enforce True or False for boolean credential injectors

see: https://github.com/ansible/tower/issues/2038

awx/main/models/credential/__init__.py

@@ -623,6 +623,11 @@ class CredentialType(CommonModelNameNotUnique):
             if len(value):
                 namespace[field_name] = value
 
+        # default missing boolean fields to False
+        for field in self.inputs.get('fields', []):
+            if field['type'] == 'boolean' and field['id'] not in credential.inputs.keys():
+                namespace[field['id']] = safe_namespace[field['id']] = False
+
         file_tmpls = self.injectors.get('file', {})
         # If any file templates are provided, render the files and update the
         # special `tower` template namespace so the filename can be

awx/main/tests/unit/test_tasks.py

@@ -1122,19 +1122,22 @@ class TestJobCredentials(TestJobExecution):
         self.run_pexpect.side_effect = run_pexpect_side_effect
         self.task.run(self.pk)
 
-    def test_net_credentials(self):
+    @pytest.mark.parametrize('authorize, expected_authorize', [
+        [True, '1'],
+        [False, '0'],
+        [None, '0'],
+    ])
+    def test_net_credentials(self, authorize, expected_authorize):
         net = CredentialType.defaults['net']()
-        credential = Credential(
+        inputs = {
-            pk=1,
+            'username': 'bob',
-            credential_type=net,
+            'password': 'secret',
-            inputs = {
+            'ssh_key_data': self.EXAMPLE_PRIVATE_KEY,
-                'username': 'bob',
+            'authorize_password': 'authorizeme'
-                'password': 'secret',
+        }
-                'ssh_key_data': self.EXAMPLE_PRIVATE_KEY,
+        if authorize is not None:
-                'authorize': True,
+            inputs['authorize'] = authorize
-                'authorize_password': 'authorizeme'
+        credential = Credential(pk=1,credential_type=net, inputs = inputs)
-            }
-        )
         for field in ('password', 'ssh_key_data', 'authorize_password'):
             credential.inputs[field] = encrypt_field(credential, field)
         self.instance.credentials.add(credential)
@@ -1143,8 +1146,9 @@ class TestJobCredentials(TestJobExecution):
             args, cwd, env, stdout = args
             assert env['ANSIBLE_NET_USERNAME'] == 'bob'
             assert env['ANSIBLE_NET_PASSWORD'] == 'secret'
-            assert env['ANSIBLE_NET_AUTHORIZE'] == '1'
+            assert env['ANSIBLE_NET_AUTHORIZE'] == expected_authorize
-            assert env['ANSIBLE_NET_AUTH_PASS'] == 'authorizeme'
+            if authorize:
+                assert env['ANSIBLE_NET_AUTH_PASS'] == 'authorizeme'
             assert open(env['ANSIBLE_NET_SSH_KEYFILE'], 'rb').read() == self.EXAMPLE_PRIVATE_KEY
             return ['successful', 0]
 
@@ -2141,6 +2145,30 @@ class TestInventoryUpdateCredentials(TestJobExecution):
         self.task.run(self.pk)
         assert self.instance.job_env['TOWER_PASSWORD'] == tasks.HIDDEN_PASSWORD
 
+    def test_tower_source_ssl_verify_empty(self):
+        tower = CredentialType.defaults['tower']()
+        self.instance.source = 'tower'
+        self.instance.instance_filters = '12345'
+        inputs = {
+            'host': 'https://tower.example.org',
+            'username': 'bob',
+            'password': 'secret',
+        }
+
+        def get_cred():
+            cred = Credential(pk=1, credential_type=tower, inputs = inputs)
+            cred.inputs['password'] = encrypt_field(cred, 'password')
+            return cred
+        self.instance.get_cloud_credential = get_cred
+
+        def run_pexpect_side_effect(*args, **kwargs):
+            args, cwd, env, stdout = args
+            assert env['TOWER_VERIFY_SSL'] == 'False'
+            return ['successful', 0]
+
+        self.run_pexpect.side_effect = run_pexpect_side_effect
+        self.task.run(self.pk)
+
     def test_awx_task_env(self):
         gce = CredentialType.defaults['gce']()
         self.instance.source = 'gce'

docs/CHANGELOG.md

@@ -19,6 +19,8 @@
 * Removed `TOWER_HOST` as a default environment variable in job running environment
   due to conflict with tower credential type. Playbook authors should replace their
   use with `AWX_HOST`. [[#1727](https://github.com/ansible/awx/issues/1727)]
+* Boolean fields for custom credential types will now always default extra_vars and
+  environment variables to `False` when a value is not provided. [[#2038](https://github.com/ansible/tower/issues/2038)]
 * Add validation to prevent string "$encrypted$" from becoming a literal
   survey question default [[#518](https://github.com/ansible/awx/issues/518)].
 * Enable the `--export` option for `ansible-inventory` via the environment