registry: implement getHttpAuthHeader in OciRegistryClient (#291)

Author: iamabhilaksh

registry/registry-client/pom.xml

@@ -32,6 +32,12 @@
             <version>5.12.1</version>
             <scope>test</scope>
         </dependency>
+        <dependency>
+            <groupId>org.junit.jupiter</groupId>
+            <artifactId>junit-jupiter-params</artifactId>
+            <version>5.12.1</version>
+            <scope>test</scope>
+        </dependency>
         <dependency>
             <groupId>org.mockito</groupId>
             <artifactId>mockito-junit-jupiter</artifactId>

registry/registry-client/src/main/java/com/salesforce/multicloudj/registry/driver/AuthChallenge.java

@@ -0,0 +1,131 @@
+package com.salesforce.multicloudj.registry.driver;
+
+import lombok.Getter;
+import org.apache.commons.lang3.StringUtils;
+import org.apache.http.HttpHeaders;
+import org.apache.http.HttpStatus;
+import org.apache.http.client.methods.CloseableHttpResponse;
+import org.apache.http.client.methods.HttpGet;
+import org.apache.http.impl.client.CloseableHttpClient;
+
+import java.io.IOException;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
+/**
+ * Parses HTTP WWW-Authenticate header to determine authentication requirements.
+ * Supports both Basic and Bearer authentication schemes.
+ * Also supports anonymous access when no authentication is required.
+ */
+@Getter
+public final class AuthChallenge {
+
+  private static final String ANONYMOUS_SCHEME = "Anonymous";
+  private static final String BEARER_SCHEME = "Bearer";
+  private static final Pattern SCHEME_PATTERN = Pattern.compile("^(Basic|Bearer)\\s*", Pattern.CASE_INSENSITIVE);
+  private static final Pattern PARAM_PATTERN = Pattern.compile("(\\w+)=\"([^\"]*)\"");
+
+  /** The authentication scheme (Basic, Bearer, or Anonymous). */
+  private final String scheme;
+
+  /** The realm URL for token exchange (Bearer auth). */
+  private final String realm;
+
+  /** The service identifier. */
+  private final String service;
+
+  /** The requested scope. */
+  private final String scope;
+
+  private AuthChallenge(String scheme, String realm, String service, String scope) {
+    this.scheme = scheme;
+    this.realm = realm;
+    this.service = service;
+    this.scope = scope;
+  }
+
+  /**
+   * Creates an AuthChallenge representing anonymous access (no auth required).
+   *
+   * @return an anonymous AuthChallenge
+   */
+  public static AuthChallenge anonymous() {
+    return new AuthChallenge(ANONYMOUS_SCHEME, null, null, null);
+  }
+
+  /**
+   * Discovers authentication requirements by pinging the registry.
+   * Sends GET /v2/ and parses the WWW-Authenticate header from 401 response.
+   *
+   * @param httpClient the HTTP client to use for the request
+   * @param registryEndpoint the registry base URL
+   * @return AuthChallenge describing the authentication requirements (including anonymous)
+   * @throws IOException if the request fails
+   */
+  public static AuthChallenge discover(CloseableHttpClient httpClient, String registryEndpoint) throws IOException {
+    String url = registryEndpoint + "/v2/";
+    HttpGet request = new HttpGet(url);
+
+    try (CloseableHttpResponse response = httpClient.execute(request)) {
+      int statusCode = response.getStatusLine().getStatusCode();
+
+      if (statusCode == HttpStatus.SC_OK) {
+        // No authentication required (anonymous access)
+        return anonymous();
+      }
+
+      if (statusCode == HttpStatus.SC_UNAUTHORIZED) {
+        // Parse WWW-Authenticate header
+        if (response.containsHeader(HttpHeaders.WWW_AUTHENTICATE)) {
+          String authHeader = response.getFirstHeader(HttpHeaders.WWW_AUTHENTICATE).getValue();
+          return parse(authHeader);
+        }
+        throw new IOException("Registry returned 401 without WWW-Authenticate header");
+      }
+      throw new IOException("Unexpected response from registry ping: HTTP " + statusCode);
+    }
+  }
+
+  /**
+   * Parses a WWW-Authenticate header value.
+   *
+   * @param header the WWW-Authenticate header value
+   * @return parsed AuthChallenge
+   * @throws IllegalArgumentException if the header cannot be parsed
+   */
+  public static AuthChallenge parse(String header) {
+    if (StringUtils.isBlank(header)) {
+      throw new IllegalArgumentException("WWW-Authenticate header is empty");
+    }
+
+    Matcher schemeMatcher = SCHEME_PATTERN.matcher(header);
+    if (!schemeMatcher.find()) {
+      throw new UnsupportedOperationException("Unsupported authentication scheme in: " + header);
+    }
+
+    String scheme = schemeMatcher.group(1);
+    String paramsPart = header.substring(schemeMatcher.end());
+
+    Map<String, String> params = new HashMap<>();
+    Matcher paramMatcher = PARAM_PATTERN.matcher(paramsPart);
+    while (paramMatcher.find()) {
+      params.put(paramMatcher.group(1).toLowerCase(), paramMatcher.group(2));
+    }
+
+    return new AuthChallenge(
+        scheme,
+        params.get("realm"),
+        params.get("service"),
+        params.get("scope")
+    );
+  }
+
+  /**
+   * Returns true if this is a Bearer authentication challenge.
+   */
+  public boolean isBearer() {
+    return BEARER_SCHEME.equalsIgnoreCase(scheme);
+  }
+}

registry/registry-client/src/main/java/com/salesforce/multicloudj/registry/driver/BearerTokenExchange.java

@@ -0,0 +1,116 @@
+package com.salesforce.multicloudj.registry.driver;
+
+import com.google.gson.JsonObject;
+import com.google.gson.JsonParser;
+import com.google.gson.JsonSyntaxException;
+import org.apache.commons.lang3.StringUtils;
+import org.apache.http.HttpHeaders;
+import org.apache.http.HttpStatus;
+import org.apache.http.client.methods.CloseableHttpResponse;
+import org.apache.http.client.methods.HttpGet;
+import org.apache.http.impl.client.CloseableHttpClient;
+import org.apache.http.util.EntityUtils;
+
+import java.io.IOException;
+import java.net.URI;
+import java.net.URISyntaxException;
+import java.nio.charset.StandardCharsets;
+
+import org.apache.http.client.utils.URIBuilder;
+
+/**
+ * Handles OAuth2 Bearer Token exchange for OCI registries.
+ * Exchanges identity tokens for registry-scoped bearer tokens.
+ */
+public class BearerTokenExchange {
+
+  private final CloseableHttpClient httpClient;
+
+  /**
+   * Creates a new BearerTokenExchange instance.
+   *
+   * @param httpClient the HTTP client to use for requests
+   */
+  public BearerTokenExchange(CloseableHttpClient httpClient) {
+    this.httpClient = httpClient;
+  }
+
+  /**
+   * Exchanges an identity token for a registry-scoped bearer token.
+   *
+   * @param challenge the authentication challenge from AuthChallenge.discover()
+   * @param identityToken the identity token (e.g., OAuth2 access token from GCP)
+   * @param repository the repository to request access for
+   * @param actions the actions to request (e.g., "pull", "push")
+   * @return the bearer token for use in Authorization header
+   * @throws IOException if the token exchange fails
+   */
+  public String getBearerToken(AuthChallenge challenge, String identityToken,
+                               String repository, String... actions) throws IOException {
+    if (challenge == null || !challenge.isBearer()) {
+      throw new IllegalArgumentException("Bearer token exchange requires a Bearer challenge");
+    }
+
+    String realm = challenge.getRealm();
+    if (StringUtils.isBlank(realm)) {
+      throw new IOException("Bearer challenge missing realm");
+    }
+
+    // Build token request URL using URIBuilder for proper encoding
+    URI tokenUri = buildTokenUri(realm, challenge, repository, actions);
+
+    HttpGet request = new HttpGet(tokenUri);
+    // Use identity token as Bearer auth for the token endpoint
+    request.setHeader(HttpHeaders.AUTHORIZATION, "Bearer " + identityToken);
+
+    try (CloseableHttpResponse response = httpClient.execute(request)) {
+      int statusCode = response.getStatusLine().getStatusCode();
+      if (statusCode != HttpStatus.SC_OK) {
+        String errorBody = EntityUtils.toString(response.getEntity(), StandardCharsets.UTF_8);
+        throw new IOException("Token exchange failed: HTTP " + statusCode + " - " + errorBody);
+      }
+
+      String responseBody = EntityUtils.toString(response.getEntity(), StandardCharsets.UTF_8);
+      
+      JsonObject json;
+      try {
+        json = JsonParser.parseString(responseBody).getAsJsonObject();
+      } catch (JsonSyntaxException e) {
+        throw new IOException("Invalid JSON response from token endpoint: " + responseBody, e);
+      }
+
+      // Token can be in "token" (Docker Hub, AWS ECR) or "access_token" (GCP Artifact Registry) field
+      if (json.has("token") && !json.get("token").isJsonNull()) {
+        return json.get("token").getAsString();
+      } else if (json.has("access_token") && !json.get("access_token").isJsonNull()) {
+        return json.get("access_token").getAsString();
+      }
+
+      throw new IOException("Token response missing token field");
+    }
+  }
+
+  private URI buildTokenUri(String realm, AuthChallenge challenge, String repository, String[] actions)
+          throws IOException {
+    try {
+      URIBuilder uriBuilder = new URIBuilder(realm);
+      
+      if (challenge.getService() != null) {
+        uriBuilder.addParameter("service", challenge.getService());
+      }
+
+      // Build scope: repository:<name>:<actions>
+      if (repository != null && actions.length > 0) {
+        String scope = "repository:" + repository + ":" + String.join(",", actions);
+        uriBuilder.addParameter("scope", scope);
+      } else if (challenge.getScope() != null) {
+        // Fallback: use scope from the original WWW-Authenticate header
+        uriBuilder.addParameter("scope", challenge.getScope());
+      }
+
+      return uriBuilder.build();
+    } catch (URISyntaxException e) {
+      throw new IOException("Invalid token endpoint URL: " + realm, e);
+    }
+  }
+}