1
0
Fork 0
mirror of https://github.com/ansible-collections/community.general.git synced 2024-09-14 20:13:21 +02:00

tower modules: check that 'verify_ssl' defined in ~/.tower_cli.cfg isn't ignored (#50687)

* Check that verify_ssl defined in tower_cli.cfg isn't ignored

* Avoid to override verify_ssl value defined in tower_cli.cfg

By default, tower-cli library enables SSL certificates check. But
verify_ssl false value defined in config files read by default by
tower-cli library (for example /etc/tower/tower_cli.cfg) was ignored
because overriden by the tower_verify_ssl parameter default value.

* fix a typo in comment
This commit is contained in:
Pilou 2019-02-13 11:26:43 +01:00 committed by John R Barker
parent 797a5218fb
commit 51270be883
4 changed files with 55 additions and 3 deletions

View file

@ -47,7 +47,7 @@ def tower_auth_config(module):
'''tower_auth_config attempts to load the tower-cli.cfg file
specified from the `tower_config_file` parameter. If found,
if returns the contents of the file as a dictionary, else
it will attempt to fetch values from the module pararms and
it will attempt to fetch values from the module params and
only pass those values that have been set.
'''
config_file = module.params.pop('tower_config_file', None)
@ -92,7 +92,7 @@ class TowerModule(AnsibleModule):
tower_host=dict(),
tower_username=dict(),
tower_password=dict(no_log=True),
tower_verify_ssl=dict(type='bool', default=True),
tower_verify_ssl=dict(type='bool'),
tower_config_file=dict(type='path'),
)
args.update(argument_spec)

View file

@ -36,7 +36,6 @@ options:
- Dis/allow insecure connections to Tower. If C(no), SSL certificates will not be validated.
This should only be used on personally controlled sites using self-signed certificates.
type: bool
default: 'yes'
tower_config_file:
description:
- Path to the Tower config file. See notes.

View file

@ -0,0 +1,2 @@
cloud/tower
shippable/tower/group1

View file

@ -0,0 +1,51 @@
# Test behaviour common to all tower modules
- name: Check that SSL is available
tower_organization:
name: Default
environment:
TOWER_HOST: "https://{{ lookup('env', 'TOWER_HOST') }}"
register: result
- name: Check we haven't changed anything
assert:
that: result is not changed
- name: Check that SSL is available and verify_ssl is enabled (task must fail)
tower_organization:
name: Default
environment:
TOWER_HOST: "https://{{ lookup('env', 'TOWER_HOST') }}"
TOWER_CERTIFICATE: /dev/null # force check failure
ignore_errors: true
register: check_ssl_is_used
- name: Check that connection failed
assert:
that:
- check_ssl_is_used is failed
- >
'Could not establish a secure connection' in check_ssl_is_used.module_stderr
or 'OpenSSL.SSL.Error' in check_ssl_is_used.module_stderr
# 'Could not establish a secure connection': when pyOpenSSL isn't available
# 'OpenSSL.SSL.Error': with pyOpenSSL, see https://github.com/urllib3/urllib3/pull/1517
- name: Disable verify_ssl in ~/.tower_cli.cfg
copy:
dest: ~/.tower_cli.cfg
content: |
[general]
verify_ssl = False
force: false # ensure remote file doesn't exist
- block:
- name: Check that verify_ssl is disabled (task must not fail)
tower_organization:
name: Default
environment:
TOWER_HOST: "https://{{ lookup('env', 'TOWER_HOST') }}"
TOWER_CERTIFICATE: /dev/null # should not fail because verify_ssl is disabled
always:
- name: Delete ~/.tower_cli.cfg
file:
path: ~/.tower_cli.cfg
state: absent