Split obtainBearerToken from dockerClient.setupRequestAuth

mtrmac · rhatdan · commit a078bc3c7e92 · 2025-11-21T10:26:44.000-05:00
... because we will make it more complex.

Should not change behavior.

Signed-off-by: Miloslav Trmač &lt;mitr@redhat.com&gt;
diff --git a/image/docker/docker_client.go b/image/docker/docker_client.go
@@ -716,50 +716,11 @@ func (c *dockerClient) setupRequestAuth(req *http.Request, extraScope *authScope
 			req.SetBasicAuth(c.auth.Username, c.auth.Password)
 			return nil
 		case "bearer":
-			registryToken := c.registryToken
-			if registryToken == "" {
-				cacheKey := ""
-				scopes := []authScope{c.scope}
-				if extraScope != nil {
-					// Using ':' as a separator here is unambiguous because getBearerToken below
-					// uses the same separator when formatting a remote request (and because
-					// repository names that we create can't contain colons, and extraScope values
-					// coming from a server come from `parseAuthScope`, which also splits on colons).
-					cacheKey = fmt.Sprintf("%s:%s:%s", extraScope.resourceType, extraScope.remoteName, extraScope.actions)
-					if colonCount := strings.Count(cacheKey, ":"); colonCount != 2 {
-						return fmt.Errorf(
-							"Internal error: there must be exactly 2 colons in the cacheKey ('%s') but got %d",
-							cacheKey,
-							colonCount,
-						)
-					}
-					scopes = append(scopes, *extraScope)
-				}
-				var token bearerToken
-				t, inCache := c.tokenCache.Load(cacheKey)
-				if inCache {
-					token = t.(bearerToken)
-				}
-				if !inCache || time.Now().After(token.expirationTime) {
-					var (
-						t   *bearerToken
-						err error
-					)
-					if c.auth.IdentityToken != "" {
-						t, err = c.getBearerTokenOAuth2(req.Context(), challenge, scopes)
-					} else {
-						t, err = c.getBearerToken(req.Context(), challenge, scopes)
-					}
-					if err != nil {
-						return err
-					}
-
-					token = *t
-					c.tokenCache.Store(cacheKey, token)
-				}
-				registryToken = token.token
+			token, err := c.obtainBearerToken(req.Context(), challenge, extraScope)
+			if err != nil {
+				return err
 			}
-			req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", registryToken))
+			req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", token))
 			return nil
 		default:
 			logrus.Debugf("no handler for %s authentication", challenge.Scheme)
@@ -769,6 +730,54 @@ func (c *dockerClient) setupRequestAuth(req *http.Request, extraScope *authScope
 	return nil
 }
 
+// obtainBearerToken gets an "Authorization: Bearer" token if one is available, or obtains a fresh one.
+func (c *dockerClient) obtainBearerToken(ctx context.Context, challenge challenge, extraScope *authScope) (string, error) {
+	registryToken := c.registryToken
+	if registryToken == "" {
+		cacheKey := ""
+		scopes := []authScope{c.scope}
+		if extraScope != nil {
+			// Using ':' as a separator here is unambiguous because getBearerToken below
+			// uses the same separator when formatting a remote request (and because
+			// repository names that we create can't contain colons, and extraScope values
+			// coming from a server come from `parseAuthScope`, which also splits on colons).
+			cacheKey = fmt.Sprintf("%s:%s:%s", extraScope.resourceType, extraScope.remoteName, extraScope.actions)
+			if colonCount := strings.Count(cacheKey, ":"); colonCount != 2 {
+				return "", fmt.Errorf(
+					"Internal error: there must be exactly 2 colons in the cacheKey ('%s') but got %d",
+					cacheKey,
+					colonCount,
+				)
+			}
+			scopes = append(scopes, *extraScope)
+		}
+		var token bearerToken
+		t, inCache := c.tokenCache.Load(cacheKey)
+		if inCache {
+			token = t.(bearerToken)
+		}
+		if !inCache || time.Now().After(token.expirationTime) {
+			var (
+				t   *bearerToken
+				err error
+			)
+			if c.auth.IdentityToken != "" {
+				t, err = c.getBearerTokenOAuth2(ctx, challenge, scopes)
+			} else {
+				t, err = c.getBearerToken(ctx, challenge, scopes)
+			}
+			if err != nil {
+				return "", err
+			}
+
+			token = *t
+			c.tokenCache.Store(cacheKey, token)
+		}
+		registryToken = token.token
+	}
+	return registryToken, nil
+}
+
 func (c *dockerClient) getBearerTokenOAuth2(ctx context.Context, challenge challenge,
 	scopes []authScope) (*bearerToken, error) {
 	realm, ok := challenge.Parameters["realm"]
