IDP: avoid logging value of 'idp_client_secret'

Note that 'ldap_default_authtok' doesn't require special handling
because it is of DP_OPT_BLOB type and isn't logged.

Author: alexey-tikhonov

src/confdb/confdb.h

@@ -264,6 +264,9 @@
 #define CONFDB_PROXY_FAST_ALIAS "proxy_fast_alias"
 #define CONFDB_PROXY_MAX_CHILDREN "proxy_max_children"
 
+/* IdP Provider */
+#define CONFDB_IDP_CLIENT_SECRET "idp_client_secret"
+
 /* KCM Service */
 #define CONFDB_KCM_CONF_ENTRY "config/kcm"
 #define CONFDB_KCM_SOCKET "socket_path"

src/oidc_child/oidc_child.c

@@ -155,13 +155,13 @@ static errno_t read_client_secret_from_stdin(TALLOC_CTX *mem_ctx,
 
     ret = read_from_stdin(mem_ctx, &str);
     if (ret != EOK) {
-        DEBUG(SSSDBG_OP_FAILURE, "read_from_stdin failed.\n");
+        DEBUG(SSSDBG_OP_FAILURE, "read_from_stdin() failed.\n");
         return ret;
     }
 
     *out = str;
 
-    DEBUG(SSSDBG_TRACE_ALL, "Client secret: [%s].\n", *out);
+    DEBUG(SSSDBG_TRACE_ALL, "Client secret was read.\n");
 
     return EOK;
 }

src/providers/data_provider_opts.c

@@ -88,6 +88,22 @@ void dp_option_inherit(int option,
 
 /* =Retrieve-Options====================================================== */
 
+static inline void log_string_option(const struct dp_option *opt)
+{
+    if (strcmp(opt->opt_name, CONFDB_IDP_CLIENT_SECRET) == 0) {
+        /* avoid logging value of sensitive option */
+        DEBUG(SSSDBG_CONF_SETTINGS,
+              "Option "CONFDB_IDP_CLIENT_SECRET" is%s set\n",
+              opt->val.cstring ? "" : " not");
+        return;
+    }
+
+    DEBUG(SSSDBG_CONF_SETTINGS, "Option %s has%s value %s\n",
+          opt->opt_name,
+          opt->val.cstring ? "" : " no",
+          opt->val.cstring ? opt->val.cstring : "");
+}
+
 int dp_get_options(TALLOC_CTX *memctx,
                    struct confdb_ctx *cdb,
                    const char *conf_path,
@@ -123,10 +139,8 @@ int dp_get_options(TALLOC_CTX *memctx,
                 if (ret == EOK) ret = EINVAL;
                 goto done;
             }
-            DEBUG(SSSDBG_CONF_SETTINGS, "Option %s has%s value %s\n",
-                  opts[i].opt_name,
-                  opts[i].val.cstring ? "" : " no",
-                  opts[i].val.cstring ? opts[i].val.cstring : "");
+
+            log_string_option(&opts[i]);
             break;
 
         case DP_OPT_BLOB:
@@ -227,10 +241,7 @@ static int dp_copy_options_ex(TALLOC_CTX *memctx,
                        opts[i].opt_name);
                 goto done;
             }
-            DEBUG(SSSDBG_CONF_SETTINGS, "Option %s has%s value %s\n",
-                  opts[i].opt_name,
-                  opts[i].val.cstring ? "" : " no",
-                  opts[i].val.cstring ? opts[i].val.cstring : "");
+            log_string_option(&opts[i]);
             break;
 
         case DP_OPT_BLOB:

src/providers/idp/idp_init.c

@@ -111,7 +111,7 @@ errno_t sssm_idp_init(TALLOC_CTX *mem_ctx,
                                                  IDP_CLIENT_SECRET);
     if (init_ctx->client_secret == NULL) {
         DEBUG(SSSDBG_CRIT_FAILURE,
-              "Missing required option 'idp_client_secret'.\n");
+              "Missing required option '"CONFDB_IDP_CLIENT_SECRET"'.\n");
         ret = EINVAL;
         goto done;
     }

src/providers/idp/idp_opts.c

@@ -28,7 +28,7 @@ struct dp_option default_idp_opts[] = {
     { "idp_request_timeout", DP_OPT_NUMBER, { .number = 10 }, NULL_NUMBER },
     { "idp_type", DP_OPT_STRING, NULL_STRING, NULL_STRING },
     { "idp_client_id", DP_OPT_STRING, NULL_STRING, NULL_STRING },
-    { "idp_client_secret", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+    { CONFDB_IDP_CLIENT_SECRET, DP_OPT_STRING, NULL_STRING, NULL_STRING },
     { "idp_token_endpoint", DP_OPT_STRING, NULL_STRING, NULL_STRING },
     { "idp_device_auth_endpoint", DP_OPT_STRING, NULL_STRING, NULL_STRING },
     { "idp_userinfo_endpoint", DP_OPT_STRING, NULL_STRING, NULL_STRING },