Remove ctx.fragments.objc.uses_device_debug_entitlements and clean up the docs a bit to clarify the exact scope of what the relevant helper in entitlements_support.bzl does.

Cherry-pick: 7866ee3

Author: nglevin

apple/internal/entitlements_support.bzl

@@ -81,19 +81,28 @@ def _new_entitlements_artifact(*, actions, extension, label_name):
         "entitlements/%s%s" % (label_name, extension),
     )
 
-def _include_debug_entitlements(*, platform_prerequisites):
-    """Returns a value indicating whether debug entitlements should be used.
+def _force_debug_entitlements(*, platform_prerequisites):
+    """Returns a value indicating whether the `get-task-allow` debug entitlements should be forced.
 
-    Debug entitlements are used if the --device_debug_entitlements command-line
-    option indicates that they should be included.
+    Debug entitlements are not forced on macOS at this level, regardless of the
+    apple.add_debugger_entitlement define.
 
-    Debug entitlements are also not used on macOS.
+    Debug entitlements are forced if the apple.add_debugger_entitlement define indicates that they
+    should be included, and if it is not present, they are not.
+
+    Note however that if `get-task-allow` is in the provisioning profile, `get-task-allow` will
+    still be included in the evaluated entitlements file for code signing even if this function
+    returns False, on account of plisttool's behavior.
+
+    Therefore, the ONLY practical effect of this function is to allow for debugging simulator
+    targets that don't have provisioning profiles assigned if apple.add_debugger_entitlement is set
+    to True.
 
     Args:
       platform_prerequisites: Struct containing information on the platform being targeted.
 
     Returns:
-      True if the debug entitlements should be included, otherwise False.
+      True if the `get-task-allow` debug entitlements should be forced, otherwise False.
     """
     if platform_prerequisites.platform_type == apple_common.platform_type.macos:
         return False
@@ -104,9 +113,13 @@ def _include_debug_entitlements(*, platform_prerequisites):
     )
     if add_debugger_entitlement != None:
         return add_debugger_entitlement
-    if not platform_prerequisites.objc_fragment.uses_device_debug_entitlements:
-        return False
-    return True
+
+    # TODO: b/473768498 - Consider if this should return True for the simulator with no provisioning
+    # profile case that needs to be handled here, and if we can entirely drop the
+    # apple.add_debugger_entitlement define support above in favor of that simplification. One means
+    # would be to have an explicit "if not device -> return True else False" as the entire
+    # implementation of this function.
+    return False
 
 def _include_app_clip_entitlements(*, product_type):
     """Returns a value indicating whether app clip entitlements should be used.
@@ -268,7 +281,7 @@ def _process_entitlements(
     forced_plists = []
     if signing_info.entitlements:
         plists.append(signing_info.entitlements)
-    if _include_debug_entitlements(platform_prerequisites = platform_prerequisites):
+    if _force_debug_entitlements(platform_prerequisites = platform_prerequisites):
         get_task_allow = {"get-task-allow": True}
         forced_plists.append(struct(**get_task_allow))
     if _include_app_clip_entitlements(product_type = product_type):
@@ -351,7 +364,7 @@ def _process_entitlements(
         )
 
     simulator_entitlements = None
-    if _include_debug_entitlements(platform_prerequisites = platform_prerequisites):
+    if _force_debug_entitlements(platform_prerequisites = platform_prerequisites):
         simulator_entitlements = actions.declare_file(
             "%s_entitlements.simulator.entitlements" % rule_label.name,
         )

test/ios_application_test.sh

@@ -233,7 +233,7 @@ function test_pkginfo_contents() {
 # Helper to test different values if a build adds the debugger entitlement.
 # First arg is "y|n" if provisioning profile should contain debugger entitlement
 # Second arg is "y|n" if debugger entitlement should be contained on signed app
-# Third arg is "y|n" if `_include_debug_entitlements` is `True` (mainly `--define=apple.add_debugger_entitlement=yes`)
+# Third arg is "y|n" if `_force_debug_entitlements` is `True` (mainly `--define=apple.add_debugger_entitlement=yes`)
 # Any other args are passed to `do_build`.
 function verify_debugger_entitlements_with_params() {
   readonly INCLUDE_DEBUGGER=$1; shift

test/starlark_tests/ios_application_tests.bzl

@@ -1280,6 +1280,49 @@ Found "com.bazel.app.example" which does not match previously defined "com.altba
         tags = [name],
     )
 
+    # Tests that get-task-allow is not added to the entitlements if no provisioning profile is
+    # assigned.
+    apple_verification_test(
+        name = "{}_no_get_task_allow_entitlements_by_default_simulator_test".format(name),
+        build_type = "simulator",
+        target_under_test = "//test/starlark_tests/targets_under_test/ios:app_minimal_no_provisioning_profile",
+        verifier_script = "verifier_scripts/entitlements_key_verifier.sh",
+        env = {
+            "CHECK_FOR_ABSENT_ENTITLEMENTS": ["True"],
+            "ENTITLEMENTS_KEY": ["get-task-allow"],
+        },
+        tags = [
+            name,
+        ],
+    )
+
+    # Tests that get-task-allow is added to the entitlements if a provisioning profile is assigned
+    # that declares get-task-allow.
+    apple_verification_test(
+        name = "{}_get_task_allow_entitlements_by_default_with_provisioning_profile_device_test".format(name),
+        build_type = "device",
+        target_under_test = "//test/starlark_tests/targets_under_test/ios:app_minimal",
+        verifier_script = "verifier_scripts/entitlements_key_verifier.sh",
+        env = {
+            "ENTITLEMENTS_KEY": ["get-task-allow"],
+        },
+        tags = [
+            name,
+        ],
+    )
+    apple_verification_test(
+        name = "{}_get_task_allow_entitlements_by_default_with_provisioning_profile_simulator_test".format(name),
+        build_type = "simulator",
+        target_under_test = "//test/starlark_tests/targets_under_test/ios:app_minimal",
+        verifier_script = "verifier_scripts/entitlements_key_verifier.sh",
+        env = {
+            "ENTITLEMENTS_KEY": ["get-task-allow"],
+        },
+        tags = [
+            name,
+        ],
+    )
+
     # Test that an app with a compiled binary resource coming from a resource attribute will fail to
     # build and present a user-actionable error message.
     analysis_failure_message_test(

test/starlark_tests/targets_under_test/ios/BUILD

@@ -140,6 +140,20 @@ ios_application(
     ],
 )
 
+ios_application(
+    name = "app_minimal_no_provisioning_profile",
+    bundle_id = "com.google.example",
+    families = ["iphone"],
+    infoplists = [
+        "//test/starlark_tests/resources:Info.plist",
+    ],
+    minimum_os_version = common.min_os_ios.baseline,
+    tags = common.fixture_tags,
+    deps = [
+        "//test/starlark_tests/resources:objc_main_lib",
+    ],
+)
+
 xcarchive(
     name = "app_minimal.xcarchive",
     bundle = ":app_minimal",