From edaafbd2d011c91feed9f75712d05f2c4478994e Mon Sep 17 00:00:00 2001
From: RishabhSaini <rsaini@redhat.com>
Date: Tue, 11 Jul 2023 18:49:37 -0400
Subject: [PATCH] Check for unsigned images policy_eval: Checks for
 insecureAcceptAnything defined in policy.json for the target image

Signed-off-by: RishabhSaini <rsaini@redhat.com>
---
 signature/policy_eval.go | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)

diff --git a/signature/policy_eval.go b/signature/policy_eval.go
index 4f8d0da389..008920b434 100644
--- a/signature/policy_eval.go
+++ b/signature/policy_eval.go
@@ -253,6 +253,32 @@ func (pc *PolicyContext) GetSignaturesWithAcceptedAuthor(ctx context.Context, pu
 	return res, nil
 }
 
+// IsImagePolicySigned true iff the policy requirement for the image is not insecureAcceptAnything
+func (pc *PolicyContext) IsImagePolicySigned(publicImage types.UnparsedImage) (res bool, finalErr error) {
+	if err := pc.changeState(pcReady, pcInUse); err != nil {
+		return false, err
+	}
+	defer func() {
+		if err := pc.changeState(pcInUse, pcReady); err != nil {
+			res = false
+			finalErr = err
+		}
+	}()
+
+	image := unparsedimage.FromPublic(publicImage)
+
+	logrus.Debugf("IsImagePolicySigned for image %s", policyIdentityLogName(image.Reference()))
+	reqs := pc.requirementsForImageRef(image.Reference())
+
+	for _, req := range reqs {
+		if req == NewPRInsecureAcceptAnything() {
+			return false, PolicyRequirementError("The policy defined for the image must not be InsecureAcceptAnything")
+		}
+	}
+
+	return true, nil
+}
+
 // IsRunningImageAllowed returns true iff the policy allows running the image.
 // If it returns false, err must be non-nil, and should be an PolicyRequirementError if evaluation
 // succeeded but the result was rejection.