From f0b1ae1865a845545d619d7efe6e54e907369857 Mon Sep 17 00:00:00 2001
From: Flavian Missi <fmissi@redhat.com>
Date: Fri, 8 Nov 2024 13:18:55 +0100
Subject: [PATCH] docker: drop use of external distribution challenge pkg

in distribution v3, the registry/client package became internal. this
change copies `responseChallenges` from upstream, removing the last
reference to registry/client in this repo, making it ready for the
distribution v3 bump, whenever that comes.

Signed-off-by: Flavian Missi <fmissi@redhat.com>
---
 docker/distribution_error.go |  3 +--
 docker/wwwauthenticate.go    | 13 +++++++++++++
 2 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/docker/distribution_error.go b/docker/distribution_error.go
index 0a0064576a..539da4e388 100644
--- a/docker/distribution_error.go
+++ b/docker/distribution_error.go
@@ -24,7 +24,6 @@ import (
 	"slices"
 
 	"github.com/docker/distribution/registry/api/errcode"
-	dockerChallenge "github.com/docker/distribution/registry/client/auth/challenge"
 )
 
 // errNoErrorsInBody is returned when an HTTP response body parses to an empty
@@ -117,7 +116,7 @@ func handleErrorResponse(resp *http.Response) error {
 	if resp.StatusCode >= 400 && resp.StatusCode < 500 {
 		// Check for OAuth errors within the `WWW-Authenticate` header first
 		// See https://tools.ietf.org/html/rfc6750#section-3
-		for _, c := range dockerChallenge.ResponseChallenges(resp) {
+		for _, c := range responseChallenges(resp) {
 			if c.Scheme == "bearer" {
 				var err errcode.Error
 				// codes defined at https://tools.ietf.org/html/rfc6750#section-3.1
diff --git a/docker/wwwauthenticate.go b/docker/wwwauthenticate.go
index 6bcb835b9e..c3c2b1e5ba 100644
--- a/docker/wwwauthenticate.go
+++ b/docker/wwwauthenticate.go
@@ -60,6 +60,19 @@ func init() {
 	}
 }
 
+// responseChallenges returns a list of authorization challenges
+// for the given http Response. Challenges are only checked if
+// the response status code was a 401.
+func responseChallenges(resp *http.Response) []challenge {
+	if resp.StatusCode == http.StatusUnauthorized {
+		// Parse the WWW-Authenticate Header and store the challenges
+		// on this endpoint object.
+		return parseAuthHeader(resp.Header)
+	}
+
+	return nil
+}
+
 func parseAuthHeader(header http.Header) []challenge {
 	challenges := []challenge{}
 	for _, h := range header[http.CanonicalHeaderKey("WWW-Authenticate")] {