From 93f7f438bbfe5b0e6671223d54c06e580e9538b3 Mon Sep 17 00:00:00 2001
From: fgruenbauer
Date: Sun, 26 Jan 2025 13:15:06 +0100
Subject: [PATCH] keycloak_client: sanitize `saml.encryption.private.key` (#9621)

* sanitize saml.encryption.private.key in module output

* add changelog fragment

* Re-categorize changelog fragment.

---------

Co-authored-by: Felix Fontein
(cherry picked from commit fb4f7248c9f1483345f2cb0da8f3f92c0c32a935)
---
 .../9621-keycloak_client-sanitize-saml-encryption-key.yml | 2 ++
 plugins/modules/keycloak_client.py | 7 +++++--
 2 files changed, 7 insertions(+), 2 deletions(-)
 create mode 100644 changelogs/fragments/9621-keycloak_client-sanitize-saml-encryption-key.yml

diff --git a/changelogs/fragments/9621-keycloak_client-sanitize-saml-encryption-key.yml b/changelogs/fragments/9621-keycloak_client-sanitize-saml-encryption-key.yml
new file mode 100644
index 00000000000..5d3401e4308
--- /dev/null
+++ b/changelogs/fragments/9621-keycloak_client-sanitize-saml-encryption-key.yml
@@ -0,0 +1,2 @@
+security_fixes:
+ - keycloak_client - Sanitize ``saml.encryption.private.key`` so it does not show in the logs (https://github.com/ansible-collections/community.general/pull/9621).
\ No newline at end of file
diff --git a/plugins/modules/keycloak_client.py b/plugins/modules/keycloak_client.py
index 68696fd4040..c7514ba4c86 100644
--- a/plugins/modules/keycloak_client.py
+++ b/plugins/modules/keycloak_client.py
@@ -775,8 +775,11 @@ def sanitize_cr(clientrep):
 result['secret'] = 'no_log'
 if 'attributes' in result:
 attributes = result['attributes']
- if isinstance(attributes, dict) and 'saml.signing.private.key' in attributes:
- attributes['saml.signing.private.key'] = 'no_log'
+ if isinstance(attributes, dict):
+ if 'saml.signing.private.key' in attributes:
+ attributes['saml.signing.private.key'] = 'no_log'
+ if 'saml.encryption.private.key' in attributes:
+ attributes['saml.encryption.private.key'] = 'no_log'
 return normalise_cr(result)
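Review bot: The two added `if 'saml....private.key' in attributes:` blocks inside `sanitize_cr` duplicate the same redaction pattern, and this redaction is a deny-list that silently misses any secret-bearing attribute not named here, so the next addition will be another copy-paste; iterating a named tuple of sensitive keys keeps it to one line per key: `for key in ('saml.signing.private.key', 'saml.encryption.private.key'):` / `    if key in attributes:` / `        attributes[key] = 'no_log'`. A short comment above that tuple, such as `# Attribute names whose values are redacted from module output; extend when Keycloak exposes further secrets`, would make the deny-list nature explicit to the next maintainer. The start of `sanitize_cr` is outside the hunk, so it is not visible whether `result` is a copy of `clientrep`; if it is not, the in-place assignment through `attributes` also mutates the caller's representation, which is worth confirming.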