From e2e7ce59f79b4add41034caad15ef1d6bc8cb0e3 Mon Sep 17 00:00:00 2001
From: Felix Fontein
Date: Fri, 12 Mar 2021 19:38:22 +0100
Subject: [PATCH 1/2] Mark join_token as no_log.
---
 .../fragments/103-docker_swarm-join_token.yml | 4 ++++
 plugins/modules/docker_swarm.py | 16 +++++++++++++---
 2 files changed, 17 insertions(+), 3 deletions(-)
 create mode 100644 changelogs/fragments/103-docker_swarm-join_token.yml
diff --git a/changelogs/fragments/103-docker_swarm-join_token.yml b/changelogs/fragments/103-docker_swarm-join_token.yml
new file mode 100644
index 000000000..a2e40747a
--- /dev/null
+++ b/changelogs/fragments/103-docker_swarm-join_token.yml
@@ -0,0 +1,4 @@
+security_fixes:
+- "docker_swarm - the ``join_token`` option is now marked as ``no_log`` so it is no longer written into logs (https://github.com/ansible-collections/community.docker/pull/103)."
+breaking_changes:
+- "docker_swarm - if ``join_token`` is specified, a returned join token with the same value will be replaced by ``VALUE_SPECIFIED_IN_NO_LOG_PARAMETER``. Make sure that you do not blindly use the join tokens from the return value of this module when the module is invoked with ``join_token`` specified! This breaking change appears in a minor release since it is necessary to fix a security issue (https://github.com/ansible-collections/community.docker/pull/103)."
diff --git a/plugins/modules/docker_swarm.py b/plugins/modules/docker_swarm.py
index 5cd2b91b6..7d6fce4d9
--- a/plugins/modules/docker_swarm.py
+++ b/plugins/modules/docker_swarm.py
@@ -83,6 +83,8 @@
 description:
 - Swarm token used to join a swarm cluster.
 - Used with I(state=join).
+ - If this value is specified, the corresponding value in the return values will be censored by Ansible.
+ This is a side-effect of this value not being logged.
 type: str
 remote_addrs:
 description:
@@ -230,12 +232,20 @@
 type: dict
 contains:
 Worker:
- description: Token to create a new *worker* node
+ description:
+ - Token to create a new *worker* node.
+ - "B(Note:) if this value has been specified as I(join_token), the value here will not
+ be the token, but C(VALUE_SPECIFIED_IN_NO_LOG_PARAMETER). If you pass I(join_token),
+ make sure your playbook/role does not depend on this return value!"
 returned: success
 type: str
 example: SWMTKN-1--xxxxx
 Manager:
- description: Token to create a new *manager* node
+ description:
+ - Token to create a new *manager* node.
+ - "B(Note:) if this value has been specified as I(join_token), the value here will not
+ be the token, but C(VALUE_SPECIFIED_IN_NO_LOG_PARAMETER). If you pass I(join_token),
+ make sure your playbook/role does not depend on this return value!"
 returned: success
 type: str
 example: SWMTKN-1--xxxxx
@@ -591,7 +601,7 @@ def main():
 force=dict(type='bool', default=False),
 listen_addr=dict(type='str', default='0.0.0.0:2377'),
 remote_addrs=dict(type='list', elements='str'),
- join_token=dict(type='str'),
+ join_token=dict(type='str', no_log=True),
 snapshot_interval=dict(type='int'),
 task_history_retention_limit=dict(type='int'),
 keep_old_snapshots=dict(type='int'),
From 0df92bb32813f97b21d3ce9b6d549f920e8a13e4 Mon Sep 17 00:00:00 2001
From: Felix Fontein
Date: Fri, 12 Mar 2021 22:12:31 +0100
Subject: [PATCH 2/2] Apply suggestions from code review
Co-authored-by: Piotr Wojciechowski <23406016+WojciechowskiPiotr@users.noreply.github.com>
---
 plugins/modules/docker_swarm.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/plugins/modules/docker_swarm.py b/plugins/modules/docker_swarm.py
index 7d6fce4d9..3a7486a63
--- a/plugins/modules/docker_swarm.py
+++ b/plugins/modules/docker_swarm.py
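Review bot: `no_log=True` on the `join_token=dict(...)` line masks only the value a caller supplies, so the `Worker` and `Manager` tokens the module itself returns under `JoinTokens` (documented in the RETURN hunk above as `returned: success`) are still emitted in clear text in task output and callback logs whenever the task runs without `join_token`, for example when it creates the swarm. The commit closes the input-side leak but the new RETURN note only talks about the censored case, so a reader may conclude the tokens are now generally protected. I would extend the note on both `Worker` and `Manager` with `- "When I(join_token) is not passed, this token is returned in clear text and will appear in task output and logs unless the task sets C(no_log: true)."` and repeat it in the module's `notes:` section if there is one. The `argument_spec` dict in `main()` starts and ends outside the hunk.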
@@ -233,7 +233,7 @@
 contains:
 Worker:
 description:
- - Token to create a new *worker* node.
+ - Token to join the cluster as a new *worker* node.
 - "B(Note:) if this value has been specified as I(join_token), the value here will not
 be the token, but C(VALUE_SPECIFIED_IN_NO_LOG_PARAMETER). If you pass I(join_token),
 make sure your playbook/role does not depend on this return value!"
@@ -242,7 +242,7 @@
 example: SWMTKN-1--xxxxx
 Manager:
 description:
- - Token to create a new *manager* node.
+ - Token to join the cluster as a new *manager* node.
 - "B(Note:) if this value has been specified as I(join_token), the value here will not
 be the token, but C(VALUE_SPECIFIED_IN_NO_LOG_PARAMETER). If you pass I(join_token),
 make sure your playbook/role does not depend on this return value!"