Merge pull request #19319 from calavera/fix_tls_config_for_response_hijacking

Fix response hijacking with TLS enabled.
This commit is contained in:
Brian Goff 2016-01-13 21:44:11 -05:00
commit 742a7d53f2
4 changed files with 29 additions and 7 deletions

View file

@ -22,7 +22,7 @@ clone git github.com/vdemeester/shakers 3c10293ce22b900c27acad7b28656196fcc2f73b
clone git golang.org/x/net 47990a1ba55743e6ef1affd3a14e5bac8553615d https://github.com/golang/net.git
clone git github.com/docker/go-units 651fc226e7441360384da338d0fd37f2440ffbe3
clone git github.com/docker/go-connections v0.1.2
clone git github.com/docker/engine-api v0.2.1
clone git github.com/docker/engine-api v0.2.2
clone git github.com/RackSec/srslog 6eb773f331e46fbba8eecb8e794e635e75fc04de
#get libnetwork packages

View file

@ -1439,6 +1439,29 @@ func (s *DockerDaemonSuite) TestHttpsInfo(c *check.C) {
}
}
// TestHttpsRun connects via two-way authenticated HTTPS to the create, attach, start, and wait endpoints.
// https://github.com/docker/docker/issues/19280
func (s *DockerDaemonSuite) TestHttpsRun(c *check.C) {
const (
testDaemonHTTPSAddr = "tcp://localhost:4271"
)
if err := s.d.StartWithBusybox("--tlsverify", "--tlscacert", "fixtures/https/ca.pem", "--tlscert", "fixtures/https/server-cert.pem",
"--tlskey", "fixtures/https/server-key.pem", "-H", testDaemonHTTPSAddr); err != nil {
c.Fatalf("Could not start daemon with busybox: %v", err)
}
daemonArgs := []string{"--host", testDaemonHTTPSAddr, "--tlsverify", "--tlscacert", "fixtures/https/ca.pem", "--tlscert", "fixtures/https/client-cert.pem", "--tlskey", "fixtures/https/client-key.pem"}
out, err := s.d.CmdWithArgs(daemonArgs, "run", "busybox", "echo", "TLS response")
if err != nil {
c.Fatalf("Error Occurred: %s and output: %s", err, out)
}
if !strings.Contains(out, "TLS response") {
c.Fatalf("expected output to include `TLS response`, got %v", out)
}
}
// TestTlsVerify verifies that --tlsverify=false turns on tls
func (s *DockerDaemonSuite) TestTlsVerify(c *check.C) {
out, err := exec.Command(dockerBinary, "daemon", "--tlsverify=false").CombinedOutput()

View file

@ -65,7 +65,6 @@ func NewEnvClient() (*Client, error) {
func NewClient(host string, version string, transport *http.Transport, httpHeaders map[string]string) (*Client, error) {
var (
basePath string
tlsConfig *tls.Config
scheme = "http"
protoAddrParts = strings.SplitN(host, "://", 2)
proto, addr = protoAddrParts[0], protoAddrParts[1]
@ -90,7 +89,7 @@ func NewClient(host string, version string, transport *http.Transport, httpHeade
addr: addr,
basePath: basePath,
scheme: scheme,
tlsConfig: tlsConfig,
tlsConfig: transport.TLSClientConfig,
httpClient: &http.Client{Transport: transport},
version: version,
customHTTPHeaders: httpHeaders,

View file

@ -10,12 +10,12 @@ import (
"strings"
)
// Args stores filter arguments as map key:{array of values}.
// It contains a aggregation of the list of arguments (which are in the form
// Args stores filter arguments as map key:{map key: bool}.
// It contains a aggregation of the map of arguments (which are in the form
// of -f 'key=value') based on the key, and store values for the same key
// in an slice.
// in an map with string keys and boolean values.
// e.g given -f 'label=label1=1' -f 'label=label2=2' -f 'image.name=ubuntu'
// the args will be {'label': {'label1=1','label2=2'}, 'image.name', {'ubuntu'}}
// the args will be {"image.name":{"ubuntu":true},"label":{"label1=1":true,"label2=2":true}}
type Args struct {
fields map[string]map[string]bool
}