Deprecating ResolveRepositoryName

Passing RepositoryInfo to ResolveAuthConfig, pullRepository, and pushRepository

Moving --registry-mirror configuration to registry config

Created resolve_repository job

Repo names with 'index.docker.io' or 'docker.io' are now synonymous with omitting an index name.

Adding test for RepositoryInfo

Adding tests for opts.StringSetOpts and registry.ValidateMirror

Fixing search term use of repoInfo

Adding integration tests for registry mirror configuration

Normalizing LookupImage image name to match LocalName parsing rules

Normalizing repository LocalName to avoid multiple references to an official image

Removing errorOut use in tests

Removing TODO comment

gofmt changes

golint comments cleanup.  renaming RegistryOptions => registry.Options, and RegistryServiceConfig => registry.ServiceConfig

Splitting out builtins.Registry and registry.NewService calls

Stray whitespace cleanup

Moving integration tests for Mirrors and InsecureRegistries into TestNewIndexInfo unit test

Factoring out ValidateRepositoryName from NewRepositoryInfo

Removing unused IndexServerURL

Allowing json marshaling of ServiceConfig.  Exposing ServiceConfig in /info

Switching to CamelCase for json marshaling

PR cleanup; removing 'Is' prefix from boolean members.  Removing unneeded json tags.

Removing non-cleanup related fix for 'localhost:[port]' in splitReposName

Merge fixes for gh9735

Fixing integration test

Reapplying #9754

Adding comment on config.IndexConfigs use from isSecureIndex

Remove unused error return value from isSecureIndex

Signed-off-by: Don Kjer <don.kjer@gmail.com>

Adding back comment in isSecureIndex

Signed-off-by: Don Kjer <don.kjer@gmail.com>

docs/auth.go

@@ -7,7 +7,6 @@ import (
 	"fmt"
 	"io/ioutil"
 	"net/http"
-	"net/url"
 	"os"
 	"path"
 	"strings"
@@ -22,23 +21,15 @@ const (
 	// Only used for user auth + account creation
 	INDEXSERVER    = "https://index.docker.io/v1/"
 	REGISTRYSERVER = "https://registry-1.docker.io/v1/"
+	INDEXNAME      = "docker.io"
 
 	// INDEXSERVER = "https://registry-stage.hub.docker.com/v1/"
 )
 
 var (
 	ErrConfigFileMissing = errors.New("The Auth config file is missing")
-	IndexServerURL       *url.URL
 )
 
-func init() {
-	url, err := url.Parse(INDEXSERVER)
-	if err != nil {
-		panic(err)
-	}
-	IndexServerURL = url
-}
-
 type AuthConfig struct {
 	Username      string `json:"username,omitempty"`
 	Password      string `json:"password,omitempty"`
@@ -56,6 +47,10 @@ func IndexServerAddress() string {
 	return INDEXSERVER
 }
 
+func IndexServerName() string {
+	return INDEXNAME
+}
+
 // create a base64 encoded auth string to store in config
 func encodeAuth(authConfig *AuthConfig) string {
 	authStr := authConfig.Username + ":" + authConfig.Password
@@ -118,6 +113,7 @@ func LoadConfig(rootPath string) (*ConfigFile, error) {
 		}
 		authConfig.Email = origEmail[1]
 		authConfig.ServerAddress = IndexServerAddress()
+		// *TODO: Switch to using IndexServerName() instead?
 		configFile.Configs[IndexServerAddress()] = authConfig
 	} else {
 		for k, authConfig := range configFile.Configs {
@@ -181,7 +177,7 @@ func Login(authConfig *AuthConfig, factory *utils.HTTPRequestFactory) (string, e
 	)
 
 	if serverAddress == "" {
-		serverAddress = IndexServerAddress()
+		return "", fmt.Errorf("Server Error: Server Address not set.")
 	}
 
 	loginAgainstOfficialIndex := serverAddress == IndexServerAddress()
@@ -213,6 +209,7 @@ func Login(authConfig *AuthConfig, factory *utils.HTTPRequestFactory) (string, e
 			status = "Account created. Please use the confirmation link we sent" +
 				" to your e-mail to activate it."
 		} else {
+			// *TODO: Use registry configuration to determine what this says, if anything?
 			status = "Account created. Please see the documentation of the registry " + serverAddress + " for instructions how to activate it."
 		}
 	} else if reqStatusCode == 400 {
@@ -236,6 +233,7 @@ func Login(authConfig *AuthConfig, factory *utils.HTTPRequestFactory) (string, e
 				if loginAgainstOfficialIndex {
 					return "", fmt.Errorf("Login: Account is not Active. Please check your e-mail for a confirmation link.")
 				}
+				// *TODO: Use registry configuration to determine what this says, if anything?
 				return "", fmt.Errorf("Login: Account is not Active. Please see the documentation of the registry %s for instructions how to activate it.", serverAddress)
 			}
 			return "", fmt.Errorf("Login: %s (Code: %d; Headers: %s)", body, resp.StatusCode, resp.Header)
@@ -271,14 +269,10 @@ func Login(authConfig *AuthConfig, factory *utils.HTTPRequestFactory) (string, e
 }
 
 // this method matches a auth configuration to a server address or a url
-func (config *ConfigFile) ResolveAuthConfig(hostname string) AuthConfig {
+func (config *ConfigFile) ResolveAuthConfig(index *IndexInfo) AuthConfig {
-	if hostname == IndexServerAddress() || len(hostname) == 0 {
+	configKey := index.GetAuthConfigKey()
-		// default to the index server
-		return config.Configs[IndexServerAddress()]
-	}
-
 	// First try the happy case
-	if c, found := config.Configs[hostname]; found {
+	if c, found := config.Configs[configKey]; found || index.Official {
 		return c
 	}
 
@@ -297,9 +291,8 @@ func (config *ConfigFile) ResolveAuthConfig(hostname string) AuthConfig {
 
 	// Maybe they have a legacy config file, we will iterate the keys converting
 	// them to the new format and testing
-	normalizedHostename := convertToHostname(hostname)
 	for registry, config := range config.Configs {
-		if registryHostname := convertToHostname(registry); registryHostname == normalizedHostename {
+		if configKey == convertToHostname(registry) {
 			return config
 		}
 	}

docs/auth_test.go

@@ -81,12 +81,20 @@ func TestResolveAuthConfigIndexServer(t *testing.T) {
 	}
 	defer os.RemoveAll(configFile.rootPath)
 
-	for _, registry := range []string{"", IndexServerAddress()} {
+	indexConfig := configFile.Configs[IndexServerAddress()]
-		resolved := configFile.ResolveAuthConfig(registry)
+
-		if resolved != configFile.Configs[IndexServerAddress()] {
+	officialIndex := &IndexInfo{
-			t.Fail()
+		Official: true,
-		}
 	}
+	privateIndex := &IndexInfo{
+		Official: false,
+	}
+
+	resolved := configFile.ResolveAuthConfig(officialIndex)
+	assertEqual(t, resolved, indexConfig, "Expected ResolveAuthConfig to return IndexServerAddress()")
+
+	resolved = configFile.ResolveAuthConfig(privateIndex)
+	assertNotEqual(t, resolved, indexConfig, "Expected ResolveAuthConfig to not return IndexServerAddress()")
 }
 
 func TestResolveAuthConfigFullURL(t *testing.T) {
@@ -106,18 +114,27 @@ func TestResolveAuthConfigFullURL(t *testing.T) {
 		Password: "bar-pass",
 		Email:    "bar@example.com",
 	}
-	configFile.Configs["https://registry.example.com/v1/"] = registryAuth
+	officialAuth := AuthConfig{
-	configFile.Configs["http://localhost:8000/v1/"] = localAuth
+		Username: "baz-user",
-	configFile.Configs["registry.com"] = registryAuth
+		Password: "baz-pass",
+		Email:    "baz@example.com",
+	}
+	configFile.Configs[IndexServerAddress()] = officialAuth
+
+	expectedAuths := map[string]AuthConfig{
+		"registry.example.com": registryAuth,
+		"localhost:8000":       localAuth,
+		"registry.com":         localAuth,
+	}
 
 	validRegistries := map[string][]string{
-		"https://registry.example.com/v1/": {
+		"registry.example.com": {
 			"https://registry.example.com/v1/",
 			"http://registry.example.com/v1/",
 			"registry.example.com",
 			"registry.example.com/v1/",
 		},
-		"http://localhost:8000/v1/": {
+		"localhost:8000": {
 			"https://localhost:8000/v1/",
 			"http://localhost:8000/v1/",
 			"localhost:8000",
@@ -132,18 +149,24 @@ func TestResolveAuthConfigFullURL(t *testing.T) {
 	}
 
 	for configKey, registries := range validRegistries {
+		configured, ok := expectedAuths[configKey]
+		if !ok || configured.Email == "" {
+			t.Fatal()
+		}
+		index := &IndexInfo{
+			Name: configKey,
+		}
 		for _, registry := range registries {
-			var (
+			configFile.Configs[registry] = configured
-				configured AuthConfig
+			resolved := configFile.ResolveAuthConfig(index)
-				ok         bool
-			)
-			resolved := configFile.ResolveAuthConfig(registry)
-			if configured, ok = configFile.Configs[configKey]; !ok {
-				t.Fail()
-			}
 			if resolved.Email != configured.Email {
 				t.Errorf("%s -> %q != %q\n", registry, resolved.Email, configured.Email)
 			}
+			delete(configFile.Configs, registry)
+			resolved = configFile.ResolveAuthConfig(index)
+			if resolved.Email == configured.Email {
+				t.Errorf("%s -> %q == %q\n", registry, resolved.Email, configured.Email)
+			}
 		}
 	}
 }

docs/config.go

@@ -0,0 +1,126 @@
+package registry
+
+import (
+	"encoding/json"
+	"fmt"
+	"net"
+	"net/url"
+
+	"github.com/docker/docker/opts"
+	flag "github.com/docker/docker/pkg/mflag"
+)
+
+// Options holds command line options.
+type Options struct {
+	Mirrors            opts.ListOpts
+	InsecureRegistries opts.ListOpts
+}
+
+// InstallFlags adds command-line options to the top-level flag parser for
+// the current process.
+func (options *Options) InstallFlags() {
+	options.Mirrors = opts.NewListOpts(ValidateMirror)
+	flag.Var(&options.Mirrors, []string{"-registry-mirror"}, "Specify a preferred Docker registry mirror")
+	options.InsecureRegistries = opts.NewListOpts(ValidateIndexName)
+	flag.Var(&options.InsecureRegistries, []string{"-insecure-registry"}, "Enable insecure communication with specified registries (no certificate verification for HTTPS and enable HTTP fallback) (e.g., localhost:5000 or 10.20.0.0/16)")
+}
+
+// ValidateMirror validates an HTTP(S) registry mirror
+func ValidateMirror(val string) (string, error) {
+	uri, err := url.Parse(val)
+	if err != nil {
+		return "", fmt.Errorf("%s is not a valid URI", val)
+	}
+
+	if uri.Scheme != "http" && uri.Scheme != "https" {
+		return "", fmt.Errorf("Unsupported scheme %s", uri.Scheme)
+	}
+
+	if uri.Path != "" || uri.RawQuery != "" || uri.Fragment != "" {
+		return "", fmt.Errorf("Unsupported path/query/fragment at end of the URI")
+	}
+
+	return fmt.Sprintf("%s://%s/v1/", uri.Scheme, uri.Host), nil
+}
+
+// ValidateIndexName validates an index name.
+func ValidateIndexName(val string) (string, error) {
+	// 'index.docker.io' => 'docker.io'
+	if val == "index."+IndexServerName() {
+		val = IndexServerName()
+	}
+	// *TODO: Check if valid hostname[:port]/ip[:port]?
+	return val, nil
+}
+
+type netIPNet net.IPNet
+
+func (ipnet *netIPNet) MarshalJSON() ([]byte, error) {
+	return json.Marshal((*net.IPNet)(ipnet).String())
+}
+
+func (ipnet *netIPNet) UnmarshalJSON(b []byte) (err error) {
+	var ipnet_str string
+	if err = json.Unmarshal(b, &ipnet_str); err == nil {
+		var cidr *net.IPNet
+		if _, cidr, err = net.ParseCIDR(ipnet_str); err == nil {
+			*ipnet = netIPNet(*cidr)
+		}
+	}
+	return
+}
+
+// ServiceConfig stores daemon registry services configuration.
+type ServiceConfig struct {
+	InsecureRegistryCIDRs []*netIPNet           `json:"InsecureRegistryCIDRs"`
+	IndexConfigs          map[string]*IndexInfo `json:"IndexConfigs"`
+}
+
+// NewServiceConfig returns a new instance of ServiceConfig
+func NewServiceConfig(options *Options) *ServiceConfig {
+	if options == nil {
+		options = &Options{
+			Mirrors:            opts.NewListOpts(nil),
+			InsecureRegistries: opts.NewListOpts(nil),
+		}
+	}
+
+	// Localhost is by default considered as an insecure registry
+	// This is a stop-gap for people who are running a private registry on localhost (especially on Boot2docker).
+	//
+	// TODO: should we deprecate this once it is easier for people to set up a TLS registry or change
+	// daemon flags on boot2docker?
+	options.InsecureRegistries.Set("127.0.0.0/8")
+
+	config := &ServiceConfig{
+		InsecureRegistryCIDRs: make([]*netIPNet, 0),
+		IndexConfigs:          make(map[string]*IndexInfo, 0),
+	}
+	// Split --insecure-registry into CIDR and registry-specific settings.
+	for _, r := range options.InsecureRegistries.GetAll() {
+		// Check if CIDR was passed to --insecure-registry
+		_, ipnet, err := net.ParseCIDR(r)
+		if err == nil {
+			// Valid CIDR.
+			config.InsecureRegistryCIDRs = append(config.InsecureRegistryCIDRs, (*netIPNet)(ipnet))
+		} else {
+			// Assume `host:port` if not CIDR.
+			config.IndexConfigs[r] = &IndexInfo{
+				Name:     r,
+				Mirrors:  make([]string, 0),
+				Secure:   false,
+				Official: false,
+			}
+		}
+	}
+
+	// Configure public registry.
+	config.IndexConfigs[IndexServerName()] = &IndexInfo{
+		Name:     IndexServerName(),
+		Mirrors:  options.Mirrors.GetAll(),
+		Secure:   true,
+		Official: true,
+	}
+
+	return config
+}

docs/config_test.go

@@ -0,0 +1,49 @@
+package registry
+
+import (
+	"testing"
+)
+
+func TestValidateMirror(t *testing.T) {
+	valid := []string{
+		"http://mirror-1.com",
+		"https://mirror-1.com",
+		"http://localhost",
+		"https://localhost",
+		"http://localhost:5000",
+		"https://localhost:5000",
+		"http://127.0.0.1",
+		"https://127.0.0.1",
+		"http://127.0.0.1:5000",
+		"https://127.0.0.1:5000",
+	}
+
+	invalid := []string{
+		"!invalid!://%as%",
+		"ftp://mirror-1.com",
+		"http://mirror-1.com/",
+		"http://mirror-1.com/?q=foo",
+		"http://mirror-1.com/v1/",
+		"http://mirror-1.com/v1/?q=foo",
+		"http://mirror-1.com/v1/?q=foo#frag",
+		"http://mirror-1.com?q=foo",
+		"https://mirror-1.com#frag",
+		"https://mirror-1.com/",
+		"https://mirror-1.com/#frag",
+		"https://mirror-1.com/v1/",
+		"https://mirror-1.com/v1/#",
+		"https://mirror-1.com?q",
+	}
+
+	for _, address := range valid {
+		if ret, err := ValidateMirror(address); err != nil || ret == "" {
+			t.Errorf("ValidateMirror(`"+address+"`) got %s %s", ret, err)
+		}
+	}
+
+	for _, address := range invalid {
+		if ret, err := ValidateMirror(address); err == nil || ret != "" {
+			t.Errorf("ValidateMirror(`"+address+"`) got %s %s", ret, err)
+		}
+	}
+}

docs/endpoint.go

@@ -37,8 +37,9 @@ func scanForAPIVersion(hostname string) (string, APIVersion) {
 	return hostname, DefaultAPIVersion
 }
 
-func NewEndpoint(hostname string, insecureRegistries []string) (*Endpoint, error) {
+func NewEndpoint(index *IndexInfo) (*Endpoint, error) {
-	endpoint, err := newEndpoint(hostname, insecureRegistries)
+	// *TODO: Allow per-registry configuration of endpoints.
+	endpoint, err := newEndpoint(index.GetAuthConfigKey(), index.Secure)
 	if err != nil {
 		return nil, err
 	}
@@ -49,7 +50,7 @@ func NewEndpoint(hostname string, insecureRegistries []string) (*Endpoint, error
 
 		//TODO: triggering highland build can be done there without "failing"
 
-		if endpoint.secure {
+		if index.Secure {
 			// If registry is secure and HTTPS failed, show user the error and tell them about `--insecure-registry`
 			// in case that's what they need. DO NOT accept unknown CA certificates, and DO NOT fallback to HTTP.
 			return nil, fmt.Errorf("Invalid registry endpoint %s: %v. If this private registry supports only HTTP or HTTPS with an unknown CA certificate, please add `--insecure-registry %s` to the daemon's arguments. In the case of HTTPS, if you have access to the registry's CA certificate, no need for the flag; simply place the CA certificate at /etc/docker/certs.d/%s/ca.crt", endpoint, err, endpoint.URL.Host, endpoint.URL.Host)
@@ -68,7 +69,7 @@ func NewEndpoint(hostname string, insecureRegistries []string) (*Endpoint, error
 
 	return endpoint, nil
 }
-func newEndpoint(hostname string, insecureRegistries []string) (*Endpoint, error) {
+func newEndpoint(hostname string, secure bool) (*Endpoint, error) {
 	var (
 		endpoint        = Endpoint{}
 		trimmedHostname string
@@ -82,13 +83,14 @@ func newEndpoint(hostname string, insecureRegistries []string) (*Endpoint, error
 	if err != nil {
 		return nil, err
 	}
-	endpoint.secure, err = isSecure(endpoint.URL.Host, insecureRegistries)
+	endpoint.secure = secure
-	if err != nil {
-		return nil, err
-	}
 	return &endpoint, nil
 }
 
+func (repoInfo *RepositoryInfo) GetEndpoint() (*Endpoint, error) {
+	return NewEndpoint(repoInfo.Index)
+}
+
 type Endpoint struct {
 	URL     *url.URL
 	Version APIVersion
@@ -156,27 +158,30 @@ func (e Endpoint) Ping() (RegistryInfo, error) {
 	return info, nil
 }
 
-// isSecure returns false if the provided hostname is part of the list of insecure registries.
+// isSecureIndex returns false if the provided indexName is part of the list of insecure registries
 // Insecure registries accept HTTP and/or accept HTTPS with certificates from unknown CAs.
 //
 // The list of insecure registries can contain an element with CIDR notation to specify a whole subnet.
-// If the subnet contains one of the IPs of the registry specified by hostname, the latter is considered
+// If the subnet contains one of the IPs of the registry specified by indexName, the latter is considered
 // insecure.
 //
-// hostname should be a URL.Host (`host:port` or `host`) where the `host` part can be either a domain name
+// indexName should be a URL.Host (`host:port` or `host`) where the `host` part can be either a domain name
 // or an IP address. If it is a domain name, then it will be resolved in order to check if the IP is contained
-// in a subnet. If the resolving is not successful, isSecure will only try to match hostname to any element
+// in a subnet. If the resolving is not successful, isSecureIndex will only try to match hostname to any element
 // of insecureRegistries.
-func isSecure(hostname string, insecureRegistries []string) (bool, error) {
+func (config *ServiceConfig) isSecureIndex(indexName string) bool {
-	if hostname == IndexServerURL.Host {
+	// Check for configured index, first.  This is needed in case isSecureIndex
-		return true, nil
+	// is called from anything besides NewIndexInfo, in order to honor per-index configurations.
+	if index, ok := config.IndexConfigs[indexName]; ok {
+		return index.Secure
 	}
 
-	host, _, err := net.SplitHostPort(hostname)
+	host, _, err := net.SplitHostPort(indexName)
 	if err != nil {
-		// assume hostname is of the form `host` without the port and go on.
+		// assume indexName is of the form `host` without the port and go on.
-		host = hostname
+		host = indexName
 	}
+
 	addrs, err := lookupIP(host)
 	if err != nil {
 		ip := net.ParseIP(host)
@@ -189,29 +194,15 @@ func isSecure(hostname string, insecureRegistries []string) (bool, error) {
 		// So, len(addrs) == 0 and we're not aborting.
 	}
 
-	for _, r := range insecureRegistries {
+	// Try CIDR notation only if addrs has any elements, i.e. if `host`'s IP could be determined.
-		if hostname == r {
+	for _, addr := range addrs {
-			// hostname matches insecure registry
+		for _, ipnet := range config.InsecureRegistryCIDRs {
-			return false, nil
-		}
-
-		// Try CIDR notation only if addrs has any elements, i.e. if `host`'s IP could be determined.
-		for _, addr := range addrs {
-
-			// now assume a CIDR was passed to --insecure-registry
-			_, ipnet, err := net.ParseCIDR(r)
-			if err != nil {
-				// if we could not parse it as a CIDR, even after removing
-				// assume it's not a CIDR and go on with the next candidate
-				break
-			}
-
 			// check if the addr falls in the subnet
-			if ipnet.Contains(addr) {
+			if (*net.IPNet)(ipnet).Contains(addr) {
-				return false, nil
+				return false
 			}
 		}
 	}
 
-	return true, nil
+	return true
 }

docs/endpoint_test.go

@@ -12,7 +12,7 @@ func TestEndpointParse(t *testing.T) {
 		{"0.0.0.0:5000", "https://0.0.0.0:5000/v1/"},
 	}
 	for _, td := range testData {
-		e, err := newEndpoint(td.str, insecureRegistries)
+		e, err := newEndpoint(td.str, false)
 		if err != nil {
 			t.Errorf("%q: %s", td.str, err)
 		}

docs/registry.go

@@ -25,6 +25,7 @@ var (
 	errLoginRequired         = errors.New("Authentication is required.")
 	validNamespaceChars      = regexp.MustCompile(`^([a-z0-9-_]*)$`)
 	validRepo                = regexp.MustCompile(`^([a-z0-9-_.]+)$`)
+	emptyServiceConfig       = NewServiceConfig(nil)
 )
 
 type TimeoutType uint32
@@ -160,12 +161,12 @@ func doRequest(req *http.Request, jar http.CookieJar, timeout TimeoutType, secur
 	return res, client, err
 }
 
-func validateRepositoryName(repositoryName string) error {
+func validateRemoteName(remoteName string) error {
 	var (
 		namespace string
 		name      string
 	)
-	nameParts := strings.SplitN(repositoryName, "/", 2)
+	nameParts := strings.SplitN(remoteName, "/", 2)
 	if len(nameParts) < 2 {
 		namespace = "library"
 		name = nameParts[0]
@@ -196,29 +197,147 @@ func validateRepositoryName(repositoryName string) error {
 	return nil
 }
 
-// Resolves a repository name to a hostname + name
+// NewIndexInfo returns IndexInfo configuration from indexName
-func ResolveRepositoryName(reposName string) (string, string, error) {
+func NewIndexInfo(config *ServiceConfig, indexName string) (*IndexInfo, error) {
-	if strings.Contains(reposName, "://") {
+	var err error
-		// It cannot contain a scheme!
+	indexName, err = ValidateIndexName(indexName)
-		return "", "", ErrInvalidRepositoryName
+	if err != nil {
-	}
+		return nil, err
-	nameParts := strings.SplitN(reposName, "/", 2)
-	if len(nameParts) == 1 || (!strings.Contains(nameParts[0], ".") && !strings.Contains(nameParts[0], ":") &&
-		nameParts[0] != "localhost") {
-		// This is a Docker Index repos (ex: samalba/hipache or ubuntu)
-		err := validateRepositoryName(reposName)
-		return IndexServerAddress(), reposName, err
-	}
-	hostname := nameParts[0]
-	reposName = nameParts[1]
-	if strings.Contains(hostname, "index.docker.io") {
-		return "", "", fmt.Errorf("Invalid repository name, try \"%s\" instead", reposName)
-	}
-	if err := validateRepositoryName(reposName); err != nil {
-		return "", "", err
 	}
 
-	return hostname, reposName, nil
+	// Return any configured index info, first.
+	if index, ok := config.IndexConfigs[indexName]; ok {
+		return index, nil
+	}
+
+	// Construct a non-configured index info.
+	index := &IndexInfo{
+		Name:     indexName,
+		Mirrors:  make([]string, 0),
+		Official: false,
+	}
+	index.Secure = config.isSecureIndex(indexName)
+	return index, nil
+}
+
+func validateNoSchema(reposName string) error {
+	if strings.Contains(reposName, "://") {
+		// It cannot contain a scheme!
+		return ErrInvalidRepositoryName
+	}
+	return nil
+}
+
+// splitReposName breaks a reposName into an index name and remote name
+func splitReposName(reposName string) (string, string) {
+	nameParts := strings.SplitN(reposName, "/", 2)
+	var indexName, remoteName string
+	if len(nameParts) == 1 || (!strings.Contains(nameParts[0], ".") &&
+		!strings.Contains(nameParts[0], ":") && nameParts[0] != "localhost") {
+		// This is a Docker Index repos (ex: samalba/hipache or ubuntu)
+		// 'docker.io'
+		indexName = IndexServerName()
+		remoteName = reposName
+	} else {
+		indexName = nameParts[0]
+		remoteName = nameParts[1]
+	}
+	return indexName, remoteName
+}
+
+// NewRepositoryInfo validates and breaks down a repository name into a RepositoryInfo
+func NewRepositoryInfo(config *ServiceConfig, reposName string) (*RepositoryInfo, error) {
+	if err := validateNoSchema(reposName); err != nil {
+		return nil, err
+	}
+
+	indexName, remoteName := splitReposName(reposName)
+	if err := validateRemoteName(remoteName); err != nil {
+		return nil, err
+	}
+
+	repoInfo := &RepositoryInfo{
+		RemoteName: remoteName,
+	}
+
+	var err error
+	repoInfo.Index, err = NewIndexInfo(config, indexName)
+	if err != nil {
+		return nil, err
+	}
+
+	if repoInfo.Index.Official {
+		normalizedName := repoInfo.RemoteName
+		if strings.HasPrefix(normalizedName, "library/") {
+			// If pull "library/foo", it's stored locally under "foo"
+			normalizedName = strings.SplitN(normalizedName, "/", 2)[1]
+		}
+
+		repoInfo.LocalName = normalizedName
+		repoInfo.RemoteName = normalizedName
+		// If the normalized name does not contain a '/' (e.g. "foo")
+		// then it is an official repo.
+		if strings.IndexRune(normalizedName, '/') == -1 {
+			repoInfo.Official = true
+			// Fix up remote name for official repos.
+			repoInfo.RemoteName = "library/" + normalizedName
+		}
+
+		// *TODO: Prefix this with 'docker.io/'.
+		repoInfo.CanonicalName = repoInfo.LocalName
+	} else {
+		// *TODO: Decouple index name from hostname (via registry configuration?)
+		repoInfo.LocalName = repoInfo.Index.Name + "/" + repoInfo.RemoteName
+		repoInfo.CanonicalName = repoInfo.LocalName
+	}
+	return repoInfo, nil
+}
+
+// ValidateRepositoryName validates a repository name
+func ValidateRepositoryName(reposName string) error {
+	var err error
+	if err = validateNoSchema(reposName); err != nil {
+		return err
+	}
+	indexName, remoteName := splitReposName(reposName)
+	if _, err = ValidateIndexName(indexName); err != nil {
+		return err
+	}
+	return validateRemoteName(remoteName)
+}
+
+// ParseRepositoryInfo performs the breakdown of a repository name into a RepositoryInfo, but
+// lacks registry configuration.
+func ParseRepositoryInfo(reposName string) (*RepositoryInfo, error) {
+	return NewRepositoryInfo(emptyServiceConfig, reposName)
+}
+
+// NormalizeLocalName transforms a repository name into a normalize LocalName
+// Passes through the name without transformation on error (image id, etc)
+func NormalizeLocalName(name string) string {
+	repoInfo, err := ParseRepositoryInfo(name)
+	if err != nil {
+		return name
+	}
+	return repoInfo.LocalName
+}
+
+// GetAuthConfigKey special-cases using the full index address of the official
+// index as the AuthConfig key, and uses the (host)name[:port] for private indexes.
+func (index *IndexInfo) GetAuthConfigKey() string {
+	if index.Official {
+		return IndexServerAddress()
+	}
+	return index.Name
+}
+
+// GetSearchTerm special-cases using local name for official index, and
+// remote name for private indexes.
+func (repoInfo *RepositoryInfo) GetSearchTerm() string {
+	if repoInfo.Index.Official {
+		return repoInfo.LocalName
+	}
+	return repoInfo.RemoteName
 }
 
 func trustedLocation(req *http.Request) bool {

docs/registry_mock_test.go

@@ -15,15 +15,16 @@ import (
 	"testing"
 	"time"
 
+	"github.com/docker/docker/opts"
 	"github.com/gorilla/mux"
 
 	log "github.com/Sirupsen/logrus"
 )
 
 var (
-	testHTTPServer     *httptest.Server
+	testHTTPServer  *httptest.Server
-	insecureRegistries []string
+	testHTTPSServer *httptest.Server
-	testLayers         = map[string]map[string]string{
+	testLayers      = map[string]map[string]string{
 		"77dbf71da1d00e3fbddc480176eac8994025630c6590d11cfc8fe1209c2a1d20": {
 			"json": `{"id":"77dbf71da1d00e3fbddc480176eac8994025630c6590d11cfc8fe1209c2a1d20",
 				"comment":"test base image","created":"2013-03-23T12:53:11.10432-07:00",
@@ -86,6 +87,7 @@ var (
 		"":            {net.ParseIP("0.0.0.0")},
 		"localhost":   {net.ParseIP("127.0.0.1"), net.ParseIP("::1")},
 		"example.com": {net.ParseIP("42.42.42.42")},
+		"other.com":   {net.ParseIP("43.43.43.43")},
 	}
 )
 
@@ -108,11 +110,7 @@ func init() {
 	r.HandleFunc("/v2/version", handlerGetPing).Methods("GET")
 
 	testHTTPServer = httptest.NewServer(handlerAccessLog(r))
-	URL, err := url.Parse(testHTTPServer.URL)
+	testHTTPSServer = httptest.NewTLSServer(handlerAccessLog(r))
-	if err != nil {
-		panic(err)
-	}
-	insecureRegistries = []string{URL.Host}
 
 	// override net.LookupIP
 	lookupIP = func(host string) ([]net.IP, error) {
@@ -146,6 +144,52 @@ func makeURL(req string) string {
 	return testHTTPServer.URL + req
 }
 
+func makeHttpsURL(req string) string {
+	return testHTTPSServer.URL + req
+}
+
+func makeIndex(req string) *IndexInfo {
+	index := &IndexInfo{
+		Name: makeURL(req),
+	}
+	return index
+}
+
+func makeHttpsIndex(req string) *IndexInfo {
+	index := &IndexInfo{
+		Name: makeHttpsURL(req),
+	}
+	return index
+}
+
+func makePublicIndex() *IndexInfo {
+	index := &IndexInfo{
+		Name:     IndexServerAddress(),
+		Secure:   true,
+		Official: true,
+	}
+	return index
+}
+
+func makeServiceConfig(mirrors []string, insecure_registries []string) *ServiceConfig {
+	options := &Options{
+		Mirrors:            opts.NewListOpts(nil),
+		InsecureRegistries: opts.NewListOpts(nil),
+	}
+	if mirrors != nil {
+		for _, mirror := range mirrors {
+			options.Mirrors.Set(mirror)
+		}
+	}
+	if insecure_registries != nil {
+		for _, insecure_registries := range insecure_registries {
+			options.InsecureRegistries.Set(insecure_registries)
+		}
+	}
+
+	return NewServiceConfig(options)
+}
+
 func writeHeaders(w http.ResponseWriter) {
 	h := w.Header()
 	h.Add("Server", "docker-tests/mock")
@@ -193,6 +237,40 @@ func assertEqual(t *testing.T, a interface{}, b interface{}, message string) {
 	t.Fatal(message)
 }
 
+func assertNotEqual(t *testing.T, a interface{}, b interface{}, message string) {
+	if a != b {
+		return
+	}
+	if len(message) == 0 {
+		message = fmt.Sprintf("%v == %v", a, b)
+	}
+	t.Fatal(message)
+}
+
+// Similar to assertEqual, but does not stop test
+func checkEqual(t *testing.T, a interface{}, b interface{}, messagePrefix string) {
+	if a == b {
+		return
+	}
+	message := fmt.Sprintf("%v != %v", a, b)
+	if len(messagePrefix) != 0 {
+		message = messagePrefix + ": " + message
+	}
+	t.Error(message)
+}
+
+// Similar to assertNotEqual, but does not stop test
+func checkNotEqual(t *testing.T, a interface{}, b interface{}, messagePrefix string) {
+	if a != b {
+		return
+	}
+	message := fmt.Sprintf("%v == %v", a, b)
+	if len(messagePrefix) != 0 {
+		message = messagePrefix + ": " + message
+	}
+	t.Error(message)
+}
+
 func requiresAuth(w http.ResponseWriter, r *http.Request) bool {
 	writeCookie := func() {
 		value := fmt.Sprintf("FAKE-SESSION-%d", time.Now().UnixNano())
@@ -271,6 +349,7 @@ func handlerGetDeleteTags(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 	repositoryName := mux.Vars(r)["repository"]
+	repositoryName = NormalizeLocalName(repositoryName)
 	tags, exists := testRepositories[repositoryName]
 	if !exists {
 		apiError(w, "Repository not found", 404)
@@ -290,6 +369,7 @@ func handlerGetTag(w http.ResponseWriter, r *http.Request) {
 	}
 	vars := mux.Vars(r)
 	repositoryName := vars["repository"]
+	repositoryName = NormalizeLocalName(repositoryName)
 	tagName := vars["tag"]
 	tags, exists := testRepositories[repositoryName]
 	if !exists {
@@ -310,6 +390,7 @@ func handlerPutTag(w http.ResponseWriter, r *http.Request) {
 	}
 	vars := mux.Vars(r)
 	repositoryName := vars["repository"]
+	repositoryName = NormalizeLocalName(repositoryName)
 	tagName := vars["tag"]
 	tags, exists := testRepositories[repositoryName]
 	if !exists {

docs/registry_test.go

@@ -21,7 +21,7 @@ const (
 
 func spawnTestRegistrySession(t *testing.T) *Session {
 	authConfig := &AuthConfig{}
-	endpoint, err := NewEndpoint(makeURL("/v1/"), insecureRegistries)
+	endpoint, err := NewEndpoint(makeIndex("/v1/"))
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -32,16 +32,139 @@ func spawnTestRegistrySession(t *testing.T) *Session {
 	return r
 }
 
+func TestPublicSession(t *testing.T) {
+	authConfig := &AuthConfig{}
+
+	getSessionDecorators := func(index *IndexInfo) int {
+		endpoint, err := NewEndpoint(index)
+		if err != nil {
+			t.Fatal(err)
+		}
+		r, err := NewSession(authConfig, utils.NewHTTPRequestFactory(), endpoint, true)
+		if err != nil {
+			t.Fatal(err)
+		}
+		return len(r.reqFactory.GetDecorators())
+	}
+
+	decorators := getSessionDecorators(makeIndex("/v1/"))
+	assertEqual(t, decorators, 0, "Expected no decorator on http session")
+
+	decorators = getSessionDecorators(makeHttpsIndex("/v1/"))
+	assertNotEqual(t, decorators, 0, "Expected decorator on https session")
+
+	decorators = getSessionDecorators(makePublicIndex())
+	assertEqual(t, decorators, 0, "Expected no decorator on public session")
+}
+
 func TestPingRegistryEndpoint(t *testing.T) {
-	ep, err := NewEndpoint(makeURL("/v1/"), insecureRegistries)
+	testPing := func(index *IndexInfo, expectedStandalone bool, assertMessage string) {
-	if err != nil {
+		ep, err := NewEndpoint(index)
-		t.Fatal(err)
+		if err != nil {
+			t.Fatal(err)
+		}
+		regInfo, err := ep.Ping()
+		if err != nil {
+			t.Fatal(err)
+		}
+
+		assertEqual(t, regInfo.Standalone, expectedStandalone, assertMessage)
 	}
-	regInfo, err := ep.Ping()
+
-	if err != nil {
+	testPing(makeIndex("/v1/"), true, "Expected standalone to be true (default)")
-		t.Fatal(err)
+	testPing(makeHttpsIndex("/v1/"), true, "Expected standalone to be true (default)")
+	testPing(makePublicIndex(), false, "Expected standalone to be false for public index")
+}
+
+func TestEndpoint(t *testing.T) {
+	// Simple wrapper to fail test if err != nil
+	expandEndpoint := func(index *IndexInfo) *Endpoint {
+		endpoint, err := NewEndpoint(index)
+		if err != nil {
+			t.Fatal(err)
+		}
+		return endpoint
+	}
+
+	assertInsecureIndex := func(index *IndexInfo) {
+		index.Secure = true
+		_, err := NewEndpoint(index)
+		assertNotEqual(t, err, nil, index.Name+": Expected error for insecure index")
+		assertEqual(t, strings.Contains(err.Error(), "insecure-registry"), true, index.Name+": Expected insecure-registry  error for insecure index")
+		index.Secure = false
+	}
+
+	assertSecureIndex := func(index *IndexInfo) {
+		index.Secure = true
+		_, err := NewEndpoint(index)
+		assertNotEqual(t, err, nil, index.Name+": Expected cert error for secure index")
+		assertEqual(t, strings.Contains(err.Error(), "certificate signed by unknown authority"), true, index.Name+": Expected cert error for secure index")
+		index.Secure = false
+	}
+
+	index := &IndexInfo{}
+	index.Name = makeURL("/v1/")
+	endpoint := expandEndpoint(index)
+	assertEqual(t, endpoint.String(), index.Name, "Expected endpoint to be "+index.Name)
+	if endpoint.Version != APIVersion1 {
+		t.Fatal("Expected endpoint to be v1")
+	}
+	assertInsecureIndex(index)
+
+	index.Name = makeURL("")
+	endpoint = expandEndpoint(index)
+	assertEqual(t, endpoint.String(), index.Name+"/v1/", index.Name+": Expected endpoint to be "+index.Name+"/v1/")
+	if endpoint.Version != APIVersion1 {
+		t.Fatal("Expected endpoint to be v1")
+	}
+	assertInsecureIndex(index)
+
+	httpURL := makeURL("")
+	index.Name = strings.SplitN(httpURL, "://", 2)[1]
+	endpoint = expandEndpoint(index)
+	assertEqual(t, endpoint.String(), httpURL+"/v1/", index.Name+": Expected endpoint to be "+httpURL+"/v1/")
+	if endpoint.Version != APIVersion1 {
+		t.Fatal("Expected endpoint to be v1")
+	}
+	assertInsecureIndex(index)
+
+	index.Name = makeHttpsURL("/v1/")
+	endpoint = expandEndpoint(index)
+	assertEqual(t, endpoint.String(), index.Name, "Expected endpoint to be "+index.Name)
+	if endpoint.Version != APIVersion1 {
+		t.Fatal("Expected endpoint to be v1")
+	}
+	assertSecureIndex(index)
+
+	index.Name = makeHttpsURL("")
+	endpoint = expandEndpoint(index)
+	assertEqual(t, endpoint.String(), index.Name+"/v1/", index.Name+": Expected endpoint to be "+index.Name+"/v1/")
+	if endpoint.Version != APIVersion1 {
+		t.Fatal("Expected endpoint to be v1")
+	}
+	assertSecureIndex(index)
+
+	httpsURL := makeHttpsURL("")
+	index.Name = strings.SplitN(httpsURL, "://", 2)[1]
+	endpoint = expandEndpoint(index)
+	assertEqual(t, endpoint.String(), httpsURL+"/v1/", index.Name+": Expected endpoint to be "+httpsURL+"/v1/")
+	if endpoint.Version != APIVersion1 {
+		t.Fatal("Expected endpoint to be v1")
+	}
+	assertSecureIndex(index)
+
+	badEndpoints := []string{
+		"http://127.0.0.1/v1/",
+		"https://127.0.0.1/v1/",
+		"http://127.0.0.1",
+		"https://127.0.0.1",
+		"127.0.0.1",
+	}
+	for _, address := range badEndpoints {
+		index.Name = address
+		_, err := NewEndpoint(index)
+		checkNotEqual(t, err, nil, "Expected error while expanding bad endpoint")
 	}
-	assertEqual(t, regInfo.Standalone, true, "Expected standalone to be true (default)")
 }
 
 func TestGetRemoteHistory(t *testing.T) {
@@ -156,30 +279,413 @@ func TestPushImageLayerRegistry(t *testing.T) {
 	}
 }
 
-func TestResolveRepositoryName(t *testing.T) {
+func TestValidateRepositoryName(t *testing.T) {
-	_, _, err := ResolveRepositoryName("https://github.com/docker/docker")
+	validRepoNames := []string{
-	assertEqual(t, err, ErrInvalidRepositoryName, "Expected error invalid repo name")
+		"docker/docker",
-	ep, repo, err := ResolveRepositoryName("fooo/bar")
+		"library/debian",
-	if err != nil {
+		"debian",
-		t.Fatal(err)
+		"docker.io/docker/docker",
+		"docker.io/library/debian",
+		"docker.io/debian",
+		"index.docker.io/docker/docker",
+		"index.docker.io/library/debian",
+		"index.docker.io/debian",
+		"127.0.0.1:5000/docker/docker",
+		"127.0.0.1:5000/library/debian",
+		"127.0.0.1:5000/debian",
+		"thisisthesongthatneverendsitgoesonandonandonthisisthesongthatnev",
+	}
+	invalidRepoNames := []string{
+		"https://github.com/docker/docker",
+		"docker/Docker",
+		"docker///docker",
+		"docker.io/docker/Docker",
+		"docker.io/docker///docker",
+		"1a3f5e7d9c1b3a5f7e9d1c3b5a7f9e1d3c5b7a9f1e3d5d7c9b1a3f5e7d9c1b3a",
+		"docker.io/1a3f5e7d9c1b3a5f7e9d1c3b5a7f9e1d3c5b7a9f1e3d5d7c9b1a3f5e7d9c1b3a",
 	}
-	assertEqual(t, ep, IndexServerAddress(), "Expected endpoint to be index server address")
-	assertEqual(t, repo, "fooo/bar", "Expected resolved repo to be foo/bar")
 
-	u := makeURL("")[7:]
+	for _, name := range invalidRepoNames {
-	ep, repo, err = ResolveRepositoryName(u + "/private/moonbase")
+		err := ValidateRepositoryName(name)
-	if err != nil {
+		assertNotEqual(t, err, nil, "Expected invalid repo name: "+name)
-		t.Fatal(err)
 	}
-	assertEqual(t, ep, u, "Expected endpoint to be "+u)
-	assertEqual(t, repo, "private/moonbase", "Expected endpoint to be private/moonbase")
 
-	ep, repo, err = ResolveRepositoryName("ubuntu-12.04-base")
+	for _, name := range validRepoNames {
-	if err != nil {
+		err := ValidateRepositoryName(name)
-		t.Fatal(err)
+		assertEqual(t, err, nil, "Expected valid repo name: "+name)
 	}
-	assertEqual(t, ep, IndexServerAddress(), "Expected endpoint to be "+IndexServerAddress())
+
-	assertEqual(t, repo, "ubuntu-12.04-base", "Expected endpoint to be ubuntu-12.04-base")
+	err := ValidateRepositoryName(invalidRepoNames[0])
+	assertEqual(t, err, ErrInvalidRepositoryName, "Expected ErrInvalidRepositoryName: "+invalidRepoNames[0])
+}
+
+func TestParseRepositoryInfo(t *testing.T) {
+	expectedRepoInfos := map[string]RepositoryInfo{
+		"fooo/bar": {
+			Index: &IndexInfo{
+				Name:     IndexServerName(),
+				Official: true,
+			},
+			RemoteName:    "fooo/bar",
+			LocalName:     "fooo/bar",
+			CanonicalName: "fooo/bar",
+			Official:      false,
+		},
+		"library/ubuntu": {
+			Index: &IndexInfo{
+				Name:     IndexServerName(),
+				Official: true,
+			},
+			RemoteName:    "library/ubuntu",
+			LocalName:     "ubuntu",
+			CanonicalName: "ubuntu",
+			Official:      true,
+		},
+		"nonlibrary/ubuntu": {
+			Index: &IndexInfo{
+				Name:     IndexServerName(),
+				Official: true,
+			},
+			RemoteName:    "nonlibrary/ubuntu",
+			LocalName:     "nonlibrary/ubuntu",
+			CanonicalName: "nonlibrary/ubuntu",
+			Official:      false,
+		},
+		"ubuntu": {
+			Index: &IndexInfo{
+				Name:     IndexServerName(),
+				Official: true,
+			},
+			RemoteName:    "library/ubuntu",
+			LocalName:     "ubuntu",
+			CanonicalName: "ubuntu",
+			Official:      true,
+		},
+		"other/library": {
+			Index: &IndexInfo{
+				Name:     IndexServerName(),
+				Official: true,
+			},
+			RemoteName:    "other/library",
+			LocalName:     "other/library",
+			CanonicalName: "other/library",
+			Official:      false,
+		},
+		"127.0.0.1:8000/private/moonbase": {
+			Index: &IndexInfo{
+				Name:     "127.0.0.1:8000",
+				Official: false,
+			},
+			RemoteName:    "private/moonbase",
+			LocalName:     "127.0.0.1:8000/private/moonbase",
+			CanonicalName: "127.0.0.1:8000/private/moonbase",
+			Official:      false,
+		},
+		"127.0.0.1:8000/privatebase": {
+			Index: &IndexInfo{
+				Name:     "127.0.0.1:8000",
+				Official: false,
+			},
+			RemoteName:    "privatebase",
+			LocalName:     "127.0.0.1:8000/privatebase",
+			CanonicalName: "127.0.0.1:8000/privatebase",
+			Official:      false,
+		},
+		"localhost:8000/private/moonbase": {
+			Index: &IndexInfo{
+				Name:     "localhost:8000",
+				Official: false,
+			},
+			RemoteName:    "private/moonbase",
+			LocalName:     "localhost:8000/private/moonbase",
+			CanonicalName: "localhost:8000/private/moonbase",
+			Official:      false,
+		},
+		"localhost:8000/privatebase": {
+			Index: &IndexInfo{
+				Name:     "localhost:8000",
+				Official: false,
+			},
+			RemoteName:    "privatebase",
+			LocalName:     "localhost:8000/privatebase",
+			CanonicalName: "localhost:8000/privatebase",
+			Official:      false,
+		},
+		"example.com/private/moonbase": {
+			Index: &IndexInfo{
+				Name:     "example.com",
+				Official: false,
+			},
+			RemoteName:    "private/moonbase",
+			LocalName:     "example.com/private/moonbase",
+			CanonicalName: "example.com/private/moonbase",
+			Official:      false,
+		},
+		"example.com/privatebase": {
+			Index: &IndexInfo{
+				Name:     "example.com",
+				Official: false,
+			},
+			RemoteName:    "privatebase",
+			LocalName:     "example.com/privatebase",
+			CanonicalName: "example.com/privatebase",
+			Official:      false,
+		},
+		"example.com:8000/private/moonbase": {
+			Index: &IndexInfo{
+				Name:     "example.com:8000",
+				Official: false,
+			},
+			RemoteName:    "private/moonbase",
+			LocalName:     "example.com:8000/private/moonbase",
+			CanonicalName: "example.com:8000/private/moonbase",
+			Official:      false,
+		},
+		"example.com:8000/privatebase": {
+			Index: &IndexInfo{
+				Name:     "example.com:8000",
+				Official: false,
+			},
+			RemoteName:    "privatebase",
+			LocalName:     "example.com:8000/privatebase",
+			CanonicalName: "example.com:8000/privatebase",
+			Official:      false,
+		},
+		"localhost/private/moonbase": {
+			Index: &IndexInfo{
+				Name:     "localhost",
+				Official: false,
+			},
+			RemoteName:    "private/moonbase",
+			LocalName:     "localhost/private/moonbase",
+			CanonicalName: "localhost/private/moonbase",
+			Official:      false,
+		},
+		"localhost/privatebase": {
+			Index: &IndexInfo{
+				Name:     "localhost",
+				Official: false,
+			},
+			RemoteName:    "privatebase",
+			LocalName:     "localhost/privatebase",
+			CanonicalName: "localhost/privatebase",
+			Official:      false,
+		},
+		IndexServerName() + "/public/moonbase": {
+			Index: &IndexInfo{
+				Name:     IndexServerName(),
+				Official: true,
+			},
+			RemoteName:    "public/moonbase",
+			LocalName:     "public/moonbase",
+			CanonicalName: "public/moonbase",
+			Official:      false,
+		},
+		"index." + IndexServerName() + "/public/moonbase": {
+			Index: &IndexInfo{
+				Name:     IndexServerName(),
+				Official: true,
+			},
+			RemoteName:    "public/moonbase",
+			LocalName:     "public/moonbase",
+			CanonicalName: "public/moonbase",
+			Official:      false,
+		},
+		IndexServerName() + "/public/moonbase": {
+			Index: &IndexInfo{
+				Name:     IndexServerName(),
+				Official: true,
+			},
+			RemoteName:    "public/moonbase",
+			LocalName:     "public/moonbase",
+			CanonicalName: "public/moonbase",
+			Official:      false,
+		},
+		"ubuntu-12.04-base": {
+			Index: &IndexInfo{
+				Name:     IndexServerName(),
+				Official: true,
+			},
+			RemoteName:    "library/ubuntu-12.04-base",
+			LocalName:     "ubuntu-12.04-base",
+			CanonicalName: "ubuntu-12.04-base",
+			Official:      true,
+		},
+		IndexServerName() + "/ubuntu-12.04-base": {
+			Index: &IndexInfo{
+				Name:     IndexServerName(),
+				Official: true,
+			},
+			RemoteName:    "library/ubuntu-12.04-base",
+			LocalName:     "ubuntu-12.04-base",
+			CanonicalName: "ubuntu-12.04-base",
+			Official:      true,
+		},
+		IndexServerName() + "/ubuntu-12.04-base": {
+			Index: &IndexInfo{
+				Name:     IndexServerName(),
+				Official: true,
+			},
+			RemoteName:    "library/ubuntu-12.04-base",
+			LocalName:     "ubuntu-12.04-base",
+			CanonicalName: "ubuntu-12.04-base",
+			Official:      true,
+		},
+		"index." + IndexServerName() + "/ubuntu-12.04-base": {
+			Index: &IndexInfo{
+				Name:     IndexServerName(),
+				Official: true,
+			},
+			RemoteName:    "library/ubuntu-12.04-base",
+			LocalName:     "ubuntu-12.04-base",
+			CanonicalName: "ubuntu-12.04-base",
+			Official:      true,
+		},
+	}
+
+	for reposName, expectedRepoInfo := range expectedRepoInfos {
+		repoInfo, err := ParseRepositoryInfo(reposName)
+		if err != nil {
+			t.Error(err)
+		} else {
+			checkEqual(t, repoInfo.Index.Name, expectedRepoInfo.Index.Name, reposName)
+			checkEqual(t, repoInfo.RemoteName, expectedRepoInfo.RemoteName, reposName)
+			checkEqual(t, repoInfo.LocalName, expectedRepoInfo.LocalName, reposName)
+			checkEqual(t, repoInfo.CanonicalName, expectedRepoInfo.CanonicalName, reposName)
+			checkEqual(t, repoInfo.Index.Official, expectedRepoInfo.Index.Official, reposName)
+			checkEqual(t, repoInfo.Official, expectedRepoInfo.Official, reposName)
+		}
+	}
+}
+
+func TestNewIndexInfo(t *testing.T) {
+	testIndexInfo := func(config *ServiceConfig, expectedIndexInfos map[string]*IndexInfo) {
+		for indexName, expectedIndexInfo := range expectedIndexInfos {
+			index, err := NewIndexInfo(config, indexName)
+			if err != nil {
+				t.Fatal(err)
+			} else {
+				checkEqual(t, index.Name, expectedIndexInfo.Name, indexName+" name")
+				checkEqual(t, index.Official, expectedIndexInfo.Official, indexName+" is official")
+				checkEqual(t, index.Secure, expectedIndexInfo.Secure, indexName+" is secure")
+				checkEqual(t, len(index.Mirrors), len(expectedIndexInfo.Mirrors), indexName+" mirrors")
+			}
+		}
+	}
+
+	config := NewServiceConfig(nil)
+	noMirrors := make([]string, 0)
+	expectedIndexInfos := map[string]*IndexInfo{
+		IndexServerName(): {
+			Name:     IndexServerName(),
+			Official: true,
+			Secure:   true,
+			Mirrors:  noMirrors,
+		},
+		"index." + IndexServerName(): {
+			Name:     IndexServerName(),
+			Official: true,
+			Secure:   true,
+			Mirrors:  noMirrors,
+		},
+		"example.com": {
+			Name:     "example.com",
+			Official: false,
+			Secure:   true,
+			Mirrors:  noMirrors,
+		},
+		"127.0.0.1:5000": {
+			Name:     "127.0.0.1:5000",
+			Official: false,
+			Secure:   false,
+			Mirrors:  noMirrors,
+		},
+	}
+	testIndexInfo(config, expectedIndexInfos)
+
+	publicMirrors := []string{"http://mirror1.local", "http://mirror2.local"}
+	config = makeServiceConfig(publicMirrors, []string{"example.com"})
+
+	expectedIndexInfos = map[string]*IndexInfo{
+		IndexServerName(): {
+			Name:     IndexServerName(),
+			Official: true,
+			Secure:   true,
+			Mirrors:  publicMirrors,
+		},
+		"index." + IndexServerName(): {
+			Name:     IndexServerName(),
+			Official: true,
+			Secure:   true,
+			Mirrors:  publicMirrors,
+		},
+		"example.com": {
+			Name:     "example.com",
+			Official: false,
+			Secure:   false,
+			Mirrors:  noMirrors,
+		},
+		"example.com:5000": {
+			Name:     "example.com:5000",
+			Official: false,
+			Secure:   true,
+			Mirrors:  noMirrors,
+		},
+		"127.0.0.1": {
+			Name:     "127.0.0.1",
+			Official: false,
+			Secure:   false,
+			Mirrors:  noMirrors,
+		},
+		"127.0.0.1:5000": {
+			Name:     "127.0.0.1:5000",
+			Official: false,
+			Secure:   false,
+			Mirrors:  noMirrors,
+		},
+		"other.com": {
+			Name:     "other.com",
+			Official: false,
+			Secure:   true,
+			Mirrors:  noMirrors,
+		},
+	}
+	testIndexInfo(config, expectedIndexInfos)
+
+	config = makeServiceConfig(nil, []string{"42.42.0.0/16"})
+	expectedIndexInfos = map[string]*IndexInfo{
+		"example.com": {
+			Name:     "example.com",
+			Official: false,
+			Secure:   false,
+			Mirrors:  noMirrors,
+		},
+		"example.com:5000": {
+			Name:     "example.com:5000",
+			Official: false,
+			Secure:   false,
+			Mirrors:  noMirrors,
+		},
+		"127.0.0.1": {
+			Name:     "127.0.0.1",
+			Official: false,
+			Secure:   false,
+			Mirrors:  noMirrors,
+		},
+		"127.0.0.1:5000": {
+			Name:     "127.0.0.1:5000",
+			Official: false,
+			Secure:   false,
+			Mirrors:  noMirrors,
+		},
+		"other.com": {
+			Name:     "other.com",
+			Official: false,
+			Secure:   true,
+			Mirrors:  noMirrors,
+		},
+	}
+	testIndexInfo(config, expectedIndexInfos)
 }
 
 func TestPushRegistryTag(t *testing.T) {
@@ -232,7 +738,7 @@ func TestSearchRepositories(t *testing.T) {
 	assertEqual(t, results.Results[0].StarCount, 42, "Expected 'fakeimage' a ot hae 42 stars")
 }
 
-func TestValidRepositoryName(t *testing.T) {
+func TestValidRemoteName(t *testing.T) {
 	validRepositoryNames := []string{
 		// Sanity check.
 		"docker/docker",
@@ -247,7 +753,7 @@ func TestValidRepositoryName(t *testing.T) {
 		"____/____",
 	}
 	for _, repositoryName := range validRepositoryNames {
-		if err := validateRepositoryName(repositoryName); err != nil {
+		if err := validateRemoteName(repositoryName); err != nil {
 			t.Errorf("Repository name should be valid: %v. Error: %v", repositoryName, err)
 		}
 	}
@@ -277,7 +783,7 @@ func TestValidRepositoryName(t *testing.T) {
 		"docker/",
 	}
 	for _, repositoryName := range invalidRepositoryNames {
-		if err := validateRepositoryName(repositoryName); err == nil {
+		if err := validateRemoteName(repositoryName); err == nil {
 			t.Errorf("Repository name should be invalid: %v", repositoryName)
 		}
 	}
@@ -350,13 +856,13 @@ func TestAddRequiredHeadersToRedirectedRequests(t *testing.T) {
 	}
 }
 
-func TestIsSecure(t *testing.T) {
+func TestIsSecureIndex(t *testing.T) {
 	tests := []struct {
 		addr               string
 		insecureRegistries []string
 		expected           bool
 	}{
-		{IndexServerURL.Host, nil, true},
+		{IndexServerName(), nil, true},
 		{"example.com", []string{}, true},
 		{"example.com", []string{"example.com"}, false},
 		{"localhost", []string{"localhost:5000"}, false},
@@ -383,10 +889,9 @@ func TestIsSecure(t *testing.T) {
 		{"invalid.domain.com:5000", []string{"invalid.domain.com:5000"}, false},
 	}
 	for _, tt := range tests {
-		// TODO: remove this once we remove localhost insecure by default
+		config := makeServiceConfig(nil, tt.insecureRegistries)
-		insecureRegistries := append(tt.insecureRegistries, "127.0.0.0/8")
+		if sec := config.isSecureIndex(tt.addr); sec != tt.expected {
-		if sec, err := isSecure(tt.addr, insecureRegistries); err != nil || sec != tt.expected {
+			t.Errorf("isSecureIndex failed for %q %v, expected %v got %v", tt.addr, tt.insecureRegistries, tt.expected, sec)
-			t.Fatalf("isSecure failed for %q %v, expected %v got %v. Error: %v", tt.addr, insecureRegistries, tt.expected, sec, err)
 		}
 	}
 }

docs/service.go

@@ -13,14 +13,14 @@ import (
 //  'pull': Download images from any registry (TODO)
 //  'push': Upload images to any registry (TODO)
 type Service struct {
-	insecureRegistries []string
+	Config *ServiceConfig
 }
 
 // NewService returns a new instance of Service ready to be
 // installed no an engine.
-func NewService(insecureRegistries []string) *Service {
+func NewService(options *Options) *Service {
 	return &Service{
-		insecureRegistries: insecureRegistries,
+		Config: NewServiceConfig(options),
 	}
 }
 
@@ -28,6 +28,9 @@ func NewService(insecureRegistries []string) *Service {
 func (s *Service) Install(eng *engine.Engine) error {
 	eng.Register("auth", s.Auth)
 	eng.Register("search", s.Search)
+	eng.Register("resolve_repository", s.ResolveRepository)
+	eng.Register("resolve_index", s.ResolveIndex)
+	eng.Register("registry_config", s.GetRegistryConfig)
 	return nil
 }
 
@@ -39,15 +42,18 @@ func (s *Service) Auth(job *engine.Job) engine.Status {
 
 	job.GetenvJson("authConfig", authConfig)
 
-	if addr := authConfig.ServerAddress; addr != "" && addr != IndexServerAddress() {
+	if authConfig.ServerAddress != "" {
-		endpoint, err := NewEndpoint(addr, s.insecureRegistries)
+		index, err := ResolveIndexInfo(job, authConfig.ServerAddress)
 		if err != nil {
 			return job.Error(err)
 		}
-		if _, err := endpoint.Ping(); err != nil {
+		if !index.Official {
-			return job.Error(err)
+			endpoint, err := NewEndpoint(index)
+			if err != nil {
+				return job.Error(err)
+			}
+			authConfig.ServerAddress = endpoint.String()
 		}
-		authConfig.ServerAddress = endpoint.String()
 	}
 
 	status, err := Login(authConfig, HTTPRequestFactory(nil))
@@ -87,12 +93,12 @@ func (s *Service) Search(job *engine.Job) engine.Status {
 	job.GetenvJson("authConfig", authConfig)
 	job.GetenvJson("metaHeaders", metaHeaders)
 
-	hostname, term, err := ResolveRepositoryName(term)
+	repoInfo, err := ResolveRepositoryInfo(job, term)
 	if err != nil {
 		return job.Error(err)
 	}
-
+	// *TODO: Search multiple indexes.
-	endpoint, err := NewEndpoint(hostname, s.insecureRegistries)
+	endpoint, err := repoInfo.GetEndpoint()
 	if err != nil {
 		return job.Error(err)
 	}
@@ -100,7 +106,7 @@ func (s *Service) Search(job *engine.Job) engine.Status {
 	if err != nil {
 		return job.Error(err)
 	}
-	results, err := r.SearchRepositories(term)
+	results, err := r.SearchRepositories(repoInfo.GetSearchTerm())
 	if err != nil {
 		return job.Error(err)
 	}
@@ -116,3 +122,92 @@ func (s *Service) Search(job *engine.Job) engine.Status {
 	}
 	return engine.StatusOK
 }
+
+// ResolveRepository splits a repository name into its components
+// and configuration of the associated registry.
+func (s *Service) ResolveRepository(job *engine.Job) engine.Status {
+	var (
+		reposName = job.Args[0]
+	)
+
+	repoInfo, err := NewRepositoryInfo(s.Config, reposName)
+	if err != nil {
+		return job.Error(err)
+	}
+
+	out := engine.Env{}
+	err = out.SetJson("repository", repoInfo)
+	if err != nil {
+		return job.Error(err)
+	}
+	out.WriteTo(job.Stdout)
+
+	return engine.StatusOK
+}
+
+// Convenience wrapper for calling resolve_repository Job from a running job.
+func ResolveRepositoryInfo(jobContext *engine.Job, reposName string) (*RepositoryInfo, error) {
+	job := jobContext.Eng.Job("resolve_repository", reposName)
+	env, err := job.Stdout.AddEnv()
+	if err != nil {
+		return nil, err
+	}
+	if err := job.Run(); err != nil {
+		return nil, err
+	}
+	info := RepositoryInfo{}
+	if err := env.GetJson("repository", &info); err != nil {
+		return nil, err
+	}
+	return &info, nil
+}
+
+// ResolveIndex takes indexName and returns index info
+func (s *Service) ResolveIndex(job *engine.Job) engine.Status {
+	var (
+		indexName = job.Args[0]
+	)
+
+	index, err := NewIndexInfo(s.Config, indexName)
+	if err != nil {
+		return job.Error(err)
+	}
+
+	out := engine.Env{}
+	err = out.SetJson("index", index)
+	if err != nil {
+		return job.Error(err)
+	}
+	out.WriteTo(job.Stdout)
+
+	return engine.StatusOK
+}
+
+// Convenience wrapper for calling resolve_index Job from a running job.
+func ResolveIndexInfo(jobContext *engine.Job, indexName string) (*IndexInfo, error) {
+	job := jobContext.Eng.Job("resolve_index", indexName)
+	env, err := job.Stdout.AddEnv()
+	if err != nil {
+		return nil, err
+	}
+	if err := job.Run(); err != nil {
+		return nil, err
+	}
+	info := IndexInfo{}
+	if err := env.GetJson("index", &info); err != nil {
+		return nil, err
+	}
+	return &info, nil
+}
+
+// GetRegistryConfig returns current registry configuration.
+func (s *Service) GetRegistryConfig(job *engine.Job) engine.Status {
+	out := engine.Env{}
+	err := out.SetJson("config", s.Config)
+	if err != nil {
+		return job.Error(err)
+	}
+	out.WriteTo(job.Stdout)
+
+	return engine.StatusOK
+}

docs/types.go

@@ -65,3 +65,44 @@ const (
 	APIVersion1 = iota + 1
 	APIVersion2
 )
+
+// RepositoryInfo Examples:
+// {
+//   "Index" : {
+//     "Name" : "docker.io",
+//     "Mirrors" : ["https://registry-2.docker.io/v1/", "https://registry-3.docker.io/v1/"],
+//     "Secure" : true,
+//     "Official" : true,
+//   },
+//   "RemoteName" : "library/debian",
+//   "LocalName" : "debian",
+//   "CanonicalName" : "docker.io/debian"
+//   "Official" : true,
+// }
+
+// {
+//   "Index" : {
+//     "Name" : "127.0.0.1:5000",
+//     "Mirrors" : [],
+//     "Secure" : false,
+//     "Official" : false,
+//   },
+//   "RemoteName" : "user/repo",
+//   "LocalName" : "127.0.0.1:5000/user/repo",
+//   "CanonicalName" : "127.0.0.1:5000/user/repo",
+//   "Official" : false,
+// }
+type IndexInfo struct {
+	Name     string
+	Mirrors  []string
+	Secure   bool
+	Official bool
+}
+
+type RepositoryInfo struct {
+	Index         *IndexInfo
+	RemoteName    string
+	LocalName     string
+	CanonicalName string
+	Official      bool
+}