fork distribution client v3 auth-challenge as an internal package (squashed) (#2248)

* fork distribution client v3 auth-challenge as an internal package

This forks the distribution's registry client auth-challenge code v3.0.0;
distribution/distribution@9ed95e7

The client code has moved to an internal package in the distribution project,
and is used to handle `WWW-Authenticate` headers. It was written a long time
ago, and only handles RFC 2617 (superseded by RFC 9110). Possibly there's more
current implementations for this, but this would introduce new dependencies, so
we can keep the status quo for now, and fork this code as an internal package.

Keeping it internal, due to the known limitations mentioned above, and to avoid
it being used by others assuming it's a general-purpose implementation.

This is the result of the following steps:

    # install filter-repo (https://github.com/newren/git-filter-repo/blob/main/INSTALL.md)
    brew install git-filter-repo

    # create a temporary clone of docker
    cd ~/Projects
    git clone https://github.com/distribution/distribution.git distribution_auth
    cd distribution_auth

    # switch to v3.0.0 (git-filter doesn't like multiple branches, so reset)
    git reset --hard v3.0.0

    # commit taken from
    git rev-parse --verify HEAD
    9ed95e7365224025ee89365e12cf128e1f1bf965

    git filter-repo --analyze

    # remove all code, except for 'internal/client/auth/challenge'
    # rename to 'pkg/v1/remote/internal/authchallenge'
    # include history of old location ('registry/client/auth/challenge')
    git filter-repo \
      --force \
      --path 'internal/client/auth/challenge' \
      --path 'registry/client/auth/challenge' \
      --path-rename internal/client/auth/challenge:pkg/v1/remote/internal/authchallenge

    # go to the target github.com/docker/docker repository
    cd ~/go/src/github.com/google/go-containerregistry

    # create a branch to work with
    git checkout -b fork_registryclient_authchallenge

    # add the temporary repository as an upstream and make sure it's up-to-date
    git remote add distribution_auth ~/Projects/distribution_auth
    git fetch distribution_auth

    # merge the upstream code
    git merge --allow-unrelated-histories --signoff -S distribution_auth/main

History was squashed:

- Refactor authorization challenges to its own package
  Split challenges into its own package. Avoids possible
  import cycle with challenges from client.
- Fix minor "Challanges" typo
- Fix gometalint errors
- Fix typo in NewSimpleManager() documentation
- Initial repo commit
- init
- format code with gofumpt

Move registry client internal

Our registry client is not currently in a good place to be used as the
reference OCI Distribution client implementation. But the registry proxy
currently depends on it. Make the registry client internal to the
distribution application to remove it from the API surface area (and any
implied compatibility promises) of distribution/v3@v3.0.0 without
breaking the proxy.

cleanup: move init funcs to the top of the source

We make sure they're not hiding at the bottom or in the middle
which makes debugging an utter nightmare!

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

* authchallenge: rename package and update imports

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

* pkg/v1/remote/internal/authchallenge: make manager-code a test-util

The Manager code is only used as part of tests; move it to _test files
to have a clearer separation between "production" code and test-code.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

* pkg/v1/remote/internal/authchallenge: cleanup manager code

As this code is now only used as a test-utility;

- Make the zero-value of simpleManager usable
- Remove the constructor and interface definition
- Un-export fields and mutex.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

* pkg/v1/remote/internal/authchallenge: cleanup URL-normalization

- change normalizeURL to not mutate the input URL.
- move lowercasing into canonicalAddr.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

* pkg/v1/remote/internal/authchallenge: modernize and linting

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

* pkg/v1/remote/internal/authchallenge: add boilerplating

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

---------

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

Author: thaJeztah

cmd/krane/go.mod

@@ -45,7 +45,6 @@ require (
 	github.com/containerd/stargz-snapshotter/estargz v0.18.2 // indirect
 	github.com/dimchansky/utfbom v1.1.1 // indirect
 	github.com/docker/cli v29.3.1+incompatible // indirect
-	github.com/docker/distribution v2.8.3+incompatible // indirect
 	github.com/docker/docker-credential-helpers v0.9.5 // indirect
 	github.com/golang-jwt/jwt/v4 v4.5.2 // indirect
 	github.com/google/go-cmp v0.7.0 // indirect

cmd/krane/go.sum

@@ -10,7 +10,6 @@ go 1.25.0
 require (
 	github.com/containerd/stargz-snapshotter/estargz v0.18.2
 	github.com/docker/cli v29.3.1+incompatible
-	github.com/docker/distribution v2.8.3+incompatible
 	github.com/google/go-cmp v0.7.0
 	github.com/klauspost/compress v1.18.5
 	github.com/mitchellh/go-homedir v1.1.0

go.mod

@@ -52,7 +52,6 @@ require (
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/dimchansky/utfbom v1.1.1 // indirect
 	github.com/docker/cli v29.3.1+incompatible // indirect
-	github.com/docker/distribution v2.8.3+incompatible // indirect
 	github.com/docker/docker-credential-helpers v0.9.5 // indirect
 	github.com/emicklei/go-restful/v3 v3.12.2 // indirect
 	github.com/fxamacker/cbor/v2 v2.9.0 // indirect

go.sum

@@ -1,91 +1,26 @@
-package challenge
+// Copyright 2014 Docker, Inc.
+// Copyright 2021-2026 The Distribution contributors
+// Copyright 2026 Google LLC All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//    http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package authchallenge
 
 import (
-	"fmt"
 	"net/http"
-	"net/url"
 	"strings"
-	"sync"
 )
 
-// Challenge carries information from a WWW-Authenticate response header.
-// See RFC 2617.
-type Challenge struct {
-	// Scheme is the auth-scheme according to RFC 2617
-	Scheme string
-
-	// Parameters are the auth-params according to RFC 2617
-	Parameters map[string]string
-}
-
-// Manager manages the challenges for endpoints.
-// The challenges are pulled out of HTTP responses. Only
-// responses which expect challenges should be added to
-// the manager, since a non-unauthorized request will be
-// viewed as not requiring challenges.
-type Manager interface {
-	// GetChallenges returns the challenges for the given
-	// endpoint URL.
-	GetChallenges(endpoint url.URL) ([]Challenge, error)
-
-	// AddResponse adds the response to the challenge
-	// manager. The challenges will be parsed out of
-	// the WWW-Authenicate headers and added to the
-	// URL which was produced the response. If the
-	// response was authorized, any challenges for the
-	// endpoint will be cleared.
-	AddResponse(resp *http.Response) error
-}
-
-// NewSimpleManager returns an instance of
-// Manger which only maps endpoints to challenges
-// based on the responses which have been added the
-// manager. The simple manager will make no attempt to
-// perform requests on the endpoints or cache the responses
-// to a backend.
-func NewSimpleManager() Manager {
-	return &simpleManager{
-		Challenges: make(map[string][]Challenge),
-	}
-}
-
-type simpleManager struct {
-	sync.RWMutex
-	Challenges map[string][]Challenge
-}
-
-func normalizeURL(endpoint *url.URL) {
-	endpoint.Host = strings.ToLower(endpoint.Host)
-	endpoint.Host = canonicalAddr(endpoint)
-}
-
-func (m *simpleManager) GetChallenges(endpoint url.URL) ([]Challenge, error) {
-	normalizeURL(&endpoint)
-
-	m.RLock()
-	defer m.RUnlock()
-	challenges := m.Challenges[endpoint.String()]
-	return challenges, nil
-}
-
-func (m *simpleManager) AddResponse(resp *http.Response) error {
-	challenges := ResponseChallenges(resp)
-	if resp.Request == nil {
-		return fmt.Errorf("missing request reference")
-	}
-	urlCopy := url.URL{
-		Path:   resp.Request.URL.Path,
-		Host:   resp.Request.URL.Host,
-		Scheme: resp.Request.URL.Scheme,
-	}
-	normalizeURL(&urlCopy)
-
-	m.Lock()
-	defer m.Unlock()
-	m.Challenges[urlCopy.String()] = challenges
-	return nil
-}
-
 // Octet types from RFC 2616.
 type octetType byte
 
@@ -113,7 +48,7 @@ func init() {
 	// token      = 1*<any CHAR except CTLs or separators>
 	// qdtext     = <any TEXT except <">>
 
-	for c := 0; c < 256; c++ {
+	for c := range 256 {
 		var t octetType
 		isCtl := c <= 31 || c == 127
 		isChar := 0 <= c && c <= 127
@@ -128,6 +63,16 @@ func init() {
 	}
 }
 
+// Challenge carries information from a WWW-Authenticate response header.
+// See RFC 2617.
+type Challenge struct {
+	// Scheme is the auth-scheme according to RFC 2617
+	Scheme string
+
+	// Parameters are the auth-params according to RFC 2617
+	Parameters map[string]string
+}
+
 // ResponseChallenges returns a list of authorization challenges
 // for the given http Response. Challenges are only checked if
 // the response status code was a 401.

pkg/authn/k8schain/go.mod

@@ -0,0 +1,139 @@
+// Copyright 2014 Docker, Inc.
+// Copyright 2021-2026 The Distribution contributors
+// Copyright 2026 Google LLC All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//    http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package authchallenge
+
+import (
+	"fmt"
+	"net/http"
+	"net/url"
+	"strings"
+	"sync"
+	"testing"
+)
+
+func TestAuthChallengeParse(t *testing.T) {
+	header := http.Header{}
+	header.Add("WWW-Authenticate", `Bearer realm="https://auth.example.com/token",service="registry.example.com",other=fun,slashed="he\"\l\lo"`)
+
+	challenges := parseAuthHeader(header)
+	if len(challenges) != 1 {
+		t.Fatalf("Unexpected number of auth challenges: %d, expected 1", len(challenges))
+	}
+	challenge := challenges[0]
+
+	if expected := "bearer"; challenge.Scheme != expected {
+		t.Fatalf("Unexpected scheme: %s, expected: %s", challenge.Scheme, expected)
+	}
+
+	if expected := "https://auth.example.com/token"; challenge.Parameters["realm"] != expected {
+		t.Fatalf("Unexpected param: %s, expected: %s", challenge.Parameters["realm"], expected)
+	}
+
+	if expected := "registry.example.com"; challenge.Parameters["service"] != expected {
+		t.Fatalf("Unexpected param: %s, expected: %s", challenge.Parameters["service"], expected)
+	}
+
+	if expected := "fun"; challenge.Parameters["other"] != expected {
+		t.Fatalf("Unexpected param: %s, expected: %s", challenge.Parameters["other"], expected)
+	}
+
+	if expected := "he\"llo"; challenge.Parameters["slashed"] != expected {
+		t.Fatalf("Unexpected param: %s, expected: %s", challenge.Parameters["slashed"], expected)
+	}
+}
+
+func TestAuthChallengeNormalization(t *testing.T) {
+	testAuthChallengeNormalization(t, "reg.EXAMPLE.com")
+	testAuthChallengeNormalization(t, "bɿɒʜɔiɿ-ɿɘƚƨim-ƚol-ɒ-ƨʞnɒʜƚ.com")
+	testAuthChallengeNormalization(t, "reg.example.com:80")
+	testAuthChallengeConcurrent(t, "reg.EXAMPLE.com")
+}
+
+func testAuthChallengeNormalization(t *testing.T, host string) {
+	scm := &simpleManager{}
+
+	hostURL, err := url.Parse(fmt.Sprintf("https://%s/v2/", host))
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	resp := &http.Response{
+		Request: &http.Request{
+			URL: hostURL,
+		},
+		Header:     make(http.Header),
+		StatusCode: http.StatusUnauthorized,
+	}
+	resp.Header.Add("WWW-Authenticate", fmt.Sprintf(`Bearer realm="https://%s/token",service="registry.example.com"`, host))
+
+	err = scm.AddResponse(resp)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	lowered := *hostURL
+	lowered.Host = canonicalAddr(&lowered)
+	c, err := scm.GetChallenges(lowered)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if len(c) == 0 {
+		t.Fatal("Expected challenge for lower-cased-host URL")
+	}
+}
+
+func testAuthChallengeConcurrent(t *testing.T, host string) {
+	scm := &simpleManager{}
+
+	hostURL, err := url.Parse(fmt.Sprintf("https://%s/v2/", host))
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	resp := &http.Response{
+		Request: &http.Request{
+			URL: hostURL,
+		},
+		Header:     make(http.Header),
+		StatusCode: http.StatusUnauthorized,
+	}
+	resp.Header.Add("WWW-Authenticate", fmt.Sprintf(`Bearer realm="https://%s/token",service="registry.example.com"`, host))
+	var s sync.WaitGroup
+	s.Add(2)
+	go func() {
+		defer s.Done()
+		for range 200 {
+			err = scm.AddResponse(resp)
+			if err != nil {
+				t.Error(err)
+			}
+		}
+	}()
+	go func() {
+		defer s.Done()
+		lowered := *hostURL
+		lowered.Host = strings.ToLower(lowered.Host)
+		for range 200 {
+			_, err := scm.GetChallenges(lowered)
+			if err != nil {
+				t.Error(err)
+			}
+		}
+	}()
+	s.Wait()
+}