Using Squish with sandboxed macOS applications
Sandboxed macOS applications have the entitlement com.apple.security.app-sandbox set to true.
In addition to the hardened runtime requirements, sandboxed applications must have the entitlement com.apple.security.network.client to be testable with Squish.
If the application gets launched in an attachable state via Squish's startaut tool, or with the built-in hook (for listening on a TCP port), the entitlement com.apple.security.network.server is also required.
NSOpenPanel: Accessing files outside the sandbox
Sandboxed applications can only access files outside their sandbox with user consent. Having the user select a file or folder through NSOpenPanel is a way to get express consent. As a minimum, the entitlement com.apple.security.files.user-selected.read-write or com.apple.security.files.user-selected.read-only is needed for this to work.
That is typically not enough for automated testing since the access permission will be dropped when the AUT quits. Additional steps are needed for permanent access to an out-of-sandbox resource:
- a security-scoped bookmark needs to be stored by the app and used for subsequent file access
- the entitlement com.apple.security.files.bookmarks.app-scope and/or com.apple.security.files.bookmarks.document-scope
If your AUT uses security-scoped bookmarks and uses an NSOpenPanel to request broad permissions, e.g. to enumerate files in the user's home directory, make sure to request these permissions before recording Squish test cases. If the permissions are requested during recording, Squish will record a chooseFile() statement that cannot be replayed since the bookmark will be used subsequently. Alternatively, you need to manually remove the chooseFile() statement after recording for the test to replay properly.
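The entitlement requirements listed above can be checked before a test run. The following is an added example, not part of Squish or its documentation: it reads the AUT's entitlements plist and reports what is missing for a given test setup. The function name, its parameters and the sample plist are assumptions constructed for illustration.

```python
import plistlib

PREFIX = "com.apple.security."

# Constructed sample: a sandboxed AUT that can open user-selected files read-only.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key><true/>
    <key>com.apple.security.network.client</key><true/>
    <key>com.apple.security.files.user-selected.read-only</key><true/>
</dict>
</plist>"""


def missing_entitlements(plist_bytes, attachable=False, file_access=False,
                         persistent=False):
    """List entitlements the test setup needs but the plist does not grant.

    attachable:  AUT listens on a TCP port (startaut or the built-in hook)
    file_access: the test selects out-of-sandbox files through NSOpenPanel
    persistent:  that access must survive an AUT restart (bookmarks)
    """
    entitlements = plistlib.loads(plist_bytes)

    def granted(*names):
        # An entitlement counts only when its value is the boolean true.
        return any(entitlements.get(PREFIX + n) is True for n in names)

    if not granted("app-sandbox"):
        return []  # not sandboxed: none of the sandbox-specific rules apply

    missing = []
    if not granted("network.client"):
        missing.append(PREFIX + "network.client")
    if attachable and not granted("network.server"):
        missing.append(PREFIX + "network.server")
    if (file_access or persistent) and not granted(
            "files.user-selected.read-write", "files.user-selected.read-only"):
        missing.append(PREFIX + "files.user-selected.read-write (or read-only)")
    if persistent and not granted(
            "files.bookmarks.app-scope", "files.bookmarks.document-scope"):
        missing.append(PREFIX + "files.bookmarks.app-scope (or document-scope)")
    return missing


if __name__ == "__main__":
    for setup in ({}, {"attachable": True}, {"persistent": True}):
        print(setup, "->", missing_entitlements(SAMPLE, **setup) or "ok")
```

The check grants com.apple.security.network.server no special status unless the attachable setup is requested, so an AUT that is only launched normally passes without it.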
chooseFile() and sandboxed AUTs in a clean test environment
The above explanation assumes that a test case is run in the same environment as it was recorded in. Things are more difficult if tests must run in a clean environment, for example a VM that is reset after each test run.
For non-sandboxed AUTs, chooseFile() helps with operating NSOpenPanel to select a file. It does this by impersonating the NSOpenPanel class and passing the selected file URLs to the AUT.
In a sandboxed scenario, NSOpenPanel also negotiates the out-of-sandbox access permission with the operating system. This cannot be replicated by Squish when impersonating that class with chooseFile(). Therefore a sandboxed app will not be able to read files chosen via chooseFile() during test execution.