Fix for issue 9922: private registry search with auth returns 401

Signed-off-by: Don Kjer <don.kjer@gmail.com>

docs/auth.go

@@ -1,7 +1,6 @@
 package registry
 
 import (
-	"crypto/tls"
 	"encoding/base64"
 	"encoding/json"
 	"errors"
@@ -71,21 +70,7 @@ func (auth *RequestAuthorization) getToken() (string, error) {
 		return auth.tokenCache, nil
 	}
 
-	tlsConfig := tls.Config{
+	client := auth.registryEndpoint.HTTPClient()
-		MinVersion: tls.VersionTLS10,
-	}
-	if !auth.registryEndpoint.IsSecure {
-		tlsConfig.InsecureSkipVerify = true
-	}
-
-	client := &http.Client{
-		Transport: &http.Transport{
-			DisableKeepAlives: true,
-			Proxy:             http.ProxyFromEnvironment,
-			TLSClientConfig:   &tlsConfig,
-		},
-		CheckRedirect: AddRequiredHeadersToRedirectedRequests,
-	}
 	factory := HTTPRequestFactory(nil)
 
 	for _, challenge := range auth.registryEndpoint.AuthChallenges {
@@ -252,16 +237,10 @@ func Login(authConfig *AuthConfig, registryEndpoint *Endpoint, factory *utils.HT
 // loginV1 tries to register/login to the v1 registry server.
 func loginV1(authConfig *AuthConfig, registryEndpoint *Endpoint, factory *utils.HTTPRequestFactory) (string, error) {
 	var (
-		status  string
+		status        string
-		reqBody []byte
+		reqBody       []byte
-		err     error
+		err           error
-		client  = &http.Client{
+		client        = registryEndpoint.HTTPClient()
-			Transport: &http.Transport{
-				DisableKeepAlives: true,
-				Proxy:             http.ProxyFromEnvironment,
-			},
-			CheckRedirect: AddRequiredHeadersToRedirectedRequests,
-		}
 		reqStatusCode = 0
 		serverAddress = authConfig.ServerAddress
 	)
@@ -285,7 +264,7 @@ func loginV1(authConfig *AuthConfig, registryEndpoint *Endpoint, factory *utils.
 
 	// using `bytes.NewReader(jsonBody)` here causes the server to respond with a 411 status.
 	b := strings.NewReader(string(jsonBody))
-	req1, err := http.Post(serverAddress+"users/", "application/json; charset=utf-8", b)
+	req1, err := client.Post(serverAddress+"users/", "application/json; charset=utf-8", b)
 	if err != nil {
 		return "", fmt.Errorf("Server Error: %s", err)
 	}
@@ -371,26 +350,10 @@ func loginV1(authConfig *AuthConfig, registryEndpoint *Endpoint, factory *utils.
 // is to be determined.
 func loginV2(authConfig *AuthConfig, registryEndpoint *Endpoint, factory *utils.HTTPRequestFactory) (string, error) {
 	log.Debugf("attempting v2 login to registry endpoint %s", registryEndpoint)
-
-	tlsConfig := tls.Config{
-		MinVersion: tls.VersionTLS10,
-	}
-	if !registryEndpoint.IsSecure {
-		tlsConfig.InsecureSkipVerify = true
-	}
-
-	client := &http.Client{
-		Transport: &http.Transport{
-			DisableKeepAlives: true,
-			Proxy:             http.ProxyFromEnvironment,
-			TLSClientConfig:   &tlsConfig,
-		},
-		CheckRedirect: AddRequiredHeadersToRedirectedRequests,
-	}
-
 	var (
 		err       error
 		allErrors []error
+		client    = registryEndpoint.HTTPClient()
 	)
 
 	for _, challenge := range registryEndpoint.AuthChallenges {

docs/endpoint.go

@@ -1,6 +1,7 @@
 package registry
 
 import (
+	"crypto/tls"
 	"encoding/json"
 	"fmt"
 	"io/ioutil"
@@ -262,3 +263,20 @@ HeaderLoop:
 
 	return RegistryInfo{}, fmt.Errorf("v2 registry endpoint returned status %d: %q", resp.StatusCode, http.StatusText(resp.StatusCode))
 }
+
+func (e *Endpoint) HTTPClient() *http.Client {
+	tlsConfig := tls.Config{
+		MinVersion: tls.VersionTLS10,
+	}
+	if !e.IsSecure {
+		tlsConfig.InsecureSkipVerify = true
+	}
+	return &http.Client{
+		Transport: &http.Transport{
+			DisableKeepAlives: true,
+			Proxy:             http.ProxyFromEnvironment,
+			TLSClientConfig:   &tlsConfig,
+		},
+		CheckRedirect: AddRequiredHeadersToRedirectedRequests,
+	}
+}

docs/session.go

@@ -511,6 +511,10 @@ func (r *Session) PushImageJSONIndex(remote string, imgList []*ImgData, validate
 	}
 	defer res.Body.Close()
 
+	if res.StatusCode == 401 {
+		return nil, errLoginRequired
+	}
+
 	var tokens, endpoints []string
 	if !validate {
 		if res.StatusCode != 200 && res.StatusCode != 201 {