Description:

The current handling of URLs with embedded credentials (e.g., http://user:pass@example.com) in Foreman settings does not adequately protect sensitive information. While encryption at rest is possible, the value is still exposed in rendered provisioning templates and visible to users, including non-admins.

After some consideration, it seems more sustainable to improve how we define and handle such settings rather than patching individual cases.

Proposed changes:

1. Introduce a new :url setting type:

• • This type would behave like :string but with smarter handling.

• • Validate via URI.parse to ensure well-formed URLs.

• • Render as <input type="url"> in the UI to get built-in browser validation.

1. Improve encrypted? behavior for :url type:

• • If a URL contains embedded credentials, treat it as sensitive (encrypted? => true).

• • Otherwise, treat it like a regular URL.

1. Update SettingPresenter to utilize the setting type:

• • Avoid manually parsing or guessing types.

• • Leverage the type already declared in the setting definition.

Considerations:

• URLs with credentials will still be exposed in rendered templates (http_proxy passed to hosts).

• Users without admin access may be able to view them via provisioning templates.

• Encrypting at rest does little if the value is exposed during rendering and transmission.

Open questions:

• Should we allow editing of encrypted URLs in the UI?

• Should we warn users when such settings are rendered into templates?