Implement readUser on Windows

solver/llbsolver/file/backend.go

@@ -27,46 +27,6 @@ func timestampToTime(ts int64) *time.Time {
 	return &tm
 }
 
-func mapUserToChowner(user *copy.User, idmap *idtools.IdentityMapping) (copy.Chowner, error) {
-	if user == nil {
-		return func(old *copy.User) (*copy.User, error) {
-			if old == nil {
-				if idmap == nil {
-					return nil, nil
-				}
-				old = &copy.User{} // root
-				// non-nil old is already mapped
-				if idmap != nil {
-					identity, err := idmap.ToHost(idtools.Identity{
-						UID: old.UID,
-						GID: old.GID,
-					})
-					if err != nil {
-						return nil, err
-					}
-					return &copy.User{UID: identity.UID, GID: identity.GID}, nil
-				}
-			}
-			return old, nil
-		}, nil
-	}
-	u := *user
-	if idmap != nil {
-		identity, err := idmap.ToHost(idtools.Identity{
-			UID: user.UID,
-			GID: user.GID,
-		})
-		if err != nil {
-			return nil, err
-		}
-		u.UID = identity.UID
-		u.GID = identity.GID
-	}
-	return func(*copy.User) (*copy.User, error) {
-		return &u, nil
-	}, nil
-}
-
 func mkdir(ctx context.Context, d string, action pb.FileActionMkDir, user *copy.User, idmap *idtools.IdentityMapping) error {
 	p, err := fs.RootPath(d, action.Path)
 	if err != nil {
@@ -250,7 +210,21 @@ func docopy(ctx context.Context, src, dest string, action pb.FileActionCopy, u *
 	return nil
 }
 
+// NewFileOpBackend returns a new file operation backend. The executor is currently only used for Windows,
+// and it is used to construct the readUserFn field set in the returned Backend.
+func NewFileOpBackend(readUser ReadUserCallback) (*Backend, error) {
+	if readUser == nil {
+		return nil, errors.New("readUser callback must be provided")
+	}
+	return &Backend{
+		readUser: readUser,
+	}, nil
+}
+
+type ReadUserCallback func(chopt *pb.ChownOpt, mu, mg snapshot.Mountable) (*copy.User, error)
+
 type Backend struct {
+	readUser ReadUserCallback
 }
 
 func (fb *Backend) Mkdir(ctx context.Context, m, user, group fileoptypes.Mount, action pb.FileActionMkDir) error {
@@ -266,7 +240,7 @@ func (fb *Backend) Mkdir(ctx context.Context, m, user, group fileoptypes.Mount,
 	}
 	defer lm.Unmount()
 
-	u, err := readUser(action.Owner, user, group)
+	u, err := fb.readUserWrapper(action.Owner, user, group)
 	if err != nil {
 		return err
 	}
@@ -287,7 +261,7 @@ func (fb *Backend) Mkfile(ctx context.Context, m, user, group fileoptypes.Mount,
 	}
 	defer lm.Unmount()
 
-	u, err := readUser(action.Owner, user, group)
+	u, err := fb.readUserWrapper(action.Owner, user, group)
 	if err != nil {
 		return err
 	}
@@ -335,14 +309,41 @@ func (fb *Backend) Copy(ctx context.Context, m1, m2, user, group fileoptypes.Mou
 	}
 	defer lm2.Unmount()
 
-	u, err := readUser(action.Owner, user, group)
+	u, err := fb.readUserWrapper(action.Owner, user, group)
 	if err != nil {
 		return err
 	}
 
 	return docopy(ctx, src, dest, action, u, mnt2.m.IdentityMapping())
 }
 
+func (fb *Backend) readUserWrapper(owner *pb.ChownOpt, user, group fileoptypes.Mount) (*copy.User, error) {
+	var userMountable, groupMountable snapshot.Mountable
+	if user != nil {
+		usr, ok := user.(*Mount)
+		if !ok {
+			return nil, errors.Errorf("invalid mount type %T", user)
+		}
+		userMountable = usr.Mountable()
+	}
+
+	if group != nil {
+		grp, ok := group.(*Mount)
+		if !ok {
+			return nil, errors.Errorf("invalid mount type %T", group)
+		}
+		groupMountable = grp.Mountable()
+	}
+
+	// We don't check the mountables for nil here. Depending on the ChownOpt value,
+	// one of them may be nil. Allow the readUser function to handle this.
+	u, err := fb.readUser(owner, userMountable, groupMountable)
+	if err != nil {
+		return nil, err
+	}
+	return u, nil
+}
+
 func cleanPath(s string) (string, error) {
 	s, err := system.CheckSystemDriveAndRemoveDriveLetter(s, runtime.GOOS)
 	if err != nil {

solver/llbsolver/file/backend_unix.go

@@ -0,0 +1,49 @@
+//go:build !windows
+// +build !windows
+
+package file
+
+import (
+	"github.com/docker/docker/pkg/idtools"
+	copy "github.com/tonistiigi/fsutil/copy"
+)
+
+func mapUserToChowner(user *copy.User, idmap *idtools.IdentityMapping) (copy.Chowner, error) {
+	if user == nil {
+		return func(old *copy.User) (*copy.User, error) {
+			if old == nil {
+				if idmap == nil {
+					return nil, nil
+				}
+				old = &copy.User{} // root
+				// non-nil old is already mapped
+				if idmap != nil {
+					identity, err := idmap.ToHost(idtools.Identity{
+						UID: old.UID,
+						GID: old.GID,
+					})
+					if err != nil {
+						return nil, err
+					}
+					return &copy.User{UID: identity.UID, GID: identity.GID}, nil
+				}
+			}
+			return old, nil
+		}, nil
+	}
+	u := *user
+	if idmap != nil {
+		identity, err := idmap.ToHost(idtools.Identity{
+			UID: user.UID,
+			GID: user.GID,
+		})
+		if err != nil {
+			return nil, err
+		}
+		u.UID = identity.UID
+		u.GID = identity.GID
+	}
+	return func(*copy.User) (*copy.User, error) {
+		return &u, nil
+	}, nil
+}

solver/llbsolver/file/backend_windows.go

@@ -0,0 +1,22 @@
+package file
+
+import (
+	"github.com/docker/docker/pkg/idtools"
+	copy "github.com/tonistiigi/fsutil/copy"
+)
+
+func mapUserToChowner(user *copy.User, idmap *idtools.IdentityMapping) (copy.Chowner, error) {
+	if user == nil || user.SID == "" {
+		return func(old *copy.User) (*copy.User, error) {
+			if old == nil || old.SID == "" {
+				old = &copy.User{
+					SID: idtools.ContainerAdministratorSidString,
+				}
+			}
+			return old, nil
+		}, nil
+	}
+	return func(*copy.User) (*copy.User, error) {
+		return user, nil
+	}, nil
+}

solver/llbsolver/file/refmanager.go

@@ -79,6 +79,10 @@ type Mount struct {
 	readonly bool
 }
 
+func (m *Mount) Mountable() snapshot.Mountable {
+	return m.m
+}
+
 func (m *Mount) Release(ctx context.Context) error {
 	if m.mr != nil {
 		return m.mr.Release(ctx)

solver/llbsolver/ops/file.go

@@ -167,7 +167,12 @@ func (f *fileOp) Exec(ctx context.Context, g session.Group, inputs []solver.Resu
 		inpRefs = append(inpRefs, workerRef.ImmutableRef)
 	}
 
-	fs := NewFileOpSolver(f.w, &file.Backend{}, f.refManager)
+	backend, err := file.NewFileOpBackend(getReadUserFn(f.w))
+	if err != nil {
+		return nil, err
+	}
+
+	fs := NewFileOpSolver(f.w, backend, f.refManager)
 	outs, err := fs.Solve(ctx, inpRefs, f.op.Actions, g)
 	if err != nil {
 		return nil, err

solver/llbsolver/file/user_linux.go → solver/llbsolver/ops/user_linux.go

@@ -1,19 +1,23 @@
-package file
+package ops
 
 import (
 	"os"
 	"syscall"
 
 	"github.com/containerd/continuity/fs"
 	"github.com/moby/buildkit/snapshot"
-	"github.com/moby/buildkit/solver/llbsolver/ops/fileoptypes"
 	"github.com/moby/buildkit/solver/pb"
+	"github.com/moby/buildkit/worker"
 	"github.com/opencontainers/runc/libcontainer/user"
 	"github.com/pkg/errors"
 	copy "github.com/tonistiigi/fsutil/copy"
 )
 
-func readUser(chopt *pb.ChownOpt, mu, mg fileoptypes.Mount) (*copy.User, error) {
+func getReadUserFn(worker worker.Worker) func(chopt *pb.ChownOpt, mu, mg snapshot.Mountable) (*copy.User, error) {
+	return readUser
+}
+
+func readUser(chopt *pb.ChownOpt, mu, mg snapshot.Mountable) (*copy.User, error) {
 	if chopt == nil {
 		return nil, nil
 	}
@@ -24,11 +28,8 @@ func readUser(chopt *pb.ChownOpt, mu, mg fileoptypes.Mount) (*copy.User, error)
 			if mu == nil {
 				return nil, errors.Errorf("invalid missing user mount")
 			}
-			mmu, ok := mu.(*Mount)
-			if !ok {
-				return nil, errors.Errorf("invalid mount type %T", mu)
-			}
-			lm := snapshot.LocalMounter(mmu.m)
+
+			lm := snapshot.LocalMounter(mu)
 			dir, err := lm.Mount()
 			if err != nil {
 				return nil, err
@@ -78,11 +79,8 @@ func readUser(chopt *pb.ChownOpt, mu, mg fileoptypes.Mount) (*copy.User, error)
 			if mg == nil {
 				return nil, errors.Errorf("invalid missing group mount")
 			}
-			mmg, ok := mg.(*Mount)
-			if !ok {
-				return nil, errors.Errorf("invalid mount type %T", mg)
-			}
-			lm := snapshot.LocalMounter(mmg.m)
+
+			lm := snapshot.LocalMounter(mg)
 			dir, err := lm.Mount()
 			if err != nil {
 				return nil, err

solver/llbsolver/ops/user_other.go

@@ -0,0 +1,23 @@
+//go:build !linux && !windows
+// +build !linux,!windows
+
+package ops
+
+import (
+	"github.com/moby/buildkit/snapshot"
+	"github.com/moby/buildkit/solver/pb"
+	"github.com/moby/buildkit/worker"
+	"github.com/pkg/errors"
+	copy "github.com/tonistiigi/fsutil/copy"
+)
+
+func getReadUserFn(worker worker.Worker) func(chopt *pb.ChownOpt, mu, mg snapshot.Mountable) (*copy.User, error) {
+	return readUser
+}
+
+func readUser(chopt *pb.ChownOpt, mu, mg snapshot.Mountable) (*copy.User, error) {
+	if chopt == nil {
+		return nil, nil
+	}
+	return nil, errors.New("only implemented in linux and windows")
+}

solver/llbsolver/ops/user_windows.go

@@ -0,0 +1,48 @@
+package ops
+
+import (
+	"context"
+
+	"github.com/docker/docker/pkg/idtools"
+	"github.com/moby/buildkit/snapshot"
+	"github.com/moby/buildkit/solver/pb"
+	"github.com/moby/buildkit/util/windows"
+	"github.com/moby/buildkit/worker"
+	"github.com/pkg/errors"
+	copy "github.com/tonistiigi/fsutil/copy"
+)
+
+func getReadUserFn(worker worker.Worker) func(chopt *pb.ChownOpt, mu, mg snapshot.Mountable) (*copy.User, error) {
+	return func(chopt *pb.ChownOpt, mu, mg snapshot.Mountable) (*copy.User, error) {
+		return readUser(chopt, mu, mg, worker)
+	}
+}
+
+func readUser(chopt *pb.ChownOpt, mu, mg snapshot.Mountable, worker worker.Worker) (*copy.User, error) {
+	if chopt == nil {
+		return nil, nil
+	}
+
+	if chopt.User != nil {
+		switch u := chopt.User.User.(type) {
+		case *pb.UserOpt_ByName:
+			if mu == nil {
+				return nil, errors.Errorf("invalid missing user mount")
+			}
+
+			rootMounts, release, err := mu.Mount()
+			if err != nil {
+				return nil, err
+			}
+			defer release()
+			ident, err := windows.ResolveUsernameToSID(context.Background(), worker.Executor(), rootMounts, u.ByName.Name)
+			if err != nil {
+				return nil, err
+			}
+			return &copy.User{SID: ident.SID}, nil
+		default:
+			return &copy.User{SID: idtools.ContainerAdministratorSidString}, nil
+		}
+	}
+	return &copy.User{SID: idtools.ContainerAdministratorSidString}, nil
+}