Merge pull request #19733 from calavera/auth_error_on_post_create

Respond with 401 when there is an unauthorized error from the registry.

api/server/router/local/image.go

@@ -7,9 +7,11 @@ import (
 	"fmt"
 	"io"
 	"net/http"
+	"net/url"
 	"strings"
 
 	"github.com/docker/distribution/digest"
+	"github.com/docker/distribution/registry/api/errcode"
 	"github.com/docker/docker/api/server/httputils"
 	"github.com/docker/docker/builder/dockerfile"
 	derr "github.com/docker/docker/errors"
@@ -137,6 +139,12 @@ func (s *router) postImagesCreate(ctx context.Context, w http.ResponseWriter, r
 				err = s.daemon.PullImage(ref, metaHeaders, authConfig, output)
 			}
 		}
+		// Check the error from pulling an image to make sure the request
+		// was authorized. Modify the status if the request was
+		// unauthorized to respond with 401 rather than 500.
+		if err != nil && isAuthorizedError(err) {
+			err = errcode.ErrorCodeUnauthorized.WithMessage(fmt.Sprintf("Authentication is required: %s", err))
+		}
 	} else { //import
 		var newRef reference.Named
 		if repo != "" {
@@ -373,3 +381,16 @@ func (s *router) getImagesSearch(ctx context.Context, w http.ResponseWriter, r *
 	}
 	return httputils.WriteJSON(w, http.StatusOK, query.Results)
 }
+
+func isAuthorizedError(err error) bool {
+	if urlError, ok := err.(*url.Error); ok {
+		err = urlError.Err
+	}
+
+	if dError, ok := err.(errcode.Error); ok {
+		if dError.ErrorCode() == errcode.ErrorCodeUnauthorized {
+			return true
+		}
+	}
+	return false
+}

registry/registry.go

@@ -28,7 +28,6 @@ var (
 	// ErrAlreadyExists is an error returned if an image being pushed
 	// already exists on the remote side
 	ErrAlreadyExists = errors.New("Image already exists")
-	errLoginRequired = errors.New("Authentication is required.")
 )
 
 func init() {

registry/session.go

@@ -19,6 +19,7 @@ import (
 	"strings"
 
 	"github.com/Sirupsen/logrus"
+	"github.com/docker/distribution/registry/api/errcode"
 	"github.com/docker/docker/pkg/httputils"
 	"github.com/docker/docker/pkg/ioutils"
 	"github.com/docker/docker/pkg/stringid"
@@ -213,7 +214,7 @@ func (r *Session) GetRemoteHistory(imgID, registry string) ([]string, error) {
 	defer res.Body.Close()
 	if res.StatusCode != 200 {
 		if res.StatusCode == 401 {
-			return nil, errLoginRequired
+			return nil, errcode.ErrorCodeUnauthorized.WithArgs()
 		}
 		return nil, httputils.NewHTTPRequestError(fmt.Sprintf("Server error: %d trying to fetch remote history for %s", res.StatusCode, imgID), res)
 	}
@@ -427,7 +428,7 @@ func (r *Session) GetRepositoryData(name reference.Named) (*RepositoryData, erro
 	}
 	defer res.Body.Close()
 	if res.StatusCode == 401 {
-		return nil, errLoginRequired
+		return nil, errcode.ErrorCodeUnauthorized.WithArgs()
 	}
 	// TODO: Right now we're ignoring checksums in the response body.
 	// In the future, we need to use them to check image validity.
@@ -661,7 +662,7 @@ func (r *Session) PushImageJSONIndex(remote reference.Named, imgList []*ImgData,
 	defer res.Body.Close()
 
 	if res.StatusCode == 401 {
-		return nil, errLoginRequired
+		return nil, errcode.ErrorCodeUnauthorized.WithArgs()
 	}
 
 	var tokens, endpoints []string