We’ve found that, while using smart class variables, a user that does not have access to view the key/pair values in the Foreman UI can view the plain-text version of the ‘secrets’ without any sort of authentication by viewing the node’s YAML file using the Foreman UI.
For example, if I, as an admin, log into our Foreman UI and create a smart class parameter, and apply that parameter to a class and a node:
Someone without any sort of Foreman role or even a login cannot view the UI;
it returns them to the login authentication page.
But that same person can access a node that has that Puppet class and see the plain-text results of the smart class parameter secret, even if it is hidden, just by accessing the node YAML.
The YAML should not be available to view the smart class secrets without authentication.
Are you sure the user you are testing with has no permissions assigned to it?
Foreman 1.15 is very old - the currently supported versions are 1.24 and 2.0. It is very possible this has changed in the ~3 years since 1.15.3 was released. I would highly recommend planning your upgrade to a supported Foreman version as soon as possible.
I was not able to confirm this in a current version - only a user that has view permissions for the specific host, or a connection from an authenticated smart proxy, should be able to see the ENC output. You might also want to make sure the restrict_registered_smart_proxies setting is set to true (as is the default) - if it is set to false, this endpoint will indeed be available without authentication.
If you can reproduce this issue in a current version, please contact the Foreman security team via email to ensure it is properly addressed.
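An added audit script, not code from this thread or from the Foreman project, that checks the two points in the reply above from the defender's side: whether the ENC node YAML endpoint answers an anonymous request, and whether restrict_registered_smart_proxies is still true. The FOREMAN_URL, NODE_FQDN and credential values are placeholders; it assumes the ENC path is /node/<fqdn>?format=yml (the path Foreman's ENC script fetches) and that /api/settings/<name> returns JSON containing a boolean "value" field.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Foreman project.
# Audits a Foreman instance for the two points raised in the reply above:
#  1. does the ENC node YAML endpoint answer an unauthenticated request?
#  2. is the restrict_registered_smart_proxies setting still true?
# Assumptions: FOREMAN_URL / NODE_FQDN / FOREMAN_USER / FOREMAN_PASS are
# placeholders; /node/<fqdn>?format=yml is the path the Foreman ENC script
# fetches; /api/settings/<name> returns JSON containing "value": true|false.

FOREMAN_URL="${FOREMAN_URL:-https://foreman.example.test}"   # placeholder
NODE_FQDN="${NODE_FQDN:-node1.example.test}"                  # placeholder
FOREMAN_USER="${FOREMAN_USER:-audit}"                         # placeholder
FOREMAN_PASS="${FOREMAN_PASS:-changeme}"                      # placeholder

# Map the HTTP status an unauthenticated client received from /node/<fqdn>
# to a verdict. 200 means the YAML, smart class parameters included, was
# served to an anonymous caller, which is the situation the reporter describes.
classify_enc_status() {
  case "$1" in
    200)      echo "EXPOSED: ENC YAML served without authentication" ;;
    401|403)  echo "OK: endpoint requires authentication" ;;
    301|302)  echo "OK: redirected (likely to the login page)" ;;
    404)      echo "UNKNOWN: host not found or endpoint not present" ;;
    *)        echo "UNKNOWN: unexpected status $1" ;;
  esac
}

# Read the boolean "value" from a settings API JSON body without needing jq.
# Exit status: 0 = true, 1 = false, 2 = no boolean value found.
setting_is_true() {
  compact=$(printf '%s' "$1" | tr -d ' \n\t')
  case "$compact" in
    *'"value":true'*)  return 0 ;;
    *'"value":false'*) return 1 ;;
    *)                 return 2 ;;
  esac
}

# Perform both checks against the live instance. Only invoked with --run so
# the functions above can be sourced and exercised without network access.
run_audit() {
  status=$(curl -s -o /dev/null -w '%{http_code}' \
    "$FOREMAN_URL/node/$NODE_FQDN?format=yml")
  echo "ENC endpoint (anonymous): $(classify_enc_status "$status")"

  json=$(curl -s -u "$FOREMAN_USER:$FOREMAN_PASS" \
    -H 'Accept: application/json' \
    "$FOREMAN_URL/api/settings/restrict_registered_smart_proxies")
  setting_is_true "$json" && rc=0 || rc=$?
  case "$rc" in
    0) echo "OK: restrict_registered_smart_proxies is true" ;;
    1) echo "WARN: restrict_registered_smart_proxies is false; unregistered clients may fetch ENC output" ;;
    *) echo "UNKNOWN: could not read the setting (check credentials / API access)" ;;
  esac
}

if [ "${1:-}" = "--run" ]; then run_audit; fi
```

Run it as `FOREMAN_URL=https://your-foreman FOREMAN_USER=... FOREMAN_PASS=... NODE_FQDN=some.host sh audit.sh --run` from a machine that is not a registered smart proxy; an EXPOSED verdict on the first check, or a WARN on the second, is what to report to the security team as the reply suggests.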
Thank you @tbrisker!
I will try and get a dev environment up to the latest release and validate too.
I much appreciate you taking the time to investigate it too.
Regards and thanks for the email link in case we see the same issue.
Yes @tbrisker, we validated with several users and several browsers (incognito modes too),
and all were able to see the node YAML URL while not being able to see the params in the Foreman UI, whether they had a login or not.