Remove password and client secret from return objects

We are hiding password and client_secret values in the auth_provider_info module return objects as passwords and client_secret are visible from what Sensu Go backend returns.
sensu · Apr 29, 2021 · d403ebd · d403ebd
1 parent 7130e1a
commit d403ebd
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 9 deletions.
diff --git a/plugins/modules/auth_provider_info.py b/plugins/modules/auth_provider_info.py
@@ -5,6 +5,7 @@
 # GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
 
 from __future__ import absolute_import, division, print_function
+
 __metaclass__ = type
 
 ANSIBLE_METADATA = {
@@ -67,7 +68,6 @@
       groups_prefix: ''
       servers:
         binding:
-          password: 'YOUR_PASSWORD'
           user_dn: 'cn=binder,dc=acme,dc=org'
         client_cert_file: ''
         client_key_file: ''
@@ -98,6 +98,17 @@
 API_VERSION = "authentication/v2"
 
 
+def remove_item(result):
+    for server in result.get("servers", []):
+        if server["binding"] and "password" in server["binding"]:
+            del server["binding"]["password"]
+
+    if "client_secret" in result:
+        del result["client_secret"]
+
+    return result
+
+
 def main():
     module = AnsibleModule(
         supports_check_mode=True,
@@ -109,7 +120,11 @@ def main():
 
     client = arguments.get_sensu_client(module.params["auth"])
     path = utils.build_url_path(
-        API_GROUP, API_VERSION, None, "authproviders", module.params["name"],
+        API_GROUP,
+        API_VERSION,
+        None,
+        "authproviders",
+        module.params["name"],
     )
 
     try:
@@ -118,9 +133,10 @@ def main():
         module.fail_json(msg=str(e))
 
     # We simulate the behavior of v2 API here and only return the spec.
-    module.exit_json(changed=False, objects=[
-        utils.convert_v1_to_v2_response(p) for p in providers
-    ])
+    module.exit_json(
+        changed=False,
+        objects=[remove_item(utils.convert_v1_to_v2_response(p)) for p in providers],
+    )
 
 
 if __name__ == "__main__":

diff --git a/tests/unit/plugins/modules/test_auth_provider_info.py b/tests/unit/plugins/modules/test_auth_provider_info.py
@@ -22,27 +22,27 @@
 class TestAuthProviderInfo(ModuleTestCase):
     def test_get_all_auth_providers(self, mocker):
         get_mock = mocker.patch.object(utils, "get")
-        get_mock.return_value = [dict(spec=1), dict(spec=2)]
+        get_mock.return_value = [dict(spec=dict(a=1)), dict(spec=dict(b=2))]
         set_module_args()
 
         with pytest.raises(AnsibleExitJson) as context:
             auth_provider_info.main()
 
         _client, path = get_mock.call_args[0]
         assert path == "/api/enterprise/authentication/v2/authproviders"
-        assert context.value.args[0]["objects"] == [1, 2]
+        assert context.value.args[0]["objects"] == [dict(a=1), dict(b=2)]
 
     def test_get_single_auth_provider(self, mocker):
         get_mock = mocker.patch.object(utils, "get")
-        get_mock.return_value = dict(spec=4)
+        get_mock.return_value = dict(spec=dict(a=1))
         set_module_args(name="sample-auth-provider")
 
         with pytest.raises(AnsibleExitJson) as context:
             auth_provider_info.main()
 
         _client, path = get_mock.call_args[0]
         assert path == "/api/enterprise/authentication/v2/authproviders/sample-auth-provider"
-        assert context.value.args[0]["objects"] == [4]
+        assert context.value.args[0]["objects"] == [dict(a=1)]
 
     def test_missing_single_auth_provider(self, mocker):
         get_mock = mocker.patch.object(utils, "get")