Merge master

Author: allan2

Cargo.lock

@@ -30,7 +30,6 @@ lto = true
 strip = "symbols"
 
 [patch.crates-io]
-libsql = { git = "https://github.com/allan2/libsql", rev = "9364e90" }
 tracing-appender = { git = "https://github.com/CBenoit/tracing.git", rev = "42097daf92e683cf18da7639ddccb056721a796c" }
 
 [workspace.lints.rust]

Cargo.toml

@@ -12,6 +12,7 @@ use devolutions_pedm_shared::client::{self};
 use devolutions_pedm_shared::desktop;
 use parking_lot::{Mutex, RwLock};
 use tokio::sync::mpsc::{self, Receiver, Sender};
+use win_api_wrappers::fs::get_system32_path;
 use win_api_wrappers::process::{Module, Process};
 use win_api_wrappers::raw::core::{
     implement, interface, Error, IUnknown, IUnknown_Vtbl, Interface, Result, GUID, HRESULT, PWSTR,
@@ -218,6 +219,32 @@ fn find_main_explorer(session: u32) -> Option<u32> {
     })
 }
 
+fn resolve_msi(path: &Path) -> Option<LaunchPayload> {
+    if !matches!(path.extension().and_then(|e| e.to_str()), Some(ext) if ext.eq_ignore_ascii_case("msi")) {
+        return None;
+    }
+
+    let system32 = get_system32_path().ok()?;
+    let msiexec_path = Path::new(&system32).join("msiexec.exe");
+
+    let environment = environment_block(None, false).ok()?;
+
+    let exe_path = expand_environment_path(&msiexec_path, &environment).ok()?;
+
+    // By inspecting elevated .msi files launched from Explorer, we see that Explorer invokes %systemroot%\system32\msiexec,
+    // with the command line "%systemroot%\system32\msiexec" /i "{path-to-msi}".
+    // We achieve the same in the PEDM module by using the same command if the file extension is .msi.
+    // The .msi extension is already being trapped by the shell extension, but previously we would call
+    // CreateProcess on the .msi causing "file is not a valid Win32 executable".
+    Some(LaunchPayload {
+        executable_path: exe_path.as_os_str().to_str().map(str::to_owned),
+        command_line: Some(format!("\"{}\" /i \"{}\"", exe_path.display(), path.display())),
+        working_directory: None,
+        creation_flags: 0,
+        startup_info: None,
+    })
+}
+
 fn resolve_lnk(path: &Path) -> Option<LaunchPayload> {
     let link = Link::new(path);
 
@@ -253,13 +280,16 @@ fn start_listener() {
                     match command {
                         ChannelCommand::Exit => break,
                         ChannelCommand::Elevate(path) => {
-                            let mut payload = resolve_lnk(&path).unwrap_or_else(|| LaunchPayload {
-                                executable_path: path.as_os_str().to_str().map(str::to_owned),
-                                command_line: None,
-                                working_directory: None,
-                                creation_flags: 0,
-                                startup_info: None,
-                            });
+                            let mut payload =
+                                resolve_lnk(&path)
+                                    .or_else(|| resolve_msi(&path))
+                                    .unwrap_or_else(|| LaunchPayload {
+                                        executable_path: path.as_os_str().to_str().map(str::to_owned),
+                                        command_line: None,
+                                        working_directory: None,
+                                        creation_flags: 0,
+                                        startup_info: None,
+                                    });
 
                             payload.startup_info = Some(StartupInfoDto {
                                 parent_pid: find_main_explorer(

crates/devolutions-pedm-shell-ext/src/lib_win.rs

@@ -19,6 +19,8 @@ use win_api_wrappers::thread::{ThreadAttributeList, ThreadAttributeType};
 use win_api_wrappers::token::Token;
 use win_api_wrappers::utils::{environment_block, expand_environment_path, CommandLine, WideString};
 
+use crate::api::state::AppState;
+use crate::db::DbHandle;
 use crate::elevator;
 use crate::error::Error;
 use crate::policy::Policy;
@@ -87,7 +89,7 @@ fn win_canonicalize(path: &Path, token: Option<&Token>) -> Result<PathBuf, Error
 
 pub(crate) async fn post_launch(
     Extension(named_pipe_info): Extension<NamedPipeConnectInfo>,
-    NoApi(State(policy)): NoApi<State<Arc<RwLock<Policy>>>>,
+    NoApi(State(state)): NoApi<State<AppState>>,
     Json(mut payload): Json<LaunchPayload>,
 ) -> Result<Json<LaunchResponse>, Error> {
     payload.executable_path = payload
@@ -133,7 +135,8 @@ pub(crate) async fn post_launch(
     startup_info.attribute_list = Some(Some(attributes.raw()));
 
     let proc_info = elevator::try_start_elevated(
-        &policy,
+        &state.db_handle,
+        &state.policy,
         &named_pipe_info.token,
         parent_pid,
         payload.executable_path.as_deref(),

crates/devolutions-pedm/src/api/launch.rs

@@ -21,6 +21,7 @@ use tower_http::timeout::TimeoutLayer;
 use tower_service::Service;
 use tracing::{error, info};
 
+use devolutions_gateway_task::ShutdownSignal;
 use devolutions_pedm_shared::policy::User;
 use win_api_wrappers::handle::Handle;
 use win_api_wrappers::identity::sid::Sid;
@@ -34,7 +35,7 @@ use win_api_wrappers::utils::Pipe;
 
 use crate::account::{diff_accounts, list_accounts, ListAccountsError};
 use crate::config::Config;
-use crate::db::{Db, DbError, InitSchemaError};
+use crate::db::{Db, DbAsyncBridgeTask, DbError, InitSchemaError};
 use crate::error::{Error, ErrorResponse};
 use crate::utils::AccountExt;
 
@@ -173,10 +174,11 @@ async fn health_check() -> &'static str {
 }
 
 /// Initializes the appliation and starts the named pipe server.
-pub async fn serve(config: Config) -> Result<(), ServeError> {
+pub async fn serve(config: Config, shutdown_signal: ShutdownSignal) -> Result<(), ServeError> {
     let db = Db::new(&config).await?;
     db.setup().await?;
 
+<<<<<<< HEAD
     // Update the list of accounts in the database.
 
     // SAFETY: uses `NetUserEnum` and `LookupAccountNameW` from `windows`
@@ -188,6 +190,12 @@ pub async fn serve(config: Config) -> Result<(), ServeError> {
     db.update_accounts(&diff).await?;
 
     let state = AppState::new(db, &config.pipe_name).await?;
+=======
+    let (db_handle, db_async_bridge_task) = DbAsyncBridgeTask::new(db.clone());
+    let _db_async_bridge_task = devolutions_gateway_task::spawn_task(db_async_bridge_task, shutdown_signal);
+
+    let state = AppState::new(db, db_handle, &config.pipe_name).await?;
+>>>>>>> origin/master
 
     // a plain Axum router
     let hello_router = Router::new().route("/health", axum::routing::get(health_check));

crates/devolutions-pedm/src/api/mod.rs

@@ -8,7 +8,7 @@ use chrono::Utc;
 use hyper::StatusCode;
 use parking_lot::RwLock;
 
-use crate::db::{Database, Db, DbError};
+use crate::db::{Database, Db, DbError, DbHandle};
 use crate::model::StartupInfo;
 use crate::policy::{LoadPolicyError, Policy};
 
@@ -23,11 +23,12 @@ pub(crate) struct AppState {
     /// TODO: implement a check to ensure that there is only one PEDM instance running at any given time
     pub(crate) req_counter: Arc<AtomicI32>,
     pub(crate) db: Arc<dyn Database + Send + Sync>,
+    pub(crate) db_handle: DbHandle,
     pub(crate) policy: Arc<RwLock<Policy>>,
 }
 
 impl AppState {
-    pub(crate) async fn new(db: Db, pipe_name: &str) -> Result<Self, AppStateError> {
+    pub(crate) async fn new(db: Db, db_handle: DbHandle, pipe_name: &str) -> Result<Self, AppStateError> {
         let policy = Policy::load()?;
 
         let last_req_id = db.get_last_request_id().await?;
@@ -44,6 +45,7 @@ impl AppState {
             startup_info,
             req_counter: Arc::new(AtomicI32::new(last_req_id)),
             db: db.0,
+            db_handle,
             policy: Arc::new(RwLock::new(policy)),
         })
     }

crates/devolutions-pedm/src/api/state.rs

@@ -8,10 +8,16 @@ use std::ops::Deref;
 
 use async_trait::async_trait;
 use chrono::{DateTime, Utc};
+<<<<<<< HEAD
 use futures_util::{StreamExt, TryStreamExt};
 use libsql::params::IntoParams;
 use libsql::{params, Row, Value};
 use tracing::info;
+=======
+use devolutions_pedm_shared::policy::ElevationResult;
+use libsql::params::IntoParams;
+use libsql::{params, Row};
+>>>>>>> origin/master
 
 use crate::account::{AccountWithId, AccountsDiff, DomainId, Sid};
 
@@ -314,6 +320,11 @@ ORDER BY n.name";
         .await?;
         Ok(())
     }
+
+    async fn insert_jit_elevation_result(&self, result: &ElevationResult) -> Result<(), DbError> {
+        // TODO: execute the SQL query.
+        Ok(())
+    }
 }
 
 /// Converts a timestamp in microseconds to a `DateTime<Utc>`.

crates/devolutions-pedm/src/db/libsql.rs

@@ -8,7 +8,9 @@ use std::sync::Arc;
 
 use async_trait::async_trait;
 use chrono::{DateTime, Utc};
-use tracing::info;
+use devolutions_gateway_task::{ShutdownSignal, Task};
+use devolutions_pedm_shared::policy::ElevationResult;
+use tracing::{info, warn};
 
 mod err;
 mod util;
@@ -209,4 +211,110 @@ pub(crate) trait Database: Send + Sync {
     async fn update_accounts(&self, diff: &AccountsDiff) -> Result<(), DbError>;
 
     async fn insert_elevate_tmp_request(&self, req_id: i32, seconds: i32) -> Result<(), DbError>;
+
+    async fn insert_jit_elevation_result(&self, result: &ElevationResult) -> Result<(), DbError>;
+}
+
+// Bridge for DB operations from synchronous functions.
+// This may or may not be a temporary workaround.
+
+pub(crate) struct DbHandleError<T> {
+    pub(crate) db_error: Option<DbError>,
+    pub(crate) value: T,
+}
+
+#[derive(Clone)]
+pub(crate) struct DbHandle {
+    tx: tokio::sync::mpsc::Sender<DbRequest>,
+}
+
+impl DbHandle {
+    pub(crate) fn insert_jit_elevation_result(
+        &self,
+        result: ElevationResult,
+    ) -> Result<(), DbHandleError<ElevationResult>> {
+        let (tx, rx) = tokio::sync::oneshot::channel();
+
+        match self
+            .tx
+            .blocking_send(DbRequest::InsertJitElevationResult { result, tx })
+        {
+            Ok(()) => match rx.blocking_recv() {
+                Ok(db_result) => db_result,
+                Err(_) => {
+                    warn!("Did not receive the response from the async bridge task");
+                    Ok(())
+                }
+            },
+            Err(error) => {
+                let DbRequest::InsertJitElevationResult { result, .. } = error.0 else {
+                    unreachable!()
+                };
+
+                Err(DbHandleError {
+                    db_error: None,
+                    value: result,
+                })
+            }
+        }
+    }
+}
+
+pub(crate) enum DbRequest {
+    InsertJitElevationResult {
+        result: ElevationResult,
+        tx: tokio::sync::oneshot::Sender<Result<(), DbHandleError<ElevationResult>>>,
+    },
+}
+
+pub(crate) struct DbAsyncBridgeTask {
+    db: Db,
+    rx: tokio::sync::mpsc::Receiver<DbRequest>,
+}
+
+impl DbAsyncBridgeTask {
+    pub fn new(db: Db) -> (DbHandle, Self) {
+        let (tx, rx) = tokio::sync::mpsc::channel(8);
+        (DbHandle { tx }, Self { db, rx })
+    }
+}
+
+#[async_trait]
+impl Task for DbAsyncBridgeTask {
+    type Output = anyhow::Result<()>;
+
+    const NAME: &'static str = "db-async-bridge";
+
+    async fn run(mut self, mut shutdown_signal: ShutdownSignal) -> anyhow::Result<()> {
+        loop {
+            tokio::select! {
+                req = self.rx.recv() => {
+                    let Some(req) = req else {
+                        break;
+                    };
+
+                    match req {
+                        DbRequest::InsertJitElevationResult { result, tx } => {
+                            match self.db.insert_jit_elevation_result(&result).await {
+                                Ok(()) => {
+                                    let _ = tx.send(Ok(()));
+                                }
+                                Err(error) => {
+                                    let _ = tx.send(Err(DbHandleError {
+                                       db_error: Some(error),
+                                       value: result,
+                                    }));
+                                }
+                            }
+                        }
+                    }
+                }
+                _ = shutdown_signal.wait() => {
+                    break;
+                }
+            }
+        }
+
+        Ok(())
+    }
 }

crates/devolutions-pedm/src/db/mod.rs

@@ -9,8 +9,12 @@ use async_trait::async_trait;
 use bb8::Pool;
 use bb8_postgres::PostgresConnectionManager;
 use chrono::{DateTime, Utc};
+<<<<<<< HEAD
 use futures_util::try_join;
 use tokio_postgres::types::ToSql;
+=======
+use devolutions_pedm_shared::policy::ElevationResult;
+>>>>>>> origin/master
 use tokio_postgres::NoTls;
 
 use crate::account::{AccountWithId, AccountsDiff, DomainId, Sid};
@@ -328,6 +332,10 @@ ORDER BY n.name",
             .await?;
         Ok(())
     }
+
+    async fn insert_jit_elevation_result(&self, result: &ElevationResult) -> Result<(), DbError> {
+        unimplemented!()
+    }
 }
 
 /// Constructs query args like `($1), ($2), ($3)`.

crates/devolutions-pedm/src/db/pg.rs

@@ -22,6 +22,7 @@ use win_api_wrappers::Error;
 use local_admin_elevator::LocalAdminElevator;
 use virtual_account_elevator::VirtualAccountElevator;
 
+use crate::db::DbHandle;
 use crate::log;
 use crate::policy::{self, application_from_path, Policy};
 use crate::utils::{start_process, AccountExt};
@@ -66,6 +67,7 @@ fn elevate_token(policy: &RwLock<Policy>, token: &Token) -> Result<Token> {
 }
 
 fn validate_elevation(
+    db_handle: &DbHandle,
     policy: &RwLock<Policy>,
     client_token: &Token,
     client_pid: u32,
@@ -104,15 +106,18 @@ fn validate_elevation(
 
     let validation = policy.read().validate(client_token.session_id()?, &req);
 
-    log::log_elevation(&ElevationResult {
+    let elevation_result = ElevationResult {
         request: req,
         successful: validation.is_ok(),
-    })?;
+    };
+
+    log::log_elevation(db_handle, elevation_result);
 
     validation
 }
 
 pub(crate) fn try_start_elevated(
+    db_handle: &DbHandle,
     policy: &RwLock<Policy>,
     client_token: &Token,
     client_pid: u32,
@@ -123,6 +128,7 @@ pub(crate) fn try_start_elevated(
     startup_info: &mut StartupInfo,
 ) -> Result<ProcessInformation> {
     validate_elevation(
+        db_handle,
         policy,
         client_token,
         client_pid,