Merged PR 40255: Fixing MSRC issue with registry credential re-use

**Description**
Added new set of env variables to allow separately specifying credentials for Pull and Push Registry operations. The old set of variables is used as a fallback for the Push Registry operations, and the pull operations _in the specific case_ where the push and pull registries are the same.

**Customer Impact**
Customers that used the environment variable approach (not incredibly common, but some key use cases like `azd` (they are changing) and used different source and target registries (e.g. mcr.microsoft.com for the source, ghcr.io or ACR for target) would send credentials intended for the target to the source.

**Regression**
No - this behavior has been around as long as we supported pull registry authentication.

**Risk**
Low - this includes new tests for the use of the various env vars in the various combinations of push/pull registry domain.

Author: MichalPavlik

src/Containers/Microsoft.NET.Build.Containers/AuthHandshakeMessageHandler.cs

@@ -2,6 +2,7 @@
 // The .NET Foundation licenses this file to you under the MIT license.
 
 using System.Collections.Concurrent;
+using System.ComponentModel;
 using System.Diagnostics;
 using System.Diagnostics.CodeAnalysis;
 using System.Net;
@@ -36,12 +37,14 @@ private sealed record AuthInfo(string Realm, string? Service, string? Scope);
 
     private readonly string _registryName;
     private readonly ILogger _logger;
+    private readonly RegistryMode _registryMode;
     private static ConcurrentDictionary<string, AuthenticationHeaderValue?> _authenticationHeaders = new();
 
-    public AuthHandshakeMessageHandler(string registryName, HttpMessageHandler innerHandler, ILogger logger) : base(innerHandler)
+    public AuthHandshakeMessageHandler(string registryName, HttpMessageHandler innerHandler, ILogger logger, RegistryMode mode) : base(innerHandler)
     {
         _registryName = registryName;
         _logger = logger;
+        _registryMode = mode;
     }
 
     /// <summary>
@@ -136,8 +139,7 @@ public DateTimeOffset ResolvedExpiration {
     private async Task<(AuthenticationHeaderValue, DateTimeOffset)?> GetAuthenticationAsync(string registry, string scheme, AuthInfo? bearerAuthInfo, CancellationToken cancellationToken)
     {
         // Allow overrides for auth via environment variables
-        string? credU = Environment.GetEnvironmentVariable(ContainerHelpers.HostObjectUser);
-        string? credP = Environment.GetEnvironmentVariable(ContainerHelpers.HostObjectPass);
+        (string? credU, string? credP) = GetDockerCredentialsFromEnvironment(_registryMode);
 
         // fetch creds for the host
         DockerCredentials? privateRepoCreds;
@@ -175,6 +177,46 @@ public DateTimeOffset ResolvedExpiration {
         }
     }
 
+    /// <summary>
+    /// Gets docker credentials from the environment variables based on registry mode.
+    /// </summary>
+    internal static (string? credU, string? credP) GetDockerCredentialsFromEnvironment(RegistryMode mode)
+    {
+        if (mode == RegistryMode.Push)
+        {
+            string? credU = Environment.GetEnvironmentVariable(ContainerHelpers.PushHostObjectUser);
+            string? credP = Environment.GetEnvironmentVariable(ContainerHelpers.PushHostObjectPass);
+            if (string.IsNullOrEmpty(credU) || string.IsNullOrEmpty(credP))
+            {
+                // Fallback to the old environment variables
+                return (Environment.GetEnvironmentVariable(ContainerHelpers.HostObjectUser),
+                        Environment.GetEnvironmentVariable(ContainerHelpers.HostObjectPass));
+            }
+            return (credU, credP);
+        }
+        else if (mode == RegistryMode.Pull)
+        {
+            return (Environment.GetEnvironmentVariable(ContainerHelpers.PullHostObjectUser),
+                    Environment.GetEnvironmentVariable(ContainerHelpers.PullHostObjectPass));
+        }
+        else if (mode == RegistryMode.PullFromOutput)
+        {
+            string? credU = Environment.GetEnvironmentVariable(ContainerHelpers.PullHostObjectUser);
+            string? credP = Environment.GetEnvironmentVariable(ContainerHelpers.PullHostObjectPass);
+            if (string.IsNullOrEmpty(credU) || string.IsNullOrEmpty(credP))
+            {
+                // Fallback to the old environment variables
+                return (Environment.GetEnvironmentVariable(ContainerHelpers.HostObjectUser),
+                        Environment.GetEnvironmentVariable(ContainerHelpers.HostObjectPass));
+            }
+            return (credU, credP);
+        }
+        else
+        {
+            throw new InvalidEnumArgumentException(nameof(mode), (int)mode, typeof(RegistryMode));
+        }
+    }
+
     /// <summary>
     /// Implements the Docker OAuth2 Authentication flow as documented at <see href="https://docs.docker.com/registry/spec/auth/oauth/"/>.
     /// </summary

src/Containers/Microsoft.NET.Build.Containers/ContainerBuilder.cs

@@ -43,7 +43,8 @@ public static async Task<int> ContainerizeAsync(
         logger.LogTrace("Trace logging: enabled.");
 
         bool isLocalPull = string.IsNullOrEmpty(baseRegistry);
-        Registry? sourceRegistry = isLocalPull ? null : new Registry(baseRegistry, logger);
+        RegistryMode sourceRegistryMode = baseRegistry.Equals(outputRegistry, StringComparison.InvariantCultureIgnoreCase) ? RegistryMode.PullFromOutput : RegistryMode.Pull;
+        Registry? sourceRegistry = isLocalPull ? null : new Registry(baseRegistry, logger, sourceRegistryMode);
         SourceImageReference sourceImageReference = new(sourceRegistry, baseImageName, baseImageTag);
 
         DestinationImageReference destinationImageReference = DestinationImageReference.CreateFromSettings(

src/Containers/Microsoft.NET.Build.Containers/ContainerHelpers.cs

@@ -16,9 +16,14 @@ namespace Microsoft.NET.Build.Containers;
 public static class ContainerHelpers
 {
     internal const string HostObjectUser = "SDK_CONTAINER_REGISTRY_UNAME";
-
     internal const string HostObjectPass = "SDK_CONTAINER_REGISTRY_PWORD";
 
+    internal const string PushHostObjectUser = "SDK_CONTAINER_PUSH_REGISTRY_UNAME";
+    internal const string PushHostObjectPass = "SDK_CONTAINER_PUSH_REGISTRY_PWORD";
+
+    internal const string PullHostObjectUser = "SDK_CONTAINER_PULL_REGISTRY_UNAME";
+    internal const string PullHostObjectPass = "SDK_CONTAINER_PULL_REGISTRY_PWORD";
+
     internal const string DockerRegistryAlias = "docker.io";
 
     /// <summary>

src/Containers/Microsoft.NET.Build.Containers/DestinationImageReference.cs

@@ -75,7 +75,10 @@ public static DestinationImageReference CreateFromSettings(
         }
         else if (!string.IsNullOrEmpty(outputRegistry))
         {
-            destinationImageReference = new DestinationImageReference(new Registry(outputRegistry, loggerFactory.CreateLogger<Registry>()), repository, imageTags);
+            destinationImageReference = new DestinationImageReference(
+                new Registry(outputRegistry, loggerFactory.CreateLogger<Registry>(), RegistryMode.Push),
+                repository,
+                imageTags);
         }
         else
         {

src/Containers/Microsoft.NET.Build.Containers/Registry/DefaultRegistryAPI.cs

@@ -22,12 +22,12 @@ internal class DefaultRegistryAPI : IRegistryAPI
     // Making this a round 30 for convenience.
     private static TimeSpan LongRequestTimeout = TimeSpan.FromMinutes(30);
 
-    internal DefaultRegistryAPI(string registryName, Uri baseUri, ILogger logger)
+    internal DefaultRegistryAPI(string registryName, Uri baseUri, ILogger logger, RegistryMode mode)
     {
         bool isAmazonECRRegistry = baseUri.IsAmazonECRRegistry();
         _baseUri = baseUri;
         _logger = logger;
-        _client = CreateClient(registryName, baseUri, logger, isAmazonECRRegistry);
+        _client = CreateClient(registryName, baseUri, logger, isAmazonECRRegistry, mode);
         Manifest = new DefaultManifestOperations(_baseUri, registryName, _client, _logger);
         Blob = new DefaultBlobOperations(_baseUri, registryName, _client, _logger);
     }
@@ -36,7 +36,7 @@ internal DefaultRegistryAPI(string registryName, Uri baseUri, ILogger logger)
 
     public IManifestOperations Manifest { get; }
 
-    private static HttpClient CreateClient(string registryName, Uri baseUri, ILogger logger, bool isAmazonECRRegistry = false)
+    private static HttpClient CreateClient(string registryName, Uri baseUri, ILogger logger, bool isAmazonECRRegistry, RegistryMode mode)
     {
         var innerHandler = new SocketsHttpHandler()
         {
@@ -55,7 +55,7 @@ private static HttpClient CreateClient(string registryName, Uri baseUri, ILogger
             };
         }
 
-        HttpMessageHandler clientHandler = new AuthHandshakeMessageHandler(registryName, innerHandler, logger);
+        HttpMessageHandler clientHandler = new AuthHandshakeMessageHandler(registryName, innerHandler, logger, mode);
 
         if (isAmazonECRRegistry)
         {

src/Containers/Microsoft.NET.Build.Containers/Registry/Registry.cs

@@ -10,6 +10,13 @@
 
 namespace Microsoft.NET.Build.Containers;
 
+internal enum RegistryMode
+{
+    Push,
+    Pull,
+    PullFromOutput
+}
+
 internal sealed class Registry
 {
     private const string DockerHubRegistry1 = "registry-1.docker.io";
@@ -27,11 +34,23 @@ internal sealed class Registry
     /// </summary>
     public string RegistryName { get; }
 
-    internal Registry(string registryName, ILogger logger, IRegistryAPI? registryAPI = null, RegistrySettings? settings = null) :
-        this(ContainerHelpers.TryExpandRegistryToUri(registryName), logger, registryAPI, settings)
+    internal Registry(string registryName, ILogger logger, RegistryMode mode, RegistrySettings? settings = null) : this(
+        ContainerHelpers.TryExpandRegistryToUri(registryName), logger, new RegistryApiFactory(mode), settings)
+    { }
+
+    internal Registry(string registryName, ILogger logger, IRegistryAPI registryAPI, RegistrySettings? settings = null) : this(
+        ContainerHelpers.TryExpandRegistryToUri(registryName), logger, new RegistryApiFactory(registryAPI), settings)
     { }
 
-    internal Registry(Uri baseUri, ILogger logger, IRegistryAPI? registryAPI = null, RegistrySettings? settings = null)
+    internal Registry(Uri baseUri, ILogger logger, IRegistryAPI registryAPI, RegistrySettings? settings = null) :
+        this(baseUri, logger, new RegistryApiFactory(registryAPI), settings)
+    { }
+
+    internal Registry(Uri baseUri, ILogger logger, RegistryMode mode, RegistrySettings? settings = null) :
+        this(baseUri, logger, new RegistryApiFactory(mode), settings)
+    { }
+
+    private Registry(Uri baseUri, ILogger logger, RegistryApiFactory factory, RegistrySettings? settings = null)
     {
         RegistryName = DeriveRegistryName(baseUri);
 
@@ -44,7 +63,7 @@ internal Registry(Uri baseUri, ILogger logger, IRegistryAPI? registryAPI = null,
 
         _logger = logger;
         _settings = settings ?? new RegistrySettings();
-        _registryAPI = registryAPI ?? new DefaultRegistryAPI(RegistryName, BaseUri, logger);
+        _registryAPI = factory.Create(RegistryName, BaseUri, logger);
     }
 
     private static string DeriveRegistryName(Uri baseUri)
@@ -442,4 +461,24 @@ private async Task PushAsync(BuiltImage builtImage, SourceImageReference source,
             _logger.LogInformation(Strings.Registry_ManifestUploaded, RegistryName);
         }
     }
+
+    private readonly ref struct RegistryApiFactory
+    {
+        private readonly IRegistryAPI? _registryApi;
+        private readonly RegistryMode? _mode;
+        public RegistryApiFactory(IRegistryAPI registryApi)
+        {
+            _registryApi = registryApi;
+        }
+
+        public RegistryApiFactory(RegistryMode mode)
+        {
+            _mode = mode;
+        }
+
+        public IRegistryAPI Create(string registryName, Uri baseUri, ILogger logger)
+        {
+            return _registryApi ?? new DefaultRegistryAPI(registryName, baseUri, logger, _mode!.Value);
+        }
+    }
 }

src/Containers/Microsoft.NET.Build.Containers/Tasks/CreateNewImage.cs

@@ -48,7 +48,8 @@ internal async Task<bool> ExecuteAsync(CancellationToken cancellationToken)
             return !Log.HasLoggedErrors;
         }
 
-        Registry? sourceRegistry = IsLocalPull ? null : new Registry(BaseRegistry, logger);
+        RegistryMode sourceRegistryMode = BaseRegistry.Equals(OutputRegistry, StringComparison.InvariantCultureIgnoreCase) ? RegistryMode.PullFromOutput : RegistryMode.Pull;
+        Registry? sourceRegistry = IsLocalPull ? null : new Registry(BaseRegistry, logger, sourceRegistryMode);
         SourceImageReference sourceImageReference = new(sourceRegistry, BaseImageName, BaseImageTag);
 
         DestinationImageReference destinationImageReference = DestinationImageReference.CreateFromSettings(

src/Tests/Microsoft.NET.Build.Containers.IntegrationTests/CreateNewImageTests.cs

@@ -225,7 +225,7 @@ public async System.Threading.Tasks.Task CreateNewImage_RootlessBaseImage()
         var logger = loggerFactory.CreateLogger(nameof(CreateNewImage_RootlessBaseImage));
 
         // Build a rootless base runtime image.
-        Registry registry = new Registry(DockerRegistryManager.LocalRegistry, logger);
+        Registry registry = new(DockerRegistryManager.LocalRegistry, logger, RegistryMode.Push);
 
         ImageBuilder imageBuilder = await registry.GetImageManifestAsync(
             DockerRegistryManager.RuntimeBaseImage,

src/Tests/Microsoft.NET.Build.Containers.IntegrationTests/DockerRegistryTests.cs

@@ -22,7 +22,7 @@ public async Task GetFromRegistry()
     {
         var loggerFactory = new TestLoggerFactory(_testOutput);
         var logger = loggerFactory.CreateLogger(nameof(GetFromRegistry));
-        Registry registry = new Registry(DockerRegistryManager.LocalRegistry, logger);
+        Registry registry = new(DockerRegistryManager.LocalRegistry, logger, RegistryMode.Push);
         var ridgraphfile = ToolsetUtils.GetRuntimeGraphFilePath();
 
         // Don't need rid graph for local registry image pulls - since we're only pushing single image manifests (not manifest lists)
@@ -73,9 +73,9 @@ public async Task WriteToPrivateBasicRegistry()
             // login to that registry
             ContainerCli.LoginCommand(_testOutput, "--username", "testuser", "--password", "testpassword", registryName).Execute().Should().Pass();
             // push an image to that registry using username/password
-            Registry localAuthed = new Registry(new Uri($"https://{registryName}"), logger, settings: new() { ParallelUploadEnabled = false, ForceChunkedUpload = true });
+            Registry localAuthed = new(new Uri($"https://{registryName}"), logger, RegistryMode.Push, settings: new() { ParallelUploadEnabled = false, ForceChunkedUpload = true });
             var ridgraphfile = ToolsetUtils.GetRuntimeGraphFilePath();
-            Registry mcr = new Registry(DockerRegistryManager.BaseImageSource, logger);
+            Registry mcr = new(DockerRegistryManager.BaseImageSource, logger, RegistryMode.Pull);
 
             var sourceImage = new SourceImageReference(mcr, DockerRegistryManager.RuntimeBaseImage, DockerRegistryManager.Net6ImageTag);
             var destinationImage = new DestinationImageReference(localAuthed, DockerRegistryManager.RuntimeBaseImage,new[] { DockerRegistryManager.Net6ImageTag });

src/Tests/Microsoft.NET.Build.Containers.IntegrationTests/EndToEndTests.cs

@@ -46,7 +46,7 @@ public async Task ApiEndToEndWithRegistryPushAndPull()
 
         // Build the image
 
-        Registry registry = new Registry(DockerRegistryManager.LocalRegistry, logger);
+        Registry registry = new(DockerRegistryManager.LocalRegistry, logger, RegistryMode.Push);
 
         ImageBuilder imageBuilder = await registry.GetImageManifestAsync(
             DockerRegistryManager.RuntimeBaseImage,
@@ -93,7 +93,7 @@ public async Task ApiEndToEndWithLocalLoad()
 
         // Build the image
 
-        Registry registry = new Registry(DockerRegistryManager.LocalRegistry, logger);
+        Registry registry = new(DockerRegistryManager.LocalRegistry, logger, RegistryMode.Push);
 
         ImageBuilder imageBuilder = await registry.GetImageManifestAsync(
             DockerRegistryManager.RuntimeBaseImage,
@@ -134,7 +134,7 @@ public async Task ApiEndToEndWithArchiveWritingAndLoad()
 
         // Build the image
 
-        Registry registry = new Registry(DockerRegistryManager.LocalRegistry, logger);
+        Registry registry = new(DockerRegistryManager.LocalRegistry, logger, RegistryMode.Push);
 
         ImageBuilder imageBuilder = await registry.GetImageManifestAsync(
             DockerRegistryManager.RuntimeBaseImage,
@@ -479,7 +479,7 @@ public async Task CanPackageForAllSupportedContainerRIDs(string dockerPlatform,
         string publishDirectory = BuildLocalApp(tfm: ToolsetInfo.CurrentTargetFramework, rid: rid);
 
         // Build the image
-        Registry registry = new(DockerRegistryManager.BaseImageSource, logger);
+        Registry registry = new(DockerRegistryManager.BaseImageSource, logger, RegistryMode.Pull);
         var isWin = rid.StartsWith("win");
         ImageBuilder? imageBuilder = await registry.GetImageManifestAsync(
             DockerRegistryManager.RuntimeBaseImage,