Make config not experimental and add GP to control it (#3585)

Remove the configuration experimental feature and add a group policy for it instead.  This required moving the GP code and dependencies into the shared library.

Author: JohnMcPMS

doc/admx/DesktopAppInstaller.admx

@@ -156,5 +156,15 @@
         <decimal value="0" />
       </disabledValue>
     </policy>
+    <policy name="EnableWindowsPackageManagerConfiguration" class="Machine" displayName="$(string.EnableWindowsPackageManagerConfiguration)" explainText="$(string.EnableWindowsPackageManagerConfigurationExplanation)" key="Software\Policies\Microsoft\Windows\AppInstaller" valueName="EnableWindowsPackageManagerConfiguration">
+      <parentCategory ref="AppInstaller" />
+      <supportedOn ref="windows:SUPPORTED_Windows_10_0_RS5" />
+      <enabledValue>
+        <decimal value="1" />
+      </enabledValue>
+      <disabledValue>
+        <decimal value="0" />
+      </disabledValue>
+    </policy>
   </policies>
 </policyDefinitions>

doc/admx/en-US/DesktopAppInstaller.adml

@@ -103,6 +103,12 @@ If you disable or do not configure this setting, users will not be able to insta
         If you enable, or do not configuring this policy, users will be able to execute the Windows Package Manager CLI commands, and PowerShell cmdlets. (Provided “Enable App Installer” policy is not disabled).
 
         This policy does not override the “Enable App Installer” policy.</string>
+      <string id="EnableWindowsPackageManagerConfiguration">Enable Windows Package Manager Configuration</string>
+      <string id="EnableWindowsPackageManagerConfigurationExplanation">This policy controls whether the Windows Package Manager configuration feature can be used by users.
+
+If you enable or do not configure this setting, users will be able to use the Windows Package Manager configuration feature.
+
+If you disable this setting, users will not be able to use the Windows Package Manager configuration feature.</string>
     </stringTable>
     <presentationTable>
       <presentation id="SourceAutoUpdateInterval">

src/AppInstallerCLICore/Commands/ConfigureCommand.cpp

@@ -14,7 +14,7 @@ using namespace AppInstaller::CLI::Workflow;
 namespace AppInstaller::CLI
 {
     ConfigureCommand::ConfigureCommand(std::string_view parent) :
-        Command("configure", { "configuration" }, parent, Settings::ExperimentalFeature::Feature::Configuration)
+        Command("configure", { "configuration" }, parent, Settings::TogglePolicy::Policy::Configuration)
     {
         SelectCurrentCommandIfUnrecognizedSubcommandFound(true);
     }

src/AppInstallerCLIE2ETests/ConfigureCommand.cs

@@ -23,7 +23,6 @@ public class ConfigureCommand
         [OneTimeSetUp]
         public void OneTimeSetup()
         {
-            WinGetSettingsHelper.ConfigureFeature("configuration", true);
             this.DeleteTxtFiles();
         }
 

src/AppInstallerCLIE2ETests/ConfigureShowCommand.cs

@@ -14,15 +14,6 @@ namespace AppInstallerCLIE2ETests
     /// </summary>
     public class ConfigureShowCommand
     {
-        /// <summary>
-        /// Setup done once before all the tests here.
-        /// </summary>
-        [OneTimeSetUp]
-        public void OneTimeSetup()
-        {
-            WinGetSettingsHelper.ConfigureFeature("configuration", true);
-        }
-
         /// <summary>
         /// Simple test to confirm that a resource without a module specified can be discovered in the PSGallery.
         /// </summary>

src/AppInstallerCLIE2ETests/ConfigureTestCommand.cs

@@ -24,7 +24,6 @@ public class ConfigureTestCommand
         [OneTimeSetUp]
         public void OneTimeSetup()
         {
-            WinGetSettingsHelper.ConfigureFeature("configuration", true);
             this.DeleteTxtFiles();
         }
 

src/AppInstallerCLIE2ETests/ConfigureValidateCommand.cs

@@ -16,15 +16,6 @@ public class ConfigureValidateCommand
     {
         private const string Command = "configure validate";
 
-        /// <summary>
-        /// Setup done once before all the tests here.
-        /// </summary>
-        [OneTimeSetUp]
-        public void OneTimeSetup()
-        {
-            WinGetSettingsHelper.ConfigureFeature("configuration", true);
-        }
-
         /// <summary>
         /// The configuration file is empty.
         /// </summary>

src/AppInstallerCLIE2ETests/GroupPolicy.cs

@@ -223,5 +223,19 @@ public void SourceAutoUpdateInterval()
             Assert.AreEqual(Constants.ErrorCode.S_OK, result.ExitCode);
             Assert.IsTrue(result.StdOut.Contains("Source Auto Update Interval In Minutes 123"));
         }
+
+        /// <summary>
+        /// Test configuration is disabled by policy.
+        /// </summary>
+        [Test]
+        public void EnableConfiguration()
+        {
+            GroupPolicyHelper.EnableConfiguration.Disable();
+            var result = TestCommon.RunAICLICommand("configure", TestCommon.GetTestDataFile("Configuration\\ShowDetails_TestRepo.yml"));
+            Assert.AreEqual(Constants.ErrorCode.ERROR_BLOCKED_BY_POLICY, result.ExitCode);
+
+            result = TestCommon.RunAICLICommand("configure show", TestCommon.GetTestDataFile("Configuration\\ShowDetails_TestRepo.yml"));
+            Assert.AreEqual(Constants.ErrorCode.ERROR_BLOCKED_BY_POLICY, result.ExitCode);
+        }
     }
 }

src/AppInstallerCLIE2ETests/GroupPolicyHelper.cs

@@ -113,6 +113,11 @@ private GroupPolicyHelper(string name, string elementId)
         /// </summary>
         public static GroupPolicyHelper EnableAllowedSources { get; private set; } = new GroupPolicyHelper("EnableAllowedSources", "AllowedSources");
 
+        /// <summary>
+        /// Gets the Enable Windows Package Manager Configuration Interfaces policy.
+        /// </summary>
+        public static GroupPolicyHelper EnableConfiguration { get; private set; } = new GroupPolicyHelper("EnableWindowsPackageManagerConfiguration");
+
         /// <summary>
         /// Gets the Enable auto update interval policy.
         /// </summary>
@@ -132,6 +137,7 @@ private GroupPolicyHelper(string name, string elementId)
             EnableAllowedSources,
             SourceAutoUpdateInterval,
             EnableWinGetCommandLineInterfaces,
+            EnableConfiguration,
         };
 
         /// <summary>

src/AppInstallerCLIE2ETests/Helpers/WinGetSettingsHelper.cs

@@ -207,7 +207,6 @@ public static void InitializeAllFeatures(bool status)
             ConfigureFeature("experimentalCmd", status);
             ConfigureFeature("directMSI", status);
             ConfigureFeature("pinning", status);
-            ConfigureFeature("configuration", status);
         }
 
         private static JObject GetJsonSettingsObject(string objectName)

src/AppInstallerCLIPackage/Shared/Strings/en-us/winget.resw

@@ -2077,4 +2077,7 @@ Please specify one of them using the --source option to proceed.</value>
     <value>`--module-path` value must be `currentuser`, `allusers`, `default` or an absolute path.</value>
     <comment>{Locked="{--module-path}, {currentuser}, {allusers}, {default}}</comment>
   </data>
+  <data name="PolicyEnableWinGetConfiguration" xml:space="preserve">
+    <value>Enable Windows Package Manager Configuration</value>
+  </data>
 </root>

src/AppInstallerCLITests/Certificates.cpp

@@ -13,76 +13,76 @@ using namespace AppInstaller::Certificates;
 TEST_CASE("Certificates_NoPinningSucceeds", "[certificates]")
 {
     PinningDetails expected;
-    expected.LoadCertificate(IDX_CERTIFICATE_STORE_ROOT_2).SetPinning(PinningVerificationType::None);
+    expected.LoadCertificate(IDX_CERTIFICATE_STORE_ROOT_2, CERTIFICATE_RESOURCE_TYPE).SetPinning(PinningVerificationType::None);
 
     PinningDetails actual;
-    actual.LoadCertificate(IDX_CERTIFICATE_STORE_LEAF_2);
+    actual.LoadCertificate(IDX_CERTIFICATE_STORE_LEAF_2, CERTIFICATE_RESOURCE_TYPE);
 
     REQUIRE(expected.Validate(actual.GetCertificate()));
 }
 
 TEST_CASE("Certificates_PublicKeyMismatch", "[certificates]")
 {
     PinningDetails expected;
-    expected.LoadCertificate(IDX_CERTIFICATE_STORE_ROOT_2).SetPinning(PinningVerificationType::PublicKey);
+    expected.LoadCertificate(IDX_CERTIFICATE_STORE_ROOT_2, CERTIFICATE_RESOURCE_TYPE).SetPinning(PinningVerificationType::PublicKey);
 
     PinningDetails actual;
-    actual.LoadCertificate(IDX_CERTIFICATE_STORE_LEAF_2);
+    actual.LoadCertificate(IDX_CERTIFICATE_STORE_LEAF_2, CERTIFICATE_RESOURCE_TYPE);
 
     REQUIRE(!expected.Validate(actual.GetCertificate()));
 }
 
 TEST_CASE("Certificates_PublicKeyMatch", "[certificates]")
 {
     PinningDetails expected;
-    expected.LoadCertificate(IDX_CERTIFICATE_STORE_ROOT_2).SetPinning(PinningVerificationType::PublicKey);
+    expected.LoadCertificate(IDX_CERTIFICATE_STORE_ROOT_2, CERTIFICATE_RESOURCE_TYPE).SetPinning(PinningVerificationType::PublicKey);
 
     PinningDetails actual;
-    actual.LoadCertificate(IDX_CERTIFICATE_STORE_ROOT_2);
+    actual.LoadCertificate(IDX_CERTIFICATE_STORE_ROOT_2, CERTIFICATE_RESOURCE_TYPE);
 
     REQUIRE(expected.Validate(actual.GetCertificate()));
 }
 
 TEST_CASE("Certificates_SubjectMismatch", "[certificates]")
 {
     PinningDetails expected;
-    expected.LoadCertificate(IDX_CERTIFICATE_STORE_ROOT_2).SetPinning(PinningVerificationType::Subject);
+    expected.LoadCertificate(IDX_CERTIFICATE_STORE_ROOT_2, CERTIFICATE_RESOURCE_TYPE).SetPinning(PinningVerificationType::Subject);
 
     PinningDetails actual;
-    actual.LoadCertificate(IDX_CERTIFICATE_STORE_INTERMEDIATE_2);
+    actual.LoadCertificate(IDX_CERTIFICATE_STORE_INTERMEDIATE_2, CERTIFICATE_RESOURCE_TYPE);
 
     REQUIRE(!expected.Validate(actual.GetCertificate()));
 }
 
 TEST_CASE("Certificates_SubjectMatch", "[certificates]")
 {
     PinningDetails expected;
-    expected.LoadCertificate(IDX_CERTIFICATE_STORE_INTERMEDIATE_2).SetPinning(PinningVerificationType::Subject);
+    expected.LoadCertificate(IDX_CERTIFICATE_STORE_INTERMEDIATE_2, CERTIFICATE_RESOURCE_TYPE).SetPinning(PinningVerificationType::Subject);
 
     PinningDetails actual;
-    actual.LoadCertificate(IDX_CERTIFICATE_STORE_INTERMEDIATE_2);
+    actual.LoadCertificate(IDX_CERTIFICATE_STORE_INTERMEDIATE_2, CERTIFICATE_RESOURCE_TYPE);
 
     REQUIRE(expected.Validate(actual.GetCertificate()));
 }
 
 TEST_CASE("Certificates_IssuerMismatch", "[certificates]")
 {
     PinningDetails expected;
-    expected.LoadCertificate(IDX_CERTIFICATE_STORE_INTERMEDIATE_2).SetPinning(PinningVerificationType::Issuer);
+    expected.LoadCertificate(IDX_CERTIFICATE_STORE_INTERMEDIATE_2, CERTIFICATE_RESOURCE_TYPE).SetPinning(PinningVerificationType::Issuer);
 
     PinningDetails actual;
-    actual.LoadCertificate(IDX_CERTIFICATE_STORE_LEAF_2);
+    actual.LoadCertificate(IDX_CERTIFICATE_STORE_LEAF_2, CERTIFICATE_RESOURCE_TYPE);
 
     REQUIRE(!expected.Validate(actual.GetCertificate()));
 }
 
 TEST_CASE("Certificates_IssuerMatch", "[certificates]")
 {
     PinningDetails expected;
-    expected.LoadCertificate(IDX_CERTIFICATE_STORE_LEAF_2).SetPinning(PinningVerificationType::Issuer);
+    expected.LoadCertificate(IDX_CERTIFICATE_STORE_LEAF_2, CERTIFICATE_RESOURCE_TYPE).SetPinning(PinningVerificationType::Issuer);
 
     PinningDetails actual;
-    actual.LoadCertificate(IDX_CERTIFICATE_STORE_LEAF_2);
+    actual.LoadCertificate(IDX_CERTIFICATE_STORE_LEAF_2, CERTIFICATE_RESOURCE_TYPE);
 
     REQUIRE(expected.Validate(actual.GetCertificate()));
 }
@@ -91,15 +91,15 @@ TEST_CASE("Certificates_ChainLengthDiffers", "[certificates]")
 {
     PinningChain chain;
     auto chainElement = chain.Root();
-    chainElement->LoadCertificate(IDX_CERTIFICATE_STORE_ROOT_2).SetPinning(PinningVerificationType::PublicKey);
+    chainElement->LoadCertificate(IDX_CERTIFICATE_STORE_ROOT_2, CERTIFICATE_RESOURCE_TYPE).SetPinning(PinningVerificationType::PublicKey);
     chainElement = chainElement.Next();
-    chainElement->LoadCertificate(IDX_CERTIFICATE_STORE_LEAF_2).SetPinning(PinningVerificationType::Subject | PinningVerificationType::Issuer);
+    chainElement->LoadCertificate(IDX_CERTIFICATE_STORE_LEAF_2, CERTIFICATE_RESOURCE_TYPE).SetPinning(PinningVerificationType::Subject | PinningVerificationType::Issuer);
 
     PinningConfiguration config;
     config.AddChain(chain);
 
     PinningDetails details;
-    details.LoadCertificate(IDX_CERTIFICATE_STORE_LEAF_2);
+    details.LoadCertificate(IDX_CERTIFICATE_STORE_LEAF_2, CERTIFICATE_RESOURCE_TYPE);
 
     REQUIRE(!config.Validate(details.GetCertificate()));
 }
@@ -112,7 +112,7 @@ TEST_CASE("Certificates_EmptyChainRejects", "[certificates]")
     config.AddChain(chain);
 
     PinningDetails details;
-    details.LoadCertificate(IDX_CERTIFICATE_STORE_LEAF_2);
+    details.LoadCertificate(IDX_CERTIFICATE_STORE_LEAF_2, CERTIFICATE_RESOURCE_TYPE);
 
     REQUIRE(!config.Validate(details.GetCertificate()));
 }
@@ -121,17 +121,17 @@ TEST_CASE("Certificates_ChainOrderDiffers", "[certificates]")
 {
     PinningChain chain;
     auto chainElement = chain.Root();
-    chainElement->LoadCertificate(IDX_CERTIFICATE_STORE_ROOT_2).SetPinning(PinningVerificationType::PublicKey);
+    chainElement->LoadCertificate(IDX_CERTIFICATE_STORE_ROOT_2, CERTIFICATE_RESOURCE_TYPE).SetPinning(PinningVerificationType::PublicKey);
     chainElement = chainElement.Next();
-    chainElement->LoadCertificate(IDX_CERTIFICATE_STORE_LEAF_2).SetPinning(PinningVerificationType::Subject | PinningVerificationType::Issuer);
+    chainElement->LoadCertificate(IDX_CERTIFICATE_STORE_LEAF_2, CERTIFICATE_RESOURCE_TYPE).SetPinning(PinningVerificationType::Subject | PinningVerificationType::Issuer);
     chainElement = chainElement.Next();
-    chainElement->LoadCertificate(IDX_CERTIFICATE_STORE_INTERMEDIATE_2).SetPinning(PinningVerificationType::Subject | PinningVerificationType::Issuer);
+    chainElement->LoadCertificate(IDX_CERTIFICATE_STORE_INTERMEDIATE_2, CERTIFICATE_RESOURCE_TYPE).SetPinning(PinningVerificationType::Subject | PinningVerificationType::Issuer);
 
     PinningConfiguration config;
     config.AddChain(chain);
 
     PinningDetails details;
-    details.LoadCertificate(IDX_CERTIFICATE_STORE_LEAF_2);
+    details.LoadCertificate(IDX_CERTIFICATE_STORE_LEAF_2, CERTIFICATE_RESOURCE_TYPE);
 
     REQUIRE(!config.Validate(details.GetCertificate()));
 }
@@ -140,17 +140,17 @@ TEST_CASE("Certificates_StoreChain_BuiltInTest", "[certificates]")
 {
     PinningChain chain;
     auto chainElement = chain.Root();
-    chainElement->LoadCertificate(IDX_CERTIFICATE_STORE_ROOT_2).SetPinning(PinningVerificationType::PublicKey);
+    chainElement->LoadCertificate(IDX_CERTIFICATE_STORE_ROOT_2, CERTIFICATE_RESOURCE_TYPE).SetPinning(PinningVerificationType::PublicKey);
     chainElement = chainElement.Next();
-    chainElement->LoadCertificate(IDX_CERTIFICATE_STORE_INTERMEDIATE_2).SetPinning(PinningVerificationType::Subject | PinningVerificationType::Issuer);
+    chainElement->LoadCertificate(IDX_CERTIFICATE_STORE_INTERMEDIATE_2, CERTIFICATE_RESOURCE_TYPE).SetPinning(PinningVerificationType::Subject | PinningVerificationType::Issuer);
     chainElement = chainElement.Next();
-    chainElement->LoadCertificate(IDX_CERTIFICATE_STORE_LEAF_2).SetPinning(PinningVerificationType::Subject | PinningVerificationType::Issuer);
+    chainElement->LoadCertificate(IDX_CERTIFICATE_STORE_LEAF_2, CERTIFICATE_RESOURCE_TYPE).SetPinning(PinningVerificationType::Subject | PinningVerificationType::Issuer);
 
     PinningConfiguration config;
     config.AddChain(chain);
 
     PinningDetails details;
-    details.LoadCertificate(IDX_CERTIFICATE_STORE_LEAF_2);
+    details.LoadCertificate(IDX_CERTIFICATE_STORE_LEAF_2, CERTIFICATE_RESOURCE_TYPE);
 
     REQUIRE(config.Validate(details.GetCertificate()));
 }
@@ -159,27 +159,27 @@ TEST_CASE("Certificates_MultipleChains_Success", "[certificates]")
 {
     PinningChain chainOutOfOrder;
     auto chainElement = chainOutOfOrder.Root();
-    chainElement->LoadCertificate(IDX_CERTIFICATE_STORE_ROOT_2).SetPinning(PinningVerificationType::PublicKey);
+    chainElement->LoadCertificate(IDX_CERTIFICATE_STORE_ROOT_2, CERTIFICATE_RESOURCE_TYPE).SetPinning(PinningVerificationType::PublicKey);
     chainElement = chainElement.Next();
-    chainElement->LoadCertificate(IDX_CERTIFICATE_STORE_LEAF_2).SetPinning(PinningVerificationType::Subject | PinningVerificationType::Issuer);
+    chainElement->LoadCertificate(IDX_CERTIFICATE_STORE_LEAF_2, CERTIFICATE_RESOURCE_TYPE).SetPinning(PinningVerificationType::Subject | PinningVerificationType::Issuer);
     chainElement = chainElement.Next();
-    chainElement->LoadCertificate(IDX_CERTIFICATE_STORE_INTERMEDIATE_2).SetPinning(PinningVerificationType::Subject | PinningVerificationType::Issuer);
+    chainElement->LoadCertificate(IDX_CERTIFICATE_STORE_INTERMEDIATE_2, CERTIFICATE_RESOURCE_TYPE).SetPinning(PinningVerificationType::Subject | PinningVerificationType::Issuer);
 
     PinningConfiguration config;
     config.AddChain(chainOutOfOrder);
 
     PinningChain chain;
     chainElement = chain.Root();
-    chainElement->LoadCertificate(IDX_CERTIFICATE_STORE_ROOT_2).SetPinning(PinningVerificationType::PublicKey);
+    chainElement->LoadCertificate(IDX_CERTIFICATE_STORE_ROOT_2, CERTIFICATE_RESOURCE_TYPE).SetPinning(PinningVerificationType::PublicKey);
     chainElement = chainElement.Next();
-    chainElement->LoadCertificate(IDX_CERTIFICATE_STORE_INTERMEDIATE_2).SetPinning(PinningVerificationType::Subject | PinningVerificationType::Issuer);
+    chainElement->LoadCertificate(IDX_CERTIFICATE_STORE_INTERMEDIATE_2, CERTIFICATE_RESOURCE_TYPE).SetPinning(PinningVerificationType::Subject | PinningVerificationType::Issuer);
     chainElement = chainElement.Next();
-    chainElement->LoadCertificate(IDX_CERTIFICATE_STORE_LEAF_2).SetPinning(PinningVerificationType::Subject | PinningVerificationType::Issuer);
+    chainElement->LoadCertificate(IDX_CERTIFICATE_STORE_LEAF_2, CERTIFICATE_RESOURCE_TYPE).SetPinning(PinningVerificationType::Subject | PinningVerificationType::Issuer);
 
     config.AddChain(chain);
 
     PinningDetails details;
-    details.LoadCertificate(IDX_CERTIFICATE_STORE_LEAF_2);
+    details.LoadCertificate(IDX_CERTIFICATE_STORE_LEAF_2, CERTIFICATE_RESOURCE_TYPE);
 
     REQUIRE(config.Validate(details.GetCertificate()));
 }

src/AppInstallerCLITests/GroupPolicy.cpp

@@ -280,11 +280,11 @@ TEST_CASE("GroupPolicy_Sources", "[groupPolicy]")
         auto additionalSourcesKey = RegCreateVolatileSubKey(policiesKey.get(), AdditionalSourcesPolicyKeyName);
 
         PinningDetails rootCert;
-        rootCert.LoadCertificate(IDX_CERTIFICATE_STORE_ROOT_2);
+        rootCert.LoadCertificate(IDX_CERTIFICATE_STORE_ROOT_2, CERTIFICATE_RESOURCE_TYPE);
         PinningDetails intermediateCert;
-        intermediateCert.LoadCertificate(IDX_CERTIFICATE_STORE_INTERMEDIATE_2);
+        intermediateCert.LoadCertificate(IDX_CERTIFICATE_STORE_INTERMEDIATE_2, CERTIFICATE_RESOURCE_TYPE);
         PinningDetails leafCert;
-        leafCert.LoadCertificate(IDX_CERTIFICATE_STORE_LEAF_2);
+        leafCert.LoadCertificate(IDX_CERTIFICATE_STORE_LEAF_2, CERTIFICATE_RESOURCE_TYPE);
 
         auto getBytesString = [](const PinningDetails& details)
         {
@@ -375,6 +375,7 @@ TEST_CASE("GroupPolicy_AllEnabled", "[groupPolicy]")
     SetRegistryValue(policiesKey.get(), AllowedSourcesPolicyValueName, 1);
     SetRegistryValue(policiesKey.get(), BypassCertificatePinningForMicrosoftStoreValueName, 1);
     SetRegistryValue(policiesKey.get(), EnableWindowsPackageManagerCommandLineInterfaces, 1);
+    SetRegistryValue(policiesKey.get(), ConfigurationPolicyValueName, 1);
 
     GroupPolicy groupPolicy{ policiesKey.get() };
     for (const auto& policy : TogglePolicy::GetAllPolicies())