Move ScopedTokenPrivilege to chrome/installer/util

If the Chrome Cleaner requires a reboot of the machine to complete the cleanup operation, Chrome will need to offer a reboot to the user. In order to initiate a shutdown + restart, Chrome needs to acquire SeShutdownPrivilege. The ScopedTokenPrivilege from chrome/installer/setup/setup_util provides that functionality. This CL moves it to chrome/installer/util where it can be used by both Chrome and Setup. BUG=728136 Review-Url: https://codereview.chromium.org/2925383002 Cr-Commit-Position: refs/heads/master@{#478357}

Move ScopedTokenPrivilege to chrome/installer/util
If the Chrome Cleaner requires a reboot of the machine to complete the cleanup operation, Chrome will need to offer a reboot to the user. In order to initiate a shutdown + restart, Chrome needs to acquire SeShutdownPrivilege. The ScopedTokenPrivilege from chrome/installer/setup/setup_util provides that functionality. This CL moves it to chrome/installer/util where it can be used by both Chrome and Setup. BUG=728136 Review-Url: https://codereview.chromium.org/2925383002 Cr-Commit-Position: refs/heads/master@{#478357}
524fdc6e · alito · Commit Bot · 6d116f3f · 524fdc6e · 524fdc6e
Commit 524fdc6e authored Jun 09, 2017 by alito Committed by Commit Bot Jun 09, 2017
8 changed files
--- a/chrome/installer/setup/setup_util.cc
+++ b/chrome/installer/setup/setup_util.cc
@@ -848,45 +848,4 @@ base::Time GetConsoleSessionStartTime() {
  return base::Time::FromFileTime(filetime);
 }
-ScopedTokenPrivilege::ScopedTokenPrivilege(const wchar_t* privilege_name)
-    : is_enabled_(false) {
-  HANDLE temp_handle;
-  if (!::OpenProcessToken(::GetCurrentProcess(),
-                          TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,
-                          &temp_handle)) {
-    return;
-  }
-  token_.Set(temp_handle);
-  LUID privilege_luid;
-  if (!::LookupPrivilegeValue(NULL, privilege_name, &privilege_luid)) {
-    token_.Close();
-    return;
-  }
-  // Adjust the token's privileges to enable |privilege_name|. If this privilege
-  // was already enabled, |previous_privileges_|.PrivilegeCount will be set to 0
-  // and we then know not to disable this privilege upon destruction.
-  TOKEN_PRIVILEGES tp;
-  tp.PrivilegeCount = 1;
-  tp.Privileges[0].Luid = privilege_luid;
-  tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
-  DWORD return_length;
-  if (!::AdjustTokenPrivileges(token_.Get(), FALSE, &tp,
-                               sizeof(TOKEN_PRIVILEGES),
-                               &previous_privileges_, &return_length)) {
-    token_.Close();
-    return;
-  }
-  is_enabled_ = true;
-}
-ScopedTokenPrivilege::~ScopedTokenPrivilege() {
-  if (is_enabled_ && previous_privileges_.PrivilegeCount != 0) {
-    ::AdjustTokenPrivileges(token_.Get(), FALSE, &previous_privileges_,
-                            sizeof(TOKEN_PRIVILEGES), NULL, NULL);
-  }
-}
 }  // namespace installer
--- a/chrome/installer/setup/setup_util.h
+++ b/chrome/installer/setup/setup_util.h
@@ -9,16 +9,13 @@
 #ifndef CHROME_INSTALLER_SETUP_SETUP_UTIL_H_
 #define CHROME_INSTALLER_SETUP_SETUP_UTIL_H_
-#include <windows.h>
 #include <stdint.h>
 #include <memory>
 #include <vector>
-#include "base/macros.h"
 #include "base/strings/string16.h"
 #include "base/time/time.h"
-#include "base/win/scoped_handle.h"
 #include "chrome/installer/util/browser_distribution.h"
 #include "chrome/installer/util/lzma_util.h"
 #include "chrome/installer/util/util_constants.h"
@@ -154,35 +151,6 @@ void DoLegacyCleanups(const InstallerState& installer_state,
 // a null time in case of error.
 base::Time GetConsoleSessionStartTime();
-// This class will enable the privilege defined by |privilege_name| on the
-// current process' token. The privilege will be disabled upon the
-// ScopedTokenPrivilege's destruction (unless it was already enabled when the
-// ScopedTokenPrivilege object was constructed).
-// Some privileges might require admin rights to be enabled (check is_enabled()
-// to know whether |privilege_name| was successfully enabled).
-class ScopedTokenPrivilege {
- public:
-  explicit ScopedTokenPrivilege(const wchar_t* privilege_name);
-  ~ScopedTokenPrivilege();
-  // Always returns true unless the privilege could not be enabled.
-  bool is_enabled() const { return is_enabled_; }
- private:
-  // Always true unless the privilege could not be enabled.
-  bool is_enabled_;
-  // A scoped handle to the current process' token. This will be closed
-  // preemptively should enabling the privilege fail in the constructor.
-  base::win::ScopedHandle token_;
-  // The previous state of the privilege this object is responsible for. As set
-  // by AdjustTokenPrivileges() upon construction.
-  TOKEN_PRIVILEGES previous_privileges_;
-  DISALLOW_IMPLICIT_CONSTRUCTORS(ScopedTokenPrivilege);
-};
 }  // namespace installer
 #endif  // CHROME_INSTALLER_SETUP_SETUP_UTIL_H_
--- a/chrome/installer/setup/setup_util_unittest.cc
+++ b/chrome/installer/setup/setup_util_unittest.cc
@@ -38,59 +38,6 @@
 #include "chrome/installer/util/util_constants.h"
 #include "testing/gtest/include/gtest/gtest.h"
-namespace {
-// The privilege tested in ScopeTokenPrivilege tests below.
-// Use SE_RESTORE_NAME as it is one of the many privileges that is available,
-// but not enabled by default on processes running at high integrity.
-static const wchar_t kTestedPrivilege[] = SE_RESTORE_NAME;
-// Returns true if the current process' token has privilege |privilege_name|
-// enabled.
-bool CurrentProcessHasPrivilege(const wchar_t* privilege_name) {
-  HANDLE temp_handle;
-  if (!::OpenProcessToken(::GetCurrentProcess(), TOKEN_QUERY,
-                          &temp_handle)) {
-    ADD_FAILURE();
-    return false;
-  }
-  base::win::ScopedHandle token(temp_handle);
-  // First get the size of the buffer needed for |privileges| below.
-  DWORD size;
-  EXPECT_FALSE(::GetTokenInformation(token.Get(), TokenPrivileges, NULL, 0,
-                                     &size));
-  std::unique_ptr<BYTE[]> privileges_bytes(new BYTE[size]);
-  TOKEN_PRIVILEGES* privileges =
-      reinterpret_cast<TOKEN_PRIVILEGES*>(privileges_bytes.get());
-  if (!::GetTokenInformation(token.Get(), TokenPrivileges, privileges, size,
-                             &size)) {
-    ADD_FAILURE();
-    return false;
-  }
-  // There is no point getting a buffer to store more than |privilege_name|\0 as
-  // anything longer will obviously not be equal to |privilege_name|.
-  const DWORD desired_size = static_cast<DWORD>(wcslen(privilege_name));
-  const DWORD buffer_size = desired_size + 1;
-  std::unique_ptr<wchar_t[]> name_buffer(new wchar_t[buffer_size]);
-  for (int i = privileges->PrivilegeCount - 1; i >= 0 ; --i) {
-    LUID_AND_ATTRIBUTES& luid_and_att = privileges->Privileges[i];
-    DWORD size = buffer_size;
-    ::LookupPrivilegeName(NULL, &luid_and_att.Luid, name_buffer.get(), &size);
-    if (size == desired_size &&
-        wcscmp(name_buffer.get(), privilege_name) == 0) {
-      return luid_and_att.Attributes == SE_PRIVILEGE_ENABLED;
-    }
-  }
-  return false;
-}
-}  // namespace
 // Test that we are parsing Chrome version correctly.
 TEST(SetupUtilTest, GetMaxVersionFromArchiveDirTest) {
  // Create a version dir
@@ -144,52 +91,6 @@ TEST(SetupUtilTest, DeleteFileFromTempProcess) {
  EXPECT_FALSE(base::PathExists(test_file)) << test_file.value();
 }
-// Note: This test is only valid when run at high integrity (i.e. it will fail
-// at medium integrity).
-TEST(SetupUtilTest, ScopedTokenPrivilegeBasic) {
-  ASSERT_FALSE(CurrentProcessHasPrivilege(kTestedPrivilege));
-  if (!::IsUserAnAdmin()) {
-    LOG(WARNING) << "Skipping SetupUtilTest.ScopedTokenPrivilegeBasic due to "
-                    "not running as admin.";
-    return;
-  }
-  {
-    installer::ScopedTokenPrivilege test_scoped_privilege(kTestedPrivilege);
-    ASSERT_TRUE(test_scoped_privilege.is_enabled());
-    ASSERT_TRUE(CurrentProcessHasPrivilege(kTestedPrivilege));
-  }
-  ASSERT_FALSE(CurrentProcessHasPrivilege(kTestedPrivilege));
-}
-// Note: This test is only valid when run at high integrity (i.e. it will fail
-// at medium integrity).
-TEST(SetupUtilTest, ScopedTokenPrivilegeAlreadyEnabled) {
-  ASSERT_FALSE(CurrentProcessHasPrivilege(kTestedPrivilege));
-  if (!::IsUserAnAdmin()) {
-    LOG(WARNING) << "Skipping SetupUtilTest.ScopedTokenPrivilegeAlreadyEnabled "
-                    "due to not running as admin.";
-    return;
-  }
-  {
-    installer::ScopedTokenPrivilege test_scoped_privilege(kTestedPrivilege);
-    ASSERT_TRUE(test_scoped_privilege.is_enabled());
-    ASSERT_TRUE(CurrentProcessHasPrivilege(kTestedPrivilege));
-    {
-      installer::ScopedTokenPrivilege dup_scoped_privilege(kTestedPrivilege);
-      ASSERT_TRUE(dup_scoped_privilege.is_enabled());
-      ASSERT_TRUE(CurrentProcessHasPrivilege(kTestedPrivilege));
-    }
-    ASSERT_TRUE(CurrentProcessHasPrivilege(kTestedPrivilege));
-  }
-  ASSERT_FALSE(CurrentProcessHasPrivilege(kTestedPrivilege));
-}
 TEST(SetupUtilTest, GuidToSquid) {
  ASSERT_EQ(installer::GuidToSquid(L"EDA620E3-AA98-3846-B81E-3493CB2E0E02"),
            L"3E026ADE89AA64838BE14339BCE2E020");

--- a/chrome/installer/setup/user_hive_visitor.cc
+++ b/chrome/installer/setup/user_hive_visitor.cc
@@ -18,7 +18,7 @@
 #include "base/strings/string_piece.h"
 #include "base/strings/utf_string_conversions.h"
 #include "base/win/registry.h"
-#include "chrome/installer/setup/setup_util.h"
+#include "chrome/installer/util/scoped_token_privilege.h"
 #include "components/base32/base32.h"
 namespace installer {

--- a/chrome/installer/util/BUILD.gn
+++ b/chrome/installer/util/BUILD.gn
@@ -76,6 +76,8 @@ static_library("with_no_strings") {
      "product_operations.h",
      "registry_entry.cc",
      "registry_entry.h",
+      "scoped_token_privilege.cc",
+      "scoped_token_privilege.h",
      "scoped_user_protocol_entry.cc",
      "scoped_user_protocol_entry.h",
      "self_cleaning_temp_dir.cc",
@@ -310,6 +312,7 @@ if (is_win) {
      "registry_test_data.cc",
      "registry_test_data.h",
      "run_all_unittests.cc",
+      "scoped_token_privilege_unittest.cc",
      "scoped_user_protocol_entry_unittest.cc",
      "self_cleaning_temp_dir_unittest.cc",
      "set_reg_value_work_item_unittest.cc",

--- a/chrome/installer/util/scoped_token_privilege.cc
+++ b/chrome/installer/util/scoped_token_privilege.cc
+// Copyright 2017 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+#include "chrome/installer/util/scoped_token_privilege.h"
+namespace installer {
+ScopedTokenPrivilege::ScopedTokenPrivilege(const wchar_t* privilege_name)
+    : is_enabled_(false) {
+  HANDLE temp_handle;
+  if (!::OpenProcessToken(::GetCurrentProcess(),
+                          TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,
+                          &temp_handle)) {
+    return;
+  }
+  token_.Set(temp_handle);
+  LUID privilege_luid;
+  if (!::LookupPrivilegeValue(NULL, privilege_name, &privilege_luid)) {
+    token_.Close();
+    return;
+  }
+  // Adjust the token's privileges to enable |privilege_name|. If this privilege
+  // was already enabled, |previous_privileges_|.PrivilegeCount will be set to 0
+  // and we then know not to disable this privilege upon destruction.
+  TOKEN_PRIVILEGES tp;
+  tp.PrivilegeCount = 1;
+  tp.Privileges[0].Luid = privilege_luid;
+  tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
+  DWORD return_length;
+  if (!::AdjustTokenPrivileges(token_.Get(), FALSE, &tp,
+                               sizeof(TOKEN_PRIVILEGES), &previous_privileges_,
+                               &return_length)) {
+    token_.Close();
+    return;
+  }
+  is_enabled_ = true;
+}
+ScopedTokenPrivilege::~ScopedTokenPrivilege() {
+  if (is_enabled_ && previous_privileges_.PrivilegeCount != 0) {
+    ::AdjustTokenPrivileges(token_.Get(), FALSE, &previous_privileges_,
+                            sizeof(TOKEN_PRIVILEGES), NULL, NULL);
+  }
+}
+}  // namespace installer
--- a/chrome/installer/util/scoped_token_privilege.h
+++ b/chrome/installer/util/scoped_token_privilege.h
+// Copyright 2017 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+#ifndef CHROME_INSTALLER_UTIL_SCOPED_TOKEN_PRIVILEGE_H_
+#define CHROME_INSTALLER_UTIL_SCOPED_TOKEN_PRIVILEGE_H_
+#include <windows.h>
+#include "base/macros.h"
+#include "base/win/scoped_handle.h"
+namespace installer {
+// This class is available for Windows only and will enable the privilege
+// defined by |privilege_name| on the current process' token. The privilege will
+// be disabled upon the ScopedTokenPrivilege's destruction (unless it was
+// already enabled when the ScopedTokenPrivilege object was constructed).
+// Some privileges might require admin rights to be enabled (check is_enabled()
+// to know whether |privilege_name| was successfully enabled).
+class ScopedTokenPrivilege {
+ public:
+  explicit ScopedTokenPrivilege(const wchar_t* privilege_name);
+  ~ScopedTokenPrivilege();
+  // Always returns true unless the privilege could not be enabled.
+  bool is_enabled() const { return is_enabled_; }
+ private:
+  // Always true unless the privilege could not be enabled.
+  bool is_enabled_;
+  // A scoped handle to the current process' token. This will be closed
+  // preemptively should enabling the privilege fail in the constructor.
+  base::win::ScopedHandle token_;
+  // The previous state of the privilege this object is responsible for. As set
+  // by AdjustTokenPrivileges() upon construction.
+  TOKEN_PRIVILEGES previous_privileges_;
+  DISALLOW_IMPLICIT_CONSTRUCTORS(ScopedTokenPrivilege);
+};
+}  // namespace installer
+#endif  // CHROME_INSTALLER_UTIL_SCOPED_TOKEN_PRIVILEGE_H_
--- a/chrome/installer/util/scoped_token_privilege_unittest.cc
+++ b/chrome/installer/util/scoped_token_privilege_unittest.cc
+// Copyright 2017 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+#include "chrome/installer/util/scoped_token_privilege.h"
+#include <shlobj.h>
+#include <memory>
+#include "testing/gtest/include/gtest/gtest.h"
+namespace installer {
+namespace {
+// The privilege tested in ScopeTokenPrivilege tests below.
+// Use SE_RESTORE_NAME as it is one of the many privileges that is available,
+// but not enabled by default on processes running at high integrity.
+constexpr wchar_t kTestedPrivilege[] = SE_RESTORE_NAME;
+// Returns true if the current process' token has privilege |privilege_name|
+// enabled.
+bool CurrentProcessHasPrivilege(const wchar_t* privilege_name) {
+  HANDLE temp_handle;
+  if (!::OpenProcessToken(::GetCurrentProcess(), TOKEN_QUERY, &temp_handle)) {
+    ADD_FAILURE();
+    return false;
+  }
+  base::win::ScopedHandle token(temp_handle);
+  // First get the size of the buffer needed for |privileges| below.
+  DWORD size;
+  EXPECT_FALSE(
+      ::GetTokenInformation(token.Get(), TokenPrivileges, NULL, 0, &size));
+  std::unique_ptr<BYTE[]> privileges_bytes(new BYTE[size]);
+  TOKEN_PRIVILEGES* privileges =
+      reinterpret_cast<TOKEN_PRIVILEGES*>(privileges_bytes.get());
+  if (!::GetTokenInformation(token.Get(), TokenPrivileges, privileges, size,
+                             &size)) {
+    ADD_FAILURE();
+    return false;
+  }
+  // There is no point getting a buffer to store more than |privilege_name|\0 as
+  // anything longer will obviously not be equal to |privilege_name|.
+  const DWORD desired_size = static_cast<DWORD>(wcslen(privilege_name));
+  const DWORD buffer_size = desired_size + 1;
+  std::unique_ptr<wchar_t[]> name_buffer(new wchar_t[buffer_size]);
+  for (int i = privileges->PrivilegeCount - 1; i >= 0; --i) {
+    LUID_AND_ATTRIBUTES& luid_and_att = privileges->Privileges[i];
+    DWORD size = buffer_size;
+    ::LookupPrivilegeName(NULL, &luid_and_att.Luid, name_buffer.get(), &size);
+    if (size == desired_size &&
+        wcscmp(name_buffer.get(), privilege_name) == 0) {
+      return luid_and_att.Attributes == SE_PRIVILEGE_ENABLED;
+    }
+  }
+  return false;
+}
+}  // namespace
+// Note: This test is only valid when run at high integrity (i.e. it will fail
+// at medium integrity).
+TEST(ScopedTokenPrivilegeTest, Basic) {
+  ASSERT_FALSE(CurrentProcessHasPrivilege(kTestedPrivilege));
+  if (!::IsUserAnAdmin()) {
+    LOG(WARNING) << "Skipping SetupUtilTest.ScopedTokenPrivilegeBasic due to "
+                    "not running as admin.";
+    return;
+  }
+  {
+    ScopedTokenPrivilege test_scoped_privilege(kTestedPrivilege);
+    ASSERT_TRUE(test_scoped_privilege.is_enabled());
+    ASSERT_TRUE(CurrentProcessHasPrivilege(kTestedPrivilege));
+  }
+  ASSERT_FALSE(CurrentProcessHasPrivilege(kTestedPrivilege));
+}
+// Note: This test is only valid when run at high integrity (i.e. it will fail
+// at medium integrity).
+TEST(ScopedTokenPrivilegeTest, AlreadyEnabled) {
+  ASSERT_FALSE(CurrentProcessHasPrivilege(kTestedPrivilege));
+  if (!::IsUserAnAdmin()) {
+    LOG(WARNING) << "Skipping SetupUtilTest.ScopedTokenPrivilegeAlreadyEnabled "
+                    "due to not running as admin.";
+    return;
+  }
+  {
+    ScopedTokenPrivilege test_scoped_privilege(kTestedPrivilege);
+    ASSERT_TRUE(test_scoped_privilege.is_enabled());
+    ASSERT_TRUE(CurrentProcessHasPrivilege(kTestedPrivilege));
+    {
+      ScopedTokenPrivilege dup_scoped_privilege(kTestedPrivilege);
+      ASSERT_TRUE(dup_scoped_privilege.is_enabled());
+      ASSERT_TRUE(CurrentProcessHasPrivilege(kTestedPrivilege));
+    }
+    ASSERT_TRUE(CurrentProcessHasPrivilege(kTestedPrivilege));
+  }
+  ASSERT_FALSE(CurrentProcessHasPrivilege(kTestedPrivilege));
+}
+}  // namespace installer