From efdfbd9bc31c8f23b3ac4cf7b698757d53f5c0b5 Mon Sep 17 00:00:00 2001
From: Matthew Oliver
Date: Wed, 24 Aug 2022 07:10:50 -0700
Subject: [PATCH] * Move Admin check logic to a PowerShell script.
PiperOrigin-RevId: 469718125
---
 cli/config/config_windows.go | 17 +++--------------
 cli/config/config_windows_test.go | 11 +++++++----
 cli/config/defaults.go | 7 ++++++-
 cli/scripts/check-admin.ps1 | 15 +++++++++++++++
 4 files changed, 31 insertions(+), 19 deletions(-)
 create mode 100644 cli/scripts/check-admin.ps1
diff --git a/cli/config/config_windows.go b/cli/config/config_windows.go
index 5a2b11f..010a4ba 100644
--- a/cli/config/config_windows.go
+++ b/cli/config/config_windows.go
@@ -19,15 +19,15 @@ package config
 import (
 "fmt"
- "os/exec"
 "regexp"
 "github.com/google/glazier/go/registry"
+ "github.com/google/winops/powershell"
 )
 var (
 // Dependency injection for testing.
- powershellCmd = powershell
+ powershellCmd = powershell.Command
 // IsElevatedCmd injects the command to determine the elevation state of the
 // user context.
@@ -43,8 +43,7 @@ var (
 // isAdmin determines if the current user is running the binary with elevated
 // permissions on Windows.
 func isAdmin() (bool, error) {
- psBlock := `(([System.Security.Principal.WindowsIdentity]::GetCurrent()).groups -match 'S-1-5-32-544')`
- out, err := powershellCmd(psBlock)
+ out, err := powershellCmd(fmt.Sprintf("powershell.exe -File '%s'", adminScriptPath), nil, &powershell.PSConfig{ErrAction: powershell.Stop})
 if err != nil {
 return false, fmt.Errorf("%w: %v", errElevation, err)
 }
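Review bot: The added `powershellCmd(...)` call in `isAdmin` places `adminScriptPath` between single quotes with `%s`, so a path containing `'` ends the quoted string and the remainder is parsed as PowerShell. That path is built from an environment variable (see defaults.go), so it should be escaped, for example with `strings.ReplaceAll(adminScriptPath, "'", "''")`, or passed as a separate argument if the winops package offers a script-file helper. The nested `powershell.exe -File` also omits the `-NoProfile` flag that the removed helper passed, so the user's profile scripts run inside the elevation check and can alter its output; `"powershell.exe -NoProfile -File '%s'"` would restore that. `-File` is subject to the machine's execution policy, which the old inline `-Command` block was not, so a restrictive policy presumably now surfaces as an `errElevation` failure; worth confirming on a default client install. The body of isAdmin continues outside the hunk.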
@@ -65,13 +64,3 @@ func HasWritePermissions() error {
 }
 return nil
 }
-
-// Powershell represents the OS command used to run a powershell cmdlet on
-// Windows.
-func powershell(psBlock string) ([]byte, error) {
- out, err := exec.Command("powershell.exe", "-NoProfile", "-Command", psBlock).CombinedOutput()
- if err != nil {
- return []byte{}, fmt.Errorf(`exec.Command("powershell.exe", "-NoProfile", "-Command", %s) command returned: %q: %v`, psBlock, out, err)
- }
- return out, nil
-}
diff --git a/cli/config/config_windows_test.go b/cli/config/config_windows_test.go
index 054d927..5c776a7 100644
--- a/cli/config/config_windows_test.go
+++ b/cli/config/config_windows_test.go
@@ -12,6 +12,7 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
+//go:build windows
 // +build windows
 package config
@@ -19,6 +20,8 @@ package config
 import (
 "errors"
 "testing"
+
+ "github.com/google/winops/powershell"
 )
 func TestIsAdmin(t *testing.T) {
@@ -31,25 +34,25 @@ func TestIsAdmin(t *testing.T) {
 tests := []struct {
 desc string
- fakePSCmd func(string) ([]byte, error)
+ fakePSCmd func(string, []string, *powershell.PSConfig) ([]byte, error)
 want bool
 err error
 }{
 {
 desc: "powershell error",
- fakePSCmd: func(string) ([]byte, error) { return nil, errElevation },
+ fakePSCmd: func(string, []string, *powershell.PSConfig) ([]byte, error) { return nil, errElevation },
 want: false,
 err: errElevation,
 },
 {
 desc: "is not admin",
- fakePSCmd: func(string) ([]byte, error) { return outNotAdmin, nil },
+ fakePSCmd: func(string, []string, *powershell.PSConfig) ([]byte, error) { return outNotAdmin, nil },
 want: false,
 err: nil,
 },
 {
 desc: "is admin",
- fakePSCmd: func(string) ([]byte, error) { return outIsAdmin, nil },
+ fakePSCmd: func(string, []string, *powershell.PSConfig) ([]byte, error) { return outIsAdmin, nil },
 want: true,
 err: nil,
 },
diff --git a/cli/config/defaults.go b/cli/config/defaults.go
index ea2d945..24a4f6b 100644
--- a/cli/config/defaults.go
+++ b/cli/config/defaults.go
@@ -14,7 +14,11 @@
 package config
-import "fmt"
+import (
+ "fmt"
+ "os"
+ "path/filepath"
+)
 // distributions configures the options for different operating system
 // installers.
@@ -69,4 +73,5 @@ var (
 // ErrUSBwriteAccess contains the Error message visible to users when USB write access if forbidden.
 ErrUSBwriteAccess = fmt.Errorf("contact IT helpdesk for help")
+ adminScriptPath = filepath.Join(os.Getenv("programfiles"), `\fresnel\scripts\check-admin.ps1`)
 )
diff --git a/cli/scripts/check-admin.ps1 b/cli/scripts/check-admin.ps1
new file mode 100644
index 0000000..e714364
--- /dev/null
+++ b/cli/scripts/check-admin.ps1
@@ -0,0 +1,15 @@
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+(([System.Security.Principal.WindowsIdentity]::GetCurrent()).groups -match 'S-1-5-32-544')
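Review bot: In the second defaults.go hunk, `adminScriptPath` takes its root from `os.Getenv("programfiles")`, which the invoking user controls, so whoever sets that variable chooses the script that `isAdmin` runs and therefore the answer the elevation check gives. If the variable is unset, `filepath.Join` returns `\fresnel\scripts\check-admin.ps1`, a path relative to the current drive's root, rather than an error. Consider resolving the directory from a source the caller's environment cannot change, such as the directory of `os.Executable()` or the Windows known-folder API, and failing closed when it cannot be resolved. The variable also sits directly under the `ErrUSBwriteAccess` comment with no doc comment of its own; `// adminScriptPath is the installed location of check-admin.ps1, which isAdmin runs.` would separate the two. The `var (` block starts outside the hunk.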
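Review bot: The only statement in check-admin.ps1 has no comment, and its contract with the Go caller is implicit: `-match` on the `groups` collection yields the matching SID entries rather than a boolean, so `isAdmin` appears to depend on the formatted text this prints. A short header such as `# Prints the BUILTIN\Administrators SID (S-1-5-32-544) when it is in the current token's groups; the fresnel CLI parses this output.` would record that. Because the elevation check's result now depends on this file's contents, the install step should presumably place it where only administrators can write, and that requirement is worth stating next to the script.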