Merge branch 'XcodesOrg:main' into main

Author: wangzhizhou

.github/release-drafter.yml

@@ -11,7 +11,7 @@ categories:
       - 'documentation'
       - 'dependencies'
 template: |
-  If you installed xcodes with homebrew you can upgrade with `brew upgrade robotsandpencils/made/xcodes`.
+  If you installed xcodes with homebrew you can upgrade with `brew upgrade xcodesorg/made/xcodes`.
 
   ## Changes
 

.github/workflows/ci.yml

@@ -2,10 +2,10 @@ name: CI
 on: [push, pull_request]
 jobs:
   test:
-    runs-on: macos-12
+    runs-on: macos-15
     steps:
     - uses: actions/checkout@v4
     - name: Run tests
       env: 
-        DEVELOPER_DIR: /Applications/Xcode_13.4.1.app
+        DEVELOPER_DIR: /Applications/Xcode_16.4.app
       run: swift test

.swiftpm/xcode/xcshareddata/xcschemes/xcodes.xcscheme

@@ -128,9 +128,13 @@
             isEnabled = "NO">
          </CommandLineArgument>
          <CommandLineArgument
-            argument = "runtimes install &quot;visionOS 1.0-beta1&quot;"
+            argument = "runtimes install &quot;visionOS 26.0-beta3 arm64&quot;"
             isEnabled = "YES">
          </CommandLineArgument>
+         <CommandLineArgument
+            argument = "runtimes --include-betas"
+            isEnabled = "NO">
+         </CommandLineArgument>
          <CommandLineArgument
             argument = "install --help"
             isEnabled = "NO">

CONTRIBUTING.md

@@ -23,7 +23,7 @@ Pull requests are the best way to propose changes to the codebase  We actively w
 ## Any contributions you make will be under the MIT Software License
 In short, when you submit code changes, your submissions are understood to be under the same [MIT License](http://choosealicense.com/licenses/mit/) that covers the project. Feel free to contact the maintainers if that's a concern.
 
-## Report bugs using Github's [issues](https://github.com/robotsandpencils/xcodes/issues)
+## Report bugs using Github's [issues](https://github.com/xcodesorg/xcodes/issues)
 We use GitHub issues to track public bugs. Report a bug by [opening a new issue](); it's that easy!
 
 ## Write bug reports with detail, background, and sample code

Package.resolved

@@ -23,6 +23,7 @@ let package = Package(
         .package(url: "https://github.com/xcodereleases/data", revision: "fcf527b187817f67c05223676341f3ab69d4214d"),
         .package(url: "https://github.com/onevcat/Rainbow.git", .upToNextMinor(from: "3.2.0")),
         .package(url: "https://github.com/jpsim/Yams", .upToNextMinor(from: "5.0.1")),
+        .package(url: "https://github.com/xcodesOrg/swift-srp", branch: "main")
     ],
     targets: [
         .executableTarget(
@@ -50,7 +51,7 @@ let package = Package(
                 "Version",
                 .product(name: "XCModel", package: "data"),
                 "Rainbow",
-                "Yams",
+                "Yams"
             ]),
         .testTarget(
             name: "XcodesKitTests",
@@ -68,6 +69,7 @@ let package = Package(
                 "PromiseKit",
                 .product(name: "PMKFoundation", package: "Foundation"),
                 "Rainbow",
+                .product(name: "SRP", package: "swift-srp")
             ]),
         .testTarget(
             name: "AppleAPITests",

Package.swift

@@ -214,7 +214,8 @@ git push --follow-tags
 
 # Edit the draft release created by Release Drafter to point at the new tag
 # Set the release title to the new version
-# Add the xcodes.zip and xcodes-$VERSION.mojave.tar.gz files to the release
+# Duplicate xcodes-$VERSION.mojave.tar.gz and rename to xcodes-$VERSION.arm64_mojave.tar.gz, also create `xcodes-$VERSION.macos.i386.tar.gz` and `xcodes-$VERSION.macos.arm64.tar.gz`
+# Add the xcodes.zip, xcodes-$VERSION.mojave.tar.gz, xcodes-$VERSION.arm64_mojave.tar.gz files to the release
 # Publish the release
 
 # Update the Homebrew Bottle: https://github.com/XcodesOrg/homebrew-made/blob/master/Formula/xcodes.rb

README.md

@@ -2,6 +2,9 @@ import Foundation
 import PromiseKit
 import PMKFoundation
 import Rainbow
+import SRP
+import Crypto
+import CommonCrypto
 
 public class Client {
     private static let authTypes = ["sa", "hsa", "non-sa", "hsa2"]
@@ -15,18 +18,23 @@ public class Client {
         case incorrectSecurityCode
         case unexpectedSignInResponse(statusCode: Int, message: String?)
         case appleIDAndPrivacyAcknowledgementRequired
+        case serviceTemporarilyUnavailable
         case noTrustedPhoneNumbers
         case notAuthenticated
         case invalidHashcash
         case missingSecurityCodeInfo
         case accountUsesHardwareKey
+        case srpInvalidPublicKey
+        case srpError(String)
 
         public var errorDescription: String? {
             switch self {
             case .invalidUsernameOrPassword(let username):
                 return "Invalid username and password combination. Attempted to sign in with username \(username)."
             case .appleIDAndPrivacyAcknowledgementRequired:
                 return "You must sign in to https://appstoreconnect.apple.com and acknowledge the Apple ID & Privacy agreement."
+            case .serviceTemporarilyUnavailable:
+                return "The service is temporarily unavailable. Please try again later."
             case .invalidPhoneNumberIndex(let min, let max, let given):
                 return "Not a valid phone number index. Expecting a whole number between \(min)-\(max), but was given \(given ?? "nothing")."
             case .noTrustedPhoneNumbers:
@@ -56,6 +64,102 @@ public class Client {
             }
     }
 
+    /// SRPLogin - Secure Remote Password
+    /// https://tools.ietf.org/html/rfc2945
+    /// Forked from https://github.com/adam-fowler/swift-srp that provides the algorithm
+    public func srpLogin(accountName: String, password: String) -> Promise<Void> {
+        var serviceKey: String!
+        let client = SRPClient(configuration: SRPConfiguration<SHA256>(.N2048))
+        let clientKeys = client.generateKeys()
+        let a = clientKeys.public
+        
+        // Get the Service Key needed from olympus session needed in headers
+        return firstly { () -> Promise<(data: Data, response: URLResponse)> in
+            Current.network.dataTask(with: URLRequest.itcServiceKey)
+        }
+        .then { (data, _) -> Promise<(serviceKey: String, hashcash: String)> in
+            struct ServiceKeyResponse: Decodable {
+                let authServiceKey: String?
+            }
+            
+            let response = try JSONDecoder().decode(ServiceKeyResponse.self, from: data)
+            serviceKey = response.authServiceKey
+            
+            /// Load a hashcash of the account name
+            return self.loadHashcash(accountName: accountName, serviceKey: serviceKey).map { (serviceKey, $0) }
+        }
+        .then { (serviceKey, hashcash) -> Promise<(serviceKey: String, hashcash: String, data: Data)> in
+            /// Call the SRP /init endpoint to start the login
+            return Current.network.dataTask(with: URLRequest.SRPInit(serviceKey: serviceKey, a: Data(a.bytes).base64EncodedString(), accountName: accountName)).map { (serviceKey, hashcash, $0.data)}
+        }
+        .then { (serviceKey, hashcash, data) -> Promise<(data: Data, response: URLResponse)> in
+            let srpInit = try JSONDecoder().decode(ServerSRPInitResponse.self, from: data)
+            
+            guard let decodedB = Data(base64Encoded: srpInit.b) else {
+                throw Error.srpInvalidPublicKey
+            }
+            guard let decodedSalt = Data(base64Encoded: srpInit.salt) else {
+                throw Error.srpInvalidPublicKey
+            }
+            
+            let iterations = srpInit.iteration
+            
+            do {
+                guard let encryptedPassword = self.pbkdf2(password: password, saltData: decodedSalt, keyByteCount: 32, prf: CCPseudoRandomAlgorithm(kCCPRFHmacAlgSHA256), rounds: iterations) else {
+                    throw Error.srpInvalidPublicKey
+                }
+                
+                let sharedSecret = try client.calculateSharedSecret(password: encryptedPassword, salt: [UInt8](decodedSalt), clientKeys: clientKeys, serverPublicKey: .init([UInt8](decodedB)))
+                
+                let m1 = client.calculateClientProof(username: accountName, salt: [UInt8](decodedSalt), clientPublicKey: a, serverPublicKey: .init([UInt8](decodedB)), sharedSecret: .init(sharedSecret.bytes))
+                let m2 = client.calculateServerProof(clientPublicKey: a, clientProof: m1, sharedSecret: .init([UInt8](sharedSecret.bytes)))
+
+                /// call the /complete endpoint passing in the hashcash, servicekey, and the calculated proof. 
+                return Current.network.dataTask(with: URLRequest.SRPComplete(serviceKey: serviceKey, hashcash: hashcash, accountName: accountName, c: srpInit.c, m1: Data(m1).base64EncodedString(), m2: Data(m2).base64EncodedString()))
+            } catch {
+                throw Error.srpError(error.localizedDescription)
+            }
+        }
+        .then { (data, response) -> Promise<Void> in
+            struct SignInResponse: Decodable {
+                let authType: String?
+                let serviceErrors: [ServiceError]?
+                
+                struct ServiceError: Decodable, CustomStringConvertible {
+                    let code: String
+                    let message: String
+                    
+                    var description: String {
+                        return "\(code): \(message)"
+                    }
+                }
+            }
+            
+            let httpResponse = response as! HTTPURLResponse
+            do {
+                let responseBody = try JSONDecoder().decode(SignInResponse.self, from: data)
+                switch httpResponse.statusCode {
+                case 200:
+                    return Current.network.dataTask(with: URLRequest.olympusSession).asVoid()
+                case 401:
+                    throw Error.invalidUsernameOrPassword(username: accountName)
+                case 409:
+                    return self.handleTwoStepOrFactor(data: data, response: response, serviceKey: serviceKey)
+                case 412 where Client.authTypes.contains(responseBody.authType ?? ""):
+                    throw Error.appleIDAndPrivacyAcknowledgementRequired
+                default:
+                    throw Error.unexpectedSignInResponse(statusCode: httpResponse.statusCode,
+                                                         message: responseBody.serviceErrors?.map { $0.description }.joined(separator: ", "))
+                }
+            } catch DecodingError.dataCorrupted where httpResponse.statusCode == 503 {
+                throw Error.serviceTemporarilyUnavailable
+            } catch {
+                throw error
+            }
+        }
+    }
+    
+    @available(*, deprecated, message: "Please use srpLogin")
     public func login(accountName: String, password: String) -> Promise<Void> {
         var serviceKey: String!
 
@@ -92,20 +196,25 @@ public class Client {
             }
 
             let httpResponse = response as! HTTPURLResponse
-            let responseBody = try JSONDecoder().decode(SignInResponse.self, from: data)
-            
-            switch httpResponse.statusCode {
-            case 200:
-                return Current.network.dataTask(with: URLRequest.olympusSession).asVoid()
-            case 401:
-                throw Error.invalidUsernameOrPassword(username: accountName)
-            case 409:
-                return self.handleTwoStepOrFactor(data: data, response: response, serviceKey: serviceKey)
-            case 412 where Client.authTypes.contains(responseBody.authType ?? ""):
-                throw Error.appleIDAndPrivacyAcknowledgementRequired
-            default:
-                throw Error.unexpectedSignInResponse(statusCode: httpResponse.statusCode,
-                                                     message: responseBody.serviceErrors?.map { $0.description }.joined(separator: ", "))
+            do {
+                let responseBody = try JSONDecoder().decode(SignInResponse.self, from: data)
+                switch httpResponse.statusCode {
+                case 200:
+                    return Current.network.dataTask(with: URLRequest.olympusSession).asVoid()
+                case 401:
+                    throw Error.invalidUsernameOrPassword(username: accountName)
+                case 409:
+                    return self.handleTwoStepOrFactor(data: data, response: response, serviceKey: serviceKey)
+                case 412 where Client.authTypes.contains(responseBody.authType ?? ""):
+                    throw Error.appleIDAndPrivacyAcknowledgementRequired
+                default:
+                    throw Error.unexpectedSignInResponse(statusCode: httpResponse.statusCode,
+                                                         message: responseBody.serviceErrors?.map { $0.description }.joined(separator: ", "))
+                }
+            } catch DecodingError.dataCorrupted where httpResponse.statusCode == 503 {
+                throw Error.serviceTemporarilyUnavailable
+            } catch {
+                throw error
             }
         }
     }
@@ -264,6 +373,43 @@ public class Client {
             return .value(hashcash)
         }
     }
+    
+    private func sha256(data : Data) -> Data {
+        var hash = [UInt8](repeating: 0,  count: Int(CC_SHA256_DIGEST_LENGTH))
+        data.withUnsafeBytes {
+            _ = CC_SHA256($0.baseAddress, CC_LONG(data.count), &hash)
+        }
+        return Data(hash)
+    }
+
+    private func pbkdf2(password: String, saltData: Data, keyByteCount: Int, prf: CCPseudoRandomAlgorithm, rounds: Int) -> Data? {
+        guard let passwordData = password.data(using: .utf8) else { return nil }
+        let hashedPasswordData = sha256(data: passwordData)
+
+        var derivedKeyData = Data(repeating: 0, count: keyByteCount)
+        let derivedCount = derivedKeyData.count
+        let derivationStatus: Int32 = derivedKeyData.withUnsafeMutableBytes { derivedKeyBytes in
+            let keyBuffer: UnsafeMutablePointer<UInt8> =
+                derivedKeyBytes.baseAddress!.assumingMemoryBound(to: UInt8.self)
+            return saltData.withUnsafeBytes { saltBytes -> Int32 in
+                let saltBuffer: UnsafePointer<UInt8> = saltBytes.baseAddress!.assumingMemoryBound(to: UInt8.self)
+                return hashedPasswordData.withUnsafeBytes { hashedPasswordBytes -> Int32 in
+                    let passwordBuffer: UnsafePointer<UInt8> = hashedPasswordBytes.baseAddress!.assumingMemoryBound(to: UInt8.self)
+                    return CCKeyDerivationPBKDF(
+                        CCPBKDFAlgorithm(kCCPBKDF2),
+                        passwordBuffer,
+                        hashedPasswordData.count,
+                        saltBuffer,
+                        saltData.count,
+                        prf,
+                        UInt32(rounds),
+                        keyBuffer,
+                        derivedCount)
+                }
+            }
+        }
+        return derivationStatus == kCCSuccess ? derivedKeyData : nil
+    }
 }
 
 public extension Promise where T == (data: Data, response: URLResponse) {
@@ -363,3 +509,10 @@ enum SecurityCode {
         }
     }
 }
+
+public struct ServerSRPInitResponse: Decodable {
+    let iteration: Int
+    let salt: String
+    let b: String
+    let c: String
+}