new file mode 100644

@@ -0,0 +1,92 @@

+package authconfig

+

+import (

+	"bytes"

+	"encoding/base64"

+	"encoding/json"

+	"errors"

+	"fmt"

+	"io"

+

+	"github.com/moby/moby/api/types/registry"

+)

+

+// Encode serializes the auth configuration as a base64url encoded

+// ([RFC4648, section 5]) JSON string for sending through the X-Registry-Auth header.

+//

+// [RFC4648, section 5]: https://tools.ietf.org/html/rfc4648#section-5

+func Encode(authConfig registry.AuthConfig) (string, error) {

+	// Older daemons (or registries) may not handle an empty string,

+	// which resulted in an "io.EOF" when unmarshaling or decoding.

+	//

+	// FIXME(thaJeztah): find exactly what code-paths are impacted by this.

+	// if authConfig == (AuthConfig{}) { return "", nil }

+	buf, err := json.Marshal(authConfig)

+	if err != nil {

+		return "", errInvalidParameter{err}

+	}

+	return base64.URLEncoding.EncodeToString(buf), nil

+}

+

+// Decode decodes base64url encoded ([RFC4648, section 5]) JSON

+// authentication information as sent through the X-Registry-Auth header.

+//

+// This function always returns an [AuthConfig], even if an error occurs. It is up

+// to the caller to decide if authentication is required, and if the error can

+// be ignored.

+//

+// [RFC4648, section 5]: https://tools.ietf.org/html/rfc4648#section-5

+func Decode(authEncoded string) (*registry.AuthConfig, error) {

+	if authEncoded == "" {

+		return &registry.AuthConfig{}, nil

+	}

+

+	decoded, err := base64.URLEncoding.DecodeString(authEncoded)

+	if err != nil {

+		var e base64.CorruptInputError

+		if errors.As(err, &e) {

+			return &registry.AuthConfig{}, invalid(errors.New("must be a valid base64url-encoded string"))

+		}

+		return &registry.AuthConfig{}, invalid(err)

+	}

+

+	if bytes.Equal(decoded, []byte("{}")) {

+		return &registry.AuthConfig{}, nil

+	}

+

+	return decode(bytes.NewReader(decoded))

+}

+

+// DecodeRequestBody decodes authentication information as sent as JSON in the

+// body of a request. This function is to provide backward compatibility with old

+// clients and API versions. Current clients and API versions expect authentication

+// to be provided through the X-Registry-Auth header.

+//

+// Like [Decode], this function always returns an [AuthConfig], even if an

+// error occurs. It is up to the caller to decide if authentication is required,

+// and if the error can be ignored.

+func DecodeRequestBody(r io.ReadCloser) (*registry.AuthConfig, error) {

+	return decode(r)

+}

+

+func decode(r io.Reader) (*registry.AuthConfig, error) {

+	authConfig := &registry.AuthConfig{}

+	if err := json.NewDecoder(r).Decode(authConfig); err != nil {

+		// always return an (empty) AuthConfig to increase compatibility with

+		// the existing API.

+		return &registry.AuthConfig{}, invalid(fmt.Errorf("invalid JSON: %w", err))

+	}

+	return authConfig, nil

+}

+

+func invalid(err error) error {

+	return errInvalidParameter{fmt.Errorf("invalid X-Registry-Auth header: %w", err)}

+}

+

+type errInvalidParameter struct{ error }

+

+func (errInvalidParameter) InvalidParameter() {}

+

+func (e errInvalidParameter) Cause() error { return e.error }

+

+func (e errInvalidParameter) Unwrap() error { return e.error }

new file mode 100644

@@ -0,0 +1,191 @@

+package authconfig

+

+import (

+	"encoding/base64"

+	"strings"

+	"testing"

+

+	"github.com/moby/moby/api/types/registry"

+	"gotest.tools/v3/assert"

+	is "gotest.tools/v3/assert/cmp"

+)

+

+func TestDecodeAuthConfig(t *testing.T) {

+	tests := []struct {

+		doc         string

+		input       string

+		inputBase64 string

+		expected    registry.AuthConfig

+		expectedErr string

+	}{

+		{

+			doc:         "empty",

+			input:       ``,

+			inputBase64: ``,

+			expected:    registry.AuthConfig{},

+		},

+		{

+			doc:         "empty JSON",

+			input:       `{}`,

+			inputBase64: `e30=`,

+			expected:    registry.AuthConfig{},

+		},

+		{

+			doc:         "malformed JSON",

+			input:       `{`,

+			inputBase64: `ew==`,

+			expected:    registry.AuthConfig{},

+			expectedErr: `invalid X-Registry-Auth header: invalid JSON: unexpected EOF`,

+		},

+		{

+			doc:         "test authConfig",

+			input:       `{"username":"testuser","password":"testpassword","serveraddress":"example.com"}`,

+			inputBase64: `eyJ1c2VybmFtZSI6InRlc3R1c2VyIiwicGFzc3dvcmQiOiJ0ZXN0cGFzc3dvcmQiLCJzZXJ2ZXJhZGRyZXNzIjoiZXhhbXBsZS5jb20ifQ==`,

+			expected: registry.AuthConfig{

+				Username:      "testuser",

+				Password:      "testpassword",

+				ServerAddress: "example.com",

+			},

+		},

+		{

+			// FIXME(thaJeztah): we should not accept multiple JSON documents.

+			doc:         "multiple authConfig",

+			input:       `{"username":"testuser","password":"testpassword","serveraddress":"example.com"}{"username":"testuser2","password":"testpassword2","serveraddress":"example.org"}`,

+			inputBase64: `eyJ1c2VybmFtZSI6InRlc3R1c2VyIiwicGFzc3dvcmQiOiJ0ZXN0cGFzc3dvcmQiLCJzZXJ2ZXJhZGRyZXNzIjoiZXhhbXBsZS5jb20ifXsidXNlcm5hbWUiOiJ0ZXN0dXNlcjIiLCJwYXNzd29yZCI6InRlc3RwYXNzd29yZDIiLCJzZXJ2ZXJhZGRyZXNzIjoiZXhhbXBsZS5vcmcifQ==`,

+			expected: registry.AuthConfig{

+				Username:      "testuser",

+				Password:      "testpassword",

+				ServerAddress: "example.com",

+			},

+		},

+		// We currently only support base64url encoding with padding, so

+		// un-padded should produce an error.

+		//

+		// RFC4648, section 5: https://tools.ietf.org/html/rfc4648#section-5

+		// RFC4648, section 3.2: https://tools.ietf.org/html/rfc4648#section-3.2

+		{

+			doc:         "empty JSON no padding",

+			input:       `{}`,

+			inputBase64: `e30`,

+			expected:    registry.AuthConfig{},

+			expectedErr: `invalid X-Registry-Auth header: must be a valid base64url-encoded string`,

+		},

+		{

+			doc:         "test authConfig",

+			input:       `{"username":"testuser","password":"testpassword","serveraddress":"example.com"}`,

+			inputBase64: `eyJ1c2VybmFtZSI6InRlc3R1c2VyIiwicGFzc3dvcmQiOiJ0ZXN0cGFzc3dvcmQiLCJzZXJ2ZXJhZGRyZXNzIjoiZXhhbXBsZS5jb20ifQ`,

+			expected:    registry.AuthConfig{},

+			expectedErr: `invalid X-Registry-Auth header: must be a valid base64url-encoded string`,

+		},

+	}

+

+	for _, tc := range tests {

+		t.Run(tc.doc, func(t *testing.T) {

+			if tc.inputBase64 != "" {

+				// Sanity check to make sure our fixtures are correct.

+				b64 := base64.URLEncoding.EncodeToString([]byte(tc.input))

+				if !strings.HasSuffix(tc.inputBase64, "=") {

+					b64 = strings.TrimRight(b64, "=")

+				}

+				assert.Check(t, is.Equal(b64, tc.inputBase64))

+			}

+

+			out, err := Decode(tc.inputBase64)

+			if tc.expectedErr != "" {

+				assert.Check(t, is.ErrorType(err, errInvalidParameter{}))

+				assert.Check(t, is.Error(err, tc.expectedErr))

+			} else {

+				assert.NilError(t, err)

+				assert.Equal(t, *out, tc.expected)

+			}

+		})

+	}

+}

+

+func TestEncodeAuthConfig(t *testing.T) {

+	tests := []struct {

+		doc       string

+		input     registry.AuthConfig

+		outBase64 string

+		outPlain  string

+	}{

+		{

+			// Older daemons (or registries) may not handle an empty string,

+			// which resulted in an "io.EOF" when unmarshaling or decoding.

+			//

+			// FIXME(thaJeztah): find exactly what code-paths are impacted by this.

+			doc:       "empty",

+			input:     registry.AuthConfig{},

+			outBase64: `e30=`,

+			outPlain:  `{}`,

+		},

+		{

+			doc: "test authConfig",

+			input: registry.AuthConfig{

+				Username:      "testuser",

+				Password:      "testpassword",

+				ServerAddress: "example.com",

+			},

+			outBase64: `eyJ1c2VybmFtZSI6InRlc3R1c2VyIiwicGFzc3dvcmQiOiJ0ZXN0cGFzc3dvcmQiLCJzZXJ2ZXJhZGRyZXNzIjoiZXhhbXBsZS5jb20ifQ==`,

+			outPlain:  `{"username":"testuser","password":"testpassword","serveraddress":"example.com"}`,

+		},

+	}

+	for _, tc := range tests {

+		// Sanity check to make sure our fixtures are correct.

+		b64 := base64.URLEncoding.EncodeToString([]byte(tc.outPlain))

+		assert.Check(t, is.Equal(b64, tc.outBase64))

+

+		t.Run(tc.doc, func(t *testing.T) {

+			out, err := Encode(tc.input)

+			assert.NilError(t, err)

+			assert.Equal(t, out, tc.outBase64)

+

+			authJSON, err := base64.URLEncoding.DecodeString(out)

+			assert.NilError(t, err)

+			assert.Equal(t, string(authJSON), tc.outPlain)

+		})

+	}

+}

+

+func BenchmarkDecodeAuthConfig(b *testing.B) {

+	cases := []struct {

+		doc         string

+		inputBase64 string

+		invalid     bool

+	}{

+		{

+			doc:         "empty",

+			inputBase64: ``,

+		},

+		{

+			doc:         "empty JSON",

+			inputBase64: `e30=`,

+		},

+		{

+			doc:         "valid",

+			inputBase64: base64.URLEncoding.EncodeToString([]byte(`{"username":"testuser","password":"testpassword","serveraddress":"example.com"}`)),

+		},

+		{

+			doc:         "invalid base64",

+			inputBase64: "not-base64",

+			invalid:     true,

+		},

+		{

+			doc:         "malformed JSON",

+			inputBase64: `ew==`,

+			invalid:     true,

+		},

+	}

+

+	for _, tc := range cases {

+		b.Run(tc.doc, func(b *testing.B) {

+			b.ReportAllocs()

+			for i := 0; i < b.N; i++ {

+				_, err := Decode(tc.inputBase64)

+				if !tc.invalid && err != nil {

+					b.Fatal(err)

+				}

+			}

+		})

+	}

+}

@@ -1,14 +1,6 @@

 package registry

-import (

-	"bytes"

-	"context"

-	"encoding/base64"

-	"encoding/json"

-	"errors"

-	"fmt"

-	"io"

-)

+import "context"

 // AuthHeader is the name of the header used to send encoded registry

 // authorization credentials for registry operations (push/pull).

@@ -46,85 +38,3 @@ type AuthConfig struct {

 	// RegistryToken is a bearer token to be sent to a registry

 	RegistryToken string `json:"registrytoken,omitempty"`

 }

-

-// EncodeAuthConfig serializes the auth configuration as a base64url encoded

-// ([RFC4648, section 5]) JSON string for sending through the X-Registry-Auth header.

-//

-// [RFC4648, section 5]: https://tools.ietf.org/html/rfc4648#section-5

-func EncodeAuthConfig(authConfig AuthConfig) (string, error) {

-	// Older daemons (or registries) may not handle an empty string,

-	// which resulted in an "io.EOF" when unmarshaling or decoding.

-	//

-	// FIXME(thaJeztah): find exactly what code-paths are impacted by this.

-	// if authConfig == (AuthConfig{}) { return "", nil }

-	buf, err := json.Marshal(authConfig)

-	if err != nil {

-		return "", errInvalidParameter{err}

-	}

-	return base64.URLEncoding.EncodeToString(buf), nil

-}

-

-// DecodeAuthConfig decodes base64url encoded ([RFC4648, section 5]) JSON

-// authentication information as sent through the X-Registry-Auth header.

-//

-// This function always returns an [AuthConfig], even if an error occurs. It is up

-// to the caller to decide if authentication is required, and if the error can

-// be ignored.

-//

-// [RFC4648, section 5]: https://tools.ietf.org/html/rfc4648#section-5

-func DecodeAuthConfig(authEncoded string) (*AuthConfig, error) {

-	if authEncoded == "" {

-		return &AuthConfig{}, nil

-	}

-

-	decoded, err := base64.URLEncoding.DecodeString(authEncoded)

-	if err != nil {

-		var e base64.CorruptInputError

-		if errors.As(err, &e) {

-			return &AuthConfig{}, invalid(errors.New("must be a valid base64url-encoded string"))

-		}

-		return &AuthConfig{}, invalid(err)

-	}

-

-	if bytes.Equal(decoded, []byte("{}")) {

-		return &AuthConfig{}, nil

-	}

-

-	return decodeAuthConfigFromReader(bytes.NewReader(decoded))

-}

-

-// DecodeAuthConfigBody decodes authentication information as sent as JSON in the

-// body of a request. This function is to provide backward compatibility with old

-// clients and API versions. Current clients and API versions expect authentication

-// to be provided through the X-Registry-Auth header.

-//

-// Like [DecodeAuthConfig], this function always returns an [AuthConfig], even if an

-// error occurs. It is up to the caller to decide if authentication is required,

-// and if the error can be ignored.

-//

-// Deprecated: this function is no longer used and will be removed in the next release.

-func DecodeAuthConfigBody(rdr io.ReadCloser) (*AuthConfig, error) {

-	return decodeAuthConfigFromReader(rdr)

-}

-

-func decodeAuthConfigFromReader(rdr io.Reader) (*AuthConfig, error) {

-	authConfig := &AuthConfig{}

-	if err := json.NewDecoder(rdr).Decode(authConfig); err != nil {

-		// always return an (empty) AuthConfig to increase compatibility with

-		// the existing API.

-		return &AuthConfig{}, invalid(fmt.Errorf("invalid JSON: %w", err))

-	}

-	return authConfig, nil

-}

-

-func invalid(err error) error {

-	return errInvalidParameter{fmt.Errorf("invalid X-Registry-Auth header: %w", err)}

-}

-

-type errInvalidParameter struct{ error }

-

-func (errInvalidParameter) InvalidParameter() {}

-

-func (e errInvalidParameter) Cause() error { return e.error }

-

-func (e errInvalidParameter) Unwrap() error { return e.error }

deleted file mode 100644

@@ -1,190 +0,0 @@

-package registry

-

-import (

-	"encoding/base64"

-	"strings"

-	"testing"

-

-	"gotest.tools/v3/assert"

-	is "gotest.tools/v3/assert/cmp"

-)

-

-func TestDecodeAuthConfig(t *testing.T) {

-	tests := []struct {

-		doc         string

-		input       string

-		inputBase64 string

-		expected    AuthConfig

-		expectedErr string

-	}{

-		{

-			doc:         "empty",

-			input:       ``,

-			inputBase64: ``,

-			expected:    AuthConfig{},

-		},

-		{

-			doc:         "empty JSON",

-			input:       `{}`,

-			inputBase64: `e30=`,

-			expected:    AuthConfig{},

-		},

-		{

-			doc:         "malformed JSON",

-			input:       `{`,

-			inputBase64: `ew==`,

-			expected:    AuthConfig{},

-			expectedErr: `invalid X-Registry-Auth header: invalid JSON: unexpected EOF`,

-		},

-		{

-			doc:         "test authConfig",

-			input:       `{"username":"testuser","password":"testpassword","serveraddress":"example.com"}`,

-			inputBase64: `eyJ1c2VybmFtZSI6InRlc3R1c2VyIiwicGFzc3dvcmQiOiJ0ZXN0cGFzc3dvcmQiLCJzZXJ2ZXJhZGRyZXNzIjoiZXhhbXBsZS5jb20ifQ==`,

-			expected: AuthConfig{

-				Username:      "testuser",

-				Password:      "testpassword",

-				ServerAddress: "example.com",

-			},

-		},

-		{

-			// FIXME(thaJeztah): we should not accept multiple JSON documents.

-			doc:         "multiple authConfig",

-			input:       `{"username":"testuser","password":"testpassword","serveraddress":"example.com"}{"username":"testuser2","password":"testpassword2","serveraddress":"example.org"}`,

-			inputBase64: `eyJ1c2VybmFtZSI6InRlc3R1c2VyIiwicGFzc3dvcmQiOiJ0ZXN0cGFzc3dvcmQiLCJzZXJ2ZXJhZGRyZXNzIjoiZXhhbXBsZS5jb20ifXsidXNlcm5hbWUiOiJ0ZXN0dXNlcjIiLCJwYXNzd29yZCI6InRlc3RwYXNzd29yZDIiLCJzZXJ2ZXJhZGRyZXNzIjoiZXhhbXBsZS5vcmcifQ==`,

-			expected: AuthConfig{

-				Username:      "testuser",

-				Password:      "testpassword",

-				ServerAddress: "example.com",

-			},

-		},

-		// We currently only support base64url encoding with padding, so

-		// un-padded should produce an error.

-		//

-		// RFC4648, section 5: https://tools.ietf.org/html/rfc4648#section-5

-		// RFC4648, section 3.2: https://tools.ietf.org/html/rfc4648#section-3.2

-		{

-			doc:         "empty JSON no padding",

-			input:       `{}`,

-			inputBase64: `e30`,

-			expected:    AuthConfig{},

-			expectedErr: `invalid X-Registry-Auth header: must be a valid base64url-encoded string`,

-		},

-		{

-			doc:         "test authConfig",

-			input:       `{"username":"testuser","password":"testpassword","serveraddress":"example.com"}`,

-			inputBase64: `eyJ1c2VybmFtZSI6InRlc3R1c2VyIiwicGFzc3dvcmQiOiJ0ZXN0cGFzc3dvcmQiLCJzZXJ2ZXJhZGRyZXNzIjoiZXhhbXBsZS5jb20ifQ`,

-			expected:    AuthConfig{},

-			expectedErr: `invalid X-Registry-Auth header: must be a valid base64url-encoded string`,

-		},

-	}

-

-	for _, tc := range tests {

-		t.Run(tc.doc, func(t *testing.T) {

-			if tc.inputBase64 != "" {

-				// Sanity check to make sure our fixtures are correct.

-				b64 := base64.URLEncoding.EncodeToString([]byte(tc.input))

-				if !strings.HasSuffix(tc.inputBase64, "=") {

-					b64 = strings.TrimRight(b64, "=")

-				}

-				assert.Check(t, is.Equal(b64, tc.inputBase64))

-			}

-

-			out, err := DecodeAuthConfig(tc.inputBase64)

-			if tc.expectedErr != "" {

-				assert.Check(t, is.ErrorType(err, errInvalidParameter{}))

-				assert.Check(t, is.Error(err, tc.expectedErr))

-			} else {

-				assert.NilError(t, err)

-				assert.Equal(t, *out, tc.expected)

-			}

-		})

-	}

-}

-

-func TestEncodeAuthConfig(t *testing.T) {

-	tests := []struct {

-		doc       string

-		input     AuthConfig

-		outBase64 string

-		outPlain  string

-	}{

-		{

-			// Older daemons (or registries) may not handle an empty string,

-			// which resulted in an "io.EOF" when unmarshaling or decoding.

-			//

-			// FIXME(thaJeztah): find exactly what code-paths are impacted by this.

-			doc:       "empty",

-			input:     AuthConfig{},

-			outBase64: `e30=`,

-			outPlain:  `{}`,

-		},

-		{

-			doc: "test authConfig",

-			input: AuthConfig{

-				Username:      "testuser",

-				Password:      "testpassword",

-				ServerAddress: "example.com",

-			},

-			outBase64: `eyJ1c2VybmFtZSI6InRlc3R1c2VyIiwicGFzc3dvcmQiOiJ0ZXN0cGFzc3dvcmQiLCJzZXJ2ZXJhZGRyZXNzIjoiZXhhbXBsZS5jb20ifQ==`,

-			outPlain:  `{"username":"testuser","password":"testpassword","serveraddress":"example.com"}`,

-		},

-	}

-	for _, tc := range tests {

-		// Sanity check to make sure our fixtures are correct.

-		b64 := base64.URLEncoding.EncodeToString([]byte(tc.outPlain))

-		assert.Check(t, is.Equal(b64, tc.outBase64))

-

-		t.Run(tc.doc, func(t *testing.T) {

-			out, err := EncodeAuthConfig(tc.input)

-			assert.NilError(t, err)

-			assert.Equal(t, out, tc.outBase64)

-

-			authJSON, err := base64.URLEncoding.DecodeString(out)

-			assert.NilError(t, err)

-			assert.Equal(t, string(authJSON), tc.outPlain)

-		})

-	}

-}

-

-func BenchmarkDecodeAuthConfig(b *testing.B) {

-	cases := []struct {

-		doc         string

-		inputBase64 string

-		invalid     bool

-	}{

-		{

-			doc:         "empty",

-			inputBase64: ``,

-		},

-		{

-			doc:         "empty JSON",

-			inputBase64: `e30=`,

-		},

-		{

-			doc:         "valid",

-			inputBase64: base64.URLEncoding.EncodeToString([]byte(`{"username":"testuser","password":"testpassword","serveraddress":"example.com"}`)),

-		},

-		{

-			doc:         "invalid base64",

-			inputBase64: "not-base64",

-			invalid:     true,

-		},

-		{

-			doc:         "malformed JSON",

-			inputBase64: `ew==`,

-			invalid:     true,

-		},

-	}

-

-	for _, tc := range cases {

-		b.Run(tc.doc, func(b *testing.B) {

-			b.ReportAllocs()

-			for i := 0; i < b.N; i++ {

-				_, err := DecodeAuthConfig(tc.inputBase64)

-				if !tc.invalid && err != nil {

-					b.Fatal(err)

-				}

-			}

-		})

-	}

-}

@@ -11,6 +11,7 @@ import (

 	"github.com/containerd/log"

 	"github.com/distribution/reference"

 	gogotypes "github.com/gogo/protobuf/types"

+	"github.com/moby/moby/api/pkg/authconfig"

 	"github.com/moby/moby/api/types/container"

 	"github.com/moby/moby/api/types/registry"

 	"github.com/moby/moby/api/types/swarm"

@@ -230,7 +231,7 @@ func (c *Cluster) CreateService(s swarm.ServiceSpec, encodedAuth string, queryRe

 			authConfig := &registry.AuthConfig{}

 			if encodedAuth != "" {

 				var err error

-				authConfig, err = registry.DecodeAuthConfig(encodedAuth)

+				authConfig, err = authconfig.Decode(encodedAuth)

 				if err != nil {

 					log.G(ctx).Warnf("invalid authconfig: %v", err)

 				}

@@ -348,7 +349,7 @@ func (c *Cluster) UpdateService(serviceIDOrName string, version uint64, spec swa

 			authConfig := &registry.AuthConfig{}

 			if encodedAuth != "" {

 				var err error

-				authConfig, err = registry.DecodeAuthConfig(encodedAuth)

+				authConfig, err = authconfig.Decode(encodedAuth)

 				if err != nil {

 					log.G(ctx).Warnf("invalid authconfig: %v", err)

 				}

@@ -9,6 +9,7 @@ import (

 	"github.com/docker/distribution"

 	"github.com/docker/distribution/manifest/manifestlist"

 	"github.com/docker/distribution/manifest/schema2"

+	"github.com/moby/moby/api/pkg/authconfig"

 	"github.com/moby/moby/api/types/registry"

 	distributionpkg "github.com/moby/moby/v2/daemon/internal/distribution"

 	"github.com/moby/moby/v2/daemon/server/httputils"

@@ -42,7 +43,7 @@ func (dr *distributionRouter) getDistributionInfo(ctx context.Context, w http.Re

 	// For a search it is not an error if no auth was given. Ignore invalid

 	// AuthConfig to increase compatibility with the existing API.

-	authConfig, _ := registry.DecodeAuthConfig(r.Header.Get(registry.AuthHeader))

+	authConfig, _ := authconfig.Decode(r.Header.Get(registry.AuthHeader))

 	repos, err := dr.backend.GetRepositories(ctx, namedRef, authConfig)

 	if err != nil {

 		return err

@@ -12,6 +12,7 @@ import (

 	"github.com/containerd/platforms"

 	"github.com/distribution/reference"

+	"github.com/moby/moby/api/pkg/authconfig"

 	"github.com/moby/moby/api/pkg/progress"

 	"github.com/moby/moby/api/pkg/streamformatter"

 	"github.com/moby/moby/api/types/filters"

@@ -101,7 +102,7 @@ func (ir *imageRouter) postImagesCreate(ctx context.Context, w http.ResponseWrit

 		// AuthConfig to increase compatibility with the existing API.

 		//

 		// TODO(thaJeztah): accept empty values but return an error when failing to decode.

-		authConfig, _ := registry.DecodeAuthConfig(r.Header.Get(registry.AuthHeader))

+		authConfig, _ := authconfig.Decode(r.Header.Get(registry.AuthHeader))

 		progressErr = ir.backend.PullImage(ctx, ref, platform, metaHeaders, authConfig, output)

 	} else { // import

 		src := r.Form.Get("fromSrc")

@@ -170,7 +171,7 @@ func (ir *imageRouter) postImagesPush(ctx context.Context, w http.ResponseWriter

 	// to increase compatibility with the existing API.

 	//

 	// TODO(thaJeztah): accept empty values but return an error when failing to decode.

-	authConfig, _ := registry.DecodeAuthConfig(r.Header.Get(registry.AuthHeader))

+	authConfig, _ := authconfig.Decode(r.Header.Get(registry.AuthHeader))

 	output := ioutils.NewWriteFlusher(w)

 	defer output.Close()

@@ -554,7 +555,7 @@ func (ir *imageRouter) getImagesSearch(ctx context.Context, w http.ResponseWrite

 	// For a search it is not an error if no auth was given. Ignore invalid

 	// AuthConfig to increase compatibility with the existing API.

-	authConfig, _ := registry.DecodeAuthConfig(r.Header.Get(registry.AuthHeader))

+	authConfig, _ := authconfig.Decode(r.Header.Get(registry.AuthHeader))

 	headers := http.Header{}

 	for k, v := range r.Header {

@@ -7,6 +7,7 @@ import (

 	"strings"

 	"github.com/distribution/reference"

+	"github.com/moby/moby/api/pkg/authconfig"

 	"github.com/moby/moby/api/pkg/streamformatter"

 	"github.com/moby/moby/api/types/filters"

 	"github.com/moby/moby/api/types/plugin"

@@ -26,7 +27,7 @@ func parseHeaders(headers http.Header) (map[string][]string, *registry.AuthConfi

 	}

 	// Ignore invalid AuthConfig to increase compatibility with the existing API.

-	authConfig, _ := registry.DecodeAuthConfig(headers.Get(registry.AuthHeader))

+	authConfig, _ := authconfig.Decode(headers.Get(registry.AuthHeader))

 	return metaHeaders, authConfig

 }

@@ -8,6 +8,7 @@ import (

 	"time"

 	"github.com/containerd/log"

+	"github.com/moby/moby/api/pkg/authconfig"

 	buildtypes "github.com/moby/moby/api/types/build"

 	"github.com/moby/moby/api/types/events"

 	"github.com/moby/moby/api/types/filters"

@@ -373,9 +374,7 @@ func (s *systemRouter) getEvents(ctx context.Context, w http.ResponseWriter, r *

 }

 func (s *systemRouter) postAuth(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {

-	var config *registry.AuthConfig

-	err := json.NewDecoder(r.Body).Decode(&config)

-	r.Body.Close()

+	config, err := authconfig.DecodeRequestBody(r.Body)

 	if err != nil {

 		return err

 	}

new file mode 100644

@@ -0,0 +1,92 @@

+package authconfig

+

+import (

+	"bytes"

+	"encoding/base64"

+	"encoding/json"

+	"errors"

+	"fmt"

+	"io"

+

+	"github.com/moby/moby/api/types/registry"

+)

+

+// Encode serializes the auth configuration as a base64url encoded

+// ([RFC4648, section 5]) JSON string for sending through the X-Registry-Auth header.

+//

+// [RFC4648, section 5]: https://tools.ietf.org/html/rfc4648#section-5

+func Encode(authConfig registry.AuthConfig) (string, error) {

+	// Older daemons (or registries) may not handle an empty string,

+	// which resulted in an "io.EOF" when unmarshaling or decoding.

+	//

+	// FIXME(thaJeztah): find exactly what code-paths are impacted by this.

+	// if authConfig == (AuthConfig{}) { return "", nil }

+	buf, err := json.Marshal(authConfig)

+	if err != nil {

+		return "", errInvalidParameter{err}

+	}

+	return base64.URLEncoding.EncodeToString(buf), nil

+}

+

+// Decode decodes base64url encoded ([RFC4648, section 5]) JSON

+// authentication information as sent through the X-Registry-Auth header.

+//

+// This function always returns an [AuthConfig], even if an error occurs. It is up

+// to the caller to decide if authentication is required, and if the error can

+// be ignored.

+//

+// [RFC4648, section 5]: https://tools.ietf.org/html/rfc4648#section-5

+func Decode(authEncoded string) (*registry.AuthConfig, error) {

+	if authEncoded == "" {

+		return &registry.AuthConfig{}, nil

+	}

+

+	decoded, err := base64.URLEncoding.DecodeString(authEncoded)

+	if err != nil {

+		var e base64.CorruptInputError

+		if errors.As(err, &e) {

+			return &registry.AuthConfig{}, invalid(errors.New("must be a valid base64url-encoded string"))

+		}

+		return &registry.AuthConfig{}, invalid(err)

+	}

+

+	if bytes.Equal(decoded, []byte("{}")) {

+		return &registry.AuthConfig{}, nil

+	}

+

+	return decode(bytes.NewReader(decoded))

+}

+

+// DecodeRequestBody decodes authentication information as sent as JSON in the

+// body of a request. This function is to provide backward compatibility with old

+// clients and API versions. Current clients and API versions expect authentication

+// to be provided through the X-Registry-Auth header.

+//

+// Like [Decode], this function always returns an [AuthConfig], even if an

+// error occurs. It is up to the caller to decide if authentication is required,

+// and if the error can be ignored.

+func DecodeRequestBody(r io.ReadCloser) (*registry.AuthConfig, error) {

+	return decode(r)

+}

+

+func decode(r io.Reader) (*registry.AuthConfig, error) {

+	authConfig := &registry.AuthConfig{}

+	if err := json.NewDecoder(r).Decode(authConfig); err != nil {

+		// always return an (empty) AuthConfig to increase compatibility with

+		// the existing API.

+		return &registry.AuthConfig{}, invalid(fmt.Errorf("invalid JSON: %w", err))

+	}

+	return authConfig, nil

+}

+

+func invalid(err error) error {

+	return errInvalidParameter{fmt.Errorf("invalid X-Registry-Auth header: %w", err)}

+}

+

+type errInvalidParameter struct{ error }

+

+func (errInvalidParameter) InvalidParameter() {}

+

+func (e errInvalidParameter) Cause() error { return e.error }

+

+func (e errInvalidParameter) Unwrap() error { return e.error }

@@ -1,14 +1,6 @@

 package registry

-import (

-	"bytes"

-	"context"

-	"encoding/base64"

-	"encoding/json"

-	"errors"

-	"fmt"

-	"io"

-)

+import "context"

 // AuthHeader is the name of the header used to send encoded registry

 // authorization credentials for registry operations (push/pull).

@@ -46,85 +38,3 @@ type AuthConfig struct {

 	// RegistryToken is a bearer token to be sent to a registry

 	RegistryToken string `json:"registrytoken,omitempty"`

 }

-

-// EncodeAuthConfig serializes the auth configuration as a base64url encoded

-// ([RFC4648, section 5]) JSON string for sending through the X-Registry-Auth header.

-//

-// [RFC4648, section 5]: https://tools.ietf.org/html/rfc4648#section-5

-func EncodeAuthConfig(authConfig AuthConfig) (string, error) {

-	// Older daemons (or registries) may not handle an empty string,

-	// which resulted in an "io.EOF" when unmarshaling or decoding.

-	//

-	// FIXME(thaJeztah): find exactly what code-paths are impacted by this.

-	// if authConfig == (AuthConfig{}) { return "", nil }

-	buf, err := json.Marshal(authConfig)

-	if err != nil {

-		return "", errInvalidParameter{err}

-	}

-	return base64.URLEncoding.EncodeToString(buf), nil

-}

-

-// DecodeAuthConfig decodes base64url encoded ([RFC4648, section 5]) JSON

-// authentication information as sent through the X-Registry-Auth header.

-//

-// This function always returns an [AuthConfig], even if an error occurs. It is up

-// to the caller to decide if authentication is required, and if the error can

-// be ignored.

-//

-// [RFC4648, section 5]: https://tools.ietf.org/html/rfc4648#section-5

-func DecodeAuthConfig(authEncoded string) (*AuthConfig, error) {

-	if authEncoded == "" {

-		return &AuthConfig{}, nil

-	}

-

-	decoded, err := base64.URLEncoding.DecodeString(authEncoded)

-	if err != nil {

-		var e base64.CorruptInputError

-		if errors.As(err, &e) {

-			return &AuthConfig{}, invalid(errors.New("must be a valid base64url-encoded string"))

-		}

-		return &AuthConfig{}, invalid(err)

-	}

-

-	if bytes.Equal(decoded, []byte("{}")) {

-		return &AuthConfig{}, nil

-	}

-

-	return decodeAuthConfigFromReader(bytes.NewReader(decoded))

-}

-

-// DecodeAuthConfigBody decodes authentication information as sent as JSON in the

-// body of a request. This function is to provide backward compatibility with old

-// clients and API versions. Current clients and API versions expect authentication

-// to be provided through the X-Registry-Auth header.

-//

-// Like [DecodeAuthConfig], this function always returns an [AuthConfig], even if an

-// error occurs. It is up to the caller to decide if authentication is required,

-// and if the error can be ignored.

-//

-// Deprecated: this function is no longer used and will be removed in the next release.

-func DecodeAuthConfigBody(rdr io.ReadCloser) (*AuthConfig, error) {

-	return decodeAuthConfigFromReader(rdr)

-}

-

-func decodeAuthConfigFromReader(rdr io.Reader) (*AuthConfig, error) {

-	authConfig := &AuthConfig{}