Add support for handling secure_features within test rules, and a small array of tests to verify that it's taking effect when the starlark build config to drop arm64e slices is active.

Cherry-pick: 83c9cd9

Author: nglevin

apple/internal/rule_attrs.bzl

@@ -334,6 +334,12 @@ binaries/libraries will be created combining all architectures specified by
 def _test_bundle_attrs():
     """Attributes required for rules that are built to support test rules like ios_unit_test."""
     return {
+        "secure_features": attr.string_list(
+            doc = """
+A list of strings representing Apple Enhanced Security crosstool features that should be enabled for
+this test bundle, independent of the test host (if any).
+""",
+        ),
         # We need to add an explicit output attribute so that the output file name from the test
         # bundle target matches the test name, otherwise, it we'd be breaking the assumption that
         # ios_unit_test(name = "Foo") creates a :Foo.zip target.

apple/internal/testing/BUILD

@@ -36,6 +36,7 @@ bzl_library(
         "//apple/internal:providers",
         "//apple/internal:resources",
         "//apple/internal:rule_support",
+        "//apple/internal:secure_features_support",
         "//apple/internal:swift_support",
         "//apple/internal/utils:clang_rt_dylibs",
         "@bazel_skylib//lib:types",

apple/internal/testing/apple_test_assembler.bzl

@@ -35,6 +35,7 @@ _BUNDLE_ATTRS = {
         "linkopts",
         "provisioning_profile",
         "resources",
+        "secure_features",
         "stamp",
     ]
 }

apple/internal/testing/apple_test_bundle_support.bzl

@@ -79,6 +79,10 @@ load(
     "//apple/internal:rule_support.bzl",
     "rule_support",
 )
+load(
+    "//apple/internal:secure_features_support.bzl",
+    "secure_features_support",
+)
 load(
     "//apple/internal:swift_support.bzl",
     "swift_support",
@@ -365,6 +369,7 @@ def _apple_test_bundle_impl(*, ctx, product_type):
     actions = ctx.actions
     apple_mac_toolchain_info = ctx.attr._mac_toolchain[AppleMacToolsToolchainInfo]
     apple_xplat_toolchain_info = ctx.attr._xplat_toolchain[AppleXPlatToolsToolchainInfo]
+    cc_configured_features_init = features_support.make_cc_configured_features_init(ctx)
     cc_toolchain_forwarder = ctx.split_attr._cc_toolchain_forwarder
     executable_name = ctx.attr.executable_name
     features = features_support.compute_enabled_features(
@@ -395,6 +400,14 @@ def _apple_test_bundle_impl(*, ctx, product_type):
         test_host = test_host,
     )
 
+    # Check that the requested secure features are supported and enabled for the toolchain.
+    secure_features_support.validate_secure_features_support(
+        cc_configured_features_init = cc_configured_features_init,
+        cc_toolchain_forwarder = cc_toolchain_forwarder,
+        rule_label = label,
+        secure_features = ctx.attr.secure_features,
+    )
+
     predeclared_outputs = ctx.outputs
     provisioning_profile = ctx.file.provisioning_profile
     resource_deps = ctx.attr.deps + ctx.attr.resources

test/starlark_tests/ios_ui_test_tests.bzl

@@ -199,9 +199,39 @@ def ios_ui_test_test_suite(name):
         tags = [name],
     )
 
-    # TODO: b/449684779 - Check how enhanced security entitlements propagate from test to test host.
+    archive_contents_test(
+        name = "{}_pointer_authentication_arm64e_device_archs_with_pointer_authentication_test".format(name),
+        build_type = "device",
+        target_under_test = "//test/starlark_tests/targets_under_test/ios:simple_pointer_authentication_ui_test",
+        cpus = {
+            "ios_multi_cpus": ["arm64", "arm64e"],
+            "watchos_cpus": [],
+        },
+        binary_test_file = "$BINARY",
+        binary_test_architecture = "arm64e",
+        macho_load_commands_contain = ["cmd LC_BUILD_VERSION", "platform IOS"],
+        tags = [name],
+    )
+    archive_contents_test(
+        name = "{}_pointer_authentication_arm64_device_archs_with_pointer_authentication_test".format(name),
+        build_type = "device",
+        target_under_test = "//test/starlark_tests/targets_under_test/ios:simple_pointer_authentication_ui_test",
+        cpus = {
+            "ios_multi_cpus": ["arm64", "arm64e"],
+            "watchos_cpus": [],
+        },
+        binary_test_file = "$BINARY",
+        binary_test_architecture = "arm64",
+        macho_load_commands_contain = ["cmd LC_BUILD_VERSION", "platform IOS"],
+        tags = [name],
+    )
 
-    # TODO: b/449684779 - Use arm64e support to test binary contents and how they propagate.
+    analysis_failure_message_test(
+        name = "{}_secure_features_disabled_at_rule_level_should_fail_test".format(name),
+        target_under_test = "//test/starlark_tests/targets_under_test/ios:simple_enhanced_security_ui_test_with_rule_level_disabled_features",
+        expected_error = "Attempted to enable the secure feature `trivial_auto_var_init` for the target at `//test/starlark_tests/targets_under_test/ios:simple_enhanced_security_ui_test_with_rule_level_disabled_features.__internal__.__test_bundle`",
+        tags = [name],
+    )
 
     native.test_suite(
         name = name,

test/starlark_tests/ios_unit_test_tests.bzl

@@ -312,9 +312,39 @@ def ios_unit_test_test_suite(name):
         tags = [name],
     )
 
-    # TODO: b/449684779 - Check how enhanced security entitlements propagate from test to test host.
+    archive_contents_test(
+        name = "{}_pointer_authentication_arm64e_device_archs_with_pointer_authentication_test".format(name),
+        build_type = "device",
+        target_under_test = "//test/starlark_tests/targets_under_test/ios:simple_pointer_authentication_unit_test",
+        cpus = {
+            "ios_multi_cpus": ["arm64", "arm64e"],
+            "watchos_cpus": [],
+        },
+        binary_test_file = "$BINARY",
+        binary_test_architecture = "arm64e",
+        macho_load_commands_contain = ["cmd LC_BUILD_VERSION", "platform IOS"],
+        tags = [name],
+    )
+    archive_contents_test(
+        name = "{}_pointer_authentication_arm64_device_archs_with_pointer_authentication_test".format(name),
+        build_type = "device",
+        target_under_test = "//test/starlark_tests/targets_under_test/ios:simple_pointer_authentication_unit_test",
+        cpus = {
+            "ios_multi_cpus": ["arm64", "arm64e"],
+            "watchos_cpus": [],
+        },
+        binary_test_file = "$BINARY",
+        binary_test_architecture = "arm64",
+        macho_load_commands_contain = ["cmd LC_BUILD_VERSION", "platform IOS"],
+        tags = [name],
+    )
 
-    # TODO: b/449684779 - Use arm64e support to test binary contents and how they propagate.
+    analysis_failure_message_test(
+        name = "{}_secure_features_disabled_at_rule_level_should_fail_test".format(name),
+        target_under_test = "//test/starlark_tests/targets_under_test/ios:simple_enhanced_security_unit_test_with_rule_level_disabled_features",
+        expected_error = "Attempted to enable the secure feature `trivial_auto_var_init` for the target at `//test/starlark_tests/targets_under_test/ios:simple_enhanced_security_unit_test_with_rule_level_disabled_features.__internal__.__test_bundle`",
+        tags = [name],
+    )
 
     native.test_suite(
         name = name,

test/starlark_tests/targets_under_test/ios/BUILD

@@ -3667,6 +3667,58 @@ ios_ui_test(
     ],
 )
 
+ios_ui_test(
+    name = "simple_pointer_authentication_ui_test",
+    families = [
+        "iphone",
+    ],
+    infoplists = [
+        "//test/starlark_tests/resources:Info.plist",
+    ],
+    minimum_os_version = common.min_os_ios.baseline,
+    provisioning_profile = "//test/testdata/provisioning:integration_testing_ios.mobileprovision",
+    runner = "//test/starlark_tests/targets_under_test/apple:dummy_test_runner",
+    secure_features = [
+        "apple.xcode_26_minimum_opt_in",
+        "pointer_authentication",
+    ],
+    tags = common.fixture_tags,
+    test_host = ":app",
+    deps = [
+        "//test/starlark_tests/resources:objc_test_lib",
+    ],
+)
+
+ios_ui_test(
+    name = "simple_enhanced_security_ui_test_with_rule_level_disabled_features",
+    families = [
+        "iphone",
+    ],
+    features = [
+        "-apple.xcode_26_minimum_opt_in",
+        "-trivial_auto_var_init",
+    ],
+    infoplists = [
+        "//test/starlark_tests/resources:Info.plist",
+    ],
+    minimum_os_version = common.min_os_ios.baseline,
+    provisioning_profile = "//test/testdata/provisioning:integration_testing_ios.mobileprovision",
+    resources = [
+        "//test/starlark_tests/resources:example_filegroup",
+        "//test/starlark_tests/resources:resource_bundle",
+    ],
+    runner = "//test/starlark_tests/targets_under_test/apple:dummy_test_runner",
+    secure_features = [
+        "apple.xcode_26_minimum_opt_in",
+        "trivial_auto_var_init",
+    ],
+    tags = common.fixture_tags,
+    test_host = ":app",
+    deps = [
+        "//test/starlark_tests/resources:objc_test_lib",
+    ],
+)
+
 xctrunner(
     name = "ui_test_xctrunner_app",
     testonly = True,
@@ -3947,6 +3999,62 @@ ios_unit_test(
     ],
 )
 
+ios_unit_test(
+    name = "simple_pointer_authentication_unit_test",
+    families = [
+        "iphone",
+    ],
+    infoplists = [
+        "//test/starlark_tests/resources:Info.plist",
+    ],
+    minimum_os_version = common.min_os_ios.baseline,
+    provisioning_profile = "//test/testdata/provisioning:integration_testing_ios.mobileprovision",
+    resources = [
+        "//test/starlark_tests/resources:example_filegroup",
+        "//test/starlark_tests/resources:resource_bundle",
+    ],
+    runner = "//test/starlark_tests/targets_under_test/apple:dummy_test_runner",
+    secure_features = [
+        "apple.xcode_26_minimum_opt_in",
+        "pointer_authentication",
+    ],
+    tags = common.fixture_tags,
+    test_host = ":app",
+    deps = [
+        "//test/starlark_tests/resources:objc_test_lib",
+    ],
+)
+
+ios_unit_test(
+    name = "simple_enhanced_security_unit_test_with_rule_level_disabled_features",
+    families = [
+        "iphone",
+    ],
+    features = [
+        "-apple.xcode_26_minimum_opt_in",
+        "-trivial_auto_var_init",
+    ],
+    infoplists = [
+        "//test/starlark_tests/resources:Info.plist",
+    ],
+    minimum_os_version = common.min_os_ios.baseline,
+    provisioning_profile = "//test/testdata/provisioning:integration_testing_ios.mobileprovision",
+    resources = [
+        "//test/starlark_tests/resources:example_filegroup",
+        "//test/starlark_tests/resources:resource_bundle",
+    ],
+    runner = "//test/starlark_tests/targets_under_test/apple:dummy_test_runner",
+    secure_features = [
+        "apple.xcode_26_minimum_opt_in",
+        "trivial_auto_var_init",
+    ],
+    tags = common.fixture_tags,
+    test_host = ":app",
+    deps = [
+        "//test/starlark_tests/resources:objc_test_lib",
+    ],
+)
+
 # ---------------------------------------------------------------------------------------
 # Targets for the app/test resource deduping test.