18 changes: 16 additions & 2 deletions shield/pkg/shield/image.go
Expand Up @@ -41,6 +41,7 @@ import (
type ImageDecisionResult struct {
Type common.DecisionType `json:"type,omitempty"`
Verified bool `json:"verified,omitempty"`
Allowed bool `json:"allowed,omitempty"`
Message string `json:"message,omitempty"`
}

Expand Down Expand Up @@ -110,18 +111,31 @@ func (sci *SigCheckImages) imageVerifiedResultCheckByProfile() {
func makeImageCheckResult(images *SigCheckImages) *ImageDecisionResult {
res := &ImageDecisionResult{}
for _, img := range images.ImagesToVerify {
if img.Result.Error != nil {
res.Type = common.DecisionError
res.Allowed = false
res.Verified = true
res.Message = img.Result.Error.Error()
return res
}
if !img.Result.Allowed {
res.Verified = false
res.Type = common.DecisionDeny
res.Allowed = false
res.Verified = true
res.Message = img.Result.Reason
return res
}
if !img.ProfileCheckResult {
res.Verified = false
res.Type = common.DecisionDeny
res.Allowed = false
res.Verified = true
res.Message = "no image profile matches with this commonName:" + strings.Join(img.Result.CommonNames, ",")
return res
}
}
res.Allowed = true
res.Verified = true
res.Type = common.DecisionAllow
res.Message = "image " + images.ImagesToVerify[0].Result.Digest + " is signed by " + images.ImagesToVerify[0].Profile.CommonName
return res
}
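Review bot: The allow path's `res.Message = "image " + images.ImagesToVerify[0].Result.Digest + ...` indexes `ImagesToVerify[0]` with no check that the slice is non-empty; an empty list skips the loop entirely and that line panics with an index out of range, so the DecisionAllow tail should be guarded first, e.g. `if len(images.ImagesToVerify) == 0 { res.Type = common.DecisionUndetermined; return res }` (the index itself may predate this change, but the commit is what now sets `Type` on that path, and whether Undetermined or Allow is the right outcome for an empty list is for the caller to decide). In both deny branches the removed `res.Verified = false` becomes `res.Verified = true`, which reads as "signature verified" to anyone consuming the JSON; if the field is meant as "verification was performed", a comment on the struct field such as `// Verified reports that the signature check ran, not that it passed; see Allowed.` would prevent that misreading. The new error branch is fail-closed (`Allowed = false`), which is the right default for an admission decision.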
4 changes: 4 additions & 0 deletions shield/pkg/shield/resource_handler.go
Expand Up @@ -123,8 +123,12 @@ func (self *ResourceHandler) Check() *DecisionResult {
// image
func (self *ResourceHandler) ImageCheck() *ImageDecisionResult {
idr := &ImageDecisionResult{}
idr.Type = common.DecisionUndetermined
sigcheck, imageToVerify, msg := requestCheckForImageCheck(self.resc)
if !sigcheck {
idr.Verified = false
idr.Allowed = true
idr.Type = common.DecisionAllow
idr.Message = msg
return idr
}
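Review bot: The `!sigcheck` branch returns `Allowed = true` with `Verified = false`, which is the one place this handler lets a resource through without any signature verification, and nothing in the hunk says why that is safe; assuming `requestCheckForImageCheck` returns false when the resource is not subject to image checking at all, a comment such as `// Not an image-check target: allow without verification; msg explains why.` above the `if !sigcheck` would make clear this is a not-applicable path rather than a fail-open on verification failure. The added `idr.Type = common.DecisionUndetermined` at the top presumably serves as the default for branches further down that do not set `Type`; if every branch does set it the line is dead, otherwise a short comment stating that intent would help the next reader. ImageCheck's body continues past the end of the hunk.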