Bug 232846

Summary: [WebAuthn] WebKitTestRunner lacks an entitlement and bundle identifier to use required [ASCAgent performAuthorizationRequestsForContext]
Product: WebKit Reporter: pascoe <pascoe>
Component: WebKit Misc.Assignee: pascoe <pascoe>
Status: RESOLVED FIXED    
Severity: Normal CC: ap, bfulgham, ews-watchlist, jiewen_tan, pascoe, webkit-bug-importer
Priority: P1 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Patch
none
Patch none

pascoe@apple.com
Reported 2021-11-08 13:32:03 PST
WebKitTestRunner needs the "com.apple.authentication-services.allow-authentication-request-any-rpid" entitlement to make calls to [ASCAgent performAuthorizationRequestsForContext]
Attachments
Patch (1.78 KB, patch)
2021-11-08 13:36 PST, pascoe@apple.com 		no flags
DetailsFormatted DiffDiff
Patch (7.45 KB, patch)
2021-11-15 11:18 PST, pascoe@apple.com 		no flags
DetailsFormatted DiffDiff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
Radar WebKit Bug Importer
Comment 1 2021-11-08 13:32:18 PST
<rdar://problem/85170633>
pascoe@apple.com
Comment 2 2021-11-08 13:36:43 PST
Created attachment 443597 [details] Patch
Alexey Proskuryakov
Comment 3 2021-11-08 15:06:09 PST
Comment on attachment 443597 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=443597&action=review > Tools/ChangeLog:10 > + WebKitTestRunner needs the "com.apple.authentication-services.allow-authentication-request-any-rpid" entitlement > + to make calls to [ASCAgent performAuthorizationRequestsForContext] I don't think that this can work in open source builds, being a restricted entitlement. If it could, then it would be of no value, as anyone could have it. Am I missing something?
pascoe@apple.com
Comment 4 2021-11-08 15:32:52 PST
Yes, you're right, we would need to possibly do this in process-entitlements.sh
Brent Fulgham
Comment 5 2021-11-08 17:45:33 PST
I think we should adjust the case so that restricted entitlement is not necessary.
pascoe@apple.com
Comment 6 2021-11-10 15:52:43 PST
We can add an associated domain entitlement to WKTR and TWAPI in order to enable these tests against ASCAgent without a restricted entitlement, however it requires placing .well-known/apple-app-site-association on the associated domain with the <Application Identifier Prefix>.<Bundle Identifier> of WKTR/TWAPI, therefore who's doing the code signing would still matter.
pascoe@apple.com
Comment 7 2021-11-15 11:18:04 PST
Created attachment 444278 [details] Patch
Brent Fulgham
Comment 8 2021-11-16 07:57:46 PST
Comment on attachment 444278 [details] Patch r=me. Looks like a good solution!
EWS
Comment 9 2021-11-16 08:47:47 PST
Committed r285864 (244290@main): <https://commits.webkit.org/244290@main> All reviewed patches have been landed. Closing bug and clearing flags on attachment 444278 [details].
Note You need to log in before you can comment on or make changes to this bug.