Login against private registry

To improve the use of docker with a private registry the login
command is extended with a parameter for the server address.

While implementing i noticed that two problems hindered authentication to a
private registry:

1. the resolve of the authentication did not match during push
   because the looked up key was for example localhost:8080 but
   the stored one would have been https://localhost:8080

   Besides The lookup needs to still work if the https->http fallback
   is used

2. During pull of an image no authentication is sent, which
   means all repositories are expected to be private.

These points are fixed now. The changes are implemented in
a way to be compatible to existing behavior both in the
API as also with the private registry.

Update:

- login does not require the full url any more, you can login
  to the repository prefix:

  example:
  docker logon localhost:8080

Fixed corner corner cases:

- When login is done during pull and push the registry endpoint is used and
  not the central index

- When Remote sends a 401 during pull, it is now correctly delegating to
  CmdLogin

- After a Login is done pull and push are using the newly entered login data,
  and not the previous ones. This one seems to be also broken in master, too.

- Auth config is now transfered in a parameter instead of the body when
  /images/create is called.

api.go

@@ -3,6 +3,7 @@ package docker
 import (
 	"code.google.com/p/go.net/websocket"
 	"encoding/json"
+	"encoding/base64"
 	"fmt"
 	"github.com/dotcloud/docker/auth"
 	"github.com/dotcloud/docker/utils"
@@ -394,6 +395,16 @@ func postImagesCreate(srv *Server, version float64, w http.ResponseWriter, r *ht
 	tag := r.Form.Get("tag")
 	repo := r.Form.Get("repo")
 
+	authEncoded := r.Form.Get("authConfig")
+	authConfig := &auth.AuthConfig{}
+	if authEncoded != "" {
+		authJson := base64.NewDecoder(base64.URLEncoding, strings.NewReader(authEncoded))
+		if err := json.NewDecoder(authJson).Decode(authConfig); err != nil {
+			// for a pull it is not an error if no auth was given
+			// to increase compatibilit to existing api it is defaulting to be empty
+			authConfig = &auth.AuthConfig{}
+		}
+	}
 	if version > 1.0 {
 		w.Header().Set("Content-Type", "application/json")
 	}
@@ -405,7 +416,7 @@ func postImagesCreate(srv *Server, version float64, w http.ResponseWriter, r *ht
 				metaHeaders[k] = v
 			}
 		}
-		if err := srv.ImagePull(image, tag, w, sf, &auth.AuthConfig{}, metaHeaders, version > 1.3); err != nil {
+		if err := srv.ImagePull(image, tag, w, sf, authConfig, metaHeaders, version > 1.3); err != nil {
 			if sf.Used() {
 				w.Write(sf.FormatError(err))
 				return nil

auth/auth.go

@@ -26,10 +26,11 @@ var (
 )
 
 type AuthConfig struct {
-	Username string `json:"username,omitempty"`
+	Username      string `json:"username,omitempty"`
-	Password string `json:"password,omitempty"`
+	Password      string `json:"password,omitempty"`
-	Auth     string `json:"auth"`
+	Auth          string `json:"auth"`
-	Email    string `json:"email"`
+	Email         string `json:"email"`
+	ServerAddress string `json:"serveraddress,omitempty"`
 }
 
 type ConfigFile struct {
@@ -96,6 +97,7 @@ func LoadConfig(rootPath string) (*ConfigFile, error) {
 		}
 		origEmail := strings.Split(arr[1], " = ")
 		authConfig.Email = origEmail[1]
+		authConfig.ServerAddress = IndexServerAddress()
 		configFile.Configs[IndexServerAddress()] = authConfig
 	} else {
 		for k, authConfig := range configFile.Configs {
@@ -105,6 +107,7 @@ func LoadConfig(rootPath string) (*ConfigFile, error) {
 			}
 			authConfig.Auth = ""
 			configFile.Configs[k] = authConfig
+			authConfig.ServerAddress = k
 		}
 	}
 	return &configFile, nil
@@ -125,7 +128,7 @@ func SaveConfig(configFile *ConfigFile) error {
 		authCopy.Auth = encodeAuth(&authCopy)
 		authCopy.Username = ""
 		authCopy.Password = ""
-
+		authCopy.ServerAddress = ""
 		configs[k] = authCopy
 	}
 
@@ -146,14 +149,26 @@ func Login(authConfig *AuthConfig, factory *utils.HTTPRequestFactory) (string, e
 	reqStatusCode := 0
 	var status string
 	var reqBody []byte
-	jsonBody, err := json.Marshal(authConfig)
+
+	serverAddress := authConfig.ServerAddress
+	if serverAddress == "" {
+		serverAddress = IndexServerAddress()
+	}
+
+	loginAgainstOfficialIndex := serverAddress == IndexServerAddress()
+
+	// to avoid sending the server address to the server it should be removed before marshalled
+	authCopy := *authConfig
+	authCopy.ServerAddress = ""
+
+	jsonBody, err := json.Marshal(authCopy)
 	if err != nil {
 		return "", fmt.Errorf("Config Error: %s", err)
 	}
 
 	// using `bytes.NewReader(jsonBody)` here causes the server to respond with a 411 status.
 	b := strings.NewReader(string(jsonBody))
-	req1, err := http.Post(IndexServerAddress()+"users/", "application/json; charset=utf-8", b)
+	req1, err := http.Post(serverAddress+"users/", "application/json; charset=utf-8", b)
 	if err != nil {
 		return "", fmt.Errorf("Server Error: %s", err)
 	}
@@ -165,14 +180,23 @@ func Login(authConfig *AuthConfig, factory *utils.HTTPRequestFactory) (string, e
 	}
 
 	if reqStatusCode == 201 {
-		status = "Account created. Please use the confirmation link we sent" +
+		if loginAgainstOfficialIndex {
-			" to your e-mail to activate it."
+			status = "Account created. Please use the confirmation link we sent" +
+				" to your e-mail to activate it."
+		} else {
+			status = "Account created. Please see the documentation of the registry " + serverAddress + " for instructions how to activate it."
+		}
 	} else if reqStatusCode == 403 {
-		return "", fmt.Errorf("Login: Your account hasn't been activated. " +
+		if loginAgainstOfficialIndex {
-			"Please check your e-mail for a confirmation link.")
+			return "", fmt.Errorf("Login: Your account hasn't been activated. " +
+				"Please check your e-mail for a confirmation link.")
+		} else {
+			return "", fmt.Errorf("Login: Your account hasn't been activated. " +
+				"Please see the documentation of the registry " + serverAddress + " for instructions how to activate it.")
+		}
 	} else if reqStatusCode == 400 {
 		if string(reqBody) == "\"Username or email already exists\"" {
-			req, err := factory.NewRequest("GET", IndexServerAddress()+"users/", nil)
+			req, err := factory.NewRequest("GET", serverAddress+"users/", nil)
 			req.SetBasicAuth(authConfig.Username, authConfig.Password)
 			resp, err := client.Do(req)
 			if err != nil {
@@ -199,3 +223,52 @@ func Login(authConfig *AuthConfig, factory *utils.HTTPRequestFactory) (string, e
 	}
 	return status, nil
 }
+
+// this method matches a auth configuration to a server address or a url
+func (config *ConfigFile) ResolveAuthConfig(registry string) AuthConfig {
+	if registry == IndexServerAddress() || len(registry) == 0 {
+		// default to the index server
+		return config.Configs[IndexServerAddress()]
+	}
+	// if its not the index server there are three cases:
+	//
+	// 1. this is a full config url -> it should be used as is
+	// 2. it could be a full url, but with the wrong protocol
+	// 3. it can be the hostname optionally with a port
+	//
+	// as there is only one auth entry which is fully qualified we need to start
+	// parsing and matching
+
+	swapProtocoll := func(url string) string {
+		if strings.HasPrefix(url, "http:") {
+			return strings.Replace(url, "http:", "https:", 1)
+		}
+		if strings.HasPrefix(url, "https:") {
+			return strings.Replace(url, "https:", "http:", 1)
+		}
+		return url
+	}
+
+	resolveIgnoringProtocol := func(url string) AuthConfig {
+		if c, found := config.Configs[url]; found {
+			return c
+		}
+		registrySwappedProtocoll := swapProtocoll(url)
+		// now try to match with the different protocol
+		if c, found := config.Configs[registrySwappedProtocoll]; found {
+			return c
+		}
+		return AuthConfig{}
+	}
+
+	// match both protocols as it could also be a server name like httpfoo
+	if strings.HasPrefix(registry, "http:") || strings.HasPrefix(registry, "https:") {
+		return resolveIgnoringProtocol(registry)
+	}
+
+	url := "https://" + registry
+	if !strings.Contains(registry, "/") {
+		url = url + "/v1/"
+	}
+	return resolveIgnoringProtocol(url)
+}

commands.go

@@ -4,10 +4,12 @@ import (
 	"archive/tar"
 	"bufio"
 	"bytes"
+	"encoding/base64"
 	"encoding/json"
 	"flag"
 	"fmt"
 	"github.com/dotcloud/docker/auth"
+	"github.com/dotcloud/docker/registry"
 	"github.com/dotcloud/docker/term"
 	"github.com/dotcloud/docker/utils"
 	"io"
@@ -91,6 +93,7 @@ func (cli *DockerCli) CmdHelp(args ...string) error {
 		{"login", "Register or Login to the docker registry server"},
 		{"logs", "Fetch the logs of a container"},
 		{"port", "Lookup the public-facing port which is NAT-ed to PRIVATE_PORT"},
+		{"top", "Lookup the running processes of a container"},
 		{"ps", "List containers"},
 		{"pull", "Pull an image or a repository from the docker registry server"},
 		{"push", "Push an image or a repository to the docker registry server"},
@@ -102,7 +105,6 @@ func (cli *DockerCli) CmdHelp(args ...string) error {
 		{"start", "Start a stopped container"},
 		{"stop", "Stop a running container"},
 		{"tag", "Tag an image into a repository"},
-		{"top", "Lookup the running processes of a container"},
 		{"version", "Show the docker version information"},
 		{"wait", "Block until a container stops, then print its exit code"},
 	} {
@@ -187,10 +189,8 @@ func (cli *DockerCli) CmdBuild(args ...string) error {
 	} else if utils.IsURL(cmd.Arg(0)) || utils.IsGIT(cmd.Arg(0)) {
 		isRemote = true
 	} else {
-		if fi, err := os.Stat(cmd.Arg(0)); err != nil {
+		if _, err := os.Stat(cmd.Arg(0)); err != nil {
 			return err
-		} else if !fi.IsDir() {
-			return fmt.Errorf("\"%s\" is not a path or URL. Please provide a path to a directory containing a Dockerfile.", cmd.Arg(0))
 		}
 		context, err = Tar(cmd.Arg(0), Uncompressed)
 	}
@@ -254,7 +254,7 @@ func (cli *DockerCli) CmdBuild(args ...string) error {
 
 // 'docker login': login / register a user to registry service.
 func (cli *DockerCli) CmdLogin(args ...string) error {
-	cmd := Subcmd("login", "[OPTIONS]", "Register or Login to the docker registry server")
+	cmd := Subcmd("login", "[OPTIONS] [SERVER]", "Register or Login to a docker registry server, if no server is specified \""+auth.IndexServerAddress()+"\" is the default.")
 
 	var username, password, email string
 
@@ -262,10 +262,17 @@ func (cli *DockerCli) CmdLogin(args ...string) error {
 	cmd.StringVar(&password, "p", "", "password")
 	cmd.StringVar(&email, "e", "", "email")
 	err := cmd.Parse(args)
-
 	if err != nil {
 		return nil
 	}
+	serverAddress := auth.IndexServerAddress()
+	if len(cmd.Args()) > 0 {
+		serverAddress, err = registry.ExpandAndVerifyRegistryUrl(cmd.Arg(0))
+		if err != nil {
+			return err
+		}
+		fmt.Fprintf(cli.out, "Login against server at %s\n", serverAddress)
+	}
 
 	promptDefault := func(prompt string, configDefault string) {
 		if configDefault == "" {
@@ -298,19 +305,16 @@ func (cli *DockerCli) CmdLogin(args ...string) error {
 			username = authconfig.Username
 		}
 	}
-
 	if username != authconfig.Username {
 		if password == "" {
 			oldState, _ := term.SaveState(cli.terminalFd)
 			fmt.Fprintf(cli.out, "Password: ")
-
 			term.DisableEcho(cli.terminalFd, oldState)
 
 			password = readInput(cli.in, cli.out)
 			fmt.Fprint(cli.out, "\n")
 
 			term.RestoreTerminal(cli.terminalFd, oldState)
-
 			if password == "" {
 				return fmt.Errorf("Error : Password Required")
 			}
@@ -327,15 +331,15 @@ func (cli *DockerCli) CmdLogin(args ...string) error {
 		password = authconfig.Password
 		email = authconfig.Email
 	}
-
 	authconfig.Username = username
 	authconfig.Password = password
 	authconfig.Email = email
-	cli.configFile.Configs[auth.IndexServerAddress()] = authconfig
+	authconfig.ServerAddress = serverAddress
+	cli.configFile.Configs[serverAddress] = authconfig
 
-	body, statusCode, err := cli.call("POST", "/auth", cli.configFile.Configs[auth.IndexServerAddress()])
+	body, statusCode, err := cli.call("POST", "/auth", cli.configFile.Configs[serverAddress])
 	if statusCode == 401 {
-		delete(cli.configFile.Configs, auth.IndexServerAddress())
+		delete(cli.configFile.Configs, serverAddress)
 		auth.SaveConfig(cli.configFile)
 		return err
 	}
@@ -812,6 +816,13 @@ func (cli *DockerCli) CmdPush(args ...string) error {
 
 	cli.LoadConfigFile()
 
+	// Resolve the Repository name from fqn to endpoint + name
+	endpoint, _, err := registry.ResolveRepositoryName(name)
+	if err != nil {
+		return err
+	}
+	// Resolve the Auth config relevant for this server
+	authConfig := cli.configFile.ResolveAuthConfig(endpoint)
 	// If we're not using a custom registry, we know the restrictions
 	// applied to repository names and can warn the user in advance.
 	// Custom repositories can have different rules, and we must also
@@ -825,8 +836,8 @@ func (cli *DockerCli) CmdPush(args ...string) error {
 	}
 
 	v := url.Values{}
-	push := func() error {
+	push := func(authConfig auth.AuthConfig) error {
-		buf, err := json.Marshal(cli.configFile.Configs[auth.IndexServerAddress()])
+		buf, err := json.Marshal(authConfig)
 		if err != nil {
 			return err
 		}
@@ -834,13 +845,14 @@ func (cli *DockerCli) CmdPush(args ...string) error {
 		return cli.stream("POST", "/images/"+name+"/push?"+v.Encode(), bytes.NewBuffer(buf), cli.out)
 	}
 
-	if err := push(); err != nil {
+	if err := push(authConfig); err != nil {
-		if err.Error() == "Authentication is required." {
+		if err.Error() == registry.ErrLoginRequired.Error() {
 			fmt.Fprintln(cli.out, "\nPlease login prior to push:")
-			if err := cli.CmdLogin(""); err != nil {
+			if err := cli.CmdLogin(endpoint); err != nil {
 				return err
 			}
-			return push()
+			authConfig := cli.configFile.ResolveAuthConfig(endpoint)
+			return push(authConfig)
 		}
 		return err
 	}
@@ -864,11 +876,39 @@ func (cli *DockerCli) CmdPull(args ...string) error {
 		*tag = parsedTag
 	}
 
+	// Resolve the Repository name from fqn to endpoint + name
+	endpoint, _, err := registry.ResolveRepositoryName(remote)
+	if err != nil {
+		return err
+	}
+
+	cli.LoadConfigFile()
+
+	// Resolve the Auth config relevant for this server
+	authConfig := cli.configFile.ResolveAuthConfig(endpoint)
 	v := url.Values{}
 	v.Set("fromImage", remote)
 	v.Set("tag", *tag)
 
-	if err := cli.stream("POST", "/images/create?"+v.Encode(), nil, cli.out); err != nil {
+	pull := func(authConfig auth.AuthConfig) error {
+		buf, err := json.Marshal(authConfig)
+		if err != nil {
+			return err
+		}
+		v.Set("authConfig", base64.URLEncoding.EncodeToString(buf))
+
+		return cli.stream("POST", "/images/create?"+v.Encode(), bytes.NewBuffer(buf), cli.out)
+	}
+
+	if err := pull(authConfig); err != nil {
+		if err.Error() == registry.ErrLoginRequired.Error() {
+			fmt.Fprintln(cli.out, "\nPlease login prior to push:")
+			if err := cli.CmdLogin(endpoint); err != nil {
+				return err
+			}
+			authConfig := cli.configFile.ResolveAuthConfig(endpoint)
+			return pull(authConfig)
+		}
 		return err
 	}
 

docs/sources/api/docker_remote_api_v1.4.rst

@@ -991,7 +991,8 @@ Check auth configuration
 	   {
 		"username":"hannibal",
 		"password:"xxxx",
-		"email":"hannibal@a-team.com"
+		"email":"hannibal@a-team.com",
+		"serveraddress":"https://index.docker.io/v1/"
 	   }
 
         **Example response**:

docs/sources/commandline/command/login.rst

@@ -8,10 +8,17 @@
 
 ::
 
-    Usage: docker login [OPTIONS]
+    Usage: docker login [OPTIONS] [SERVER]
 
     Register or Login to the docker registry server
 
     -e="": email
     -p="": password
     -u="": username
+
+    If you want to login to a private registry you can
+    specify this by adding the server name.
+
+    example:
+    docker login localhost:8080
+

registry/registry.go

@@ -22,6 +22,7 @@ import (
 var (
 	ErrAlreadyExists         = errors.New("Image already exists")
 	ErrInvalidRepositoryName = errors.New("Invalid repository name (ex: \"registry.domain.tld/myrepos\")")
+	ErrLoginRequired         = errors.New("Authentication is required.")
 )
 
 func pingRegistryEndpoint(endpoint string) error {
@@ -102,17 +103,38 @@ func ResolveRepositoryName(reposName string) (string, string, error) {
 	if err := validateRepositoryName(reposName); err != nil {
 		return "", "", err
 	}
+	endpoint, err := ExpandAndVerifyRegistryUrl(hostname)
+	if err != nil {
+		return "", "", err
+	}
+	return endpoint, reposName, err
+}
+
+// this method expands the registry name as used in the prefix of a repo
+// to a full url. if it already is a url, there will be no change.
+// The registry is pinged to test if it http or https
+func ExpandAndVerifyRegistryUrl(hostname string) (string, error) {
+	if strings.HasPrefix(hostname, "http:") || strings.HasPrefix(hostname, "https:") {
+		// if there is no slash after https:// (8 characters) then we have no path in the url
+		if strings.LastIndex(hostname, "/") < 9 {
+			// there is no path given. Expand with default path
+			hostname = hostname + "/v1/"
+		}
+		if err := pingRegistryEndpoint(hostname); err != nil {
+			return "", errors.New("Invalid Registry endpoint: " + err.Error())
+		}
+		return hostname, nil
+	}
 	endpoint := fmt.Sprintf("https://%s/v1/", hostname)
 	if err := pingRegistryEndpoint(endpoint); err != nil {
 		utils.Debugf("Registry %s does not work (%s), falling back to http", endpoint, err)
 		endpoint = fmt.Sprintf("http://%s/v1/", hostname)
 		if err = pingRegistryEndpoint(endpoint); err != nil {
 			//TODO: triggering highland build can be done there without "failing"
-			return "", "", errors.New("Invalid Registry endpoint: " + err.Error())
+			return "", errors.New("Invalid Registry endpoint: " + err.Error())
 		}
 	}
-	err := validateRepositoryName(reposName)
+	return endpoint, nil
-	return endpoint, reposName, err
 }
 
 func doWithCookies(c *http.Client, req *http.Request) (*http.Response, error) {
@@ -139,6 +161,9 @@ func (r *Registry) GetRemoteHistory(imgID, registry string, token []string) ([]s
 	req.Header.Set("Authorization", "Token "+strings.Join(token, ", "))
 	res, err := doWithCookies(r.client, req)
 	if err != nil || res.StatusCode != 200 {
+		if res.StatusCode == 401 {
+			return nil, ErrLoginRequired
+		}
 		if res != nil {
 			return nil, utils.NewHTTPRequestError(fmt.Sprintf("Internal server error: %d trying to fetch remote history for %s", res.StatusCode, imgID), res)
 		}
@@ -282,7 +307,7 @@ func (r *Registry) GetRepositoryData(indexEp, remote string) (*RepositoryData, e
 	}
 	defer res.Body.Close()
 	if res.StatusCode == 401 {
-		return nil, utils.NewHTTPRequestError(fmt.Sprintf("Please login first (HTTP code %d)", res.StatusCode), res)
+		return nil, ErrLoginRequired
 	}
 	// TODO: Right now we're ignoring checksums in the response body.
 	// In the future, we need to use them to check image validity.

server.go

@@ -655,6 +655,9 @@ func (srv *Server) ImagePull(localName string, tag string, out io.Writer, sf *ut
 
 	out = utils.NewWriteFlusher(out)
 	err = srv.pullRepository(r, out, localName, remoteName, tag, endpoint, sf, parallel)
+	if err == registry.ErrLoginRequired {
+		return err
+	}
 	if err != nil {
 		if err := srv.pullImage(r, out, remoteName, endpoint, nil, sf); err != nil {
 			return err