Add notary integration to `docker build`

The Dockerfile is rewritten with images references on FROM
instructions resolved to trusted digests. The rewritten Dockerfile
is swapped with the original one during context upload.

Docker-DCO-1.1-Signed-off-by: Josh Hawn <josh.hawn@docker.com> (github: jlhawn)

api/client/build.go

@@ -1,6 +1,7 @@
 package client
 
 import (
+	"archive/tar"
 	"bufio"
 	"encoding/base64"
 	"encoding/json"
@@ -13,6 +14,7 @@ import (
 	"os/exec"
 	"path"
 	"path/filepath"
+	"regexp"
 	"runtime"
 	"strconv"
 	"strings"
@@ -112,6 +114,14 @@ func (cli *DockerCli) CmdBuild(args ...string) error {
 		contextDir = tempDir
 	}
 
+	// Resolve the FROM lines in the Dockerfile to trusted digest references
+	// using Notary.
+	newDockerfile, err := rewriteDockerfileFrom(filepath.Join(contextDir, relDockerfile), cli.trustedReference)
+	if err != nil {
+		return fmt.Errorf("unable to process Dockerfile: %v", err)
+	}
+	defer newDockerfile.Close()
+
 	// And canonicalize dockerfile name to a platform-independent one
 	relDockerfile, err = archive.CanonicalTarNameForPath(relDockerfile)
 	if err != nil {
@@ -142,14 +152,19 @@ func (cli *DockerCli) CmdBuild(args ...string) error {
 		includes = append(includes, ".dockerignore", relDockerfile)
 	}
 
-	if context, err = archive.TarWithOptions(contextDir, &archive.TarOptions{
+	context, err = archive.TarWithOptions(contextDir, &archive.TarOptions{
 		Compression:     archive.Uncompressed,
 		ExcludePatterns: excludes,
 		IncludeFiles:    includes,
-	}); err != nil {
+	})
+	if err != nil {
 		return err
 	}
 
+	// Wrap the tar archive to replace the Dockerfile entry with the rewritten
+	// Dockerfile which uses trusted pulls.
+	context = replaceDockerfileTarWrapper(context, newDockerfile, relDockerfile)
+
 	// Setup an upload progress bar
 	// FIXME: ProgressReader shouldn't be this annoying to use
 	sf := streamformatter.NewStreamFormatter()
@@ -439,3 +454,133 @@ func getContextFromLocalDir(localDir, dockerfileName string) (absContextDir, rel
 
 	return getDockerfileRelPath(localDir, dockerfileName)
 }
+
+var dockerfileFromLinePattern = regexp.MustCompile(`(?i)^[\s]*FROM[ \f\r\t\v]+(?P<image>[^ \f\r\t\v\n#]+)`)
+
+type trustedDockerfile struct {
+	*os.File
+	size int64
+}
+
+func (td *trustedDockerfile) Close() error {
+	td.File.Close()
+	return os.Remove(td.File.Name())
+}
+
+// rewriteDockerfileFrom rewrites the given Dockerfile by resolving images in
+// "FROM <image>" instructions to a digest reference. `translator` is a
+// function that takes a repository name and tag reference and returns a
+// trusted digest reference.
+func rewriteDockerfileFrom(dockerfileName string, translator func(string, registry.Reference) (registry.Reference, error)) (newDockerfile *trustedDockerfile, err error) {
+	dockerfile, err := os.Open(dockerfileName)
+	if err != nil {
+		return nil, fmt.Errorf("unable to open Dockerfile: %v", err)
+	}
+	defer dockerfile.Close()
+
+	scanner := bufio.NewScanner(dockerfile)
+
+	// Make a tempfile to store the rewritten Dockerfile.
+	tempFile, err := ioutil.TempFile("", "trusted-dockerfile-")
+	if err != nil {
+		return nil, fmt.Errorf("unable to make temporary trusted Dockerfile: %v", err)
+	}
+
+	trustedFile := &trustedDockerfile{
+		File: tempFile,
+	}
+
+	defer func() {
+		if err != nil {
+			// Close the tempfile if there was an error during Notary lookups.
+			// Otherwise the caller should close it.
+			trustedFile.Close()
+		}
+	}()
+
+	// Scan the lines of the Dockerfile, looking for a "FROM" line.
+	for scanner.Scan() {
+		line := scanner.Text()
+
+		matches := dockerfileFromLinePattern.FindStringSubmatch(line)
+		if matches != nil && matches[1] != "scratch" {
+			// Replace the line with a resolved "FROM repo@digest"
+			repo, tag := parsers.ParseRepositoryTag(matches[1])
+			if tag == "" {
+				tag = tags.DEFAULTTAG
+			}
+			ref := registry.ParseReference(tag)
+
+			if !ref.HasDigest() && isTrusted() {
+				trustedRef, err := translator(repo, ref)
+				if err != nil {
+					return nil, err
+				}
+
+				line = dockerfileFromLinePattern.ReplaceAllLiteralString(line, fmt.Sprintf("FROM %s", trustedRef.ImageName(repo)))
+			}
+		}
+
+		n, err := fmt.Fprintln(tempFile, line)
+		if err != nil {
+			return nil, err
+		}
+
+		trustedFile.size += int64(n)
+	}
+
+	tempFile.Seek(0, os.SEEK_SET)
+
+	return trustedFile, scanner.Err()
+}
+
+// replaceDockerfileTarWrapper wraps the given input tar archive stream and
+// replaces the entry with the given Dockerfile name with the contents of the
+// new Dockerfile. Returns a new tar archive stream with the replaced
+// Dockerfile.
+func replaceDockerfileTarWrapper(inputTarStream io.ReadCloser, newDockerfile *trustedDockerfile, dockerfileName string) io.ReadCloser {
+	pipeReader, pipeWriter := io.Pipe()
+
+	go func() {
+		tarReader := tar.NewReader(inputTarStream)
+		tarWriter := tar.NewWriter(pipeWriter)
+
+		defer inputTarStream.Close()
+
+		for {
+			hdr, err := tarReader.Next()
+			if err == io.EOF {
+				// Signals end of archive.
+				tarWriter.Close()
+				pipeWriter.Close()
+				return
+			}
+			if err != nil {
+				pipeWriter.CloseWithError(err)
+				return
+			}
+
+			var content io.Reader = tarReader
+
+			if hdr.Name == dockerfileName {
+				// This entry is the Dockerfile. Since the tar archive was
+				// generated from a directory on the local filesystem, the
+				// Dockerfile will only appear once in the archive.
+				hdr.Size = newDockerfile.size
+				content = newDockerfile
+			}
+
+			if err := tarWriter.WriteHeader(hdr); err != nil {
+				pipeWriter.CloseWithError(err)
+				return
+			}
+
+			if _, err := io.Copy(tarWriter, content); err != nil {
+				pipeWriter.CloseWithError(err)
+				return
+			}
+		}
+	}()
+
+	return pipeReader
+}