[Cocoa] Add support for overriding DNS resolution for WPT

https://bugs.webkit.org/show_bug.cgi?id=261038
rdar://82927182

Reviewed by Alex Christensen.

Patch by Matthew Finkel and Anne van Kesteren with minor modifications by Per Arne.

Some ports don't have support for resolving arbitrary domains, but
web-platform-tests rely on this capability. Currently, the Apple ports only
use localhost, and 127.0.0.1 as a workaround where it's necessary, but this
affects our test coverage. This patch adds a very basic DNS resolver and
introduces a new command-line argument for run-webkit-tests; this is disabled
by default.

In 254273@main, glib ports gained support for resolving arbitrary domains,
and this moves Apple ports closer to supporting that. We expect to enable
this by default, along with rebaselining, in a later commit.

Previous attempts were made in https://bugs.webkit.org/show_bug.cgi?id=245294,
and 264076@main introduced part of that behavior for a different reason. In
some situations, name resolutions falls back on that SPI, as well.

The basic DNS resolver only resolves A records for names ending with
"localhost" and for the host names defines by the port's localhost_aliases.
The server always returns 127.0.0.1 as the answer for those hosts. All other
queries return NXDomain. This resolver depends on the dnslib Python library.

On Apple ports, the iOS Simulator and Mac use different implementations. The
iOS simulator part is in the Network process because we need to define the
resolver in-process otherwise it won't be used. The way the resolver is
configured on Mac isn't supported on the simulator. On Mac, we use SPI and a
Network Extensions policy so this works when a VPN is enabled. We do this in
WebKitTestRunner so we don't need to add additional entitlements and weaken
the sandbox for the network process.

* Source/WebCore/PAL/pal/spi/cocoa/NetworkSPI.h:
* Source/WebKit/NetworkProcess/cocoa/NetworkProcessCocoa.mm:
(WebKit::NetworkProcess::platformInitializeNetworkProcessCocoa):
* Tools/Scripts/webkitpy/__init__.py:
* Tools/Scripts/webkitpy/layout_tests/run_webkit_tests.py:
(parse_args):
* Tools/Scripts/webkitpy/layout_tests/servers/basic_dns_server.py: Added.
(Resolver):
(Resolver.__init__):
(Resolver.resolve):
* Tools/Scripts/webkitpy/layout_tests/servers/web_platform_test_server.py:
(WebPlatformTestServer.__init__):
(WebPlatformTestServer._spawn_process):
(WebPlatformTestServer._stop_running_server):
* Tools/Scripts/webkitpy/port/apple.py:
(ApplePort.__init__):
* Tools/Scripts/webkitpy/port/driver.py:
(Driver.cmd_line):
* Tools/Scripts/webkitpy/port/test.py:
* Tools/WebKitTestRunner/Configurations/WebKitTestRunner-internal.entitlements:
* Tools/WebKitTestRunner/Options.cpp:
(WTR::handleOptionLocalDNSResolver):
(WTR::OptionsHandler::OptionsHandler):
* Tools/WebKitTestRunner/Options.h:
* Tools/WebKitTestRunner/TestController.h:
* Tools/WebKitTestRunner/WebKitTestRunner.xcodeproj/project.pbxproj:
* Tools/WebKitTestRunner/cocoa/TestControllerCocoa.mm:
(WTR::TestController::cocoaPlatformInitialize):
(WTR::TestController::cocoaDNSInitialize):

Canonical link: https://commits.webkit.org/300026@main

Author: pvollan

Source/WebCore/PAL/pal/spi/cocoa/NetworkSPI.h

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2021-2023 Apple Inc. All rights reserved.
+ * Copyright (C) 2021-2025 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -33,6 +33,11 @@ DECLARE_SYSTEM_HEADER
 
 #import <nw/private.h>
 
+#if PLATFORM(MAC) && defined(__OBJC__)
+// Only needed for running tests.
+#import <NetworkExtension/NEPolicySession.h>
+#endif
+
 #else
 
 WTF_EXTERN_C_BEGIN
@@ -77,4 +82,52 @@ void nw_webtransport_options_set_allow_joining_before_ready(nw_protocol_options_
 
 WTF_EXTERN_C_END
 
+// ------------------------------------------------------------
+// The following declarations are only needed for running tests.
+
+WTF_EXTERN_C_BEGIN
+
+typedef enum {
+    nw_resolver_protocol_dns53 = 0,
+} nw_resolver_protocol_t;
+
+typedef enum {
+    nw_resolver_class_designated_direct = 2,
+} nw_resolver_class_t;
+
+nw_resolver_config_t nw_resolver_config_create(void);
+void nw_resolver_config_set_protocol(nw_resolver_config_t, nw_resolver_protocol_t);
+void nw_resolver_config_set_class(nw_resolver_config_t, nw_resolver_class_t);
+void nw_resolver_config_add_match_domain(nw_resolver_config_t, const char *);
+void nw_resolver_config_add_name_server(nw_resolver_config_t, const char *name_server);
+void nw_resolver_config_set_identifier(nw_resolver_config_t, const uuid_t identifier);
+bool nw_resolver_config_publish(nw_resolver_config_t);
+
+WTF_EXTERN_C_END
+
+#if defined(__OBJC__)
+typedef NS_ENUM(NSInteger, NEPolicySessionPriority) {
+    NEPolicySessionPriorityHigh = 300,
+};
+
+@interface NEPolicyCondition : NSObject
++ (NEPolicyCondition *)domain:(NSString *)domain;
+@end
+
+@interface NEPolicyResult : NSObject
++ (NEPolicyResult *)netAgentUUID:(NSUUID *)agentUUID;
+@end
+
+@interface NEPolicy : NSObject
+- (instancetype)initWithOrder:(uint32_t)order result:(NEPolicyResult *)result conditions:(NSArray<NEPolicyCondition *> *)conditions;
+@end
+
+@interface NEPolicySession : NSObject
+@property NEPolicySessionPriority priority;
+- (NSUInteger)addPolicy:(NEPolicy *)policy;
+- (BOOL)apply;
+@end
+#endif // defined(__OBJC__)
+// ------------------------------------------------------------
+
 #endif // USE(APPLE_INTERNAL_SDK)

Source/WebKit/NetworkProcess/cocoa/NetworkProcessCocoa.mm

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2018 Apple Inc. All rights reserved.
+ * Copyright (C) 2014-2025 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -60,6 +60,8 @@
 #import "WKProcessExtension.h"
 #endif
 
+#import <pal/spi/cocoa/NetworkSPI.h>
+
 namespace WebKit {
 
 static void initializeNetworkSettings()
@@ -118,6 +120,18 @@ static void initializeNetworkSettings()
 #endif
     m_enableModernDownloadProgress = parameters.enableModernDownloadProgress;
 
+#if PLATFORM(IOS_SIMULATOR)
+    // See TestController::cocoaPlatformInitialize for supporting a local DNS resolver on Mac.
+    if (parameters.localhostAliasesForTesting.contains("web-platform.test"_s)) {
+        nw_resolver_config_t resolverConfig = nw_resolver_config_create();
+        nw_resolver_config_set_protocol(resolverConfig, nw_resolver_protocol_dns53);
+        nw_resolver_config_set_class(resolverConfig, nw_resolver_class_designated_direct);
+        nw_resolver_config_add_name_server(resolverConfig, "127.0.0.1:8053");
+        nw_resolver_config_add_match_domain(resolverConfig, "test");
+        nw_privacy_context_require_encrypted_name_resolution(NW_DEFAULT_PRIVACY_CONTEXT, true, resolverConfig);
+    }
+#endif
+
     increaseFileDescriptorLimit();
 }
 

Tools/Scripts/webkitpy/__init__.py

@@ -1,5 +1,5 @@
 # Copyright (C) 2008-2020 Andrey Petrov and contributors.
-# Copyright (C) 2023 Apple Inc. All rights reserved.
+# Copyright (C) 2023-2025 Apple Inc. All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions are
@@ -78,6 +78,7 @@
 AutoInstall.register(Package('configparser', Version(4, 0, 2), implicit_deps=['pyparsing'], aliases=['backports.configparser']))
 AutoInstall.register(Package('contextlib2', Version(0, 6, 0)))
 AutoInstall.register(Package('coverage', Version(7, 6, 1), wheel=True))
+AutoInstall.register(Package('dnslib', Version(0, 9, 26)))
 AutoInstall.register(Package('funcsigs', Version(1, 0, 2)))
 AutoInstall.register(Package('html5lib', Version(1, 1)))
 AutoInstall.register(Package('iniconfig', Version(1, 1, 1)))

Tools/Scripts/webkitpy/layout_tests/run_webkit_tests.py

@@ -1,6 +1,6 @@
 # Copyright (C) 2010 Google Inc. All rights reserved.
 # Copyright (C) 2010 Gabor Rapcsanyi ([email protected]), University of Szeged
-# Copyright (C) 2011, 2016, 2019 Apple Inc. All rights reserved.
+# Copyright (C) 2011-2025 Apple Inc. All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions are
@@ -377,6 +377,7 @@ def parse_args(args):
     option_group_definitions.append(("Web Platform Test Server Options", [
         optparse.make_option("--disable-wpt-hostname-aliases", action="store_true", default=False, help="Disable running tests from WPT against the web-platform.test domain, if the port supports it."),
         optparse.make_option("--wptserver-doc-root", type="string", help=("Set web platform server document root, relative to LayoutTests directory")),
+        optparse.make_option("--local-dns-resolver", action="store_true", default=False, help="Run and use a local DNS resolver, if the port supports it.")
     ]))
 
     option_group_definitions.append(('Upload Options', upload_options()))

Tools/Scripts/webkitpy/layout_tests/servers/basic_dns_server.py

@@ -0,0 +1,57 @@
+# Copyright (C) 2023-2025 Apple Inc. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1.  Redistributions of source code must retain the above copyright
+#     notice, this list of conditions and the following disclaimer.
+# 2.  Redistributions in binary form must reproduce the above copyright
+#     notice, this list of conditions and the following disclaimer in the
+#     documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY APPLE INC. AND ITS CONTRIBUTORS "AS IS" AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+# DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR ITS CONTRIBUTORS BE LIABLE FOR
+# ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+from dnslib import CLASS, QTYPE, RR, RCODE
+from dnslib.server import BaseResolver, DNSServer
+import logging
+from threading import Thread
+
+_log = logging.getLogger(__name__)
+
+
+class Resolver(BaseResolver):
+    def __init__(self, allowed_hosts=[]):
+        super().__init__()
+        self.hosts = list(map(lambda x: x if x.endswith(".") else x + ".", allowed_hosts))
+        _log.debug("Initializing Resolver with hosts: {}".format(self.hosts))
+
+    def resolve(self, request, handler):
+        question = request.q
+        reply = request.reply()
+        _log.debug("Received request for {}".format(question.qname))
+        if question.qtype == QTYPE.A and (question.qname in self.hosts or question.qname.matchSuffix("localhost")):
+            reply.add_answer(*RR.fromZone("{} 3600 A 127.0.0.1".format(question.qname)))
+        else:
+            reply.header.rcode = getattr(RCODE, "NXDOMAIN")
+        return reply
+
+
+if __name__ == "__main__":
+    # This script is not intended to be run on its own, and should only be used for testing purposes.
+    server = DNSServer(Resolver(["site.example"]), port=8053, address="127.0.0.1")
+    server.start_thread()
+    try:
+        Thread.join()
+    except Exception:
+        pass
+    finally:
+        server.stop()

Tools/Scripts/webkitpy/layout_tests/servers/web_platform_test_server.py

@@ -1,4 +1,4 @@
-#  Copyright (c) 2014, Canon Inc. All rights reserved.
+#  Copyright (c) 2014 Canon Inc. All rights reserved.
 #  Redistribution and use in source and binary forms, with or without
 #  modification, are permitted provided that the following conditions
 #  are met:
@@ -27,6 +27,10 @@
 import time
 
 from webkitpy.layout_tests.servers import http_server_base
+try:
+    from webkitpy.layout_tests.servers.basic_dns_server import DNSServer, Resolver
+except ImportError:
+    print("Error importing DNSServer, Resolver")
 
 _log = logging.getLogger(__name__)
 
@@ -127,6 +131,11 @@ def __init__(self, port_obj, name, pidfile=None):
         self._output_log_path = None
         self._wsout = None
         self._process = None
+        self._dns_server = None
+        if port_obj.supports_localhost_aliases and port_obj.get_option('local_dns_resolver') and not port_obj.get_option('disable_wpt_hostname_aliases'):
+            self._dns_server = DNSServer(Resolver(
+                allowed_hosts=port_obj.localhost_aliases()), port=8053, address="127.0.0.1")
+
         self._pid_file = pidfile
         if not self._pid_file:
             self._pid_file = self._filesystem.join(self._runtime_path, '%s.pid' % self._name)
@@ -178,6 +187,9 @@ def _spawn_process(self):
         self._process = self._executive.popen(self._start_cmd, cwd=self._doc_root_path, shell=False, stdin=self._executive.PIPE, stdout=self._wsout, stderr=self._wsout)
         self._filesystem.write_text_file(self._pid_file, str(self._process.pid))
 
+        if self._dns_server:
+            self._dns_server.start_thread()
+
         # Wait a second for the server to actually start so that tests do not start until server is running.
         time.sleep(1)
 
@@ -202,6 +214,9 @@ def _stop_running_server(self):
             self._wsout.close()
             self._wsout = None
 
+        if self._dns_server and hasattr(self._dns_server, "thread") and self._dns_server.isAlive():
+            self._dns_server.stop()
+
         if self._process is not None:
             self._process.poll()
 

Tools/Scripts/webkitpy/port/apple.py

@@ -83,6 +83,7 @@ def __init__(self, host, port_name, **kwargs):
 
         port_name = port_name.replace('-wk2', '')
         self._version = self._strip_port_name_prefix(port_name)
+        self.supports_localhost_aliases = False
 
     def setup_test_run(self, device_type=None):
         self._crash_logs_to_skip_for_host[self.host] = self.host.filesystem.files_under(self.path_to_crash_logs())

Tools/Scripts/webkitpy/port/driver.py

@@ -1,5 +1,5 @@
 # Copyright (C) 2011 Google Inc. All rights reserved.
-# Copyright (c) 2015-2019 Apple Inc. All rights reserved.
+# Copyright (c) 2015-2025 Apple Inc. All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions are
@@ -582,6 +582,8 @@ def cmd_line(self, pixel_tests, per_test_args):
             cmd.append('--show-window')
         if self._port.get_option('accessibility_isolated_tree'):
             cmd.append('--accessibility-isolated-tree')
+        if self._port.get_option('local_dns_resolver'):
+            cmd.append('--local-dns-resolver')
 
         for allowed_host in self._port.allowed_hosts():
             cmd.append('--allowed-host')

Tools/Scripts/webkitpy/port/test.py

@@ -30,7 +30,8 @@
 
 from webkitcorepy import string_utils
 
-from webkitpy.port import Port, Driver, DriverOutput
+from webkitpy.port.base import Port
+from webkitpy.port.driver import Driver, DriverOutput
 from webkitpy.layout_tests.models.test_configuration import TestConfiguration
 from webkitpy.common.system.crashlogs import CrashLogs
 from webkitpy.common.version_name_map import PUBLIC_TABLE, VersionNameMap

Tools/WebKitTestRunner/Configurations/WebKitTestRunner-internal.entitlements

@@ -8,6 +8,12 @@
 	</array>
 	<key>com.apple.private.webkit.adattributiond.testing</key>
 	<true/>
+	<key>com.apple.private.nehelper.privileged</key>
+	<true/>
+	<key>com.apple.private.neagent</key>
+	<true/>
+	<key>com.apple.networkd.persistent_interface</key>
+	<true/>
 	<key>com.apple.security.temporary-exception.sbpl</key>
 	<array>
 		<string>(allow mach-issue-extension (require-all (extension-class &quot;com.apple.webkit.extension.mach&quot;)))</string>