A few small fixes

- fix durationFlags defaulting to 0s values - remove no-private-key flag in favor of private-key="" - fix deprecation warnings for adminbeta and provisionerbeta
smallstep · May 20, 2022 · 61f79db · 61f79db
1 parent 640bdca
commit 61f79db
Show file tree

Hide file tree

Showing 4 changed files with 51 additions and 49 deletions.
diff --git a/command/ca/adminbeta/admin.go b/command/ca/adminbeta/admin.go
@@ -13,8 +13,9 @@ import (
 )
 
 func deprecationWarning() {
-	ui.Printf("The `step beta ...` prefix is deprecated and will be removed in a future release.")
-	ui.Printf("Please use `step ca admin ...` going forwards.")
+	ui.Println("[WARNING] The `step beta ca admin` prefix is deprecated and will be removed in a future release.")
+	ui.Println("Please use `step ca admin` going forwards.")
+	ui.Println()
 }
 
 // Command returns the jwk subcommand.

diff --git a/command/ca/provisioner/add.go b/command/ca/provisioner/add.go
@@ -27,7 +27,7 @@ func addCommand() cli.Command {
 		Action: cli.ActionFunc(addAction),
 		Usage:  "add a provisioner",
 		UsageText: `**step ca provisioner add** <name> **--type**=JWK [**--public-key**=<file>]
-[**--private-key**=<file>] [**--no-private-key**] [**--create**] [**--password-file**=<file>]
+[**--private-key**=<file>] [**--create**] [**--password-file**=<file>]
 [**--admin-cert**=<file>] [**--admin-key**=<file>] [**--admin-provisioner**=<name>]
 [**--admin-subject**=<subject>] [**--password-file**=<file>] [**--ca-url**=<uri>]
 [**--root**=<file>] [**--context**=<name>] [**--ca-config**=<file>]
@@ -104,7 +104,6 @@ SCEP
 			// JWK provisioner flags
 			jwkCreateFlag,
 			jwkPrivKeyFlag,
-			jwkNoPrivKeyFlag,
 
 			// OIDC provisioner flags
 			oidcClientIDFlag,
@@ -189,11 +188,6 @@ Create a JWK provisioner with newly generated keys and a template for x509 certi
 step ca provisioner add cicd --type JWK --create --x509-template ./templates/example.tpl
 '''
 
-Create a JWK provisioner with newly generated keys but do not store the private key with the provisioner:
-'''
-step ca provisioner add cicd --type JWK --create --no-private-key
-'''
-
 Create a JWK provisioner and explicitly select the configuration file to update:
 '''
 step ca provisioner add cicd --type JWK --create --ca-config /path/to/ca.json
@@ -335,32 +329,48 @@ func addAction(ctx *cli.Context) (err error) {
 
 	p.Claims = &linkedca.Claims{
 		X509: &linkedca.X509Claims{
-			Durations: &linkedca.Durations{
-				Min:     ctx.String("x509-min-dur"),
-				Max:     ctx.String("x509-max-dur"),
-				Default: ctx.String("x509-default-dur"),
-			},
-			Enabled: true,
+			Durations: &linkedca.Durations{},
+			Enabled:   true,
 			// TODO: in the future we may add the ability to disable x509.
 			// Enabled: !(ctx.IsSet("x509") && !ctx.Bool("x509")),
 		},
 		Ssh: &linkedca.SSHClaims{
-			UserDurations: &linkedca.Durations{
-				Min:     ctx.String("ssh-user-min-dur"),
-				Max:     ctx.String("ssh-user-max-dur"),
-				Default: ctx.String("ssh-user-default-dur"),
-			},
-			HostDurations: &linkedca.Durations{
-				Min:     ctx.String("ssh-host-min-dur"),
-				Max:     ctx.String("ssh-host-max-dur"),
-				Default: ctx.String("ssh-host-default-dur"),
-			},
-			Enabled: !(ctx.IsSet("ssh") && !ctx.Bool("ssh")),
+			UserDurations: &linkedca.Durations{},
+			HostDurations: &linkedca.Durations{},
+			Enabled:       !(ctx.IsSet("ssh") && !ctx.Bool("ssh")),
 		},
 		DisableRenewal:          ctx.Bool("disable-renewal"),
 		AllowRenewalAfterExpiry: ctx.Bool("allow-renewal-after-expiry"),
 	}
 
+	if ctx.IsSet("x509-min-dur") {
+		p.Claims.X509.Durations.Min = ctx.String("x509-min-dur")
+	}
+	if ctx.IsSet("x509-max-dur") {
+		p.Claims.X509.Durations.Max = ctx.String("x509-max-dur")
+	}
+	if ctx.IsSet("x509-default-dur") {
+		p.Claims.X509.Durations.Default = ctx.String("x509-default-dur")
+	}
+	if ctx.IsSet("ssh-user-min-dur") {
+		p.Claims.Ssh.UserDurations.Min = ctx.String("ssh-user-min-dur")
+	}
+	if ctx.IsSet("ssh-user-max-dur") {
+		p.Claims.Ssh.UserDurations.Max = ctx.String("ssh-user-max-dur")
+	}
+	if ctx.IsSet("ssh-user-default-dur") {
+		p.Claims.Ssh.UserDurations.Default = ctx.String("ssh-user-default-dur")
+	}
+	if ctx.IsSet("ssh-host-min-dur") {
+		p.Claims.Ssh.HostDurations.Min = ctx.String("ssh-host-min-dur")
+	}
+	if ctx.IsSet("ssh-host-max-dur") {
+		p.Claims.Ssh.HostDurations.Max = ctx.String("ssh-host-max-dur")
+	}
+	if ctx.IsSet("ssh-host-default-dur") {
+		p.Claims.Ssh.HostDurations.Default = ctx.String("ssh-host-default-dur")
+	}
+
 	switch p.Type {
 	case linkedca.Provisioner_ACME:
 		p.Details, err = createACMEDetails(ctx)
@@ -437,9 +447,6 @@ func createJWKDetails(ctx *cli.Context) (*linkedca.ProvisionerDetails, error) {
 		if !ctx.IsSet("public-key") {
 			return nil, errs.RequiredWithFlagValue(ctx, "create", "false", "public-key")
 		}
-		if ctx.IsSet("private-key") && ctx.IsSet("no-private-key") {
-			return nil, errs.IncompatibleFlagWithFlag(ctx, "private-key", "no-private-key")
-		}
 
 		jwkFile := ctx.String("public-key")
 		jwk, err = jose.ReadKey(jwkFile)
@@ -513,7 +520,7 @@ func createJWKDetails(ctx *cli.Context) (*linkedca.ProvisionerDetails, error) {
 		PublicKey: jwkPubBytes,
 	}
 
-	if jwe != nil && !ctx.Bool("no-private-key") {
+	if jwe != nil {
 		jwePrivStr, err := jwe.CompactSerialize()
 		if err != nil {
 			return nil, errors.Wrap(err, "error serializing JWE")

diff --git a/command/ca/provisioner/update.go b/command/ca/provisioner/update.go
@@ -28,7 +28,7 @@ func updateCommand() cli.Command {
 		Action: cli.ActionFunc(updateAction),
 		Usage:  "update a provisioner",
 		UsageText: `**step ca provisioner update** <name> [**--public-key**=<file>]
-[**--private-key**=<file>] [**--no-private-key**] [**--create**] [**--password-file**=<file>]
+[**--private-key**=<file>] [**--create**] [**--password-file**=<file>]
 [**--admin-cert**=<file>] [**--admin-key**=<file>] [**--admin-provisioner**=<name>]
 [**--admin-subject**=<subject>] [**--password-file**=<file>] [**--ca-url**=<uri>]
 [**--root**=<file>] [**--context**=<name>] [**--ca-config**=<file>]
@@ -95,7 +95,6 @@ SCEP
 			// JWK provisioner flags
 			jwkCreateFlag,
 			jwkPrivKeyFlag,
-			jwkNoPrivKeyFlag,
 
 			// OIDC provisioner flags
 			oidcClientIDFlag,
@@ -186,11 +185,6 @@ Update a JWK provisioner with newly generated keys and a template for x509 certi
 step ca provisioner update cicd --create --x509-template ./templates/example.tpl
 '''
 
-Update a JWK provisioner with newly generated keys but do not store the private key with the provisioner:
-'''
-step ca provisioner update cicd --create --no-private-key
-'''
-
 Update a JWK provisioner by removing a previously set template:
 '''
 step ca provisioner update cicd --x509-template ""
@@ -213,7 +207,7 @@ step ca provisioner update cicd --ssh=false
 
 Update a JWK provisioner by removing a previously cached private key:
 '''
-step ca provisioner update cicd --no-private-key
+step ca provisioner update cicd --private-key=""
 '''
 
 Update a JWK provisioner and explicitly select the ca.json to modify:
@@ -473,8 +467,9 @@ func updateJWKDetails(ctx *cli.Context, p *linkedca.Provisioner) error {
 	}
 
 	var (
-		jwk *jose.JSONWebKey
-		jwe *jose.JSONWebEncryption
+		jwk              *jose.JSONWebKey
+		jwe              *jose.JSONWebEncryption
+		removePrivateKey bool
 	)
 	if ctx.Bool("create") {
 		if ctx.IsSet("public-key") {
@@ -492,10 +487,6 @@ func updateJWKDetails(ctx *cli.Context, p *linkedca.Provisioner) error {
 			return err
 		}
 	} else {
-		if ctx.IsSet("private-key") && ctx.IsSet("no-private-key") {
-			return errs.IncompatibleFlagWithFlag(ctx, "private-key", "no-private-key")
-		}
-
 		if ctx.IsSet("public-key") {
 			jwkFile := ctx.String("public-key")
 			jwk, err = jose.ReadKey(jwkFile)
@@ -516,7 +507,9 @@ func updateJWKDetails(ctx *cli.Context, p *linkedca.Provisioner) error {
 			}
 		}
 
-		if ctx.IsSet("private-key") {
+		if ctx.IsSet("private-key") && ctx.String("private-key") == "" {
+			removePrivateKey = true
+		} else if ctx.IsSet("private-key") {
 			jwkFile := ctx.String("private-key")
 			b, err := os.ReadFile(jwkFile)
 			if err != nil {
@@ -570,7 +563,7 @@ func updateJWKDetails(ctx *cli.Context, p *linkedca.Provisioner) error {
 		details.PublicKey = jwkPubBytes
 	}
 
-	if ctx.Bool("no-private-key") {
+	if removePrivateKey {
 		details.EncryptedPrivateKey = nil
 	} else if jwe != nil {
 		jwePrivStr, err := jwe.CompactSerialize()

diff --git a/command/ca/provisionerbeta/provisioner.go b/command/ca/provisionerbeta/provisioner.go
@@ -12,8 +12,9 @@ import (
 )
 
 func deprecationWarning() {
-	ui.Printf("The `step beta ...` prefix is deprecated and will be removed in a future release.")
-	ui.Printf("Please use `step ca admin ...` going forwards.")
+	ui.Println("[WARNING] The `step beta ca provisioner` prefix is deprecated and will be removed in a future release.")
+	ui.Println("Please use `step ca provisioner` going forwards.")
+	ui.Println()
 }
 
 // Command returns the jwk subcommand.
@@ -33,7 +34,7 @@ func Command() cli.Command {
 certificate authority provisioners.
 
 WARNING: The 'beta' prefix is deprecated and will be removed in a future release.
-Please use 'step ca admin ...' going forwards.
+Please use 'step ca provisioner ...' going forwards.
 
 A provisioner is an entity that controls provisioning credentials, which are
 used to generate provisioning tokens.