From f236b5efdc09a57c23a8eb329352daee47dcded6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Miloslav=20Trma=C4=8D?= <mitr@redhat.com>
Date: Tue, 18 Jul 2023 20:27:27 +0200
Subject: [PATCH] Fix handling the unexpected return value combination from
 IsRunningImageAllowed
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Miloslav Trmač <mitr@redhat.com>
---
 cmd/skopeo/proxy.go | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/cmd/skopeo/proxy.go b/cmd/skopeo/proxy.go
index a8948c05..aab85365 100644
--- a/cmd/skopeo/proxy.go
+++ b/cmd/skopeo/proxy.go
@@ -279,11 +279,11 @@ func (h *proxyHandler) openImageImpl(args []any, allowNotFound bool) (retReplyBu
 
 	unparsedTopLevel := image.UnparsedInstance(imgsrc, nil)
 	allowed, err := policyContext.IsRunningImageAllowed(context.Background(), unparsedTopLevel)
-	if !allowed || err != nil {
+	if err != nil {
 		return ret, err
 	}
-	if !allowed && err == nil {
-		return ret, fmt.Errorf("policy verification failed unexpectedly")
+	if !allowed {
+		return ret, fmt.Errorf("internal inconsistency: policy verification failed without returning an error")
 	}
 
 	// Note that we never return zero as an imageid; this code doesn't yet