The TLS certificates are now relative to the config file used.

Previously, if a relative path was provided, it was relative to the
current working directory to wherever the binaries were run.  Now
it is relative to whatever config file was used.

Signed-off-by: Ying Li <ying.li@docker.com>

cmd/notary-server/config.json

@@ -1,23 +0,0 @@
-{
-	"server": {
-		"http_addr": ":4443",
-		"tls_key_file": "./fixtures/notary-server.key",
-		"tls_cert_file": "./fixtures/notary-server.crt"
-	},
-	"trust_service": {
-	  "type": "remote",
-	  "hostname": "notarysigner",
-	  "port": "7899",
-	  "tls_ca_file": "./fixtures/root-ca.crt",
-	  "key_algorithm": "ecdsa",
-	  "tls_client_cert": "./fixtures/notary-server.crt",
-	  "tls_client_key": "./fixtures/notary-server.key"
-	},
-	"logging": {
-		"level": "debug"
-	},
-	"storage": {
-		"backend": "mysql",
-		"db_url": "root@tcp(notarymysql:3306)/notary"
-	}
-}

cmd/notary-server/main.go

@@ -73,10 +73,10 @@ func getAddrAndTLSConfig(configuration *viper.Viper) (string, *tls.Config, error
 
 // sets up TLS for the GRPC connection to notary-signer
 func grpcTLS(configuration *viper.Viper) (*tls.Config, error) {
-	rootCA := configuration.GetString("trust_service.tls_ca_file")
+	rootCA := utils.GetPathRelativeToConfig(configuration, "trust_service.tls_ca_file")
 	serverName := configuration.GetString("trust_service.hostname")
-	clientCert := configuration.GetString("trust_service.tls_client_cert")
-	clientKey := configuration.GetString("trust_service.tls_client_key")
+	clientCert := utils.GetPathRelativeToConfig(configuration, "trust_service.tls_client_cert")
+	clientKey := utils.GetPathRelativeToConfig(configuration, "trust_service.tls_client_key")
 
 	if (clientCert == "" && clientKey != "") || (clientCert != "" && clientKey == "") {
 		return nil, fmt.Errorf("Partial TLS configuration found. Either include both a client cert and client key file in the configuration, or include neither.")

cmd/notary-server/main_test.go

@@ -121,18 +121,22 @@ func TestGrpcTLSNoConfig(t *testing.T) {
 
 // The rest of the functionality of grpcTLS depends upon
 // utils.ConfigureClientTLS, so this test just asserts that if successful,
-// the correct tls.Config is returned based on all the configuration parameters
+// the correct tls.Config is returned based on all the configuration parameters,
+// and that it gets the path relative to the config file
 func TestGrpcTLSSuccess(t *testing.T) {
 	keypair, err := tls.LoadX509KeyPair(Cert, Key)
 	assert.NoError(t, err, "Unable to load cert and key for testing")
 
-	config := fmt.Sprintf(
-		`{"trust_service": {
+	configJSON := `{
+		"trust_service": {
             "hostname": "notary-server",
-            "tls_client_cert": "%s",
-            "tls_client_key": "%s"}}`,
-		Cert, Key)
-	tlsConfig, err := grpcTLS(configure(config))
+            "tls_client_cert": "notary-server.crt",
+            "tls_client_key": "notary-server.key"
+        }
+    }`
+	config := configure(configJSON)
+	config.SetConfigFile("../../fixtures/config.json")
+	tlsConfig, err := grpcTLS(config)
 	assert.NoError(t, err)
 	assert.Equal(t, []tls.Certificate{keypair}, tlsConfig.Certificates)
 }

cmd/notary-signer/config.json

@@ -1,16 +0,0 @@
-{
-	"server": {
-		"http_addr": ":4444",
-		"grpc_addr": ":7899",
-		"tls_cert_file": "./fixtures/notary-signer.crt",
-		"tls_key_file": "./fixtures/notary-signer.key",
-		"client_ca_file": "./fixtures/notary-server.crt"
-	},
-	"logging": {
-		"level": "debug"
-	},
-	"storage": {
-		"backend": "mysql",
-		"db_url": "root@tcp(notarymysql:3306)/notary"
-	}
-}