diff --git a/pkg/image/image.go b/pkg/image/image.go index a58de1b20..cc272d0bf 100644 --- a/pkg/image/image.go +++ b/pkg/image/image.go @@ -322,6 +322,8 @@ func (s *FileStore) imageInfo(fi os.FileInfo) (*Image, error) { } func (s *FileStore) listImagesUnlocked(filter string) ([]*Image, error) { + filter, digestSpec := SplitImageName(filter) + if linkDirExists, err := s.linkDirExists(); err != nil { return nil, err } else if !linkDirExists { @@ -339,13 +341,16 @@ func (s *FileStore) listImagesUnlocked(filter string) ([]*Image, error) { continue } image, err := s.imageInfo(fi) - if err != nil { + switch { + case err != nil: glog.Warningf("listing images: skipping image link %q: %v", fi.Name(), err) continue + case filter != "" && image.Name != filter: + continue + case digestSpec != "" && digest.Digest(image.Digest) != digestSpec: + continue } - if filter == "" || image.Name == filter { - r = append(r, image) - } + r = append(r, image) } return r, nil @@ -363,7 +368,15 @@ func (s *FileStore) imageStatusUnlocked(name string) (*Image, error) { // get info about the link itself, not its target switch fi, err := os.Lstat(linkFileName); { case err == nil: - return s.imageInfo(fi) + info, err := s.imageInfo(fi) + if err != nil { + return nil, err + } + _, digestSpec := SplitImageName(name) + if digestSpec != "" && digest.Digest(info.Digest) != digestSpec { + return nil, fmt.Errorf("image digest mismatch: %s instead of %s", info.Digest, digestSpec) + } + return info, nil case os.IsNotExist(err): return nil, nil default: diff --git a/pkg/image/image_test.go b/pkg/image/image_test.go index 1892d8556..4045a96a5 100644 --- a/pkg/image/image_test.go +++ b/pkg/image/image_test.go @@ -295,6 +295,8 @@ func TestPullListStatus(t *testing.T) { tst.pullImage(tst.images[2].Name, tst.refs[2]) tst.verifyListImages("", tst.images[1], tst.images[0], tst.images[2]) // alphabetically sorted by name tst.verifySubpathContents("links/foobar", "###baz") + + tst.verifyListImages(tst.refs[1], tst.images[1]) } func TestReplaceImage(t *testing.T) { @@ -486,9 +488,10 @@ func TestVerifyImageChecksum(t *testing.T) { tst.pullImage(tst.refs[0], tst.refs[0]) tst.verifyListImages("foobar") + refWithBadDigest := tst.images[0].Name + "@sha256:0000000000000000000000000000000000000000000000000000000000000000" _, err := tst.store.PullImage( context.Background(), - tst.images[0].Name+"@sha256:0000000000000000000000000000000000000000000000000000000000000000", + refWithBadDigest, tst.translateImageName) switch { case err == nil: @@ -496,4 +499,14 @@ func TestVerifyImageChecksum(t *testing.T) { case !strings.Contains(err.Error(), "image digest mismatch"): t.Errorf("PullImage() is expected to return invalid checksum error but returned %q", err) } + + switch _, err := tst.store.ImageStatus(refWithBadDigest); { + case err == nil: + tst.t.Errorf("ImageStatus() din't return any error for an image with mismatching digest") + case !strings.Contains(err.Error(), "image digest mismatch"): + t.Errorf("ImageStatus() is expected to return invalid checksum error but returned %q", err) + } + + // the bad digest should not match any images while listing + tst.verifyListImages(refWithBadDigest) }