From 281cda3b6941c315a4eef7c68203eeeca83e6f63 Mon Sep 17 00:00:00 2001
From: joerger
Date: Tue, 20 Feb 2024 17:35:44 -0800
Subject: [PATCH] Require admin MFA for get/list tokens.

---
 lib/auth/auth_with_roles.go | 10 +++++++++
 tool/tctl/common/admin_action_test.go | 30 +++++++++++++++++++++++++++
 2 files changed, 40 insertions(+)

diff --git a/lib/auth/auth_with_roles.go b/lib/auth/auth_with_roles.go
index 8c886ed2895bc..f812458f8b5fb 100644
--- a/lib/auth/auth_with_roles.go
+++ b/lib/auth/auth_with_roles.go
@@ -2017,6 +2017,11 @@ func (a *ServerWithRoles) GetTokens(ctx context.Context) ([]types.ProvisionToken
 if err := a.action(apidefaults.Namespace, types.KindToken, types.VerbList, types.VerbRead); err != nil {
 return nil, trace.Wrap(err)
 }
+
+ if err := a.context.AuthorizeAdminAction(); err != nil {
+ return nil, trace.Wrap(err)
+ }
+
 return a.authServer.GetTokens(ctx)
 }
 
@@ -2028,6 +2033,11 @@ func (a *ServerWithRoles) GetToken(ctx context.Context, token string) (types.Pro
 return nil, trace.Wrap(err)
 }
 }
+
+ if err := a.context.AuthorizeAdminAction(); err != nil {
+ return nil, trace.Wrap(err)
+ }
+
 return a.authServer.GetToken(ctx, token)
 }
 
diff --git a/tool/tctl/common/admin_action_test.go b/tool/tctl/common/admin_action_test.go
index dd8e193d91c84..65d70bdb34d7a 100644
--- a/tool/tctl/common/admin_action_test.go
+++ b/tool/tctl/common/admin_action_test.go
@@ -372,6 +372,11 @@ func (s *adminActionTestSuite) testTokens(t *testing.T) {
 cliCommand: &tctl.TokensCommand{},
 setup: createToken,
 cleanup: deleteToken,
+}, {
+ command: "tokens ls",
+ cliCommand: &tctl.TokensCommand{},
+ setup: createToken,
+ cleanup: deleteToken,
 },
 } {
 t.Run(tc.command, func(t *testing.T) {
@@ -385,6 +390,7 @@ func (s *adminActionTestSuite) testTokens(t *testing.T) {
 resource: token,
 resourceCreate: createToken,
 resourceCleanup: deleteToken,
+ testGetList: true,
 })
 })
 
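Review bot: The new `AuthorizeAdminAction()` call in GetTokens carries no explanation of why a read-only call is treated as an admin action, and that is exactly the kind of check a later maintainer is tempted to relax because "it only lists"; add a why-comment above it, e.g. `// Provision tokens are join secrets: returning them to a client is an admin action and requires MFA verification, even for read/list.` The ordering is right as written — the RBAC check on `types.KindToken` still runs first, so an identity without list/read permission is rejected before its MFA state is consulted. GetTokens's `func` line sits just above the hunk. Note that this gate only covers the `ServerWithRoles` path; if any other route hands provision tokens to clients (a cache or watcher-backed read, for instance), it would need the same treatment and this commit does not address it.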
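Review bot: In GetToken the `}` `}` context directly above the insertion shows the existing RBAC check is nested inside a condition, so some identities reach the new unconditional `AuthorizeAdminAction()` call without ever passing through `a.action(...)`; if that branch exists for built-in or machine roles (proxy, nodes, bots), the MFA gate must treat those identities as not requiring MFA or this change breaks their token reads instead of hardening the human path. I would confirm that `AuthorizeAdminAction` short-circuits for non-user identities and add a test case that exercises GetToken under such an identity. The guarding condition and the function's `func` line are outside the hunk, so I cannot tell from here which identities take that branch.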
@@ -820,6 +826,10 @@ type resourceCommandTestCase struct {
 resource types.Resource
 resourceCreate func() error
 resourceCleanup func() error
+
+ // Tests get/list resource, for privileged resources
+ // like tokens that should require MFA to be seen.
+ testGetList bool
 }
 
 func (s *adminActionTestSuite) testResourceCommand(t *testing.T, ctx context.Context, tc resourceCommandTestCase) {
@@ -854,6 +864,26 @@ func (s *adminActionTestSuite) testResourceCommand(t *testing.T, ctx context.Con
 cleanup: tc.resourceCleanup,
 })
 })
+
+ if tc.testGetList {
+ t.Run("tctl get", func(t *testing.T) {
+ s.testCommand(t, ctx, adminActionTestCase{
+ command: fmt.Sprintf("get %v", getResourceRef(tc.resource)),
+ cliCommand: &tctl.ResourceCommand{},
+ setup: tc.resourceCreate,
+ cleanup: tc.resourceCleanup,
+ })
+ })
+
+ t.Run("tctl list", func(t *testing.T) {
+ s.testCommand(t, ctx, adminActionTestCase{
+ command: fmt.Sprintf("get %v", tc.resource.GetKind()),
+ cliCommand: &tctl.ResourceCommand{},
+ setup: tc.resourceCreate,
+ cleanup: tc.resourceCleanup,
+ })
+ })
+ }
 }
 
 type editCommandTestCase struct {
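Review bot: The comment on the new `testGetList` field says what it covers but not when a test author should set it or which commands it drives, and the "should require MFA to be seen" phrasing reads as a description of the resource rather than of the flag's effect; I would make it a proper field doc, e.g. `// testGetList additionally runs "tctl get <kind>/<name>" and "tctl get <kind>" through the admin-action harness. Set it for resources whose contents are secrets (e.g. provision tokens), where even reading must be MFA-gated.` The struct's opening line is only visible in the hunk header and its first fields lie above the hunk.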
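Review bot: The two new subtests in testResourceCommand are identical apart from the subtest name and the `command` string, so the `adminActionTestCase` literal is duplicated and any future change to the harness fields has to be made twice; a two-entry table keeps one literal. `tctl get <kind>` without a name is presumably tctl's list form, which is why the "tctl list" case still runs `get` — worth a one-line comment on the table so the mismatch between subtest name and command is not read as a typo. The `t.Run` callbacks run synchronously here (no `t.Parallel()`), so the loop variable can be used directly. The function's `func` line is outside the hunk.
```go
	if tc.testGetList {
		// "tctl get <kind>" (no name) is tctl's list form.
		for _, sub := range []struct{ name, command string }{
			{"tctl get", fmt.Sprintf("get %v", getResourceRef(tc.resource))},
			{"tctl list", fmt.Sprintf("get %v", tc.resource.GetKind())},
		} {
			t.Run(sub.name, func(t *testing.T) {
				s.testCommand(t, ctx, adminActionTestCase{
					command:    sub.command,
					cliCommand: &tctl.ResourceCommand{},
					setup:      tc.resourceCreate,
					cleanup:    tc.resourceCleanup,
				})
			})
		}
	}
```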