WinGetCommandLineInterfaces Group Policy Exception for COM API Calls

[WHY:] Currently, the policy check within Command::Execute, which is executed for all command implementations, also inadvertently blocks COM API calls due to inheritance from the command class. [FIX:] Allow COM API calls while the WinGetCommandLineInterfaces group policy is disabled. The fix involves bypassing the policy check for calls originating from COM API, identified by a context flag set in the overridden Execute method in COMCommand. [TODOs:] - Test run to make sure fix works as expected
Madhusudhan-MSFT · Mar 20, 2024 · dfc73b6 · dfc73b6
1 parent 256c385
commit dfc73b6
Show file tree

Hide file tree

Showing 4 changed files with 39 additions and 10 deletions.
diff --git a/src/AppInstallerCLICore/Command.cpp b/src/AppInstallerCLICore/Command.cpp
@@ -164,7 +164,7 @@ namespace AppInstaller::CLI
         if (!commandAliases.empty())
         {
             infoOut << Resource::String::AvailableCommandAliases << std::endl;
-            
+
             for (const auto& commandAlias : commandAliases)
             {
                 infoOut << "  "_liv << Execution::HelpCommandEmphasis << commandAlias << std::endl;
@@ -283,7 +283,7 @@ namespace AppInstaller::CLI
             if (
                 Utility::CaseInsensitiveEquals(*itr, command->Name()) ||
                 Utility::CaseInsensitiveContains(command->Aliases(), *itr)
-            )
+                )
             {
                 if (!ExperimentalFeature::IsEnabled(command->Feature()))
                 {
@@ -555,7 +555,7 @@ namespace AppInstaller::CLI
                 if (
                     Utility::CaseInsensitiveEquals(argName, arg.Name()) ||
                     Utility::CaseInsensitiveEquals(argName, arg.AlternateName())
-                   )
+                    )
                 {
                     if (arg.Type() == ArgumentType::Flag)
                     {
@@ -668,7 +668,7 @@ namespace AppInstaller::CLI
         }
 
         if (execArgs.Contains(Execution::Args::Type::CustomHeader) && !execArgs.Contains(Execution::Args::Type::Source) &&
-           !execArgs.Contains(Execution::Args::Type::SourceName))
+            !execArgs.Contains(Execution::Args::Type::SourceName))
         {
             throw CommandException(Resource::String::HeaderArgumentNotApplicableWithoutSource(Argument::ForType(Execution::Args::Type::CustomHeader).Name()));
         }
@@ -864,8 +864,12 @@ namespace AppInstaller::CLI
             throw GroupPolicyException(Settings::TogglePolicy::Policy::WinGet);
         }
 
-        // Block CLI execution if WinGetCommandLineInterfaces is disabled by Policy
-        if (!Settings::GroupPolicies().IsEnabled(Settings::TogglePolicy::Policy::WinGetCommandLineInterfaces))
+        bool comApiCall = WI_IsFlagSet(context.GetFlags(), Execution::ContextFlag::WinGetCOMApiCall);
+
+        // Block command-line interface operations if WinGetCommandLineInterfaces is turned off by policy,
+        // but maintain access to COM API calls.
+        if (!comApiCall &&
+            !Settings::GroupPolicies().IsEnabled(Settings::TogglePolicy::Policy::WinGetCommandLineInterfaces))
         {
             AICLI_LOG(CLI, Error, << "WinGet is disabled by group policy");
             throw GroupPolicyException(Settings::TogglePolicy::Policy::WinGetCommandLineInterfaces);
@@ -929,7 +933,7 @@ namespace AppInstaller::CLI
         context.Reporter.Error() << Resource::String::CommandDoesNotSupportResumeMessage << std::endl;
         AICLI_TERMINATE_CONTEXT(E_NOTIMPL);
     }
-    
+
     void Command::SelectCurrentCommandIfUnrecognizedSubcommandFound(bool value)
     {
         m_selectCurrentCommandIfUnrecognizedSubcommandFound = value;

diff --git a/src/AppInstallerCLICore/Commands/COMCommand.cpp b/src/AppInstallerCLICore/Commands/COMCommand.cpp
@@ -28,6 +28,12 @@ namespace AppInstaller::CLI
             Workflow::SetDownloadDirectory <<
             Workflow::DownloadPackageDependencies <<
             Workflow::DownloadInstaller;
+    }
+
+    void COMDownloadCommand::Execute(Context& context) const
+    {
+        context.SetFlags(Execution::ContextFlag::WinGetCOMApiCall);
+        Command::Execute(context);
     }
 
     // IMPORTANT: To use this command, the caller should have already executed the COMDownloadCommand
@@ -37,6 +43,12 @@ namespace AppInstaller::CLI
             Workflow::InstallDependencies <<
             Workflow::ReverifyInstallerHash << 
             Workflow::InstallPackageInstaller;
+    }
+
+    void COMInstallCommand::Execute(Context& context) const
+    {
+        context.SetFlags(Execution::ContextFlag::WinGetCOMApiCall);
+        Command::Execute(context);
     }
 
     // IMPORTANT: To use this command, the caller should have already retrieved the InstalledPackageVersion and added it to the Context Data
@@ -45,4 +57,10 @@ namespace AppInstaller::CLI
         context <<
             Workflow::UninstallSinglePackage;
     }
+
+    void COMUninstallCommand::Execute(Execution::Context& context) const
+    {
+        context.SetFlags(Execution::ContextFlag::WinGetCOMApiCall);
+        Command::Execute(context);
+    }
 }
diff --git a/src/AppInstallerCLICore/Commands/COMCommand.h b/src/AppInstallerCLICore/Commands/COMCommand.h
@@ -9,7 +9,9 @@ namespace AppInstaller::CLI
     struct COMDownloadCommand final : public Command
     {
         constexpr static std::string_view CommandName = "download"sv;
-        COMDownloadCommand(std::string_view parent) : Command(CommandName, parent) {}
+        COMDownloadCommand(std::string_view parent) : Command(CommandName, parent) {}
+
+        void Execute(Execution::Context& context) const override;
 
     protected:
         void ExecuteInternal(Execution::Context& context) const override;
@@ -19,7 +21,9 @@ namespace AppInstaller::CLI
     struct COMInstallCommand final : public Command
     {
         constexpr static std::string_view CommandName = "install"sv;
-        COMInstallCommand(std::string_view parent) : Command(CommandName, parent) {}
+        COMInstallCommand(std::string_view parent) : Command(CommandName, parent) {}
+
+        void Execute(Execution::Context& context) const override;
 
     protected:
         void ExecuteInternal(Execution::Context& context) const override;
@@ -29,7 +33,9 @@ namespace AppInstaller::CLI
     struct COMUninstallCommand final : public Command
     {
         constexpr static std::string_view CommandName = "uninstall"sv;
-        COMUninstallCommand(std::string_view parent) : Command(CommandName, parent) {}
+        COMUninstallCommand(std::string_view parent) : Command(CommandName, parent) {}
+
+        void Execute(Execution::Context& context) const override;
 
     protected:
         void ExecuteInternal(Execution::Context& context) const override;

diff --git a/src/AppInstallerCLICore/ExecutionContext.h b/src/AppInstallerCLICore/ExecutionContext.h
@@ -75,6 +75,7 @@ namespace AppInstaller::CLI::Execution
         RebootRequired = 0x400,
         RegisterResume = 0x800,
         InstallerExecutionUseRepair = 0x1000,
+        WinGetCOMApiCall = 0x2000,
     };
 
     DEFINE_ENUM_FLAG_OPERATORS(ContextFlag);