From aa8efc5b947535bcf0c53e8d351e0af1e7aebaf9 Mon Sep 17 00:00:00 2001
From: ksubrmnn <kasubra@microsoft.com>
Date: Thu, 16 May 2019 12:12:02 -0700
Subject: [PATCH] Check User SIDs via os package

---
 cmd/kubeadm/app/preflight/checks_windows.go | 34 +++++++++++++--------
 1 file changed, 22 insertions(+), 12 deletions(-)

diff --git a/cmd/kubeadm/app/preflight/checks_windows.go b/cmd/kubeadm/app/preflight/checks_windows.go
index f7c06d49d1d..58ebcaa2a47 100644
--- a/cmd/kubeadm/app/preflight/checks_windows.go
+++ b/cmd/kubeadm/app/preflight/checks_windows.go
@@ -19,28 +19,38 @@ limitations under the License.
 package preflight
 
 import (
-	"os/exec"
-	"strings"
+	"os/user"
 
 	"github.com/pkg/errors"
 )
 
-// Check validates if an user has elevated (administrator) privileges.
+// The "Well-known SID" of Administrator group
+// https://support.microsoft.com/en-us/help/243330/well-known-security-identifiers-in-windows-operating-systems
+const administratorSID = "S-1-5-32-544"
+
+// Check validates if a user has elevated (administrator) privileges.
 func (ipuc IsPrivilegedUserCheck) Check() (warnings, errorList []error) {
 	errorList = []error{}
 
-	// The "Well-known SID" of Administrator group is S-1-5-32-544
-	// The following powershell will return "True" if run as an administrator, "False" otherwise
-	// See https://msdn.microsoft.com/en-us/library/cc980032.aspx
-	args := []string{"[bool](([System.Security.Principal.WindowsIdentity]::GetCurrent()).groups -match \"S-1-5-32-544\")"}
-	isAdmin, err := exec.Command("powershell", args...).Output()
-
+	currUser, err := user.Current()
 	if err != nil {
-		errorList = append(errorList, errors.Wrap(err, "unable to determine if user is running as administrator"))
-	} else if strings.EqualFold(strings.TrimSpace(string(isAdmin)), "false") {
-		errorList = append(errorList, errors.New("user is not running as administrator"))
+		errorList = append(errorList, errors.New("cannot get current user"))
+		return nil, errorList
 	}
 
+	groupIds, err := currUser.GroupIds()
+	if err != nil {
+		errorList = append(errorList, errors.New("cannot get group IDs for current user"))
+		return nil, errorList
+	}
+
+	for _, sid := range groupIds {
+		if sid == administratorSID {
+			return nil, errorList
+		}
+	}
+
+	errorList = append(errorList, errors.New("user is not running as administrator"))
 	return nil, errorList
 }