docker
diff --git a/‎cli/command/container/create_test.go‎
Lines changed: 47 additions & 0 deletions b/‎cli/command/container/create_test.go‎
Lines changed: 47 additions & 0 deletions
diff --git a/‎cli/command/container/run_test.go‎
Lines changed: 48 additions & 0 deletions b/‎cli/command/container/run_test.go‎
Lines changed: 48 additions & 0 deletions
diff --git a/‎cli/command/image/build_linux_test.go‎
Lines changed: 1 addition & 0 deletions b/‎cli/command/image/build_linux_test.go‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎cli/command/image/build_test.go‎
Lines changed: 2 additions & 0 deletions b/‎cli/command/image/build_test.go‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎cli/command/image/pull.go‎
Lines changed: 1 addition & 1 deletion b/‎cli/command/image/pull.go‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎cli/command/image/pull_test.go‎
Lines changed: 1 addition & 1 deletion b/‎cli/command/image/pull_test.go‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎cli/command/image/trust.go‎
Lines changed: 5 additions & 16 deletions b/‎cli/command/image/trust.go‎
Lines changed: 5 additions & 16 deletions
diff --git a/‎cli/command/trust/common.go‎
Lines changed: 1 addition & 1 deletion b/‎cli/command/trust/common.go‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎cli/command/trust/revoke.go‎
Lines changed: 1 addition & 1 deletion b/‎cli/command/trust/revoke.go‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎cli/command/trust/sign.go‎
Lines changed: 1 addition & 1 deletion b/‎cli/command/trust/sign.go‎
Lines changed: 1 addition & 1 deletion
@@ -2,6 +2,7 @@ package container
 
 import (
 	"context"
+	"fmt"
 	"io"
 	"io/ioutil"
 	"os"
@@ -10,6 +11,7 @@ import (
 	"testing"
 
 	"github.com/docker/cli/internal/test"
+	"github.com/docker/cli/internal/test/notary"
 	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/api/types/container"
 	"github.com/docker/docker/api/types/network"
@@ -119,6 +121,51 @@ func TestCreateContainerPullsImageIfMissing(t *testing.T) {
 	assert.Check(t, is.Contains(stderr, "Unable to find image 'does-not-exist-locally:latest' locally"))
 }
 
+func TestNewCreateCommandWithContentTrustErrors(t *testing.T) {
+	testCases := []struct {
+		name          string
+		args          []string
+		expectedError string
+		notaryFunc    test.NotaryClientFuncType
+	}{
+		{
+			name:          "offline-notary-server",
+			notaryFunc:    notary.GetOfflineNotaryRepository,
+			expectedError: "client is offline",
+			args:          []string{"image:tag"},
+		},
+		{
+			name:          "uninitialized-notary-server",
+			notaryFunc:    notary.GetUninitializedNotaryRepository,
+			expectedError: "remote trust data does not exist",
+			args:          []string{"image:tag"},
+		},
+		{
+			name:          "empty-notary-server",
+			notaryFunc:    notary.GetEmptyTargetsNotaryRepository,
+			expectedError: "No valid trust data for tag",
+			args:          []string{"image:tag"},
+		},
+	}
+	for _, tc := range testCases {
+		cli := test.NewFakeCli(&fakeClient{
+			createContainerFunc: func(config *container.Config,
+				hostConfig *container.HostConfig,
+				networkingConfig *network.NetworkingConfig,
+				containerName string,
+			) (container.ContainerCreateCreatedBody, error) {
+				return container.ContainerCreateCreatedBody{}, fmt.Errorf("shouldn't try to pull image")
+			},
+		}, test.EnableContentTrust)
+		cli.SetNotaryClient(tc.notaryFunc)
+		cmd := NewCreateCommand(cli)
+		cmd.SetOutput(ioutil.Discard)
+		cmd.SetArgs(tc.args)
+		err := cmd.Execute()
+		assert.ErrorContains(t, err, tc.expectedError)
+	}
+}
+
 type fakeNotFound struct{}
 
 func (f fakeNotFound) NotFound() bool { return true }
 
@@ -1,12 +1,15 @@
 package container
 
 import (
+	"fmt"
 	"testing"
 
 	"github.com/docker/cli/internal/test"
+	"github.com/docker/cli/internal/test/notary"
 	"github.com/docker/docker/api/types/container"
 	"github.com/docker/docker/api/types/network"
 	"github.com/gotestyourself/gotestyourself/assert"
+	is "github.com/gotestyourself/gotestyourself/assert/cmp"
 )
 
 func TestRunLabel(t *testing.T) {
@@ -23,3 +26,48 @@ func TestRunLabel(t *testing.T) {
 	cmd.SetArgs([]string{"--label", "foo", "busybox"})
 	assert.NilError(t, cmd.Execute())
 }
+
+func TestRunCommandWithContentTrustErrors(t *testing.T) {
+	testCases := []struct {
+		name          string
+		args          []string
+		expectedError string
+		notaryFunc    test.NotaryClientFuncType
+	}{
+		{
+			name:          "offline-notary-server",
+			notaryFunc:    notary.GetOfflineNotaryRepository,
+			expectedError: "client is offline",
+			args:          []string{"image:tag"},
+		},
+		{
+			name:          "uninitialized-notary-server",
+			notaryFunc:    notary.GetUninitializedNotaryRepository,
+			expectedError: "remote trust data does not exist",
+			args:          []string{"image:tag"},
+		},
+		{
+			name:          "empty-notary-server",
+			notaryFunc:    notary.GetEmptyTargetsNotaryRepository,
+			expectedError: "No valid trust data for tag",
+			args:          []string{"image:tag"},
+		},
+	}
+	for _, tc := range testCases {
+		cli := test.NewFakeCli(&fakeClient{
+			createContainerFunc: func(config *container.Config,
+				hostConfig *container.HostConfig,
+				networkingConfig *network.NetworkingConfig,
+				containerName string,
+			) (container.ContainerCreateCreatedBody, error) {
+				return container.ContainerCreateCreatedBody{}, fmt.Errorf("shouldn't try to pull image")
+			},
+		}, test.EnableContentTrust)
+		cli.SetNotaryClient(tc.notaryFunc)
+		cmd := NewRunCommand(cli)
+		cmd.SetArgs(tc.args)
+		err := cmd.Execute()
+		assert.Assert(t, err != nil)
+		assert.Assert(t, is.Contains(cli.ErrBuffer().String(), tc.expectedError))
+	}
+}
@@ -41,6 +41,7 @@ func TestRunBuildResetsUidAndGidInContext(t *testing.T) {
 
 	options := newBuildOptions()
 	options.context = dir.Path()
+	options.untrusted = true
 
 	err := runBuild(cli, options)
 	assert.NilError(t, err)
 
@@ -57,6 +57,7 @@ func TestRunBuildDockerfileFromStdinWithCompress(t *testing.T) {
 	options.compress = true
 	options.dockerfileName = "-"
 	options.context = dir
+	options.untrusted = true
 
 	err = runBuild(cli, options)
 	assert.NilError(t, err)
@@ -191,6 +192,7 @@ RUN echo hello world
 	cli := test.NewFakeCli(&fakeClient{imageBuildFunc: fakeImageBuild})
 	options := newBuildOptions()
 	options.context = tmpDir.Join("context-link")
+	options.untrusted = true
 	assert.NilError(t, runBuild(cli, options))
 
 	assert.DeepEqual(t, files, []string{"Dockerfile"})
 
@@ -59,7 +59,7 @@ func runPull(cli command.Cli, opts pullOptions) error {
 	}
 
 	ctx := context.Background()
-	imgRefAndAuth, err := trust.GetImageReferencesAndAuth(ctx, AuthResolver(cli), distributionRef.String())
+	imgRefAndAuth, err := trust.GetImageReferencesAndAuth(ctx, nil, AuthResolver(cli), distributionRef.String())
 	if err != nil {
 		return err
 	}
 
@@ -93,7 +93,7 @@ func TestNewPullCommandWithContentTrustErrors(t *testing.T) {
 			args:          []string{"image:tag"},
 		},
 		{
-			name:          "empty-notary-server",
+			name:          "uninitialized-notary-server",
 			notaryFunc:    notary.GetUninitializedNotaryRepository,
 			expectedError: "remote trust data does not exist",
 			args:          []string{"image:tag"},
 
@@ -198,7 +198,7 @@ func trustedPull(ctx context.Context, cli command.Cli, imgRefAndAuth trust.Image
 		if err != nil {
 			return err
 		}
-		updatedImgRefAndAuth, err := trust.GetImageReferencesAndAuth(ctx, AuthResolver(cli), trustedRef.String())
+		updatedImgRefAndAuth, err := trust.GetImageReferencesAndAuth(ctx, nil, AuthResolver(cli), trustedRef.String())
 		if err != nil {
 			return err
 		}
@@ -293,35 +293,24 @@ func imagePullPrivileged(ctx context.Context, cli command.Cli, imgRefAndAuth tru
 
 // TrustedReference returns the canonical trusted reference for an image reference
 func TrustedReference(ctx context.Context, cli command.Cli, ref reference.NamedTagged, rs registry.Service) (reference.Canonical, error) {
-	var (
-		repoInfo *registry.RepositoryInfo
-		err      error
-	)
-	if rs != nil {
-		repoInfo, err = rs.ResolveRepository(ref)
-	} else {
-		repoInfo, err = registry.ParseRepositoryInfo(ref)
-	}
+	imgRefAndAuth, err := trust.GetImageReferencesAndAuth(ctx, rs, AuthResolver(cli), ref.String())
 	if err != nil {
 		return nil, err
 	}
 
-	// Resolve the Auth config relevant for this server
-	authConfig := command.ResolveAuthConfig(ctx, cli, repoInfo.Index)
-
-	notaryRepo, err := trust.GetNotaryRepository(cli.In(), cli.Out(), command.UserAgent(), repoInfo, &authConfig, "pull")
+	notaryRepo, err := cli.NotaryClient(imgRefAndAuth, []string{"pull"})
 	if err != nil {
 		return nil, errors.Wrap(err, "error establishing connection to trust repository")
 	}
 
 	t, err := notaryRepo.GetTargetByName(ref.Tag(), trust.ReleasesRole, data.CanonicalTargetsRole)
 	if err != nil {
-		return nil, trust.NotaryError(repoInfo.Name.Name(), err)
+		return nil, trust.NotaryError(imgRefAndAuth.RepoInfo().Name.Name(), err)
 	}
 	// Only list tags in the top level targets role or the releases delegation role - ignore
 	// all other delegation roles
 	if t.Role != trust.ReleasesRole && t.Role != data.CanonicalTargetsRole {
-		return nil, trust.NotaryError(repoInfo.Name.Name(), client.ErrNoSuchTarget(ref.Tag()))
+		return nil, trust.NotaryError(imgRefAndAuth.RepoInfo().Name.Name(), client.ErrNoSuchTarget(ref.Tag()))
 	}
 	r, err := convertTarget(t.Target)
 	if err != nil {
 
@@ -66,7 +66,7 @@ type trustKey struct {
 // This information is to be pretty printed or serialized into a machine-readable format.
 func lookupTrustInfo(cli command.Cli, remote string) (trustTagRowList, []client.RoleWithSignatures, []data.Role, error) {
 	ctx := context.Background()
-	imgRefAndAuth, err := trust.GetImageReferencesAndAuth(ctx, image.AuthResolver(cli), remote)
+	imgRefAndAuth, err := trust.GetImageReferencesAndAuth(ctx, nil, image.AuthResolver(cli), remote)
 	if err != nil {
 		return trustTagRowList{}, []client.RoleWithSignatures{}, []data.Role{}, err
 	}
 
@@ -36,7 +36,7 @@ func newRevokeCommand(dockerCli command.Cli) *cobra.Command {
 
 func revokeTrust(cli command.Cli, remote string, options revokeOptions) error {
 	ctx := context.Background()
-	imgRefAndAuth, err := trust.GetImageReferencesAndAuth(ctx, image.AuthResolver(cli), remote)
+	imgRefAndAuth, err := trust.GetImageReferencesAndAuth(ctx, nil, image.AuthResolver(cli), remote)
 	if err != nil {
 		return err
 	}
 
@@ -42,7 +42,7 @@ func newSignCommand(dockerCli command.Cli) *cobra.Command {
 func runSignImage(cli command.Cli, options signOptions) error {
 	imageName := options.imageName
 	ctx := context.Background()
-	imgRefAndAuth, err := trust.GetImageReferencesAndAuth(ctx, image.AuthResolver(cli), imageName)
+	imgRefAndAuth, err := trust.GetImageReferencesAndAuth(ctx, nil, image.AuthResolver(cli), imageName)
 	if err != nil {
 		return err
 	}
Original file line number	Diff line number	Diff line change
`@@ -59,7 +59,7 @@ func runPull(cli command.Cli, opts pullOptions) error {`
`59`	`59`	`}`
`60`	`60`
`61`	`61`	`ctx := context.Background()`
`62`		`- imgRefAndAuth, err := trust.GetImageReferencesAndAuth(ctx, AuthResolver(cli), distributionRef.String())`
	`62`	`+ imgRefAndAuth, err := trust.GetImageReferencesAndAuth(ctx, nil, AuthResolver(cli), distributionRef.String())`
`63`	`63`	`if err != nil {`
`64`	`64`	`return err`
`65`	`65`	`}`
Original file line number	Diff line number	Diff line change
`@@ -93,7 +93,7 @@ func TestNewPullCommandWithContentTrustErrors(t *testing.T) {`
`93`	`93`	`args: []string{"image:tag"},`
`94`	`94`	`},`
`95`	`95`	`{`
`96`		`- name: "empty-notary-server",`
	`96`	`+ name: "uninitialized-notary-server",`
`97`	`97`	`notaryFunc: notary.GetUninitializedNotaryRepository,`
`98`	`98`	`expectedError: "remote trust data does not exist",`
`99`	`99`	`args: []string{"image:tag"},`
Original file line number	Diff line number	Diff line change
`@@ -66,7 +66,7 @@ type trustKey struct {`
`66`	`66`	`// This information is to be pretty printed or serialized into a machine-readable format.`
`67`	`67`	`func lookupTrustInfo(cli command.Cli, remote string) (trustTagRowList, []client.RoleWithSignatures, []data.Role, error) {`
`68`	`68`	`ctx := context.Background()`
`69`		`- imgRefAndAuth, err := trust.GetImageReferencesAndAuth(ctx, image.AuthResolver(cli), remote)`
	`69`	`+ imgRefAndAuth, err := trust.GetImageReferencesAndAuth(ctx, nil, image.AuthResolver(cli), remote)`
`70`	`70`	`if err != nil {`
`71`	`71`	`return trustTagRowList{}, []client.RoleWithSignatures{}, []data.Role{}, err`
`72`	`72`	`}`
Original file line number	Diff line number	Diff line change
`@@ -36,7 +36,7 @@ func newRevokeCommand(dockerCli command.Cli) *cobra.Command {`
`36`	`36`
`37`	`37`	`func revokeTrust(cli command.Cli, remote string, options revokeOptions) error {`
`38`	`38`	`ctx := context.Background()`
`39`		`- imgRefAndAuth, err := trust.GetImageReferencesAndAuth(ctx, image.AuthResolver(cli), remote)`
	`39`	`+ imgRefAndAuth, err := trust.GetImageReferencesAndAuth(ctx, nil, image.AuthResolver(cli), remote)`
`40`	`40`	`if err != nil {`
`41`	`41`	`return err`
`42`	`42`	`}`
Original file line number	Diff line number	Diff line change
`@@ -42,7 +42,7 @@ func newSignCommand(dockerCli command.Cli) *cobra.Command {`
`42`	`42`	`func runSignImage(cli command.Cli, options signOptions) error {`
`43`	`43`	`imageName := options.imageName`
`44`	`44`	`ctx := context.Background()`
`45`		`- imgRefAndAuth, err := trust.GetImageReferencesAndAuth(ctx, image.AuthResolver(cli), imageName)`
	`45`	`+ imgRefAndAuth, err := trust.GetImageReferencesAndAuth(ctx, nil, image.AuthResolver(cli), imageName)`
`46`	`46`	`if err != nil {`
`47`	`47`	`return err`
`48`	`48`	`}`