From 0bcbccba3394d0eed8cf6e1e63e87ddf4608ba48 Mon Sep 17 00:00:00 2001
From: Ryan Petrello <rpetrell@redhat.com>
Date: Wed, 13 Jun 2018 16:37:39 -0400
Subject: [PATCH] enforce `True` or `False` for boolean credential injectors

see: https://github.com/ansible/tower/issues/2038
---
 awx/main/models/credential/__init__.py |  5 +++
 awx/main/tests/unit/test_tasks.py      | 56 +++++++++++++++++++-------
 docs/CHANGELOG.md                      |  2 +
 3 files changed, 49 insertions(+), 14 deletions(-)

diff --git a/awx/main/models/credential/__init__.py b/awx/main/models/credential/__init__.py
index 2a7f7f9ede..1996bb2537 100644
--- a/awx/main/models/credential/__init__.py
+++ b/awx/main/models/credential/__init__.py
@@ -623,6 +623,11 @@ class CredentialType(CommonModelNameNotUnique):
             if len(value):
                 namespace[field_name] = value
 
+        # default missing boolean fields to False
+        for field in self.inputs.get('fields', []):
+            if field['type'] == 'boolean' and field['id'] not in credential.inputs.keys():
+                namespace[field['id']] = safe_namespace[field['id']] = False
+
         file_tmpls = self.injectors.get('file', {})
         # If any file templates are provided, render the files and update the
         # special `tower` template namespace so the filename can be
diff --git a/awx/main/tests/unit/test_tasks.py b/awx/main/tests/unit/test_tasks.py
index ccb84c2fa1..828c612c49 100644
--- a/awx/main/tests/unit/test_tasks.py
+++ b/awx/main/tests/unit/test_tasks.py
@@ -1122,19 +1122,22 @@ class TestJobCredentials(TestJobExecution):
         self.run_pexpect.side_effect = run_pexpect_side_effect
         self.task.run(self.pk)
 
-    def test_net_credentials(self):
+    @pytest.mark.parametrize('authorize, expected_authorize', [
+        [True, '1'],
+        [False, '0'],
+        [None, '0'],
+    ])
+    def test_net_credentials(self, authorize, expected_authorize):
         net = CredentialType.defaults['net']()
-        credential = Credential(
-            pk=1,
-            credential_type=net,
-            inputs = {
-                'username': 'bob',
-                'password': 'secret',
-                'ssh_key_data': self.EXAMPLE_PRIVATE_KEY,
-                'authorize': True,
-                'authorize_password': 'authorizeme'
-            }
-        )
+        inputs = {
+            'username': 'bob',
+            'password': 'secret',
+            'ssh_key_data': self.EXAMPLE_PRIVATE_KEY,
+            'authorize_password': 'authorizeme'
+        }
+        if authorize is not None:
+            inputs['authorize'] = authorize
+        credential = Credential(pk=1,credential_type=net, inputs = inputs)
         for field in ('password', 'ssh_key_data', 'authorize_password'):
             credential.inputs[field] = encrypt_field(credential, field)
         self.instance.credentials.add(credential)
@@ -1143,8 +1146,9 @@ class TestJobCredentials(TestJobExecution):
             args, cwd, env, stdout = args
             assert env['ANSIBLE_NET_USERNAME'] == 'bob'
             assert env['ANSIBLE_NET_PASSWORD'] == 'secret'
-            assert env['ANSIBLE_NET_AUTHORIZE'] == '1'
-            assert env['ANSIBLE_NET_AUTH_PASS'] == 'authorizeme'
+            assert env['ANSIBLE_NET_AUTHORIZE'] == expected_authorize
+            if authorize:
+                assert env['ANSIBLE_NET_AUTH_PASS'] == 'authorizeme'
             assert open(env['ANSIBLE_NET_SSH_KEYFILE'], 'rb').read() == self.EXAMPLE_PRIVATE_KEY
             return ['successful', 0]
 
@@ -2141,6 +2145,30 @@ class TestInventoryUpdateCredentials(TestJobExecution):
         self.task.run(self.pk)
         assert self.instance.job_env['TOWER_PASSWORD'] == tasks.HIDDEN_PASSWORD
 
+    def test_tower_source_ssl_verify_empty(self):
+        tower = CredentialType.defaults['tower']()
+        self.instance.source = 'tower'
+        self.instance.instance_filters = '12345'
+        inputs = {
+            'host': 'https://tower.example.org',
+            'username': 'bob',
+            'password': 'secret',
+        }
+
+        def get_cred():
+            cred = Credential(pk=1, credential_type=tower, inputs = inputs)
+            cred.inputs['password'] = encrypt_field(cred, 'password')
+            return cred
+        self.instance.get_cloud_credential = get_cred
+
+        def run_pexpect_side_effect(*args, **kwargs):
+            args, cwd, env, stdout = args
+            assert env['TOWER_VERIFY_SSL'] == 'False'
+            return ['successful', 0]
+
+        self.run_pexpect.side_effect = run_pexpect_side_effect
+        self.task.run(self.pk)
+
     def test_awx_task_env(self):
         gce = CredentialType.defaults['gce']()
         self.instance.source = 'gce'
diff --git a/docs/CHANGELOG.md b/docs/CHANGELOG.md
index 06f28b477f..96cd3b7bc4 100644
--- a/docs/CHANGELOG.md
+++ b/docs/CHANGELOG.md
@@ -19,6 +19,8 @@
 * Removed `TOWER_HOST` as a default environment variable in job running environment
   due to conflict with tower credential type. Playbook authors should replace their
   use with `AWX_HOST`. [[#1727](https://github.com/ansible/awx/issues/1727)]
+* Boolean fields for custom credential types will now always default extra_vars and
+  environment variables to `False` when a value is not provided. [[#2038](https://github.com/ansible/tower/issues/2038)]
 * Add validation to prevent string "$encrypted$" from becoming a literal
   survey question default [[#518](https://github.com/ansible/awx/issues/518)].
 * Enable the `--export` option for `ansible-inventory` via the environment