@@ -114,6 +114,7 @@ func (d *SwarmDaemon) info() (swarm.Info, error) {

 type serviceConstructor func(*swarm.Service)

 type nodeConstructor func(*swarm.Node)

+type specConstructor func(*swarm.Spec)

 func (d *SwarmDaemon) createService(c *check.C, f ...serviceConstructor) string {

 	var service swarm.Service

@@ -185,3 +186,19 @@ func (d *SwarmDaemon) listNodes(c *check.C) []swarm.Node {

 	c.Assert(json.Unmarshal(out, &nodes), checker.IsNil)

 	return nodes

 }

+

+func (d *SwarmDaemon) updateSwarm(c *check.C, f ...specConstructor) {

+	var sw swarm.Swarm

+	status, out, err := d.SockRequest("GET", "/swarm", nil)

+	c.Assert(err, checker.IsNil)

+	c.Assert(status, checker.Equals, http.StatusOK, check.Commentf("output: %q", string(out)))

+	c.Assert(json.Unmarshal(out, &sw), checker.IsNil)

+

+	for _, fn := range f {

+		fn(&sw.Spec)

+	}

+	url := fmt.Sprintf("/swarm/update?version=%d", sw.Version.Index)

+	status, out, err = d.SockRequest("POST", url, sw.Spec)

+	c.Assert(err, checker.IsNil)

+	c.Assert(status, checker.Equals, http.StatusOK, check.Commentf("output: %q", string(out)))

+}

@@ -145,6 +145,74 @@ func (s *DockerSwarmSuite) TestApiSwarmSecretAcceptance(c *check.C) {

 	info, err = d2.info()

 	c.Assert(err, checker.IsNil)

 	c.Assert(info.LocalNodeState, checker.Equals, swarm.LocalNodeStateInactive)

+

+	// change secret

+	d1.updateSwarm(c, func(s *swarm.Spec) {

+		for i := range s.AcceptancePolicy.Policies {

+			p := "foobaz"

+			s.AcceptancePolicy.Policies[i].Secret = &p

+		}

+	})

+

+	err = d2.Join(d1.listenAddr, "foobar", "", false)

+	c.Assert(err, checker.NotNil)

+	c.Assert(err.Error(), checker.Contains, "secret token is necessary")

+	info, err = d2.info()

+	c.Assert(err, checker.IsNil)

+	c.Assert(info.LocalNodeState, checker.Equals, swarm.LocalNodeStateInactive)

+

+	c.Assert(d2.Join(d1.listenAddr, "foobaz", "", false), checker.IsNil)

+	info, err = d2.info()

+	c.Assert(err, checker.IsNil)

+	c.Assert(info.LocalNodeState, checker.Equals, swarm.LocalNodeStateActive)

+	c.Assert(d2.Leave(false), checker.IsNil)

+	info, err = d2.info()

+	c.Assert(err, checker.IsNil)

+	c.Assert(info.LocalNodeState, checker.Equals, swarm.LocalNodeStateInactive)

+

+	// change policy, don't change secret

+	d1.updateSwarm(c, func(s *swarm.Spec) {

+		for i, p := range s.AcceptancePolicy.Policies {

+			if p.Role == swarm.NodeRoleManager {

+				s.AcceptancePolicy.Policies[i].Autoaccept = false

+			}

+			s.AcceptancePolicy.Policies[i].Secret = nil

+		}

+	})

+

+	err = d2.Join(d1.listenAddr, "", "", false)

+	c.Assert(err, checker.NotNil)

+	c.Assert(err.Error(), checker.Contains, "secret token is necessary")

+	info, err = d2.info()

+	c.Assert(err, checker.IsNil)

+	c.Assert(info.LocalNodeState, checker.Equals, swarm.LocalNodeStateInactive)

+

+	c.Assert(d2.Join(d1.listenAddr, "foobaz", "", false), checker.IsNil)

+	info, err = d2.info()

+	c.Assert(err, checker.IsNil)

+	c.Assert(info.LocalNodeState, checker.Equals, swarm.LocalNodeStateActive)

+	c.Assert(d2.Leave(false), checker.IsNil)

+	info, err = d2.info()

+	c.Assert(err, checker.IsNil)

+	c.Assert(info.LocalNodeState, checker.Equals, swarm.LocalNodeStateInactive)

+

+	// clear secret

+	d1.updateSwarm(c, func(s *swarm.Spec) {

+		for i := range s.AcceptancePolicy.Policies {

+			p := ""

+			s.AcceptancePolicy.Policies[i].Secret = &p

+		}

+	})

+

+	c.Assert(d2.Join(d1.listenAddr, "", "", false), checker.IsNil)

+	info, err = d2.info()

+	c.Assert(err, checker.IsNil)

+	c.Assert(info.LocalNodeState, checker.Equals, swarm.LocalNodeStateActive)

+	c.Assert(d2.Leave(false), checker.IsNil)

+	info, err = d2.info()

+	c.Assert(err, checker.IsNil)

+	c.Assert(info.LocalNodeState, checker.Equals, swarm.LocalNodeStateInactive)

+

 }

 func (s *DockerSwarmSuite) TestApiSwarmCAHash(c *check.C) {