token-privilege 0.1.1

Safe Rust wrapper around Windows process token privilege and elevation detection APIs
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351

//! All unsafe Win32 FFI calls live in this module.
//!
//! This is the ONLY module that contains `unsafe` code. Every unsafe block
//! has a `// SAFETY:` comment documenting its invariants.

#![allow(unsafe_code)]

use std::io;

use windows::Win32::Foundation::{
    CloseHandle, ERROR_INSUFFICIENT_BUFFER, ERROR_NO_SUCH_PRIVILEGE, HANDLE, LUID,
};
use windows::Win32::Security::{
    GetTokenInformation, LUID_AND_ATTRIBUTES, LookupPrivilegeNameW, LookupPrivilegeValueW,
    PRIVILEGE_SET, PrivilegeCheck, SE_PRIVILEGE_ENABLED, SE_PRIVILEGE_ENABLED_BY_DEFAULT,
    SE_PRIVILEGE_REMOVED, TOKEN_ELEVATION, TOKEN_PRIVILEGES, TOKEN_QUERY,
};
use windows::Win32::System::Threading::{GetCurrentProcess, OpenProcessToken};
use windows::core::BOOL;

use crate::PrivilegeInfo;
use crate::error::TokenPrivilegeError;

/// `PRIVILEGE_SET_ALL_NECESSARY` — all privileges in the set must be held.
/// Defined in the Windows SDK but not exposed by the `windows` crate.
const PRIVILEGE_SET_ALL_NECESSARY: u32 = 1;

// Compile-time guarantee that `TOKEN_ELEVATION` fits in a `u32` size parameter.
#[allow(clippy::as_conversions)] // Compile-time const, safe
const _: () = assert!(
    std::mem::size_of::<TOKEN_ELEVATION>() <= u32::MAX as usize,
    "TOKEN_ELEVATION size must fit in u32"
);

/// RAII wrapper for Win32 `HANDLE` that calls `CloseHandle` on drop.
pub struct OwnedHandle(HANDLE);

impl std::fmt::Debug for OwnedHandle {
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
        f.debug_struct("OwnedHandle").finish_non_exhaustive()
    }
}

impl Drop for OwnedHandle {
    fn drop(&mut self) {
        if !self.0.is_invalid() {
            // SAFETY: `CloseHandle` is safe to call on a valid, open handle that
            // we own. The RAII pattern ensures this is called exactly once, when
            // the `OwnedHandle` is dropped. The `is_invalid()` guard skips the
            // call for default-initialized or explicitly invalidated handles.
            unsafe {
                let close_result = CloseHandle(self.0);
                debug_assert!(close_result.is_ok(), "CloseHandle failed: {close_result:?}");
            }
        }
    }
}

/// Open the current process token with `TOKEN_QUERY` access.
pub fn open_current_process_token() -> Result<OwnedHandle, TokenPrivilegeError> {
    let mut handle = HANDLE::default();

    // SAFETY: `GetCurrentProcess()` returns a pseudo-handle that is always valid
    // and does not need to be closed. `OpenProcessToken` writes to `handle` only
    // on success; on failure we return the IO error.
    unsafe {
        OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &raw mut handle)
            .map_err(|e| TokenPrivilegeError::OpenTokenFailed(io::Error::from(e)))?;
    }

    Ok(OwnedHandle(handle))
}

/// Query whether the token is elevated (UAC elevation).
pub fn query_elevation(token: &OwnedHandle) -> Result<bool, TokenPrivilegeError> {
    // Safe: compile-time assertion above guarantees this fits in u32.
    #[allow(clippy::as_conversions, clippy::cast_possible_truncation)]
    const ELEVATION_SIZE: u32 = std::mem::size_of::<TOKEN_ELEVATION>() as u32;

    let mut elevation = TOKEN_ELEVATION::default();
    let mut return_length = 0_u32;

    // SAFETY: We pass a valid token handle and a correctly-sized buffer.
    // `GetTokenInformation` writes at most `elevation_size` bytes into
    // `elevation` and sets `return_length` to the actual bytes written.
    unsafe {
        GetTokenInformation(
            token.0,
            windows::Win32::Security::TokenElevation,
            Some(std::ptr::from_mut(&mut elevation).cast()),
            ELEVATION_SIZE,
            &raw mut return_length,
        )
        .map_err(|e| TokenPrivilegeError::QueryFailed(io::Error::from(e)))?;
    }

    Ok(elevation.TokenIsElevated != 0)
}

/// Look up a privilege LUID by name.
pub fn lookup_privilege_value(name: &str) -> Result<LUID, TokenPrivilegeError> {
    let wide_name: Vec<u16> = name.encode_utf16().chain(std::iter::once(0)).collect();
    let mut luid = LUID::default();

    // SAFETY: We pass a null-terminated wide string and a valid LUID pointer.
    // `LookupPrivilegeValueW` writes the LUID on success.
    unsafe {
        LookupPrivilegeValueW(
            None,
            windows::core::PCWSTR(wide_name.as_ptr()),
            &raw mut luid,
        )
        .map_err(|e| {
            if e.code() == ERROR_NO_SUCH_PRIVILEGE.to_hresult() {
                TokenPrivilegeError::InvalidPrivilegeName {
                    name: name.to_owned(),
                }
            } else {
                TokenPrivilegeError::LookupFailed {
                    name: name.to_owned(),
                    source: io::Error::from(e),
                }
            }
        })?;
    }

    Ok(luid)
}

/// Check if a specific privilege (by LUID) is enabled on the token.
pub fn check_privilege_enabled(
    token: &OwnedHandle,
    luid: LUID,
) -> Result<bool, TokenPrivilegeError> {
    let mut privilege_set = PRIVILEGE_SET {
        PrivilegeCount: 1,
        Control: PRIVILEGE_SET_ALL_NECESSARY,
        Privilege: [LUID_AND_ATTRIBUTES {
            Luid: luid,
            Attributes: SE_PRIVILEGE_ENABLED,
        }],
    };
    let mut result = BOOL::default();

    // SAFETY: We pass a valid token handle and a correctly initialized
    // PRIVILEGE_SET with count=1. `PrivilegeCheck` writes the result.
    unsafe {
        PrivilegeCheck(token.0, &raw mut privilege_set, &raw mut result)
            .map_err(|e| TokenPrivilegeError::CheckFailed(io::Error::from(e)))?;
    }

    Ok(result.as_bool())
}

/// Enumerate all privileges on the token.
pub fn enumerate_token_privileges(
    token: &OwnedHandle,
) -> Result<Vec<PrivilegeInfo>, TokenPrivilegeError> {
    // First call to get required buffer size
    let mut return_length = 0_u32;

    // SAFETY: First call with null buffer to query the required size.
    // Expected to fail with ERROR_INSUFFICIENT_BUFFER, which we handle.
    let size_result = unsafe {
        GetTokenInformation(
            token.0,
            windows::Win32::Security::TokenPrivileges,
            None,
            0,
            &raw mut return_length,
        )
    };

    // Expected failure — we need the buffer size
    match size_result {
        Ok(()) => {
            return Err(TokenPrivilegeError::QueryFailed(io::Error::other(
                "GetTokenInformation unexpectedly succeeded with null buffer",
            )));
        }
        Err(ref e) if e.code() == ERROR_INSUFFICIENT_BUFFER.to_hresult() => {
            // Expected: buffer was too small, return_length now holds the required size
        }
        Err(e) => {
            return Err(TokenPrivilegeError::QueryFailed(io::Error::from(e)));
        }
    }
    if return_length == 0 {
        return Err(TokenPrivilegeError::QueryFailed(io::Error::other(
            "GetTokenInformation returned zero required length",
        )));
    }

    // Allocate with proper alignment for TOKEN_PRIVILEGES.
    // We use Vec<u64> to guarantee at least 8-byte alignment, which satisfies
    // TOKEN_PRIVILEGES alignment requirements on all Windows platforms.
    #[allow(clippy::as_conversions)] // u32 -> usize safe on all Windows platforms
    let byte_len = return_length as usize;
    let u64_len = byte_len.div_ceil(size_of::<u64>());
    let mut buffer = vec![0_u64; u64_len];

    // SAFETY: We pass a buffer of at least `return_length` bytes as reported
    // by the previous call. `GetTokenInformation` will write TOKEN_PRIVILEGES
    // data into this buffer.
    unsafe {
        GetTokenInformation(
            token.0,
            windows::Win32::Security::TokenPrivileges,
            Some(buffer.as_mut_ptr().cast()),
            return_length,
            &raw mut return_length,
        )
        .map_err(|e| TokenPrivilegeError::QueryFailed(io::Error::from(e)))?;
    }

    // SAFETY: Buffer was filled by GetTokenInformation with TOKEN_PRIVILEGES data.
    // The cast is safe because Vec<u64> guarantees 8-byte alignment, which
    // satisfies TOKEN_PRIVILEGES alignment requirements (align 4 on 32-bit,
    // align 8 on 64-bit Windows).
    let token_privileges = unsafe { &*(buffer.as_ptr().cast::<TOKEN_PRIVILEGES>()) };
    #[allow(clippy::as_conversions)] // u32 -> usize safe on all Windows platforms
    let count = token_privileges.PrivilegeCount as usize;

    // SAFETY: The privileges array in TOKEN_PRIVILEGES is a variable-length
    // array. We access `count` elements, which is what Windows wrote.
    let privileges_slice =
        unsafe { std::slice::from_raw_parts(token_privileges.Privileges.as_ptr(), count) };

    let mut result = Vec::with_capacity(count);
    for attr in privileges_slice {
        let name = lookup_privilege_name(attr.Luid)?;
        let attributes = attr.Attributes;

        result.push(PrivilegeInfo {
            name,
            enabled: (attributes & SE_PRIVILEGE_ENABLED).0 != 0,
            enabled_by_default: (attributes & SE_PRIVILEGE_ENABLED_BY_DEFAULT).0 != 0,
            removed: (attributes & SE_PRIVILEGE_REMOVED).0 != 0,
        });
    }

    Ok(result)
}

/// Look up the name of a privilege by its LUID.
fn lookup_privilege_name(luid: LUID) -> Result<String, TokenPrivilegeError> {
    let mut name_len = 0_u32;

    // SAFETY: First call with null buffer to get the required name length.
    let size_result =
        unsafe { LookupPrivilegeNameW(None, &raw const luid, None, &raw mut name_len) };

    if name_len == 0 {
        return Err(TokenPrivilegeError::QueryFailed(
            size_result.err().map_or_else(
                || io::Error::other("LookupPrivilegeNameW returned zero length without error"),
                io::Error::from,
            ),
        ));
    }

    #[allow(clippy::as_conversions)] // u32 -> usize safe on all Windows platforms
    let mut name_buf = vec![0_u16; name_len as usize];

    // SAFETY: We pass a buffer of the size reported by the first call.
    // `LookupPrivilegeNameW` writes the privilege name as a wide string.
    unsafe {
        LookupPrivilegeNameW(
            None,
            &raw const luid,
            Some(windows::core::PWSTR(name_buf.as_mut_ptr())),
            &raw mut name_len,
        )
        .map_err(|e| TokenPrivilegeError::QueryFailed(io::Error::from(e)))?;
    }

    // name_len now holds the length WITHOUT the null terminator
    #[allow(clippy::as_conversions)] // u32 -> usize safe on all Windows platforms
    let len = name_len as usize;
    let name_slice = name_buf.get(..len).ok_or_else(|| {
        TokenPrivilegeError::QueryFailed(io::Error::other("name buffer indexing failed"))
    })?;
    String::from_utf16(name_slice).map_err(|_utf16_err| {
        TokenPrivilegeError::QueryFailed(io::Error::other(
            "privilege name contained invalid UTF-16",
        ))
    })
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn open_and_drop_token_handle() {
        let token = open_current_process_token();
        assert!(token.is_ok(), "should open current process token");
        // OwnedHandle drops here — verifies RAII doesn't panic
    }

    #[test]
    fn query_elevation_returns_bool() {
        let token = open_current_process_token();
        assert!(token.is_ok(), "should open current process token");
        if let Ok(tok) = token {
            let result = query_elevation(&tok);
            assert!(result.is_ok(), "should query elevation");
        }
    }

    #[test]
    fn lookup_known_privilege() {
        let result = lookup_privilege_value("SeChangeNotifyPrivilege");
        assert!(result.is_ok(), "SeChangeNotifyPrivilege should exist");
    }

    #[test]
    fn lookup_invalid_privilege() {
        let result = lookup_privilege_value("SeTotallyFakePrivilege");
        assert!(result.is_err(), "fake privilege should fail");
    }

    #[test]
    fn check_change_notify_enabled() {
        let token = open_current_process_token();
        assert!(token.is_ok(), "should open current process token");
        let luid = lookup_privilege_value("SeChangeNotifyPrivilege");
        assert!(luid.is_ok(), "SeChangeNotifyPrivilege should exist");
        if let (Ok(tok), Ok(l)) = (token, luid) {
            let result = check_privilege_enabled(&tok, l);
            assert!(result.is_ok(), "check should succeed");
            assert!(
                matches!(result, Ok(true)),
                "SeChangeNotifyPrivilege should be enabled"
            );
        }
    }

    #[test]
    fn enumerate_privileges_non_empty() {
        let token = open_current_process_token();
        assert!(token.is_ok(), "should open current process token");
        if let Ok(tok) = token {
            let result = enumerate_token_privileges(&tok);
            assert!(result.is_ok(), "enumeration should succeed");
            if let Ok(list) = result {
                assert!(!list.is_empty(), "should have at least one privilege");
            }
        }
    }
}