Bundle cimwriter dll and update tooling to consume json

Author: MahatiC

src/confcom/.gitignore

@@ -32,6 +32,12 @@ azext_confcom/bin/*
 **/dmverity-vhd
 **/bin/genpolicy*
 
+# Exception: CimWriter.dll is required for Windows container support
+# Downloaded from Microsoft.Windows.CimWriter.amd64fre NuGet package
+# Version: 10.0.28552.1000-260402-1747.br-current-directbase-backport-cwcow
+# Source: https://msazure.visualstudio.com/One/_artifacts/feed/Microsoft.Windows.CimWriter.amd64fre@Local
+!azext_confcom/bin/CimWriter.dll
+
 # metadata file for coverage reports
 **/.coverage
 

src/confcom/azext_confcom/bin/CimWriter.dll

@@ -127,6 +127,7 @@
 POLICY_FIELD_CONTAINERS_ELEMENTS_ENVS_RULE = "pattern"
 POLICY_FIELD_CONTAINERS_ELEMENTS_REQUIRED = "required"
 POLICY_FIELD_CONTAINERS_ELEMENTS_LAYERS = "layers"
+POLICY_FIELD_CONTAINERS_ELEMENTS_MOUNTED_CIM = "mounted_cim"
 POLICY_FIELD_CONTAINERS_ELEMENTS_WORKINGDIR = "working_dir"
 POLICY_FIELD_CONTAINERS_ELEMENTS_MOUNTS = "mounts"
 POLICY_FIELD_CONTAINERS_ELEMENTS_MOUNTS_SOURCE = "source"

src/confcom/azext_confcom/config.py

@@ -606,6 +606,7 @@ def __init__(
         self._command = command
         self._workingDir = workingDir
         self._layers = []
+        self._mounted_cim = []
         self._mounts = mounts
         self._allow_elevated = allow_elevated
         self._allow_stdio_access = allowStdioAccess
@@ -661,6 +662,12 @@ def get_layers(self) -> List[str]:
     def set_layers(self, layers: List[str]) -> None:
         self._layers = layers
 
+    def get_mounted_cim(self) -> List[str]:
+        return self._mounted_cim
+
+    def set_mounted_cim(self, mounted_cim: List[str]) -> None:
+        self._mounted_cim = mounted_cim
+
     def get_user(self) -> Dict:
         return self._user
 
@@ -784,6 +791,9 @@ def _populate_policy_json_elements(self, omit_id: bool = False) -> Dict[str, Any
             elements.update({
                 config.POLICY_FIELD_CONTAINERS_ELEMENTS_USER: self.get_user()["user_idname"]["pattern"],
             })
+            # Add mounted_cim for Windows if present
+            if self._mounted_cim:
+                elements[config.POLICY_FIELD_CONTAINERS_ELEMENTS_MOUNTED_CIM] = self._mounted_cim
 
 
         if not omit_id:

src/confcom/azext_confcom/container.py

@@ -5,12 +5,13 @@
 
 
 import hashlib
+import json
 import os
 import platform
 import stat
 import subprocess
 import sys
-from typing import List
+from typing import List, Dict
 
 import requests
 from azext_confcom.errors import eprint
@@ -91,7 +92,7 @@ def get_policy_image_layers(
         platform: str = "linux/amd64",
         tar_location: str = "",
         faster_hashing=False
-    ) -> List[str]:
+    ) -> Dict[str, List[str]]:
         image_name = f"{image}:{tag}"
         # populate layer info
         if self.layer_cache.get(image_name):
@@ -125,7 +126,7 @@ def get_policy_image_layers(
             check=False,
         )
 
-        output = []
+        result = {}
         if item.returncode != 0:
             if item.stderr.decode("utf-8") != "" and item.stderr.decode("utf-8") is not None:
                 logger.warning(item.stderr.decode("utf-8"))
@@ -137,13 +138,29 @@ def get_policy_image_layers(
                 )
             sys.exit(item.returncode)
         elif len(item.stdout) > 0:
-            output = item.stdout.decode("utf8").strip("\n").split("\n")
-            output = [i.split(": ", 1)[1] for i in output if len(i.split(": ", 1)) > 1]
+            stdout_str = item.stdout.decode("utf8").strip()
+
+            # Try parsing as JSON (both Linux and Windows now output JSON)
+            if stdout_str.startswith("{"):
+                try:
+                    json_output = json.loads(stdout_str)
+                    result["layers"] = json_output.get("layers", [])
+                    # mounted_cim is only present for Windows
+                    if "mounted_cim" in json_output:
+                        result["mounted_cim"] = json_output["mounted_cim"]
+                except json.JSONDecodeError as e:
+                    logger.error(f"Failed to parse JSON output: {e}")
+                    sys.exit(1)
+            else:
+                # Fallback: line-by-line parsing for older dmverity-vhd versions
+                lines = stdout_str.split("\n")
+                layers = [i.split(": ", 1)[1] for i in lines if len(i.split(": ", 1)) > 1]
+                result["layers"] = layers
         else:
             eprint(
                 "Could not get layer hashes"
             )
 
-        # cache output layers
-        self.layer_cache[image_name] = output
-        return output
+        # cache output
+        self.layer_cache[image_name] = result
+        return result

src/confcom/azext_confcom/rootfs_proxy.py

@@ -597,13 +597,17 @@ def populate_policy_content_for_all_images(
                 if isinstance(tar_mapping, dict):
                     tar_location = get_tar_location_from_mapping(tar_mapping, image_name)
                 # populate layer info
-                image.set_layers(proxy.get_policy_image_layers(
+                layer_info = proxy.get_policy_image_layers(
                     image.base,
                     image.tag,
                     platform=self._platform,
                     tar_location=tar_location if tar else "",
                     faster_hashing=faster_hashing,
-                ))
+                )
+                image.set_layers(layer_info.get("layers", []))
+                # Set mounted_cim for Windows containers
+                if "mounted_cim" in layer_info:
+                    image.set_mounted_cim(layer_info["mounted_cim"])
 
                 progress.update()
             progress.close()
@@ -812,7 +816,10 @@ def load_policy_from_arm_template_str(
             extract_probe(exec_processes, image_properties, config.ACI_FIELD_CONTAINERS_READINESS_PROBE)
             extract_probe(exec_processes, image_properties, config.ACI_FIELD_CONTAINERS_LIVENESS_PROBE)
 
-            platform = get_image_platform(image_name)
+            # Use platform from template if specified, otherwise try to auto-detect from image
+            platform = case_insensitive_dict_get(image_properties, "platform")
+            if not platform:
+                platform = get_image_platform(image_name)
 
             containers.append(
                 {