Call out a few more bits that can be set at analysis time without additional accomodations, and allow for resetting the list of extra_keys_to_match_profile with an empty list.

Cherry-pick: 9899cc4

Author: nglevin

tools/plisttool/plisttool.py

@@ -327,6 +327,7 @@
     # Keys which have a list of potential values in the profile, but only one in
     # the entitlements that must be in the profile's list of values
     'com.apple.developer.devicecheck.appattest-environment',
+    'com.apple.developer.nfc.readersession.formats',
 ]
 
 ENTITLEMENTS_BETA_REPORTS_ACTIVE_MISMATCH = (
@@ -1206,11 +1207,12 @@ def validate_plist(self, plist):
       self._sanity_check_profile()
 
       if self._validation_mode != 'skip':
+        # TODO: b/474331541 - Remove the fallback once its values are always set
+        # at analysis time in entitlements_support.bzl.
         extra_keys_to_match = self.options.get(
             'extra_keys_to_match_profile',
+            _ENTITLEMENTS_TO_VALIDATE_WITH_PROFILE,
         )
-        if not extra_keys_to_match:
-          extra_keys_to_match = _ENTITLEMENTS_TO_VALIDATE_WITH_PROFILE
         self._validate_entitlements_against_profile(
             plist,
             extra_keys_to_match,
@@ -1272,14 +1274,9 @@ def _validate_entitlements_against_profile(
 
     Args:
       entitlements: The entitlements.
-<<<<<<< HEAD
-||||||| parent of e9f9f61b (Add an analysis time configurable option to customize the keys we compare values between entitlements xml and the assigned provisioning profile.)
-
-=======
       extra_keys_to_match: A list of additional entitlements keys to validate
-          that their values match those of the provisioning profile exactly.
-
->>>>>>> e9f9f61b (Add an analysis time configurable option to customize the keys we compare values between entitlements xml and the assigned provisioning profile.)
+          that their values match those of the provisioning profile exactly if
+          the value is not a list, and a subset if the value is a list.
     Raises:
       PlistToolError: For any issues found.
     """
@@ -1333,6 +1330,11 @@ def _validate_entitlements_against_profile(
         'keychain-access-groups', self.target,
         supports_wildcards=True)
 
+    # TODO: b/474331541 - Remove this specific check once extra_keys_to_match is
+    # configured exclusively at analysis time, allowing us to add the
+    # com.apple.security.application-groups entitlement check for all Apple
+    # platforms except macOS.
+    #
     # com.apple.security.application-groups
     # (This check does not apply to macOS-only provisioning profiles.)
     if self._profile_metadata.get('Platform', []) != ['OSX']:
@@ -1347,13 +1349,6 @@ def _validate_entitlements_against_profile(
         supports_wildcards=True,
         allow_wildcards_in_entitlements=True)
 
-    # com.apple.developer.nfc.readersession.formats
-    self._check_entitlements_array(
-        entitlements,
-        profile_entitlements,
-        'com.apple.developer.nfc.readersession.formats',
-        self.target)
-
   def _check_entitlement_matches_profile_value(
       self,
       entitlement,

tools/plisttool/plisttool_unittest.py

@@ -2129,6 +2129,22 @@ def test_entitlements_wifi_info_active_mismatch(self):
           },
       }, plist)
 
+  def test_entitlements_wifi_info_active_mismatch_with_no_extra_keys_to_match(self):
+    # This is really looking for the lack of an error being raised.
+    plist = {'com.apple.developer.networking.wifi-info': False}
+    self._assert_plisttool_result({
+        'plists': [plist],
+        'entitlements_options': {
+            'extra_keys_to_match_profile': [],
+            'profile_metadata_file': {
+                'Entitlements': {
+                    'com.apple.developer.networking.wifi-info': True,
+                },
+                'Version': 1,
+            },
+        },
+    }, plist)
+
   def test_entitlements_profile_missing_wifi_info_active_default_validation(self):
     with self.assertRaisesRegex(
         plisttool.PlistToolError,