Implement comments from review (#8378)

Add get-task-allow entitlement on platforms other than macos
Add application-identifier entitlements when provisioning
Don't run getTaskAllowEntitlement(data:) test with xcode build system

Author: svmkr-dev

Sources/SwiftBuildSupport/SwiftBuildSystem.swift

@@ -112,30 +112,35 @@ func withSession(
 }
 
 private final class PlanningOperationDelegate: SWBPlanningOperationDelegate, Sendable {
-    private let shouldEnableMacOsDebuggingEntitlement: Bool
+    private let shouldEnableDebuggingEntitlement: Bool
 
-    init(shouldEnableMacOsDebuggingEntitlement: Bool) {
-        self.shouldEnableMacOsDebuggingEntitlement = shouldEnableMacOsDebuggingEntitlement
+    init(shouldEnableDebuggingEntitlement: Bool) {
+        self.shouldEnableDebuggingEntitlement = shouldEnableDebuggingEntitlement
     }
 
     public func provisioningTaskInputs(
         targetGUID: String,
         provisioningSourceData: SWBProvisioningTaskInputsSourceData
     ) async -> SWBProvisioningTaskInputs {
-        // if we need to add debug entitlement we have to do codesigning, so we need to ensure at least ad-hoc signing
-        let identity = if provisioningSourceData.signingCertificateIdentifier
-            .isEmpty && shouldEnableMacOsDebuggingEntitlement && provisioningSourceData.supportsEntitlements
-        {
-            "-"
-        } else {
-            provisioningSourceData.signingCertificateIdentifier
-        }
+        let identity = provisioningSourceData.signingCertificateIdentifier
+
+        if identity == "-" || identity.isEmpty {
+            let getTaskAllowEntitlementKey: String
+            let applicationIdentifierEntitlementKey: String
+
+            if provisioningSourceData.sdkRoot.contains("macos") || provisioningSourceData.sdkRoot
+                .contains("simulator")
+            {
+                getTaskAllowEntitlementKey = "com.apple.security.get-task-allow"
+                applicationIdentifierEntitlementKey = "com.apple.application-identifier"
+            } else {
+                getTaskAllowEntitlementKey = "get-task-allow"
+                applicationIdentifierEntitlementKey = "application-identifier"
+            }
 
-        if identity == "-" {
             let signedEntitlements = provisioningSourceData
-                .entitlementsDestination == "Signature" && provisioningSourceData.sdkRoot.contains("iphoneos")
-                ? provisioningSourceData.productTypeEntitlements.merging(
-                    ["application-identifier": .plString(provisioningSourceData.bundleIdentifier)],
+                .entitlementsDestination == "Signature" ? provisioningSourceData.productTypeEntitlements.merging(
+                    [applicationIdentifierEntitlementKey: .plString(provisioningSourceData.bundleIdentifier)],
                     uniquingKeysWith: { _, new in new }
                 ).merging(provisioningSourceData.projectEntitlements ?? [:], uniquingKeysWith: { _, new in new })
                 : [:]
@@ -149,12 +154,8 @@ private final class PlanningOperationDelegate: SWBPlanningOperationDelegate, Sen
 
             var additionalEntitlements: [String: SWBPropertyListItem] = [:]
 
-            if provisioningSourceData.sdkRoot.contains("simulator") {
-                additionalEntitlements["get-task-allow"] = .plBool(true)
-            }
-
-            if shouldEnableMacOsDebuggingEntitlement {
-                additionalEntitlements["com.apple.security.get-task-allow"] = .plBool(true)
+            if shouldEnableDebuggingEntitlement {
+                additionalEntitlements[getTaskAllowEntitlementKey] = .plBool(true)
             }
 
             return SWBProvisioningTaskInputs(
@@ -176,8 +177,6 @@ private final class PlanningOperationDelegate: SWBPlanningOperationDelegate, Sen
                 errors: [],
                 warnings: []
             )
-        } else if identity.isEmpty {
-            return SWBProvisioningTaskInputs()
         } else {
             return SWBProvisioningTaskInputs(
                 identityHash: "-",
@@ -751,9 +750,8 @@ public final class SwiftBuildSystem: SPMBuildCore.BuildSystem {
 
                     let operation = try await session.createBuildOperation(
                         request: request,
-                        delegate: PlanningOperationDelegate(shouldEnableMacOsDebuggingEntitlement: self.buildParameters
-                            .triple.darwinPlatform == .macOS && self.buildParameters.debuggingParameters
-                            .shouldEnableDebuggingEntitlement
+                        delegate: PlanningOperationDelegate(shouldEnableDebuggingEntitlement: self.buildParameters
+                            .debuggingParameters.shouldEnableDebuggingEntitlement
                         ),
                         retainBuildDescription: true
                     )

Tests/CommandsTests/BuildCommandTests.swift

@@ -1282,9 +1282,6 @@ struct BuildCommandTestCases {
     }
 
     @Test(
-        .SWBINTTODO(
-            "Implement get-task-allow entitlement for xcode build system"
-        ),
         .tags(
             .Feature.CommandLineArguments.DisableGetTaskAllowEntitlement,
             .Feature.CommandLineArguments.EnableGetTaskAllowEntitlement,
@@ -1293,131 +1290,127 @@ struct BuildCommandTestCases {
         .tags(
             .Feature.CommandLineArguments.BuildSystem,
         ),
-        arguments: getBuildData(for: SupportedBuildSystemOnPlatform),
+        arguments: getBuildData(for: SupportedBuildSystemOnAllPlatforms),
     )
     func getTaskAllowEntitlement(
         data: BuildData,
     ) async throws {
         let buildSystem = data.buildSystem
         let buildConfiguration = data.config
-        try await withKnownIssue(isIntermittent: ProcessInfo.hostOperatingSystem == .linux) {
-            try await fixture(name: "ValidLayouts/SingleModule/ExecutableNew") { fixturePath in
-                #if os(macOS)
-                func codesignDisplay(execPath: AbsolutePath) async throws
-                    -> (AsyncProcessResult.ExitStatus, PropertyListItem?)
+        try await fixture(name: "ValidLayouts/SingleModule/ExecutableNew") { fixturePath in
+            #if os(macOS)
+            func codesignDisplay(execPath: AbsolutePath) async throws
+                -> (AsyncProcessResult.ExitStatus, PropertyListItem?)
+            {
+                let args = ["codesign", "-d", "--entitlements", "-", "--xml", execPath.pathString]
+                let result = try await AsyncProcess.popen(arguments: args)
+                let entitlements: PropertyListItem? = if case .success(let output) = result.output,
+                                                         !output.isEmpty
                 {
-                    let args = ["codesign", "-d", "--entitlements", "-", "--xml", execPath.pathString]
-                    let result = try await AsyncProcess.popen(arguments: args)
-                    let entitlements: PropertyListItem? = if case .success(let output) = result.output,
-                                                             !output.isEmpty
-                    {
-                        try PropertyList.fromBytes(output)
-                    } else {
-                        nil
-                    }
-
-                    return (result.exitStatus, entitlements)
+                    try PropertyList.fromBytes(output)
+                } else {
+                    nil
                 }
 
-                func verify(entitlements: PropertyListItem?, getTaskAllowRequired: Bool) {
-                    if getTaskAllowRequired {
-                        guard let entitlements, case .plDict(let dict) = entitlements else {
-                            Issue.record("Missing expected entitlements")
-                            return
-                        }
+                return (result.exitStatus, entitlements)
+            }
 
-                        #expect(dict["com.apple.security.get-task-allow"] == .plBool(true))
-                    } else {
-                        #expect(entitlements == nil)
+            func verify(entitlements: PropertyListItem?, getTaskAllowRequired: Bool) {
+                guard let entitlements, case .plDict(let dict) = entitlements else {
+                    if getTaskAllowRequired {
+                        Issue.record("Missing expected entitlements")
                     }
+                    return
                 }
 
-                let execName = "ExecutableNew"
+                if getTaskAllowRequired {
+                    #expect(dict["com.apple.security.get-task-allow"] == .plBool(true))
+                }
+            }
 
-                var buildResult = try await build(
-                    ["-v"],
-                    packagePath: fixturePath,
-                    configuration: buildConfiguration,
-                    cleanAfterward: false,
-                    buildSystem: buildSystem
-                )
-                var (
-                    exitStatus,
-                    entitlements
-                ) = try await codesignDisplay(execPath: buildResult.binPath.appending(execName))
+            let execName = "ExecutableNew"
 
-                // codesign performs basic verification in display mode, which is enough to confirm ad-hoc signature
-                // if verification fails (eg. no  signature) termination code will be 1
-                // though on Apple Silicon binary will always be signed because linker signs it by default
-                #expect(exitStatus == .terminated(code: 0))
-                verify(entitlements: entitlements, getTaskAllowRequired: buildConfiguration == .debug)
+            var buildResult = try await build(
+                ["-v"],
+                packagePath: fixturePath,
+                configuration: buildConfiguration,
+                cleanAfterward: false,
+                buildSystem: buildSystem
+            )
+            var (
+                exitStatus,
+                entitlements
+            ) = try await codesignDisplay(execPath: buildResult.binPath.appending(execName))
 
-                try await executeSwiftPackage(fixturePath, extraArgs: ["clean"], buildSystem: buildSystem)
+            // codesign performs basic verification in display mode, which is enough to confirm ad-hoc signature
+            // if verification fails (eg. no  signature) termination code will be 1
+            // though on Apple Silicon binary will always be signed because linker signs it by default
+            #expect(exitStatus == .terminated(code: 0))
+            verify(entitlements: entitlements, getTaskAllowRequired: buildConfiguration == .debug)
 
-                buildResult = try await build(
-                    ["--enable-get-task-allow-entitlement"],
-                    packagePath: fixturePath,
-                    configuration: buildConfiguration,
-                    cleanAfterward: false,
-                    buildSystem: buildSystem
-                )
-                (
-                    exitStatus,
-                    entitlements
-                ) = try await codesignDisplay(execPath: buildResult.binPath.appending(execName))
+            try await executeSwiftPackage(fixturePath, extraArgs: ["clean"], buildSystem: buildSystem)
 
-                #expect(exitStatus == .terminated(code: 0))
-                verify(entitlements: entitlements, getTaskAllowRequired: true)
+            buildResult = try await build(
+                ["--enable-get-task-allow-entitlement"],
+                packagePath: fixturePath,
+                configuration: buildConfiguration,
+                cleanAfterward: false,
+                buildSystem: buildSystem
+            )
+            (
+                exitStatus,
+                entitlements
+            ) = try await codesignDisplay(execPath: buildResult.binPath.appending(execName))
 
-                try await executeSwiftPackage(fixturePath, extraArgs: ["clean"], buildSystem: buildSystem)
+            #expect(exitStatus == .terminated(code: 0))
+            verify(entitlements: entitlements, getTaskAllowRequired: true)
 
-                buildResult = try await build(
-                    ["--disable-get-task-allow-entitlement"],
-                    packagePath: fixturePath,
-                    configuration: buildConfiguration,
-                    cleanAfterward: false,
-                    buildSystem: buildSystem
-                )
-                (
-                    exitStatus,
-                    entitlements
-                ) = try await codesignDisplay(execPath: buildResult.binPath.appending(execName))
-
-                #expect(exitStatus == .terminated(code: 0))
-                verify(entitlements: entitlements, getTaskAllowRequired: false)
-                #else
-                var buildResult = try await build(
-                    ["-v"],
-                    packagePath: fixturePath,
-                    configuration: buildConfiguration,
-                    buildSystem: buildSystem
-                )
+            try await executeSwiftPackage(fixturePath, extraArgs: ["clean"], buildSystem: buildSystem)
 
-                #expect(!buildResult.stdout.contains("codesign --force --sign - --entitlements"))
+            buildResult = try await build(
+                ["--disable-get-task-allow-entitlement"],
+                packagePath: fixturePath,
+                configuration: buildConfiguration,
+                cleanAfterward: false,
+                buildSystem: buildSystem
+            )
+            (
+                exitStatus,
+                entitlements
+            ) = try await codesignDisplay(execPath: buildResult.binPath.appending(execName))
+
+            #expect(exitStatus == .terminated(code: 0))
+            verify(entitlements: entitlements, getTaskAllowRequired: false)
+            #else
+            var buildResult = try await build(
+                ["-v"],
+                packagePath: fixturePath,
+                configuration: buildConfiguration,
+                buildSystem: buildSystem
+            )
 
-                buildResult = try await build(
-                    ["--disable-get-task-allow-entitlement", "-v"],
-                    packagePath: fixturePath,
-                    configuration: buildConfiguration,
-                    buildSystem: buildSystem,
-                )
+            #expect(!buildResult.stdout.contains("codesign --force --sign - --entitlements"))
 
-                #expect(!buildResult.stdout.contains("codesign --force --sign - --entitlements"))
-                #expect(buildResult.stderr.contains(SwiftCommandState.entitlementsMacOSWarning))
+            buildResult = try await build(
+                ["--disable-get-task-allow-entitlement", "-v"],
+                packagePath: fixturePath,
+                configuration: buildConfiguration,
+                buildSystem: buildSystem,
+            )
 
-                buildResult = try await build(
-                    ["--enable-get-task-allow-entitlement", "-v"],
-                    packagePath: fixturePath,
-                    configuration: buildConfiguration,
-                    buildSystem: buildSystem,
-                )
+            #expect(!buildResult.stdout.contains("codesign --force --sign - --entitlements"))
+            #expect(buildResult.stderr.contains(SwiftCommandState.entitlementsMacOSWarning))
 
-                #expect(!buildResult.stdout.contains("codesign --force --sign - --entitlements"))
-                #expect(buildResult.stderr.contains(SwiftCommandState.entitlementsMacOSWarning))
-                #endif
-            }
-        } when: {
-            [.xcode].contains(buildSystem) && ProcessInfo.hostOperatingSystem != .linux
+            buildResult = try await build(
+                ["--enable-get-task-allow-entitlement", "-v"],
+                packagePath: fixturePath,
+                configuration: buildConfiguration,
+                buildSystem: buildSystem,
+            )
+
+            #expect(!buildResult.stdout.contains("codesign --force --sign - --entitlements"))
+            #expect(buildResult.stderr.contains(SwiftCommandState.entitlementsMacOSWarning))
+            #endif
         }
     }