Include debug entitlements by default when building non-release builds.

The new behavior can be disabled by building with -c opt or --nodevice_debug_entitlements. RELNOTES: iOS apps are signed with get-task-allow=1 unless building with -c opt. -- MOS_MIGRATED_REVID=120827024
fulldecent · Apr 27, 2016 · 8e226d6 · 8e226d6
1 parent 7124f56
commit 8e226d6
Show file tree

Hide file tree

Showing 6 changed files with 89 additions and 32 deletions.
diff --git a/src/main/java/com/google/devtools/build/lib/rules/objc/ObjcCommandLineOptions.java b/src/main/java/com/google/devtools/build/lib/rules/objc/ObjcCommandLineOptions.java
@@ -211,6 +211,16 @@ public class ObjcCommandLineOptions extends FragmentOptions {
   )
   public boolean experimentalAutoTopLevelUnionObjCProtos;
 
+  @Option(
+    name = "device_debug_entitlements",
+    defaultValue = "true",
+    category = "flags",
+    help =
+        "If set, and compilation mode is not 'opt', objc apps will include debug entitlements "
+            + "when signing."
+  )
+  public boolean deviceDebugEntitlements;
+
   @VisibleForTesting static final String DEFAULT_MINIMUM_IOS = "7.0";
 
   @Override

diff --git a/src/main/java/com/google/devtools/build/lib/rules/objc/ObjcConfiguration.java b/src/main/java/com/google/devtools/build/lib/rules/objc/ObjcConfiguration.java
@@ -76,6 +76,7 @@ public class ObjcConfiguration extends BuildConfiguration.Fragment {
   private final boolean debugWithGlibcxx;
   private final boolean experimentalAutoTopLevelUnionObjCProtos;
   @Nullable private final Label extraEntitlements;
+  private final boolean deviceDebugEntitlements;
 
   ObjcConfiguration(ObjcCommandLineOptions objcOptions, BuildConfiguration.Options options,
       @Nullable BlazeDirectories directories) {
@@ -103,6 +104,7 @@ public class ObjcConfiguration extends BuildConfiguration.Fragment {
     this.extraEntitlements = objcOptions.extraEntitlements;
     this.experimentalAutoTopLevelUnionObjCProtos =
         objcOptions.experimentalAutoTopLevelUnionObjCProtos;
+    this.deviceDebugEntitlements = objcOptions.deviceDebugEntitlements;
   }
 
   /**
@@ -282,4 +284,14 @@ public Label getExtraEntitlements() {
   public boolean experimentalAutoTopLevelUnionObjCProtos() {
     return experimentalAutoTopLevelUnionObjCProtos;
   }
+
+  /**
+   * Returns whether device debug entitlements should be included when signing an application.
+   *
+   * <p>Note that debug entitlements should not be included in compilation mode {@code opt}
+   * regardless of this setting.
+   */
+  public boolean useDeviceDebugEntitlements() {
+    return deviceDebugEntitlements;
+  }
 }
diff --git a/src/main/java/com/google/devtools/build/lib/rules/objc/ObjcRuleClasses.java b/src/main/java/com/google/devtools/build/lib/rules/objc/ObjcRuleClasses.java
@@ -922,6 +922,7 @@ public static class ReleaseBundlingRule implements RuleDefinition {
     static final String DEFAULT_PROVISIONING_PROFILE_ATTR = ":default_provisioning_profile";
     static final String ENTITLEMENTS_ATTR = "entitlements";
     static final String EXTRA_ENTITLEMENTS_ATTR = ":extra_entitlements";
+    static final String DEBUG_ENTITLEMENTS_ATTR = "$device_debug_entitlements";
     static final String LAUNCH_IMAGE_ATTR = "launch_image";
     static final String LAUNCH_STORYBOARD_ATTR = "launch_storyboard";
     static final String PROVISIONING_PROFILE_ATTR = "provisioning_profile";
@@ -941,11 +942,11 @@ public RuleClass build(Builder builder, RuleDefinitionEnvironment env) {
           <a href="https://developer.apple.com/library/ios/documentation/General/Reference/InfoPlistKeyReference/Articles/CoreFoundationKeys.html">their definitions in Apple's documentation</a>:
           $(AppIdentifierPrefix) and $(CFBundleIdentifier).
           <!-- #END_BLAZE_RULE.ATTRIBUTE -->*/
-          .add(attr(ENTITLEMENTS_ATTR, LABEL)
-              .allowedFileTypes(ENTITLEMENTS_TYPE))
+          .add(attr(ENTITLEMENTS_ATTR, LABEL).allowedFileTypes(ENTITLEMENTS_TYPE))
           .add(
               attr(EXTRA_ENTITLEMENTS_ATTR, LABEL)
                   .singleArtifact()
+                  .cfg(HOST)
                   .value(
                       new LateBoundLabel<BuildConfiguration>(ObjcConfiguration.class) {
                         @Override
@@ -956,7 +957,12 @@ public Label resolve(
                               .getExtraEntitlements();
                         }
                       })
-              .allowedFileTypes(ENTITLEMENTS_TYPE))
+                  .allowedFileTypes(ENTITLEMENTS_TYPE))
+          .add(
+              attr(DEBUG_ENTITLEMENTS_ATTR, LABEL)
+                  .singleArtifact()
+                  .cfg(HOST)
+                  .value(env.getToolsLabel("//tools/objc:device_debug_entitlements.plist")))
           /* <!-- #BLAZE_RULE($objc_release_bundling_rule).ATTRIBUTE(provisioning_profile) -->
           The provisioning profile (.mobileprovision file) to use when bundling
           the application.
@@ -975,8 +981,8 @@ The provisioning profile (.mobileprovision file) to use when bundling
                   .value(
                       new LateBoundLabel<BuildConfiguration>(ObjcConfiguration.class) {
                         @Override
-                        public Label resolve(Rule rule, AttributeMap attributes,
-                            BuildConfiguration configuration) {
+                        public Label resolve(
+                            Rule rule, AttributeMap attributes, BuildConfiguration configuration) {
                           AppleConfiguration appleConfiguration =
                               configuration.getFragment(AppleConfiguration.class);
                           if (appleConfiguration.getBundlingPlatform() != Platform.IOS_DEVICE) {

diff --git a/src/main/java/com/google/devtools/build/lib/rules/objc/ReleaseBundling.java b/src/main/java/com/google/devtools/build/lib/rules/objc/ReleaseBundling.java
@@ -144,11 +144,6 @@ public Builder setEntitlements(Artifact entitlements) {
       return this;
     }
 
-    public Builder setExtraEntitlements(Artifact extraEntitlements) {
-      this.extraEntitlements = extraEntitlements;
-      return this;
-    }
-
     public ReleaseBundling build() {
       Preconditions.checkNotNull(intermediateArtifacts, "intermediateArtifacts");
       Preconditions.checkNotNull(families, FAMILIES_ATTR);
@@ -227,8 +222,6 @@ public static ReleaseBundling releaseBundling(RuleContext ruleContext)
         .setTargetDeviceFamilies(families)
         .setIntermediateArtifacts(ObjcRuleClasses.intermediateArtifacts(ruleContext))
         .setEntitlements(ruleContext.getPrerequisiteArtifact("entitlements", Mode.TARGET))
-        .setExtraEntitlements(
-            ruleContext.getPrerequisiteArtifact(":extra_entitlements", Mode.TARGET))
         .build();
   }
 
@@ -250,7 +243,6 @@ public static ReleaseBundling releaseBundling(RuleContext ruleContext)
   private final Iterable<Artifact> infoPlistsFromRule;
   private final String artifactPrefix;
   private final Artifact entitlements;
-  private final Artifact extraEntitlements;
 
   private ReleaseBundling(
       Artifact ipaArtifact,
@@ -285,7 +277,6 @@ private ReleaseBundling(
     this.intermediateArtifacts = Preconditions.checkNotNull(intermediateArtifacts);
     this.artifactPrefix = artifactPrefix;
     this.entitlements = entitlements;
-    this.extraEntitlements = extraEntitlements;
   }
 
   /**
@@ -398,12 +389,4 @@ public String getArtifactPrefix() {
   public Artifact getEntitlements() {
     return entitlements;
   }
-
-  /**
-   * Returns an {@link Artifact} containing the extra entitlements passed via command line that is
-   * used to sign this bundle for non-simulator builds; can be null.
-   */
-  public Artifact getExtraEntitlements() {
-    return extraEntitlements;
-  }
 }
diff --git a/src/main/java/com/google/devtools/build/lib/rules/objc/ReleaseBundlingSupport.java b/src/main/java/com/google/devtools/build/lib/rules/objc/ReleaseBundlingSupport.java
@@ -18,6 +18,8 @@
 import static com.google.devtools.build.lib.packages.ImplicitOutputsFunction.fromTemplates;
 import static com.google.devtools.build.lib.rules.objc.ObjcProvider.Flag.USES_SWIFT;
 import static com.google.devtools.build.lib.rules.objc.ObjcRuleClasses.ReleaseBundlingRule.APP_ICON_ATTR;
+import static com.google.devtools.build.lib.rules.objc.ObjcRuleClasses.ReleaseBundlingRule.DEBUG_ENTITLEMENTS_ATTR;
+import static com.google.devtools.build.lib.rules.objc.ObjcRuleClasses.ReleaseBundlingRule.EXTRA_ENTITLEMENTS_ATTR;
 import static com.google.devtools.build.lib.rules.objc.TargetDeviceFamily.UI_DEVICE_FAMILY_VALUES;
 
 import com.google.common.annotations.VisibleForTesting;
@@ -43,6 +45,7 @@
 import com.google.devtools.build.lib.analysis.actions.TemplateExpansionAction.Substitution;
 import com.google.devtools.build.lib.analysis.config.BuildConfiguration;
 import com.google.devtools.build.lib.analysis.config.BuildOptions;
+import com.google.devtools.build.lib.analysis.config.CompilationMode;
 import com.google.devtools.build.lib.collect.nestedset.NestedSet;
 import com.google.devtools.build.lib.collect.nestedset.NestedSetBuilder;
 import com.google.devtools.build.lib.collect.nestedset.Order;
@@ -532,24 +535,38 @@ private void registerEntitlementsActions() {
     }
 
     Artifact substitutedEntitlements = intermediateArtifacts.entitlements();
-    if (releaseBundling.getExtraEntitlements() != null) {
+    if (attributes.extraEntitlements() != null || includeDebugEntitlements()) {
       substitutedEntitlements =
           intermediateArtifacts.appendExtensionForEntitlementArtifact(".substituted");
-      registerMergeEntitlementsAction(substitutedEntitlements,
-          releaseBundling.getExtraEntitlements());
+
+      NestedSetBuilder<Artifact> entitlements =
+          NestedSetBuilder.<Artifact>stableOrder().add(substitutedEntitlements);
+      if (attributes.extraEntitlements() != null) {
+        entitlements.add(attributes.extraEntitlements());
+      }
+      if (includeDebugEntitlements()) {
+        entitlements.add(attributes.deviceDebugEntitlements());
+      }
+
+      registerMergeEntitlementsAction(entitlements.build());
     }
 
     registerEntitlementsVariableSubstitutionAction(
         entitlementsNeedingSubstitution, teamPrefixFile, substitutedEntitlements);
   }
 
-  private void registerMergeEntitlementsAction(
-      Artifact substitutedEntitlements, Artifact extraEntitlements) {
+  private boolean includeDebugEntitlements() {
+    return attributes.deviceDebugEntitlements() != null
+        && ruleContext.getConfiguration().getCompilationMode() != CompilationMode.OPT
+        && ObjcRuleClasses.objcConfiguration(ruleContext).useDeviceDebugEntitlements();
+  }
 
+  private void registerMergeEntitlementsAction(NestedSet<Artifact> entitlements) {
     PlMergeControlBytes controlBytes =
         PlMergeControlBytes.fromPlists(
-            NestedSetBuilder.create(Order.STABLE_ORDER, substitutedEntitlements, extraEntitlements),
-            intermediateArtifacts.entitlements(), PlMergeControlBytes.OutputFormat.XML);
+            entitlements,
+            intermediateArtifacts.entitlements(),
+            PlMergeControlBytes.OutputFormat.XML);
 
     Artifact plMergeControlArtifact = ObjcRuleClasses.artifactByAppendingToBaseName(ruleContext,
         artifactName(".merge-entitlements-control"));
@@ -567,8 +584,7 @@ private void registerMergeEntitlementsAction(
             .setExecutable(attributes.plmerge())
             .addArgument("--control")
             .addInputArgument(plMergeControlArtifact)
-            .addInput(substitutedEntitlements)
-            .addInput(extraEntitlements)
+            .addTransitiveInputs(entitlements)
             .addOutput(intermediateArtifacts.entitlements())
             .build(ruleContext));
   }
@@ -1220,10 +1236,32 @@ FilesToRunProvider swiftStdlibToolWrapper() {
     /**
      * Returns the location of the environment_plist.
      */
-    public FilesToRunProvider environmentPlist() {
+    FilesToRunProvider environmentPlist() {
       return ruleContext.getExecutablePrerequisite("$environment_plist", Mode.HOST);
     }
 
+    /**
+     * Returns a plist specified by the user via {@code --extra_entitlements} or {@code null}.
+     */
+    @Nullable
+    Artifact extraEntitlements() {
+      if (ruleContext.attributes().getAttributeDefinition(EXTRA_ENTITLEMENTS_ATTR) == null) {
+        return null;
+      }
+      return ruleContext.getPrerequisiteArtifact(EXTRA_ENTITLEMENTS_ATTR, Mode.HOST);
+    }
+
+    /**
+     * Returns a plist containing entitlements that allow the signed IPA to be debugged.
+     */
+    @Nullable
+    Artifact deviceDebugEntitlements() {
+      if (ruleContext.attributes().getAttributeDefinition(DEBUG_ENTITLEMENTS_ATTR) == null) {
+        return null;
+      }
+      return ruleContext.getPrerequisiteArtifact(DEBUG_ENTITLEMENTS_ATTR, Mode.HOST);
+    }
+
     ImmutableMap<String, Artifact> cpuSpecificBreakpadFiles() {
       return cpuSpecificArtifacts(ObjcProvider.BREAKPAD_FILE);
     }

diff --git a/tools/objc/device_debug_entitlements.plist b/tools/objc/device_debug_entitlements.plist
@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>get-task-allow</key>
+	<true/>
+</dict>
+</plist>