Fix unexpected results when filtering images

The filtered image contains all Names of image. This causes the podman to list images that are not expected.

For example:
If an image `box:latest` is taged as `example:latest` and then images are filtered with `reference=example`, `box:latest` and `example:latest` will be output because the image has multiple names.

Fixes: containers/podman#25725
Fixes: https://issues.redhat.com/browse/RUN-2726

Signed-off-by: Jan Rodák <[email protected]>

Author: Honny1

libimage/filters.go

@@ -7,6 +7,7 @@ import (
 	"errors"
 	"fmt"
 	"path"
+	"slices"
 	"strconv"
 	"strings"
 	"time"
@@ -21,13 +22,23 @@ import (
 // indicates that the image matches the criteria.
 type filterFunc func(*Image, *layerTree) (bool, error)
 
-type compiledFilters map[string][]filterFunc
+// referenceFilterFunc is a prototype for a filter that returns a list of
+// references. The first return value indicates whether the image matches the
+// criteria. The second return value is a list of names that match the
+// criteria. The third return value is an error.
+type referenceFilterFunc func(*Image) (bool, []string, error)
+
+type compiledFilters struct {
+	Filters         map[string][]filterFunc
+	ReferenceFilter referenceFilterFunc
+}
 
 // Apply the specified filters.  All filters of each key must apply.
 // tree must be provided if compileImageFilters indicated it is necessary.
-func (i *Image) applyFilters(ctx context.Context, filters compiledFilters, tree *layerTree) (bool, error) {
-	for key := range filters {
-		for _, filter := range filters[key] {
+// WARNING: Application of referenceFilter sets the image names to matched names, but this only affects the values in memory, they are not written to storage.
+func (i *Image) applyFilters(ctx context.Context, f *compiledFilters, tree *layerTree) (bool, error) {
+	for key := range f.Filters {
+		for _, filter := range f.Filters[key] {
 			matches, err := filter(i, tree)
 			if err != nil {
 				// Some images may have been corrupted in the
@@ -45,13 +56,30 @@ func (i *Image) applyFilters(ctx context.Context, filters compiledFilters, tree
 			}
 		}
 	}
+	if f.ReferenceFilter != nil {
+		referenceMatch, names, err := f.ReferenceFilter(i)
+		if err != nil {
+			return false, err
+		}
+		if !referenceMatch {
+			return false, nil
+		}
+		if len(names) > 0 {
+			i.setEphemeralNames(names)
+		}
+	}
 	return true, nil
 }
 
 // filterImages returns a slice of images which are passing all specified
 // filters.
 // tree must be provided if compileImageFilters indicated it is necessary.
-func (r *Runtime) filterImages(ctx context.Context, images []*Image, filters compiledFilters, tree *layerTree) ([]*Image, error) {
+// WARNING: Application of referenceFilter sets the image names to matched names, but this only affects the values in memory, they are not written to storage.
+func (r *Runtime) filterImages(ctx context.Context, images []*Image, filters *compiledFilters, tree *layerTree) ([]*Image, error) {
+	if filters == nil {
+		logrus.Debug("No filters specified, returning all images")
+		return images, nil
+	}
 	result := []*Image{}
 	for i := range images {
 		match, err := images[i].applyFilters(ctx, filters, tree)
@@ -71,7 +99,7 @@ func (r *Runtime) filterImages(ctx context.Context, images []*Image, filters com
 //	after, since, before, containers, dangling, id, label, readonly, reference, intermediate
 //
 // compileImageFilters returns: compiled filters, if LayerTree is needed, error
-func (r *Runtime) compileImageFilters(ctx context.Context, options *ListImagesOptions) (compiledFilters, bool, error) {
+func (r *Runtime) compileImageFilters(ctx context.Context, options *ListImagesOptions) (*compiledFilters, bool, error) {
 	logrus.Tracef("Parsing image filters %s", options.Filters)
 	if len(options.Filters) == 0 {
 		return nil, false, nil
@@ -80,7 +108,7 @@ func (r *Runtime) compileImageFilters(ctx context.Context, options *ListImagesOp
 	filterInvalidValue := `invalid image filter %q: must be in the format "filter=value or filter!=value"`
 
 	var wantedReferenceMatches, unwantedReferenceMatches []string
-	filters := compiledFilters{}
+	filters := map[string][]filterFunc{}
 	needsLayerTree := false
 	duplicate := map[string]string{}
 	for _, f := range options.Filters {
@@ -187,12 +215,13 @@ func (r *Runtime) compileImageFilters(ctx context.Context, options *ListImagesOp
 		filters[key] = append(filters[key], filter)
 	}
 
-	// reference filters is a special case as it does an OR for positive matches
-	// and an AND logic for negative matches
-	filter := filterReferences(r, wantedReferenceMatches, unwantedReferenceMatches)
-	filters["reference"] = append(filters["reference"], filter)
-
-	return filters, needsLayerTree, nil
+	cf := compiledFilters{
+		Filters: filters,
+		// reference filters is a special case as it does an OR for positive matches
+		// and an AND logic for negative matches
+		ReferenceFilter: filterReferences(r, wantedReferenceMatches, unwantedReferenceMatches),
+	}
+	return &cf, needsLayerTree, nil
 }
 
 func negateFilter(f filterFunc) filterFunc {
@@ -265,62 +294,86 @@ func filterManifest(ctx context.Context, value bool) filterFunc {
 
 // filterReferences creates a reference filter for matching the specified wantedReferenceMatches value (OR logic)
 // and for matching the unwantedReferenceMatches values (AND logic)
-func filterReferences(r *Runtime, wantedReferenceMatches, unwantedReferenceMatches []string) filterFunc {
-	return func(img *Image, _ *layerTree) (bool, error) {
+func filterReferences(r *Runtime, wantedReferenceMatches, unwantedReferenceMatches []string) referenceFilterFunc {
+	return func(img *Image) (bool, []string, error) {
+		namesThatMatch := img.Names()
 		// Empty reference filters, return true
 		if len(wantedReferenceMatches) == 0 && len(unwantedReferenceMatches) == 0 {
-			return true, nil
+			return true, nil, nil
 		}
 
 		unwantedMatched := false
 		// Go through the unwanted matches first
+		// TODO 6.0 podman: remove unwanted matches from the output names. https://github.com/containers/common/pull/2413#discussion_r2031749013
 		for _, value := range unwantedReferenceMatches {
-			matches, err := imageMatchesReferenceFilter(r, img, value)
+			names, err := getMatchedImageNames(r, img, value)
 			if err != nil {
-				return false, err
+				return false, nil, err
 			}
-			if matches {
+			if len(names) > 0 {
 				unwantedMatched = true
 			}
 		}
 
 		// If there are no wanted match filters, then return false for the image
 		// that matched the unwanted value otherwise return true
 		if len(wantedReferenceMatches) == 0 {
-			return !unwantedMatched, nil
+			return !unwantedMatched, namesThatMatch, nil
 		}
 
+		if unwantedMatched {
+			return false, nil, nil
+		}
 		// Go through the wanted matches
 		// If an image matches the wanted filter but it also matches the unwanted
 		// filter, don't add it to the output
+		matchedNames := []string{}
 		for _, value := range wantedReferenceMatches {
-			matches, err := imageMatchesReferenceFilter(r, img, value)
+			names, err := getMatchedImageNames(r, img, value)
 			if err != nil {
-				return false, err
-			}
-			if matches && !unwantedMatched {
-				return true, nil
+				return false, nil, err
 			}
+			matchedNames = append(matchedNames, names...)
+		}
+		if len(matchedNames) > 0 {
+			// Removes non-compliant names from image names
+			namesThatMatch = slices.DeleteFunc(namesThatMatch, func(name string) bool {
+				return !slices.ContainsFunc(matchedNames, func(matchedName string) bool {
+					return name == matchedName
+				})
+			})
+			return true, namesThatMatch, nil
 		}
 
-		return false, nil
+		return false, nil, nil
 	}
 }
 
-// imageMatchesReferenceFilter returns true if an image matches the filter value given
-func imageMatchesReferenceFilter(r *Runtime, img *Image, value string) (bool, error) {
-	lookedUp, _, _ := r.LookupImage(value, nil)
+// getMatchedImageNames returns a list of matching image names that match the specified filter value, or an empty list if the image does not match the filter.
+func getMatchedImageNames(r *Runtime, img *Image, value string) ([]string, error) {
+	lookedUp, resolvedName, _ := r.LookupImage(value, nil)
 	if lookedUp != nil {
 		if lookedUp.ID() == img.ID() {
-			return true, nil
+			prefix, _, found := strings.Cut(resolvedName, "@")
+			if found {
+				out := []string{}
+				for _, name := range lookedUp.Names() {
+					if strings.HasPrefix(name, prefix) {
+						out = append(out, name)
+					}
+				}
+				return out, nil
+			}
+			return []string{resolvedName}, nil
 		}
 	}
 
 	refs, err := img.NamesReferences()
 	if err != nil {
-		return false, err
+		return nil, err
 	}
 
+	resolvedNames := []string{}
 	for _, ref := range refs {
 		refString := ref.String() // FQN with tag/digest
 		candidates := []string{refString}
@@ -348,12 +401,12 @@ func imageMatchesReferenceFilter(r *Runtime, img *Image, value string) (bool, er
 			// path.Match() is also used by Docker's reference.FamiliarMatch().
 			matched, _ := path.Match(value, candidate)
 			if matched {
-				return true, nil
+				resolvedNames = append(resolvedNames, refString)
+				break
 			}
 		}
 	}
-
-	return false, nil
+	return resolvedNames, nil
 }
 
 // filterLabel creates a label for matching the specified value.

libimage/filters_test.go

@@ -44,47 +44,48 @@ func TestFilterReference(t *testing.T) {
 	for _, test := range []struct {
 		filters []string
 		matches int
+		names   []string
 	}{
-		{[]string{"image"}, 2},
-		{[]string{"*mage*"}, 2},
-		{[]string{"image:*"}, 2},
-		{[]string{"image:tag"}, 1},
-		{[]string{"image:another-tag"}, 1},
-		{[]string{"localhost/image"}, 1},
-		{[]string{"localhost/image:tag"}, 1},
-		{[]string{"library/image"}, 1},
-		{[]string{"docker.io/library/image*"}, 1},
-		{[]string{"docker.io/library/image:*"}, 1},
-		{[]string{"docker.io/library/image:another-tag"}, 1},
-		{[]string{"localhost/*"}, 2},
-		{[]string{"localhost/image:*tag"}, 1},
-		{[]string{"localhost/*mage:*ag"}, 2},
-		{[]string{"quay.io/libpod/busybox"}, 1},
-		{[]string{"quay.io/libpod/alpine"}, 1},
-		{[]string{"quay.io/libpod"}, 0},
-		{[]string{"quay.io/libpod/*"}, 2},
-		{[]string{"busybox"}, 1},
-		{[]string{"alpine"}, 1},
-		{[]string{"alpine@" + alpine.Digest().String()}, 1},
-		{[]string{"alpine:latest@" + alpine.Digest().String()}, 1},
-		{[]string{"quay.io/libpod/alpine@" + alpine.Digest().String()}, 1},
-		{[]string{"quay.io/libpod/alpine:latest@" + alpine.Digest().String()}, 1},
+		{[]string{"image"}, 2, []string{"localhost/image:tag", "docker.io/library/image:another-tag"}},
+		{[]string{"*mage*"}, 2, []string{"localhost/image:tag", "localhost/another-image:tag", "docker.io/library/image:another-tag"}},
+		{[]string{"image:*"}, 2, []string{"localhost/image:tag", "docker.io/library/image:another-tag"}},
+		{[]string{"image:tag"}, 1, []string{"localhost/image:tag"}},
+		{[]string{"image:another-tag"}, 1, []string{"docker.io/library/image:another-tag"}},
+		{[]string{"localhost/image"}, 1, []string{"localhost/image:tag"}},
+		{[]string{"localhost/image:tag"}, 1, []string{"localhost/image:tag"}},
+		{[]string{"library/image"}, 1, []string{"docker.io/library/image:another-tag"}},
+		{[]string{"docker.io/library/image*"}, 1, []string{"docker.io/library/image:another-tag"}},
+		{[]string{"docker.io/library/image:*"}, 1, []string{"docker.io/library/image:another-tag"}},
+		{[]string{"docker.io/library/image:another-tag"}, 1, []string{"docker.io/library/image:another-tag"}},
+		{[]string{"localhost/*"}, 2, []string{"localhost/image:tag", "localhost/another-image:tag"}},
+		{[]string{"localhost/image:*tag"}, 1, []string{"localhost/image:tag"}},
+		{[]string{"localhost/*mage:*ag"}, 2, []string{"localhost/image:tag", "localhost/another-image:tag"}},
+		{[]string{"quay.io/libpod/busybox"}, 1, []string{"quay.io/libpod/busybox:latest"}},
+		{[]string{"quay.io/libpod/alpine"}, 1, []string{"quay.io/libpod/alpine:latest"}},
+		{[]string{"quay.io/libpod"}, 0, []string{}},
+		{[]string{"quay.io/libpod/*"}, 2, []string{"quay.io/libpod/busybox:latest", "quay.io/libpod/alpine:latest"}},
+		{[]string{"busybox"}, 1, []string{"quay.io/libpod/busybox:latest"}},
+		{[]string{"alpine"}, 1, []string{"quay.io/libpod/alpine:latest"}},
+		{[]string{"alpine@" + alpine.Digest().String()}, 1, []string{"quay.io/libpod/alpine:latest"}},
+		{[]string{"alpine:latest@" + alpine.Digest().String()}, 1, []string{"quay.io/libpod/alpine:latest"}},
+		{[]string{"quay.io/libpod/alpine@" + alpine.Digest().String()}, 1, []string{"quay.io/libpod/alpine:latest"}},
+		{[]string{"quay.io/libpod/alpine:latest@" + alpine.Digest().String()}, 1, []string{"quay.io/libpod/alpine:latest"}},
 		// Make sure negate works as expected
-		{[]string{"!alpine"}, 1},
-		{[]string{"!alpine", "!busybox"}, 0},
-		{[]string{"!alpine", "busybox"}, 1},
-		{[]string{"alpine", "busybox"}, 2},
-		{[]string{"*test", "!*box"}, 1},
+		{[]string{"!alpine"}, 1, []string{"quay.io/libpod/busybox:latest", "localhost/image:tag"}},
+		{[]string{"!alpine", "!busybox"}, 0, []string{}},
+		{[]string{"!alpine", "busybox"}, 1, []string{"quay.io/libpod/busybox:latest"}},
+		{[]string{"alpine", "busybox"}, 2, []string{"quay.io/libpod/busybox:latest", "quay.io/libpod/alpine:latest"}},
+		{[]string{"*test", "!*box"}, 1, []string{"quay.io/libpod/alpine:latest"}},
 		// Make sure that tags are ignored
-		{[]string{"alpine:ignoreme@" + alpine.Digest().String()}, 1},
-		{[]string{"alpine:123@" + alpine.Digest().String()}, 1},
-		{[]string{"quay.io/libpod/alpine:hurz@" + alpine.Digest().String()}, 1},
-		{[]string{"quay.io/libpod/alpine:456@" + alpine.Digest().String()}, 1},
+		{[]string{"alpine:ignoreme@" + alpine.Digest().String()}, 1, []string{"quay.io/libpod/alpine:latest"}},
+		{[]string{"alpine:123@" + alpine.Digest().String()}, 1, []string{"quay.io/libpod/alpine:latest"}},
+		{[]string{"quay.io/libpod/alpine:hurz@" + alpine.Digest().String()}, 1, []string{"quay.io/libpod/alpine:latest"}},
+		{[]string{"quay.io/libpod/alpine:456@" + alpine.Digest().String()}, 1, []string{"quay.io/libpod/alpine:latest"}},
 		// Make sure that repo and digest must match
-		{[]string{"alpine:busyboxdigest@" + busybox.Digest().String()}, 0},
-		{[]string{"alpine:busyboxdigest@" + busybox.Digest().String()}, 0},
-		{[]string{"quay.io/libpod/alpine:busyboxdigest@" + busybox.Digest().String()}, 0},
-		{[]string{"quay.io/libpod/alpine:busyboxdigest@" + busybox.Digest().String()}, 0},
+		{[]string{"alpine:busyboxdigest@" + busybox.Digest().String()}, 0, []string{}},
+		{[]string{"alpine:busyboxdigest@" + busybox.Digest().String()}, 0, []string{}},
+		{[]string{"quay.io/libpod/alpine:busyboxdigest@" + busybox.Digest().String()}, 0, []string{}},
+		{[]string{"quay.io/libpod/alpine:busyboxdigest@" + busybox.Digest().String()}, 0, []string{}},
 	} {
 		var filters []string
 		for _, filter := range test.filters {
@@ -94,12 +95,20 @@ func TestFilterReference(t *testing.T) {
 				filters = append(filters, "reference="+filter)
 			}
 		}
+
 		listOptions := &ListImagesOptions{
 			Filters: filters,
 		}
 		listedImages, err := runtime.ListImages(ctx, listOptions)
+
 		require.NoError(t, err, "%v", test)
 		require.Len(t, listedImages, test.matches, "%s -> %v", test.filters, listedImages)
+
+		resultNames := []string{}
+		for _, image := range listedImages {
+			resultNames = append(resultNames, image.Names()...)
+		}
+		require.ElementsMatch(t, test.names, resultNames, "filters: %s ", test.filters)
 	}
 }
 

libimage/image.go

@@ -112,6 +112,13 @@ func (i *Image) Names() []string {
 	return i.storageImage.Names
 }
 
+// setEphemeralNames sets the names of the image.
+//
+// WARNING: this only affects the in-memory values, they are not written into the backing storage.
+func (i *Image) setEphemeralNames(names []string) {
+	i.storageImage.Names = names
+}
+
 // NamesReferences returns Names() as references.
 func (i *Image) NamesReferences() ([]reference.Reference, error) {
 	if i.cached.namesReferences != nil {

libimage/runtime.go

@@ -599,6 +599,12 @@ func (r *Runtime) ListImagesByNames(names []string) ([]*Image, error) {
 }
 
 // ListImages lists the images in the local container storage and filter the images by ListImagesOptions
+//
+// podman images consumes the output of ListImages and produces one line for each tag in each Image.Names value,
+// rather than one line for each Image with all Names, so it makes more sense for the user to see only the corresponding names
+// in the output, not all the names of the deduplicated image; therefore, we make the corresponding names available
+// to the caller by overwriting the actual image names with the corresponding names.
+// This overwriting is done only in memory and is not written to storage in any way.
 func (r *Runtime) ListImages(ctx context.Context, options *ListImagesOptions) ([]*Image, error) {
 	if options == nil {
 		options = &ListImagesOptions{}