Add an "expected_secure_features" attribute for import (xc)framework rules to declare the secure features that these precompiled artifacts were built with.

Cherry-pick: 07eaefb

Author: nglevin

apple/internal/BUILD

@@ -63,6 +63,7 @@ bzl_library(
         ":framework_import_support",
         ":resources",
         ":rule_attrs",
+        ":secure_features_support",
         "//apple:providers",
         "//apple:utils",
         "//apple/internal/aspects:swift_usage_aspect",
@@ -120,6 +121,7 @@ bzl_library(
         ":framework_import_support",
         ":intermediates",
         ":rule_attrs",
+        ":secure_features_support",
         "//apple:providers",
         "//apple/internal/aspects:swift_usage_aspect",
         "@bazel_skylib//lib:dicts",

apple/internal/apple_framework_import.bzl

@@ -65,6 +65,10 @@ load(
     "//apple/internal:rule_attrs.bzl",
     "rule_attrs",
 )
+load(
+    "//apple/internal:secure_features_support.bzl",
+    "secure_features_support",
+)
 load(
     "//apple/internal/aspects:swift_usage_aspect.bzl",
     "SwiftUsageInfo",
@@ -163,6 +167,13 @@ def _apple_dynamic_framework_import_impl(ctx):
     framework_imports = ctx.files.framework_imports
     label = ctx.label
 
+    secure_features_support.validate_expected_secure_features(
+        disabled_features = disabled_features,
+        expected_secure_features = ctx.attr.expected_secure_features,
+        features = features,
+        rule_label = label,
+    )
+
     # TODO(b/258492867): Add tree artifacts support when Bazel can handle remote actions with
     # symlinks. See https://github.com/bazelbuild/bazel/issues/16361.
     target_triplet = cc_toolchain_info_support.get_apple_clang_triplet(cc_toolchain)
@@ -280,6 +291,13 @@ def _apple_static_framework_import_impl(ctx):
     sdk_frameworks = ctx.attr.sdk_frameworks
     weak_sdk_frameworks = ctx.attr.weak_sdk_frameworks
 
+    secure_features_support.validate_expected_secure_features(
+        disabled_features = disabled_features,
+        expected_secure_features = ctx.attr.expected_secure_features,
+        features = features,
+        rule_label = label,
+    )
+
     providers = [
         DefaultInfo(runfiles = ctx.runfiles(files = ctx.files.data)),
     ]
@@ -413,9 +431,16 @@ apple_dynamic_framework_import = rule(
     attrs = dicts.add(
         rule_attrs.common_tool_attrs(),
         {
-            # TODO: b/449684779 - Add an "expected_secure_features" attribute to declare what
-            # features are expected to be present in the precompiled framework, so the rules can
-            # validate against that and set required entitlements if necessary.
+            "expected_secure_features": attr.string_list(
+                doc = """
+    A list of strings representing the secure features that are expected to be present in the
+    precompiled framework. This is used to validate that the framework was built with Enhanced Security
+    features matching those of its consumers on Apple platforms, through a "scout's honor" system.
+
+    This does not actually set the features on the precompiled artifacts, this merely acts as a
+    "checklist" for the consuming targets to verify what they are expecting to be present.
+    """,
+            ),
             "framework_imports": attr.label_list(
                 allow_empty = False,
                 allow_files = True,
@@ -485,9 +510,16 @@ apple_static_framework_import = rule(
     attrs = dicts.add(
         rule_attrs.common_tool_attrs(),
         {
-            # TODO: b/449684779 - Add an "expected_secure_features" attribute to declare what
-            # features are expected to be present in the precompiled framework, so the rules can
-            # validate against that and set required entitlements if necessary.
+            "expected_secure_features": attr.string_list(
+                doc = """
+A list of strings representing the secure features that are expected to be present in the
+precompiled framework. This is used to validate that the framework was built with Enhanced Security
+features matching those of its consumers on Apple platforms, through a "scout's honor" system.
+
+This does not actually set the features on the precompiled artifacts, this merely acts as a
+"checklist" for the consuming targets to verify what they are expecting to be present.
+""",
+            ),
             "framework_imports": attr.label_list(
                 allow_empty = False,
                 allow_files = True,

apple/internal/apple_xcframework_import.bzl

@@ -49,6 +49,10 @@ load(
     "new_appledynamicframeworkinfo",
 )
 load("//apple/internal:rule_attrs.bzl", "rule_attrs")
+load(
+    "//apple/internal:secure_features_support.bzl",
+    "secure_features_support",
+)
 load(
     "//apple/internal/aspects:swift_usage_aspect.bzl",
     "SwiftUsageInfo",
@@ -490,6 +494,13 @@ def _apple_dynamic_xcframework_import_impl(ctx):
     xcframework_imports = ctx.files.xcframework_imports
     xcode_config = ctx.attr._xcode_config[apple_common.XcodeVersionConfig]
 
+    secure_features_support.validate_expected_secure_features(
+        disabled_features = disabled_features,
+        expected_secure_features = ctx.attr.expected_secure_features,
+        features = features,
+        rule_label = label,
+    )
+
     # TODO(b/258492867): Add tree artifacts support when Bazel can handle remote actions with
     # symlinks. See https://github.com/bazelbuild/bazel/issues/16361.
     target_triplet = cc_toolchain_info_support.get_apple_clang_triplet(cc_toolchain)
@@ -604,6 +615,13 @@ def _apple_static_xcframework_import_impl(ctx):
     xcframework_imports = ctx.files.xcframework_imports
     xcode_config = ctx.attr._xcode_config[apple_common.XcodeVersionConfig]
 
+    secure_features_support.validate_expected_secure_features(
+        disabled_features = disabled_features,
+        expected_secure_features = ctx.attr.expected_secure_features,
+        features = features,
+        rule_label = label,
+    )
+
     xcframework = _classify_xcframework_imports(ctx.var, xcframework_imports)
     target_triplet = cc_toolchain_info_support.get_apple_clang_triplet(cc_toolchain)
 
@@ -753,9 +771,6 @@ objc_library(
     attrs = dicts.add(
         rule_attrs.common_tool_attrs(),
         {
-            # TODO: b/449684779 - Add an "expected_secure_features" attribute to declare what
-            # features are expected to be present in the precompiled framework, so the rules can
-            # validate against that and set required entitlements if necessary.
             "xcframework_imports": attr.label_list(
                 allow_empty = False,
                 allow_files = True,
@@ -776,6 +791,17 @@ linked into that target.
                 ],
                 aspects = [swift_clang_module_aspect],
             ),
+            "expected_secure_features": attr.string_list(
+                doc = """
+A list of strings representing the secure features that are expected to be present in the
+precompiled XCFramework. This is used to validate that the XCFramework was built with Enhanced
+Security features matching those of its consumers on Apple platforms, through a "scout's honor"
+system.
+
+This does not actually set the features on the precompiled artifacts, this merely acts as a
+"checklist" for the consuming targets to verify what they are expecting to be present.
+""",
+            ),
             "bundle_only": attr.bool(
                 default = False,
                 doc = """
@@ -829,9 +855,6 @@ objc_library(
     attrs = dicts.add(
         rule_attrs.common_tool_attrs(),
         {
-            # TODO: b/449684779 - Add an "expected_secure_features" attribute to declare what
-            # features are expected to be present in the precompiled framework, so the rules can
-            # validate against that and set required entitlements if necessary.
             "alwayslink": attr.bool(
                 default = False,
                 doc = """
@@ -861,6 +884,17 @@ List of files needed by this target at runtime.
 Files and targets named in the `data` attribute will appear in the `*.runfiles`
 area of this target, if it has one. This may include data files needed by a
 binary or library, or other programs needed by it.
+""",
+            ),
+            "expected_secure_features": attr.string_list(
+                doc = """
+A list of strings representing the secure features that are expected to be present in the
+precompiled XCFramework. This is used to validate that the XCFramework was built with Enhanced
+Security features matching those of its consumers on Apple platforms, through a "scout's honor"
+system.
+
+This does not actually set the features on the precompiled artifacts, this merely acts as a
+"checklist" for the consuming targets to verify what they are expecting to be present.
 """,
             ),
             "has_swift": attr.bool(

apple/internal/secure_features_support.bzl

@@ -202,6 +202,39 @@ def _environment_archs_from_secure_features(
         return other_archs
     return arm64e_archs + other_archs
 
+def _validate_expected_secure_features(
+        *,
+        disabled_features,
+        expected_secure_features,
+        features,
+        rule_label):
+    # Ignoring cc_common verification against the cc_toolchain this time as this method is expected
+    # to be used exclusively by library-level dependencies of an Apple rule; ctx.features and
+    # ctx.disabled_features are the best proxies at this point.
+    requested_features = set(features) - set(disabled_features)
+    requested_secure_features = requested_features & _SUPPORTED_SECURE_FEATURES
+    if not requested_secure_features:
+        return
+
+    missing_expected_secure_features = requested_secure_features - set(expected_secure_features)
+
+    if missing_expected_secure_features:
+        fail(
+            """
+The precompiled artifact at `{rule_label}` was expected to be compatible with the following secure \
+features requested from the build, but they were not indicated as supported by the target's \
+`expected_secure_features` attribute:
+- {missing_secure_features}
+
+Please contact the owner of this target to supply a precompiled artifact (likely a framework or \
+XCFramework) that is built with the required Enhanced Security features enabled, and update the \
+"expected_secure_features" attribute to match.
+""".format(
+                rule_label = str(rule_label),
+                missing_secure_features = "\n- ".join(list(missing_expected_secure_features)),
+            ),
+        )
+
 def _validate_secure_features_support(
         *,
         cc_configured_features_init,
@@ -263,5 +296,6 @@ secure_features_support = struct(
     entitlements_from_secure_features = _entitlements_from_secure_features,
     environment_arch_specific_features = _environment_arch_specific_features,
     environment_archs_from_secure_features = _environment_archs_from_secure_features,
+    validate_expected_secure_features = _validate_expected_secure_features,
     validate_secure_features_support = _validate_secure_features_support,
 )

test/starlark_tests/apple_dynamic_xcframework_import_tests.bzl

@@ -485,6 +485,26 @@ def apple_dynamic_xcframework_import_test_suite(name):
         tags = [name],
     )
 
+    analysis_failure_message_test(
+        name = "{}_secure_features_app_fails_importing_xcframework_with_no_expected_secure_features_test".format(name),
+        target_under_test = "//test/starlark_tests/targets_under_test/ios:secure_features_app_with_imported_dynamic_xcframework_and_no_expected_secure_features",
+        expected_error = """The precompiled artifact at `//test/starlark_tests/targets_under_test/ios:ios_imported_dynamic_xcframework_with_missing_pointer_authentication_secure_features` was expected to be compatible with the following secure features requested from the build, but they were not indicated as supported by the target's `expected_secure_features` attribute:
+- apple.xcode_26_minimum_opt_in
+
+Please contact the owner of this target to supply a precompiled artifact (likely a framework or XCFramework) that is built with the required Enhanced Security features enabled, and update the "expected_secure_features" attribute to match.""",
+        tags = [name],
+    )
+
+    analysis_failure_message_test(
+        name = "{}_secure_features_app_fails_importing_xcframework_with_mismatched_secure_features_test".format(name),
+        target_under_test = "//test/starlark_tests/targets_under_test/ios:secure_features_app_with_imported_dynamic_xcframework_and_mismatched_secure_features",
+        expected_error = """The precompiled artifact at `//test/starlark_tests/targets_under_test/ios:ios_imported_dynamic_xcframework` was expected to be compatible with the following secure features requested from the build, but they were not indicated as supported by the target's `expected_secure_features` attribute:
+- trivial_auto_var_init
+
+Please contact the owner of this target to supply a precompiled artifact (likely a framework or XCFramework) that is built with the required Enhanced Security features enabled, and update the "expected_secure_features" attribute to match.""",
+        tags = [name],
+    )
+
     native.test_suite(
         name = name,
         tags = [name],

test/starlark_tests/apple_static_xcframework_import_tests.bzl

@@ -18,6 +18,10 @@ load(
     "//apple/build_settings:build_settings.bzl",
     "build_settings_labels",
 )
+load(
+    "//test/starlark_tests/rules:analysis_failure_message_test.bzl",
+    "analysis_failure_message_test",
+)
 load(
     "//test/starlark_tests/rules:analysis_target_actions_test.bzl",
     "analysis_contains_xcframework_processor_action_test",
@@ -278,6 +282,27 @@ def apple_static_xcframework_import_test_suite(name):
         tags = [name],
     )
 
+    analysis_failure_message_test(
+        name = "{}_secure_features_app_fails_importing_xcframework_with_no_expected_secure_features_test".format(name),
+        target_under_test = "//test/starlark_tests/targets_under_test/ios:secure_features_app_with_imported_static_xcframework_and_no_expected_secure_features",
+        expected_error = """The precompiled artifact at `//test/starlark_tests/targets_under_test/ios:ios_imported_static_xcframework_with_missing_pointer_authentication_secure_features` was expected to be compatible with the following secure features requested from the build, but they were not indicated as supported by the target's `expected_secure_features` attribute:
+- apple.xcode_26_minimum_opt_in
+
+Please contact the owner of this target to supply a precompiled artifact (likely a framework or XCFramework) that is built with the required Enhanced Security features enabled, and update the "expected_secure_features" attribute to match.""",
+        tags = [name],
+    )
+
+    analysis_failure_message_test(
+        name = "{}_secure_features_app_fails_importing_xcframework_with_mismatched_secure_features_test".format(name),
+        target_under_test = "//test/starlark_tests/targets_under_test/ios:secure_features_app_with_imported_static_xcframework_and_mismatched_secure_features",
+        expected_error = """The precompiled artifact at `//test/starlark_tests/targets_under_test/ios:ios_imported_static_xcframework` was expected to be compatible with the following secure features requested from the build, but they were not indicated as supported by the target's `expected_secure_features` attribute:
+- trivial_auto_var_init
+
+Please contact the owner of this target to supply a precompiled artifact (likely a framework or XCFramework) that is built with the required Enhanced Security features enabled, and update the "expected_secure_features" attribute to match.
+""",
+        tags = [name],
+    )
+
     native.test_suite(
         name = name,
         tags = [name],