Bug #36460
Status: Closed
Satellite users with access to Virt-who Configurations can read out the 'Hypervisor Password' from the input field
Description
Clone of https://bugzilla.redhat.com/show_bug.cgi?id=2158702
Description of problem:
Users logged in to the Satellite WebUI who have access to the virt-who configuration form (foreman_virt_who_configure/configs/1/edit) can read out the current password from the 'Hypervisor Password' input field.
This is a security incident because not all Satellite administrators have access to the VMware infrastructure, so the 'Hypervisor Password' should not be exposed to them.
Version-Release number of selected component (if applicable): All Satellite versions
How reproducible: Always
Steps to Reproduce:
1. Navigate to Satellite WebUI -> Infrastructure -> Virt-who configurations -> create a configuration, filling in all the details.
2. Navigate to Satellite WebUI -> Infrastructure -> Virt-who configurations -> <Configuration-Name> -> Edit.
3. Place the pointer on the 'Hypervisor Password' field, right-click on it and click "Inspect".
Actual results: The real password is shown in the value field of the input object.
Expected results: The input field "foreman_virt_who_configure_config[hypervisor_password]" should only contain dummy data.
Additional info: The Satellite web frontend is leaking this password. Satellite should use the same password input mechanism for virt-who as it already does for compute resources and LDAP bind accounts, for example:
/compute_resources/1-myvmware/edit#
/auth_source_ldaps/5-myldap/edit
If you go to Satellite WebUI -> Administer -> Authentication Sources, the 'Account Password' is not exposed in the same way.
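The pattern the report asks for, shown as an added illustration rather than code from foreman_virt_who_configure or the linked pull request: the leaky form echoes the stored secret into the input's value attribute, while the hardened form renders an empty field and the update handler treats a blank submission as "password unchanged". Record and parameter names are constructed assumptions; only the input name foreman_virt_who_configure_config[hypervisor_password] comes from the report.

```ruby
require 'cgi'

# Constructed stand-in for a stored virt-who configuration record (assumption,
# not the plugin's real model).
VirtWhoConfig = Struct.new(:name, :hypervisor_password)

FIELD_NAME = 'foreman_virt_who_configure_config[hypervisor_password]'.freeze

# Leaky pattern: the stored secret is written into the value attribute, so
# anyone allowed to open the edit page can read it with "Inspect element".
# HTML escaping does not help here; it only changes the encoding of the leak.
def render_password_field_leaky(config)
  %(<input type="password" name="#{FIELD_NAME}" ) +
    %(value="#{CGI.escapeHTML(config.hypervisor_password.to_s)}">)
end

# Hardened pattern: never send the stored secret to the browser. The field is
# rendered empty; autocomplete="new-password" discourages browsers from
# filling it from their own store.
def render_password_field_safe(_config)
  %(<input type="password" name="#{FIELD_NAME}" value="" autocomplete="new-password">)
end

# Server-side counterpart of the empty field: a blank submission means
# "keep the existing password", a non-blank one replaces it.
def apply_update(config, params)
  submitted = params['hypervisor_password']
  config.hypervisor_password = submitted unless submitted.nil? || submitted.strip.empty?
  config
end

# Check a rendered form for the secret in either raw or HTML-escaped form;
# usable as a regression test for any edit page that handles credentials.
def leaks_secret?(html, secret)
  html.include?(secret) || html.include?(CGI.escapeHTML(secret))
end

if __FILE__ == $PROGRAM_NAME
  cfg = VirtWhoConfig.new('vmware-prod', 'p@ss&word')  # constructed sample
  puts "leaky form leaks: #{leaks_secret?(render_password_field_leaky(cfg), cfg.hypervisor_password)}"
  puts "safe form leaks:  #{leaks_secret?(render_password_field_safe(cfg), cfg.hypervisor_password)}"
  apply_update(cfg, 'hypervisor_password' => '')
  puts "after blank update: #{cfg.hypervisor_password}"
end
```

The same two checks (no secret in the rendered edit page, blank submission preserves the stored value) are what distinguish the compute resource and LDAP authentication source forms the report points to from the virt-who form as reported.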
Updated by The Foreman Bot over 1 year ago
- Status changed from New to Ready For Testing
- Assignee set to Lucy Fu
- Pull request https://github.com/theforeman/foreman_virt_who_configure/pull/165 added
Updated by Chris Roberts over 1 year ago
- Target version changed from foreman_virt_who_configure-0.5.14 to foreman_virt_who_configure-0.5.15
Updated by Lucy Fu over 1 year ago
- Status changed from Ready For Testing to Closed
Applied in changeset foreman_virt_who_configure|b9fd4ef5f15911f30ffaa3ab498b4d1830f99fa5.