def _validate_entitlements_against_profile()

in tools/plisttool/plisttool.py [0:0]


  def _validate_entitlements_against_profile(self, entitlements):
    """Cross-checks requested entitlements against the provisioning profile.

    Each problem found is handed to `self._report`; this method returns
    nothing. The checks run in a fixed order: team identifier, application
    identifier, the keys in `_ENTITLEMENTS_TO_VALIDATE_WITH_PROFILE` and
    `_POTENTIAL_LIST_KEYS`, `beta-reports-active`, then the array-valued
    entitlements.

    Several checks only run when the profile actually carries the value to
    compare against (see the inline notes), so a profile with no
    `Entitlements` section is not reported by those checks themselves.

    Args:
      entitlements: The entitlements to validate; read through `.get()`.
    Raises:
      PlistToolError: For any issues found.
    """

    def check_array(name, **options):
      # Shared call shape for the array-valued entitlement checks below.
      self._check_entitlements_array(
          entitlements, profile_entitlements, name, self.target, **options)

    # com.apple.developer.team-identifier vs the profile's TeamIdentifier.
    # The profile's ApplicationIdentifierPrefix is deliberately not used for
    # this comparison, because it isn't always equal to the Team ID.
    # https://developer.apple.com/library/archive/technotes/tn2415/_index.html#//apple_ref/doc/uid/DTS40016427-CH1-ENTITLEMENTSLIST
    team_id = entitlements.get('com.apple.developer.team-identifier')
    if team_id:
      team_key = 'TeamIdentifier'
      # A profile without TeamIdentifier yields [], so any requested team id
      # is reported as a mismatch rather than silently accepted.
      profile_team_ids = self._profile_metadata.get(team_key, [])
      if team_id not in profile_team_ids:
        message = ENTITLEMENTS_TEAM_ID_PROFILE_MISMATCH % (
            self.target, team_id, team_key, profile_team_ids)
        self._report(message)

    # May be None when the profile has no Entitlements section.
    profile_entitlements = self._profile_metadata.get('Entitlements')

    # application-identifier: compared only when the entitlements and the
    # profile both provide one. A missing profile value is not reported here.
    app_id = entitlements.get('application-identifier')
    if app_id and profile_entitlements:
      profile_app_id = profile_entitlements.get('application-identifier')
      if profile_app_id:
        # Wildcards are enabled on both sides of the comparison.
        ids_match = self._does_id_match(
            app_id, profile_app_id, allowed_supports_wildcards=True,
            id_supports_wildcards=True)
        if not ids_match:
          message = ENTITLEMENTS_APP_ID_PROFILE_MISMATCH % (
              self.target, app_id, profile_app_id)
          self._report(message)

    # Per-key comparisons against the profile. The second group is the same
    # check with validate_value_in_list=True (presumably the profile value
    # may be a list there -- confirm against the helper).
    key_groups = (
        (_ENTITLEMENTS_TO_VALIDATE_WITH_PROFILE, {}),
        (_POTENTIAL_LIST_KEYS, {'validate_value_in_list': True}),
    )
    for keys, options in key_groups:
      for entitlement in keys:
        self._check_entitlement_matches_profile_value(
            entitlement=entitlement,
            entitlements=entitlements,
            profile_entitlements=profile_entitlements,
            **options)

    # beta-reports-active must agree between the entitlements file and the
    # profile, or the upload will get rejected by Apple.
    # NOTE(review): only the direction "set in entitlements" is checked; a
    # value present solely in the profile is not reported by this block.
    requested_beta = entitlements.get('beta-reports-active')
    profile_beta = (profile_entitlements or {}).get('beta-reports-active')
    if requested_beta is not None and profile_beta != requested_beta:
      if profile_beta is None:
        message = ENTITLEMENTS_BETA_REPORTS_ACTIVE_MISSING_PROFILE % (
            self.target, requested_beta)
      else:
        message = ENTITLEMENTS_BETA_REPORTS_ACTIVE_MISMATCH % (
            self.target, requested_beta, profile_beta)
      self._report(message)

    # keychain-access-groups
    check_array('keychain-access-groups', supports_wildcards=True)

    # com.apple.security.application-groups
    # (This check does not apply to macOS-only provisioning profiles.)
    macos_only = self._profile_metadata.get('Platform', []) == ['OSX']
    if not macos_only:
      check_array('com.apple.security.application-groups')

    # com.apple.developer.associated-domains: the only array check that also
    # permits wildcards in the entitlements themselves.
    check_array(
        'com.apple.developer.associated-domains',
        supports_wildcards=True,
        allow_wildcards_in_entitlements=True)

    # com.apple.developer.nfc.readersession.formats
    check_array('com.apple.developer.nfc.readersession.formats')