Merge branch 'master' into crypto_jwe_encrypt_password

Author: dopey

.github/workflows/release.yml

@@ -53,7 +53,7 @@ jobs:
           echo "DOCKER_TAGS_DEBIAN=${{ env.DOCKER_TAGS_DEBIAN }},${{ env.DOCKER_IMAGE }}:${DEBIAN_TAG}" >> "${GITHUB_ENV}"
       - name: Create Release
         id: create_release
-        uses: softprops/action-gh-release@c062e08bd532815e2082a85e87e3ef29c3e6d191 # v2.0.8
+        uses: softprops/action-gh-release@e7a8f85e1c67a31e6ed99a94b41bd0b71bbee6b8 # v2.0.9
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
@@ -111,17 +111,17 @@ jobs:
     if: needs.create_release.outputs.is_prerelease == 'false'
     steps:
       - name: Checkout
-        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Setup Go
-        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
+        uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
         with:
           go-version: 'stable'
           check-latest: true
       - name: Build
         id: build
         run: V=1 make build
       - name: Checkout Docs
-        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           repository: smallstep/docs
           token: ${{ secrets.DOCS_PAT }}

CHANGELOG.md

@@ -26,6 +26,18 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 
 ---
 
+## [0.28.0] - 2024-10-29
+
+### Added
+
+- disableSSHCAUser and disableSSHCAHost options to GCP provisioner create and update commands (smallstep/cli#1305)
+- Support programmatically opening browser on Android devices (smallstep/cli#1301)
+
+### Fixed
+
+- Fix --context being ignored in commands that rely on certificates (smallstep/cli#1301)
+
+
 ## [0.27.5] - 2024-10-17
 
 ### Added

command/ca/certificate.go

@@ -28,7 +28,7 @@ func certificateCommand() cli.Command {
 [**--not-before**=<time|duration>] [**--not-after**=<time|duration>]
 [**--san**=<SAN>] [**--set**=<key=value>] [**--set-file**=<file>]
 [**--acme**=<file>] [**--standalone**] [**--webroot**=<file>]
-[**--contact**=<email>] [**--http-listen**=<address>] [**--bundle**]
+[**--contact**=<email>] [**--http-listen**=<address>]
 [**--kty**=<type>] [**--curve**=<curve>] [**--size**=<size>] [**--console**]
 [**--x5c-cert**=<file>] [**--x5c-key**=<file>] [**--k8ssa-token-path**=<file>]
 [**--offline**] [**--password-file**] [**--ca-url**=<uri>] [**--root**=<file>]

command/ca/provisioner/add.go

@@ -100,6 +100,7 @@ IID (AWS/GCP/Azure)
 [**--azure-audience**=<name>] [**--azure-subscription-id**=<id>]
 [**--azure-object-id**=<id>] [**--instance-age**=<duration>] [**--iid-roots**=<file>]
 [**--disable-custom-sans**] [**--disable-trust-on-first-use**]
+[**--disable-ssh-ca-user**] [**--disable-ssh-ca-host**]
 [**--admin-cert**=<file>] [**--admin-key**=<file>]
 [**--admin-subject**=<subject>] [**--admin-provisioner**=<name>] [**--admin-password-file**=<file>]
 [**--ca-url**=<uri>] [**--root**=<file>] [**--context**=<name>] [**--ca-config**=<file>]
@@ -172,6 +173,8 @@ SCEP
 			instanceAgeFlag,
 			disableCustomSANsFlag,
 			disableTOFUFlag,
+			disableSSHCAUserFlag,
+			disableSSHCAHostFlag,
 
 			// Claims
 			x509TemplateFlag,
@@ -744,6 +747,13 @@ func createOIDCDetails(ctx *cli.Context) (*linkedca.ProvisionerDetails, error) {
 }
 
 func createAWSDetails(ctx *cli.Context) (*linkedca.ProvisionerDetails, error) {
+	if ctx.IsSet("disable-ssh-ca-user") {
+		return nil, errors.New("flag disable-ssh-ca-user is not supported for AWS IID provisioners")
+	}
+	if ctx.IsSet("disable-ssh-ca-host") {
+		return nil, errors.New("flag disable-ssh-ca-host is not supported for AWS IID provisioners")
+	}
+
 	d, err := parseInstanceAge(ctx)
 	if err != nil {
 		return nil, err
@@ -764,6 +774,13 @@ func createAWSDetails(ctx *cli.Context) (*linkedca.ProvisionerDetails, error) {
 }
 
 func createAzureDetails(ctx *cli.Context) (*linkedca.ProvisionerDetails, error) {
+	if ctx.IsSet("disable-ssh-ca-user") {
+		return nil, errors.New("flag disable-ssh-ca-user is not supported for Azure IID provisioners")
+	}
+	if ctx.IsSet("disable-ssh-ca-host") {
+		return nil, errors.New("flag disable-ssh-ca-host is not supported for Azure IID provisioners")
+	}
+
 	tenantID := ctx.String("azure-tenant")
 	if tenantID == "" {
 		return nil, errs.RequiredWithFlagValue(ctx, "type", ctx.String("type"), "azure-tenant")
@@ -790,13 +807,29 @@ func createGCPDetails(ctx *cli.Context) (*linkedca.ProvisionerDetails, error) {
 		return nil, err
 	}
 
+	var (
+		disableSSHCAUser *bool
+		disableSSHCAHost *bool
+	)
+
+	if ctx.IsSet("disable-ssh-ca-user") {
+		boolVal := ctx.Bool("disable-ssh-ca-user")
+		disableSSHCAUser = &boolVal
+	}
+	if ctx.IsSet("disable-ssh-ca-host") {
+		boolVal := ctx.Bool("disable-ssh-ca-host")
+		disableSSHCAHost = &boolVal
+	}
+
 	return &linkedca.ProvisionerDetails{
 		Data: &linkedca.ProvisionerDetails_GCP{
 			GCP: &linkedca.GCPProvisioner{
 				ServiceAccounts:        ctx.StringSlice("gcp-service-account"),
 				ProjectIds:             ctx.StringSlice("gcp-project"),
 				DisableCustomSans:      ctx.Bool("disable-custom-sans"),
 				DisableTrustOnFirstUse: ctx.Bool("disable-trust-on-first-use"),
+				DisableSshCaUser:       disableSSHCAUser,
+				DisableSshCaHost:       disableSSHCAHost,
 				InstanceAge:            d,
 			},
 		},

command/ca/provisioner/provisioner.go

@@ -542,6 +542,16 @@ with the same instance will be accepted. By default only the first request
 will be accepted.`,
 	}
 
+	disableSSHCAUserFlag = cli.BoolFlag{
+		Name:  "disable-ssh-ca-user",
+		Usage: `Disable ability to sign SSH user certificates`,
+	}
+
+	disableSSHCAHostFlag = cli.BoolFlag{
+		Name:  "disable-ssh-ca-host",
+		Usage: `Disable ability to sign SSH host certificates`,
+	}
+
 	// Nebula provisioner flags
 	nebulaRootFlag = cli.StringFlag{
 		Name: "nebula-root",

command/ca/provisioner/update.go

@@ -92,6 +92,7 @@ IID (AWS/GCP/Azure)
 [**--azure-audience**=<name>] [**--azure-subscription-id**=<id>]
 [**--azure-object-id**=<id>] [**--instance-age**=<duration>]
 [**--disable-custom-sans**] [**--disable-trust-on-first-use**]
+[**--disable-ssh-ca-user**] [**--disable-ssh-ca-host**]
 [**--admin-cert**=<file>] [**--admin-key**=<file>]
 [**--admin-subject**=<subject>] [**--admin-provisioner**=<name>] [**--admin-password-file**=<file>]
 [**--ca-url**=<uri>] [**--root**=<file>] [**--context**=<name>] [**--ca-config**=<file>]
@@ -176,6 +177,8 @@ SCEP
 			instanceAgeFlag,
 			disableCustomSANsFlag,
 			disableTOFUFlag,
+			disableSSHCAUserFlag,
+			disableSSHCAHostFlag,
 
 			// Claims
 			x509TemplateFlag,
@@ -826,6 +829,13 @@ func updateOIDCDetails(ctx *cli.Context, p *linkedca.Provisioner) error {
 }
 
 func updateAWSDetails(ctx *cli.Context, p *linkedca.Provisioner) error {
+	if ctx.IsSet("disable-ssh-ca-user") {
+		return errors.New("flag disable-ssh-ca-user is not supported for AWS IID provisioners")
+	}
+	if ctx.IsSet("disable-ssh-ca-host") {
+		return errors.New("flag disable-ssh-ca-host is not supported for AWS IID provisioners")
+	}
+
 	data, ok := p.Details.GetData().(*linkedca.ProvisionerDetails_AWS)
 	if !ok {
 		return errors.New("error casting details to AWS type")
@@ -855,6 +865,13 @@ func updateAWSDetails(ctx *cli.Context, p *linkedca.Provisioner) error {
 }
 
 func updateAzureDetails(ctx *cli.Context, p *linkedca.Provisioner) error {
+	if ctx.IsSet("disable-ssh-ca-user") {
+		return errors.New("flag disable-ssh-ca-user is not supported for Azure IID provisioners")
+	}
+	if ctx.IsSet("disable-ssh-ca-host") {
+		return errors.New("flag disable-ssh-ca-host is not supported for Azure IID provisioners")
+	}
+
 	data, ok := p.Details.GetData().(*linkedca.ProvisionerDetails_Azure)
 	if !ok {
 		return errors.New("error casting details to Azure type")
@@ -914,6 +931,14 @@ func updateGCPDetails(ctx *cli.Context, p *linkedca.Provisioner) error {
 	if ctx.IsSet("disable-trust-on-first-use") {
 		details.DisableTrustOnFirstUse = ctx.Bool("disable-trust-on-first-use")
 	}
+	if ctx.IsSet("disable-ssh-ca-user") {
+		boolVal := ctx.Bool("disable-ssh-ca-user")
+		details.DisableSshCaUser = &boolVal
+	}
+	if ctx.IsSet("disable-ssh-ca-host") {
+		boolVal := ctx.Bool("disable-ssh-ca-host")
+		details.DisableSshCaHost = &boolVal
+	}
 	if ctx.IsSet("remove-gcp-service-account") {
 		details.ServiceAccounts = removeElements(details.ServiceAccounts, ctx.StringSlice("remove-gcp-service-account"))
 	}
@@ -926,6 +951,7 @@ func updateGCPDetails(ctx *cli.Context, p *linkedca.Provisioner) error {
 	if ctx.IsSet("gcp-project") {
 		details.ProjectIds = append(details.ProjectIds, ctx.StringSlice("gcp-project")...)
 	}
+
 	return nil
 }
 

exec/exec.go

@@ -115,6 +115,8 @@ func OpenInBrowser(url, browser string) error {
 		} else {
 			cmd = exec.Command("xdg-open", url)
 		}
+	case "android":
+		cmd = exec.Command("xdg-open", url)
 	case "windows":
 		cmd = exec.Command("rundll32", "url.dll,FileProtocolHandler", url)
 	default:

go.mod

@@ -16,7 +16,7 @@ require (
 	github.com/pquerna/otp v1.4.0
 	github.com/slackhq/nebula v1.9.4
 	github.com/smallstep/assert v0.0.0-20200723003110-82e2b9b3b262
-	github.com/smallstep/certificates v0.27.5
+	github.com/smallstep/certificates v0.28.0
 	github.com/smallstep/certinfo v1.12.2
 	github.com/smallstep/cli-utils v0.10.0
 	github.com/smallstep/go-attestation v0.4.4-0.20240109183208-413678f90935
@@ -27,7 +27,7 @@ require (
 	github.com/urfave/cli v1.22.16
 	go.mozilla.org/pkcs7 v0.9.0
 	go.step.sm/crypto v0.54.0
-	go.step.sm/linkedca v0.22.1
+	go.step.sm/linkedca v0.22.2
 	golang.org/x/crypto v0.28.0
 	golang.org/x/sys v0.26.0
 	golang.org/x/term v0.25.0
@@ -36,13 +36,13 @@ require (
 )
 
 require (
-	cloud.google.com/go v0.115.1 // indirect
-	cloud.google.com/go/auth v0.9.8 // indirect
+	cloud.google.com/go v0.116.0 // indirect
+	cloud.google.com/go/auth v0.9.9 // indirect
 	cloud.google.com/go/auth/oauth2adapt v0.2.4 // indirect
 	cloud.google.com/go/compute/metadata v0.5.2 // indirect
 	cloud.google.com/go/iam v1.2.1 // indirect
-	cloud.google.com/go/longrunning v0.6.1 // indirect
-	cloud.google.com/go/security v1.18.1 // indirect
+	cloud.google.com/go/longrunning v0.6.2 // indirect
+	cloud.google.com/go/security v1.18.2 // indirect
 	dario.cat/mergo v1.0.1 // indirect
 	filippo.io/edwards25519 v1.1.0 // indirect
 	github.com/AndreasBriese/bbloom v0.0.0-20190825152654-46b345b51c96 // indirect
@@ -104,11 +104,11 @@ require (
 	github.com/mitchellh/copystructure v1.2.0 // indirect
 	github.com/mitchellh/reflectwalk v1.0.2 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
-	github.com/newrelic/go-agent/v3 v3.35.0 // indirect
+	github.com/newrelic/go-agent/v3 v3.35.1 // indirect
 	github.com/peterbourgon/diskv/v3 v3.0.1 // indirect
 	github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
-	github.com/prometheus/client_golang v1.20.4 // indirect
+	github.com/prometheus/client_golang v1.20.5 // indirect
 	github.com/prometheus/client_model v0.6.1 // indirect
 	github.com/prometheus/common v0.55.0 // indirect
 	github.com/prometheus/procfs v0.15.1 // indirect
@@ -131,17 +131,16 @@ require (
 	go.opentelemetry.io/otel v1.29.0 // indirect
 	go.opentelemetry.io/otel/metric v1.29.0 // indirect
 	go.opentelemetry.io/otel/trace v1.29.0 // indirect
-	go.step.sm/cli-utils v0.9.0 // indirect
 	golang.org/x/exp v0.0.0-20240318143956-a85f2c67cd81 // indirect
 	golang.org/x/net v0.30.0 // indirect
 	golang.org/x/oauth2 v0.23.0 // indirect
 	golang.org/x/sync v0.8.0 // indirect
 	golang.org/x/text v0.19.0 // indirect
 	golang.org/x/time v0.7.0 // indirect
-	google.golang.org/api v0.200.0 // indirect
-	google.golang.org/genproto v0.0.0-20241007155032-5fefd90f89a9 // indirect
-	google.golang.org/genproto/googleapis/api v0.0.0-20240930140551-af27646dc61f // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20241007155032-5fefd90f89a9 // indirect
+	google.golang.org/api v0.203.0 // indirect
+	google.golang.org/genproto v0.0.0-20241015192408-796eee8c2d53 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20241007155032-5fefd90f89a9 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20241015192408-796eee8c2d53 // indirect
 	google.golang.org/grpc v1.67.1 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	howett.net/plist v1.0.0 // indirect