Add function to set custom auth scope in context

Currently auth.docker.io uses a custom auth scope for (docker) plugins
`repository(plugin):<repo>:<perms>`.
This makes it impossible to use containerd distribution tooling to fetch
plugins without also supplying a totally custom authorizer.

This changes allows clients to set the correct scope on the context.
It's a little bit nasty but "works".

I'm also a bit suspect of some a couple of these unexported context
functrions. Before the primary one used `contextWithRepositoryScope`
overwrites any scope value and there is another one that appends the
scope value.
With this change they both append...

Signed-off-by: Brian Goff <cpuguy83@gmail.com>

remotes/docker/scope_test.go

@@ -22,6 +22,7 @@ import (
 
 	"github.com/containerd/containerd/reference"
 	"gotest.tools/assert"
+	"gotest.tools/assert/cmp"
 )
 
 func TestRepositoryScope(t *testing.T) {
@@ -94,3 +95,14 @@ func TestGetTokenScopes(t *testing.T) {
 		assert.DeepEqual(t, tc.expected, actual)
 	}
 }
+
+func TestCustomScope(t *testing.T) {
+	scope := "whatever:foo/bar:pull"
+	ctx := WithScope(context.Background(), scope)
+	ctx = contextWithAppendPullRepositoryScope(ctx, "foo/bar")
+
+	scopes := getTokenScopes(ctx, []string{})
+	assert.Assert(t, cmp.Len(scopes, 2))
+	assert.Check(t, cmp.Equal(scopes[0], "repository:foo/bar:pull"))
+	assert.Check(t, cmp.Equal(scopes[1], scope))
+}