Skip to content
This repository has been archived by the owner on Nov 7, 2024. It is now read-only.

containers: Patch skopeo to have --deny-default-insecure #79

Open
cgwalters opened this issue Sep 15, 2021 · 1 comment
Open

containers: Patch skopeo to have --deny-default-insecure #79

cgwalters opened this issue Sep 15, 2021 · 1 comment
Labels

Comments

@cgwalters
Copy link
Member

cgwalters commented Sep 15, 2021

We should add skopeo copy --deny-default-insecure to implement SignatureSource::ContainerPolicy properly, which tries to deny fetching unsigned images.

I started on this:

diff --git a/signature/policy_eval.go b/signature/policy_eval.go
index edcbf52..dfec8f5 100644
--- a/signature/policy_eval.go
+++ b/signature/policy_eval.go
@@ -131,7 +131,7 @@ func policyIdentityLogName(ref types.ImageReference) string {
 }
 
 // requirementsForImageRef selects the appropriate requirements for ref.
-func (pc *PolicyContext) requirementsForImageRef(ref types.ImageReference) PolicyRequirements {
+func (pc *PolicyContext) requirementsForImageRef(ref types.ImageReference, allowDefault bool) PolicyRequirements {
 	// Do we have a PolicyTransportScopes for this transport?
 	transportName := ref.Transport().Name()
 	if transportScopes, ok := pc.Policy.Transports[transportName]; ok {
@@ -157,8 +157,11 @@ func (pc *PolicyContext) requirementsForImageRef(ref types.ImageReference) Polic
 		}
 	}
 
-	logrus.Debugf(" Using default policy section")
-	return pc.Policy.Default
+	if allowDefault {
+		logrus.Debugf(" Using default policy section")
+		return pc.Policy.Default
+	}
+	return []PolicyRequirement{}
 }
 
 // GetSignaturesWithAcceptedAuthor returns those signatures from an image
@@ -186,7 +189,7 @@ func (pc *PolicyContext) GetSignaturesWithAcceptedAuthor(ctx context.Context, im
 	}()
 
 	logrus.Debugf("GetSignaturesWithAcceptedAuthor for image %s", policyIdentityLogName(image.Reference()))
-	reqs := pc.requirementsForImageRef(image.Reference())
+	reqs := pc.requirementsForImageRef(image.Reference(), true)
 
 	// FIXME: rename Signatures to UnverifiedSignatures
 	// FIXME: pass context.Context
@@ -250,12 +253,7 @@ func (pc *PolicyContext) GetSignaturesWithAcceptedAuthor(ctx context.Context, im
 	return res, nil
 }
 
-// IsRunningImageAllowed returns true iff the policy allows running the image.
-// If it returns false, err must be non-nil, and should be an PolicyRequirementError if evaluation
-// succeeded but the result was rejection.
-// WARNING: This validates signatures and the manifest, but does not download or validate the
-// layers. Users must validate that the layers match their expected digests.
-func (pc *PolicyContext) IsRunningImageAllowed(ctx context.Context, image types.UnparsedImage) (res bool, finalErr error) {
+func (pc *PolicyContext) isRunningImageAllowedImpl(ctx context.Context, image types.UnparsedImage, allowDefault bool) (res bool, finalErr error) {
 	if err := pc.changeState(pcReady, pcInUse); err != nil {
 		return false, err
 	}
@@ -267,7 +265,7 @@ func (pc *PolicyContext) IsRunningImageAllowed(ctx context.Context, image types.
 	}()
 
 	logrus.Debugf("IsRunningImageAllowed for image %s", policyIdentityLogName(image.Reference()))
-	reqs := pc.requirementsForImageRef(image.Reference())
+	reqs := pc.requirementsForImageRef(image.Reference(), allowDefault)
 
 	if len(reqs) == 0 {
 		return false, PolicyRequirementError("List of verification policy requirements must not be empty")
@@ -286,3 +284,18 @@ func (pc *PolicyContext) IsRunningImageAllowed(ctx context.Context, image types.
 	logrus.Debugf("Overall: allowed")
 	return true, nil
 }
+
+// IsRunningImageAllowed returns true iff the policy allows running the image.
+// If it returns false, err must be non-nil, and should be an PolicyRequirementError if evaluation
+// succeeded but the result was rejection.
+// WARNING: This validates signatures and the manifest, but does not download or validate the
+// layers. Users must validate that the layers match their expected digests.
+func (pc *PolicyContext) IsRunningImageAllowed(ctx context.Context, image types.UnparsedImage) (res bool, finalErr error) {
+	return pc.isRunningImageAllowedImpl(ctx, image, true)
+}
+
+// IsRunningImageExplicitlyAllowed returns true iff the policy allows running the image without falling through to the global `default`.
+// This is a variation of IsRunningImageAllowed - see that function for more information.
+func (pc *PolicyContext) IsRunningImageExplictlyAllowed(ctx context.Context, image types.UnparsedImage) (res bool, finalErr error) {
+	return pc.isRunningImageAllowedImpl(ctx, image, false)
+}
diff --git a/signature/policy_eval_test.go b/signature/policy_eval_test.go
index 8cabb3e..77a16d9 100644
--- a/signature/policy_eval_test.go
+++ b/signature/policy_eval_test.go
@@ -135,7 +135,7 @@ func TestPolicyContextRequirementsForImageRefNotRegisteredTransport(t *testing.T
 	require.NoError(t, err)
 	ref, err := reference.ParseNormalizedNamed("registry.access.redhat.com/rhel7:latest")
 	require.NoError(t, err)
-	reqs := pc.requirementsForImageRef(pcImageReferenceMock{"docker", ref})
+	reqs := pc.requirementsForImageRef(pcImageReferenceMock{"docker", ref}, true)
 	assert.True(t, &(reqs[0]) == &(pr[0]))
 	assert.True(t, len(reqs) == len(pr))
 
@@ -204,7 +204,7 @@ func TestPolicyContextRequirementsForImageRef(t *testing.T) {
 
 		ref, err := reference.ParseNormalizedNamed(c.input)
 		require.NoError(t, err)
-		reqs := pc.requirementsForImageRef(pcImageReferenceMock{c.inputTransport, ref})
+		reqs := pc.requirementsForImageRef(pcImageReferenceMock{c.inputTransport, ref}, true)
 		comment := fmt.Sprintf("case %s:%s: %#v", c.inputTransport, c.input, reqs[0])
 		// Do not use assert.Equal, which would do a deep contents comparison; we want to compare
 		// the pointers. Also, == does not work on slices; so test that the slices start at the
@cgwalters
Copy link
Member Author

This should actually become a feature of https://github.com/cgwalters/container-image-proxy instead. (May require containers/image work)

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
Projects
None yet
Development

No branches or pull requests

1 participant