Add an analysis time configurable option to customize the keys we compare values between entitlements xml and the assigned provisioning profile.

nglevin · luispadron · commit 23c30d1a93f4 · 2026-03-27T16:06:12.000-04:00
This only covers the simple case (exact match) and not the more complex cases that have special handling today in plisttool.py. These could also be pulled out as analysis time configurable options, with different arguments or additional arguments to tweak specific behavior. Cherry-pick: e9f9f61
diff --git a/tools/plisttool/plisttool.py b/tools/plisttool/plisttool.py
@@ -76,6 +76,8 @@
       `child_plists`), and the valures are a list of key/value pairs. The
       key/value pairs are encoded as a list of exactly two items, the key is
       actually an array of keys, so it can walk into the child plist.
+  entitlements_to_validate_with_profile: If present, a list of entitlements keys
+      that should be validated as being present in the provisioning profile.
 
 If info_plist_options is present, validation will be performed on the output
 file after merging is complete. If any of the following conditions are not
@@ -302,7 +304,9 @@
     'is not in the provisioning profiles potential values ("%s").'
 )
 
-_ENTITLEMENTS_TO_VALIDATE_WITH_PROFILE = (
+# TODO: b/474331541 - Remove this hard coded list and rely on values set at
+# analysis time in entitlements_support.bzl.
+_ENTITLEMENTS_TO_VALIDATE_WITH_PROFILE = [
     'aps-environment',
     'com.apple.developer.applesignin',
     'com.apple.developer.carplay-audio',
@@ -323,7 +327,7 @@
     # Keys which have a list of potential values in the profile, but only one in
     # the entitlements that must be in the profile's list of values
     'com.apple.developer.devicecheck.appattest-environment',
-)
+]
 
 ENTITLEMENTS_BETA_REPORTS_ACTIVE_MISMATCH = (
     'In target "%s"; the entitlements "beta-reports-active" ("%s") did not '
@@ -360,7 +364,10 @@
 
 # All valid keys in the entitlements_options control structure.
 _ENTITLEMENTS_OPTIONS_KEYS = frozenset([
-    'bundle_id', 'profile_metadata_file', 'validation_mode',
+    'bundle_id',
+    'extra_keys_to_match_profile',
+    'profile_metadata_file', 
+    'validation_mode',
 ])
 
 # Two regexes for variable matching/validation.
@@ -1190,7 +1197,15 @@ def validate_plist(self, plist):
       self._sanity_check_profile()
 
       if self._validation_mode != 'skip':
-        self._validate_entitlements_against_profile(plist)
+        extra_keys_to_match = self.options.get(
+            'extra_keys_to_match_profile',
+        )
+        if not extra_keys_to_match:
+          extra_keys_to_match = _ENTITLEMENTS_TO_VALIDATE_WITH_PROFILE
+        self._validate_entitlements_against_profile(
+            plist,
+            extra_keys_to_match,
+        )
 
   def _validate_bundle_id_covered(self, bundle_id, entitlements):
     """Checks that the bundle id is covered by the entitlements.
@@ -1241,11 +1256,21 @@ def _sanity_check_profile(self):
     # for setting up substitutions. At the moment no validation between them
     # is being done.
 
-  def _validate_entitlements_against_profile(self, entitlements):
+  def _validate_entitlements_against_profile(
+      self, entitlements, extra_keys_to_match
+  ):
     """Checks that the given entitlements are valid for the current profile.
 
     Args:
       entitlements: The entitlements.
+<<<<<<< HEAD
+||||||| parent of e9f9f61b (Add an analysis time configurable option to customize the keys we compare values between entitlements xml and the assigned provisioning profile.)
+
+=======
+      extra_keys_to_match: A list of additional entitlements keys to validate
+          that their values match those of the provisioning profile exactly.
+
+>>>>>>> e9f9f61b (Add an analysis time configurable option to customize the keys we compare values between entitlements xml and the assigned provisioning profile.)
     Raises:
       PlistToolError: For any issues found.
     """
@@ -1275,7 +1300,7 @@ def _validate_entitlements_against_profile(self, entitlements):
             ENTITLEMENTS_APP_ID_PROFILE_MISMATCH % (
                 self.target, src_app_id, profile_app_id))
 
-    for entitlement in _ENTITLEMENTS_TO_VALIDATE_WITH_PROFILE:
+    for entitlement in extra_keys_to_match:
       self._check_entitlement_matches_profile_value(
           entitlement=entitlement,
           entitlements=entitlements,
diff --git a/tools/plisttool/plisttool_unittest.py b/tools/plisttool/plisttool_unittest.py
@@ -1887,6 +1887,24 @@ def test_entitlements_aps_environment_missing_profile(self):
           },
       }, plist)
 
+  def test_entitlements_aps_environment_mismatch_default_validation(self):
+    with self.assertRaisesRegex(
+        plisttool.PlistToolError,
+        re.escape(plisttool.ENTITLEMENTS_VALUE_MISMATCH % (
+            _testing_target, 'aps-environment', 'production', 'development'))):
+      plist = {'aps-environment': 'production'}
+      self._assert_plisttool_result({
+          'plists': [plist],
+          'entitlements_options': {
+              'profile_metadata_file': {
+                  'Entitlements': {
+                      'aps-environment': 'development',
+                  },
+                  'Version': 1,
+              },
+          },
+      }, plist)
+
   def test_entitlements_aps_environment_mismatch(self):
     with self.assertRaisesRegex(
         plisttool.PlistToolError,
@@ -1896,6 +1914,9 @@ def test_entitlements_aps_environment_mismatch(self):
       self._assert_plisttool_result({
           'plists': [plist],
           'entitlements_options': {
+              'extra_keys_to_match_profile': [
+                  'aps-environment',
+              ],
               'profile_metadata_file': {
                   'Entitlements': {
                       'aps-environment': 'development',
@@ -1905,7 +1926,7 @@ def test_entitlements_aps_environment_mismatch(self):
           },
       }, plist)
 
-  def test_attest_valid(self):
+  def test_attest_valid_default_validation(self):
     plist = {
       'com.apple.developer.devicecheck.appattest-environment': 'development'}
     self._assert_plisttool_result({
@@ -1920,6 +1941,48 @@ def test_attest_valid(self):
         },
     }, plist)
 
+  def test_attest_valid(self):
+    plist = {
+        'com.apple.developer.devicecheck.appattest-environment': 'development'}
+    self._assert_plisttool_result(
+        {
+            'plists': [plist],
+            'entitlements_options': {
+                'extra_keys_to_match_profile': [
+                    'com.apple.developer.devicecheck.appattest-environment',
+                ],
+                'profile_metadata_file': {
+                    'Entitlements': {
+                        'com.apple.developer.devicecheck.appattest-environment':
+                            ['development', 'production'],
+                    },
+                    'Version': 1,
+                },
+            },
+        }, plist)
+
+  def test_attest_mismatch_default_validation(self):
+    with self.assertRaisesRegex(
+        plisttool.PlistToolError,
+        re.escape(plisttool.ENTITLEMENTS_VALUE_NOT_IN_LIST %
+                  (_testing_target,
+                   'com.apple.developer.devicecheck.appattest-environment',
+                   'foo', ['development']))):
+      plist = {'com.apple.developer.devicecheck.appattest-environment': 'foo'}
+      self._assert_plisttool_result(
+          {
+              'plists': [plist],
+              'entitlements_options': {
+                  'profile_metadata_file': {
+                      'Entitlements': {
+                          'com.apple.developer.devicecheck.appattest-environment':
+                              ['development'],
+                      },
+                      'Version': 1,
+                  },
+              },
+          }, plist)
+
   def test_attest_mismatch(self):
     with self.assertRaisesRegex(
         plisttool.PlistToolError,
@@ -1932,6 +1995,9 @@ def test_attest_mismatch(self):
       self._assert_plisttool_result({
           'plists': [plist],
           'entitlements_options': {
+              'extra_keys_to_match_profile': [
+                   'com.apple.developer.devicecheck.appattest-environment',
+              ],
               'profile_metadata_file': {
                   'Entitlements': {
                       'com.apple.developer.devicecheck.appattest-environment': ['development'],
@@ -1989,11 +2055,28 @@ def test_entitlements_profile_missing_beta_reports_active(self):
           },
       }, plist)
 
+  def test_entitlements_missing_wifi_info_active_default_validation(self):
+    plist = {}
+    self._assert_plisttool_result({
+        'plists': [plist],
+        'entitlements_options': {
+            'profile_metadata_file': {
+                'Entitlements': {
+                    'com.apple.developer.networking.wifi-info': True,
+                },
+                'Version': 1,
+            },
+        },
+    }, plist)
+
   def test_entitlements_missing_wifi_info_active(self):
     plist = {}
     self._assert_plisttool_result({
         'plists': [plist],
         'entitlements_options': {
+            'extra_keys_to_match_profile': [
+                'com.apple.developer.networking.wifi-info',
+            ],
             'profile_metadata_file': {
                 'Entitlements': {
                     'com.apple.developer.networking.wifi-info': True,
@@ -2003,6 +2086,25 @@ def test_entitlements_missing_wifi_info_active(self):
         },
     }, plist)
 
+  def test_entitlements_wifi_info_active_mismatch_default_validation(self):
+    with self.assertRaisesRegex(
+        plisttool.PlistToolError,
+        re.escape(plisttool.ENTITLEMENTS_VALUE_MISMATCH % (
+            _testing_target, 'com.apple.developer.networking.wifi-info',
+            'False', 'True'))):
+      plist = {'com.apple.developer.networking.wifi-info': False}
+      self._assert_plisttool_result({
+          'plists': [plist],
+          'entitlements_options': {
+              'profile_metadata_file': {
+                  'Entitlements': {
+                      'com.apple.developer.networking.wifi-info': True,
+                  },
+                  'Version': 1,
+              },
+          },
+      }, plist)
+
   def test_entitlements_wifi_info_active_mismatch(self):
     with self.assertRaisesRegex(
         plisttool.PlistToolError,
@@ -2013,6 +2115,9 @@ def test_entitlements_wifi_info_active_mismatch(self):
       self._assert_plisttool_result({
           'plists': [plist],
           'entitlements_options': {
+              'extra_keys_to_match_profile': [
+                  'com.apple.developer.networking.wifi-info',
+              ],
               'profile_metadata_file': {
                   'Entitlements': {
                       'com.apple.developer.networking.wifi-info': True,
@@ -2022,6 +2127,26 @@ def test_entitlements_wifi_info_active_mismatch(self):
           },
       }, plist)
 
+  def test_entitlements_profile_missing_wifi_info_active_default_validation(self):
+    with self.assertRaisesRegex(
+        plisttool.PlistToolError,
+        re.escape(
+            plisttool.ENTITLEMENTS_MISSING %
+            (_testing_target, 'com.apple.developer.networking.wifi-info'))):
+      plist = {'com.apple.developer.networking.wifi-info': True}
+      self._assert_plisttool_result({
+          'plists': [plist],
+          'entitlements_options': {
+              'profile_metadata_file': {
+                  'Entitlements': {
+                      'application-identifier': 'QWERTY.*',
+                      # No wifi-info
+                  },
+                  'Version': 1,
+              },
+          },
+      }, plist)
+
   def test_entitlements_profile_missing_wifi_info_active(self):
     with self.assertRaisesRegex(
         plisttool.PlistToolError,
@@ -2032,6 +2157,9 @@ def test_entitlements_profile_missing_wifi_info_active(self):
       self._assert_plisttool_result({
           'plists': [plist],
           'entitlements_options': {
+              'extra_keys_to_match_profile': [
+                  'com.apple.developer.networking.wifi-info',
+              ],
               'profile_metadata_file': {
                   'Entitlements': {
                       'application-identifier': 'QWERTY.*',
