enforce True or False for boolean credential injectors

see: https://github.com/ansible/tower/issues/2038
2026-01-11 18:09:57 -03:30 · 2018-06-13 16:37:39 -04:00 · 2018-06-13 16:37:39 -04:00 · 0bcbccba33
commit 0bcbccba33
parent 2a983e3dec
3 changed files with 49 additions and 14 deletions
--- a/awx/main/models/credential/init.py
+++ b/awx/main/models/credential/init.py
@ -623,6 +623,11 @@ class CredentialType(CommonModelNameNotUnique):
            if len(value):
                namespace[field_name] = value

+        # default missing boolean fields to False
+        for field in self.inputs.get('fields', []):
+            if field['type'] == 'boolean' and field['id'] not in credential.inputs.keys():
+                namespace[field['id']] = safe_namespace[field['id']] = False
+
        file_tmpls = self.injectors.get('file', {})
        # If any file templates are provided, render the files and update the
        # special `tower` template namespace so the filename can be
--- a/awx/main/tests/unit/test_tasks.py
+++ b/awx/main/tests/unit/test_tasks.py
@ -1122,19 +1122,22 @@ class TestJobCredentials(TestJobExecution):
        self.run_pexpect.side_effect = run_pexpect_side_effect
        self.task.run(self.pk)

-    def test_net_credentials(self):
+    @pytest.mark.parametrize('authorize, expected_authorize', [
+        [True, '1'],
+        [False, '0'],
+        [None, '0'],
+    ])
+    def test_net_credentials(self, authorize, expected_authorize):
        net = CredentialType.defaults['net']()
-        credential = Credential(
-            pk=1,
-            credential_type=net,
-            inputs = {
-                'username': 'bob',
-                'password': 'secret',
-                'ssh_key_data': self.EXAMPLE_PRIVATE_KEY,
-                'authorize': True,
-                'authorize_password': 'authorizeme'
-            }
-        )
+        inputs = {
+            'username': 'bob',
+            'password': 'secret',
+            'ssh_key_data': self.EXAMPLE_PRIVATE_KEY,
+            'authorize_password': 'authorizeme'
+        }
+        if authorize is not None:
+            inputs['authorize'] = authorize
+        credential = Credential(pk=1,credential_type=net, inputs = inputs)
        for field in ('password', 'ssh_key_data', 'authorize_password'):
            credential.inputs[field] = encrypt_field(credential, field)
        self.instance.credentials.add(credential)
@ -1143,8 +1146,9 @@ class TestJobCredentials(TestJobExecution):
            args, cwd, env, stdout = args
            assert env['ANSIBLE_NET_USERNAME'] == 'bob'
            assert env['ANSIBLE_NET_PASSWORD'] == 'secret'
-            assert env['ANSIBLE_NET_AUTHORIZE'] == '1'
-            assert env['ANSIBLE_NET_AUTH_PASS'] == 'authorizeme'
+            assert env['ANSIBLE_NET_AUTHORIZE'] == expected_authorize
+            if authorize:
+                assert env['ANSIBLE_NET_AUTH_PASS'] == 'authorizeme'
            assert open(env['ANSIBLE_NET_SSH_KEYFILE'], 'rb').read() == self.EXAMPLE_PRIVATE_KEY
            return ['successful', 0]

@ -2141,6 +2145,30 @@ class TestInventoryUpdateCredentials(TestJobExecution):
        self.task.run(self.pk)
        assert self.instance.job_env['TOWER_PASSWORD'] == tasks.HIDDEN_PASSWORD

+    def test_tower_source_ssl_verify_empty(self):
+        tower = CredentialType.defaults['tower']()
+        self.instance.source = 'tower'
+        self.instance.instance_filters = '12345'
+        inputs = {
+            'host': 'https://tower.example.org',
+            'username': 'bob',
+            'password': 'secret',
+        }
+
+        def get_cred():
+            cred = Credential(pk=1, credential_type=tower, inputs = inputs)
+            cred.inputs['password'] = encrypt_field(cred, 'password')
+            return cred
+        self.instance.get_cloud_credential = get_cred
+
+        def run_pexpect_side_effect(*args, **kwargs):
+            args, cwd, env, stdout = args
+            assert env['TOWER_VERIFY_SSL'] == 'False'
+            return ['successful', 0]
+
+        self.run_pexpect.side_effect = run_pexpect_side_effect
+        self.task.run(self.pk)
+
    def test_awx_task_env(self):
        gce = CredentialType.defaults['gce']()
        self.instance.source = 'gce'
--- a/docs/CHANGELOG.md
+++ b/docs/CHANGELOG.md
@ -19,6 +19,8 @@
 * Removed `TOWER_HOST` as a default environment variable in job running environment
  due to conflict with tower credential type. Playbook authors should replace their
  use with `AWX_HOST`. [[#1727](https://github.com/ansible/awx/issues/1727)]
+* Boolean fields for custom credential types will now always default extra_vars and
+  environment variables to `False` when a value is not provided. [[#2038](https://github.com/ansible/tower/issues/2038)]
 * Add validation to prevent string "$encrypted$" from becoming a literal
  survey question default [[#518](https://github.com/ansible/awx/issues/518)].
 * Enable the `--export` option for `ansible-inventory` via the environment