trust sign: add --local flag #575
Conversation
eiais
requested review from
mdlinville,
thaJeztah and
vdemeester
as code owners
Codecov Report
@@ Coverage Diff @@
## master #575 +/- ##
==========================================
- Coverage 50.09% 49.43% -0.67%
==========================================
Files 216 208 -8
Lines 17696 17170 -526
==========================================
- Hits 8865 8488 -377
+ Misses 8387 8249 -138
+ Partials 444 433 -11 |
| @@ -16,10 +16,14 @@ keywords: "sign, notary, trust" | |||
| # trust sign | |||
|
|
|||
| ```markdown | |||
| Usage: docker trust sign IMAGE:TAG | |||
| Usage: docker trust sign [OPTIONS] IMAGE:TAG | |||
There was a problem hiding this comment.
I think @riyazdf pulled [OPTIONS] out of a bunch of the other commands. Is it OK here?
There was a problem hiding this comment.
Yes, we pulled it out because they didn't have options yet. This one now does.
cli/command/trust/sign_test.go
Outdated
| @@ -295,3 +295,13 @@ func TestSignCommandChangeListIsCleanedOnError(t *testing.T) { | |||
| require.NoError(t, err) | |||
| assert.Equal(t, len(cl.List()), 0) | |||
| } | |||
|
|
|||
| func TestLocalFlag(t *testing.T) { | |||
There was a problem hiding this comment.
@eiais Not sure I clearly understand that test 🤔
Shouldn't we also test the happy path (i.e. "Signing and pushing trust data for local image" […]).
|
I also left a similar proposal in the original PR: #472 (review)
An alternative could be to have a |
|
@thaJeztah: yup - this is a followup PR that addresses your feedback, though in a slightly different fashion. In the context of docker, it doesn't really make sense to have a signature without a pushed image - so we've deliberately made the workflows such that if you sign an image there should always be an associated image in the registry unless you manually delete images in the registry or the signatures with notary. Taking this into account on This PR adds a |
cli/command/trust/sign.go
Outdated
| cmd := &cobra.Command{ | ||
| Use: "sign IMAGE:TAG", | ||
| Short: "Sign an image", | ||
| Args: cli.ExactArgs(1), | ||
| RunE: func(cmd *cobra.Command, args []string) error { | ||
| return runSignImage(dockerCli, args[0]) | ||
| return signImage(dockerCli, args[0], options) |
There was a problem hiding this comment.
Small thing, but would you mind making the args[0] part of options struct by adding an imageName field? We do this for most commands.
cli/command/trust/sign_test.go
Outdated
| @@ -295,3 +295,13 @@ func TestSignCommandChangeListIsCleanedOnError(t *testing.T) { | |||
| require.NoError(t, err) | |||
| assert.Equal(t, len(cl.List()), 0) | |||
| } | |||
|
|
|||
| func TestLocalFlag(t *testing.T) { | |||
There was a problem hiding this comment.
The test name should reflect the function that is being tested, so the name should be something like TestSignCommandLocalFlag
cli/command/trust/sign.go
Outdated
| return cmd | ||
| } | ||
|
|
||
| func runSignImage(cli command.Cli, imageName string) error { | ||
| func signImage(cli command.Cli, imageName string, options signOptions) error { |
There was a problem hiding this comment.
I think this should be runSignImage() (or runSign would be fine too). This is another convention we use in the cli. The run prefix refers to the fact this is the function called for RunE of the Command.
cli/command/trust/sign.go
Outdated
| }, | ||
| } | ||
| flags := cmd.Flags() | ||
| flags.BoolVarP(&options.local, "local", "l", false, "Sign a locally tagged image") |
There was a problem hiding this comment.
Can you remove the shorthand -l for now? Trying to be a bit conservative adding shorthands, unless a) frequently used, and b) we know it's not going to conflict with a possibly more-frequently-used option.
It's easier to add them later then removing/deprecating
|
|
||
| Sign an image | ||
|
|
||
| Options: | ||
| --help print usage | ||
| -l, --local force the signing of a local image |
There was a problem hiding this comment.
-l should be removed here as well
| cmd := newSignCommand(cli) | ||
| cmd.SetArgs([]string{"--local", "reg-name.io/image:red"}) | ||
| cmd.SetOutput(ioutil.Discard) | ||
| testutil.ErrorContains(t, cmd.Execute(), "error during connect: Get /images/reg-name.io/image:red/json: unsupported protocol scheme") |
There was a problem hiding this comment.
This seems like a strange expectation for a test case. Can't this use the notary fakes we have in client_test.go to make it a success case?
cli/command/trust/sign.go
Outdated
| // Fail fast if the image doesn't exist locally | ||
| if err := checkLocalImageExistence(ctx, cli, imageName); err != nil { | ||
| return err | ||
| } | ||
| fmt.Fprintf(cli.Out(), "Signing and pushing trust data for local image %s, may overwrite remote trust data\n", imageName) |
There was a problem hiding this comment.
This should use cli.Err() instead of cli.Out(). This message is informational (like logging), it's not part of "normal program output" (what the user asked for by running the command).
cli/command/trust/sign.go
Outdated
| cmd := &cobra.Command{ | ||
| Use: "sign IMAGE:TAG", | ||
| Short: "Sign an image", | ||
| Args: cli.ExactArgs(1), | ||
| RunE: func(cmd *cobra.Command, args []string) error { | ||
| return runSignImage(dockerCli, args[0]) | ||
| return runSignImage(dockerCli, args[0], options) |
There was a problem hiding this comment.
Minor: now that we have an options struct, the imageName can be passed as part of that struct, instead of a separate parameter. Not super important at this point since there is only a single arg, but it would be more consistent.
cli/command/trust/sign.go
Outdated
| }, | ||
| } | ||
| flags := cmd.Flags() | ||
| flags.BoolVarP(&options.local, "local", "", false, "Sign a locally tagged image") |
There was a problem hiding this comment.
I guess this should also use flags.BoolVar() now that it doesn't have a shorthand flag.
|
Linting failure, @eiais |
Signed-off-by: Kyle Spiers <kyle@spiers.me>
The --local flag will force the signing of a local image.
cc @riyazdf @ashfall
Signed-off-by: Kyle Spiers kyle@spiers.me