Fix unexpected results when filtering images

The filtered image contains all Names of image. This causes the podman to list images that are not expected.

For example:
If an image `box:latest` is taged as `example:latest` and then images are filtered with `reference=example`, `box:latest` and `example:latest` will be output because the image has multiple names.

Fixes: containers/podman#25725
Fixes: https://issues.redhat.com/browse/RUN-2726

Signed-off-by: Jan Rodák <hony.com@seznam.cz>

Author: Honny1

libimage/filters.go

@@ -7,6 +7,7 @@ import (
 	"errors"
 	"fmt"
 	"path"
+	"slices"
 	"strconv"
 	"strings"
 	"time"
@@ -21,6 +22,12 @@ import (
 // indicates that the image matches the criteria.
 type filterFunc func(*Image, *layerTree) (bool, error)
 
+// referenceFilterFunc is a prototype for a filter that returns a list of
+// references. The first return value indicates whether the image matches the
+// criteria. The second return value is a list of names that match the
+// criteria. The third return value is an error
+type referenceFilterFunc func(*Image) (bool, []string, error)
+
 type compiledFilters map[string][]filterFunc
 
 // Apply the specified filters.  All filters of each key must apply.
@@ -51,13 +58,25 @@ func (i *Image) applyFilters(ctx context.Context, filters compiledFilters, tree
 // filterImages returns a slice of images which are passing all specified
 // filters.
 // tree must be provided if compileImageFilters indicated it is necessary.
-func (r *Runtime) filterImages(ctx context.Context, images []*Image, filters compiledFilters, tree *layerTree) ([]*Image, error) {
+func (r *Runtime) filterImages(ctx context.Context, images []*Image, filters compiledFilters, referenceFilter referenceFilterFunc, tree *layerTree) ([]*Image, error) {
 	result := []*Image{}
 	for i := range images {
 		match, err := images[i].applyFilters(ctx, filters, tree)
 		if err != nil {
 			return nil, err
 		}
+		if referenceFilter != nil {
+			referenceMatch, names, err := referenceFilter(images[i])
+			if err != nil {
+				return nil, err
+			}
+			if !referenceMatch || len(names) == 0 {
+				continue
+			}
+			// If the image matches the reference filter, add the names to the image.
+			images[i].setNames(names)
+		}
+
 		if match {
 			result = append(result, images[i])
 		}
@@ -71,10 +90,10 @@ func (r *Runtime) filterImages(ctx context.Context, images []*Image, filters com
 //	after, since, before, containers, dangling, id, label, readonly, reference, intermediate
 //
 // compileImageFilters returns: compiled filters, if LayerTree is needed, error
-func (r *Runtime) compileImageFilters(ctx context.Context, options *ListImagesOptions) (compiledFilters, bool, error) {
+func (r *Runtime) compileImageFilters(ctx context.Context, options *ListImagesOptions) (compiledFilters, referenceFilterFunc, bool, error) {
 	logrus.Tracef("Parsing image filters %s", options.Filters)
 	if len(options.Filters) == 0 {
-		return nil, false, nil
+		return nil, nil, false, nil
 	}
 
 	filterInvalidValue := `invalid image filter %q: must be in the format "filter=value or filter!=value"`
@@ -93,7 +112,7 @@ func (r *Runtime) compileImageFilters(ctx context.Context, options *ListImagesOp
 		} else {
 			split = strings.SplitN(f, "=", 2)
 			if len(split) != 2 {
-				return nil, false, fmt.Errorf(filterInvalidValue, f)
+				return nil, nil, false, fmt.Errorf(filterInvalidValue, f)
 			}
 		}
 
@@ -103,28 +122,28 @@ func (r *Runtime) compileImageFilters(ctx context.Context, options *ListImagesOp
 		case "after", "since":
 			img, err := r.time(key, value)
 			if err != nil {
-				return nil, false, err
+				return nil, nil, false, err
 			}
 			key = "since"
 			filter = filterAfter(img.Created())
 
 		case "before":
 			img, err := r.time(key, value)
 			if err != nil {
-				return nil, false, err
+				return nil, nil, false, err
 			}
 			filter = filterBefore(img.Created())
 
 		case "containers":
 			if err := r.containers(duplicate, key, value, options.IsExternalContainerFunc); err != nil {
-				return nil, false, err
+				return nil, nil, false, err
 			}
 			filter = filterContainers(value, options.IsExternalContainerFunc)
 
 		case "dangling":
 			dangling, err := r.bool(duplicate, key, value)
 			if err != nil {
-				return nil, false, err
+				return nil, nil, false, err
 			}
 			needsLayerTree = true
 			filter = filterDangling(ctx, dangling)
@@ -135,14 +154,14 @@ func (r *Runtime) compileImageFilters(ctx context.Context, options *ListImagesOp
 		case "digest":
 			f, err := filterDigest(value)
 			if err != nil {
-				return nil, false, err
+				return nil, nil, false, err
 			}
 			filter = f
 
 		case "intermediate":
 			intermediate, err := r.bool(duplicate, key, value)
 			if err != nil {
-				return nil, false, err
+				return nil, nil, false, err
 			}
 			needsLayerTree = true
 			filter = filterIntermediate(ctx, intermediate)
@@ -152,14 +171,14 @@ func (r *Runtime) compileImageFilters(ctx context.Context, options *ListImagesOp
 		case "readonly":
 			readOnly, err := r.bool(duplicate, key, value)
 			if err != nil {
-				return nil, false, err
+				return nil, nil, false, err
 			}
 			filter = filterReadOnly(readOnly)
 
 		case "manifest":
 			manifest, err := r.bool(duplicate, key, value)
 			if err != nil {
-				return nil, false, err
+				return nil, nil, false, err
 			}
 			filter = filterManifest(ctx, manifest)
 
@@ -174,12 +193,12 @@ func (r *Runtime) compileImageFilters(ctx context.Context, options *ListImagesOp
 		case "until":
 			until, err := r.until(value)
 			if err != nil {
-				return nil, false, err
+				return nil, nil, false, err
 			}
 			filter = filterBefore(until)
 
 		default:
-			return nil, false, fmt.Errorf(filterInvalidValue, key)
+			return nil, nil, false, fmt.Errorf(filterInvalidValue, key)
 		}
 		if negate {
 			filter = negateFilter(filter)
@@ -189,10 +208,7 @@ func (r *Runtime) compileImageFilters(ctx context.Context, options *ListImagesOp
 
 	// reference filters is a special case as it does an OR for positive matches
 	// and an AND logic for negative matches
-	filter := filterReferences(r, wantedReferenceMatches, unwantedReferenceMatches)
-	filters["reference"] = append(filters["reference"], filter)
-
-	return filters, needsLayerTree, nil
+	return filters, filterReferences(r, wantedReferenceMatches, unwantedReferenceMatches), needsLayerTree, nil
 }
 
 func negateFilter(f filterFunc) filterFunc {
@@ -265,62 +281,72 @@ func filterManifest(ctx context.Context, value bool) filterFunc {
 
 // filterReferences creates a reference filter for matching the specified wantedReferenceMatches value (OR logic)
 // and for matching the unwantedReferenceMatches values (AND logic)
-func filterReferences(r *Runtime, wantedReferenceMatches, unwantedReferenceMatches []string) filterFunc {
-	return func(img *Image, _ *layerTree) (bool, error) {
+func filterReferences(r *Runtime, wantedReferenceMatches, unwantedReferenceMatches []string) referenceFilterFunc {
+	return func(img *Image) (bool, []string, error) {
+		namesThatMatch := img.Names()
 		// Empty reference filters, return true
 		if len(wantedReferenceMatches) == 0 && len(unwantedReferenceMatches) == 0 {
-			return true, nil
+			return true, namesThatMatch, nil
 		}
 
 		unwantedMatched := false
+		// TODO 6.0 podman: remove unwanted matches from the output names. https://github.com/containers/common/pull/2413#discussion_r2031749013
 		// Go through the unwanted matches first
 		for _, value := range unwantedReferenceMatches {
-			matches, err := imageMatchesReferenceFilter(r, img, value)
+			matchedNames, err := imageMatchesReferenceFilter(r, img, value)
 			if err != nil {
-				return false, err
+				return false, namesThatMatch, err
 			}
-			if matches {
+			if len(matchedNames) > 0 {
 				unwantedMatched = true
 			}
 		}
 
 		// If there are no wanted match filters, then return false for the image
 		// that matched the unwanted value otherwise return true
 		if len(wantedReferenceMatches) == 0 {
-			return !unwantedMatched, nil
+			return !unwantedMatched, namesThatMatch, nil
 		}
 
 		// Go through the wanted matches
 		// If an image matches the wanted filter but it also matches the unwanted
 		// filter, don't add it to the output
 		for _, value := range wantedReferenceMatches {
-			matches, err := imageMatchesReferenceFilter(r, img, value)
+			matchedNames, err := imageMatchesReferenceFilter(r, img, value)
 			if err != nil {
-				return false, err
+				return false, nil, err
 			}
-			if matches && !unwantedMatched {
-				return true, nil
+			if len(matchedNames) > 0 && !unwantedMatched {
+				// Removes non-compliant names from image names
+				namesThatMatch = slices.DeleteFunc(namesThatMatch, func(name string) bool {
+					return !slices.ContainsFunc(matchedNames, func(matchedName string) bool {
+						return strings.Contains(name, matchedName)
+					})
+				})
+				return true, namesThatMatch, nil
 			}
 		}
 
-		return false, nil
+		return false, namesThatMatch, nil
 	}
 }
 
-// imageMatchesReferenceFilter returns true if an image matches the filter value given
-func imageMatchesReferenceFilter(r *Runtime, img *Image, value string) (bool, error) {
-	lookedUp, _, _ := r.LookupImage(value, nil)
+// imageMatchesReferenceFilter returns a list of matching image references that match the specified filter value
+func imageMatchesReferenceFilter(r *Runtime, img *Image, value string) ([]string, error) {
+	lookedUp, resolvedName, _ := r.LookupImage(value, nil)
 	if lookedUp != nil {
 		if lookedUp.ID() == img.ID() {
-			return true, nil
+			resolvedName, _, _ := strings.Cut(resolvedName, "@")
+			return []string{resolvedName}, nil
 		}
 	}
 
 	refs, err := img.NamesReferences()
 	if err != nil {
-		return false, err
+		return nil, err
 	}
 
+	resolvedNames := []string{}
 	for _, ref := range refs {
 		refString := ref.String() // FQN with tag/digest
 		candidates := []string{refString}
@@ -348,12 +374,12 @@ func imageMatchesReferenceFilter(r *Runtime, img *Image, value string) (bool, er
 			// path.Match() is also used by Docker's reference.FamiliarMatch().
 			matched, _ := path.Match(value, candidate)
 			if matched {
-				return true, nil
+				resolvedNames = append(resolvedNames, refString)
+				break
 			}
 		}
 	}
-
-	return false, nil
+	return resolvedNames, nil
 }
 
 // filterLabel creates a label for matching the specified value.

libimage/filters_test.go

@@ -44,47 +44,48 @@ func TestFilterReference(t *testing.T) {
 	for _, test := range []struct {
 		filters []string
 		matches int
+		names   []string
 	}{
-		{[]string{"image"}, 2},
-		{[]string{"*mage*"}, 2},
-		{[]string{"image:*"}, 2},
-		{[]string{"image:tag"}, 1},
-		{[]string{"image:another-tag"}, 1},
-		{[]string{"localhost/image"}, 1},
-		{[]string{"localhost/image:tag"}, 1},
-		{[]string{"library/image"}, 1},
-		{[]string{"docker.io/library/image*"}, 1},
-		{[]string{"docker.io/library/image:*"}, 1},
-		{[]string{"docker.io/library/image:another-tag"}, 1},
-		{[]string{"localhost/*"}, 2},
-		{[]string{"localhost/image:*tag"}, 1},
-		{[]string{"localhost/*mage:*ag"}, 2},
-		{[]string{"quay.io/libpod/busybox"}, 1},
-		{[]string{"quay.io/libpod/alpine"}, 1},
-		{[]string{"quay.io/libpod"}, 0},
-		{[]string{"quay.io/libpod/*"}, 2},
-		{[]string{"busybox"}, 1},
-		{[]string{"alpine"}, 1},
-		{[]string{"alpine@" + alpine.Digest().String()}, 1},
-		{[]string{"alpine:latest@" + alpine.Digest().String()}, 1},
-		{[]string{"quay.io/libpod/alpine@" + alpine.Digest().String()}, 1},
-		{[]string{"quay.io/libpod/alpine:latest@" + alpine.Digest().String()}, 1},
+		{[]string{"image"}, 2, []string{"localhost/image:tag", "docker.io/library/image:another-tag"}},
+		{[]string{"*mage*"}, 2, []string{"localhost/image:tag", "localhost/another-image:tag", "docker.io/library/image:another-tag"}},
+		{[]string{"image:*"}, 2, []string{"localhost/image:tag", "docker.io/library/image:another-tag"}},
+		{[]string{"image:tag"}, 1, []string{"localhost/image:tag"}},
+		{[]string{"image:another-tag"}, 1, []string{"docker.io/library/image:another-tag"}},
+		{[]string{"localhost/image"}, 1, []string{"localhost/image:tag"}},
+		{[]string{"localhost/image:tag"}, 1, []string{"localhost/image:tag"}},
+		{[]string{"library/image"}, 1, []string{"docker.io/library/image:another-tag"}},
+		{[]string{"docker.io/library/image*"}, 1, []string{"docker.io/library/image:another-tag"}},
+		{[]string{"docker.io/library/image:*"}, 1, []string{"docker.io/library/image:another-tag"}},
+		{[]string{"docker.io/library/image:another-tag"}, 1, []string{"docker.io/library/image:another-tag"}},
+		{[]string{"localhost/*"}, 2, []string{"localhost/image:tag", "localhost/another-image:tag"}},
+		{[]string{"localhost/image:*tag"}, 1, []string{"localhost/image:tag"}},
+		{[]string{"localhost/*mage:*ag"}, 2, []string{"localhost/image:tag", "localhost/another-image:tag"}},
+		{[]string{"quay.io/libpod/busybox"}, 1, []string{"quay.io/libpod/busybox:latest"}},
+		{[]string{"quay.io/libpod/alpine"}, 1, []string{"quay.io/libpod/alpine:latest"}},
+		{[]string{"quay.io/libpod"}, 0, []string{}},
+		{[]string{"quay.io/libpod/*"}, 2, []string{"quay.io/libpod/busybox:latest", "quay.io/libpod/alpine:latest"}},
+		{[]string{"busybox"}, 1, []string{"quay.io/libpod/busybox:latest"}},
+		{[]string{"alpine"}, 1, []string{"quay.io/libpod/alpine:latest"}},
+		{[]string{"alpine@" + alpine.Digest().String()}, 1, []string{"quay.io/libpod/alpine:latest"}},
+		{[]string{"alpine:latest@" + alpine.Digest().String()}, 1, []string{"quay.io/libpod/alpine:latest"}},
+		{[]string{"quay.io/libpod/alpine@" + alpine.Digest().String()}, 1, []string{"quay.io/libpod/alpine:latest"}},
+		{[]string{"quay.io/libpod/alpine:latest@" + alpine.Digest().String()}, 1, []string{"quay.io/libpod/alpine:latest"}},
 		// Make sure negate works as expected
-		{[]string{"!alpine"}, 1},
-		{[]string{"!alpine", "!busybox"}, 0},
-		{[]string{"!alpine", "busybox"}, 1},
-		{[]string{"alpine", "busybox"}, 2},
-		{[]string{"*test", "!*box"}, 1},
+		{[]string{"!alpine"}, 1, []string{"quay.io/libpod/busybox:latest", "localhost/image:tag"}},
+		{[]string{"!alpine", "!busybox"}, 0, []string{}},
+		{[]string{"!alpine", "busybox"}, 1, []string{"quay.io/libpod/busybox:latest"}},
+		{[]string{"alpine", "busybox"}, 2, []string{"quay.io/libpod/busybox:latest", "quay.io/libpod/alpine:latest"}},
+		{[]string{"*test", "!*box"}, 1, []string{"quay.io/libpod/alpine:latest"}},
 		// Make sure that tags are ignored
-		{[]string{"alpine:ignoreme@" + alpine.Digest().String()}, 1},
-		{[]string{"alpine:123@" + alpine.Digest().String()}, 1},
-		{[]string{"quay.io/libpod/alpine:hurz@" + alpine.Digest().String()}, 1},
-		{[]string{"quay.io/libpod/alpine:456@" + alpine.Digest().String()}, 1},
+		{[]string{"alpine:ignoreme@" + alpine.Digest().String()}, 1, []string{"quay.io/libpod/alpine:latest"}},
+		{[]string{"alpine:123@" + alpine.Digest().String()}, 1, []string{"quay.io/libpod/alpine:latest"}},
+		{[]string{"quay.io/libpod/alpine:hurz@" + alpine.Digest().String()}, 1, []string{"quay.io/libpod/alpine:latest"}},
+		{[]string{"quay.io/libpod/alpine:456@" + alpine.Digest().String()}, 1, []string{"quay.io/libpod/alpine:latest"}},
 		// Make sure that repo and digest must match
-		{[]string{"alpine:busyboxdigest@" + busybox.Digest().String()}, 0},
-		{[]string{"alpine:busyboxdigest@" + busybox.Digest().String()}, 0},
-		{[]string{"quay.io/libpod/alpine:busyboxdigest@" + busybox.Digest().String()}, 0},
-		{[]string{"quay.io/libpod/alpine:busyboxdigest@" + busybox.Digest().String()}, 0},
+		{[]string{"alpine:busyboxdigest@" + busybox.Digest().String()}, 0, []string{}},
+		{[]string{"alpine:busyboxdigest@" + busybox.Digest().String()}, 0, []string{}},
+		{[]string{"quay.io/libpod/alpine:busyboxdigest@" + busybox.Digest().String()}, 0, []string{}},
+		{[]string{"quay.io/libpod/alpine:busyboxdigest@" + busybox.Digest().String()}, 0, []string{}},
 	} {
 		var filters []string
 		for _, filter := range test.filters {
@@ -94,12 +95,20 @@ func TestFilterReference(t *testing.T) {
 				filters = append(filters, "reference="+filter)
 			}
 		}
+
 		listOptions := &ListImagesOptions{
 			Filters: filters,
 		}
 		listedImages, err := runtime.ListImages(ctx, listOptions)
+
 		require.NoError(t, err, "%v", test)
 		require.Len(t, listedImages, test.matches, "%s -> %v", test.filters, listedImages)
+
+		resultNames := []string{}
+		for _, image := range listedImages {
+			resultNames = append(resultNames, image.Names()...)
+		}
+		require.ElementsMatch(t, test.names, resultNames, "filters: %s ", test.filters)
 	}
 }
 

libimage/image.go

@@ -112,6 +112,11 @@ func (i *Image) Names() []string {
 	return i.storageImage.Names
 }
 
+// setNames sets the names of the image.
+func (i *Image) setNames(names []string) {
+	i.storageImage.Names = names
+}
+
 // NamesReferences returns Names() as references.
 func (i *Image) NamesReferences() ([]reference.Reference, error) {
 	if i.cached.namesReferences != nil {