From 0b0a4b0eaa8228289f0f7834aa538fd80bda9601 Mon Sep 17 00:00:00 2001
From: "patchback[bot]" <45432694+patchback[bot]@users.noreply.github.com>
Date: Wed, 15 May 2024 19:59:48 +0200
Subject: [PATCH] [PR #8355/fabf6263 backport][stable-7] Fix sanitize for
 keycloak_identitiy_provider. (#8370)

Fix sanitize for keycloak_identitiy_provider. (#8355)

* Fix sanitize for keycloak_identitiy_provider.

* Apply suggestions from code review

Co-authored-by: Felix Fontein <felix@fontein.de>

---------

Co-authored-by: Felix Fontein <felix@fontein.de>
(cherry picked from commit fabf6263f1c5fcf4a0ab35ae5a02bf1cdb93c595)

Co-authored-by: Florian Apolloner <florian@apolloner.eu>
---
 changelogs/fragments/8355-keycloak-idp-sanitize.yaml            | 2 ++
 plugins/modules/keycloak_identity_provider.py                   | 2 +-
 .../targets/keycloak_identity_provider/tasks/main.yml           | 1 +
 3 files changed, 4 insertions(+), 1 deletion(-)
 create mode 100644 changelogs/fragments/8355-keycloak-idp-sanitize.yaml

diff --git a/changelogs/fragments/8355-keycloak-idp-sanitize.yaml b/changelogs/fragments/8355-keycloak-idp-sanitize.yaml
new file mode 100644
index 0000000000..3a7942bb88
--- /dev/null
+++ b/changelogs/fragments/8355-keycloak-idp-sanitize.yaml
@@ -0,0 +1,2 @@
+security_fixes:
+  - keycloak_identity_provider - the client secret was not correctly sanitized by the module. The return values ``proposed``, ``existing``, and ``end_state``, as well as the diff, did contain the client secret unmasked (https://github.com/ansible-collections/community.general/pull/8355).
\ No newline at end of file
diff --git a/plugins/modules/keycloak_identity_provider.py b/plugins/modules/keycloak_identity_provider.py
index 588f553e8d..2eca3a06d2 100644
--- a/plugins/modules/keycloak_identity_provider.py
+++ b/plugins/modules/keycloak_identity_provider.py
@@ -437,7 +437,7 @@ def sanitize(idp):
     idpcopy = deepcopy(idp)
     if 'config' in idpcopy:
         if 'clientSecret' in idpcopy['config']:
-            idpcopy['clientSecret'] = '**********'
+            idpcopy['config']['clientSecret'] = '**********'
     return idpcopy
 
 
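Review bot: `sanitize` still carries no docstring, and the wrong-key bug this hunk corrects (masking `idpcopy['clientSecret']` instead of `idpcopy['config']['clientSecret']`) slipped through because nothing asserted the shape of the masked copy; add `"""Return a deep copy of *idp* with config['clientSecret'] replaced by a fixed mask, for use in return values and diffs."""` under the `def` line, plus a unit test that feeds `{'config': {'clientSecret': 'placeholder-secret'}}` and asserts the mask lands under `config` and the input is left untouched. Because the mask is a constant string, a masked `proposed` and `existing` compare equal on that key even when the real secret changed, so a diff built from sanitized copies cannot show a secret rotation; a short comment on the assignment line, `# constant mask: diffs will not reveal whether the secret changed`, would save the next reader the surprise. The function's signature sits above this hunk; only its body through `return idpcopy` is visible here.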
diff --git a/tests/integration/targets/keycloak_identity_provider/tasks/main.yml b/tests/integration/targets/keycloak_identity_provider/tasks/main.yml
index afad9740ed..fa118ed1d9 100644
--- a/tests/integration/targets/keycloak_identity_provider/tasks/main.yml
+++ b/tests/integration/targets/keycloak_identity_provider/tasks/main.yml
@@ -62,6 +62,7 @@
       - result.existing == {}
       - result.end_state.alias == "{{ idp }}"
       - result.end_state.mappers != []
+      - result.end_state.config.client_secret = "**********"
 
 - name: Update existing identity provider (no change)
   community.general.keycloak_identity_provider:
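Review bot: The added assertion uses a single `=`, which is not a comparison operator in a Jinja2 expression, so this `assert` entry is expected to fail with a template error rather than verify the mask; the neighbouring conditions use `==` and `!=`, and the line should read `- result.end_state.config.client_secret == "**********"`. Separately, the module hunk in this patch masks the camelCase key `clientSecret`, while this test reads `client_secret`; whether the module converts return keys to snake_case is not visible in this diff, so confirm that the assertion actually reaches the masked key, otherwise the integration test still would not have caught the original leak.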