From 58babf738b7f1ef4c9219d86c851c9f87684b6a3 Mon Sep 17 00:00:00 2001
From: David Moreau Simard
Date: Thu, 4 Feb 2021 15:03:43 -0500
Subject: [PATCH] docker swarm - Add no_log to the signing_ca_key argument (#80) * docker swarm - Add no_log to the signing_ca_key argument This will prevent accidental disclosure. See: CVE-2021-20191 * Update changelogs/fragments/CVE-2021-20191_no_log.yml Co-authored-by: Felix Fontein
---
 changelogs/fragments/CVE-2021-20191_no_log.yml | 2 ++
 plugins/modules/docker_swarm.py | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)
 create mode 100644 changelogs/fragments/CVE-2021-20191_no_log.yml
diff --git a/changelogs/fragments/CVE-2021-20191_no_log.yml b/changelogs/fragments/CVE-2021-20191_no_log.yml
new file mode 100644
index 00000000..0e94bc46
--- /dev/null
+++ b/changelogs/fragments/CVE-2021-20191_no_log.yml
@@ -0,0 +1,2 @@
+security_fixes:
+ - docker_swarm - enabled ``no_log`` for the option ``signing_ca_key`` to prevent accidental disclosure (CVE-2021-20191, https://github.com/ansible-collections/community.docker/pull/80).
diff --git a/plugins/modules/docker_swarm.py b/plugins/modules/docker_swarm.py
index 96df0092..5cd2b91b 100644
--- a/plugins/modules/docker_swarm.py
+++ b/plugins/modules/docker_swarm.py
@@ -603,7 +603,7 @@ def main():
 name=dict(type='str'),
 labels=dict(type='dict'),
 signing_ca_cert=dict(type='str'),
- signing_ca_key=dict(type='str'),
+ signing_ca_key=dict(type='str', no_log=True),
 ca_force_rotate=dict(type='int'),
 autolock_managers=dict(type='bool'),
 node_id=dict(type='str'),
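Review bot: The `no_log=True` on `signing_ca_key` in `plugins/modules/docker_swarm.py` carries no comment explaining why it is there, and it covers only this one entry. The argument spec in `main()` starts and ends outside the hunk, so it cannot be confirmed from here that other secret-bearing options (such as a join token, if the spec takes one) carry the same flag; the full spec is worth auditing in the same change. A short comment above the line would make the flag harder to drop in a later refactor, e.g. `# CA private key: no_log keeps it out of logged module arguments (CVE-2021-20191)`. Because the flag only affects runs made after the upgrade, the changelog entry could also tell operators that a key passed to earlier versions may already be in logs and should be treated as exposed.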