
@alessandro-verzicco
Contributor

Problem

When the Docker Compose client sends authentication headers, it may send X-Registry-Auth: e30= (which decodes to {}), representing an empty JSON object. Currently, Podman checks if the authentication header is empty or null, but doesn't handle the case where the header contains an empty JSON object with credentials. This prevents Podman from falling back to using authentication files on the filesystem.
I noticed this issue when I started using the testcontainers-go compose module in a CI environment that has no direct internet access and has Podman configured with mirrors that require authentication. Since the compose client is not aware of mirrors, it does not set the proper value for X-Registry-Auth (for example, the compose client thinks that the image is being pulled from docker.io while the correct hostname should be that of the mirror). Basically, the Docker Compose client doesn't have the full context, and it's better to rely on Podman selecting the proper authentication token based on the mirror hostname.

Solution

This PR extends the authentication header parsing logic to detect and handle empty JSON objects in authentication headers. When an empty authentication configuration is detected (empty username and password), Podman now properly falls back to using the authentication files stored on the filesystem instead of attempting to use the empty header value.

Changes

pkg/auth/auth.go

  • Updated authentication header parsing to detect empty credential objects
  • Added logic to treat empty authentication configurations (empty username/password) the same as null or missing headers
  • Ensures fallback to filesystem authentication when credentials are empty

pkg/auth/auth_test.go

  • Added test case to verify that empty JSON object authentication headers are handled correctly
  • Added tests confirming that authentication properly falls back to filesystem config when empty credentials are provided
  • Ensured backward compatibility with existing authentication flows

Testing

  • Added unit tests covering the empty JSON object scenario
  • Verified that authentication falls back to filesystem config when X-Registry-Auth: e30= is sent
  • Ensured backward compatibility with existing authentication flows

Compatibility

This change maintains compatibility with Docker Compose and other Docker-compatible clients that send empty authentication objects while expecting Podman to use local credentials stored in authentication files.

Checklist

Ensure you have completed the following checklist for your pull request to be reviewed:

  • Certify you wrote the patch or otherwise have the right to pass it on as an open-source patch by signing all
    commits. (git commit -s). (If needed, use git commit -s --amend). The author email must match
    the sign-off email address. See CONTRIBUTING.md
    for more information.
  • Referenced issues using Fixes: #00000 in commit message (if applicable)
  • Tests have been added/updated (or no tests are needed)
  • Documentation has been updated (or no documentation changes are needed)
  • All commits pass make validatepr (format/lint checks)
  • Release note entered in the section below (or None if no user-facing changes)

Does this PR introduce a user-facing change?

None

Signed-off-by: Alessandro Verzicco <152161683+alessandro-verzicco@users.noreply.github.com>
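
The fallback decision described in this PR, sketched as an added Go example; it is not Podman's code from pkg/auth/auth.go. The names `authConfig` and `resolveAuth` are hypothetical, and returning an error for a malformed header (rather than silently falling back to the auth file) is a choice made for this example.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// authConfig is a hypothetical, minimal credential shape for this example.
type authConfig struct {
	Username string `json:"username"`
	Password string `json:"password"`
}

// resolveAuth decodes an X-Registry-Auth value. The bool result is true when
// the header carries no credentials and the caller should use the auth file.
func resolveAuth(header string) (authConfig, bool, error) {
	header = strings.TrimSpace(header)
	if header == "" || header == "null" {
		return authConfig{}, true, nil // missing or null header
	}
	raw, err := base64.URLEncoding.DecodeString(header)
	if err != nil {
		return authConfig{}, false, fmt.Errorf("X-Registry-Auth: bad base64: %w", err)
	}
	var creds authConfig
	if err := json.Unmarshal(raw, &creds); err != nil {
		return authConfig{}, false, fmt.Errorf("X-Registry-Auth: bad JSON: %w", err)
	}
	if creds.Username == "" && creds.Password == "" {
		return authConfig{}, true, nil // e.g. "e30=", which decodes to {}
	}
	return creds, false, nil
}

func main() {
	// Constructed sample values; the credentials are placeholders.
	full := base64.URLEncoding.EncodeToString(
		[]byte(`{"username":"ci-user","password":"constructed-secret"}`))
	for _, h := range []string{"", "e30=", full, "%%%"} {
		creds, useFile, err := resolveAuth(h)
		fmt.Printf("header=%q user=%q useFile=%v err=%v\n", h, creds.Username, useFile, err)
	}
}
```

Keeping "no credentials supplied" distinct from "header could not be parsed" means a client that intended to send credentials never ends up authenticated with the host's stored ones by accident.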
@mheon
Member

mheon commented Nov 6, 2025

/approve
LGTM

@openshift-ci
Contributor

openshift-ci bot commented Nov 6, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: alessandro-verzicco, mheon

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the "approved" label (Indicates a PR has been approved by an approver from all required OWNERS files.) Nov 6, 2025
@baude
Member

baude commented Nov 6, 2025

/lgtm

@openshift-ci openshift-ci bot added the "lgtm" label (Indicates that a PR is ready to be merged.) Nov 6, 2025
@openshift-merge-bot openshift-merge-bot bot merged commit 905721c into containers:main Nov 6, 2025
78 of 79 checks passed
@alessandro-verzicco alessandro-verzicco deleted the ignore-auth-json-empty branch November 7, 2025 13:56

Labels

  • approved: Indicates a PR has been approved by an approver from all required OWNERS files.
  • lgtm: Indicates that a PR is ready to be merged.
  • release-note-none
