From 7116aefe4310c77a6d8f80a9f928ce6437e8bb49 Mon Sep 17 00:00:00 2001
From: Joffrey F <joffrey@docker.com>
Date: Mon, 28 Mar 2016 17:39:20 -0700
Subject: [PATCH] Fix assert_hostname logic in tls_config_from_options

Signed-off-by: Joffrey F <joffrey@docker.com>
---
 compose/cli/docker_client.py         | 27 ++++++++++++++++++++-------
 tests/unit/cli/docker_client_test.py | 28 ++++++++++++++++++++++++++++
 2 files changed, 48 insertions(+), 7 deletions(-)

diff --git a/compose/cli/docker_client.py b/compose/cli/docker_client.py
index f782a1ae..83cd8626 100644
--- a/compose/cli/docker_client.py
+++ b/compose/cli/docker_client.py
@@ -21,24 +21,37 @@ def tls_config_from_options(options):
     cert = options.get('--tlscert')
     key = options.get('--tlskey')
     verify = options.get('--tlsverify')
-    hostname = urlparse(options.get('--host') or '').hostname
+    host = options.get('--host')
+    skip_hostname_check = options.get('--skip-hostname-check', False)
+
+    if not skip_hostname_check:
+        hostname = urlparse(host).hostname if host else None
+        # If the protocol is omitted, urlparse fails to extract the hostname.
+        # Make another attempt by appending a protocol.
+        if not hostname and host:
+            hostname = urlparse('tcp://{0}'.format(host)).hostname
 
     advanced_opts = any([ca_cert, cert, key, verify])
 
     if tls is True and not advanced_opts:
         return True
-    elif advanced_opts:
+    elif advanced_opts:  # --tls is a noop
         client_cert = None
         if cert or key:
             client_cert = (cert, key)
+
+        assert_hostname = None
+        if skip_hostname_check:
+            assert_hostname = False
+        elif hostname:
+            assert_hostname = hostname
+
         return TLSConfig(
             client_cert=client_cert, verify=verify, ca_cert=ca_cert,
-            assert_hostname=(
-                hostname or not options.get('--skip-hostname-check', False)
-            )
+            assert_hostname=assert_hostname
         )
-    else:
-        return None
+
+    return None
 
 
 def docker_client(environment, version=None, tls_config=None, host=None):
diff --git a/tests/unit/cli/docker_client_test.py b/tests/unit/cli/docker_client_test.py
index 56bab19c..f4476ad3 100644
--- a/tests/unit/cli/docker_client_test.py
+++ b/tests/unit/cli/docker_client_test.py
@@ -103,3 +103,31 @@ class TLSConfigTestCase(unittest.TestCase):
         options = {'--tlskey': self.key}
         with pytest.raises(docker.errors.TLSParameterError):
             tls_config_from_options(options)
+
+    def test_assert_hostname_explicit_host(self):
+        options = {
+            '--tlscacert': self.ca_cert, '--host': 'tcp://foobar.co.uk:1254'
+        }
+        result = tls_config_from_options(options)
+        assert isinstance(result, docker.tls.TLSConfig)
+        assert result.assert_hostname == 'foobar.co.uk'
+
+    def test_assert_hostname_explicit_host_no_proto(self):
+        options = {
+            '--tlscacert': self.ca_cert, '--host': 'foobar.co.uk:1254'
+        }
+        result = tls_config_from_options(options)
+        assert isinstance(result, docker.tls.TLSConfig)
+        assert result.assert_hostname == 'foobar.co.uk'
+
+    def test_assert_hostname_implicit_host(self):
+        options = {'--tlscacert': self.ca_cert}
+        result = tls_config_from_options(options)
+        assert isinstance(result, docker.tls.TLSConfig)
+        assert result.assert_hostname is None
+
+    def test_assert_hostname_explicit_skip(self):
+        options = {'--tlscacert': self.ca_cert, '--skip-hostname-check': True}
+        result = tls_config_from_options(options)
+        assert isinstance(result, docker.tls.TLSConfig)
+        assert result.assert_hostname is False