Merge pull request #945 from vdemeester/trust-follow-up

Small content trust enhancement
2018-03-16 11:09:00 +01:00 · 2018-03-16 11:09:00 +01:00 · a5bd2973b1
parent 37eebe5cb6 63ebcae382
commit a5bd2973b1
3 changed files with 9 additions and 8 deletions
--- a/cli/command/cli.go
+++ b/cli/command/cli.go
@ -123,7 +123,7 @@ func (cli *DockerCli) ClientInfo() ClientInfo {
 	return cli.clientInfo
 }

-// ContentTrustEnabled returns if content trust has been enabled by an
+// ContentTrustEnabled returns whether content trust has been enabled by an
 // environment variable.
 func (cli *DockerCli) ContentTrustEnabled() bool {
 	return cli.contentTrust
--- a/cli/command/image/build.go
+++ b/cli/command/image/build.go
@ -297,7 +297,7 @@ func runBuild(dockerCli command.Cli, options buildOptions) error {
 			buildCtx = replaceDockerfileForContentTrust(ctx, buildCtx, relDockerfile, translator, &resolvedTags)
 		} else if dockerfileCtx != nil {
 			// if there was not archive context still do the possible replacements in Dockerfile
-			newDockerfile, _, err := rewriteDockerfileFrom(ctx, dockerfileCtx, translator, !options.untrusted)
+			newDockerfile, _, err := rewriteDockerfileFromForContentTrust(ctx, dockerfileCtx, translator)
 			if err != nil {
 				return err
 			}
@ -500,11 +500,12 @@ type resolvedTag struct {
 	tagRef    reference.NamedTagged
 }

-// rewriteDockerfileFrom rewrites the given Dockerfile by resolving images in
+// rewriteDockerfileFromForContentTrust rewrites the given Dockerfile by resolving images in
 // "FROM <image>" instructions to a digest reference. `translator` is a
 // function that takes a repository name and tag reference and returns a
 // trusted digest reference.
-func rewriteDockerfileFrom(ctx context.Context, dockerfile io.Reader, translator translatorFunc, istrusted bool) (newDockerfile []byte, resolvedTags []*resolvedTag, err error) {
+// This should be called *only* when content trust is enabled
+func rewriteDockerfileFromForContentTrust(ctx context.Context, dockerfile io.Reader, translator translatorFunc) (newDockerfile []byte, resolvedTags []*resolvedTag, err error) {
 	scanner := bufio.NewScanner(dockerfile)
 	buf := bytes.NewBuffer(nil)

@ -521,7 +522,7 @@ func rewriteDockerfileFrom(ctx context.Context, dockerfile io.Reader, translator
 				return nil, nil, err
 			}
 			ref = reference.TagNameOnly(ref)
-			if ref, ok := ref.(reference.NamedTagged); ok && istrusted {
+			if ref, ok := ref.(reference.NamedTagged); ok {
 				trustedRef, err := translator(ctx, ref)
 				if err != nil {
 					return nil, nil, err
@ -574,7 +575,7 @@ func replaceDockerfileForContentTrust(ctx context.Context, inputTarStream io.Rea
 				// generated from a directory on the local filesystem, the
 				// Dockerfile will only appear once in the archive.
 				var newDockerfile []byte
-				newDockerfile, *resolvedTags, err = rewriteDockerfileFrom(ctx, content, translator, true)
+				newDockerfile, *resolvedTags, err = rewriteDockerfileFromForContentTrust(ctx, content, translator)
 				if err != nil {
 					pipeWriter.CloseWithError(err)
 					return
--- a/cmd/docker/docker.go
+++ b/cmd/docker/docker.go
@ -156,7 +156,7 @@ func main() {
 	stdin, stdout, stderr := term.StdStreams()
 	logrus.SetOutput(stderr)

-	dockerCli := command.NewDockerCli(stdin, stdout, stderr, isContentTrustEnabled())
+	dockerCli := command.NewDockerCli(stdin, stdout, stderr, contentTrustEnabled())
 	cmd := newDockerCommand(dockerCli)

 	if err := cmd.Execute(); err != nil {
@ -176,7 +176,7 @@ func main() {
 	}
 }

-func isContentTrustEnabled() bool {
+func contentTrustEnabled() bool {
 	if e := os.Getenv("DOCKER_CONTENT_TRUST"); e != "" {
 		if t, err := strconv.ParseBool(e); t || err != nil {
 			// treat any other value as true