Fix for Client secret is visable in Admin event representation when Credentials Reset action performed for the Client. (#32067)

* Stripping secrets for the credential representation Signed-off-by: kaustubh B <kbawanka@redhat.com>
2024-08-12 22:17:41 +05:30 · 2024-08-12 22:17:41 +05:30 · cf8905efe8
commit cf8905efe8
parent ea3937f37c
3 changed files with 19 additions and 2 deletions
--- a/server-spi-private/src/main/java/org/keycloak/models/utils/StripSecretsUtils.java
+++ b/server-spi-private/src/main/java/org/keycloak/models/utils/StripSecretsUtils.java
@ -24,6 +24,7 @@ import org.keycloak.provider.ProviderConfigProperty;
 import org.keycloak.representations.idm.ClientRepresentation;
 import org.keycloak.representations.idm.ComponentExportRepresentation;
 import org.keycloak.representations.idm.ComponentRepresentation;
+import org.keycloak.representations.idm.CredentialRepresentation;
 import org.keycloak.representations.idm.IdentityProviderRepresentation;
 import org.keycloak.representations.idm.RealmRepresentation;
 import org.keycloak.representations.idm.UserRepresentation;
@ -59,6 +60,7 @@ public class StripSecretsUtils {
        REPRESENTATION_FORMATTER.put(ClientRepresentation.class, (session, o) -> StripSecretsUtils.stripClient((ClientRepresentation) o));
        REPRESENTATION_FORMATTER.put(IdentityProviderRepresentation.class, (session, o) -> StripSecretsUtils.stripBroker((IdentityProviderRepresentation) o));
        REPRESENTATION_FORMATTER.put(ComponentRepresentation.class, (session, o) -> StripSecretsUtils.stripComponent(session, (ComponentRepresentation) o));
+        REPRESENTATION_FORMATTER.put(CredentialRepresentation.class, (session, o) -> StripSecretsUtils.stripCredentials((CredentialRepresentation) o));
    }

    public static <T> T stripSecrets(KeycloakSession session, T representation) {
@ -82,6 +84,11 @@ public class StripSecretsUtils {
            );
    }

+    protected static CredentialRepresentation stripCredentials(CredentialRepresentation rep) {
+        rep.setValue("**********");
+        return rep;
+    }
+
    private static ComponentRepresentation stripComponent(KeycloakSession session, ComponentRepresentation rep) {
        Map<String, ProviderConfigProperty> configProperties = ComponentUtil.getComponentConfigProperties(session, rep);
        return stripComponent(configProperties, rep);
--- a/server-spi-private/src/test/java/org/keycloak/models/utils/StripSecretsUtilsTest.java
+++ b/server-spi-private/src/test/java/org/keycloak/models/utils/StripSecretsUtilsTest.java
@ -122,6 +122,16 @@ public class StripSecretsUtilsTest {
        assertEquals("configValue1", rep.getConfig().get("configParam1"));
    }

+    @Test
+    public void stripCredentials(){
+        CredentialRepresentation rep = new CredentialRepresentation();
+        rep.setId("test");
+        rep.setValue("secretValue");
+        StripSecretsUtils.stripCredentials(rep);
+        assertEquals("test", rep.getId());
+        assertEquals("**********", rep.getValue());
+    }
+
    @Test
    public void stripComponent() {
        ComponentRepresentation rep = new ComponentRepresentation();
--- a/services/src/main/java/org/keycloak/services/resources/admin/ClientResource.java
+++ b/services/src/main/java/org/keycloak/services/resources/admin/ClientResource.java
@ -299,7 +299,7 @@ public class ClientResource {

            adminEvent.operation(OperationType.ACTION).resourcePath(session.getContext().getUri()).representation(rep).success();
            session.removeAttribute(ClientSecretConstants.CLIENT_SECRET_ROTATION_ENABLED);
-
+            rep.setValue(secret);
            return rep;
        } catch (ClientPolicyException cpe) {
            throw new ErrorResponseException(cpe.getError(), cpe.getErrorDetail(),