10 files changed, 1058 insertions, 0 deletions

diff --git a/vendor/github.com/hashicorp/terraform/svchost/auth/cache.go b/vendor/github.com/hashicorp/terraform/svchost/auth/cache.go
new file mode 100644
index 0000000..4f0d168
--- /dev/null
+++ b/vendor/github.com/hashicorp/terraform/svchost/auth/cache.go
@@ -0,0 +1,45 @@
+package auth
+
+import (
+        "github.com/hashicorp/terraform/svchost"
+)
+
+// CachingCredentialsSource creates a new credentials source that wraps another
+// and caches its results in memory, on a per-hostname basis.
+//
+// No means is provided for expiration of cached credentials, so a caching
+// credentials source should have a limited lifetime (one Terraform operation,
+// for example) to ensure that time-limited credentials don't expire before
+// their cache entries do.
+func CachingCredentialsSource(source CredentialsSource) CredentialsSource {
+        return &cachingCredentialsSource{
+                source: source,
+                cache:  map[svchost.Hostname]HostCredentials{},
+        }
+}
+
+type cachingCredentialsSource struct {
+        source CredentialsSource
+        cache  map[svchost.Hostname]HostCredentials
+}
+
+// ForHost passes the given hostname on to the wrapped credentials source and
+// caches the result to return for future requests with the same hostname.
+//
+// Both credentials and non-credentials (nil) responses are cached.
+//
+// No cache entry is created if the wrapped source returns an error, to allow
+// the caller to retry the failing operation.
+func (s *cachingCredentialsSource) ForHost(host svchost.Hostname) (HostCredentials, error) {
+        if cache, cached := s.cache[host]; cached {
+                return cache, nil
+        }
+
+        result, err := s.source.ForHost(host)
+        if err != nil {
+                return result, err
+        }
+
+        s.cache[host] = result
+        return result, nil
+}
diff --git a/vendor/github.com/hashicorp/terraform/svchost/auth/credentials.go b/vendor/github.com/hashicorp/terraform/svchost/auth/credentials.go
new file mode 100644
index 0000000..0372c16
--- /dev/null
+++ b/vendor/github.com/hashicorp/terraform/svchost/auth/credentials.go
@@ -0,0 +1,63 @@
+// Package auth contains types and functions to manage authentication
+// credentials for service hosts.
+package auth
+
+import (
+        "net/http"
+
+        "github.com/hashicorp/terraform/svchost"
+)
+
+// Credentials is a list of CredentialsSource objects that can be tried in
+// turn until one returns credentials for a host, or one returns an error.
+//
+// A Credentials is itself a CredentialsSource, wrapping its members.
+// In principle one CredentialsSource can be nested inside another, though
+// there is no good reason to do so.
+type Credentials []CredentialsSource
+
+// NoCredentials is an empty CredentialsSource that always returns nil
+// when asked for credentials.
+var NoCredentials CredentialsSource = Credentials{}
+
+// A CredentialsSource is an object that may be able to provide credentials
+// for a given host.
+//
+// Credentials lookups are not guaranteed to be concurrency-safe. Callers
+// using these facilities in concurrent code must use external concurrency
+// primitives to prevent race conditions.
+type CredentialsSource interface {
+        // ForHost returns a non-nil HostCredentials if the source has credentials
+        // available for the host, and a nil HostCredentials if it does not.
+        //
+        // If an error is returned, progress through a list of CredentialsSources
+        // is halted and the error is returned to the user.
+        ForHost(host svchost.Hostname) (HostCredentials, error)
+}
+
+// HostCredentials represents a single set of credentials for a particular
+// host.
+type HostCredentials interface {
+        // PrepareRequest modifies the given request in-place to apply the
+        // receiving credentials. The usual behavior of this method is to
+        // add some sort of Authorization header to the request.
+        PrepareRequest(req *http.Request)
+
+        // Token returns the authentication token.
+        Token() string
+}
+
+// ForHost iterates over the contained CredentialsSource objects and
+// tries to obtain credentials for the given host from each one in turn.
+//
+// If any source returns either a non-nil HostCredentials or a non-nil error
+// then this result is returned. Otherwise, the result is nil, nil.
+func (c Credentials) ForHost(host svchost.Hostname) (HostCredentials, error) {
+        for _, source := range c {
+                creds, err := source.ForHost(host)
+                if creds != nil || err != nil {
+                        return creds, err
+                }
+        }
+        return nil, nil
+}
diff --git a/vendor/github.com/hashicorp/terraform/svchost/auth/from_map.go b/vendor/github.com/hashicorp/terraform/svchost/auth/from_map.go
new file mode 100644
index 0000000..f91006a
--- /dev/null
+++ b/vendor/github.com/hashicorp/terraform/svchost/auth/from_map.go
@@ -0,0 +1,18 @@
+package auth
+
+// HostCredentialsFromMap converts a map of key-value pairs from a credentials
+// definition provided by the user (e.g. in a config file, or via a credentials
+// helper) into a HostCredentials object if possible, or returns nil if
+// no credentials could be extracted from the map.
+//
+// This function ignores map keys it is unfamiliar with, to allow for future
+// expansion of the credentials map format for new credential types.
+func HostCredentialsFromMap(m map[string]interface{}) HostCredentials {
+        if m == nil {
+                return nil
+        }
+        if token, ok := m["token"].(string); ok {
+                return HostCredentialsToken(token)
+        }
+        return nil
+}
diff --git a/vendor/github.com/hashicorp/terraform/svchost/auth/helper_program.go b/vendor/github.com/hashicorp/terraform/svchost/auth/helper_program.go
new file mode 100644
index 0000000..d72ffe3
--- /dev/null
+++ b/vendor/github.com/hashicorp/terraform/svchost/auth/helper_program.go
@@ -0,0 +1,80 @@
+package auth
+
+import (
+        "bytes"
+        "encoding/json"
+        "fmt"
+        "os/exec"
+        "path/filepath"
+
+        "github.com/hashicorp/terraform/svchost"
+)
+
+type helperProgramCredentialsSource struct {
+        executable string
+        args       []string
+}
+
+// HelperProgramCredentialsSource returns a CredentialsSource that runs the
+// given program with the given arguments in order to obtain credentials.
+//
+// The given executable path must be an absolute path; it is the caller's
+// responsibility to validate and process a relative path or other input
+// provided by an end-user. If the given path is not absolute, this
+// function will panic.
+//
+// When credentials are requested, the program will be run in a child process
+// with the given arguments along with two additional arguments added to the
+// end of the list: the literal string "get", followed by the requested
+// hostname in ASCII compatibility form (punycode form).
+func HelperProgramCredentialsSource(executable string, args ...string) CredentialsSource {
+        if !filepath.IsAbs(executable) {
+                panic("NewCredentialsSourceHelperProgram requires absolute path to executable")
+        }
+
+        fullArgs := make([]string, len(args)+1)
+        fullArgs[0] = executable
+        copy(fullArgs[1:], args)
+
+        return &helperProgramCredentialsSource{
+                executable: executable,
+                args:       fullArgs,
+        }
+}
+
+func (s *helperProgramCredentialsSource) ForHost(host svchost.Hostname) (HostCredentials, error) {
+        args := make([]string, len(s.args), len(s.args)+2)
+        copy(args, s.args)
+        args = append(args, "get")
+        args = append(args, string(host))
+
+        outBuf := bytes.Buffer{}
+        errBuf := bytes.Buffer{}
+
+        cmd := exec.Cmd{
+                Path:   s.executable,
+                Args:   args,
+                Stdin:  nil,
+                Stdout: &outBuf,
+                Stderr: &errBuf,
+        }
+        err := cmd.Run()
+        if _, isExitErr := err.(*exec.ExitError); isExitErr {
+                errText := errBuf.String()
+                if errText == "" {
+                        // Shouldn't happen for a well-behaved helper program
+                        return nil, fmt.Errorf("error in %s, but it produced no error message", s.executable)
+                }
+                return nil, fmt.Errorf("error in %s: %s", s.executable, errText)
+        } else if err != nil {
+                return nil, fmt.Errorf("failed to run %s: %s", s.executable, err)
+        }
+
+        var m map[string]interface{}
+        err = json.Unmarshal(outBuf.Bytes(), &m)
+        if err != nil {
+                return nil, fmt.Errorf("malformed output from %s: %s", s.executable, err)
+        }
+
+        return HostCredentialsFromMap(m), nil
+}
diff --git a/vendor/github.com/hashicorp/terraform/svchost/auth/static.go b/vendor/github.com/hashicorp/terraform/svchost/auth/static.go
new file mode 100644
index 0000000..5373fdd
--- /dev/null
+++ b/vendor/github.com/hashicorp/terraform/svchost/auth/static.go
@@ -0,0 +1,28 @@
+package auth
+
+import (
+        "github.com/hashicorp/terraform/svchost"
+)
+
+// StaticCredentialsSource is a credentials source that retrieves credentials
+// from the provided map. It returns nil if a requested hostname is not
+// present in the map.
+//
+// The caller should not modify the given map after passing it to this function.
+func StaticCredentialsSource(creds map[svchost.Hostname]map[string]interface{}) CredentialsSource {
+        return staticCredentialsSource(creds)
+}
+
+type staticCredentialsSource map[svchost.Hostname]map[string]interface{}
+
+func (s staticCredentialsSource) ForHost(host svchost.Hostname) (HostCredentials, error) {
+        if s == nil {
+                return nil, nil
+        }
+
+        if m, exists := s[host]; exists {
+                return HostCredentialsFromMap(m), nil
+        }
+
+        return nil, nil
+}
diff --git a/vendor/github.com/hashicorp/terraform/svchost/auth/token_credentials.go b/vendor/github.com/hashicorp/terraform/svchost/auth/token_credentials.go
new file mode 100644
index 0000000..9358bcb
--- /dev/null
+++ b/vendor/github.com/hashicorp/terraform/svchost/auth/token_credentials.go
@@ -0,0 +1,25 @@
+package auth
+
+import (
+        "net/http"
+)
+
+// HostCredentialsToken is a HostCredentials implementation that represents a
+// single "bearer token", to be sent to the server via an Authorization header
+// with the auth type set to "Bearer"
+type HostCredentialsToken string
+
+// PrepareRequest alters the given HTTP request by setting its Authorization
+// header to the string "Bearer " followed by the encapsulated authentication
+// token.
+func (tc HostCredentialsToken) PrepareRequest(req *http.Request) {
+        if req.Header == nil {
+                req.Header = http.Header{}
+        }
+        req.Header.Set("Authorization", "Bearer "+string(tc))
+}
+
+// Token returns the authentication token.
+func (tc HostCredentialsToken) Token() string {
+        return string(tc)
+}
diff --git a/vendor/github.com/hashicorp/terraform/svchost/disco/disco.go b/vendor/github.com/hashicorp/terraform/svchost/disco/disco.go
new file mode 100644
index 0000000..1963cbd
--- /dev/null
+++ b/vendor/github.com/hashicorp/terraform/svchost/disco/disco.go
@@ -0,0 +1,259 @@
+// Package disco handles Terraform's remote service discovery protocol.
+//
+// This protocol allows mapping from a service hostname, as produced by the
+// svchost package, to a set of services supported by that host and the
+// endpoint information for each supported service.
+package disco
+
+import (
+        "encoding/json"
+        "errors"
+        "fmt"
+        "io"
+        "io/ioutil"
+        "log"
+        "mime"
+        "net/http"
+        "net/url"
+        "time"
+
+        cleanhttp "github.com/hashicorp/go-cleanhttp"
+        "github.com/hashicorp/terraform/httpclient"
+        "github.com/hashicorp/terraform/svchost"
+        "github.com/hashicorp/terraform/svchost/auth"
+)
+
+const (
+        // Fixed path to the discovery manifest.
+        discoPath = "/.well-known/terraform.json"
+
+        // Arbitrary-but-small number to prevent runaway redirect loops.
+        maxRedirects = 3
+
+        // Arbitrary-but-small time limit to prevent UI "hangs" during discovery.
+        discoTimeout = 11 * time.Second
+
+        // 1MB - to prevent abusive services from using loads of our memory.
+        maxDiscoDocBytes = 1 * 1024 * 1024
+)
+
+// httpTransport is overridden during tests, to skip TLS verification.
+var httpTransport = cleanhttp.DefaultPooledTransport()
+
+// Disco is the main type in this package, which allows discovery on given
+// hostnames and caches the results by hostname to avoid repeated requests
+// for the same information.
+type Disco struct {
+        hostCache map[svchost.Hostname]*Host
+        credsSrc  auth.CredentialsSource
+
+        // Transport is a custom http.RoundTripper to use.
+        Transport http.RoundTripper
+}
+
+// New returns a new initialized discovery object.
+func New() *Disco {
+        return NewWithCredentialsSource(nil)
+}
+
+// NewWithCredentialsSource returns a new discovery object initialized with
+// the given credentials source.
+func NewWithCredentialsSource(credsSrc auth.CredentialsSource) *Disco {
+        return &Disco{
+                hostCache: make(map[svchost.Hostname]*Host),
+                credsSrc:  credsSrc,
+                Transport: httpTransport,
+        }
+}
+
+// SetCredentialsSource provides a credentials source that will be used to
+// add credentials to outgoing discovery requests, where available.
+//
+// If this method is never called, no outgoing discovery requests will have
+// credentials.
+func (d *Disco) SetCredentialsSource(src auth.CredentialsSource) {
+        d.credsSrc = src
+}
+
+// CredentialsForHost returns a non-nil HostCredentials if the embedded source has
+// credentials available for the host, and a nil HostCredentials if it does not.
+func (d *Disco) CredentialsForHost(hostname svchost.Hostname) (auth.HostCredentials, error) {
+        if d.credsSrc == nil {
+                return nil, nil
+        }
+        return d.credsSrc.ForHost(hostname)
+}
+
+// ForceHostServices provides a pre-defined set of services for a given
+// host, which prevents the receiver from attempting network-based discovery
+// for the given host. Instead, the given services map will be returned
+// verbatim.
+//
+// When providing "forced" services, any relative URLs are resolved against
+// the initial discovery URL that would have been used for network-based
+// discovery, yielding the same results as if the given map were published
+// at the host's default discovery URL, though using absolute URLs is strongly
+// recommended to make the configured behavior more explicit.
+func (d *Disco) ForceHostServices(hostname svchost.Hostname, services map[string]interface{}) {
+        if services == nil {
+                services = map[string]interface{}{}
+        }
+
+        d.hostCache[hostname] = &Host{
+                discoURL: &url.URL{
+                        Scheme: "https",
+                        Host:   string(hostname),
+                        Path:   discoPath,
+                },
+                hostname:  hostname.ForDisplay(),
+                services:  services,
+                transport: d.Transport,
+        }
+}
+
+// Discover runs the discovery protocol against the given hostname (which must
+// already have been validated and prepared with svchost.ForComparison) and
+// returns an object describing the services available at that host.
+//
+// If a given hostname supports no Terraform services at all, a non-nil but
+// empty Host object is returned. When giving feedback to the end user about
+// such situations, we say "host <name> does not provide a <service> service",
+// regardless of whether that is due to that service specifically being absent
+// or due to the host not providing Terraform services at all, since we don't
+// wish to expose the detail of whole-host discovery to an end-user.
+func (d *Disco) Discover(hostname svchost.Hostname) (*Host, error) {
+        if host, cached := d.hostCache[hostname]; cached {
+                return host, nil
+        }
+
+        host, err := d.discover(hostname)
+        if err != nil {
+                return nil, err
+        }
+        d.hostCache[hostname] = host
+
+        return host, nil
+}
+
+// DiscoverServiceURL is a convenience wrapper for discovery on a given
+// hostname and then looking up a particular service in the result.
+func (d *Disco) DiscoverServiceURL(hostname svchost.Hostname, serviceID string) (*url.URL, error) {
+        host, err := d.Discover(hostname)
+        if err != nil {
+                return nil, err
+        }
+        return host.ServiceURL(serviceID)
+}
+
+// discover implements the actual discovery process, with its result cached
+// by the public-facing Discover method.
+func (d *Disco) discover(hostname svchost.Hostname) (*Host, error) {
+        discoURL := &url.URL{
+                Scheme: "https",
+                Host:   hostname.String(),
+                Path:   discoPath,
+        }
+
+        client := &http.Client{
+                Transport: d.Transport,
+                Timeout:   discoTimeout,
+
+                CheckRedirect: func(req *http.Request, via []*http.Request) error {
+                        log.Printf("[DEBUG] Service discovery redirected to %s", req.URL)
+                        if len(via) > maxRedirects {
+                                return errors.New("too many redirects") // this error will never actually be seen
+                        }
+                        return nil
+                },
+        }
+
+        req := &http.Request{
+                Header: make(http.Header),
+                Method: "GET",
+                URL:    discoURL,
+        }
+        req.Header.Set("Accept", "application/json")
+        req.Header.Set("User-Agent", httpclient.UserAgentString())
+
+        creds, err := d.CredentialsForHost(hostname)
+        if err != nil {
+                log.Printf("[WARN] Failed to get credentials for %s: %s (ignoring)", hostname, err)
+        }
+        if creds != nil {
+                // Update the request to include credentials.
+                creds.PrepareRequest(req)
+        }
+
+        log.Printf("[DEBUG] Service discovery for %s at %s", hostname, discoURL)
+
+        resp, err := client.Do(req)
+        if err != nil {
+                return nil, fmt.Errorf("Failed to request discovery document: %v", err)
+        }
+        defer resp.Body.Close()
+
+        host := &Host{
+                // Use the discovery URL from resp.Request in
+                // case the client followed any redirects.
+                discoURL:  resp.Request.URL,
+                hostname:  hostname.ForDisplay(),
+                transport: d.Transport,
+        }
+
+        // Return the host without any services.
+        if resp.StatusCode == 404 {
+                return host, nil
+        }
+
+        if resp.StatusCode != 200 {
+                return nil, fmt.Errorf("Failed to request discovery document: %s", resp.Status)
+        }
+
+        contentType := resp.Header.Get("Content-Type")
+        mediaType, _, err := mime.ParseMediaType(contentType)
+        if err != nil {
+                return nil, fmt.Errorf("Discovery URL has a malformed Content-Type %q", contentType)
+        }
+        if mediaType != "application/json" {
+                return nil, fmt.Errorf("Discovery URL returned an unsupported Content-Type %q", mediaType)
+        }
+
+        // This doesn't catch chunked encoding, because ContentLength is -1 in that case.
+        if resp.ContentLength > maxDiscoDocBytes {
+                // Size limit here is not a contractual requirement and so we may
+                // adjust it over time if we find a different limit is warranted.
+                return nil, fmt.Errorf(
+                        "Discovery doc response is too large (got %d bytes; limit %d)",
+                        resp.ContentLength, maxDiscoDocBytes,
+                )
+        }
+
+        // If the response is using chunked encoding then we can't predict its
+        // size, but we'll at least prevent reading the entire thing into memory.
+        lr := io.LimitReader(resp.Body, maxDiscoDocBytes)
+
+        servicesBytes, err := ioutil.ReadAll(lr)
+        if err != nil {
+                return nil, fmt.Errorf("Error reading discovery document body: %v", err)
+        }
+
+        var services map[string]interface{}
+        err = json.Unmarshal(servicesBytes, &services)
+        if err != nil {
+                return nil, fmt.Errorf("Failed to decode discovery document as a JSON object: %v", err)
+        }
+        host.services = services
+
+        return host, nil
+}
+
+// Forget invalidates any cached record of the given hostname. If the host
+// has no cache entry then this is a no-op.
+func (d *Disco) Forget(hostname svchost.Hostname) {
+        delete(d.hostCache, hostname)
+}
+
+// ForgetAll is like Forget, but for all of the hostnames that have cache entries.
+func (d *Disco) ForgetAll() {
+        d.hostCache = make(map[svchost.Hostname]*Host)
+}
diff --git a/vendor/github.com/hashicorp/terraform/svchost/disco/host.go b/vendor/github.com/hashicorp/terraform/svchost/disco/host.go
new file mode 100644
index 0000000..ab9514c
--- /dev/null
+++ b/vendor/github.com/hashicorp/terraform/svchost/disco/host.go
@@ -0,0 +1,264 @@
+package disco
+
+import (
+        "encoding/json"
+        "fmt"
+        "log"
+        "net/http"
+        "net/url"
+        "os"
+        "strconv"
+        "strings"
+        "time"
+
+        "github.com/hashicorp/go-version"
+        "github.com/hashicorp/terraform/httpclient"
+)
+
+const versionServiceID = "versions.v1"
+
+// Host represents a service discovered host.
+type Host struct {
+        discoURL  *url.URL
+        hostname  string
+        services  map[string]interface{}
+        transport http.RoundTripper
+}
+
+// Constraints represents the version constraints of a service.
+type Constraints struct {
+        Service   string   `json:"service"`
+        Product   string   `json:"product"`
+        Minimum   string   `json:"minimum"`
+        Maximum   string   `json:"maximum"`
+        Excluding []string `json:"excluding"`
+}
+
+// ErrServiceNotProvided is returned when the service is not provided.
+type ErrServiceNotProvided struct {
+        hostname string
+        service  string
+}
+
+// Error returns a customized error message.
+func (e *ErrServiceNotProvided) Error() string {
+        if e.hostname == "" {
+                return fmt.Sprintf("host does not provide a %s service", e.service)
+        }
+        return fmt.Sprintf("host %s does not provide a %s service", e.hostname, e.service)
+}
+
+// ErrVersionNotSupported is returned when the version is not supported.
+type ErrVersionNotSupported struct {
+        hostname string
+        service  string
+        version  string
+}
+
+// Error returns a customized error message.
+func (e *ErrVersionNotSupported) Error() string {
+        if e.hostname == "" {
+                return fmt.Sprintf("host does not support %s version %s", e.service, e.version)
+        }
+        return fmt.Sprintf("host %s does not support %s version %s", e.hostname, e.service, e.version)
+}
+
+// ErrNoVersionConstraints is returned when checkpoint was disabled
+// or the endpoint to query for version constraints was unavailable.
+type ErrNoVersionConstraints struct {
+        disabled bool
+}
+
+// Error returns a customized error message.
+func (e *ErrNoVersionConstraints) Error() string {
+        if e.disabled {
+                return "checkpoint disabled"
+        }
+        return "unable to contact versions service"
+}
+
+// ServiceURL returns the URL associated with the given service identifier,
+// which should be of the form "servicename.vN".
+//
+// A non-nil result is always an absolute URL with a scheme of either HTTPS
+// or HTTP.
+func (h *Host) ServiceURL(id string) (*url.URL, error) {
+        svc, ver, err := parseServiceID(id)
+        if err != nil {
+                return nil, err
+        }
+
+        // No services supported for an empty Host.
+        if h == nil || h.services == nil {
+                return nil, &ErrServiceNotProvided{service: svc}
+        }
+
+        urlStr, ok := h.services[id].(string)
+        if !ok {
+                // See if we have a matching service as that would indicate
+                // the service is supported, but not the requested version.
+                for serviceID := range h.services {
+                        if strings.HasPrefix(serviceID, svc+".") {
+                                return nil, &ErrVersionNotSupported{
+                                        hostname: h.hostname,
+                                        service:  svc,
+                                        version:  ver.Original(),
+                                }
+                        }
+                }
+
+                // No discovered services match the requested service.
+                return nil, &ErrServiceNotProvided{hostname: h.hostname, service: svc}
+        }
+
+        u, err := url.Parse(urlStr)
+        if err != nil {
+                return nil, fmt.Errorf("Failed to parse service URL: %v", err)
+        }
+
+        // Make relative URLs absolute using our discovery URL.
+        if !u.IsAbs() {
+                u = h.discoURL.ResolveReference(u)
+        }
+
+        if u.Scheme != "https" && u.Scheme != "http" {
+                return nil, fmt.Errorf("Service URL is using an unsupported scheme: %s", u.Scheme)
+        }
+        if u.User != nil {
+                return nil, fmt.Errorf("Embedded username/password information is not permitted")
+        }
+
+        // Fragment part is irrelevant, since we're not a browser.
+        u.Fragment = ""
+
+        return h.discoURL.ResolveReference(u), nil
+}
+
+// VersionConstraints returns the contraints for a given service identifier
+// (which should be of the form "servicename.vN") and product.
+//
+// When an exact (service and version) match is found, the constraints for
+// that service are returned.
+//
+// When the requested version is not provided but the service is, we will
+// search for all alternative versions. If mutliple alternative versions
+// are found, the contrains of the latest available version are returned.
+//
+// When a service is not provided at all an error will be returned instead.
+//
+// When checkpoint is disabled or when a 404 is returned after making the
+// HTTP call, an ErrNoVersionConstraints error will be returned.
+func (h *Host) VersionConstraints(id, product string) (*Constraints, error) {
+        svc, _, err := parseServiceID(id)
+        if err != nil {
+                return nil, err
+        }
+
+        // Return early if checkpoint is disabled.
+        if disabled := os.Getenv("CHECKPOINT_DISABLE"); disabled != "" {
+                return nil, &ErrNoVersionConstraints{disabled: true}
+        }
+
+        // No services supported for an empty Host.
+        if h == nil || h.services == nil {
+                return nil, &ErrServiceNotProvided{service: svc}
+        }
+
+        // Try to get the service URL for the version service and
+        // return early if the service isn't provided by the host.
+        u, err := h.ServiceURL(versionServiceID)
+        if err != nil {
+                return nil, err
+        }
+
+        // Check if we have an exact (service and version) match.
+        if _, ok := h.services[id].(string); !ok {
+                // If we don't have an exact match, we search for all matching
+                // services and then use the service ID of the latest version.
+                var services []string
+                for serviceID := range h.services {
+                        if strings.HasPrefix(serviceID, svc+".") {
+                                services = append(services, serviceID)
+                        }
+                }
+
+                if len(services) == 0 {
+                        // No discovered services match the requested service.
+                        return nil, &ErrServiceNotProvided{hostname: h.hostname, service: svc}
+                }
+
+                // Set id to the latest service ID we found.
+                var latest *version.Version
+                for _, serviceID := range services {
+                        if _, ver, err := parseServiceID(serviceID); err == nil {
+                                if latest == nil || latest.LessThan(ver) {
+                                        id = serviceID
+                                        latest = ver
+                                }
+                        }
+                }
+        }
+
+        // Set a default timeout of 1 sec for the versions request (in milliseconds)
+        timeout := 1000
+        if v, err := strconv.Atoi(os.Getenv("CHECKPOINT_TIMEOUT")); err == nil {
+                timeout = v
+        }
+
+        client := &http.Client{
+                Transport: h.transport,
+                Timeout:   time.Duration(timeout) * time.Millisecond,
+        }
+
+        // Prepare the service URL by setting the service and product.
+        v := u.Query()
+        v.Set("product", product)
+        u.Path += id
+        u.RawQuery = v.Encode()
+
+        // Create a new request.
+        req, err := http.NewRequest("GET", u.String(), nil)
+        if err != nil {
+                return nil, fmt.Errorf("Failed to create version constraints request: %v", err)
+        }
+        req.Header.Set("Accept", "application/json")
+        req.Header.Set("User-Agent", httpclient.UserAgentString())
+
+        log.Printf("[DEBUG] Retrieve version constraints for service %s and product %s", id, product)
+
+        resp, err := client.Do(req)
+        if err != nil {
+                return nil, fmt.Errorf("Failed to request version constraints: %v", err)
+        }
+        defer resp.Body.Close()
+
+        if resp.StatusCode == 404 {
+                return nil, &ErrNoVersionConstraints{disabled: false}
+        }
+
+        if resp.StatusCode != 200 {
+                return nil, fmt.Errorf("Failed to request version constraints: %s", resp.Status)
+        }
+
+        // Parse the constraints from the response body.
+        result := &Constraints{}
+        if err := json.NewDecoder(resp.Body).Decode(result); err != nil {
+                return nil, fmt.Errorf("Error parsing version constraints: %v", err)
+        }
+
+        return result, nil
+}
+
+func parseServiceID(id string) (string, *version.Version, error) {
+        parts := strings.SplitN(id, ".", 2)
+        if len(parts) != 2 {
+                return "", nil, fmt.Errorf("Invalid service ID format (i.e. service.vN): %s", id)
+        }
+
+        version, err := version.NewVersion(parts[1])
+        if err != nil {
+                return "", nil, fmt.Errorf("Invalid service version: %v", err)
+        }
+
+        return parts[0], version, nil
+}
diff --git a/vendor/github.com/hashicorp/terraform/svchost/label_iter.go b/vendor/github.com/hashicorp/terraform/svchost/label_iter.go
new file mode 100644
index 0000000..af8ccba
--- /dev/null
+++ b/vendor/github.com/hashicorp/terraform/svchost/label_iter.go
@@ -0,0 +1,69 @@
+package svchost
+
+import (
+        "strings"
+)
+
+// A labelIter allows iterating over domain name labels.
+//
+// This type is copied from golang.org/x/net/idna, where it is used
+// to segment hostnames into their separate labels for analysis. We use
+// it for the same purpose here, in ForComparison.
+type labelIter struct {
+        orig     string
+        slice    []string
+        curStart int
+        curEnd   int
+        i        int
+}
+
+func (l *labelIter) reset() {
+        l.curStart = 0
+        l.curEnd = 0
+        l.i = 0
+}
+
+func (l *labelIter) done() bool {
+        return l.curStart >= len(l.orig)
+}
+
+func (l *labelIter) result() string {
+        if l.slice != nil {
+                return strings.Join(l.slice, ".")
+        }
+        return l.orig
+}
+
+func (l *labelIter) label() string {
+        if l.slice != nil {
+                return l.slice[l.i]
+        }
+        p := strings.IndexByte(l.orig[l.curStart:], '.')
+        l.curEnd = l.curStart + p
+        if p == -1 {
+                l.curEnd = len(l.orig)
+        }
+        return l.orig[l.curStart:l.curEnd]
+}
+
+// next sets the value to the next label. It skips the last label if it is empty.
+func (l *labelIter) next() {
+        l.i++
+        if l.slice != nil {
+                if l.i >= len(l.slice) || l.i == len(l.slice)-1 && l.slice[l.i] == "" {
+                        l.curStart = len(l.orig)
+                }
+        } else {
+                l.curStart = l.curEnd + 1
+                if l.curStart == len(l.orig)-1 && l.orig[l.curStart] == '.' {
+                        l.curStart = len(l.orig)
+                }
+        }
+}
+
+func (l *labelIter) set(s string) {
+        if l.slice == nil {
+                l.slice = strings.Split(l.orig, ".")
+        }
+        l.slice[l.i] = s
+}
diff --git a/vendor/github.com/hashicorp/terraform/svchost/svchost.go b/vendor/github.com/hashicorp/terraform/svchost/svchost.go
new file mode 100644
index 0000000..4eded14
--- /dev/null
+++ b/vendor/github.com/hashicorp/terraform/svchost/svchost.go
@@ -0,0 +1,207 @@
+// Package svchost deals with the representations of the so-called "friendly
+// hostnames" that we use to represent systems that provide Terraform-native
+// remote services, such as module registry, remote operations, etc.
+//
+// Friendly hostnames are specified such that, as much as possible, they
+// are consistent with how web browsers think of hostnames, so that users
+// can bring their intuitions about how hostnames behave when they access
+// a Terraform Enterprise instance's web UI (or indeed any other website)
+// and have this behave in a similar way.
+package svchost
+
+import (
+        "errors"
+        "fmt"
+        "strconv"
+        "strings"
+
+        "golang.org/x/net/idna"
+)
+
+// Hostname is specialized name for string that indicates that the string
+// has been converted to (or was already in) the storage and comparison form.
+//
+// Hostname values are not suitable for display in the user-interface. Use
+// the ForDisplay method to obtain a form suitable for display in the UI.
+//
+// Unlike user-supplied hostnames, strings of type Hostname (assuming they
+// were constructed by a function within this package) can be compared for
+// equality using the standard Go == operator.
+type Hostname string
+
+// acePrefix is the ASCII Compatible Encoding prefix, used to indicate that
+// a domain name label is in "punycode" form.
+const acePrefix = "xn--"
+
+// displayProfile is a very liberal idna profile that we use to do
+// normalization for display without imposing validation rules.
+var displayProfile = idna.New(
+        idna.MapForLookup(),
+        idna.Transitional(true),
+)
+
+// ForDisplay takes a user-specified hostname and returns a normalized form of
+// it suitable for display in the UI.
+//
+// If the input is so invalid that no normalization can be performed then
+// this will return the input, assuming that the caller still wants to
+// display _something_. This function is, however, more tolerant than the
+// other functions in this package and will make a best effort to prepare
+// _any_ given hostname for display.
+//
+// For validation, use either IsValid (for explicit validation) or
+// ForComparison (which implicitly validates, returning an error if invalid).
+func ForDisplay(given string) string {
+        var portPortion string
+        if colonPos := strings.Index(given, ":"); colonPos != -1 {
+                given, portPortion = given[:colonPos], given[colonPos:]
+        }
+        portPortion, _ = normalizePortPortion(portPortion)
+
+        ascii, err := displayProfile.ToASCII(given)
+        if err != nil {
+                return given + portPortion
+        }
+        display, err := displayProfile.ToUnicode(ascii)
+        if err != nil {
+                return given + portPortion
+        }
+        return display + portPortion
+}
+
+// IsValid returns true if the given user-specified hostname is a valid
+// service hostname.
+//
+// Validity is determined by complying with the RFC 5891 requirements for
+// names that are valid for domain lookup (section 5), with the additional
+// requirement that user-supplied forms must not _already_ contain
+// Punycode segments.
+func IsValid(given string) bool {
+        _, err := ForComparison(given)
+        return err == nil
+}
+
+// ForComparison takes a user-specified hostname and returns a normalized
+// form of it suitable for storage and comparison. The result is not suitable
+// for display to end-users because it uses Punycode to represent non-ASCII
+// characters, and this form is unreadable for non-ASCII-speaking humans.
+//
+// The result is typed as Hostname -- a specialized name for string -- so that
+// other APIs can make it clear within the type system whether they expect a
+// user-specified or display-form hostname or a value already normalized for
+// comparison.
+//
+// The returned Hostname is not valid if the returned error is non-nil.
+func ForComparison(given string) (Hostname, error) {
+        var portPortion string
+        if colonPos := strings.Index(given, ":"); colonPos != -1 {
+                given, portPortion = given[:colonPos], given[colonPos:]
+        }
+
+        var err error
+        portPortion, err = normalizePortPortion(portPortion)
+        if err != nil {
+                return Hostname(""), err
+        }
+
+        if given == "" {
+                return Hostname(""), fmt.Errorf("empty string is not a valid hostname")
+        }
+
+        // First we'll apply our additional constraint that Punycode must not
+        // be given directly by the user. This is not an IDN specification
+        // requirement, but we prohibit it to force users to use human-readable
+        // hostname forms within Terraform configuration.
+        labels := labelIter{orig: given}
+        for ; !labels.done(); labels.next() {
+                label := labels.label()
+                if label == "" {
+                        return Hostname(""), fmt.Errorf(
+                                "hostname contains empty label (two consecutive periods)",
+                        )
+                }
+                if strings.HasPrefix(label, acePrefix) {
+                        return Hostname(""), fmt.Errorf(
+                                "hostname label %q specified in punycode format; service hostnames must be given in unicode",
+                                label,
+                        )
+                }
+        }
+
+        result, err := idna.Lookup.ToASCII(given)
+        if err != nil {
+                return Hostname(""), err
+        }
+        return Hostname(result + portPortion), nil
+}
+
+// ForDisplay returns a version of the receiver that is appropriate for display
+// in the UI. This includes converting any punycode labels to their
+// corresponding Unicode characters.
+//
+// A round-trip through ForComparison and this ForDisplay method does not
+// guarantee the same result as calling this package's top-level ForDisplay
+// function, since a round-trip through the Hostname type implies stricter
+// handling than we do when doing basic display-only processing.
+func (h Hostname) ForDisplay() string {
+        given := string(h)
+        var portPortion string
+        if colonPos := strings.Index(given, ":"); colonPos != -1 {
+                given, portPortion = given[:colonPos], given[colonPos:]
+        }
+        // We don't normalize the port portion here because we assume it's
+        // already been normalized on the way in.
+
+        result, err := idna.Lookup.ToUnicode(given)
+        if err != nil {
+                // Should never happen, since type Hostname indicates that a string
+                // passed through our validation rules.
+                panic(fmt.Errorf("ForDisplay called on invalid Hostname: %s", err))
+        }
+        return result + portPortion
+}
+
+func (h Hostname) String() string {
+        return string(h)
+}
+
+func (h Hostname) GoString() string {
+        return fmt.Sprintf("svchost.Hostname(%q)", string(h))
+}
+
+// normalizePortPortion attempts to normalize the "port portion" of a hostname,
+// which begins with the first colon in the hostname and should be followed
+// by a string of decimal digits.
+//
+// If the port portion is valid, a normalized version of it is returned along
+// with a nil error.
+//
+// If the port portion is invalid, the input string is returned verbatim along
+// with a non-nil error.
+//
+// An empty string is a valid port portion representing the absense of a port.
+// If non-empty, the first character must be a colon.
+func normalizePortPortion(s string) (string, error) {
+        if s == "" {
+                return s, nil
+        }
+
+        if s[0] != ':' {
+                // should never happen, since caller tends to guarantee the presence
+                // of a colon due to how it's extracted from the string.
+                return s, errors.New("port portion is missing its initial colon")
+        }
+
+        numStr := s[1:]
+        num, err := strconv.Atoi(numStr)
+        if err != nil {
+                return s, errors.New("port portion contains non-digit characters")
+        }
+        if num == 443 {
+                return "", nil // ":443" is the default
+        }
+        if num > 65535 {
+                return s, errors.New("port number is greater than 65535")
+        }
+        return fmt.Sprintf(":%d", num), nil
+}