docker: drop use of external distribution challenge pkg

docker/distribution_error.go

@@ -24,7 +24,6 @@ import (
 	"slices"
 
 	"github.com/docker/distribution/registry/api/errcode"
-	dockerChallenge "github.com/docker/distribution/registry/client/auth/challenge"
 )
 
 // errNoErrorsInBody is returned when an HTTP response body parses to an empty
@@ -114,10 +113,11 @@ func mergeErrors(err1, err2 error) error {
 // UnexpectedHTTPStatusError returned for response code outside of expected
 // range.
 func handleErrorResponse(resp *http.Response) error {
-	if resp.StatusCode >= 400 && resp.StatusCode < 500 {
+	switch {
+	case resp.StatusCode == http.StatusUnauthorized:
 		// Check for OAuth errors within the `WWW-Authenticate` header first
 		// See https://tools.ietf.org/html/rfc6750#section-3
-		for _, c := range dockerChallenge.ResponseChallenges(resp) {
+		for _, c := range parseAuthHeader(resp.Header) {
 			if c.Scheme == "bearer" {
 				var err errcode.Error
 				// codes defined at https://tools.ietf.org/html/rfc6750#section-3.1
@@ -138,6 +138,8 @@ func handleErrorResponse(resp *http.Response) error {
 				return mergeErrors(err, parseHTTPErrorResponse(resp.StatusCode, resp.Body))
 			}
 		}
+		fallthrough
+	case resp.StatusCode >= 400 && resp.StatusCode < 500:
 		err := parseHTTPErrorResponse(resp.StatusCode, resp.Body)
 		if uErr, ok := err.(*unexpectedHTTPResponseError); ok && resp.StatusCode == 401 {
 			return errcode.ErrorCodeUnauthorized.WithDetail(uErr.Response)

docker/distribution_error_test.go

@@ -21,8 +21,129 @@ import (
 	"net/http"
 	"strings"
 	"testing"
+
+	"github.com/docker/distribution/registry/api/errcode"
 )
 
+func TestHandleErrorResponse401InvalidTokenChallenge(t *testing.T) {
+	json := []byte(`{"errors":[{"code":"UNKNOWN","message":"some unknown error"}]}`)
+	challenge := `Bearer realm="example.io",
+error="invalid_token",
+error_description="The access token expired"`
+	response := &http.Response{
+		Status:     "401 Unauthorized",
+		StatusCode: 401,
+		Body:       io.NopCloser(bytes.NewReader(json)),
+		Header: http.Header{
+			http.CanonicalHeaderKey("WWW-Authenticate"): []string{challenge},
+		},
+	}
+	err := handleErrorResponse(response)
+	if err == nil {
+		t.Fatal("Expected handleErrorResponse to return error, got nil.")
+	}
+
+	expectedMsg := "unauthorized: The access token expired"
+	if !strings.Contains(err.Error(), expectedMsg) {
+		t.Errorf("Expected \"%s\", got: \"%s\"", expectedMsg, err.Error())
+	}
+}
+
+func TestHandleErrorResponse401InsufficientScopeChallenge(t *testing.T) {
+	json := []byte(`{"errors":[{"code":"UNKNOWN","message":"some unknown error"}]}`)
+	challenge := `Bearer realm="example.io",
+error="insufficient_scope",
+error_description="Insufficient permission"`
+	response := &http.Response{
+		Status:     "401 Unauthorized",
+		StatusCode: 401,
+		Body:       io.NopCloser(bytes.NewReader(json)),
+		Header: http.Header{
+			http.CanonicalHeaderKey("WWW-Authenticate"): []string{challenge},
+		},
+	}
+	err := handleErrorResponse(response)
+	if err == nil {
+		t.Fatal("Expected handleErrorResponse to return error, got nil.")
+	}
+
+	expectedMsg := "denied: Insufficient permission"
+	if !strings.Contains(err.Error(), expectedMsg) {
+		t.Errorf("Expected \"%s\", got: \"%s\"", expectedMsg, err.Error())
+	}
+}
+
+func TestHandleErrorResponse401InvalidTokenWithoutDescription(t *testing.T) {
+	json := []byte(`{"errors":[{"code":"UNKNOWN","message":"some unknown error"}]}`)
+	challenge := `Bearer realm="example.io",
+error="invalid_token"`
+	response := &http.Response{
+		Status:     "401 Unauthorized",
+		StatusCode: 401,
+		Body:       io.NopCloser(bytes.NewReader(json)),
+		Header: http.Header{
+			http.CanonicalHeaderKey("WWW-Authenticate"): []string{challenge},
+		},
+	}
+	err := handleErrorResponse(response)
+	if err == nil {
+		t.Fatal("Expected handleErrorResponse to return error, got nil.")
+	}
+
+	expectedMsg := errcode.ErrorCodeUnauthorized.Message()
+	if !strings.Contains(err.Error(), expectedMsg) {
+		t.Errorf("Expected \"%s\", got: \"%s\"", expectedMsg, err.Error())
+	}
+}
+
+func TestHandleErrorResponse401UnexpectedChallenge(t *testing.T) {
+	json := []byte(`{"errors":[{"code":"UNKNOWN","message":"some unknown error"}]}`)
+	challenge := `Bearer realm="example.io",
+error="invalid_request",
+error_description="The request is missing a required parameter"`
+	response := &http.Response{
+		Status:     "401 Unauthorized",
+		StatusCode: 401,
+		Body:       io.NopCloser(bytes.NewReader(json)),
+		Header: http.Header{
+			http.CanonicalHeaderKey("WWW-Authenticate"): []string{challenge},
+		},
+	}
+	err := handleErrorResponse(response)
+	if err == nil {
+		t.Fatal("Expected handleErrorResponse to return error, got nil.")
+	}
+
+	expectedMsg := "unknown: some unknown error"
+	if err.Error() != expectedMsg {
+		t.Errorf("Expected \"%s\", got: \"%s\"", expectedMsg, err.Error())
+	}
+}
+
+func TestHandleErrorResponse403InsufficientScopeChallenge(t *testing.T) {
+	json := []byte(`{"errors":[{"code":"UNKNOWN","message":"some unknown error"}]}`)
+	challenge := `Bearer realm="example.io",
+error="insufficient_scope",
+error_description="Insufficient permission"`
+	response := &http.Response{
+		Status:     "403 Forbidden",
+		StatusCode: 403,
+		Body:       io.NopCloser(bytes.NewReader(json)),
+		Header: http.Header{
+			http.CanonicalHeaderKey("WWW-Authenticate"): []string{challenge},
+		},
+	}
+	err := handleErrorResponse(response)
+	if err == nil {
+		t.Fatal("Expected handleErrorResponse to return error, got nil.")
+	}
+
+	expectedMsg := "unknown: some unknown error"
+	if err.Error() != expectedMsg {
+		t.Errorf("Expected \"%s\", got: \"%s\"", expectedMsg, err.Error())
+	}
+}
+
 func TestHandleErrorResponse401ValidBody(t *testing.T) {
 	json := []byte("{\"errors\":[{\"code\":\"UNAUTHORIZED\",\"message\":\"action requires authentication\"}]}")
 	response := &http.Response{