Only read trust setting from options

Rename IsTrusted to ContentTrustEnabled

Signed-off-by: Daniel Nephin <dnephin@docker.com>
This commit is contained in:
Daniel Nephin 2018-03-08 14:56:56 -05:00
parent 6e21829af4
commit feae0e9756
13 changed files with 48 additions and 49 deletions

View File

@ -52,7 +52,7 @@ type Cli interface {
DefaultVersion() string DefaultVersion() string
ManifestStore() manifeststore.Store ManifestStore() manifeststore.Store
RegistryClient(bool) registryclient.RegistryClient RegistryClient(bool) registryclient.RegistryClient
IsTrusted() bool ContentTrustEnabled() bool
} }
// DockerCli is an instance the docker command line client. // DockerCli is an instance the docker command line client.
@ -65,7 +65,7 @@ type DockerCli struct {
client client.APIClient client client.APIClient
serverInfo ServerInfo serverInfo ServerInfo
clientInfo ClientInfo clientInfo ClientInfo
isTrusted bool contentTrust bool
} }
// DefaultVersion returns api.defaultVersion or DOCKER_API_VERSION if specified. // DefaultVersion returns api.defaultVersion or DOCKER_API_VERSION if specified.
@ -123,9 +123,10 @@ func (cli *DockerCli) ClientInfo() ClientInfo {
return cli.clientInfo return cli.clientInfo
} }
// IsTrusted returns if content trust is enabled for the cli // ContentTrustEnabled returns if content trust has been enabled by an
func (cli *DockerCli) IsTrusted() bool { // environment variable.
return cli.isTrusted func (cli *DockerCli) ContentTrustEnabled() bool {
return cli.contentTrust
} }
// ManifestStore returns a store for local manifests // ManifestStore returns a store for local manifests
@ -245,7 +246,7 @@ func (c ClientInfo) HasKubernetes() bool {
// NewDockerCli returns a DockerCli instance with IO output and error streams set by in, out and err. // NewDockerCli returns a DockerCli instance with IO output and error streams set by in, out and err.
func NewDockerCli(in io.ReadCloser, out, err io.Writer, isTrusted bool) *DockerCli { func NewDockerCli(in io.ReadCloser, out, err io.Writer, isTrusted bool) *DockerCli {
return &DockerCli{in: NewInStream(in), out: NewOutStream(out), err: err, isTrusted: isTrusted} return &DockerCli{in: NewInStream(in), out: NewOutStream(out), err: err, contentTrust: isTrusted}
} }
// NewAPIClientFromFlags creates a new APIClient from command line flags // NewAPIClientFromFlags creates a new APIClient from command line flags

View File

@ -54,7 +54,7 @@ func NewCreateCommand(dockerCli command.Cli) *cobra.Command {
flags.Bool("help", false, "Print usage") flags.Bool("help", false, "Print usage")
command.AddPlatformFlag(flags, &opts.platform) command.AddPlatformFlag(flags, &opts.platform)
command.AddTrustVerificationFlags(flags, &opts.untrusted, dockerCli.IsTrusted()) command.AddTrustVerificationFlags(flags, &opts.untrusted, dockerCli.ContentTrustEnabled())
copts = addFlags(flags) copts = addFlags(flags)
return cmd return cmd
} }
@ -159,7 +159,6 @@ func newCIDFile(path string) (*cidFile, error) {
return &cidFile{path: path, file: f}, nil return &cidFile{path: path, file: f}, nil
} }
// nolint: gocyclo
func createContainer(ctx context.Context, dockerCli command.Cli, containerConfig *containerConfig, opts *createOptions) (*container.ContainerCreateCreatedBody, error) { func createContainer(ctx context.Context, dockerCli command.Cli, containerConfig *containerConfig, opts *createOptions) (*container.ContainerCreateCreatedBody, error) {
config := containerConfig.Config config := containerConfig.Config
hostConfig := containerConfig.HostConfig hostConfig := containerConfig.HostConfig
@ -184,8 +183,7 @@ func createContainer(ctx context.Context, dockerCli command.Cli, containerConfig
if named, ok := ref.(reference.Named); ok { if named, ok := ref.(reference.Named); ok {
namedRef = reference.TagNameOnly(named) namedRef = reference.TagNameOnly(named)
isContentTrustEnabled := !opts.untrusted && dockerCli.IsTrusted() if taggedRef, ok := namedRef.(reference.NamedTagged); ok && !opts.untrusted {
if taggedRef, ok := namedRef.(reference.NamedTagged); ok && isContentTrustEnabled {
var err error var err error
trustedRef, err = image.TrustedReference(ctx, dockerCli, taggedRef, nil) trustedRef, err = image.TrustedReference(ctx, dockerCli, taggedRef, nil)
if err != nil { if err != nil {

View File

@ -110,6 +110,7 @@ func TestCreateContainerPullsImageIfMissing(t *testing.T) {
body, err := createContainer(context.Background(), cli, config, &createOptions{ body, err := createContainer(context.Background(), cli, config, &createOptions{
name: "name", name: "name",
platform: runtime.GOOS, platform: runtime.GOOS,
untrusted: true,
}) })
assert.NilError(t, err) assert.NilError(t, err)
expected := container.ContainerCreateCreatedBody{ID: containerID} expected := container.ContainerCreateCreatedBody{ID: containerID}

View File

@ -63,7 +63,7 @@ func NewRunCommand(dockerCli command.Cli) *cobra.Command {
flags.Bool("help", false, "Print usage") flags.Bool("help", false, "Print usage")
command.AddPlatformFlag(flags, &opts.platform) command.AddPlatformFlag(flags, &opts.platform)
command.AddTrustVerificationFlags(flags, &opts.untrusted, dockerCli.IsTrusted()) command.AddTrustVerificationFlags(flags, &opts.untrusted, dockerCli.ContentTrustEnabled())
copts = addFlags(flags) copts = addFlags(flags)
return cmd return cmd
} }

View File

@ -138,7 +138,7 @@ func NewBuildCommand(dockerCli command.Cli) *cobra.Command {
flags.StringVar(&options.target, "target", "", "Set the target build stage to build.") flags.StringVar(&options.target, "target", "", "Set the target build stage to build.")
flags.StringVar(&options.imageIDFile, "iidfile", "", "Write the image ID to the file") flags.StringVar(&options.imageIDFile, "iidfile", "", "Write the image ID to the file")
command.AddTrustVerificationFlags(flags, &options.untrusted, dockerCli.IsTrusted()) command.AddTrustVerificationFlags(flags, &options.untrusted, dockerCli.ContentTrustEnabled())
command.AddPlatformFlag(flags, &options.platform) command.AddPlatformFlag(flags, &options.platform)
flags.BoolVar(&options.squash, "squash", false, "Squash newly built layers into a single new layer") flags.BoolVar(&options.squash, "squash", false, "Squash newly built layers into a single new layer")
@ -286,8 +286,7 @@ func runBuild(dockerCli command.Cli, options buildOptions) error {
defer cancel() defer cancel()
var resolvedTags []*resolvedTag var resolvedTags []*resolvedTag
isContentTrustEnabled := !options.untrusted && dockerCli.IsTrusted() if !options.untrusted {
if isContentTrustEnabled {
translator := func(ctx context.Context, ref reference.NamedTagged) (reference.Canonical, error) { translator := func(ctx context.Context, ref reference.NamedTagged) (reference.Canonical, error) {
return TrustedReference(ctx, dockerCli, ref, nil) return TrustedReference(ctx, dockerCli, ref, nil)
} }
@ -295,10 +294,10 @@ func runBuild(dockerCli command.Cli, options buildOptions) error {
if buildCtx != nil { if buildCtx != nil {
// Wrap the tar archive to replace the Dockerfile entry with the rewritten // Wrap the tar archive to replace the Dockerfile entry with the rewritten
// Dockerfile which uses trusted pulls. // Dockerfile which uses trusted pulls.
buildCtx = replaceDockerfileTarWrapper(ctx, buildCtx, relDockerfile, translator, &resolvedTags, isContentTrustEnabled) buildCtx = replaceDockerfileForContentTrust(ctx, buildCtx, relDockerfile, translator, &resolvedTags)
} else if dockerfileCtx != nil { } else if dockerfileCtx != nil {
// if there was not archive context still do the possible replacements in Dockerfile // if there was not archive context still do the possible replacements in Dockerfile
newDockerfile, _, err := rewriteDockerfileFrom(ctx, dockerfileCtx, translator, isContentTrustEnabled) newDockerfile, _, err := rewriteDockerfileFrom(ctx, dockerfileCtx, translator, !options.untrusted)
if err != nil { if err != nil {
return err return err
} }
@ -462,7 +461,7 @@ func runBuild(dockerCli command.Cli, options buildOptions) error {
return err return err
} }
} }
if !options.untrusted && dockerCli.IsTrusted() { if !options.untrusted {
// Since the build was successful, now we must tag any of the resolved // Since the build was successful, now we must tag any of the resolved
// images from the above Dockerfile rewrite. // images from the above Dockerfile rewrite.
for _, resolved := range resolvedTags { for _, resolved := range resolvedTags {
@ -545,11 +544,10 @@ func rewriteDockerfileFrom(ctx context.Context, dockerfile io.Reader, translator
return buf.Bytes(), resolvedTags, scanner.Err() return buf.Bytes(), resolvedTags, scanner.Err()
} }
// replaceDockerfileTarWrapper wraps the given input tar archive stream and // replaceDockerfileForContentTrust wraps the given input tar archive stream and
// replaces the entry with the given Dockerfile name with the contents of the // uses the translator to replace the Dockerfile which uses a trusted reference.
// new Dockerfile. Returns a new tar archive stream with the replaced // Returns a new tar archive stream with the replaced Dockerfile.
// Dockerfile. func replaceDockerfileForContentTrust(ctx context.Context, inputTarStream io.ReadCloser, dockerfileName string, translator translatorFunc, resolvedTags *[]*resolvedTag) io.ReadCloser {
func replaceDockerfileTarWrapper(ctx context.Context, inputTarStream io.ReadCloser, dockerfileName string, translator translatorFunc, resolvedTags *[]*resolvedTag, istrusted bool) io.ReadCloser {
pipeReader, pipeWriter := io.Pipe() pipeReader, pipeWriter := io.Pipe()
go func() { go func() {
tarReader := tar.NewReader(inputTarStream) tarReader := tar.NewReader(inputTarStream)
@ -576,7 +574,7 @@ func replaceDockerfileTarWrapper(ctx context.Context, inputTarStream io.ReadClos
// generated from a directory on the local filesystem, the // generated from a directory on the local filesystem, the
// Dockerfile will only appear once in the archive. // Dockerfile will only appear once in the archive.
var newDockerfile []byte var newDockerfile []byte
newDockerfile, *resolvedTags, err = rewriteDockerfileFrom(ctx, content, translator, istrusted) newDockerfile, *resolvedTags, err = rewriteDockerfileFrom(ctx, content, translator, true)
if err != nil { if err != nil {
pipeWriter.CloseWithError(err) pipeWriter.CloseWithError(err)
return return

View File

@ -107,6 +107,7 @@ COPY data /data
options := newBuildOptions() options := newBuildOptions()
options.context = dir.Path() options.context = dir.Path()
options.dockerfileName = df.Path() options.dockerfileName = df.Path()
options.untrusted = true
err = runBuild(cli, options) err = runBuild(cli, options)
assert.NilError(t, err) assert.NilError(t, err)

View File

@ -39,7 +39,7 @@ func NewPullCommand(dockerCli command.Cli) *cobra.Command {
flags.BoolVarP(&opts.all, "all-tags", "a", false, "Download all tagged images in the repository") flags.BoolVarP(&opts.all, "all-tags", "a", false, "Download all tagged images in the repository")
command.AddPlatformFlag(flags, &opts.platform) command.AddPlatformFlag(flags, &opts.platform)
command.AddTrustVerificationFlags(flags, &opts.untrusted, dockerCli.IsTrusted()) command.AddTrustVerificationFlags(flags, &opts.untrusted, dockerCli.ContentTrustEnabled())
return cmd return cmd
} }
@ -66,7 +66,7 @@ func runPull(cli command.Cli, opts pullOptions) error {
// Check if reference has a digest // Check if reference has a digest
_, isCanonical := distributionRef.(reference.Canonical) _, isCanonical := distributionRef.(reference.Canonical)
if !opts.untrusted && cli.IsTrusted() && !isCanonical { if !opts.untrusted && !isCanonical {
err = trustedPull(ctx, cli, imgRefAndAuth, opts.platform) err = trustedPull(ctx, cli, imgRefAndAuth, opts.platform)
} else { } else {
err = imagePullPrivileged(ctx, cli, imgRefAndAuth, opts.all, opts.platform) err = imagePullPrivileged(ctx, cli, imgRefAndAuth, opts.all, opts.platform)

View File

@ -110,7 +110,7 @@ func TestNewPullCommandWithContentTrustErrors(t *testing.T) {
imagePullFunc: func(ref string, options types.ImagePullOptions) (io.ReadCloser, error) { imagePullFunc: func(ref string, options types.ImagePullOptions) (io.ReadCloser, error) {
return ioutil.NopCloser(strings.NewReader("")), fmt.Errorf("shouldn't try to pull image") return ioutil.NopCloser(strings.NewReader("")), fmt.Errorf("shouldn't try to pull image")
}, },
}, test.IsTrusted) }, test.EnableContentTrust)
cli.SetNotaryClient(tc.notaryFunc) cli.SetNotaryClient(tc.notaryFunc)
cmd := NewPullCommand(cli) cmd := NewPullCommand(cli)
cmd.SetOutput(ioutil.Discard) cmd.SetOutput(ioutil.Discard)

View File

@ -32,7 +32,7 @@ func NewPushCommand(dockerCli command.Cli) *cobra.Command {
flags := cmd.Flags() flags := cmd.Flags()
command.AddTrustSigningFlags(flags, &opts.untrusted, dockerCli.IsTrusted()) command.AddTrustSigningFlags(flags, &opts.untrusted, dockerCli.ContentTrustEnabled())
return cmd return cmd
} }
@ -55,7 +55,7 @@ func runPush(dockerCli command.Cli, opts pushOptions) error {
authConfig := command.ResolveAuthConfig(ctx, dockerCli, repoInfo.Index) authConfig := command.ResolveAuthConfig(ctx, dockerCli, repoInfo.Index)
requestPrivilege := command.RegistryAuthenticationPrivilegedFunc(dockerCli, repoInfo.Index, "push") requestPrivilege := command.RegistryAuthenticationPrivilegedFunc(dockerCli, repoInfo.Index, "push")
if !opts.untrusted && dockerCli.IsTrusted() { if !opts.untrusted {
return TrustedPush(ctx, dockerCli, repoInfo, ref, authConfig, requestPrivilege) return TrustedPush(ctx, dockerCli, repoInfo, ref, authConfig, requestPrivilege)
} }

View File

@ -29,7 +29,7 @@ type pluginOptions struct {
func loadPullFlags(dockerCli command.Cli, opts *pluginOptions, flags *pflag.FlagSet) { func loadPullFlags(dockerCli command.Cli, opts *pluginOptions, flags *pflag.FlagSet) {
flags.BoolVar(&opts.grantPerms, "grant-all-permissions", false, "Grant all permissions necessary to run the plugin") flags.BoolVar(&opts.grantPerms, "grant-all-permissions", false, "Grant all permissions necessary to run the plugin")
command.AddTrustVerificationFlags(flags, &opts.untrusted, dockerCli.IsTrusted()) command.AddTrustVerificationFlags(flags, &opts.untrusted, dockerCli.ContentTrustEnabled())
} }
func newInstallCommand(dockerCli command.Cli) *cobra.Command { func newInstallCommand(dockerCli command.Cli) *cobra.Command {
@ -91,7 +91,7 @@ func buildPullConfig(ctx context.Context, dockerCli command.Cli, opts pluginOpti
remote := ref.String() remote := ref.String()
_, isCanonical := ref.(reference.Canonical) _, isCanonical := ref.(reference.Canonical)
if !opts.untrusted && dockerCli.IsTrusted() && !isCanonical { if !opts.untrusted && !isCanonical {
ref = reference.TagNameOnly(ref) ref = reference.TagNameOnly(ref)
nt, ok := ref.(reference.NamedTagged) nt, ok := ref.(reference.NamedTagged)
if !ok { if !ok {

View File

@ -32,7 +32,7 @@ func newPushCommand(dockerCli command.Cli) *cobra.Command {
flags := cmd.Flags() flags := cmd.Flags()
command.AddTrustSigningFlags(flags, &opts.untrusted, dockerCli.IsTrusted()) command.AddTrustSigningFlags(flags, &opts.untrusted, dockerCli.ContentTrustEnabled())
return cmd return cmd
} }
@ -67,7 +67,7 @@ func runPush(dockerCli command.Cli, opts pushOptions) error {
} }
defer responseBody.Close() defer responseBody.Close()
if !opts.untrusted && dockerCli.IsTrusted() { if !opts.untrusted {
repoInfo.Class = "plugin" repoInfo.Class = "plugin"
return image.PushTrustedReference(dockerCli, repoInfo, named, authConfig, responseBody) return image.PushTrustedReference(dockerCli, repoInfo, named, authConfig, responseBody)
} }

View File

@ -16,7 +16,7 @@ import (
) )
func resolveServiceImageDigestContentTrust(dockerCli command.Cli, service *swarm.ServiceSpec) error { func resolveServiceImageDigestContentTrust(dockerCli command.Cli, service *swarm.ServiceSpec) error {
if !dockerCli.IsTrusted() { if !dockerCli.ContentTrustEnabled() {
// When not using content trust, digest resolution happens later when // When not using content trust, digest resolution happens later when
// contacting the registry to retrieve image information. // contacting the registry to retrieve image information.
return nil return nil

View File

@ -34,7 +34,7 @@ type FakeCli struct {
notaryClientFunc NotaryClientFuncType notaryClientFunc NotaryClientFuncType
manifestStore manifeststore.Store manifestStore manifeststore.Store
registryClient registryclient.RegistryClient registryClient registryclient.RegistryClient
isTrusted bool contentTrust bool
} }
// NewFakeCli returns a fake for the command.Cli interface // NewFakeCli returns a fake for the command.Cli interface
@ -158,12 +158,12 @@ func (c *FakeCli) SetRegistryClient(client registryclient.RegistryClient) {
c.registryClient = client c.registryClient = client
} }
// IsTrusted on the fake cli // ContentTrustEnabled on the fake cli
func (c *FakeCli) IsTrusted() bool { func (c *FakeCli) ContentTrustEnabled() bool {
return c.isTrusted return c.contentTrust
} }
// IsTrusted sets "enables" content trust on the fake cli // EnableContentTrust on the fake cli
func IsTrusted(c *FakeCli) { func EnableContentTrust(c *FakeCli) {
c.isTrusted = true c.contentTrust = true
} }