diff --git a/compose/cli/command.py b/compose/cli/command.py index 7cea91a2d..6977195a0 100644 --- a/compose/cli/command.py +++ b/compose/cli/command.py @@ -35,7 +35,7 @@ def project_from_options(project_dir, options): project_name=options.get('--project-name'), verbose=options.get('--verbose'), host=host, - tls_config=tls_config_from_options(options), + tls_config=tls_config_from_options(options, environment), environment=environment, override_dir=options.get('--project-directory'), ) diff --git a/compose/cli/docker_client.py b/compose/cli/docker_client.py index 44c7ad91d..a581ae672 100644 --- a/compose/cli/docker_client.py +++ b/compose/cli/docker_client.py @@ -2,6 +2,7 @@ from __future__ import absolute_import from __future__ import unicode_literals import logging +import os.path import ssl from docker import APIClient @@ -35,14 +36,22 @@ def get_tls_version(environment): def tls_config_from_options(options, environment=None): + environment = environment or {} + cert_path = environment.get('DOCKER_CERT_PATH') or None + tls = options.get('--tls', False) ca_cert = unquote_path(options.get('--tlscacert')) cert = unquote_path(options.get('--tlscert')) key = unquote_path(options.get('--tlskey')) - verify = options.get('--tlsverify') + verify = options.get('--tlsverify', environment.get('DOCKER_TLS_VERIFY')) skip_hostname_check = options.get('--skip-hostname-check', False) + if cert_path is not None and not any((ca_cert, cert, key)): + # FIXME: Modify TLSConfig to take a cert_path argument and do this internally + cert = os.path.join(cert_path, 'cert.pem') + key = os.path.join(cert_path, 'key.pem') + ca_cert = os.path.join(cert_path, 'ca.pem') - tls_version = get_tls_version(environment or {}) + tls_version = get_tls_version(environment) advanced_opts = any([ca_cert, cert, key, verify, tls_version]) diff --git a/tests/fixtures/tls/key.key b/tests/fixtures/tls/key.pem similarity index 100% rename from tests/fixtures/tls/key.key rename to tests/fixtures/tls/key.pem 
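Review bot: In `tls_config_from_options` (compose/cli/docker_client.py, second hunk), `options.get('--tlsverify', environment.get('DOCKER_TLS_VERIFY'))` consults the environment only when the `--tlsverify` key is missing from `options`; a key that is present with `False` wins, as `test_tls_flags_override_environment` pins. If the CLI parser always fills in the flag (likely for a docopt-style dict, but not visible here), `DOCKER_TLS_VERIFY` is never honoured and the client is built without certificate verification even though the environment asked for it. Failing towards verification is safer: `verify = options.get('--tlsverify') or environment.get('DOCKER_TLS_VERIFY')`, with a comment saying that an unset flag must not switch off verification requested by the environment. The environment value is a string, so any non-empty setting such as `'0'` is truthy in the `any([...])` check; a docstring should state that. The function body continues past the end of the hunk.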
diff --git a/tests/unit/cli/docker_client_test.py b/tests/unit/cli/docker_client_test.py index c4cd275f3..62a537ba5 100644 --- a/tests/unit/cli/docker_client_test.py +++ b/tests/unit/cli/docker_client_test.py @@ -64,9 +64,9 @@ class DockerClientTestCase(unittest.TestCase): class TLSConfigTestCase(unittest.TestCase): - ca_cert = 'tests/fixtures/tls/ca.pem' - client_cert = 'tests/fixtures/tls/cert.pem' - key = 'tests/fixtures/tls/key.key' + ca_cert = os.path.join('tests/fixtures/tls/', 'ca.pem') + client_cert = os.path.join('tests/fixtures/tls/', 'cert.pem') + key = os.path.join('tests/fixtures/tls/', 'key.pem') def test_simple_tls(self): options = {'--tls': True} @@ -168,6 +168,26 @@ class TLSConfigTestCase(unittest.TestCase): assert isinstance(result, docker.tls.TLSConfig) assert result.ssl_version == ssl.PROTOCOL_TLSv1 + def test_tls_mixed_environment_and_flags(self): + options = {'--tls': True, '--tlsverify': False} + environment = {'DOCKER_CERT_PATH': 'tests/fixtures/tls/'} + result = tls_config_from_options(options, environment) + assert isinstance(result, docker.tls.TLSConfig) + assert result.cert == (self.client_cert, self.key) + assert result.ca_cert == self.ca_cert + assert result.verify is False + + def test_tls_flags_override_environment(self): + environment = {'DOCKER_TLS_VERIFY': True} + options = {'--tls': True, '--tlsverify': False} + assert tls_config_from_options(options, environment) is True + + environment['COMPOSE_TLS_VERSION'] = 'TLSv1' + result = tls_config_from_options(options, environment) + assert isinstance(result, docker.tls.TLSConfig) + assert result.ssl_version == ssl.PROTOCOL_TLSv1 + assert result.verify is False + class TestGetTlsVersion(object): def test_get_tls_version_default(self):
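Review bot: The tests added to `TLSConfigTestCase` (second hunk of tests/unit/cli/docker_client_test.py) never exercise the environment fallback for verification: both pass `'--tlsverify': False` explicitly, and `test_tls_flags_override_environment` sets `DOCKER_TLS_VERIFY` to the boolean `True`, whereas a real environment mapping holds strings. A case with the flag absent from `options` and `DOCKER_TLS_VERIFY` given as a string would pin the behaviour the docker_client.py change introduces and would catch a regression that silently drops certificate verification. The sketch below uses constructed values and assumes the part of `tls_config_from_options` outside this diff passes `verify` through to `TLSConfig` unchanged.

```python
    def test_tls_verify_from_environment(self):
        # Constructed case: flag absent, verification requested via environment.
        environment = {
            'DOCKER_TLS_VERIFY': '1',
            'DOCKER_CERT_PATH': 'tests/fixtures/tls/',
        }
        result = tls_config_from_options({'--tls': True}, environment)
        assert isinstance(result, docker.tls.TLSConfig)
        assert result.ca_cert == self.ca_cert
        assert result.verify
```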