Merge pull request #264 from dotcloud/tls_alt_api

Improved TLSConfig API
2014-07-10 17:14:36 +02:00 · 2014-07-10 17:14:36 +02:00 · 72cb3882b0
parent db454f01b8 436a3b1ff9
commit 72cb3882b0
3 changed files with 51 additions and 22 deletions
--- a/README.md
+++ b/README.md
@ -355,31 +355,49 @@ http://docs.docker.com/articles/https/ first.*
 client = docker.Client(base_url='<https_url>', tls=True)
 ```

+Equivalent CLI options: `docker --tls ...`
+
+If you want to use TLS but don't want to verify the server certificate
+(for example when testing with a self-signed certificate):
+
+```python
+tls_config = docker.tls.TLSConfig(verify=False)
+client = docker.Client(base_url='<https_url>', tls=tls_config)
+```
+
 * Authenticate server based on given CA

 ```python
-tls_config = docker.tls.TLSConfig(
-  False, tls_verify=True, tls_ca_cert='/path/to/ca.pem')
+tls_config = docker.tls.TLSConfig(ca_cert='/path/to/ca.pem')
 client = docker.Client(base_url='<https_url>', tls=tls_config)
 ```

+Equivalent CLI options: `docker --tlsverify --tlscacert /path/to/ca.pem ...`
+
 * Authenticate with client certificate, do not authenticate server
  based on given CA

 ```python
 tls_config = docker.tls.TLSConfig(
-  True, tls_cert='/path/to/client-cert.pem',
-  tls_key='/path/to/client-key.pem'
+  client_cert=('/path/to/client-cert.pem', '/path/to/client-key.pem')
 )
 client = docker.Client(base_url='<https_url>', tls=tls_config)
 ```

+Equivalent CLI options:
+`docker --tls --tlscert /path/to/client-cert.pem
+--tlskey /path/to/client-key.pem ...`
+
 * Authenticate with client certificate, authenticate server based on given CA

 ```python
 tls_config = docker.tls.TLSConfig(
-  False, tls_cert='/path/to/client-cert.pem',
-  tls_key='/path/to/client-key.pem', tls_ca_cert='/path/to/ca.pem'
+  client_cert=('/path/to/client-cert.pem', '/path/to/client-key.pem'),
+  ca_cert='/path/to/ca.pem'
 )
 client = docker.Client(base_url='<https_url>', tls=tls_config)
 ```
+
+Equivalent CLI options:
+`docker --tlsverify --tlscert /path/to/client-cert.pem
+--tlskey /path/to/client-key.pem --tlscacert /path/to/ca.pem ...`
--- a/docker/ssladapter/ssladapter.py
+++ b/docker/ssladapter/ssladapter.py
@ -5,10 +5,12 @@
 from distutils.version import StrictVersion
 from requests.adapters import HTTPAdapter
 try:
-    from requests.packages.urllib3.poolmanager import PoolManager
+    import requests.packages.urllib3 as urllib3
 except ImportError:
    import urllib3
-    from urllib3.poolmanager import PoolManager
+
+
+PoolManager = urllib3.poolmanager.PoolManager


 class SSLAdapter(HTTPAdapter):
@ -18,8 +20,9 @@ class SSLAdapter(HTTPAdapter):
        super(SSLAdapter, self).__init__(**kwargs)

    def init_poolmanager(self, connections, maxsize, block=False):
-        urllib_ver = urllib3.__version__
-        if urllib3 and StrictVersion(urllib_ver) <= StrictVersion('1.5'):
+        urllib_ver = urllib3.__version__.split('-')[0]
+        if urllib3 and urllib_ver != 'dev' and \
+           StrictVersion(urllib_ver) <= StrictVersion('1.5'):
            self.poolmanager = PoolManager(num_pools=connections,
                                           maxsize=maxsize,
                                           block=block)
--- a/docker/tls.py
+++ b/docker/tls.py
@ -9,8 +9,8 @@ class TLSConfig(object):
    verify = None
    ssl_version = None

-    def __init__(self, tls, tls_cert=None, tls_key=None, tls_verify=None,
-                 tls_ca_cert=None, ssl_version=None):
+    def __init__(self, client_cert=None, ca_cert=None, verify=None,
+                 ssl_version=None):
        # Argument compatibility/mapping with
        # http://docs.docker.com/examples/https/
        # This diverges from the Docker CLI in that users can specify 'tls'
@ -25,27 +25,35 @@ class TLSConfig(object):
        # In either case, Alert the user when both are expected, but any are
        # missing.

-        if tls_cert or tls_key:
+        if client_cert:
+            try:
+                tls_cert, tls_key = client_cert
+            except ValueError:
+                raise errors.TLSParameterError(
+                    'client_config must be a tuple of'
+                    ' (client certificate, key file)'
+                )
+
            if not (tls_cert and tls_key) or (not os.path.isfile(tls_cert) or
               not os.path.isfile(tls_key)):
                raise errors.TLSParameterError(
-                    'Client certificate must provide certificate and key files'
-                    ' through tls_cert and tls_key params respectively'
+                    'Path to a certificate and key files must be provided'
+                    ' through the client_config param'
                )
            self.cert = (tls_cert, tls_key)

        # Either set verify to True (public/default CA checks) or to the
        # path of a CA Cert file.
-        if tls_verify is not None:
-            if not tls_ca_cert:
-                self.verify = tls_verify
-            elif os.path.isfile(tls_ca_cert):
-                if not tls_verify:
+        if verify is not None:
+            if not ca_cert:
+                self.verify = verify
+            elif os.path.isfile(ca_cert):
+                if not verify:
                    raise errors.TLSParameterError(
-                        'tls_verify can not be False when a CA cert is'
+                        'verify can not be False when a CA cert is'
                        ' provided.'
                    )
-                self.verify = tls_ca_cert
+                self.verify = ca_cert
            else:
                raise errors.TLSParameterError(
                    'Invalid CA certificate provided for `tls_ca_cert`.'