diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
index f67ee7814b7..7e3aaa38874 100644
--- a/src/confdb/confdb.h
+++ b/src/confdb/confdb.h
@@ -264,6 +264,9 @@
 #define CONFDB_PROXY_FAST_ALIAS "proxy_fast_alias"
 #define CONFDB_PROXY_MAX_CHILDREN "proxy_max_children"
+/* IdP Provider */
+#define CONFDB_IDP_CLIENT_SECRET "idp_client_secret"
+
 /* KCM Service */
 #define CONFDB_KCM_CONF_ENTRY "config/kcm"
 #define CONFDB_KCM_SOCKET "socket_path"
diff --git a/src/oidc_child/oidc_child.c b/src/oidc_child/oidc_child.c
index 2436a272c28..deb818efcda 100644
--- a/src/oidc_child/oidc_child.c
+++ b/src/oidc_child/oidc_child.c
@@ -155,13 +155,13 @@ static errno_t read_client_secret_from_stdin(TALLOC_CTX *mem_ctx,
 ret = read_from_stdin(mem_ctx, &str);
 if (ret != EOK) {
- DEBUG(SSSDBG_OP_FAILURE, "read_from_stdin failed.\n");
+ DEBUG(SSSDBG_OP_FAILURE, "read_from_stdin() failed.\n");
 return ret;
 }
 *out = str;
- DEBUG(SSSDBG_TRACE_ALL, "Client secret: [%s].\n", *out);
+ DEBUG(SSSDBG_TRACE_ALL, "Client secret was read.\n");
 return EOK;
 }
diff --git a/src/oidc_child/oidc_child_curl.c b/src/oidc_child/oidc_child_curl.c
index 7365c2828d8..e4a5fc399d9 100644
--- a/src/oidc_child/oidc_child_curl.c
+++ b/src/oidc_child/oidc_child_curl.c
@@ -256,7 +256,8 @@ static errno_t set_http_opts(CURL *curl_ctx, struct rest_ctx *rest_ctx,
 }
 if (post_data != NULL) {
- DEBUG(SSSDBG_TRACE_ALL, "POST data: [%s].\n", post_data);
+ /* Don't log 'post_data' content as it might contain 'secret' */
+ DEBUG(SSSDBG_TRACE_ALL, "Setting POST data.\n");
 res = curl_easy_setopt(curl_ctx, CURLOPT_POSTFIELDS, post_data);
 if (res != CURLE_OK) {
 DEBUG(SSSDBG_OP_FAILURE, "Failed to add data to POST request.\n");
diff --git a/src/providers/data_provider_opts.c b/src/providers/data_provider_opts.c
index e034545aa2a..44117c295d9 100644
--- a/src/providers/data_provider_opts.c
+++ b/src/providers/data_provider_opts.c
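Review bot: The replaced trace no longer prints the secret itself, but read_from_stdin() on the line above hands back the very same string, so if that helper traces what it read at SSSDBG_TRACE_ALL the value still lands in the log one frame down; its body is outside this hunk and worth checking. The failure message could also carry the reason so an operator gets something actionable without needing a secret-bearing trace, e.g. `DEBUG(SSSDBG_OP_FAILURE, "read_from_stdin() failed [%d].\n", ret);`. The start of read_client_secret_from_stdin() lies outside the hunk.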
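Review bot: The redaction covers SSSD's own trace, but libcurl prints request bodies by itself once CURLOPT_VERBOSE is enabled, so if set_http_opts() or one of its callers switches verbose output on for debugging the POST body would still be written out; that code is not visible in this hunk, so this is a point to confirm rather than a defect I can see. The new comment would read more precisely as `/* post_data may carry the client secret, so only log that it is being set. */`. set_http_opts() starts and continues outside the hunk.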
@@ -88,6 +88,22 @@ void dp_option_inherit(int option,
 /* =Retrieve-Options====================================================== */
+static inline void log_string_option(const struct dp_option *opt)
+{
+ if (strcmp(opt->opt_name, CONFDB_IDP_CLIENT_SECRET) == 0) {
+ /* avoid logging value of sensitive option */
+ DEBUG(SSSDBG_CONF_SETTINGS,
+ "Option "CONFDB_IDP_CLIENT_SECRET" is%s set\n",
+ opt->val.cstring ? "" : " not");
+ return;
+ }
+
+ DEBUG(SSSDBG_CONF_SETTINGS, "Option %s has%s value %s\n",
+ opt->opt_name,
+ opt->val.cstring ? "" : " no",
+ opt->val.cstring ? opt->val.cstring : "");
+}
+
 int dp_get_options(TALLOC_CTX *memctx,
 struct confdb_ctx *cdb,
 const char *conf_path,
@@ -123,10 +139,8 @@ int dp_get_options(TALLOC_CTX *memctx,
 if (ret == EOK) ret = EINVAL;
 goto done;
 }
- DEBUG(SSSDBG_TRACE_FUNC, "Option %s has%s value %s\n",
- opts[i].opt_name,
- opts[i].val.cstring ? "" : " no",
- opts[i].val.cstring ? opts[i].val.cstring : "");
+
+ log_string_option(&opts[i]);
 break;
 case DP_OPT_BLOB:
@@ -151,7 +165,7 @@ int dp_get_options(TALLOC_CTX *memctx,
 opts[i].val.blob.length = 0;
 }
- DEBUG(SSSDBG_TRACE_FUNC, "Option %s has %s binary value.\n",
+ DEBUG(SSSDBG_CONF_SETTINGS, "Option %s has %s binary value.\n",
 opts[i].opt_name, opts[i].val.blob.length?"a":"no");
 break;
@@ -166,7 +180,7 @@ int dp_get_options(TALLOC_CTX *memctx,
 opts[i].opt_name);
 goto done;
 }
- DEBUG(SSSDBG_TRACE_FUNC, "Option %s has value %d\n",
+ DEBUG(SSSDBG_CONF_SETTINGS, "Option %s has value %d\n",
 opts[i].opt_name, opts[i].val.number);
 break;
@@ -181,7 +195,7 @@ int dp_get_options(TALLOC_CTX *memctx,
 opts[i].opt_name);
 goto done;
 }
- DEBUG(SSSDBG_TRACE_FUNC, "Option %s is %s\n",
+ DEBUG(SSSDBG_CONF_SETTINGS, "Option %s is %s\n",
 opts[i].opt_name, opts[i].val.boolean?"TRUE":"FALSE");
 break;
 }
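Review bot: log_string_option() decides sensitivity by comparing the name against the single constant CONFDB_IDP_CLIENT_SECRET, so every other credential-bearing string option that passes through dp_get_options() (and dp_copy_options_ex() in the hunk at @@ -227) is still printed verbatim, now at SSSDBG_CONF_SETTINGS; if I have the level ordering right that is enabled at a lower debug level than the former SSSDBG_TRACE_FUNC, so the same commit widens exposure for everything not on this one-entry list. A small table of redacted names with a lookup predicate keeps the decision in one place and makes the next secret option a one-line addition rather than another strcmp branch; the redacted message can then print opt->opt_name instead of repeating the constant inside the format string. The hunk shows no include change, so confirm data_provider_opts.c already pulls in confdb.h for the constant and <string.h> for strcmp.
```c
/* Option names whose string value must never be written to the log. */
static const char *const sensitive_string_opts[] = {
    CONFDB_IDP_CLIENT_SECRET,
};

static inline bool is_sensitive_string_opt(const char *name)
{
    for (size_t i = 0;
         i < sizeof(sensitive_string_opts) / sizeof(sensitive_string_opts[0]);
         i++) {
        if (strcmp(name, sensitive_string_opts[i]) == 0) {
            return true;
        }
    }
    return false;
}

static inline void log_string_option(const struct dp_option *opt)
{
    if (is_sensitive_string_opt(opt->opt_name)) {
        /* avoid logging value of sensitive option */
        DEBUG(SSSDBG_CONF_SETTINGS, "Option %s is%s set\n",
              opt->opt_name, opt->val.cstring ? "" : " not");
        return;
    }
    /* … unchanged: non-sensitive branch printing the value … */
}
```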
@@ -227,10 +241,7 @@ static int dp_copy_options_ex(TALLOC_CTX *memctx,
 opts[i].opt_name);
 goto done;
 }
- DEBUG(SSSDBG_TRACE_FUNC, "Option %s has%s value %s\n",
- opts[i].opt_name,
- opts[i].val.cstring ? "" : " no",
- opts[i].val.cstring ? opts[i].val.cstring : "");
+ log_string_option(&opts[i]);
 break;
 case DP_OPT_BLOB:
@@ -245,7 +256,7 @@ static int dp_copy_options_ex(TALLOC_CTX *memctx,
 opts[i].opt_name);
 goto done;
 }
- DEBUG(SSSDBG_TRACE_FUNC, "Option %s has %s binary value.\n",
+ DEBUG(SSSDBG_CONF_SETTINGS, "Option %s has %s binary value.\n",
 opts[i].opt_name, opts[i].val.blob.length?"a":"no");
 break;
@@ -261,7 +272,7 @@ static int dp_copy_options_ex(TALLOC_CTX *memctx,
 opts[i].opt_name);
 goto done;
 }
- DEBUG(SSSDBG_TRACE_FUNC, "Option %s has value %d\n",
+ DEBUG(SSSDBG_CONF_SETTINGS, "Option %s has value %d\n",
 opts[i].opt_name, opts[i].val.number);
 break;
@@ -277,7 +288,7 @@ static int dp_copy_options_ex(TALLOC_CTX *memctx,
 opts[i].opt_name);
 goto done;
 }
- DEBUG(SSSDBG_TRACE_FUNC, "Option %s is %s\n",
+ DEBUG(SSSDBG_CONF_SETTINGS, "Option %s is %s\n",
 opts[i].opt_name, opts[i].val.boolean?"TRUE":"FALSE");
 break;
 }
diff --git a/src/providers/idp/idp_init.c b/src/providers/idp/idp_init.c
index 18a25e3fe9f..5094edd0f9b 100644
--- a/src/providers/idp/idp_init.c
+++ b/src/providers/idp/idp_init.c
@@ -111,7 +111,7 @@ errno_t sssm_idp_init(TALLOC_CTX *mem_ctx,
 IDP_CLIENT_SECRET);
 if (init_ctx->client_secret == NULL) {
 DEBUG(SSSDBG_CRIT_FAILURE,
- "Missing required option 'idp_client_secret'.\n");
+ "Missing required option '"CONFDB_IDP_CLIENT_SECRET"'.\n");
 ret = EINVAL;
 goto done;
 }
diff --git a/src/providers/idp/idp_opts.c b/src/providers/idp/idp_opts.c
index 9b27142cb70..ee6c77b8bca 100644
--- a/src/providers/idp/idp_opts.c
+++ b/src/providers/idp/idp_opts.c
@@ -28,7 +28,7 @@ struct dp_option default_idp_opts[] = {
 { "idp_request_timeout", DP_OPT_NUMBER, { .number = 10 }, NULL_NUMBER },
 { "idp_type", DP_OPT_STRING, NULL_STRING, NULL_STRING },
 { "idp_client_id", DP_OPT_STRING, NULL_STRING, NULL_STRING },
- { "idp_client_secret", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { CONFDB_IDP_CLIENT_SECRET, DP_OPT_STRING, NULL_STRING, NULL_STRING },
 { "idp_token_endpoint", DP_OPT_STRING, NULL_STRING, NULL_STRING },
 { "idp_device_auth_endpoint", DP_OPT_STRING, NULL_STRING, NULL_STRING },
 { "idp_userinfo_endpoint", DP_OPT_STRING, NULL_STRING, NULL_STRING },