Skip to content

Commit

Permalink
Check for unsigned images
Browse files Browse the repository at this point in the history
policy_eval: Checks for insecureAcceptAnything defined in policy.json for the target image

Signed-off-by: RishabhSaini <[email protected]>
  • Loading branch information
RishabhSaini committed Jul 11, 2023
1 parent 9b3e4a4 commit 4a14692
Showing 1 changed file with 24 additions and 0 deletions.
24 changes: 24 additions & 0 deletions signature/policy_eval.go
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,7 @@ import (

"github.com/containers/image/v5/internal/private"
"github.com/containers/image/v5/internal/unparsedimage"
"github.com/containers/image/v5/signature/internal"
"github.com/containers/image/v5/types"
"github.com/sirupsen/logrus"
)
Expand Down Expand Up @@ -253,6 +254,29 @@ func (pc *PolicyContext) GetSignaturesWithAcceptedAuthor(ctx context.Context, pu
return res, nil
}

// IsImagePolicySigned true iff the policy requirement for the image is not insecureAcceptAnything
func (pc *policyContext) IsImagePolicySigned(publicImage types.UnparsedImage) (res bool, finalErr error) {
if err := pc.changeState(pcReady, pcInUse); err != nil {
return false, err
}
defer func() {
if err := pc.changeState(pcInUse, pcReady); err != nil {
res = false
finalErr = err
}
}()

image := unparsedimage.FromPublic(publicImage)

logrus.Debugf("IsImagePolicySigned for image %s", policyIdentityLogName(image.Reference()))
reqs := pc.requirementsForImageRef(image.Reference())

if contains(reqs, prTypeInsecureAcceptAnything) {
return false, PolicyRequirementError("The policy defined for the image must not be InsecureAcceptAnything")
}
return true, nil
}

// IsRunningImageAllowed returns true iff the policy allows running the image.
// If it returns false, err must be non-nil, and should be an PolicyRequirementError if evaluation
// succeeded but the result was rejection.
Expand Down

0 comments on commit 4a14692

Please sign in to comment.