From b1d4140a220eb429eeb2059cd33fad6cd3bc7c80 Mon Sep 17 00:00:00 2001
From: Derek McGowan <derek@mcg.dev>
Date: Fri, 14 May 2021 12:12:37 -0700
Subject: [PATCH] Update docker resolver to authorize redirects

Allows redirects to be authorized if authorization is provided
for the redirected to host. The authorization will always go
to the redirect and never to the referrer.

Signed-off-by: Derek McGowan <derek@mcg.dev>
---
 remotes/docker/resolver.go | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/remotes/docker/resolver.go b/remotes/docker/resolver.go
index 866379eb8..061ee4610 100644
--- a/remotes/docker/resolver.go
+++ b/remotes/docker/resolver.go
@@ -539,7 +539,21 @@ func (r *request) do(ctx context.Context) (*http.Response, error) {
 	if err := r.authorize(ctx, req); err != nil {
 		return nil, errors.Wrap(err, "failed to authorize")
 	}
-	resp, err := ctxhttp.Do(ctx, r.host.Client, req)
+
+	var client = &http.Client{}
+	if r.host.Client != nil {
+		*client = *r.host.Client
+	}
+	if client.CheckRedirect == nil {
+		client.CheckRedirect = func(req *http.Request, via []*http.Request) error {
+			if len(via) >= 10 {
+				return errors.New("stopped after 10 redirects")
+			}
+			return errors.Wrap(r.authorize(ctx, req), "failed to authorize redirect")
+		}
+	}
+
+	resp, err := ctxhttp.Do(ctx, client, req)
 	if err != nil {
 		return nil, errors.Wrap(err, "failed to do request")
 	}