Add registry authentication in runtime

src/windows/common/CMakeLists.txt

@@ -35,6 +35,8 @@ set(SOURCES
     SubProcess.cpp
     svccomm.cpp
     WSLCContainerLauncher.cpp
+    WSLCLocalRegistry.cpp
+    WslcCredentialStore.cpp
     VirtioNetworking.cpp
     WSLCProcessLauncher.cpp
     WslClient.cpp
@@ -116,6 +118,8 @@ set(HEADERS
     SubProcess.h
     svccomm.hpp
     WSLCContainerLauncher.h
+    WSLCLocalRegistry.h
+    WslcCredentialStore.h
     VirtioNetworking.h
     WSLCProcessLauncher.h
     WslClient.h
@@ -134,6 +138,7 @@ set(HEADERS
 
 add_library(common STATIC ${SOURCES} ${HEADERS})
 add_dependencies(common wslserviceidl wslcidl localization wslservicemc wslinstalleridl)
+target_link_libraries(common PRIVATE Crypt32.lib)
 
 target_precompile_headers(common PRIVATE precomp.h)
 set_target_properties(common PROPERTIES FOLDER windows)

src/windows/common/WSLCContainerLauncher.h

@@ -79,6 +79,7 @@ class WSLCContainerLauncher : private WSLCProcessLauncher
     void SetDnsSearchDomains(std::vector<std::string>&& DnsSearchDomains);
     void SetDnsOptions(std::vector<std::string>&& DnsOptions);
 
+    using WSLCProcessLauncher::FormatResult;
     using WSLCProcessLauncher::SetUser;
     using WSLCProcessLauncher::SetWorkingDirectory;
 

src/windows/common/WSLCLocalRegistry.cpp

@@ -0,0 +1,121 @@
+/*++
+
+Copyright (c) Microsoft. All rights reserved.
+
+Module Name:
+
+    WSLCLocalRegistry.cpp
+
+Abstract:
+
+    Implementation of WSLCLocalRegistry.
+
+--*/
+#include "WSLCLocalRegistry.h"
+
+using wsl::windows::common::RunningWSLCContainer;
+using wsl::windows::common::WSLCContainerLauncher;
+using wsl::windows::common::WSLCLocalRegistry;
+
+namespace {
+
+constexpr auto c_registryImage = "registry:3";
+constexpr auto c_htpasswdImage = "httpd:2";
+
+std::string GenerateHtpasswd(IWSLCSession& session, const std::string& username, const std::string& password)
+{
+    THROW_IF_FAILED(session.PullImage(c_htpasswdImage, nullptr, nullptr));
+
+    const auto command = std::format("htpasswd -Bbn '{}' '{}'", username, password);
+
+    WSLCContainerLauncher launcher(c_htpasswdImage, {}, {"/bin/sh", "-c", command});
+    launcher.SetContainerFlags(WSLCContainerFlagsRm);
+
+    auto container = launcher.Launch(session);
+    auto result = container.GetInitProcess().WaitAndCaptureOutput();
+
+    THROW_HR_IF_MSG(E_FAIL, result.Code != 0, "%hs", launcher.FormatResult(result).c_str());
+
+    auto output = result.Output[1];
+    output.erase(output.find_last_not_of("\n\r") + 1);
+
+    THROW_HR_IF_MSG(E_FAIL, output.empty(), "%hs", launcher.FormatResult(result).c_str());
+    return output;
+}
+
+std::vector<std::string> BuildRegistryEnv(IWSLCSession& session, const std::string& username, const std::string& password)
+{
+    std::vector<std::string> env = {
+        "REGISTRY_HTTP_ADDR=0.0.0.0:5000",
+    };
+
+    if (!username.empty())
+    {
+        auto htpasswdEntry = GenerateHtpasswd(session, username, password);
+
+        env.push_back(std::format("HTPASSWD_CONTENT={}", htpasswdEntry));
+        env.push_back("REGISTRY_AUTH=htpasswd");
+        env.push_back("REGISTRY_AUTH_HTPASSWD_REALM=WSLC Test Registry");
+        env.push_back("REGISTRY_AUTH_HTPASSWD_PATH=/htpasswd");
+    }
+
+    return env;
+}
+
+} // namespace
+
+WSLCLocalRegistry::WSLCLocalRegistry(
+    IWSLCSession& session,
+    RunningWSLCContainer&& container,
+    std::string&& username,
+    std::string&& password) :
+    m_session(wil::com_ptr<IWSLCSession>(&session)),
+    m_username(std::move(username)),
+    m_password(std::move(password)),
+    m_container(std::move(container))
+{
+}
+
+WSLCLocalRegistry::~WSLCLocalRegistry()
+{
+    // Delete the container first while the session is still active.
+    m_container.Reset();
+}
+
+WSLCLocalRegistry WSLCLocalRegistry::Start(
+    IWSLCSession& session, const std::string& username, const std::string& password)
+{
+    THROW_IF_FAILED(session.PullImage(c_registryImage, nullptr, nullptr));    
+
+    auto env = BuildRegistryEnv(session, username, password);
+
+    WSLCContainerLauncher launcher(c_registryImage, {}, {}, env);
+    launcher.AddPort(5000, 5000, AF_INET);
+
+    if (!username.empty())
+    {
+        launcher.SetEntrypoint({"/bin/sh", "-c", "echo \"$HTPASSWD_CONTENT\" > /htpasswd && registry serve /etc/distribution/config.yml"});
+    }
+    auto container = launcher.Launch(session, WSLCContainerStartFlagsNone);
+
+    return WSLCLocalRegistry(
+        session,
+        std::move(container),
+        std::string(username),
+        std::string(password));
+}
+
+const char* WSLCLocalRegistry::GetServerAddress() const
+{
+    return "127.0.0.1:5000";
+}
+
+const std::string& WSLCLocalRegistry::GetUsername() const
+{
+    return m_username;
+}
+
+const std::string& WSLCLocalRegistry::GetPassword() const
+{
+    return m_password;
+}

src/windows/common/WSLCLocalRegistry.h

@@ -0,0 +1,52 @@
+/*++
+
+Copyright (c) Microsoft. All rights reserved.
+
+Module Name:
+
+    WSLCLocalRegistry.h
+
+Abstract:
+
+    Helper class that starts a local Docker registry:3 container inside a WSLC
+    session, optionally configured with htpasswd basic authentication.  Intended
+    for use in both unit tests and E2E tests that need a private registry without
+    an external dependency.
+
+--*/
+
+#pragma once
+#include "WSLCContainerLauncher.h"
+
+namespace wsl::windows::common {
+
+class WSLCLocalRegistry
+{
+public:
+    NON_COPYABLE(WSLCLocalRegistry);
+    DEFAULT_MOVABLE(WSLCLocalRegistry);
+    ~WSLCLocalRegistry();
+
+    static WSLCLocalRegistry Start(
+        IWSLCSession& Session,
+        const std::string& Username = {},
+        const std::string& Password = {});
+
+    const char* GetServerAddress() const;
+    const std::string& GetUsername() const;
+    const std::string& GetPassword() const;
+
+private:
+    WSLCLocalRegistry(
+        IWSLCSession& session,
+        RunningWSLCContainer&& container,
+        std::string&& username,
+        std::string&& password);
+
+    wil::com_ptr<IWSLCSession> m_session;
+    std::string m_username;
+    std::string m_password;
+    RunningWSLCContainer m_container;
+};
+
+} // namespace wsl::windows::common

src/windows/common/WslcCredentialStore.cpp

@@ -0,0 +1,69 @@
+/*++
+
+Copyright (c) Microsoft. All rights reserved.
+
+Module Name:
+
+    WslcCredentialStore.cpp
+
+Abstract:
+
+    Implementation of credential store helpers.
+
+--*/
+
+#include "WslcCredentialStore.h"
+#include <format>
+#include <wincrypt.h>
+
+std::string wsl::windows::common::BuildRegistryAuthHeader(
+    const std::string& username, const std::string& password, const std::string& serverAddress)
+{
+    auto authJson = std::format(
+        R"({{"username":"{}","password":"{}","serveraddress":"{}"}})", username, password, serverAddress);
+
+    DWORD base64Size = 0;
+    THROW_IF_WIN32_BOOL_FALSE(CryptBinaryToStringA(
+        reinterpret_cast<const BYTE*>(authJson.c_str()),
+        static_cast<DWORD>(authJson.size()),
+        CRYPT_STRING_BASE64 | CRYPT_STRING_NOCRLF,
+        nullptr,
+        &base64Size));
+
+    std::string result(base64Size, '\0');
+    THROW_IF_WIN32_BOOL_FALSE(CryptBinaryToStringA(
+        reinterpret_cast<const BYTE*>(authJson.c_str()),
+        static_cast<DWORD>(authJson.size()),
+        CRYPT_STRING_BASE64 | CRYPT_STRING_NOCRLF,
+        result.data(),
+        &base64Size));
+
+    result.resize(base64Size);
+    return result;
+}
+
+std::string wsl::windows::common::BuildRegistryAuthHeader(
+    const std::string& identityToken, const std::string& serverAddress)
+{
+    auto authJson = std::format(
+        R"({{"identitytoken":"{}","serveraddress":"{}"}})", identityToken, serverAddress);
+
+    DWORD base64Size = 0;
+    THROW_IF_WIN32_BOOL_FALSE(CryptBinaryToStringA(
+        reinterpret_cast<const BYTE*>(authJson.c_str()),
+        static_cast<DWORD>(authJson.size()),
+        CRYPT_STRING_BASE64 | CRYPT_STRING_NOCRLF,
+        nullptr,
+        &base64Size));
+
+    std::string result(base64Size, '\0');
+    THROW_IF_WIN32_BOOL_FALSE(CryptBinaryToStringA(
+        reinterpret_cast<const BYTE*>(authJson.c_str()),
+        static_cast<DWORD>(authJson.size()),
+        CRYPT_STRING_BASE64 | CRYPT_STRING_NOCRLF,
+        result.data(),
+        &base64Size));
+
+    result.resize(base64Size);
+    return result;
+}

src/windows/common/WslcCredentialStore.h

@@ -0,0 +1,30 @@
+/*++
+
+Copyright (c) Microsoft. All rights reserved.
+
+Module Name:
+
+    WslcCredentialStore.h
+
+Abstract:
+
+    Helpers for building Docker/OCI registry credential payloads.
+
+--*/
+
+#pragma once
+#include <string>
+
+namespace wsl::windows::common {
+
+// Builds the base64-encoded X-Registry-Auth header value used by Docker APIs
+// (PullImage, PushImage, etc.) from the given credentials.
+std::string BuildRegistryAuthHeader(const std::string& username, const std::string& password, const std::string& serverAddress);
+
+// Builds the base64-encoded X-Registry-Auth header value from an identity token
+// returned by Authenticate().
+std::string BuildRegistryAuthHeader(const std::string& identityToken, const std::string& serverAddress);
+
+// TODO: Implement credential storage using WinCred
+
+} // namespace wsl::windows::common

src/windows/inc/docker_schema.h

@@ -48,6 +48,25 @@ struct EmptyRequest
     using TResponse = void;
 };
 
+struct AuthRequest
+{
+    using TResponse = struct AuthResponse;
+
+    std::string username;
+    std::string password;
+    std::string serveraddress;
+
+    NLOHMANN_DEFINE_TYPE_INTRUSIVE(AuthRequest, username, password, serveraddress);
+};
+
+struct AuthResponse
+{
+    std::string Status;
+    std::optional<std::string> IdentityToken;
+
+    NLOHMANN_DEFINE_TYPE_INTRUSIVE_WITH_DEFAULT(AuthResponse, Status, IdentityToken);
+};
+
 struct CreateVolume
 {
     using TResponse = void;

src/windows/service/inc/wslc.idl

@@ -591,7 +591,9 @@ interface IWSLCSession : IUnknown
     HRESULT ListImages([in, unique] const WSLCListImageOptions* Options, [out, size_is(, *Count)] WSLCImageInformation** Images, [out] ULONG* Count);
     HRESULT DeleteImage([in] const WSLCDeleteImageOptions* Options, [out, size_is(, *Count)] WSLCDeletedImageInformation** DeletedImages, [out] ULONG* Count);
     HRESULT TagImage([in] const WSLCTagImageOptions* Options);
+    HRESULT PushImage([in] LPCSTR Image, [in, unique] LPCSTR RegistryAuthenticationInformation, [in, unique] IProgressCallback* ProgressCallback);
     HRESULT InspectImage([in] LPCSTR ImageNameOrId, [out] LPSTR* Output);
+    HRESULT Authenticate([in] LPCSTR ServerAddress, [in] LPCSTR Username, [in] LPCSTR Password, [out] LPSTR* IdentityToken);
 
     // Container management.
     HRESULT CreateContainer([in] const WSLCContainerOptions* Options, [out] IWSLCContainer** Container);