Merge pull request #668 from smallstep/herman/allow-deny

Add commands for managing policies

CHANGELOG.md

@@ -8,6 +8,7 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 
 ## [Unreleased - 0.19.1] - DATE
 ### Added
+- Add commands for managing certificate issuance policies on authority, provisioner and ACME account level.
 ### Changed
 ### Deprecated
 ### Removed

command/ca/acme/acme.go

@@ -1,17 +1,18 @@
 package acme
 
 import (
-	"github.com/smallstep/cli/command/ca/acme/eab"
 	"github.com/urfave/cli"
+
+	"github.com/smallstep/cli/command/ca/acme/eab"
 )
 
 // Command returns the acme subcommand.
 func Command() cli.Command {
 	return cli.Command{
 		Name:        "acme",
-		Usage:       "manage ACME",
-		UsageText:   "**step beta ca acme** <subcommand> [arguments] [global-flags] [subcommand-flags]",
-		Description: `**step beta ca acme** command group provides facilities for managing ACME.`,
+		Usage:       "manage ACME settings",
+		UsageText:   "**step ca acme** <subcommand> [arguments] [global-flags] [subcommand-flags]",
+		Description: `**step ca acme** command group provides facilities for managing ACME.`,
 		Subcommands: cli.Commands{
 			eab.Command(),
 		},

command/ca/acme/eab/add.go

@@ -5,19 +5,21 @@ import (
 	"os"
 
 	"github.com/pkg/errors"
+	"github.com/urfave/cli"
+
+	"go.step.sm/cli-utils/errs"
+
 	adminAPI "github.com/smallstep/certificates/authority/admin/api"
 	"github.com/smallstep/cli/flags"
 	"github.com/smallstep/cli/utils/cautils"
-	"github.com/urfave/cli"
-	"go.step.sm/cli-utils/errs"
 )
 
 func addCommand() cli.Command {
 	return cli.Command{
 		Name:   "add",
 		Action: cli.ActionFunc(addAction),
 		Usage:  "add ACME External Account Binding Key",
-		UsageText: `**step beta ca acme eab add** <provisioner> [<reference>]
+		UsageText: `**step ca acme eab add** <provisioner> [<eab-key-reference>]
 [**--admin-cert**=<file>] [**--admin-key**=<file>]
 [**--admin-provisioner**=<string>] [**--admin-subject**=<string>]
 [**--password-file**=<file>] [**--ca-url**=<uri>] [**--root**=<file>]
@@ -32,26 +34,26 @@ func addCommand() cli.Command {
 			flags.Root,
 			flags.Context,
 		},
-		Description: `**step beta ca acme eab add** adds ACME External Account Binding Key.
+		Description: `**step ca acme eab add** adds ACME External Account Binding Key.
 
 ## POSITIONAL ARGUMENTS
 
 <provisioner>
 : Name of the provisioner to which the ACME EAB key will be added
 
-<reference>
+<eab-key-reference>
 : (Optional) reference (from external system) for the key that will be added
 
 ## EXAMPLES
 
 Add an ACME External Account Binding Key without reference:
 '''
-$ step beta ca acme eab add my_acme_provisioner
+$ step ca acme eab add my_acme_provisioner
 '''
 
 Add an ACME External Account Binding Key with reference:
 '''
-$ step beta ca acme eab add my_acme_provisioner my_first_eab_key
+$ step ca acme eab add my_acme_provisioner my_first_eab_key
 '''`,
 	}
 }

command/ca/acme/eab/eab.go

@@ -7,10 +7,12 @@ import (
 	"strconv"
 
 	"github.com/pkg/errors"
-	"github.com/smallstep/certificates/authority/admin"
-	"github.com/smallstep/certificates/ca"
 	"github.com/urfave/cli"
+
 	"go.step.sm/linkedca"
+
+	"github.com/smallstep/certificates/authority/admin"
+	"github.com/smallstep/certificates/ca"
 )
 
 type cliEAK struct {
@@ -44,30 +46,30 @@ func Command() cli.Command {
 	return cli.Command{
 		Name:      "eab",
 		Usage:     "create and manage ACME External Account Binding Keys",
-		UsageText: "**step beta ca acme eab** <subcommand> [arguments] [global-flags] [subcommand-flags]",
+		UsageText: "**step ca acme eab** <subcommand> [arguments] [global-flags] [subcommand-flags]",
 		Subcommands: cli.Commands{
 			listCommand(),
 			addCommand(),
 			removeCommand(),
 		},
-		Description: `**step beta ca acme eab** command group provides facilities for managing ACME 
+		Description: `**step ca acme eab** command group provides facilities for managing ACME 
 		External Account Binding Keys.
 
 ## EXAMPLES
 
 List the active ACME External Account Binding Keys:
 '''
-$ step beta ca acme eab list <provisioner>
+$ step ca acme eab list my_provisioner
 '''
 
 Add an ACME External Account Binding Key:
 '''
-$ step beta ca acme eab add provisioner_name some_name_or_reference
+$ step ca acme eab add my_provisioner my_reference
 '''
 
 Remove an ACME External Account Binding Key:
 '''
-$ step beta ca acme eab remove key_id
+$ step ca acme eab remove my_provisioner my_key_id
 '''
 `,
 	}

command/ca/acme/eab/list.go

@@ -7,19 +7,20 @@ import (
 	"os/exec"
 
 	"github.com/pkg/errors"
+	"github.com/urfave/cli"
+	"go.step.sm/cli-utils/errs"
+
 	"github.com/smallstep/certificates/ca"
 	"github.com/smallstep/cli/flags"
 	"github.com/smallstep/cli/utils/cautils"
-	"github.com/urfave/cli"
-	"go.step.sm/cli-utils/errs"
 )
 
 func listCommand() cli.Command {
 	return cli.Command{
 		Name:   "list",
 		Action: cli.ActionFunc(listAction),
 		Usage:  "list all ACME External Account Binding Keys",
-		UsageText: `**step beta ca acme eab list** <provisioner> [<reference>]
+		UsageText: `**step ca acme eab list** <provisioner> [<eab-key-reference>]
 [**--limit**=<number>] [**--admin-cert**=<file>] [**--admin-key**=<file>]
 [**--admin-provisioner**=<string>] [**--admin-subject**=<string>]
 [**--password-file**=<file>] [**--ca-url**=<uri>] [**--root**=<file>]
@@ -36,7 +37,7 @@ func listCommand() cli.Command {
 			flags.Root,
 			flags.Context,
 		},
-		Description: `**step beta ca acme eab list** lists all ACME External Account Binding (EAB) Keys.
+		Description: `**step ca acme eab list** lists all ACME External Account Binding (EAB) Keys.
 
 Output will go to stdout by default. If many EAB keys are stored in the ACME provisioner, output will be sent to $PAGER (when set). 
 
@@ -45,20 +46,20 @@ Output will go to stdout by default. If many EAB keys are stored in the ACME pro
 <provisioner>
 : Name of the provisioner to list ACME EAB keys for
 
-<reference>
+<eab-key-reference>
 : (Optional) reference (from external system) for the key to be listed
 
 
 ## EXAMPLES
 
 List all ACME External Account Binding Keys:
 '''
-$ step beta ca acme eab list my_acme_provisioner
+$ step ca acme eab list my_acme_provisioner
 '''
 
 Show ACME External Account Binding Key with specific reference:
 '''
-$ step beta ca acme eab list my_acme_provisioner my_reference
+$ step ca acme eab list my_acme_provisioner my_reference
 '''
 `,
 	}

command/ca/acme/eab/remove.go

@@ -4,18 +4,20 @@ import (
 	"fmt"
 
 	"github.com/pkg/errors"
-	"github.com/smallstep/cli/flags"
-	"github.com/smallstep/cli/utils/cautils"
 	"github.com/urfave/cli"
+
 	"go.step.sm/cli-utils/errs"
+
+	"github.com/smallstep/cli/flags"
+	"github.com/smallstep/cli/utils/cautils"
 )
 
 func removeCommand() cli.Command {
 	return cli.Command{
 		Name:   "remove",
 		Action: cli.ActionFunc(removeAction),
 		Usage:  "remove an ACME EAB Key from the CA",
-		UsageText: `**step beta ca acme eab remove** <provisioner> <key_id>
+		UsageText: `**step ca acme eab remove** <provisioner> <eab-key-id>
 [**--admin-cert**=<file>] [**--admin-key**=<file>]
 [**--admin-provisioner**=<string>] [**--admin-subject**=<string>]
 [**--password-file**=<file>] [**--ca-url**=<uri>] [**--root**=<file>]
@@ -30,21 +32,21 @@ func removeCommand() cli.Command {
 			flags.Root,
 			flags.Context,
 		},
-		Description: `**step beta ca acme eab remove** removes an ACME EAB Key from the CA.
+		Description: `**step ca acme eab remove** removes an ACME EAB Key from the CA.
 
 ## POSITIONAL ARGUMENTS
 
 <provisioner>
 : Name of the provisioner to remove an ACME EAB key for
 
-<key_id>
+<eab-key-id>
 : The ACME EAB Key ID to remove
 
 ## EXAMPLES
 
 Remove ACME EAB Key with Key ID "zFGdKC1sHmNf3Wsx3OujY808chxwEdmr" from my_acme_provisioner:
 '''
-$ step beta ca acme eab remove my_acme_provisioner zFGdKC1sHmNf3Wsx3OujY808chxwEdmr
+$ step ca acme eab remove my_acme_provisioner zFGdKC1sHmNf3Wsx3OujY808chxwEdmr
 '''
 `,
 	}

command/ca/ca.go

@@ -1,13 +1,15 @@
 package ca
 
 import (
-	"github.com/smallstep/cli/command/ca/acme"
+	"github.com/urfave/cli"
 
+	"go.step.sm/cli-utils/command"
+
+	"github.com/smallstep/cli/command/ca/acme"
 	"github.com/smallstep/cli/command/ca/admin"
+	"github.com/smallstep/cli/command/ca/policy"
 	"github.com/smallstep/cli/command/ca/provisioner"
 	"github.com/smallstep/cli/command/ca/provisionerbeta"
-	"github.com/urfave/cli"
-	"go.step.sm/cli-utils/command"
 )
 
 // init creates and registers the ca command
@@ -78,6 +80,8 @@ $ step ca renew internal.crt internal.key \
 			rootComand(),
 			rootsCommand(),
 			federationCommand(),
+			acme.Command(),
+			policy.Command(),
 		},
 	}
 
@@ -167,7 +171,6 @@ commands may change, disappear, or be promoted to a different subcommand in the
 		Subcommands: cli.Commands{
 			admin.Command(),
 			provisionerbeta.Command(),
-			acme.Command(),
 		},
 	}
 }

command/ca/policy/acme/acme.go

@@ -0,0 +1,27 @@
+package acme
+
+import (
+	"context"
+
+	"github.com/urfave/cli"
+
+	"github.com/smallstep/cli/command/ca/policy/actions"
+	"github.com/smallstep/cli/command/ca/policy/policycontext"
+	"github.com/smallstep/cli/command/ca/policy/x509"
+)
+
+// Command returns the ACME account policy subcommand.
+func Command(ctx context.Context) cli.Command {
+	ctx = policycontext.WithACMEPolicyLevel(ctx)
+	return cli.Command{
+		Name:        "acme",
+		Usage:       "manage certificate issuance policies for ACME accounts.",
+		UsageText:   "**step ca policy acme** <subcommand> [arguments] [global-flags] [subcommand-flags]",
+		Description: `**step ca policy acme** command group provides facilities for managing certificate issuance policies for ACME accounts.`,
+		Subcommands: cli.Commands{
+			actions.ViewCommand(ctx),
+			actions.RemoveCommand(ctx),
+			x509.Command(ctx),
+		},
+	}
+}