Merge pull request #1391 from smallstep/herman/policy-scep-prompt-fixes

Fix some provisioner and policy prompt issues

Author: hslatman

command/ca/policy/actions/cn.go

@@ -56,7 +56,7 @@ $ step ca policy authority x509 deny cn "My Bad CA Name"
 			commonNamesAction,
 		),
 		Flags: []cli.Flag{
-			provisionerFilterFlag,
+			flags.Provisioner,
 			flags.EABKeyID,
 			flags.EABReference,
 			cli.BoolFlag{
@@ -76,9 +76,12 @@ $ step ca policy authority x509 deny cn "My Bad CA Name"
 }
 
 func commonNamesAction(ctx context.Context) (err error) {
-	clictx := command.CLIContextFromContext(ctx)
+	var (
+		provisioner = retrieveAndUnsetProvisionerFlagIfRequired(ctx)
+		clictx      = command.CLIContextFromContext(ctx)
+		args        = clictx.Args()
+	)
 
-	args := clictx.Args()
 	if len(args) == 0 {
 		return errs.TooFewArguments(clictx)
 	}
@@ -88,7 +91,7 @@ func commonNamesAction(ctx context.Context) (err error) {
 		return fmt.Errorf("error creating admin client: %w", err)
 	}
 
-	policy, err := retrieveAndInitializePolicy(ctx, client)
+	policy, err := retrieveAndInitializePolicy(ctx, client, provisioner)
 	if err != nil {
 		return fmt.Errorf("error retrieving policy: %w", err)
 	}
@@ -113,7 +116,7 @@ func commonNamesAction(ctx context.Context) (err error) {
 		panic("no SSH nor X.509 context set")
 	}
 
-	updatedPolicy, err := updatePolicy(ctx, client, policy)
+	updatedPolicy, err := updatePolicy(ctx, client, policy, provisioner)
 	if err != nil {
 		return fmt.Errorf("error updating policy: %w", err)
 	}

command/ca/policy/actions/dns.go

@@ -74,7 +74,7 @@ $ step ca policy authority ssh host allow dns "badsshhost.local"
 			dnsAction,
 		),
 		Flags: []cli.Flag{
-			provisionerFilterFlag,
+			flags.Provisioner,
 			flags.EABKeyID,
 			flags.EABReference,
 			cli.BoolFlag{
@@ -94,9 +94,12 @@ $ step ca policy authority ssh host allow dns "badsshhost.local"
 }
 
 func dnsAction(ctx context.Context) (err error) {
-	clictx := command.CLIContextFromContext(ctx)
+	var (
+		provisioner = retrieveAndUnsetProvisionerFlagIfRequired(ctx)
+		clictx      = command.CLIContextFromContext(ctx)
+		args        = clictx.Args()
+	)
 
-	args := clictx.Args()
 	if len(args) == 0 {
 		return errs.TooFewArguments(clictx)
 	}
@@ -106,7 +109,7 @@ func dnsAction(ctx context.Context) (err error) {
 		return fmt.Errorf("error creating admin client: %w", err)
 	}
 
-	policy, err := retrieveAndInitializePolicy(ctx, client)
+	policy, err := retrieveAndInitializePolicy(ctx, client, provisioner)
 	if err != nil {
 		return fmt.Errorf("error retrieving policy: %w", err)
 	}
@@ -138,7 +141,7 @@ func dnsAction(ctx context.Context) (err error) {
 		panic("no SSH nor X.509 context set")
 	}
 
-	updatedPolicy, err := updatePolicy(ctx, client, policy)
+	updatedPolicy, err := updatePolicy(ctx, client, policy, provisioner)
 	if err != nil {
 		return fmt.Errorf("error updating policy: %w", err)
 	}

command/ca/policy/actions/emails.go

@@ -63,7 +63,7 @@ $ step ca policy provisioner ssh user deny email @example.com --provisioner my_p
 			emailAction,
 		),
 		Flags: []cli.Flag{
-			provisionerFilterFlag,
+			flags.Provisioner,
 			cli.BoolFlag{
 				Name:  "remove",
 				Usage: `removes the provided emails from the policy instead of adding them`,
@@ -81,9 +81,12 @@ $ step ca policy provisioner ssh user deny email @example.com --provisioner my_p
 }
 
 func emailAction(ctx context.Context) (err error) {
-	clictx := command.CLIContextFromContext(ctx)
+	var (
+		provisioner = retrieveAndUnsetProvisionerFlagIfRequired(ctx)
+		clictx      = command.CLIContextFromContext(ctx)
+		args        = clictx.Args()
+	)
 
-	args := clictx.Args()
 	if len(args) == 0 {
 		return errs.TooFewArguments(clictx)
 	}
@@ -93,7 +96,7 @@ func emailAction(ctx context.Context) (err error) {
 		return fmt.Errorf("error creating admin client: %w", err)
 	}
 
-	policy, err := retrieveAndInitializePolicy(ctx, client)
+	policy, err := retrieveAndInitializePolicy(ctx, client, provisioner)
 	if err != nil {
 		return err
 	}
@@ -125,7 +128,7 @@ func emailAction(ctx context.Context) (err error) {
 		panic("no SSH nor X.509 context set")
 	}
 
-	updatedPolicy, err := updatePolicy(ctx, client, policy)
+	updatedPolicy, err := updatePolicy(ctx, client, policy, provisioner)
 	if err != nil {
 		return fmt.Errorf("error updating policy: %w", err)
 	}

command/ca/policy/actions/ips.go

@@ -94,7 +94,7 @@ $ step ca policy authority ssh host deny ip 192.168.0.40
 			ipAction,
 		),
 		Flags: []cli.Flag{
-			provisionerFilterFlag,
+			flags.Provisioner,
 			flags.EABKeyID,
 			flags.EABReference,
 			cli.BoolFlag{
@@ -114,9 +114,12 @@ $ step ca policy authority ssh host deny ip 192.168.0.40
 }
 
 func ipAction(ctx context.Context) (err error) {
-	clictx := command.CLIContextFromContext(ctx)
+	var (
+		provisioner = retrieveAndUnsetProvisionerFlagIfRequired(ctx)
+		clictx      = command.CLIContextFromContext(ctx)
+		args        = clictx.Args()
+	)
 
-	args := clictx.Args()
 	if len(args) == 0 {
 		return errs.TooFewArguments(clictx)
 	}
@@ -126,7 +129,7 @@ func ipAction(ctx context.Context) (err error) {
 		return fmt.Errorf("error creating admin client: %w", err)
 	}
 
-	policy, err := retrieveAndInitializePolicy(ctx, client)
+	policy, err := retrieveAndInitializePolicy(ctx, client, provisioner)
 	if err != nil {
 		return err
 	}
@@ -158,7 +161,7 @@ func ipAction(ctx context.Context) (err error) {
 		panic("no SSH nor X.509 context set")
 	}
 
-	updatedPolicy, err := updatePolicy(ctx, client, policy)
+	updatedPolicy, err := updatePolicy(ctx, client, policy, provisioner)
 	if err != nil {
 		return fmt.Errorf("error updating policy: %w", err)
 	}

command/ca/policy/actions/policy.go

@@ -7,7 +7,6 @@ import (
 	"errors"
 	"fmt"
 
-	"github.com/urfave/cli"
 	"google.golang.org/protobuf/encoding/protojson"
 
 	"github.com/smallstep/certificates/ca"
@@ -18,22 +17,37 @@ import (
 	"github.com/smallstep/cli/internal/command"
 )
 
-var provisionerFilterFlag = cli.StringFlag{
-	Name:  "provisioner",
-	Usage: `The provisioner <name>`,
+func retrieveAndUnsetProvisionerFlagIfRequired(ctx context.Context) string {
+	// when managing policies on the authority level there's no need
+	// to select a provisioner, so the flag does not need to be unset.
+	if policycontext.IsAuthorityPolicyLevel(ctx) {
+		return ""
+	}
+
+	clictx := command.CLIContextFromContext(ctx)
+	provisioner := clictx.String("provisioner")
+
+	// unset the provisioner and issuer flag values, so that they're not used
+	// automatically in token flows.
+	if err := clictx.Set("provisioner", ""); err != nil {
+		panic(fmt.Errorf("failed unsetting provisioner flag: %w", err))
+	}
+	if err := clictx.Set("issuer", ""); err != nil {
+		panic(fmt.Errorf("failed unsetting issuer flag: %w", err))
+	}
+
+	return provisioner
 }
 
-func retrieveAndInitializePolicy(ctx context.Context, client *ca.AdminClient) (*linkedca.Policy, error) {
+func retrieveAndInitializePolicy(ctx context.Context, client *ca.AdminClient, provisioner string) (*linkedca.Policy, error) {
 	var (
-		policy *linkedca.Policy
-		err    error
+		clictx    = command.CLIContextFromContext(ctx)
+		reference = clictx.String("eab-key-reference")
+		keyID     = clictx.String("eab-key-id")
+		policy    *linkedca.Policy
+		err       error
 	)
 
-	clictx := command.CLIContextFromContext(ctx)
-	provisioner := clictx.String("provisioner")
-	reference := clictx.String("eab-key-reference")
-	keyID := clictx.String("eab-key-id")
-
 	switch {
 	case policycontext.IsAuthorityPolicyLevel(ctx):
 		policy, err = client.GetAuthorityPolicy()
@@ -147,13 +161,11 @@ func initPolicy(p *linkedca.Policy) *linkedca.Policy {
 	return p
 }
 
-func updatePolicy(ctx context.Context, client *ca.AdminClient, policy *linkedca.Policy) (*linkedca.Policy, error) {
-	clictx := command.CLIContextFromContext(ctx)
-	provisioner := clictx.String("provisioner")
-	reference := clictx.String("eab-key-reference")
-	keyID := clictx.String("eab-key-id")
-
+func updatePolicy(ctx context.Context, client *ca.AdminClient, policy *linkedca.Policy, provisioner string) (*linkedca.Policy, error) {
 	var (
+		clictx        = command.CLIContextFromContext(ctx)
+		reference     = clictx.String("eab-key-reference")
+		keyID         = clictx.String("eab-key-id")
 		updatedPolicy *linkedca.Policy
 		err           error
 	)

command/ca/policy/actions/principals.go

@@ -58,7 +58,7 @@ $ step ca policy provisioner ssh host deny principal root --provisioner my_ssh_u
 			principalAction,
 		),
 		Flags: []cli.Flag{
-			provisionerFilterFlag,
+			flags.Provisioner,
 			cli.BoolFlag{
 				Name:  "remove",
 				Usage: `removes the provided Principals from the policy instead of adding them`,
@@ -76,9 +76,12 @@ $ step ca policy provisioner ssh host deny principal root --provisioner my_ssh_u
 }
 
 func principalAction(ctx context.Context) (err error) {
-	clictx := command.CLIContextFromContext(ctx)
+	var (
+		provisioner = retrieveAndUnsetProvisionerFlagIfRequired(ctx)
+		clictx      = command.CLIContextFromContext(ctx)
+		args        = clictx.Args()
+	)
 
-	args := clictx.Args()
 	if len(args) == 0 {
 		return errs.TooFewArguments(clictx)
 	}
@@ -88,7 +91,7 @@ func principalAction(ctx context.Context) (err error) {
 		return fmt.Errorf("error creating admin client: %w", err)
 	}
 
-	policy, err := retrieveAndInitializePolicy(ctx, client)
+	policy, err := retrieveAndInitializePolicy(ctx, client, provisioner)
 	if err != nil {
 		return err
 	}
@@ -120,7 +123,7 @@ func principalAction(ctx context.Context) (err error) {
 		panic("no SSH nor X.509 context set")
 	}
 
-	updatedPolicy, err := updatePolicy(ctx, client, policy)
+	updatedPolicy, err := updatePolicy(ctx, client, policy, provisioner)
 	if err != nil {
 		return fmt.Errorf("error updating policy: %w", err)
 	}

command/ca/policy/actions/remove.go

@@ -55,7 +55,7 @@ $ step ca policy acme remove --provisioner my_acme_provisioner --eab-key-id "lUO
 			removeAction,
 		),
 		Flags: []cli.Flag{
-			provisionerFilterFlag,
+			flags.Provisioner,
 			flags.EABKeyID,
 			flags.EABReference,
 			flags.AdminCert,
@@ -71,10 +71,12 @@ $ step ca policy acme remove --provisioner my_acme_provisioner --eab-key-id "lUO
 }
 
 func removeAction(ctx context.Context) (err error) {
-	clictx := command.CLIContextFromContext(ctx)
-	provisioner := clictx.String("provisioner")
-	reference := clictx.String("eab-key-reference")
-	keyID := clictx.String("eab-key-id")
+	var (
+		provisioner = retrieveAndUnsetProvisionerFlagIfRequired(ctx)
+		clictx      = command.CLIContextFromContext(ctx)
+		reference   = clictx.String("eab-key-reference")
+		keyID       = clictx.String("eab-key-id")
+	)
 
 	client, err := cautils.NewAdminClient(clictx)
 	if err != nil {

command/ca/policy/actions/uris.go

@@ -53,7 +53,7 @@ $ step ca policy provisioner x509 allow uri "*.example.com" --provisioner my_pro
 			uriAction,
 		),
 		Flags: []cli.Flag{
-			provisionerFilterFlag,
+			flags.Provisioner,
 			cli.BoolFlag{
 				Name:  "remove",
 				Usage: `removes the provided URIs from the policy instead of adding them`,
@@ -71,9 +71,12 @@ $ step ca policy provisioner x509 allow uri "*.example.com" --provisioner my_pro
 }
 
 func uriAction(ctx context.Context) (err error) {
-	clictx := command.CLIContextFromContext(ctx)
+	var (
+		provisioner = retrieveAndUnsetProvisionerFlagIfRequired(ctx)
+		clictx      = command.CLIContextFromContext(ctx)
+		args        = clictx.Args()
+	)
 
-	args := clictx.Args()
 	if len(args) == 0 {
 		return errs.TooFewArguments(clictx)
 	}
@@ -83,7 +86,7 @@ func uriAction(ctx context.Context) (err error) {
 		return fmt.Errorf("error creating admin client: %w", err)
 	}
 
-	policy, err := retrieveAndInitializePolicy(ctx, client)
+	policy, err := retrieveAndInitializePolicy(ctx, client, provisioner)
 	if err != nil {
 		return fmt.Errorf("error retrieving policy: %w", err)
 	}
@@ -108,7 +111,7 @@ func uriAction(ctx context.Context) (err error) {
 		panic("no SSH nor X.509 context set")
 	}
 
-	updatedPolicy, err := updatePolicy(ctx, client, policy)
+	updatedPolicy, err := updatePolicy(ctx, client, policy, provisioner)
 	if err != nil {
 		return fmt.Errorf("error updating policy: %w", err)
 	}

command/ca/policy/actions/view.go

@@ -56,7 +56,7 @@ $ step ca policy acme view --provisioner my_acme_provisioner --eab-key-id "lUOTG
 			viewAction,
 		),
 		Flags: []cli.Flag{
-			provisionerFilterFlag,
+			flags.Provisioner,
 			flags.EABKeyID,
 			flags.EABReference,
 			flags.AdminCert,
@@ -72,20 +72,19 @@ $ step ca policy acme view --provisioner my_acme_provisioner --eab-key-id "lUOTG
 }
 
 func viewAction(ctx context.Context) (err error) {
-	clictx := command.CLIContextFromContext(ctx)
-	provisioner := clictx.String("provisioner")
-	reference := clictx.String("eab-key-reference")
-	keyID := clictx.String("eab-key-id")
+	var (
+		provisioner = retrieveAndUnsetProvisionerFlagIfRequired(ctx)
+		clictx      = command.CLIContextFromContext(ctx)
+		reference   = clictx.String("eab-key-reference")
+		keyID       = clictx.String("eab-key-id")
+		policy      *linkedca.Policy
+	)
 
 	client, err := cautils.NewAdminClient(clictx)
 	if err != nil {
 		return fmt.Errorf("error creating admin client: %w", err)
 	}
 
-	var (
-		policy *linkedca.Policy
-	)
-
 	switch {
 	case policycontext.IsAuthorityPolicyLevel(ctx):
 		policy, err = client.GetAuthorityPolicy()