From 76a14985d6f571083d98152f78f4c73ed2b7276f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Miloslav=20Trma=C4=8D?=
Date: Thu, 2 Jun 2016 16:26:01 +0200
Subject: [PATCH] Implement policy enforcement in (skopeo copy)

Finally, load and enforce the policy. NOTE that this breaks a simple ./skopeo from a built directory if you don't have /etc/atomic/policy.json installed for other reasons; use (./skopeo --policy default-policy.json) instead.
---
 cmd/skopeo/copy.go | 21 ++++++++++++++++-----
 docs/skopeo.1.md   |  2 ++
 2 files changed, 18 insertions(+), 5 deletions(-)

diff --git a/cmd/skopeo/copy.go b/cmd/skopeo/copy.go
index 14e3577a..e2104826 100644
--- a/cmd/skopeo/copy.go
+++ b/cmd/skopeo/copy.go
@@ -80,6 +80,12 @@ func copyHandler(context *cli.Context) error {
 		return errors.New("Usage: copy source destination")
 	}
 
+	policyContext, err := getPolicyContext(context)
+	if err != nil {
+		return fmt.Errorf("Error loading verification policy: %v", err)
+	}
+	defer policyContext.Destroy()
+
 	dest, err := parseImageDestination(context, context.Args()[1])
 	if err != nil {
 		return fmt.Errorf("Error initializing %s: %v", context.Args()[1], err)
@@ -93,11 +99,21 @@ func copyHandler(context *cli.Context) error {
 	signBy := context.String("sign-by")
 
+	// Please keep this policy check BEFORE reading any other information about the image.
+	if allowed, err := policyContext.IsRunningImageAllowed(src); !allowed || err != nil { // Be paranoid and fail if either return value indicates so.
+		return fmt.Errorf("Source image rejected: %v", err)
+	}
+
 	manifest, _, err := src.Manifest()
 	if err != nil {
 		return fmt.Errorf("Error reading manifest: %v", err)
 	}
+	sigs, err := src.Signatures()
+	if err != nil {
+		return fmt.Errorf("Error reading signatures: %v", err)
+	}
+
 	blobDigests, err := src.BlobDigests()
 	if err != nil {
 		return fmt.Errorf("Error parsing manifest: %v", err)
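Review bot: `defer policyContext.Destroy()` in the first hunk discards Destroy's return value; as far as I recall the signature package's PolicyContext.Destroy returns an error, so a failed teardown of the policy context would pass silently after the new enforcement path has run. A deferred closure that reports the error keeps that visible, e.g. `defer func() { if err := policyContext.Destroy(); err != nil { /* report err via the logger copy.go already uses */ } }()`. getPolicyContext is defined outside this hunk, so whether it fails closed when neither --policy nor /etc/atomic/policy.json is available cannot be confirmed from here; the commit description indicates it does, which is the right default for an enforcement path. copyHandler continues beyond this hunk.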
@@ -128,11 +144,6 @@ func copyHandler(context *cli.Context) error {
 		}
 	}
 
-	sigs, err := src.Signatures()
-	if err != nil {
-		return fmt.Errorf("Error reading signatures: %v", err)
-	}
-
 	if signBy != "" {
 		mech, err := signature.NewGPGSigningMechanism()
 		if err != nil {
diff --git a/docs/skopeo.1.md b/docs/skopeo.1.md
index 957f4211..a761f2cb 100644
--- a/docs/skopeo.1.md
+++ b/docs/skopeo.1.md
@@ -59,6 +59,8 @@ Most commands refer to container images, using a _transport_`:`_details_ format.
 
 Copy an image (manifest, filesystem layers, signatures) from one location to another.
 
+Uses the system's signature verification policy to validate images, refuses to copy images rejected by the policy.
+
 _source-image_ use the "image name" format described above
 
 _destination-image_ use the "image name" format described above