cli/command: remove NotaryClient from CLI interface

This method was a shallow wrapper around trust.GetNotaryRepository, but
due to its signature resulted in the trust package, and notary dependencies
to become a dependency of the CLI. Consequence of this was that cli-plugins,
which need the cli/command package, would also get notary and its
dependencies as a dependency.

Thie patch:

- Removes the NotaryClient method from the interface
- Inlines the code where needed, skipping the wrapper
- Define a local interface for some tests where a dummy notary client was used.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

Author: thaJeztah

cli/command/cli.go

@@ -25,7 +25,6 @@ import (
 	manifeststore "github.com/docker/cli/cli/manifest/store"
 	registryclient "github.com/docker/cli/cli/registry/client"
 	"github.com/docker/cli/cli/streams"
-	"github.com/docker/cli/cli/trust"
 	"github.com/docker/cli/cli/version"
 	dopts "github.com/docker/cli/opts"
 	"github.com/docker/docker/api"
@@ -36,7 +35,6 @@ import (
 	"github.com/docker/go-connections/tlsconfig"
 	"github.com/pkg/errors"
 	"github.com/spf13/cobra"
-	notaryclient "github.com/theupdateframework/notary/client"
 )
 
 const defaultInitTimeout = 2 * time.Second
@@ -56,7 +54,6 @@ type Cli interface {
 	Apply(ops ...CLIOption) error
 	ConfigFile() *configfile.ConfigFile
 	ServerInfo() ServerInfo
-	NotaryClient(imgRefAndAuth trust.ImageRefAndAuth, actions []string) (notaryclient.Repository, error)
 	DefaultVersion() string
 	CurrentVersion() string
 	ManifestStore() manifeststore.Store
@@ -405,11 +402,6 @@ func (cli *DockerCli) initializeFromClient() {
 	cli.client.NegotiateAPIVersionPing(ping)
 }
 
-// NotaryClient provides a Notary Repository to interact with signed metadata for an image
-func (cli *DockerCli) NotaryClient(imgRefAndAuth trust.ImageRefAndAuth, actions []string) (notaryclient.Repository, error) {
-	return trust.GetNotaryRepository(cli.In(), cli.Out(), UserAgent(), imgRefAndAuth.RepoInfo(), imgRefAndAuth.AuthConfig(), actions...)
-}
-
 // ContextStore returns the ContextStore
 func (cli *DockerCli) ContextStore() store.Store {
 	return cli.contextStore

cli/command/image/trust.go

@@ -30,6 +30,20 @@ type target struct {
 	size   int64
 }
 
+// notaryClientProvider is used in tests to provide a dummy notary client.
+type notaryClientProvider interface {
+	NotaryClient(imgRefAndAuth trust.ImageRefAndAuth, actions []string) (client.Repository, error)
+}
+
+// newNotaryClient provides a Notary Repository to interact with signed metadata for an image.
+func newNotaryClient(cli command.Streams, imgRefAndAuth trust.ImageRefAndAuth) (client.Repository, error) {
+	if ncp, ok := cli.(notaryClientProvider); ok {
+		// notaryClientProvider is used in tests to provide a dummy notary client.
+		return ncp.NotaryClient(imgRefAndAuth, []string{"pull"})
+	}
+	return trust.GetNotaryRepository(cli.In(), cli.Out(), command.UserAgent(), imgRefAndAuth.RepoInfo(), imgRefAndAuth.AuthConfig(), "pull")
+}
+
 // TrustedPush handles content trust pushing of an image
 func TrustedPush(ctx context.Context, cli command.Cli, repoInfo *registry.RepositoryInfo, ref reference.Named, authConfig registrytypes.AuthConfig, options image.PushOptions) error {
 	responseBody, err := cli.Client().ImagePush(ctx, reference.FamiliarString(ref), options)
@@ -213,7 +227,7 @@ func trustedPull(ctx context.Context, cli command.Cli, imgRefAndAuth trust.Image
 }
 
 func getTrustedPullTargets(cli command.Cli, imgRefAndAuth trust.ImageRefAndAuth) ([]target, error) {
-	notaryRepo, err := cli.NotaryClient(imgRefAndAuth, trust.ActionsPullOnly)
+	notaryRepo, err := newNotaryClient(cli, imgRefAndAuth)
 	if err != nil {
 		return nil, errors.Wrap(err, "error establishing connection to trust repository")
 	}
@@ -293,7 +307,7 @@ func TrustedReference(ctx context.Context, cli command.Cli, ref reference.NamedT
 		return nil, err
 	}
 
-	notaryRepo, err := cli.NotaryClient(imgRefAndAuth, []string{"pull"})
+	notaryRepo, err := newNotaryClient(cli, imgRefAndAuth)
 	if err != nil {
 		return nil, errors.Wrap(err, "error establishing connection to trust repository")
 	}

cli/command/trust/common.go

@@ -49,6 +49,20 @@ type trustKey struct {
 	ID string `json:",omitempty"`
 }
 
+// notaryClientProvider is used in tests to provide a dummy notary client.
+type notaryClientProvider interface {
+	NotaryClient(imgRefAndAuth trust.ImageRefAndAuth, actions []string) (client.Repository, error)
+}
+
+// newNotaryClient provides a Notary Repository to interact with signed metadata for an image.
+func newNotaryClient(cli command.Streams, imgRefAndAuth trust.ImageRefAndAuth, actions []string) (client.Repository, error) {
+	if ncp, ok := cli.(notaryClientProvider); ok {
+		// notaryClientProvider is used in tests to provide a dummy notary client.
+		return ncp.NotaryClient(imgRefAndAuth, actions)
+	}
+	return trust.GetNotaryRepository(cli.In(), cli.Out(), command.UserAgent(), imgRefAndAuth.RepoInfo(), imgRefAndAuth.AuthConfig(), actions...)
+}
+
 // lookupTrustInfo returns processed signature and role information about a notary repository.
 // This information is to be pretty printed or serialized into a machine-readable format.
 func lookupTrustInfo(ctx context.Context, cli command.Cli, remote string) ([]trustTagRow, []client.RoleWithSignatures, []data.Role, error) {
@@ -57,7 +71,7 @@ func lookupTrustInfo(ctx context.Context, cli command.Cli, remote string) ([]tru
 		return []trustTagRow{}, []client.RoleWithSignatures{}, []data.Role{}, err
 	}
 	tag := imgRefAndAuth.Tag()
-	notaryRepo, err := cli.NotaryClient(imgRefAndAuth, trust.ActionsPullOnly)
+	notaryRepo, err := newNotaryClient(cli, imgRefAndAuth, trust.ActionsPullOnly)
 	if err != nil {
 		return []trustTagRow{}, []client.RoleWithSignatures{}, []data.Role{}, trust.NotaryError(imgRefAndAuth.Reference().Name(), err)
 	}

cli/command/trust/revoke.go

@@ -53,7 +53,7 @@ func revokeTrust(ctx context.Context, dockerCLI command.Cli, remote string, opti
 		}
 	}
 
-	notaryRepo, err := dockerCLI.NotaryClient(imgRefAndAuth, trust.ActionsPushAndPull)
+	notaryRepo, err := newNotaryClient(dockerCLI, imgRefAndAuth, trust.ActionsPushAndPull)
 	if err != nil {
 		return err
 	}

cli/command/trust/sign.go

@@ -52,7 +52,7 @@ func runSignImage(ctx context.Context, dockerCLI command.Cli, options signOption
 		return err
 	}
 
-	notaryRepo, err := dockerCLI.NotaryClient(imgRefAndAuth, trust.ActionsPushAndPull)
+	notaryRepo, err := newNotaryClient(dockerCLI, imgRefAndAuth, trust.ActionsPushAndPull)
 	if err != nil {
 		return trust.NotaryError(imgRefAndAuth.Reference().Name(), err)
 	}

cli/command/trust/signer_add.go

@@ -85,7 +85,7 @@ func addSignerToRepo(ctx context.Context, dockerCLI command.Cli, signerName stri
 		return err
 	}
 
-	notaryRepo, err := dockerCLI.NotaryClient(imgRefAndAuth, trust.ActionsPushAndPull)
+	notaryRepo, err := newNotaryClient(dockerCLI, imgRefAndAuth, trust.ActionsPushAndPull)
 	if err != nil {
 		return trust.NotaryError(imgRefAndAuth.Reference().Name(), err)
 	}

cli/command/trust/signer_remove.go

@@ -103,7 +103,7 @@ func removeSingleSigner(ctx context.Context, dockerCLI command.Cli, repoName, si
 	if signerDelegation == releasesRoleTUFName {
 		return false, errors.Errorf("releases is a reserved keyword and cannot be removed")
 	}
-	notaryRepo, err := dockerCLI.NotaryClient(imgRefAndAuth, trust.ActionsPushAndPull)
+	notaryRepo, err := newNotaryClient(dockerCLI, imgRefAndAuth, trust.ActionsPushAndPull)
 	if err != nil {
 		return false, trust.NotaryError(imgRefAndAuth.Reference().Name(), err)
 	}