Bug 232846 - [WebAuthn] WebKitTestRunner lacks an entitlement and bundle identifier to use required [ASCAgent performAuthorizationRequestsForContext]
Summary: [WebAuthn] WebKitTestRunner lacks an entitlement and bundle identifier to use...
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebKit Misc. (show other bugs)
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
: P1 Normal
Assignee: j_pascoe@apple.com
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2021-11-08 13:32 PST by j_pascoe@apple.com
Modified: 2021-11-16 08:47 PST (History)
6 users (show)

See Also:


Attachments
Patch (1.78 KB, patch)
2021-11-08 13:36 PST, j_pascoe@apple.com
no flags Details | Formatted Diff | Diff
Patch (7.45 KB, patch)
2021-11-15 11:18 PST, j_pascoe@apple.com
no flags Details | Formatted Diff | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description j_pascoe@apple.com 2021-11-08 13:32:03 PST
WebKitTestRunner needs the "com.apple.authentication-services.allow-authentication-request-any-rpid" entitlement to make calls to [ASCAgent performAuthorizationRequestsForContext]
Comment 1 Radar WebKit Bug Importer 2021-11-08 13:32:18 PST
<rdar://problem/85170633>
Comment 2 j_pascoe@apple.com 2021-11-08 13:36:43 PST
Created attachment 443597 [details]
Patch
Comment 3 Alexey Proskuryakov 2021-11-08 15:06:09 PST
Comment on attachment 443597 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=443597&action=review

> Tools/ChangeLog:10
> +        WebKitTestRunner needs the "com.apple.authentication-services.allow-authentication-request-any-rpid" entitlement 
> +        to make calls to [ASCAgent performAuthorizationRequestsForContext]

I don't think that this can work in open source builds, being a restricted entitlement. If it could, then it would be of no value, as anyone could have it.

Am I missing something?
Comment 4 j_pascoe@apple.com 2021-11-08 15:32:52 PST
Yes, you're right, we would need to possibly do this in process-entitlements.sh
Comment 5 Brent Fulgham 2021-11-08 17:45:33 PST
I think we should adjust the case so that restricted entitlement is not necessary.
Comment 6 j_pascoe@apple.com 2021-11-10 15:52:43 PST
We can add an associated domain entitlement to WKTR and TWAPI in order to enable these tests against ASCAgent without a restricted entitlement, however it requires placing .well-known/apple-app-site-association on the associated domain with the <Application Identifier Prefix>.<Bundle Identifier> of WKTR/TWAPI, therefore who's doing the code signing would still matter.
Comment 7 j_pascoe@apple.com 2021-11-15 11:18:04 PST
Created attachment 444278 [details]
Patch
Comment 8 Brent Fulgham 2021-11-16 07:57:46 PST
Comment on attachment 444278 [details]
Patch

r=me. Looks like a good solution!
Comment 9 EWS 2021-11-16 08:47:47 PST
Committed r285864 (244290@main): <https://commits.webkit.org/244290@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 444278 [details].