From cf8905efe87276a672dabea249bdd797c6243e9d Mon Sep 17 00:00:00 2001
From: kaustubh-rh <88367583+kaustubh-rh@users.noreply.github.com>
Date: Mon, 12 Aug 2024 22:17:41 +0530
Subject: [PATCH] Fix for Client secret is visable in Admin event representation when Credentials Reset action performed for the Client. (#32067)

* Stripping secrets for the credential representation

Signed-off-by: kaustubh B
---
 .../org/keycloak/models/utils/StripSecretsUtils.java | 9 ++++++++-
 .../keycloak/models/utils/StripSecretsUtilsTest.java | 10 ++++++++++
 .../services/resources/admin/ClientResource.java | 2 +-
 3 files changed, 19 insertions(+), 2 deletions(-)

diff --git a/server-spi-private/src/main/java/org/keycloak/models/utils/StripSecretsUtils.java b/server-spi-private/src/main/java/org/keycloak/models/utils/StripSecretsUtils.java
index 428ab7d8194..04703d98be5 100644
--- a/server-spi-private/src/main/java/org/keycloak/models/utils/StripSecretsUtils.java
+++ b/server-spi-private/src/main/java/org/keycloak/models/utils/StripSecretsUtils.java
@@ -24,6 +24,7 @@ import org.keycloak.provider.ProviderConfigProperty;
 import org.keycloak.representations.idm.ClientRepresentation;
 import org.keycloak.representations.idm.ComponentExportRepresentation;
 import org.keycloak.representations.idm.ComponentRepresentation;
+import org.keycloak.representations.idm.CredentialRepresentation;
 import org.keycloak.representations.idm.IdentityProviderRepresentation;
 import org.keycloak.representations.idm.RealmRepresentation;
 import org.keycloak.representations.idm.UserRepresentation;
@@ -59,6 +60,7 @@ public class StripSecretsUtils {
         REPRESENTATION_FORMATTER.put(ClientRepresentation.class, (session, o) -> StripSecretsUtils.stripClient((ClientRepresentation) o));
         REPRESENTATION_FORMATTER.put(IdentityProviderRepresentation.class, (session, o) -> StripSecretsUtils.stripBroker((IdentityProviderRepresentation) o));
         REPRESENTATION_FORMATTER.put(ComponentRepresentation.class, (session, o) -> StripSecretsUtils.stripComponent(session, (ComponentRepresentation) o));
+        REPRESENTATION_FORMATTER.put(CredentialRepresentation.class, (session, o) -> StripSecretsUtils.stripCredentials((CredentialRepresentation) o));
     }
 
     public static T stripSecrets(KeycloakSession session, T representation) {
@@ -82,6 +84,11 @@ public class StripSecretsUtils {
         );
     }
 
+    protected static CredentialRepresentation stripCredentials(CredentialRepresentation rep) {
+        rep.setValue("**********");
+        return rep;
+    }
+
     private static ComponentRepresentation stripComponent(KeycloakSession session, ComponentRepresentation rep) {
         Map configProperties = ComponentUtil.getComponentConfigProperties(session, rep);
         return stripComponent(configProperties, rep);
@@ -184,4 +191,4 @@ public class StripSecretsUtils {
         return rep;
     }
 
-}
\ No newline at end of file
+}
diff --git a/server-spi-private/src/test/java/org/keycloak/models/utils/StripSecretsUtilsTest.java b/server-spi-private/src/test/java/org/keycloak/models/utils/StripSecretsUtilsTest.java
index 7534f4354e0..ffefa851c74 100644
--- a/server-spi-private/src/test/java/org/keycloak/models/utils/StripSecretsUtilsTest.java
+++ b/server-spi-private/src/test/java/org/keycloak/models/utils/StripSecretsUtilsTest.java
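Review bot: stripCredentials in the second hunk of StripSecretsUtils.java masks only `value`, but a CredentialRepresentation also carries `secretData`, which would still reach the admin event unmasked if a caller populates it; consider clearing it as well, e.g. `rep.setSecretData(null);`, or document in a Javadoc why only `value` is considered secret here. The literal `"**********"` repeats the mask that the sibling strip methods in this file use; if they rely on a shared constant (`ComponentRepresentation.SECRET_VALUE` is what I would expect), reusing it keeps the mask in one place. The method also mutates the passed representation in place and returns the same object, which is what forces the caller-side restore in ClientResource.java; a Javadoc line such as `/** Masks the secret value in place; callers that still need the plaintext must keep their own copy. */` would make that contract explicit. The registration in the first hunk means this applies to every CredentialRepresentation passed through stripSecrets, not only the client-secret path.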
@@ -122,6 +122,16 @@ public class StripSecretsUtilsTest {
         assertEquals("configValue1", rep.getConfig().get("configParam1"));
     }
 
+    @Test
+    public void stripCredentials(){
+        CredentialRepresentation rep = new CredentialRepresentation();
+        rep.setId("test");
+        rep.setValue("secretValue");
+        StripSecretsUtils.stripCredentials(rep);
+        assertEquals("test", rep.getId());
+        assertEquals("**********", rep.getValue());
+    }
+
     @Test
     public void stripComponent() {
         ComponentRepresentation rep = new ComponentRepresentation();
diff --git a/services/src/main/java/org/keycloak/services/resources/admin/ClientResource.java b/services/src/main/java/org/keycloak/services/resources/admin/ClientResource.java
index 099e3be25ac..4834b5c5241 100755
--- a/services/src/main/java/org/keycloak/services/resources/admin/ClientResource.java
+++ b/services/src/main/java/org/keycloak/services/resources/admin/ClientResource.java
@@ -299,7 +299,7 @@ public class ClientResource {
             adminEvent.operation(OperationType.ACTION).resourcePath(session.getContext().getUri()).representation(rep).success();
 
             session.removeAttribute(ClientSecretConstants.CLIENT_SECRET_ROTATION_ENABLED);
-
+            rep.setValue(secret);
             return rep;
         } catch (ClientPolicyException cpe) {
             throw new ErrorResponseException(cpe.getError(), cpe.getErrorDetail(),
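Review bot: The new stripCredentials test calls the helper directly, so the REPRESENTATION_FORMATTER registration added in StripSecretsUtils.java is never exercised; one assertion routed through `StripSecretsUtils.stripSecrets(null, rep)` (the registered lambda ignores the session, so null looks safe, but confirm) would cover the dispatch that the admin-event path actually uses. It would also be worth asserting that a representation with no value set still comes back masked, since the helper masks unconditionally. Style nit: `public void stripCredentials(){` lacks the space before the brace that the neighbouring `public void stripComponent() {` uses.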
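Review bot: Restoring the plaintext with `rep.setValue(secret)` after `adminEvent...representation(rep).success()` relies on two things outside this hunk: that the event builder masks `rep` in place, and that the local `secret` still holds the freshly generated value; if either changes, the HTTP response silently returns the mask or the secret reappears in the event. A more robust shape is to hand the event its own instance rather than the object that is returned to the caller, so the returned representation is never mutated by the event path. At minimum, add a why-comment above the new line, e.g. `// the admin event masks rep.value in place; restore the plaintext for the HTTP response`, so the ordering is not "cleaned up" later. The enclosing method starts and ends outside the hunk.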