13 files changed, 116 insertions, 57 deletions
diff --git a/pkg/api/handlers/compat/containers_attach.go b/pkg/api/handlers/compat/containers_attach.go
index 012e20daf..990140ee1 100644
--- a/pkg/api/handlers/compat/containers_attach.go
+++ b/pkg/api/handlers/compat/containers_attach.go
@@ -90,7 +90,7 @@ func AttachContainer(w http.ResponseWriter, r *http.Request) {
 	// For Docker compatibility, we need to re-initialize containers in these states.
 	if state == define.ContainerStateConfigured || state == define.ContainerStateExited {
 		if err := ctr.Init(r.Context()); err != nil {
-			utils.InternalServerError(w, errors.Wrapf(err, "error preparing container %s for attach", ctr.ID()))
+			utils.Error(w, "Container in wrong state", http.StatusConflict, errors.Wrapf(err, "error preparing container %s for attach", ctr.ID()))
 			return
 		}
 	} else if !(state == define.ContainerStateCreated || state == define.ContainerStateRunning) {
diff --git a/pkg/api/handlers/compat/containers_stats.go b/pkg/api/handlers/compat/containers_stats.go
index 62ccd2b93..048321add 100644
--- a/pkg/api/handlers/compat/containers_stats.go
+++ b/pkg/api/handlers/compat/containers_stats.go
@@ -45,8 +45,8 @@ func StatsContainer(w http.ResponseWriter, r *http.Request) {
 		utils.InternalServerError(w, err)
 		return
 	}
-	if state != define.ContainerStateRunning && !query.Stream {
-		utils.InternalServerError(w, define.ErrCtrStateInvalid)
+	if state != define.ContainerStateRunning {
+		utils.Error(w, "Container not running and streaming requested", http.StatusConflict, define.ErrCtrStateInvalid)
 		return
 	}
 
diff --git a/pkg/api/handlers/compat/events.go b/pkg/api/handlers/compat/events.go
index 7ebfb0d1e..577ddd0a1 100644
--- a/pkg/api/handlers/compat/events.go
+++ b/pkg/api/handlers/compat/events.go
@@ -26,7 +26,10 @@ func GetEvents(w http.ResponseWriter, r *http.Request) {
 		Since   string              `schema:"since"`
 		Until   string              `schema:"until"`
 		Filters map[string][]string `schema:"filters"`
-	}{}
+		Stream  bool                `schema:"stream"`
+	}{
+		Stream: true,
+	}
 	if err := decoder.Decode(&query, r.URL.Query()); err != nil {
 		utils.Error(w, "Failed to parse parameters", http.StatusBadRequest, errors.Wrapf(err, "Failed to parse parameters for %s", r.URL.String()))
 	}
@@ -41,9 +44,10 @@ func GetEvents(w http.ResponseWriter, r *http.Request) {
 	if len(query.Since) > 0 || len(query.Until) > 0 {
 		fromStart = true
 	}
+
 	eventChannel := make(chan *events.Event)
 	go func() {
-		readOpts := events.ReadOptions{FromStart: fromStart, Stream: true, Filters: libpodFilters, EventChannel: eventChannel, Since: query.Since, Until: query.Until}
+		readOpts := events.ReadOptions{FromStart: fromStart, Stream: query.Stream, Filters: libpodFilters, EventChannel: eventChannel, Since: query.Since, Until: query.Until}
 		eventsError = runtime.Events(readOpts)
 	}()
 	if eventsError != nil {
@@ -55,7 +59,9 @@ func GetEvents(w http.ResponseWriter, r *http.Request) {
 	// If client disappears we need to stop listening for events
 	go func(done <-chan struct{}) {
 		<-done
-		close(eventChannel)
+		if _, ok := <-eventChannel; ok {
+			close(eventChannel)
+		}
 	}(r.Context().Done())
 
 	// Headers need to be written out before turning Writer() over to json encoder
diff --git a/pkg/api/handlers/compat/images.go b/pkg/api/handlers/compat/images.go
index ea9cbd691..b64ed0036 100644
--- a/pkg/api/handlers/compat/images.go
+++ b/pkg/api/handlers/compat/images.go
@@ -15,6 +15,7 @@ import (
 	image2 "github.com/containers/libpod/libpod/image"
 	"github.com/containers/libpod/pkg/api/handlers"
 	"github.com/containers/libpod/pkg/api/handlers/utils"
+	"github.com/containers/libpod/pkg/auth"
 	"github.com/containers/libpod/pkg/domain/entities"
 	"github.com/containers/libpod/pkg/util"
 	"github.com/docker/docker/api/types"
@@ -251,19 +252,32 @@ func CreateImageFromImage(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	/*
-	   fromImage – Name of the image to pull. The name may include a tag or digest. This parameter may only be used when pulling an image. The pull is cancelled if the HTTP connection is closed.
-	   repo – Repository name given to an image when it is imported. The repo may include a tag. This parameter may only be used when importing an image.
-	   tag – Tag or digest. If empty when pulling an image, this causes all tags for the given image to be pulled.
-	*/
 	fromImage := query.FromImage
 	if len(query.Tag) >= 1 {
 		fromImage = fmt.Sprintf("%s:%s", fromImage, query.Tag)
 	}
 
-	// TODO
-	// We are eating the output right now because we haven't talked about how to deal with multiple responses yet
-	img, err := runtime.ImageRuntime().New(r.Context(), fromImage, "", "", nil, &image2.DockerRegistryOptions{}, image2.SigningOptions{}, nil, util.PullImageMissing)
+	authConf, authfile, err := auth.GetCredentials(r)
+	if err != nil {
+		utils.Error(w, "Something went wrong.", http.StatusBadRequest, errors.Wrapf(err, "Failed to parse %q header for %s", auth.XRegistryAuthHeader, r.URL.String()))
+		return
+	}
+	defer auth.RemoveAuthfile(authfile)
+
+	registryOpts := image2.DockerRegistryOptions{DockerRegistryCreds: authConf}
+	if sys := runtime.SystemContext(); sys != nil {
+		registryOpts.DockerCertPath = sys.DockerCertPath
+	}
+	img, err := runtime.ImageRuntime().New(r.Context(),
+		fromImage,
+		"", // signature policy
+		authfile,
+		nil, // writer
+		&registryOpts,
+		image2.SigningOptions{},
+		nil, // label
+		util.PullImageMissing,
+	)
 	if err != nil {
 		utils.Error(w, "Something went wrong.", http.StatusInternalServerError, err)
 		return
diff --git a/pkg/api/handlers/compat/images_push.go b/pkg/api/handlers/compat/images_push.go
index 2260d5557..47976b7c9 100644
--- a/pkg/api/handlers/compat/images_push.go
+++ b/pkg/api/handlers/compat/images_push.go
@@ -9,6 +9,7 @@ import (
 	"github.com/containers/libpod/libpod"
 	"github.com/containers/libpod/libpod/image"
 	"github.com/containers/libpod/pkg/api/handlers/utils"
+	"github.com/containers/libpod/pkg/auth"
 	"github.com/gorilla/schema"
 	"github.com/pkg/errors"
 )
@@ -48,13 +49,17 @@ func PushImage(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	// TODO: the X-Registry-Auth header is not checked yet here nor in any other
-	// endpoint. Pushing does NOT work with authentication at the moment.
-	dockerRegistryOptions := &image.DockerRegistryOptions{}
-	authfile := ""
+	authConf, authfile, err := auth.GetCredentials(r)
+	if err != nil {
+		utils.Error(w, "Something went wrong.", http.StatusBadRequest, errors.Wrapf(err, "Failed to parse %q header for %s", auth.XRegistryAuthHeader, r.URL.String()))
+		return
+	}
+	defer auth.RemoveAuthfile(authfile)
+
+	dockerRegistryOptions := &image.DockerRegistryOptions{DockerRegistryCreds: authConf}
 	if sys := runtime.SystemContext(); sys != nil {
 		dockerRegistryOptions.DockerCertPath = sys.DockerCertPath
-		authfile = sys.AuthFilePath
+		dockerRegistryOptions.RegistriesConfPath = sys.SystemRegistriesConfPath
 	}
 
 	err = newImage.PushImageToHeuristicDestination(
diff --git a/pkg/api/handlers/compat/networks.go b/pkg/api/handlers/compat/networks.go
index ceeae30fb..c52ca093f 100644
--- a/pkg/api/handlers/compat/networks.go
+++ b/pkg/api/handlers/compat/networks.go
@@ -123,7 +123,7 @@ func getNetworkResourceByName(name string, runtime *libpod.Runtime) (*types.Netw
 	report := types.NetworkResource{
 		Name:       name,
 		ID:         "",
-		Created:    time.Unix(stat.Ctim.Sec, stat.Ctim.Nsec),
+		Created:    time.Unix(int64(stat.Ctim.Sec), int64(stat.Ctim.Nsec)), // nolint: unconvert
 		Scope:      "",
 		Driver:     network.DefaultNetworkDriver,
 		EnableIPv6: false,
diff --git a/pkg/api/handlers/compat/resize.go b/pkg/api/handlers/compat/resize.go
index 3ead733bc..231b53175 100644
--- a/pkg/api/handlers/compat/resize.go
+++ b/pkg/api/handlers/compat/resize.go
@@ -1,10 +1,12 @@
 package compat
 
 import (
+	"fmt"
 	"net/http"
 	"strings"
 
 	"github.com/containers/libpod/libpod"
+	"github.com/containers/libpod/libpod/define"
 	"github.com/containers/libpod/pkg/api/handlers/utils"
 	"github.com/gorilla/schema"
 	"github.com/pkg/errors"
@@ -43,6 +45,14 @@ func ResizeTTY(w http.ResponseWriter, r *http.Request) {
 			utils.ContainerNotFound(w, name, err)
 			return
 		}
+		if state, err := ctnr.State(); err != nil {
+			utils.InternalServerError(w, errors.Wrapf(err, "cannot obtain container state"))
+			return
+		} else if state != define.ContainerStateRunning {
+			utils.Error(w, "Container not running", http.StatusConflict,
+				fmt.Errorf("container %q in wrong state %q", name, state.String()))
+			return
+		}
 		if err := ctnr.AttachResize(sz); err != nil {
 			utils.InternalServerError(w, errors.Wrapf(err, "cannot resize container"))
 			return
@@ -56,6 +66,14 @@ func ResizeTTY(w http.ResponseWriter, r *http.Request) {
 			utils.SessionNotFound(w, name, err)
 			return
 		}
+		if state, err := ctnr.State(); err != nil {
+			utils.InternalServerError(w, errors.Wrapf(err, "cannot obtain session container state"))
+			return
+		} else if state != define.ContainerStateRunning {
+			utils.Error(w, "Container not running", http.StatusConflict,
+				fmt.Errorf("container %q in wrong state %q", name, state.String()))
+			return
+		}
 		if err := ctnr.ExecResize(name, sz); err != nil {
 			utils.InternalServerError(w, errors.Wrapf(err, "cannot resize session"))
 			return
diff --git a/pkg/api/handlers/compat/types.go b/pkg/api/handlers/compat/types.go
index b8d06760f..6d47ede64 100644
--- a/pkg/api/handlers/compat/types.go
+++ b/pkg/api/handlers/compat/types.go
@@ -48,7 +48,7 @@ type StatsJSON struct {
 	Stats
 
 	Name string `json:"name,omitempty"`
-	ID   string `json:"id,omitempty"`
+	ID   string `json:"Id,omitempty"`
 
 	// Networks request version >=1.21
 	Networks map[string]docker.NetworkStats `json:"networks,omitempty"`
diff --git a/pkg/api/handlers/libpod/containers.go b/pkg/api/handlers/libpod/containers.go
index 3902bdc9b..50f6b1a38 100644
--- a/pkg/api/handlers/libpod/containers.go
+++ b/pkg/api/handlers/libpod/containers.go
@@ -66,6 +66,10 @@ func ListContainers(w http.ResponseWriter, r *http.Request) {
 		utils.InternalServerError(w, err)
 		return
 	}
+	if len(pss) == 0 {
+		utils.WriteResponse(w, http.StatusOK, "[]")
+		return
+	}
 	utils.WriteResponse(w, http.StatusOK, pss)
 }
 
diff --git a/pkg/api/handlers/libpod/images.go b/pkg/api/handlers/libpod/images.go
index 1cbcfb52c..4b277d39c 100644
--- a/pkg/api/handlers/libpod/images.go
+++ b/pkg/api/handlers/libpod/images.go
@@ -21,6 +21,7 @@ import (
 	image2 "github.com/containers/libpod/libpod/image"
 	"github.com/containers/libpod/pkg/api/handlers"
 	"github.com/containers/libpod/pkg/api/handlers/utils"
+	"github.com/containers/libpod/pkg/auth"
 	"github.com/containers/libpod/pkg/domain/entities"
 	"github.com/containers/libpod/pkg/domain/infra/abi"
 	"github.com/containers/libpod/pkg/errorhandling"
@@ -28,6 +29,7 @@ import (
 	utils2 "github.com/containers/libpod/utils"
 	"github.com/gorilla/schema"
 	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
 )
 
 // Commit
@@ -339,7 +341,6 @@ func ImagesPull(w http.ResponseWriter, r *http.Request) {
 	decoder := r.Context().Value("decoder").(*schema.Decoder)
 	query := struct {
 		Reference    string `schema:"reference"`
-		Credentials  string `schema:"credentials"`
 		OverrideOS   string `schema:"overrideOS"`
 		OverrideArch string `schema:"overrideArch"`
 		TLSVerify    bool   `schema:"tlsVerify"`
@@ -382,20 +383,16 @@ func ImagesPull(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	var registryCreds *types.DockerAuthConfig
-	if len(query.Credentials) != 0 {
-		creds, err := util.ParseRegistryCreds(query.Credentials)
-		if err != nil {
-			utils.Error(w, http.StatusText(http.StatusBadRequest), http.StatusBadRequest,
-				errors.Wrapf(err, "error parsing credentials %q", query.Credentials))
-			return
-		}
-		registryCreds = creds
+	authConf, authfile, err := auth.GetCredentials(r)
+	if err != nil {
+		utils.Error(w, "Something went wrong.", http.StatusBadRequest, errors.Wrapf(err, "Failed to parse %q header for %s", auth.XRegistryAuthHeader, r.URL.String()))
+		return
 	}
+	defer auth.RemoveAuthfile(authfile)
 
 	// Setup the registry options
 	dockerRegistryOptions := image.DockerRegistryOptions{
-		DockerRegistryCreds: registryCreds,
+		DockerRegistryCreds: authConf,
 		OSChoice:            query.OverrideOS,
 		ArchitectureChoice:  query.OverrideArch,
 	}
@@ -403,6 +400,13 @@ func ImagesPull(w http.ResponseWriter, r *http.Request) {
 		dockerRegistryOptions.DockerInsecureSkipTLSVerify = types.NewOptionalBool(!query.TLSVerify)
 	}
 
+	sys := runtime.SystemContext()
+	if sys == nil {
+		sys = image.GetSystemContext("", authfile, false)
+	}
+	dockerRegistryOptions.DockerCertPath = sys.DockerCertPath
+	sys.DockerAuthConfig = authConf
+
 	// Prepare the images we want to pull
 	imagesToPull := []string{}
 	res := []handlers.LibpodImagesPullReport{}
@@ -411,8 +415,7 @@ func ImagesPull(w http.ResponseWriter, r *http.Request) {
 	if !query.AllTags {
 		imagesToPull = append(imagesToPull, imageName)
 	} else {
-		systemContext := image.GetSystemContext("", "", false)
-		tags, err := docker.GetRepositoryTags(context.Background(), systemContext, imageRef)
+		tags, err := docker.GetRepositoryTags(context.Background(), sys, imageRef)
 		if err != nil {
 			utils.InternalServerError(w, errors.Wrap(err, "error getting repository tags"))
 			return
@@ -422,12 +425,6 @@ func ImagesPull(w http.ResponseWriter, r *http.Request) {
 		}
 	}
 
-	authfile := ""
-	if sys := runtime.SystemContext(); sys != nil {
-		dockerRegistryOptions.DockerCertPath = sys.DockerCertPath
-		authfile = sys.AuthFilePath
-	}
-
 	// Finally pull the images
 	for _, img := range imagesToPull {
 		newImage, err := runtime.ImageRuntime().New(
@@ -456,7 +453,6 @@ func PushImage(w http.ResponseWriter, r *http.Request) {
 	runtime := r.Context().Value("runtime").(*libpod.Runtime)
 
 	query := struct {
-		Credentials string `schema:"credentials"`
 		Destination string `schema:"destination"`
 		TLSVerify   bool   `schema:"tlsVerify"`
 	}{
@@ -492,26 +488,20 @@ func PushImage(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	var registryCreds *types.DockerAuthConfig
-	if len(query.Credentials) != 0 {
-		creds, err := util.ParseRegistryCreds(query.Credentials)
-		if err != nil {
-			utils.Error(w, http.StatusText(http.StatusBadRequest), http.StatusBadRequest,
-				errors.Wrapf(err, "error parsing credentials %q", query.Credentials))
-			return
-		}
-		registryCreds = creds
+	authConf, authfile, err := auth.GetCredentials(r)
+	if err != nil {
+		utils.Error(w, "Something went wrong.", http.StatusBadRequest, errors.Wrapf(err, "Failed to parse %q header for %s", auth.XRegistryAuthHeader, r.URL.String()))
+		return
 	}
+	defer auth.RemoveAuthfile(authfile)
+	logrus.Errorf("AuthConf: %v", authConf)
 
-	// TODO: the X-Registry-Auth header is not checked yet here nor in any other
-	// endpoint. Pushing does NOT work with authentication at the moment.
 	dockerRegistryOptions := &image.DockerRegistryOptions{
-		DockerRegistryCreds: registryCreds,
+		DockerRegistryCreds: authConf,
 	}
-	authfile := ""
 	if sys := runtime.SystemContext(); sys != nil {
 		dockerRegistryOptions.DockerCertPath = sys.DockerCertPath
-		authfile = sys.AuthFilePath
+		dockerRegistryOptions.RegistriesConfPath = sys.SystemRegistriesConfPath
 	}
 	if _, found := r.URL.Query()["tlsVerify"]; found {
 		dockerRegistryOptions.DockerInsecureSkipTLSVerify = types.NewOptionalBool(!query.TLSVerify)
diff --git a/pkg/api/handlers/libpod/manifests.go b/pkg/api/handlers/libpod/manifests.go
index 93ca367f7..aef92368b 100644
--- a/pkg/api/handlers/libpod/manifests.go
+++ b/pkg/api/handlers/libpod/manifests.go
@@ -120,6 +120,10 @@ func ManifestRemove(w http.ResponseWriter, r *http.Request) {
 	utils.WriteResponse(w, http.StatusOK, handlers.IDResponse{ID: newID})
 }
 func ManifestPush(w http.ResponseWriter, r *http.Request) {
+	// FIXME: parameters are missing (tlsVerify, format).
+	// Also, we should use the ABI function to avoid duplicate code.
+	// Also, support for XRegistryAuth headers are missing.
+
 	runtime := r.Context().Value("runtime").(*libpod.Runtime)
 	decoder := r.Context().Value("decoder").(*schema.Decoder)
 	query := struct {
diff --git a/pkg/api/handlers/libpod/play.go b/pkg/api/handlers/libpod/play.go
index 26e02bf4f..1cb5cdb6c 100644
--- a/pkg/api/handlers/libpod/play.go
+++ b/pkg/api/handlers/libpod/play.go
@@ -9,6 +9,7 @@ import (
 	"github.com/containers/image/v5/types"
 	"github.com/containers/libpod/libpod"
 	"github.com/containers/libpod/pkg/api/handlers/utils"
+	"github.com/containers/libpod/pkg/auth"
 	"github.com/containers/libpod/pkg/domain/entities"
 	"github.com/containers/libpod/pkg/domain/infra/abi"
 	"github.com/gorilla/schema"
@@ -47,9 +48,26 @@ func PlayKube(w http.ResponseWriter, r *http.Request) {
 		utils.Error(w, "Something went wrong.", http.StatusInternalServerError, errors.Wrap(err, "error closing temporary file"))
 		return
 	}
+	authConf, authfile, err := auth.GetCredentials(r)
+	if err != nil {
+		utils.Error(w, "Something went wrong.", http.StatusBadRequest, errors.Wrapf(err, "Failed to parse %q header for %s", auth.XRegistryAuthHeader, r.URL.String()))
+		return
+	}
+	defer auth.RemoveAuthfile(authfile)
+	var username, password string
+	if authConf != nil {
+		username = authConf.Username
+		password = authConf.Password
+	}
 
 	containerEngine := abi.ContainerEngine{Libpod: runtime}
-	options := entities.PlayKubeOptions{Network: query.Network, Quiet: true}
+	options := entities.PlayKubeOptions{
+		Authfile: authfile,
+		Username: username,
+		Password: password,
+		Network:  query.Network,
+		Quiet:    true,
+	}
 	if _, found := r.URL.Query()["tlsVerify"]; found {
 		options.SkipTLSVerify = types.NewOptionalBool(!query.TLSVerify)
 	}
diff --git a/pkg/api/handlers/types.go b/pkg/api/handlers/types.go
index d8cdd9caf..aa3d0fe91 100644
--- a/pkg/api/handlers/types.go
+++ b/pkg/api/handlers/types.go
@@ -120,7 +120,7 @@ type CreateContainerConfig struct {
 // swagger:model IDResponse
 type IDResponse struct {
 	// ID
-	ID string `json:"id"`
+	ID string `json:"Id"`
 }
 
 type ContainerTopOKBody struct {