
Commit 418c526

Simplify ingoring usage of provisioner flag when managing policies
1 parent 064866f commit 418c526


15 files changed

+92
-261
lines changed


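--- a/cmd/step/main.go
+++ b/cmd/step/main.go
@@ -22,7 +22,6 @@ import (
 
 "github.com/smallstep/cli/command/version"
 "github.com/smallstep/cli/internal/plugin"
-"github.com/smallstep/cli/internal/provisionerflag"
 "github.com/smallstep/cli/utils"
 
 // Enabled cas interfaces.
@@ -132,12 +131,6 @@ func newApp(stdout, stderr io.Writer) *cli.App {
 Usage: "path to the config file to use for CLI flags",
 })
 
-// add a hidden flag that can be used to signal that the provisioner
-// flag should be ignored in certain commands. By defining it on the
-// app level it can be ignored in multiple (sub)commands without having
-// to specify the flag in each command.
-app.Flags = append(app.Flags, provisionerflag.DisabledSentinelFlag)
-
 // Action runs on `step` or `step <command>` if the command is not enabled.
 app.Action = func(ctx *cli.Context) error {
 args := ctx.Args()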

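--- a/cmd/step/main_test.go
+++ b/cmd/step/main_test.go
@@ -3,13 +3,9 @@ package main
 import (
 "bytes"
 "regexp"
-"slices"
 "testing"
 
 "github.com/stretchr/testify/require"
-"github.com/urfave/cli"
-
-"github.com/smallstep/cli/internal/provisionerflag"
 )
 
 func TestAppHasAllCommands(t *testing.T) {
@@ -48,15 +44,3 @@ func TestAppRuns(t *testing.T) {
 output := ansiRegex.ReplaceAllString(stdout.String(), "")
 require.Contains(t, output, "step -- plumbing for distributed systems")
 }
-
-func TestAppHasSentinelFlagForIgnoringProvisionersFlag(t *testing.T) {
-app := newApp(nil, nil)
-require.NotNil(t, app)
-
-// this test only checks if the flag is present when an app is created
-// through [getApp]. This is sufficient for now to proof that the flag
-// exists in the actual released CLI binary.
-require.True(t, slices.ContainsFunc(app.Flags, func(f cli.Flag) bool {
-return f.GetName() == provisionerflag.DisabledSentinelFlagName()
-}))
-}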

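--- a/command/ca/policy/actions/cn.go
+++ b/command/ca/policy/actions/cn.go
@@ -76,11 +76,12 @@ $ step ca policy authority x509 deny cn "My Bad CA Name"
 }
 
 func commonNamesAction(ctx context.Context) (err error) {
-ignoreProvisionerFlagIfRequired(ctx)
+var (
+provisioner = retrieveAndUnsetProvisionerFlagIfRequired(ctx)
+clictx = command.CLIContextFromContext(ctx)
+args = clictx.Args()
+)
 
-clictx := command.CLIContextFromContext(ctx)
-
-args := clictx.Args()
 if len(args) == 0 {
 return errs.TooFewArguments(clictx)
 }
@@ -90,7 +91,7 @@ func commonNamesAction(ctx context.Context) (err error) {
 return fmt.Errorf("error creating admin client: %w", err)
 }
 
-policy, err := retrieveAndInitializePolicy(ctx, client)
+policy, err := retrieveAndInitializePolicy(ctx, client, provisioner)
 if err != nil {
 return fmt.Errorf("error retrieving policy: %w", err)
 }
@@ -115,7 +116,7 @@ func commonNamesAction(ctx context.Context) (err error) {
 panic("no SSH nor X.509 context set")
 }
 
-updatedPolicy, err := updatePolicy(ctx, client, policy)
+updatedPolicy, err := updatePolicy(ctx, client, policy, provisioner)
 if err != nil {
 return fmt.Errorf("error updating policy: %w", err)
 }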
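Review bot: The new `var` block at the top of commonNamesAction silently depends on initializer order: `provisioner = retrieveAndUnsetProvisionerFlagIfRequired(ctx)` both reads and clears the provisioner flag, so it has to run before anything else consults that flag on clictx, yet the block reads like three plain lookups. A one-line comment ahead of it would make the constraint survive a future reordering, e.g. `// read the policy-level provisioner filter first: the call also clears the flag so later token flows do not pick it up`. The same block is repeated in dnsAction, emailAction, ipAction, principalAction, removeAction and uriAction, so the comment belongs in each of them. commonNamesAction continues past the hunk.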

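--- a/command/ca/policy/actions/dns.go
+++ b/command/ca/policy/actions/dns.go
@@ -94,11 +94,12 @@ $ step ca policy authority ssh host allow dns "badsshhost.local"
 }
 
 func dnsAction(ctx context.Context) (err error) {
-ignoreProvisionerFlagIfRequired(ctx)
+var (
+provisioner = retrieveAndUnsetProvisionerFlagIfRequired(ctx)
+clictx = command.CLIContextFromContext(ctx)
+args = clictx.Args()
+)
 
-clictx := command.CLIContextFromContext(ctx)
-
-args := clictx.Args()
 if len(args) == 0 {
 return errs.TooFewArguments(clictx)
 }
@@ -108,7 +109,7 @@ func dnsAction(ctx context.Context) (err error) {
 return fmt.Errorf("error creating admin client: %w", err)
 }
 
-policy, err := retrieveAndInitializePolicy(ctx, client)
+policy, err := retrieveAndInitializePolicy(ctx, client, provisioner)
 if err != nil {
 return fmt.Errorf("error retrieving policy: %w", err)
 }
@@ -140,7 +141,7 @@ func dnsAction(ctx context.Context) (err error) {
 panic("no SSH nor X.509 context set")
 }
 
-updatedPolicy, err := updatePolicy(ctx, client, policy)
+updatedPolicy, err := updatePolicy(ctx, client, policy, provisioner)
 if err != nil {
 return fmt.Errorf("error updating policy: %w", err)
 }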

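--- a/command/ca/policy/actions/emails.go
+++ b/command/ca/policy/actions/emails.go
@@ -81,11 +81,12 @@ $ step ca policy provisioner ssh user deny email @example.com --provisioner my_p
 }
 
 func emailAction(ctx context.Context) (err error) {
-ignoreProvisionerFlagIfRequired(ctx)
+var (
+provisioner = retrieveAndUnsetProvisionerFlagIfRequired(ctx)
+clictx = command.CLIContextFromContext(ctx)
+args = clictx.Args()
+)
 
-clictx := command.CLIContextFromContext(ctx)
-
-args := clictx.Args()
 if len(args) == 0 {
 return errs.TooFewArguments(clictx)
 }
@@ -95,7 +96,7 @@ func emailAction(ctx context.Context) (err error) {
 return fmt.Errorf("error creating admin client: %w", err)
 }
 
-policy, err := retrieveAndInitializePolicy(ctx, client)
+policy, err := retrieveAndInitializePolicy(ctx, client, provisioner)
 if err != nil {
 return err
 }
@@ -127,7 +128,7 @@ func emailAction(ctx context.Context) (err error) {
 panic("no SSH nor X.509 context set")
 }
 
-updatedPolicy, err := updatePolicy(ctx, client, policy)
+updatedPolicy, err := updatePolicy(ctx, client, policy, provisioner)
 if err != nil {
 return fmt.Errorf("error updating policy: %w", err)
 }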

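--- a/command/ca/policy/actions/ips.go
+++ b/command/ca/policy/actions/ips.go
@@ -114,11 +114,12 @@ $ step ca policy authority ssh host deny ip 192.168.0.40
 }
 
 func ipAction(ctx context.Context) (err error) {
-ignoreProvisionerFlagIfRequired(ctx)
+var (
+provisioner = retrieveAndUnsetProvisionerFlagIfRequired(ctx)
+clictx = command.CLIContextFromContext(ctx)
+args = clictx.Args()
+)
 
-clictx := command.CLIContextFromContext(ctx)
-
-args := clictx.Args()
 if len(args) == 0 {
 return errs.TooFewArguments(clictx)
 }
@@ -128,7 +129,7 @@ func ipAction(ctx context.Context) (err error) {
 return fmt.Errorf("error creating admin client: %w", err)
 }
 
-policy, err := retrieveAndInitializePolicy(ctx, client)
+policy, err := retrieveAndInitializePolicy(ctx, client, provisioner)
 if err != nil {
 return err
 }
@@ -160,7 +161,7 @@ func ipAction(ctx context.Context) (err error) {
 panic("no SSH nor X.509 context set")
 }
 
-updatedPolicy, err := updatePolicy(ctx, client, policy)
+updatedPolicy, err := updatePolicy(ctx, client, policy, provisioner)
 if err != nil {
 return fmt.Errorf("error updating policy: %w", err)
 }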

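--- a/command/ca/policy/actions/policy.go
+++ b/command/ca/policy/actions/policy.go
@@ -16,37 +16,41 @@ import (
 
 "github.com/smallstep/cli/command/ca/policy/policycontext"
 "github.com/smallstep/cli/internal/command"
-"github.com/smallstep/cli/internal/provisionerflag"
 )
 
 var provisionerFilterFlag = cli.StringFlag{
 Name: "provisioner",
 Usage: `The provisioner <name>`,
 }
 
-// ignoreProvisionerFlagIfRequired is a helper function that marks the provisioner
-// flag to be ignored when managing a provisioner or ACME account level policy. In
-// those cases the provisioner flag is used to filter which provisioner the policy
-// applies to, as opposed to its normal usage, where it can be used to select the
-// (admin) provisioner to use for authentication.
-func ignoreProvisionerFlagIfRequired(ctx context.Context) {
+func retrieveAndUnsetProvisionerFlagIfRequired(ctx context.Context) string {
+// when managing policies on the authority level there's no need
+// to select a provisioner, so the flag does not need to be unset.
+if policycontext.IsAuthorityPolicyLevel(ctx) {
+return ""
+}
+
 clictx := command.CLIContextFromContext(ctx)
-if policycontext.IsProvisionerPolicyLevel(ctx) || policycontext.IsACMEPolicyLevel(ctx) {
-provisionerflag.Ignore(clictx)
+provisioner := clictx.String("provisioner")
+
+// unset the provisioner flag value, so that it's not used
+// automatically in token flows.
+if err := clictx.Set("provisioner", ""); err != nil {
+panic(fmt.Errorf("failed unsetting provisioner flag: %w", err))
 }
+
+return provisioner
 }
 
-func retrieveAndInitializePolicy(ctx context.Context, client *ca.AdminClient) (*linkedca.Policy, error) {
+func retrieveAndInitializePolicy(ctx context.Context, client *ca.AdminClient, provisioner string) (*linkedca.Policy, error) {
 var (
-policy *linkedca.Policy
-err error
+clictx = command.CLIContextFromContext(ctx)
+reference = clictx.String("eab-key-reference")
+keyID = clictx.String("eab-key-id")
+policy *linkedca.Policy
+err error
 )
 
-clictx := command.CLIContextFromContext(ctx)
-provisioner := clictx.String("provisioner")
-reference := clictx.String("eab-key-reference")
-keyID := clictx.String("eab-key-id")
-
 switch {
 case policycontext.IsAuthorityPolicyLevel(ctx):
 policy, err = client.GetAuthorityPolicy()
@@ -160,13 +164,11 @@ func initPolicy(p *linkedca.Policy) *linkedca.Policy {
 return p
 }
 
-func updatePolicy(ctx context.Context, client *ca.AdminClient, policy *linkedca.Policy) (*linkedca.Policy, error) {
-clictx := command.CLIContextFromContext(ctx)
-provisioner := clictx.String("provisioner")
-reference := clictx.String("eab-key-reference")
-keyID := clictx.String("eab-key-id")
-
+func updatePolicy(ctx context.Context, client *ca.AdminClient, policy *linkedca.Policy, provisioner string) (*linkedca.Policy, error) {
 var (
+clictx = command.CLIContextFromContext(ctx)
+reference = clictx.String("eab-key-reference")
+keyID = clictx.String("eab-key-id")
 updatedPolicy *linkedca.Policy
 err error
 )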

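--- a/command/ca/policy/actions/principals.go
+++ b/command/ca/policy/actions/principals.go
@@ -76,11 +76,12 @@ $ step ca policy provisioner ssh host deny principal root --provisioner my_ssh_u
 }
 
 func principalAction(ctx context.Context) (err error) {
-ignoreProvisionerFlagIfRequired(ctx)
+var (
+provisioner = retrieveAndUnsetProvisionerFlagIfRequired(ctx)
+clictx = command.CLIContextFromContext(ctx)
+args = clictx.Args()
+)
 
-clictx := command.CLIContextFromContext(ctx)
-
-args := clictx.Args()
 if len(args) == 0 {
 return errs.TooFewArguments(clictx)
 }
@@ -90,7 +91,7 @@ func principalAction(ctx context.Context) (err error) {
 return fmt.Errorf("error creating admin client: %w", err)
 }
 
-policy, err := retrieveAndInitializePolicy(ctx, client)
+policy, err := retrieveAndInitializePolicy(ctx, client, provisioner)
 if err != nil {
 return err
 }
@@ -122,7 +123,7 @@ func principalAction(ctx context.Context) (err error) {
 panic("no SSH nor X.509 context set")
 }
 
-updatedPolicy, err := updatePolicy(ctx, client, policy)
+updatedPolicy, err := updatePolicy(ctx, client, policy, provisioner)
 if err != nil {
 return fmt.Errorf("error updating policy: %w", err)
 }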

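--- a/command/ca/policy/actions/remove.go
+++ b/command/ca/policy/actions/remove.go
@@ -71,12 +71,12 @@ $ step ca policy acme remove --provisioner my_acme_provisioner --eab-key-id "lUO
 }
 
 func removeAction(ctx context.Context) (err error) {
-ignoreProvisionerFlagIfRequired(ctx)
-
-clictx := command.CLIContextFromContext(ctx)
-provisioner := clictx.String("provisioner")
-reference := clictx.String("eab-key-reference")
-keyID := clictx.String("eab-key-id")
+var (
+provisioner = retrieveAndUnsetProvisionerFlagIfRequired(ctx)
+clictx = command.CLIContextFromContext(ctx)
+reference = clictx.String("eab-key-reference")
+keyID = clictx.String("eab-key-id")
+)
 
 client, err := cautils.NewAdminClient(clictx)
 if err != nil {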

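--- a/command/ca/policy/actions/uris.go
+++ b/command/ca/policy/actions/uris.go
@@ -71,11 +71,12 @@ $ step ca policy provisioner x509 allow uri "*.example.com" --provisioner my_pro
 }
 
 func uriAction(ctx context.Context) (err error) {
-ignoreProvisionerFlagIfRequired(ctx)
+var (
+provisioner = retrieveAndUnsetProvisionerFlagIfRequired(ctx)
+clictx = command.CLIContextFromContext(ctx)
+args = clictx.Args()
+)
 
-clictx := command.CLIContextFromContext(ctx)
-
-args := clictx.Args()
 if len(args) == 0 {
 return errs.TooFewArguments(clictx)
 }
@@ -85,7 +86,7 @@ func uriAction(ctx context.Context) (err error) {
 return fmt.Errorf("error creating admin client: %w", err)
 }
 
-policy, err := retrieveAndInitializePolicy(ctx, client)
+policy, err := retrieveAndInitializePolicy(ctx, client, provisioner)
 if err != nil {
 return fmt.Errorf("error retrieving policy: %w", err)
 }
@@ -110,7 +111,7 @@ func uriAction(ctx context.Context) (err error) {
 panic("no SSH nor X.509 context set")
 }
 
-updatedPolicy, err := updatePolicy(ctx, client, policy)
+updatedPolicy, err := updatePolicy(ctx, client, policy, provisioner)
 if err != nil {
 return fmt.Errorf("error updating policy: %w", err)
 }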
