From ae9bd580af55992974fcb94f73f72cc3b2257fec Mon Sep 17 00:00:00 2001
From: Doug Davis
Date: Thu, 20 Nov 2014 07:29:04 -0800
Subject: [PATCH] Make --tlsverify enable tls regardless of value specified

I also needed to add a mflag.IsSet() function that allows you to check to see if a certain flag was actually specified on the cmd line.

Per #9221 - also tweaked the docs to fix a typo.

Closes #9221

Signed-off-by: Doug Davis
---
 docker/docker.go | 7 ++++++-
 docker/flags.go | 2 +-
 docs/sources/reference/commandline/cli.md | 2 +-
 integration-cli/docker_cli_run_test.go | 25 +++++++++++++++++++++++
 pkg/mflag/flag.go | 10 +++++++++
 5 files changed, 43 insertions(+), 3 deletions(-)

diff --git a/docker/docker.go b/docker/docker.go
index bb61d51725..3137f5c99f 100644
--- a/docker/docker.go
+++ b/docker/docker.go
@@ -83,9 +83,14 @@ func main() {
 	)
 	tlsConfig.InsecureSkipVerify = true
 
+	// Regardless of whether the user sets it to true or false, if they
+	// specify --tlsverify at all then we need to turn on tls
+	if flag.IsSet("-tlsverify") {
+		*flTls = true
+	}
+
 	// If we should verify the server, we need to load a trusted ca
 	if *flTlsVerify {
-		*flTls = true
 		certPool := x509.NewCertPool()
 		file, err := ioutil.ReadFile(*flCa)
 		if err != nil {
diff --git a/docker/flags.go b/docker/flags.go
index 80fd9fc17c..6601b4fe8a 100644
--- a/docker/flags.go
+++ b/docker/flags.go
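Review bot: The removed `*flTls = true` inside the `if *flTlsVerify` branch also covered the case where verification is on through the flag's default (`dockerTlsVerify`, defined outside this hunk), whereas the new `flag.IsSet("-tlsverify")` check only fires when the flag is literally present on the command line. If that default is ever true — its name suggests an environment-derived value, but the source is not visible here — verification gets configured but `flTls` is no longer forced on, so whether the connection actually uses TLS now depends on how `flTls` is consumed after this hunk; a verify-by-environment user could silently lose TLS. The cheapest fix that keeps both behaviours is to widen the added condition to `if *flTlsVerify || flag.IsSet("-tlsverify") {`. Note that `tlsConfig.InsecureSkipVerify = true` on the context line above is what a `--tlsverify=false` user now runs with, which is the intended semantics of the commit but worth a comment on the added block. main's body starts and ends outside the hunk.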
@@ -35,7 +35,7 @@ var (
 	flSocketGroup = flag.String([]string{"G", "-group"}, "docker", "Group to assign the unix socket specified by -H when running in daemon mode\nuse '' (the empty string) to disable setting of a group")
 	flLogLevel = flag.String([]string{"l", "-log-level"}, "info", "Set the logging level")
 	flEnableCors = flag.Bool([]string{"#api-enable-cors", "-api-enable-cors"}, false, "Enable CORS headers in the remote API")
-	flTls = flag.Bool([]string{"-tls"}, false, "Use TLS; implied by --tlsverify=true")
+	flTls = flag.Bool([]string{"-tls"}, false, "Use TLS; implied by --tlsverify flag")
 	flTlsVerify = flag.Bool([]string{"-tlsverify"}, dockerTlsVerify, "Use TLS and verify the remote (daemon: verify client, client: verify daemon)")
 
 	// these are initialized in init() below since their default values depend on dockerCertPath which isn't fully initialized until init() runs
diff --git a/docs/sources/reference/commandline/cli.md b/docs/sources/reference/commandline/cli.md
index ca7b7b7836..ff13d6222c 100644
--- a/docs/sources/reference/commandline/cli.md
+++ b/docs/sources/reference/commandline/cli.md
@@ -84,7 +84,7 @@ expect an integer, and they can only be specified once.
       -s, --storage-driver="" Force the Docker runtime to use a specific storage driver
       --selinux-enabled=false Enable selinux support. SELinux does not presently support the BTRFS storage driver
       --storage-opt=[] Set storage driver options
-      --tls=false Use TLS; implied by --tlsverify=true
+      --tls=false Use TLS; implied by --tlsverify flag
       --tlscacert="/home/sven/.docker/ca.pem" Trust only remotes providing a certificate signed by the CA given here
       --tlscert="/home/sven/.docker/cert.pem" Path to TLS certificate file
       --tlskey="/home/sven/.docker/key.pem" Path to TLS key file
diff --git a/integration-cli/docker_cli_run_test.go b/integration-cli/docker_cli_run_test.go
index 9292994283..2d150426c6 100644
--- a/integration-cli/docker_cli_run_test.go
+++ b/integration-cli/docker_cli_run_test.go
@@ -2687,3 +2687,28 @@ func TestContainerNetworkMode(t *testing.T) {
 
 	logDone("run - container shared network namespace")
 }
+
+func TestRunTLSverify(t *testing.T) {
+	cmd := exec.Command(dockerBinary, "ps")
+	out, ec, err := runCommandWithOutput(cmd)
+	if err != nil || ec != 0 {
+		t.Fatalf("Should have worked: %v:\n%v", err, out)
+	}
+
+	// Regardless of whether we specify true or false we need to
+	// test to make sure tls is turned on if --tlsverify is specified at all
+
+	cmd = exec.Command(dockerBinary, "--tlsverify=false", "ps")
+	out, ec, err = runCommandWithOutput(cmd)
+	if err == nil || ec == 0 || !strings.Contains(out, "trying to connect") {
+		t.Fatalf("Should have failed: \nec:%v\nout:%v\nerr:%v", ec, out, err)
+	}
+
+	cmd = exec.Command(dockerBinary, "--tlsverify=true", "ps")
+	out, ec, err = runCommandWithOutput(cmd)
+	if err == nil || ec == 0 || !strings.Contains(out, "cert") {
+		t.Fatalf("Should have failed: \nec:%v\nout:%v\nerr:%v", ec, out, err)
+	}
+
+	logDone("run - verify tls is set for --tlsverify")
+}
diff --git a/pkg/mflag/flag.go b/pkg/mflag/flag.go
index b40f911769..c9061c2d73 100644
--- a/pkg/mflag/flag.go
+++ b/pkg/mflag/flag.go
@@ -394,12 +394,22 @@ func (f *FlagSet) Lookup(name string) *Flag {
 	return f.formal[name]
 }
 
+// Indicates whether the specified flag was specified at all on the cmd line
+func (f *FlagSet) IsSet(name string) bool {
+	return f.actual[name] != nil
+}
+
 // Lookup returns the Flag structure of the named command-line flag,
 // returning nil if none exists.
 func Lookup(name string) *Flag {
 	return CommandLine.formal[name]
 }
 
+// Indicates whether the specified flag was specified at all on the cmd line
+func IsSet(name string) bool {
+	return CommandLine.IsSet(name)
+}
+
 // Set sets the value of the named flag.
 func (f *FlagSet) Set(name, value string) error {
 	flag, ok := f.formal[name]
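Review bot: The two failure assertions in `TestRunTLSverify` key off generic substrings of the CLI error text — `"trying to connect"` and `"cert"` — and implicitly require that the daemon under test is not serving TLS and that no CA file exists at the default cert path; on a host with a `ca.pem` in place or a TLS-enabled test daemon the test fails for reasons unrelated to the flag logic, and `"cert"` would also match a successful-but-rejected TLS handshake message. I would state those preconditions where the comment above the first `--tlsverify=false` run sits, e.g. `// assumes the daemon under test is plain HTTP and no ca.pem exists at the default cert path`, and tighten the last check to the specific CA-load error the client emits rather than the bare word `cert`. The test is also placed in docker_cli_run_test.go and logs under `"run - ..."` while exercising only `ps`; a client-flags test file would be the more natural home.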
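Review bot: Both added doc comments in pkg/mflag/flag.go read `// Indicates whether the specified flag was specified at all on the cmd line`, which does not start with the exported name as Go doc comments do and leaves out the contract a caller of `IsSet` actually needs: `f.actual[name]` is populated by parsing, so `IsSet` is false before `Parse` has run, and the lookup is by the exact name passed, so for flags registered under several names (the `"G"`/`"-group"` style pairs in docker/flags.go) whether an alias is seen depends on how `actual` is keyed, which this hunk does not show. Suggested wording for the method: `// IsSet reports whether the flag named name was explicitly given on the command line; it is false before Parse and is keyed by the exact name passed.`, and for the package-level wrapper `// IsSet reports whether the named flag was explicitly given on CommandLine.`. The single-name call site added in docker/docker.go (`flag.IsSet("-tlsverify")`) is unaffected, but the next caller may not be.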