mirror of
https://github.com/ansible-collections/community.general.git
synced 2024-09-14 20:13:21 +02:00
tower modules: check that 'verify_ssl' defined in ~/.tower_cli.cfg isn't ignored (#50687)
* Check that verify_ssl defined in tower_cli.cfg isn't ignored * Avoid to override verify_ssl value defined in tower_cli.cfg By default, tower-cli library enables SSL certificates check. But verify_ssl false value defined in config files read by default by tower-cli library (for example /etc/tower/tower_cli.cfg) was ignored because overriden by the tower_verify_ssl parameter default value. * fix a typo in comment
This commit is contained in:
parent
797a5218fb
commit
51270be883
4 changed files with 55 additions and 3 deletions
|
@ -47,7 +47,7 @@ def tower_auth_config(module):
|
|||
'''tower_auth_config attempts to load the tower-cli.cfg file
|
||||
specified from the `tower_config_file` parameter. If found,
|
||||
if returns the contents of the file as a dictionary, else
|
||||
it will attempt to fetch values from the module pararms and
|
||||
it will attempt to fetch values from the module params and
|
||||
only pass those values that have been set.
|
||||
'''
|
||||
config_file = module.params.pop('tower_config_file', None)
|
||||
|
@ -92,7 +92,7 @@ class TowerModule(AnsibleModule):
|
|||
tower_host=dict(),
|
||||
tower_username=dict(),
|
||||
tower_password=dict(no_log=True),
|
||||
tower_verify_ssl=dict(type='bool', default=True),
|
||||
tower_verify_ssl=dict(type='bool'),
|
||||
tower_config_file=dict(type='path'),
|
||||
)
|
||||
args.update(argument_spec)
|
||||
|
|
|
@ -36,7 +36,6 @@ options:
|
|||
- Dis/allow insecure connections to Tower. If C(no), SSL certificates will not be validated.
|
||||
This should only be used on personally controlled sites using self-signed certificates.
|
||||
type: bool
|
||||
default: 'yes'
|
||||
tower_config_file:
|
||||
description:
|
||||
- Path to the Tower config file. See notes.
|
||||
|
|
2
test/integration/targets/tower_common/aliases
Normal file
2
test/integration/targets/tower_common/aliases
Normal file
|
@ -0,0 +1,2 @@
|
|||
cloud/tower
|
||||
shippable/tower/group1
|
51
test/integration/targets/tower_common/tasks/main.yml
Normal file
51
test/integration/targets/tower_common/tasks/main.yml
Normal file
|
@ -0,0 +1,51 @@
|
|||
# Test behaviour common to all tower modules
|
||||
- name: Check that SSL is available
|
||||
tower_organization:
|
||||
name: Default
|
||||
environment:
|
||||
TOWER_HOST: "https://{{ lookup('env', 'TOWER_HOST') }}"
|
||||
register: result
|
||||
|
||||
- name: Check we haven't changed anything
|
||||
assert:
|
||||
that: result is not changed
|
||||
|
||||
- name: Check that SSL is available and verify_ssl is enabled (task must fail)
|
||||
tower_organization:
|
||||
name: Default
|
||||
environment:
|
||||
TOWER_HOST: "https://{{ lookup('env', 'TOWER_HOST') }}"
|
||||
TOWER_CERTIFICATE: /dev/null # force check failure
|
||||
ignore_errors: true
|
||||
register: check_ssl_is_used
|
||||
|
||||
- name: Check that connection failed
|
||||
assert:
|
||||
that:
|
||||
- check_ssl_is_used is failed
|
||||
- >
|
||||
'Could not establish a secure connection' in check_ssl_is_used.module_stderr
|
||||
or 'OpenSSL.SSL.Error' in check_ssl_is_used.module_stderr
|
||||
# 'Could not establish a secure connection': when pyOpenSSL isn't available
|
||||
# 'OpenSSL.SSL.Error': with pyOpenSSL, see https://github.com/urllib3/urllib3/pull/1517
|
||||
|
||||
- name: Disable verify_ssl in ~/.tower_cli.cfg
|
||||
copy:
|
||||
dest: ~/.tower_cli.cfg
|
||||
content: |
|
||||
[general]
|
||||
verify_ssl = False
|
||||
force: false # ensure remote file doesn't exist
|
||||
|
||||
- block:
|
||||
- name: Check that verify_ssl is disabled (task must not fail)
|
||||
tower_organization:
|
||||
name: Default
|
||||
environment:
|
||||
TOWER_HOST: "https://{{ lookup('env', 'TOWER_HOST') }}"
|
||||
TOWER_CERTIFICATE: /dev/null # should not fail because verify_ssl is disabled
|
||||
always:
|
||||
- name: Delete ~/.tower_cli.cfg
|
||||
file:
|
||||
path: ~/.tower_cli.cfg
|
||||
state: absent
|
Loading…
Reference in a new issue