From b26b623f7dd6df856c9affb9202b079172e88d6d Mon Sep 17 00:00:00 2001
From: Zac Bergquist
Date: Sun, 13 Oct 2024 17:10:16 -0600
Subject: [PATCH] tctl: add a --with-secrets flag to tctl tokens ls

Show the "safe name" for tokens by default, which is the name of the token for non-sensitive join tokens, and a redacted version of the name for shared secret tokens.

Note: for --format=json or --format=yaml we currently maintain the original behavior (always show the raw token contents). The tctl get tokens command has also not been touched - it continues to return the raw token resource from the backend.

Updates #47254
---
 tool/tctl/common/token_command.go | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/tool/tctl/common/token_command.go b/tool/tctl/common/token_command.go
index 8b7b89f7aeb7..c11a64ce070c 100644
--- a/tool/tctl/common/token_command.go
+++ b/tool/tctl/common/token_command.go
@@ -62,6 +62,8 @@ Use this token to add an MDM service to Teleport.
 type TokensCommand struct {
 config *servicecfg.Config

+ withSecrets bool
+
 // format is the output format, e.g. text or json
 format string

@@ -136,6 +138,7 @@ func (c *TokensCommand) Initialize(app *kingpin.Application, config *servicecfg.
 // "tctl tokens ls"
 c.tokenList = tokens.Command("ls", "List node and user invitation tokens.")
 c.tokenList.Flag("format", "Output format, 'text', 'json' or 'yaml'").EnumVar(&c.format, formats...)
+ c.tokenList.Flag("with-secrets", "Do not redact join tokens").BoolVar(&c.withSecrets)

 if c.stdout == nil {
 c.stdout = os.Stdout
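Review bot: The new `withSecrets` field in TokensCommand (first hunk) has no doc comment, although the `format` field right below it has one. Because this field decides whether secret token names reach the terminal, I would document it: `// withSecrets, when true, prints full token names instead of redacted ones in "tctl tokens ls".` The struct definition continues outside the hunk.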
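Review bot: The help string `"Do not redact join tokens"` on the `with-secrets` flag in Initialize (second hunk) does not say that redaction covers only the plain-text and table output. Per the commit description, `--format=json` and `--format=yaml` still write the raw token resources, so an operator who leaves the flag off in a script could wrongly assume the output is safe to log or paste into a ticket. I would spell that out in the help text, for example `"Show unredacted join token names (json and yaml output is never redacted)"`. Initialize's body starts and ends outside the hunk.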
@@ -384,6 +387,11 @@ func (c *TokensCommand) List(ctx context.Context, client *authclient.Client) err
 // Sort by expire time.
 sort.Slice(tokens, func(i, j int) bool { return tokens[i].Expiry().Unix() < tokens[j].Expiry().Unix() })

+ nameFunc := (types.ProvisionToken).GetSafeName
+ if c.withSecrets {
+ nameFunc = (types.ProvisionToken).GetName
+ }
+
 switch c.format {
 case teleport.JSON:
 err := utils.WriteJSONArray(c.stdout, tokens)
@@ -397,7 +405,7 @@ func (c *TokensCommand) List(ctx context.Context, client *authclient.Client) err
 }
 case teleport.Text:
 for _, token := range tokens {
- fmt.Fprintln(c.stdout, token.GetName())
+ fmt.Fprintln(c.stdout, nameFunc(token))
 }
 default:
 tokensView := func() string {
@@ -405,12 +413,12 @@ func (c *TokensCommand) List(ctx context.Context, client *authclient.Client) err
 now := time.Now()
 for _, t := range tokens {
 expiry := "never"
- if !t.Expiry().IsZero() {
+ if !t.Expiry().IsZero() && t.Expiry().Unix() != 0 {
 exptime := t.Expiry().Format(time.RFC822)
 expdur := t.Expiry().Sub(now).Round(time.Second)
 expiry = fmt.Sprintf("%s (%s)", exptime, expdur.String())
 }
- table.AddRow([]string{t.GetName(), t.GetRoles().String(), printMetadataLabels(t.GetMetadata().Labels), expiry})
+ table.AddRow([]string{nameFunc(t), t.GetRoles().String(), printMetadataLabels(t.GetMetadata().Labels), expiry})
 }
 return table.AsBuffer().String()
 }
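Review bot: The redact-by-default choice made by `nameFunc` in List (first hunk of this function) has no test in this patch; the diffstat lists only token_command.go. A later refactor could put shared-secret token names back into terminal output without any test failing, so I would add a test that runs `tokens ls` with and without `--with-secrets` against a token whose GetSafeName differs from its GetName. A short comment above the assignment, such as `// Redact by default; the JSON branch below still writes the raw token resources.`, would also show that `utils.WriteJSONArray(c.stdout, tokens)` does not use nameFunc. List's body starts and ends outside the hunk.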
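Review bot: The added `t.Expiry().Unix() != 0` condition in the table branch (last hunk of List) is unrelated to redaction and is explained neither in the commit description nor in a comment. Presumably it treats an expiry stored as the Unix epoch as "never", a case `IsZero()` does not catch; if that is the intent, say so next to the check: `// An expiry at the Unix epoch also means "never"; it is not the zero time.Time.` As a smaller style point, `t.Expiry()` is now called four times in this block and could be held in a local, `exp := t.Expiry()`. The closure and the rest of List continue outside the hunk.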