpc/client.py#L698
+    // So it is expected that the destination path ends with a file to write to.
+    // However, if the companion is remote,  then we seem to get here https://github.com/facebook/idb/blob/71791652efa2d5e6f692cb8985ff0d26b69bf08f/idb/common/tar.py#L232
+    // Where we create a tree of directories and write the file stream there.
+    //
+    // So the only explanation I could come up with is that somehow, by re-installing idb and playing with the env, people could affect the locality of the idb_companion.
+    //
+    // The ultimate workaround is to try pulling the cert file without the cert name attached first, if it fails, try to append it.
+    try {
+      await iosUtil.pull(
+        deviceId,
+        originalFile,
+        bundleId,
+        dir,
+        this.idbConfig.idbPath,
+      );
+    } catch (e) {
+      console.warn(
+        'Original idb pull failed. Most likely it is a physical device that requires us to handle the dest path dirrently. Forcing a re-try with the updated dest path. See D32106952 for details. Original error:',
+        e,
+      );
+      await iosUtil.pull(
+        deviceId,
+        originalFile,
+        bundleId,
+        path.join(dir, csrFileName),
+        this.idbConfig.idbPath,
+      );
+      console.info(
+        'Subsequent idb pull succeeded. Nevermind previous wranings.',
+      );
+    }
+
+    const items = await fs.readdir(dir);
+    if (items.length > 1) {
+      throw new Error('Conflict in temp dir');
+    }
+    if (items.length === 0) {
+      throw new Error('Failed to pull CSR from device');
+    }
+    const fileName = items[0];
+    const copiedFile = path.resolve(dir, fileName);
+    console.debug('Trying to read CSR from', copiedFile);
+    const data = await fs.readFile(copiedFile);
+    const csrFromDevice = this.santitizeString(data.toString());
+    return csrFromDevice === this.santitizeString(csr);
+  }
+}

desktop/flipper-server-core/src/devices/ios/iOSDeviceManager.tsx

@@ -23,6 +23,8 @@ import {
 import {FlipperServerImpl} from '../../FlipperServerImpl';
 import {getFlipperServerConfig} from '../../FlipperServerConfig';
 import {IdbConfig, setIdbConfig} from './idbConfig';
+import {assertNotNull} from '../../comms/Utilities';
+import iOSCertificateProvider from './iOSCertificateProvider';
 
 export class IOSDeviceManager {
   private portForwarders: Array<ChildProcess> = [];
@@ -39,6 +41,17 @@ export class IOSDeviceManager {
 
   constructor(private flipperServer: FlipperServerImpl) {}
 
+  public get certificateProvider() {
+    assertNotNull(
+      this.idbConfig,
+      'IOSDeviceManager.certificateProvider -> missing idbConfig',
+    );
+    return new iOSCertificateProvider(
+      this.flipperServer.keytarManager,
+      this.idbConfig,
+    );
+  }
+
   private forwardPort(port: number, multiplexChannelPort: number) {
     const child = childProcess.execFile(
       this.portforwardingClient,