Add facilities to check that cc toolchain features for enhanced security aren't being disabled when they're declared as enabled on the top level rule.

Automated testing is limited to what we're able to catch with Starlark analysis tests, i.e. the cases where we fail through the transition can't be effectively modelled in that type of test without bringing down the entire test suite

Cherry-pick: d594354

Author: nglevin

apple/BUILD

@@ -101,7 +101,6 @@ bzl_library(
         "//apple/internal:platform_support",
         "//apple/internal:providers",
         "@bazel_skylib//lib:dicts",
-        "@bazel_tools//tools/cpp:toolchain_utils.bzl",
         "@build_bazel_apple_support//lib:apple_support",
         "@rules_cc//cc/common",
     ],

apple/internal/BUILD

@@ -70,7 +70,6 @@ bzl_library(
         "@bazel_skylib//lib:partial",
         "@bazel_skylib//lib:paths",
         "@bazel_skylib//lib:sets",
-        "@bazel_tools//tools/cpp:toolchain_utils.bzl",
         "@build_bazel_rules_swift//swift",
     ],
 )
@@ -125,7 +124,6 @@ bzl_library(
         "//apple/internal/aspects:swift_usage_aspect",
         "@bazel_skylib//lib:dicts",
         "@bazel_skylib//lib:paths",
-        "@bazel_tools//tools/cpp:toolchain_utils.bzl",
         "@build_bazel_apple_support//lib:apple_support",
         "@build_bazel_rules_swift//swift",
     ],
@@ -336,7 +334,6 @@ bzl_library(
         "//apple/internal/utils:clang_rt_dylibs",
         "//apple/internal/utils:main_thread_checker_dylibs",
         "@bazel_skylib//lib:collections",
-        "@bazel_tools//tools/cpp:toolchain_utils.bzl",
         "@build_bazel_apple_support//lib:apple_support",
         "@build_bazel_rules_swift//swift",
         "@build_bazel_rules_swift//swift:providers",
@@ -609,7 +606,6 @@ bzl_library(
         "//apple/internal/testing:apple_test_bundle_support",
         "//apple/internal/testing:apple_test_rule_support",
         "@bazel_skylib//lib:dicts",
-        "@bazel_tools//tools/cpp:toolchain_utils.bzl",
         "@build_bazel_apple_support//lib:apple_support",
     ],
 )
@@ -643,6 +639,9 @@ bzl_library(
     visibility = [
         "//apple/internal:__subpackages__",
     ],
+    deps = [
+        "@rules_cc//cc/common",
+    ],
 )
 
 bzl_library(
@@ -735,7 +734,6 @@ bzl_library(
         "//apple/internal/aspects:resource_aspect_hint",
         "//apple/internal/utils:clang_rt_dylibs",
         "//apple/internal/utils:main_thread_checker_dylibs",
-        "@bazel_tools//tools/cpp:toolchain_utils.bzl",
         "@build_bazel_apple_support//lib:apple_support",
         "@build_bazel_rules_swift//swift",
         "@build_bazel_rules_swift//swift:providers",
@@ -776,7 +774,6 @@ bzl_library(
         "//apple/internal/utils:clang_rt_dylibs",
         "//apple/internal/utils:main_thread_checker_dylibs",
         "@bazel_skylib//lib:sets",
-        "@bazel_tools//tools/cpp:toolchain_utils.bzl",
         "@build_bazel_apple_support//lib:apple_support",
     ],
 )
@@ -813,7 +810,6 @@ bzl_library(
         "//apple/internal/utils:clang_rt_dylibs",
         "//apple/internal/utils:main_thread_checker_dylibs",
         "@bazel_skylib//lib:sets",
-        "@bazel_tools//tools/cpp:toolchain_utils.bzl",
         "@build_bazel_apple_support//lib:apple_support",
     ],
 )

apple/internal/entitlements_support.bzl

@@ -200,6 +200,10 @@ def _process_entitlements(
         apple_mac_toolchain_info,
         apple_xplat_toolchain_info,
         bundle_id,
+        cc_configured_features_init,
+        cc_toolchain,
+        disabled_features,
+        enabled_features,
         entitlements_file,
         platform_prerequisites,
         product_type,
@@ -232,6 +236,11 @@ def _process_entitlements(
         apple_xplat_toolchain_info: The `struct` of tools from the shared Apple
             cross platform toolchain.
         bundle_id: The bundle identifier.
+        cc_configured_features_init: The function to initialize the feature configuration for a
+            given cc_toolchain.
+        cc_toolchain: A cc_toolchain as found from the rule context's toolchains.
+        disabled_features: The features requested to be disabled for the target.
+        enabled_features: The features requested for the target.
         entitlements_file: The `File` containing the unprocessed entitlements
             (or `None` if none were provided).
         platform_prerequisites: The platform prerequisites.
@@ -276,7 +285,19 @@ def _process_entitlements(
     if secure_features:
         if not apple_xplat_toolchain_info.build_settings.enable_wip_features:
             fail("secure_features are still a work in progress and not yet supported in the rules.")
+
+        # Calculate the effective set of Crosstool features for this target, as we do want to double
+        # check that the secure features are supported and enabled.
+        feature_configuration = cc_configured_features_init(
+            cc_toolchain = cc_toolchain,
+            requested_features = enabled_features,
+            unsupported_features = disabled_features,
+        )
+
+        # Retrieve the entitlements required by the requested secure features, if there are any.
         secure_features_entitlements = secure_features_support.entitlements_from_secure_features(
+            feature_configuration = feature_configuration,
+            rule_label = rule_label,
             secure_features = secure_features,
             xcode_version = platform_prerequisites.xcode_version_config.xcode_version(),
         )

apple/internal/features_support.bzl

@@ -15,6 +15,7 @@
 """Support macros to assist in detecting build features."""
 
 load("@bazel_skylib//lib:new_sets.bzl", "sets")
+load("@rules_cc//cc/common:cc_common.bzl", "cc_common")
 
 def _compute_enabled_features(*, requested_features, unsupported_features):
     """Returns a list of features for the given build.
@@ -33,6 +34,21 @@ def _compute_enabled_features(*, requested_features, unsupported_features):
     )
     return sets.to_list(enabled_features_set)
 
+def _make_cc_configured_features_init(ctx):
+    """Captures the rule ctx for a deferred `cc_common.configure_features(...)` call.
+
+    Args:
+      ctx: The rule context, expected to be captured directly in the rule context and NOT within a
+        partial or helper method.
+
+    Returns:
+      A lambda that has the captured instance of the rule context, which will always set that rule
+        context as the `ctx` argument of `cc_common.configure_features(...)` and will forward any
+        arguments it is given to `cc_common.configure_features(...)`.
+    """
+    return lambda *args, **kwargs: cc_common.configure_features(ctx = ctx, *args, **kwargs)
+
 features_support = struct(
     compute_enabled_features = _compute_enabled_features,
+    make_cc_configured_features_init = _make_cc_configured_features_init,
 )

apple/internal/ios_rules.bzl

@@ -180,6 +180,7 @@ def _ios_application_impl(ctx):
         shared_capabilities = ctx.attr.shared_capabilities,
     )
     bundle_verification_targets = [struct(target = ext) for ext in ctx.attr.extensions]
+    cc_toolchain = find_cpp_toolchain(ctx)
     cc_toolchain_forwarder = ctx.split_attr._cc_toolchain_forwarder
     embeddable_targets = (
         ctx.attr.frameworks +
@@ -234,6 +235,10 @@ def _ios_application_impl(ctx):
         apple_mac_toolchain_info = apple_mac_toolchain_info,
         apple_xplat_toolchain_info = apple_xplat_toolchain_info,
         bundle_id = bundle_id,
+        cc_configured_features_init = features_support.make_cc_configured_features_init(ctx),
+        cc_toolchain = cc_toolchain,
+        disabled_features = ctx.disabled_features,
+        enabled_features = ctx.features,
         entitlements_file = ctx.file.entitlements,
         platform_prerequisites = platform_prerequisites,
         product_type = rule_descriptor.product_type,
@@ -578,6 +583,7 @@ def _ios_app_clip_impl(ctx):
         suffix_default = ctx.attr._bundle_id_suffix_default,
         shared_capabilities = ctx.attr.shared_capabilities,
     )
+    cc_toolchain = find_cpp_toolchain(ctx)
     cc_toolchain_forwarder = ctx.split_attr._cc_toolchain_forwarder
     bundle_verification_targets = [struct(target = ext) for ext in ctx.attr.extensions]
     embeddable_targets = (
@@ -628,6 +634,10 @@ def _ios_app_clip_impl(ctx):
         apple_mac_toolchain_info = apple_mac_toolchain_info,
         apple_xplat_toolchain_info = apple_xplat_toolchain_info,
         bundle_id = bundle_id,
+        cc_configured_features_init = features_support.make_cc_configured_features_init(ctx),
+        cc_toolchain = cc_toolchain,
+        disabled_features = ctx.disabled_features,
+        enabled_features = ctx.features,
         entitlements_file = ctx.file.entitlements,
         platform_prerequisites = platform_prerequisites,
         product_type = rule_descriptor.product_type,
@@ -1158,6 +1168,7 @@ def _ios_extension_impl(ctx):
         suffix_default = ctx.attr._bundle_id_suffix_default,
         shared_capabilities = ctx.attr.shared_capabilities,
     )
+    cc_toolchain = find_cpp_toolchain(ctx)
     cc_toolchain_forwarder = ctx.split_attr._cc_toolchain_forwarder
     features = features_support.compute_enabled_features(
         requested_features = ctx.features,
@@ -1203,6 +1214,10 @@ def _ios_extension_impl(ctx):
         apple_mac_toolchain_info = apple_mac_toolchain_info,
         apple_xplat_toolchain_info = apple_xplat_toolchain_info,
         bundle_id = bundle_id,
+        cc_configured_features_init = features_support.make_cc_configured_features_init(ctx),
+        cc_toolchain = cc_toolchain,
+        disabled_features = ctx.disabled_features,
+        enabled_features = ctx.features,
         entitlements_file = ctx.file.entitlements,
         platform_prerequisites = platform_prerequisites,
         product_type = rule_descriptor.product_type,
@@ -1907,6 +1922,7 @@ def _ios_imessage_application_impl(ctx):
         unsupported_features = ctx.disabled_features,
     )
     bundle_verification_targets = [struct(target = ctx.attr.extension)]
+    cc_toolchain = find_cpp_toolchain(ctx)
     embeddable_targets = [ctx.attr.extension]
     label = ctx.label
     platform_prerequisites = platform_support.platform_prerequisites(
@@ -1946,6 +1962,10 @@ def _ios_imessage_application_impl(ctx):
         apple_mac_toolchain_info = apple_mac_toolchain_info,
         apple_xplat_toolchain_info = apple_xplat_toolchain_info,
         bundle_id = bundle_id,
+        cc_configured_features_init = features_support.make_cc_configured_features_init(ctx),
+        cc_toolchain = cc_toolchain,
+        disabled_features = ctx.disabled_features,
+        enabled_features = ctx.features,
         entitlements_file = ctx.file.entitlements,
         platform_prerequisites = platform_prerequisites,
         product_type = rule_descriptor.product_type,
@@ -2113,6 +2133,7 @@ def _ios_imessage_extension_impl(ctx):
         shared_capabilities = ctx.attr.shared_capabilities,
     )
     executable_name = ctx.attr.executable_name
+    cc_toolchain = find_cpp_toolchain(ctx)
     cc_toolchain_forwarder = ctx.split_attr._cc_toolchain_forwarder
     features = features_support.compute_enabled_features(
         requested_features = ctx.features,
@@ -2156,6 +2177,10 @@ def _ios_imessage_extension_impl(ctx):
         apple_mac_toolchain_info = apple_mac_toolchain_info,
         apple_xplat_toolchain_info = apple_xplat_toolchain_info,
         bundle_id = bundle_id,
+        cc_configured_features_init = features_support.make_cc_configured_features_init(ctx),
+        cc_toolchain = cc_toolchain,
+        disabled_features = ctx.disabled_features,
+        enabled_features = ctx.features,
         entitlements_file = ctx.file.entitlements,
         platform_prerequisites = platform_prerequisites,
         product_type = rule_descriptor.product_type,
@@ -2387,6 +2412,7 @@ def _ios_sticker_pack_extension_impl(ctx):
         suffix_default = ctx.attr._bundle_id_suffix_default,
         shared_capabilities = ctx.attr.shared_capabilities,
     )
+    cc_toolchain = find_cpp_toolchain(ctx)
     executable_name = ctx.attr.executable_name
     features = features_support.compute_enabled_features(
         requested_features = ctx.features,
@@ -2430,6 +2456,10 @@ def _ios_sticker_pack_extension_impl(ctx):
         apple_mac_toolchain_info = apple_mac_toolchain_info,
         apple_xplat_toolchain_info = apple_xplat_toolchain_info,
         bundle_id = bundle_id,
+        cc_configured_features_init = features_support.make_cc_configured_features_init(ctx),
+        cc_toolchain = cc_toolchain,
+        disabled_features = ctx.disabled_features,
+        enabled_features = ctx.features,
         entitlements_file = ctx.file.entitlements,
         platform_prerequisites = platform_prerequisites,
         product_type = rule_descriptor.product_type,

apple/internal/macos_rules.bzl

@@ -188,6 +188,7 @@ def _macos_application_impl(ctx):
         shared_capabilities = ctx.attr.shared_capabilities,
     )
     bundle_verification_targets = [struct(target = ext) for ext in verification_targets]
+    cc_toolchain = find_cpp_toolchain(ctx)
     cc_toolchain_forwarder = ctx.split_attr._cc_toolchain_forwarder
     executable_name = ctx.attr.executable_name
     features = features_support.compute_enabled_features(
@@ -232,6 +233,10 @@ def _macos_application_impl(ctx):
         apple_mac_toolchain_info = apple_mac_toolchain_info,
         apple_xplat_toolchain_info = apple_xplat_toolchain_info,
         bundle_id = bundle_id,
+        cc_configured_features_init = features_support.make_cc_configured_features_init(ctx),
+        cc_toolchain = cc_toolchain,
+        disabled_features = ctx.disabled_features,
+        enabled_features = ctx.features,
         entitlements_file = ctx.file.entitlements,
         platform_prerequisites = platform_prerequisites,
         product_type = rule_descriptor.product_type,
@@ -503,6 +508,7 @@ def _macos_bundle_impl(ctx):
         suffix_default = ctx.attr._bundle_id_suffix_default,
         shared_capabilities = ctx.attr.shared_capabilities,
     )
+    cc_toolchain = find_cpp_toolchain(ctx)
     cc_toolchain_forwarder = ctx.split_attr._cc_toolchain_forwarder
     executable_name = ctx.attr.executable_name
     features = features_support.compute_enabled_features(
@@ -547,6 +553,10 @@ def _macos_bundle_impl(ctx):
         apple_mac_toolchain_info = apple_mac_toolchain_info,
         apple_xplat_toolchain_info = apple_xplat_toolchain_info,
         bundle_id = bundle_id,
+        cc_configured_features_init = features_support.make_cc_configured_features_init(ctx),
+        cc_toolchain = cc_toolchain,
+        disabled_features = ctx.disabled_features,
+        enabled_features = ctx.features,
         entitlements_file = ctx.file.entitlements,
         platform_prerequisites = platform_prerequisites,
         product_type = rule_descriptor.product_type,
@@ -753,6 +763,7 @@ def _macos_extension_impl(ctx):
         suffix_default = ctx.attr._bundle_id_suffix_default,
         shared_capabilities = ctx.attr.shared_capabilities,
     )
+    cc_toolchain = find_cpp_toolchain(ctx)
     cc_toolchain_forwarder = ctx.split_attr._cc_toolchain_forwarder
     executable_name = ctx.attr.executable_name
     features = features_support.compute_enabled_features(
@@ -797,6 +808,10 @@ def _macos_extension_impl(ctx):
         apple_mac_toolchain_info = apple_mac_toolchain_info,
         apple_xplat_toolchain_info = apple_xplat_toolchain_info,
         bundle_id = bundle_id,
+        cc_configured_features_init = features_support.make_cc_configured_features_init(ctx),
+        cc_toolchain = cc_toolchain,
+        disabled_features = ctx.disabled_features,
+        enabled_features = ctx.features,
         entitlements_file = ctx.file.entitlements,
         platform_prerequisites = platform_prerequisites,
         product_type = rule_descriptor.product_type,
@@ -1038,6 +1053,7 @@ def _macos_quick_look_plugin_impl(ctx):
         suffix_default = ctx.attr._bundle_id_suffix_default,
         shared_capabilities = ctx.attr.shared_capabilities,
     )
+    cc_toolchain = find_cpp_toolchain(ctx)
     cc_toolchain_forwarder = ctx.split_attr._cc_toolchain_forwarder
     executable_name = ctx.attr.executable_name
     features = features_support.compute_enabled_features(
@@ -1081,6 +1097,10 @@ def _macos_quick_look_plugin_impl(ctx):
         apple_mac_toolchain_info = apple_mac_toolchain_info,
         apple_xplat_toolchain_info = apple_xplat_toolchain_info,
         bundle_id = bundle_id,
+        cc_configured_features_init = features_support.make_cc_configured_features_init(ctx),
+        cc_toolchain = cc_toolchain,
+        disabled_features = ctx.disabled_features,
+        enabled_features = ctx.features,
         entitlements_file = ctx.file.entitlements,
         platform_prerequisites = platform_prerequisites,
         product_type = rule_descriptor.product_type,
@@ -1290,6 +1310,7 @@ def _macos_kernel_extension_impl(ctx):
         suffix_default = ctx.attr._bundle_id_suffix_default,
         shared_capabilities = ctx.attr.shared_capabilities,
     )
+    cc_toolchain = find_cpp_toolchain(ctx)
     cc_toolchain_forwarder = ctx.split_attr._cc_toolchain_forwarder
     executable_name = ctx.attr.executable_name
     features = features_support.compute_enabled_features(
@@ -1330,6 +1351,10 @@ def _macos_kernel_extension_impl(ctx):
         apple_mac_toolchain_info = apple_mac_toolchain_info,
         apple_xplat_toolchain_info = apple_xplat_toolchain_info,
         bundle_id = bundle_id,
+        cc_configured_features_init = features_support.make_cc_configured_features_init(ctx),
+        cc_toolchain = cc_toolchain,
+        disabled_features = ctx.disabled_features,
+        enabled_features = ctx.features,
         entitlements_file = ctx.file.entitlements,
         platform_prerequisites = platform_prerequisites,
         product_type = rule_descriptor.product_type,
@@ -1548,6 +1573,7 @@ def _macos_spotlight_importer_impl(ctx):
         suffix_default = ctx.attr._bundle_id_suffix_default,
         shared_capabilities = ctx.attr.shared_capabilities,
     )
+    cc_toolchain = find_cpp_toolchain(ctx)
     cc_toolchain_forwarder = ctx.split_attr._cc_toolchain_forwarder
     executable_name = ctx.attr.executable_name
     features = features_support.compute_enabled_features(
@@ -1583,6 +1609,10 @@ def _macos_spotlight_importer_impl(ctx):
         apple_mac_toolchain_info = apple_mac_toolchain_info,
         apple_xplat_toolchain_info = apple_xplat_toolchain_info,
         bundle_id = bundle_id,
+        cc_configured_features_init = features_support.make_cc_configured_features_init(ctx),
+        cc_toolchain = cc_toolchain,
+        disabled_features = ctx.disabled_features,
+        enabled_features = ctx.features,
         entitlements_file = ctx.file.entitlements,
         platform_prerequisites = platform_prerequisites,
         product_type = rule_descriptor.product_type,
@@ -1791,6 +1821,7 @@ def _macos_xpc_service_impl(ctx):
         suffix_default = ctx.attr._bundle_id_suffix_default,
         shared_capabilities = ctx.attr.shared_capabilities,
     )
+    cc_toolchain = find_cpp_toolchain(ctx)
     cc_toolchain_forwarder = ctx.split_attr._cc_toolchain_forwarder
     executable_name = ctx.attr.executable_name
     features = features_support.compute_enabled_features(
@@ -1826,6 +1857,10 @@ def _macos_xpc_service_impl(ctx):
         apple_mac_toolchain_info = apple_mac_toolchain_info,
         apple_xplat_toolchain_info = apple_xplat_toolchain_info,
         bundle_id = bundle_id,
+        cc_configured_features_init = features_support.make_cc_configured_features_init(ctx),
+        cc_toolchain = cc_toolchain,
+        disabled_features = ctx.disabled_features,
+        enabled_features = ctx.features,
         entitlements_file = ctx.file.entitlements,
         platform_prerequisites = platform_prerequisites,
         product_type = rule_descriptor.product_type,