From 330edeeddbfbfad3ed72c42f9c0ac9638ac7ca33 Mon Sep 17 00:00:00 2001
From: Miha Dolinar
Date: Thu, 29 Apr 2021 15:55:19 +0200
Subject: [PATCH] Remove password from return object in ad auth provider

We are hiding password value in the ad_auth_provider module return object as passwords are visible from what Sensu Go backend returns.
---
 plugins/modules/ad_auth_provider.py | 12 ++++++++++--
 .../molecule/module_ad_auth_provider/converge.yml | 2 +-
 2 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/plugins/modules/ad_auth_provider.py b/plugins/modules/ad_auth_provider.py
index 5217c0fc..609b16cb 100644
--- a/plugins/modules/ad_auth_provider.py
+++ b/plugins/modules/ad_auth_provider.py
@@ -208,7 +208,6 @@
 default_upn_domain: 'example.org'
 binding:
 user_dn: 'cn=binder,dc=acme,dc=org'
- password: 'YOUR_PASSWORD'
 group_search:
 base_dn: 'dc=acme,dc=org'
 attribute: 'member'
@@ -232,6 +231,15 @@
 API_VERSION = "authentication/v2"
 
 
+def remove_item(result):
+ if result:
+ for server in result["servers"]:
+ if server["binding"] and "password" in server["binding"]:
+ del server["binding"]["password"]
+
+ return result
+
+
 def _filter(payload):
 # Remove keys with None values from dict
 return dict((k, v) for k, v in payload.items() if v is not None)
@@ -379,7 +387,7 @@ def main():
 changed, ad_provider = utils.sync_v1(
 module.params["state"], client, path, payload, module.check_mode, do_differ
 )
- module.exit_json(changed=changed, object=ad_provider)
+ module.exit_json(changed=changed, object=remove_item(ad_provider))
 except errors.Error as e:
 module.fail_json(msg=str(e))
 
diff --git a/tests/integration/molecule/module_ad_auth_provider/converge.yml b/tests/integration/molecule/module_ad_auth_provider/converge.yml
index b747845b..0112074b 100644
--- a/tests/integration/molecule/module_ad_auth_provider/converge.yml
+++ b/tests/integration/molecule/module_ad_auth_provider/converge.yml
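Review bot: `remove_item` indexes `result["servers"]` and `server["binding"]` directly, so if the backend ever returns a server entry without a `binding` key (an anonymous bind, or a `servers` list missing altogether) the sanitizer raises KeyError on the success path just before `exit_json`, and the module fails on exactly the code meant to protect the password. Two lines make it tolerant without changing the happy path: `for server in result.get("servers") or []:` and `if server.get("binding") and "password" in server["binding"]:`. The function also deserves a name and docstring that say what it does, e.g. rename it `_strip_binding_password` (keeping `remove_item` as an alias if anything else references it) with the docstring `"""Delete the bind password from every server in the backend's response, in place, so it never reaches the module's return object."""`. The `"password" in ...` test only masks a key literally named `password`; if the API ever returns the secret under another key this helper will not see it, which is worth a `# NOTE(review):` comment rather than silent reliance.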
@@ -261,7 +261,7 @@
 - result.object.servers.0.client_key_file == '/path/to/ssl/key.pem'
 - result.object.servers.0.default_upn_domain == 'example.org'
 - result.object.servers.0.binding.user_dn == 'cn=binder,dc=acme,dc=org'
- - result.object.servers.0.binding.password == 'VALUE_SPECIFIED_IN_NO_LOG_PARAMETER'
+ - "'password' not in result.object.servers.0.binding"
 - result.object.servers.0.group_search.base_dn == 'dc=acme,dc=org'
 - result.object.servers.0.group_search.attribute == 'member'
 - result.object.servers.0.group_search.name_attribute == 'cn'
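Review bot: The new assertion only exercises a server that carries a `binding` block, so the module's cleanup of a response with no `binding` (or no `password` inside it) is never covered by this scenario. If the provider fixture earlier in this playbook allows a second server, add one without `binding` and assert `- "'binding' not in result.object.servers.1"` so a KeyError in the cleanup path surfaces here instead of in production. The removed line shows the old value was already masked by Ansible's `no_log` substitution; it is worth a one-line comment above the new assertion noting that the key must be absent, not merely redacted, because `no_log` masking only fires when the returned value equals the parameter value. The enclosing assert task starts outside this hunk.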