[PR #8355/fabf6263 backport][stable-6] Fix sanitize for keycloak_identitiy_provider. (#8369)

Fix sanitize for keycloak_identitiy_provider. (#8355) * Fix sanitize for keycloak_identitiy_provider. * Apply suggestions from code review Co-authored-by: Felix Fontein <felix@fontein.de> --------- Co-authored-by: Felix Fontein <felix@fontein.de> (cherry picked from commit fabf6263f1) Co-authored-by: Florian Apolloner <florian@apolloner.eu>
2024-09-14 20:13:21 +02:00 · 2024-05-15 19:59:51 +02:00 · 2024-05-15 19:59:51 +02:00 · 1f3fefa31c
commit 1f3fefa31c
parent 7efdcb618d
3 changed files with 4 additions and 1 deletions
--- a/changelogs/fragments/8355-keycloak-idp-sanitize.yaml
+++ b/changelogs/fragments/8355-keycloak-idp-sanitize.yaml
@ -0,0 +1,2 @@
+security_fixes:
+  - keycloak_identity_provider - the client secret was not correctly sanitized by the module. The return values ``proposed``, ``existing``, and ``end_state``, as well as the diff, did contain the client secret unmasked (https://github.com/ansible-collections/community.general/pull/8355).
--- a/plugins/modules/keycloak_identity_provider.py
+++ b/plugins/modules/keycloak_identity_provider.py
@ -436,7 +436,7 @@ def sanitize(idp):
    idpcopy = deepcopy(idp)
    if 'config' in idpcopy:
        if 'clientSecret' in idpcopy['config']:
-            idpcopy['clientSecret'] = '**********'
+            idpcopy['config']['clientSecret'] = '**********'
    return idpcopy


--- a/tests/integration/targets/keycloak_identity_provider/tasks/main.yml
+++ b/tests/integration/targets/keycloak_identity_provider/tasks/main.yml
@ -62,6 +62,7 @@
      - result.existing == {}
      - result.end_state.alias == "{{ idp }}"
      - result.end_state.mappers != []
+      - result.end_state.config.client_secret = "**********"

 - name: Update existing identity provider (no change)
  community.general.keycloak_identity_provider: