Assign the entitlements that need to match the provisioning profile's - subset for lists - at analysis time.

Other entitlement validation modes to handle trickier relations, such as entitlements that must always be defined for a given provisioning profile, and variations on wildcard handling, will be addressed in subsequent changes.

Cherry-pick: 7c9b36d

Author: nglevin

apple/internal/entitlements_support.bzl

@@ -317,8 +317,37 @@ def _process_entitlements(
         "%s_entitlements.entitlements" % rule_label.name,
     )
 
+    extra_keys_to_match_profile = [
+        # Keys for values that are not lists, which must be in the profile if they are defined
+        # in the entitlements.
+        "aps-environment",
+        "com.apple.developer.applesignin",
+        "com.apple.developer.carplay-audio",
+        "com.apple.developer.carplay-charging",
+        "com.apple.developer.carplay-maps",
+        "com.apple.developer.carplay-messaging",
+        "com.apple.developer.carplay-parking",
+        "com.apple.developer.carplay-quick-ordering",
+        "com.apple.developer.declared-age-range",
+        "com.apple.developer.playable-content",
+        "com.apple.developer.networking.wifi-info",
+        "com.apple.developer.passkit.pass-presentation-suppression",
+        "com.apple.developer.payment-pass-provisioning",
+        "com.apple.developer.proximity-reader.payment.acceptance",
+        "com.apple.developer.siri",
+        "com.apple.developer.usernotifications.critical-alerts",
+        "com.apple.developer.usernotifications.time-sensitive",
+        # Keys which have a list of potential values in the profile, but only one in
+        # the entitlements that must be in the profile's list of values
+        "com.apple.developer.devicecheck.appattest-environment",
+        "com.apple.developer.nfc.readersession.formats",
+    ]
+    if platform_prerequisites.platform_type != "macos":
+        extra_keys_to_match_profile.append("com.apple.security.application-groups")
+
     entitlements_options = {
         "bundle_id": bundle_id,
+        "extra_keys_to_match_profile": extra_keys_to_match_profile,
     }
     if signing_info.profile_metadata:
         inputs.append(signing_info.profile_metadata)

tools/plisttool/plisttool.py

@@ -304,32 +304,6 @@
     'is not in the provisioning profiles potential values ("%s").'
 )
 
-# TODO: b/474331541 - Remove this hard coded list and rely on values set at
-# analysis time in entitlements_support.bzl.
-_ENTITLEMENTS_TO_VALIDATE_WITH_PROFILE = [
-    'aps-environment',
-    'com.apple.developer.applesignin',
-    'com.apple.developer.carplay-audio',
-    'com.apple.developer.carplay-charging',
-    'com.apple.developer.carplay-maps',
-    'com.apple.developer.carplay-messaging',
-    'com.apple.developer.carplay-parking',
-    'com.apple.developer.carplay-quick-ordering',
-    'com.apple.developer.declared-age-range',
-    'com.apple.developer.playable-content',
-    'com.apple.developer.networking.wifi-info',
-    'com.apple.developer.passkit.pass-presentation-suppression',
-    'com.apple.developer.payment-pass-provisioning',
-    'com.apple.developer.proximity-reader.payment.acceptance',
-    'com.apple.developer.siri',
-    'com.apple.developer.usernotifications.critical-alerts',
-    'com.apple.developer.usernotifications.time-sensitive',
-    # Keys which have a list of potential values in the profile, but only one in
-    # the entitlements that must be in the profile's list of values
-    'com.apple.developer.devicecheck.appattest-environment',
-    'com.apple.developer.nfc.readersession.formats',
-]
-
 ENTITLEMENTS_BETA_REPORTS_ACTIVE_MISMATCH = (
     'In target "%s"; the entitlements "beta-reports-active" ("%s") did not '
     'match the value in the provisioning profile ("%s").'
@@ -1211,7 +1185,7 @@ def validate_plist(self, plist):
         # at analysis time in entitlements_support.bzl.
         extra_keys_to_match = self.options.get(
             'extra_keys_to_match_profile',
-            _ENTITLEMENTS_TO_VALIDATE_WITH_PROFILE,
+            [],
         )
         self._validate_entitlements_against_profile(
             plist,
@@ -1330,18 +1304,6 @@ def _validate_entitlements_against_profile(
         'keychain-access-groups', self.target,
         supports_wildcards=True)
 
-    # TODO: b/474331541 - Remove this specific check once extra_keys_to_match is
-    # configured exclusively at analysis time, allowing us to add the
-    # com.apple.security.application-groups entitlement check for all Apple
-    # platforms except macOS.
-    #
-    # com.apple.security.application-groups
-    # (This check does not apply to macOS-only provisioning profiles.)
-    if self._profile_metadata.get('Platform', []) != ['OSX']:
-      self._check_entitlements_array(
-          entitlements, profile_entitlements,
-          'com.apple.security.application-groups', self.target)
-
     # com.apple.developer.associated-domains
     self._check_entitlements_array(
         entitlements, profile_entitlements,

tools/plisttool/plisttool_unittest.py

@@ -1749,6 +1749,9 @@ def test_entitlements_app_groups_match(self):
                 },
                 'Version': 1,
             },
+            'extra_keys_to_match_profile': [
+                'com.apple.security.application-groups',
+            ],
         },
     }, plist1)
 
@@ -1770,6 +1773,9 @@ def test_entitlements_app_groups_wildcard_no_match(self):
                   },
                   'Version': 1,
               },
+              'extra_keys_to_match_profile': [
+                  'com.apple.security.application-groups',
+              ],
           },
       })
 
@@ -1793,7 +1799,7 @@ def test_entitlements_no_app_groups_requested(self):
   def test_entitlements_app_groups_not_allowed(self):
     with self.assertRaisesRegex(
         plisttool.PlistToolError,
-        re.escape(plisttool.ENTITLEMENTS_HAS_GROUP_PROFILE_DOES_NOT % (
+        re.escape(plisttool.ENTITLEMENTS_MISSING % (
             _testing_target, 'com.apple.security.application-groups'))):
       _plisttool_result({
           'plists': [{
@@ -1808,6 +1814,9 @@ def test_entitlements_app_groups_not_allowed(self):
                   },
                   'Version': 1,
               },
+              'extra_keys_to_match_profile': [
+                  'com.apple.security.application-groups',
+              ],
           },
       })
 
@@ -1832,6 +1841,9 @@ def test_entitlements_app_groups_mismatch(self):
                   },
                   'Version': 1,
               },
+              'extra_keys_to_match_profile': [
+                  'com.apple.security.application-groups',
+              ],
           },
       })
 
@@ -1886,24 +1898,9 @@ def test_entitlements_aps_environment_missing_profile(self):
                   },
                   'Version': 1,
               },
-          },
-      }, plist)
-
-  def test_entitlements_aps_environment_mismatch_default_validation(self):
-    with self.assertRaisesRegex(
-        plisttool.PlistToolError,
-        re.escape(plisttool.ENTITLEMENTS_VALUE_MISMATCH % (
-            _testing_target, 'aps-environment', 'production', 'development'))):
-      plist = {'aps-environment': 'production'}
-      self._assert_plisttool_result({
-          'plists': [plist],
-          'entitlements_options': {
-              'profile_metadata_file': {
-                  'Entitlements': {
-                      'aps-environment': 'development',
-                  },
-                  'Version': 1,
-              },
+              'extra_keys_to_match_profile': [
+                  'aps-environment',
+              ],
           },
       }, plist)
 
@@ -1928,21 +1925,6 @@ def test_entitlements_aps_environment_mismatch(self):
           },
       }, plist)
 
-  def test_attest_valid_default_validation(self):
-    plist = {
-      'com.apple.developer.devicecheck.appattest-environment': 'development'}
-    self._assert_plisttool_result({
-        'plists': [plist],
-        'entitlements_options': {
-            'profile_metadata_file': {
-                'Entitlements': {
-                    'com.apple.developer.devicecheck.appattest-environment': ['development', 'production'],
-                },
-                'Version': 1,
-            },
-        },
-    }, plist)
-
   def test_attest_valid(self):
     plist = {
         'com.apple.developer.devicecheck.appattest-environment': 'development'}
@@ -1963,28 +1945,6 @@ def test_attest_valid(self):
             },
         }, plist)
 
-  def test_attest_mismatch_default_validation(self):
-    with self.assertRaisesRegex(
-        plisttool.PlistToolError,
-        re.escape(plisttool.ENTITLEMENTS_VALUE_NOT_IN_LIST %
-                  (_testing_target,
-                   'com.apple.developer.devicecheck.appattest-environment',
-                   'foo', ['development']))):
-      plist = {'com.apple.developer.devicecheck.appattest-environment': 'foo'}
-      self._assert_plisttool_result(
-          {
-              'plists': [plist],
-              'entitlements_options': {
-                  'profile_metadata_file': {
-                      'Entitlements': {
-                          'com.apple.developer.devicecheck.appattest-environment':
-                              ['development'],
-                      },
-                      'Version': 1,
-                  },
-              },
-          }, plist)
-
   def test_attest_mismatch(self):
     with self.assertRaisesRegex(
         plisttool.PlistToolError,
@@ -2057,20 +2017,6 @@ def test_entitlements_profile_missing_beta_reports_active(self):
           },
       }, plist)
 
-  def test_entitlements_missing_wifi_info_active_default_validation(self):
-    plist = {}
-    self._assert_plisttool_result({
-        'plists': [plist],
-        'entitlements_options': {
-            'profile_metadata_file': {
-                'Entitlements': {
-                    'com.apple.developer.networking.wifi-info': True,
-                },
-                'Version': 1,
-            },
-        },
-    }, plist)
-
   def test_entitlements_missing_wifi_info_active(self):
     plist = {}
     self._assert_plisttool_result({
@@ -2088,25 +2034,6 @@ def test_entitlements_missing_wifi_info_active(self):
         },
     }, plist)
 
-  def test_entitlements_wifi_info_active_mismatch_default_validation(self):
-    with self.assertRaisesRegex(
-        plisttool.PlistToolError,
-        re.escape(plisttool.ENTITLEMENTS_VALUE_MISMATCH % (
-            _testing_target, 'com.apple.developer.networking.wifi-info',
-            'False', 'True'))):
-      plist = {'com.apple.developer.networking.wifi-info': False}
-      self._assert_plisttool_result({
-          'plists': [plist],
-          'entitlements_options': {
-              'profile_metadata_file': {
-                  'Entitlements': {
-                      'com.apple.developer.networking.wifi-info': True,
-                  },
-                  'Version': 1,
-              },
-          },
-      }, plist)
-
   def test_entitlements_wifi_info_active_mismatch(self):
     with self.assertRaisesRegex(
         plisttool.PlistToolError,
@@ -2145,26 +2072,6 @@ def test_entitlements_wifi_info_active_mismatch_with_no_extra_keys_to_match(self
         },
     }, plist)
 
-  def test_entitlements_profile_missing_wifi_info_active_default_validation(self):
-    with self.assertRaisesRegex(
-        plisttool.PlistToolError,
-        re.escape(
-            plisttool.ENTITLEMENTS_MISSING %
-            (_testing_target, 'com.apple.developer.networking.wifi-info'))):
-      plist = {'com.apple.developer.networking.wifi-info': True}
-      self._assert_plisttool_result({
-          'plists': [plist],
-          'entitlements_options': {
-              'profile_metadata_file': {
-                  'Entitlements': {
-                      'application-identifier': 'QWERTY.*',
-                      # No wifi-info
-                  },
-                  'Version': 1,
-              },
-          },
-      }, plist)
-
   def test_entitlements_profile_missing_wifi_info_active(self):
     with self.assertRaisesRegex(
         plisttool.PlistToolError,