token-privilege 0.1.1

Safe Rust wrapper around Windows process token privilege and elevation detection APIs
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172

//! Integration tests for the `token-privilege` crate.
//!
//! Windows-specific tests validate actual Win32 API behavior.
//! Non-Windows tests verify that all public functions return
//! [`token_privilege::TokenPrivilegeError::UnsupportedPlatform`].

#[cfg(target_os = "windows")]
mod windows_tests {
    #[test]
    fn elevation_and_privileges_are_consistent() {
        let elevated_result = token_privilege::is_elevated();
        assert!(elevated_result.is_ok(), "is_elevated should succeed");

        let privs_result = token_privilege::enumerate_privileges();
        assert!(privs_result.is_ok(), "enumerate_privileges should succeed");

        if let Ok(privs) = privs_result {
            // All Windows processes have at least SeChangeNotifyPrivilege
            assert!(!privs.is_empty(), "should have at least one privilege");

            let change_notify = privs.iter().find(|p| p.name == "SeChangeNotifyPrivilege");
            assert!(
                change_notify.is_some(),
                "should have SeChangeNotifyPrivilege"
            );
            if let Some(cn) = change_notify {
                assert!(cn.enabled, "SeChangeNotifyPrivilege should be enabled");
                assert!(
                    cn.enabled_by_default,
                    "SeChangeNotifyPrivilege should be enabled by default"
                );
            }
        }
    }

    #[test]
    fn is_privilege_enabled_matches_enumeration() {
        let check_result =
            token_privilege::is_privilege_enabled(token_privilege::privileges::SE_CHANGE_NOTIFY);
        assert!(check_result.is_ok(), "check should succeed");

        let privs_result = token_privilege::enumerate_privileges();
        assert!(privs_result.is_ok(), "enumerate should succeed");

        if let (Ok(enabled_via_check), Ok(privs)) = (check_result, privs_result) {
            let enabled_via_enum = privs
                .iter()
                .find(|p| p.name == token_privilege::privileges::SE_CHANGE_NOTIFY)
                .is_some_and(|p| p.enabled);

            assert_eq!(
                enabled_via_check, enabled_via_enum,
                "is_privilege_enabled and enumerate should agree"
            );
        }
    }

    #[test]
    fn has_privilege_returns_true_for_change_notify() {
        let result = token_privilege::has_privilege(token_privilege::privileges::SE_CHANGE_NOTIFY);
        assert!(result.is_ok(), "should succeed");
        if let Ok(has_priv) = result {
            assert!(has_priv, "SeChangeNotifyPrivilege should be present");
        }
    }

    #[test]
    fn has_privilege_returns_false_for_absent_privilege() {
        // SeTcbPrivilege is almost never present on standard user tokens
        let result = token_privilege::has_privilege(token_privilege::privileges::SE_TCB);
        assert!(result.is_ok(), "should succeed for valid privilege name");
        // We don't assert the value since elevated processes might have it,
        // but we verify it doesn't error for a valid privilege name.
    }

    #[test]
    fn invalid_privilege_name_returns_correct_error_variant() {
        let result = token_privilege::is_privilege_enabled("SeTotallyFakePrivilege");
        assert!(
            matches!(
                result,
                Err(token_privilege::TokenPrivilegeError::InvalidPrivilegeName { .. })
            ),
            "should return InvalidPrivilegeName for invalid privilege, got: {result:?}"
        );
    }

    #[test]
    fn has_privilege_invalid_name_returns_correct_error_variant() {
        let result = token_privilege::has_privilege("SeTotallyFakePrivilege");
        assert!(
            matches!(
                result,
                Err(token_privilege::TokenPrivilegeError::InvalidPrivilegeName { .. })
            ),
            "should return InvalidPrivilegeName for invalid privilege, got: {result:?}"
        );
    }

    #[test]
    fn empty_privilege_name_returns_error() {
        let result = token_privilege::is_privilege_enabled("");
        assert!(result.is_err(), "empty string should fail");
    }

    #[test]
    fn privilege_constants_are_valid_names() {
        let constants = [
            token_privilege::privileges::SE_CHANGE_NOTIFY,
            token_privilege::privileges::SE_SHUTDOWN,
            token_privilege::privileges::SE_UNDOCK,
        ];

        for name in constants {
            let result = token_privilege::has_privilege(name);
            assert!(
                result.is_ok(),
                "has_privilege({name}) should not error for valid privilege names"
            );
        }
    }
}

#[cfg(not(target_os = "windows"))]
mod non_windows_tests {
    #[test]
    fn is_elevated_returns_unsupported() {
        assert!(matches!(
            token_privilege::is_elevated(),
            Err(token_privilege::TokenPrivilegeError::UnsupportedPlatform)
        ));
    }

    #[test]
    fn is_privilege_enabled_returns_unsupported() {
        assert!(matches!(
            token_privilege::is_privilege_enabled("SeDebugPrivilege"),
            Err(token_privilege::TokenPrivilegeError::UnsupportedPlatform)
        ));
    }

    #[test]
    fn has_privilege_returns_unsupported() {
        assert!(matches!(
            token_privilege::has_privilege("SeDebugPrivilege"),
            Err(token_privilege::TokenPrivilegeError::UnsupportedPlatform)
        ));
    }

    #[test]
    fn enumerate_privileges_returns_unsupported() {
        assert!(matches!(
            token_privilege::enumerate_privileges(),
            Err(token_privilege::TokenPrivilegeError::UnsupportedPlatform)
        ));
    }

    #[test]
    fn privilege_constants_exist() {
        // Verify constants are available even on non-Windows
        let _ = token_privilege::privileges::SE_DEBUG;
        let _ = token_privilege::privileges::SE_BACKUP;
        let _ = token_privilege::privileges::SE_CHANGE_NOTIFY;
        let _ = token_privilege::privileges::SE_SHUTDOWN;
        let _ = token_privilege::privileges::SE_SECURITY;
        let _ = token_privilege::privileges::SE_TAKE_OWNERSHIP;
        let _ = token_privilege::privileges::SE_LOAD_DRIVER;
        let _ = token_privilege::privileges::SE_IMPERSONATE;
        let _ = token_privilege::privileges::SE_CREATE_GLOBAL;
        let _ = token_privilege::privileges::SE_TCB;
    }
}