Initial import of https://github.com/docker/cs-docker

docs/auth.go

@@ -0,0 +1,255 @@
+package registry
+
+import (
+	"encoding/json"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"strings"
+
+	"github.com/Sirupsen/logrus"
+	"github.com/docker/docker/cliconfig"
+)
+
+// Login tries to register/login to the registry server.
+func Login(authConfig *cliconfig.AuthConfig, registryEndpoint *Endpoint) (string, error) {
+	// Separates the v2 registry login logic from the v1 logic.
+	if registryEndpoint.Version == APIVersion2 {
+		return loginV2(authConfig, registryEndpoint, "" /* scope */)
+	}
+	return loginV1(authConfig, registryEndpoint)
+}
+
+// loginV1 tries to register/login to the v1 registry server.
+func loginV1(authConfig *cliconfig.AuthConfig, registryEndpoint *Endpoint) (string, error) {
+	var (
+		status        string
+		reqBody       []byte
+		err           error
+		reqStatusCode = 0
+		serverAddress = authConfig.ServerAddress
+	)
+
+	logrus.Debugf("attempting v1 login to registry endpoint %s", registryEndpoint)
+
+	if serverAddress == "" {
+		return "", fmt.Errorf("Server Error: Server Address not set.")
+	}
+
+	loginAgainstOfficialIndex := serverAddress == IndexServer
+
+	// to avoid sending the server address to the server it should be removed before being marshalled
+	authCopy := *authConfig
+	authCopy.ServerAddress = ""
+
+	jsonBody, err := json.Marshal(authCopy)
+	if err != nil {
+		return "", fmt.Errorf("Config Error: %s", err)
+	}
+
+	// using `bytes.NewReader(jsonBody)` here causes the server to respond with a 411 status.
+	b := strings.NewReader(string(jsonBody))
+	req1, err := registryEndpoint.client.Post(serverAddress+"users/", "application/json; charset=utf-8", b)
+	if err != nil {
+		return "", fmt.Errorf("Server Error: %s", err)
+	}
+	reqStatusCode = req1.StatusCode
+	defer req1.Body.Close()
+	reqBody, err = ioutil.ReadAll(req1.Body)
+	if err != nil {
+		return "", fmt.Errorf("Server Error: [%#v] %s", reqStatusCode, err)
+	}
+
+	if reqStatusCode == 201 {
+		if loginAgainstOfficialIndex {
+			status = "Account created. Please use the confirmation link we sent" +
+				" to your e-mail to activate it."
+		} else {
+			// *TODO: Use registry configuration to determine what this says, if anything?
+			status = "Account created. Please see the documentation of the registry " + serverAddress + " for instructions how to activate it."
+		}
+	} else if reqStatusCode == 400 {
+		if string(reqBody) == "\"Username or email already exists\"" {
+			req, err := http.NewRequest("GET", serverAddress+"users/", nil)
+			req.SetBasicAuth(authConfig.Username, authConfig.Password)
+			resp, err := registryEndpoint.client.Do(req)
+			if err != nil {
+				return "", err
+			}
+			defer resp.Body.Close()
+			body, err := ioutil.ReadAll(resp.Body)
+			if err != nil {
+				return "", err
+			}
+			if resp.StatusCode == 200 {
+				return "Login Succeeded", nil
+			} else if resp.StatusCode == 401 {
+				return "", fmt.Errorf("Wrong login/password, please try again")
+			} else if resp.StatusCode == 403 {
+				if loginAgainstOfficialIndex {
+					return "", fmt.Errorf("Login: Account is not Active. Please check your e-mail for a confirmation link.")
+				}
+				// *TODO: Use registry configuration to determine what this says, if anything?
+				return "", fmt.Errorf("Login: Account is not Active. Please see the documentation of the registry %s for instructions how to activate it.", serverAddress)
+			} else if resp.StatusCode == 500 { // Issue #14326
+				logrus.Errorf("%s returned status code %d. Response Body :\n%s", req.URL.String(), resp.StatusCode, body)
+				return "", fmt.Errorf("Internal Server Error")
+			}
+			return "", fmt.Errorf("Login: %s (Code: %d; Headers: %s)", body, resp.StatusCode, resp.Header)
+		}
+		return "", fmt.Errorf("Registration: %s", reqBody)
+
+	} else if reqStatusCode == 401 {
+		// This case would happen with private registries where /v1/users is
+		// protected, so people can use `docker login` as an auth check.
+		req, err := http.NewRequest("GET", serverAddress+"users/", nil)
+		req.SetBasicAuth(authConfig.Username, authConfig.Password)
+		resp, err := registryEndpoint.client.Do(req)
+		if err != nil {
+			return "", err
+		}
+		defer resp.Body.Close()
+		body, err := ioutil.ReadAll(resp.Body)
+		if err != nil {
+			return "", err
+		}
+		if resp.StatusCode == 200 {
+			return "Login Succeeded", nil
+		} else if resp.StatusCode == 401 {
+			return "", fmt.Errorf("Wrong login/password, please try again")
+		} else {
+			return "", fmt.Errorf("Login: %s (Code: %d; Headers: %s)", body,
+				resp.StatusCode, resp.Header)
+		}
+	} else {
+		return "", fmt.Errorf("Unexpected status code [%d] : %s", reqStatusCode, reqBody)
+	}
+	return status, nil
+}
+
+// loginV2 tries to login to the v2 registry server. The given registry endpoint has been
+// pinged or setup with a list of authorization challenges. Each of these challenges are
+// tried until one of them succeeds. Currently supported challenge schemes are:
+// 		HTTP Basic Authorization
+// 		Token Authorization with a separate token issuing server
+// NOTE: the v2 logic does not attempt to create a user account if one doesn't exist. For
+// now, users should create their account through other means like directly from a web page
+// served by the v2 registry service provider. Whether this will be supported in the future
+// is to be determined.
+func loginV2(authConfig *cliconfig.AuthConfig, registryEndpoint *Endpoint, scope string) (string, error) {
+	logrus.Debugf("attempting v2 login to registry endpoint %s", registryEndpoint)
+	var (
+		err       error
+		allErrors []error
+		client    = registryEndpoint.HTTPClient()
+	)
+
+	for _, challenge := range registryEndpoint.AuthChallenges {
+		params := make(map[string]string, len(challenge.Parameters)+1)
+		for k, v := range challenge.Parameters {
+			params[k] = v
+		}
+		params["scope"] = scope
+		logrus.Debugf("trying %q auth challenge with params %v", challenge.Scheme, params)
+
+		switch strings.ToLower(challenge.Scheme) {
+		case "basic":
+			err = tryV2BasicAuthLogin(authConfig, params, registryEndpoint)
+		case "bearer":
+			err = tryV2TokenAuthLogin(authConfig, params, registryEndpoint)
+		default:
+			// Unsupported challenge types are explicitly skipped.
+			err = fmt.Errorf("unsupported auth scheme: %q", challenge.Scheme)
+		}
+
+		if err == nil {
+			return "Login Succeeded", nil
+		}
+
+		logrus.Debugf("error trying auth challenge %q: %s", challenge.Scheme, err)
+
+		allErrors = append(allErrors, err)
+	}
+
+	return "", fmt.Errorf("no successful auth challenge for %s - errors: %s", registryEndpoint, allErrors)
+}
+
+func tryV2BasicAuthLogin(authConfig *cliconfig.AuthConfig, params map[string]string, registryEndpoint *Endpoint) error {
+	req, err := http.NewRequest("GET", registryEndpoint.Path(""), nil)
+	if err != nil {
+		return err
+	}
+
+	req.SetBasicAuth(authConfig.Username, authConfig.Password)
+
+	resp, err := registryEndpoint.client.Do(req)
+	if err != nil {
+		return err
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		return fmt.Errorf("basic auth attempt to %s realm %q failed with status: %d %s", registryEndpoint, params["realm"], resp.StatusCode, http.StatusText(resp.StatusCode))
+	}
+
+	return nil
+}
+
+func tryV2TokenAuthLogin(authConfig *cliconfig.AuthConfig, params map[string]string, registryEndpoint *Endpoint) error {
+	token, err := getToken(authConfig.Username, authConfig.Password, params, registryEndpoint)
+	if err != nil {
+		return err
+	}
+
+	req, err := http.NewRequest("GET", registryEndpoint.Path(""), nil)
+	if err != nil {
+		return err
+	}
+
+	req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", token))
+
+	resp, err := registryEndpoint.client.Do(req)
+	if err != nil {
+		return err
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		return fmt.Errorf("token auth attempt to %s realm %q failed with status: %d %s", registryEndpoint, params["realm"], resp.StatusCode, http.StatusText(resp.StatusCode))
+	}
+
+	return nil
+}
+
+// ResolveAuthConfig matches an auth configuration to a server address or a URL
+func ResolveAuthConfig(config *cliconfig.ConfigFile, index *IndexInfo) cliconfig.AuthConfig {
+	configKey := index.GetAuthConfigKey()
+	// First try the happy case
+	if c, found := config.AuthConfigs[configKey]; found || index.Official {
+		return c
+	}
+
+	convertToHostname := func(url string) string {
+		stripped := url
+		if strings.HasPrefix(url, "http://") {
+			stripped = strings.Replace(url, "http://", "", 1)
+		} else if strings.HasPrefix(url, "https://") {
+			stripped = strings.Replace(url, "https://", "", 1)
+		}
+
+		nameParts := strings.SplitN(stripped, "/", 2)
+
+		return nameParts[0]
+	}
+
+	// Maybe they have a legacy config file, we will iterate the keys converting
+	// them to the new format and testing
+	for registry, ac := range config.AuthConfigs {
+		if configKey == convertToHostname(registry) {
+			return ac
+		}
+	}
+
+	// When all else fails, return an empty auth config
+	return cliconfig.AuthConfig{}
+}

docs/auth_test.go

@@ -0,0 +1,173 @@
+package registry
+
+import (
+	"io/ioutil"
+	"os"
+	"path/filepath"
+	"testing"
+
+	"github.com/docker/docker/cliconfig"
+)
+
+func TestEncodeAuth(t *testing.T) {
+	newAuthConfig := &cliconfig.AuthConfig{Username: "ken", Password: "test", Email: "test@example.com"}
+	authStr := cliconfig.EncodeAuth(newAuthConfig)
+	decAuthConfig := &cliconfig.AuthConfig{}
+	var err error
+	decAuthConfig.Username, decAuthConfig.Password, err = cliconfig.DecodeAuth(authStr)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if newAuthConfig.Username != decAuthConfig.Username {
+		t.Fatal("Encode Username doesn't match decoded Username")
+	}
+	if newAuthConfig.Password != decAuthConfig.Password {
+		t.Fatal("Encode Password doesn't match decoded Password")
+	}
+	if authStr != "a2VuOnRlc3Q=" {
+		t.Fatal("AuthString encoding isn't correct.")
+	}
+}
+
+func setupTempConfigFile() (*cliconfig.ConfigFile, error) {
+	root, err := ioutil.TempDir("", "docker-test-auth")
+	if err != nil {
+		return nil, err
+	}
+	root = filepath.Join(root, cliconfig.ConfigFileName)
+	configFile := cliconfig.NewConfigFile(root)
+
+	for _, registry := range []string{"testIndex", IndexServer} {
+		configFile.AuthConfigs[registry] = cliconfig.AuthConfig{
+			Username: "docker-user",
+			Password: "docker-pass",
+			Email:    "docker@docker.io",
+		}
+	}
+
+	return configFile, nil
+}
+
+func TestSameAuthDataPostSave(t *testing.T) {
+	configFile, err := setupTempConfigFile()
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer os.RemoveAll(configFile.Filename())
+
+	err = configFile.Save()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	authConfig := configFile.AuthConfigs["testIndex"]
+	if authConfig.Username != "docker-user" {
+		t.Fail()
+	}
+	if authConfig.Password != "docker-pass" {
+		t.Fail()
+	}
+	if authConfig.Email != "docker@docker.io" {
+		t.Fail()
+	}
+	if authConfig.Auth != "" {
+		t.Fail()
+	}
+}
+
+func TestResolveAuthConfigIndexServer(t *testing.T) {
+	configFile, err := setupTempConfigFile()
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer os.RemoveAll(configFile.Filename())
+
+	indexConfig := configFile.AuthConfigs[IndexServer]
+
+	officialIndex := &IndexInfo{
+		Official: true,
+	}
+	privateIndex := &IndexInfo{
+		Official: false,
+	}
+
+	resolved := ResolveAuthConfig(configFile, officialIndex)
+	assertEqual(t, resolved, indexConfig, "Expected ResolveAuthConfig to return IndexServer")
+
+	resolved = ResolveAuthConfig(configFile, privateIndex)
+	assertNotEqual(t, resolved, indexConfig, "Expected ResolveAuthConfig to not return IndexServer")
+}
+
+func TestResolveAuthConfigFullURL(t *testing.T) {
+	configFile, err := setupTempConfigFile()
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer os.RemoveAll(configFile.Filename())
+
+	registryAuth := cliconfig.AuthConfig{
+		Username: "foo-user",
+		Password: "foo-pass",
+		Email:    "foo@example.com",
+	}
+	localAuth := cliconfig.AuthConfig{
+		Username: "bar-user",
+		Password: "bar-pass",
+		Email:    "bar@example.com",
+	}
+	officialAuth := cliconfig.AuthConfig{
+		Username: "baz-user",
+		Password: "baz-pass",
+		Email:    "baz@example.com",
+	}
+	configFile.AuthConfigs[IndexServer] = officialAuth
+
+	expectedAuths := map[string]cliconfig.AuthConfig{
+		"registry.example.com": registryAuth,
+		"localhost:8000":       localAuth,
+		"registry.com":         localAuth,
+	}
+
+	validRegistries := map[string][]string{
+		"registry.example.com": {
+			"https://registry.example.com/v1/",
+			"http://registry.example.com/v1/",
+			"registry.example.com",
+			"registry.example.com/v1/",
+		},
+		"localhost:8000": {
+			"https://localhost:8000/v1/",
+			"http://localhost:8000/v1/",
+			"localhost:8000",
+			"localhost:8000/v1/",
+		},
+		"registry.com": {
+			"https://registry.com/v1/",
+			"http://registry.com/v1/",
+			"registry.com",
+			"registry.com/v1/",
+		},
+	}
+
+	for configKey, registries := range validRegistries {
+		configured, ok := expectedAuths[configKey]
+		if !ok || configured.Email == "" {
+			t.Fail()
+		}
+		index := &IndexInfo{
+			Name: configKey,
+		}
+		for _, registry := range registries {
+			configFile.AuthConfigs[registry] = configured
+			resolved := ResolveAuthConfig(configFile, index)
+			if resolved.Email != configured.Email {
+				t.Errorf("%s -> %q != %q\n", registry, resolved.Email, configured.Email)
+			}
+			delete(configFile.AuthConfigs, registry)
+			resolved = ResolveAuthConfig(configFile, index)
+			if resolved.Email == configured.Email {
+				t.Errorf("%s -> %q == %q\n", registry, resolved.Email, configured.Email)
+			}
+		}
+	}
+}

docs/authchallenge.go

@@ -0,0 +1,150 @@
+package registry
+
+import (
+	"net/http"
+	"strings"
+)
+
+// Octet types from RFC 2616.
+type octetType byte
+
+// AuthorizationChallenge carries information
+// from a WWW-Authenticate response header.
+type AuthorizationChallenge struct {
+	Scheme     string
+	Parameters map[string]string
+}
+
+var octetTypes [256]octetType
+
+const (
+	isToken octetType = 1 << iota
+	isSpace
+)
+
+func init() {
+	// OCTET      = <any 8-bit sequence of data>
+	// CHAR       = <any US-ASCII character (octets 0 - 127)>
+	// CTL        = <any US-ASCII control character (octets 0 - 31) and DEL (127)>
+	// CR         = <US-ASCII CR, carriage return (13)>
+	// LF         = <US-ASCII LF, linefeed (10)>
+	// SP         = <US-ASCII SP, space (32)>
+	// HT         = <US-ASCII HT, horizontal-tab (9)>
+	// <">        = <US-ASCII double-quote mark (34)>
+	// CRLF       = CR LF
+	// LWS        = [CRLF] 1*( SP | HT )
+	// TEXT       = <any OCTET except CTLs, but including LWS>
+	// separators = "(" | ")" | "<" | ">" | "@" | "," | ";" | ":" | "\" | <">
+	//              | "/" | "[" | "]" | "?" | "=" | "{" | "}" | SP | HT
+	// token      = 1*<any CHAR except CTLs or separators>
+	// qdtext     = <any TEXT except <">>
+
+	for c := 0; c < 256; c++ {
+		var t octetType
+		isCtl := c <= 31 || c == 127
+		isChar := 0 <= c && c <= 127
+		isSeparator := strings.IndexRune(" \t\"(),/:;<=>?@[]\\{}", rune(c)) >= 0
+		if strings.IndexRune(" \t\r\n", rune(c)) >= 0 {
+			t |= isSpace
+		}
+		if isChar && !isCtl && !isSeparator {
+			t |= isToken
+		}
+		octetTypes[c] = t
+	}
+}
+
+func parseAuthHeader(header http.Header) []*AuthorizationChallenge {
+	var challenges []*AuthorizationChallenge
+	for _, h := range header[http.CanonicalHeaderKey("WWW-Authenticate")] {
+		v, p := parseValueAndParams(h)
+		if v != "" {
+			challenges = append(challenges, &AuthorizationChallenge{Scheme: v, Parameters: p})
+		}
+	}
+	return challenges
+}
+
+func parseValueAndParams(header string) (value string, params map[string]string) {
+	params = make(map[string]string)
+	value, s := expectToken(header)
+	if value == "" {
+		return
+	}
+	value = strings.ToLower(value)
+	s = "," + skipSpace(s)
+	for strings.HasPrefix(s, ",") {
+		var pkey string
+		pkey, s = expectToken(skipSpace(s[1:]))
+		if pkey == "" {
+			return
+		}
+		if !strings.HasPrefix(s, "=") {
+			return
+		}
+		var pvalue string
+		pvalue, s = expectTokenOrQuoted(s[1:])
+		if pvalue == "" {
+			return
+		}
+		pkey = strings.ToLower(pkey)
+		params[pkey] = pvalue
+		s = skipSpace(s)
+	}
+	return
+}
+
+func skipSpace(s string) (rest string) {
+	i := 0
+	for ; i < len(s); i++ {
+		if octetTypes[s[i]]&isSpace == 0 {
+			break
+		}
+	}
+	return s[i:]
+}
+
+func expectToken(s string) (token, rest string) {
+	i := 0
+	for ; i < len(s); i++ {
+		if octetTypes[s[i]]&isToken == 0 {
+			break
+		}
+	}
+	return s[:i], s[i:]
+}
+
+func expectTokenOrQuoted(s string) (value string, rest string) {
+	if !strings.HasPrefix(s, "\"") {
+		return expectToken(s)
+	}
+	s = s[1:]
+	for i := 0; i < len(s); i++ {
+		switch s[i] {
+		case '"':
+			return s[:i], s[i+1:]
+		case '\\':
+			p := make([]byte, len(s)-1)
+			j := copy(p, s[:i])
+			escape := true
+			for i = i + i; i < len(s); i++ {
+				b := s[i]
+				switch {
+				case escape:
+					escape = false
+					p[j] = b
+					j++
+				case b == '\\':
+					escape = true
+				case b == '"':
+					return string(p[:j]), s[i+1:]
+				default:
+					p[j] = b
+					j++
+				}
+			}
+			return "", ""
+		}
+	}
+	return "", ""
+}

docs/config.go

@@ -0,0 +1,416 @@
+package registry
+
+import (
+	"encoding/json"
+	"errors"
+	"fmt"
+	"net"
+	"net/url"
+	"strings"
+
+	"github.com/docker/distribution/registry/api/v2"
+	"github.com/docker/docker/image"
+	"github.com/docker/docker/opts"
+	flag "github.com/docker/docker/pkg/mflag"
+)
+
+// Options holds command line options.
+type Options struct {
+	Mirrors            opts.ListOpts
+	InsecureRegistries opts.ListOpts
+}
+
+const (
+	// DefaultNamespace is the default namespace
+	DefaultNamespace = "docker.io"
+	// DefaultRegistryVersionHeader is the name of the default HTTP header
+	// that carries Registry version info
+	DefaultRegistryVersionHeader = "Docker-Distribution-Api-Version"
+
+	// IndexServer is the v1 registry server used for user auth + account creation
+	IndexServer = DefaultV1Registry + "/v1/"
+	// IndexName is the name of the index
+	IndexName = "docker.io"
+
+	// NotaryServer is the endpoint serving the Notary trust server
+	NotaryServer = "https://notary.docker.io"
+
+	// IndexServer = "https://registry-stage.hub.docker.com/v1/"
+)
+
+var (
+	// ErrInvalidRepositoryName is an error returned if the repository name did
+	// not have the correct form
+	ErrInvalidRepositoryName = errors.New("Invalid repository name (ex: \"registry.domain.tld/myrepos\")")
+
+	emptyServiceConfig = NewServiceConfig(nil)
+
+	// V2Only controls access to legacy registries.  If it is set to true via the
+	// command line flag the daemon will not attempt to contact v1 legacy registries
+	V2Only = false
+)
+
+// InstallFlags adds command-line options to the top-level flag parser for
+// the current process.
+func (options *Options) InstallFlags(cmd *flag.FlagSet, usageFn func(string) string) {
+	options.Mirrors = opts.NewListOpts(ValidateMirror)
+	cmd.Var(&options.Mirrors, []string{"-registry-mirror"}, usageFn("Preferred Docker registry mirror"))
+	options.InsecureRegistries = opts.NewListOpts(ValidateIndexName)
+	cmd.Var(&options.InsecureRegistries, []string{"-insecure-registry"}, usageFn("Enable insecure registry communication"))
+	cmd.BoolVar(&V2Only, []string{"-disable-legacy-registry"}, false, "Do not contact legacy registries")
+}
+
+type netIPNet net.IPNet
+
+func (ipnet *netIPNet) MarshalJSON() ([]byte, error) {
+	return json.Marshal((*net.IPNet)(ipnet).String())
+}
+
+func (ipnet *netIPNet) UnmarshalJSON(b []byte) (err error) {
+	var ipnetStr string
+	if err = json.Unmarshal(b, &ipnetStr); err == nil {
+		var cidr *net.IPNet
+		if _, cidr, err = net.ParseCIDR(ipnetStr); err == nil {
+			*ipnet = netIPNet(*cidr)
+		}
+	}
+	return
+}
+
+// ServiceConfig stores daemon registry services configuration.
+type ServiceConfig struct {
+	InsecureRegistryCIDRs []*netIPNet           `json:"InsecureRegistryCIDRs"`
+	IndexConfigs          map[string]*IndexInfo `json:"IndexConfigs"`
+	Mirrors               []string
+}
+
+// NewServiceConfig returns a new instance of ServiceConfig
+func NewServiceConfig(options *Options) *ServiceConfig {
+	if options == nil {
+		options = &Options{
+			Mirrors:            opts.NewListOpts(nil),
+			InsecureRegistries: opts.NewListOpts(nil),
+		}
+	}
+
+	// Localhost is by default considered as an insecure registry
+	// This is a stop-gap for people who are running a private registry on localhost (especially on Boot2docker).
+	//
+	// TODO: should we deprecate this once it is easier for people to set up a TLS registry or change
+	// daemon flags on boot2docker?
+	options.InsecureRegistries.Set("127.0.0.0/8")
+
+	config := &ServiceConfig{
+		InsecureRegistryCIDRs: make([]*netIPNet, 0),
+		IndexConfigs:          make(map[string]*IndexInfo, 0),
+		// Hack: Bypass setting the mirrors to IndexConfigs since they are going away
+		// and Mirrors are only for the official registry anyways.
+		Mirrors: options.Mirrors.GetAll(),
+	}
+	// Split --insecure-registry into CIDR and registry-specific settings.
+	for _, r := range options.InsecureRegistries.GetAll() {
+		// Check if CIDR was passed to --insecure-registry
+		_, ipnet, err := net.ParseCIDR(r)
+		if err == nil {
+			// Valid CIDR.
+			config.InsecureRegistryCIDRs = append(config.InsecureRegistryCIDRs, (*netIPNet)(ipnet))
+		} else {
+			// Assume `host:port` if not CIDR.
+			config.IndexConfigs[r] = &IndexInfo{
+				Name:     r,
+				Mirrors:  make([]string, 0),
+				Secure:   false,
+				Official: false,
+			}
+		}
+	}
+
+	// Configure public registry.
+	config.IndexConfigs[IndexName] = &IndexInfo{
+		Name:     IndexName,
+		Mirrors:  config.Mirrors,
+		Secure:   true,
+		Official: true,
+	}
+
+	return config
+}
+
+// isSecureIndex returns false if the provided indexName is part of the list of insecure registries
+// Insecure registries accept HTTP and/or accept HTTPS with certificates from unknown CAs.
+//
+// The list of insecure registries can contain an element with CIDR notation to specify a whole subnet.
+// If the subnet contains one of the IPs of the registry specified by indexName, the latter is considered
+// insecure.
+//
+// indexName should be a URL.Host (`host:port` or `host`) where the `host` part can be either a domain name
+// or an IP address. If it is a domain name, then it will be resolved in order to check if the IP is contained
+// in a subnet. If the resolving is not successful, isSecureIndex will only try to match hostname to any element
+// of insecureRegistries.
+func (config *ServiceConfig) isSecureIndex(indexName string) bool {
+	// Check for configured index, first.  This is needed in case isSecureIndex
+	// is called from anything besides NewIndexInfo, in order to honor per-index configurations.
+	if index, ok := config.IndexConfigs[indexName]; ok {
+		return index.Secure
+	}
+
+	host, _, err := net.SplitHostPort(indexName)
+	if err != nil {
+		// assume indexName is of the form `host` without the port and go on.
+		host = indexName
+	}
+
+	addrs, err := lookupIP(host)
+	if err != nil {
+		ip := net.ParseIP(host)
+		if ip != nil {
+			addrs = []net.IP{ip}
+		}
+
+		// if ip == nil, then `host` is neither an IP nor it could be looked up,
+		// either because the index is unreachable, or because the index is behind an HTTP proxy.
+		// So, len(addrs) == 0 and we're not aborting.
+	}
+
+	// Try CIDR notation only if addrs has any elements, i.e. if `host`'s IP could be determined.
+	for _, addr := range addrs {
+		for _, ipnet := range config.InsecureRegistryCIDRs {
+			// check if the addr falls in the subnet
+			if (*net.IPNet)(ipnet).Contains(addr) {
+				return false
+			}
+		}
+	}
+
+	return true
+}
+
+// ValidateMirror validates an HTTP(S) registry mirror
+func ValidateMirror(val string) (string, error) {
+	uri, err := url.Parse(val)
+	if err != nil {
+		return "", fmt.Errorf("%s is not a valid URI", val)
+	}
+
+	if uri.Scheme != "http" && uri.Scheme != "https" {
+		return "", fmt.Errorf("Unsupported scheme %s", uri.Scheme)
+	}
+
+	if uri.Path != "" || uri.RawQuery != "" || uri.Fragment != "" {
+		return "", fmt.Errorf("Unsupported path/query/fragment at end of the URI")
+	}
+
+	return fmt.Sprintf("%s://%s/", uri.Scheme, uri.Host), nil
+}
+
+// ValidateIndexName validates an index name.
+func ValidateIndexName(val string) (string, error) {
+	// 'index.docker.io' => 'docker.io'
+	if val == "index."+IndexName {
+		val = IndexName
+	}
+	if strings.HasPrefix(val, "-") || strings.HasSuffix(val, "-") {
+		return "", fmt.Errorf("Invalid index name (%s). Cannot begin or end with a hyphen.", val)
+	}
+	// *TODO: Check if valid hostname[:port]/ip[:port]?
+	return val, nil
+}
+
+func validateRemoteName(remoteName string) error {
+
+	if !strings.Contains(remoteName, "/") {
+
+		// the repository name must not be a valid image ID
+		if err := image.ValidateID(remoteName); err == nil {
+			return fmt.Errorf("Invalid repository name (%s), cannot specify 64-byte hexadecimal strings", remoteName)
+		}
+	}
+
+	return v2.ValidateRepositoryName(remoteName)
+}
+
+func validateNoSchema(reposName string) error {
+	if strings.Contains(reposName, "://") {
+		// It cannot contain a scheme!
+		return ErrInvalidRepositoryName
+	}
+	return nil
+}
+
+// ValidateRepositoryName validates a repository name
+func ValidateRepositoryName(reposName string) error {
+	_, _, err := loadRepositoryName(reposName, true)
+	return err
+}
+
+// loadRepositoryName returns the repo name splitted into index name
+// and remote repo name. It returns an error if the name is not valid.
+func loadRepositoryName(reposName string, checkRemoteName bool) (string, string, error) {
+	if err := validateNoSchema(reposName); err != nil {
+		return "", "", err
+	}
+	indexName, remoteName := splitReposName(reposName)
+
+	var err error
+	if indexName, err = ValidateIndexName(indexName); err != nil {
+		return "", "", err
+	}
+	if checkRemoteName {
+		if err = validateRemoteName(remoteName); err != nil {
+			return "", "", err
+		}
+	}
+	return indexName, remoteName, nil
+}
+
+// NewIndexInfo returns IndexInfo configuration from indexName
+func (config *ServiceConfig) NewIndexInfo(indexName string) (*IndexInfo, error) {
+	var err error
+	indexName, err = ValidateIndexName(indexName)
+	if err != nil {
+		return nil, err
+	}
+
+	// Return any configured index info, first.
+	if index, ok := config.IndexConfigs[indexName]; ok {
+		return index, nil
+	}
+
+	// Construct a non-configured index info.
+	index := &IndexInfo{
+		Name:     indexName,
+		Mirrors:  make([]string, 0),
+		Official: false,
+	}
+	index.Secure = config.isSecureIndex(indexName)
+	return index, nil
+}
+
+// GetAuthConfigKey special-cases using the full index address of the official
+// index as the AuthConfig key, and uses the (host)name[:port] for private indexes.
+func (index *IndexInfo) GetAuthConfigKey() string {
+	if index.Official {
+		return IndexServer
+	}
+	return index.Name
+}
+
+// splitReposName breaks a reposName into an index name and remote name
+func splitReposName(reposName string) (string, string) {
+	nameParts := strings.SplitN(reposName, "/", 2)
+	var indexName, remoteName string
+	if len(nameParts) == 1 || (!strings.Contains(nameParts[0], ".") &&
+		!strings.Contains(nameParts[0], ":") && nameParts[0] != "localhost") {
+		// This is a Docker Index repos (ex: samalba/hipache or ubuntu)
+		// 'docker.io'
+		indexName = IndexName
+		remoteName = reposName
+	} else {
+		indexName = nameParts[0]
+		remoteName = nameParts[1]
+	}
+	return indexName, remoteName
+}
+
+// NewRepositoryInfo validates and breaks down a repository name into a RepositoryInfo
+func (config *ServiceConfig) NewRepositoryInfo(reposName string, bySearch bool) (*RepositoryInfo, error) {
+	indexName, remoteName, err := loadRepositoryName(reposName, !bySearch)
+	if err != nil {
+		return nil, err
+	}
+
+	repoInfo := &RepositoryInfo{
+		RemoteName: remoteName,
+	}
+
+	repoInfo.Index, err = config.NewIndexInfo(indexName)
+	if err != nil {
+		return nil, err
+	}
+
+	if repoInfo.Index.Official {
+		normalizedName := normalizeLibraryRepoName(repoInfo.RemoteName)
+
+		repoInfo.LocalName = normalizedName
+		repoInfo.RemoteName = normalizedName
+		// If the normalized name does not contain a '/' (e.g. "foo")
+		// then it is an official repo.
+		if strings.IndexRune(normalizedName, '/') == -1 {
+			repoInfo.Official = true
+			// Fix up remote name for official repos.
+			repoInfo.RemoteName = "library/" + normalizedName
+		}
+
+		repoInfo.CanonicalName = "docker.io/" + repoInfo.RemoteName
+	} else {
+		repoInfo.LocalName = localNameFromRemote(repoInfo.Index.Name, repoInfo.RemoteName)
+		repoInfo.CanonicalName = repoInfo.LocalName
+
+	}
+
+	return repoInfo, nil
+}
+
+// GetSearchTerm special-cases using local name for official index, and
+// remote name for private indexes.
+func (repoInfo *RepositoryInfo) GetSearchTerm() string {
+	if repoInfo.Index.Official {
+		return repoInfo.LocalName
+	}
+	return repoInfo.RemoteName
+}
+
+// ParseRepositoryInfo performs the breakdown of a repository name into a RepositoryInfo, but
+// lacks registry configuration.
+func ParseRepositoryInfo(reposName string) (*RepositoryInfo, error) {
+	return emptyServiceConfig.NewRepositoryInfo(reposName, false)
+}
+
+// ParseIndexInfo will use repository name to get back an indexInfo.
+func ParseIndexInfo(reposName string) (*IndexInfo, error) {
+	indexName, _ := splitReposName(reposName)
+
+	indexInfo, err := emptyServiceConfig.NewIndexInfo(indexName)
+	if err != nil {
+		return nil, err
+	}
+	return indexInfo, nil
+}
+
+// NormalizeLocalName transforms a repository name into a normalize LocalName
+// Passes through the name without transformation on error (image id, etc)
+// It does not use the repository info because we don't want to load
+// the repository index and do request over the network.
+func NormalizeLocalName(name string) string {
+	indexName, remoteName, err := loadRepositoryName(name, true)
+	if err != nil {
+		return name
+	}
+
+	var officialIndex bool
+	// Return any configured index info, first.
+	if index, ok := emptyServiceConfig.IndexConfigs[indexName]; ok {
+		officialIndex = index.Official
+	}
+
+	if officialIndex {
+		return normalizeLibraryRepoName(remoteName)
+	}
+	return localNameFromRemote(indexName, remoteName)
+}
+
+// normalizeLibraryRepoName removes the library prefix from
+// the repository name for official repos.
+func normalizeLibraryRepoName(name string) string {
+	if strings.HasPrefix(name, "library/") {
+		// If pull "library/foo", it's stored locally under "foo"
+		name = strings.SplitN(name, "/", 2)[1]
+	}
+	return name
+}
+
+// localNameFromRemote combines the index name and the repo remote name
+// to generate a repo local name.
+func localNameFromRemote(indexName, remoteName string) string {
+	return indexName + "/" + remoteName
+}

docs/config_test.go

@@ -0,0 +1,49 @@
+package registry
+
+import (
+	"testing"
+)
+
+func TestValidateMirror(t *testing.T) {
+	valid := []string{
+		"http://mirror-1.com",
+		"https://mirror-1.com",
+		"http://localhost",
+		"https://localhost",
+		"http://localhost:5000",
+		"https://localhost:5000",
+		"http://127.0.0.1",
+		"https://127.0.0.1",
+		"http://127.0.0.1:5000",
+		"https://127.0.0.1:5000",
+	}
+
+	invalid := []string{
+		"!invalid!://%as%",
+		"ftp://mirror-1.com",
+		"http://mirror-1.com/",
+		"http://mirror-1.com/?q=foo",
+		"http://mirror-1.com/v1/",
+		"http://mirror-1.com/v1/?q=foo",
+		"http://mirror-1.com/v1/?q=foo#frag",
+		"http://mirror-1.com?q=foo",
+		"https://mirror-1.com#frag",
+		"https://mirror-1.com/",
+		"https://mirror-1.com/#frag",
+		"https://mirror-1.com/v1/",
+		"https://mirror-1.com/v1/#",
+		"https://mirror-1.com?q",
+	}
+
+	for _, address := range valid {
+		if ret, err := ValidateMirror(address); err != nil || ret == "" {
+			t.Errorf("ValidateMirror(`"+address+"`) got %s %s", ret, err)
+		}
+	}
+
+	for _, address := range invalid {
+		if ret, err := ValidateMirror(address); err == nil || ret != "" {
+			t.Errorf("ValidateMirror(`"+address+"`) got %s %s", ret, err)
+		}
+	}
+}

docs/config_unix.go

@@ -0,0 +1,22 @@
+// +build !windows
+
+package registry
+
+const (
+	// DefaultV1Registry is the URI of the default v1 registry
+	DefaultV1Registry = "https://index.docker.io"
+
+	// DefaultV2Registry is the URI of the default v2 registry
+	DefaultV2Registry = "https://registry-1.docker.io"
+
+	// CertsDir is the directory where certificates are stored
+	CertsDir = "/etc/docker/certs.d"
+)
+
+// cleanPath is used to ensure that a directory name is valid on the target
+// platform. It will be passed in something *similar* to a URL such as
+// https:/index.docker.io/v1. Not all platforms support directory names
+// which contain those characters (such as : on Windows)
+func cleanPath(s string) string {
+	return s
+}

docs/config_windows.go

@@ -0,0 +1,30 @@
+package registry
+
+import (
+	"os"
+	"path/filepath"
+	"strings"
+)
+
+const (
+	// DefaultV1Registry is the URI of the default v1 registry
+	DefaultV1Registry = "https://registry-win-tp3.docker.io"
+
+	// DefaultV2Registry is the URI of the default (official) v2 registry.
+	// This is the windows-specific endpoint.
+	//
+	// Currently it is a TEMPORARY link that allows Microsoft to continue
+	// development of Docker Engine for Windows.
+	DefaultV2Registry = "https://registry-win-tp3.docker.io"
+)
+
+// CertsDir is the directory where certificates are stored
+var CertsDir = os.Getenv("programdata") + `\docker\certs.d`
+
+// cleanPath is used to ensure that a directory name is valid on the target
+// platform. It will be passed in something *similar* to a URL such as
+// https:\index.docker.io\v1. Not all platforms support directory names
+// which contain those characters (such as : on Windows)
+func cleanPath(s string) string {
+	return filepath.FromSlash(strings.Replace(s, ":", "", -1))
+}

docs/endpoint.go

@@ -0,0 +1,293 @@
+package registry
+
+import (
+	"crypto/tls"
+	"encoding/json"
+	"fmt"
+	"io/ioutil"
+	"net"
+	"net/http"
+	"net/url"
+	"strings"
+
+	"github.com/Sirupsen/logrus"
+	"github.com/docker/distribution/registry/api/v2"
+	"github.com/docker/distribution/registry/client/transport"
+)
+
+// for mocking in unit tests
+var lookupIP = net.LookupIP
+
+// scans string for api version in the URL path. returns the trimmed address, if version found, string and API version.
+func scanForAPIVersion(address string) (string, APIVersion) {
+	var (
+		chunks        []string
+		apiVersionStr string
+	)
+
+	if strings.HasSuffix(address, "/") {
+		address = address[:len(address)-1]
+	}
+
+	chunks = strings.Split(address, "/")
+	apiVersionStr = chunks[len(chunks)-1]
+
+	for k, v := range apiVersions {
+		if apiVersionStr == v {
+			address = strings.Join(chunks[:len(chunks)-1], "/")
+			return address, k
+		}
+	}
+
+	return address, APIVersionUnknown
+}
+
+// NewEndpoint parses the given address to return a registry endpoint.  v can be used to
+// specify a specific endpoint version
+func NewEndpoint(index *IndexInfo, metaHeaders http.Header, v APIVersion) (*Endpoint, error) {
+	tlsConfig, err := newTLSConfig(index.Name, index.Secure)
+	if err != nil {
+		return nil, err
+	}
+	endpoint, err := newEndpoint(index.GetAuthConfigKey(), tlsConfig, metaHeaders)
+	if err != nil {
+		return nil, err
+	}
+	if v != APIVersionUnknown {
+		endpoint.Version = v
+	}
+	if err := validateEndpoint(endpoint); err != nil {
+		return nil, err
+	}
+
+	return endpoint, nil
+}
+
+func validateEndpoint(endpoint *Endpoint) error {
+	logrus.Debugf("pinging registry endpoint %s", endpoint)
+
+	// Try HTTPS ping to registry
+	endpoint.URL.Scheme = "https"
+	if _, err := endpoint.Ping(); err != nil {
+		if endpoint.IsSecure {
+			// If registry is secure and HTTPS failed, show user the error and tell them about `--insecure-registry`
+			// in case that's what they need. DO NOT accept unknown CA certificates, and DO NOT fallback to HTTP.
+			return fmt.Errorf("invalid registry endpoint %s: %v. If this private registry supports only HTTP or HTTPS with an unknown CA certificate, please add `--insecure-registry %s` to the daemon's arguments. In the case of HTTPS, if you have access to the registry's CA certificate, no need for the flag; simply place the CA certificate at /etc/docker/certs.d/%s/ca.crt", endpoint, err, endpoint.URL.Host, endpoint.URL.Host)
+		}
+
+		// If registry is insecure and HTTPS failed, fallback to HTTP.
+		logrus.Debugf("Error from registry %q marked as insecure: %v. Insecurely falling back to HTTP", endpoint, err)
+		endpoint.URL.Scheme = "http"
+
+		var err2 error
+		if _, err2 = endpoint.Ping(); err2 == nil {
+			return nil
+		}
+
+		return fmt.Errorf("invalid registry endpoint %q. HTTPS attempt: %v. HTTP attempt: %v", endpoint, err, err2)
+	}
+
+	return nil
+}
+
+func newEndpoint(address string, tlsConfig *tls.Config, metaHeaders http.Header) (*Endpoint, error) {
+	var (
+		endpoint       = new(Endpoint)
+		trimmedAddress string
+		err            error
+	)
+
+	if !strings.HasPrefix(address, "http") {
+		address = "https://" + address
+	}
+
+	endpoint.IsSecure = (tlsConfig == nil || !tlsConfig.InsecureSkipVerify)
+
+	trimmedAddress, endpoint.Version = scanForAPIVersion(address)
+
+	if endpoint.URL, err = url.Parse(trimmedAddress); err != nil {
+		return nil, err
+	}
+
+	// TODO(tiborvass): make sure a ConnectTimeout transport is used
+	tr := NewTransport(tlsConfig)
+	endpoint.client = HTTPClient(transport.NewTransport(tr, DockerHeaders(metaHeaders)...))
+	return endpoint, nil
+}
+
+// Endpoint stores basic information about a registry endpoint.
+type Endpoint struct {
+	client         *http.Client
+	URL            *url.URL
+	Version        APIVersion
+	IsSecure       bool
+	AuthChallenges []*AuthorizationChallenge
+	URLBuilder     *v2.URLBuilder
+}
+
+// Get the formated URL for the root of this registry Endpoint
+func (e *Endpoint) String() string {
+	return fmt.Sprintf("%s/v%d/", e.URL, e.Version)
+}
+
+// VersionString returns a formatted string of this
+// endpoint address using the given API Version.
+func (e *Endpoint) VersionString(version APIVersion) string {
+	return fmt.Sprintf("%s/v%d/", e.URL, version)
+}
+
+// Path returns a formatted string for the URL
+// of this endpoint with the given path appended.
+func (e *Endpoint) Path(path string) string {
+	return fmt.Sprintf("%s/v%d/%s", e.URL, e.Version, path)
+}
+
+// Ping pings the remote endpoint with v2 and v1 pings to determine the API
+// version. It returns a PingResult containing the discovered version. The
+// PingResult also indicates whether the registry is standalone or not.
+func (e *Endpoint) Ping() (PingResult, error) {
+	// The ping logic to use is determined by the registry endpoint version.
+	switch e.Version {
+	case APIVersion1:
+		return e.pingV1()
+	case APIVersion2:
+		return e.pingV2()
+	}
+
+	// APIVersionUnknown
+	// We should try v2 first...
+	e.Version = APIVersion2
+	regInfo, errV2 := e.pingV2()
+	if errV2 == nil {
+		return regInfo, nil
+	}
+
+	// ... then fallback to v1.
+	e.Version = APIVersion1
+	regInfo, errV1 := e.pingV1()
+	if errV1 == nil {
+		return regInfo, nil
+	}
+
+	e.Version = APIVersionUnknown
+	return PingResult{}, fmt.Errorf("unable to ping registry endpoint %s\nv2 ping attempt failed with error: %s\n v1 ping attempt failed with error: %s", e, errV2, errV1)
+}
+
+func (e *Endpoint) pingV1() (PingResult, error) {
+	logrus.Debugf("attempting v1 ping for registry endpoint %s", e)
+
+	if e.String() == IndexServer {
+		// Skip the check, we know this one is valid
+		// (and we never want to fallback to http in case of error)
+		return PingResult{Standalone: false}, nil
+	}
+
+	req, err := http.NewRequest("GET", e.Path("_ping"), nil)
+	if err != nil {
+		return PingResult{Standalone: false}, err
+	}
+
+	resp, err := e.client.Do(req)
+	if err != nil {
+		return PingResult{Standalone: false}, err
+	}
+
+	defer resp.Body.Close()
+
+	jsonString, err := ioutil.ReadAll(resp.Body)
+	if err != nil {
+		return PingResult{Standalone: false}, fmt.Errorf("error while reading the http response: %s", err)
+	}
+
+	// If the header is absent, we assume true for compatibility with earlier
+	// versions of the registry. default to true
+	info := PingResult{
+		Standalone: true,
+	}
+	if err := json.Unmarshal(jsonString, &info); err != nil {
+		logrus.Debugf("Error unmarshalling the _ping PingResult: %s", err)
+		// don't stop here. Just assume sane defaults
+	}
+	if hdr := resp.Header.Get("X-Docker-Registry-Version"); hdr != "" {
+		logrus.Debugf("Registry version header: '%s'", hdr)
+		info.Version = hdr
+	}
+	logrus.Debugf("PingResult.Version: %q", info.Version)
+
+	standalone := resp.Header.Get("X-Docker-Registry-Standalone")
+	logrus.Debugf("Registry standalone header: '%s'", standalone)
+	// Accepted values are "true" (case-insensitive) and "1".
+	if strings.EqualFold(standalone, "true") || standalone == "1" {
+		info.Standalone = true
+	} else if len(standalone) > 0 {
+		// there is a header set, and it is not "true" or "1", so assume fails
+		info.Standalone = false
+	}
+	logrus.Debugf("PingResult.Standalone: %t", info.Standalone)
+	return info, nil
+}
+
+func (e *Endpoint) pingV2() (PingResult, error) {
+	logrus.Debugf("attempting v2 ping for registry endpoint %s", e)
+
+	req, err := http.NewRequest("GET", e.Path(""), nil)
+	if err != nil {
+		return PingResult{}, err
+	}
+
+	resp, err := e.client.Do(req)
+	if err != nil {
+		return PingResult{}, err
+	}
+	defer resp.Body.Close()
+
+	// The endpoint may have multiple supported versions.
+	// Ensure it supports the v2 Registry API.
+	var supportsV2 bool
+
+HeaderLoop:
+	for _, supportedVersions := range resp.Header[http.CanonicalHeaderKey("Docker-Distribution-API-Version")] {
+		for _, versionName := range strings.Fields(supportedVersions) {
+			if versionName == "registry/2.0" {
+				supportsV2 = true
+				break HeaderLoop
+			}
+		}
+	}
+
+	if !supportsV2 {
+		return PingResult{}, fmt.Errorf("%s does not appear to be a v2 registry endpoint", e)
+	}
+
+	if resp.StatusCode == http.StatusOK {
+		// It would seem that no authentication/authorization is required.
+		// So we don't need to parse/add any authorization schemes.
+		return PingResult{Standalone: true}, nil
+	}
+
+	if resp.StatusCode == http.StatusUnauthorized {
+		// Parse the WWW-Authenticate Header and store the challenges
+		// on this endpoint object.
+		e.AuthChallenges = parseAuthHeader(resp.Header)
+		return PingResult{}, nil
+	}
+
+	return PingResult{}, fmt.Errorf("v2 registry endpoint returned status %d: %q", resp.StatusCode, http.StatusText(resp.StatusCode))
+}
+
+func (e *Endpoint) HTTPClient() *http.Client {
+	tlsConfig := tls.Config{
+		MinVersion: tls.VersionTLS10,
+	}
+	if !e.IsSecure {
+		tlsConfig.InsecureSkipVerify = true
+	}
+	return &http.Client{
+		Transport: &http.Transport{
+			DisableKeepAlives: true,
+			Proxy:             http.ProxyFromEnvironment,
+			TLSClientConfig:   &tlsConfig,
+		},
+		CheckRedirect: AddRequiredHeadersToRedirectedRequests,
+	}
+}

docs/endpoint_test.go

@@ -0,0 +1,93 @@
+package registry
+
+import (
+	"net/http"
+	"net/http/httptest"
+	"net/url"
+	"testing"
+)
+
+func TestEndpointParse(t *testing.T) {
+	testData := []struct {
+		str      string
+		expected string
+	}{
+		{IndexServer, IndexServer},
+		{"http://0.0.0.0:5000/v1/", "http://0.0.0.0:5000/v1/"},
+		{"http://0.0.0.0:5000/v2/", "http://0.0.0.0:5000/v2/"},
+		{"http://0.0.0.0:5000", "http://0.0.0.0:5000/v0/"},
+		{"0.0.0.0:5000", "https://0.0.0.0:5000/v0/"},
+	}
+	for _, td := range testData {
+		e, err := newEndpoint(td.str, nil, nil)
+		if err != nil {
+			t.Errorf("%q: %s", td.str, err)
+		}
+		if e == nil {
+			t.Logf("something's fishy, endpoint for %q is nil", td.str)
+			continue
+		}
+		if e.String() != td.expected {
+			t.Errorf("expected %q, got %q", td.expected, e.String())
+		}
+	}
+}
+
+// Ensure that a registry endpoint that responds with a 401 only is determined
+// to be a v1 registry unless it includes a valid v2 API header.
+func TestValidateEndpointAmbiguousAPIVersion(t *testing.T) {
+	requireBasicAuthHandler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Add("WWW-Authenticate", `Basic realm="localhost"`)
+		w.WriteHeader(http.StatusUnauthorized)
+	})
+
+	requireBasicAuthHandlerV2 := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		// This mock server supports v2.0, v2.1, v42.0, and v100.0
+		w.Header().Add("Docker-Distribution-API-Version", "registry/100.0 registry/42.0")
+		w.Header().Add("Docker-Distribution-API-Version", "registry/2.0 registry/2.1")
+		requireBasicAuthHandler.ServeHTTP(w, r)
+	})
+
+	// Make a test server which should validate as a v1 server.
+	testServer := httptest.NewServer(requireBasicAuthHandler)
+	defer testServer.Close()
+
+	testServerURL, err := url.Parse(testServer.URL)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	testEndpoint := Endpoint{
+		URL:     testServerURL,
+		Version: APIVersionUnknown,
+		client:  HTTPClient(NewTransport(nil)),
+	}
+
+	if err = validateEndpoint(&testEndpoint); err != nil {
+		t.Fatal(err)
+	}
+
+	if testEndpoint.Version != APIVersion1 {
+		t.Fatalf("expected endpoint to validate to %d, got %d", APIVersion1, testEndpoint.Version)
+	}
+
+	// Make a test server which should validate as a v2 server.
+	testServer = httptest.NewServer(requireBasicAuthHandlerV2)
+	defer testServer.Close()
+
+	testServerURL, err = url.Parse(testServer.URL)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	testEndpoint.URL = testServerURL
+	testEndpoint.Version = APIVersionUnknown
+
+	if err = validateEndpoint(&testEndpoint); err != nil {
+		t.Fatal(err)
+	}
+
+	if testEndpoint.Version != APIVersion2 {
+		t.Fatalf("expected endpoint to validate to %d, got %d", APIVersion2, testEndpoint.Version)
+	}
+}

docs/reference.go

@@ -0,0 +1,68 @@
+package registry
+
+import (
+	"strings"
+
+	"github.com/docker/distribution/digest"
+)
+
+// Reference represents a tag or digest within a repository
+type Reference interface {
+	// HasDigest returns whether the reference has a verifiable
+	// content addressable reference which may be considered secure.
+	HasDigest() bool
+
+	// ImageName returns an image name for the given repository
+	ImageName(string) string
+
+	// Returns a string representation of the reference
+	String() string
+}
+
+type tagReference struct {
+	tag string
+}
+
+func (tr tagReference) HasDigest() bool {
+	return false
+}
+
+func (tr tagReference) ImageName(repo string) string {
+	return repo + ":" + tr.tag
+}
+
+func (tr tagReference) String() string {
+	return tr.tag
+}
+
+type digestReference struct {
+	digest digest.Digest
+}
+
+func (dr digestReference) HasDigest() bool {
+	return true
+}
+
+func (dr digestReference) ImageName(repo string) string {
+	return repo + "@" + dr.String()
+}
+
+func (dr digestReference) String() string {
+	return dr.digest.String()
+}
+
+// ParseReference parses a reference into either a digest or tag reference
+func ParseReference(ref string) Reference {
+	if strings.Contains(ref, ":") {
+		dgst, err := digest.ParseDigest(ref)
+		if err == nil {
+			return digestReference{digest: dgst}
+		}
+	}
+	return tagReference{tag: ref}
+}
+
+// DigestReference creates a digest reference using a digest
+func DigestReference(dgst digest.Digest) Reference {
+	return digestReference{digest: dgst}
+}

docs/registry.go

@@ -0,0 +1,249 @@
+// Package registry contains client primitives to interact with a remote Docker registry.
+package registry
+
+import (
+	"crypto/tls"
+	"crypto/x509"
+	"errors"
+	"fmt"
+	"io/ioutil"
+	"net"
+	"net/http"
+	"os"
+	"path/filepath"
+	"runtime"
+	"strings"
+	"time"
+
+	"github.com/Sirupsen/logrus"
+	"github.com/docker/distribution/registry/api/errcode"
+	"github.com/docker/distribution/registry/api/v2"
+	"github.com/docker/distribution/registry/client"
+	"github.com/docker/distribution/registry/client/transport"
+	"github.com/docker/docker/autogen/dockerversion"
+	"github.com/docker/docker/pkg/parsers/kernel"
+	"github.com/docker/docker/pkg/tlsconfig"
+	"github.com/docker/docker/pkg/useragent"
+)
+
+var (
+	// ErrAlreadyExists is an error returned if an image being pushed
+	// already exists on the remote side
+	ErrAlreadyExists = errors.New("Image already exists")
+	errLoginRequired = errors.New("Authentication is required.")
+)
+
+// dockerUserAgent is the User-Agent the Docker client uses to identify itself.
+// It is populated on init(), comprising version information of different components.
+var dockerUserAgent string
+
+func init() {
+	httpVersion := make([]useragent.VersionInfo, 0, 6)
+	httpVersion = append(httpVersion, useragent.VersionInfo{"docker", dockerversion.VERSION})
+	httpVersion = append(httpVersion, useragent.VersionInfo{"go", runtime.Version()})
+	httpVersion = append(httpVersion, useragent.VersionInfo{"git-commit", dockerversion.GITCOMMIT})
+	if kernelVersion, err := kernel.GetKernelVersion(); err == nil {
+		httpVersion = append(httpVersion, useragent.VersionInfo{"kernel", kernelVersion.String()})
+	}
+	httpVersion = append(httpVersion, useragent.VersionInfo{"os", runtime.GOOS})
+	httpVersion = append(httpVersion, useragent.VersionInfo{"arch", runtime.GOARCH})
+
+	dockerUserAgent = useragent.AppendVersions("", httpVersion...)
+
+	if runtime.GOOS != "linux" {
+		V2Only = true
+	}
+}
+
+func newTLSConfig(hostname string, isSecure bool) (*tls.Config, error) {
+	// PreferredServerCipherSuites should have no effect
+	tlsConfig := tlsconfig.ServerDefault
+
+	tlsConfig.InsecureSkipVerify = !isSecure
+
+	if isSecure {
+		hostDir := filepath.Join(CertsDir, cleanPath(hostname))
+		logrus.Debugf("hostDir: %s", hostDir)
+		if err := ReadCertsDirectory(&tlsConfig, hostDir); err != nil {
+			return nil, err
+		}
+	}
+
+	return &tlsConfig, nil
+}
+
+func hasFile(files []os.FileInfo, name string) bool {
+	for _, f := range files {
+		if f.Name() == name {
+			return true
+		}
+	}
+	return false
+}
+
+// ReadCertsDirectory reads the directory for TLS certificates
+// including roots and certificate pairs and updates the
+// provided TLS configuration.
+func ReadCertsDirectory(tlsConfig *tls.Config, directory string) error {
+	fs, err := ioutil.ReadDir(directory)
+	if err != nil && !os.IsNotExist(err) {
+		return err
+	}
+
+	for _, f := range fs {
+		if strings.HasSuffix(f.Name(), ".crt") {
+			if tlsConfig.RootCAs == nil {
+				// TODO(dmcgowan): Copy system pool
+				tlsConfig.RootCAs = x509.NewCertPool()
+			}
+			logrus.Debugf("crt: %s", filepath.Join(directory, f.Name()))
+			data, err := ioutil.ReadFile(filepath.Join(directory, f.Name()))
+			if err != nil {
+				return err
+			}
+			tlsConfig.RootCAs.AppendCertsFromPEM(data)
+		}
+		if strings.HasSuffix(f.Name(), ".cert") {
+			certName := f.Name()
+			keyName := certName[:len(certName)-5] + ".key"
+			logrus.Debugf("cert: %s", filepath.Join(directory, f.Name()))
+			if !hasFile(fs, keyName) {
+				return fmt.Errorf("Missing key %s for certificate %s", keyName, certName)
+			}
+			cert, err := tls.LoadX509KeyPair(filepath.Join(directory, certName), filepath.Join(directory, keyName))
+			if err != nil {
+				return err
+			}
+			tlsConfig.Certificates = append(tlsConfig.Certificates, cert)
+		}
+		if strings.HasSuffix(f.Name(), ".key") {
+			keyName := f.Name()
+			certName := keyName[:len(keyName)-4] + ".cert"
+			logrus.Debugf("key: %s", filepath.Join(directory, f.Name()))
+			if !hasFile(fs, certName) {
+				return fmt.Errorf("Missing certificate %s for key %s", certName, keyName)
+			}
+		}
+	}
+
+	return nil
+}
+
+// DockerHeaders returns request modifiers that ensure requests have
+// the User-Agent header set to dockerUserAgent and that metaHeaders
+// are added.
+func DockerHeaders(metaHeaders http.Header) []transport.RequestModifier {
+	modifiers := []transport.RequestModifier{
+		transport.NewHeaderRequestModifier(http.Header{"User-Agent": []string{dockerUserAgent}}),
+	}
+	if metaHeaders != nil {
+		modifiers = append(modifiers, transport.NewHeaderRequestModifier(metaHeaders))
+	}
+	return modifiers
+}
+
+// HTTPClient returns a HTTP client structure which uses the given transport
+// and contains the necessary headers for redirected requests
+func HTTPClient(transport http.RoundTripper) *http.Client {
+	return &http.Client{
+		Transport:     transport,
+		CheckRedirect: addRequiredHeadersToRedirectedRequests,
+	}
+}
+
+func trustedLocation(req *http.Request) bool {
+	var (
+		trusteds = []string{"docker.com", "docker.io"}
+		hostname = strings.SplitN(req.Host, ":", 2)[0]
+	)
+	if req.URL.Scheme != "https" {
+		return false
+	}
+
+	for _, trusted := range trusteds {
+		if hostname == trusted || strings.HasSuffix(hostname, "."+trusted) {
+			return true
+		}
+	}
+	return false
+}
+
+// addRequiredHeadersToRedirectedRequests adds the necessary redirection headers
+// for redirected requests
+func addRequiredHeadersToRedirectedRequests(req *http.Request, via []*http.Request) error {
+	if via != nil && via[0] != nil {
+		if trustedLocation(req) && trustedLocation(via[0]) {
+			req.Header = via[0].Header
+			return nil
+		}
+		for k, v := range via[0].Header {
+			if k != "Authorization" {
+				for _, vv := range v {
+					req.Header.Add(k, vv)
+				}
+			}
+		}
+	}
+	return nil
+}
+
+func shouldV2Fallback(err errcode.Error) bool {
+	logrus.Debugf("v2 error: %T %v", err, err)
+	switch err.Code {
+	case v2.ErrorCodeUnauthorized, v2.ErrorCodeManifestUnknown:
+		return true
+	}
+	return false
+}
+
+// ErrNoSupport is an error type used for errors indicating that an operation
+// is not supported. It encapsulates a more specific error.
+type ErrNoSupport struct{ Err error }
+
+func (e ErrNoSupport) Error() string {
+	if e.Err == nil {
+		return "not supported"
+	}
+	return e.Err.Error()
+}
+
+// ContinueOnError returns true if we should fallback to the next endpoint
+// as a result of this error.
+func ContinueOnError(err error) bool {
+	switch v := err.(type) {
+	case errcode.Errors:
+		return ContinueOnError(v[0])
+	case ErrNoSupport:
+		return ContinueOnError(v.Err)
+	case errcode.Error:
+		return shouldV2Fallback(v)
+	case *client.UnexpectedHTTPResponseError:
+		return true
+	}
+	// let's be nice and fallback if the error is a completely
+	// unexpected one.
+	// If new errors have to be handled in some way, please
+	// add them to the switch above.
+	return true
+}
+
+// NewTransport returns a new HTTP transport. If tlsConfig is nil, it uses the
+// default TLS configuration.
+func NewTransport(tlsConfig *tls.Config) *http.Transport {
+	if tlsConfig == nil {
+		var cfg = tlsconfig.ServerDefault
+		tlsConfig = &cfg
+	}
+	return &http.Transport{
+		Proxy: http.ProxyFromEnvironment,
+		Dial: (&net.Dialer{
+			Timeout:   30 * time.Second,
+			KeepAlive: 30 * time.Second,
+			DualStack: true,
+		}).Dial,
+		TLSHandshakeTimeout: 10 * time.Second,
+		TLSClientConfig:     tlsConfig,
+		// TODO(dmcgowan): Call close idle connections when complete and use keep alive
+		DisableKeepAlives: true,
+	}
+}

docs/registry_mock_test.go

@@ -0,0 +1,476 @@
+package registry
+
+import (
+	"encoding/json"
+	"errors"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"net"
+	"net/http"
+	"net/http/httptest"
+	"net/url"
+	"strconv"
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/docker/docker/opts"
+	"github.com/gorilla/mux"
+
+	"github.com/Sirupsen/logrus"
+)
+
+var (
+	testHTTPServer  *httptest.Server
+	testHTTPSServer *httptest.Server
+	testLayers      = map[string]map[string]string{
+		"77dbf71da1d00e3fbddc480176eac8994025630c6590d11cfc8fe1209c2a1d20": {
+			"json": `{"id":"77dbf71da1d00e3fbddc480176eac8994025630c6590d11cfc8fe1209c2a1d20",
+				"comment":"test base image","created":"2013-03-23T12:53:11.10432-07:00",
+				"container_config":{"Hostname":"","User":"","Memory":0,"MemorySwap":0,
+				"CpuShares":0,"AttachStdin":false,"AttachStdout":false,"AttachStderr":false,
+				"Tty":false,"OpenStdin":false,"StdinOnce":false,
+				"Env":null,"Cmd":null,"Dns":null,"Image":"","Volumes":null,
+				"VolumesFrom":"","Entrypoint":null},"Size":424242}`,
+			"checksum_simple": "sha256:1ac330d56e05eef6d438586545ceff7550d3bdcb6b19961f12c5ba714ee1bb37",
+			"checksum_tarsum": "tarsum+sha256:4409a0685741ca86d38df878ed6f8cbba4c99de5dc73cd71aef04be3bb70be7c",
+			"ancestry":        `["77dbf71da1d00e3fbddc480176eac8994025630c6590d11cfc8fe1209c2a1d20"]`,
+			"layer": string([]byte{
+				0x1f, 0x8b, 0x08, 0x08, 0x0e, 0xb0, 0xee, 0x51, 0x02, 0x03, 0x6c, 0x61, 0x79, 0x65,
+				0x72, 0x2e, 0x74, 0x61, 0x72, 0x00, 0xed, 0xd2, 0x31, 0x0e, 0xc2, 0x30, 0x0c, 0x05,
+				0x50, 0xcf, 0x9c, 0xc2, 0x27, 0x48, 0xed, 0x38, 0x4e, 0xce, 0x13, 0x44, 0x2b, 0x66,
+				0x62, 0x24, 0x8e, 0x4f, 0xa0, 0x15, 0x63, 0xb6, 0x20, 0x21, 0xfc, 0x96, 0xbf, 0x78,
+				0xb0, 0xf5, 0x1d, 0x16, 0x98, 0x8e, 0x88, 0x8a, 0x2a, 0xbe, 0x33, 0xef, 0x49, 0x31,
+				0xed, 0x79, 0x40, 0x8e, 0x5c, 0x44, 0x85, 0x88, 0x33, 0x12, 0x73, 0x2c, 0x02, 0xa8,
+				0xf0, 0x05, 0xf7, 0x66, 0xf5, 0xd6, 0x57, 0x69, 0xd7, 0x7a, 0x19, 0xcd, 0xf5, 0xb1,
+				0x6d, 0x1b, 0x1f, 0xf9, 0xba, 0xe3, 0x93, 0x3f, 0x22, 0x2c, 0xb6, 0x36, 0x0b, 0xf6,
+				0xb0, 0xa9, 0xfd, 0xe7, 0x94, 0x46, 0xfd, 0xeb, 0xd1, 0x7f, 0x2c, 0xc4, 0xd2, 0xfb,
+				0x97, 0xfe, 0x02, 0x80, 0xe4, 0xfd, 0x4f, 0x77, 0xae, 0x6d, 0x3d, 0x81, 0x73, 0xce,
+				0xb9, 0x7f, 0xf3, 0x04, 0x41, 0xc1, 0xab, 0xc6, 0x00, 0x0a, 0x00, 0x00,
+			}),
+		},
+		"42d718c941f5c532ac049bf0b0ab53f0062f09a03afd4aa4a02c098e46032b9d": {
+			"json": `{"id":"42d718c941f5c532ac049bf0b0ab53f0062f09a03afd4aa4a02c098e46032b9d",
+				"parent":"77dbf71da1d00e3fbddc480176eac8994025630c6590d11cfc8fe1209c2a1d20",
+				"comment":"test base image","created":"2013-03-23T12:55:11.10432-07:00",
+				"container_config":{"Hostname":"","User":"","Memory":0,"MemorySwap":0,
+				"CpuShares":0,"AttachStdin":false,"AttachStdout":false,"AttachStderr":false,
+				"Tty":false,"OpenStdin":false,"StdinOnce":false,
+				"Env":null,"Cmd":null,"Dns":null,"Image":"","Volumes":null,
+				"VolumesFrom":"","Entrypoint":null},"Size":424242}`,
+			"checksum_simple": "sha256:bea7bf2e4bacd479344b737328db47b18880d09096e6674165533aa994f5e9f2",
+			"checksum_tarsum": "tarsum+sha256:68fdb56fb364f074eec2c9b3f85ca175329c4dcabc4a6a452b7272aa613a07a2",
+			"ancestry": `["42d718c941f5c532ac049bf0b0ab53f0062f09a03afd4aa4a02c098e46032b9d",
+				"77dbf71da1d00e3fbddc480176eac8994025630c6590d11cfc8fe1209c2a1d20"]`,
+			"layer": string([]byte{
+				0x1f, 0x8b, 0x08, 0x08, 0xbd, 0xb3, 0xee, 0x51, 0x02, 0x03, 0x6c, 0x61, 0x79, 0x65,
+				0x72, 0x2e, 0x74, 0x61, 0x72, 0x00, 0xed, 0xd1, 0x31, 0x0e, 0xc2, 0x30, 0x0c, 0x05,
+				0x50, 0xcf, 0x9c, 0xc2, 0x27, 0x48, 0x9d, 0x38, 0x8e, 0xcf, 0x53, 0x51, 0xaa, 0x56,
+				0xea, 0x44, 0x82, 0xc4, 0xf1, 0x09, 0xb4, 0xea, 0x98, 0x2d, 0x48, 0x08, 0xbf, 0xe5,
+				0x2f, 0x1e, 0xfc, 0xf5, 0xdd, 0x00, 0xdd, 0x11, 0x91, 0x8a, 0xe0, 0x27, 0xd3, 0x9e,
+				0x14, 0xe2, 0x9e, 0x07, 0xf4, 0xc1, 0x2b, 0x0b, 0xfb, 0xa4, 0x82, 0xe4, 0x3d, 0x93,
+				0x02, 0x0a, 0x7c, 0xc1, 0x23, 0x97, 0xf1, 0x5e, 0x5f, 0xc9, 0xcb, 0x38, 0xb5, 0xee,
+				0xea, 0xd9, 0x3c, 0xb7, 0x4b, 0xbe, 0x7b, 0x9c, 0xf9, 0x23, 0xdc, 0x50, 0x6e, 0xb9,
+				0xb8, 0xf2, 0x2c, 0x5d, 0xf7, 0x4f, 0x31, 0xb6, 0xf6, 0x4f, 0xc7, 0xfe, 0x41, 0x55,
+				0x63, 0xdd, 0x9f, 0x89, 0x09, 0x90, 0x6c, 0xff, 0xee, 0xae, 0xcb, 0xba, 0x4d, 0x17,
+				0x30, 0xc6, 0x18, 0xf3, 0x67, 0x5e, 0xc1, 0xed, 0x21, 0x5d, 0x00, 0x0a, 0x00, 0x00,
+			}),
+		},
+	}
+	testRepositories = map[string]map[string]string{
+		"foo42/bar": {
+			"latest": "42d718c941f5c532ac049bf0b0ab53f0062f09a03afd4aa4a02c098e46032b9d",
+			"test":   "42d718c941f5c532ac049bf0b0ab53f0062f09a03afd4aa4a02c098e46032b9d",
+		},
+	}
+	mockHosts = map[string][]net.IP{
+		"":            {net.ParseIP("0.0.0.0")},
+		"localhost":   {net.ParseIP("127.0.0.1"), net.ParseIP("::1")},
+		"example.com": {net.ParseIP("42.42.42.42")},
+		"other.com":   {net.ParseIP("43.43.43.43")},
+	}
+)
+
+func init() {
+	r := mux.NewRouter()
+
+	// /v1/
+	r.HandleFunc("/v1/_ping", handlerGetPing).Methods("GET")
+	r.HandleFunc("/v1/images/{image_id:[^/]+}/{action:json|layer|ancestry}", handlerGetImage).Methods("GET")
+	r.HandleFunc("/v1/images/{image_id:[^/]+}/{action:json|layer|checksum}", handlerPutImage).Methods("PUT")
+	r.HandleFunc("/v1/repositories/{repository:.+}/tags", handlerGetDeleteTags).Methods("GET", "DELETE")
+	r.HandleFunc("/v1/repositories/{repository:.+}/tags/{tag:.+}", handlerGetTag).Methods("GET")
+	r.HandleFunc("/v1/repositories/{repository:.+}/tags/{tag:.+}", handlerPutTag).Methods("PUT")
+	r.HandleFunc("/v1/users{null:.*}", handlerUsers).Methods("GET", "POST", "PUT")
+	r.HandleFunc("/v1/repositories/{repository:.+}{action:/images|/}", handlerImages).Methods("GET", "PUT", "DELETE")
+	r.HandleFunc("/v1/repositories/{repository:.+}/auth", handlerAuth).Methods("PUT")
+	r.HandleFunc("/v1/search", handlerSearch).Methods("GET")
+
+	// /v2/
+	r.HandleFunc("/v2/version", handlerGetPing).Methods("GET")
+
+	testHTTPServer = httptest.NewServer(handlerAccessLog(r))
+	testHTTPSServer = httptest.NewTLSServer(handlerAccessLog(r))
+
+	// override net.LookupIP
+	lookupIP = func(host string) ([]net.IP, error) {
+		if host == "127.0.0.1" {
+			// I believe in future Go versions this will fail, so let's fix it later
+			return net.LookupIP(host)
+		}
+		for h, addrs := range mockHosts {
+			if host == h {
+				return addrs, nil
+			}
+			for _, addr := range addrs {
+				if addr.String() == host {
+					return []net.IP{addr}, nil
+				}
+			}
+		}
+		return nil, errors.New("lookup: no such host")
+	}
+}
+
+func handlerAccessLog(handler http.Handler) http.Handler {
+	logHandler := func(w http.ResponseWriter, r *http.Request) {
+		logrus.Debugf("%s \"%s %s\"", r.RemoteAddr, r.Method, r.URL)
+		handler.ServeHTTP(w, r)
+	}
+	return http.HandlerFunc(logHandler)
+}
+
+func makeURL(req string) string {
+	return testHTTPServer.URL + req
+}
+
+func makeHTTPSURL(req string) string {
+	return testHTTPSServer.URL + req
+}
+
+func makeIndex(req string) *IndexInfo {
+	index := &IndexInfo{
+		Name: makeURL(req),
+	}
+	return index
+}
+
+func makeHTTPSIndex(req string) *IndexInfo {
+	index := &IndexInfo{
+		Name: makeHTTPSURL(req),
+	}
+	return index
+}
+
+func makePublicIndex() *IndexInfo {
+	index := &IndexInfo{
+		Name:     IndexServer,
+		Secure:   true,
+		Official: true,
+	}
+	return index
+}
+
+func makeServiceConfig(mirrors []string, insecureRegistries []string) *ServiceConfig {
+	options := &Options{
+		Mirrors:            opts.NewListOpts(nil),
+		InsecureRegistries: opts.NewListOpts(nil),
+	}
+	if mirrors != nil {
+		for _, mirror := range mirrors {
+			options.Mirrors.Set(mirror)
+		}
+	}
+	if insecureRegistries != nil {
+		for _, insecureRegistries := range insecureRegistries {
+			options.InsecureRegistries.Set(insecureRegistries)
+		}
+	}
+
+	return NewServiceConfig(options)
+}
+
+func writeHeaders(w http.ResponseWriter) {
+	h := w.Header()
+	h.Add("Server", "docker-tests/mock")
+	h.Add("Expires", "-1")
+	h.Add("Content-Type", "application/json")
+	h.Add("Pragma", "no-cache")
+	h.Add("Cache-Control", "no-cache")
+	h.Add("X-Docker-Registry-Version", "0.0.0")
+	h.Add("X-Docker-Registry-Config", "mock")
+}
+
+func writeResponse(w http.ResponseWriter, message interface{}, code int) {
+	writeHeaders(w)
+	w.WriteHeader(code)
+	body, err := json.Marshal(message)
+	if err != nil {
+		io.WriteString(w, err.Error())
+		return
+	}
+	w.Write(body)
+}
+
+func readJSON(r *http.Request, dest interface{}) error {
+	body, err := ioutil.ReadAll(r.Body)
+	if err != nil {
+		return err
+	}
+	return json.Unmarshal(body, dest)
+}
+
+func apiError(w http.ResponseWriter, message string, code int) {
+	body := map[string]string{
+		"error": message,
+	}
+	writeResponse(w, body, code)
+}
+
+func assertEqual(t *testing.T, a interface{}, b interface{}, message string) {
+	if a == b {
+		return
+	}
+	if len(message) == 0 {
+		message = fmt.Sprintf("%v != %v", a, b)
+	}
+	t.Fatal(message)
+}
+
+func assertNotEqual(t *testing.T, a interface{}, b interface{}, message string) {
+	if a != b {
+		return
+	}
+	if len(message) == 0 {
+		message = fmt.Sprintf("%v == %v", a, b)
+	}
+	t.Fatal(message)
+}
+
+// Similar to assertEqual, but does not stop test
+func checkEqual(t *testing.T, a interface{}, b interface{}, messagePrefix string) {
+	if a == b {
+		return
+	}
+	message := fmt.Sprintf("%v != %v", a, b)
+	if len(messagePrefix) != 0 {
+		message = messagePrefix + ": " + message
+	}
+	t.Error(message)
+}
+
+// Similar to assertNotEqual, but does not stop test
+func checkNotEqual(t *testing.T, a interface{}, b interface{}, messagePrefix string) {
+	if a != b {
+		return
+	}
+	message := fmt.Sprintf("%v == %v", a, b)
+	if len(messagePrefix) != 0 {
+		message = messagePrefix + ": " + message
+	}
+	t.Error(message)
+}
+
+func requiresAuth(w http.ResponseWriter, r *http.Request) bool {
+	writeCookie := func() {
+		value := fmt.Sprintf("FAKE-SESSION-%d", time.Now().UnixNano())
+		cookie := &http.Cookie{Name: "session", Value: value, MaxAge: 3600}
+		http.SetCookie(w, cookie)
+		//FIXME(sam): this should be sent only on Index routes
+		value = fmt.Sprintf("FAKE-TOKEN-%d", time.Now().UnixNano())
+		w.Header().Add("X-Docker-Token", value)
+	}
+	if len(r.Cookies()) > 0 {
+		writeCookie()
+		return true
+	}
+	if len(r.Header.Get("Authorization")) > 0 {
+		writeCookie()
+		return true
+	}
+	w.Header().Add("WWW-Authenticate", "token")
+	apiError(w, "Wrong auth", 401)
+	return false
+}
+
+func handlerGetPing(w http.ResponseWriter, r *http.Request) {
+	writeResponse(w, true, 200)
+}
+
+func handlerGetImage(w http.ResponseWriter, r *http.Request) {
+	if !requiresAuth(w, r) {
+		return
+	}
+	vars := mux.Vars(r)
+	layer, exists := testLayers[vars["image_id"]]
+	if !exists {
+		http.NotFound(w, r)
+		return
+	}
+	writeHeaders(w)
+	layerSize := len(layer["layer"])
+	w.Header().Add("X-Docker-Size", strconv.Itoa(layerSize))
+	io.WriteString(w, layer[vars["action"]])
+}
+
+func handlerPutImage(w http.ResponseWriter, r *http.Request) {
+	if !requiresAuth(w, r) {
+		return
+	}
+	vars := mux.Vars(r)
+	imageID := vars["image_id"]
+	action := vars["action"]
+	layer, exists := testLayers[imageID]
+	if !exists {
+		if action != "json" {
+			http.NotFound(w, r)
+			return
+		}
+		layer = make(map[string]string)
+		testLayers[imageID] = layer
+	}
+	if checksum := r.Header.Get("X-Docker-Checksum"); checksum != "" {
+		if checksum != layer["checksum_simple"] && checksum != layer["checksum_tarsum"] {
+			apiError(w, "Wrong checksum", 400)
+			return
+		}
+	}
+	body, err := ioutil.ReadAll(r.Body)
+	if err != nil {
+		apiError(w, fmt.Sprintf("Error: %s", err), 500)
+		return
+	}
+	layer[action] = string(body)
+	writeResponse(w, true, 200)
+}
+
+func handlerGetDeleteTags(w http.ResponseWriter, r *http.Request) {
+	if !requiresAuth(w, r) {
+		return
+	}
+	repositoryName := mux.Vars(r)["repository"]
+	repositoryName = NormalizeLocalName(repositoryName)
+	tags, exists := testRepositories[repositoryName]
+	if !exists {
+		apiError(w, "Repository not found", 404)
+		return
+	}
+	if r.Method == "DELETE" {
+		delete(testRepositories, repositoryName)
+		writeResponse(w, true, 200)
+		return
+	}
+	writeResponse(w, tags, 200)
+}
+
+func handlerGetTag(w http.ResponseWriter, r *http.Request) {
+	if !requiresAuth(w, r) {
+		return
+	}
+	vars := mux.Vars(r)
+	repositoryName := vars["repository"]
+	repositoryName = NormalizeLocalName(repositoryName)
+	tagName := vars["tag"]
+	tags, exists := testRepositories[repositoryName]
+	if !exists {
+		apiError(w, "Repository not found", 404)
+		return
+	}
+	tag, exists := tags[tagName]
+	if !exists {
+		apiError(w, "Tag not found", 404)
+		return
+	}
+	writeResponse(w, tag, 200)
+}
+
+func handlerPutTag(w http.ResponseWriter, r *http.Request) {
+	if !requiresAuth(w, r) {
+		return
+	}
+	vars := mux.Vars(r)
+	repositoryName := vars["repository"]
+	repositoryName = NormalizeLocalName(repositoryName)
+	tagName := vars["tag"]
+	tags, exists := testRepositories[repositoryName]
+	if !exists {
+		tags := make(map[string]string)
+		testRepositories[repositoryName] = tags
+	}
+	tagValue := ""
+	readJSON(r, tagValue)
+	tags[tagName] = tagValue
+	writeResponse(w, true, 200)
+}
+
+func handlerUsers(w http.ResponseWriter, r *http.Request) {
+	code := 200
+	if r.Method == "POST" {
+		code = 201
+	} else if r.Method == "PUT" {
+		code = 204
+	}
+	writeResponse(w, "", code)
+}
+
+func handlerImages(w http.ResponseWriter, r *http.Request) {
+	u, _ := url.Parse(testHTTPServer.URL)
+	w.Header().Add("X-Docker-Endpoints", fmt.Sprintf("%s 	,  %s ", u.Host, "test.example.com"))
+	w.Header().Add("X-Docker-Token", fmt.Sprintf("FAKE-SESSION-%d", time.Now().UnixNano()))
+	if r.Method == "PUT" {
+		if strings.HasSuffix(r.URL.Path, "images") {
+			writeResponse(w, "", 204)
+			return
+		}
+		writeResponse(w, "", 200)
+		return
+	}
+	if r.Method == "DELETE" {
+		writeResponse(w, "", 204)
+		return
+	}
+	images := []map[string]string{}
+	for imageID, layer := range testLayers {
+		image := make(map[string]string)
+		image["id"] = imageID
+		image["checksum"] = layer["checksum_tarsum"]
+		image["Tag"] = "latest"
+		images = append(images, image)
+	}
+	writeResponse(w, images, 200)
+}
+
+func handlerAuth(w http.ResponseWriter, r *http.Request) {
+	writeResponse(w, "OK", 200)
+}
+
+func handlerSearch(w http.ResponseWriter, r *http.Request) {
+	result := &SearchResults{
+		Query:      "fakequery",
+		NumResults: 1,
+		Results:    []SearchResult{{Name: "fakeimage", StarCount: 42}},
+	}
+	writeResponse(w, result, 200)
+}
+
+func TestPing(t *testing.T) {
+	res, err := http.Get(makeURL("/v1/_ping"))
+	if err != nil {
+		t.Fatal(err)
+	}
+	assertEqual(t, res.StatusCode, 200, "")
+	assertEqual(t, res.Header.Get("X-Docker-Registry-Config"), "mock",
+		"This is not a Mocked Registry")
+}
+
+/* Uncomment this to test Mocked Registry locally with curl
+ * WARNING: Don't push on the repos uncommented, it'll block the tests
+ *
+func TestWait(t *testing.T) {
+	logrus.Println("Test HTTP server ready and waiting:", testHTTPServer.URL)
+	c := make(chan int)
+	<-c
+}
+
+//*/

docs/registry_test.go

@@ -0,0 +1,953 @@
+package registry
+
+import (
+	"fmt"
+	"net/http"
+	"net/http/httputil"
+	"net/url"
+	"strings"
+	"testing"
+
+	"github.com/docker/distribution/registry/client/transport"
+	"github.com/docker/docker/cliconfig"
+)
+
+var (
+	token = []string{"fake-token"}
+)
+
+const (
+	imageID = "42d718c941f5c532ac049bf0b0ab53f0062f09a03afd4aa4a02c098e46032b9d"
+	REPO    = "foo42/bar"
+)
+
+func spawnTestRegistrySession(t *testing.T) *Session {
+	authConfig := &cliconfig.AuthConfig{}
+	endpoint, err := NewEndpoint(makeIndex("/v1/"), nil, APIVersionUnknown)
+	if err != nil {
+		t.Fatal(err)
+	}
+	var tr http.RoundTripper = debugTransport{NewTransport(nil), t.Log}
+	tr = transport.NewTransport(AuthTransport(tr, authConfig, false), DockerHeaders(nil)...)
+	client := HTTPClient(tr)
+	r, err := NewSession(client, authConfig, endpoint)
+	if err != nil {
+		t.Fatal(err)
+	}
+	// In a normal scenario for the v1 registry, the client should send a `X-Docker-Token: true`
+	// header while authenticating, in order to retrieve a token that can be later used to
+	// perform authenticated actions.
+	//
+	// The mock v1 registry does not support that, (TODO(tiborvass): support it), instead,
+	// it will consider authenticated any request with the header `X-Docker-Token: fake-token`.
+	//
+	// Because we know that the client's transport is an `*authTransport` we simply cast it,
+	// in order to set the internal cached token to the fake token, and thus send that fake token
+	// upon every subsequent requests.
+	r.client.Transport.(*authTransport).token = token
+	return r
+}
+
+func TestPingRegistryEndpoint(t *testing.T) {
+	testPing := func(index *IndexInfo, expectedStandalone bool, assertMessage string) {
+		ep, err := NewEndpoint(index, nil, APIVersionUnknown)
+		if err != nil {
+			t.Fatal(err)
+		}
+		regInfo, err := ep.Ping()
+		if err != nil {
+			t.Fatal(err)
+		}
+
+		assertEqual(t, regInfo.Standalone, expectedStandalone, assertMessage)
+	}
+
+	testPing(makeIndex("/v1/"), true, "Expected standalone to be true (default)")
+	testPing(makeHTTPSIndex("/v1/"), true, "Expected standalone to be true (default)")
+	testPing(makePublicIndex(), false, "Expected standalone to be false for public index")
+}
+
+func TestEndpoint(t *testing.T) {
+	// Simple wrapper to fail test if err != nil
+	expandEndpoint := func(index *IndexInfo) *Endpoint {
+		endpoint, err := NewEndpoint(index, nil, APIVersionUnknown)
+		if err != nil {
+			t.Fatal(err)
+		}
+		return endpoint
+	}
+
+	assertInsecureIndex := func(index *IndexInfo) {
+		index.Secure = true
+		_, err := NewEndpoint(index, nil, APIVersionUnknown)
+		assertNotEqual(t, err, nil, index.Name+": Expected error for insecure index")
+		assertEqual(t, strings.Contains(err.Error(), "insecure-registry"), true, index.Name+": Expected insecure-registry  error for insecure index")
+		index.Secure = false
+	}
+
+	assertSecureIndex := func(index *IndexInfo) {
+		index.Secure = true
+		_, err := NewEndpoint(index, nil, APIVersionUnknown)
+		assertNotEqual(t, err, nil, index.Name+": Expected cert error for secure index")
+		assertEqual(t, strings.Contains(err.Error(), "certificate signed by unknown authority"), true, index.Name+": Expected cert error for secure index")
+		index.Secure = false
+	}
+
+	index := &IndexInfo{}
+	index.Name = makeURL("/v1/")
+	endpoint := expandEndpoint(index)
+	assertEqual(t, endpoint.String(), index.Name, "Expected endpoint to be "+index.Name)
+	if endpoint.Version != APIVersion1 {
+		t.Fatal("Expected endpoint to be v1")
+	}
+	assertInsecureIndex(index)
+
+	index.Name = makeURL("")
+	endpoint = expandEndpoint(index)
+	assertEqual(t, endpoint.String(), index.Name+"/v1/", index.Name+": Expected endpoint to be "+index.Name+"/v1/")
+	if endpoint.Version != APIVersion1 {
+		t.Fatal("Expected endpoint to be v1")
+	}
+	assertInsecureIndex(index)
+
+	httpURL := makeURL("")
+	index.Name = strings.SplitN(httpURL, "://", 2)[1]
+	endpoint = expandEndpoint(index)
+	assertEqual(t, endpoint.String(), httpURL+"/v1/", index.Name+": Expected endpoint to be "+httpURL+"/v1/")
+	if endpoint.Version != APIVersion1 {
+		t.Fatal("Expected endpoint to be v1")
+	}
+	assertInsecureIndex(index)
+
+	index.Name = makeHTTPSURL("/v1/")
+	endpoint = expandEndpoint(index)
+	assertEqual(t, endpoint.String(), index.Name, "Expected endpoint to be "+index.Name)
+	if endpoint.Version != APIVersion1 {
+		t.Fatal("Expected endpoint to be v1")
+	}
+	assertSecureIndex(index)
+
+	index.Name = makeHTTPSURL("")
+	endpoint = expandEndpoint(index)
+	assertEqual(t, endpoint.String(), index.Name+"/v1/", index.Name+": Expected endpoint to be "+index.Name+"/v1/")
+	if endpoint.Version != APIVersion1 {
+		t.Fatal("Expected endpoint to be v1")
+	}
+	assertSecureIndex(index)
+
+	httpsURL := makeHTTPSURL("")
+	index.Name = strings.SplitN(httpsURL, "://", 2)[1]
+	endpoint = expandEndpoint(index)
+	assertEqual(t, endpoint.String(), httpsURL+"/v1/", index.Name+": Expected endpoint to be "+httpsURL+"/v1/")
+	if endpoint.Version != APIVersion1 {
+		t.Fatal("Expected endpoint to be v1")
+	}
+	assertSecureIndex(index)
+
+	badEndpoints := []string{
+		"http://127.0.0.1/v1/",
+		"https://127.0.0.1/v1/",
+		"http://127.0.0.1",
+		"https://127.0.0.1",
+		"127.0.0.1",
+	}
+	for _, address := range badEndpoints {
+		index.Name = address
+		_, err := NewEndpoint(index, nil, APIVersionUnknown)
+		checkNotEqual(t, err, nil, "Expected error while expanding bad endpoint")
+	}
+}
+
+func TestGetRemoteHistory(t *testing.T) {
+	r := spawnTestRegistrySession(t)
+	hist, err := r.GetRemoteHistory(imageID, makeURL("/v1/"))
+	if err != nil {
+		t.Fatal(err)
+	}
+	assertEqual(t, len(hist), 2, "Expected 2 images in history")
+	assertEqual(t, hist[0], imageID, "Expected "+imageID+"as first ancestry")
+	assertEqual(t, hist[1], "77dbf71da1d00e3fbddc480176eac8994025630c6590d11cfc8fe1209c2a1d20",
+		"Unexpected second ancestry")
+}
+
+func TestLookupRemoteImage(t *testing.T) {
+	r := spawnTestRegistrySession(t)
+	err := r.LookupRemoteImage(imageID, makeURL("/v1/"))
+	assertEqual(t, err, nil, "Expected error of remote lookup to nil")
+	if err := r.LookupRemoteImage("abcdef", makeURL("/v1/")); err == nil {
+		t.Fatal("Expected error of remote lookup to not nil")
+	}
+}
+
+func TestGetRemoteImageJSON(t *testing.T) {
+	r := spawnTestRegistrySession(t)
+	json, size, err := r.GetRemoteImageJSON(imageID, makeURL("/v1/"))
+	if err != nil {
+		t.Fatal(err)
+	}
+	assertEqual(t, size, int64(154), "Expected size 154")
+	if len(json) <= 0 {
+		t.Fatal("Expected non-empty json")
+	}
+
+	_, _, err = r.GetRemoteImageJSON("abcdef", makeURL("/v1/"))
+	if err == nil {
+		t.Fatal("Expected image not found error")
+	}
+}
+
+func TestGetRemoteImageLayer(t *testing.T) {
+	r := spawnTestRegistrySession(t)
+	data, err := r.GetRemoteImageLayer(imageID, makeURL("/v1/"), 0)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if data == nil {
+		t.Fatal("Expected non-nil data result")
+	}
+
+	_, err = r.GetRemoteImageLayer("abcdef", makeURL("/v1/"), 0)
+	if err == nil {
+		t.Fatal("Expected image not found error")
+	}
+}
+
+func TestGetRemoteTag(t *testing.T) {
+	r := spawnTestRegistrySession(t)
+	tag, err := r.GetRemoteTag([]string{makeURL("/v1/")}, REPO, "test")
+	if err != nil {
+		t.Fatal(err)
+	}
+	assertEqual(t, tag, imageID, "Expected tag test to map to "+imageID)
+
+	_, err = r.GetRemoteTag([]string{makeURL("/v1/")}, "foo42/baz", "foo")
+	if err != ErrRepoNotFound {
+		t.Fatal("Expected ErrRepoNotFound error when fetching tag for bogus repo")
+	}
+}
+
+func TestGetRemoteTags(t *testing.T) {
+	r := spawnTestRegistrySession(t)
+	tags, err := r.GetRemoteTags([]string{makeURL("/v1/")}, REPO)
+	if err != nil {
+		t.Fatal(err)
+	}
+	assertEqual(t, len(tags), 2, "Expected two tags")
+	assertEqual(t, tags["latest"], imageID, "Expected tag latest to map to "+imageID)
+	assertEqual(t, tags["test"], imageID, "Expected tag test to map to "+imageID)
+
+	_, err = r.GetRemoteTags([]string{makeURL("/v1/")}, "foo42/baz")
+	if err != ErrRepoNotFound {
+		t.Fatal("Expected ErrRepoNotFound error when fetching tags for bogus repo")
+	}
+}
+
+func TestGetRepositoryData(t *testing.T) {
+	r := spawnTestRegistrySession(t)
+	parsedURL, err := url.Parse(makeURL("/v1/"))
+	if err != nil {
+		t.Fatal(err)
+	}
+	host := "http://" + parsedURL.Host + "/v1/"
+	data, err := r.GetRepositoryData("foo42/bar")
+	if err != nil {
+		t.Fatal(err)
+	}
+	assertEqual(t, len(data.ImgList), 2, "Expected 2 images in ImgList")
+	assertEqual(t, len(data.Endpoints), 2,
+		fmt.Sprintf("Expected 2 endpoints in Endpoints, found %d instead", len(data.Endpoints)))
+	assertEqual(t, data.Endpoints[0], host,
+		fmt.Sprintf("Expected first endpoint to be %s but found %s instead", host, data.Endpoints[0]))
+	assertEqual(t, data.Endpoints[1], "http://test.example.com/v1/",
+		fmt.Sprintf("Expected first endpoint to be http://test.example.com/v1/ but found %s instead", data.Endpoints[1]))
+
+}
+
+func TestPushImageJSONRegistry(t *testing.T) {
+	r := spawnTestRegistrySession(t)
+	imgData := &ImgData{
+		ID:       "77dbf71da1d00e3fbddc480176eac8994025630c6590d11cfc8fe1209c2a1d20",
+		Checksum: "sha256:1ac330d56e05eef6d438586545ceff7550d3bdcb6b19961f12c5ba714ee1bb37",
+	}
+
+	err := r.PushImageJSONRegistry(imgData, []byte{0x42, 0xdf, 0x0}, makeURL("/v1/"))
+	if err != nil {
+		t.Fatal(err)
+	}
+}
+
+func TestPushImageLayerRegistry(t *testing.T) {
+	r := spawnTestRegistrySession(t)
+	layer := strings.NewReader("")
+	_, _, err := r.PushImageLayerRegistry(imageID, layer, makeURL("/v1/"), []byte{})
+	if err != nil {
+		t.Fatal(err)
+	}
+}
+
+func TestValidateRepositoryName(t *testing.T) {
+	validRepoNames := []string{
+		"docker/docker",
+		"library/debian",
+		"debian",
+		"docker.io/docker/docker",
+		"docker.io/library/debian",
+		"docker.io/debian",
+		"index.docker.io/docker/docker",
+		"index.docker.io/library/debian",
+		"index.docker.io/debian",
+		"127.0.0.1:5000/docker/docker",
+		"127.0.0.1:5000/library/debian",
+		"127.0.0.1:5000/debian",
+		"thisisthesongthatneverendsitgoesonandonandonthisisthesongthatnev",
+	}
+	invalidRepoNames := []string{
+		"https://github.com/docker/docker",
+		"docker/Docker",
+		"-docker",
+		"-docker/docker",
+		"-docker.io/docker/docker",
+		"docker///docker",
+		"docker.io/docker/Docker",
+		"docker.io/docker///docker",
+		"1a3f5e7d9c1b3a5f7e9d1c3b5a7f9e1d3c5b7a9f1e3d5d7c9b1a3f5e7d9c1b3a",
+		"docker.io/1a3f5e7d9c1b3a5f7e9d1c3b5a7f9e1d3c5b7a9f1e3d5d7c9b1a3f5e7d9c1b3a",
+	}
+
+	for _, name := range invalidRepoNames {
+		err := ValidateRepositoryName(name)
+		assertNotEqual(t, err, nil, "Expected invalid repo name: "+name)
+	}
+
+	for _, name := range validRepoNames {
+		err := ValidateRepositoryName(name)
+		assertEqual(t, err, nil, "Expected valid repo name: "+name)
+	}
+
+	err := ValidateRepositoryName(invalidRepoNames[0])
+	assertEqual(t, err, ErrInvalidRepositoryName, "Expected ErrInvalidRepositoryName: "+invalidRepoNames[0])
+}
+
+func TestParseRepositoryInfo(t *testing.T) {
+	expectedRepoInfos := map[string]RepositoryInfo{
+		"fooo/bar": {
+			Index: &IndexInfo{
+				Name:     IndexName,
+				Official: true,
+			},
+			RemoteName:    "fooo/bar",
+			LocalName:     "fooo/bar",
+			CanonicalName: "docker.io/fooo/bar",
+			Official:      false,
+		},
+		"library/ubuntu": {
+			Index: &IndexInfo{
+				Name:     IndexName,
+				Official: true,
+			},
+			RemoteName:    "library/ubuntu",
+			LocalName:     "ubuntu",
+			CanonicalName: "docker.io/library/ubuntu",
+			Official:      true,
+		},
+		"nonlibrary/ubuntu": {
+			Index: &IndexInfo{
+				Name:     IndexName,
+				Official: true,
+			},
+			RemoteName:    "nonlibrary/ubuntu",
+			LocalName:     "nonlibrary/ubuntu",
+			CanonicalName: "docker.io/nonlibrary/ubuntu",
+			Official:      false,
+		},
+		"ubuntu": {
+			Index: &IndexInfo{
+				Name:     IndexName,
+				Official: true,
+			},
+			RemoteName:    "library/ubuntu",
+			LocalName:     "ubuntu",
+			CanonicalName: "docker.io/library/ubuntu",
+			Official:      true,
+		},
+		"other/library": {
+			Index: &IndexInfo{
+				Name:     IndexName,
+				Official: true,
+			},
+			RemoteName:    "other/library",
+			LocalName:     "other/library",
+			CanonicalName: "docker.io/other/library",
+			Official:      false,
+		},
+		"127.0.0.1:8000/private/moonbase": {
+			Index: &IndexInfo{
+				Name:     "127.0.0.1:8000",
+				Official: false,
+			},
+			RemoteName:    "private/moonbase",
+			LocalName:     "127.0.0.1:8000/private/moonbase",
+			CanonicalName: "127.0.0.1:8000/private/moonbase",
+			Official:      false,
+		},
+		"127.0.0.1:8000/privatebase": {
+			Index: &IndexInfo{
+				Name:     "127.0.0.1:8000",
+				Official: false,
+			},
+			RemoteName:    "privatebase",
+			LocalName:     "127.0.0.1:8000/privatebase",
+			CanonicalName: "127.0.0.1:8000/privatebase",
+			Official:      false,
+		},
+		"localhost:8000/private/moonbase": {
+			Index: &IndexInfo{
+				Name:     "localhost:8000",
+				Official: false,
+			},
+			RemoteName:    "private/moonbase",
+			LocalName:     "localhost:8000/private/moonbase",
+			CanonicalName: "localhost:8000/private/moonbase",
+			Official:      false,
+		},
+		"localhost:8000/privatebase": {
+			Index: &IndexInfo{
+				Name:     "localhost:8000",
+				Official: false,
+			},
+			RemoteName:    "privatebase",
+			LocalName:     "localhost:8000/privatebase",
+			CanonicalName: "localhost:8000/privatebase",
+			Official:      false,
+		},
+		"example.com/private/moonbase": {
+			Index: &IndexInfo{
+				Name:     "example.com",
+				Official: false,
+			},
+			RemoteName:    "private/moonbase",
+			LocalName:     "example.com/private/moonbase",
+			CanonicalName: "example.com/private/moonbase",
+			Official:      false,
+		},
+		"example.com/privatebase": {
+			Index: &IndexInfo{
+				Name:     "example.com",
+				Official: false,
+			},
+			RemoteName:    "privatebase",
+			LocalName:     "example.com/privatebase",
+			CanonicalName: "example.com/privatebase",
+			Official:      false,
+		},
+		"example.com:8000/private/moonbase": {
+			Index: &IndexInfo{
+				Name:     "example.com:8000",
+				Official: false,
+			},
+			RemoteName:    "private/moonbase",
+			LocalName:     "example.com:8000/private/moonbase",
+			CanonicalName: "example.com:8000/private/moonbase",
+			Official:      false,
+		},
+		"example.com:8000/privatebase": {
+			Index: &IndexInfo{
+				Name:     "example.com:8000",
+				Official: false,
+			},
+			RemoteName:    "privatebase",
+			LocalName:     "example.com:8000/privatebase",
+			CanonicalName: "example.com:8000/privatebase",
+			Official:      false,
+		},
+		"localhost/private/moonbase": {
+			Index: &IndexInfo{
+				Name:     "localhost",
+				Official: false,
+			},
+			RemoteName:    "private/moonbase",
+			LocalName:     "localhost/private/moonbase",
+			CanonicalName: "localhost/private/moonbase",
+			Official:      false,
+		},
+		"localhost/privatebase": {
+			Index: &IndexInfo{
+				Name:     "localhost",
+				Official: false,
+			},
+			RemoteName:    "privatebase",
+			LocalName:     "localhost/privatebase",
+			CanonicalName: "localhost/privatebase",
+			Official:      false,
+		},
+		IndexName + "/public/moonbase": {
+			Index: &IndexInfo{
+				Name:     IndexName,
+				Official: true,
+			},
+			RemoteName:    "public/moonbase",
+			LocalName:     "public/moonbase",
+			CanonicalName: "docker.io/public/moonbase",
+			Official:      false,
+		},
+		"index." + IndexName + "/public/moonbase": {
+			Index: &IndexInfo{
+				Name:     IndexName,
+				Official: true,
+			},
+			RemoteName:    "public/moonbase",
+			LocalName:     "public/moonbase",
+			CanonicalName: "docker.io/public/moonbase",
+			Official:      false,
+		},
+		"ubuntu-12.04-base": {
+			Index: &IndexInfo{
+				Name:     IndexName,
+				Official: true,
+			},
+			RemoteName:    "library/ubuntu-12.04-base",
+			LocalName:     "ubuntu-12.04-base",
+			CanonicalName: "docker.io/library/ubuntu-12.04-base",
+			Official:      true,
+		},
+		IndexName + "/ubuntu-12.04-base": {
+			Index: &IndexInfo{
+				Name:     IndexName,
+				Official: true,
+			},
+			RemoteName:    "library/ubuntu-12.04-base",
+			LocalName:     "ubuntu-12.04-base",
+			CanonicalName: "docker.io/library/ubuntu-12.04-base",
+			Official:      true,
+		},
+		"index." + IndexName + "/ubuntu-12.04-base": {
+			Index: &IndexInfo{
+				Name:     IndexName,
+				Official: true,
+			},
+			RemoteName:    "library/ubuntu-12.04-base",
+			LocalName:     "ubuntu-12.04-base",
+			CanonicalName: "docker.io/library/ubuntu-12.04-base",
+			Official:      true,
+		},
+	}
+
+	for reposName, expectedRepoInfo := range expectedRepoInfos {
+		repoInfo, err := ParseRepositoryInfo(reposName)
+		if err != nil {
+			t.Error(err)
+		} else {
+			checkEqual(t, repoInfo.Index.Name, expectedRepoInfo.Index.Name, reposName)
+			checkEqual(t, repoInfo.RemoteName, expectedRepoInfo.RemoteName, reposName)
+			checkEqual(t, repoInfo.LocalName, expectedRepoInfo.LocalName, reposName)
+			checkEqual(t, repoInfo.CanonicalName, expectedRepoInfo.CanonicalName, reposName)
+			checkEqual(t, repoInfo.Index.Official, expectedRepoInfo.Index.Official, reposName)
+			checkEqual(t, repoInfo.Official, expectedRepoInfo.Official, reposName)
+		}
+	}
+}
+
+func TestNewIndexInfo(t *testing.T) {
+	testIndexInfo := func(config *ServiceConfig, expectedIndexInfos map[string]*IndexInfo) {
+		for indexName, expectedIndexInfo := range expectedIndexInfos {
+			index, err := config.NewIndexInfo(indexName)
+			if err != nil {
+				t.Fatal(err)
+			} else {
+				checkEqual(t, index.Name, expectedIndexInfo.Name, indexName+" name")
+				checkEqual(t, index.Official, expectedIndexInfo.Official, indexName+" is official")
+				checkEqual(t, index.Secure, expectedIndexInfo.Secure, indexName+" is secure")
+				checkEqual(t, len(index.Mirrors), len(expectedIndexInfo.Mirrors), indexName+" mirrors")
+			}
+		}
+	}
+
+	config := NewServiceConfig(nil)
+	noMirrors := []string{}
+	expectedIndexInfos := map[string]*IndexInfo{
+		IndexName: {
+			Name:     IndexName,
+			Official: true,
+			Secure:   true,
+			Mirrors:  noMirrors,
+		},
+		"index." + IndexName: {
+			Name:     IndexName,
+			Official: true,
+			Secure:   true,
+			Mirrors:  noMirrors,
+		},
+		"example.com": {
+			Name:     "example.com",
+			Official: false,
+			Secure:   true,
+			Mirrors:  noMirrors,
+		},
+		"127.0.0.1:5000": {
+			Name:     "127.0.0.1:5000",
+			Official: false,
+			Secure:   false,
+			Mirrors:  noMirrors,
+		},
+	}
+	testIndexInfo(config, expectedIndexInfos)
+
+	publicMirrors := []string{"http://mirror1.local", "http://mirror2.local"}
+	config = makeServiceConfig(publicMirrors, []string{"example.com"})
+
+	expectedIndexInfos = map[string]*IndexInfo{
+		IndexName: {
+			Name:     IndexName,
+			Official: true,
+			Secure:   true,
+			Mirrors:  publicMirrors,
+		},
+		"index." + IndexName: {
+			Name:     IndexName,
+			Official: true,
+			Secure:   true,
+			Mirrors:  publicMirrors,
+		},
+		"example.com": {
+			Name:     "example.com",
+			Official: false,
+			Secure:   false,
+			Mirrors:  noMirrors,
+		},
+		"example.com:5000": {
+			Name:     "example.com:5000",
+			Official: false,
+			Secure:   true,
+			Mirrors:  noMirrors,
+		},
+		"127.0.0.1": {
+			Name:     "127.0.0.1",
+			Official: false,
+			Secure:   false,
+			Mirrors:  noMirrors,
+		},
+		"127.0.0.1:5000": {
+			Name:     "127.0.0.1:5000",
+			Official: false,
+			Secure:   false,
+			Mirrors:  noMirrors,
+		},
+		"other.com": {
+			Name:     "other.com",
+			Official: false,
+			Secure:   true,
+			Mirrors:  noMirrors,
+		},
+	}
+	testIndexInfo(config, expectedIndexInfos)
+
+	config = makeServiceConfig(nil, []string{"42.42.0.0/16"})
+	expectedIndexInfos = map[string]*IndexInfo{
+		"example.com": {
+			Name:     "example.com",
+			Official: false,
+			Secure:   false,
+			Mirrors:  noMirrors,
+		},
+		"example.com:5000": {
+			Name:     "example.com:5000",
+			Official: false,
+			Secure:   false,
+			Mirrors:  noMirrors,
+		},
+		"127.0.0.1": {
+			Name:     "127.0.0.1",
+			Official: false,
+			Secure:   false,
+			Mirrors:  noMirrors,
+		},
+		"127.0.0.1:5000": {
+			Name:     "127.0.0.1:5000",
+			Official: false,
+			Secure:   false,
+			Mirrors:  noMirrors,
+		},
+		"other.com": {
+			Name:     "other.com",
+			Official: false,
+			Secure:   true,
+			Mirrors:  noMirrors,
+		},
+	}
+	testIndexInfo(config, expectedIndexInfos)
+}
+
+func TestMirrorEndpointLookup(t *testing.T) {
+	containsMirror := func(endpoints []APIEndpoint) bool {
+		for _, pe := range endpoints {
+			if pe.URL == "my.mirror" {
+				return true
+			}
+		}
+		return false
+	}
+	s := Service{Config: makeServiceConfig([]string{"my.mirror"}, nil)}
+	imageName := IndexName + "/test/image"
+
+	pushAPIEndpoints, err := s.LookupPushEndpoints(imageName)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if containsMirror(pushAPIEndpoints) {
+		t.Fatal("Push endpoint should not contain mirror")
+	}
+
+	pullAPIEndpoints, err := s.LookupPullEndpoints(imageName)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if !containsMirror(pullAPIEndpoints) {
+		t.Fatal("Pull endpoint should contain mirror")
+	}
+}
+
+func TestPushRegistryTag(t *testing.T) {
+	r := spawnTestRegistrySession(t)
+	err := r.PushRegistryTag("foo42/bar", imageID, "stable", makeURL("/v1/"))
+	if err != nil {
+		t.Fatal(err)
+	}
+}
+
+func TestPushImageJSONIndex(t *testing.T) {
+	r := spawnTestRegistrySession(t)
+	imgData := []*ImgData{
+		{
+			ID:       "77dbf71da1d00e3fbddc480176eac8994025630c6590d11cfc8fe1209c2a1d20",
+			Checksum: "sha256:1ac330d56e05eef6d438586545ceff7550d3bdcb6b19961f12c5ba714ee1bb37",
+		},
+		{
+			ID:       "42d718c941f5c532ac049bf0b0ab53f0062f09a03afd4aa4a02c098e46032b9d",
+			Checksum: "sha256:bea7bf2e4bacd479344b737328db47b18880d09096e6674165533aa994f5e9f2",
+		},
+	}
+	repoData, err := r.PushImageJSONIndex("foo42/bar", imgData, false, nil)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if repoData == nil {
+		t.Fatal("Expected RepositoryData object")
+	}
+	repoData, err = r.PushImageJSONIndex("foo42/bar", imgData, true, []string{r.indexEndpoint.String()})
+	if err != nil {
+		t.Fatal(err)
+	}
+	if repoData == nil {
+		t.Fatal("Expected RepositoryData object")
+	}
+}
+
+func TestSearchRepositories(t *testing.T) {
+	r := spawnTestRegistrySession(t)
+	results, err := r.SearchRepositories("fakequery")
+	if err != nil {
+		t.Fatal(err)
+	}
+	if results == nil {
+		t.Fatal("Expected non-nil SearchResults object")
+	}
+	assertEqual(t, results.NumResults, 1, "Expected 1 search results")
+	assertEqual(t, results.Query, "fakequery", "Expected 'fakequery' as query")
+	assertEqual(t, results.Results[0].StarCount, 42, "Expected 'fakeimage' to have 42 stars")
+}
+
+func TestValidRemoteName(t *testing.T) {
+	validRepositoryNames := []string{
+		// Sanity check.
+		"docker/docker",
+
+		// Allow 64-character non-hexadecimal names (hexadecimal names are forbidden).
+		"thisisthesongthatneverendsitgoesonandonandonthisisthesongthatnev",
+
+		// Allow embedded hyphens.
+		"docker-rules/docker",
+
+		// Allow multiple hyphens as well.
+		"docker---rules/docker",
+
+		//Username doc and image name docker being tested.
+		"doc/docker",
+
+		// single character names are now allowed.
+		"d/docker",
+		"jess/t",
+	}
+	for _, repositoryName := range validRepositoryNames {
+		if err := validateRemoteName(repositoryName); err != nil {
+			t.Errorf("Repository name should be valid: %v. Error: %v", repositoryName, err)
+		}
+	}
+
+	invalidRepositoryNames := []string{
+		// Disallow capital letters.
+		"docker/Docker",
+
+		// Only allow one slash.
+		"docker///docker",
+
+		// Disallow 64-character hexadecimal.
+		"1a3f5e7d9c1b3a5f7e9d1c3b5a7f9e1d3c5b7a9f1e3d5d7c9b1a3f5e7d9c1b3a",
+
+		// Disallow leading and trailing hyphens in namespace.
+		"-docker/docker",
+		"docker-/docker",
+		"-docker-/docker",
+
+		// Don't allow underscores everywhere (as opposed to hyphens).
+		"____/____",
+
+		"_docker/_docker",
+
+		// Disallow consecutive underscores and periods.
+		"dock__er/docker",
+		"dock..er/docker",
+		"dock_.er/docker",
+		"dock-.er/docker",
+
+		// No repository.
+		"docker/",
+
+		//namespace too long
+		"this_is_not_a_valid_namespace_because_its_lenth_is_greater_than_255_this_is_not_a_valid_namespace_because_its_lenth_is_greater_than_255_this_is_not_a_valid_namespace_because_its_lenth_is_greater_than_255_this_is_not_a_valid_namespace_because_its_lenth_is_greater_than_255/docker",
+	}
+	for _, repositoryName := range invalidRepositoryNames {
+		if err := validateRemoteName(repositoryName); err == nil {
+			t.Errorf("Repository name should be invalid: %v", repositoryName)
+		}
+	}
+}
+
+func TestTrustedLocation(t *testing.T) {
+	for _, url := range []string{"http://example.com", "https://example.com:7777", "http://docker.io", "http://test.docker.com", "https://fakedocker.com"} {
+		req, _ := http.NewRequest("GET", url, nil)
+		if trustedLocation(req) == true {
+			t.Fatalf("'%s' shouldn't be detected as a trusted location", url)
+		}
+	}
+
+	for _, url := range []string{"https://docker.io", "https://test.docker.com:80"} {
+		req, _ := http.NewRequest("GET", url, nil)
+		if trustedLocation(req) == false {
+			t.Fatalf("'%s' should be detected as a trusted location", url)
+		}
+	}
+}
+
+func TestAddRequiredHeadersToRedirectedRequests(t *testing.T) {
+	for _, urls := range [][]string{
+		{"http://docker.io", "https://docker.com"},
+		{"https://foo.docker.io:7777", "http://bar.docker.com"},
+		{"https://foo.docker.io", "https://example.com"},
+	} {
+		reqFrom, _ := http.NewRequest("GET", urls[0], nil)
+		reqFrom.Header.Add("Content-Type", "application/json")
+		reqFrom.Header.Add("Authorization", "super_secret")
+		reqTo, _ := http.NewRequest("GET", urls[1], nil)
+
+		addRequiredHeadersToRedirectedRequests(reqTo, []*http.Request{reqFrom})
+
+		if len(reqTo.Header) != 1 {
+			t.Fatalf("Expected 1 headers, got %d", len(reqTo.Header))
+		}
+
+		if reqTo.Header.Get("Content-Type") != "application/json" {
+			t.Fatal("'Content-Type' should be 'application/json'")
+		}
+
+		if reqTo.Header.Get("Authorization") != "" {
+			t.Fatal("'Authorization' should be empty")
+		}
+	}
+
+	for _, urls := range [][]string{
+		{"https://docker.io", "https://docker.com"},
+		{"https://foo.docker.io:7777", "https://bar.docker.com"},
+	} {
+		reqFrom, _ := http.NewRequest("GET", urls[0], nil)
+		reqFrom.Header.Add("Content-Type", "application/json")
+		reqFrom.Header.Add("Authorization", "super_secret")
+		reqTo, _ := http.NewRequest("GET", urls[1], nil)
+
+		addRequiredHeadersToRedirectedRequests(reqTo, []*http.Request{reqFrom})
+
+		if len(reqTo.Header) != 2 {
+			t.Fatalf("Expected 2 headers, got %d", len(reqTo.Header))
+		}
+
+		if reqTo.Header.Get("Content-Type") != "application/json" {
+			t.Fatal("'Content-Type' should be 'application/json'")
+		}
+
+		if reqTo.Header.Get("Authorization") != "super_secret" {
+			t.Fatal("'Authorization' should be 'super_secret'")
+		}
+	}
+}
+
+func TestIsSecureIndex(t *testing.T) {
+	tests := []struct {
+		addr               string
+		insecureRegistries []string
+		expected           bool
+	}{
+		{IndexName, nil, true},
+		{"example.com", []string{}, true},
+		{"example.com", []string{"example.com"}, false},
+		{"localhost", []string{"localhost:5000"}, false},
+		{"localhost:5000", []string{"localhost:5000"}, false},
+		{"localhost", []string{"example.com"}, false},
+		{"127.0.0.1:5000", []string{"127.0.0.1:5000"}, false},
+		{"localhost", nil, false},
+		{"localhost:5000", nil, false},
+		{"127.0.0.1", nil, false},
+		{"localhost", []string{"example.com"}, false},
+		{"127.0.0.1", []string{"example.com"}, false},
+		{"example.com", nil, true},
+		{"example.com", []string{"example.com"}, false},
+		{"127.0.0.1", []string{"example.com"}, false},
+		{"127.0.0.1:5000", []string{"example.com"}, false},
+		{"example.com:5000", []string{"42.42.0.0/16"}, false},
+		{"example.com", []string{"42.42.0.0/16"}, false},
+		{"example.com:5000", []string{"42.42.42.42/8"}, false},
+		{"127.0.0.1:5000", []string{"127.0.0.0/8"}, false},
+		{"42.42.42.42:5000", []string{"42.1.1.1/8"}, false},
+		{"invalid.domain.com", []string{"42.42.0.0/16"}, true},
+		{"invalid.domain.com", []string{"invalid.domain.com"}, false},
+		{"invalid.domain.com:5000", []string{"invalid.domain.com"}, true},
+		{"invalid.domain.com:5000", []string{"invalid.domain.com:5000"}, false},
+	}
+	for _, tt := range tests {
+		config := makeServiceConfig(nil, tt.insecureRegistries)
+		if sec := config.isSecureIndex(tt.addr); sec != tt.expected {
+			t.Errorf("isSecureIndex failed for %q %v, expected %v got %v", tt.addr, tt.insecureRegistries, tt.expected, sec)
+		}
+	}
+}
+
+type debugTransport struct {
+	http.RoundTripper
+	log func(...interface{})
+}
+
+func (tr debugTransport) RoundTrip(req *http.Request) (*http.Response, error) {
+	dump, err := httputil.DumpRequestOut(req, false)
+	if err != nil {
+		tr.log("could not dump request")
+	}
+	tr.log(string(dump))
+	resp, err := tr.RoundTripper.RoundTrip(req)
+	if err != nil {
+		return nil, err
+	}
+	dump, err = httputil.DumpResponse(resp, false)
+	if err != nil {
+		tr.log("could not dump response")
+	}
+	tr.log(string(dump))
+	return resp, err
+}

docs/service.go

@@ -0,0 +1,162 @@
+package registry
+
+import (
+	"crypto/tls"
+	"net/http"
+	"net/url"
+
+	"github.com/docker/distribution/registry/client/auth"
+	"github.com/docker/docker/cliconfig"
+)
+
+// Service is a registry service. It tracks configuration data such as a list
+// of mirrors.
+type Service struct {
+	Config *ServiceConfig
+}
+
+// NewService returns a new instance of Service ready to be
+// installed into an engine.
+func NewService(options *Options) *Service {
+	return &Service{
+		Config: NewServiceConfig(options),
+	}
+}
+
+// Auth contacts the public registry with the provided credentials,
+// and returns OK if authentication was successful.
+// It can be used to verify the validity of a client's credentials.
+func (s *Service) Auth(authConfig *cliconfig.AuthConfig) (string, error) {
+	addr := authConfig.ServerAddress
+	if addr == "" {
+		// Use the official registry address if not specified.
+		addr = IndexServer
+	}
+	index, err := s.ResolveIndex(addr)
+	if err != nil {
+		return "", err
+	}
+
+	endpointVersion := APIVersion(APIVersionUnknown)
+	if V2Only {
+		// Override the endpoint to only attempt a v2 ping
+		endpointVersion = APIVersion2
+	}
+
+	endpoint, err := NewEndpoint(index, nil, endpointVersion)
+	if err != nil {
+		return "", err
+	}
+	authConfig.ServerAddress = endpoint.String()
+	return Login(authConfig, endpoint)
+}
+
+// Search queries the public registry for images matching the specified
+// search terms, and returns the results.
+func (s *Service) Search(term string, authConfig *cliconfig.AuthConfig, headers map[string][]string) (*SearchResults, error) {
+
+	repoInfo, err := s.ResolveRepositoryBySearch(term)
+	if err != nil {
+		return nil, err
+	}
+
+	// *TODO: Search multiple indexes.
+	endpoint, err := NewEndpoint(repoInfo.Index, http.Header(headers), APIVersionUnknown)
+	if err != nil {
+		return nil, err
+	}
+
+	r, err := NewSession(endpoint.client, authConfig, endpoint)
+	if err != nil {
+		return nil, err
+	}
+	return r.SearchRepositories(repoInfo.GetSearchTerm())
+}
+
+// ResolveRepository splits a repository name into its components
+// and configuration of the associated registry.
+func (s *Service) ResolveRepository(name string) (*RepositoryInfo, error) {
+	return s.Config.NewRepositoryInfo(name, false)
+}
+
+// ResolveRepositoryBySearch splits a repository name into its components
+// and configuration of the associated registry.
+func (s *Service) ResolveRepositoryBySearch(name string) (*RepositoryInfo, error) {
+	return s.Config.NewRepositoryInfo(name, true)
+}
+
+// ResolveIndex takes indexName and returns index info
+func (s *Service) ResolveIndex(name string) (*IndexInfo, error) {
+	return s.Config.NewIndexInfo(name)
+}
+
+// APIEndpoint represents a remote API endpoint
+type APIEndpoint struct {
+	Mirror        bool
+	URL           string
+	Version       APIVersion
+	Official      bool
+	TrimHostname  bool
+	TLSConfig     *tls.Config
+	VersionHeader string
+	Versions      []auth.APIVersion
+}
+
+// ToV1Endpoint returns a V1 API endpoint based on the APIEndpoint
+func (e APIEndpoint) ToV1Endpoint(metaHeaders http.Header) (*Endpoint, error) {
+	return newEndpoint(e.URL, e.TLSConfig, metaHeaders)
+}
+
+// TLSConfig constructs a client TLS configuration based on server defaults
+func (s *Service) TLSConfig(hostname string) (*tls.Config, error) {
+	return newTLSConfig(hostname, s.Config.isSecureIndex(hostname))
+}
+
+func (s *Service) tlsConfigForMirror(mirror string) (*tls.Config, error) {
+	mirrorURL, err := url.Parse(mirror)
+	if err != nil {
+		return nil, err
+	}
+	return s.TLSConfig(mirrorURL.Host)
+}
+
+// LookupPullEndpoints creates an list of endpoints to try to pull from, in order of preference.
+// It gives preference to v2 endpoints over v1, mirrors over the actual
+// registry, and HTTPS over plain HTTP.
+func (s *Service) LookupPullEndpoints(repoName string) (endpoints []APIEndpoint, err error) {
+	return s.lookupEndpoints(repoName)
+}
+
+// LookupPushEndpoints creates an list of endpoints to try to push to, in order of preference.
+// It gives preference to v2 endpoints over v1, and HTTPS over plain HTTP.
+// Mirrors are not included.
+func (s *Service) LookupPushEndpoints(repoName string) (endpoints []APIEndpoint, err error) {
+	allEndpoints, err := s.lookupEndpoints(repoName)
+	if err == nil {
+		for _, endpoint := range allEndpoints {
+			if !endpoint.Mirror {
+				endpoints = append(endpoints, endpoint)
+			}
+		}
+	}
+	return endpoints, err
+}
+
+func (s *Service) lookupEndpoints(repoName string) (endpoints []APIEndpoint, err error) {
+	endpoints, err = s.lookupV2Endpoints(repoName)
+	if err != nil {
+		return nil, err
+	}
+
+	if V2Only {
+		return endpoints, nil
+	}
+
+	legacyEndpoints, err := s.lookupV1Endpoints(repoName)
+	if err != nil {
+		return nil, err
+	}
+	endpoints = append(endpoints, legacyEndpoints...)
+
+	return endpoints, nil
+}

docs/service_v1.go

@@ -0,0 +1,54 @@
+package registry
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/docker/docker/pkg/tlsconfig"
+)
+
+func (s *Service) lookupV1Endpoints(repoName string) (endpoints []APIEndpoint, err error) {
+	var cfg = tlsconfig.ServerDefault
+	tlsConfig := &cfg
+	if strings.HasPrefix(repoName, DefaultNamespace+"/") {
+		endpoints = append(endpoints, APIEndpoint{
+			URL:          DefaultV1Registry,
+			Version:      APIVersion1,
+			Official:     true,
+			TrimHostname: true,
+			TLSConfig:    tlsConfig,
+		})
+		return endpoints, nil
+	}
+
+	slashIndex := strings.IndexRune(repoName, '/')
+	if slashIndex <= 0 {
+		return nil, fmt.Errorf("invalid repo name: missing '/':  %s", repoName)
+	}
+	hostname := repoName[:slashIndex]
+
+	tlsConfig, err = s.TLSConfig(hostname)
+	if err != nil {
+		return nil, err
+	}
+
+	endpoints = []APIEndpoint{
+		{
+			URL:          "https://" + hostname,
+			Version:      APIVersion1,
+			TrimHostname: true,
+			TLSConfig:    tlsConfig,
+		},
+	}
+
+	if tlsConfig.InsecureSkipVerify {
+		endpoints = append(endpoints, APIEndpoint{ // or this
+			URL:          "http://" + hostname,
+			Version:      APIVersion1,
+			TrimHostname: true,
+			// used to check if supposed to be secure via InsecureSkipVerify
+			TLSConfig: tlsConfig,
+		})
+	}
+	return endpoints, nil
+}

docs/service_v2.go

@@ -0,0 +1,83 @@
+package registry
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/docker/distribution/registry/client/auth"
+	"github.com/docker/docker/pkg/tlsconfig"
+)
+
+func (s *Service) lookupV2Endpoints(repoName string) (endpoints []APIEndpoint, err error) {
+	var cfg = tlsconfig.ServerDefault
+	tlsConfig := &cfg
+	if strings.HasPrefix(repoName, DefaultNamespace+"/") {
+		// v2 mirrors
+		for _, mirror := range s.Config.Mirrors {
+			mirrorTLSConfig, err := s.tlsConfigForMirror(mirror)
+			if err != nil {
+				return nil, err
+			}
+			endpoints = append(endpoints, APIEndpoint{
+				URL: mirror,
+				// guess mirrors are v2
+				Version:      APIVersion2,
+				Mirror:       true,
+				TrimHostname: true,
+				TLSConfig:    mirrorTLSConfig,
+			})
+		}
+		// v2 registry
+		endpoints = append(endpoints, APIEndpoint{
+			URL:          DefaultV2Registry,
+			Version:      APIVersion2,
+			Official:     true,
+			TrimHostname: true,
+			TLSConfig:    tlsConfig,
+		})
+
+		return endpoints, nil
+	}
+
+	slashIndex := strings.IndexRune(repoName, '/')
+	if slashIndex <= 0 {
+		return nil, fmt.Errorf("invalid repo name: missing '/':  %s", repoName)
+	}
+	hostname := repoName[:slashIndex]
+
+	tlsConfig, err = s.TLSConfig(hostname)
+	if err != nil {
+		return nil, err
+	}
+
+	v2Versions := []auth.APIVersion{
+		{
+			Type:    "registry",
+			Version: "2.0",
+		},
+	}
+	endpoints = []APIEndpoint{
+		{
+			URL:           "https://" + hostname,
+			Version:       APIVersion2,
+			TrimHostname:  true,
+			TLSConfig:     tlsConfig,
+			VersionHeader: DefaultRegistryVersionHeader,
+			Versions:      v2Versions,
+		},
+	}
+
+	if tlsConfig.InsecureSkipVerify {
+		endpoints = append(endpoints, APIEndpoint{
+			URL:          "http://" + hostname,
+			Version:      APIVersion2,
+			TrimHostname: true,
+			// used to check if supposed to be secure via InsecureSkipVerify
+			TLSConfig:     tlsConfig,
+			VersionHeader: DefaultRegistryVersionHeader,
+			Versions:      v2Versions,
+		})
+	}
+
+	return endpoints, nil
+}

docs/session.go

@@ -0,0 +1,761 @@
+package registry
+
+import (
+	"bytes"
+	"crypto/sha256"
+	"errors"
+	"sync"
+	// this is required for some certificates
+	_ "crypto/sha512"
+	"encoding/hex"
+	"encoding/json"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"net/http"
+	"net/http/cookiejar"
+	"net/url"
+	"strconv"
+	"strings"
+	"time"
+
+	"github.com/Sirupsen/logrus"
+	"github.com/docker/docker/cliconfig"
+	"github.com/docker/docker/pkg/httputils"
+	"github.com/docker/docker/pkg/ioutils"
+	"github.com/docker/docker/pkg/stringid"
+	"github.com/docker/docker/pkg/tarsum"
+	"github.com/docker/docker/utils"
+)
+
+var (
+	// ErrRepoNotFound is returned if the repository didn't exist on the
+	// remote side
+	ErrRepoNotFound = errors.New("Repository not found")
+)
+
+// A Session is used to communicate with a V1 registry
+type Session struct {
+	indexEndpoint *Endpoint
+	client        *http.Client
+	// TODO(tiborvass): remove authConfig
+	authConfig *cliconfig.AuthConfig
+	id         string
+}
+
+type authTransport struct {
+	http.RoundTripper
+	*cliconfig.AuthConfig
+
+	alwaysSetBasicAuth bool
+	token              []string
+
+	mu     sync.Mutex                      // guards modReq
+	modReq map[*http.Request]*http.Request // original -> modified
+}
+
+// AuthTransport handles the auth layer when communicating with a v1 registry (private or official)
+//
+// For private v1 registries, set alwaysSetBasicAuth to true.
+//
+// For the official v1 registry, if there isn't already an Authorization header in the request,
+// but there is an X-Docker-Token header set to true, then Basic Auth will be used to set the Authorization header.
+// After sending the request with the provided base http.RoundTripper, if an X-Docker-Token header, representing
+// a token, is present in the response, then it gets cached and sent in the Authorization header of all subsequent
+// requests.
+//
+// If the server sends a token without the client having requested it, it is ignored.
+//
+// This RoundTripper also has a CancelRequest method important for correct timeout handling.
+func AuthTransport(base http.RoundTripper, authConfig *cliconfig.AuthConfig, alwaysSetBasicAuth bool) http.RoundTripper {
+	if base == nil {
+		base = http.DefaultTransport
+	}
+	return &authTransport{
+		RoundTripper:       base,
+		AuthConfig:         authConfig,
+		alwaysSetBasicAuth: alwaysSetBasicAuth,
+		modReq:             make(map[*http.Request]*http.Request),
+	}
+}
+
+// cloneRequest returns a clone of the provided *http.Request.
+// The clone is a shallow copy of the struct and its Header map.
+func cloneRequest(r *http.Request) *http.Request {
+	// shallow copy of the struct
+	r2 := new(http.Request)
+	*r2 = *r
+	// deep copy of the Header
+	r2.Header = make(http.Header, len(r.Header))
+	for k, s := range r.Header {
+		r2.Header[k] = append([]string(nil), s...)
+	}
+
+	return r2
+}
+
+// RoundTrip changes a HTTP request's headers to add the necessary
+// authentication-related headers
+func (tr *authTransport) RoundTrip(orig *http.Request) (*http.Response, error) {
+	// Authorization should not be set on 302 redirect for untrusted locations.
+	// This logic mirrors the behavior in addRequiredHeadersToRedirectedRequests.
+	// As the authorization logic is currently implemented in RoundTrip,
+	// a 302 redirect is detected by looking at the Referer header as go http package adds said header.
+	// This is safe as Docker doesn't set Referer in other scenarios.
+	if orig.Header.Get("Referer") != "" && !trustedLocation(orig) {
+		return tr.RoundTripper.RoundTrip(orig)
+	}
+
+	req := cloneRequest(orig)
+	tr.mu.Lock()
+	tr.modReq[orig] = req
+	tr.mu.Unlock()
+
+	if tr.alwaysSetBasicAuth {
+		if tr.AuthConfig == nil {
+			return nil, errors.New("unexpected error: empty auth config")
+		}
+		req.SetBasicAuth(tr.Username, tr.Password)
+		return tr.RoundTripper.RoundTrip(req)
+	}
+
+	// Don't override
+	if req.Header.Get("Authorization") == "" {
+		if req.Header.Get("X-Docker-Token") == "true" && tr.AuthConfig != nil && len(tr.Username) > 0 {
+			req.SetBasicAuth(tr.Username, tr.Password)
+		} else if len(tr.token) > 0 {
+			req.Header.Set("Authorization", "Token "+strings.Join(tr.token, ","))
+		}
+	}
+	resp, err := tr.RoundTripper.RoundTrip(req)
+	if err != nil {
+		delete(tr.modReq, orig)
+		return nil, err
+	}
+	if len(resp.Header["X-Docker-Token"]) > 0 {
+		tr.token = resp.Header["X-Docker-Token"]
+	}
+	resp.Body = &ioutils.OnEOFReader{
+		Rc: resp.Body,
+		Fn: func() {
+			tr.mu.Lock()
+			delete(tr.modReq, orig)
+			tr.mu.Unlock()
+		},
+	}
+	return resp, nil
+}
+
+// CancelRequest cancels an in-flight request by closing its connection.
+func (tr *authTransport) CancelRequest(req *http.Request) {
+	type canceler interface {
+		CancelRequest(*http.Request)
+	}
+	if cr, ok := tr.RoundTripper.(canceler); ok {
+		tr.mu.Lock()
+		modReq := tr.modReq[req]
+		delete(tr.modReq, req)
+		tr.mu.Unlock()
+		cr.CancelRequest(modReq)
+	}
+}
+
+// NewSession creates a new session
+// TODO(tiborvass): remove authConfig param once registry client v2 is vendored
+func NewSession(client *http.Client, authConfig *cliconfig.AuthConfig, endpoint *Endpoint) (r *Session, err error) {
+	r = &Session{
+		authConfig:    authConfig,
+		client:        client,
+		indexEndpoint: endpoint,
+		id:            stringid.GenerateRandomID(),
+	}
+
+	var alwaysSetBasicAuth bool
+
+	// If we're working with a standalone private registry over HTTPS, send Basic Auth headers
+	// alongside all our requests.
+	if endpoint.VersionString(1) != IndexServer && endpoint.URL.Scheme == "https" {
+		info, err := endpoint.Ping()
+		if err != nil {
+			return nil, err
+		}
+		if info.Standalone && authConfig != nil {
+			logrus.Debugf("Endpoint %s is eligible for private registry. Enabling decorator.", endpoint.String())
+			alwaysSetBasicAuth = true
+		}
+	}
+
+	// Annotate the transport unconditionally so that v2 can
+	// properly fallback on v1 when an image is not found.
+	client.Transport = AuthTransport(client.Transport, authConfig, alwaysSetBasicAuth)
+
+	jar, err := cookiejar.New(nil)
+	if err != nil {
+		return nil, errors.New("cookiejar.New is not supposed to return an error")
+	}
+	client.Jar = jar
+
+	return r, nil
+}
+
+// ID returns this registry session's ID.
+func (r *Session) ID() string {
+	return r.id
+}
+
+// GetRemoteHistory retrieves the history of a given image from the registry.
+// It returns a list of the parent's JSON files (including the requested image).
+func (r *Session) GetRemoteHistory(imgID, registry string) ([]string, error) {
+	res, err := r.client.Get(registry + "images/" + imgID + "/ancestry")
+	if err != nil {
+		return nil, err
+	}
+	defer res.Body.Close()
+	if res.StatusCode != 200 {
+		if res.StatusCode == 401 {
+			return nil, errLoginRequired
+		}
+		return nil, httputils.NewHTTPRequestError(fmt.Sprintf("Server error: %d trying to fetch remote history for %s", res.StatusCode, imgID), res)
+	}
+
+	var history []string
+	if err := json.NewDecoder(res.Body).Decode(&history); err != nil {
+		return nil, fmt.Errorf("Error while reading the http response: %v", err)
+	}
+
+	logrus.Debugf("Ancestry: %v", history)
+	return history, nil
+}
+
+// LookupRemoteImage checks if an image exists in the registry
+func (r *Session) LookupRemoteImage(imgID, registry string) error {
+	res, err := r.client.Get(registry + "images/" + imgID + "/json")
+	if err != nil {
+		return err
+	}
+	res.Body.Close()
+	if res.StatusCode != 200 {
+		return httputils.NewHTTPRequestError(fmt.Sprintf("HTTP code %d", res.StatusCode), res)
+	}
+	return nil
+}
+
+// GetRemoteImageJSON retrieves an image's JSON metadata from the registry.
+func (r *Session) GetRemoteImageJSON(imgID, registry string) ([]byte, int64, error) {
+	res, err := r.client.Get(registry + "images/" + imgID + "/json")
+	if err != nil {
+		return nil, -1, fmt.Errorf("Failed to download json: %s", err)
+	}
+	defer res.Body.Close()
+	if res.StatusCode != 200 {
+		return nil, -1, httputils.NewHTTPRequestError(fmt.Sprintf("HTTP code %d", res.StatusCode), res)
+	}
+	// if the size header is not present, then set it to '-1'
+	imageSize := int64(-1)
+	if hdr := res.Header.Get("X-Docker-Size"); hdr != "" {
+		imageSize, err = strconv.ParseInt(hdr, 10, 64)
+		if err != nil {
+			return nil, -1, err
+		}
+	}
+
+	jsonString, err := ioutil.ReadAll(res.Body)
+	if err != nil {
+		return nil, -1, fmt.Errorf("Failed to parse downloaded json: %v (%s)", err, jsonString)
+	}
+	return jsonString, imageSize, nil
+}
+
+// GetRemoteImageLayer retrieves an image layer from the registry
+func (r *Session) GetRemoteImageLayer(imgID, registry string, imgSize int64) (io.ReadCloser, error) {
+	var (
+		retries    = 5
+		statusCode = 0
+		res        *http.Response
+		err        error
+		imageURL   = fmt.Sprintf("%simages/%s/layer", registry, imgID)
+	)
+
+	req, err := http.NewRequest("GET", imageURL, nil)
+	if err != nil {
+		return nil, fmt.Errorf("Error while getting from the server: %v", err)
+	}
+	// TODO(tiborvass): why are we doing retries at this level?
+	// These retries should be generic to both v1 and v2
+	for i := 1; i <= retries; i++ {
+		statusCode = 0
+		res, err = r.client.Do(req)
+		if err == nil {
+			break
+		}
+		logrus.Debugf("Error contacting registry %s: %v", registry, err)
+		if res != nil {
+			if res.Body != nil {
+				res.Body.Close()
+			}
+			statusCode = res.StatusCode
+		}
+		if i == retries {
+			return nil, fmt.Errorf("Server error: Status %d while fetching image layer (%s)",
+				statusCode, imgID)
+		}
+		time.Sleep(time.Duration(i) * 5 * time.Second)
+	}
+
+	if res.StatusCode != 200 {
+		res.Body.Close()
+		return nil, fmt.Errorf("Server error: Status %d while fetching image layer (%s)",
+			res.StatusCode, imgID)
+	}
+
+	if res.Header.Get("Accept-Ranges") == "bytes" && imgSize > 0 {
+		logrus.Debugf("server supports resume")
+		return httputils.ResumableRequestReaderWithInitialResponse(r.client, req, 5, imgSize, res), nil
+	}
+	logrus.Debugf("server doesn't support resume")
+	return res.Body, nil
+}
+
+// GetRemoteTag retrieves the tag named in the askedTag argument from the given
+// repository. It queries each of the registries supplied in the registries
+// argument, and returns data from the first one that answers the query
+// successfully.
+func (r *Session) GetRemoteTag(registries []string, repository string, askedTag string) (string, error) {
+	if strings.Count(repository, "/") == 0 {
+		// This will be removed once the registry supports auto-resolution on
+		// the "library" namespace
+		repository = "library/" + repository
+	}
+	for _, host := range registries {
+		endpoint := fmt.Sprintf("%srepositories/%s/tags/%s", host, repository, askedTag)
+		res, err := r.client.Get(endpoint)
+		if err != nil {
+			return "", err
+		}
+
+		logrus.Debugf("Got status code %d from %s", res.StatusCode, endpoint)
+		defer res.Body.Close()
+
+		if res.StatusCode == 404 {
+			return "", ErrRepoNotFound
+		}
+		if res.StatusCode != 200 {
+			continue
+		}
+
+		var tagID string
+		if err := json.NewDecoder(res.Body).Decode(&tagID); err != nil {
+			return "", err
+		}
+		return tagID, nil
+	}
+	return "", fmt.Errorf("Could not reach any registry endpoint")
+}
+
+// GetRemoteTags retrieves all tags from the given repository. It queries each
+// of the registries supplied in the registries argument, and returns data from
+// the first one that answers the query successfully. It returns a map with
+// tag names as the keys and image IDs as the values.
+func (r *Session) GetRemoteTags(registries []string, repository string) (map[string]string, error) {
+	if strings.Count(repository, "/") == 0 {
+		// This will be removed once the registry supports auto-resolution on
+		// the "library" namespace
+		repository = "library/" + repository
+	}
+	for _, host := range registries {
+		endpoint := fmt.Sprintf("%srepositories/%s/tags", host, repository)
+		res, err := r.client.Get(endpoint)
+		if err != nil {
+			return nil, err
+		}
+
+		logrus.Debugf("Got status code %d from %s", res.StatusCode, endpoint)
+		defer res.Body.Close()
+
+		if res.StatusCode == 404 {
+			return nil, ErrRepoNotFound
+		}
+		if res.StatusCode != 200 {
+			continue
+		}
+
+		result := make(map[string]string)
+		if err := json.NewDecoder(res.Body).Decode(&result); err != nil {
+			return nil, err
+		}
+		return result, nil
+	}
+	return nil, fmt.Errorf("Could not reach any registry endpoint")
+}
+
+func buildEndpointsList(headers []string, indexEp string) ([]string, error) {
+	var endpoints []string
+	parsedURL, err := url.Parse(indexEp)
+	if err != nil {
+		return nil, err
+	}
+	var urlScheme = parsedURL.Scheme
+	// The registry's URL scheme has to match the Index'
+	for _, ep := range headers {
+		epList := strings.Split(ep, ",")
+		for _, epListElement := range epList {
+			endpoints = append(
+				endpoints,
+				fmt.Sprintf("%s://%s/v1/", urlScheme, strings.TrimSpace(epListElement)))
+		}
+	}
+	return endpoints, nil
+}
+
+// GetRepositoryData returns lists of images and endpoints for the repository
+func (r *Session) GetRepositoryData(remote string) (*RepositoryData, error) {
+	repositoryTarget := fmt.Sprintf("%srepositories/%s/images", r.indexEndpoint.VersionString(1), remote)
+
+	logrus.Debugf("[registry] Calling GET %s", repositoryTarget)
+
+	req, err := http.NewRequest("GET", repositoryTarget, nil)
+	if err != nil {
+		return nil, err
+	}
+	// this will set basic auth in r.client.Transport and send cached X-Docker-Token headers for all subsequent requests
+	req.Header.Set("X-Docker-Token", "true")
+	res, err := r.client.Do(req)
+	if err != nil {
+		// check if the error is because of i/o timeout
+		// and return a non-obtuse error message for users
+		// "Get https://index.docker.io/v1/repositories/library/busybox/images: i/o timeout"
+		// was a top search on the docker user forum
+		if utils.IsTimeout(err) {
+			return nil, fmt.Errorf("Network timed out while trying to connect to %s. You may want to check your internet connection or if you are behind a proxy.", repositoryTarget)
+		}
+		return nil, fmt.Errorf("Error while pulling image: %v", err)
+	}
+	defer res.Body.Close()
+	if res.StatusCode == 401 {
+		return nil, errLoginRequired
+	}
+	// TODO: Right now we're ignoring checksums in the response body.
+	// In the future, we need to use them to check image validity.
+	if res.StatusCode == 404 {
+		return nil, httputils.NewHTTPRequestError(fmt.Sprintf("HTTP code: %d", res.StatusCode), res)
+	} else if res.StatusCode != 200 {
+		errBody, err := ioutil.ReadAll(res.Body)
+		if err != nil {
+			logrus.Debugf("Error reading response body: %s", err)
+		}
+		return nil, httputils.NewHTTPRequestError(fmt.Sprintf("Error: Status %d trying to pull repository %s: %q", res.StatusCode, remote, errBody), res)
+	}
+
+	var endpoints []string
+	if res.Header.Get("X-Docker-Endpoints") != "" {
+		endpoints, err = buildEndpointsList(res.Header["X-Docker-Endpoints"], r.indexEndpoint.VersionString(1))
+		if err != nil {
+			return nil, err
+		}
+	} else {
+		// Assume the endpoint is on the same host
+		endpoints = append(endpoints, fmt.Sprintf("%s://%s/v1/", r.indexEndpoint.URL.Scheme, req.URL.Host))
+	}
+
+	remoteChecksums := []*ImgData{}
+	if err := json.NewDecoder(res.Body).Decode(&remoteChecksums); err != nil {
+		return nil, err
+	}
+
+	// Forge a better object from the retrieved data
+	imgsData := make(map[string]*ImgData, len(remoteChecksums))
+	for _, elem := range remoteChecksums {
+		imgsData[elem.ID] = elem
+	}
+
+	return &RepositoryData{
+		ImgList:   imgsData,
+		Endpoints: endpoints,
+	}, nil
+}
+
+// PushImageChecksumRegistry uploads checksums for an image
+func (r *Session) PushImageChecksumRegistry(imgData *ImgData, registry string) error {
+	u := registry + "images/" + imgData.ID + "/checksum"
+
+	logrus.Debugf("[registry] Calling PUT %s", u)
+
+	req, err := http.NewRequest("PUT", u, nil)
+	if err != nil {
+		return err
+	}
+	req.Header.Set("X-Docker-Checksum", imgData.Checksum)
+	req.Header.Set("X-Docker-Checksum-Payload", imgData.ChecksumPayload)
+
+	res, err := r.client.Do(req)
+	if err != nil {
+		return fmt.Errorf("Failed to upload metadata: %v", err)
+	}
+	defer res.Body.Close()
+	if len(res.Cookies()) > 0 {
+		r.client.Jar.SetCookies(req.URL, res.Cookies())
+	}
+	if res.StatusCode != 200 {
+		errBody, err := ioutil.ReadAll(res.Body)
+		if err != nil {
+			return fmt.Errorf("HTTP code %d while uploading metadata and error when trying to parse response body: %s", res.StatusCode, err)
+		}
+		var jsonBody map[string]string
+		if err := json.Unmarshal(errBody, &jsonBody); err != nil {
+			errBody = []byte(err.Error())
+		} else if jsonBody["error"] == "Image already exists" {
+			return ErrAlreadyExists
+		}
+		return fmt.Errorf("HTTP code %d while uploading metadata: %q", res.StatusCode, errBody)
+	}
+	return nil
+}
+
+// PushImageJSONRegistry pushes JSON metadata for a local image to the registry
+func (r *Session) PushImageJSONRegistry(imgData *ImgData, jsonRaw []byte, registry string) error {
+
+	u := registry + "images/" + imgData.ID + "/json"
+
+	logrus.Debugf("[registry] Calling PUT %s", u)
+
+	req, err := http.NewRequest("PUT", u, bytes.NewReader(jsonRaw))
+	if err != nil {
+		return err
+	}
+	req.Header.Add("Content-type", "application/json")
+
+	res, err := r.client.Do(req)
+	if err != nil {
+		return fmt.Errorf("Failed to upload metadata: %s", err)
+	}
+	defer res.Body.Close()
+	if res.StatusCode == 401 && strings.HasPrefix(registry, "http://") {
+		return httputils.NewHTTPRequestError("HTTP code 401, Docker will not send auth headers over HTTP.", res)
+	}
+	if res.StatusCode != 200 {
+		errBody, err := ioutil.ReadAll(res.Body)
+		if err != nil {
+			return httputils.NewHTTPRequestError(fmt.Sprintf("HTTP code %d while uploading metadata and error when trying to parse response body: %s", res.StatusCode, err), res)
+		}
+		var jsonBody map[string]string
+		if err := json.Unmarshal(errBody, &jsonBody); err != nil {
+			errBody = []byte(err.Error())
+		} else if jsonBody["error"] == "Image already exists" {
+			return ErrAlreadyExists
+		}
+		return httputils.NewHTTPRequestError(fmt.Sprintf("HTTP code %d while uploading metadata: %q", res.StatusCode, errBody), res)
+	}
+	return nil
+}
+
+// PushImageLayerRegistry sends the checksum of an image layer to the registry
+func (r *Session) PushImageLayerRegistry(imgID string, layer io.Reader, registry string, jsonRaw []byte) (checksum string, checksumPayload string, err error) {
+	u := registry + "images/" + imgID + "/layer"
+
+	logrus.Debugf("[registry] Calling PUT %s", u)
+
+	tarsumLayer, err := tarsum.NewTarSum(layer, false, tarsum.Version0)
+	if err != nil {
+		return "", "", err
+	}
+	h := sha256.New()
+	h.Write(jsonRaw)
+	h.Write([]byte{'\n'})
+	checksumLayer := io.TeeReader(tarsumLayer, h)
+
+	req, err := http.NewRequest("PUT", u, checksumLayer)
+	if err != nil {
+		return "", "", err
+	}
+	req.Header.Add("Content-Type", "application/octet-stream")
+	req.ContentLength = -1
+	req.TransferEncoding = []string{"chunked"}
+	res, err := r.client.Do(req)
+	if err != nil {
+		return "", "", fmt.Errorf("Failed to upload layer: %v", err)
+	}
+	if rc, ok := layer.(io.Closer); ok {
+		if err := rc.Close(); err != nil {
+			return "", "", err
+		}
+	}
+	defer res.Body.Close()
+
+	if res.StatusCode != 200 {
+		errBody, err := ioutil.ReadAll(res.Body)
+		if err != nil {
+			return "", "", httputils.NewHTTPRequestError(fmt.Sprintf("HTTP code %d while uploading metadata and error when trying to parse response body: %s", res.StatusCode, err), res)
+		}
+		return "", "", httputils.NewHTTPRequestError(fmt.Sprintf("Received HTTP code %d while uploading layer: %q", res.StatusCode, errBody), res)
+	}
+
+	checksumPayload = "sha256:" + hex.EncodeToString(h.Sum(nil))
+	return tarsumLayer.Sum(jsonRaw), checksumPayload, nil
+}
+
+// PushRegistryTag pushes a tag on the registry.
+// Remote has the format '<user>/<repo>
+func (r *Session) PushRegistryTag(remote, revision, tag, registry string) error {
+	// "jsonify" the string
+	revision = "\"" + revision + "\""
+	path := fmt.Sprintf("repositories/%s/tags/%s", remote, tag)
+
+	req, err := http.NewRequest("PUT", registry+path, strings.NewReader(revision))
+	if err != nil {
+		return err
+	}
+	req.Header.Add("Content-type", "application/json")
+	req.ContentLength = int64(len(revision))
+	res, err := r.client.Do(req)
+	if err != nil {
+		return err
+	}
+	res.Body.Close()
+	if res.StatusCode != 200 && res.StatusCode != 201 {
+		return httputils.NewHTTPRequestError(fmt.Sprintf("Internal server error: %d trying to push tag %s on %s", res.StatusCode, tag, remote), res)
+	}
+	return nil
+}
+
+// PushImageJSONIndex uploads an image list to the repository
+func (r *Session) PushImageJSONIndex(remote string, imgList []*ImgData, validate bool, regs []string) (*RepositoryData, error) {
+	cleanImgList := []*ImgData{}
+	if validate {
+		for _, elem := range imgList {
+			if elem.Checksum != "" {
+				cleanImgList = append(cleanImgList, elem)
+			}
+		}
+	} else {
+		cleanImgList = imgList
+	}
+
+	imgListJSON, err := json.Marshal(cleanImgList)
+	if err != nil {
+		return nil, err
+	}
+	var suffix string
+	if validate {
+		suffix = "images"
+	}
+	u := fmt.Sprintf("%srepositories/%s/%s", r.indexEndpoint.VersionString(1), remote, suffix)
+	logrus.Debugf("[registry] PUT %s", u)
+	logrus.Debugf("Image list pushed to index:\n%s", imgListJSON)
+	headers := map[string][]string{
+		"Content-type": {"application/json"},
+		// this will set basic auth in r.client.Transport and send cached X-Docker-Token headers for all subsequent requests
+		"X-Docker-Token": {"true"},
+	}
+	if validate {
+		headers["X-Docker-Endpoints"] = regs
+	}
+
+	// Redirect if necessary
+	var res *http.Response
+	for {
+		if res, err = r.putImageRequest(u, headers, imgListJSON); err != nil {
+			return nil, err
+		}
+		if !shouldRedirect(res) {
+			break
+		}
+		res.Body.Close()
+		u = res.Header.Get("Location")
+		logrus.Debugf("Redirected to %s", u)
+	}
+	defer res.Body.Close()
+
+	if res.StatusCode == 401 {
+		return nil, errLoginRequired
+	}
+
+	var tokens, endpoints []string
+	if !validate {
+		if res.StatusCode != 200 && res.StatusCode != 201 {
+			errBody, err := ioutil.ReadAll(res.Body)
+			if err != nil {
+				logrus.Debugf("Error reading response body: %s", err)
+			}
+			return nil, httputils.NewHTTPRequestError(fmt.Sprintf("Error: Status %d trying to push repository %s: %q", res.StatusCode, remote, errBody), res)
+		}
+		tokens = res.Header["X-Docker-Token"]
+		logrus.Debugf("Auth token: %v", tokens)
+
+		if res.Header.Get("X-Docker-Endpoints") == "" {
+			return nil, fmt.Errorf("Index response didn't contain any endpoints")
+		}
+		endpoints, err = buildEndpointsList(res.Header["X-Docker-Endpoints"], r.indexEndpoint.VersionString(1))
+		if err != nil {
+			return nil, err
+		}
+	} else {
+		if res.StatusCode != 204 {
+			errBody, err := ioutil.ReadAll(res.Body)
+			if err != nil {
+				logrus.Debugf("Error reading response body: %s", err)
+			}
+			return nil, httputils.NewHTTPRequestError(fmt.Sprintf("Error: Status %d trying to push checksums %s: %q", res.StatusCode, remote, errBody), res)
+		}
+	}
+
+	return &RepositoryData{
+		Endpoints: endpoints,
+	}, nil
+}
+
+func (r *Session) putImageRequest(u string, headers map[string][]string, body []byte) (*http.Response, error) {
+	req, err := http.NewRequest("PUT", u, bytes.NewReader(body))
+	if err != nil {
+		return nil, err
+	}
+	req.ContentLength = int64(len(body))
+	for k, v := range headers {
+		req.Header[k] = v
+	}
+	response, err := r.client.Do(req)
+	if err != nil {
+		return nil, err
+	}
+	return response, nil
+}
+
+func shouldRedirect(response *http.Response) bool {
+	return response.StatusCode >= 300 && response.StatusCode < 400
+}
+
+// SearchRepositories performs a search against the remote repository
+func (r *Session) SearchRepositories(term string) (*SearchResults, error) {
+	logrus.Debugf("Index server: %s", r.indexEndpoint)
+	u := r.indexEndpoint.VersionString(1) + "search?q=" + url.QueryEscape(term)
+
+	req, err := http.NewRequest("GET", u, nil)
+	if err != nil {
+		return nil, fmt.Errorf("Error while getting from the server: %v", err)
+	}
+	// Have the AuthTransport send authentication, when logged in.
+	req.Header.Set("X-Docker-Token", "true")
+	res, err := r.client.Do(req)
+	if err != nil {
+		return nil, err
+	}
+	defer res.Body.Close()
+	if res.StatusCode != 200 {
+		return nil, httputils.NewHTTPRequestError(fmt.Sprintf("Unexpected status code %d", res.StatusCode), res)
+	}
+	result := new(SearchResults)
+	return result, json.NewDecoder(res.Body).Decode(result)
+}
+
+// GetAuthConfig returns the authentication settings for a session
+// TODO(tiborvass): remove this once registry client v2 is vendored
+func (r *Session) GetAuthConfig(withPasswd bool) *cliconfig.AuthConfig {
+	password := ""
+	if withPasswd {
+		password = r.authConfig.Password
+	}
+	return &cliconfig.AuthConfig{
+		Username: r.authConfig.Username,
+		Password: password,
+		Email:    r.authConfig.Email,
+	}
+}

docs/token.go

@@ -0,0 +1,81 @@
+package registry
+
+import (
+	"encoding/json"
+	"errors"
+	"fmt"
+	"net/http"
+	"net/url"
+	"strings"
+)
+
+type tokenResponse struct {
+	Token string `json:"token"`
+}
+
+func getToken(username, password string, params map[string]string, registryEndpoint *Endpoint) (string, error) {
+	realm, ok := params["realm"]
+	if !ok {
+		return "", errors.New("no realm specified for token auth challenge")
+	}
+
+	realmURL, err := url.Parse(realm)
+	if err != nil {
+		return "", fmt.Errorf("invalid token auth challenge realm: %s", err)
+	}
+
+	if realmURL.Scheme == "" {
+		if registryEndpoint.IsSecure {
+			realmURL.Scheme = "https"
+		} else {
+			realmURL.Scheme = "http"
+		}
+	}
+
+	req, err := http.NewRequest("GET", realmURL.String(), nil)
+	if err != nil {
+		return "", err
+	}
+
+	reqParams := req.URL.Query()
+	service := params["service"]
+	scope := params["scope"]
+
+	if service != "" {
+		reqParams.Add("service", service)
+	}
+
+	for _, scopeField := range strings.Fields(scope) {
+		reqParams.Add("scope", scopeField)
+	}
+
+	if username != "" {
+		reqParams.Add("account", username)
+		req.SetBasicAuth(username, password)
+	}
+
+	req.URL.RawQuery = reqParams.Encode()
+
+	resp, err := registryEndpoint.client.Do(req)
+	if err != nil {
+		return "", err
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		return "", fmt.Errorf("token auth attempt for registry %s: %s request failed with status: %d %s", registryEndpoint, req.URL, resp.StatusCode, http.StatusText(resp.StatusCode))
+	}
+
+	decoder := json.NewDecoder(resp.Body)
+
+	tr := new(tokenResponse)
+	if err = decoder.Decode(tr); err != nil {
+		return "", fmt.Errorf("unable to decode token response: %s", err)
+	}
+
+	if tr.Token == "" {
+		return "", errors.New("authorization server did not include a token in the response")
+	}
+
+	return tr.Token, nil
+}

docs/types.go

@@ -0,0 +1,140 @@
+package registry
+
+// SearchResult describes a search result returned from a registry
+type SearchResult struct {
+	// StarCount indicates the number of stars this repository has
+	StarCount int `json:"star_count"`
+	// IsOfficial indicates whether the result is an official repository or not
+	IsOfficial bool `json:"is_official"`
+	// Name is the name of the repository
+	Name string `json:"name"`
+	// IsOfficial indicates whether the result is trusted
+	IsTrusted bool `json:"is_trusted"`
+	// IsAutomated indicates whether the result is automated
+	IsAutomated bool `json:"is_automated"`
+	// Description is a textual description of the repository
+	Description string `json:"description"`
+}
+
+// SearchResults lists a collection search results returned from a registry
+type SearchResults struct {
+	// Query contains the query string that generated the search results
+	Query string `json:"query"`
+	// NumResults indicates the number of results the query returned
+	NumResults int `json:"num_results"`
+	// Results is a slice containing the acutal results for the search
+	Results []SearchResult `json:"results"`
+}
+
+// RepositoryData tracks the image list, list of endpoints, and list of tokens
+// for a repository
+type RepositoryData struct {
+	// ImgList is a list of images in the repository
+	ImgList map[string]*ImgData
+	// Endpoints is a list of endpoints returned in X-Docker-Endpoints
+	Endpoints []string
+	// Tokens is currently unused (remove it?)
+	Tokens []string
+}
+
+// ImgData is used to transfer image checksums to and from the registry
+type ImgData struct {
+	// ID is an opaque string that identifies the image
+	ID              string `json:"id"`
+	Checksum        string `json:"checksum,omitempty"`
+	ChecksumPayload string `json:"-"`
+	Tag             string `json:",omitempty"`
+}
+
+// PingResult contains the information returned when pinging a registry. It
+// indicates the registry's version and whether the registry claims to be a
+// standalone registry.
+type PingResult struct {
+	// Version is the registry version supplied by the registry in a HTTP
+	// header
+	Version string `json:"version"`
+	// Standalone is set to true if the registry indicates it is a
+	// standalone registry in the X-Docker-Registry-Standalone
+	// header
+	Standalone bool `json:"standalone"`
+}
+
+// APIVersion is an integral representation of an API version (presently
+// either 1 or 2)
+type APIVersion int
+
+func (av APIVersion) String() string {
+	return apiVersions[av]
+}
+
+var apiVersions = map[APIVersion]string{
+	1: "v1",
+	2: "v2",
+}
+
+// API Version identifiers.
+const (
+	APIVersionUnknown = iota
+	APIVersion1
+	APIVersion2
+)
+
+// IndexInfo contains information about a registry
+//
+// RepositoryInfo Examples:
+// {
+//   "Index" : {
+//     "Name" : "docker.io",
+//     "Mirrors" : ["https://registry-2.docker.io/v1/", "https://registry-3.docker.io/v1/"],
+//     "Secure" : true,
+//     "Official" : true,
+//   },
+//   "RemoteName" : "library/debian",
+//   "LocalName" : "debian",
+//   "CanonicalName" : "docker.io/debian"
+//   "Official" : true,
+// }
+//
+// {
+//   "Index" : {
+//     "Name" : "127.0.0.1:5000",
+//     "Mirrors" : [],
+//     "Secure" : false,
+//     "Official" : false,
+//   },
+//   "RemoteName" : "user/repo",
+//   "LocalName" : "127.0.0.1:5000/user/repo",
+//   "CanonicalName" : "127.0.0.1:5000/user/repo",
+//   "Official" : false,
+// }
+type IndexInfo struct {
+	// Name is the name of the registry, such as "docker.io"
+	Name string
+	// Mirrors is a list of mirrors, expressed as URIs
+	Mirrors []string
+	// Secure is set to false if the registry is part of the list of
+	// insecure registries. Insecure registries accept HTTP and/or accept
+	// HTTPS with certificates from unknown CAs.
+	Secure bool
+	// Official indicates whether this is an official registry
+	Official bool
+}
+
+// RepositoryInfo describes a repository
+type RepositoryInfo struct {
+	// Index points to registry information
+	Index *IndexInfo
+	// RemoteName is the remote name of the repository, such as
+	// "library/ubuntu-12.04-base"
+	RemoteName string
+	// LocalName is the local name of the repository, such as
+	// "ubuntu-12.04-base"
+	LocalName string
+	// CanonicalName is the canonical name of the repository, such as
+	// "docker.io/library/ubuntu-12.04-base"
+	CanonicalName string
+	// Official indicates whether the repository is considered official.
+	// If the registry is official, and the normalized name does not
+	// contain a '/' (e.g. "foo"), then it is considered an official repo.
+	Official bool
+}