
Commit 5cd311f

nglevinluispadron
authored andcommitted
Add an analysis time configurable option to customize the keys we compare values between entitlements xml and the assigned provisioning profile.
This only covers the simple case (exact match) and not the more complex cases that have special handling today in plisttool.py. These could also be pulled out as analysis time configurable options, with different arguments or additional arguments to tweak specific behavior. Cherry-pick: e9f9f61
1 parent 69b13be commit 5cd311f


2 files changed

+160
-7
lines changed


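--- a/tools/plisttool/plisttool.py
+++ b/tools/plisttool/plisttool.py
@@ -76,6 +76,8 @@
 `child_plists`), and the valures are a list of key/value pairs. The
 key/value pairs are encoded as a list of exactly two items, the key is
 actually an array of keys, so it can walk into the child plist.
+entitlements_to_validate_with_profile: If present, a list of entitlements keys
+that should be validated as being present in the provisioning profile.
 
 If info_plist_options is present, validation will be performed on the output
 file after merging is complete. If any of the following conditions are not
@@ -302,7 +304,9 @@
 'is not in the provisioning profiles potential values ("%s").'
 )
 
-_ENTITLEMENTS_TO_VALIDATE_WITH_PROFILE = (
+# TODO: b/474331541 - Remove this hard coded list and rely on values set at
+# analysis time in entitlements_support.bzl.
+_ENTITLEMENTS_TO_VALIDATE_WITH_PROFILE = [
 'aps-environment',
 'com.apple.developer.applesignin',
 'com.apple.developer.carplay-audio',
@@ -323,7 +327,7 @@
 # Keys which have a list of potential values in the profile, but only one in
 # the entitlements that must be in the profile's list of values
 'com.apple.developer.devicecheck.appattest-environment',
-)
+]
 
 ENTITLEMENTS_BETA_REPORTS_ACTIVE_MISMATCH = (
 'In target "%s"; the entitlements "beta-reports-active" ("%s") did not '
@@ -360,7 +364,10 @@
 
 # All valid keys in the entitlements_options control structure.
 _ENTITLEMENTS_OPTIONS_KEYS = frozenset([
-'bundle_id', 'profile_metadata_file', 'validation_mode',
+'bundle_id',
+'extra_keys_to_match_profile',
+'profile_metadata_file',
+'validation_mode',
 ])
 
 # Two regexes for variable matching/validation.
@@ -1199,7 +1206,15 @@ def validate_plist(self, plist):
 self._sanity_check_profile()
 
 if self._validation_mode != 'skip':
-self._validate_entitlements_against_profile(plist)
+extra_keys_to_match = self.options.get(
+'extra_keys_to_match_profile',
+)
+if not extra_keys_to_match:
+extra_keys_to_match = _ENTITLEMENTS_TO_VALIDATE_WITH_PROFILE
+self._validate_entitlements_against_profile(
+plist,
+extra_keys_to_match,
+)
 
 def _validate_bundle_id_covered(self, bundle_id, entitlements):
 """Checks that the bundle id is covered by the entitlements.
@@ -1250,11 +1265,21 @@ def _sanity_check_profile(self):
 # for setting up substitutions. At the moment no validation between them
 # is being done.
 
-def _validate_entitlements_against_profile(self, entitlements):
+def _validate_entitlements_against_profile(
+self, entitlements, extra_keys_to_match
+):
 """Checks that the given entitlements are valid for the current profile.
 
 Args:
 entitlements: The entitlements.
+<<<<<<< HEAD
+||||||| parent of e9f9f61b (Add an analysis time configurable option to customize the keys we compare values between entitlements xml and the assigned provisioning profile.)
+
+=======
+extra_keys_to_match: A list of additional entitlements keys to validate
+that their values match those of the provisioning profile exactly.
+
+>>>>>>> e9f9f61b (Add an analysis time configurable option to customize the keys we compare values between entitlements xml and the assigned provisioning profile.)
 Raises:
 PlistToolError: For any issues found.
 """
@@ -1284,7 +1309,7 @@ def _validate_entitlements_against_profile(self, entitlements):
 ENTITLEMENTS_APP_ID_PROFILE_MISMATCH % (
 self.target, src_app_id, profile_app_id))
 
-for entitlement in _ENTITLEMENTS_TO_VALIDATE_WITH_PROFILE:
+for entitlement in extra_keys_to_match:
 self._check_entitlement_matches_profile_value(
 entitlement=entitlement,
 entitlements=entitlements,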
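Review bot: In `validate_plist`, a non-empty `extra_keys_to_match_profile` replaces `_ENTITLEMENTS_TO_VALIDATE_WITH_PROFILE` instead of extending it, so a target that passes a single key is no longer checked against the provisioning profile for any of the other built-in keys, even though the option name and the new docstring entry say "extra" and "additional". If replacement is intended (the TODO suggests it is), say so in the docstring, e.g. `extra_keys_to_match: The complete list of entitlements keys whose values must match the provisioning profile; replaces the built-in list.`; otherwise iterate over the union of both lists. The docstring of `_validate_entitlements_against_profile` was also committed with unresolved merge-conflict markers (`<<<<<<< HEAD`, `||||||| parent of e9f9f61b`, `=======`, `>>>>>>> e9f9f61b`), which should be deleted so that only the `extra_keys_to_match:` entry remains. The module docstring documents the option as `entitlements_to_validate_with_profile`, while the key accepted in `_ENTITLEMENTS_OPTIONS_KEYS` and read in `validate_plist` is `extra_keys_to_match_profile`; the two names should agree. Both function bodies continue outside the hunks shown.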

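--- a/tools/plisttool/plisttool_unittest.py
+++ b/tools/plisttool/plisttool_unittest.py
@@ -1889,6 +1889,24 @@ def test_entitlements_aps_environment_missing_profile(self):
 },
 }, plist)
 
+def test_entitlements_aps_environment_mismatch_default_validation(self):
+with self.assertRaisesRegex(
+plisttool.PlistToolError,
+re.escape(plisttool.ENTITLEMENTS_VALUE_MISMATCH % (
+_testing_target, 'aps-environment', 'production', 'development'))):
+plist = {'aps-environment': 'production'}
+self._assert_plisttool_result({
+'plists': [plist],
+'entitlements_options': {
+'profile_metadata_file': {
+'Entitlements': {
+'aps-environment': 'development',
+},
+'Version': 1,
+},
+},
+}, plist)
+
 def test_entitlements_aps_environment_mismatch(self):
 with self.assertRaisesRegex(
 plisttool.PlistToolError,
@@ -1898,6 +1916,9 @@ def test_entitlements_aps_environment_mismatch(self):
 self._assert_plisttool_result({
 'plists': [plist],
 'entitlements_options': {
+'extra_keys_to_match_profile': [
+'aps-environment',
+],
 'profile_metadata_file': {
 'Entitlements': {
 'aps-environment': 'development',
@@ -1907,7 +1928,7 @@ def test_entitlements_aps_environment_mismatch(self):
 },
 }, plist)
 
-def test_attest_valid(self):
+def test_attest_valid_default_validation(self):
 plist = {
 'com.apple.developer.devicecheck.appattest-environment': 'development'}
 self._assert_plisttool_result({
@@ -1922,6 +1943,48 @@ def test_attest_valid(self):
 },
 }, plist)
 
+def test_attest_valid(self):
+plist = {
+'com.apple.developer.devicecheck.appattest-environment': 'development'}
+self._assert_plisttool_result(
+{
+'plists': [plist],
+'entitlements_options': {
+'extra_keys_to_match_profile': [
+'com.apple.developer.devicecheck.appattest-environment',
+],
+'profile_metadata_file': {
+'Entitlements': {
+'com.apple.developer.devicecheck.appattest-environment':
+['development', 'production'],
+},
+'Version': 1,
+},
+},
+}, plist)
+
+def test_attest_mismatch_default_validation(self):
+with self.assertRaisesRegex(
+plisttool.PlistToolError,
+re.escape(plisttool.ENTITLEMENTS_VALUE_NOT_IN_LIST %
+(_testing_target,
+'com.apple.developer.devicecheck.appattest-environment',
+'foo', ['development']))):
+plist = {'com.apple.developer.devicecheck.appattest-environment': 'foo'}
+self._assert_plisttool_result(
+{
+'plists': [plist],
+'entitlements_options': {
+'profile_metadata_file': {
+'Entitlements': {
+'com.apple.developer.devicecheck.appattest-environment':
+['development'],
+},
+'Version': 1,
+},
+},
+}, plist)
+
 def test_attest_mismatch(self):
 with self.assertRaisesRegex(
 plisttool.PlistToolError,
@@ -1934,6 +1997,9 @@ def test_attest_mismatch(self):
 self._assert_plisttool_result({
 'plists': [plist],
 'entitlements_options': {
+'extra_keys_to_match_profile': [
+'com.apple.developer.devicecheck.appattest-environment',
+],
 'profile_metadata_file': {
 'Entitlements': {
 'com.apple.developer.devicecheck.appattest-environment': ['development'],
@@ -1991,11 +2057,28 @@ def test_entitlements_profile_missing_beta_reports_active(self):
 },
 }, plist)
 
+def test_entitlements_missing_wifi_info_active_default_validation(self):
+plist = {}
+self._assert_plisttool_result({
+'plists': [plist],
+'entitlements_options': {
+'profile_metadata_file': {
+'Entitlements': {
+'com.apple.developer.networking.wifi-info': True,
+},
+'Version': 1,
+},
+},
+}, plist)
+
 def test_entitlements_missing_wifi_info_active(self):
 plist = {}
 self._assert_plisttool_result({
 'plists': [plist],
 'entitlements_options': {
+'extra_keys_to_match_profile': [
+'com.apple.developer.networking.wifi-info',
+],
 'profile_metadata_file': {
 'Entitlements': {
 'com.apple.developer.networking.wifi-info': True,
@@ -2005,6 +2088,25 @@ def test_entitlements_missing_wifi_info_active(self):
 },
 }, plist)
 
+def test_entitlements_wifi_info_active_mismatch_default_validation(self):
+with self.assertRaisesRegex(
+plisttool.PlistToolError,
+re.escape(plisttool.ENTITLEMENTS_VALUE_MISMATCH % (
+_testing_target, 'com.apple.developer.networking.wifi-info',
+'False', 'True'))):
+plist = {'com.apple.developer.networking.wifi-info': False}
+self._assert_plisttool_result({
+'plists': [plist],
+'entitlements_options': {
+'profile_metadata_file': {
+'Entitlements': {
+'com.apple.developer.networking.wifi-info': True,
+},
+'Version': 1,
+},
+},
+}, plist)
+
 def test_entitlements_wifi_info_active_mismatch(self):
 with self.assertRaisesRegex(
 plisttool.PlistToolError,
@@ -2015,6 +2117,9 @@ def test_entitlements_wifi_info_active_mismatch(self):
 self._assert_plisttool_result({
 'plists': [plist],
 'entitlements_options': {
+'extra_keys_to_match_profile': [
+'com.apple.developer.networking.wifi-info',
+],
 'profile_metadata_file': {
 'Entitlements': {
 'com.apple.developer.networking.wifi-info': True,
@@ -2024,6 +2129,26 @@ def test_entitlements_wifi_info_active_mismatch(self):
 },
 }, plist)
 
+def test_entitlements_profile_missing_wifi_info_active_default_validation(self):
+with self.assertRaisesRegex(
+plisttool.PlistToolError,
+re.escape(
+plisttool.ENTITLEMENTS_MISSING %
+(_testing_target, 'com.apple.developer.networking.wifi-info'))):
+plist = {'com.apple.developer.networking.wifi-info': True}
+self._assert_plisttool_result({
+'plists': [plist],
+'entitlements_options': {
+'profile_metadata_file': {
+'Entitlements': {
+'application-identifier': 'QWERTY.*',
+# No wifi-info
+},
+'Version': 1,
+},
+},
+}, plist)
+
 def test_entitlements_profile_missing_wifi_info_active(self):
 with self.assertRaisesRegex(
 plisttool.PlistToolError,
@@ -2034,6 +2159,9 @@ def test_entitlements_profile_missing_wifi_info_active(self):
 self._assert_plisttool_result({
 'plists': [plist],
 'entitlements_options': {
+'extra_keys_to_match_profile': [
+'com.apple.developer.networking.wifi-info',
+],
 'profile_metadata_file': {
 'Entitlements': {
 'application-identifier': 'QWERTY.*',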
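Review bot: None of the added tests pins what happens to a built-in key once `extra_keys_to_match_profile` is set, because every test that passes the option lists exactly the key it then checks. Since the tool substitutes the supplied list for the built-in one, add a case that passes `'extra_keys_to_match_profile': ['com.apple.developer.networking.wifi-info']` together with a mismatching `aps-environment` and asserts whichever outcome is intended, so a later change cannot silently widen or narrow the validation. A second case with `'extra_keys_to_match_profile': []` would pin the fallback to the built-in list that `if not extra_keys_to_match:` implements. The last hunk ends inside `test_entitlements_profile_missing_wifi_info_active`, whose body continues outside the hunk.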
