@@ -85,7 +85,7 @@ func pullImage(ctx context.Context, dockerCli *command.DockerCli, image string,

 		return err

 	}

-	authConfig := dockerCli.ResolveAuthConfig(ctx, repoInfo.Index)

+	authConfig := command.ResolveAuthConfig(ctx, dockerCli, repoInfo.Index)

 	encodedAuth, err := command.EncodeAuthToBase64(authConfig)

 	if err != nil {

 		return err

@@ -73,8 +73,8 @@ func runPull(dockerCli *command.DockerCli, opts pullOptions) error {

 	ctx := context.Background()

-	authConfig := dockerCli.ResolveAuthConfig(ctx, repoInfo.Index)

-	requestPrivilege := dockerCli.RegistryAuthenticationPrivilegedFunc(repoInfo.Index, "pull")

+	authConfig := command.ResolveAuthConfig(ctx, dockerCli, repoInfo.Index)

+	requestPrivilege := command.RegistryAuthenticationPrivilegedFunc(dockerCli, repoInfo.Index, "pull")

 	if command.IsTrusted() && !registryRef.HasDigest() {

 		// Check if tag is digest

@@ -44,8 +44,8 @@ func runPush(dockerCli *command.DockerCli, remote string) error {

 	ctx := context.Background()

 	// Resolve the Auth config relevant for this server

-	authConfig := dockerCli.ResolveAuthConfig(ctx, repoInfo.Index)

-	requestPrivilege := dockerCli.RegistryAuthenticationPrivilegedFunc(repoInfo.Index, "push")

+	authConfig := command.ResolveAuthConfig(ctx, dockerCli, repoInfo.Index)

+	requestPrivilege := command.RegistryAuthenticationPrivilegedFunc(dockerCli, repoInfo.Index, "push")

 	if command.IsTrusted() {

 		return trustedPush(ctx, dockerCli, repoInfo, ref, authConfig, requestPrivilege)

@@ -66,8 +66,8 @@ func runSearch(dockerCli *command.DockerCli, opts searchOptions) error {

 	ctx := context.Background()

-	authConfig := dockerCli.ResolveAuthConfig(ctx, indexInfo)

-	requestPrivilege := dockerCli.RegistryAuthenticationPrivilegedFunc(indexInfo, "search")

+	authConfig := command.ResolveAuthConfig(ctx, dockerCli, indexInfo)

+	requestPrivilege := command.RegistryAuthenticationPrivilegedFunc(dockerCli, indexInfo, "search")

 	encodedAuth, err := command.EncodeAuthToBase64(authConfig)

 	if err != nil {

@@ -499,7 +499,7 @@ func TrustedReference(ctx context.Context, cli *command.DockerCli, ref reference

 	}

 	// Resolve the Auth config relevant for this server

-	authConfig := cli.ResolveAuthConfig(ctx, repoInfo.Index)

+	authConfig := command.ResolveAuthConfig(ctx, cli, repoInfo.Index)

 	notaryRepo, err := GetNotaryRepository(cli, repoInfo, authConfig, "pull")

 	if err != nil {

@@ -61,14 +61,14 @@ func runInstall(dockerCli *command.DockerCli, opts pluginOptions) error {

 		return err

 	}

-	authConfig := dockerCli.ResolveAuthConfig(ctx, repoInfo.Index)

+	authConfig := command.ResolveAuthConfig(ctx, dockerCli, repoInfo.Index)

 	encodedAuth, err := command.EncodeAuthToBase64(authConfig)

 	if err != nil {

 		return err

 	}

-	registryAuthFunc := dockerCli.RegistryAuthenticationPrivilegedFunc(repoInfo.Index, "plugin install")

+	registryAuthFunc := command.RegistryAuthenticationPrivilegedFunc(dockerCli, repoInfo.Index, "plugin install")

 	options := types.PluginInstallOptions{

 		RegistryAuth:          encodedAuth,

@@ -45,7 +45,7 @@ func runPush(dockerCli *command.DockerCli, name string) error {

 	if err != nil {

 		return err

 	}

-	authConfig := dockerCli.ResolveAuthConfig(ctx, repoInfo.Index)

+	authConfig := command.ResolveAuthConfig(ctx, dockerCli, repoInfo.Index)

 	encodedAuth, err := command.EncodeAuthToBase64(authConfig)

 	if err != nil {

@@ -20,15 +20,14 @@ import (

 )

 // ElectAuthServer returns the default registry to use (by asking the daemon)

-// TODO: only used in registry package and from ResolveAuthConfig

-func (cli *DockerCli) ElectAuthServer(ctx context.Context) string {

+func ElectAuthServer(ctx context.Context, cli *DockerCli) string {

 	// The daemon `/info` endpoint informs us of the default registry being

 	// used. This is essential in cross-platforms environment, where for

 	// example a Linux client might be interacting with a Windows daemon, hence

 	// the default registry URL might be Windows specific.

 	serverAddress := registry.IndexServer

-	if info, err := cli.client.Info(ctx); err != nil {

-		fmt.Fprintf(cli.out, "Warning: failed to get default registry endpoint from daemon (%v). Using system default: %s\n", err, serverAddress)

+	if info, err := cli.Client().Info(ctx); err != nil {

+		fmt.Fprintf(cli.Out(), "Warning: failed to get default registry endpoint from daemon (%v). Using system default: %s\n", err, serverAddress)

 	} else {

 		serverAddress = info.IndexServerAddress

 	}

@@ -46,13 +45,12 @@ func EncodeAuthToBase64(authConfig types.AuthConfig) (string, error) {

 // RegistryAuthenticationPrivilegedFunc returns a RequestPrivilegeFunc from the specified registry index info

 // for the given command.

-// TODO: image/plugin

-func (cli *DockerCli) RegistryAuthenticationPrivilegedFunc(index *registrytypes.IndexInfo, cmdName string) types.RequestPrivilegeFunc {

+func RegistryAuthenticationPrivilegedFunc(cli *DockerCli, index *registrytypes.IndexInfo, cmdName string) types.RequestPrivilegeFunc {

 	return func() (string, error) {

-		fmt.Fprintf(cli.out, "\nPlease login prior to %s:\n", cmdName)

+		fmt.Fprintf(cli.Out(), "\nPlease login prior to %s:\n", cmdName)

 		indexServer := registry.GetAuthConfigKey(index)

-		isDefaultRegistry := indexServer == cli.ElectAuthServer(context.Background())

-		authConfig, err := cli.ConfigureAuth("", "", indexServer, isDefaultRegistry)

+		isDefaultRegistry := indexServer == ElectAuthServer(context.Background(), cli)

+		authConfig, err := ConfigureAuth(cli, "", "", indexServer, isDefaultRegistry)

 		if err != nil {

 			return "", err

 		}

@@ -63,11 +61,10 @@ func (cli *DockerCli) RegistryAuthenticationPrivilegedFunc(index *registrytypes.

 // ResolveAuthConfig is like registry.ResolveAuthConfig, but if using the

 // default index, it uses the default index name for the daemon's platform,

 // not the client's platform.

-// TODO: plugin/image/container and from RetrieveAuthTokenFromImage

-func (cli *DockerCli) ResolveAuthConfig(ctx context.Context, index *registrytypes.IndexInfo) types.AuthConfig {

+func ResolveAuthConfig(ctx context.Context, cli *DockerCli, index *registrytypes.IndexInfo) types.AuthConfig {

 	configKey := index.Name

 	if index.Official {

-		configKey = cli.ElectAuthServer(ctx)

+		configKey = ElectAuthServer(ctx, cli)

 	}

 	a, _ := cli.CredentialsStore().Get(configKey)

@@ -75,8 +72,7 @@ func (cli *DockerCli) ResolveAuthConfig(ctx context.Context, index *registrytype

 }

 // ConfigureAuth returns an AuthConfig from the specified user, password and server.

-// TODO: only used in registry package

-func (cli *DockerCli) ConfigureAuth(flUser, flPassword, serverAddress string, isDefaultRegistry bool) (types.AuthConfig, error) {

+func ConfigureAuth(cli *DockerCli, flUser, flPassword, serverAddress string, isDefaultRegistry bool) (types.AuthConfig, error) {

 	// On Windows, force the use of the regular OS stdin stream. Fixes #14336/#14210

 	if runtime.GOOS == "windows" {

 		cli.in = NewInStream(os.Stdin)

@@ -107,10 +103,10 @@ func (cli *DockerCli) ConfigureAuth(flUser, flPassword, serverAddress string, is

 	if flUser = strings.TrimSpace(flUser); flUser == "" {

 		if isDefaultRegistry {

 			// if this is a default registry (docker hub), then display the following message.

-			fmt.Fprintln(cli.out, "Login with your Docker ID to push and pull images from Docker Hub. If you don't have a Docker ID, head over to https://hub.docker.com to create one.")

+			fmt.Fprintln(cli.Out(), "Login with your Docker ID to push and pull images from Docker Hub. If you don't have a Docker ID, head over to https://hub.docker.com to create one.")

 		}

-		cli.promptWithDefault("Username", authconfig.Username)

-		flUser = readInput(cli.in, cli.out)

+		promptWithDefault(cli.Out(), "Username", authconfig.Username)

+		flUser = readInput(cli.In(), cli.Out())

 		flUser = strings.TrimSpace(flUser)

 		if flUser == "" {

 			flUser = authconfig.Username

@@ -124,11 +120,11 @@ func (cli *DockerCli) ConfigureAuth(flUser, flPassword, serverAddress string, is

 		if err != nil {

 			return authconfig, err

 		}

-		fmt.Fprintf(cli.out, "Password: ")

+		fmt.Fprintf(cli.Out(), "Password: ")

 		term.DisableEcho(cli.In().FD(), oldState)

-		flPassword = readInput(cli.in, cli.out)

-		fmt.Fprint(cli.out, "\n")

+		flPassword = readInput(cli.In(), cli.Out())

+		fmt.Fprint(cli.Out(), "\n")

 		term.RestoreTerminal(cli.In().FD(), oldState)

 		if flPassword == "" {

@@ -154,19 +150,18 @@ func readInput(in io.Reader, out io.Writer) string {

 	return string(line)

 }

-func (cli *DockerCli) promptWithDefault(prompt string, configDefault string) {

+func promptWithDefault(out io.Writer, prompt string, configDefault string) {

 	if configDefault == "" {

-		fmt.Fprintf(cli.out, "%s: ", prompt)

+		fmt.Fprintf(out, "%s: ", prompt)

 	} else {

-		fmt.Fprintf(cli.out, "%s (%s): ", prompt, configDefault)

+		fmt.Fprintf(out, "%s (%s): ", prompt, configDefault)

 	}

 }

 // RetrieveAuthTokenFromImage retrieves an encoded auth token given a complete image

-// TODO: used in service/stack packages

-func (cli *DockerCli) RetrieveAuthTokenFromImage(ctx context.Context, image string) (string, error) {

+func RetrieveAuthTokenFromImage(ctx context.Context, cli *DockerCli, image string) (string, error) {

 	// Retrieve encoded auth token from the image reference

-	authConfig, err := cli.resolveAuthConfigFromImage(ctx, image)

+	authConfig, err := resolveAuthConfigFromImage(ctx, cli, image)

 	if err != nil {

 		return "", err

 	}

@@ -178,7 +173,7 @@ func (cli *DockerCli) RetrieveAuthTokenFromImage(ctx context.Context, image stri

 }

 // resolveAuthConfigFromImage retrieves that AuthConfig using the image string

-func (cli *DockerCli) resolveAuthConfigFromImage(ctx context.Context, image string) (types.AuthConfig, error) {

+func resolveAuthConfigFromImage(ctx context.Context, cli *DockerCli, image string) (types.AuthConfig, error) {

 	registryRef, err := reference.ParseNamed(image)

 	if err != nil {

 		return types.AuthConfig{}, err

@@ -187,6 +182,5 @@ func (cli *DockerCli) resolveAuthConfigFromImage(ctx context.Context, image stri

 	if err != nil {

 		return types.AuthConfig{}, err

 	}

-	authConfig := cli.ResolveAuthConfig(ctx, repoInfo.Index)

-	return authConfig, nil

+	return ResolveAuthConfig(ctx, cli, repoInfo.Index), nil

 }

@@ -52,7 +52,7 @@ func runLogin(dockerCli *command.DockerCli, opts loginOptions) error {

 	var (

 		serverAddress string

-		authServer    = dockerCli.ElectAuthServer(ctx)

+		authServer    = command.ElectAuthServer(ctx, dockerCli)

 	)

 	if opts.serverAddress != "" {

 		serverAddress = opts.serverAddress

@@ -62,7 +62,7 @@ func runLogin(dockerCli *command.DockerCli, opts loginOptions) error {

 	isDefaultRegistry := serverAddress == authServer

-	authConfig, err := dockerCli.ConfigureAuth(opts.user, opts.password, serverAddress, isDefaultRegistry)

+	authConfig, err := command.ConfigureAuth(dockerCli, opts.user, opts.password, serverAddress, isDefaultRegistry)

 	if err != nil {

 		return err

 	}

@@ -35,7 +35,7 @@ func runLogout(dockerCli *command.DockerCli, serverAddress string) error {

 	var isDefaultRegistry bool

 	if serverAddress == "" {

-		serverAddress = dockerCli.ElectAuthServer(ctx)

+		serverAddress = command.ElectAuthServer(ctx, dockerCli)

 		isDefaultRegistry = true

 	}

@@ -55,7 +55,7 @@ func runCreate(dockerCli *command.DockerCli, opts *serviceOptions) error {

 	// only send auth if flag was set

 	if opts.registryAuth {

 		// Retrieve encoded auth token from the image reference

-		encodedAuth, err := dockerCli.RetrieveAuthTokenFromImage(ctx, opts.image)

+		encodedAuth, err := command.RetrieveAuthTokenFromImage(ctx, dockerCli, opts.image)

 		if err != nil {

 			return err

 		}

@@ -82,7 +82,7 @@ func runUpdate(dockerCli *command.DockerCli, flags *pflag.FlagSet, serviceID str

 		// Retrieve encoded auth token from the image reference

 		// This would be the old image if it didn't change in this update

 		image := service.Spec.TaskTemplate.ContainerSpec.Image

-		encodedAuth, err := dockerCli.RetrieveAuthTokenFromImage(ctx, image)

+		encodedAuth, err := command.RetrieveAuthTokenFromImage(ctx, dockerCli, image)

 		if err != nil {

 			return err

 		}

@@ -197,7 +197,7 @@ func deployServices(

 		if sendAuth {

 			// Retrieve encoded auth token from the image reference

 			image := serviceSpec.TaskTemplate.ContainerSpec.Image

-			encodedAuth, err = dockerCli.RetrieveAuthTokenFromImage(ctx, image)

+			encodedAuth, err = command.RetrieveAuthTokenFromImage(ctx, dockerCli, image)

 			if err != nil {

 				return err

 			}