AAP-49671 Fix GitHub enterprise authenticator encrypted fields (#773)

Fixes CVE-2025-7738

Author: BrennanPaciorek

ansible_base/authentication/authenticator_plugins/github_enterprise.py

@@ -14,4 +14,4 @@ class AuthenticatorPlugin(SocialAuthMixin, SocialAuthValidateCallbackMixin, Gith
     logger = logger
     type = "github-enterprise"
     category = "sso"
-    configuration_encrypted_fields = ['ENTERPRISE_SECRET']
+    configuration_encrypted_fields = ['SECRET']

ansible_base/authentication/authenticator_plugins/github_enterprise_org.py

@@ -14,4 +14,4 @@ class AuthenticatorPlugin(SocialAuthMixin, SocialAuthValidateCallbackMixin, Gith
     logger = logger
     type = "github-enterprise-org"
     category = "sso"
-    configuration_encrypted_fields = ['ENTERPRISE_ORG_SECRET']
+    configuration_encrypted_fields = ['SECRET']

test_app/tests/authentication/serializers/test_authenticator.py

@@ -6,6 +6,7 @@
 from rest_framework.serializers import ValidationError
 
 from ansible_base.authentication.serializers import AuthenticatorSerializer
+from ansible_base.lib.utils.encryption import ENCRYPTED_STRING
 
 
 def test_validate_blank_authenticator_slug(shut_up_logging):
@@ -39,6 +40,15 @@ def test_removed_authenticator_plugin(ldap_authenticator, shut_up_logging):
     assert item['configuration'] == {}
 
 
+@pytest.mark.django_db
+@pytest.mark.parametrize("fixture", ["github_enterprise_authenticator", "github_enterprise_organization_authenticator"])
+def test_authenticator_configuration_encrypted_fields(request, fixture, shut_up_logging):
+    serializer = AuthenticatorSerializer()
+    authenticator = request.getfixturevalue(fixture)
+    item = serializer.to_representation(authenticator)
+    assert item['configuration']["SECRET"] == ENCRYPTED_STRING
+
+
 def test_authenticator_no_configuration(shut_up_logging):
     serializer = AuthenticatorSerializer()
     with pytest.raises(ValidationError):