Bug 232846

Summary: [WebAuthn] WebKitTestRunner lacks an entitlement and bundle identifier to use required [ASCAgent performAuthorizationRequestsForContext]
Product: WebKit Reporter: j_pascoe <j_pascoe>
Component: WebKit Misc.Assignee: j_pascoe <j_pascoe>
Status: RESOLVED FIXED    
Severity: Normal CC: ap, bfulgham, ews-watchlist, jiewen_tan, j_pascoe, webkit-bug-importer
Priority: P1 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Patch
none
Patch none

Description j_pascoe@apple.com 2021-11-08 13:32:03 PST
WebKitTestRunner needs the "com.apple.authentication-services.allow-authentication-request-any-rpid" entitlement to make calls to [ASCAgent performAuthorizationRequestsForContext]
Comment 1 Radar WebKit Bug Importer 2021-11-08 13:32:18 PST
<rdar://problem/85170633>
Comment 2 j_pascoe@apple.com 2021-11-08 13:36:43 PST
Created attachment 443597 [details]
Patch
Comment 3 Alexey Proskuryakov 2021-11-08 15:06:09 PST
Comment on attachment 443597 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=443597&action=review

> Tools/ChangeLog:10
> +        WebKitTestRunner needs the "com.apple.authentication-services.allow-authentication-request-any-rpid" entitlement 
> +        to make calls to [ASCAgent performAuthorizationRequestsForContext]

I don't think that this can work in open source builds, being a restricted entitlement. If it could, then it would be of no value, as anyone could have it.

Am I missing something?
Comment 4 j_pascoe@apple.com 2021-11-08 15:32:52 PST
Yes, you're right, we would need to possibly do this in process-entitlements.sh
Comment 5 Brent Fulgham 2021-11-08 17:45:33 PST
I think we should adjust the case so that restricted entitlement is not necessary.
Comment 6 j_pascoe@apple.com 2021-11-10 15:52:43 PST
We can add an associated domain entitlement to WKTR and TWAPI in order to enable these tests against ASCAgent without a restricted entitlement, however it requires placing .well-known/apple-app-site-association on the associated domain with the <Application Identifier Prefix>.<Bundle Identifier> of WKTR/TWAPI, therefore who's doing the code signing would still matter.
Comment 7 j_pascoe@apple.com 2021-11-15 11:18:04 PST
Created attachment 444278 [details]
Patch
Comment 8 Brent Fulgham 2021-11-16 07:57:46 PST
Comment on attachment 444278 [details]
Patch

r=me. Looks like a good solution!
Comment 9 EWS 2021-11-16 08:47:47 PST
Committed r285864 (244290@main): <https://commits.webkit.org/244290@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 444278 [details].