fix: unify access_token/accessToken and refresh_token/refreshToken credential keys

[matthiasbruns]

What this PR does / why we need it

The OCI resource repository (resource_repository.go) used snake_case credential keys (access_token, refresh_token) while the rest of the codebase—including docker_config.go and the component version repository path—uses camelCase (accessToken, refreshToken). This mismatch caused silent authentication failures when tokens from Docker config (which produces camelCase keys) were used for OCI resource downloads.

This PR:

• Updates clientCredentials() in resource_repository.go to use the canonical CredentialKey* constants (camelCase) as the primary keys
• Updates CredentialFunc() in docker_config.go to also accept legacy snake_case keys
• Adds LegacyCredentialKeyAccessToken and LegacyCredentialKeyRefreshToken constants (marked deprecated) so legacy keys are not scattered as string literals
• Falls back to the legacy snake_case keys for backward compatibility, with camelCase taking precedence when both are present

Which issue(s) this PR fixes

Fixes open-component-model/ocm-project#985

Testing

How to test the changes

1. Run unit tests: go test ./bindings/go/oci/credentials/... ./bindings/go/oci/repository/resource/...
2. Verify that credentials with camelCase keys (accessToken, refreshToken) are correctly resolved in both the component version and resource repository paths
3. Verify that credentials with legacy snake_case keys (access_token, refresh_token) still work for backward compatibility

Verification

• I have added/updated tests for my changes (see Test Requirements)
• Tests pass locally (task test and task test/integration if applicable)
• If touching multiple modules, go work is enabled (see go.work)
• My changes do not decrease test coverage
• I have tested the changes locally by running ocm

[netlify]

✅ Deploy Preview for ocm-website ready!

Name	Link
🔨 Latest commit	6743b1e
🔍 Latest deploy log	https://app.netlify.com/projects/ocm-website/deploys/69ef4f938e531400087aec06
😎 Deploy Preview	https://deploy-preview-2383--ocm-website.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[coderabbitai]

Warning

Rate limit exceeded

@matthiasbruns has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 58 minutes and 6 seconds before requesting another review.

To keep reviews running without waiting, you can enable usage-based add-on for your organization. This allows additional reviews beyond the hourly cap. Account admins can enable it under billing.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 43c19dae-eb38-435e-9801-bde1e68e03e0

📥 Commits

Reviewing files that changed from the base of the PR and between 34196bd and 6743b1e.

📒 Files selected for processing (3)

• bindings/go/oci/credentials/docker_config.go
• bindings/go/oci/credentials/docker_config_test.go
• bindings/go/oci/repository/resource/resource_repository.go

📝 Walkthrough

Walkthrough

The PR unifies credential key handling across OCI credential consumers by introducing legacy snake_case token key support with camelCase precedence. Changes standardize token access in the resource repository to match docker config behavior while maintaining backward compatibility through fallback mechanisms.

Changes

Cohort / File(s)	Summary
Docker Config Credentials bindings/go/oci/credentials/docker_config.go, bindings/go/oci/credentials/docker_config_test.go	Added deprecated legacy snake_case constants (access_token, refresh_token) and extended CredentialFunc to prefer camelCase keys (accessToken, refreshToken) with fallback to snake_case keys. Test suite expanded to validate legacy key support and camelCase precedence behavior.
OCI Resource Repository bindings/go/oci/repository/resource/resource_repository.go, bindings/go/oci/repository/resource/resource_repository_test.go	Updated clientCredentials to use standardized credential-map keys from ocicredentials package instead of hardcoded strings, implementing camelCase-first fallback to snake_case for tokens. Added comprehensive test coverage validating empty credentials, canonical key mapping, legacy key support, and explicit key precedence.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• #2060 — Modifies the same CredentialFunc in docker_config.go for host:port error handling, requiring coordination with legacy key fallback logic.
• #2055 — Touches OCI credential handling for accessToken/refreshToken mapping in basic-auth, overlaps with token unification scope.

Suggested labels

kind/bugfix, size/m

Suggested reviewers

• frewilhelm
• piotrjanik

Poem

🐰 Hippity-hop through token keys so grand,
CamelCase and snake_case, hand in hand,
Backward compat—we've got it all,
Fallback logic answers the call!
Unified credentials, standing tall! 🥕

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 20.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly identifies the main change: unifying credential key formats (access_token/accessToken and refresh_token/refreshToken) across the codebase, which directly matches the primary objective of the PR.
Description check	✅ Passed	The description comprehensively explains the problem (key mismatch between resource repository and docker config), the solution (using canonical camelCase keys with fallback to legacy snake_case), and includes testing instructions, all of which relate directly to the changeset.
Linked Issues check	✅ Passed	The PR successfully addresses issue #985 by unifying credential key usage: using canonical camelCase keys as primary [CredentialKey*], accepting legacy snake_case keys as fallbacks, and adding deprecated constants to centralize legacy key usage with camelCase taking precedence.
Out of Scope Changes check	✅ Passed	All changes are scoped to the credential key unification objective: modifications to docker_config.go, resource_repository.go, and their corresponding test files to support both key formats with proper precedence.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

bindings/go/oci/repository/resource/resource_repository_test.go (1)

84-89: Nit: use credential key constants for consistency.

The surrounding test cases reference credential keys via ocicredentials.CredentialKey* constants, but this case hardcodes "username" and "password" as string literals. Aligning them avoids silent breakage if any constant value ever changes.

♻️ Proposed refactor

 			credentials: map[string]string{
-				"username":      "user",
-				"password":      "pass",
-				ocicredentials.LegacyCredentialKeyAccessToken:  "atoken",
-				ocicredentials.LegacyCredentialKeyRefreshToken: "rtoken",
+				ocicredentials.CredentialKeyUsername:           "user",
+				ocicredentials.CredentialKeyPassword:           "pass",
+				ocicredentials.LegacyCredentialKeyAccessToken:  "atoken",
+				ocicredentials.LegacyCredentialKeyRefreshToken: "rtoken",
 			},

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@bindings/go/oci/repository/resource/resource_repository_test.go` around lines
84 - 89, Replace the hardcoded "username" and "password" keys in the test
credentials map with the corresponding constants from ocicredentials (e.g.,
ocicredentials.CredentialKeyUsername and ocicredentials.CredentialKeyPassword)
so the test uses the same canonical keys as other cases (leave the existing uses
of ocicredentials.LegacyCredentialKeyAccessToken and
LegacyCredentialKeyRefreshToken unchanged).

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@bindings/go/oci/credentials/docker_config.go`:
- Around line 32-37: The deprecated notices for LegacyCredentialKeyAccessToken
and LegacyCredentialKeyRefreshToken must be in their own paragraph for
godoc/gocritic; update the comments above LegacyCredentialKeyAccessToken and
LegacyCredentialKeyRefreshToken by inserting a blank comment line before each
"Deprecated:" line so the "Deprecated:" sentence is separated into its own
paragraph (leave the existing explanatory sentence above intact and only add the
blank comment line immediately before the Deprecated: clause).

---

Nitpick comments:
In `@bindings/go/oci/repository/resource/resource_repository_test.go`:
- Around line 84-89: Replace the hardcoded "username" and "password" keys in the
test credentials map with the corresponding constants from ocicredentials (e.g.,
ocicredentials.CredentialKeyUsername and ocicredentials.CredentialKeyPassword)
so the test uses the same canonical keys as other cases (leave the existing uses
of ocicredentials.LegacyCredentialKeyAccessToken and
LegacyCredentialKeyRefreshToken unchanged).

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 089faf03-3153-4523-9da2-c518323210a8

📥 Commits

Reviewing files that changed from the base of the PR and between 565db42 and 34196bd.

📒 Files selected for processing (4)

• bindings/go/oci/credentials/docker_config.go
• bindings/go/oci/credentials/docker_config_test.go
• bindings/go/oci/repository/resource/resource_repository.go
• bindings/go/oci/repository/resource/resource_repository_test.go

[piotrjanik]

LGTM. Two nits.