Fix update HEAD action detection from BearerAuthenticationFilter The bearer authentication filter previously used the wrong regex when detecting the incoming request URI, so that, instead of being associated with the pull-replication API, it got associated with Gerrit's PUT /<project>/HEAD invoked by the GUI. Align the two expressions and make the bearer token filter consistent with the normal pull-replication filter and REST-API detection. Bug: Issue 302436272 Change-Id: Ic63db73b29b11d2f66b41c936fc315525f11b664
diff --git a/src/main/java/com/googlesource/gerrit/plugins/replication/pull/api/BearerAuthenticationFilter.java b/src/main/java/com/googlesource/gerrit/plugins/replication/pull/api/BearerAuthenticationFilter.java
index 8147149..e491964 100644
--- a/src/main/java/com/googlesource/gerrit/plugins/replication/pull/api/BearerAuthenticationFilter.java
+++ b/src/main/java/com/googlesource/gerrit/plugins/replication/pull/api/BearerAuthenticationFilter.java
@@ -82,7 +82,8 @@ if (isBasicAuthenticationRequest(requestURI)) { filterChain.doFilter(servletRequest, servletResponse); - } else if (isPullReplicationApiRequest(requestURI) || isGitUploadPackRequest(httpRequest)) { + } else if (isPullReplicationApiRequest(httpRequest.getMethod(), requestURI) + || isGitUploadPackRequest(httpRequest)) { Optional<String> authorizationHeader = Optional.ofNullable(httpRequest.getHeader("Authorization")); @@ -119,14 +120,15 @@ return requestURI.startsWith("/a/"); } - private boolean isPullReplicationApiRequest(String requestURI) { + private boolean isPullReplicationApiRequest(String requestMethod, String requestURI) { return (requestURI.contains(pluginName) && (requestURI.endsWith(String.format("/%s~apply-object", pluginName)) || requestURI.endsWith(String.format("/%s~apply-objects", pluginName)) || requestURI.endsWith(String.format("/%s~fetch", pluginName)) || requestURI.endsWith(String.format("/%s~delete-project", pluginName)) || requestURI.contains(String.format("/%s/init-project/", pluginName)))) - || requestURI.matches(".*/projects/[^/]+/HEAD"); + || (requestURI.matches(String.format(".*/projects/[^/]+/%s~HEAD", pluginName)) + && "PUT".equals(requestMethod)); } private Optional<String> extractBearerToken(String authorizationHeader) {
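Review bot: In `isPullReplicationApiRequest`, `pluginName` is spliced into the regex given to `requestURI.matches(...)` without quoting, so any regex metacharacter in the plugin name (a `.`, for example) would widen the set of URIs handed to bearer-token authentication. Because this predicate decides which authentication path a request takes, the match should be literal: `requestURI.matches(String.format(".*/projects/[^/]+/%s~HEAD", Pattern.quote(pluginName)))`, with `"PUT".equals(requestMethod) &&` placed first so the regex only runs for PUT requests. `Pattern` is `java.util.regex.Pattern`; the import block is outside this hunk, so the import may need adding. The other endpoints in the same expression are still matched for any HTTP method; if the REST-API side restricts them by method, the same restriction would belong here too.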
diff --git a/src/test/java/com/googlesource/gerrit/plugins/replication/pull/api/BearerAuthenticationFilterTest.java b/src/test/java/com/googlesource/gerrit/plugins/replication/pull/api/BearerAuthenticationFilterTest.java
index 824496a..9831d6c 100644
--- a/src/test/java/com/googlesource/gerrit/plugins/replication/pull/api/BearerAuthenticationFilterTest.java
+++ b/src/test/java/com/googlesource/gerrit/plugins/replication/pull/api/BearerAuthenticationFilterTest.java
@@ -53,6 +53,12 @@ @Mock private FilterChain filterChain; private final String pluginName = "pull-replication"; + private void authenticateAndFilter(String method, String uri, Optional<String> queryStringMaybe) + throws ServletException, IOException { + when(httpServletRequest.getMethod()).thenReturn(method); + authenticateAndFilter(uri, queryStringMaybe); + } + private void authenticateAndFilter(String uri, Optional<String> queryStringMaybe) throws ServletException, IOException { final String bearerToken = "some-bearer-token"; @@ -98,7 +104,8 @@ @Test public void shouldAuthenticateWhenUpdateHead() throws ServletException, IOException { - authenticateAndFilter("any-prefix/projects/my-project/HEAD", NO_QUERY_PARAMETERS); + authenticateAndFilter( + "PUT", "any-prefix/projects/my-project/pull-replication~HEAD", NO_QUERY_PARAMETERS); } @Test
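Review bot: `shouldAuthenticateWhenUpdateHead` now covers only the positive case, so nothing in this test class pins the behaviour the commit actually fixes. A negative test that a `PUT` to `any-prefix/projects/my-project/HEAD` (Gerrit's own endpoint) is not handled by bearer-token authentication, and another that a non-`PUT` method on `any-prefix/projects/my-project/pull-replication~HEAD` is not, would keep the filter and the REST-API detection from drifting apart again. Which assertions express "not bearer-authenticated" depends on the mocks and helpers defined outside this hunk.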