From 812818d381f7125ad7eae64f186a871a25d987bc Mon Sep 17 00:00:00 2001
From: stevenhorsman
Date: Mon, 12 Sep 2022 17:01:49 +0100
Subject: [PATCH] agent: Enable security_validate if required
If we are using the offline_fs_kbc and have created a resource json then switch security_validate on the image_client to enable the signature verification feature for image-rs
Fixes: #4581
Signed-off-by: stevenhorsman
---
 src/agent/src/image_rpc.rs | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/src/agent/src/image_rpc.rs b/src/agent/src/image_rpc.rs
index 76242038d9..f10ce63215 100644
--- a/src/agent/src/image_rpc.rs
+++ b/src/agent/src/image_rpc.rs
@@ -35,6 +35,7 @@ const OCICRYPT_CONFIG_PATH: &str = "/tmp/ocicrypt_config.json";
 const KATA_CC_IMAGE_WORK_DIR: &str = "/run/image/";
 const KATA_CC_PAUSE_BUNDLE: &str = "/pause_bundle";
 const CONFIG_JSON: &str = "config.json";
+const OFFLINE_FS_KBC_RESOURCE_PATH: &str = "/etc/aa-offline_fs_kbc-resources.json";
 // Convenience macro to obtain the scope logger
 macro_rules! sl {
@@ -273,6 +274,14 @@ impl ImageService {
 Self::unpack_image(&cid)?;
 } else {
+ // TODO #4888 - Create a better way to enable signature verification. This is temporary for the PoC
+ if aa_kbc_params.eq("offline_fs_kbc::null")
+ && Path::new(OFFLINE_FS_KBC_RESOURCE_PATH).exists()
+ {
+ info!(sl!(), "Enabling security_validate on image_client");
+ self.image_client.lock().await.config.security_validate = true;
+ }
+
 let bundle_path = Path::new(CONTAINER_BASE).join(&cid);
 fs::create_dir_all(&bundle_path)?;
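Review bot: The new `if` in the second hunk leaves signature verification off without any trace whenever its condition is false, and `Path::new(OFFLINE_FS_KBC_RESOURCE_PATH).exists()` returns false on a stat error as well as on a missing file, so an unreadable resource file means the image is pulled unverified with nothing in the log. Until the TODO #4888 rework lands, I would add an `else { warn!(sl!(), "security_validate not enabled; image signatures will not be checked"); }` arm (assuming `warn!` is in scope alongside `info!`) so the fail-open case is visible in the agent log. A comment on `OFFLINE_FS_KBC_RESOURCE_PATH` in the first hunk, e.g. `// Presence of this file (with offline_fs_kbc) turns on image signature verification`, would also record that the constant acts as a security switch. The enclosing function starts and ends outside the hunk, so where `aa_kbc_params` comes from and whether `security_validate` is ever reset cannot be checked from here.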