moby--moby/distribution/registry.go

package distribution

import (
	"fmt"
	"net"
	"net/http"
	"net/url"
	"strings"
	"time"

	"github.com/docker/distribution"
	distreference "github.com/docker/distribution/reference"
	"github.com/docker/distribution/registry/client"
	"github.com/docker/distribution/registry/client/auth"
	"github.com/docker/distribution/registry/client/transport"
	"github.com/docker/docker/dockerversion"
	"github.com/docker/docker/registry"
	"github.com/docker/engine-api/types"
	"golang.org/x/net/context"
)

type dumbCredentialStore struct {
	auth *types.AuthConfig
}

func (dcs dumbCredentialStore) Basic(*url.URL) (string, string) {
	return dcs.auth.Username, dcs.auth.Password
}

// NewV2Repository returns a repository (v2 only). It creates a HTTP transport
// providing timeout settings and authentication support, and also verifies the
// remote API version.
func NewV2Repository(ctx context.Context, repoInfo *registry.RepositoryInfo, endpoint registry.APIEndpoint, metaHeaders http.Header, authConfig *types.AuthConfig, actions ...string) (repo distribution.Repository, foundVersion bool, err error) {
	repoName := repoInfo.FullName()
	// If endpoint does not support CanonicalName, use the RemoteName instead
	if endpoint.TrimHostname {
		repoName = repoInfo.RemoteName()
	}

	// TODO(dmcgowan): Call close idle connections when complete, use keep alive
	base := &http.Transport{
		Proxy: http.ProxyFromEnvironment,
		Dial: (&net.Dialer{
			Timeout:   30 * time.Second,
			KeepAlive: 30 * time.Second,
			DualStack: true,
		}).Dial,
		TLSHandshakeTimeout: 10 * time.Second,
		TLSClientConfig:     endpoint.TLSConfig,
		// TODO(dmcgowan): Call close idle connections when complete and use keep alive
		DisableKeepAlives: true,
	}

	modifiers := registry.DockerHeaders(dockerversion.DockerUserAgent(), metaHeaders)
	authTransport := transport.NewTransport(base, modifiers...)
	pingClient := &http.Client{
		Transport: authTransport,
		Timeout:   15 * time.Second,
	}
	endpointStr := strings.TrimRight(endpoint.URL.String(), "/") + "/v2/"
	req, err := http.NewRequest("GET", endpointStr, nil)
	if err != nil {
		return nil, false, fallbackError{err: err}
	}
	resp, err := pingClient.Do(req)
	if err != nil {
		return nil, false, fallbackError{err: err}
	}
	defer resp.Body.Close()

	// We got a HTTP request through, so we're using the right TLS settings.
	// From this point forward, set transportOK to true in any fallbackError
	// we return.

	v2Version := auth.APIVersion{
		Type:    "registry",
		Version: "2.0",
	}

	versions := auth.APIVersions(resp, registry.DefaultRegistryVersionHeader)
	for _, pingVersion := range versions {
		if pingVersion == v2Version {
			// The version header indicates we're definitely
			// talking to a v2 registry. So don't allow future
			// fallbacks to the v1 protocol.

			foundVersion = true
			break
		}
	}

	challengeManager := auth.NewSimpleChallengeManager()
	if err := challengeManager.AddResponse(resp); err != nil {
		return nil, foundVersion, fallbackError{
			err:         err,
			confirmedV2: foundVersion,
			transportOK: true,
		}
	}

	if authConfig.RegistryToken != "" {
		passThruTokenHandler := &existingTokenHandler{token: authConfig.RegistryToken}
		modifiers = append(modifiers, auth.NewAuthorizer(challengeManager, passThruTokenHandler))
	} else {
		creds := dumbCredentialStore{auth: authConfig}
		tokenHandler := auth.NewTokenHandler(authTransport, creds, repoName, actions...)
		basicHandler := auth.NewBasicHandler(creds)
		modifiers = append(modifiers, auth.NewAuthorizer(challengeManager, tokenHandler, basicHandler))
	}
	tr := transport.NewTransport(base, modifiers...)

	repoNameRef, err := distreference.ParseNamed(repoName)
	if err != nil {
		return nil, foundVersion, fallbackError{
			err:         err,
			confirmedV2: foundVersion,
			transportOK: true,
		}
	}

	repo, err = client.NewRepository(ctx, repoNameRef, endpoint.URL.String(), tr)
	if err != nil {
		err = fallbackError{
			err:         err,
			confirmedV2: foundVersion,
			transportOK: true,
		}
	}
	return
}

type existingTokenHandler struct {
	token string
}

func (th *existingTokenHandler) Scheme() string {
	return "bearer"
}

func (th *existingTokenHandler) AuthorizeRequest(req *http.Request, params map[string]string) error {
	req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", th.token))
	return nil
}
Add distribution package Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com> 2015-11-18 17:18:44 -05:00			`package distribution`

			`import (`
Add token pass-thru for AuthConfig This change allows API clients to retrieve an authentication token from a registry, and then pass that token directly to the API. Example usage: REPO_USER=dhiltgen read -s PASSWORD REPO=privateorg/repo AUTH_URL=https://auth.docker.io/token TOKEN=$(curl -s -u "${REPO_USER}:${PASSWORD}" "${AUTH_URL}?scope=repository:${REPO}:pull&service=registry.docker.io" \| jq -r ".token") HEADER=$(echo "{\"registrytoken\":\"${TOKEN}\"}"\|base64 -w 0 ) curl -s -D - -H "X-Registry-Auth: ${HEADER}" -X POST "http://localhost:2376/images/create?fromImage=${REPO}" Signed-off-by: Daniel Hiltgen <daniel.hiltgen@docker.com> 2015-11-04 00:03:12 -05:00			`"fmt"`
Add distribution package Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com> 2015-11-18 17:18:44 -05:00			`"net"`
			`"net/http"`
			`"net/url"`
			`"strings"`
			`"time"`

			`"github.com/docker/distribution"`
Vendor updated distribution for resumable downloads Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com> 2016-01-26 14:20:14 -05:00			`distreference "github.com/docker/distribution/reference"`
Add distribution package Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com> 2015-11-18 17:18:44 -05:00			`"github.com/docker/distribution/registry/client"`
			`"github.com/docker/distribution/registry/client/auth"`
			`"github.com/docker/distribution/registry/client/transport"`
Remove the use of dockerversion from the registry package Signed-off-by: Daniel Nephin <dnephin@docker.com> 2016-01-04 13:36:01 -05:00			`"github.com/docker/docker/dockerversion"`
Add distribution package Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com> 2015-11-18 17:18:44 -05:00			`"github.com/docker/docker/registry"`
Modify import paths to point to the new engine-api package. Signed-off-by: David Calavera <david.calavera@gmail.com> 2016-01-04 19:05:26 -05:00			`"github.com/docker/engine-api/types"`
Add distribution package Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com> 2015-11-18 17:18:44 -05:00			`"golang.org/x/net/context"`
			`)`

			`type dumbCredentialStore struct {`
Move AuthConfig to api/types Signed-off-by: Daniel Nephin <dnephin@gmail.com> 2015-12-11 23:11:42 -05:00			`auth *types.AuthConfig`
Add distribution package Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com> 2015-11-18 17:18:44 -05:00			`}`

			`func (dcs dumbCredentialStore) Basic(*url.URL) (string, string) {`
			`return dcs.auth.Username, dcs.auth.Password`
			`}`

			`// NewV2Repository returns a repository (v2 only). It creates a HTTP transport`
			`// providing timeout settings and authentication support, and also verifies the`
			`// remote API version.`
Do not fall back to the V1 protocol when we know we are talking to a V2 registry If we detect a Docker-Distribution-Api-Version header indicating that the registry speaks the V2 protocol, no fallback to V1 should take place. The same applies if a V2 registry operation succeeds while attempting a push or pull. Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com> 2015-12-04 16:42:33 -05:00			`func NewV2Repository(ctx context.Context, repoInfo registry.RepositoryInfo, endpoint registry.APIEndpoint, metaHeaders http.Header, authConfig types.AuthConfig, actions ...string) (repo distribution.Repository, foundVersion bool, err error) {`
Update Named reference with validation of conversions Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com> 2015-12-11 14:00:13 -05:00			`repoName := repoInfo.FullName()`
Add distribution package Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com> 2015-11-18 17:18:44 -05:00			`// If endpoint does not support CanonicalName, use the RemoteName instead`
			`if endpoint.TrimHostname {`
Update Named reference with validation of conversions Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com> 2015-12-11 14:00:13 -05:00			`repoName = repoInfo.RemoteName()`
Add distribution package Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com> 2015-11-18 17:18:44 -05:00			`}`

			`// TODO(dmcgowan): Call close idle connections when complete, use keep alive`
			`base := &http.Transport{`
			`Proxy: http.ProxyFromEnvironment,`
Revert "Set idle timeouts for HTTP reads and writes in communications with the registry" This reverts commit 84b2162c1a15256ac09396ad0d75686ea468f40c. The intent of this commit was to set an idle timeout on a HTTP connection. If a read took more than 60 seconds to complete, or a write took more than 60 seconds to complete, the connection would be considered dead. This doesn't work properly, because the HTTP internals apparently read from the connection concurrently while writing. An upload that doesn't complete in 60 seconds leads to a timeout. Fixes #19967 Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com> 2016-02-03 12:55:16 -05:00			`Dial: (&net.Dialer{`
			`Timeout: 30 * time.Second,`
			`KeepAlive: 30 * time.Second,`
			`DualStack: true,`
			`}).Dial,`
Add distribution package Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com> 2015-11-18 17:18:44 -05:00			`TLSHandshakeTimeout: 10 * time.Second,`
			`TLSClientConfig: endpoint.TLSConfig,`
			`// TODO(dmcgowan): Call close idle connections when complete and use keep alive`
			`DisableKeepAlives: true,`
			`}`

Remove the use of dockerversion from the registry package Signed-off-by: Daniel Nephin <dnephin@docker.com> 2016-01-04 13:36:01 -05:00			`modifiers := registry.DockerHeaders(dockerversion.DockerUserAgent(), metaHeaders)`
Add distribution package Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com> 2015-11-18 17:18:44 -05:00			`authTransport := transport.NewTransport(base, modifiers...)`
			`pingClient := &http.Client{`
			`Transport: authTransport,`
Improved push and pull with upload manager and download manager This commit adds a transfer manager which deduplicates and schedules transfers, and also an upload manager and download manager that build on top of the transfer manager to provide high-level interfaces for uploads and downloads. The push and pull code is modified to use these building blocks. Some benefits of the changes: - Simplification of push/pull code - Pushes can upload layers concurrently - Failed downloads and uploads are retried after backoff delays - Cancellation is supported, but individual transfers will only be cancelled if all pushes or pulls using them are cancelled. - The distribution code is decoupled from Docker Engine packages and API conventions (i.e. streamformatter), which will make it easier to split out. This commit also includes unit tests for the new distribution/xfer package. The tests cover 87.8% of the statements in the package. Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com> 2015-11-13 19:59:01 -05:00			`Timeout: 15 * time.Second,`
Add distribution package Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com> 2015-11-18 17:18:44 -05:00			`}`
Change APIEndpoint to contain the URL in a parsed format This allows easier URL handling in code that uses APIEndpoint. If we continued to store the URL unparsed, it would require redundant parsing whenver we want to extract information from it. Also, parsing the URL earlier should give improve validation. Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com> 2016-02-17 19:53:25 -05:00			`endpointStr := strings.TrimRight(endpoint.URL.String(), "/") + "/v2/"`
Add distribution package Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com> 2015-11-18 17:18:44 -05:00			`req, err := http.NewRequest("GET", endpointStr, nil)`
			`if err != nil {`
Smarter push/pull TLS fallback With the --insecure-registry daemon option (or talking to a registry on a local IP), the daemon will first try TLS, and then try plaintext if something goes wrong with the push or pull. It doesn't make sense to try plaintext if a HTTP request went through while using TLS. This commit changes the logic to keep track of host/port combinations where a TLS attempt managed to do at least one HTTP request (whether the response code indicated success or not). If the host/port responded to a HTTP using TLS, we won't try to make plaintext HTTP requests to it. This will result in better error messages, which sometimes ended up showing the result of the plaintext attempt, like this: Error response from daemon: Get http://myregistrydomain.com:5000/v2/: malformed HTTP response "\x15\x03\x01\x00\x02\x02" Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com> 2016-02-11 18:45:29 -05:00			`return nil, false, fallbackError{err: err}`
Add distribution package Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com> 2015-11-18 17:18:44 -05:00			`}`
			`resp, err := pingClient.Do(req)`
			`if err != nil {`
Smarter push/pull TLS fallback With the --insecure-registry daemon option (or talking to a registry on a local IP), the daemon will first try TLS, and then try plaintext if something goes wrong with the push or pull. It doesn't make sense to try plaintext if a HTTP request went through while using TLS. This commit changes the logic to keep track of host/port combinations where a TLS attempt managed to do at least one HTTP request (whether the response code indicated success or not). If the host/port responded to a HTTP using TLS, we won't try to make plaintext HTTP requests to it. This will result in better error messages, which sometimes ended up showing the result of the plaintext attempt, like this: Error response from daemon: Get http://myregistrydomain.com:5000/v2/: malformed HTTP response "\x15\x03\x01\x00\x02\x02" Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com> 2016-02-11 18:45:29 -05:00			`return nil, false, fallbackError{err: err}`
Add distribution package Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com> 2015-11-18 17:18:44 -05:00			`}`
			`defer resp.Body.Close()`

Smarter push/pull TLS fallback With the --insecure-registry daemon option (or talking to a registry on a local IP), the daemon will first try TLS, and then try plaintext if something goes wrong with the push or pull. It doesn't make sense to try plaintext if a HTTP request went through while using TLS. This commit changes the logic to keep track of host/port combinations where a TLS attempt managed to do at least one HTTP request (whether the response code indicated success or not). If the host/port responded to a HTTP using TLS, we won't try to make plaintext HTTP requests to it. This will result in better error messages, which sometimes ended up showing the result of the plaintext attempt, like this: Error response from daemon: Get http://myregistrydomain.com:5000/v2/: malformed HTTP response "\x15\x03\x01\x00\x02\x02" Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com> 2016-02-11 18:45:29 -05:00			`// We got a HTTP request through, so we're using the right TLS settings.`
			`// From this point forward, set transportOK to true in any fallbackError`
			`// we return.`

Do not fall back to the V1 protocol when we know we are talking to a V2 registry If we detect a Docker-Distribution-Api-Version header indicating that the registry speaks the V2 protocol, no fallback to V1 should take place. The same applies if a V2 registry operation succeeds while attempting a push or pull. Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com> 2015-12-04 16:42:33 -05:00			`v2Version := auth.APIVersion{`
			`Type: "registry",`
			`Version: "2.0",`
			`}`

			`versions := auth.APIVersions(resp, registry.DefaultRegistryVersionHeader)`
			`for _, pingVersion := range versions {`
			`if pingVersion == v2Version {`
			`// The version header indicates we're definitely`
			`// talking to a v2 registry. So don't allow future`
			`// fallbacks to the v1 protocol.`

			`foundVersion = true`
			`break`
Add distribution package Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com> 2015-11-18 17:18:44 -05:00			`}`
			`}`

			`challengeManager := auth.NewSimpleChallengeManager()`
			`if err := challengeManager.AddResponse(resp); err != nil {`
Smarter push/pull TLS fallback With the --insecure-registry daemon option (or talking to a registry on a local IP), the daemon will first try TLS, and then try plaintext if something goes wrong with the push or pull. It doesn't make sense to try plaintext if a HTTP request went through while using TLS. This commit changes the logic to keep track of host/port combinations where a TLS attempt managed to do at least one HTTP request (whether the response code indicated success or not). If the host/port responded to a HTTP using TLS, we won't try to make plaintext HTTP requests to it. This will result in better error messages, which sometimes ended up showing the result of the plaintext attempt, like this: Error response from daemon: Get http://myregistrydomain.com:5000/v2/: malformed HTTP response "\x15\x03\x01\x00\x02\x02" Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com> 2016-02-11 18:45:29 -05:00			`return nil, foundVersion, fallbackError{`
			`err: err,`
			`confirmedV2: foundVersion,`
			`transportOK: true,`
			`}`
Add distribution package Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com> 2015-11-18 17:18:44 -05:00			`}`

Add token pass-thru for AuthConfig This change allows API clients to retrieve an authentication token from a registry, and then pass that token directly to the API. Example usage: REPO_USER=dhiltgen read -s PASSWORD REPO=privateorg/repo AUTH_URL=https://auth.docker.io/token TOKEN=$(curl -s -u "${REPO_USER}:${PASSWORD}" "${AUTH_URL}?scope=repository:${REPO}:pull&service=registry.docker.io" \| jq -r ".token") HEADER=$(echo "{\"registrytoken\":\"${TOKEN}\"}"\|base64 -w 0 ) curl -s -D - -H "X-Registry-Auth: ${HEADER}" -X POST "http://localhost:2376/images/create?fromImage=${REPO}" Signed-off-by: Daniel Hiltgen <daniel.hiltgen@docker.com> 2015-11-04 00:03:12 -05:00			`if authConfig.RegistryToken != "" {`
			`passThruTokenHandler := &existingTokenHandler{token: authConfig.RegistryToken}`
			`modifiers = append(modifiers, auth.NewAuthorizer(challengeManager, passThruTokenHandler))`
			`} else {`
			`creds := dumbCredentialStore{auth: authConfig}`
Update Named reference with validation of conversions Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com> 2015-12-11 14:00:13 -05:00			`tokenHandler := auth.NewTokenHandler(authTransport, creds, repoName, actions...)`
Add token pass-thru for AuthConfig This change allows API clients to retrieve an authentication token from a registry, and then pass that token directly to the API. Example usage: REPO_USER=dhiltgen read -s PASSWORD REPO=privateorg/repo AUTH_URL=https://auth.docker.io/token TOKEN=$(curl -s -u "${REPO_USER}:${PASSWORD}" "${AUTH_URL}?scope=repository:${REPO}:pull&service=registry.docker.io" \| jq -r ".token") HEADER=$(echo "{\"registrytoken\":\"${TOKEN}\"}"\|base64 -w 0 ) curl -s -D - -H "X-Registry-Auth: ${HEADER}" -X POST "http://localhost:2376/images/create?fromImage=${REPO}" Signed-off-by: Daniel Hiltgen <daniel.hiltgen@docker.com> 2015-11-04 00:03:12 -05:00			`basicHandler := auth.NewBasicHandler(creds)`
			`modifiers = append(modifiers, auth.NewAuthorizer(challengeManager, tokenHandler, basicHandler))`
			`}`
Add distribution package Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com> 2015-11-18 17:18:44 -05:00			`tr := transport.NewTransport(base, modifiers...)`

Vendor updated distribution for resumable downloads Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com> 2016-01-26 14:20:14 -05:00			`repoNameRef, err := distreference.ParseNamed(repoName)`
			`if err != nil {`
Smarter push/pull TLS fallback With the --insecure-registry daemon option (or talking to a registry on a local IP), the daemon will first try TLS, and then try plaintext if something goes wrong with the push or pull. It doesn't make sense to try plaintext if a HTTP request went through while using TLS. This commit changes the logic to keep track of host/port combinations where a TLS attempt managed to do at least one HTTP request (whether the response code indicated success or not). If the host/port responded to a HTTP using TLS, we won't try to make plaintext HTTP requests to it. This will result in better error messages, which sometimes ended up showing the result of the plaintext attempt, like this: Error response from daemon: Get http://myregistrydomain.com:5000/v2/: malformed HTTP response "\x15\x03\x01\x00\x02\x02" Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com> 2016-02-11 18:45:29 -05:00			`return nil, foundVersion, fallbackError{`
			`err: err,`
			`confirmedV2: foundVersion,`
			`transportOK: true,`
			`}`
Vendor updated distribution for resumable downloads Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com> 2016-01-26 14:20:14 -05:00			`}`

Change APIEndpoint to contain the URL in a parsed format This allows easier URL handling in code that uses APIEndpoint. If we continued to store the URL unparsed, it would require redundant parsing whenver we want to extract information from it. Also, parsing the URL earlier should give improve validation. Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com> 2016-02-17 19:53:25 -05:00			`repo, err = client.NewRepository(ctx, repoNameRef, endpoint.URL.String(), tr)`
Smarter push/pull TLS fallback With the --insecure-registry daemon option (or talking to a registry on a local IP), the daemon will first try TLS, and then try plaintext if something goes wrong with the push or pull. It doesn't make sense to try plaintext if a HTTP request went through while using TLS. This commit changes the logic to keep track of host/port combinations where a TLS attempt managed to do at least one HTTP request (whether the response code indicated success or not). If the host/port responded to a HTTP using TLS, we won't try to make plaintext HTTP requests to it. This will result in better error messages, which sometimes ended up showing the result of the plaintext attempt, like this: Error response from daemon: Get http://myregistrydomain.com:5000/v2/: malformed HTTP response "\x15\x03\x01\x00\x02\x02" Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com> 2016-02-11 18:45:29 -05:00			`if err != nil {`
			`err = fallbackError{`
			`err: err,`
			`confirmedV2: foundVersion,`
			`transportOK: true,`
			`}`
			`}`
			`return`
Add distribution package Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com> 2015-11-18 17:18:44 -05:00			`}`

Add token pass-thru for AuthConfig This change allows API clients to retrieve an authentication token from a registry, and then pass that token directly to the API. Example usage: REPO_USER=dhiltgen read -s PASSWORD REPO=privateorg/repo AUTH_URL=https://auth.docker.io/token TOKEN=$(curl -s -u "${REPO_USER}:${PASSWORD}" "${AUTH_URL}?scope=repository:${REPO}:pull&service=registry.docker.io" \| jq -r ".token") HEADER=$(echo "{\"registrytoken\":\"${TOKEN}\"}"\|base64 -w 0 ) curl -s -D - -H "X-Registry-Auth: ${HEADER}" -X POST "http://localhost:2376/images/create?fromImage=${REPO}" Signed-off-by: Daniel Hiltgen <daniel.hiltgen@docker.com> 2015-11-04 00:03:12 -05:00			`type existingTokenHandler struct {`
			`token string`
			`}`

			`func (th *existingTokenHandler) Scheme() string {`
			`return "bearer"`
			`}`

			`func (th existingTokenHandler) AuthorizeRequest(req http.Request, params map[string]string) error {`
			`req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", th.token))`
			`return nil`
			`}`