From 5a8f690426b9e1ea9490064b08aa9511c23075e4 Mon Sep 17 00:00:00 2001
From: Tibor Vass <tibor@docker.com>
Date: Mon, 8 Jun 2015 19:56:37 -0400
Subject: [PATCH] Do not set auth headers if 302

This patch ensures no auth headers are set for v1 registries if there
was a 302 redirect.

This also ensures v2 does not use authTransport.

Signed-off-by: Tibor Vass <tibor@docker.com>
---
 docs/session.go | 21 +++++++++++++--------
 1 file changed, 13 insertions(+), 8 deletions(-)

diff --git a/docs/session.go b/docs/session.go
index d7478f6c4..ca1f8e495 100644
--- a/docs/session.go
+++ b/docs/session.go
@@ -70,6 +70,15 @@ func AuthTransport(base http.RoundTripper, authConfig *cliconfig.AuthConfig, alw
 }
 
 func (tr *authTransport) RoundTrip(orig *http.Request) (*http.Response, error) {
+	// Authorization should not be set on 302 redirect for untrusted locations.
+	// This logic mirrors the behavior in AddRequiredHeadersToRedirectedRequests.
+	// As the authorization logic is currently implemented in RoundTrip,
+	// a 302 redirect is detected by looking at the Referer header as go http package adds said header.
+	// This is safe as Docker doesn't set Referer in other scenarios.
+	if orig.Header.Get("Referer") != "" && !trustedLocation(orig) {
+		return tr.RoundTripper.RoundTrip(orig)
+	}
+
 	req := transport.CloneRequest(orig)
 	tr.mu.Lock()
 	tr.modReq[orig] = req
@@ -84,13 +93,7 @@ func (tr *authTransport) RoundTrip(orig *http.Request) (*http.Response, error) {
 	if req.Header.Get("Authorization") == "" {
 		if req.Header.Get("X-Docker-Token") == "true" && len(tr.Username) > 0 {
 			req.SetBasicAuth(tr.Username, tr.Password)
-		} else if len(tr.token) > 0 &&
-			// Authorization should not be set on 302 redirect for untrusted locations.
-			// This logic mirrors the behavior in AddRequiredHeadersToRedirectedRequests.
-			// As the authorization logic is currently implemented in RoundTrip,
-			// a 302 redirect is detected by looking at the Referer header as go http package adds said header.
-			// This is safe as Docker doesn't set Referer in other scenarios.
-			(req.Header.Get("Referer") == "" || trustedLocation(orig)) {
+		} else if len(tr.token) > 0 {
 			req.Header.Set("Authorization", "Token "+strings.Join(tr.token, ","))
 		}
 	}
@@ -151,7 +154,9 @@ func NewSession(client *http.Client, authConfig *cliconfig.AuthConfig, endpoint
 		}
 	}
 
-	client.Transport = AuthTransport(client.Transport, authConfig, alwaysSetBasicAuth)
+	if endpoint.Version == APIVersion1 {
+		client.Transport = AuthTransport(client.Transport, authConfig, alwaysSetBasicAuth)
+	}
 
 	jar, err := cookiejar.New(nil)
 	if err != nil {