Make --tlsverify enable tls regardless of value specified

I also needed to add a mflag.IsSet() function that allows you to check to see if a certain flag was actually specified on the cmd line. Per #9221 - also tweaked the docs to fix a typo. Closes #9221 Signed-off-by: Doug Davis <dug@us.ibm.com>
2022-11-09 12:21:53 -05:00 · 2014-11-20 07:29:04 -08:00 · 2014-11-20 07:29:04 -08:00 · ae9bd580af
commit ae9bd580af
parent c1a40d9279
5 changed files with 43 additions and 3 deletions
--- a/docker/docker.go
+++ b/docker/docker.go
@ -83,9 +83,14 @@ func main() {
 	)
 	tlsConfig.InsecureSkipVerify = true

+	// Regardless of whether the user sets it to true or false, if they
+	// specify --tlsverify at all then we need to turn on tls
+	if flag.IsSet("-tlsverify") {
+		*flTls = true
+	}
+
 	// If we should verify the server, we need to load a trusted ca
 	if *flTlsVerify {
-		*flTls = true
 		certPool := x509.NewCertPool()
 		file, err := ioutil.ReadFile(*flCa)
 		if err != nil {
--- a/docker/flags.go
+++ b/docker/flags.go
@ -35,7 +35,7 @@ var (
 	flSocketGroup = flag.String([]string{"G", "-group"}, "docker", "Group to assign the unix socket specified by -H when running in daemon mode\nuse '' (the empty string) to disable setting of a group")
 	flLogLevel    = flag.String([]string{"l", "-log-level"}, "info", "Set the logging level")
 	flEnableCors  = flag.Bool([]string{"#api-enable-cors", "-api-enable-cors"}, false, "Enable CORS headers in the remote API")
-	flTls         = flag.Bool([]string{"-tls"}, false, "Use TLS; implied by --tlsverify=true")
+	flTls         = flag.Bool([]string{"-tls"}, false, "Use TLS; implied by --tlsverify flag")
 	flTlsVerify   = flag.Bool([]string{"-tlsverify"}, dockerTlsVerify, "Use TLS and verify the remote (daemon: verify client, client: verify daemon)")

 	// these are initialized in init() below since their default values depend on dockerCertPath which isn't fully initialized until init() runs
--- a/docs/sources/reference/commandline/cli.md
+++ b/docs/sources/reference/commandline/cli.md
@ -84,7 +84,7 @@ expect an integer, and they can only be specified once.
      -s, --storage-driver=""                    Force the Docker runtime to use a specific storage driver
      --selinux-enabled=false                    Enable selinux support. SELinux does not presently support the BTRFS storage driver
      --storage-opt=[]                           Set storage driver options
-      --tls=false                                Use TLS; implied by --tlsverify=true
+      --tls=false                                Use TLS; implied by --tlsverify flag
      --tlscacert="/home/sven/.docker/ca.pem"    Trust only remotes providing a certificate signed by the CA given here
      --tlscert="/home/sven/.docker/cert.pem"    Path to TLS certificate file
      --tlskey="/home/sven/.docker/key.pem"      Path to TLS key file
--- a/integration-cli/docker_cli_run_test.go
+++ b/integration-cli/docker_cli_run_test.go
@ -2687,3 +2687,28 @@ func TestContainerNetworkMode(t *testing.T) {

 	logDone("run - container shared network namespace")
 }
+
+func TestRunTLSverify(t *testing.T) {
+	cmd := exec.Command(dockerBinary, "ps")
+	out, ec, err := runCommandWithOutput(cmd)
+	if err != nil || ec != 0 {
+		t.Fatalf("Should have worked: %v:\n%v", err, out)
+	}
+
+	// Regardless of whether we specify true or false we need to
+	// test to make sure tls is turned on if --tlsverify is specified at all
+
+	cmd = exec.Command(dockerBinary, "--tlsverify=false", "ps")
+	out, ec, err = runCommandWithOutput(cmd)
+	if err == nil || ec == 0 || !strings.Contains(out, "trying to connect") {
+		t.Fatalf("Should have failed: \nec:%v\nout:%v\nerr:%v", ec, out, err)
+	}
+
+	cmd = exec.Command(dockerBinary, "--tlsverify=true", "ps")
+	out, ec, err = runCommandWithOutput(cmd)
+	if err == nil || ec == 0 || !strings.Contains(out, "cert") {
+		t.Fatalf("Should have failed: \nec:%v\nout:%v\nerr:%v", ec, out, err)
+	}
+
+	logDone("run - verify tls is set for --tlsverify")
+}
--- a/pkg/mflag/flag.go
+++ b/pkg/mflag/flag.go
@ -394,12 +394,22 @@ func (f *FlagSet) Lookup(name string) *Flag {
 	return f.formal[name]
 }

+// Indicates whether the specified flag was specified at all on the cmd line
+func (f *FlagSet) IsSet(name string) bool {
+	return f.actual[name] != nil
+}
+
 // Lookup returns the Flag structure of the named command-line flag,
 // returning nil if none exists.
 func Lookup(name string) *Flag {
 	return CommandLine.formal[name]
 }

+// Indicates whether the specified flag was specified at all on the cmd line
+func IsSet(name string) bool {
+	return CommandLine.IsSet(name)
+}
+
 // Set sets the value of the named flag.
 func (f *FlagSet) Set(name, value string) error {
 	flag, ok := f.formal[name]