image lookup: apply checks for matching digest

When looking up an image by digest, make sure that the matching image is also subject to further attribute checks (e.g., manifest list checks) as specified by the user. Fixes: containers/podman/issues/12729 Signed-off-by: Valentin Rothberg <[email protected]>
vrothberg · Jan 10, 2022 · 93f48f5 · 93f48f5
1 parent 9781478
commit 93f48f5
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 4 deletions.
diff --git a/libimage/image_test.go b/libimage/image_test.go
@@ -14,8 +14,9 @@ import (
 func TestImageFunctions(t *testing.T) {
 	// Note: this will resolve pull from the GCR registry (see
 	// testdata/registries.conf).
-	busyboxLatest := "docker.io/library/busybox:latest"
-	busyboxDigest := "docker.io/library/busybox@"
+	busybox := "docker.io/library/busybox"
+	busyboxLatest := busybox + ":latest"
+	busyboxDigest := busybox + "@"
 
 	runtime, cleanup := testNewRuntime(t)
 	defer cleanup()
@@ -62,6 +63,14 @@ func TestImageFunctions(t *testing.T) {
 	require.Len(t, digests, 2)
 	require.Equal(t, origDigest.String(), digests[0].String(), "first recoreded digest should be the one of the image")
 
+	// containers/podman/issues/12729: make sure manifest lookup returns
+	// the correct error for both digests.
+	for _, digest := range digests {
+		_, err := runtime.LookupManifestList(busybox + "@" + digest.String())
+		require.Error(t, err, "Manifest lookup should fail on an ordinary image")
+		require.Equal(t, ErrNotAManifestList, errors.Cause(err))
+	}
+
 	// Below mostly smoke tests.
 	require.False(t, image.IsReadOnly())
 	isDangling, err := image.IsDangling(ctx)

diff --git a/libimage/runtime.go b/libimage/runtime.go
@@ -406,9 +406,15 @@ func (r *Runtime) lookupImageInDigestsAndRepoTags(name string, options *LookupIm
 		digest := digested.Digest()
 		for _, image := range allImages {
 			for _, d := range image.Digests() {
-				if d == digest {
-					return image, name, nil
+				if d != digest {
+					continue
+				}
+				// Also make sure that the matching image fits all criteria (e.g., manifest list).
+				if _, err := r.lookupImageInLocalStorage(name, image.ID(), options); err != nil {
+					return nil, "", err
 				}
+				return image, name, nil
+
 			}
 		}
 		return nil, "", errors.Wrap(storage.ErrImageUnknown, name)