mirror of https://github.com/docker/compose.git
Fix DOCKER_TLS_VERIFY bug
Signed-off-by: Joffrey F <joffrey@docker.com>
This commit is contained in:
parent
520fad331f
commit
4d4e066fbc
|
@ -10,6 +10,7 @@ from docker.errors import TLSParameterError
|
|||
from docker.tls import TLSConfig
|
||||
from docker.utils import kwargs_from_env
|
||||
|
||||
from ..config.environment import Environment
|
||||
from ..const import HTTP_TIMEOUT
|
||||
from .errors import UserError
|
||||
from .utils import generate_user_agent
|
||||
|
@ -36,14 +37,18 @@ def get_tls_version(environment):
|
|||
|
||||
|
||||
def tls_config_from_options(options, environment=None):
|
||||
environment = environment or {}
|
||||
environment = environment or Environment()
|
||||
cert_path = environment.get('DOCKER_CERT_PATH') or None
|
||||
|
||||
tls = options.get('--tls', False)
|
||||
ca_cert = unquote_path(options.get('--tlscacert'))
|
||||
cert = unquote_path(options.get('--tlscert'))
|
||||
key = unquote_path(options.get('--tlskey'))
|
||||
verify = options.get('--tlsverify', environment.get('DOCKER_TLS_VERIFY'))
|
||||
# verify is a special case - with docopt `--tlsverify` = False means it
|
||||
# wasn't used, so we set it if either the environment or the flag is True
|
||||
# see https://github.com/docker/compose/issues/5632
|
||||
verify = options.get('--tlsverify') or environment.get_boolean('DOCKER_TLS_VERIFY')
|
||||
|
||||
skip_hostname_check = options.get('--skip-hostname-check', False)
|
||||
if cert_path is not None and not any((ca_cert, cert, key)):
|
||||
# FIXME: Modify TLSConfig to take a cert_path argument and do this internally
|
||||
|
|
|
@ -13,6 +13,7 @@ from compose.cli import errors
|
|||
from compose.cli.docker_client import docker_client
|
||||
from compose.cli.docker_client import get_tls_version
|
||||
from compose.cli.docker_client import tls_config_from_options
|
||||
from compose.config.environment import Environment
|
||||
from tests import mock
|
||||
from tests import unittest
|
||||
|
||||
|
@ -163,14 +164,14 @@ class TLSConfigTestCase(unittest.TestCase):
|
|||
def test_tls_simple_with_tls_version(self):
|
||||
tls_version = 'TLSv1'
|
||||
options = {'--tls': True}
|
||||
environment = {'COMPOSE_TLS_VERSION': tls_version}
|
||||
environment = Environment({'COMPOSE_TLS_VERSION': tls_version})
|
||||
result = tls_config_from_options(options, environment)
|
||||
assert isinstance(result, docker.tls.TLSConfig)
|
||||
assert result.ssl_version == ssl.PROTOCOL_TLSv1
|
||||
|
||||
def test_tls_mixed_environment_and_flags(self):
|
||||
options = {'--tls': True, '--tlsverify': False}
|
||||
environment = {'DOCKER_CERT_PATH': 'tests/fixtures/tls/'}
|
||||
environment = Environment({'DOCKER_CERT_PATH': 'tests/fixtures/tls/'})
|
||||
result = tls_config_from_options(options, environment)
|
||||
assert isinstance(result, docker.tls.TLSConfig)
|
||||
assert result.cert == (self.client_cert, self.key)
|
||||
|
@ -178,15 +179,42 @@ class TLSConfigTestCase(unittest.TestCase):
|
|||
assert result.verify is False
|
||||
|
||||
def test_tls_flags_override_environment(self):
|
||||
environment = {'DOCKER_TLS_VERIFY': True}
|
||||
options = {'--tls': True, '--tlsverify': False}
|
||||
assert tls_config_from_options(options, environment) is True
|
||||
environment = Environment({
|
||||
'DOCKER_CERT_PATH': '/completely/wrong/path',
|
||||
'DOCKER_TLS_VERIFY': 'false'
|
||||
})
|
||||
options = {
|
||||
'--tlscacert': '"{0}"'.format(self.ca_cert),
|
||||
'--tlscert': '"{0}"'.format(self.client_cert),
|
||||
'--tlskey': '"{0}"'.format(self.key),
|
||||
'--tlsverify': True
|
||||
}
|
||||
|
||||
result = tls_config_from_options(options, environment)
|
||||
assert isinstance(result, docker.tls.TLSConfig)
|
||||
assert result.cert == (self.client_cert, self.key)
|
||||
assert result.ca_cert == self.ca_cert
|
||||
assert result.verify is True
|
||||
|
||||
def test_tls_verify_flag_no_override(self):
|
||||
environment = Environment({
|
||||
'DOCKER_TLS_VERIFY': 'true',
|
||||
'COMPOSE_TLS_VERSION': 'TLSv1'
|
||||
})
|
||||
options = {'--tls': True, '--tlsverify': False}
|
||||
|
||||
environment['COMPOSE_TLS_VERSION'] = 'TLSv1'
|
||||
result = tls_config_from_options(options, environment)
|
||||
assert isinstance(result, docker.tls.TLSConfig)
|
||||
assert result.ssl_version == ssl.PROTOCOL_TLSv1
|
||||
assert result.verify is False
|
||||
# verify is a special case - since `--tlsverify` = False means it
|
||||
# wasn't used, we set it if either the environment or the flag is True
|
||||
# see https://github.com/docker/compose/issues/5632
|
||||
assert result.verify is True
|
||||
|
||||
def test_tls_verify_env_falsy_value(self):
|
||||
environment = Environment({'DOCKER_TLS_VERIFY': '0'})
|
||||
options = {'--tls': True}
|
||||
assert tls_config_from_options(options, environment) is True
|
||||
|
||||
|
||||
class TestGetTlsVersion(object):
|
||||
|
|
Loading…
Reference in New Issue