Merge pull request #5697 from docker/5692-restore-default-cert-path-detection

Retrieve certs from default path if not provided explicitly

compose/cli/docker_client.py

@@ -9,6 +9,7 @@ from docker import APIClient
 from docker.errors import TLSParameterError
 from docker.tls import TLSConfig
 from docker.utils import kwargs_from_env
+from docker.utils.config import home_dir
 
 from ..config.environment import Environment
 from ..const import HTTP_TIMEOUT
@@ -19,6 +20,10 @@ from .utils import unquote_path
 log = logging.getLogger(__name__)
 
 
+def default_cert_path():
+    return os.path.join(home_dir(), '.docker')
+
+
 def get_tls_version(environment):
     compose_tls_version = environment.get('COMPOSE_TLS_VERSION', None)
     if not compose_tls_version:
@@ -56,6 +61,12 @@ def tls_config_from_options(options, environment=None):
         key = os.path.join(cert_path, 'key.pem')
         ca_cert = os.path.join(cert_path, 'ca.pem')
 
+    if verify and not any((ca_cert, cert, key)):
+        # Default location for cert files is ~/.docker
+        ca_cert = os.path.join(default_cert_path(), 'ca.pem')
+        cert = os.path.join(default_cert_path(), 'cert.pem')
+        key = os.path.join(default_cert_path(), 'key.pem')
+
     tls_version = get_tls_version(environment)
 
     advanced_opts = any([ca_cert, cert, key, verify, tls_version])

tests/unit/cli/docker_client_test.py

@@ -68,9 +68,10 @@ class DockerClientTestCase(unittest.TestCase):
 
 
 class TLSConfigTestCase(unittest.TestCase):
-    ca_cert = os.path.join('tests/fixtures/tls/', 'ca.pem')
+    cert_path = 'tests/fixtures/tls/'
-    client_cert = os.path.join('tests/fixtures/tls/', 'cert.pem')
+    ca_cert = os.path.join(cert_path, 'ca.pem')
-    key = os.path.join('tests/fixtures/tls/', 'key.pem')
+    client_cert = os.path.join(cert_path, 'cert.pem')
+    key = os.path.join(cert_path, 'key.pem')
 
     def test_simple_tls(self):
         options = {'--tls': True}
@@ -202,7 +203,8 @@ class TLSConfigTestCase(unittest.TestCase):
     def test_tls_verify_flag_no_override(self):
         environment = Environment({
             'DOCKER_TLS_VERIFY': 'true',
-            'COMPOSE_TLS_VERSION': 'TLSv1'
+            'COMPOSE_TLS_VERSION': 'TLSv1',
+            'DOCKER_CERT_PATH': self.cert_path
         })
         options = {'--tls': True, '--tlsverify': False}
 
@@ -219,6 +221,17 @@ class TLSConfigTestCase(unittest.TestCase):
         options = {'--tls': True}
         assert tls_config_from_options(options, environment) is True
 
+    def test_tls_verify_default_cert_path(self):
+        environment = Environment({'DOCKER_TLS_VERIFY': '1'})
+        options = {'--tls': True}
+        with mock.patch('compose.cli.docker_client.default_cert_path') as dcp:
+            dcp.return_value = 'tests/fixtures/tls/'
+            result = tls_config_from_options(options, environment)
+        assert isinstance(result, docker.tls.TLSConfig)
+        assert result.verify is True
+        assert result.ca_cert == self.ca_cert
+        assert result.cert == (self.client_cert, self.key)
+
 
 class TestGetTlsVersion(object):
     def test_get_tls_version_default(self):