Add tests for configure mixed elevation (#4487)

.github/actions/spelling/expect.txt

@@ -363,7 +363,7 @@ pseudocode
 PSHOST
 psobject
 ptstr
-publickey
+publickey
 PVD
 pvk
 pvm
@@ -413,8 +413,8 @@ servercert
 servercertificate
 setmetadatabymanifestid
 SETTINGCHANGE
-SETTINGMAPPING
-sfs
+SETTINGMAPPING
+sfs
 sfsclient
 SHCONTF
 SHGDN
@@ -436,7 +436,7 @@ Srinivasan
 srs
 startswith
 STARTUPINFOW
-STDMETHODCALLTYPE
+STDMETHODCALLTYPE
 storeapps
 storeorigin
 STRRET

azure-pipelines.yml

@@ -345,6 +345,7 @@ jobs:
       testSelector: 'testAssemblies'
       testAssemblyVer2: '**\Microsoft.Management.Configuration.UnitTests.dll'
       searchFolder: '$(buildOutDir)\Microsoft.Management.Configuration.UnitTests'
+      testFiltercriteria: 'Category=InProc'
       codeCoverageEnabled: false
       platform: '$(buildPlatform)'
       configuration: '$(BuildConfiguration)'

src/AppInstallerCLICore/ConfigurationDynamicRuntimeFactory.cpp

@@ -14,6 +14,28 @@ namespace AppInstaller::CLI::ConfigurationRemoting
 {
     namespace anonymous
     {
+#ifndef AICLI_DISABLE_TEST_HOOKS
+        constexpr std::wstring_view EnableTestModeTestGuid = L"1e62d683-2999-44e7-81f7-6f8f35e8d731";
+        constexpr std::wstring_view ForceHighIntegrityLevelUnitsTestGuid = L"f698d20f-3584-4f28-bc75-28037e08e651";
+        constexpr std::wstring_view EnableRestrictedIntegrityLevelTestGuid = L"5cae3226-185f-4289-815c-3c089d238dc6";
+
+        // Checks the configuration set metadata for a specific test guid that controls the behavior flow.
+        bool GetConfigurationSetMetadataOverride(const ConfigurationSet& configurationSet, const std::wstring_view& testGuid)
+        {
+            auto metadataOverride = configurationSet.Metadata().TryLookup(testGuid);
+            if (metadataOverride)
+            {
+                auto metadataOverrideProperty = metadataOverride.try_as<IPropertyValue>();
+                if (metadataOverrideProperty && metadataOverrideProperty.Type() == PropertyType::Boolean)
+                {
+                    return metadataOverrideProperty.GetBoolean();
+                }
+            }
+
+            return false;
+        }
+#endif
+
         struct DynamicProcessorInfo
         {
             IConfigurationSetProcessorFactory Factory;
@@ -26,7 +48,16 @@ namespace AppInstaller::CLI::ConfigurationRemoting
 
             DynamicSetProcessor(IConfigurationSetProcessorFactory defaultRemoteFactory, IConfigurationSetProcessor defaultRemoteSetProcessor, const ConfigurationSet& configurationSet) : m_configurationSet(configurationSet)
             {
+#ifndef AICLI_DISABLE_TEST_HOOKS
+                m_enableTestMode = GetConfigurationSetMetadataOverride(m_configurationSet, EnableTestModeTestGuid);
+                m_enableRestrictedIntegrityLevel = GetConfigurationSetMetadataOverride(m_configurationSet, EnableRestrictedIntegrityLevelTestGuid);
+                m_forceHighIntegrityLevelUnits = GetConfigurationSetMetadataOverride(m_configurationSet, ForceHighIntegrityLevelUnitsTestGuid);
+
+                m_currentIntegrityLevel = m_enableTestMode ? Security::IntegrityLevel::Medium : Security::GetEffectiveIntegrityLevel();
+#else
                 m_currentIntegrityLevel = Security::GetEffectiveIntegrityLevel();
+#endif
+
                 m_setProcessors.emplace(m_currentIntegrityLevel, DynamicProcessorInfo{ defaultRemoteFactory, defaultRemoteSetProcessor });
             }
 
@@ -56,7 +87,11 @@ namespace AppInstaller::CLI::ConfigurationRemoting
                     });
 
                 // Create set and unit processor for current unit.
+#ifndef AICLI_DISABLE_TEST_HOOKS
+                Security::IntegrityLevel requiredIntegrityLevel = m_forceHighIntegrityLevelUnits ? Security::IntegrityLevel::High : GetIntegrityLevelForUnit(unit);
+#else
                 Security::IntegrityLevel requiredIntegrityLevel = GetIntegrityLevelForUnit(unit);
+#endif
 
                 auto itr = m_setProcessors.find(requiredIntegrityLevel);
                 if (itr == m_setProcessors.end())
@@ -79,11 +114,20 @@ namespace AppInstaller::CLI::ConfigurationRemoting
                 }
                 else if (securityContextLower == L"restricted")
                 {
-                    // Not supporting elevated callers downgrading at the moment.
-                    THROW_WIN32(ERROR_NOT_SUPPORTED);
+#ifndef AICLI_DISABLE_TEST_HOOKS
+                    if (m_enableRestrictedIntegrityLevel)
+                    {
+                        return Security::IntegrityLevel::Medium;
+                    }
+                    else
+#endif
+                    {
+                        // Not supporting elevated callers downgrading at the moment.
+                        THROW_WIN32(ERROR_NOT_SUPPORTED);
 
-                    // Technically this means the default level of the user token, so if UAC is disabled it would be the only integrity level (aka current).
-                    //return Security::IntegrityLevel::Medium;
+                        // Technically this means the default level of the user token, so if UAC is disabled it would be the only integrity level (aka current).
+                        // return Security::IntegrityLevel::Medium;
+                    }
                 }
                 else if (securityContextLower == L"current")
                 {
@@ -172,7 +216,12 @@ namespace AppInstaller::CLI::ConfigurationRemoting
                 // If we got here, the only option is that the current integrity level is not High.
                 if (integrityLevel == Security::IntegrityLevel::High)
                 {
-                    factory = CreateOutOfProcessFactory(true, SerializeSetProperties(), SerializeHighIntegrityLevelSet());
+                    bool useRunAs = true;
+#ifndef AICLI_DISABLE_TEST_HOOKS
+                    useRunAs = !m_enableTestMode;
+#endif
+
+                    factory = CreateOutOfProcessFactory(useRunAs, SerializeSetProperties(), SerializeHighIntegrityLevelSet());
                 }
                 else
                 {
@@ -186,6 +235,12 @@ namespace AppInstaller::CLI::ConfigurationRemoting
             ProcessorMap m_setProcessors;
             ConfigurationSet m_configurationSet;
             std::once_flag m_createUnitSetProcessorsOnce;
+
+#ifndef AICLI_DISABLE_TEST_HOOKS
+            bool m_enableTestMode = false;
+            bool m_enableRestrictedIntegrityLevel = false;
+            bool m_forceHighIntegrityLevelUnits = false;
+#endif
         };
 
         // This is implemented completely in the packaged context for now, if we want to make it more configurable, we will probably want to move it to configuration and

src/AppInstallerCLICore/Workflows/ConfigurationFlow.cpp

@@ -100,8 +100,7 @@ namespace AppInstaller::CLI::Workflow
             IConfigurationSetProcessorFactory factory;
 
             // Since downgrading is not currently supported, only use dynamic if not running as admin.
-            if (Settings::ExperimentalFeature::IsEnabled(Settings::ExperimentalFeature::Feature::ConfigureSelfElevation) &&
-                !Runtime::IsRunningAsAdmin())
+            if (Settings::ExperimentalFeature::IsEnabled(Settings::ExperimentalFeature::Feature::ConfigureSelfElevation) && !Runtime::IsRunningAsAdmin())
             {
                 factory = ConfigurationRemoting::CreateDynamicRuntimeFactory();
                 // TODO: Implement SetProcessorFactory::IPwshConfigurationSetProcessorFactoryProperties on dynamic factory

src/AppInstallerCLIE2ETests/TestData/Configuration/Modules/xE2ETestResource/xE2ETestResource.psd1

@@ -1,4 +1,4 @@
-#
+#
 # Module manifest for module 'xE2ETestResource'
 #
 
@@ -22,6 +22,7 @@ DscResourcesToExport = @(
     'E2ETestResourceError'
     'E2ETestResourceTypes'
     'E2ETestResourceCrash'
+    'E2ETestResourcePID'
 )
 HelpInfoURI = 'https://www.contoso.com/help'
 

src/AppInstallerCLIE2ETests/TestData/Configuration/Modules/xE2ETestResource/xE2ETestResource.psm1

@@ -1,4 +1,4 @@
-# E2E module with resources.
+# E2E module with resources.
 
 enum Ensure
 {
@@ -288,3 +288,39 @@ class E2ETestResourceCrash
         [System.Environment]::Exit(0)
     }
 }
+
+# This resource writes the current PID to the provided file path. 
+[DscResource()]
+class E2ETestResourcePID
+{
+    [DscProperty(Key)]
+    [string] $key
+
+    [DscProperty(Mandatory)]
+    [string] $directoryPath
+
+    [E2ETestResourcePID] Get()
+    {
+        $result = @{
+            key = "E2ETestResourcePID"
+            directoryPath = $this.directoryPath
+        }
+
+        return $result
+    }
+
+    [bool] Test()
+    {
+        return $false
+    }
+
+    [void] Set()
+    {
+        if (Test-Path -Path $this.directoryPath)
+        {
+            $processId = [System.Diagnostics.Process]::GetCurrentProcess().Id
+            $filePath = Join-Path -Path $this.directoryPath -ChildPath "$processId.txt"
+            New-Item -Path $filePath -ItemType File -Force  
+        }
+    }
+}

src/Microsoft.Management.Configuration.Processor/Public/PowerShellConfigurationSetProcessorFactory.cs

@@ -8,9 +8,7 @@ namespace Microsoft.Management.Configuration.Processor
 {
     using System;
     using System.Collections.Generic;
-    using System.ComponentModel;
     using System.IO;
-    using System.Linq;
     using System.Management.Automation;
     using System.Runtime.CompilerServices;
     using System.Text;

src/Microsoft.Management.Configuration.UnitTests/Helpers/Constants.cs

@@ -1,4 +1,4 @@
-// -----------------------------------------------------------------------------
+// -----------------------------------------------------------------------------
 // <copyright file="Constants.cs" company="Microsoft Corporation">
 //     Copyright (c) Microsoft Corporation. Licensed under the MIT License.
 // </copyright>
@@ -20,5 +20,25 @@ public class Constants
         /// The namespace where xUnit traits will be defined.
         /// </summary>
         public const string NamespaceNameForTraits = "Microsoft.Management.Configuration.UnitTests.Helpers";
+
+        /// <summary>
+        /// The dynamic runtime factory handler identifier.
+        /// </summary>
+        public const string DynamicRuntimeHandlerIdentifier = "{73fea39f-6f4a-41c9-ba94-6fd14d633e40}";
+
+        /// <summary>
+        /// Test guid for enabling test mode for the dynamic runtime factory. Forces factory to exclude 'runas' verb and sets current IL to medium.
+        /// </summary>
+        public const string EnableDynamicFactoryTestMode = "1e62d683-2999-44e7-81f7-6f8f35e8d731";
+
+        /// <summary>
+        /// Test guid for allowing the restricted integrity level to be supported.
+        /// </summary>
+        public const string EnableRestrictedIntegrityLevelTestGuid = "5cae3226-185f-4289-815c-3c089d238dc6";
+
+        /// <summary>
+        /// Test guid for forcing units to have a high integrity level during the final routing of unit processor creation.
+        /// </summary>
+        public const string ForceHighIntegrityLevelUnitsTestGuid = "f698d20f-3584-4f28-bc75-28037e08e651";
     }
 }

src/Microsoft.Management.Configuration.UnitTests/Helpers/Errors.cs

@@ -47,6 +47,9 @@ internal static class Errors
         public static readonly int WINGET_CONFIG_ERROR_UNIT_IMPORT_MODULE_ADMIN             = unchecked((int)0x8A15C111);
         public static readonly int WINGET_CONFIG_ERROR_NOT_SUPPORTED_BY_PROCESSOR           = unchecked((int)0x8A15C112);
 
+        // Limitation Set Errors
+        public static readonly int CORE_INVALID_OPERATION = unchecked((int)0x80131509);
+
 #pragma warning restore SA1025 // Code should not contain multiple whitespace in a row
 #pragma warning restore SA1600 // Elements should be documented
 #pragma warning restore SA1310 // Field names should not contain underscore

src/Microsoft.Management.Configuration.UnitTests/Helpers/InProcAttribute.cs

@@ -0,0 +1,26 @@
+// -----------------------------------------------------------------------------
+// <copyright file="InProcAttribute.cs" company="Microsoft Corporation">
+//     Copyright (c) Microsoft Corporation. Licensed under the MIT License.
+// </copyright>
+// -----------------------------------------------------------------------------
+
+namespace Microsoft.Management.Configuration.UnitTests.Helpers
+{
+    using System;
+    using Xunit.Sdk;
+
+    /// <summary>
+    /// Trait used to mark a test as only for the in proc scenario.
+    /// </summary>
+    [TraitDiscoverer(InProcDiscoverer.TypeName, Constants.AssemblyNameForTraits)]
+    [AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = false)]
+    public class InProcAttribute : Attribute, ITraitAttribute
+    {
+        /// <summary>
+        /// Initializes a new instance of the <see cref="InProcAttribute"/> class.
+        /// </summary>
+        public InProcAttribute()
+        {
+        }
+    }
+}

src/Microsoft.Management.Configuration.UnitTests/Helpers/InProcDiscoverer.cs

@@ -0,0 +1,40 @@
+// -----------------------------------------------------------------------------
+// <copyright file="InProcDiscoverer.cs" company="Microsoft Corporation">
+//     Copyright (c) Microsoft Corporation. Licensed under the MIT License.
+// </copyright>
+// -----------------------------------------------------------------------------
+
+namespace Microsoft.Management.Configuration.UnitTests.Helpers
+{
+    using System.Collections.Generic;
+    using Xunit.Abstractions;
+    using Xunit.Sdk;
+
+    /// <summary>
+    /// Enables integration with xUnit trait system.
+    /// </summary>
+    public class InProcDiscoverer : ITraitDiscoverer
+    {
+        /// <summary>
+        /// The type name for this discoverer.
+        /// </summary>
+        public const string TypeName = Constants.NamespaceNameForTraits + ".InProcDiscoverer";
+
+        /// <summary>
+        /// Initializes a new instance of the <see cref="InProcDiscoverer"/> class.
+        /// </summary>
+        public InProcDiscoverer()
+        {
+        }
+
+        /// <summary>
+        /// Gets the trait information for the InProcAttribute.
+        /// </summary>
+        /// <param name="traitAttribute">The trait information.</param>
+        /// <returns>Trait name/value pairs.</returns>
+        public IEnumerable<KeyValuePair<string, string>> GetTraits(IAttributeInfo traitAttribute)
+        {
+            yield return new KeyValuePair<string, string>("Category", "InProc");
+        }
+    }
+}

src/Microsoft.Management.Configuration.UnitTests/Tests/ConfigurationDetailsTests.cs

@@ -1,4 +1,4 @@
-// -----------------------------------------------------------------------------
+// -----------------------------------------------------------------------------
 // <copyright file="ConfigurationDetailsTests.cs" company="Microsoft Corporation">
 //     Copyright (c) Microsoft Corporation. Licensed under the MIT License.
 // </copyright>
@@ -14,6 +14,7 @@ namespace Microsoft.Management.Configuration.UnitTests.Tests
     using Microsoft.Management.Configuration.Processor.Helpers;
     using Microsoft.Management.Configuration.Processor.Unit;
     using Microsoft.Management.Configuration.UnitTests.Fixtures;
+    using Microsoft.Management.Configuration.UnitTests.Helpers;
     using Windows.Security.Cryptography.Certificates;
     using Xunit;
     using Xunit.Abstractions;
@@ -22,6 +23,7 @@ namespace Microsoft.Management.Configuration.UnitTests.Tests
     /// Tests for ConfigurationUnitProcessorDetails and ConfigurationUnitSettingDetails.
     /// </summary>
     [Collection("UnitTestCollection")]
+    [InProc]
     public class ConfigurationDetailsTests
     {
         private readonly UnitTestFixture fixture;