feat : PoC for automated Windows guest via autounattend.xml Implements issue #4852.

Signed-off-by: liketosweep <liketosweep@gmail.com>

Author: liketosweep

.gitignore

@@ -4,3 +4,5 @@ lima.REJECTED.yaml
 default-template.yaml
 schema-limayaml.json
 .config
+poc-windows-guest/images/
+poc-windows-guest/tmp/

pkg/windows/autounattend/autounattend.go

@@ -0,0 +1,111 @@
+package autounattend
+
+import (
+	_ "embed"
+	"bytes"
+	"encoding/base64"
+	"fmt"
+	"html/template"
+	"strings"
+)
+
+//go:embed template.xml
+var rawTemplate string
+
+var tmpl = template.Must(
+	template.New("autounattend").
+		Funcs(template.FuncMap{
+			"encodePassword": encodeUTF16LE,
+			"joinLines":      func(ss []string) string { return strings.Join(ss, "\n") },
+			"inc":            func(n int) int { return n + 1 },
+		}).
+		Parse(rawTemplate),
+)
+
+type Config struct {
+	Hostname            string
+	Username            string
+	Password            string
+	SSHPublicKeys       []string
+	Locale              string
+	TimeZone            string
+	WindowsEditionIndex int
+	ExtraCommands       []string
+}
+
+func (c *Config) setDefaults() {
+	if c.Username == "" {
+		c.Username = "limauser"
+	}
+	if c.Locale == "" {
+		c.Locale = "en-US"
+	}
+	if c.TimeZone == "" {
+		c.TimeZone = "GMT Standard Time"
+	}
+	if c.WindowsEditionIndex == 0 {
+		c.WindowsEditionIndex = 1
+	}
+}
+
+func (c *Config) validate() error {
+	switch {
+	case c.Hostname == "":
+		return fmt.Errorf("autounattend: Hostname is required")
+	case len(c.Hostname) > 15:
+		return fmt.Errorf("autounattend: Hostname %q exceeds 15-char NetBIOS limit", c.Hostname)
+	case c.Password == "":
+		return fmt.Errorf("autounattend: Password is required")
+	case len(c.SSHPublicKeys) == 0:
+		return fmt.Errorf("autounattend: at least one SSH public key is required")
+	case c.WindowsEditionIndex < 1:
+		return fmt.Errorf("autounattend: WindowsEditionIndex must be >= 1")
+	}
+	return nil
+}
+
+func Generate(cfg Config) ([]byte, error) {
+	cfg.setDefaults()
+	if err := cfg.validate(); err != nil {
+		return nil, err
+	}
+	var buf bytes.Buffer
+	if err := tmpl.Execute(&buf, cfg); err != nil {
+		return nil, fmt.Errorf("autounattend: render failed: %w", err)
+	}
+	return buf.Bytes(), nil
+}
+
+// encodeUTF16LE implements the Microsoft answer-file password encoding:
+// base64( UTF-16LE( plaintext + "Password" ) )
+func encodeUTF16LE(plaintext string) string {
+	s := plaintext + "Password"
+	b := make([]byte, len(s)*2)
+	for i, r := range s {
+		b[i*2] = byte(r)
+		b[i*2+1] = byte(r >> 8)
+	}
+	return base64.StdEncoding.EncodeToString(b)
+}
+
+// SanitiseHostname converts an arbitrary string into a valid Windows
+// NetBIOS computer name (<=15 chars, alphanumeric + hyphen, no leading/trailing hyphen).
+func SanitiseHostname(name string) string {
+	out := make([]byte, 0, len(name))
+	for _, r := range name {
+		switch {
+		case r >= 'a' && r <= 'z', r >= 'A' && r <= 'Z', r >= '0' && r <= '9':
+			out = append(out, byte(r))
+		default:
+			out = append(out, '-')
+		}
+	}
+	s := strings.Trim(string(out), "-")
+	if len(s) > 15 {
+		s = s[:15]
+	}
+	if s == "" {
+		return "lima-windows"
+	}
+	return s
+}

pkg/windows/autounattend/autounattend_test.go

@@ -0,0 +1,104 @@
+package autounattend_test
+
+import (
+	"strings"
+	"testing"
+
+	"github.com/lima-vm/lima/v2/pkg/windows/autounattend"
+)
+
+func baseConfig() autounattend.Config {
+	return autounattend.Config{
+		Hostname:            "lima-win",
+		Username:            "limauser",
+		Password:            "T3stP@ssw0rd!",
+		SSHPublicKeys:       []string{"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA user@host"},
+		WindowsEditionIndex: 1,
+	}
+}
+
+func TestGenerate_ContainsRequiredPasses(t *testing.T) {
+	xml, err := autounattend.Generate(baseConfig())
+	if err != nil {
+		t.Fatal(err)
+	}
+	for _, pass := range []string{"windowsPE", "specialize", "oobeSystem"} {
+		if !strings.Contains(string(xml), pass) {
+			t.Errorf("missing pass: %s", pass)
+		}
+	}
+}
+
+func TestGenerate_ContainsVirtIODriverPaths(t *testing.T) {
+	xml, err := autounattend.Generate(baseConfig())
+	if err != nil {
+		t.Fatal(err)
+	}
+	for _, driver := range []string{"viostor", "NetKVM", "viofs"} {
+		if !strings.Contains(string(xml), driver) {
+			t.Errorf("missing VirtIO driver path for: %s", driver)
+		}
+	}
+}
+
+func TestGenerate_SSHKeyPresent(t *testing.T) {
+	xml, err := autounattend.Generate(baseConfig())
+	if err != nil {
+		t.Fatal(err)
+	}
+	if !strings.Contains(string(xml), "ssh-ed25519") {
+		t.Error("SSH public key missing from output")
+	}
+}
+
+func TestGenerate_PasswordNeverPlaintext(t *testing.T) {
+	cfg := baseConfig()
+	xml, err := autounattend.Generate(cfg)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if strings.Contains(string(xml), cfg.Password) {
+		t.Error("SECURITY: plaintext password present in generated XML")
+	}
+	if !strings.Contains(string(xml), "<PlainText>false</PlainText>") {
+		t.Error("PlainText flag not set to false")
+	}
+}
+
+func TestGenerate_ValidationErrors(t *testing.T) {
+	cases := []struct {
+		name   string
+		mutate func(*autounattend.Config)
+	}{
+		{"empty hostname", func(c *autounattend.Config) { c.Hostname = "" }},
+		{"hostname too long", func(c *autounattend.Config) { c.Hostname = "this-is-way-too-long" }},
+		{"empty password", func(c *autounattend.Config) { c.Password = "" }},
+		{"no ssh keys", func(c *autounattend.Config) { c.SSHPublicKeys = nil }},
+		{"bad edition index", func(c *autounattend.Config) { c.WindowsEditionIndex = -1 }},
+	}
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			cfg := baseConfig()
+			tc.mutate(&cfg)
+			if _, err := autounattend.Generate(cfg); err == nil {
+				t.Errorf("expected error for %q, got nil", tc.name)
+			}
+		})
+	}
+}
+
+func TestSanitiseHostname(t *testing.T) {
+	cases := []struct{ in, want string }{
+		{"my-vm", "my-vm"},
+		{"my_special_vm!", "my-special-vm"},
+		{"this-is-way-too-long-for-netbios", "this-is-way-too"},
+		{"---", "lima-windows"},
+		{"", "lima-windows"},
+	}
+	for _, tc := range cases {
+		got := autounattend.SanitiseHostname(tc.in)
+		if got != tc.want {
+			t.Errorf("SanitiseHostname(%q) = %q, want %q", tc.in, got, tc.want)
+		}
+	}
+}