moby--moby/cli/command/trust.go

package command

import (
	"os"
	"strconv"

	"github.com/spf13/pflag"
)

var (
	// TODO: make this not global
	untrusted bool
)

// AddTrustVerificationFlags adds content trust flags to the provided flagset
func AddTrustVerificationFlags(fs *pflag.FlagSet) {
	trusted := getDefaultTrustState()
	fs.BoolVar(&untrusted, "disable-content-trust", !trusted, "Skip image verification")
}

// AddTrustSigningFlags adds "signing" flags to the provided flagset
func AddTrustSigningFlags(fs *pflag.FlagSet) {
	trusted := getDefaultTrustState()
	fs.BoolVar(&untrusted, "disable-content-trust", !trusted, "Skip image signing")
}

// getDefaultTrustState returns true if content trust is enabled through the $DOCKER_CONTENT_TRUST environment variable.
func getDefaultTrustState() bool {
	var trusted bool
	if e := os.Getenv("DOCKER_CONTENT_TRUST"); e != "" {
		if t, err := strconv.ParseBool(e); t || err != nil {
			// treat any other value as true
			trusted = true
		}
	}
	return trusted
}

// IsTrusted returns true if content trust is enabled, either through the $DOCKER_CONTENT_TRUST environment variable,
// or through `--disabled-content-trust=false` on a command.
func IsTrusted() bool {
	return !untrusted
}
Move api/client -> cli/command Using gomvpkg -from github.com/docker/docker/api/client -to github.com/docker/docker/cli/command -vcs_mv_cmd 'git mv {{.Src}} {{.Dst}}' Signed-off-by: Daniel Nephin <dnephin@docker.com> 2016-09-08 13:11:39 -04:00			`package command`
Use notary library for trusted image fetch and signing Add a trusted flag to force the cli to resolve a tag into a digest via the notary trust library and pull by digest. On push the flag the trust flag will indicate the digest and size of a manifest should be signed and push to a notary server. If a tag is given, the cli will resolve the tag into a digest and pull by digest. After pulling, if a tag is given the cli makes a request to tag the image. Use certificate directory for notary requests Read certificates using same logic used by daemon for registry requests. Catch JSON syntax errors from Notary client When an uncaught error occurs in Notary it may show up in Docker as a JSON syntax error, causing a confusing error message to the user. Provide a generic error when a JSON syntax error occurs. Catch expiration errors and wrap in additional context. Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan) 2015-07-15 16:42:45 -04:00
			`import (`
			`"os"`
			`"strconv"`

Convert 'docker run' to a cobra command and to use pflags Move container options into a struct so that tests should pass. Remove unused FlagSet arg from Parse Disable interspersed args on docker run Signed-off-by: Daniel Nephin <dnephin@docker.com> 2016-05-31 19:49:32 -04:00			`"github.com/spf13/pflag"`
Use notary library for trusted image fetch and signing Add a trusted flag to force the cli to resolve a tag into a digest via the notary trust library and pull by digest. On push the flag the trust flag will indicate the digest and size of a manifest should be signed and push to a notary server. If a tag is given, the cli will resolve the tag into a digest and pull by digest. After pulling, if a tag is given the cli makes a request to tag the image. Use certificate directory for notary requests Read certificates using same logic used by daemon for registry requests. Catch JSON syntax errors from Notary client When an uncaught error occurs in Notary it may show up in Docker as a JSON syntax error, causing a confusing error message to the user. Provide a generic error when a JSON syntax error occurs. Catch expiration errors and wrap in additional context. Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan) 2015-07-15 16:42:45 -04:00			`)`

Notary delegation integration into docker Signed-off-by: Riyaz Faizullabhoy <riyaz.faizullabhoy@docker.com> 2015-12-18 21:47:35 -05:00			`var (`
Move image trust related cli methods into the image package. Signed-off-by: Daniel Nephin <dnephin@docker.com> 2016-08-29 14:45:29 -04:00			`// TODO: make this not global`
			`untrusted bool`
Notary delegation integration into docker Signed-off-by: Riyaz Faizullabhoy <riyaz.faizullabhoy@docker.com> 2015-12-18 21:47:35 -05:00			`)`
Use notary library for trusted image fetch and signing Add a trusted flag to force the cli to resolve a tag into a digest via the notary trust library and pull by digest. On push the flag the trust flag will indicate the digest and size of a manifest should be signed and push to a notary server. If a tag is given, the cli will resolve the tag into a digest and pull by digest. After pulling, if a tag is given the cli makes a request to tag the image. Use certificate directory for notary requests Read certificates using same logic used by daemon for registry requests. Catch JSON syntax errors from Notary client When an uncaught error occurs in Notary it may show up in Docker as a JSON syntax error, causing a confusing error message to the user. Provide a generic error when a JSON syntax error occurs. Catch expiration errors and wrap in additional context. Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan) 2015-07-15 16:42:45 -04:00
fix flag descriptions for content-trust Commit ed13c3abfb242905ec012e8255dc6f26dcf122f6 added flags for Docker Content Trust. Depending on the `verify` boolean, the message is "Skip image verification", or "Skip image signing". "Signing" is intended for `docker push` / `docker plugin push`. During the migration to Cobra, this boolean got flipped for `docker push` (9640e3a4514f96a890310757a09fd77a3c70e931), causing `docker push` to show the incorrect flag description. This patch changes the flags to use the correct description for `docker push`, and `docker plugin push`. To prevent this confusion in future, the boolean argument is removed, and a `AddTrustSigningFlags()` function is added. Signed-off-by: Sebastiaan van Stijn <github@gone.nl> 2017-01-17 09:46:07 -05:00			`// AddTrustVerificationFlags adds content trust flags to the provided flagset`
			`func AddTrustVerificationFlags(fs *pflag.FlagSet) {`
			`trusted := getDefaultTrustState()`
			`fs.BoolVar(&untrusted, "disable-content-trust", !trusted, "Skip image verification")`
Convert 'docker run' to a cobra command and to use pflags Move container options into a struct so that tests should pass. Remove unused FlagSet arg from Parse Disable interspersed args on docker run Signed-off-by: Daniel Nephin <dnephin@docker.com> 2016-05-31 19:49:32 -04:00			`}`

fix flag descriptions for content-trust Commit ed13c3abfb242905ec012e8255dc6f26dcf122f6 added flags for Docker Content Trust. Depending on the `verify` boolean, the message is "Skip image verification", or "Skip image signing". "Signing" is intended for `docker push` / `docker plugin push`. During the migration to Cobra, this boolean got flipped for `docker push` (9640e3a4514f96a890310757a09fd77a3c70e931), causing `docker push` to show the incorrect flag description. This patch changes the flags to use the correct description for `docker push`, and `docker plugin push`. To prevent this confusion in future, the boolean argument is removed, and a `AddTrustSigningFlags()` function is added. Signed-off-by: Sebastiaan van Stijn <github@gone.nl> 2017-01-17 09:46:07 -05:00			`// AddTrustSigningFlags adds "signing" flags to the provided flagset`
			`func AddTrustSigningFlags(fs *pflag.FlagSet) {`
			`trusted := getDefaultTrustState()`
			`fs.BoolVar(&untrusted, "disable-content-trust", !trusted, "Skip image signing")`
			`}`

			`// getDefaultTrustState returns true if content trust is enabled through the $DOCKER_CONTENT_TRUST environment variable.`
			`func getDefaultTrustState() bool {`
Use notary library for trusted image fetch and signing Add a trusted flag to force the cli to resolve a tag into a digest via the notary trust library and pull by digest. On push the flag the trust flag will indicate the digest and size of a manifest should be signed and push to a notary server. If a tag is given, the cli will resolve the tag into a digest and pull by digest. After pulling, if a tag is given the cli makes a request to tag the image. Use certificate directory for notary requests Read certificates using same logic used by daemon for registry requests. Catch JSON syntax errors from Notary client When an uncaught error occurs in Notary it may show up in Docker as a JSON syntax error, causing a confusing error message to the user. Provide a generic error when a JSON syntax error occurs. Catch expiration errors and wrap in additional context. Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan) 2015-07-15 16:42:45 -04:00			`var trusted bool`
Rename to flags and environment variables to content trust Update help line to allow 90 characters instead of 80 The trust flag pushes out the help description column wider, requiring more room to display help messages. Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan) 2015-07-24 04:59:42 -04:00			`if e := os.Getenv("DOCKER_CONTENT_TRUST"); e != "" {`
Use notary library for trusted image fetch and signing Add a trusted flag to force the cli to resolve a tag into a digest via the notary trust library and pull by digest. On push the flag the trust flag will indicate the digest and size of a manifest should be signed and push to a notary server. If a tag is given, the cli will resolve the tag into a digest and pull by digest. After pulling, if a tag is given the cli makes a request to tag the image. Use certificate directory for notary requests Read certificates using same logic used by daemon for registry requests. Catch JSON syntax errors from Notary client When an uncaught error occurs in Notary it may show up in Docker as a JSON syntax error, causing a confusing error message to the user. Provide a generic error when a JSON syntax error occurs. Catch expiration errors and wrap in additional context. Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan) 2015-07-15 16:42:45 -04:00			`if t, err := strconv.ParseBool(e); t \|\| err != nil {`
			`// treat any other value as true`
			`trusted = true`
			`}`
			`}`
fix flag descriptions for content-trust Commit ed13c3abfb242905ec012e8255dc6f26dcf122f6 added flags for Docker Content Trust. Depending on the `verify` boolean, the message is "Skip image verification", or "Skip image signing". "Signing" is intended for `docker push` / `docker plugin push`. During the migration to Cobra, this boolean got flipped for `docker push` (9640e3a4514f96a890310757a09fd77a3c70e931), causing `docker push` to show the incorrect flag description. This patch changes the flags to use the correct description for `docker push`, and `docker plugin push`. To prevent this confusion in future, the boolean argument is removed, and a `AddTrustSigningFlags()` function is added. Signed-off-by: Sebastiaan van Stijn <github@gone.nl> 2017-01-17 09:46:07 -05:00			`return trusted`
Use notary library for trusted image fetch and signing Add a trusted flag to force the cli to resolve a tag into a digest via the notary trust library and pull by digest. On push the flag the trust flag will indicate the digest and size of a manifest should be signed and push to a notary server. If a tag is given, the cli will resolve the tag into a digest and pull by digest. After pulling, if a tag is given the cli makes a request to tag the image. Use certificate directory for notary requests Read certificates using same logic used by daemon for registry requests. Catch JSON syntax errors from Notary client When an uncaught error occurs in Notary it may show up in Docker as a JSON syntax error, causing a confusing error message to the user. Provide a generic error when a JSON syntax error occurs. Catch expiration errors and wrap in additional context. Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan) 2015-07-15 16:42:45 -04:00			`}`

fix flag descriptions for content-trust Commit ed13c3abfb242905ec012e8255dc6f26dcf122f6 added flags for Docker Content Trust. Depending on the `verify` boolean, the message is "Skip image verification", or "Skip image signing". "Signing" is intended for `docker push` / `docker plugin push`. During the migration to Cobra, this boolean got flipped for `docker push` (9640e3a4514f96a890310757a09fd77a3c70e931), causing `docker push` to show the incorrect flag description. This patch changes the flags to use the correct description for `docker push`, and `docker plugin push`. To prevent this confusion in future, the boolean argument is removed, and a `AddTrustSigningFlags()` function is added. Signed-off-by: Sebastiaan van Stijn <github@gone.nl> 2017-01-17 09:46:07 -05:00			`// IsTrusted returns true if content trust is enabled, either through the $DOCKER_CONTENT_TRUST environment variable,`
			// or through `--disabled-content-trust=false` on a command.
Convert 'docker create' to use cobra and pflag Return the correct status code on flag parsins errors. Signed-off-by: Daniel Nephin <dnephin@docker.com> 2016-06-01 01:19:13 -04:00			`func IsTrusted() bool {`
Use notary library for trusted image fetch and signing Add a trusted flag to force the cli to resolve a tag into a digest via the notary trust library and pull by digest. On push the flag the trust flag will indicate the digest and size of a manifest should be signed and push to a notary server. If a tag is given, the cli will resolve the tag into a digest and pull by digest. After pulling, if a tag is given the cli makes a request to tag the image. Use certificate directory for notary requests Read certificates using same logic used by daemon for registry requests. Catch JSON syntax errors from Notary client When an uncaught error occurs in Notary it may show up in Docker as a JSON syntax error, causing a confusing error message to the user. Provide a generic error when a JSON syntax error occurs. Catch expiration errors and wrap in additional context. Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan) 2015-07-15 16:42:45 -04:00			`return !untrusted`
			`}`