Support hierarchical credentials on AuthStore (per namespace, per repository etc) #588

Merged
jonesbusy merged 4 commits into main from copilot/support-hierarchical-credentials
Feb 23, 2026
Contributor

Copilot AI commented Feb 23, 2026

Description

Implements hierarchical credential lookup in AuthStore following containers-auth.json(5) semantics (podman/buildah behavior). Previously only exact registry matches were supported; now credentials are resolved from most-specific to least-specific path.

For my-registry.local/namespace/user/image:latest, lookup order is:

my-registry.local/namespace/user/image
my-registry.local/namespace/user
my-registry.local/namespace
my-registry.local

AuthStore.Config.getCredential() — replaced the single credentialStore.get(registry) call with an iterative hierarchical lookup:

  • Builds the initial lookup key via registry + "/" + containerRef.getFullRepository()
  • Iterates with while (!key.equals(registry)), checking credentialStore at each level and stripping one path segment per iteration
  • Once the loop exits, checks the registry-level key in credentialStore
  • Credential helper lookups (credentialHelperStore) are only performed at the registry level — never during the hierarchical path traversal
  • Falls through to the all-registries helper as before

Testing done

New unit tests in AuthStoreTest using a config with multi-level credential keys:

| Test | Scenario |
| --- | --- |
| testHierarchicalCredentialLookupMostSpecific | Exact full-path match wins |
| testHierarchicalCredentialLookupNamespaceOnly | Falls back to namespace-level credential (my-registry.local/namespace) |
| testHierarchicalCredentialLookupFallsBackToRegistry | Falls back to registry-level credential |
| testHierarchicalCredentialLookupRegistryOnly | No-namespace reference falls back to registry |
| testHierarchicalCredentialLookupNoMatch | Unknown registry returns null |

Submitter checklist

  • I have read and understood the CONTRIBUTING guide
  • I have run mvn license:update-file-header, mvn spotless:apply, pre-commit run -a, mvn clean install before opening the PR
Original prompt

This section details on the original issue you should resolve

<issue_title>Support for hierarchical credentials on AuthStore</issue_title>
<issue_description>See https://man.archlinux.org/man/containers-auth.json.5

When checking for available credentials, the relevant repository is matched against available keys in its hierarchical order, going from most-specific to least-specific. For example, an image pull for my-registry.local/namespace/user/image:latest will result in a lookup in auth.json in the following order:

my-registry.local/namespace/user/image
my-registry.local/namespace/user
my-registry.local/namespace
my-registry.local

Method public @Nullable Credential getCredential(ContainerRef containerRef) needs to be adapted

We cannot anymore check by only the registry

String registry = containerRef.getRegistry();
Credential cred = credentialStore.get(registry);
if (cred != null) {
    return cred;
}

No need to support credentials help</issue_description>

<agent_instructions>On the Credential getCredential(ContainerRef containerRef) method we need to support the same logic of podman/buildah.

The most relevant credential is taken first.

Right now the SDK only checks for an exact match of the registry.

Can you add a private method that selects the most relevant Credentials (or null if nothing is found).

And replace at Credential cred = credentialStore.get(registry);

Tests need to be implemented on AuthStoreTest (no need to touch other classes, I will just rely on non-regression)
</agent_instructions>

Comments on the Issue (you are @copilot in this section)


Co-authored-by: jonesbusy <825750+jonesbusy@users.noreply.github.com>
Copilot AI changed the title [WIP] Support for hierarchical credentials in AuthStore Support hierarchical credentials on AuthStore Feb 23, 2026
Copilot AI requested a review from jonesbusy February 23, 2026 12:17
@jonesbusy
Collaborator

jonesbusy commented Feb 23, 2026

@copilot

I also want you to complete the test with only the namespace

"my-registry.local/namespace/user/image": {
    "auth": "...."
},

Can you also try to rely on existing methods of ContainerRef like getFullRepository that should return the image repository including the namespace if any (no need to expose namespace var on the credential store)

When changing code you need to make sure to apply spotless (mvn spotless:apply). This fails the build, but at least it doesn't cause any regression on other tests

The getHierarchicalKeys is also quite confusing. I'm not sure if it's a good idea to assemble lookup keys.

Cannot we take

  • Build the container reference (without tag or digest using the getFullRepository)
  • Check exact match
  • If not found remove one segment
  • Iterate until we have the registry (no other segment)

This looks better than returning a list of keys to check

…etFullRepository

Co-authored-by: jonesbusy <825750+jonesbusy@users.noreply.github.com>
@codecov

codecov bot commented Feb 23, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 88.69%. Comparing base (2941219) to head (ec3c13c).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files
@@             Coverage Diff              @@
##               main     #588      +/-   ##
============================================
+ Coverage     88.44%   88.69%   +0.25%     
+ Complexity      815      812       -3     
============================================
  Files            42       42              
  Lines          2405     2414       +9     
  Branches        295      297       +2     
============================================
+ Hits           2127     2141      +14     
+ Misses          168      161       -7     
- Partials        110      112       +2     


@jonesbusy
Collaborator

@copilot This is better.

The while(true) is risky. I would prefer adding a condition (like no / anymore, then we can fall back to the registry only)

Also we only need to check on credentialStore. Never on credentialHelperStore that only use registry

Can you update the PR

…dentialStore hierarchically

Co-authored-by: jonesbusy <825750+jonesbusy@users.noreply.github.com>
Contributor Author

Copilot AI commented Feb 23, 2026

@copilot This is better.

The while(true) is risky. I would prefer adding a condition (like no / anymore, then we can fall back to the registry only)
...

Done in ec3c13c:

  • Replaced while(true) with while (!key.equals(registry)) — terminates explicitly when the key reaches the registry level
  • The hierarchical loop now only checks credentialStore; credential helper lookups are kept at registry level only (registry-scoped helper, then all-registries helper)
  • Renamed the second cred variable to registryCred to avoid shadowing
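
The lookup order described in this thread, as an added standalone example (not the code merged in this PR and not the SDK's AuthStore). The class and method names are hypothetical, a plain Map stands in for credentialStore, and the store entries are constructed placeholder labels.

```java
import java.util.HashMap;
import java.util.Map;

// Added illustration; not the SDK's AuthStore. Class and method names are hypothetical.
public class HierarchicalLookupExample {

    /** Returns the most specific credential for registry/repository, or null if none. */
    static String resolve(Map<String, String> credentialStore, String registry, String repository) {
        String key = registry + "/" + repository;
        // Walk from the full repository path towards the registry, one segment at a time.
        while (!key.equals(registry)) {
            String cred = credentialStore.get(key);
            if (cred != null) {
                return cred;
            }
            int slash = key.lastIndexOf('/');
            if (slash < registry.length()) {
                break; // defensive: never strip into the registry host itself
            }
            key = key.substring(0, slash);
        }
        // Registry-level entry is checked last; credential helpers would only be consulted here.
        return credentialStore.get(registry);
    }

    public static void main(String[] args) {
        // Constructed sample store; values are placeholder labels, not real auth data.
        Map<String, String> store = new HashMap<>();
        store.put("my-registry.local/namespace/user/image", "cred-image");
        store.put("my-registry.local/namespace", "cred-namespace");
        store.put("my-registry.local", "cred-registry");
        String reg = "my-registry.local";

        String[][] cases = {
            {reg, "namespace/user/image"},   // exact full-path key
            {reg, "namespace/user/other"},   // no user-level key: namespace key applies
            {reg, "namespace-other/image"},  // shares a string prefix with "namespace" only
            {reg, "image"},                  // no namespace: registry key applies
            {"unknown.local", "image"},      // nothing configured
        };
        for (String[] c : cases) {
            System.out.println(c[0] + "/" + c[1] + " -> " + resolve(store, c[0], c[1]));
        }
    }
}
```

Because keys are compared whole after each segment is stripped, `namespace-other/image` resolves to the registry-level entry rather than the `namespace` one, so a namespace-scoped credential is not offered to a sibling namespace that merely shares a string prefix.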

@jonesbusy jonesbusy changed the title Support hierarchical credentials on AuthStore Support hierarchical credentials on AuthStore (per namespace, per repository etc) Feb 23, 2026
@jonesbusy jonesbusy marked this pull request as ready for review February 23, 2026 13:05
@jonesbusy jonesbusy added the enhancement New feature or request label Feb 23, 2026
@jonesbusy jonesbusy merged commit 202cad1 into main Feb 23, 2026
13 checks passed
@jonesbusy jonesbusy deleted the copilot/support-hierarchical-credentials branch February 23, 2026 13:09