From 4a14692ce2e8bb0ffaab7ac5eb3dc474896e444d Mon Sep 17 00:00:00 2001 From: RishabhSaini Date: Tue, 11 Jul 2023 18:49:37 -0400 Subject: [PATCH] Check for unsigned images policy_eval: Checks for insecureAcceptAnything defined in policy.json for the target image Signed-off-by: RishabhSaini --- signature/policy_eval.go | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/signature/policy_eval.go b/signature/policy_eval.go index 4f8d0da389..125e22e078 100644 --- a/signature/policy_eval.go +++ b/signature/policy_eval.go @@ -11,6 +11,7 @@ import ( "github.com/containers/image/v5/internal/private" "github.com/containers/image/v5/internal/unparsedimage" + "github.com/containers/image/v5/signature/internal" "github.com/containers/image/v5/types" "github.com/sirupsen/logrus" ) @@ -253,6 +254,29 @@ func (pc *PolicyContext) GetSignaturesWithAcceptedAuthor(ctx context.Context, pu return res, nil } +// IsImagePolicySigned true iff the policy requirement for the image is not insecureAcceptAnything +func (pc *policyContext) IsImagePolicySigned(publicImage types.UnparsedImage) (res bool, finalErr error) { + if err := pc.changeState(pcReady, pcInUse); err != nil { + return false, err + } + defer func() { + if err := pc.changeState(pcInUse, pcReady); err != nil { + res = false + finalErr = err + } + }() + + image := unparsedimage.FromPublic(publicImage) + + logrus.Debugf("IsImagePolicySigned for image %s", policyIdentityLogName(image.Reference())) + reqs := pc.requirementsForImageRef(image.Reference()) + + if contains(reqs, prTypeInsecureAcceptAnything) { + return false, PolicyRequirementError("The policy defined for the image must not be InsecureAcceptAnything") + } + return true, nil +} + // IsRunningImageAllowed returns true iff the policy allows running the image. // If it returns false, err must be non-nil, and should be an PolicyRequirementError if evaluation // succeeded but the result was rejection.