IDP: avoid logging value of 'idp_client_secret'

src/confdb/confdb.h

@@ -264,6 +264,9 @@
 #define CONFDB_PROXY_FAST_ALIAS "proxy_fast_alias"
 #define CONFDB_PROXY_MAX_CHILDREN "proxy_max_children"
 
+/* IdP Provider */
+#define CONFDB_IDP_CLIENT_SECRET "idp_client_secret"
+
 /* KCM Service */
 #define CONFDB_KCM_CONF_ENTRY "config/kcm"
 #define CONFDB_KCM_SOCKET "socket_path"

src/oidc_child/oidc_child.c

@@ -155,13 +155,13 @@ static errno_t read_client_secret_from_stdin(TALLOC_CTX *mem_ctx,
 
     ret = read_from_stdin(mem_ctx, &str);
     if (ret != EOK) {
-        DEBUG(SSSDBG_OP_FAILURE, "read_from_stdin failed.\n");
+        DEBUG(SSSDBG_OP_FAILURE, "read_from_stdin() failed.\n");
         return ret;
     }
 
     *out = str;
 
-    DEBUG(SSSDBG_TRACE_ALL, "Client secret: [%s].\n", *out);
+    DEBUG(SSSDBG_TRACE_ALL, "Client secret was read.\n");
 
     return EOK;
 }

src/oidc_child/oidc_child_curl.c

@@ -256,7 +256,8 @@ static errno_t set_http_opts(CURL *curl_ctx, struct rest_ctx *rest_ctx,
     }
 
     if (post_data != NULL) {
-        DEBUG(SSSDBG_TRACE_ALL, "POST data: [%s].\n", post_data);
+        /* Don't log 'post_data' content as it might contain 'secret' */
+        DEBUG(SSSDBG_TRACE_ALL, "Setting POST data.\n");
         res = curl_easy_setopt(curl_ctx, CURLOPT_POSTFIELDS, post_data);
         if (res != CURLE_OK) {
             DEBUG(SSSDBG_OP_FAILURE, "Failed to add data to POST request.\n");

src/providers/data_provider_opts.c

@@ -88,6 +88,22 @@
 
 /* =Retrieve-Options====================================================== */
 
+static inline void log_string_option(const struct dp_option *opt)
+{
+    if (strcmp(opt->opt_name, CONFDB_IDP_CLIENT_SECRET) == 0) {
+        /* avoid logging value of sensitive option */
+        DEBUG(SSSDBG_CONF_SETTINGS,
+              "Option "CONFDB_IDP_CLIENT_SECRET" is%s set\n",
+              opt->val.cstring ? "" : " not");
+        return;
+    }
+
+    DEBUG(SSSDBG_CONF_SETTINGS, "Option %s has%s value %s\n",
+          opt->opt_name,
+          opt->val.cstring ? "" : " no",
+          opt->val.cstring ? opt->val.cstring : "");
+}
+
 int dp_get_options(TALLOC_CTX *memctx,
                    struct confdb_ctx *cdb,
                    const char *conf_path,
@@ -123,10 +139,8 @@
                 if (ret == EOK) ret = EINVAL;
                 goto done;
             }
-            DEBUG(SSSDBG_TRACE_FUNC, "Option %s has%s value %s\n",
-                  opts[i].opt_name,
-                  opts[i].val.cstring ? "" : " no",
-                  opts[i].val.cstring ? opts[i].val.cstring : "");
+
+            log_string_option(&opts[i]);
             break;
 
         case DP_OPT_BLOB:
@@ -151,7 +165,7 @@
                 opts[i].val.blob.length = 0;
             }
 
-            DEBUG(SSSDBG_TRACE_FUNC, "Option %s has %s binary value.\n",
+            DEBUG(SSSDBG_CONF_SETTINGS, "Option %s has %s binary value.\n",
                   opts[i].opt_name, opts[i].val.blob.length?"a":"no");
             break;
 
@@ -166,7 +180,7 @@
                       opts[i].opt_name);
                 goto done;
             }
-            DEBUG(SSSDBG_TRACE_FUNC, "Option %s has value %d\n",
+            DEBUG(SSSDBG_CONF_SETTINGS, "Option %s has value %d\n",
                   opts[i].opt_name, opts[i].val.number);
             break;
 
@@ -181,7 +195,7 @@
                       opts[i].opt_name);
                 goto done;
             }
-            DEBUG(SSSDBG_TRACE_FUNC, "Option %s is %s\n",
+            DEBUG(SSSDBG_CONF_SETTINGS, "Option %s is %s\n",
                   opts[i].opt_name, opts[i].val.boolean?"TRUE":"FALSE");
             break;
         }
@@ -227,10 +241,7 @@
                        opts[i].opt_name);
                 goto done;
             }
-            DEBUG(SSSDBG_TRACE_FUNC, "Option %s has%s value %s\n",
-                  opts[i].opt_name,
-                  opts[i].val.cstring ? "" : " no",
-                  opts[i].val.cstring ? opts[i].val.cstring : "");
+            log_string_option(&opts[i]);
             break;
 
         case DP_OPT_BLOB:
@@ -245,7 +256,7 @@
                        opts[i].opt_name);
                 goto done;
             }
-            DEBUG(SSSDBG_TRACE_FUNC, "Option %s has %s binary value.\n",
+            DEBUG(SSSDBG_CONF_SETTINGS, "Option %s has %s binary value.\n",
                   opts[i].opt_name, opts[i].val.blob.length?"a":"no");
             break;
 
@@ -261,7 +272,7 @@
                       opts[i].opt_name);
                 goto done;
             }
-            DEBUG(SSSDBG_TRACE_FUNC, "Option %s has value %d\n",
+            DEBUG(SSSDBG_CONF_SETTINGS, "Option %s has value %d\n",
                   opts[i].opt_name, opts[i].val.number);
             break;
 
@@ -277,7 +288,7 @@
                        opts[i].opt_name);
                 goto done;
             }
-            DEBUG(SSSDBG_TRACE_FUNC, "Option %s is %s\n",
+            DEBUG(SSSDBG_CONF_SETTINGS, "Option %s is %s\n",
                   opts[i].opt_name, opts[i].val.boolean?"TRUE":"FALSE");
             break;
         }

src/providers/idp/idp_init.c

@@ -111,7 +111,7 @@
                                                  IDP_CLIENT_SECRET);
     if (init_ctx->client_secret == NULL) {
         DEBUG(SSSDBG_CRIT_FAILURE,
-              "Missing required option 'idp_client_secret'.\n");
+              "Missing required option '"CONFDB_IDP_CLIENT_SECRET"'.\n");
         ret = EINVAL;
         goto done;
     }

src/providers/idp/idp_opts.c

@@ -28,7 +28,7 @@ struct dp_option default_idp_opts[] = {
     { "idp_request_timeout", DP_OPT_NUMBER, { .number = 10 }, NULL_NUMBER },
     { "idp_type", DP_OPT_STRING, NULL_STRING, NULL_STRING },
     { "idp_client_id", DP_OPT_STRING, NULL_STRING, NULL_STRING },
-    { "idp_client_secret", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+    { CONFDB_IDP_CLIENT_SECRET, DP_OPT_STRING, NULL_STRING, NULL_STRING },
     { "idp_token_endpoint", DP_OPT_STRING, NULL_STRING, NULL_STRING },
     { "idp_device_auth_endpoint", DP_OPT_STRING, NULL_STRING, NULL_STRING },
     { "idp_userinfo_endpoint", DP_OPT_STRING, NULL_STRING, NULL_STRING },