Merge pull request #264 from dotcloud/tls_alt_api

Improved TLSConfig API

Author: shin-

README.md

@@ -355,31 +355,49 @@ http://docs.docker.com/articles/https/ first.*
 client = docker.Client(base_url='<https_url>', tls=True)
 ```
 
+Equivalent CLI options: `docker --tls ...`
+
+If you want to use TLS but don't want to verify the server certificate
+(for example when testing with a self-signed certificate):
+
+```python
+tls_config = docker.tls.TLSConfig(verify=False)
+client = docker.Client(base_url='<https_url>', tls=tls_config)
+```
+
 * Authenticate server based on given CA
 
 ```python
-tls_config = docker.tls.TLSConfig(
-  False, tls_verify=True, tls_ca_cert='/path/to/ca.pem')
+tls_config = docker.tls.TLSConfig(ca_cert='/path/to/ca.pem')
 client = docker.Client(base_url='<https_url>', tls=tls_config)
 ```
 
+Equivalent CLI options: `docker --tlsverify --tlscacert /path/to/ca.pem ...`
+
 * Authenticate with client certificate, do not authenticate server
   based on given CA
 
 ```python
 tls_config = docker.tls.TLSConfig(
-  True, tls_cert='/path/to/client-cert.pem',
-  tls_key='/path/to/client-key.pem'
+  client_cert=('/path/to/client-cert.pem', '/path/to/client-key.pem')
 )
 client = docker.Client(base_url='<https_url>', tls=tls_config)
 ```
 
+Equivalent CLI options:
+`docker --tls --tlscert /path/to/client-cert.pem
+--tlskey /path/to/client-key.pem ...`
+
 * Authenticate with client certificate, authenticate server based on given CA
 
 ```python
 tls_config = docker.tls.TLSConfig(
-  False, tls_cert='/path/to/client-cert.pem',
-  tls_key='/path/to/client-key.pem', tls_ca_cert='/path/to/ca.pem'
+  client_cert=('/path/to/client-cert.pem', '/path/to/client-key.pem'),
+  ca_cert='/path/to/ca.pem'
 )
 client = docker.Client(base_url='<https_url>', tls=tls_config)
 ```
+
+Equivalent CLI options:
+`docker --tlsverify --tlscert /path/to/client-cert.pem
+--tlskey /path/to/client-key.pem --tlscacert /path/to/ca.pem ...`

docker/ssladapter/ssladapter.py

@@ -5,10 +5,12 @@
 from distutils.version import StrictVersion
 from requests.adapters import HTTPAdapter
 try:
-    from requests.packages.urllib3.poolmanager import PoolManager
+    import requests.packages.urllib3 as urllib3
 except ImportError:
     import urllib3
-    from urllib3.poolmanager import PoolManager
+
+
+PoolManager = urllib3.poolmanager.PoolManager
 
 
 class SSLAdapter(HTTPAdapter):
@@ -18,8 +20,9 @@ def __init__(self, ssl_version=None, **kwargs):
         super(SSLAdapter, self).__init__(**kwargs)
 
     def init_poolmanager(self, connections, maxsize, block=False):
-        urllib_ver = urllib3.__version__
-        if urllib3 and StrictVersion(urllib_ver) <= StrictVersion('1.5'):
+        urllib_ver = urllib3.__version__.split('-')[0]
+        if urllib3 and urllib_ver != 'dev' and \
+           StrictVersion(urllib_ver) <= StrictVersion('1.5'):
             self.poolmanager = PoolManager(num_pools=connections,
                                            maxsize=maxsize,
                                            block=block)

docker/tls.py

@@ -9,8 +9,8 @@ class TLSConfig(object):
     verify = None
     ssl_version = None
 
-    def __init__(self, tls, tls_cert=None, tls_key=None, tls_verify=None,
-                 tls_ca_cert=None, ssl_version=None):
+    def __init__(self, client_cert=None, ca_cert=None, verify=None,
+                 ssl_version=None):
         # Argument compatibility/mapping with
         # http://docs.docker.com/examples/https/
         # This diverges from the Docker CLI in that users can specify 'tls'
@@ -25,27 +25,35 @@ def __init__(self, tls, tls_cert=None, tls_key=None, tls_verify=None,
         # In either case, Alert the user when both are expected, but any are
         # missing.
 
-        if tls_cert or tls_key:
+        if client_cert:
+            try:
+                tls_cert, tls_key = client_cert
+            except ValueError:
+                raise errors.TLSParameterError(
+                    'client_config must be a tuple of'
+                    ' (client certificate, key file)'
+                )
+
             if not (tls_cert and tls_key) or (not os.path.isfile(tls_cert) or
                not os.path.isfile(tls_key)):
                 raise errors.TLSParameterError(
-                    'Client certificate must provide certificate and key files'
-                    ' through tls_cert and tls_key params respectively'
+                    'Path to a certificate and key files must be provided'
+                    ' through the client_config param'
                 )
             self.cert = (tls_cert, tls_key)
 
         # Either set verify to True (public/default CA checks) or to the
         # path of a CA Cert file.
-        if tls_verify is not None:
-            if not tls_ca_cert:
-                self.verify = tls_verify
-            elif os.path.isfile(tls_ca_cert):
-                if not tls_verify:
+        if verify is not None:
+            if not ca_cert:
+                self.verify = verify
+            elif os.path.isfile(ca_cert):
+                if not verify:
                     raise errors.TLSParameterError(
-                        'tls_verify can not be False when a CA cert is'
+                        'verify can not be False when a CA cert is'
                         ' provided.'
                     )
-                self.verify = tls_ca_cert
+                self.verify = ca_cert
             else:
                 raise errors.TLSParameterError(
                     'Invalid CA certificate provided for `tls_ca_cert`.'