From 608c7b605fb844a20e96a3eddc9b49ad2542adab Mon Sep 17 00:00:00 2001
From: Googler <plf@google.com>
Date: Tue, 16 Mar 2021 06:44:51 -0700
Subject: [PATCH] C++: Make permissions check optional in cc_shared_library

The cc_shared_library_permissions mechanism was introduced to add control over
which cc_shared_libraries can export a given cc_library. If the repo is big
enough, the owner of a cc_library might want to prevent someone else in a
different package making their library part of the ABI of a public shared
library because that makes it harder to change the cc_library. This does not
apply accross repositories because a dependant repository can overwrite
anything from a repository dependency anyway.

However, it is becoming more apparent than even though this mechanism should
exist, it should not be enabled by default since most people don't need it. To
enable it pass the flag --//examples:enable_permissions_check=True.

RELNOTES:none
PiperOrigin-RevId: 363171677
Change-Id: I8afb3294806bb3053ee1279c6e9c5355089bccbb
---
 .bazelci/presubmit.yml                      |  2 ++
 examples/BUILD                              |  6 ++++++
 examples/experimental_cc_shared_library.bzl | 13 +++++++++++--
 3 files changed, 19 insertions(+), 2 deletions(-)

diff --git a/.bazelci/presubmit.yml b/.bazelci/presubmit.yml
index c0dcbbd..680f7c2 100644
--- a/.bazelci/presubmit.yml
+++ b/.bazelci/presubmit.yml
@@ -55,10 +55,12 @@ tasks:
     build_flags:
     - "--experimental_cc_shared_library"
     - "--//examples:incompatible_link_once=True"
+    - "--//examples:enable_permissions_check=True"
     test_flags:
     - "--test_timeout=120"
     - "--experimental_cc_shared_library"
     - "--//examples:incompatible_link_once=True"
+    - "--//examples:enable_permissions_check=True"
     test_targets:
     - "//examples/test_cc_shared_library/..."
     - "//examples/test_cc_shared_library/diamond_inheritance/..."
diff --git a/examples/BUILD b/examples/BUILD
index c770074..c7da75d 100644
--- a/examples/BUILD
+++ b/examples/BUILD
@@ -24,6 +24,12 @@ bool_flag(
     visibility = ["//visibility:public"],
 )
 
+bool_flag(
+    name = "enable_permissions_check",
+    build_setting_default = False,
+    visibility = ["//visibility:public"],
+)
+
 bool_flag(
     name = "experimental_debug",
     build_setting_default = False,
diff --git a/examples/experimental_cc_shared_library.bzl b/examples/experimental_cc_shared_library.bzl
index 4ebc6db..905bd27 100644
--- a/examples/experimental_cc_shared_library.bzl
+++ b/examples/experimental_cc_shared_library.bzl
@@ -162,6 +162,9 @@ def _check_if_target_under_path(value, pattern):
     return pattern.package == value.package and pattern.name == value.name
 
 def _check_if_target_can_be_exported(target, current_label, permissions):
+    if permissions == None:
+        return True
+
     if (target.workspace_name != current_label.workspace_name or
         _same_package_or_above(current_label, target)):
         return True
@@ -271,7 +274,7 @@ def _filter_inputs(
                     linker_input.owner,
                     ctx.label,
                     ctx.attr.exports_filter,
-                    ctx.attr.permissions,
+                    _get_permissions(ctx),
                 ):
                     exports[owner] = True
                     can_be_linked_statically = True
@@ -301,6 +304,11 @@ def _same_package_or_above(label_a, label_b):
 
     return True
 
+def _get_permissions(ctx):
+    if ctx.attr._enable_permissions_check[BuildSettingInfo].value:
+        return ctx.attr.permissions
+    return None
+
 def _cc_shared_library_impl(ctx):
     cc_common.check_experimental_cc_shared_library()
     cc_toolchain = find_cc_toolchain(ctx)
@@ -318,7 +326,7 @@ def _cc_shared_library_impl(ctx):
             fail("Trying to export a library already exported by a different shared library: " +
                  str(export.label))
 
-        _check_if_target_should_be_exported_without_filter(export.label, ctx.label, ctx.attr.permissions)
+        _check_if_target_should_be_exported_without_filter(export.label, ctx.label, _get_permissions(ctx))
 
     preloaded_deps_direct_labels = {}
     preloaded_dep_merged_cc_info = None
@@ -457,6 +465,7 @@ cc_shared_library = rule(
         "static_deps": attr.string_list(),
         "user_link_flags": attr.string_list(),
         "_cc_toolchain": attr.label(default = "@bazel_tools//tools/cpp:current_cc_toolchain"),
+        "_enable_permissions_check": attr.label(default = "//examples:enable_permissions_check"),
         "_experimental_debug": attr.label(default = "//examples:experimental_debug"),
         "_incompatible_link_once": attr.label(default = "//examples:incompatible_link_once"),
     },