From bef4ccc782709fbf73aeffb3591ab6c4329a3c71 Mon Sep 17 00:00:00 2001
From: Wang Yan
Date: Mon, 31 Jul 2023 15:11:21 +0800
Subject: [PATCH] fixes 19043 (#19054)

fixes #19043
Skip the policy checking when to pull the notation signature
Signed-off-by: wang yan
---
 src/server/middleware/util/util.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/server/middleware/util/util.go b/src/server/middleware/util/util.go
index 9e04e7b4b..3da057526 100644
--- a/src/server/middleware/util/util.go
+++ b/src/server/middleware/util/util.go
@@ -64,7 +64,7 @@ func SkipPolicyChecking(r *http.Request, projectID, artID int64) (bool, error) {
 // 1, scanner pull access can bypass.
 // 2, cosign/notation pull can bypass, it needs to pull the manifest before pushing the signature.
- // 3, pull cosign signature can bypass.
+ // 3, pull cosign/notation signature can bypass.
 if ok && secCtx.Name() == "v2token" {
 if secCtx.Can(r.Context(), rbac.ActionScannerPull, project.NewNamespace(projectID).Resource(rbac.ResourceRepository)) ||
 (secCtx.Can(r.Context(), rbac.ActionPush, project.NewNamespace(projectID).Resource(rbac.ResourceRepository)) &&
@@ -79,7 +79,7 @@ func SkipPolicyChecking(r *http.Request, projectID, artID int64) (bool, error) {
 if err != nil {
 return false, err
 }
- if len(accs) > 0 && accs[0].GetData().Type == model.TypeCosignSignature {
+ if len(accs) > 0 && (accs[0].GetData().Type == model.TypeCosignSignature || accs[0].GetData().Type == model.TypeNotationSignature) {
 return true, nil
 }
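Review bot: No test accompanies the broadened bypass in the `len(accs) > 0 && (...)` condition of the second hunk: the diffstat lists util.go as the only file changed, so nothing pins which accessory types may make SkipPolicyChecking return `true`. Since this branch exempts a pull from policy checks, a table-driven test should assert that `model.TypeCosignSignature` and `model.TypeNotationSignature` skip and that every other accessory type does not. The decision also rests on `accs[0]` alone; the query that fills `accs` is outside the hunk, so whether the list can hold more than one entry, and in what order, should be confirmed there. A short comment above the condition, such as `// allow-list: only cosign and notation signature accessories skip pull policy`, would keep the exemption auditable.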