From 34e8cbd322260641a1e9623f37a63feda9c5d8e7 Mon Sep 17 00:00:00 2001
From: AmirMS <104940545+AmelBawa-msft@users.noreply.github.com>
Date: Mon, 7 Nov 2022 10:03:54 -0800
Subject: [PATCH] Group policy control for
 BypassCertificatePinningForMicrosoftStore (#2637)

---
 doc/admx/DesktopAppInstaller.admx             | 10 +++++++
 doc/admx/en-US/DesktopAppInstaller.adml       |  6 ++++
 .../Shared/Strings/en-us/winget.resw          |  3 ++
 src/AppInstallerCLITests/GroupPolicy.cpp      |  1 +
 src/AppInstallerCLITests/Sources.cpp          | 29 +++++++++++++++++++
 src/AppInstallerCLITests/TestSettings.h       |  1 +
 src/AppInstallerCommonCore/AdminSettings.cpp  | 23 +++++++++++----
 src/AppInstallerCommonCore/GroupPolicy.cpp    |  2 ++
 .../Public/winget/GroupPolicy.h               |  1 +
 .../Public/winget/Resources.h                 |  1 +
 10 files changed, 71 insertions(+), 6 deletions(-)

diff --git a/doc/admx/DesktopAppInstaller.admx b/doc/admx/DesktopAppInstaller.admx
index 44be8a54eb..d3dcbdf51a 100644
--- a/doc/admx/DesktopAppInstaller.admx
+++ b/doc/admx/DesktopAppInstaller.admx
@@ -53,6 +53,16 @@
         <decimal value="0" />
       </disabledValue>
     </policy>
+    <policy name="EnableBypassCertificatePinningForMicrosoftStore" class="Machine" displayName="$(string.EnableBypassCertificatePinningForMicrosoftStore)" explainText="$(string.EnableBypassCertificatePinningForMicrosoftStoreExplanation)" key="Software\Policies\Microsoft\Windows\AppInstaller" valueName="EnableBypassCertificatePinningForMicrosoftStore">
+      <parentCategory ref="AppInstaller" />
+      <supportedOn ref="windows:SUPPORTED_Windows_10_0_RS5" />
+      <enabledValue>
+        <decimal value="1" />
+      </enabledValue>
+      <disabledValue>
+        <decimal value="0" />
+      </disabledValue>
+    </policy>
     <policy name="EnableHashOverride" class="Machine" displayName="$(string.EnableHashOverride)" explainText="$(string.EnableHashOverrideExplanation)" key="Software\Policies\Microsoft\Windows\AppInstaller" valueName="EnableHashOverride">
       <parentCategory ref="AppInstaller" />
       <supportedOn ref="windows:SUPPORTED_Windows_10_0_RS5" />
diff --git a/doc/admx/en-US/DesktopAppInstaller.adml b/doc/admx/en-US/DesktopAppInstaller.adml
index 3c602c0307..c0b73f12c2 100644
--- a/doc/admx/en-US/DesktopAppInstaller.adml
+++ b/doc/admx/en-US/DesktopAppInstaller.adml
@@ -31,6 +31,12 @@ If you disable this setting, users will not be able to enable experimental featu
 If you enable or do not configure this setting, users will be able to install packages with local manifests using the Windows Package Manager.
 
 If you disable this setting, users will not be able to install packages with local manifests using the Windows Package Manager.</string>
+      <string id="EnableBypassCertificatePinningForMicrosoftStore">Enable App Installer Microsoft Store Source Pinned Certificate Bypass</string>
+      <string id="EnableBypassCertificatePinningForMicrosoftStoreExplanation">This policy controls whether the Windows Package Manager can be configured to disable the requirement to use a pinned certificate for the Microsoft Store source.
+
+If you enable or do not configure this setting, users will be able to bypass the pinned certificate used to validate the Microsoft Store source.
+
+If you disable this setting, users will not be able to bypass the pinned certificate used to validate the Microsoft Store source.</string>
       <string id="EnableHashOverride">Enable App Installer Hash Override</string>
       <string id="EnableHashOverrideExplanation">This policy controls whether or not the Windows Package Manager can be configured to enable the ability override the SHA256 security validation in settings.
 
diff --git a/src/AppInstallerCLIPackage/Shared/Strings/en-us/winget.resw b/src/AppInstallerCLIPackage/Shared/Strings/en-us/winget.resw
index a86aaeade1..02fb808e4c 100644
--- a/src/AppInstallerCLIPackage/Shared/Strings/en-us/winget.resw
+++ b/src/AppInstallerCLIPackage/Shared/Strings/en-us/winget.resw
@@ -885,6 +885,9 @@ They can be configured through the settings file 'winget settings'.</value>
   <data name="PolicyEnableLocalManifests" xml:space="preserve">
     <value>Enable Windows App Installer Local Manifest Files</value>
   </data>
+  <data name="PolicyEnableBypassCertificatePinningForMicrosoftStore" xml:space="preserve">
+    <value>Enable Windows App Installer Microsoft Store Source Pinned Certificate Bypass</value>
+  </data>
   <data name="SettingsWarningField" xml:space="preserve">
     <value>Field:</value>
   </data>
diff --git a/src/AppInstallerCLITests/GroupPolicy.cpp b/src/AppInstallerCLITests/GroupPolicy.cpp
index 1b7f714bf8..121b4ec60d 100644
--- a/src/AppInstallerCLITests/GroupPolicy.cpp
+++ b/src/AppInstallerCLITests/GroupPolicy.cpp
@@ -372,6 +372,7 @@ TEST_CASE("GroupPolicy_AllEnabled", "[groupPolicy]")
     SetRegistryValue(policiesKey.get(), MSStoreSourcePolicyValueName, 1);;
     SetRegistryValue(policiesKey.get(), AdditionalSourcesPolicyValueName, 1);
     SetRegistryValue(policiesKey.get(), AllowedSourcesPolicyValueName, 1);
+    SetRegistryValue(policiesKey.get(), BypassCertificatePinningForMicrosoftStoreValueName, 1);
 
     GroupPolicy groupPolicy{ policiesKey.get() };
     for (const auto& policy : TogglePolicy::GetAllPolicies())
diff --git a/src/AppInstallerCLITests/Sources.cpp b/src/AppInstallerCLITests/Sources.cpp
index 3eab22addb..f35ea9ed45 100644
--- a/src/AppInstallerCLITests/Sources.cpp
+++ b/src/AppInstallerCLITests/Sources.cpp
@@ -1265,3 +1265,32 @@ TEST_CASE("RepoSources_RestoringWellKnownSource", "[sources]")
         REQUIRE(storeAfterAdd.GetDetails().CertificatePinningConfiguration.IsEmpty());
     }
 }
+
+TEST_CASE("RepoSources_GroupPolicy_BypassCertificatePinningForMicrosoftStore", "[sources][groupPolicy]")
+{
+    TestHook_ClearSourceFactoryOverrides();
+
+    SECTION("Not configured")
+    {
+        GroupPolicyTestOverride policies;
+        policies.SetState(TogglePolicy::Policy::BypassCertificatePinningForMicrosoftStore, PolicyState::NotConfigured);
+        Source source(WellKnownSource::MicrosoftStore);
+        REQUIRE_FALSE(source.GetDetails().CertificatePinningConfiguration.IsEmpty());
+    }
+
+    SECTION("Enabled")
+    {
+        GroupPolicyTestOverride policies;
+        policies.SetState(TogglePolicy::Policy::BypassCertificatePinningForMicrosoftStore, PolicyState::Enabled);
+        Source source(WellKnownSource::MicrosoftStore);
+        REQUIRE(source.GetDetails().CertificatePinningConfiguration.IsEmpty());
+    }
+
+    SECTION("Disabled")
+    {
+        GroupPolicyTestOverride policies;
+        policies.SetState(TogglePolicy::Policy::BypassCertificatePinningForMicrosoftStore, PolicyState::Disabled);
+        Source source(WellKnownSource::MicrosoftStore);
+        REQUIRE_FALSE(source.GetDetails().CertificatePinningConfiguration.IsEmpty());
+    }
+}
diff --git a/src/AppInstallerCLITests/TestSettings.h b/src/AppInstallerCLITests/TestSettings.h
index 24cbd15a5f..934feb9e6c 100644
--- a/src/AppInstallerCLITests/TestSettings.h
+++ b/src/AppInstallerCLITests/TestSettings.h
@@ -18,6 +18,7 @@ namespace TestCommon
     const std::wstring MSStoreSourcePolicyValueName = L"EnableMicrosoftStoreSource";
     const std::wstring AdditionalSourcesPolicyValueName = L"EnableAdditionalSources";
     const std::wstring AllowedSourcesPolicyValueName = L"EnableAllowedSources";
+    const std::wstring BypassCertificatePinningForMicrosoftStoreValueName = L"EnableBypassCertificatePinningForMicrosoftStore";
 
     const std::wstring SourceUpdateIntervalPolicyValueName = L"SourceAutoUpdateInterval";
     const std::wstring SourceUpdateIntervalPolicyOldValueName = L"SourceAutoUpdateIntervalInMinutes";
diff --git a/src/AppInstallerCommonCore/AdminSettings.cpp b/src/AppInstallerCommonCore/AdminSettings.cpp
index 7d8457f2a4..2195b95535 100644
--- a/src/AppInstallerCommonCore/AdminSettings.cpp
+++ b/src/AppInstallerCommonCore/AdminSettings.cpp
@@ -193,16 +193,27 @@ namespace AppInstaller::Settings
         adminSettingsInternal.SetAdminSetting(setting, false);
     }
 
+    TogglePolicy::Policy GetAdminSettingPolicy(AdminSetting setting)
+    {
+        switch (setting)
+        {
+        case AdminSetting::LocalManifestFiles:
+            return TogglePolicy::Policy::LocalManifestFiles;
+        case AdminSetting::BypassCertificatePinningForMicrosoftStore:
+            return TogglePolicy::Policy::BypassCertificatePinningForMicrosoftStore;
+        default:
+            return TogglePolicy::Policy::None;
+        }
+    }
+
     bool IsAdminSettingEnabled(AdminSetting setting)
     {
         // Check for a policy that overrides this setting.
-        if (setting == AdminSetting::LocalManifestFiles)
+        auto policy = GetAdminSettingPolicy(setting);
+        auto policyState = GroupPolicies().GetState(policy);
+        if (policyState != PolicyState::NotConfigured)
         {
-            PolicyState localManifestFilesPolicy = GroupPolicies().GetState(TogglePolicy::Policy::LocalManifestFiles);
-            if (localManifestFilesPolicy != PolicyState::NotConfigured)
-            {
-                return localManifestFilesPolicy == PolicyState::Enabled;
-            }
+            return policyState == PolicyState::Enabled;
         }
 
         AdminSettingsInternal adminSettingsInternal;
diff --git a/src/AppInstallerCommonCore/GroupPolicy.cpp b/src/AppInstallerCommonCore/GroupPolicy.cpp
index 2861e3d69b..66a9b5a381 100644
--- a/src/AppInstallerCommonCore/GroupPolicy.cpp
+++ b/src/AppInstallerCommonCore/GroupPolicy.cpp
@@ -281,6 +281,8 @@ namespace AppInstaller::Settings
             return TogglePolicy(policy, "EnableAdditionalSources"sv, String::PolicyAdditionalSources);
         case TogglePolicy::Policy::AllowedSources:
             return TogglePolicy(policy, "EnableAllowedSources"sv, String::PolicyAllowedSources);
+        case TogglePolicy::Policy::BypassCertificatePinningForMicrosoftStore:
+            return TogglePolicy(policy, "EnableBypassCertificatePinningForMicrosoftStore"sv, String::PolicyEnableBypassCertificatePinningForMicrosoftStore);
         default:
             THROW_HR(E_UNEXPECTED);
         }
diff --git a/src/AppInstallerCommonCore/Public/winget/GroupPolicy.h b/src/AppInstallerCommonCore/Public/winget/GroupPolicy.h
index 2ac085a009..ce840fc13f 100644
--- a/src/AppInstallerCommonCore/Public/winget/GroupPolicy.h
+++ b/src/AppInstallerCommonCore/Public/winget/GroupPolicy.h
@@ -41,6 +41,7 @@ namespace AppInstaller::Settings
             MSStoreSource,
             AdditionalSources,
             AllowedSources,
+            BypassCertificatePinningForMicrosoftStore,
             Max,
         };
 
diff --git a/src/AppInstallerCommonCore/Public/winget/Resources.h b/src/AppInstallerCommonCore/Public/winget/Resources.h
index ec9e181e35..1d3c21ac04 100644
--- a/src/AppInstallerCommonCore/Public/winget/Resources.h
+++ b/src/AppInstallerCommonCore/Public/winget/Resources.h
@@ -35,6 +35,7 @@ namespace AppInstaller
             WINGET_DEFINE_RESOURCE_STRINGID(PolicyAdditionalSources);
             WINGET_DEFINE_RESOURCE_STRINGID(PolicyAllowedSources);
             WINGET_DEFINE_RESOURCE_STRINGID(PolicySourceAutoUpdateInterval);
+            WINGET_DEFINE_RESOURCE_STRINGID(PolicyEnableBypassCertificatePinningForMicrosoftStore);
 
             WINGET_DEFINE_RESOURCE_STRINGID(SettingsWarningInvalidFieldFormat);
             WINGET_DEFINE_RESOURCE_STRINGID(SettingsWarningInvalidFieldValue);