From a3bbc3a2cab4759146dc5a66ec3f9bd9782b6131 Mon Sep 17 00:00:00 2001
From: Ismael Arias
Date: Thu, 13 Jul 2023 22:13:31 +0200
Subject: [PATCH 1/4] Fix trust not using local policy file

When running the `trust` command, only the global policy.json file was being taken into account.
Fixes #19073
[NO NEW TESTS NEEDED]
Signed-off-by: Ismael Arias
---
 pkg/trust/policy.go | 20 +++++++++++++-------
 1 file changed, 13 insertions(+), 7 deletions(-)
diff --git a/pkg/trust/policy.go b/pkg/trust/policy.go
index aa14fc7e15..6befb01676 100644
--- a/pkg/trust/policy.go
+++ b/pkg/trust/policy.go
@@ -14,9 +14,13 @@ import (
 "github.com/containers/common/pkg/config"
 "github.com/containers/image/v5/types"
+ "github.com/containers/storage/pkg/homedir"
 "github.com/sirupsen/logrus"
 )
+// userPolicyFile is the path to the per user policy path.
+var userPolicyFile = filepath.FromSlash(".config/containers/policy.json")
+
 // policyContent is the overall structure of a policy.json file (= c/image/v5/signature.Policy)
 type policyContent struct {
 Default []repoContent `json:"default"`
@@ -54,14 +58,16 @@ type genericRepoMap map[string]json.RawMessage
 // DefaultPolicyPath returns a path to the default policy of the system.
 func DefaultPolicyPath(sys *types.SystemContext) string {
+ if sys != nil && sys.SignaturePolicyPath != "" {
+ return sys.SignaturePolicyPath
+ }
+ userPolicyFilePath := filepath.Join(homedir.Get(), userPolicyFile)
+ if _, err := os.Stat(userPolicyFilePath); err == nil {
+ return userPolicyFilePath
+ }
 systemDefaultPolicyPath := config.DefaultSignaturePolicyPath
- if sys != nil {
- if sys.SignaturePolicyPath != "" {
- return sys.SignaturePolicyPath
- }
- if sys.RootForImplicitAbsolutePaths != "" {
- return filepath.Join(sys.RootForImplicitAbsolutePaths, systemDefaultPolicyPath)
- }
+ if sys != nil && sys.RootForImplicitAbsolutePaths != "" {
+ return filepath.Join(sys.RootForImplicitAbsolutePaths, systemDefaultPolicyPath)
 }
 return systemDefaultPolicyPath
 }
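Review bot: In DefaultPolicyPath the added per-user lookup joins `homedir.Get()` with a relative suffix and never checks that the result is an absolute path. If `homedir.Get()` can return an empty string (its implementation is not shown here), `filepath.Join` yields the relative path `.config/containers/policy.json`, and `os.Stat` resolves that against the current working directory, so a policy file in whatever directory the command is run from would be chosen as the signature policy. Guarding the lookup with `if filepath.IsAbs(userPolicyFilePath) {` before the `os.Stat` call keeps the fallback on the system policy in that case. Patch 4/4 restores the same `homedir.Get()` call and has the same gap.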
From ca9874ab7d6b72074861d049b986ebe70821ed51 Mon Sep 17 00:00:00 2001
From: Ismael Arias
Date: Mon, 17 Jul 2023 14:12:01 +0200
Subject: [PATCH 2/4] Use pkg/homedir to get the home config directory

Also, log a warning if there is an error when reading the local policy.json file, if the error is other than ENOEXIST
[NO NEW TESTS NEEDED]
Signed-off-by: Ismael Arias
---
 pkg/trust/policy.go | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)
diff --git a/pkg/trust/policy.go b/pkg/trust/policy.go
index 6befb01676..21222c3570 100644
--- a/pkg/trust/policy.go
+++ b/pkg/trust/policy.go
@@ -18,9 +18,6 @@ import (
 "github.com/sirupsen/logrus"
 )
-// userPolicyFile is the path to the per user policy path.
-var userPolicyFile = filepath.FromSlash(".config/containers/policy.json")
-
 // policyContent is the overall structure of a policy.json file (= c/image/v5/signature.Policy)
 type policyContent struct {
 Default []repoContent `json:"default"`
@@ -61,10 +58,17 @@ func DefaultPolicyPath(sys *types.SystemContext) string {
 if sys != nil && sys.SignaturePolicyPath != "" {
 return sys.SignaturePolicyPath
 }
- userPolicyFilePath := filepath.Join(homedir.Get(), userPolicyFile)
- if _, err := os.Stat(userPolicyFilePath); err == nil {
+
+ confDir, _ := homedir.GetConfigHome()
+ userPolicyFilePath := filepath.Join(confDir, filepath.FromSlash("containers/policy.json"))
+ _, err := os.Stat(userPolicyFilePath)
+ if err == nil {
 return userPolicyFilePath
 }
+ if !os.IsNotExist(err) {
+ logrus.Warnf("Error trying to read local config file: %s", err.Error())
+ }
+
 systemDefaultPolicyPath := config.DefaultSignaturePolicyPath
 if sys != nil && sys.RootForImplicitAbsolutePaths != "" {
 return filepath.Join(sys.RootForImplicitAbsolutePaths, systemDefaultPolicyPath)
From 47997857ff73f47bd3f00a1d56ac9423d09658a5 Mon Sep 17 00:00:00 2001
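Review bot: The warning added after the failed `os.Stat` does not say which file was skipped, and the function then falls through to the system-wide policy path. Since the returned path selects the signature policy, an inaccessible per-user file (a permission error on the directory, say) may leave a different policy in force than the one the user configured, and the log line is the only trace of that. Naming the file makes the fallback auditable: `logrus.Warnf("Ignoring per-user policy file %q: %v", userPolicyFilePath, err)`. "Read" in the current message is also slightly off, since only `os.Stat` is called at this point. DefaultPolicyPath ends outside this hunk.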
From: Ismael Arias
Date: Mon, 17 Jul 2023 17:49:05 +0200
Subject: [PATCH 3/4] Replace error check for non-existent file

Previously `os.IsNotExist(err)`, now `errors.Is(err, fs.ErrNotExist)`
[NO NEW TESTS NEEDED]
Signed-off-by: Ismael Arias
---
 pkg/trust/policy.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/pkg/trust/policy.go b/pkg/trust/policy.go
index 21222c3570..8ede8f6a72 100644
--- a/pkg/trust/policy.go
+++ b/pkg/trust/policy.go
@@ -7,6 +7,7 @@ import (
 "encoding/json"
 "errors"
 "fmt"
+ "io/fs"
 "os"
 "os/exec"
 "path/filepath"
@@ -65,7 +66,7 @@ func DefaultPolicyPath(sys *types.SystemContext) string {
 if err == nil {
 return userPolicyFilePath
 }
- if !os.IsNotExist(err) {
+ if !errors.Is(err, fs.ErrNotExist) {
 logrus.Warnf("Error trying to read local config file: %s", err.Error())
 }
From 5c0912b07b62247d5c09dc455445605b09f6b330 Mon Sep 17 00:00:00 2001
From: Ismael Arias
Date: Mon, 17 Jul 2023 18:29:06 +0200
Subject: [PATCH 4/4] Revert the usage of `home.GetConfigHome()`

Although this might be the correct thing to do, the idea is to keep the same behaviour across all three locations, and change all three at once. See https://github.com/containers/podman/pull/19231#discussion_r1265602832
[NO NEW TESTS NEEDED]
Signed-off-by: Ismael Arias
---
 pkg/trust/policy.go | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/pkg/trust/policy.go b/pkg/trust/policy.go
index 8ede8f6a72..b5d8e7a41c 100644
--- a/pkg/trust/policy.go
+++ b/pkg/trust/policy.go
@@ -60,8 +60,7 @@ func DefaultPolicyPath(sys *types.SystemContext) string {
 return sys.SignaturePolicyPath
 }
- confDir, _ := homedir.GetConfigHome()
- userPolicyFilePath := filepath.Join(confDir, filepath.FromSlash("containers/policy.json"))
+ userPolicyFilePath := filepath.Join(homedir.Get(), filepath.FromSlash(".config/containers/policy.json"))
 _, err := os.Stat(userPolicyFilePath)
 if err == nil {
 return userPolicyFilePath
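Review bot: With this last patch DefaultPolicyPath settles on preferring the per-user file, yet its doc comment (visible as context in patch 1/4 and untouched by all four patches) still says it "returns a path to the default policy of the system". Because the lookup order decides which signature policy is in effect, the comment should spell it out, for example `// DefaultPolicyPath returns sys.SignaturePolicyPath if set, else the per-user policy.json under the home directory if it exists, else the system default (under sys.RootForImplicitAbsolutePaths when set).` A short comment beside the hard-coded `.config/containers/policy.json` pointing at the other locations the commit message mentions would help keep them in step when they are changed together. The function's opening doc comment and its closing lines are outside this hunk.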