fix: config describe prints secure properties with value redacted (#4195)

Author: cveticm

build/package/purls.txt

@@ -75,7 +75,7 @@ pkg:golang/github.com/mholt/archives@v0.1.3
 pkg:golang/github.com/mikelolasagasti/xz@v1.0.1
 pkg:golang/github.com/minio/minlz@v1.0.0
 pkg:golang/github.com/mongodb-forks/digest@v1.1.0
-pkg:golang/github.com/mongodb/atlas-cli-core@v0.0.0-20250904105537-cdeae83f46e0
+pkg:golang/github.com/mongodb/atlas-cli-core@v0.0.0-20250909113945-ffb322e05f59
 pkg:golang/github.com/montanaflynn/stats@v0.7.1
 pkg:golang/github.com/nwaples/rardecode/v2@v2.1.0
 pkg:golang/github.com/pelletier/go-toml/v2@v2.2.3

go.mod

@@ -29,7 +29,7 @@ require (
 	github.com/mattn/go-isatty v0.0.20
 	github.com/mholt/archives v0.1.3
 	github.com/mongodb-labs/cobra2snooty v1.19.1
-	github.com/mongodb/atlas-cli-core v0.0.0-20250904105537-cdeae83f46e0
+	github.com/mongodb/atlas-cli-core v0.0.0-20250909113945-ffb322e05f59
 	github.com/pelletier/go-toml v1.9.5
 	github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c
 	github.com/shirou/gopsutil/v4 v4.25.8

go.sum

@@ -320,8 +320,8 @@ github.com/mongodb-forks/digest v1.1.0 h1:7eUdsR1BtqLv0mdNm4OXs6ddWvR4X2/OsLwdKk
 github.com/mongodb-forks/digest v1.1.0/go.mod h1:rb+EX8zotClD5Dj4NdgxnJXG9nwrlx3NWKJ8xttz1Dg=
 github.com/mongodb-labs/cobra2snooty v1.19.1 h1:GDEQZWy8f/DeJlImNgVvStu6sgNi8nuSOR1Oskcw8BI=
 github.com/mongodb-labs/cobra2snooty v1.19.1/go.mod h1:Hyq4YadN8dwdOiz56MXwTuVN63p0WlkQwxdLxOSGdX8=
-github.com/mongodb/atlas-cli-core v0.0.0-20250904105537-cdeae83f46e0 h1:1g0tih3u0OGiMVmo4R5iBkduFtrNJMZUJD6MwEyWtr4=
-github.com/mongodb/atlas-cli-core v0.0.0-20250904105537-cdeae83f46e0/go.mod h1:QDfVGpdfxXM1httLNXCKsfWTKv6slzCqBZxkkPIktlQ=
+github.com/mongodb/atlas-cli-core v0.0.0-20250909113945-ffb322e05f59 h1:uIxkUglkDOtrvfzyNsV/FHwGC717mAI0S4/jzFOBvsM=
+github.com/mongodb/atlas-cli-core v0.0.0-20250909113945-ffb322e05f59/go.mod h1:QDfVGpdfxXM1httLNXCKsfWTKv6slzCqBZxkkPIktlQ=
 github.com/montanaflynn/stats v0.7.1 h1:etflOAAHORrCC44V+aR6Ftzort912ZU+YLiSTuV8eaE=
 github.com/montanaflynn/stats v0.7.1/go.mod h1:etXPPgVO6n31NxCd9KQUMvCM+ve0ruNzt6R8Bnaayow=
 github.com/nwaples/rardecode/v2 v2.1.0 h1:JQl9ZoBPDy+nIZGb1mx8+anfHp/LV3NE2MjMiv0ct/U=

internal/cli/config/describe.go

@@ -16,6 +16,7 @@ package config
 
 import (
 	"fmt"
+	"slices"
 
 	"github.com/mongodb/atlas-cli-core/config"
 	"github.com/mongodb/mongodb-atlas-cli/atlascli/internal/cli"
@@ -32,16 +33,49 @@ var descTemplate = `SETTING	VALUE{{ range $key, $value := . }}
 {{$key}}	{{$value}}{{end}}
 `
 
+const (
+	redactedSecureText = "[redacted - source: secure storage]"
+	redactedConfigText = "[redacted - source: config file]"
+	servicePrefix      = "atlascli_"
+)
+
+func (*describeOpts) GetConfig(configStore config.Store, profileName string) (map[string]string, error) {
+	// Get the profile map, this only contains properties coming from the insecure store
+	profileMap := configStore.GetProfileStringMap(profileName)
+
+	redactedText := redactedConfigText
+	if configStore.IsSecure() {
+		redactedText = redactedSecureText
+	}
+
+	// Redact values
+	for _, key := range config.SecureProperties {
+		if v := configStore.GetProfileValue(profileName, key); v != nil && v != "" {
+			profileMap[key] = redactedText
+		}
+	}
+
+	return profileMap, nil
+}
+
 func (opts *describeOpts) Run() error {
-	if !config.Exists(opts.name) {
+	// Create a new config proxy store
+	configStore, err := config.NewStoreWithEnvOption(false)
+	if err != nil {
+		return fmt.Errorf("could not create config store: %w", err)
+	}
+
+	profileNames := configStore.GetProfileNames()
+	if !slices.Contains(profileNames, opts.name) {
 		return fmt.Errorf("you don't have a profile named '%s'", opts.name)
 	}
 
-	if err := config.SetName(opts.name); err != nil {
+	mapConfig, err := opts.GetConfig(configStore, opts.name)
+	if err != nil {
 		return err
 	}
 
-	return opts.Print(config.Map())
+	return opts.Print(mapConfig)
 }
 
 func DescribeBuilder() *cobra.Command {

internal/cli/config/describe_test.go

@@ -0,0 +1,76 @@
+// Copyright 2025 MongoDB Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package config
+
+import (
+	"testing"
+
+	"github.com/mongodb/atlas-cli-core/mocks"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"go.uber.org/mock/gomock"
+)
+
+func TestGetConfig(t *testing.T) {
+	tests := []struct {
+		name     string
+		isSecure bool
+	}{
+		{
+			name:     "secure store redaction",
+			isSecure: true,
+		},
+		{
+			name:     "config file redaction",
+			isSecure: false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			ctrl := gomock.NewController(t)
+			defer ctrl.Finish()
+
+			profileName := "test"
+			mockStore := mocks.NewMockStore(ctrl)
+
+			// Set up mock expectations
+			mockStore.EXPECT().GetProfileStringMap(profileName).Return(map[string]string{
+				"project_id":     "proj123",
+				"public_api_key": "public-key",
+			}).Times(1)
+			mockStore.EXPECT().GetProfileValue(profileName, "public_api_key").Return("pub-key").Times(1)
+			mockStore.EXPECT().GetProfileValue(profileName, "private_api_key").Return("priv-key").Times(1)
+			mockStore.EXPECT().GetProfileValue(profileName, "access_token").Return("").Times(1)
+			mockStore.EXPECT().GetProfileValue(profileName, "refresh_token").Return("").Times(1)
+			mockStore.EXPECT().GetProfileValue(profileName, "client_id").Return("").Times(1)
+			mockStore.EXPECT().GetProfileValue(profileName, "client_secret").Return("").Times(1)
+
+			mockStore.EXPECT().IsSecure().Return(tt.isSecure).Times(1)
+
+			opts := &describeOpts{}
+			result, err := opts.GetConfig(mockStore, profileName)
+			require.NoError(t, err)
+			assert.Equal(t, "proj123", result["project_id"])
+			if tt.isSecure {
+				assert.Contains(t, result["public_api_key"], redactedSecureText)
+				assert.Contains(t, result["private_api_key"], redactedSecureText)
+			} else {
+				assert.Contains(t, result["public_api_key"], redactedConfigText)
+				assert.Contains(t, result["private_api_key"], redactedConfigText)
+			}
+		})
+	}
+}