Implement Windows superuser check (facebookincubator#568)

Summary:

Previously, TTPForge would only log a warning when a TTP required superuser privileges on Windows but wouldn't actually enforce the requirement. This change implements proper administrator privilege checking on Windows using `golang.org/x/sys/windows` to check if the process token is elevated.

The implementation uses Go build tags to provide platform-specific implementations of superuser checking. Unix-based systems continue to use `os.Geteuid() == 0` while Windows now uses token elevation checking.

Reviewed By: RoboticPrism

Differential Revision: D85156306

Author: isaac-fletcher

example-ttps/requirements/os-and-superuser.yaml

@@ -20,4 +20,4 @@ steps:
   - name: demo
     print_str: |
       If you see this string, you are executing this TTP
-      with superuser privileges within a compabile OS/Architecture environment.
+      with superuser privileges within a compatible OS/Architecture environment.

pkg/blocks/requirements.go

@@ -20,9 +20,7 @@ THE SOFTWARE.
 package blocks
 
 import (
-	"errors"
 	"fmt"
-	"os"
 	"runtime"
 
 	"github.com/facebookincubator/ttpforge/pkg/checks"
@@ -93,13 +91,12 @@ func (rc *RequirementsConfig) Verify(ctx checks.VerificationContext) error {
 
 	// check superuser requirement
 	if rc.ExpectSuperuser {
+		if !isSuperuser() {
+			return fmt.Errorf("must be running with elevated privileges to run this TTP")
+		}
 		if runtime.GOOS == "windows" {
-			logging.L().Warnf("not enforcing superuser requirement because it is not supported on windows yet")
+			logging.L().Debug("[+] Running as administrator")
 		} else {
-			if os.Geteuid() != 0 {
-				err := errors.New("must be root (UID 0) to run this TTP")
-				return err
-			}
 			logging.L().Debug("[+] Running as root")
 		}
 	}

pkg/blocks/requirements_unix.go

@@ -0,0 +1,30 @@
+//go:build unix
+
+/*
+Copyright © 2023-present, Meta Platforms, Inc. and affiliates
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.
+*/
+
+package blocks
+
+import "os"
+
+// isSuperuser checks if the current process is running with superuser privileges
+// on Unix-like systems (Linux, macOS, BSD, etc.) by checking if the effective user ID is 0 (root).
+func isSuperuser() bool {
+	return os.Geteuid() == 0
+}

pkg/blocks/requirements_windows.go

@@ -0,0 +1,31 @@
+//go:build windows
+
+/*
+Copyright © 2023-present, Meta Platforms, Inc. and affiliates
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.
+*/
+
+package blocks
+
+import "golang.org/x/sys/windows"
+
+// isSuperuser checks if the current process is running with administrator privileges
+// on Windows by checking if the process token is elevated.
+func isSuperuser() bool {
+	token := windows.GetCurrentProcessToken()
+	return token.IsElevated()
+}