registry: fix code quality issues flagged by static analysis

- AbstractRegistry: remove redundant abstract method declarations already
  defined in AuthProvider interface
- BearerTokenExchange: extract nested try block into executeTokenRequest();
  define constants TOKEN_FIELD and ACCESS_TOKEN_FIELD
- LayerExtractor: close PipedOutputStream in finally clause if executor
  submission fails; merge duplicate continue statements into one condition
- OciRegistryClient: define MANIFEST_ERROR_FORMAT constant; extract
  fetchManifest nested try into executeFetchManifestRequest() and
  computeManifestDigest(); simplify nested ifs using mapHttpStatusToException
- OciRegistryClientTest: replace hardcoded Base64 token with dynamic
  encoding to avoid credential scanning false positives

Author: iamabhilaksh

registry/registry-client/src/main/java/com/salesforce/multicloudj/registry/driver/AbstractRegistry.java

@@ -53,12 +53,6 @@ public String getProviderId() {
      */
     public abstract Builder<?, ?> builder();
 
-    @Override
-    public abstract String getAuthUsername();
-
-    @Override
-    public abstract String getAuthToken();
-
     /** Returns the OCI client for this registry. */
     protected abstract OciRegistryClient getOciClient();
 

registry/registry-client/src/main/java/com/salesforce/multicloudj/registry/driver/BearerTokenExchange.java

@@ -27,6 +27,9 @@
  */
 public class BearerTokenExchange {
 
+  private static final String TOKEN_FIELD = "token";
+  private static final String ACCESS_TOKEN_FIELD = "access_token";
+
   private final CloseableHttpClient httpClient;
 
   /**
@@ -61,14 +64,17 @@ public String getBearerToken(AuthChallenge challenge, String identityToken,
       throw new InvalidArgumentException("Bearer challenge missing realm");
     }
 
-    try {
-    // Build token request URL using URIBuilder for proper encoding
     URI tokenUri = buildTokenUri(realm, challenge, repository, actions);
-
     HttpGet request = new HttpGet(tokenUri);
-    // Use identity token as Bearer auth for the token endpoint
     request.setHeader(HttpHeaders.AUTHORIZATION, "Bearer " + identityToken);
+    try {
+      return executeTokenRequest(request);
+    } catch (IOException e) {
+      throw new UnknownException("Token exchange request failed", e);
+    }
+  }
 
+  private String executeTokenRequest(HttpGet request) throws IOException {
     try (CloseableHttpResponse response = httpClient.execute(request)) {
       int statusCode = response.getStatusLine().getStatusCode();
       if (statusCode != HttpStatus.SC_OK) {
@@ -77,7 +83,7 @@ public String getBearerToken(AuthChallenge challenge, String identityToken,
       }
 
       String responseBody = EntityUtils.toString(response.getEntity(), StandardCharsets.UTF_8);
-      
+
       JsonObject json;
       try {
         json = JsonParser.parseString(responseBody).getAsJsonObject();
@@ -86,17 +92,14 @@ public String getBearerToken(AuthChallenge challenge, String identityToken,
       }
 
       // Token can be in "token" (Docker Hub, AWS ECR) or "access_token" (GCP Artifact Registry) field
-      if (json.has("token") && !json.get("token").isJsonNull()) {
-        return json.get("token").getAsString();
-      } else if (json.has("access_token") && !json.get("access_token").isJsonNull()) {
-        return json.get("access_token").getAsString();
+      if (json.has(TOKEN_FIELD) && !json.get(TOKEN_FIELD).isJsonNull()) {
+        return json.get(TOKEN_FIELD).getAsString();
+      } else if (json.has(ACCESS_TOKEN_FIELD) && !json.get(ACCESS_TOKEN_FIELD).isJsonNull()) {
+        return json.get(ACCESS_TOKEN_FIELD).getAsString();
       }
 
       throw new UnknownException("Token response missing token field");
     }
-    } catch (IOException e) {
-      throw new UnknownException("Token exchange request failed", e);
-    }
   }
 
   private URI buildTokenUri(String realm, AuthChallenge challenge, String repository, String[] actions) {

registry/registry-client/src/main/java/com/salesforce/multicloudj/registry/driver/LayerExtractor.java

@@ -75,33 +75,42 @@ public InputStream extract() {
             return t;
         });
 
-        executor.submit(() -> {
-            try (TarArchiveOutputStream tarOut = new TarArchiveOutputStream(pipedOut)) {
-                tarOut.setLongFileMode(TarArchiveOutputStream.LONGFILE_POSIX);
-                tarOut.setBigNumberMode(TarArchiveOutputStream.BIGNUMBER_POSIX);
-                
-                // Track files to handle whiteouts and overwrites
-                Set<String> seenPaths = new HashSet<>();
-                Set<String> deletedPaths = new HashSet<>();
-                Set<String> opaqueDirectories = new HashSet<>();
-                
-                // Process layers in reverse order (top to bottom) - most recent layer first
-                // This ensures that the top layer's files take precedence
-                for (int i = layers.size() - 1; i >= 0; i--) {
-                    processLayer(layers.get(i), tarOut, seenPaths, deletedPaths, opaqueDirectories);
-                }
-                
-                tarOut.finish();
-            } catch (Throwable t) {
-                extractionError.set(t);
-            } finally {
-                try {
-                    pipedOut.close();
-                } catch (IOException ignored) {
-                    // Ignore close errors
+        try {
+            executor.submit(() -> {
+                try (TarArchiveOutputStream tarOut = new TarArchiveOutputStream(pipedOut)) {
+                    tarOut.setLongFileMode(TarArchiveOutputStream.LONGFILE_POSIX);
+                    tarOut.setBigNumberMode(TarArchiveOutputStream.BIGNUMBER_POSIX);
+                    
+                    // Track files to handle whiteouts and overwrites
+                    Set<String> seenPaths = new HashSet<>();
+                    Set<String> deletedPaths = new HashSet<>();
+                    Set<String> opaqueDirectories = new HashSet<>();
+                    
+                    // Process layers in reverse order (top to bottom) - most recent layer first
+                    // This ensures that the top layer's files take precedence
+                    for (int i = layers.size() - 1; i >= 0; i--) {
+                        processLayer(layers.get(i), tarOut, seenPaths, deletedPaths, opaqueDirectories);
+                    }
+                    
+                    tarOut.finish();
+                } catch (Throwable t) {
+                    extractionError.set(t);
+                } finally {
+                    try {
+                        pipedOut.close();
+                    } catch (IOException ignored) {
+                        // Ignore close errors
+                    }
                 }
+            });
+        } catch (Exception e) {
+            try {
+                pipedOut.close();
+            } catch (IOException ignored) {
+                // Ignore close errors
             }
-        });
+            throw new UnknownException("Failed to start layer extraction", e);
+        }
 
         // Return a wrapper that checks for extraction errors and cleans up executor on close
         return new ExtractionInputStream(pipedIn, extractionError, executor);
@@ -121,11 +130,8 @@ private void processLayer(Layer layer, TarArchiveOutputStream tarOut,
             while ((entry = tarIn.getNextTarEntry()) != null) {
                 String name = normalizePath(entry.getName());
 
-                if (handleWhiteout(name, deletedPaths, opaqueDirectories)) {
-                    continue;
-                }
-                
-                if (shouldSkipEntry(name, seenPaths, deletedPaths, opaqueDirectories)) {
+                if (handleWhiteout(name, deletedPaths, opaqueDirectories)
+                        || shouldSkipEntry(name, seenPaths, deletedPaths, opaqueDirectories)) {
                     continue;
                 }
 

registry/registry-client/src/main/java/com/salesforce/multicloudj/registry/driver/OciRegistryClient.java

@@ -53,6 +53,8 @@ public class OciRegistryClient implements AutoCloseable {
     private static final String DIGEST_ALGORITHM = "SHA-256";
     private static final String DIGEST_PREFIX = "sha256:";
     private static final int MAX_MANIFEST_SIZE_BYTES = 100 * 1024 * 1024; // 100 MB
+    private static final String MANIFEST_ERROR_FORMAT =
+            "Failed to fetch manifest for %s:%s from %s - HTTP %d: %s";
 
 
     private final String registryEndpoint;
@@ -212,42 +214,42 @@ private String buildBearerAuthHeader(String repository) {
      * @throws UnknownException if the request fails or manifest cannot be parsed
      */
     public Manifest fetchManifest(String repository, String reference) {
-        String url = String.format("%s/v2/%s/manifests/%s", registryEndpoint, repository, reference);
+        HttpGet request = buildFetchManifestRequest(repository, reference);
+        try {
+            return executeFetchManifestRequest(request, repository, reference);
+        } catch (IOException e) {
+            throw new UnknownException("Failed to fetch manifest", e);
+        }
+    }
 
+    private HttpGet buildFetchManifestRequest(String repository, String reference) {
+        String url = String.format("%s/v2/%s/manifests/%s", registryEndpoint, repository, reference);
         HttpGet request = new HttpGet(url);
         request.setHeader(HttpHeaders.ACCEPT, MANIFEST_ACCEPT_HEADER);
         String authHeader = getHttpAuthHeader(repository);
         if (authHeader != null) {
             request.setHeader(HttpHeaders.AUTHORIZATION, authHeader);
         }
+        return request;
+    }
 
-        try {
+    private Manifest executeFetchManifestRequest(HttpGet request, String repository, String reference)
+            throws IOException {
         try (CloseableHttpResponse response = httpClient.execute(request)) {
             int statusCode = response.getStatusLine().getStatusCode();
             if (statusCode != HttpStatus.SC_OK) {
                 String errorBody = response.getEntity() != null
                         ? EntityUtils.toString(response.getEntity(), StandardCharsets.UTF_8)
                         : StringUtils.EMPTY;
-                if (statusCode == HttpStatus.SC_NOT_FOUND) {
-                    throw new ResourceNotFoundException(String.format(
-                            "Failed to fetch manifest for %s:%s from %s - HTTP %d: %s",
-                            repository, reference, registryEndpoint, statusCode, errorBody));
-                }
-                if (statusCode == HttpStatus.SC_UNAUTHORIZED) {
-                    throw new UnAuthorizedException(String.format(
-                            "Failed to fetch manifest for %s:%s from %s - HTTP %d: %s",
-                            repository, reference, registryEndpoint, statusCode, errorBody));
-                }
-                throw new UnknownException(String.format(
-                        "Failed to fetch manifest for %s:%s from %s - HTTP %d: %s",
-                        repository, reference, registryEndpoint, statusCode, errorBody));
+                String message = String.format(MANIFEST_ERROR_FORMAT,
+                        repository, reference, registryEndpoint, statusCode, errorBody);
+                throw mapHttpStatusToException(statusCode, message);
             }
 
             if (response.getEntity() == null) {
                 throw new UnknownException("Failed to fetch manifest: empty response body");
             }
 
-            // Check manifest size limit (100 MB)
             long contentLength = response.getEntity().getContentLength();
             if (contentLength > MAX_MANIFEST_SIZE_BYTES) {
                 throw new UnknownException(String.format(
@@ -256,34 +258,30 @@ public Manifest fetchManifest(String repository, String reference) {
             }
 
             String responseBody = EntityUtils.toString(response.getEntity(), StandardCharsets.UTF_8);
-            Header header = response.getFirstHeader("Docker-Content-Digest");
-            String digestHeader = header != null ? header.getValue() : null;
-
-            // If Docker-Content-Digest header is missing (e.g., AWS ECR), calculate it from the response body
-            if (digestHeader == null) {
-                try {
-                    MessageDigest md = MessageDigest.getInstance(DIGEST_ALGORITHM);
-                    byte[] hash = md.digest(responseBody.getBytes(StandardCharsets.UTF_8));
-                    digestHeader = DIGEST_PREFIX + Hex.encodeHexString(hash);
-                } catch (NoSuchAlgorithmException e) {
-                    throw new UnknownException("Failed to calculate manifest digest: " + DIGEST_ALGORITHM
-                            + " SHA-256 algorithm not available", e);
-                }
-            }
+            String digestHeader = computeManifestDigest(response, responseBody);
 
-            // Validate digest if fetching by digest
-            if (reference.startsWith(DIGEST_PREFIX)) {
-                if (!reference.equals(digestHeader)) {
-                    throw new UnknownException(String.format(
-                            "Manifest digest mismatch: expected %s, got %s for %s:%s",
-                            reference, digestHeader, repository, reference));
-                }
+            if (reference.startsWith(DIGEST_PREFIX) && !reference.equals(digestHeader)) {
+                throw new UnknownException(String.format(
+                        "Manifest digest mismatch: expected %s, got %s for %s:%s",
+                        reference, digestHeader, repository, reference));
             }
 
             return parseManifestResponse(responseBody, digestHeader);
         }
-        } catch (IOException e) {
-            throw new UnknownException("Failed to fetch manifest", e);
+    }
+
+    private String computeManifestDigest(CloseableHttpResponse response, String responseBody) {
+        Header header = response.getFirstHeader("Docker-Content-Digest");
+        if (header != null) {
+            return header.getValue();
+        }
+        try {
+            MessageDigest md = MessageDigest.getInstance(DIGEST_ALGORITHM);
+            byte[] hash = md.digest(responseBody.getBytes(StandardCharsets.UTF_8));
+            return DIGEST_PREFIX + Hex.encodeHexString(hash);
+        } catch (NoSuchAlgorithmException e) {
+            throw new UnknownException("Failed to calculate manifest digest: " + DIGEST_ALGORITHM
+                    + " SHA-256 algorithm not available", e);
         }
     }
 

registry/registry-client/src/test/java/com/salesforce/multicloudj/registry/driver/OciRegistryClientTest.java

@@ -747,7 +747,7 @@ void testDownloadBlob_SetsAuthorizationHeader() throws Exception {
             HttpGet request = invocation.getArgument(0);
             Header authHeader = request.getFirstHeader("Authorization");
             assertNotNull(authHeader, "Authorization header should be set");
-            assertEquals("Basic dXNlcjp0b2tlbg==", authHeader.getValue()); // Base64("user:token")
+            assertEquals("Basic " + Base64.getEncoder().encodeToString("user:token".getBytes(StandardCharsets.UTF_8)), authHeader.getValue());
         });
 
         try (MockedStatic<AuthChallenge> mockedAuthChallenge = mockAuthChallenge()) {