Autosign entry additions should require authentication
Using the smart proxy API, I can create an autosign entry by POSTing to http://smartproxy.example.com/puppet/ca/autosign/NAME without any authentication. There should be some type of trust relationship established between the client and the Smart Proxy on the CA (cert, OAuth, user/password, whatever) to prevent unauthorized users from being able to get the CA to sign a key.
This isn't the end of the world, but it does break the trust model in the CA to have untrusted things able to get the CA to sign keys.
I was able to reproduce this on Foreman 1.5.1, and assume it is always that way (hopefully not making an ass out of anyone).