elastic
diff --git a/‎testing/installtest/checks.go
+69 b/‎testing/installtest/checks.go
+69
diff --git a/‎testing/installtest/checks_unix.go
+149 b/‎testing/installtest/checks_unix.go
+149
diff --git a/‎testing/installtest/checks_windows.go
+160 b/‎testing/installtest/checks_windows.go
+160
@@ -0,0 +1,69 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+package installtest
+
+import (
+	"context"
+	"fmt"
+	"os"
+	"path/filepath"
+	"runtime"
+
+	atesting "github.com/elastic/elastic-agent/pkg/testing"
+	"github.com/elastic/elastic-agent/pkg/testing/define"
+)
+
+func DefaultTopPath() string {
+	var defaultBasePath string
+	switch runtime.GOOS {
+	case "darwin":
+		defaultBasePath = `/Library`
+	case "linux":
+		defaultBasePath = `/opt`
+	case "windows":
+		defaultBasePath = `C:\Program Files`
+	}
+	return filepath.Join(defaultBasePath, "Elastic", "Agent")
+}
+
+func CheckSuccess(ctx context.Context, f *atesting.Fixture, topPath string, unprivileged bool) error {
+	// Use default topPath if one not defined.
+	if topPath == "" {
+		topPath = DefaultTopPath()
+	}
+
+	_, err := os.Stat(topPath)
+	if err != nil {
+		return fmt.Errorf("%s missing: %w", topPath, err)
+	}
+
+	// Check that a few expected installed files are present
+	installedBinPath := filepath.Join(topPath, exeOnWindows("elastic-agent"))
+	installedDataPath := filepath.Join(topPath, "data")
+	installMarkerPath := filepath.Join(topPath, ".installed")
+
+	_, err = os.Stat(installedBinPath)
+	if err != nil {
+		return fmt.Errorf("%s missing: %w", installedBinPath, err)
+	}
+	_, err = os.Stat(installedDataPath)
+	if err != nil {
+		return fmt.Errorf("%s missing: %w", installedDataPath, err)
+	}
+	_, err = os.Stat(installMarkerPath)
+	if err != nil {
+		return fmt.Errorf("%s missing: %w", installMarkerPath, err)
+	}
+
+	// Specific checks depending on the platform.
+	return checkPlatform(ctx, f, topPath, unprivileged)
+}
+
+func exeOnWindows(filename string) string {
+	if runtime.GOOS == define.Windows {
+		return filename + ".exe"
+	}
+	return filename
+}
@@ -0,0 +1,149 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+//go:build !windows
+
+package installtest
+
+import (
+	"context"
+	"fmt"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"syscall"
+	"time"
+
+	"github.com/elastic/elastic-agent/internal/pkg/agent/application/paths"
+	"github.com/elastic/elastic-agent/internal/pkg/agent/install"
+	atesting "github.com/elastic/elastic-agent/pkg/testing"
+)
+
+func checkPlatform(ctx context.Context, _ *atesting.Fixture, topPath string, unprivileged bool) error {
+	if unprivileged {
+		// Check that the elastic-agent user/group exist.
+		uid, err := install.FindUID(install.ElasticUsername)
+		if err != nil {
+			return fmt.Errorf("failed to find %s user: %w", install.ElasticUsername, err)
+		}
+		gid, err := install.FindGID(install.ElasticGroupName)
+		if err != nil {
+			return fmt.Errorf("failed to find %s group: %w", install.ElasticGroupName, err)
+		}
+
+		// Ensure entire installation tree has the correct permissions.
+		err = validateFileTree(topPath, uint32(uid), uint32(gid))
+		if err != nil {
+			// context already added
+			return err
+		}
+
+		// Check that the socket is created with the correct permissions.
+		socketPath := filepath.Join(topPath, paths.ControlSocketName)
+		err = waitForNoError(ctx, func(_ context.Context) error {
+			_, err = os.Stat(socketPath)
+			if err != nil {
+				return fmt.Errorf("failed to stat socket path %s: %w", socketPath, err)
+			}
+			return nil
+		}, 3*time.Minute, 1*time.Second)
+		info, err := os.Stat(socketPath)
+		if err != nil {
+			return fmt.Errorf("failed to stat socket path %s: %w", socketPath, err)
+		}
+		fs, ok := info.Sys().(*syscall.Stat_t)
+		if !ok {
+			return fmt.Errorf("failed to convert info.Sys() into *syscall.Stat_t")
+		}
+		if fs.Uid != uint32(uid) {
+			return fmt.Errorf("%s not owned by %s user", socketPath, install.ElasticUsername)
+		}
+		if fs.Gid != uint32(gid) {
+			return fmt.Errorf("%s not owned by %s group", socketPath, install.ElasticGroupName)
+		}
+
+		// Executing `elastic-agent status` as the `elastic-agent-user` user should work.
+		var output []byte
+		err = waitForNoError(ctx, func(_ context.Context) error {
+			// #nosec G204 -- user cannot inject any parameters to this command
+			cmd := exec.Command("sudo", "-u", install.ElasticUsername, "elastic-agent", "status")
+			output, err = cmd.CombinedOutput()
+			if err != nil {
+				return fmt.Errorf("elastic-agent status failed: %w (output: %s)", err, output)
+			}
+			return nil
+		}, 3*time.Minute, 1*time.Second)
+
+		// Executing `elastic-agent status` as the original user should fail, because that
+		// user is not in the 'elastic-agent' group.
+		originalUser := os.Getenv("SUDO_USER")
+		if originalUser != "" {
+			// #nosec G204 -- user cannot inject any parameters to this command
+			cmd := exec.Command("sudo", "-u", originalUser, "elastic-agent", "status")
+			output, err := cmd.CombinedOutput()
+			if err == nil {
+				return fmt.Errorf("sudo -u %s elastic-agent didn't fail: got output: %s", originalUser, output)
+			}
+		}
+	} else {
+		// Ensure entire installation tree has the correct permissions.
+		err := validateFileTree(topPath, 0, 0)
+		if err != nil {
+			// context already added
+			return err
+		}
+	}
+	return nil
+}
+
+func validateFileTree(dir string, uid uint32, gid uint32) error {
+	return filepath.Walk(dir, func(file string, info os.FileInfo, err error) error {
+		if err != nil {
+			return fmt.Errorf("error traversing the file tree: %w", err)
+		}
+		if info.Mode().Type() == os.ModeSymlink {
+			// symlink don't check permissions
+			return nil
+		}
+		fs, ok := info.Sys().(*syscall.Stat_t)
+		if !ok {
+			return fmt.Errorf("failed to convert info.Sys() into *syscall.Stat_t")
+		}
+		if fs.Uid != uid {
+			return fmt.Errorf("%s doesn't have correct uid: has %d (expected %d)", file, fs.Uid, uid)
+		}
+		if fs.Gid != gid {
+			return fmt.Errorf("%s doesn't have correct gid: has %d (expected %d)", file, fs.Gid, gid)
+		}
+		if fs.Mode&0007 != 0 {
+			return fmt.Errorf("%s has world access", file)
+		}
+		return nil
+	})
+}
+
+func waitForNoError(ctx context.Context, fun func(ctx context.Context) error, timeout time.Duration, interval time.Duration) error {
+	ctx, cancel := context.WithTimeout(ctx, timeout)
+	defer cancel()
+
+	t := time.NewTicker(interval)
+	defer t.Stop()
+
+	var lastErr error
+	for {
+		select {
+		case <-ctx.Done():
+			if lastErr != nil {
+				return lastErr
+			}
+			return ctx.Err()
+		case <-t.C:
+			err := fun(ctx)
+			if err == nil {
+				return nil
+			}
+			lastErr = err
+		}
+	}
+}
@@ -0,0 +1,160 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+//go:build windows
+
+package installtest
+
+import (
+	"context"
+	"fmt"
+	"reflect"
+	"syscall"
+	"unsafe"
+
+	"golang.org/x/sys/windows"
+
+	"github.com/elastic/elastic-agent/internal/pkg/agent/install"
+	atesting "github.com/elastic/elastic-agent/pkg/testing"
+)
+
+const ACCESS_ALLOWED_ACE_TYPE = 0
+const ACCESS_DENIED_ACE_TYPE = 1
+
+var (
+	advapi32 = syscall.NewLazyDLL("advapi32.dll")
+
+	procGetAce = advapi32.NewProc("GetAce")
+)
+
+type accessAllowedAce struct {
+	AceType    uint8
+	AceFlags   uint8
+	AceSize    uint16
+	AccessMask uint32
+	SidStart   uint32
+}
+
+func checkPlatform(ctx context.Context, f *atesting.Fixture, topPath string, unprivileged bool) error {
+	secInfo, err := windows.GetNamedSecurityInfo(topPath, windows.SE_FILE_OBJECT, windows.OWNER_SECURITY_INFORMATION|windows.DACL_SECURITY_INFORMATION)
+	if err != nil {
+		return fmt.Errorf("GetNamedSecurityInfo failed for %s: %w", topPath, err)
+	}
+	if !secInfo.IsValid() {
+		return fmt.Errorf("GetNamedSecurityInfo result is not valid for %s: %w", topPath, err)
+	}
+	owner, _, err := secInfo.Owner()
+	if err != nil {
+		return fmt.Errorf("secInfo.Owner() failed for %s: %w", topPath, err)
+	}
+	sids, err := getAllowedSIDs(secInfo)
+	if err != nil {
+		return fmt.Errorf("failed to get allowed SID's for %s: %w", topPath, err)
+	}
+	if unprivileged {
+		// Check that the elastic-agent user/group exist.
+		uid, err := install.FindUID(install.ElasticUsername)
+		if err != nil {
+			return fmt.Errorf("failed to find %s user: %w", install.ElasticUsername, err)
+		}
+		uidSID, err := windows.StringToSid(uid)
+		if err != nil {
+			return fmt.Errorf("failed to convert string to windows.SID %s: %w", uid, err)
+		}
+		gid, err := install.FindGID(install.ElasticGroupName)
+		if err != nil {
+			return fmt.Errorf("failed to find %s group: %w", install.ElasticGroupName, err)
+		}
+		gidSID, err := windows.StringToSid(gid)
+		if err != nil {
+			return fmt.Errorf("failed to convert string to windows.SID %s: %w", uid, err)
+		}
+		if !owner.Equals(uidSID) {
+			return fmt.Errorf("%s not owned by %s user", topPath, install.ElasticUsername)
+		}
+		if !hasSID(sids, uidSID) {
+			return fmt.Errorf("path %s should have ACE for %s user", topPath, install.ElasticUsername)
+		}
+		if !hasSID(sids, gidSID) {
+			return fmt.Errorf("path %s should have ACE for %s group", topPath, install.ElasticGroupName)
+		}
+		// administrators should have access as well
+		if !hasWellKnownSID(sids, windows.WinBuiltinAdministratorsSid) {
+			return fmt.Errorf("path %s should have ACE for Administrators", topPath)
+		}
+		// that is 3 unique SID's, it should not have anymore
+		if len(sids) > 3 {
+			return fmt.Errorf("DACL has more than allowed ACE for %s", topPath)
+		}
+	} else {
+		if !owner.IsWellKnown(windows.WinBuiltinAdministratorsSid) {
+			return fmt.Errorf("%s not owned by Administrators", topPath)
+		}
+		// that is 1 unique SID, it should not have anymore
+		if len(sids) > 1 {
+			return fmt.Errorf("DACL has more than allowed ACE for %s", topPath)
+		}
+	}
+	return nil
+}
+
+func hasSID(sids []*windows.SID, m *windows.SID) bool {
+	for _, s := range sids {
+		if s.Equals(m) {
+			return true
+		}
+	}
+	return false
+}
+
+func appendSID(sids []*windows.SID, a *windows.SID) []*windows.SID {
+	if hasSID(sids, a) {
+		return sids
+	}
+	return append(sids, a)
+}
+
+func hasWellKnownSID(sids []*windows.SID, m windows.WELL_KNOWN_SID_TYPE) bool {
+	for _, s := range sids {
+		if s.IsWellKnown(m) {
+			return true
+		}
+	}
+	return false
+}
+
+func getAllowedSIDs(secInfo *windows.SECURITY_DESCRIPTOR) ([]*windows.SID, error) {
+	dacl, _, err := secInfo.DACL()
+	if err != nil {
+		return nil, fmt.Errorf("secInfo.DACL() failed: %w", err)
+	}
+	if dacl == nil {
+		return nil, fmt.Errorf("no DACL set")
+	}
+
+	var sids []*windows.SID
+
+	// sadly the ACL information is not exported so reflect is needed to get the aceCount
+	// it's always field #3 because it's defined by the Windows API (so no real need to worry about it changing)
+	rs := reflect.ValueOf(dacl).Elem()
+	aceCount := rs.Field(3).Uint()
+	for i := uint64(0); i < aceCount; i++ {
+		ace := &accessAllowedAce{}
+		ret, _, _ := procGetAce.Call(uintptr(unsafe.Pointer(dacl)), uintptr(i), uintptr(unsafe.Pointer(&ace)))
+		if ret == 0 {
+			return nil, fmt.Errorf("while getting ACE: %w", windows.GetLastError())
+		}
+		if ace.AceType == ACCESS_DENIED_ACE_TYPE {
+			// we never set denied ACE, something is wrong
+			return nil, fmt.Errorf("denied ACE found (should not be set)")
+		}
+		if ace.AceType != ACCESS_ALLOWED_ACE_TYPE {
+			// unknown ace type
+			return nil, fmt.Errorf("unknown AceType: %d", ace.AceType)
+		}
+		aceSid := (*windows.SID)(unsafe.Pointer(&ace.SidStart))
+		sids = appendSID(sids, aceSid)
+	}
+	return sids, nil
+}