Feat/registries auth mecanism

docs/references/cli.md

@@ -646,6 +646,15 @@ msb pull [--image] [--image-group] <name> [options]
 **Examples:**
 
 ```bash
+# Pull a private image using env credentials (token)
+export MSB_REGISTRY_TOKEN=token123
+msb pull registry.example.com/org/app:1.0
+
+# Pull a private image using env credentials (username/password)
+export MSB_REGISTRY_USERNAME=user
+export MSB_REGISTRY_PASSWORD=pass
+msb pull registry.example.com/org/app:1.0
+
 # Pull an image
 msb pull --image python:3.11
 
@@ -686,6 +695,67 @@ msb push myapp:latest
 
 ===
 
+==- `msb login`
+Set registry credentials (persisted in microsandbox home).
+
+```bash
+msb login [registry] [--username <user>] [--password-stdin] [--token <token>]
+```
+
+| Option            | Description                        |
+| ----------------- | ---------------------------------- |
+| `--username`      | Registry username                  |
+| `--password-stdin`| Read password from stdin           |
+| `--token`         | Registry access token (bearer)     |
+
+**Examples:**
+
+```bash
+# Provide a token
+msb login ghcr.io --token token123
+
+# Provide username and password via stdin
+echo "pass" | msb login docker.io --username user --password-stdin
+
+# Use env fallback if CLI is invalid
+export MSB_REGISTRY_TOKEN=token123
+msb login ghcr.io --username user --password-stdin
+```
+
+!!!note
+`msb login` stores credentials locally but does not validate them against the registry.
+When pulling images, environment variables take priority over stored credentials.
+!!!
+
+!!!warning Security
+Credentials are stored in `~/.microsandbox/registry_auth.json`. Restrict file permissions and avoid sharing it.
+!!!
+
+===
+
+==- `msb logout`
+Remove stored registry credentials.
+
+```bash
+msb logout [registry] [--all]
+```
+
+| Option    | Description                              |
+| --------- | ---------------------------------------- |
+| `--all`   | Remove all stored registry credentials   |
+
+**Examples:**
+
+```bash
+# Remove credentials for a registry
+msb logout ghcr.io
+
+# Remove all stored credentials
+msb logout --all
+```
+
+===
+
 ---
 
 ### Maintenance

microsandbox-cli/bin/msb/handlers.rs

@@ -8,11 +8,15 @@ use microsandbox_core::{
         config::{self, Component, ComponentType, SandboxConfig},
         home, menv, orchestra, sandbox, toolchain,
     },
-    oci::Reference,
+    oci::{Reference, normalize_registry_host},
 };
 use microsandbox_server::MicrosandboxServerResult;
-use microsandbox_utils::{NAMESPACES_SUBDIR, env};
+use microsandbox_utils::{
+    NAMESPACES_SUBDIR, StoredRegistryCredentials, clear_registry_credentials, env,
+    remove_registry_credentials, store_registry_credentials,
+};
 use std::{collections::HashMap, path::PathBuf};
+use tokio::io::{self, AsyncReadExt};
 use typed_path::Utf8UnixPathBuf;
 
 //--------------------------------------------------------------------------------------------------
@@ -671,11 +675,60 @@ pub async fn server_status_subcommand(
     Ok(())
 }
 
-pub async fn login_subcommand() -> MicrosandboxCliResult<()> {
-    println!(
-        "{} login functionality is not yet implemented",
-        "error:".error()
-    );
+pub async fn login_subcommand(
+    registry: Option<String>,
+    username: Option<String>,
+    password_stdin: bool,
+    token: Option<String>,
+) -> MicrosandboxCliResult<()> {
+    let registry = resolve_registry_host(registry);
+    let creds = resolve_login_credentials(username, password_stdin, token).await?;
+
+    match creds {
+        LoginCredentials::Basic { username, password } => {
+            store_registry_credentials(
+                &registry,
+                StoredRegistryCredentials::Basic { username, password },
+            )
+            .map_err(|err| MicrosandboxCliError::ConfigError(err.to_string()))?;
+            println!(
+                "info: credentials saved for registry {} (not validated)",
+                registry
+            );
+        }
+        LoginCredentials::Token { token } => {
+            store_registry_credentials(&registry, StoredRegistryCredentials::Token { token })
+                .map_err(|err| MicrosandboxCliError::ConfigError(err.to_string()))?;
+            println!(
+                "info: token saved for registry {} (not validated)",
+                registry
+            );
+        }
+    }
+
+    Ok(())
+}
+
+pub async fn logout_subcommand(registry: Option<String>, all: bool) -> MicrosandboxCliResult<()> {
+    if all {
+        clear_registry_credentials()
+            .map_err(|err| MicrosandboxCliError::ConfigError(err.to_string()))?;
+        println!("info: cleared all stored registry credentials");
+        return Ok(());
+    }
+
+    let registry = resolve_registry_host(registry);
+    let removed = remove_registry_credentials(&registry)
+        .map_err(|err| MicrosandboxCliError::ConfigError(err.to_string()))?;
+    if removed {
+        println!("info: removed stored credentials for registry {}", registry);
+    } else {
+        println!(
+            "info: no stored credentials found for registry {}",
+            registry
+        );
+    }
+
     Ok(())
 }
 
@@ -741,6 +794,102 @@ fn parse_name_and_script(name_and_script: &str) -> (&str, Option<&str>) {
     (name, script)
 }
 
+//--------------------------------------------------------------------------------------------------
+// Functions: Login Helpers
+//--------------------------------------------------------------------------------------------------
+
+enum LoginCredentials {
+    Basic { username: String, password: String },
+    Token { token: String },
+}
+
+fn resolve_registry_host(registry: Option<String>) -> String {
+    let host = registry
+        .or_else(env::get_registry_host)
+        .unwrap_or_else(env::get_oci_registry);
+
+    normalize_registry_host(&host)
+}
+
+async fn resolve_login_credentials(
+    username: Option<String>,
+    password_stdin: bool,
+    token: Option<String>,
+) -> MicrosandboxCliResult<LoginCredentials> {
+    let cli_password = if password_stdin {
+        Some(read_password_from_stdin().await?)
+    } else {
+        None
+    };
+
+    let cli_provided = token.is_some() || username.is_some() || password_stdin;
+    if cli_provided {
+        let cli_result = if token.is_some() && (username.is_some() || cli_password.is_some()) {
+            Err(MicrosandboxCliError::InvalidArgument(
+                "token cannot be combined with username/password".to_string(),
+            ))
+        } else if let Some(token) = token {
+            Ok(LoginCredentials::Token { token })
+        } else {
+            match (username, cli_password) {
+                (Some(username), Some(password)) => {
+                    Ok(LoginCredentials::Basic { username, password })
+                }
+                (None, None) => Err(MicrosandboxCliError::InvalidArgument(
+                    "no credentials provided; use flags or environment variables".to_string(),
+                )),
+                _ => Err(MicrosandboxCliError::InvalidArgument(
+                    "both username and password are required".to_string(),
+                )),
+            }
+        };
+
+        if let Ok(creds) = cli_result {
+            return Ok(creds);
+        }
+
+        // CLI was provided but invalid; attempt env fallback.
+        tracing::debug!("login: CLI credentials invalid, falling back to environment variables");
+    }
+
+    let env_token = env::get_registry_token();
+    let env_username = env::get_registry_username();
+    let env_password = env::get_registry_password();
+
+    if env_token.is_some() && (env_username.is_some() || env_password.is_some()) {
+        return Err(MicrosandboxCliError::InvalidArgument(
+            "token cannot be combined with username/password".to_string(),
+        ));
+    }
+
+    if let Some(token) = env_token {
+        return Ok(LoginCredentials::Token { token });
+    }
+
+    match (env_username, env_password) {
+        (Some(username), Some(password)) => Ok(LoginCredentials::Basic { username, password }),
+        (None, None) => Err(MicrosandboxCliError::InvalidArgument(
+            "no credentials provided; use flags or environment variables".to_string(),
+        )),
+        _ => Err(MicrosandboxCliError::InvalidArgument(
+            "both username and password are required".to_string(),
+        )),
+    }
+}
+
+async fn read_password_from_stdin() -> MicrosandboxCliResult<String> {
+    let mut input = String::new();
+    let mut stdin = io::stdin();
+    stdin.read_to_string(&mut input).await?;
+    let password = input.trim_end_matches(&['\n', '\r'][..]).to_string();
+    if password.is_empty() {
+        return Err(MicrosandboxCliError::InvalidArgument(
+            "password provided via stdin is empty".to_string(),
+        ));
+    }
+    Ok(password)
+}
+
 /// Parse a file path into project path and config file name.
 ///
 /// If the file path is a directory, it is treated as the project path.

microsandbox-cli/bin/msb/main.rs

@@ -259,8 +259,16 @@ async fn main() -> MicrosandboxCliResult<()> {
                 handlers::server_ssh_subcommand(namespace, sandbox, name).await?;
             }
         },
-        Some(MicrosandboxSubcommand::Login) => {
-            handlers::login_subcommand().await?;
+        Some(MicrosandboxSubcommand::Login {
+            registry,
+            username,
+            password_stdin,
+            token,
+        }) => {
+            handlers::login_subcommand(registry, username, password_stdin, token).await?;
+        }
+        Some(MicrosandboxSubcommand::Logout { registry, all }) => {
+            handlers::logout_subcommand(registry, all).await?;
         }
         Some(MicrosandboxSubcommand::Push { image, name }) => {
             handlers::push_subcommand(image, name).await?;

microsandbox-cli/lib/args/msb.rs

@@ -520,7 +520,33 @@ pub enum MicrosandboxSubcommand {
 
     /// Login to a registry
     #[command(name = "login")]
-    Login,
+    Login {
+        /// Registry host (defaults to OCI_REGISTRY_DOMAIN or docker.io)
+        registry: Option<String>,
+
+        /// Registry username
+        #[arg(short, long)]
+        username: Option<String>,
+
+        /// Read password from stdin
+        #[arg(long)]
+        password_stdin: bool,
+
+        /// Registry token
+        #[arg(long)]
+        token: Option<String>,
+    },
+
+    /// Logout from a registry
+    #[command(name = "logout")]
+    Logout {
+        /// Registry host (defaults to OCI_REGISTRY_DOMAIN or docker.io)
+        registry: Option<String>,
+
+        /// Remove all stored registry credentials
+        #[arg(long)]
+        all: bool,
+    },
 
     /// Push image to a registry
     #[command(name = "push")]

microsandbox-core/lib/management/image.rs

@@ -0,0 +1,3 @@
+//! Compatibility re-exports for registry auth resolution.
+
+pub use crate::oci::resolve_registry_auth;

microsandbox-core/lib/management/mod.rs

@@ -22,6 +22,7 @@
 pub mod config;
 pub mod db;
 pub mod home;
+pub mod image;
 pub mod menv;
 pub mod orchestra;
 pub mod rootfs;