DockerCLI/cli/command/service/trust.go

package service

import (
	"encoding/hex"

	"github.com/distribution/reference"
	"github.com/docker/cli/cli/command"
	"github.com/docker/cli/cli/trust"
	"github.com/docker/docker/api/types/swarm"
	"github.com/docker/docker/registry"
	"github.com/opencontainers/go-digest"
	"github.com/pkg/errors"
	"github.com/sirupsen/logrus"
	"github.com/theupdateframework/notary/tuf/data"
)

func resolveServiceImageDigestContentTrust(dockerCli command.Cli, service *swarm.ServiceSpec) error {
	if !dockerCli.ContentTrustEnabled() {
		// When not using content trust, digest resolution happens later when
		// contacting the registry to retrieve image information.
		return nil
	}

	ref, err := reference.ParseAnyReference(service.TaskTemplate.ContainerSpec.Image)
	if err != nil {
		return errors.Wrapf(err, "invalid reference %s", service.TaskTemplate.ContainerSpec.Image)
	}

	// If reference does not have digest (is not canonical nor image id)
	if _, ok := ref.(reference.Digested); !ok {
		namedRef, ok := ref.(reference.Named)
		if !ok {
			return errors.New("failed to resolve image digest using content trust: reference is not named")
		}
		namedRef = reference.TagNameOnly(namedRef)
		taggedRef, ok := namedRef.(reference.NamedTagged)
		if !ok {
			return errors.New("failed to resolve image digest using content trust: reference is not tagged")
		}

		resolvedImage, err := trustedResolveDigest(dockerCli, taggedRef)
		if err != nil {
			return errors.Wrap(err, "failed to resolve image digest using content trust")
		}
		resolvedFamiliar := reference.FamiliarString(resolvedImage)
		logrus.Debugf("resolved image tag to %s using content trust", resolvedFamiliar)
		service.TaskTemplate.ContainerSpec.Image = resolvedFamiliar
	}

	return nil
}

func trustedResolveDigest(cli command.Cli, ref reference.NamedTagged) (reference.Canonical, error) {
	repoInfo, err := registry.ParseRepositoryInfo(ref)
	if err != nil {
		return nil, err
	}

	authConfig := command.ResolveAuthConfig(cli.ConfigFile(), repoInfo.Index)

	notaryRepo, err := trust.GetNotaryRepository(cli.In(), cli.Out(), command.UserAgent(), repoInfo, &authConfig, "pull")
	if err != nil {
		return nil, errors.Wrap(err, "error establishing connection to trust repository")
	}

	t, err := notaryRepo.GetTargetByName(ref.Tag(), trust.ReleasesRole, data.CanonicalTargetsRole)
	if err != nil {
		return nil, trust.NotaryError(repoInfo.Name.Name(), err)
	}
	// Only get the tag if it's in the top level targets role or the releases delegation role
	// ignore it if it's in any other delegation roles
	if t.Role != trust.ReleasesRole && t.Role != data.CanonicalTargetsRole {
		return nil, trust.NotaryError(repoInfo.Name.Name(), errors.Errorf("No trust data for %s", reference.FamiliarString(ref)))
	}

	logrus.Debugf("retrieving target for %s role\n", t.Role)
	h, ok := t.Hashes["sha256"]
	if !ok {
		return nil, errors.New("no valid hash, expecting sha256")
	}

	dgst := digest.NewDigestFromHex("sha256", hex.EncodeToString(h))

	// Allow returning canonical reference with tag
	return reference.WithDigest(ref, dgst)
}
cli: Pin image to digest using content trust Implement notary-based digest lookup in the client when DOCKER_CONTENT_TRUST=1. Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com> 2016-12-05 20:02:26 -05:00			`package service`

			`import (`
			`"encoding/hex"`

migrate reference github.com/distribution/reference The "reference" package was moved to a separate module, which was extracted from https://github.com/distribution/distribution/commit/b9b19409cf458dcb9e1253ff44ba75bd0620faa6 Signed-off-by: Sebastiaan van Stijn <github@gone.nl> 2023-08-30 18:36:58 -04:00			`"github.com/distribution/reference"`
Update imports. Signed-off-by: Daniel Nephin <dnephin@docker.com> 2017-04-17 18:07:56 -04:00			`"github.com/docker/cli/cli/command"`
			`"github.com/docker/cli/cli/trust"`
cli: Pin image to digest using content trust Implement notary-based digest lookup in the client when DOCKER_CONTENT_TRUST=1. Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com> 2016-12-05 20:02:26 -05:00			`"github.com/docker/docker/api/types/swarm"`
			`"github.com/docker/docker/registry"`
*: use opencontainers/go-digest package The `digest` data type, used throughout docker for image verification and identity, has been broken out into `opencontainers/go-digest`. This PR updates the dependencies and moves uses over to the new type. Signed-off-by: Stephen J Day <stephen.day@docker.com> 2017-01-06 20:23:18 -05:00			`"github.com/opencontainers/go-digest"`
cli: Pin image to digest using content trust Implement notary-based digest lookup in the client when DOCKER_CONTENT_TRUST=1. Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com> 2016-12-05 20:02:26 -05:00			`"github.com/pkg/errors"`
updated vendoring Signed-off-by: Simon Ferquel <simon.ferquel@docker.com> 2017-08-07 05:52:40 -04:00			`"github.com/sirupsen/logrus"`
Move notary to its new location The https://github.com/docker/notary repository has moved to https://github.com/theupdateframework/notary Signed-off-by: Sebastiaan van Stijn <github@gone.nl> 2017-10-30 12:21:41 -04:00			`"github.com/theupdateframework/notary/tuf/data"`
cli: Pin image to digest using content trust Implement notary-based digest lookup in the client when DOCKER_CONTENT_TRUST=1. Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com> 2016-12-05 20:02:26 -05:00			`)`

Service create/update set QueryRegistry appropriately Signed-off-by: Nishant Totla <nishanttotla@gmail.com> 2017-05-11 05:07:35 -04:00			`func resolveServiceImageDigestContentTrust(dockerCli command.Cli, service *swarm.ServiceSpec) error {`
Only read trust setting from options Rename IsTrusted to ContentTrustEnabled Signed-off-by: Daniel Nephin <dnephin@docker.com> 2018-03-08 14:56:56 -05:00			`if !dockerCli.ContentTrustEnabled() {`
Service create/update set QueryRegistry appropriately Signed-off-by: Nishant Totla <nishanttotla@gmail.com> 2017-05-11 05:07:35 -04:00			`// When not using content trust, digest resolution happens later when`
			`// contacting the registry to retrieve image information.`
cli: Pin image to digest using content trust Implement notary-based digest lookup in the client when DOCKER_CONTENT_TRUST=1. Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com> 2016-12-05 20:02:26 -05:00			`return nil`
			`}`

Remove use of forked reference package for cli Use resolving to repo info as the split point between the legitimate reference package and forked reference package. Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan) 2017-01-11 16:54:52 -05:00			`ref, err := reference.ParseAnyReference(service.TaskTemplate.ContainerSpec.Image)`
cli: Pin image to digest using content trust Implement notary-based digest lookup in the client when DOCKER_CONTENT_TRUST=1. Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com> 2016-12-05 20:02:26 -05:00			`if err != nil {`
Remove use of forked reference package for cli Use resolving to repo info as the split point between the legitimate reference package and forked reference package. Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan) 2017-01-11 16:54:52 -05:00			`return errors.Wrapf(err, "invalid reference %s", service.TaskTemplate.ContainerSpec.Image)`
cli: Pin image to digest using content trust Implement notary-based digest lookup in the client when DOCKER_CONTENT_TRUST=1. Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com> 2016-12-05 20:02:26 -05:00			`}`

Remove use of forked reference package for cli Use resolving to repo info as the split point between the legitimate reference package and forked reference package. Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan) 2017-01-11 16:54:52 -05:00			`// If reference does not have digest (is not canonical nor image id)`
			`if _, ok := ref.(reference.Digested); !ok {`
			`namedRef, ok := ref.(reference.Named)`
cli: Pin image to digest using content trust Implement notary-based digest lookup in the client when DOCKER_CONTENT_TRUST=1. Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com> 2016-12-05 20:02:26 -05:00			`if !ok {`
Remove use of forked reference package for cli Use resolving to repo info as the split point between the legitimate reference package and forked reference package. Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan) 2017-01-11 16:54:52 -05:00			`return errors.New("failed to resolve image digest using content trust: reference is not named")`
cli: Pin image to digest using content trust Implement notary-based digest lookup in the client when DOCKER_CONTENT_TRUST=1. Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com> 2016-12-05 20:02:26 -05:00			`}`
Use distribution reference Remove forked reference package. Use normalized named values everywhere and familiar functions to convert back to familiar strings for UX and storage compatibility. Enforce that the source repository in the distribution metadata is always a normalized string, ignore invalid values which are not. Update distribution tests to use normalized values. Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan) 2017-01-25 19:54:18 -05:00			`namedRef = reference.TagNameOnly(namedRef)`
			`taggedRef, ok := namedRef.(reference.NamedTagged)`
			`if !ok {`
			`return errors.New("failed to resolve image digest using content trust: reference is not tagged")`
			`}`
Remove use of forked reference package for cli Use resolving to repo info as the split point between the legitimate reference package and forked reference package. Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan) 2017-01-11 16:54:52 -05:00
cli/command: ResolveAuthConfig, GetDefaultAuthConfig: take ConfigFile as arg Both these functions took the whole DockerCLI as argument, but only needed the ConfigFile. ResolveAuthConfig also had an unused context.Context as argument. This patch updates both functions to accept a ConfigFile, and removes the unused context.Context. Signed-off-by: Sebastiaan van Stijn <github@gone.nl> 2023-07-10 11:24:07 -04:00			`resolvedImage, err := trustedResolveDigest(dockerCli, taggedRef)`
cli: Pin image to digest using content trust Implement notary-based digest lookup in the client when DOCKER_CONTENT_TRUST=1. Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com> 2016-12-05 20:02:26 -05:00			`if err != nil {`
Remove use of forked reference package for cli Use resolving to repo info as the split point between the legitimate reference package and forked reference package. Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan) 2017-01-11 16:54:52 -05:00			`return errors.Wrap(err, "failed to resolve image digest using content trust")`
cli: Pin image to digest using content trust Implement notary-based digest lookup in the client when DOCKER_CONTENT_TRUST=1. Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com> 2016-12-05 20:02:26 -05:00			`}`
Remove use of forked reference package for cli Use resolving to repo info as the split point between the legitimate reference package and forked reference package. Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan) 2017-01-11 16:54:52 -05:00			`resolvedFamiliar := reference.FamiliarString(resolvedImage)`
			`logrus.Debugf("resolved image tag to %s using content trust", resolvedFamiliar)`
			`service.TaskTemplate.ContainerSpec.Image = resolvedFamiliar`
cli: Pin image to digest using content trust Implement notary-based digest lookup in the client when DOCKER_CONTENT_TRUST=1. Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com> 2016-12-05 20:02:26 -05:00			`}`
Remove use of forked reference package for cli Use resolving to repo info as the split point between the legitimate reference package and forked reference package. Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan) 2017-01-11 16:54:52 -05:00
cli: Pin image to digest using content trust Implement notary-based digest lookup in the client when DOCKER_CONTENT_TRUST=1. Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com> 2016-12-05 20:02:26 -05:00			`return nil`
			`}`

cli/command: ResolveAuthConfig, GetDefaultAuthConfig: take ConfigFile as arg Both these functions took the whole DockerCLI as argument, but only needed the ConfigFile. ResolveAuthConfig also had an unused context.Context as argument. This patch updates both functions to accept a ConfigFile, and removes the unused context.Context. Signed-off-by: Sebastiaan van Stijn <github@gone.nl> 2023-07-10 11:24:07 -04:00			`func trustedResolveDigest(cli command.Cli, ref reference.NamedTagged) (reference.Canonical, error) {`
cli: Pin image to digest using content trust Implement notary-based digest lookup in the client when DOCKER_CONTENT_TRUST=1. Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com> 2016-12-05 20:02:26 -05:00			`repoInfo, err := registry.ParseRepositoryInfo(ref)`
			`if err != nil {`
			`return nil, err`
			`}`

cli/command: ResolveAuthConfig, GetDefaultAuthConfig: take ConfigFile as arg Both these functions took the whole DockerCLI as argument, but only needed the ConfigFile. ResolveAuthConfig also had an unused context.Context as argument. This patch updates both functions to accept a ConfigFile, and removes the unused context.Context. Signed-off-by: Sebastiaan van Stijn <github@gone.nl> 2023-07-10 11:24:07 -04:00			`authConfig := command.ResolveAuthConfig(cli.ConfigFile(), repoInfo.Index)`
cli: Pin image to digest using content trust Implement notary-based digest lookup in the client when DOCKER_CONTENT_TRUST=1. Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com> 2016-12-05 20:02:26 -05:00
cli: introduce NotaryClient getter Signed-off-by: Riyaz Faizullabhoy <riyaz.faizullabhoy@docker.com> 2017-09-12 12:39:13 -04:00			`notaryRepo, err := trust.GetNotaryRepository(cli.In(), cli.Out(), command.UserAgent(), repoInfo, &authConfig, "pull")`
cli: Pin image to digest using content trust Implement notary-based digest lookup in the client when DOCKER_CONTENT_TRUST=1. Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com> 2016-12-05 20:02:26 -05:00			`if err != nil {`
			`return nil, errors.Wrap(err, "error establishing connection to trust repository")`
			`}`

			`t, err := notaryRepo.GetTargetByName(ref.Tag(), trust.ReleasesRole, data.CanonicalTargetsRole)`
			`if err != nil {`
Use distribution reference Remove forked reference package. Use normalized named values everywhere and familiar functions to convert back to familiar strings for UX and storage compatibility. Enforce that the source repository in the distribution metadata is always a normalized string, ignore invalid values which are not. Update distribution tests to use normalized values. Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan) 2017-01-25 19:54:18 -05:00			`return nil, trust.NotaryError(repoInfo.Name.Name(), err)`
cli: Pin image to digest using content trust Implement notary-based digest lookup in the client when DOCKER_CONTENT_TRUST=1. Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com> 2016-12-05 20:02:26 -05:00			`}`
			`// Only get the tag if it's in the top level targets role or the releases delegation role`
			`// ignore it if it's in any other delegation roles`
			`if t.Role != trust.ReleasesRole && t.Role != data.CanonicalTargetsRole {`
Replace fmt.Errorf() with errors.Errorf() in the cli Signed-off-by: Daniel Nephin <dnephin@docker.com> 2017-03-09 13:23:45 -05:00			`return nil, trust.NotaryError(repoInfo.Name.Name(), errors.Errorf("No trust data for %s", reference.FamiliarString(ref)))`
cli: Pin image to digest using content trust Implement notary-based digest lookup in the client when DOCKER_CONTENT_TRUST=1. Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com> 2016-12-05 20:02:26 -05:00			`}`

			`logrus.Debugf("retrieving target for %s role\n", t.Role)`
			`h, ok := t.Hashes["sha256"]`
			`if !ok {`
			`return nil, errors.New("no valid hash, expecting sha256")`
			`}`

			`dgst := digest.NewDigestFromHex("sha256", hex.EncodeToString(h))`

Remove use of forked reference package for cli Use resolving to repo info as the split point between the legitimate reference package and forked reference package. Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan) 2017-01-11 16:54:52 -05:00			`// Allow returning canonical reference with tag`
			`return reference.WithDigest(ref, dgst)`
cli: Pin image to digest using content trust Implement notary-based digest lookup in the client when DOCKER_CONTENT_TRUST=1. Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com> 2016-12-05 20:02:26 -05:00			`}`