IDP: avoid logging value of 'idp_client_secret'

alexey-tikhonov · alexey-tikhonov · commit efee944bae58 · 2026-01-07T21:10:43.000+01:00
Note that 'ldap_default_authtok' doesn't require special handling
because it is of DP_OPT_BLOB type and isn't logged.
diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
@@ -264,6 +264,9 @@
 #define CONFDB_PROXY_FAST_ALIAS "proxy_fast_alias"
 #define CONFDB_PROXY_MAX_CHILDREN "proxy_max_children"
 
+/* IdP Provider */
+#define CONFDB_IDP_CLIENT_SECRET "idp_client_secret"
+
 /* KCM Service */
 #define CONFDB_KCM_CONF_ENTRY "config/kcm"
 #define CONFDB_KCM_SOCKET "socket_path"
diff --git a/src/providers/data_provider_opts.c b/src/providers/data_provider_opts.c
@@ -123,6 +123,15 @@ int dp_get_options(TALLOC_CTX *memctx,
                 if (ret == EOK) ret = EINVAL;
                 goto done;
             }
+
+            if (strcmp(opts[i].opt_name, CONFDB_IDP_CLIENT_SECRET) == 0) {
+                /* avoid logging value of sensitive option */
+                DEBUG(SSSDBG_CONF_SETTINGS,
+                      "Option "CONFDB_IDP_CLIENT_SECRET" is%s set\n",
+                      opts[i].val.cstring ? "" : " not");
+                break;
+            }
+
             DEBUG(SSSDBG_CONF_SETTINGS, "Option %s has%s value %s\n",
                   opts[i].opt_name,
                   opts[i].val.cstring ? "" : " no",
diff --git a/src/providers/idp/idp_init.c b/src/providers/idp/idp_init.c
@@ -111,7 +111,7 @@ errno_t sssm_idp_init(TALLOC_CTX *mem_ctx,
                                                  IDP_CLIENT_SECRET);
     if (init_ctx->client_secret == NULL) {
         DEBUG(SSSDBG_CRIT_FAILURE,
-              "Missing required option 'idp_client_secret'.\n");
+              "Missing required option '"CONFDB_IDP_CLIENT_SECRET"'.\n");
         ret = EINVAL;
         goto done;
     }
diff --git a/src/providers/idp/idp_opts.c b/src/providers/idp/idp_opts.c
@@ -28,7 +28,7 @@ struct dp_option default_idp_opts[] = {
     { "idp_request_timeout", DP_OPT_NUMBER, { .number = 10 }, NULL_NUMBER },
     { "idp_type", DP_OPT_STRING, NULL_STRING, NULL_STRING },
     { "idp_client_id", DP_OPT_STRING, NULL_STRING, NULL_STRING },
-    { "idp_client_secret", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+    { CONFDB_IDP_CLIENT_SECRET, DP_OPT_STRING, NULL_STRING, NULL_STRING },
     { "idp_token_endpoint", DP_OPT_STRING, NULL_STRING, NULL_STRING },
     { "idp_device_auth_endpoint", DP_OPT_STRING, NULL_STRING, NULL_STRING },
     { "idp_userinfo_endpoint", DP_OPT_STRING, NULL_STRING, NULL_STRING },

Original file line number	Diff line number	Diff line change
`@@ -111,7 +111,7 @@ errno_t sssm_idp_init(TALLOC_CTX *mem_ctx,`
`111`	`111`	`IDP_CLIENT_SECRET);`
`112`	`112`	`if (init_ctx->client_secret == NULL) {`
`113`	`113`	`DEBUG(SSSDBG_CRIT_FAILURE,`
`114`		`- "Missing required option 'idp_client_secret'.\n");`
	`114`	`+ "Missing required option '"CONFDB_IDP_CLIENT_SECRET"'.\n");`
`115`	`115`	`ret = EINVAL;`
`116`	`116`	`goto done;`
`117`	`117`	`}`