@@ -11,6 +11,7 @@ import (

 	"path"

 	"strings"

+	log "github.com/Sirupsen/logrus"

 	"github.com/docker/docker/utils"

 )

@@ -144,8 +145,18 @@ func SaveConfig(configFile *ConfigFile) error {

 	return nil

 }

-// try to register/login to the registry server

-func Login(authConfig *AuthConfig, factory *utils.HTTPRequestFactory) (string, error) {

+// Login tries to register/login to the registry server.

+func Login(authConfig *AuthConfig, registryEndpoint *Endpoint, factory *utils.HTTPRequestFactory) (string, error) {

+	// Separates the v2 registry login logic from the v1 logic.

+	if registryEndpoint.Version == APIVersion2 {

+		return loginV2(authConfig, registryEndpoint, factory)

+	}

+

+	return loginV1(authConfig, registryEndpoint, factory)

+}

+

+// loginV1 tries to register/login to the v1 registry server.

+func loginV1(authConfig *AuthConfig, registryEndpoint *Endpoint, factory *utils.HTTPRequestFactory) (string, error) {

 	var (

 		status  string

 		reqBody []byte

@@ -161,6 +172,8 @@ func Login(authConfig *AuthConfig, factory *utils.HTTPRequestFactory) (string, e

 		serverAddress = authConfig.ServerAddress

 	)

+	log.Debugf("attempting v1 login to registry endpoint %s", registryEndpoint)

+

 	if serverAddress == "" {

 		return "", fmt.Errorf("Server Error: Server Address not set.")

 	}

@@ -253,6 +266,103 @@ func Login(authConfig *AuthConfig, factory *utils.HTTPRequestFactory) (string, e

 	return status, nil

 }

+// loginV2 tries to login to the v2 registry server. The given registry endpoint has been

+// pinged or setup with a list of authorization challenges. Each of these challenges are

+// tried until one of them succeeds. Currently supported challenge schemes are:

+// 		HTTP Basic Authorization

+// 		Token Authorization with a separate token issuing server

+// NOTE: the v2 logic does not attempt to create a user account if one doesn't exist. For

+// now, users should create their account through other means like directly from a web page

+// served by the v2 registry service provider. Whether this will be supported in the future

+// is to be determined.

+func loginV2(authConfig *AuthConfig, registryEndpoint *Endpoint, factory *utils.HTTPRequestFactory) (string, error) {

+	log.Debugf("attempting v2 login to registry endpoint %s", registryEndpoint)

+

+	client := &http.Client{

+		Transport: &http.Transport{

+			DisableKeepAlives: true,

+			Proxy:             http.ProxyFromEnvironment,

+		},

+		CheckRedirect: AddRequiredHeadersToRedirectedRequests,

+	}

+

+	var (

+		err       error

+		allErrors []error

+	)

+

+	for _, challenge := range registryEndpoint.AuthChallenges {

+		log.Debugf("trying %q auth challenge with params %s", challenge.Scheme, challenge.Parameters)

+

+		switch strings.ToLower(challenge.Scheme) {

+		case "basic":

+			err = tryV2BasicAuthLogin(authConfig, challenge.Parameters, registryEndpoint, client, factory)

+		case "bearer":

+			err = tryV2TokenAuthLogin(authConfig, challenge.Parameters, registryEndpoint, client, factory)

+		default:

+			// Unsupported challenge types are explicitly skipped.

+			err = fmt.Errorf("unsupported auth scheme: %q", challenge.Scheme)

+		}

+

+		if err == nil {

+			return "Login Succeeded", nil

+		}

+

+		log.Debugf("error trying auth challenge %q: %s", challenge.Scheme, err)

+

+		allErrors = append(allErrors, err)

+	}

+

+	return "", fmt.Errorf("no successful auth challenge for %s - errors: %s", registryEndpoint, allErrors)

+}

+

+func tryV2BasicAuthLogin(authConfig *AuthConfig, params map[string]string, registryEndpoint *Endpoint, client *http.Client, factory *utils.HTTPRequestFactory) error {

+	req, err := factory.NewRequest("GET", registryEndpoint.Path(""), nil)

+	if err != nil {

+		return err

+	}

+

+	req.SetBasicAuth(authConfig.Username, authConfig.Password)

+

+	resp, err := client.Do(req)

+	if err != nil {

+		return err

+	}

+	defer resp.Body.Close()

+

+	if resp.StatusCode != http.StatusOK {

+		return fmt.Errorf("basic auth attempt to %s realm %q failed with status: %d %s", registryEndpoint, params["realm"], resp.StatusCode, http.StatusText(resp.StatusCode))

+	}

+

+	return nil

+}

+

+func tryV2TokenAuthLogin(authConfig *AuthConfig, params map[string]string, registryEndpoint *Endpoint, client *http.Client, factory *utils.HTTPRequestFactory) error {

+	token, err := getToken(authConfig.Username, authConfig.Password, params, registryEndpoint, client, factory)

+	if err != nil {

+		return err

+	}

+

+	req, err := factory.NewRequest("GET", registryEndpoint.Path(""), nil)

+	if err != nil {

+		return err

+	}

+

+	req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", token))

+

+	resp, err := client.Do(req)

+	if err != nil {

+		return err

+	}

+	defer resp.Body.Close()

+

+	if resp.StatusCode != http.StatusOK {

+		return fmt.Errorf("token auth attempt to %s realm %q failed with status: %d %s", registryEndpoint, params["realm"], resp.StatusCode, http.StatusText(resp.StatusCode))

+	}

+

+	return nil

+}

+

 // this method matches a auth configuration to a server address or a url

 func (config *ConfigFile) ResolveAuthConfig(index *IndexInfo) AuthConfig {

 	configKey := index.GetAuthConfigKey()

new file mode 100644

@@ -0,0 +1,150 @@

+package registry

+

+import (

+	"net/http"

+	"strings"

+)

+

+// Octet types from RFC 2616.

+type octetType byte

+

+// AuthorizationChallenge carries information

+// from a WWW-Authenticate response header.

+type AuthorizationChallenge struct {

+	Scheme     string

+	Parameters map[string]string

+}

+

+var octetTypes [256]octetType

+

+const (

+	isToken octetType = 1 << iota

+	isSpace

+)

+

+func init() {

+	// OCTET      = <any 8-bit sequence of data>

+	// CHAR       = <any US-ASCII character (octets 0 - 127)>

+	// CTL        = <any US-ASCII control character (octets 0 - 31) and DEL (127)>

+	// CR         = <US-ASCII CR, carriage return (13)>

+	// LF         = <US-ASCII LF, linefeed (10)>

+	// SP         = <US-ASCII SP, space (32)>

+	// HT         = <US-ASCII HT, horizontal-tab (9)>

+	// <">        = <US-ASCII double-quote mark (34)>

+	// CRLF       = CR LF

+	// LWS        = [CRLF] 1*( SP | HT )

+	// TEXT       = <any OCTET except CTLs, but including LWS>

+	// separators = "(" | ")" | "<" | ">" | "@" | "," | ";" | ":" | "\" | <">

+	//              | "/" | "[" | "]" | "?" | "=" | "{" | "}" | SP | HT

+	// token      = 1*<any CHAR except CTLs or separators>

+	// qdtext     = <any TEXT except <">>

+

+	for c := 0; c < 256; c++ {

+		var t octetType

+		isCtl := c <= 31 || c == 127

+		isChar := 0 <= c && c <= 127

+		isSeparator := strings.IndexRune(" \t\"(),/:;<=>?@[]\\{}", rune(c)) >= 0

+		if strings.IndexRune(" \t\r\n", rune(c)) >= 0 {

+			t |= isSpace

+		}

+		if isChar && !isCtl && !isSeparator {

+			t |= isToken

+		}

+		octetTypes[c] = t

+	}

+}

+

+func parseAuthHeader(header http.Header) []*AuthorizationChallenge {

+	var challenges []*AuthorizationChallenge

+	for _, h := range header[http.CanonicalHeaderKey("WWW-Authenticate")] {

+		v, p := parseValueAndParams(h)

+		if v != "" {

+			challenges = append(challenges, &AuthorizationChallenge{Scheme: v, Parameters: p})

+		}

+	}

+	return challenges

+}

+

+func parseValueAndParams(header string) (value string, params map[string]string) {

+	params = make(map[string]string)

+	value, s := expectToken(header)

+	if value == "" {

+		return

+	}

+	value = strings.ToLower(value)

+	s = "," + skipSpace(s)

+	for strings.HasPrefix(s, ",") {

+		var pkey string

+		pkey, s = expectToken(skipSpace(s[1:]))

+		if pkey == "" {

+			return

+		}

+		if !strings.HasPrefix(s, "=") {

+			return

+		}

+		var pvalue string

+		pvalue, s = expectTokenOrQuoted(s[1:])

+		if pvalue == "" {

+			return

+		}

+		pkey = strings.ToLower(pkey)

+		params[pkey] = pvalue

+		s = skipSpace(s)

+	}

+	return

+}

+

+func skipSpace(s string) (rest string) {

+	i := 0

+	for ; i < len(s); i++ {

+		if octetTypes[s[i]]&isSpace == 0 {

+			break

+		}

+	}

+	return s[i:]

+}

+

+func expectToken(s string) (token, rest string) {

+	i := 0

+	for ; i < len(s); i++ {

+		if octetTypes[s[i]]&isToken == 0 {

+			break

+		}

+	}

+	return s[:i], s[i:]

+}

+

+func expectTokenOrQuoted(s string) (value string, rest string) {

+	if !strings.HasPrefix(s, "\"") {

+		return expectToken(s)

+	}

+	s = s[1:]

+	for i := 0; i < len(s); i++ {

+		switch s[i] {

+		case '"':

+			return s[:i], s[i+1:]

+		case '\\':

+			p := make([]byte, len(s)-1)

+			j := copy(p, s[:i])

+			escape := true

+			for i = i + i; i < len(s); i++ {

+				b := s[i]

+				switch {

+				case escape:

+					escape = false

+					p[j] = b

+					j++

+				case b == '\\':

+					escape = true

+				case b == '"':

+					return string(p[:j]), s[i+1:]

+				default:

+					p[j] = b

+					j++

+				}

+			}

+			return "", ""

+		}

+	}

+	return "", ""

+}

@@ -15,28 +15,31 @@ import (

 // for mocking in unit tests

 var lookupIP = net.LookupIP

-// scans string for api version in the URL path. returns the trimmed hostname, if version found, string and API version.

-func scanForAPIVersion(hostname string) (string, APIVersion) {

+// scans string for api version in the URL path. returns the trimmed address, if version found, string and API version.

+func scanForAPIVersion(address string) (string, APIVersion) {

 	var (

 		chunks        []string

 		apiVersionStr string

 	)

-	if strings.HasSuffix(hostname, "/") {

-		chunks = strings.Split(hostname[:len(hostname)-1], "/")

-		apiVersionStr = chunks[len(chunks)-1]

-	} else {

-		chunks = strings.Split(hostname, "/")

-		apiVersionStr = chunks[len(chunks)-1]

+

+	if strings.HasSuffix(address, "/") {

+		address = address[:len(address)-1]

 	}

+

+	chunks = strings.Split(address, "/")

+	apiVersionStr = chunks[len(chunks)-1]

+

 	for k, v := range apiVersions {

 		if apiVersionStr == v {

-			hostname = strings.Join(chunks[:len(chunks)-1], "/")

-			return hostname, k

+			address = strings.Join(chunks[:len(chunks)-1], "/")

+			return address, k

 		}

 	}

-	return hostname, DefaultAPIVersion

+

+	return address, APIVersionUnknown

 }

+// NewEndpoint parses the given address to return a registry endpoint.

 func NewEndpoint(index *IndexInfo) (*Endpoint, error) {

 	// *TODO: Allow per-registry configuration of endpoints.

 	endpoint, err := newEndpoint(index.GetAuthConfigKey(), index.Secure)

@@ -44,81 +47,124 @@ func NewEndpoint(index *IndexInfo) (*Endpoint, error) {

 		return nil, err

 	}

+	log.Debugf("pinging registry endpoint %s", endpoint)

+

 	// Try HTTPS ping to registry

 	endpoint.URL.Scheme = "https"

 	if _, err := endpoint.Ping(); err != nil {

-

-		//TODO: triggering highland build can be done there without "failing"

-

 		if index.Secure {

 			// If registry is secure and HTTPS failed, show user the error and tell them about `--insecure-registry`

 			// in case that's what they need. DO NOT accept unknown CA certificates, and DO NOT fallback to HTTP.

-			return nil, fmt.Errorf("Invalid registry endpoint %s: %v. If this private registry supports only HTTP or HTTPS with an unknown CA certificate, please add `--insecure-registry %s` to the daemon's arguments. In the case of HTTPS, if you have access to the registry's CA certificate, no need for the flag; simply place the CA certificate at /etc/docker/certs.d/%s/ca.crt", endpoint, err, endpoint.URL.Host, endpoint.URL.Host)

+			return nil, fmt.Errorf("invalid registry endpoint %s: %v. If this private registry supports only HTTP or HTTPS with an unknown CA certificate, please add `--insecure-registry %s` to the daemon's arguments. In the case of HTTPS, if you have access to the registry's CA certificate, no need for the flag; simply place the CA certificate at /etc/docker/certs.d/%s/ca.crt", endpoint, err, endpoint.URL.Host, endpoint.URL.Host)

 		}

 		// If registry is insecure and HTTPS failed, fallback to HTTP.

 		log.Debugf("Error from registry %q marked as insecure: %v. Insecurely falling back to HTTP", endpoint, err)

 		endpoint.URL.Scheme = "http"

-		_, err2 := endpoint.Ping()

-		if err2 == nil {

+

+		var err2 error

+		if _, err2 = endpoint.Ping(); err2 == nil {

 			return endpoint, nil

 		}

-		return nil, fmt.Errorf("Invalid registry endpoint %q. HTTPS attempt: %v. HTTP attempt: %v", endpoint, err, err2)

+		return nil, fmt.Errorf("invalid registry endpoint %q. HTTPS attempt: %v. HTTP attempt: %v", endpoint, err, err2)

 	}

 	return endpoint, nil

 }

-func newEndpoint(hostname string, secure bool) (*Endpoint, error) {

+

+func newEndpoint(address string, secure bool) (*Endpoint, error) {

 	var (

-		endpoint        = Endpoint{}

-		trimmedHostname string

-		err             error

+		endpoint       = new(Endpoint)

+		trimmedAddress string

+		err            error

 	)

-	if !strings.HasPrefix(hostname, "http") {

-		hostname = "https://" + hostname

+

+	if !strings.HasPrefix(address, "http") {

+		address = "https://" + address

 	}

-	trimmedHostname, endpoint.Version = scanForAPIVersion(hostname)

-	endpoint.URL, err = url.Parse(trimmedHostname)

-	if err != nil {

+

+	trimmedAddress, endpoint.Version = scanForAPIVersion(address)

+

+	if endpoint.URL, err = url.Parse(trimmedAddress); err != nil {

 		return nil, err

 	}

-	endpoint.secure = secure

-	return &endpoint, nil

+	endpoint.IsSecure = secure

+	return endpoint, nil

 }

 func (repoInfo *RepositoryInfo) GetEndpoint() (*Endpoint, error) {

 	return NewEndpoint(repoInfo.Index)

 }

+// Endpoint stores basic information about a registry endpoint.

 type Endpoint struct {

-	URL     *url.URL

-	Version APIVersion

-	secure  bool

+	URL            *url.URL

+	Version        APIVersion

+	IsSecure       bool

+	AuthChallenges []*AuthorizationChallenge

 }

 // Get the formated URL for the root of this registry Endpoint

-func (e Endpoint) String() string {

-	return fmt.Sprintf("%s/v%d/", e.URL.String(), e.Version)

+func (e *Endpoint) String() string {

+	return fmt.Sprintf("%s/v%d/", e.URL, e.Version)

+}

+

+// VersionString returns a formatted string of this

+// endpoint address using the given API Version.

+func (e *Endpoint) VersionString(version APIVersion) string {

+	return fmt.Sprintf("%s/v%d/", e.URL, version)

 }

-func (e Endpoint) VersionString(version APIVersion) string {

-	return fmt.Sprintf("%s/v%d/", e.URL.String(), version)

+// Path returns a formatted string for the URL

+// of this endpoint with the given path appended.

+func (e *Endpoint) Path(path string) string {

+	return fmt.Sprintf("%s/v%d/%s", e.URL, e.Version, path)

 }

-func (e Endpoint) Ping() (RegistryInfo, error) {

+func (e *Endpoint) Ping() (RegistryInfo, error) {

+	// The ping logic to use is determined by the registry endpoint version.

+	switch e.Version {

+	case APIVersion1:

+		return e.pingV1()

+	case APIVersion2:

+		return e.pingV2()

+	}

+

+	// APIVersionUnknown

+	// We should try v2 first...

+	e.Version = APIVersion2

+	regInfo, errV2 := e.pingV2()

+	if errV2 == nil {

+		return regInfo, nil

+	}

+

+	// ... then fallback to v1.

+	e.Version = APIVersion1

+	regInfo, errV1 := e.pingV1()

+	if errV1 == nil {

+		return regInfo, nil

+	}

+

+	e.Version = APIVersionUnknown

+	return RegistryInfo{}, fmt.Errorf("unable to ping registry endpoint %s\nv2 ping attempt failed with error: %s\n v1 ping attempt failed with error: %s", e, errV2, errV1)

+}

+

+func (e *Endpoint) pingV1() (RegistryInfo, error) {

+	log.Debugf("attempting v1 ping for registry endpoint %s", e)

+

 	if e.String() == IndexServerAddress() {

-		// Skip the check, we now this one is valid

+		// Skip the check, we know this one is valid

 		// (and we never want to fallback to http in case of error)

 		return RegistryInfo{Standalone: false}, nil

 	}

-	req, err := http.NewRequest("GET", e.String()+"_ping", nil)

+	req, err := http.NewRequest("GET", e.Path("_ping"), nil)

 	if err != nil {

 		return RegistryInfo{Standalone: false}, err

 	}

-	resp, _, err := doRequest(req, nil, ConnectTimeout, e.secure)

+	resp, _, err := doRequest(req, nil, ConnectTimeout, e.IsSecure)

 	if err != nil {

 		return RegistryInfo{Standalone: false}, err

 	}

@@ -127,7 +173,7 @@ func (e Endpoint) Ping() (RegistryInfo, error) {

 	jsonString, err := ioutil.ReadAll(resp.Body)

 	if err != nil {

-		return RegistryInfo{Standalone: false}, fmt.Errorf("Error while reading the http response: %s", err)

+		return RegistryInfo{Standalone: false}, fmt.Errorf("error while reading the http response: %s", err)

 	}

 	// If the header is absent, we assume true for compatibility with earlier

@@ -157,3 +203,33 @@ func (e Endpoint) Ping() (RegistryInfo, error) {

 	log.Debugf("RegistryInfo.Standalone: %t", info.Standalone)

 	return info, nil

 }

+

+func (e *Endpoint) pingV2() (RegistryInfo, error) {

+	log.Debugf("attempting v2 ping for registry endpoint %s", e)

+

+	req, err := http.NewRequest("GET", e.Path(""), nil)

+	if err != nil {

+		return RegistryInfo{}, err

+	}

+

+	resp, _, err := doRequest(req, nil, ConnectTimeout, e.IsSecure)

+	if err != nil {

+		return RegistryInfo{}, err

+	}

+	defer resp.Body.Close()

+

+	if resp.StatusCode == http.StatusOK {

+		// It would seem that no authentication/authorization is required.

+		// So we don't need to parse/add any authorization schemes.

+		return RegistryInfo{Standalone: true}, nil

+	}

+

+	if resp.StatusCode == http.StatusUnauthorized {

+		// Parse the WWW-Authenticate Header and store the challenges

+		// on this endpoint object.

+		e.AuthChallenges = parseAuthHeader(resp.Header)

+		return RegistryInfo{}, nil

+	}

+

+	return RegistryInfo{}, fmt.Errorf("v2 registry endpoint returned status %d: %q", resp.StatusCode, http.StatusText(resp.StatusCode))

+}

@@ -8,8 +8,10 @@ func TestEndpointParse(t *testing.T) {

 		expected string

 	}{

 		{IndexServerAddress(), IndexServerAddress()},

-		{"http://0.0.0.0:5000", "http://0.0.0.0:5000/v1/"},

-		{"0.0.0.0:5000", "https://0.0.0.0:5000/v1/"},

+		{"http://0.0.0.0:5000/v1/", "http://0.0.0.0:5000/v1/"},

+		{"http://0.0.0.0:5000/v2/", "http://0.0.0.0:5000/v2/"},

+		{"http://0.0.0.0:5000", "http://0.0.0.0:5000/v0/"},

+		{"0.0.0.0:5000", "https://0.0.0.0:5000/v0/"},

 	}

 	for _, td := range testData {

 		e, err := newEndpoint(td.str, false)

@@ -1,6 +1,7 @@

 package registry

 import (

+	log "github.com/Sirupsen/logrus"

 	"github.com/docker/docker/engine"

 )

@@ -38,28 +39,39 @@ func (s *Service) Install(eng *engine.Engine) error {

 // and returns OK if authentication was sucessful.

 // It can be used to verify the validity of a client's credentials.

 func (s *Service) Auth(job *engine.Job) engine.Status {

-	var authConfig = new(AuthConfig)

+	var (

+		authConfig = new(AuthConfig)

+		endpoint   *Endpoint

+		index      *IndexInfo

+		status     string

+		err        error

+	)

 	job.GetenvJson("authConfig", authConfig)

-	if authConfig.ServerAddress != "" {

-		index, err := ResolveIndexInfo(job, authConfig.ServerAddress)

-		if err != nil {

-			return job.Error(err)

-		}

-		if !index.Official {

-			endpoint, err := NewEndpoint(index)

-			if err != nil {

-				return job.Error(err)

-			}

-			authConfig.ServerAddress = endpoint.String()

-		}

-	}

-

-	status, err := Login(authConfig, HTTPRequestFactory(nil))

-	if err != nil {

+	addr := authConfig.ServerAddress

+	if addr == "" {

+		// Use the official registry address if not specified.

+		addr = IndexServerAddress()

+	}

+

+	if index, err = ResolveIndexInfo(job, addr); err != nil {

 		return job.Error(err)

 	}

+

+	if endpoint, err = NewEndpoint(index); err != nil {

+		log.Errorf("unable to get new registry endpoint: %s", err)

+		return job.Error(err)

+	}

+

+	authConfig.ServerAddress = endpoint.String()

+

+	if status, err = Login(authConfig, endpoint, HTTPRequestFactory(nil)); err != nil {

+		log.Errorf("unable to login against registry endpoint %s: %s", endpoint, err)

+		return job.Error(err)

+	}

+

+	log.Infof("successful registry login for endpoint %s: %s", endpoint, status)

 	job.Printf("%s\n", status)

 	return engine.StatusOK

@@ -65,7 +65,7 @@ func NewSession(authConfig *AuthConfig, factory *utils.HTTPRequestFactory, endpo

 }

 func (r *Session) doRequest(req *http.Request) (*http.Response, *http.Client, error) {

-	return doRequest(req, r.jar, r.timeout, r.indexEndpoint.secure)

+	return doRequest(req, r.jar, r.timeout, r.indexEndpoint.IsSecure)

 }

 // Retrieve the history of a given image from the Registry.

new file mode 100644

@@ -0,0 +1,70 @@

+package registry

+

+import (

+	"errors"

+	"fmt"

+	"net/http"

+	"net/url"

+	"strings"

+

+	"github.com/docker/docker/utils"

+)

+

+func getToken(username, password string, params map[string]string, registryEndpoint *Endpoint, client *http.Client, factory *utils.HTTPRequestFactory) (token string, err error) {

+	realm, ok := params["realm"]

+	if !ok {

+		return "", errors.New("no realm specified for token auth challenge")

+	}

+

+	realmURL, err := url.Parse(realm)

+	if err != nil {

+		return "", fmt.Errorf("invalid token auth challenge realm: %s", err)

+	}

+

+	if realmURL.Scheme == "" {

+		if registryEndpoint.IsSecure {

+			realmURL.Scheme = "https"

+		} else {

+			realmURL.Scheme = "http"

+		}

+	}

+

+	req, err := factory.NewRequest("GET", realmURL.String(), nil)

+	if err != nil {

+		return "", err

+	}

+

+	reqParams := req.URL.Query()

+	service := params["service"]

+	scope := params["scope"]

+

+	if service != "" {

+		reqParams.Add("service", service)

+	}

+

+	for _, scopeField := range strings.Fields(scope) {

+		reqParams.Add("scope", scopeField)

+	}

+

+	reqParams.Add("account", username)

+

+	req.URL.RawQuery = reqParams.Encode()

+	req.SetBasicAuth(username, password)

+

+	resp, err := client.Do(req)

+	if err != nil {

+		return "", err

+	}

+	defer resp.Body.Close()

+

+	if !(resp.StatusCode == http.StatusOK || resp.StatusCode == http.StatusNoContent) {

+		return "", fmt.Errorf("token auth attempt for registry %s: %s request failed with status: %d %s", registryEndpoint, req.URL, resp.StatusCode, http.StatusText(resp.StatusCode))

+	}

+

+	token = resp.Header.Get("X-Auth-Token")

+	if token == "" {

+		return "", errors.New("token server did not include a token in the response header")

+	}

+

+	return token, nil

+}

@@ -55,14 +55,15 @@ func (av APIVersion) String() string {

 	return apiVersions[av]

 }

-var DefaultAPIVersion APIVersion = APIVersion1

 var apiVersions = map[APIVersion]string{

 	1: "v1",

 	2: "v2",

 }

+// API Version identifiers.

 const (

-	APIVersion1 = iota + 1

+	APIVersionUnknown = iota

+	APIVersion1

 	APIVersion2

 )