Warn before the user runs a new commandline elevated

.github/actions/spelling/allow/allow.txt

@@ -1,3 +1,4 @@
+admins
 apc
 calt
 ccmp

.github/actions/spelling/allow/apis.txt

@@ -1,5 +1,7 @@
 ACCEPTFILES
 ACCESSDENIED
+acl
+aclapi
 alignas
 alignof
 APPLYTOSUBMENUS
@@ -19,6 +21,7 @@ comparand
 cstdint
 CXICON
 CYICON
+Dacl
 dataobject
 dcomp
 DERR
@@ -114,9 +117,12 @@ OSVERSIONINFOEXW
 otms
 OUTLINETEXTMETRICW
 overridable
+PACL
 PAGESCROLL
+PEXPLICIT
 PICKFOLDERS
 pmr
+ptstr
 rcx
 REGCLS
 RETURNCMD

src/cascadia/LocalTests_SettingsModel/pch.h

@@ -61,6 +61,9 @@ Author(s):
 // Manually include til after we include Windows.Foundation to give it winrt superpowers
 #include "til.h"
 
+#include <til/mutex.h>
+#include <til/throttled_func.h>
+
 // Common includes for most tests:
 #include "../../inc/argb.h"
 #include "../../inc/conattrs.hpp"

src/cascadia/TerminalApp/AdminWarningPlaceholder.cpp

@@ -0,0 +1,74 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
+
+#pragma once
+
+#include "pch.h"
+#include "AdminWarningPlaceholder.h"
+#include "AdminWarningPlaceholder.g.cpp"
+#include <LibraryResources.h>
+using namespace winrt::Windows::UI::Xaml;
+
+namespace winrt::TerminalApp::implementation
+{
+    AdminWarningPlaceholder::AdminWarningPlaceholder(const winrt::Microsoft::Terminal::Control::TermControl& control, const winrt::hstring& cmdline) :
+        _control{ control },
+        _Commandline{ cmdline }
+    {
+        InitializeComponent();
+        // If the content we're hosting is a TermControl, then use the control's
+        // BG as our BG, to give the impression that it's there, under the
+        // dialog.
+        if (const auto termControl{ control.try_as<winrt::Microsoft::Terminal::Control::TermControl>() })
+        {
+            RootGrid().Background(termControl.BackgroundBrush());
+        }
+    }
+    void AdminWarningPlaceholder::_primaryButtonClick(winrt::Windows::Foundation::IInspectable const& /*sender*/,
+                                                      RoutedEventArgs const& e)
+    {
+        _PrimaryButtonClickedHandlers(*this, e);
+    }
+    void AdminWarningPlaceholder::_cancelButtonClick(winrt::Windows::Foundation::IInspectable const& /*sender*/,
+                                                     RoutedEventArgs const& e)
+    {
+        _CancelButtonClickedHandlers(*this, e);
+    }
+    winrt::Windows::UI::Xaml::Controls::UserControl AdminWarningPlaceholder::Control()
+    {
+        return _control;
+    }
+
+    // Method Description:
+    // - Move the focus to the cancel button by default. This has the LOAD
+    //   BEARING side effect of also triggering Narrator to read out the
+    //   contents of the dialog. It's unclear why doing this works, but it does.
+    // - Using a LayoutUpdated event to trigger the focus change when we're
+    //   added to the UI tree did not seem to work.
+    // - Whoever is adding us to the UI tree is responsible for calling this!
+    // Arguments:
+    // - <none>
+    // Return Value:
+    // - <none>
+    void AdminWarningPlaceholder::FocusOnLaunch()
+    {
+        CancelButton().Focus(FocusState::Programmatic);
+    }
+
+    winrt::hstring AdminWarningPlaceholder::ControlName()
+    {
+        return RS_(L"AdminWarningPlaceholderName");
+    }
+
+    void AdminWarningPlaceholder::_keyUpHandler(IInspectable const& /*sender*/,
+                                                Windows::UI::Xaml::Input::KeyRoutedEventArgs const& e)
+    {
+        // If the user presses escape, close the dialog (without confirming)
+        const auto key = e.OriginalKey();
+        if (key == winrt::Windows::System::VirtualKey::Escape)
+        {
+            _CancelButtonClickedHandlers(*this, e);
+            e.Handled(true);
+        }
+    }
+}

src/cascadia/TerminalApp/AdminWarningPlaceholder.h

@@ -0,0 +1,51 @@
+/*++
+Copyright (c) Microsoft Corporation
+Licensed under the MIT license.
+
+Module Name:
+- AdminWarningPlaceholder
+
+Abstract:
+- The AdminWarningPlaceholder is a control used to fill space in a pane and
+  present a warning to the user. It holds on to a real control that it should be
+  replaced with. It looks just like a ContentDialog, except it exists per-pane,
+  whereas a ContentDialog can only be added to take up the whole window.
+- The caller should make sure to bind our PrimaryButtonClicked and
+  CancelButtonClicked events, to be informed as to which was pressed.
+
+Author(s):
+- Mike Griese - September 2021
+
+--*/
+
+#pragma once
+
+#include "AdminWarningPlaceholder.g.h"
+#include "../../cascadia/inc/cppwinrt_utils.h"
+
+namespace winrt::TerminalApp::implementation
+{
+    struct AdminWarningPlaceholder : AdminWarningPlaceholderT<AdminWarningPlaceholder>
+    {
+        AdminWarningPlaceholder(const winrt::Microsoft::Terminal::Control::TermControl& control, const winrt::hstring& cmdline);
+        void FocusOnLaunch();
+        winrt::Windows::UI::Xaml::Controls::UserControl Control();
+        winrt::hstring ControlName();
+        WINRT_CALLBACK(PropertyChanged, Windows::UI::Xaml::Data::PropertyChangedEventHandler);
+        WINRT_OBSERVABLE_PROPERTY(winrt::hstring, Commandline, _PropertyChangedHandlers);
+        TYPED_EVENT(PrimaryButtonClicked, TerminalApp::AdminWarningPlaceholder, winrt::Windows::UI::Xaml::RoutedEventArgs);
+        TYPED_EVENT(CancelButtonClicked, TerminalApp::AdminWarningPlaceholder, winrt::Windows::UI::Xaml::RoutedEventArgs);
+
+    private:
+        friend struct AdminWarningPlaceholderT<AdminWarningPlaceholder>; // friend our parent so it can bind private event handlers
+
+        winrt::Microsoft::Terminal::Control::TermControl _control{ nullptr };
+
+        void _primaryButtonClick(winrt::Windows::Foundation::IInspectable const& sender,
+                                 winrt::Windows::UI::Xaml::RoutedEventArgs const& e);
+        void _cancelButtonClick(winrt::Windows::Foundation::IInspectable const& sender,
+                                winrt::Windows::UI::Xaml::RoutedEventArgs const& e);
+        void _keyUpHandler(Windows::Foundation::IInspectable const& sender,
+                           Windows::UI::Xaml::Input::KeyRoutedEventArgs const& e);
+    };
+}

src/cascadia/TerminalApp/AdminWarningPlaceholder.idl

@@ -0,0 +1,12 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
+
+namespace TerminalApp
+{
+    [default_interface] runtimeclass AdminWarningPlaceholder : Windows.UI.Xaml.Controls.UserControl,
+                                                               Windows.UI.Xaml.Data.INotifyPropertyChanged
+    {
+        String Commandline { get; };
+        String ControlName { get; };
+    }
+}

src/cascadia/TerminalApp/AdminWarningPlaceholder.xaml

@@ -0,0 +1,93 @@
+<!--
+    Copyright (c) Microsoft Corporation. All rights reserved. Licensed under
+    the MIT License. See LICENSE in the project root for license information.
+-->
+<UserControl x:Class="TerminalApp.AdminWarningPlaceholder"
+             xmlns="http://schemas.microsoft.com/winfx/2006/xaml/presentation"
+             xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml"
+             xmlns:d="http://schemas.microsoft.com/expression/blend/2008"
+             xmlns:local="using:TerminalApp"
+             xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006"
+             xmlns:mux="using:Microsoft.UI.Xaml.Controls"
+             AutomationProperties.AccessibilityView="Content"
+             AutomationProperties.IsDialog="True"
+             AutomationProperties.Name="{x:Bind ControlName, Mode=OneWay}"
+             PreviewKeyUp="_keyUpHandler"
+             mc:Ignorable="d">
+
+    <!--
+        We have to use two grids to be tricky here:
+        - The outer grid will get its background from the control it hosts, and
+        expands to fit its container. This will make it look like the background
+        fills the space available.
+        - The inner grid is set to Center,Center, so that the "dialog" appears
+        centered
+    -->
+
+    <Grid x:Name="RootGrid"
+          HorizontalAlignment="Stretch"
+          VerticalAlignment="Stretch">
+        <Grid HorizontalAlignment="Center"
+              VerticalAlignment="Center">
+            <Border Margin="8,8,8,8"
+                    Padding="16,8,16,8"
+                    AllowFocusOnInteraction="True"
+                    AutomationProperties.AccessibilityView="Raw"
+                    AutomationProperties.IsDialog="True"
+                    Background="{ThemeResource SystemControlBackgroundAltHighBrush}"
+                    BorderBrush="{ThemeResource SystemAccentColor}"
+                    BorderThickness="2,2,2,2"
+                    CornerRadius="{ThemeResource OverlayCornerRadius}">
+                <StackPanel Orientation="Vertical">
+                    <TextBlock x:Name="ApproveCommandlineWarningTitle"
+                               x:Uid="ApproveCommandlineWarningTitle"
+                               Padding="0,0,0,16"
+                               HorizontalAlignment="Left"
+                               FontSize="20"
+                               FontWeight="Normal"
+                               TextWrapping="WrapWholeWords" />
+
+                    <TextBlock x:Name="PrefixTextBlock"
+                               x:Uid="ApproveCommandlineWarningPrefixTextBlock"
+                               HorizontalAlignment="Left"
+                               TextWrapping="WrapWholeWords" />
+
+                    <TextBlock x:Name="CommandlineText"
+                               Margin="0,16,0,16"
+                               HorizontalAlignment="Left"
+                               FontFamily="Cascadia Mono"
+                               Text="{x:Bind Commandline, Mode=OneWay}"
+                               TextWrapping="WrapWholeWords" />
+
+                    <TextBlock x:Name="SuffixTextBlock"
+                               x:Uid="ApproveCommandlineWarningSuffixTextBlock"
+                               HorizontalAlignment="Left"
+                               TextWrapping="WrapWholeWords" />
+                    <Grid Margin="0,8,0,8"
+                          HorizontalAlignment="Stretch"
+                          XYFocusKeyboardNavigation="Enabled">
+                        <Grid.ColumnDefinitions>
+                            <ColumnDefinition Width="*" />
+                            <ColumnDefinition Width="*" />
+                        </Grid.ColumnDefinitions>
+                        <Button x:Name="PrimaryButton"
+                                x:Uid="ApproveCommandlineWarning_PrimaryButton"
+                                Grid.Column="0"
+                                Margin="0,0,8,0"
+                                HorizontalAlignment="Stretch"
+                                Click="_primaryButtonClick"
+                                IsTabStop="True"
+                                Style="{StaticResource AccentButtonStyle}" />
+                        <Button x:Name="CancelButton"
+                                x:Uid="ApproveCommandlineWarning_CancelButton"
+                                Grid.Column="1"
+                                HorizontalAlignment="Stretch"
+                                Click="_cancelButtonClick"
+                                IsTabStop="True" />
+                    </Grid>
+                </StackPanel>
+            </Border>
+        </Grid>
+    </Grid>
+
+</UserControl>

src/cascadia/TerminalApp/AppLogic.cpp

@@ -12,6 +12,8 @@
 #include <WtExeUtils.h>
 #include <wil/token_helpers.h >
 
+#include "../../types/inc/utils.hpp"
+
 using namespace winrt::Windows::ApplicationModel;
 using namespace winrt::Windows::ApplicationModel::DataTransfer;
 using namespace winrt::Windows::UI::Xaml;
@@ -139,28 +141,8 @@ static Documents::Run _BuildErrorRun(const winrt::hstring& text, const ResourceD
 // Return Value:
 // - true if the user is an administrator
 static bool _isUserAdmin() noexcept
-try
 {
-    wil::unique_handle processToken{ GetCurrentProcessToken() };
-    const auto elevationType = wil::get_token_information<TOKEN_ELEVATION_TYPE>(processToken.get());
-    const auto elevationState = wil::get_token_information<TOKEN_ELEVATION>(processToken.get());
-    if (elevationType == TokenElevationTypeDefault && elevationState.TokenIsElevated)
-    {
-        // In this case, the user has UAC entirely disabled. This is sort of
-        // weird, we treat this like the user isn't an admin at all. There's no
-        // separation of powers, so the things we normally want to gate on
-        // "having special powers" doesn't apply.
-        //
-        // See GH#7754, GH#11096
-        return false;
-    }
-
-    return wil::test_token_membership(nullptr, SECURITY_NT_AUTHORITY, SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_ADMINS);
-}
-catch (...)
-{
-    LOG_CAUGHT_EXCEPTION();
-    return false;
+    return Microsoft::Console::Utils::IsElevated();
 }
 
 namespace winrt::TerminalApp::implementation
@@ -907,8 +889,6 @@ namespace winrt::TerminalApp::implementation
     void AppLogic::_RegisterSettingsChange()
     {
         const std::filesystem::path settingsPath{ std::wstring_view{ CascadiaSettings::SettingsPath() } };
-        const std::filesystem::path statePath{ std::wstring_view{ ApplicationState::SharedInstance().FilePath() } };
-
         _reader.create(
             settingsPath.parent_path().c_str(),
             false,
@@ -917,14 +897,20 @@ namespace winrt::TerminalApp::implementation
             // editors, who will write a temp file, then rename it to be the
             // actual file you wrote. So listen for that too.
             wil::FolderChangeEvents::FileName | wil::FolderChangeEvents::LastWriteTime,
-            [this, settingsBasename = settingsPath.filename(), stateBasename = statePath.filename()](wil::FolderChangeEvent, PCWSTR fileModified) {
-                const auto modifiedBasename = std::filesystem::path{ fileModified }.filename();
+            [this, settingsBasename = settingsPath.filename()](wil::FolderChangeEvent, PCWSTR fileModified) {
+                // DO NOT create a static reference to
+                // ApplicationState::SharedInstance here. See
+                // https://github.com/microsoft/terminal/pull/11222/files/9ff2775122a496fb8b1bcc7a0b83a64ce5b26c5f#r719627541
+                // for why. ApplicationState::SharedInstance already caches it's
+                // own static ref.
+
+                const winrt::hstring modifiedBasename{ std::filesystem::path{ fileModified }.filename().c_str() };
 
                 if (modifiedBasename == settingsBasename)
                 {
                     _reloadSettings->Run();
                 }
-                else if (modifiedBasename == stateBasename)
+                else if (ApplicationState::SharedInstance().IsStatePath(modifiedBasename))
                 {
                     _reloadState();
                 }