Only read trust setting from options
Rename IsTrusted to ContentTrustEnabled Signed-off-by: Daniel Nephin <dnephin@docker.com>
This commit is contained in:
parent
6e21829af4
commit
feae0e9756
|
@ -52,7 +52,7 @@ type Cli interface {
|
||||||
DefaultVersion() string
|
DefaultVersion() string
|
||||||
ManifestStore() manifeststore.Store
|
ManifestStore() manifeststore.Store
|
||||||
RegistryClient(bool) registryclient.RegistryClient
|
RegistryClient(bool) registryclient.RegistryClient
|
||||||
IsTrusted() bool
|
ContentTrustEnabled() bool
|
||||||
}
|
}
|
||||||
|
|
||||||
// DockerCli is an instance the docker command line client.
|
// DockerCli is an instance the docker command line client.
|
||||||
|
@ -65,7 +65,7 @@ type DockerCli struct {
|
||||||
client client.APIClient
|
client client.APIClient
|
||||||
serverInfo ServerInfo
|
serverInfo ServerInfo
|
||||||
clientInfo ClientInfo
|
clientInfo ClientInfo
|
||||||
isTrusted bool
|
contentTrust bool
|
||||||
}
|
}
|
||||||
|
|
||||||
// DefaultVersion returns api.defaultVersion or DOCKER_API_VERSION if specified.
|
// DefaultVersion returns api.defaultVersion or DOCKER_API_VERSION if specified.
|
||||||
|
@ -123,9 +123,10 @@ func (cli *DockerCli) ClientInfo() ClientInfo {
|
||||||
return cli.clientInfo
|
return cli.clientInfo
|
||||||
}
|
}
|
||||||
|
|
||||||
// IsTrusted returns if content trust is enabled for the cli
|
// ContentTrustEnabled returns if content trust has been enabled by an
|
||||||
func (cli *DockerCli) IsTrusted() bool {
|
// environment variable.
|
||||||
return cli.isTrusted
|
func (cli *DockerCli) ContentTrustEnabled() bool {
|
||||||
|
return cli.contentTrust
|
||||||
}
|
}
|
||||||
|
|
||||||
// ManifestStore returns a store for local manifests
|
// ManifestStore returns a store for local manifests
|
||||||
|
@ -245,7 +246,7 @@ func (c ClientInfo) HasKubernetes() bool {
|
||||||
|
|
||||||
// NewDockerCli returns a DockerCli instance with IO output and error streams set by in, out and err.
|
// NewDockerCli returns a DockerCli instance with IO output and error streams set by in, out and err.
|
||||||
func NewDockerCli(in io.ReadCloser, out, err io.Writer, isTrusted bool) *DockerCli {
|
func NewDockerCli(in io.ReadCloser, out, err io.Writer, isTrusted bool) *DockerCli {
|
||||||
return &DockerCli{in: NewInStream(in), out: NewOutStream(out), err: err, isTrusted: isTrusted}
|
return &DockerCli{in: NewInStream(in), out: NewOutStream(out), err: err, contentTrust: isTrusted}
|
||||||
}
|
}
|
||||||
|
|
||||||
// NewAPIClientFromFlags creates a new APIClient from command line flags
|
// NewAPIClientFromFlags creates a new APIClient from command line flags
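Review bot: The new `ContentTrustEnabled` doc comment in the `@ -123` hunk says the setting "has been enabled by an environment variable", but nothing in this file ties the field to an environment lookup: `NewDockerCli` just stores whatever bool its caller passes, so the comment documents a caller's behaviour that may or may not hold. A wording that matches what the struct actually guarantees would be `// ContentTrustEnabled reports whether content trust was enabled when the cli was constructed (see NewDockerCli).`, with the environment-variable origin mentioned where the value is computed instead. The constructor parameter is also still called `isTrusted` while the field it fills became `contentTrust`; renaming the parameter `contentTrust bool` would finish the rename this commit starts. The code that derives the value from the environment, if any, is outside the hunks shown.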
|
||||||
|
|
|
@ -54,7 +54,7 @@ func NewCreateCommand(dockerCli command.Cli) *cobra.Command {
|
||||||
flags.Bool("help", false, "Print usage")
|
flags.Bool("help", false, "Print usage")
|
||||||
|
|
||||||
command.AddPlatformFlag(flags, &opts.platform)
|
command.AddPlatformFlag(flags, &opts.platform)
|
||||||
command.AddTrustVerificationFlags(flags, &opts.untrusted, dockerCli.IsTrusted())
|
command.AddTrustVerificationFlags(flags, &opts.untrusted, dockerCli.ContentTrustEnabled())
|
||||||
copts = addFlags(flags)
|
copts = addFlags(flags)
|
||||||
return cmd
|
return cmd
|
||||||
}
|
}
|
||||||
|
@ -159,7 +159,6 @@ func newCIDFile(path string) (*cidFile, error) {
|
||||||
return &cidFile{path: path, file: f}, nil
|
return &cidFile{path: path, file: f}, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// nolint: gocyclo
|
|
||||||
func createContainer(ctx context.Context, dockerCli command.Cli, containerConfig *containerConfig, opts *createOptions) (*container.ContainerCreateCreatedBody, error) {
|
func createContainer(ctx context.Context, dockerCli command.Cli, containerConfig *containerConfig, opts *createOptions) (*container.ContainerCreateCreatedBody, error) {
|
||||||
config := containerConfig.Config
|
config := containerConfig.Config
|
||||||
hostConfig := containerConfig.HostConfig
|
hostConfig := containerConfig.HostConfig
|
||||||
|
@ -184,8 +183,7 @@ func createContainer(ctx context.Context, dockerCli command.Cli, containerConfig
|
||||||
if named, ok := ref.(reference.Named); ok {
|
if named, ok := ref.(reference.Named); ok {
|
||||||
namedRef = reference.TagNameOnly(named)
|
namedRef = reference.TagNameOnly(named)
|
||||||
|
|
||||||
isContentTrustEnabled := !opts.untrusted && dockerCli.IsTrusted()
|
if taggedRef, ok := namedRef.(reference.NamedTagged); ok && !opts.untrusted {
|
||||||
if taggedRef, ok := namedRef.(reference.NamedTagged); ok && isContentTrustEnabled {
|
|
||||||
var err error
|
var err error
|
||||||
trustedRef, err = image.TrustedReference(ctx, dockerCli, taggedRef, nil)
|
trustedRef, err = image.TrustedReference(ctx, dockerCli, taggedRef, nil)
|
||||||
if err != nil {
|
if err != nil {
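Review bot: With `dockerCli.IsTrusted()` dropped from the condition, `opts.untrusted` is now the only switch, so a `createOptions` whose `untrusted` field is left at its zero value takes the `TrustedReference` path regardless of the environment — fail-closed, which is the safer direction, but it is a behaviour change for any caller that builds `createOptions` without going through `AddTrustVerificationFlags` (the accompanying test hunk has to set `untrusted: true` for exactly this reason). That contract is worth recording on the field, which is defined outside this hunk: `// untrusted disables content trust verification; the zero value leaves verification on, so callers that bypass the flag setup verify by default.` `createContainer` continues outside the hunk.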
|
||||||
|
|
|
@ -110,6 +110,7 @@ func TestCreateContainerPullsImageIfMissing(t *testing.T) {
|
||||||
body, err := createContainer(context.Background(), cli, config, &createOptions{
|
body, err := createContainer(context.Background(), cli, config, &createOptions{
|
||||||
name: "name",
|
name: "name",
|
||||||
platform: runtime.GOOS,
|
platform: runtime.GOOS,
|
||||||
|
untrusted: true,
|
||||||
})
|
})
|
||||||
assert.NilError(t, err)
|
assert.NilError(t, err)
|
||||||
expected := container.ContainerCreateCreatedBody{ID: containerID}
|
expected := container.ContainerCreateCreatedBody{ID: containerID}
|
||||||
|
|
|
@ -63,7 +63,7 @@ func NewRunCommand(dockerCli command.Cli) *cobra.Command {
|
||||||
flags.Bool("help", false, "Print usage")
|
flags.Bool("help", false, "Print usage")
|
||||||
|
|
||||||
command.AddPlatformFlag(flags, &opts.platform)
|
command.AddPlatformFlag(flags, &opts.platform)
|
||||||
command.AddTrustVerificationFlags(flags, &opts.untrusted, dockerCli.IsTrusted())
|
command.AddTrustVerificationFlags(flags, &opts.untrusted, dockerCli.ContentTrustEnabled())
|
||||||
copts = addFlags(flags)
|
copts = addFlags(flags)
|
||||||
return cmd
|
return cmd
|
||||||
}
|
}
|
||||||
|
|
|
@ -138,7 +138,7 @@ func NewBuildCommand(dockerCli command.Cli) *cobra.Command {
|
||||||
flags.StringVar(&options.target, "target", "", "Set the target build stage to build.")
|
flags.StringVar(&options.target, "target", "", "Set the target build stage to build.")
|
||||||
flags.StringVar(&options.imageIDFile, "iidfile", "", "Write the image ID to the file")
|
flags.StringVar(&options.imageIDFile, "iidfile", "", "Write the image ID to the file")
|
||||||
|
|
||||||
command.AddTrustVerificationFlags(flags, &options.untrusted, dockerCli.IsTrusted())
|
command.AddTrustVerificationFlags(flags, &options.untrusted, dockerCli.ContentTrustEnabled())
|
||||||
command.AddPlatformFlag(flags, &options.platform)
|
command.AddPlatformFlag(flags, &options.platform)
|
||||||
|
|
||||||
flags.BoolVar(&options.squash, "squash", false, "Squash newly built layers into a single new layer")
|
flags.BoolVar(&options.squash, "squash", false, "Squash newly built layers into a single new layer")
|
||||||
|
@ -286,8 +286,7 @@ func runBuild(dockerCli command.Cli, options buildOptions) error {
|
||||||
defer cancel()
|
defer cancel()
|
||||||
|
|
||||||
var resolvedTags []*resolvedTag
|
var resolvedTags []*resolvedTag
|
||||||
isContentTrustEnabled := !options.untrusted && dockerCli.IsTrusted()
|
if !options.untrusted {
|
||||||
if isContentTrustEnabled {
|
|
||||||
translator := func(ctx context.Context, ref reference.NamedTagged) (reference.Canonical, error) {
|
translator := func(ctx context.Context, ref reference.NamedTagged) (reference.Canonical, error) {
|
||||||
return TrustedReference(ctx, dockerCli, ref, nil)
|
return TrustedReference(ctx, dockerCli, ref, nil)
|
||||||
}
|
}
|
||||||
|
@ -295,10 +294,10 @@ func runBuild(dockerCli command.Cli, options buildOptions) error {
|
||||||
if buildCtx != nil {
|
if buildCtx != nil {
|
||||||
// Wrap the tar archive to replace the Dockerfile entry with the rewritten
|
// Wrap the tar archive to replace the Dockerfile entry with the rewritten
|
||||||
// Dockerfile which uses trusted pulls.
|
// Dockerfile which uses trusted pulls.
|
||||||
buildCtx = replaceDockerfileTarWrapper(ctx, buildCtx, relDockerfile, translator, &resolvedTags, isContentTrustEnabled)
|
buildCtx = replaceDockerfileForContentTrust(ctx, buildCtx, relDockerfile, translator, &resolvedTags)
|
||||||
} else if dockerfileCtx != nil {
|
} else if dockerfileCtx != nil {
|
||||||
// if there was not archive context still do the possible replacements in Dockerfile
|
// if there was not archive context still do the possible replacements in Dockerfile
|
||||||
newDockerfile, _, err := rewriteDockerfileFrom(ctx, dockerfileCtx, translator, isContentTrustEnabled)
|
newDockerfile, _, err := rewriteDockerfileFrom(ctx, dockerfileCtx, translator, !options.untrusted)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
@ -462,7 +461,7 @@ func runBuild(dockerCli command.Cli, options buildOptions) error {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
if !options.untrusted && dockerCli.IsTrusted() {
|
if !options.untrusted {
|
||||||
// Since the build was successful, now we must tag any of the resolved
|
// Since the build was successful, now we must tag any of the resolved
|
||||||
// images from the above Dockerfile rewrite.
|
// images from the above Dockerfile rewrite.
|
||||||
for _, resolved := range resolvedTags {
|
for _, resolved := range resolvedTags {
|
||||||
|
@ -545,11 +544,10 @@ func rewriteDockerfileFrom(ctx context.Context, dockerfile io.Reader, translator
|
||||||
return buf.Bytes(), resolvedTags, scanner.Err()
|
return buf.Bytes(), resolvedTags, scanner.Err()
|
||||||
}
|
}
|
||||||
|
|
||||||
// replaceDockerfileTarWrapper wraps the given input tar archive stream and
|
// replaceDockerfileForContentTrust wraps the given input tar archive stream and
|
||||||
// replaces the entry with the given Dockerfile name with the contents of the
|
// uses the translator to replace the Dockerfile which uses a trusted reference.
|
||||||
// new Dockerfile. Returns a new tar archive stream with the replaced
|
// Returns a new tar archive stream with the replaced Dockerfile.
|
||||||
// Dockerfile.
|
func replaceDockerfileForContentTrust(ctx context.Context, inputTarStream io.ReadCloser, dockerfileName string, translator translatorFunc, resolvedTags *[]*resolvedTag) io.ReadCloser {
|
||||||
func replaceDockerfileTarWrapper(ctx context.Context, inputTarStream io.ReadCloser, dockerfileName string, translator translatorFunc, resolvedTags *[]*resolvedTag, istrusted bool) io.ReadCloser {
|
|
||||||
pipeReader, pipeWriter := io.Pipe()
|
pipeReader, pipeWriter := io.Pipe()
|
||||||
go func() {
|
go func() {
|
||||||
tarReader := tar.NewReader(inputTarStream)
|
tarReader := tar.NewReader(inputTarStream)
|
||||||
|
@ -576,7 +574,7 @@ func replaceDockerfileTarWrapper(ctx context.Context, inputTarStream io.ReadClos
|
||||||
// generated from a directory on the local filesystem, the
|
// generated from a directory on the local filesystem, the
|
||||||
// Dockerfile will only appear once in the archive.
|
// Dockerfile will only appear once in the archive.
|
||||||
var newDockerfile []byte
|
var newDockerfile []byte
|
||||||
newDockerfile, *resolvedTags, err = rewriteDockerfileFrom(ctx, content, translator, istrusted)
|
newDockerfile, *resolvedTags, err = rewriteDockerfileFrom(ctx, content, translator, true)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
pipeWriter.CloseWithError(err)
|
pipeWriter.CloseWithError(err)
|
||||||
return
|
return
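Review bot: The two `rewriteDockerfileFrom` call sites in the `@ -295` and `@ -576` hunks now disagree: the tar-wrapper path hard-codes `true` while the bare-Dockerfile path passes `!options.untrusted`, yet both appear to sit inside the `if !options.untrusted {` block opened in the `@ -286` hunk (the shared `translator` closure is only in scope there), so the argument is always `true` and the boolean parameter carries no information any more. Either pass `true` in both places for consistency, or — cleaner — drop the bool from `rewriteDockerfileFrom` altogether since it is now only reached with content trust on; if the `else if dockerfileCtx != nil` branch is in fact outside that block, then the tar path rewriting `FROM` lines unconditionally would be the real bug, so please confirm which holds. `rewriteDockerfileFrom`'s signature and body, and the rest of `runBuild`, are outside the hunks shown.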
|
||||||
|
|
|
@ -107,6 +107,7 @@ COPY data /data
|
||||||
options := newBuildOptions()
|
options := newBuildOptions()
|
||||||
options.context = dir.Path()
|
options.context = dir.Path()
|
||||||
options.dockerfileName = df.Path()
|
options.dockerfileName = df.Path()
|
||||||
|
options.untrusted = true
|
||||||
|
|
||||||
err = runBuild(cli, options)
|
err = runBuild(cli, options)
|
||||||
assert.NilError(t, err)
|
assert.NilError(t, err)
|
||||||
|
|
|
@ -39,7 +39,7 @@ func NewPullCommand(dockerCli command.Cli) *cobra.Command {
|
||||||
flags.BoolVarP(&opts.all, "all-tags", "a", false, "Download all tagged images in the repository")
|
flags.BoolVarP(&opts.all, "all-tags", "a", false, "Download all tagged images in the repository")
|
||||||
|
|
||||||
command.AddPlatformFlag(flags, &opts.platform)
|
command.AddPlatformFlag(flags, &opts.platform)
|
||||||
command.AddTrustVerificationFlags(flags, &opts.untrusted, dockerCli.IsTrusted())
|
command.AddTrustVerificationFlags(flags, &opts.untrusted, dockerCli.ContentTrustEnabled())
|
||||||
|
|
||||||
return cmd
|
return cmd
|
||||||
}
|
}
|
||||||
|
@ -66,7 +66,7 @@ func runPull(cli command.Cli, opts pullOptions) error {
|
||||||
|
|
||||||
// Check if reference has a digest
|
// Check if reference has a digest
|
||||||
_, isCanonical := distributionRef.(reference.Canonical)
|
_, isCanonical := distributionRef.(reference.Canonical)
|
||||||
if !opts.untrusted && cli.IsTrusted() && !isCanonical {
|
if !opts.untrusted && !isCanonical {
|
||||||
err = trustedPull(ctx, cli, imgRefAndAuth, opts.platform)
|
err = trustedPull(ctx, cli, imgRefAndAuth, opts.platform)
|
||||||
} else {
|
} else {
|
||||||
err = imagePullPrivileged(ctx, cli, imgRefAndAuth, opts.all, opts.platform)
|
err = imagePullPrivileged(ctx, cli, imgRefAndAuth, opts.all, opts.platform)
|
||||||
|
|
|
@ -110,7 +110,7 @@ func TestNewPullCommandWithContentTrustErrors(t *testing.T) {
|
||||||
imagePullFunc: func(ref string, options types.ImagePullOptions) (io.ReadCloser, error) {
|
imagePullFunc: func(ref string, options types.ImagePullOptions) (io.ReadCloser, error) {
|
||||||
return ioutil.NopCloser(strings.NewReader("")), fmt.Errorf("shouldn't try to pull image")
|
return ioutil.NopCloser(strings.NewReader("")), fmt.Errorf("shouldn't try to pull image")
|
||||||
},
|
},
|
||||||
}, test.IsTrusted)
|
}, test.EnableContentTrust)
|
||||||
cli.SetNotaryClient(tc.notaryFunc)
|
cli.SetNotaryClient(tc.notaryFunc)
|
||||||
cmd := NewPullCommand(cli)
|
cmd := NewPullCommand(cli)
|
||||||
cmd.SetOutput(ioutil.Discard)
|
cmd.SetOutput(ioutil.Discard)
|
||||||
|
|
|
@ -32,7 +32,7 @@ func NewPushCommand(dockerCli command.Cli) *cobra.Command {
|
||||||
|
|
||||||
flags := cmd.Flags()
|
flags := cmd.Flags()
|
||||||
|
|
||||||
command.AddTrustSigningFlags(flags, &opts.untrusted, dockerCli.IsTrusted())
|
command.AddTrustSigningFlags(flags, &opts.untrusted, dockerCli.ContentTrustEnabled())
|
||||||
|
|
||||||
return cmd
|
return cmd
|
||||||
}
|
}
|
||||||
|
@ -55,7 +55,7 @@ func runPush(dockerCli command.Cli, opts pushOptions) error {
|
||||||
authConfig := command.ResolveAuthConfig(ctx, dockerCli, repoInfo.Index)
|
authConfig := command.ResolveAuthConfig(ctx, dockerCli, repoInfo.Index)
|
||||||
requestPrivilege := command.RegistryAuthenticationPrivilegedFunc(dockerCli, repoInfo.Index, "push")
|
requestPrivilege := command.RegistryAuthenticationPrivilegedFunc(dockerCli, repoInfo.Index, "push")
|
||||||
|
|
||||||
if !opts.untrusted && dockerCli.IsTrusted() {
|
if !opts.untrusted {
|
||||||
return TrustedPush(ctx, dockerCli, repoInfo, ref, authConfig, requestPrivilege)
|
return TrustedPush(ctx, dockerCli, repoInfo, ref, authConfig, requestPrivilege)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -29,7 +29,7 @@ type pluginOptions struct {
|
||||||
|
|
||||||
func loadPullFlags(dockerCli command.Cli, opts *pluginOptions, flags *pflag.FlagSet) {
|
func loadPullFlags(dockerCli command.Cli, opts *pluginOptions, flags *pflag.FlagSet) {
|
||||||
flags.BoolVar(&opts.grantPerms, "grant-all-permissions", false, "Grant all permissions necessary to run the plugin")
|
flags.BoolVar(&opts.grantPerms, "grant-all-permissions", false, "Grant all permissions necessary to run the plugin")
|
||||||
command.AddTrustVerificationFlags(flags, &opts.untrusted, dockerCli.IsTrusted())
|
command.AddTrustVerificationFlags(flags, &opts.untrusted, dockerCli.ContentTrustEnabled())
|
||||||
}
|
}
|
||||||
|
|
||||||
func newInstallCommand(dockerCli command.Cli) *cobra.Command {
|
func newInstallCommand(dockerCli command.Cli) *cobra.Command {
|
||||||
|
@ -91,7 +91,7 @@ func buildPullConfig(ctx context.Context, dockerCli command.Cli, opts pluginOpti
|
||||||
remote := ref.String()
|
remote := ref.String()
|
||||||
|
|
||||||
_, isCanonical := ref.(reference.Canonical)
|
_, isCanonical := ref.(reference.Canonical)
|
||||||
if !opts.untrusted && dockerCli.IsTrusted() && !isCanonical {
|
if !opts.untrusted && !isCanonical {
|
||||||
ref = reference.TagNameOnly(ref)
|
ref = reference.TagNameOnly(ref)
|
||||||
nt, ok := ref.(reference.NamedTagged)
|
nt, ok := ref.(reference.NamedTagged)
|
||||||
if !ok {
|
if !ok {
|
||||||
|
|
|
@ -32,7 +32,7 @@ func newPushCommand(dockerCli command.Cli) *cobra.Command {
|
||||||
|
|
||||||
flags := cmd.Flags()
|
flags := cmd.Flags()
|
||||||
|
|
||||||
command.AddTrustSigningFlags(flags, &opts.untrusted, dockerCli.IsTrusted())
|
command.AddTrustSigningFlags(flags, &opts.untrusted, dockerCli.ContentTrustEnabled())
|
||||||
|
|
||||||
return cmd
|
return cmd
|
||||||
}
|
}
|
||||||
|
@ -67,7 +67,7 @@ func runPush(dockerCli command.Cli, opts pushOptions) error {
|
||||||
}
|
}
|
||||||
defer responseBody.Close()
|
defer responseBody.Close()
|
||||||
|
|
||||||
if !opts.untrusted && dockerCli.IsTrusted() {
|
if !opts.untrusted {
|
||||||
repoInfo.Class = "plugin"
|
repoInfo.Class = "plugin"
|
||||||
return image.PushTrustedReference(dockerCli, repoInfo, named, authConfig, responseBody)
|
return image.PushTrustedReference(dockerCli, repoInfo, named, authConfig, responseBody)
|
||||||
}
|
}
|
||||||
|
|
|
@ -16,7 +16,7 @@ import (
|
||||||
)
|
)
|
||||||
|
|
||||||
func resolveServiceImageDigestContentTrust(dockerCli command.Cli, service *swarm.ServiceSpec) error {
|
func resolveServiceImageDigestContentTrust(dockerCli command.Cli, service *swarm.ServiceSpec) error {
|
||||||
if !dockerCli.IsTrusted() {
|
if !dockerCli.ContentTrustEnabled() {
|
||||||
// When not using content trust, digest resolution happens later when
|
// When not using content trust, digest resolution happens later when
|
||||||
// contacting the registry to retrieve image information.
|
// contacting the registry to retrieve image information.
|
||||||
return nil
|
return nil
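Review bot: `resolveServiceImageDigestContentTrust` still keys off `dockerCli.ContentTrustEnabled()` alone, whereas every other call site in this commit moved to the per-command `opts.untrusted` so that `--disable-content-trust` is the single source of truth. If the service create/update commands expose that flag as well (not visible here), a user passing `--disable-content-trust` with the environment variable set would still have digests resolved through Notary on this path, and conversely the flag could not turn verification on for services; consider threading the option through, e.g. `func resolveServiceImageDigestContentTrust(dockerCli command.Cli, service *swarm.ServiceSpec, untrusted bool) error` guarded by `if untrusted {`, or add a comment explaining why this path intentionally remains environment-only. The function body continues outside the hunk.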
|
||||||
|
|
|
@ -34,7 +34,7 @@ type FakeCli struct {
|
||||||
notaryClientFunc NotaryClientFuncType
|
notaryClientFunc NotaryClientFuncType
|
||||||
manifestStore manifeststore.Store
|
manifestStore manifeststore.Store
|
||||||
registryClient registryclient.RegistryClient
|
registryClient registryclient.RegistryClient
|
||||||
isTrusted bool
|
contentTrust bool
|
||||||
}
|
}
|
||||||
|
|
||||||
// NewFakeCli returns a fake for the command.Cli interface
|
// NewFakeCli returns a fake for the command.Cli interface
|
||||||
|
@ -158,12 +158,12 @@ func (c *FakeCli) SetRegistryClient(client registryclient.RegistryClient) {
|
||||||
c.registryClient = client
|
c.registryClient = client
|
||||||
}
|
}
|
||||||
|
|
||||||
// IsTrusted on the fake cli
|
// ContentTrustEnabled on the fake cli
|
||||||
func (c *FakeCli) IsTrusted() bool {
|
func (c *FakeCli) ContentTrustEnabled() bool {
|
||||||
return c.isTrusted
|
return c.contentTrust
|
||||||
}
|
}
|
||||||
|
|
||||||
// IsTrusted sets "enables" content trust on the fake cli
|
// EnableContentTrust on the fake cli
|
||||||
func IsTrusted(c *FakeCli) {
|
func EnableContentTrust(c *FakeCli) {
|
||||||
c.isTrusted = true
|
c.contentTrust = true
|
||||||
}
|
}
|
||||||
|
|