Fix Powershell Execution Policy & Language Mode Logic (#2096)

* Set Execution Policy to Bypass.

For #2095
Also includes whitespace changes. I should probably just make a PR that does all of that sometime. You can hide the whitespace changes in the GH diff view.

See my read up there. Which I copied below.

# Context

There are language modes, which constrain powershell language features, and then execution policies, which constrain running scripts in general. I have had to set flags to enable running scripts by default from a powershell terminal, but there is no documentation indicating anything but that the language mode default is full language, or unrestricted. I also tried a sandbox and it was Full by default.

'FullLanguage is the default language mode for default sessions on all versions of Windows.'
https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_language_modes?view=powershell-7.4&viewFallbackFrom=powershell-7.3#:~:text=The%20FullLanguage%20mode%20permits%20all%20language%20elements%20in%20the%20session.%20FullLanguage%20is%20the%20default%20language%20mode%20for%20default%20sessions%20on%20all%20versions%20of%20Windows.

What causes our error to trigger is not Get-ExecutionPolicy but ExecutionContext.SessionState.LanguageMode.

We should try to set the execution policy to bypass instead of restricted in our code as it prompts a dialogue for permission by default on unrestricted which could be the cause of unknown failures/timeouts, which is an awesome insight from @jacdavis. Even if the script is signed.
Sadly this option does not seem to exist to bypass language mode like how you can for 1 script via execution policy.

The error that spawned this issue triggers by checking the language mode:

Your machine policy ConstrainedLanguage disables PowerShell language features that may be needed to install .NET. Read more at: https://learn.microsoft.com/powershell/module/microsoft.powershell.core/about/about_language_modes?view=powershell-7.3. If you cannot safely and confidently change the execution policy, try setting a custom existingDotnetPath following our instructions here: https://github.com/dotnet/vscode-dotnet-runtime/blob/main/Documentation/troubleshooting-runtime.md.
There is code I wrote that just fails it if ExecutionContext.SessionState.LanguageMode is set to ConstrainedLanguage or NoLanguage.

vscode-dotnet-runtime/vscode-dotnet-runtime-library/src/Acquisition/AcquisitionInvoker.ts

Line 195 in ef5299b

 if(languageMode === 'ConstrainedLanguage' || languageMode === 'NoLanguage')
I dont think those 2 to 4 daily people you see with that error are going to go away. The code is failing on them because it sees their language mode is restricted which is not by default and is set by a SysAdmin. If the install script team knows if we can run the script in a way with a constrained language mode, then we could do that, but that sounds impossible.

* Fix the error message about language mode and handle new error

The language mode error said it was for execution policy which is very confusing.
Now there are 2 separate errors and it has a clear message for both.

* Handle Each Error Better

* Consider that ubuntu 22 04 now supports .net 9

* Fix linting issue

* Improve Test Logic

* Fix Architecture Logic & Remove Old Code

The ubuntu 22 04 version sometimes has 9.0 but older patches of it may not. CI machines are stuck on this logic and fail depending on the machine instance version so we need to work with either case for now. Also, the architecture should not be null in the local state, we want the data to be in sync after the install is made, so I've updated this logic.

I removed the test language change that was there as well.

* Fix the version compare in the linux test

* Dont try to call powershell on non win os

* Url doesn't need specific PowerShell version in it.

Co-authored-by: Michael Yanni <[email protected]>

* Fix url formation

Co-authored-by: Michael Yanni <[email protected]>

---------

Co-authored-by: Michael Yanni <[email protected]>

Author: nagilson

sample/yarn.lock

@@ -42,6 +42,7 @@
   version "1.17.0"
   resolved "https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet-public-npm/npm/registry/@azure/core-rest-pipeline/-/core-rest-pipeline-1.17.0.tgz"
   integrity sha1-Vdr6EJNVPFSe1tjbymmqUFx7OqM=
+  "resolved" "https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet-public-npm/npm/registry/@azure/core-rest-pipeline/-/core-rest-pipeline-1.17.0.tgz"
   dependencies:
     "@azure/abort-controller" "^2.0.0"
     "@azure/core-auth" "^1.8.0"

vscode-dotnet-runtime-extension/src/test/functional/DotnetCoreAcquisitionExtension.test.ts

@@ -622,7 +622,7 @@ suite('DotnetCoreAcquisitionExtension End to End', function ()
     else
     {
       const distroVersion = await new LinuxVersionResolver(mockAcquisitionContext, getMockUtilityContext()).getRunningDistro();
-      assert.equal(result[0].version, Number(distroVersion) > 22.04 ? '9.0.1xx' : '8.0.1xx', 'The SDK did not recommend the version it was supposed to, which should be N.0.1xx based on surface level distro knowledge. If a new version is available, this test may need to be updated to the newest version.');
+      assert.equal(result[0].version, Number(distroVersion.version) >= 22.04 ? '9.0.1xx' : '8.0.1xx', `The SDK did not recommend the version (it said ${result[0].version}) it was supposed to, which should be N.0.1xx based on surface level distro knowledge, version ${distroVersion.version}. If a new version is available, this test may need to be updated to the newest version.`);
     }
   }).timeout(standardTimeoutTime);
 

vscode-dotnet-runtime-library/src/Acquisition/AcquisitionInvoker.ts

@@ -8,7 +8,8 @@ import path = require('path');
 
 /* eslint-disable */ // When editing this file, please remove this and fix the linting concerns.
 
-import {
+import
+{
     DotnetAcquisitionCompleted,
     DotnetAcquisitionInstallError,
     DotnetAcquisitionScriptError,
@@ -17,6 +18,8 @@ import {
     DotnetAcquisitionUnexpectedError,
     DotnetOfflineFailure,
     EventBasedError,
+    PowershellBadExecutionPolicy,
+    PowershellBadLanguageMode,
 } from '../EventStream/EventStreamEvents';
 
 import { timeoutConstants } from '../Utils/ErrorHandler'
@@ -34,20 +37,22 @@ import { DotnetInstall } from './DotnetInstall';
 import { DotnetInstallMode } from './DotnetInstallMode';
 import { WebRequestWorker } from '../Utils/WebRequestWorker';
 
-export class AcquisitionInvoker extends IAcquisitionInvoker {
+export class AcquisitionInvoker extends IAcquisitionInvoker
+{
     protected readonly scriptWorker: IInstallScriptAcquisitionWorker;
-    protected fileUtilities : FileUtilities;
+    protected fileUtilities: FileUtilities;
     private noPowershellError = `powershell.exe is not discoverable on your system. Is PowerShell added to your PATH and correctly installed? Please visit: https://learn.microsoft.com/powershell/scripting/install/installing-powershell-on-windows.
 You will need to restart VS Code after these changes. If PowerShell is still not discoverable, try setting a custom existingDotnetPath following our instructions here: https://github.com/dotnet/vscode-dotnet-runtime/blob/main/Documentation/troubleshooting-runtime.md.`
 
-    constructor(private readonly workerContext : IAcquisitionWorkerContext, private readonly utilityContext : IUtilityContext) {
+    constructor(private readonly workerContext: IAcquisitionWorkerContext, private readonly utilityContext: IUtilityContext)
+    {
 
         super(workerContext.eventStream);
         this.scriptWorker = new InstallScriptAcquisitionWorker(workerContext);
         this.fileUtilities = new FileUtilities();
     }
 
-    public async installDotnet(installContext: IDotnetInstallationContext, install : DotnetInstall): Promise<void>
+    public async installDotnet(installContext: IDotnetInstallationContext, install: DotnetInstall): Promise<void>
     {
         const winOS = os.platform() === 'win32';
         const installCommand = await this.getInstallCommand(installContext.version, installContext.installDir, installContext.installMode, installContext.architecture);
@@ -56,60 +61,76 @@ You will need to restart VS Code after these changes. If PowerShell is still not
         {
             try
             {
-                let windowsFullCommand = `powershell.exe -NoProfile -NonInteractive -NoLogo -ExecutionPolicy unrestricted -Command "& { [Net.ServicePointManager]::SecurityProtocol = [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12; & ${installCommand} }"`;
-                if(winOS)
+                let windowsFullCommand = `powershell.exe -NoProfile -NonInteractive -NoLogo -ExecutionPolicy bypass -Command "& { [Net.ServicePointManager]::SecurityProtocol = [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12; & ${installCommand} }"`;
+                let powershellReference = 'powershell.exe';
+                if (winOS)
                 {
-                    const powershellReference = await this.verifyPowershellCanRun(installContext, install);
+                    powershellReference = await this.verifyPowershellCanRun(installContext, install);
                     windowsFullCommand = windowsFullCommand.replace('powershell.exe', powershellReference);
                 }
 
                 cp.exec(winOS ? windowsFullCommand : installCommand,
-                        { cwd: process.cwd(), maxBuffer: 500 * 1024, timeout: 1000 * installContext.timeoutSeconds, killSignal: 'SIGKILL' },
-                        async (error, stdout, stderr) =>
-                {
-                    if (stdout)
+                    { cwd: process.cwd(), maxBuffer: 500 * 1024, timeout: 1000 * installContext.timeoutSeconds, killSignal: 'SIGKILL' },
+                    async (error, stdout, stderr) =>
                     {
+                        if (stdout)
+                        {
                             this.eventStream.post(new DotnetAcquisitionScriptOutput(install, TelemetryUtilities.HashAllPaths(stdout)));
-                    }
-                    if (stderr)
-                    {
+                        }
+                        if (stderr)
+                        {
                             this.eventStream.post(new DotnetAcquisitionScriptOutput(install, `STDERR: ${TelemetryUtilities.HashAllPaths(stderr)}`));
-                    }
-                    if (error)
-                    {
-                        if (!(await WebRequestWorker.isOnline(installContext.timeoutSeconds, this.eventStream)))
+                        }
+                        if (this.looksLikeBadExecutionPolicyError(stderr))
+                        {
+                            const badPolicyError = new EventBasedError('PowershellBadExecutionPolicy', `Your powershell execution policy does not allow script execution, so we can't automate the installation.
+Please read more at https://go.microsoft.com/fwlink/?LinkID=135170`);
+                            this.eventStream.post(new PowershellBadExecutionPolicy(badPolicyError, install));
+                            reject(badPolicyError);
+                        }
+                        if ((this.looksLikeBadLanguageModeError(stderr) || error?.code === 1) && this.badLanguageModeSet(powershellReference))
+                        {
+                            const badModeError = new EventBasedError('PowershellBadLanguageMode', `Your Language Mode disables PowerShell language features needed to install .NET. Read more at: https://learn.microsoft.com/powershell/module/microsoft.powershell.core/about/about_language_modes.
+If you cannot change this flag, try setting a custom existingDotnetPath via the instructions here: https://github.com/dotnet/vscode-dotnet-runtime/blob/main/Documentation/troubleshooting-runtime.md.`);
+                            this.eventStream.post(new PowershellBadLanguageMode(badModeError, install));
+                            reject(badModeError);
+                        }
+                        if (error)
                         {
-                            const offlineError = new EventBasedError('DotnetOfflineFailure', 'No internet connection detected: Cannot install .NET');
-                            this.eventStream.post(new DotnetOfflineFailure(offlineError, install));
-                            reject(offlineError);
+                            if (!(await WebRequestWorker.isOnline(installContext.timeoutSeconds, this.eventStream)))
+                            {
+                                const offlineError = new EventBasedError('DotnetOfflineFailure', 'No internet connection detected: Cannot install .NET');
+                                this.eventStream.post(new DotnetOfflineFailure(offlineError, install));
+                                reject(offlineError);
+                            }
+                            else if (error.signal === 'SIGKILL')
+                            {
+                                const newError = new EventBasedError('DotnetAcquisitionTimeoutError',
+                                    `${timeoutConstants.timeoutMessage}, MESSAGE: ${error.message}, CODE: ${error.code}, KILLED: ${error.killed}`, error.stack);
+                                this.eventStream.post(new DotnetAcquisitionTimeoutError(error, install, installContext.timeoutSeconds));
+                                reject(newError);
+                            }
+                            else
+                            {
+                                const newError = new EventBasedError('DotnetAcquisitionInstallError',
+                                    `${timeoutConstants.timeoutMessage}, MESSAGE: ${error.message}, CODE: ${error.code}, SIGNAL: ${error.signal}`, error.stack);
+                                this.eventStream.post(new DotnetAcquisitionInstallError(newError, install));
+                                reject(newError);
+                            }
                         }
-                        else if (error.signal === 'SIGKILL') {
-                            const newError = new EventBasedError('DotnetAcquisitionTimeoutError',
-                                `${timeoutConstants.timeoutMessage}, MESSAGE: ${error.message}, CODE: ${error.code}, KILLED: ${error.killed}`, error.stack);
-                            this.eventStream.post(new DotnetAcquisitionTimeoutError(error, install, installContext.timeoutSeconds));
-                            reject(newError);
+                        else if (stderr && stderr.length > 0)
+                        {
+                            this.eventStream.post(new DotnetAcquisitionCompleted(install, installContext.dotnetPath, installContext.version));
+                            resolve();
                         }
                         else
                         {
-                            const newError = new EventBasedError('DotnetAcquisitionInstallError',
-                                `${timeoutConstants.timeoutMessage}, MESSAGE: ${error.message}, CODE: ${error.code}, SIGNAL: ${error.signal}`, error.stack);
-                            this.eventStream.post(new DotnetAcquisitionInstallError(newError, install));
-                            reject(newError);
+                            this.eventStream.post(new DotnetAcquisitionCompleted(install, installContext.dotnetPath, installContext.version));
+                            resolve();
                         }
-                    }
-                    else if (stderr && stderr.length > 0)
-                    {
-                        this.eventStream.post(new DotnetAcquisitionCompleted(install, installContext.dotnetPath, installContext.version));
-                        resolve();
-                    }
-                    else
-                    {
-                        this.eventStream.post(new DotnetAcquisitionCompleted(install, installContext.dotnetPath, installContext.version));
-                        resolve();
-                    }
-                });
+                    });
             }
-            catch (error : any)
+            catch (error: any)
             {
                 // Remove this when https://github.com/typescript-eslint/typescript-eslint/issues/2728 is done
                 // eslint-disable-next-line @typescript-eslint/no-unsafe-member-access
@@ -120,7 +141,53 @@ You will need to restart VS Code after these changes. If PowerShell is still not
         });
     }
 
-    private async getInstallCommand(version: string, dotnetInstallDir: string, installMode: DotnetInstallMode, architecture: string): Promise<string> {
+    private looksLikeBadExecutionPolicyError(stderr: string): boolean
+    {
+        // tls12 is from the command output and gets truncated like so with this error
+        // 135170 is the link id to the error, which may be subject to change but is a good language agnostic way to catch this
+        // about_Execution_Policies this is a relatively language agnostic way to check as well
+        return stderr.includes('+ ... ]::Tls12;') || stderr.includes('135170') || stderr.includes('about_Execution_Policies');
+    }
+
+    private looksLikeBadLanguageModeError(stderr: string): boolean
+    {
+        /*
+This is one possible output of a failed command for this right now, but the install script might change so we account for multiple possibilities.
+
+        Failed to resolve the exact version number.
+At dotnet-install.ps1:1189 char:5
++     throw "Failed to resolve the exact version number."
++     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+    + CategoryInfo          : OperationStopped: (Failed to resol...version number.:String) [], RuntimeException
+    + FullyQualifiedErrorId : Failed to resolve the exact version number.
+        */
+
+        // Unexpected Token may also appear
+
+        return stderr.includes('FullyQualifiedErrorId') || stderr.includes('unexpectedToken')
+    }
+
+    private badLanguageModeSet(powershellReference: string): boolean
+    {
+        if (os.platform() !== 'win32')
+        {
+            return false;
+        }
+
+        try
+        {
+            const languageModeOutput = cp.spawnSync(powershellReference, [`-command`, `$ExecutionContext.SessionState.LanguageMode`], { cwd: path.resolve(__dirname), shell: true });
+            const languageMode = languageModeOutput.stdout.toString().trim();
+            return (languageMode === 'ConstrainedLanguage' || languageMode === 'NoLanguage');
+        }
+        catch (e: any)
+        {
+            return true;
+        }
+    }
+
+    private async getInstallCommand(version: string, dotnetInstallDir: string, installMode: DotnetInstallMode, architecture: string): Promise<string>
+    {
         const arch = this.fileUtilities.nodeArchToDotnetArch(architecture, this.eventStream);
         let args = [
             '-InstallDir', this.escapeFilePath(dotnetInstallDir),
@@ -131,20 +198,21 @@ You will need to restart VS Code after these changes. If PowerShell is still not
         {
             args = args.concat('-Runtime', 'dotnet');
         }
-        else if(installMode === 'aspnetcore')
+        else if (installMode === 'aspnetcore')
         {
             args = args.concat('-Runtime', 'aspnetcore');
         }
-        if(arch !== 'auto')
+        if (arch !== 'auto')
         {
             args = args.concat('-Architecture', arch);
         }
 
         const scriptPath = await this.scriptWorker.getDotnetInstallScriptPath();
-        return `${ this.escapeFilePath(scriptPath) } ${ args.join(' ') }`;
+        return `${this.escapeFilePath(scriptPath)} ${args.join(' ')}`;
     }
 
-    private escapeFilePath(pathToEsc: string): string {
+    private escapeFilePath(pathToEsc: string): string
+    {
         if (os.platform() === 'win32')
         {
             // Need to escape apostrophes with two apostrophes
@@ -163,52 +231,41 @@ You will need to restart VS Code after these changes. If PowerShell is still not
      * @remarks Some users have reported not having powershell.exe or having execution policy that fails property evaluation functions in powershell install scripts.
      * We use this function to throw better errors if powershell is not configured correctly.
      */
-    private async verifyPowershellCanRun(installContext : IDotnetInstallationContext, installId : DotnetInstall) : Promise<string>
+    private async verifyPowershellCanRun(installContext: IDotnetInstallationContext, installId: DotnetInstall): Promise<string>
     {
         let knownError = false;
         let error = null;
         let command = null;
 
         const possibleCommands =
-        [
-            CommandExecutor.makeCommand(`powershell.exe`, []),
-            CommandExecutor.makeCommand(`%SystemRoot%\\System32\\WindowsPowerShell\\v1.0\\powershell.exe`, []),
-            CommandExecutor.makeCommand(`pwsh`, []),
-            CommandExecutor.makeCommand(`powershell`, []),
-            CommandExecutor.makeCommand(`pwsh.exe`, [])
-        ];
+            [
+                CommandExecutor.makeCommand(`powershell.exe`, []),
+                CommandExecutor.makeCommand(`%SystemRoot%\\System32\\WindowsPowerShell\\v1.0\\powershell.exe`, []),
+                CommandExecutor.makeCommand(`pwsh`, []),
+                CommandExecutor.makeCommand(`powershell`, []),
+                CommandExecutor.makeCommand(`pwsh.exe`, [])
+            ];
 
         try
         {
             // Check if PowerShell exists and is on the path.
             command = await new CommandExecutor(this.workerContext, this.utilityContext).tryFindWorkingCommand(possibleCommands);
-            if(!command)
+            if (!command)
             {
                 knownError = true;
                 const err = Error(this.noPowershellError);
                 error = err;
             }
-
-            // Check Execution Policy
-            const execPolicyOutput = cp.spawnSync(command!.commandRoot, [`-command`, `$ExecutionContext.SessionState.LanguageMode`], {cwd : path.resolve(__dirname), shell: true});
-            const languageMode = execPolicyOutput.stdout.toString().trim();
-            if(languageMode === 'ConstrainedLanguage' || languageMode === 'NoLanguage')
-            {
-                knownError = true;
-                const err = Error(`Your machine policy ${languageMode} disables PowerShell language features that may be needed to install .NET. Read more at: https://learn.microsoft.com/powershell/module/microsoft.powershell.core/about/about_language_modes?view=powershell-7.3.
-If you cannot safely and confidently change the execution policy, try setting a custom existingDotnetPath following our instructions here: https://github.com/dotnet/vscode-dotnet-runtime/blob/main/Documentation/troubleshooting-runtime.md.`);
-                error = err;
-            }
         }
-        catch(err : any)
+        catch (err: any)
         {
-            if(!knownError)
+            if (!knownError)
             {
                 error = new Error(`${this.noPowershellError} More details: ${(err as Error).message}`);
             }
         }
 
-        if(error != null)
+        if (error != null)
         {
             this.eventStream.post(new DotnetAcquisitionScriptError(error as Error, installId));
             throw new EventBasedError('DotnetAcquisitionScriptError', error?.message, error?.stack);