From 1f3fefa31c03c66cfc83113ab37c6b0e0742e3c3 Mon Sep 17 00:00:00 2001
From: "patchback[bot]" <45432694+patchback[bot]@users.noreply.github.com>
Date: Wed, 15 May 2024 19:59:51 +0200
Subject: [PATCH] [PR #8355/fabf6263 backport][stable-6] Fix sanitize for keycloak_identitiy_provider. (#8369)

Fix sanitize for keycloak_identitiy_provider. (#8355)

* Fix sanitize for keycloak_identitiy_provider.

* Apply suggestions from code review

Co-authored-by: Felix Fontein

---------

Co-authored-by: Felix Fontein
(cherry picked from commit fabf6263f1c5fcf4a0ab35ae5a02bf1cdb93c595)

Co-authored-by: Florian Apolloner
---
 changelogs/fragments/8355-keycloak-idp-sanitize.yaml | 2 ++
 plugins/modules/keycloak_identity_provider.py | 2 +-
 .../targets/keycloak_identity_provider/tasks/main.yml | 1 +
 3 files changed, 4 insertions(+), 1 deletion(-)
 create mode 100644 changelogs/fragments/8355-keycloak-idp-sanitize.yaml

diff --git a/changelogs/fragments/8355-keycloak-idp-sanitize.yaml b/changelogs/fragments/8355-keycloak-idp-sanitize.yaml
new file mode 100644
index 0000000000..3a7942bb88
--- /dev/null
+++ b/changelogs/fragments/8355-keycloak-idp-sanitize.yaml
@@ -0,0 +1,2 @@
+security_fixes:
+  - keycloak_identity_provider - the client secret was not correctly sanitized by the module. The return values ``proposed``, ``existing``, and ``end_state``, as well as the diff, did contain the client secret unmasked (https://github.com/ansible-collections/community.general/pull/8355).
\ No newline at end of file
diff --git a/plugins/modules/keycloak_identity_provider.py b/plugins/modules/keycloak_identity_provider.py
index 0d12ae03a4..e0d95c95f4 100644
--- a/plugins/modules/keycloak_identity_provider.py
+++ b/plugins/modules/keycloak_identity_provider.py
@@ -436,7 +436,7 @@ def sanitize(idp):
     idpcopy = deepcopy(idp)
     if 'config' in idpcopy:
         if 'clientSecret' in idpcopy['config']:
-            idpcopy['clientSecret'] = '**********'
+            idpcopy['config']['clientSecret'] = '**********'
     return idpcopy
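Review bot: `sanitize` carries no docstring saying what it masks and why a deep copy is taken, which matters here because the old code silently masked the wrong key and nothing in the function stated the intended contract; the `def sanitize(idp):` line itself lies outside the hunk (it is only visible in the hunk header). Suggest `"""Return a deep copy of *idp* with ``config.clientSecret`` replaced by a fixed mask, for use in return values and diff output."""` directly under the def. Separately, `'clientSecret' in idpcopy['config']` assumes `config` is a mapping; if the API can ever return `config` as null this raises TypeError, so a guard such as `if isinstance(idpcopy.get('config'), dict) and 'clientSecret' in idpcopy['config']:` would be safer — I cannot tell from the hunk whether that shape occurs. A unit test that feeds a dict with `config.clientSecret` set and asserts the mask on the copy (and that the input is untouched) would have caught the original bug and is worth adding alongside the integration check.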
diff --git a/tests/integration/targets/keycloak_identity_provider/tasks/main.yml b/tests/integration/targets/keycloak_identity_provider/tasks/main.yml
index 79ba330494..eb8ccd222c 100644
--- a/tests/integration/targets/keycloak_identity_provider/tasks/main.yml
+++ b/tests/integration/targets/keycloak_identity_provider/tasks/main.yml
@@ -62,6 +62,7 @@
       - result.existing == {}
       - result.end_state.alias == "{{ idp }}"
       - result.end_state.mappers != []
+      - result.end_state.config.client_secret = "**********"
 
 - name: Update existing identity provider (no change)
   community.general.keycloak_identity_provider:
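Review bot: The added assertion uses a single `=` where the surrounding assertions use `==`; `a = "b"` is not a valid Jinja2 comparison, so this line most likely errors at template evaluation rather than verifying that the secret is masked. Change it to `- result.end_state.config.client_secret == "**********"`. The module hunk masks the key `clientSecret` while this assertion reads `client_secret`, so the test also relies on the module snake-casing return keys, which is not visible in this diff and worth confirming; if it does not, the assertion would pass vacuously only by accident. The assertion list and its enclosing task start before the hunk.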