From 373f1e56127de561c5254eac2656f9066ad24693 Mon Sep 17 00:00:00 2001
From: ruediger-maass <ruediger.maass@de.ibm.com>
Date: Wed, 28 Feb 2018 02:32:44 +0000
Subject: [PATCH] Adds handling of 401 for POST /v2/token without
 authentication

This fix adds support for image registries that expect authentication for POST /v2/token such as used by the GET. E.g., JFrog Artifactory y has been observed to respond with a 401 (Unauthorized) in that case. Adding 401 in addition to the current handling of 405 and 404 in the resolver solves the authentication problem. Finally, this enables image pulls also for Artifactory.

Signed-off-by: Ruediger Maass <ruediger.maass@de.ibm.com>
---
 remotes/docker/resolver.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/remotes/docker/resolver.go b/remotes/docker/resolver.go
index 06b1724b4..371027489 100644
--- a/remotes/docker/resolver.go
+++ b/remotes/docker/resolver.go
@@ -498,7 +498,8 @@ func (r *dockerBase) fetchTokenWithOAuth(ctx context.Context, to tokenOptions) (
 
 	// Registries without support for POST may return 404 for POST /v2/token.
 	// As of September 2017, GCR is known to return 404.
-	if (resp.StatusCode == 405 && r.username != "") || resp.StatusCode == 404 {
+	// As of February 2018, JFrog Artifactory is known to return 401.
+	if (resp.StatusCode == 405 && r.username != "") || resp.StatusCode == 404 || resp.StatusCode == 401 {
 		return r.getToken(ctx, to)
 	} else if resp.StatusCode < 200 || resp.StatusCode >= 400 {
 		b, _ := ioutil.ReadAll(io.LimitReader(resp.Body, 64000)) // 64KB