author Josh Cooper <josh@puppetlabs.com> 2011-08-18 10:34:18 -0700
committer Josh Cooper <josh@puppetlabs.com> 2011-08-22 15:06:11 -0700
commit 2ac87905708ddbc44d212e10e34d72cad09e3271
tree 9907686fa4f90f5ce4379f982808498dd3156943 /lib/puppet
parent ccdd043ab309ca382dc949612d7efe3562adf5c5
(#8662) Fix Puppet.features.root? on Windows

This commit changes Puppet::Util::SUIDManager.root? (and Puppet.features.root?) to only return true if the user is running with elevated privileges (granted via UAC). If this check fails because elevated privileges are not supported, e.g. pre-Vista, then we fall back to checking if the user is a member of the builtin Administrators group.

This means if you are logged in as Administrator on 2008, Puppet.features.root? will return false, unless you are explicitly running puppet as an administrator, e.g.

    runas /user:Administrator "puppet apply manifest.pp"

This commit also adds tests to ensure SUIDManager.asuser is a no-op on Windows, since Windows does not (easily) support switching user contexts without providing a password.

Diffstat (limited to 'lib/puppet')
-rw-r--r-- lib/puppet/util/suidmanager.rb 15
1 files changed, 14 insertions, 1 deletions
diff --git a/lib/puppet/util/suidmanager.rb b/lib/puppet/util/suidmanager.rb
index 697bce111..d2772002e 100644
--- a/lib/puppet/util/suidmanager.rb
+++ b/lib/puppet/util/suidmanager.rb
@@ -37,7 +37,20 @@ module Puppet::Util::SUIDManager
module_function :groups=
def self.root?
- Process.uid == 0
+ return Process.uid == 0 unless Puppet.features.microsoft_windows?
+
+ require 'sys/admin'
+ require 'win32/security'
+
+ # if Vista or later, check for unrestricted process token
+ begin
+ return Win32::Security.elevated_security?
+ rescue Win32::Security::Error => e
+ raise e unless e.to_s =~ /Incorrect function/i
+ end
+
+ group = Sys::Admin.get_group("Administrators", :sid => Win32::Security::SID::BuiltinAdministrators)
+ group and group.members.index(Sys::Admin.get_login) != nil
end
# Runs block setting uid and gid if provided then restoring original ids
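Review bot: The rescue clause in root? decides whether to fall back by matching the exception text (`raise e unless e.to_s =~ /Incorrect function/i`), which is brittle for a privilege check: if that message is ever localized or reworded, a pre-Vista host raises out of root? instead of reaching the Administrators group lookup. If Win32::Security::Error exposes a numeric error code, compare on that; otherwise add a comment above the rescue explaining that "Incorrect function" is what the elevation query reports when elevation is unsupported, since the existing comment only covers the Vista-or-later path. Separately, the fallback `group.members.index(Sys::Admin.get_login) != nil` is a literal name comparison, so it answers false for an account whose entry in the member list is spelled differently from its login name or that is an administrator only through another group; worth documenting that limitation next to the line, and `group.members.include?(...)` would read more directly than `index(...) != nil`.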