[PR #9621/fb4f7248 backport][stable-8] keycloak_client: sanitize `saml.encryption.private.key` (#9628)

keycloak_client: sanitize `saml.encryption.private.key` (#9621) * sanitize saml.encryption.private.key in module output * add changelog fragment * Re-categorize changelog fragment. --------- Co-authored-by: Felix Fontein <felix@fontein.de> (cherry picked from commit fb4f7248c9) Co-authored-by: fgruenbauer <gruenbauer@b1-systems.de>
2025-01-26 13:22:51 +01:00 · 2025-01-26 13:22:51 +01:00 · cd729c56b3
parent c643c0b143
commit cd729c56b3
2 changed files with 7 additions and 2 deletions
--- a/changelogs/fragments/9621-keycloak_client-sanitize-saml-encryption-key.yml
+++ b/changelogs/fragments/9621-keycloak_client-sanitize-saml-encryption-key.yml
@ -0,0 +1,2 @@
+security_fixes:
+  - keycloak_client - Sanitize ``saml.encryption.private.key`` so it does not show in the logs (https://github.com/ansible-collections/community.general/pull/9621).
--- a/plugins/modules/keycloak_client.py
+++ b/plugins/modules/keycloak_client.py
@ -776,8 +776,11 @@ def sanitize_cr(clientrep):
        result['secret'] = 'no_log'
    if 'attributes' in result:
        attributes = result['attributes']
-        if isinstance(attributes, dict) and 'saml.signing.private.key' in attributes:
-            attributes['saml.signing.private.key'] = 'no_log'
+        if isinstance(attributes, dict):
+            if 'saml.signing.private.key' in attributes:
+                attributes['saml.signing.private.key'] = 'no_log'
+            if 'saml.encryption.private.key' in attributes:
+                attributes['saml.encryption.private.key'] = 'no_log'
    return normalise_cr(result)