podman-remote does not support signature-policy

Fixes: https://github.com/containers/podman/issues/12357 Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2021-11-18 20:47:33 -05:00 · 2021-11-18 20:47:33 -05:00 · 21629b0501
parent 2755d0255c
commit 21629b0501
12 changed files with 69 additions and 32 deletions
--- a/cmd/podman/common/create.go
+++ b/cmd/podman/common/create.go
@ -551,11 +551,6 @@ func DefineCreateFlags(cmd *cobra.Command, cf *entities.ContainerCreateOptions,
 		_ = cmd.RegisterFlagCompletionFunc(shmSizeFlagName, completion.AutocompleteNone)

 		stopSignalFlagName := "stop-signal"
-		createFlags.StringVar(
-			&cf.SignaturePolicy,
-			"signature-policy", "",
-			"`Pathname` of signature policy file (not usually used)",
-		)
 		createFlags.StringVar(
 			&cf.StopSignal,
 			stopSignalFlagName, "",
@ -702,10 +697,16 @@ func DefineCreateFlags(cmd *cobra.Command, cf *entities.ContainerCreateOptions,
 			"Write the container process ID to the file")
 		_ = cmd.RegisterFlagCompletionFunc(pidFileFlagName, completion.AutocompleteDefault)

-		_ = createFlags.MarkHidden("signature-policy")
 		if registry.IsRemote() {
 			_ = createFlags.MarkHidden("env-host")
 			_ = createFlags.MarkHidden("http-proxy")
+		} else {
+			createFlags.StringVar(
+				&cf.SignaturePolicy,
+				"signature-policy", "",
+				"`Pathname` of signature policy file (not usually used)",
+			)
+			_ = createFlags.MarkHidden("signature-policy")
 		}

 		createFlags.BoolVar(
--- a/cmd/podman/containers/runlabel.go
+++ b/cmd/podman/containers/runlabel.go
@ -70,7 +70,6 @@ func init() {
 	flags.BoolVarP(&runlabelOptions.Pull, "pull", "p", true, "Pull the image if it does not exist locally prior to executing the label contents")
 	flags.BoolVarP(&runlabelOptions.Quiet, "quiet", "q", false, "Suppress output information when installing images")
 	flags.BoolVar(&runlabelOptions.Replace, "replace", false, "Replace existing container with a new one from the image")
-	flags.StringVar(&runlabelOptions.SignaturePolicy, "signature-policy", "", "`Pathname` of signature policy file (not usually used)")
 	flags.BoolVar(&runlabelOptions.TLSVerifyCLI, "tls-verify", true, "Require HTTPS and verify certificates when contacting registries")

 	// Hide the optional flags.
@ -78,8 +77,10 @@ func init() {
 	_ = flags.MarkHidden("opt2")
 	_ = flags.MarkHidden("opt3")
 	_ = flags.MarkHidden("pull")
-	_ = flags.MarkHidden("signature-policy")
-
+	if !registry.IsRemote() {
+		flags.StringVar(&runlabelOptions.SignaturePolicy, "signature-policy", "", "`Pathname` of signature policy file (not usually used)")
+		_ = flags.MarkHidden("signature-policy")
+	}
 	if err := flags.MarkDeprecated("pull", "podman will pull if not found in local storage"); err != nil {
 		logrus.Error("unable to mark pull flag deprecated")
 	}
--- a/cmd/podman/images/import.go
+++ b/cmd/podman/images/import.go
@ -77,8 +77,10 @@ func importFlags(cmd *cobra.Command) {
 	_ = cmd.RegisterFlagCompletionFunc(messageFlagName, completion.AutocompleteNone)

 	flags.BoolVarP(&importOpts.Quiet, "quiet", "q", false, "Suppress output")
-	flags.StringVar(&importOpts.SignaturePolicy, "signature-policy", "", "Path to a signature-policy file")
-	_ = flags.MarkHidden("signature-policy")
+	if !registry.IsRemote() {
+		flags.StringVar(&importOpts.SignaturePolicy, "signature-policy", "", "Path to a signature-policy file")
+		_ = flags.MarkHidden("signature-policy")
+	}
 }

 func importCon(cmd *cobra.Command, args []string) error {
--- a/cmd/podman/images/load.go
+++ b/cmd/podman/images/load.go
@ -64,8 +64,10 @@ func loadFlags(cmd *cobra.Command) {
 	_ = cmd.RegisterFlagCompletionFunc(inputFlagName, completion.AutocompleteDefault)

 	flags.BoolVarP(&loadOpts.Quiet, "quiet", "q", false, "Suppress the output")
-	flags.StringVar(&loadOpts.SignaturePolicy, "signature-policy", "", "Pathname of signature policy file")
-	_ = flags.MarkHidden("signature-policy")
+	if !registry.IsRemote() {
+		flags.StringVar(&loadOpts.SignaturePolicy, "signature-policy", "", "Pathname of signature policy file")
+		_ = flags.MarkHidden("signature-policy")
+	}
 }

 func load(cmd *cobra.Command, args []string) error {
--- a/cmd/podman/images/pull.go
+++ b/cmd/podman/images/pull.go
@ -101,7 +101,6 @@ func pullFlags(cmd *cobra.Command) {

 	flags.Bool("disable-content-trust", false, "This is a Docker specific option and is a NOOP")
 	flags.BoolVarP(&pullOptions.Quiet, "quiet", "q", false, "Suppress output information when pulling images")
-	flags.StringVar(&pullOptions.SignaturePolicy, "signature-policy", "", "`Pathname` of signature policy file (not usually used)")
 	flags.BoolVar(&pullOptions.TLSVerifyCLI, "tls-verify", true, "Require HTTPS and verify certificates when contacting registries")

 	authfileFlagName := "authfile"
@ -113,7 +112,10 @@ func pullFlags(cmd *cobra.Command) {
 		flags.StringVar(&pullOptions.CertDir, certDirFlagName, "", "`Pathname` of a directory containing TLS certificates and keys")
 		_ = cmd.RegisterFlagCompletionFunc(certDirFlagName, completion.AutocompleteDefault)
 	}
-	_ = flags.MarkHidden("signature-policy")
+	if !registry.IsRemote() {
+		flags.StringVar(&pullOptions.SignaturePolicy, "signature-policy", "", "`Pathname` of signature policy file (not usually used)")
+		_ = flags.MarkHidden("signature-policy")
+	}
 }

 // imagePull is implement the command for pulling images.
--- a/cmd/podman/images/push.go
+++ b/cmd/podman/images/push.go
@ -101,7 +101,6 @@ func pushFlags(cmd *cobra.Command) {

 	flags.BoolVarP(&pushOptions.Quiet, "quiet", "q", false, "Suppress output information when pushing images")
 	flags.BoolVar(&pushOptions.RemoveSignatures, "remove-signatures", false, "Discard any pre-existing signatures in the image")
-	flags.StringVar(&pushOptions.SignaturePolicy, "signature-policy", "", "Path to a signature-policy file")

 	signByFlagName := "sign-by"
 	flags.StringVar(&pushOptions.SignBy, signByFlagName, "", "Add a signature at the destination using the specified key")
@ -117,7 +116,10 @@ func pushFlags(cmd *cobra.Command) {
 		_ = flags.MarkHidden("remove-signatures")
 		_ = flags.MarkHidden("sign-by")
 	}
-	_ = flags.MarkHidden("signature-policy")
+	if !registry.IsRemote() {
+		flags.StringVar(&pushOptions.SignaturePolicy, "signature-policy", "", "Path to a signature-policy file")
+		_ = flags.MarkHidden("signature-policy")
+	}
 }

 // imagePush is implement the command for pushing images.
--- a/cmd/podman/play/kube.go
+++ b/cmd/podman/play/kube.go
@ -108,8 +108,6 @@ func init() {
 		flags.StringVar(&kubeOptions.CertDir, certDirFlagName, "", "`Pathname` of a directory containing TLS certificates and keys")
 		_ = kubeCmd.RegisterFlagCompletionFunc(certDirFlagName, completion.AutocompleteDefault)

-		flags.StringVar(&kubeOptions.SignaturePolicy, "signature-policy", "", "`Pathname` of signature policy file (not usually used)")
-
 		seccompProfileRootFlagName := "seccomp-profile-root"
 		flags.StringVar(&kubeOptions.SeccompProfileRoot, seccompProfileRootFlagName, defaultSeccompRoot, "Directory path for seccomp profiles")
 		_ = kubeCmd.RegisterFlagCompletionFunc(seccompProfileRootFlagName, completion.AutocompleteDefault)
@ -121,7 +119,12 @@ func init() {
 		buildFlagName := "build"
 		flags.BoolVar(&kubeOptions.Build, buildFlagName, false, "Build all images in a YAML (given Containerfiles exist)")
 	}
-	_ = flags.MarkHidden("signature-policy")
+
+	if !registry.IsRemote() {
+		flags.StringVar(&kubeOptions.SignaturePolicy, "signature-policy", "", "`Pathname` of signature policy file (not usually used)")
+
+		_ = flags.MarkHidden("signature-policy")
+	}
 }

 func kube(cmd *cobra.Command, args []string) error {
--- a/test/e2e/create_test.go
+++ b/test/e2e/create_test.go
@ -363,14 +363,18 @@ var _ = Describe("Podman create", func() {
 	})

 	It("podman create --signature-policy", func() {
-		SkipIfRemote("SigPolicy not handled by remote")
 		session := podmanTest.Podman([]string{"create", "--pull=always", "--signature-policy", "/no/such/file", ALPINE})
 		session.WaitWithDefaultTimeout()
 		Expect(session).To(ExitWithError())

 		session = podmanTest.Podman([]string{"create", "--pull=always", "--signature-policy", "/etc/containers/policy.json", ALPINE})
 		session.WaitWithDefaultTimeout()
-		Expect(session).Should(Exit(0))
+		if IsRemote() {
+			Expect(session).To(ExitWithError())
+			Expect(session.ErrorToString()).To(ContainSubstring("unknown flag"))
+		} else {
+			Expect(session).Should(Exit(0))
+		}
 	})

 	It("podman create with unset label", func() {
--- a/test/e2e/import_test.go
+++ b/test/e2e/import_test.go
@ -170,6 +170,12 @@ var _ = Describe("Podman import", func() {

 		result := podmanTest.Podman([]string{"import", "--signature-policy", "/etc/containers/policy.json", outfile})
 		result.WaitWithDefaultTimeout()
+		if IsRemote() {
+			Expect(result).To(ExitWithError())
+			Expect(result.ErrorToString()).To(ContainSubstring("unknown flag"))
+			result := podmanTest.Podman([]string{"import", outfile})
+			result.WaitWithDefaultTimeout()
+		}
 		Expect(result).Should(Exit(0))
 	})
 })
--- a/test/e2e/load_test.go
+++ b/test/e2e/load_test.go
@ -104,7 +104,15 @@ var _ = Describe("Podman load", func() {

 		result := podmanTest.Podman([]string{"load", "--signature-policy", "/etc/containers/policy.json", "-i", outfile})
 		result.WaitWithDefaultTimeout()
-		Expect(result).Should(Exit(0))
+		if IsRemote() {
+			Expect(result).To(ExitWithError())
+			Expect(result.ErrorToString()).To(ContainSubstring("unknown flag"))
+			result = podmanTest.Podman([]string{"load", "-i", outfile})
+			result.WaitWithDefaultTimeout()
+			Expect(result).Should(Exit(0))
+		} else {
+			Expect(result).Should(Exit(0))
+		}
 	})

 	It("podman load with quiet flag", func() {
--- a/test/e2e/run_test.go
+++ b/test/e2e/run_test.go
@ -83,14 +83,18 @@ var _ = Describe("Podman run", func() {
 	})

 	It("podman run --signature-policy", func() {
-		SkipIfRemote("SigPolicy not handled by remote")
 		session := podmanTest.Podman([]string{"run", "--pull=always", "--signature-policy", "/no/such/file", ALPINE})
 		session.WaitWithDefaultTimeout()
 		Expect(session).To(ExitWithError())

 		session = podmanTest.Podman([]string{"run", "--pull=always", "--signature-policy", "/etc/containers/policy.json", ALPINE})
 		session.WaitWithDefaultTimeout()
-		Expect(session).Should(Exit(0))
+		if IsRemote() {
+			Expect(session).To(ExitWithError())
+			Expect(session.ErrorToString()).To(ContainSubstring("unknown flag"))
+		} else {
+			Expect(session).Should(Exit(0))
+		}
 	})

 	It("podman run --rm with --restart", func() {
--- a/test/e2e/save_test.go
+++ b/test/e2e/save_test.go
@ -194,14 +194,16 @@ default-docker:
 		session.WaitWithDefaultTimeout()
 		Expect(session).Should(Exit(0))

-		session = podmanTest.Podman([]string{"pull", "--tls-verify=false", "--signature-policy=sign/policy.json", "localhost:5000/alpine"})
-		session.WaitWithDefaultTimeout()
-		Expect(session).Should(Exit(0))
+		if !IsRemote() {
+			session = podmanTest.Podman([]string{"pull", "--tls-verify=false", "--signature-policy=sign/policy.json", "localhost:5000/alpine"})
+			session.WaitWithDefaultTimeout()
+			Expect(session).Should(Exit(0))

-		outfile := filepath.Join(podmanTest.TempDir, "temp.tar")
-		save := podmanTest.Podman([]string{"save", "remove-signatures=true", "-o", outfile, "localhost:5000/alpine"})
-		save.WaitWithDefaultTimeout()
-		Expect(save).To(ExitWithError())
+			outfile := filepath.Join(podmanTest.TempDir, "temp.tar")
+			save := podmanTest.Podman([]string{"save", "remove-signatures=true", "-o", outfile, "localhost:5000/alpine"})
+			save.WaitWithDefaultTimeout()
+			Expect(save).To(ExitWithError())
+		}
 	})

 	It("podman save image with digest reference", func() {