https://bugzilla.redhat.com/show_bug.cgi?id=1037830
--- Comment #1 from John Eckersberg jeckersb@redhat.com --- Ok, some more detail at least on the "Authentication is required" bit.
GetRemoteHistory contains the following line:
req.Header.Set("Authorization", "Token "+strings.Join(token, ", "))
However, token is a slice with only a single element, and this single string appears to be a previously joined list of tokens. Most importantly is that it appears to have been joined with "," instead of ", " and that makes a difference.
Here's two curl calls to illustrate the difference.
The first doesn't contain the extra space after the comma, and this is the way the code as written is sending the request. You can see it returns a 401 status code (Unauthorized).
$ curl -i https://cdn-registry-1.docker.io/v1/images/a567e6f3d26a5736d00a5e9be9a609b44... --header 'Authorization: Token signature=545980deb5d0238c5c1fdbe4bc20867932fa8aee,repository="mattdm/fedora",access=read' HTTP/1.1 401 Unauthorized Server: cloudflare-nginx Date: Wed, 04 Dec 2013 00:28:12 GMT Content-Type: application/json Content-Length: 41 Connection: keep-alive Set-Cookie: __cfduid=de296b6a53b52e2ff5883a0e6b303fc811386116891989; expires=Mon, 23-Dec-2019 23:50:00 GMT; path=/; domain=.docker.io; HttpOnly expires: -1 www-authenticate: Token pragma: no-cache cache-control: no-cache x-docker-registry-version: 0.6.2 x-docker-registry-config: prod CF-RAY: d74600eeb9c03f4
{ "error": "Requires authorization" }
The second call adds that extra space, and completes successfully.
$ curl -i https://cdn-registry-1.docker.io/v1/images/a567e6f3d26a5736d00a5e9be9a609b44... --header 'Authorization: Token ignature=545980deb5d0238c5c1fdbe4bc20867932fa8aee, repository="mattdm/fedora", access=read' HTTP/1.1 200 OK Server: cloudflare-nginx Date: Wed, 04 Dec 2013 00:28:26 GMT Content-Type: application/json Content-Length: 74 Connection: keep-alive Set-Cookie: __cfduid=d493453bb50165de54a9a9cc1021b890d1386116906549; expires=Mon, 23-Dec-2019 23:50:00 GMT; path=/; domain=.docker.io; HttpOnly last-modified: Thu, 01 Jan 1970 00:00:00 GMT pragma: no-cache cache-control: public, max-age=31536000 expires: Thu, 04 Dec 2014 00:28:26 GMT x-docker-registry-version: 0.6.2 x-docker-registry-config: prod CF-RAY: d746069e53c03fa
[ "a567e6f3d26a5736d00a5e9be9a609b44ab13f0e43fc466f45beaa7ea9054766" ]
I'm assuming that part of the bug is that the token string slice shouldn't ever be passed in like this. I still need to trace it back and figure out where it's getting joined ahead of time. That's probably the right place to fix it. I see nine places in registry.go where it sets the Authorization header in this manner.