tower modules: check that 'verify_ssl' defined in ~/.tower_cli.cfg isn't ignored (#50687)

* Check that verify_ssl defined in tower_cli.cfg isn't ignored

* Avoid to override verify_ssl value defined in tower_cli.cfg

By default, tower-cli library enables SSL certificates check. But
verify_ssl false value defined in config files read by default by
tower-cli library (for example /etc/tower/tower_cli.cfg) was ignored
because overriden by the tower_verify_ssl parameter default value.

* fix a typo in comment

lib/ansible/module_utils/ansible_tower.py

@@ -47,7 +47,7 @@ def tower_auth_config(module):
     '''tower_auth_config attempts to load the tower-cli.cfg file
     specified from the `tower_config_file` parameter. If found,
     if returns the contents of the file as a dictionary, else
-    it will attempt to fetch values from the module pararms and
+    it will attempt to fetch values from the module params and
     only pass those values that have been set.
     '''
     config_file = module.params.pop('tower_config_file', None)
@@ -92,7 +92,7 @@ class TowerModule(AnsibleModule):
             tower_host=dict(),
             tower_username=dict(),
             tower_password=dict(no_log=True),
-            tower_verify_ssl=dict(type='bool', default=True),
+            tower_verify_ssl=dict(type='bool'),
             tower_config_file=dict(type='path'),
         )
         args.update(argument_spec)

lib/ansible/plugins/doc_fragments/tower.py

@@ -36,7 +36,6 @@ options:
           - Dis/allow insecure connections to Tower. If C(no), SSL certificates will not be validated.
             This should only be used on personally controlled sites using self-signed certificates.
         type: bool
-        default: 'yes'
     tower_config_file:
       description:
         - Path to the Tower config file. See notes.

test/integration/targets/tower_common/aliases

@@ -0,0 +1,2 @@
+cloud/tower
+shippable/tower/group1

test/integration/targets/tower_common/tasks/main.yml

@@ -0,0 +1,51 @@
+# Test behaviour common to all tower modules
+- name: Check that SSL is available
+  tower_organization:
+    name: Default
+  environment:
+    TOWER_HOST: "https://{{ lookup('env', 'TOWER_HOST') }}"
+  register: result
+
+- name: Check we haven't changed anything
+  assert:
+    that: result is not changed
+
+- name: Check that SSL is available and verify_ssl is enabled (task must fail)
+  tower_organization:
+    name: Default
+  environment:
+    TOWER_HOST: "https://{{ lookup('env', 'TOWER_HOST') }}"
+    TOWER_CERTIFICATE: /dev/null  # force check failure
+  ignore_errors: true
+  register: check_ssl_is_used
+
+- name: Check that connection failed
+  assert:
+    that:
+      - check_ssl_is_used is failed
+      - >
+          'Could not establish a secure connection' in check_ssl_is_used.module_stderr
+          or 'OpenSSL.SSL.Error' in check_ssl_is_used.module_stderr
+        # 'Could not establish a secure connection': when pyOpenSSL isn't available
+        # 'OpenSSL.SSL.Error': with pyOpenSSL, see https://github.com/urllib3/urllib3/pull/1517
+
+- name: Disable verify_ssl in ~/.tower_cli.cfg
+  copy:
+    dest: ~/.tower_cli.cfg
+    content: |
+      [general]
+      verify_ssl = False
+    force: false  # ensure remote file doesn't exist
+
+- block:
+    - name: Check that verify_ssl is disabled (task must not fail)
+      tower_organization:
+        name: Default
+      environment:
+        TOWER_HOST: "https://{{ lookup('env', 'TOWER_HOST') }}"
+        TOWER_CERTIFICATE: /dev/null  # should not fail because verify_ssl is disabled
+  always:
+    - name: Delete ~/.tower_cli.cfg
+      file:
+        path: ~/.tower_cli.cfg
+        state: absent