Group policy control for BypassCertificatePinningForMicrosoftStore (#…

…2637)
microsoft · Nov 7, 2022 · 34e8cbd · 34e8cbd
1 parent fb37675
commit 34e8cbd
Show file tree

Hide file tree

Showing 10 changed files with 71 additions and 6 deletions.
diff --git a/doc/admx/DesktopAppInstaller.admx b/doc/admx/DesktopAppInstaller.admx
@@ -53,6 +53,16 @@
         <decimal value="0" />
       </disabledValue>
     </policy>
+    <policy name="EnableBypassCertificatePinningForMicrosoftStore" class="Machine" displayName="$(string.EnableBypassCertificatePinningForMicrosoftStore)" explainText="$(string.EnableBypassCertificatePinningForMicrosoftStoreExplanation)" key="Software\Policies\Microsoft\Windows\AppInstaller" valueName="EnableBypassCertificatePinningForMicrosoftStore">
+      <parentCategory ref="AppInstaller" />
+      <supportedOn ref="windows:SUPPORTED_Windows_10_0_RS5" />
+      <enabledValue>
+        <decimal value="1" />
+      </enabledValue>
+      <disabledValue>
+        <decimal value="0" />
+      </disabledValue>
+    </policy>
     <policy name="EnableHashOverride" class="Machine" displayName="$(string.EnableHashOverride)" explainText="$(string.EnableHashOverrideExplanation)" key="Software\Policies\Microsoft\Windows\AppInstaller" valueName="EnableHashOverride">
       <parentCategory ref="AppInstaller" />
       <supportedOn ref="windows:SUPPORTED_Windows_10_0_RS5" />

diff --git a/doc/admx/en-US/DesktopAppInstaller.adml b/doc/admx/en-US/DesktopAppInstaller.adml
@@ -31,6 +31,12 @@ If you disable this setting, users will not be able to enable experimental featu
 If you enable or do not configure this setting, users will be able to install packages with local manifests using the Windows Package Manager.
 
 If you disable this setting, users will not be able to install packages with local manifests using the Windows Package Manager.</string>
+      <string id="EnableBypassCertificatePinningForMicrosoftStore">Enable App Installer Microsoft Store Source Pinned Certificate Bypass</string>
+      <string id="EnableBypassCertificatePinningForMicrosoftStoreExplanation">This policy controls whether the Windows Package Manager can be configured to disable the requirement to use a pinned certificate for the Microsoft Store source.
+
+If you enable or do not configure this setting, users will be able to bypass the pinned certificate used to validate the Microsoft Store source.
+
+If you disable this setting, users will not be able to bypass the pinned certificate used to validate the Microsoft Store source.</string>
       <string id="EnableHashOverride">Enable App Installer Hash Override</string>
       <string id="EnableHashOverrideExplanation">This policy controls whether or not the Windows Package Manager can be configured to enable the ability override the SHA256 security validation in settings.
 

diff --git a/src/AppInstallerCLIPackage/Shared/Strings/en-us/winget.resw b/src/AppInstallerCLIPackage/Shared/Strings/en-us/winget.resw
@@ -885,6 +885,9 @@ They can be configured through the settings file 'winget settings'.</value>
   <data name="PolicyEnableLocalManifests" xml:space="preserve">
     <value>Enable Windows App Installer Local Manifest Files</value>
   </data>
+  <data name="PolicyEnableBypassCertificatePinningForMicrosoftStore" xml:space="preserve">
+    <value>Enable Windows App Installer Microsoft Store Source Pinned Certificate Bypass</value>
+  </data>
   <data name="SettingsWarningField" xml:space="preserve">
     <value>Field:</value>
   </data>

diff --git a/src/AppInstallerCLITests/GroupPolicy.cpp b/src/AppInstallerCLITests/GroupPolicy.cpp
@@ -372,6 +372,7 @@ TEST_CASE("GroupPolicy_AllEnabled", "[groupPolicy]")
     SetRegistryValue(policiesKey.get(), MSStoreSourcePolicyValueName, 1);;
     SetRegistryValue(policiesKey.get(), AdditionalSourcesPolicyValueName, 1);
     SetRegistryValue(policiesKey.get(), AllowedSourcesPolicyValueName, 1);
+    SetRegistryValue(policiesKey.get(), BypassCertificatePinningForMicrosoftStoreValueName, 1);
 
     GroupPolicy groupPolicy{ policiesKey.get() };
     for (const auto& policy : TogglePolicy::GetAllPolicies())

diff --git a/src/AppInstallerCLITests/Sources.cpp b/src/AppInstallerCLITests/Sources.cpp
@@ -1265,3 +1265,32 @@ TEST_CASE("RepoSources_RestoringWellKnownSource", "[sources]")
         REQUIRE(storeAfterAdd.GetDetails().CertificatePinningConfiguration.IsEmpty());
     }
 }
+
+TEST_CASE("RepoSources_GroupPolicy_BypassCertificatePinningForMicrosoftStore", "[sources][groupPolicy]")
+{
+    TestHook_ClearSourceFactoryOverrides();
+
+    SECTION("Not configured")
+    {
+        GroupPolicyTestOverride policies;
+        policies.SetState(TogglePolicy::Policy::BypassCertificatePinningForMicrosoftStore, PolicyState::NotConfigured);
+        Source source(WellKnownSource::MicrosoftStore);
+        REQUIRE_FALSE(source.GetDetails().CertificatePinningConfiguration.IsEmpty());
+    }
+
+    SECTION("Enabled")
+    {
+        GroupPolicyTestOverride policies;
+        policies.SetState(TogglePolicy::Policy::BypassCertificatePinningForMicrosoftStore, PolicyState::Enabled);
+        Source source(WellKnownSource::MicrosoftStore);
+        REQUIRE(source.GetDetails().CertificatePinningConfiguration.IsEmpty());
+    }
+
+    SECTION("Disabled")
+    {
+        GroupPolicyTestOverride policies;
+        policies.SetState(TogglePolicy::Policy::BypassCertificatePinningForMicrosoftStore, PolicyState::Disabled);
+        Source source(WellKnownSource::MicrosoftStore);
+        REQUIRE_FALSE(source.GetDetails().CertificatePinningConfiguration.IsEmpty());
+    }
+}
diff --git a/src/AppInstallerCLITests/TestSettings.h b/src/AppInstallerCLITests/TestSettings.h
@@ -18,6 +18,7 @@ namespace TestCommon
     const std::wstring MSStoreSourcePolicyValueName = L"EnableMicrosoftStoreSource";
     const std::wstring AdditionalSourcesPolicyValueName = L"EnableAdditionalSources";
     const std::wstring AllowedSourcesPolicyValueName = L"EnableAllowedSources";
+    const std::wstring BypassCertificatePinningForMicrosoftStoreValueName = L"EnableBypassCertificatePinningForMicrosoftStore";
 
     const std::wstring SourceUpdateIntervalPolicyValueName = L"SourceAutoUpdateInterval";
     const std::wstring SourceUpdateIntervalPolicyOldValueName = L"SourceAutoUpdateIntervalInMinutes";

diff --git a/src/AppInstallerCommonCore/AdminSettings.cpp b/src/AppInstallerCommonCore/AdminSettings.cpp
@@ -193,16 +193,27 @@ namespace AppInstaller::Settings
         adminSettingsInternal.SetAdminSetting(setting, false);
     }
 
+    TogglePolicy::Policy GetAdminSettingPolicy(AdminSetting setting)
+    {
+        switch (setting)
+        {
+        case AdminSetting::LocalManifestFiles:
+            return TogglePolicy::Policy::LocalManifestFiles;
+        case AdminSetting::BypassCertificatePinningForMicrosoftStore:
+            return TogglePolicy::Policy::BypassCertificatePinningForMicrosoftStore;
+        default:
+            return TogglePolicy::Policy::None;
+        }
+    }
+
     bool IsAdminSettingEnabled(AdminSetting setting)
     {
         // Check for a policy that overrides this setting.
-        if (setting == AdminSetting::LocalManifestFiles)
+        auto policy = GetAdminSettingPolicy(setting);
+        auto policyState = GroupPolicies().GetState(policy);
+        if (policyState != PolicyState::NotConfigured)
         {
-            PolicyState localManifestFilesPolicy = GroupPolicies().GetState(TogglePolicy::Policy::LocalManifestFiles);
-            if (localManifestFilesPolicy != PolicyState::NotConfigured)
-            {
-                return localManifestFilesPolicy == PolicyState::Enabled;
-            }
+            return policyState == PolicyState::Enabled;
         }
 
         AdminSettingsInternal adminSettingsInternal;

diff --git a/src/AppInstallerCommonCore/GroupPolicy.cpp b/src/AppInstallerCommonCore/GroupPolicy.cpp
@@ -281,6 +281,8 @@ namespace AppInstaller::Settings
             return TogglePolicy(policy, "EnableAdditionalSources"sv, String::PolicyAdditionalSources);
         case TogglePolicy::Policy::AllowedSources:
             return TogglePolicy(policy, "EnableAllowedSources"sv, String::PolicyAllowedSources);
+        case TogglePolicy::Policy::BypassCertificatePinningForMicrosoftStore:
+            return TogglePolicy(policy, "EnableBypassCertificatePinningForMicrosoftStore"sv, String::PolicyEnableBypassCertificatePinningForMicrosoftStore);
         default:
             THROW_HR(E_UNEXPECTED);
         }

diff --git a/src/AppInstallerCommonCore/Public/winget/GroupPolicy.h b/src/AppInstallerCommonCore/Public/winget/GroupPolicy.h
@@ -41,6 +41,7 @@ namespace AppInstaller::Settings
             MSStoreSource,
             AdditionalSources,
             AllowedSources,
+            BypassCertificatePinningForMicrosoftStore,
             Max,
         };
 

diff --git a/src/AppInstallerCommonCore/Public/winget/Resources.h b/src/AppInstallerCommonCore/Public/winget/Resources.h
@@ -35,6 +35,7 @@ namespace AppInstaller
             WINGET_DEFINE_RESOURCE_STRINGID(PolicyAdditionalSources);
             WINGET_DEFINE_RESOURCE_STRINGID(PolicyAllowedSources);
             WINGET_DEFINE_RESOURCE_STRINGID(PolicySourceAutoUpdateInterval);
+            WINGET_DEFINE_RESOURCE_STRINGID(PolicyEnableBypassCertificatePinningForMicrosoftStore);
 
             WINGET_DEFINE_RESOURCE_STRINGID(SettingsWarningInvalidFieldFormat);
             WINGET_DEFINE_RESOURCE_STRINGID(SettingsWarningInvalidFieldValue);