allow incoming network connections

[paulz]

Describe the bug
When running UI tests for our Mac app we start the service that triggers firewall permissions alert.

Area for Triage:
Apple, Servers
Question, Bug, or Feature?:
Bug

Virtual environments affected

• macOS 10.15
• Ubuntu 16.04 LTS
• Ubuntu 18.04 LTS
• Windows Server 2016 R2
• Windows Server 2019

Expected behavior
Firewall rules to allow incoming connections or options to allow some.

Actual behavior
A description with steps to reproduce the issue. If your have a public example or repo to share,
please provide the link.

1. start a server from action
2. see firewall alert

[miketimofeev]

@paulz could you please provide steps to reproduce the issue? It'll ease the debug process

[paulz]

Thank you for looking into the issue, Mike.
Could you access our project here: https://github.com/sparta-science/scan-app/runs/729912285?

[miketimofeev]

@paulz unfortunately not

[miketimofeev]

@paulz by the way, does your app signed?
https://support.apple.com/en-us/HT201642

[miketimofeev]

And as a workaround, could you try to add this line as the first step of your workflow?
sudo defaults write /Library/Preferences/com.apple.alf globalstate -int 0

[paulz]

the app is signed using development certificate but we need ability to download and run Elixir components, which are not signed.

Here is what we tried:
/usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate off
which works on a local machine, but did not help on virtual-environments macOS.

will try you suggestion again later.

We are looking for way to either have configuration option or action that can control firewall settings.

[paulz]

Here are the steps to reproduce the issue:

We start python server that comes with the image as part of our UI tests:
https://github.com/sparta-science/connect/runs/736373878?check_suite_focus=true

by running:
python -m SimpleHTTPServer
see in our action:
https://github.com/sparta-science/connect/actions/runs/124159981/workflow#L23

and we get firewall popup, see the screenshot below:

[paulz]

And as a workaround, could you try to add this line as the first step of your workflow?
sudo defaults write /Library/Preferences/com.apple.alf globalstate -int 0

We tried that workaround, still seeing the firewall prompt, so it did not work for us, see this run:

https://github.com/sparta-science/connect/suites/752598440/artifacts/7743970
Github Action says it's successful, but the test is actually failing and screenshot is the same.

If you want to download artifacts, expand zip and rename folder with extension .xcresult
So you can open it in Xcode and See the screenshots and steps.

[al-cheb]

@paulz, Hi. Could you please run socketfilterfw with sudo?

1. setglobalstate with sudo
   sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate off

2. add application to the list

brew install coreutils
app=$(realpath $(which python))
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --add $app
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --unblockapp $app 
python -m SimpleHTTPServer

or
app=$(python -c "import os; print(os.path.realpath('$(which python)'))")

[paulz]

Thank you, we tried that:
https://github.com/sparta-science/connect/runs/739669606?check_suite_focus=true

22s
23
Incoming connection to the application is permitted 
1
Run sudo defaults write /Library/Preferences/com.apple.alf globalstate -int 0
11
Firewall already disabled
12
==> Downloading https://homebrew.bintray.com/bottles/coreutils-8.32.catalina.bottle.tar.gz
13
==> Downloading from https://akamai.bintray.com/67/67a4452d75a1882bd7fb977b384204edfa2758276d66290e595487922368e093?__gda__=exp=1591296496~hmac=38dc0ae6503bc9b463b487ed9c5208ad3da3c2e8809ca47df269aedc581f0504&response-content-disposition=attachment%3Bfilename%3D%22coreutils-8.32.catalina.bottle.tar.gz%22&response-content-type=application%2Fgzip&requestInfo=U2FsdGVkX19XYQsk8Uiwukag-wRfIX_x_9doVauYhYSN2Z01eo68JKSBqanBRXqEdsf-ZBLD_XhAb4hC3XcPSYc5OlW9-a4IR3ug1vSeU8YEnWCCU99N5xsIu2psbcGe2TPW_OUiihEain5Dp1rpsw&response-X-Checksum-Sha1=a3e01de37be8190b04bc7f39398272fb9ee30f2f&response-X-Checksum-Sha2=67a4452d75a1882bd7fb977b384204edfa2758276d66290e595487922368e093
14
==> Pouring coreutils-8.32.catalina.bottle.tar.gz
15
==> Caveats
16
Commands also provided by macOS have been installed with the prefix "g".
17
If you need to use these commands with their normal names, you
18
can add a "gnubin" directory to your PATH from your bashrc like:
19
  PATH="/usr/local/opt/coreutils/libexec/gnubin:$PATH"
20
==> Summary
21
🍺  /usr/local/Cellar/coreutils/8.32: 476 files, 9.2MB
22
Application at path ( /usr/local/Cellar/python@2/2.7.17_1/Frameworks/Python.framework/Versions/2.7/bin/python2.7 ) added to firewall 
23
Incoming connection to the application is permitted 

Still seeing the popup:

which mentions Python.app. Could this be different python then /System/Library/Frameworks/Python.framework/Versions/2.7/bin/python2.7?

[al-cheb]

@paulz, Check please with strict path:

sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate off
app="/usr/local/Cellar/python@2/2.7.17_1/Frameworks/Python.framework/Versions/2.7/Resources/Python.app"
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --add $app
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --unblockapp $app

[paulz]

Thank you, @al-cheb it helped, no more firewall popups.

Test still fails:
https://github.com/sparta-science/connect/runs/736373878?check_suite_focus=true

Because now we have another popup blocking UITests:

The name of your computer is already in use on this network. Guess it's another issue.

Thank you!

[al-cheb]

@paulz, Thank you.
Could you please test a firewall popup window with the settings?

sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate off
sudo /usr/libexec/ApplicationFirewall/socketfilterfw -k

How to close notification window?

# Close Finder
launchctl unload /System/Library/LaunchAgents/com.apple.Finder.plist
# Close Notification window
killall UserNotificationCenter

The name of your computer is already in use on this network.

We are planning to roll-out a new image version with fix the window in one or two weeks.

[paulz]

Yes, that looks like worked, thank you @al-cheb

We have first successful test: https://github.com/sparta-science/connect/runs/736373878?check_suite_focus=true

I had to change
killall UserNotificationCenter
to
killall UserNotificationCenter || true
as it sometimes fails with process not found

Looking forward for the new macOS image!

[miketimofeev]

we've deployed the image with Apple Script support and we implemented an image build step that closes all Finder windows at the end of the build so no more windows at the beginning of the workflow, except that one about the same computer name
#978
I'm going to close the issue, but feel free to contact us if you have any concerns.