windows: tell Windows that our release builds should always run as admin (#2838)

It'll show UAC when you first run the app. After that we can open and close the VPN network adapter without showing more UAC dialogs since we have sudo powers.
2026-01-27 18:18:55 +00:00 · 2023-12-12 11:49:32 -06:00
parent a339f5b437
commit cd3114cc1d
4 changed files with 54 additions and 2 deletions
--- a/rust/windows-client/src-tauri/Cargo.toml
+++ b/rust/windows-client/src-tauri/Cargo.toml
@@ -6,6 +6,7 @@ description = "Firezone Windows Client"
 edition = "2021"

 [build-dependencies]
+anyhow = { version = "1.0" }
 tauri-build = { version = "1.5", features = [] }

 [dependencies]
--- a/rust/windows-client/src-tauri/build.rs
+++ b/rust/windows-client/src-tauri/build.rs
@@ -1,3 +1,18 @@
-fn main() {
-    tauri_build::build()
+fn main() -> anyhow::Result<()> {
+    let win = tauri_build::WindowsAttributes::new().app_manifest(WINDOWS_MANIFEST);
+    let attr = tauri_build::Attributes::new().windows_attributes(win);
+    tauri_build::try_build(attr)?;
+    Ok(())
 }
+
+// If we ask for admin privilege in the manifest, we can't run in Cygwin,
+// which makes debugging hard on my dev system.
+// So always ask for it in Release, which is simpler for users, and in Release
+// mode we run as a GUI so we lose stdout/stderr anyway.
+// If you need admin privileges for debugging, you can right-click the debug exe.
+
+#[cfg(debug_assertions)]
+const WINDOWS_MANIFEST: &str = include_str!("firezone-windows-client-debug.manifest");
+
+#[cfg(not(debug_assertions))]
+const WINDOWS_MANIFEST: &str = include_str!("firezone-windows-client-release.manifest");
--- a/rust/windows-client/src-tauri/firezone-windows-client-debug.manifest
+++ b/rust/windows-client/src-tauri/firezone-windows-client-debug.manifest
@@ -0,0 +1,14 @@
+<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
+    <dependency>
+        <dependentAssembly>
+            <assemblyIdentity
+            type="win32"
+            name="Microsoft.Windows.Common-Controls"
+            version="6.0.0.0"
+            processorArchitecture="*"
+            publicKeyToken="6595b64144ccf1df"
+            language="*"
+            />
+        </dependentAssembly>
+    </dependency>
+</assembly>
--- a/rust/windows-client/src-tauri/firezone-windows-client-release.manifest
+++ b/rust/windows-client/src-tauri/firezone-windows-client-release.manifest
@@ -0,0 +1,22 @@
+<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
+    <dependency>
+        <dependentAssembly>
+            <assemblyIdentity
+            type="win32"
+            name="Microsoft.Windows.Common-Controls"
+            version="6.0.0.0"
+            processorArchitecture="*"
+            publicKeyToken="6595b64144ccf1df"
+            language="*"
+            />
+        </dependentAssembly>
+    </dependency>
+    <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
+        <security>
+            <requestedPrivileges>
+                <!-- Ask Windows to always run us with admin privilege -->
+                <requestedExecutionLevel level="requireAdministrator" uiAccess="false" />
+            </requestedPrivileges>
+        </security>
+    </trustInfo>
+</assembly>