From 63ebcae382f083dce20f7c7ca852493260f13fff Mon Sep 17 00:00:00 2001 From: Vincent Demeester Date: Wed, 14 Mar 2018 17:36:23 +0100 Subject: [PATCH] Small content trust enhancement - `replaceDockerfileForContentTrust` is only used when content trust is enabled, so remove the boolean. - rename `isContentTrustEnabled` to `contentTrustEnabled` Signed-off-by: Vincent Demeester --- cli/command/cli.go | 2 +- cli/command/image/build.go | 11 ++++++----- cmd/docker/docker.go | 4 ++-- 3 files changed, 9 insertions(+), 8 deletions(-) diff --git a/cli/command/cli.go b/cli/command/cli.go index 68ac0e6c91..55a6c436d4 100644 --- a/cli/command/cli.go +++ b/cli/command/cli.go @@ -123,7 +123,7 @@ func (cli *DockerCli) ClientInfo() ClientInfo { return cli.clientInfo } -// ContentTrustEnabled returns if content trust has been enabled by an +// ContentTrustEnabled returns whether content trust has been enabled by an // environment variable. func (cli *DockerCli) ContentTrustEnabled() bool { return cli.contentTrust diff --git a/cli/command/image/build.go b/cli/command/image/build.go index 15da4d4318..1e87f1ee6a 100644 --- a/cli/command/image/build.go +++ b/cli/command/image/build.go @@ -297,7 +297,7 @@ func runBuild(dockerCli command.Cli, options buildOptions) error { buildCtx = replaceDockerfileForContentTrust(ctx, buildCtx, relDockerfile, translator, &resolvedTags) } else if dockerfileCtx != nil { // if there was not archive context still do the possible replacements in Dockerfile - newDockerfile, _, err := rewriteDockerfileFrom(ctx, dockerfileCtx, translator, !options.untrusted) + newDockerfile, _, err := rewriteDockerfileFromForContentTrust(ctx, dockerfileCtx, translator) if err != nil { return err } @@ -500,11 +500,12 @@ type resolvedTag struct { tagRef reference.NamedTagged } -// rewriteDockerfileFrom rewrites the given Dockerfile by resolving images in +// rewriteDockerfileFromForContentTrust rewrites the given Dockerfile by resolving images in // "FROM " instructions to a digest reference. `translator` is a // function that takes a repository name and tag reference and returns a // trusted digest reference. -func rewriteDockerfileFrom(ctx context.Context, dockerfile io.Reader, translator translatorFunc, istrusted bool) (newDockerfile []byte, resolvedTags []*resolvedTag, err error) { +// This should be called *only* when content trust is enabled +func rewriteDockerfileFromForContentTrust(ctx context.Context, dockerfile io.Reader, translator translatorFunc) (newDockerfile []byte, resolvedTags []*resolvedTag, err error) { scanner := bufio.NewScanner(dockerfile) buf := bytes.NewBuffer(nil) @@ -521,7 +522,7 @@ func rewriteDockerfileFrom(ctx context.Context, dockerfile io.Reader, translator return nil, nil, err } ref = reference.TagNameOnly(ref) - if ref, ok := ref.(reference.NamedTagged); ok && istrusted { + if ref, ok := ref.(reference.NamedTagged); ok { trustedRef, err := translator(ctx, ref) if err != nil { return nil, nil, err @@ -574,7 +575,7 @@ func replaceDockerfileForContentTrust(ctx context.Context, inputTarStream io.Rea // generated from a directory on the local filesystem, the // Dockerfile will only appear once in the archive. var newDockerfile []byte - newDockerfile, *resolvedTags, err = rewriteDockerfileFrom(ctx, content, translator, true) + newDockerfile, *resolvedTags, err = rewriteDockerfileFromForContentTrust(ctx, content, translator) if err != nil { pipeWriter.CloseWithError(err) return diff --git a/cmd/docker/docker.go b/cmd/docker/docker.go index 57c52f381b..b96c1e2a98 100644 --- a/cmd/docker/docker.go +++ b/cmd/docker/docker.go @@ -156,7 +156,7 @@ func main() { stdin, stdout, stderr := term.StdStreams() logrus.SetOutput(stderr) - dockerCli := command.NewDockerCli(stdin, stdout, stderr, isContentTrustEnabled()) + dockerCli := command.NewDockerCli(stdin, stdout, stderr, contentTrustEnabled()) cmd := newDockerCommand(dockerCli) if err := cmd.Execute(); err != nil { @@ -176,7 +176,7 @@ func main() { } } -func isContentTrustEnabled() bool { +func contentTrustEnabled() bool { if e := os.Getenv("DOCKER_CONTENT_TRUST"); e != "" { if t, err := strconv.ParseBool(e); t || err != nil { // treat any other value as true