Merge pull request #19319 from calavera/fix_tls_config_for_response_hijacking

Fix response hijacking with TLS enabled.

hack/vendor.sh

@@ -22,7 +22,7 @@ clone git github.com/vdemeester/shakers 3c10293ce22b900c27acad7b28656196fcc2f73b
 clone git golang.org/x/net 47990a1ba55743e6ef1affd3a14e5bac8553615d https://github.com/golang/net.git
 clone git github.com/docker/go-units 651fc226e7441360384da338d0fd37f2440ffbe3
 clone git github.com/docker/go-connections v0.1.2
-clone git github.com/docker/engine-api v0.2.1
+clone git github.com/docker/engine-api v0.2.2
 clone git github.com/RackSec/srslog 6eb773f331e46fbba8eecb8e794e635e75fc04de
 
 #get libnetwork packages

integration-cli/docker_cli_daemon_test.go

@@ -1439,6 +1439,29 @@ func (s *DockerDaemonSuite) TestHttpsInfo(c *check.C) {
 	}
 }
 
+// TestHttpsRun connects via two-way authenticated HTTPS to the create, attach, start, and wait endpoints.
+// https://github.com/docker/docker/issues/19280
+func (s *DockerDaemonSuite) TestHttpsRun(c *check.C) {
+	const (
+		testDaemonHTTPSAddr = "tcp://localhost:4271"
+	)
+
+	if err := s.d.StartWithBusybox("--tlsverify", "--tlscacert", "fixtures/https/ca.pem", "--tlscert", "fixtures/https/server-cert.pem",
+		"--tlskey", "fixtures/https/server-key.pem", "-H", testDaemonHTTPSAddr); err != nil {
+		c.Fatalf("Could not start daemon with busybox: %v", err)
+	}
+
+	daemonArgs := []string{"--host", testDaemonHTTPSAddr, "--tlsverify", "--tlscacert", "fixtures/https/ca.pem", "--tlscert", "fixtures/https/client-cert.pem", "--tlskey", "fixtures/https/client-key.pem"}
+	out, err := s.d.CmdWithArgs(daemonArgs, "run", "busybox", "echo", "TLS response")
+	if err != nil {
+		c.Fatalf("Error Occurred: %s and output: %s", err, out)
+	}
+
+	if !strings.Contains(out, "TLS response") {
+		c.Fatalf("expected output to include `TLS response`, got %v", out)
+	}
+}
+
 // TestTlsVerify verifies that --tlsverify=false turns on tls
 func (s *DockerDaemonSuite) TestTlsVerify(c *check.C) {
 	out, err := exec.Command(dockerBinary, "daemon", "--tlsverify=false").CombinedOutput()

vendor/src/github.com/docker/engine-api/client/client.go

@@ -65,7 +65,6 @@ func NewEnvClient() (*Client, error) {
 func NewClient(host string, version string, transport *http.Transport, httpHeaders map[string]string) (*Client, error) {
 	var (
 		basePath       string
-		tlsConfig      *tls.Config
 		scheme         = "http"
 		protoAddrParts = strings.SplitN(host, "://", 2)
 		proto, addr    = protoAddrParts[0], protoAddrParts[1]
@@ -90,7 +89,7 @@ func NewClient(host string, version string, transport *http.Transport, httpHeade
 		addr:              addr,
 		basePath:          basePath,
 		scheme:            scheme,
-		tlsConfig:         tlsConfig,
+		tlsConfig:         transport.TLSClientConfig,
 		httpClient:        &http.Client{Transport: transport},
 		version:           version,
 		customHTTPHeaders: httpHeaders,

vendor/src/github.com/docker/engine-api/types/filters/parse.go

@@ -10,12 +10,12 @@ import (
 	"strings"
 )
 
-// Args stores filter arguments as map key:{array of values}.
-// It contains a aggregation of the list of arguments (which are in the form
+// Args stores filter arguments as map key:{map key: bool}.
+// It contains a aggregation of the map of arguments (which are in the form
 // of -f 'key=value') based on the key, and store values for the same key
-// in an slice.
+// in an map with string keys and boolean values.
 // e.g given -f 'label=label1=1' -f 'label=label2=2' -f 'image.name=ubuntu'
-// the args will be {'label': {'label1=1','label2=2'}, 'image.name', {'ubuntu'}}
+// the args will be {"image.name":{"ubuntu":true},"label":{"label1=1":true,"label2=2":true}}
 type Args struct {
 	fields map[string]map[string]bool
 }