Fixes #37418 - Fixes an issue that caused hidden Ansible variables to be shown in plain text on the Host-Details page #717

Thorben-D
Contributor

Redmine Issue #37418 and reproducer

Variables marked as hidden were shown in plain text under Variables and Inventory on a host's details page.
This PR fixes that by masking the values in question in the UI.
Values are still shown in plain text when editing, as this requires the same permissions, edit_ansible_variables, as Configure > Ansible > Variables.

It should be noted that hidden variables are NOT considered secrets. The point of hidden is to only hide the values of the respective variables in the UI. The Foreman documentation clearly reflects this fact under point 6.

Changes:

  • Add "hiddenValue" to GraphQL query hostVariableOverrides.gql
  • Replace plain text secret with masked value
  • Add a parameter "redact_secrets" to AnsibleInventoriesController#show_inventory
  • Change frontend code to use newly added "redact_secrets" parameter
  • Add a new "to_hash_with_secrets_redacted" method to InventoryCreator

Requires #716

@nofaralfasi
Contributor

I'm getting the following error when navigating to the Variables tab:

RuntimeError (Failed to implement AnsibleVariable.hiddenValue, tried:
- `Types::OverridenAnsibleVariable#hidden_value`, which did not exist
- `Presenters::OverridenAnsibleVariablePresenter#hidden_value`, which did not exist
- Looking up hash key `:hidden_value` or `"hidden_value"` on `#<Presenters::OverridenAnsibleVariablePresenter:0x00007f28c28ced48>`, but it wasn't a Hash
To implement this field, define one of the methods above (and check for typos)

@Thorben-D
Contributor Author

@nofaralfasi I think that is because you still have the broken GQL scheme... Did you make sure the content of #716 is present on your branch?

@nofaralfasi
Contributor

> @nofaralfasi I think that is because you still have the broken GQL scheme... Did you make sure the content of #716 is present on your branch?

You are right, I missed that part.
Now the Variables tab is shown properly. However, the default value of the hidden variable is still visible through the GraphQL response.
It's a little more complicated to find it, but still very possible.

Also, it's not possible to edit the variable value from the Variables tab. I see it's not related to the changes here, but we need to take care of it as well.

@Thorben-D
Contributor Author

Thorben-D commented May 21, 2024

Glad you got it sorted.
Yes, the value may indeed still be extracted from the query response. I suppose we could check if the user has the edit_ansible_variables permission and require it for the value to be queried.

I tried to reproduce the issue you faced with editing the value, but without success.
The default value is not changed by this action, but the value for this particular host is. For me, this is then shown under:
Configure > Ansible > Variables > Variable > Specify Matchers

@nofaralfasi
Contributor

> Glad you got it sorted. Yes, the value may indeed still be extracted from the query response. I suppose we could check if the user has the edit_ansible_variables permission and require it for the value to be queried.

Exactly. That should be the correct implementation.

> I tried to reproduce the issue you faced with editing the value, but without success. The default value is not changed by this action, but the value for this particular host is. For me, this is then shown under: Configure > Ansible > Variables > Variable > Specify Matchers

I apologize for the confusion, it was a problem on my setup. I'll be more careful next time.

@Thorben-D
Contributor Author

Great, I'll implement that then!
No worries about the mix-up, thanks for having a look!

… be shown in plain text on the Host-Details page

- Add "hiddenValue" to GraphQL query hostVariableOverrides.gql
- Replace plain text secret with masked value
- Adds a parameter "redact_secrets" to AnsibleInventoriesController#show_inventory
- Change frontend code to use newly added "redact_secrets" parameter
- Add a new "to_hash_with_secrets_redacted" method to InventoryCreator
- Hide hidden values in GQL response if edit_ansible_variables not granted
Thorben-D force-pushed the OR-4732_hidden_ansible_variable_not_hidden_in_host_details branch from d468a18 to 0792fb6 on May 22, 2024 09:21
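The point raised in the thread is that masking only in the UI leaves the value readable in the GraphQL response unless the server withholds it from users lacking edit_ansible_variables. The Ruby sketch below is an added example, not code from this PR or from foreman_ansible. Only the permission name and the hiddenValue field come from the page; the structs, method names, mask string and sample data are constructed for illustration, and hiddenValue is assumed to carry the masked string.

```ruby
require 'json'

MASK = '*****' # constructed mask string (assumption)

# Hypothetical stand-ins, not foreman_ansible classes.
Variable = Struct.new(:key, :value, :hidden)
User = Struct.new(:login, :permissions) do
  def can?(permission)
    permissions.include?(permission)
  end
end

# UI-only masking: the real value is still serialized beside the mask.
def serialize_ui_masked(var)
  { 'key' => var.key, 'value' => var.value,
    'hiddenValue' => var.hidden ? MASK : var.value }
end

# Server-side redaction: the real value leaves the server only for users
# holding edit_ansible_variables (the permission named in the thread).
def serialize_redacted(var, user)
  allowed = !var.hidden || user.can?(:edit_ansible_variables)
  shown = allowed ? var.value : MASK
  { 'key' => var.key, 'value' => shown,
    'hiddenValue' => var.hidden ? MASK : shown }
end

# Recursively mask hidden keys anywhere in a nested inventory hash.
def redact_inventory(node, hidden_keys)
  case node
  when Hash
    node.to_h do |k, v|
      [k, hidden_keys.include?(k) ? MASK : redact_inventory(v, hidden_keys)]
    end
  when Array then node.map { |v| redact_inventory(v, hidden_keys) }
  else node
  end
end

# Regression check: does the serialized payload contain the secret anywhere?
def leaks?(payload, secret)
  JSON.generate(payload).include?(secret)
end

# Constructed sample data.
SECRET = 's3cr3t-db-pass'
VAR = Variable.new('db_password', SECRET, true)
VIEWER = User.new('viewer', [:view_hosts])
EDITOR = User.new('editor', [:view_hosts, :edit_ansible_variables])
INVENTORY = { '_meta' => { 'hostvars' => { 'web01.example.com' =>
  { 'db_password' => SECRET, 'ntp_server' => 'ntp.example.com' } } } }
```

A check like `leaks?` belongs in a request-level test that inspects the whole serialized response rather than the rendered page, since that is where the remaining exposure was found in review.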