feat(eas-cli): Ensure non-exempt encryption status (#2843)

* Ensure non-exempt encryption status

* Update exemptEncryption.ts

* Update CHANGELOG.md

* add tests

* Update exemptEncryption.ts

* Update exemptEncryption.ts

* Update exemptEncryption.ts

Author: EvanBacon

CHANGELOG.md

@@ -8,6 +8,7 @@ This is the log of notable changes to EAS CLI and related packages.
 
 ### 🎉 New features
 
+- Prompt to set non-exempt encryption status for the iOS app to support faster store submissions. ([#2843](https://github.com/expo/eas-cli/pull/2843) by [@EvanBacon](https://github.com/EvanBacon))
 - Automatically create internal TestFlight group in EAS Submit command. ([#2839](https://github.com/expo/eas-cli/pull/2839) by [@evanbacon](https://github.com/evanbacon))
 - Sanitize and generate names for EAS Submit to prevent failures due to invalid characters or taken names. ([#2842](https://github.com/expo/eas-cli/pull/2842) by [@evanbacon](https://github.com/evanbacon))
 

packages/eas-cli/__mocks__/fs.ts

@@ -12,3 +12,6 @@ if (process.env.TMPDIR) {
 (fs.realpath as any).native = jest.fn();
 
 module.exports = fs;
+
+// Ensure requiring node:fs returns the mock too. This is needed for expo/config and expo/json-file.
+jest.mock('node:fs', () => fs);

packages/eas-cli/src/build/ios/build.ts

@@ -10,6 +10,7 @@ import { IosCredentials } from '../../credentials/ios/types';
 import { BuildParamsInput } from '../../graphql/generated';
 import { BuildMutation, BuildResult } from '../../graphql/mutations/BuildMutation';
 import { ensureBundleIdentifierIsDefinedForManagedProjectAsync } from '../../project/ios/bundleIdentifier';
+import { ensureNonExemptEncryptionIsDefinedForManagedProjectAsync } from '../../project/ios/exemptEncryption';
 import { resolveXcodeBuildContextAsync } from '../../project/ios/scheme';
 import { findApplicationTarget, resolveTargetsAsync } from '../../project/ios/target';
 import { BuildRequestSender, JobData, prepareBuildRequestForPlatformAsync } from '../build';
@@ -28,6 +29,7 @@ export async function createIosContextAsync(
 
   if (ctx.workflow === Workflow.MANAGED) {
     await ensureBundleIdentifierIsDefinedForManagedProjectAsync(ctx);
+    await ensureNonExemptEncryptionIsDefinedForManagedProjectAsync(ctx);
   }
 
   checkNodeEnvVariable(ctx);

packages/eas-cli/src/project/ios/__tests__/exemptEncryption-test.ts

@@ -0,0 +1,234 @@
+import { getConfig } from '@expo/config';
+import { vol } from 'memfs';
+
+import * as prompts from '../../../prompts';
+import { ensureNonExemptEncryptionIsDefinedForManagedProjectAsync } from '../exemptEncryption';
+
+jest.mock('fs');
+jest.mock('../../../prompts');
+
+beforeEach(async () => {
+  jest.resetAllMocks();
+  vol.reset();
+});
+
+test('prompts non-exempt encryption is not used', async () => {
+  const projectRoot = '/project';
+  vol.fromJSON(
+    {
+      'package.json': JSON.stringify({}),
+      'app.json': JSON.stringify({
+        expo: {
+          name: 'myproject',
+          slug: 'myproject',
+        },
+      }),
+    },
+    projectRoot
+  );
+
+  jest.mocked(prompts.confirmAsync).mockReset().mockResolvedValueOnce(true);
+
+  await ensureNonExemptEncryptionIsDefinedForManagedProjectAsync({
+    projectDir: projectRoot,
+    exp: getConfig(projectRoot, { skipSDKVersionRequirement: true }).exp,
+    nonInteractive: false,
+  });
+
+  expect(getConfig(projectRoot, { skipSDKVersionRequirement: true }).rootConfig).toEqual({
+    expo: {
+      ios: {
+        infoPlist: {
+          ITSAppUsesNonExemptEncryption: false,
+        },
+      },
+      name: 'myproject',
+      slug: 'myproject',
+    },
+  });
+});
+
+test('does not prompt if the value is already set', async () => {
+  const projectRoot = '/project';
+  vol.fromJSON(
+    {
+      'package.json': JSON.stringify({}),
+      'app.json': JSON.stringify({
+        name: 'myproject',
+        slug: 'myproject',
+        ios: {
+          infoPlist: {
+            ITSAppUsesNonExemptEncryption: false,
+          },
+        },
+      }),
+    },
+    projectRoot
+  );
+
+  // Reset but no mock values.
+  jest.mocked(prompts.confirmAsync).mockReset();
+
+  await ensureNonExemptEncryptionIsDefinedForManagedProjectAsync({
+    projectDir: projectRoot,
+    exp: getConfig(projectRoot, { skipSDKVersionRequirement: true }).exp,
+    nonInteractive: false,
+  });
+
+  expect(prompts.confirmAsync).toHaveBeenCalledTimes(0);
+
+  expect(getConfig(projectRoot, { skipSDKVersionRequirement: true }).rootConfig).toEqual({
+    ios: {
+      infoPlist: {
+        ITSAppUsesNonExemptEncryption: false,
+      },
+    },
+    name: 'myproject',
+    slug: 'myproject',
+  });
+});
+
+test('prompts non-exempt encryption in CI', async () => {
+  const projectRoot = '/project';
+  vol.fromJSON(
+    {
+      'package.json': JSON.stringify({}),
+      'app.json': JSON.stringify({
+        expo: {
+          name: 'myproject',
+          slug: 'myproject',
+        },
+      }),
+    },
+    projectRoot
+  );
+
+  // Reset but no mock values.
+  jest.mocked(prompts.confirmAsync).mockReset();
+
+  await ensureNonExemptEncryptionIsDefinedForManagedProjectAsync({
+    projectDir: projectRoot,
+    exp: getConfig(projectRoot, { skipSDKVersionRequirement: true }).exp,
+    nonInteractive: false,
+  });
+
+  expect(getConfig(projectRoot, { skipSDKVersionRequirement: true }).rootConfig).toEqual({
+    expo: {
+      ios: {
+        infoPlist: {
+          ITSAppUsesNonExemptEncryption: false,
+        },
+      },
+      name: 'myproject',
+      slug: 'myproject',
+    },
+  });
+});
+
+test('prompts non-exempt encryption is not used but app.config.js', async () => {
+  const projectRoot = '/project';
+  vol.fromJSON(
+    {
+      'package.json': JSON.stringify({}),
+      'app.config.js':
+        `module.exports = ` +
+        JSON.stringify({
+          expo: {
+            name: 'myproject',
+            slug: 'myproject',
+          },
+        }),
+    },
+    projectRoot
+  );
+
+  jest.mocked(prompts.confirmAsync).mockReset().mockResolvedValueOnce(true);
+
+  await ensureNonExemptEncryptionIsDefinedForManagedProjectAsync({
+    projectDir: projectRoot,
+    exp: getConfig(projectRoot, { skipSDKVersionRequirement: true }).exp,
+    nonInteractive: false,
+  });
+
+  // Not set.
+  expect(getConfig(projectRoot, { skipSDKVersionRequirement: true }).rootConfig).toEqual({});
+});
+
+test('prompts non-exempt encryption is used', async () => {
+  const projectRoot = '/project';
+  vol.fromJSON(
+    {
+      'package.json': JSON.stringify({}),
+      'app.json': JSON.stringify({
+        expo: {
+          name: 'myproject',
+          slug: 'myproject',
+        },
+      }),
+    },
+    projectRoot
+  );
+
+  jest
+    .mocked(prompts.confirmAsync)
+    .mockReset()
+    .mockResolvedValueOnce(false)
+    // Are you sure?
+    .mockResolvedValueOnce(true);
+
+  await ensureNonExemptEncryptionIsDefinedForManagedProjectAsync({
+    projectDir: projectRoot,
+    exp: getConfig(projectRoot, { skipSDKVersionRequirement: true }).exp,
+    nonInteractive: false,
+  });
+
+  expect(prompts.confirmAsync).toHaveBeenCalledTimes(2);
+
+  expect(getConfig(projectRoot, { skipSDKVersionRequirement: true }).rootConfig).toEqual({
+    expo: {
+      name: 'myproject',
+      slug: 'myproject',
+    },
+  });
+});
+
+test('prompts non-exempt encryption is used but backed out', async () => {
+  const projectRoot = '/project';
+  vol.fromJSON(
+    {
+      'package.json': JSON.stringify({}),
+      'app.json': JSON.stringify({
+        expo: {
+          name: 'myproject',
+          slug: 'myproject',
+        },
+      }),
+    },
+    projectRoot
+  );
+
+  jest
+    .mocked(prompts.confirmAsync)
+    .mockReset()
+    .mockResolvedValueOnce(false)
+    // Are you sure?
+    .mockResolvedValueOnce(false);
+
+  await ensureNonExemptEncryptionIsDefinedForManagedProjectAsync({
+    projectDir: projectRoot,
+    exp: getConfig(projectRoot, { skipSDKVersionRequirement: true }).exp,
+    nonInteractive: false,
+  });
+
+  expect(getConfig(projectRoot, { skipSDKVersionRequirement: true }).rootConfig).toEqual({
+    expo: {
+      name: 'myproject',
+      slug: 'myproject',
+      ios: {
+        infoPlist: {
+          ITSAppUsesNonExemptEncryption: false,
+        },
+      },
+    },
+  });
+});

packages/eas-cli/src/project/ios/exemptEncryption.ts

@@ -0,0 +1,116 @@
+import { ExpoConfig, getProjectConfigDescription, modifyConfigAsync } from '@expo/config';
+import chalk from 'chalk';
+
+import Log, { learnMore } from '../../log';
+import { confirmAsync } from '../../prompts';
+
+/** Non-exempt encryption must be set on every build in App Store Connect, we move it to before the build process to attempt only setting it once for the entire life-cycle of the project. */
+export async function ensureNonExemptEncryptionIsDefinedForManagedProjectAsync({
+  projectDir,
+  exp,
+  nonInteractive,
+}: {
+  projectDir: string;
+  exp: ExpoConfig;
+  nonInteractive: boolean;
+}): Promise<void> {
+  // TODO: We could add bare workflow support in the future.
+  // TODO: We could add wizard support for non-exempt encryption in the future.
+
+  if (exp.ios?.infoPlist?.ITSAppUsesNonExemptEncryption == null) {
+    await configureNonExemptEncryptionAsync({
+      projectDir,
+      exp,
+      nonInteractive,
+    });
+  } else {
+    Log.debug(`ITSAppUsesNonExemptEncryption is defined in the app config.`);
+  }
+}
+
+async function configureNonExemptEncryptionAsync({
+  projectDir,
+  exp,
+  nonInteractive,
+}: {
+  projectDir: string;
+  exp: ExpoConfig;
+  nonInteractive: boolean;
+}): Promise<void> {
+  const description = getProjectConfigDescription(projectDir);
+  if (nonInteractive) {
+    Log.warn(
+      chalk`${description} is missing {bold ios.infoPlist.ITSAppUsesNonExemptEncryption} boolean. Manual configuration is required in App Store Connect before the app can be tested.`
+    );
+  }
+
+  let onlyExemptEncryption = await confirmAsync({
+    message: `iOS app only uses standard/exempt encryption? ${chalk.dim(
+      learnMore(
+        'https://developer.apple.com/documentation/Security/complying-with-encryption-export-regulations'
+      )
+    )}`,
+    initial: true,
+  });
+
+  if (!onlyExemptEncryption) {
+    const confirm = await confirmAsync({
+      message: `Are you sure your app uses non-exempt encryption? Selecting 'Yes' will require annual self-classification reports for the US government.`,
+      initial: true,
+    });
+
+    if (!confirm) {
+      Log.warn(
+        chalk`Set {bold ios.infoPlist.ITSAppUsesNonExemptEncryption} in ${description} to release Apple builds faster.`
+      );
+      onlyExemptEncryption = true;
+    }
+  }
+
+  const ITSAppUsesNonExemptEncryption = !onlyExemptEncryption;
+
+  // Only set this value if the answer is no, this enables developers to see the more in-depth prompt in App Store Connect. They can set the value manually in the app.json to avoid the EAS prompt in subsequent builds.
+  if (ITSAppUsesNonExemptEncryption) {
+    Log.warn(
+      `You'll need to manually configure the encryption status in App Store Connect before your build can be tested.`
+    );
+    return;
+  }
+  // NOTE: Is is it possible to assert that the config needs to be modifiable before building the app?
+  const modification = await modifyConfigAsync(
+    projectDir,
+    {
+      ios: {
+        ...(exp.ios ?? {}),
+        infoPlist: {
+          ...(exp.ios?.infoPlist ?? {}),
+          ITSAppUsesNonExemptEncryption,
+        },
+      },
+    },
+    {
+      skipSDKVersionRequirement: true,
+    }
+  );
+
+  if (modification.type !== 'success') {
+    Log.log();
+    if (modification.type === 'warn') {
+      // The project is using a dynamic config, give the user a helpful log and bail out.
+      Log.log(chalk.yellow(modification.message));
+    }
+
+    const edits = {
+      ios: {
+        infoPlist: {
+          ITSAppUsesNonExemptEncryption,
+        },
+      },
+    };
+
+    Log.log(chalk.cyan(`Add the following to ${description}:`));
+    Log.log();
+    Log.log(JSON.stringify(edits, null, 2));
+    Log.log();
+  }
+}