Override API connection via step inputs (#41)

* Override API connection via step inputs

* Add E2E test for connection override

* Don't run the same UI tests twice

* Pull latest go-xcode, better tests

* YAML lint fix

* Handle unset connection envs

README.md

@@ -37,6 +37,8 @@ Under **Automatic code signing**:
 3. **The minimum days the Provisioning Profile should be valid**: If this input is set to >0, the managed Provisioning Profile will be renewed if it expires within the configured number of days. Otherwise the Step renews the managed Provisioning Profile if it is expired.
 4. The **Code signing certificate URL**, the **Code signing certificate passphrase**, the **Keychain path**, and the **Keychain password** inputs are automatically populated if certificates are uploaded to Bitrise's **Code Signing** tab. If you store your files in a private repo, you can manually edit these fields.
 
+If you want to set the Apple service connection credentials on the step-level (instead of using the one configured in the App Settings), use the Step inputs in the **App Store Connect connection override** category. Note that this only works if **Automatic code signing method** is set to `api-key`.
+
 Under **Step Output configuration**:
 1. **Output directory path**: This directory contains the generated artifacts.
 
@@ -80,6 +82,9 @@ You can also run this step directly with [Bitrise CLI](https://github.com/bitris
 | `keychain_password` | Password for the provided Keychain. | required, sensitive | `$BITRISE_KEYCHAIN_PASSWORD` |
 | `output_dir` | This directory will contain the generated artifacts. | required | `$BITRISE_DEPLOY_DIR` |
 | `cache_level` | Defines what cache content should be automatically collected.  Available options: - `none`: Disable collecting cache content. - `swift_packages`: Collect Swift PM packages added to the Xcode project. | required | `swift_packages` |
+| `api_key_path` | Local path or remote URL to the private key (p8 file) for App Store Connect API. This overrides the Bitrise-managed API connection, only set this input if you want to control the API connection on a step-level. Most of the time it's easier to set up the connection on the App Settings page on Bitrise. The input value can be a file path (eg. `$TMPDIR/private_key.p8`) or an HTTPS URL. This input only takes effect if the other two connection override inputs are set too (`api_key_id`, `api_key_issuer_id`). |  |  |
+| `api_key_id` | Private key ID used for App Store Connect authentication. This overrides the Bitrise-managed API connection, only set this input if you want to control the API connection on a step-level. Most of the time it's easier to set up the connection on the App Settings page on Bitrise. This input only takes effect if the other two connection override inputs are set too (`api_key_path`, `api_key_issuer_id`). |  |  |
+| `api_key_issuer_id` | Private key issuer ID used for App Store Connect authentication. This overrides the Bitrise-managed API connection, only set this input if you want to control the API connection on a step-level. Most of the time it's easier to set up the connection on the App Settings page on Bitrise. This input only takes effect if the other two connection override inputs are set too (`api_key_path`, `api_key_id`). |  |  |
 | `verbose_log` | If this input is set, the Step will print additional logs for debugging. | required | `no` |
 </details>
 

e2e/bitrise.yml

@@ -10,6 +10,9 @@ app:
   - BITFALL_APPLE_APPLE_CERTIFICATE_URL_LIST: $BITFALL_APPLE_APPLE_CERTIFICATE_URL_LIST
   - BITFALL_APPLE_APPLE_CERTIFICATE_PASSPHRASE_LIST: $BITFALL_APPLE_APPLE_CERTIFICATE_PASSPHRASE_LIST
   - BITFALL_APPLE_IOS_CERTIFICATE_NOPASSPHRASE_URL: $BITFALL_APPLE_IOS_CERTIFICATE_NOPASSPHRASE_URL
+  - BITFALL_APPSTORECONNECT_API_KEY_URL: $BITFALL_APPSTORECONNECT_API_KEY_URL
+  - BITFALL_APPSTORECONNECT_API_KEY_ID: $BITFALL_APPSTORECONNECT_API_KEY_ID
+  - BITFALL_APPSTORECONNECT_API_KEY_ISSUER_ID: $BITFALL_APPSTORECONNECT_API_KEY_ISSUER_ID
 
 workflows:
   test_swiftpm:
@@ -92,6 +95,35 @@ workflows:
     after_run:
     - _run
 
+  test_uitest_api_key_override_signing:
+    envs:
+    - SAMPLE_APP_URL: https://github.com/bitrise-io/sample-apps-fastlane-test.git
+    - SAMPLE_APP_BRANCH: master
+    - BITRISE_PROJECT_PATH: sample-apps-fastlane-test.xcodeproj
+    - BITRISE_SCHEME: sample-apps-fastlane-test
+    - BITRISE_CONFIGURATION: Debug
+    - DESTINATION: generic/platform=iOS
+    - CODE_SIGNING_METHOD: api-key
+    - CERTIFICATE_URL_LIST: $BITFALL_APPLE_APPLE_CERTIFICATE_URL_LIST
+    - CERTIFICATE_PASSPHRASE_LIST: $BITFALL_APPLE_APPLE_CERTIFICATE_PASSPHRASE_LIST
+    - API_KEY_PATH: $BITFALL_APPSTORECONNECT_API_KEY_URL
+    - API_KEY_ID: $BITFALL_APPSTORECONNECT_API_KEY_ID
+    - API_KEY_ISSUER_ID: $BITFALL_APPSTORECONNECT_API_KEY_ISSUER_ID
+    steps:
+    - script:
+        title: Unset Bitrise API connection env vars
+        inputs:
+        - content: |-
+            #!/usr/bin/env bash
+            set -ex
+            envman add --key BITRISE_BUILD_URL_BACKUP --value $BITRISE_BUILD_URL
+            envman add --key BITRISE_BUILD_API_TOKEN_BACKUP --value $BITRISE_BUILD_API_TOKEN
+            envman unset --key BITRISE_BUILD_URL
+            envman unset --key BITRISE_BUILD_API_TOKEN
+    after_run:
+    - _run
+    - _restore_api_envs
+
   test_build_output_renamed:
     envs:
     - SAMPLE_APP_URL: https://github.com/bitrise-samples/sample-apps-ios-simple-objc-with-uitest.git
@@ -237,6 +269,9 @@ workflows:
         - certificate_url_list: $CERTIFICATE_URL_LIST
         - passphrase_list: $CERTIFICATE_PASSPHRASE_LIST
         - apple_team_id: $TEAM_ID
+        - api_key_path: $API_KEY_PATH
+        - api_key_id: $API_KEY_ID
+        - api_key_issuer_id: $API_KEY_ISSUER_ID
     - git::https://github.com/bitrise-steplib/bitrise-step-check-step-outputs.git@main:
         is_always_run: true
         inputs:
@@ -284,3 +319,13 @@ workflows:
             xcode_major_version=${BASH_REMATCH[1]}
             echo "Xcode major version: $xcode_major_version"
             envman add --key XCODE_MAJOR_VERSION --value $xcode_major_version
+
+  _restore_api_envs:
+    steps:
+    - script:
+        title: Restore Bitrise API connection env vars
+        inputs:
+        - content: |-
+            set -ex
+            envman add --key BITRISE_BUILD_URL --value $BITRISE_BUILD_URL_BACKUP
+            envman add --key BITRISE_BUILD_API_TOKEN --value $BITRISE_BUILD_API_TOKEN_BACKUP

go.mod

@@ -12,8 +12,8 @@ require (
 
 require (
 	github.com/bitrise-io/go-steputils/v2 v2.0.0-alpha.2
-	github.com/bitrise-io/go-utils/v2 v2.0.0-alpha.7
-	github.com/bitrise-io/go-xcode/v2 v2.0.0-alpha.18
+	github.com/bitrise-io/go-utils/v2 v2.0.0-alpha.11
+	github.com/bitrise-io/go-xcode/v2 v2.0.0-alpha.20
 	github.com/stretchr/testify v1.7.2
 )
 

go.sum

@@ -9,13 +9,12 @@ github.com/bitrise-io/go-utils v1.0.1/go.mod h1:ZY1DI+fEpZuFpO9szgDeICM4QbqoWVt0
 github.com/bitrise-io/go-utils v1.0.2 h1:w4Mz2IvrgDzrFJECuHdvsK1LHO30cdtuy9bBa7Lw2c0=
 github.com/bitrise-io/go-utils v1.0.2/go.mod h1:ZY1DI+fEpZuFpO9szgDeICM4QbqoWVt0RSY3tRI1heY=
 github.com/bitrise-io/go-utils/v2 v2.0.0-alpha.1/go.mod h1:sy+Ir1X8P3tAAx/qU/r+hqDjHDcrMjIzDEvId1wqNc4=
-github.com/bitrise-io/go-utils/v2 v2.0.0-alpha.7 h1:d0XDESvQwOO+V9afZrI8QGR7bJGDkmE4Q9ezIBB4TLw=
-github.com/bitrise-io/go-utils/v2 v2.0.0-alpha.7/go.mod h1:6i0Gt0JRIbXpsrFDJT1YWghFfdN8qF26/fnpc/6d/88=
-github.com/bitrise-io/go-xcode v1.0.6/go.mod h1:Y0Wu2dXm0MilJ/4D3+gPHaNMlUcP+1DjIPoLPykq7wY=
+github.com/bitrise-io/go-utils/v2 v2.0.0-alpha.11 h1:IacLMHL7hhgVcqtx15Bysq738P8FRCp6ckGk1NvioWo=
+github.com/bitrise-io/go-utils/v2 v2.0.0-alpha.11/go.mod h1:SJqGxzwjIAx2LVQxNGS4taN7X//eDPJLrFxJ1MpOuyA=
 github.com/bitrise-io/go-xcode v1.0.9 h1:+sbqOYidQ+aiFfCTDpf2LdGSQEM5RfbtDsiG27zJG+s=
 github.com/bitrise-io/go-xcode v1.0.9/go.mod h1:Y0Wu2dXm0MilJ/4D3+gPHaNMlUcP+1DjIPoLPykq7wY=
-github.com/bitrise-io/go-xcode/v2 v2.0.0-alpha.18 h1:Xt/xLjx19hMuPNZDq09P7F6Lg+Rpu/tkfwPr2/1CeDI=
-github.com/bitrise-io/go-xcode/v2 v2.0.0-alpha.18/go.mod h1:oYILBt4j8jn69avylknuqsUO/BSiRx9i+JaxcNOtWMA=
+github.com/bitrise-io/go-xcode/v2 v2.0.0-alpha.20 h1:MIH3eGNcAsc5VBACiU+EFcmUfqCyT6/fMSi2UjYR9+s=
+github.com/bitrise-io/go-xcode/v2 v2.0.0-alpha.20/go.mod h1:8WBcRgrVXY8tzR7NcjE4fw6WguOIfB3YcC7ZTcQYUEY=
 github.com/bitrise-io/pkcs12 v0.0.0-20211108084543-e52728e011c8 h1:kmvU8AxrNTxXsVPKepBHD8W+eCVmeaKyTkRuUJB2K38=
 github.com/bitrise-io/pkcs12 v0.0.0-20211108084543-e52728e011c8/go.mod h1:UiXKNs0essbC14a2TvGlnUKo9isP9m4guPrp8KJHJpU=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@@ -72,6 +71,7 @@ golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211205182925-97ca703d548d/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220712014510-0a85c31ab51e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=

step.yml

@@ -31,6 +31,8 @@ description: |-
   3. **The minimum days the Provisioning Profile should be valid**: If this input is set to >0, the managed Provisioning Profile will be renewed if it expires within the configured number of days. Otherwise the Step renews the managed Provisioning Profile if it is expired.
   4. The **Code signing certificate URL**, the **Code signing certificate passphrase**, the **Keychain path**, and the **Keychain password** inputs are automatically populated if certificates are uploaded to Bitrise's **Code Signing** tab. If you store your files in a private repo, you can manually edit these fields.
 
+  If you want to set the Apple service connection credentials on the step-level (instead of using the one configured in the App Settings), use the Step inputs in the **App Store Connect connection override** category. Note that this only works if **Automatic code signing method** is set to `api-key`.
+
   Under **Step Output configuration**:
   1. **Output directory path**: This directory contains the generated artifacts.
 
@@ -298,6 +300,45 @@ inputs:
     - swift_packages
     is_required: true
 
+# App Store Connect connection override
+
+- api_key_path:
+  opts:
+    category: App Store Connect connection override
+    title: App Store Connect API private key
+    summary: Local path or remote URL to the private key (p8 file). This overrides the Bitrise-managed API connection.
+    description: |-
+      Local path or remote URL to the private key (p8 file) for App Store Connect API.
+      This overrides the Bitrise-managed API connection, only set this input if you want to control the API connection
+      on a step-level. Most of the time it's easier to set up the connection on the App Settings page on Bitrise.
+      The input value can be a file path (eg. `$TMPDIR/private_key.p8`) or an HTTPS URL.
+      This input only takes effect if the other two connection override inputs are set too (`api_key_id`, `api_key_issuer_id`).
+    is_required: false
+
+- api_key_id:
+  opts:
+    category: App Store Connect connection override
+    title: App Store Connect API key ID
+    summary: Private key ID used for App Store Connect authentication. This overrides the Bitrise-managed API connection.
+    description: |-
+      Private key ID used for App Store Connect authentication.
+      This overrides the Bitrise-managed API connection, only set this input if you want to control the API connection
+      on a step-level. Most of the time it's easier to set up the connection on the App Settings page on Bitrise.
+      This input only takes effect if the other two connection override inputs are set too (`api_key_path`, `api_key_issuer_id`).
+    is_required: false
+
+- api_key_issuer_id:
+  opts:
+    category: App Store Connect connection override
+    title: App Store Connect API issuer ID
+    summary: Private key issuer ID used for App Store Connect authentication. This overrides the Bitrise-managed API connection.
+    description: |-
+      Private key issuer ID used for App Store Connect authentication.
+      This overrides the Bitrise-managed API connection, only set this input if you want to control the API connection
+      on a step-level. Most of the time it's easier to set up the connection on the App Settings page on Bitrise.
+      This input only takes effect if the other two connection override inputs are set too (`api_key_path`, `api_key_id`).
+    is_required: false
+
 # Debugging
 
 - verbose_log: "no"

step/codesign.go

@@ -33,6 +33,9 @@ type CodesignManagerOpts struct {
 	BuildURL                  string
 	BuildAPIToken             stepconf.Secret
 	VerboseLog                bool
+	APIKeyPath                stepconf.Secret
+	APIKeyID                  string
+	APIKeyIssuerID            string
 }
 
 func createCodesignManager(managerOpts CodesignManagerOpts, xcodeMajorVersion int64, logger log.Logger, cmdFactory command.Factory) (codesign.Manager, error) {
@@ -61,15 +64,22 @@ func createCodesignManager(managerOpts CodesignManagerOpts, xcodeMajorVersion in
 		return codesign.Manager{}, fmt.Errorf("issue with input: %w", err)
 	}
 
-	var serviceConnection *devportalservice.AppleDeveloperConnection
 	devPortalClientFactory := devportalclient.NewFactory(logger)
-	if authType == codesign.APIKeyAuth || authType == codesign.AppleIDAuth {
+
+	var serviceConnection *devportalservice.AppleDeveloperConnection
+	if managerOpts.BuildURL != "" && managerOpts.BuildAPIToken != "" {
 		if serviceConnection, err = devPortalClientFactory.CreateBitriseConnection(managerOpts.BuildURL, string(managerOpts.BuildAPIToken)); err != nil {
 			return codesign.Manager{}, err
 		}
 	}
 
-	appleAuthCredentials, err := codesign.SelectConnectionCredentials(authType, serviceConnection, logger)
+	overrideInputs := codesign.ConnectionOverrideInputs{
+		APIKeyPath:     managerOpts.APIKeyPath,
+		APIKeyID:       managerOpts.APIKeyID,
+		APIKeyIssuerID: managerOpts.APIKeyIssuerID,
+	}
+
+	appleAuthCredentials, err := codesign.SelectConnectionCredentials(authType, serviceConnection, overrideInputs, logger)
 	if err != nil {
 		return codesign.Manager{}, err
 	}
@@ -96,10 +106,14 @@ func createCodesignManager(managerOpts CodesignManagerOpts, xcodeMajorVersion in
 	}
 
 	client := retry.NewHTTPClient().StandardClient()
+	var testDevices []devportalservice.TestDevice
+	if serviceConnection != nil {
+		testDevices = serviceConnection.TestDevices
+	}
 	return codesign.NewManagerWithProject(
 		opts,
 		appleAuthCredentials,
-		serviceConnection,
+		testDevices,
 		devPortalClientFactory,
 		certdownloader.NewDownloader(codesignConfig.CertificatesAndPassphrases, client),
 		profiledownloader.New(codesignConfig.FallbackProvisioningProfiles, client),

step/step.go

@@ -72,6 +72,10 @@ type Input struct {
 	OutputDir string `env:"output_dir,required"`
 	// Caching
 	CacheLevel string `env:"cache_level,opt[none,swift_packages]"`
+	// App Store Connect connection override
+	APIKeyPath     stepconf.Secret `env:"api_key_path"`
+	APIKeyID       string          `env:"api_key_id"`
+	APIKeyIssuerID string          `env:"api_key_issuer_id"`
 	// Debugging
 	VerboseLog bool `env:"verbose_log,opt[yes,no]"`
 }
@@ -190,6 +194,9 @@ func (b XcodebuildBuilder) ProcessConfig() (Config, error) {
 			BuildURL:                  input.BuildURL,
 			BuildAPIToken:             input.BuildAPIToken,
 			VerboseLog:                input.VerboseLog,
+			APIKeyPath:                input.APIKeyPath,
+			APIKeyID:                  input.APIKeyID,
+			APIKeyIssuerID:            input.APIKeyIssuerID,
 		}, xcodebuildVersion.MajorVersion, b.logger, factory)
 		if err != nil {
 			return Config{}, err