ansible/community.general
1
0
Fork 0
mirror of https://github.com/ansible-collections/community.general.git synced 2026-02-04 07:51:50 +00:00
Code Activity

[PR #11005/54af64ad backport][stable-11] keycloak_user: mark credentials[].value as no_log=True (#11012)

Browse source 
keycloak_user: mark credentials[].value as no_log=True (#11005)

Mark credentials[].value as no_log=True.

(cherry picked from commit 54af64ad36)

Co-authored-by: Felix Fontein <felix@fontein.de>
This commit is contained in:
patchback[bot] 2025-10-29 17:15:36 +00:00 committed by GitHub
parent b9119335cd
commit 23cc57c9f6
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 5 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

4
changelogs/fragments/11005-keycloak_user.yml Normal file
View file

@ -0,0 +1,4 @@
security_fixes:
- "keycloak_user - the parameter ``credentials[].value`` is now marked as ``no_log=true``. Before it was logged by Ansible, unless the task was marked as ``no_log: true``.
Since this parameter can be used for passwords, this resulted in credential leaking
(https://github.com/ansible-collections/community.general/issues/11000, https://github.com/ansible-collections/community.general/pull/11005)."

2
plugins/modules/keycloak_user.py
View file

@ -357,7 +357,7 @@ def main():
argument_spec['auth_username']['aliases'] = []
credential_spec = dict(
type=dict(type='str', required=True),
value=dict(type='str', required=True),
value=dict(type='str', required=True, no_log=True),
temporary=dict(type='bool', default=False)
)
client_consents_spec = dict(