Adds support for v2 registry login

summary of changes:

registry/auth.go
  - More logging around the login functions
  - split Login() out to handle different code paths for v1 (unchanged logic)
    and v2 (does not currently do account creation)
  - handling for either basic or token based login attempts
registry/authchallenge.go
  - New File
  - credit to Brian Bland <brian.bland@docker.com> (github: BrianBland)
  - handles parsing of WWW-Authenticate response headers
registry/endpoint.go
  - EVEN MOAR LOGGING
  - Many edits throught to make the coad less dense. Sparse code is more
    readable code.
  - slit Ping() out to handle different code paths for v1 (unchanged logic)
    and v2.
  - Updated Endpoint struct type to include an entry for authorization
    challenges discovered during ping of a v2 registry.
  - If registry endpoint version is unknown, v2 code path is first attempted,
    then fallback to v1 upon failure.
registry/service.go
  - STILL MOAR LOGGING
  - simplified the logic around starting the 'auth' job.
registry/session.go
  - updated use of a registry.Endpoint struct field.
registry/token.go
  - New File
  - Handles getting token from the parameters of a token auth challenge.
  - Modified from function written by Brian Bland (see above credit).
registry/types.go
  - Removed 'DefaultAPIVersion' in lieu of 'APIVersionUnknown = 0'`

Docker-DCO-1.1-Signed-off-by: Josh Hawn <josh.hawn@docker.com> (github: jlhawn)

registry/auth.go

@@ -11,6 +11,7 @@ import (
 	"path"
 	"strings"
 
+	log "github.com/Sirupsen/logrus"
 	"github.com/docker/docker/utils"
 )
 
@@ -144,8 +145,18 @@ func SaveConfig(configFile *ConfigFile) error {
 	return nil
 }
 
-// try to register/login to the registry server
-func Login(authConfig *AuthConfig, factory *utils.HTTPRequestFactory) (string, error) {
+// Login tries to register/login to the registry server.
+func Login(authConfig *AuthConfig, registryEndpoint *Endpoint, factory *utils.HTTPRequestFactory) (string, error) {
+	// Separates the v2 registry login logic from the v1 logic.
+	if registryEndpoint.Version == APIVersion2 {
+		return loginV2(authConfig, registryEndpoint, factory)
+	}
+
+	return loginV1(authConfig, registryEndpoint, factory)
+}
+
+// loginV1 tries to register/login to the v1 registry server.
+func loginV1(authConfig *AuthConfig, registryEndpoint *Endpoint, factory *utils.HTTPRequestFactory) (string, error) {
 	var (
 		status  string
 		reqBody []byte
@@ -161,6 +172,8 @@ func Login(authConfig *AuthConfig, factory *utils.HTTPRequestFactory) (string, e
 		serverAddress = authConfig.ServerAddress
 	)
 
+	log.Debugf("attempting v1 login to registry endpoint %s", registryEndpoint)
+
 	if serverAddress == "" {
 		return "", fmt.Errorf("Server Error: Server Address not set.")
 	}
@@ -253,6 +266,103 @@ func Login(authConfig *AuthConfig, factory *utils.HTTPRequestFactory) (string, e
 	return status, nil
 }
 
+// loginV2 tries to login to the v2 registry server. The given registry endpoint has been
+// pinged or setup with a list of authorization challenges. Each of these challenges are
+// tried until one of them succeeds. Currently supported challenge schemes are:
+// 		HTTP Basic Authorization
+// 		Token Authorization with a separate token issuing server
+// NOTE: the v2 logic does not attempt to create a user account if one doesn't exist. For
+// now, users should create their account through other means like directly from a web page
+// served by the v2 registry service provider. Whether this will be supported in the future
+// is to be determined.
+func loginV2(authConfig *AuthConfig, registryEndpoint *Endpoint, factory *utils.HTTPRequestFactory) (string, error) {
+	log.Debugf("attempting v2 login to registry endpoint %s", registryEndpoint)
+
+	client := &http.Client{
+		Transport: &http.Transport{
+			DisableKeepAlives: true,
+			Proxy:             http.ProxyFromEnvironment,
+		},
+		CheckRedirect: AddRequiredHeadersToRedirectedRequests,
+	}
+
+	var (
+		err       error
+		allErrors []error
+	)
+
+	for _, challenge := range registryEndpoint.AuthChallenges {
+		log.Debugf("trying %q auth challenge with params %s", challenge.Scheme, challenge.Parameters)
+
+		switch strings.ToLower(challenge.Scheme) {
+		case "basic":
+			err = tryV2BasicAuthLogin(authConfig, challenge.Parameters, registryEndpoint, client, factory)
+		case "bearer":
+			err = tryV2TokenAuthLogin(authConfig, challenge.Parameters, registryEndpoint, client, factory)
+		default:
+			// Unsupported challenge types are explicitly skipped.
+			err = fmt.Errorf("unsupported auth scheme: %q", challenge.Scheme)
+		}
+
+		if err == nil {
+			return "Login Succeeded", nil
+		}
+
+		log.Debugf("error trying auth challenge %q: %s", challenge.Scheme, err)
+
+		allErrors = append(allErrors, err)
+	}
+
+	return "", fmt.Errorf("no successful auth challenge for %s - errors: %s", registryEndpoint, allErrors)
+}
+
+func tryV2BasicAuthLogin(authConfig *AuthConfig, params map[string]string, registryEndpoint *Endpoint, client *http.Client, factory *utils.HTTPRequestFactory) error {
+	req, err := factory.NewRequest("GET", registryEndpoint.Path(""), nil)
+	if err != nil {
+		return err
+	}
+
+	req.SetBasicAuth(authConfig.Username, authConfig.Password)
+
+	resp, err := client.Do(req)
+	if err != nil {
+		return err
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		return fmt.Errorf("basic auth attempt to %s realm %q failed with status: %d %s", registryEndpoint, params["realm"], resp.StatusCode, http.StatusText(resp.StatusCode))
+	}
+
+	return nil
+}
+
+func tryV2TokenAuthLogin(authConfig *AuthConfig, params map[string]string, registryEndpoint *Endpoint, client *http.Client, factory *utils.HTTPRequestFactory) error {
+	token, err := getToken(authConfig.Username, authConfig.Password, params, registryEndpoint, client, factory)
+	if err != nil {
+		return err
+	}
+
+	req, err := factory.NewRequest("GET", registryEndpoint.Path(""), nil)
+	if err != nil {
+		return err
+	}
+
+	req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", token))
+
+	resp, err := client.Do(req)
+	if err != nil {
+		return err
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		return fmt.Errorf("token auth attempt to %s realm %q failed with status: %d %s", registryEndpoint, params["realm"], resp.StatusCode, http.StatusText(resp.StatusCode))
+	}
+
+	return nil
+}
+
 // this method matches a auth configuration to a server address or a url
 func (config *ConfigFile) ResolveAuthConfig(index *IndexInfo) AuthConfig {
 	configKey := index.GetAuthConfigKey()

registry/authchallenge.go

@@ -0,0 +1,150 @@
+package registry
+
+import (
+	"net/http"
+	"strings"
+)
+
+// Octet types from RFC 2616.
+type octetType byte
+
+// AuthorizationChallenge carries information
+// from a WWW-Authenticate response header.
+type AuthorizationChallenge struct {
+	Scheme     string
+	Parameters map[string]string
+}
+
+var octetTypes [256]octetType
+
+const (
+	isToken octetType = 1 << iota
+	isSpace
+)
+
+func init() {
+	// OCTET      = <any 8-bit sequence of data>
+	// CHAR       = <any US-ASCII character (octets 0 - 127)>
+	// CTL        = <any US-ASCII control character (octets 0 - 31) and DEL (127)>
+	// CR         = <US-ASCII CR, carriage return (13)>
+	// LF         = <US-ASCII LF, linefeed (10)>
+	// SP         = <US-ASCII SP, space (32)>
+	// HT         = <US-ASCII HT, horizontal-tab (9)>
+	// <">        = <US-ASCII double-quote mark (34)>
+	// CRLF       = CR LF
+	// LWS        = [CRLF] 1*( SP | HT )
+	// TEXT       = <any OCTET except CTLs, but including LWS>
+	// separators = "(" | ")" | "<" | ">" | "@" | "," | ";" | ":" | "\" | <">
+	//              | "/" | "[" | "]" | "?" | "=" | "{" | "}" | SP | HT
+	// token      = 1*<any CHAR except CTLs or separators>
+	// qdtext     = <any TEXT except <">>
+
+	for c := 0; c < 256; c++ {
+		var t octetType
+		isCtl := c <= 31 || c == 127
+		isChar := 0 <= c && c <= 127
+		isSeparator := strings.IndexRune(" \t\"(),/:;<=>?@[]\\{}", rune(c)) >= 0
+		if strings.IndexRune(" \t\r\n", rune(c)) >= 0 {
+			t |= isSpace
+		}
+		if isChar && !isCtl && !isSeparator {
+			t |= isToken
+		}
+		octetTypes[c] = t
+	}
+}
+
+func parseAuthHeader(header http.Header) []*AuthorizationChallenge {
+	var challenges []*AuthorizationChallenge
+	for _, h := range header[http.CanonicalHeaderKey("WWW-Authenticate")] {
+		v, p := parseValueAndParams(h)
+		if v != "" {
+			challenges = append(challenges, &AuthorizationChallenge{Scheme: v, Parameters: p})
+		}
+	}
+	return challenges
+}
+
+func parseValueAndParams(header string) (value string, params map[string]string) {
+	params = make(map[string]string)
+	value, s := expectToken(header)
+	if value == "" {
+		return
+	}
+	value = strings.ToLower(value)
+	s = "," + skipSpace(s)
+	for strings.HasPrefix(s, ",") {
+		var pkey string
+		pkey, s = expectToken(skipSpace(s[1:]))
+		if pkey == "" {
+			return
+		}
+		if !strings.HasPrefix(s, "=") {
+			return
+		}
+		var pvalue string
+		pvalue, s = expectTokenOrQuoted(s[1:])
+		if pvalue == "" {
+			return
+		}
+		pkey = strings.ToLower(pkey)
+		params[pkey] = pvalue
+		s = skipSpace(s)
+	}
+	return
+}
+
+func skipSpace(s string) (rest string) {
+	i := 0
+	for ; i < len(s); i++ {
+		if octetTypes[s[i]]&isSpace == 0 {
+			break
+		}
+	}
+	return s[i:]
+}
+
+func expectToken(s string) (token, rest string) {
+	i := 0
+	for ; i < len(s); i++ {
+		if octetTypes[s[i]]&isToken == 0 {
+			break
+		}
+	}
+	return s[:i], s[i:]
+}
+
+func expectTokenOrQuoted(s string) (value string, rest string) {
+	if !strings.HasPrefix(s, "\"") {
+		return expectToken(s)
+	}
+	s = s[1:]
+	for i := 0; i < len(s); i++ {
+		switch s[i] {
+		case '"':
+			return s[:i], s[i+1:]
+		case '\\':
+			p := make([]byte, len(s)-1)
+			j := copy(p, s[:i])
+			escape := true
+			for i = i + i; i < len(s); i++ {
+				b := s[i]
+				switch {
+				case escape:
+					escape = false
+					p[j] = b
+					j++
+				case b == '\\':
+					escape = true
+				case b == '"':
+					return string(p[:j]), s[i+1:]
+				default:
+					p[j] = b
+					j++
+				}
+			}
+			return "", ""
+		}
+	}
+	return "", ""
+}

registry/endpoint.go

@@ -15,28 +15,31 @@ import (
 // for mocking in unit tests
 var lookupIP = net.LookupIP
 
-// scans string for api version in the URL path. returns the trimmed hostname, if version found, string and API version.
-func scanForAPIVersion(hostname string) (string, APIVersion) {
+// scans string for api version in the URL path. returns the trimmed address, if version found, string and API version.
+func scanForAPIVersion(address string) (string, APIVersion) {
 	var (
 		chunks        []string
 		apiVersionStr string
 	)
-	if strings.HasSuffix(hostname, "/") {
-		chunks = strings.Split(hostname[:len(hostname)-1], "/")
-		apiVersionStr = chunks[len(chunks)-1]
-	} else {
-		chunks = strings.Split(hostname, "/")
-		apiVersionStr = chunks[len(chunks)-1]
+
+	if strings.HasSuffix(address, "/") {
+		address = address[:len(address)-1]
 	}
+
+	chunks = strings.Split(address, "/")
+	apiVersionStr = chunks[len(chunks)-1]
+
 	for k, v := range apiVersions {
 		if apiVersionStr == v {
-			hostname = strings.Join(chunks[:len(chunks)-1], "/")
-			return hostname, k
+			address = strings.Join(chunks[:len(chunks)-1], "/")
+			return address, k
 		}
 	}
-	return hostname, DefaultAPIVersion
+
+	return address, APIVersionUnknown
 }
 
+// NewEndpoint parses the given address to return a registry endpoint.
 func NewEndpoint(index *IndexInfo) (*Endpoint, error) {
 	// *TODO: Allow per-registry configuration of endpoints.
 	endpoint, err := newEndpoint(index.GetAuthConfigKey(), index.Secure)
@@ -44,81 +47,124 @@ func NewEndpoint(index *IndexInfo) (*Endpoint, error) {
 		return nil, err
 	}
 
+	log.Debugf("pinging registry endpoint %s", endpoint)
+
 	// Try HTTPS ping to registry
 	endpoint.URL.Scheme = "https"
 	if _, err := endpoint.Ping(); err != nil {
-
-		//TODO: triggering highland build can be done there without "failing"
-
 		if index.Secure {
 			// If registry is secure and HTTPS failed, show user the error and tell them about `--insecure-registry`
 			// in case that's what they need. DO NOT accept unknown CA certificates, and DO NOT fallback to HTTP.
-			return nil, fmt.Errorf("Invalid registry endpoint %s: %v. If this private registry supports only HTTP or HTTPS with an unknown CA certificate, please add `--insecure-registry %s` to the daemon's arguments. In the case of HTTPS, if you have access to the registry's CA certificate, no need for the flag; simply place the CA certificate at /etc/docker/certs.d/%s/ca.crt", endpoint, err, endpoint.URL.Host, endpoint.URL.Host)
+			return nil, fmt.Errorf("invalid registry endpoint %s: %v. If this private registry supports only HTTP or HTTPS with an unknown CA certificate, please add `--insecure-registry %s` to the daemon's arguments. In the case of HTTPS, if you have access to the registry's CA certificate, no need for the flag; simply place the CA certificate at /etc/docker/certs.d/%s/ca.crt", endpoint, err, endpoint.URL.Host, endpoint.URL.Host)
 		}
 
 		// If registry is insecure and HTTPS failed, fallback to HTTP.
 		log.Debugf("Error from registry %q marked as insecure: %v. Insecurely falling back to HTTP", endpoint, err)
 		endpoint.URL.Scheme = "http"
-		_, err2 := endpoint.Ping()
-		if err2 == nil {
+
+		var err2 error
+		if _, err2 = endpoint.Ping(); err2 == nil {
 			return endpoint, nil
 		}
 
-		return nil, fmt.Errorf("Invalid registry endpoint %q. HTTPS attempt: %v. HTTP attempt: %v", endpoint, err, err2)
+		return nil, fmt.Errorf("invalid registry endpoint %q. HTTPS attempt: %v. HTTP attempt: %v", endpoint, err, err2)
 	}
 
 	return endpoint, nil
 }
-func newEndpoint(hostname string, secure bool) (*Endpoint, error) {
+
+func newEndpoint(address string, secure bool) (*Endpoint, error) {
 	var (
-		endpoint        = Endpoint{}
-		trimmedHostname string
-		err             error
+		endpoint       = new(Endpoint)
+		trimmedAddress string
+		err            error
 	)
-	if !strings.HasPrefix(hostname, "http") {
-		hostname = "https://" + hostname
+
+	if !strings.HasPrefix(address, "http") {
+		address = "https://" + address
 	}
-	trimmedHostname, endpoint.Version = scanForAPIVersion(hostname)
-	endpoint.URL, err = url.Parse(trimmedHostname)
-	if err != nil {
+
+	trimmedAddress, endpoint.Version = scanForAPIVersion(address)
+
+	if endpoint.URL, err = url.Parse(trimmedAddress); err != nil {
 		return nil, err
 	}
-	endpoint.secure = secure
-	return &endpoint, nil
+	endpoint.IsSecure = secure
+	return endpoint, nil
 }
 
 func (repoInfo *RepositoryInfo) GetEndpoint() (*Endpoint, error) {
 	return NewEndpoint(repoInfo.Index)
 }
 
+// Endpoint stores basic information about a registry endpoint.
 type Endpoint struct {
-	URL     *url.URL
-	Version APIVersion
-	secure  bool
+	URL            *url.URL
+	Version        APIVersion
+	IsSecure       bool
+	AuthChallenges []*AuthorizationChallenge
 }
 
 // Get the formated URL for the root of this registry Endpoint
-func (e Endpoint) String() string {
-	return fmt.Sprintf("%s/v%d/", e.URL.String(), e.Version)
+func (e *Endpoint) String() string {
+	return fmt.Sprintf("%s/v%d/", e.URL, e.Version)
 }
 
-func (e Endpoint) VersionString(version APIVersion) string {
-	return fmt.Sprintf("%s/v%d/", e.URL.String(), version)
+// VersionString returns a formatted string of this
+// endpoint address using the given API Version.
+func (e *Endpoint) VersionString(version APIVersion) string {
+	return fmt.Sprintf("%s/v%d/", e.URL, version)
 }
 
-func (e Endpoint) Ping() (RegistryInfo, error) {
+// Path returns a formatted string for the URL
+// of this endpoint with the given path appended.
+func (e *Endpoint) Path(path string) string {
+	return fmt.Sprintf("%s/v%d/%s", e.URL, e.Version, path)
+}
+
+func (e *Endpoint) Ping() (RegistryInfo, error) {
+	// The ping logic to use is determined by the registry endpoint version.
+	switch e.Version {
+	case APIVersion1:
+		return e.pingV1()
+	case APIVersion2:
+		return e.pingV2()
+	}
+
+	// APIVersionUnknown
+	// We should try v2 first...
+	e.Version = APIVersion2
+	regInfo, errV2 := e.pingV2()
+	if errV2 == nil {
+		return regInfo, nil
+	}
+
+	// ... then fallback to v1.
+	e.Version = APIVersion1
+	regInfo, errV1 := e.pingV1()
+	if errV1 == nil {
+		return regInfo, nil
+	}
+
+	e.Version = APIVersionUnknown
+	return RegistryInfo{}, fmt.Errorf("unable to ping registry endpoint %s\nv2 ping attempt failed with error: %s\n v1 ping attempt failed with error: %s", e, errV2, errV1)
+}
+
+func (e *Endpoint) pingV1() (RegistryInfo, error) {
+	log.Debugf("attempting v1 ping for registry endpoint %s", e)
+
 	if e.String() == IndexServerAddress() {
-		// Skip the check, we now this one is valid
+		// Skip the check, we know this one is valid
 		// (and we never want to fallback to http in case of error)
 		return RegistryInfo{Standalone: false}, nil
 	}
 
-	req, err := http.NewRequest("GET", e.String()+"_ping", nil)
+	req, err := http.NewRequest("GET", e.Path("_ping"), nil)
 	if err != nil {
 		return RegistryInfo{Standalone: false}, err
 	}
 
-	resp, _, err := doRequest(req, nil, ConnectTimeout, e.secure)
+	resp, _, err := doRequest(req, nil, ConnectTimeout, e.IsSecure)
 	if err != nil {
 		return RegistryInfo{Standalone: false}, err
 	}
@@ -127,7 +173,7 @@ func (e Endpoint) Ping() (RegistryInfo, error) {
 
 	jsonString, err := ioutil.ReadAll(resp.Body)
 	if err != nil {
-		return RegistryInfo{Standalone: false}, fmt.Errorf("Error while reading the http response: %s", err)
+		return RegistryInfo{Standalone: false}, fmt.Errorf("error while reading the http response: %s", err)
 	}
 
 	// If the header is absent, we assume true for compatibility with earlier
@@ -157,3 +203,33 @@ func (e Endpoint) Ping() (RegistryInfo, error) {
 	log.Debugf("RegistryInfo.Standalone: %t", info.Standalone)
 	return info, nil
 }
+
+func (e *Endpoint) pingV2() (RegistryInfo, error) {
+	log.Debugf("attempting v2 ping for registry endpoint %s", e)
+
+	req, err := http.NewRequest("GET", e.Path(""), nil)
+	if err != nil {
+		return RegistryInfo{}, err
+	}
+
+	resp, _, err := doRequest(req, nil, ConnectTimeout, e.IsSecure)
+	if err != nil {
+		return RegistryInfo{}, err
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode == http.StatusOK {
+		// It would seem that no authentication/authorization is required.
+		// So we don't need to parse/add any authorization schemes.
+		return RegistryInfo{Standalone: true}, nil
+	}
+
+	if resp.StatusCode == http.StatusUnauthorized {
+		// Parse the WWW-Authenticate Header and store the challenges
+		// on this endpoint object.
+		e.AuthChallenges = parseAuthHeader(resp.Header)
+		return RegistryInfo{}, nil
+	}
+
+	return RegistryInfo{}, fmt.Errorf("v2 registry endpoint returned status %d: %q", resp.StatusCode, http.StatusText(resp.StatusCode))
+}

registry/endpoint_test.go

@@ -8,8 +8,10 @@ func TestEndpointParse(t *testing.T) {
 		expected string
 	}{
 		{IndexServerAddress(), IndexServerAddress()},
-		{"http://0.0.0.0:5000", "http://0.0.0.0:5000/v1/"},
-		{"0.0.0.0:5000", "https://0.0.0.0:5000/v1/"},
+		{"http://0.0.0.0:5000/v1/", "http://0.0.0.0:5000/v1/"},
+		{"http://0.0.0.0:5000/v2/", "http://0.0.0.0:5000/v2/"},
+		{"http://0.0.0.0:5000", "http://0.0.0.0:5000/v0/"},
+		{"0.0.0.0:5000", "https://0.0.0.0:5000/v0/"},
 	}
 	for _, td := range testData {
 		e, err := newEndpoint(td.str, false)

registry/service.go

@@ -1,6 +1,7 @@
 package registry
 
 import (
+	log "github.com/Sirupsen/logrus"
 	"github.com/docker/docker/engine"
 )
 
@@ -38,28 +39,39 @@ func (s *Service) Install(eng *engine.Engine) error {
 // and returns OK if authentication was sucessful.
 // It can be used to verify the validity of a client's credentials.
 func (s *Service) Auth(job *engine.Job) engine.Status {
-	var authConfig = new(AuthConfig)
+	var (
+		authConfig = new(AuthConfig)
+		endpoint   *Endpoint
+		index      *IndexInfo
+		status     string
+		err        error
+	)
 
 	job.GetenvJson("authConfig", authConfig)
 
-	if authConfig.ServerAddress != "" {
-		index, err := ResolveIndexInfo(job, authConfig.ServerAddress)
-		if err != nil {
-			return job.Error(err)
-		}
-		if !index.Official {
-			endpoint, err := NewEndpoint(index)
-			if err != nil {
-				return job.Error(err)
-			}
-			authConfig.ServerAddress = endpoint.String()
-		}
+	addr := authConfig.ServerAddress
+	if addr == "" {
+		// Use the official registry address if not specified.
+		addr = IndexServerAddress()
 	}
 
-	status, err := Login(authConfig, HTTPRequestFactory(nil))
-	if err != nil {
+	if index, err = ResolveIndexInfo(job, addr); err != nil {
 		return job.Error(err)
 	}
+
+	if endpoint, err = NewEndpoint(index); err != nil {
+		log.Errorf("unable to get new registry endpoint: %s", err)
+		return job.Error(err)
+	}
+
+	authConfig.ServerAddress = endpoint.String()
+
+	if status, err = Login(authConfig, endpoint, HTTPRequestFactory(nil)); err != nil {
+		log.Errorf("unable to login against registry endpoint %s: %s", endpoint, err)
+		return job.Error(err)
+	}
+
+	log.Infof("successful registry login for endpoint %s: %s", endpoint, status)
 	job.Printf("%s\n", status)
 
 	return engine.StatusOK

registry/session.go

@@ -65,7 +65,7 @@ func NewSession(authConfig *AuthConfig, factory *utils.HTTPRequestFactory, endpo
 }
 
 func (r *Session) doRequest(req *http.Request) (*http.Response, *http.Client, error) {
-	return doRequest(req, r.jar, r.timeout, r.indexEndpoint.secure)
+	return doRequest(req, r.jar, r.timeout, r.indexEndpoint.IsSecure)
 }
 
 // Retrieve the history of a given image from the Registry.

registry/token.go

@@ -0,0 +1,70 @@
+package registry
+
+import (
+	"errors"
+	"fmt"
+	"net/http"
+	"net/url"
+	"strings"
+
+	"github.com/docker/docker/utils"
+)
+
+func getToken(username, password string, params map[string]string, registryEndpoint *Endpoint, client *http.Client, factory *utils.HTTPRequestFactory) (token string, err error) {
+	realm, ok := params["realm"]
+	if !ok {
+		return "", errors.New("no realm specified for token auth challenge")
+	}
+
+	realmURL, err := url.Parse(realm)
+	if err != nil {
+		return "", fmt.Errorf("invalid token auth challenge realm: %s", err)
+	}
+
+	if realmURL.Scheme == "" {
+		if registryEndpoint.IsSecure {
+			realmURL.Scheme = "https"
+		} else {
+			realmURL.Scheme = "http"
+		}
+	}
+
+	req, err := factory.NewRequest("GET", realmURL.String(), nil)
+	if err != nil {
+		return "", err
+	}
+
+	reqParams := req.URL.Query()
+	service := params["service"]
+	scope := params["scope"]
+
+	if service != "" {
+		reqParams.Add("service", service)
+	}
+
+	for _, scopeField := range strings.Fields(scope) {
+		reqParams.Add("scope", scopeField)
+	}
+
+	reqParams.Add("account", username)
+
+	req.URL.RawQuery = reqParams.Encode()
+	req.SetBasicAuth(username, password)
+
+	resp, err := client.Do(req)
+	if err != nil {
+		return "", err
+	}
+	defer resp.Body.Close()
+
+	if !(resp.StatusCode == http.StatusOK || resp.StatusCode == http.StatusNoContent) {
+		return "", fmt.Errorf("token auth attempt for registry %s: %s request failed with status: %d %s", registryEndpoint, req.URL, resp.StatusCode, http.StatusText(resp.StatusCode))
+	}
+
+	token = resp.Header.Get("X-Auth-Token")
+	if token == "" {
+		return "", errors.New("token server did not include a token in the response header")
+	}
+
+	return token, nil
+}

registry/types.go

@@ -55,14 +55,15 @@ func (av APIVersion) String() string {
 	return apiVersions[av]
 }
 
-var DefaultAPIVersion APIVersion = APIVersion1
 var apiVersions = map[APIVersion]string{
 	1: "v1",
 	2: "v2",
 }
 
+// API Version identifiers.
 const (
-	APIVersion1 = iota + 1
+	APIVersionUnknown = iota
+	APIVersion1
 	APIVersion2
 )