
Merge pull request #5593 from docker/4651-tls-env-and-flags

Support mixed use of TLS flags and TLS environment variables
Joffrey F 7 năm trước cách đây
mục cha
commit
fd1e8024f7

+ 1 - 1
compose/cli/command.py

@@ -35,7 +35,7 @@ def project_from_options(project_dir, options):
         project_name=options.get('--project-name'),
         verbose=options.get('--verbose'),
         host=host,
-        tls_config=tls_config_from_options(options),
+        tls_config=tls_config_from_options(options, environment),
         environment=environment,
         override_dir=options.get('--project-directory'),
     )

+ 11 - 2
compose/cli/docker_client.py

@@ -2,6 +2,7 @@ from __future__ import absolute_import
 from __future__ import unicode_literals
 
 import logging
+import os.path
 import ssl
 
 from docker import APIClient
@@ -35,14 +36,22 @@ def get_tls_version(environment):
 
 
 def tls_config_from_options(options, environment=None):
+    environment = environment or {}
+    cert_path = environment.get('DOCKER_CERT_PATH') or None
+
     tls = options.get('--tls', False)
     ca_cert = unquote_path(options.get('--tlscacert'))
     cert = unquote_path(options.get('--tlscert'))
     key = unquote_path(options.get('--tlskey'))
-    verify = options.get('--tlsverify')
+    verify = options.get('--tlsverify', environment.get('DOCKER_TLS_VERIFY'))
     skip_hostname_check = options.get('--skip-hostname-check', False)
+    if cert_path is not None and not any((ca_cert, cert, key)):
+        # FIXME: Modify TLSConfig to take a cert_path argument and do this internally
+        cert = os.path.join(cert_path, 'cert.pem')
+        key = os.path.join(cert_path, 'key.pem')
+        ca_cert = os.path.join(cert_path, 'ca.pem')
 
-    tls_version = get_tls_version(environment or {})
+    tls_version = get_tls_version(environment)
 
     advanced_opts = any([ca_cert, cert, key, verify, tls_version])
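Review bot: In `tls_config_from_options`, the new `verify = options.get('--tlsverify', environment.get('DOCKER_TLS_VERIFY'))` consults the environment only when the `--tlsverify` key is missing from `options`. If the option parser always fills that key, with `False` when the flag is not given (the new tests pass `'--tlsverify': False` explicitly), then `DOCKER_TLS_VERIFY` is silently ignored and certificate verification stays off. That is a fail-open result for a security setting, so I would enable verification when either source asks for it, e.g. `verify = options.get('--tlsverify') or environment.get('DOCKER_TLS_VERIFY')`, and adjust `test_tls_flags_override_environment` to match. Separately, the environment value is passed on as a raw string, so how a value such as `'0'` is interpreted depends on code after this hunk; a one-line comment stating the intended rule would help. The function body continues past the end of the hunk.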
 

+ 0 - 0
tests/fixtures/tls/key.key → tests/fixtures/tls/key.pem


+ 23 - 3
tests/unit/cli/docker_client_test.py

@@ -64,9 +64,9 @@ class DockerClientTestCase(unittest.TestCase):
 
 
 class TLSConfigTestCase(unittest.TestCase):
-    ca_cert = 'tests/fixtures/tls/ca.pem'
-    client_cert = 'tests/fixtures/tls/cert.pem'
-    key = 'tests/fixtures/tls/key.key'
+    ca_cert = os.path.join('tests/fixtures/tls/', 'ca.pem')
+    client_cert = os.path.join('tests/fixtures/tls/', 'cert.pem')
+    key = os.path.join('tests/fixtures/tls/', 'key.pem')
 
     def test_simple_tls(self):
         options = {'--tls': True}
@@ -168,6 +168,26 @@ class TLSConfigTestCase(unittest.TestCase):
         assert isinstance(result, docker.tls.TLSConfig)
         assert result.ssl_version == ssl.PROTOCOL_TLSv1
 
+    def test_tls_mixed_environment_and_flags(self):
+        options = {'--tls': True, '--tlsverify': False}
+        environment = {'DOCKER_CERT_PATH': 'tests/fixtures/tls/'}
+        result = tls_config_from_options(options, environment)
+        assert isinstance(result, docker.tls.TLSConfig)
+        assert result.cert == (self.client_cert, self.key)
+        assert result.ca_cert == self.ca_cert
+        assert result.verify is False
+
+    def test_tls_flags_override_environment(self):
+        environment = {'DOCKER_TLS_VERIFY': True}
+        options = {'--tls': True, '--tlsverify': False}
+        assert tls_config_from_options(options, environment) is True
+
+        environment['COMPOSE_TLS_VERSION'] = 'TLSv1'
+        result = tls_config_from_options(options, environment)
+        assert isinstance(result, docker.tls.TLSConfig)
+        assert result.ssl_version == ssl.PROTOCOL_TLSv1
+        assert result.verify is False
+
 
 class TestGetTlsVersion(object):
     def test_get_tls_version_default(self):
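Review bot: `test_tls_flags_override_environment` sets `DOCKER_TLS_VERIFY` to the Python bool `True`, but values read from a process environment are strings, so the test does not exercise what the function would actually receive. Neither new test covers the case where `--tlsverify` is absent and only the environment requests verification. I would add a case with `options = {'--tls': True}` and `environment = {'DOCKER_TLS_VERIFY': '1', 'DOCKER_CERT_PATH': 'tests/fixtures/tls/'}` that asserts `result.verify` is truthy. `TLSConfigTestCase` starts outside this hunk, and the fixture paths now call `os.path.join` without an import being added in the visible hunks, so `os` is presumably already imported at the top of the file.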