feat: extract admin rights check and do it also for windows (#1861)

alvarocabanas · web-flow · commit 17ca87b89734 · 2025-11-17T15:59:45.000+01:00
diff --git a/.github/workflows/push_pr_checks_tests.yml b/.github/workflows/push_pr_checks_tests.yml
@@ -455,16 +455,21 @@ jobs:
         if: '!cancelled()'
         run: cargo test --workspace --exclude 'newrelic_agent_control' --all-targets
 
-      - name: Run tests agent control lib excluding root-required tests (on-host)
+      - name: Run tests agent control lib
         if: '!cancelled()'
         shell: bash
         run: make -C agent-control test/onhost
 
-      - name: Run integration tests
+      - name: Run integration tests excluding non root-required tests only available for unix (on-host)
         if: '!cancelled()'
         shell: bash
         run: make -C agent-control test/onhost/integration
 
+      - name: Run onHost root-required integration-tests only (windows runner has elevated permissions)
+        if: '!cancelled()'
+        shell: bash
+        run: make -C agent-control test/onhost/root/integration
+
       - name: Run documentation tests
         if: '!cancelled()'
         run: cargo test --locked --doc
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -44,6 +44,7 @@ reqwest = { version = "0.12.24", default-features = false, features = [
 ] }
 rstest = "0.26.1"
 windows = "0.62.2"
+windows-sys = "0.61.2"
 
 [profile.release]
 # remove debug symbols from the release binary
diff --git a/agent-control/Cargo.toml b/agent-control/Cargo.toml
@@ -81,6 +81,9 @@ windows = { workspace = true, features = [
   "Win32_System_Threading",
 ] }
 
+[target.'cfg(target_os = "windows")'.dependencies]
+windows-sys = { workspace = true }
+
 [dev-dependencies]
 assert_cmd = { workspace = true }
 predicates = { workspace = true }
diff --git a/agent-control/src/bin/main_onhost.rs b/agent-control/src/bin/main_onhost.rs
@@ -12,6 +12,7 @@ use newrelic_agent_control::event::ApplicationEvent;
 use newrelic_agent_control::event::channel::{EventPublisher, pub_sub};
 use newrelic_agent_control::http::tls::install_rustls_default_crypto_provider;
 use newrelic_agent_control::instrumentation::tracing::TracingGuardBox;
+use newrelic_agent_control::utils::is_elevated::is_elevated;
 use std::error::Error;
 use std::process::ExitCode;
 use tracing::{error, info, trace};
@@ -36,9 +37,9 @@ fn _main(
     agent_control_run_config: AgentControlRunConfig,
     _tracer: Vec<TracingGuardBox>, // Needs to take ownership of the tracer as it can be shutdown on drop
 ) -> Result<(), Box<dyn Error>> {
-    #[cfg(all(target_family = "unix", not(feature = "disable-asroot")))]
-    if !nix::unistd::Uid::effective().is_root() {
-        return Err("Program must run as root".into());
+    #[cfg(not(feature = "disable-asroot"))]
+    if !is_elevated()? {
+        return Err("Program must run with elevated permissions".into());
     }
 
     #[cfg(not(feature = "multiple-instances"))]
diff --git a/agent-control/src/utils.rs b/agent-control/src/utils.rs
@@ -1,4 +1,5 @@
 pub mod binary_metadata;
+pub mod is_elevated;
 pub mod retry;
 pub mod thread_context;
 pub mod threads;
diff --git a/agent-control/src/utils/is_elevated.rs b/agent-control/src/utils/is_elevated.rs
@@ -0,0 +1,59 @@
+#[cfg(target_family = "windows")]
+use windows_sys::Win32::Foundation::{CloseHandle, HANDLE};
+#[cfg(target_family = "windows")]
+use windows_sys::Win32::Security::{
+    GetTokenInformation, TOKEN_ELEVATION, TOKEN_QUERY, TokenElevation,
+};
+#[cfg(target_family = "windows")]
+use windows_sys::Win32::System::Threading::{GetCurrentProcess, OpenProcessToken};
+
+#[derive(Debug, thiserror::Error)]
+#[error("{0}")]
+pub struct IsElevatedError(String);
+
+pub fn is_elevated() -> Result<bool, IsElevatedError> {
+    #[cfg(target_family = "unix")]
+    return Ok(nix::unistd::Uid::effective().is_root());
+
+    #[cfg(target_family = "windows")]
+    is_elevated_windows()
+}
+
+#[cfg(target_family = "windows")]
+fn is_elevated_windows() -> Result<bool, IsElevatedError> {
+    unsafe {
+        let mut token_handle: HANDLE = std::ptr::null_mut();
+        let process = GetCurrentProcess();
+
+        // https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-openprocesstoken
+        // An access token contains the security information for a logon session and every process
+        // executed on behalf of the user has a copy of the token. Here we get that token.
+        if OpenProcessToken(process, TOKEN_QUERY, &mut token_handle) == 0 {
+            return Err(IsElevatedError("Failed to open process token.".to_string()));
+        }
+
+        let mut elevation = TOKEN_ELEVATION { TokenIsElevated: 0 };
+        let mut return_length = 0;
+
+        // https://learn.microsoft.com/en-us/windows/win32/api/securitybaseapi/nf-securitybaseapi-gettokeninformation
+        // GetTokenInformation requires a pointer to a buffer (elevation) the function fills with the requested information.
+        // The second parameter is the class (TokenElevation) we want to get information from the Token.
+        let result = GetTokenInformation(
+            token_handle,
+            TokenElevation,
+            &mut elevation as *mut _ as *mut _,
+            std::mem::size_of::<TOKEN_ELEVATION>() as u32,
+            &mut return_length,
+        );
+
+        CloseHandle(token_handle);
+
+        if result == 0 {
+            return Err(IsElevatedError(
+                "Failed to get token information to check user rights.".to_string(),
+            ));
+        }
+
+        Ok(elevation.TokenIsElevated != 0)
+    }
+}
diff --git a/agent-control/tests/on_host/cli.rs b/agent-control/tests/on_host/cli.rs
@@ -67,9 +67,9 @@ fn does_not_run_if_no_root() -> Result<(), Box<dyn std::error::Error>> {
     )?;
     let mut cmd = cargo_bin_cmd!("newrelic-agent-control");
     cmd.arg("--local-dir").arg(dir.path());
-    cmd.assert()
-        .failure()
-        .stdout(predicate::str::contains("Program must run as root"));
+    cmd.assert().failure().stdout(predicate::str::contains(
+        "Program must run with elevated permissions",
+    ));
     Ok(())
 }
 
diff --git a/agent-control/tests/on_host/logging/file_logging.rs b/agent-control/tests/on_host/logging/file_logging.rs
@@ -48,8 +48,10 @@ fn default_log_level_no_root() {
     // Expecting to fail as non_root
     // Asserting content is logged to stdout as well
     cmd.assert().failure().stdout(
-        predicate::str::is_match(TIME_FORMAT.to_owned() + "ERROR.*Program must run as root")
-            .unwrap(),
+        predicate::str::is_match(
+            TIME_FORMAT.to_owned() + "ERROR.*Program must run with elevated permissions",
+        )
+        .unwrap(),
     );
 
     // The behavior of the appender functionality is already unit tested as part of the sub-agent
diff --git a/agent-control/tests/on_host/logging/level.rs b/agent-control/tests/on_host/logging/level.rs
@@ -46,8 +46,10 @@ fn default_log_level_no_root() {
             .unwrap(),
         )
         .stdout(
-            predicate::str::is_match(TIME_FORMAT.to_owned() + "ERROR.*Program must run as root")
-                .unwrap(),
+            predicate::str::is_match(
+                TIME_FORMAT.to_owned() + "ERROR.*Program must run with elevated permissions",
+            )
+            .unwrap(),
         );
 }
 
@@ -122,8 +124,10 @@ fn debug_log_level_no_root() {
             .unwrap(),
         )
         .stdout(
-            predicate::str::is_match(TIME_FORMAT.to_owned() + "ERROR.*Program must run as root")
-                .unwrap(),
+            predicate::str::is_match(
+                TIME_FORMAT.to_owned() + "ERROR.*Program must run with elevated permissions",
+            )
+            .unwrap(),
         );
 }
 
diff --git a/agent-control/tests/on_host/opamp_auth.rs b/agent-control/tests/on_host/opamp_auth.rs
@@ -38,6 +38,8 @@ fn test_auth_local_provider_as_root() {
         then.status(200);
     });
 
+    // The key path is put in single quotes because windows considers paths with double quotes
+    // as Hexadecimals when parsing yaml, same applies for all occurrences in this tests
     let _config_path = create_temp_file(
         &dir.path()
             .join(FOLDER_NAME_LOCAL_DATA)
@@ -51,7 +53,7 @@ fleet_control:
     token_url: "{}"
     client_id: "fake"
     provider: "local"
-    private_key_path: "{}"
+    private_key_path: '{}'
   signature_validation:
     enabled: false
 log:
@@ -71,15 +73,31 @@ agents: {{}}
     let mut cmd = cmd_agent_control(dir.path(), remote_dir.path().into(), log_dir.path().into());
     // cmd_assert is not made for long running programs, so we kill it.
     // Enough time for the SA to start and send at least 1 AgentToServer OpAMP message.
-    cmd.timeout(Duration::from_secs(10));
-
+    cmd.timeout(Duration::from_secs(20));
+
+    // On Unix, this will return None if the process was terminated by a signal.
+    // Since Windows does not use signals in the same way as Unix-like systems,
+    // there isn't a direct equivalent to a "signal-interrupted"
+    // and we can't do this assertion since there is always an exit code.
+    // Explanation for the condition in previous test
+    #[cfg(target_family = "unix")]
     let output = cmd
         .assert()
         .try_interrupted()
         .expect("shouldn't have crashed")
         .get_output()
         .to_owned();
 
+    #[cfg(target_family = "windows")]
+    let output = cmd
+        .assert()
+        .try_interrupted()
+        .expect_err("should have failure because of interruption on windows")
+        .assert()
+        .failure()
+        .get_output()
+        .to_owned();
+
     println!("stdout:\n {}", String::from_utf8(output.stdout).unwrap(),);
 
     assert!(opamp_server_mock.calls() >= 1)
@@ -130,15 +148,27 @@ agents: {{}}
     let log_dir = TempDir::new().unwrap();
     let mut cmd = cmd_agent_control(dir.path(), remote_dir.path().into(), log_dir.path().into());
     // Enough time for the SA to start and send at least 1 AgentToServer OpAMP message.
-    cmd.timeout(Duration::from_secs(5));
+    cmd.timeout(Duration::from_secs(20));
 
+    // Explanation for the condition in previous test
+    #[cfg(target_family = "unix")]
     let output = cmd
         .assert()
         .try_interrupted()
         .expect("shouldn't have crashed")
         .get_output()
         .to_owned();
 
+    #[cfg(target_family = "windows")]
+    let output = cmd
+        .assert()
+        .try_interrupted()
+        .expect_err("should have failure because of interruption on windows")
+        .assert()
+        .failure()
+        .get_output()
+        .to_owned();
+
     println!("stdout:\n {}", String::from_utf8(output.stdout).unwrap(),);
 
     assert!(opamp_server_mock.calls() >= 1)
@@ -172,7 +202,7 @@ fleet_control:
     token_url: "{}"
     client_id: "fake"
     provider: "local"
-    private_key_path: "{}"
+    private_key_path: '{}'
   signature_validation:
     enabled: false
 log:

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,5 @@`
`1`	`1`	`pub mod binary_metadata;`
	`2`	`+pub mod is_elevated;`
`2`	`3`	`pub mod retry;`
`3`	`4`	`pub mod thread_context;`
`4`	`5`	`pub mod threads;`
Original file line number	Diff line number	Diff line change
`@@ -46,8 +46,10 @@ fn default_log_level_no_root() {`
`46`	`46`	`.unwrap(),`
`47`	`47`	`)`
`48`	`48`	`.stdout(`
`49`		`- predicate::str::is_match(TIME_FORMAT.to_owned() + "ERROR.*Program must run as root")`
`50`		`- .unwrap(),`
	`49`	`+ predicate::str::is_match(`
	`50`	`+ TIME_FORMAT.to_owned() + "ERROR.*Program must run with elevated permissions",`
	`51`	`+ )`
	`52`	`+ .unwrap(),`
`51`	`53`	`);`
`52`	`54`	`}`
`53`	`55`
`@@ -122,8 +124,10 @@ fn debug_log_level_no_root() {`
`122`	`124`	`.unwrap(),`
`123`	`125`	`)`
`124`	`126`	`.stdout(`
`125`		`- predicate::str::is_match(TIME_FORMAT.to_owned() + "ERROR.*Program must run as root")`
`126`		`- .unwrap(),`
	`127`	`+ predicate::str::is_match(`
	`128`	`+ TIME_FORMAT.to_owned() + "ERROR.*Program must run with elevated permissions",`
	`129`	`+ )`
	`130`	`+ .unwrap(),`
`127`	`131`	`);`
`128`	`132`	`}`
`129`	`133`