feat: add check for digest mismatch (#8443)

* feat: add check for digest mismatch

Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* feat: add unit test

Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

---------

Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
Co-authored-by: Mariam Fahmy <mariam.fahmy@nirmata.com>

pkg/registryclient/client.go

@@ -186,6 +186,9 @@ func (c *client) FetchImageDescriptor(ctx context.Context, imageRef string) (*gc
 	if err != nil {
 		return nil, fmt.Errorf("failed to fetch image reference: %s, error: %v", imageRef, err)
 	}
+	if _, ok := parsedRef.(name.Digest); ok && parsedRef.Identifier() != desc.Digest.String() {
+		return nil, fmt.Errorf("digest mismatch, expected: %s, received: %s", parsedRef.Identifier(), desc.Digest.String())
+	}
 	return desc, nil
 }
 

pkg/registryclient/client_test.go

@@ -1,6 +1,7 @@
 package registryclient
 
 import (
+	"context"
 	"crypto/tls"
 	"net/http"
 	"testing"
@@ -29,3 +30,16 @@ func TestInitClientWithInsecureRegistryOption(t *testing.T) {
 	assert.Assert(t, expInsecureSkipVerify == gotInsecureSkipVerify)
 	assert.Assert(t, c.Keychain() != nil)
 }
+
+func TestFetchImageDescriptor(t *testing.T) {
+	c, err := New()
+	assert.NilError(t, err)
+
+	tagDesc, err := c.FetchImageDescriptor(context.Background(), "ghcr.io/kyverno/test-verify-image:signed-keyless")
+	assert.NilError(t, err)
+	assert.Equal(t, tagDesc.Digest.String(), "sha256:445a99db22e9add9bfb15ddb1980861a329e5dff5c88d7eec9cbf08b6b2f4eb1")
+
+	digestDesc, err := c.FetchImageDescriptor(context.Background(), "ghcr.io/kyverno/test-verify-image@sha256:b31bfb4d0213f254d361e0079deaaebefa4f82ba7aa76ef82e90b4935ad5b105")
+	assert.NilError(t, err)
+	assert.Equal(t, digestDesc.Digest.String(), "sha256:b31bfb4d0213f254d361e0079deaaebefa4f82ba7aa76ef82e90b4935ad5b105")
+}