libimage: harden lookup by digest

[vrothberg]

When looking up an image by digest, make sure that the entire repository
of the specified value is considered. Previously, both the repository
and the tag have been ignored and we looked for some image with a
matching digest.

As outlined in #1248, Docker stopped ignoring the repository with
version v20.10.20 (Oct '22) which is a compelling reason to do the same.

To be clear, previously something@digest would look for any image with
digest while something is entirely ignored. With this change, both
something and digest must match the image.

This change breaks two e2e tests in Podman CI which relied on the
previous behavior. There is a risk of breaking users but there is a
strong security argument to perform this change: if the repository does
not match the (previously) returned image, there is a fair chance of a
user error.

Fixes: #1248
Signed-off-by: Valentin Rothberg [email protected]

[vrothberg]

OK, this is clearly breaking the fedora@sha256:add2f2878b383c6527a4f692c18f4aca039e7f24f5b24df1a6808f2a95280bbd matching which we need to preserve.

[vrothberg]

• buildah: DO NOT MERGE: testing containers/common/pull/1505 buildah#4867
• podman: DO NOT MERGE: testing containers/common/pull/1505 podman#18888

[vrothberg]

@mtrmac, this is still WIP but I expect it to pass Buildah/Podman CI.

With the current changes, we'd match Docker's behavior (see #1248).

[vrothberg]

Two test cases in Podman broke since they relied on the rather loose digest matching, see https://github.com/containers/podman/pull/18888/files#diff-748a695f7f517f8721b6b3b248f5bb31a5257caaba1f8275dcd43dbb51bb7ea5.

[vrothberg]

@mtrmac @nalind @giuseppe @rhatdan @Luap99 PTAL

@containers/podman-maintainers PTAL as well since this change imposes a risk of breaking

[vrothberg]

• buildah: DO NOT MERGE: testing containers/common/pull/1505 buildah#4867

  • podman: DO NOT MERGE: testing containers/common/pull/1505 podman#18888

Both PRs are green

[mtrmac]

@vrothberg FWIW your comments suggest that there might be some changes that weren’t pushed to this PR so far.

Can you point out which? Apologies in case I missed something.

The last push I see is commit 403bda7 from Jun 27 10am, before my review around Jun 27 10pm.

And review comments like #1505 (comment) (“an entirely new set of tests for LookupImage”) suggest that you have made further changes since.

[vrothberg]

@mtrmac it's all up now.

PRs pass without further changes:

• podman pr: DO NOT MERGE: testing containers/common/pull/1505 podman#18888
• buildah pr: DO NOT MERGE: testing containers/common/pull/1505 buildah#4867

[vrothberg]

@mtrmac OK with merging?

[vrothberg]

Leaving breadcrumbs here as well: once this PR gets in, we need to backport it to the v0.55 branch, then cut a new .1 release and vendor that into the v4.6 branch in Podman and backport containers/podman#19092.

[vrothberg]

@Luap99 @giuseppe, let's get this in.

[giuseppe]

LGTM

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: giuseppe, vrothberg

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [giuseppe,vrothberg]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[Luap99]

Shouldn't we wait for a final ack from @mtrmac?

[vrothberg]

I am confident the changes are OK as is - for now. We can wait one more day or so but this PR is blocking backports at the moment.

[vrothberg]

Friendly ping, @mtrmac. Apologies for being pushy; I know there's much on your table at the moment.

[mtrmac]

/lgtm

[mtrmac]

/lgtm

[mtrmac]

(I have filed #1559 implementing some of the cleanups, so that the time I spent thinking about that pays off.)

[rhatdan]

/hold cancel