-
Notifications
You must be signed in to change notification settings - Fork 109
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fixes #37418 - Fixes an issue that caused hidden Ansible variables to be shown in plain text on the Host-Details page #717
base: master
Are you sure you want to change the base?
Conversation
I'm getting the following error when navigating to the
|
@nofaralfasi I think that is because you still have the broken GQL scheme... Did you make sure the content of #716 is present on your branch? |
You are right, I missed that part. Also, it's not possible to edit the variable value from the |
Glad you got it sorted. I tried to reproduce the issue you faced with editing the value, but without success. |
Exactly. That should be the correct implementation.
I apologize for the confusion, it was a problem on my setup. I'll be more careful next time. |
Great, I'll implement that then! |
d468a18
to
0792fb6
Compare
to_hash_with_secrets_redacted(false) | ||
end | ||
|
||
def to_hash_with_secrets_redacted(redact_secrets = true) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why do we hide the value here by default? What if the user has permission to see the hidden values?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Which permission would this be? I don't think such a permission exists.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
admin user/any user with edit_ansible_variables
permission.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ah. Thanks. I thought there is a permission whether to see hidden values or not
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I am hiding the value by default because like this, a conscious decision to show the values is required by the user.
That's also how it works in Configure>Ansible>Variables><variable>.
… be shown in plain text on the Host-Details page - Add "hiddenValue" to GraphQL query hostVariableOverrides.gql - Replace plain text secret with masked value - Adds a parameter "redact_secrets" to AnsibleInventoriesController#show_inventory - Change frontend code to use newly added "redact_secrets" parameter - Add a new "to_hash_with_secrets_redacted" method to InventoryCreator - Hide hidden values in GQL response by if edit_ansible_variables not granted
0792fb6
to
bea2b37
Compare
Redmine Issue #37418 and reproducer
Variables marked as hidden were shown in plain text under Variables and Inventory on a host's details page.
This PR fixes that by masking the values in question in the UI.
Values are still shown in plain text when editing, as this requires the same permissions, edit_ansible_variables, as
Configure > Ansible > Variables.
It should be noted, that hidden variables are NOT considered secrets. The point of hidden is to only hide the values of the respective variables in the UI. The Foreman documentation clearly reflects this fact under point 6.
Changes:
Requires #716