docker: drop use of external distribution challenge pkg

in distribution v3, the registry/client package became internal. this
change copies `responseChallenges` from upstream, removing the last
reference to registry/client in this repo, making it ready for the
distribution v3 bump, whenever that comes.

Signed-off-by: Flavian Missi <[email protected]>

docker/distribution_error.go

@@ -24,7 +24,6 @@ import (
 	"slices"
 
 	"github.com/docker/distribution/registry/api/errcode"
-	dockerChallenge "github.com/docker/distribution/registry/client/auth/challenge"
 )
 
 // errNoErrorsInBody is returned when an HTTP response body parses to an empty
@@ -117,7 +116,7 @@ func handleErrorResponse(resp *http.Response) error {
 	if resp.StatusCode >= 400 && resp.StatusCode < 500 {
 		// Check for OAuth errors within the `WWW-Authenticate` header first
 		// See https://tools.ietf.org/html/rfc6750#section-3
-		for _, c := range dockerChallenge.ResponseChallenges(resp) {
+		for _, c := range responseChallenges(resp) {
 			if c.Scheme == "bearer" {
 				var err errcode.Error
 				// codes defined at https://tools.ietf.org/html/rfc6750#section-3.1

docker/wwwauthenticate.go

@@ -60,6 +60,19 @@ func init() {
 	}
 }
 
+// responseChallenges returns a list of authorization challenges
+// for the given http Response. Challenges are only checked if
+// the response status code was a 401.
+func responseChallenges(resp *http.Response) []challenge {
+	if resp.StatusCode == http.StatusUnauthorized {
+		// Parse the WWW-Authenticate Header and store the challenges
+		// on this endpoint object.
+		return parseAuthHeader(resp.Header)
+	}
+
+	return nil
+}
+
 func parseAuthHeader(header http.Header) []challenge {
 	challenges := []challenge{}
 	for _, h := range header[http.CanonicalHeaderKey("WWW-Authenticate")] {