admin and cli: hide secret keys unless asked

2 files changed, 12 insertions, 4 deletions

diff --git a/src/garage/admin/key.rs b/src/garage/admin/key.rs
index 8a1c02af..908986fa 100644
--- a/src/garage/admin/key.rs
+++ b/src/garage/admin/key.rs
@@ -41,12 +41,17 @@ impl AdminRpcHandler {
 		Ok(AdminRpc::KeyList(key_ids))
 	}
 
-	async fn handle_key_info(&self, query: &KeyOpt) -> Result<AdminRpc, Error> {
-		let key = self
+	async fn handle_key_info(&self, query: &KeyInfoOpt) -> Result<AdminRpc, Error> {
+		let mut key = self
 			.garage
 			.key_helper()
 			.get_existing_matching_key(&query.key_pattern)
 			.await?;
+
+		if !query.show_secret {
+			key.state.as_option_mut().unwrap().secret_key = "(redacted)".into();
+		}
+
 		self.key_info_result(key).await
 	}
 
diff --git a/src/garage/cli/structs.rs b/src/garage/cli/structs.rs
index 2547fb8d..05d2ea31 100644
--- a/src/garage/cli/structs.rs
+++ b/src/garage/cli/structs.rs
@@ -328,7 +328,7 @@ pub enum KeyOperation {
 
 	/// Get key info
 	#[structopt(name = "info", version = garage_version())]
-	Info(KeyOpt),
+	Info(KeyInfoOpt),
 
 	/// Create new key
 	#[structopt(name = "create", version = garage_version())]
@@ -356,9 +356,12 @@ pub enum KeyOperation {
 }
 
 #[derive(Serialize, Deserialize, StructOpt, Debug)]
-pub struct KeyOpt {
+pub struct KeyInfoOpt {
 	/// ID or name of the key
 	pub key_pattern: String,
+	/// Whether to display the secret key
+	#[structopt(long = "show-secret")]
+	pub show_secret: bool,
 }
 
 #[derive(Serialize, Deserialize, StructOpt, Debug)]