Add options for specifying the subscription and object IDs with the Azure Provisioner

command/ca/provisioner/add.go

@@ -44,7 +44,7 @@ func addCommand() cli.Command {
 **step ca provisioner add** <name> **--type**=[AWS|Azure|GCP]
 [**--ca-config**=<file>] [**--aws-account**=<id>]
 [**--gcp-service-account**=<name>] [**--gcp-project**=<name>]
-[**--azure-tenant**=<id>] [**--azure-resource-group**=<name>]
+[**--azure-tenant**=<id>] [**--azure-resource-group**=<name>] [**--azure-subscription-id**=<id>] [**--azure-object-id**=<id>]
 [**--instance-age**=<duration>] [**--iid-roots**=<file>]
 [**--disable-custom-sans**] [**--disable-trust-on-first-use**]
 
@@ -138,7 +138,17 @@ Use the flag multiple times to configure multiple accounts.`,
 			cli.StringSliceFlag{
 				Name: "azure-resource-group",
 				Usage: `The Microsoft Azure resource group <name> used to validate the identity tokens.
-Use the flag multipl etimes to configure multiple resource groups`,
+Use the flag multiple times to configure multiple resource groups`,
+			},
+			cli.StringSliceFlag{
+				Name: "azure-subscription-id",
+				Usage: `The Microsoft Azure subscription <id> used to validate the identity tokens.
+Use the flag multiple times to configure multiple subscription IDs`,
+			},
+			cli.StringSliceFlag{
+				Name: "azure-object-id",
+				Usage: `The Microsoft Azure AD object <id> used to validate the identity tokens.
+Use the flag multiple times to configure multiple object IDs`,
 			},
 			cli.StringSliceFlag{
 				Name: "gcp-service-account",
@@ -258,11 +268,13 @@ $ step ca provisioner add Google --type GCP --ca-config ca.json \
   --gcp-project identity --gcp-project accounting
 '''
 
-Add an Azure provisioner with two service groups:
+Add an Azure provisioner with two resource groups, one subscription ID and one object ID:
 '''
 $ step ca provisioner add Azure --type Azure --ca-config ca.json \
   --azure-tenant bc9043e2-b645-4c1c-a87a-78f8644bfe57 \
-  --azure-resource-group identity --azure-resource-group accounting
+  --azure-resource-group identity --azure-resource-group accounting \
+  --azure-subscription-id dc760a01-2886-4a84-9abc-f3508e0f87d9 \
+  --azure-object-id f50926c7-abbf-4c28-87dc-9adc7eaf3ba7
 '''
 
 Add an GCP provisioner that will only accept the SANs provided in the identity token:
@@ -510,7 +522,7 @@ func addOIDCProvisioner(ctx *cli.Context, name string, provMap map[string]bool)
 }
 
 func addAWSProvisioner(ctx *cli.Context, name string, provMap map[string]bool) (list provisioner.List, err error) {
-	d, err := parseIntaceAge(ctx)
+	d, err := parseInstanceAge(ctx)
 	if err != nil {
 		return nil, err
 	}
@@ -548,6 +560,8 @@ func addAzureProvisioner(ctx *cli.Context, name string, provMap map[string]bool)
 		Name:                   name,
 		TenantID:               tenantID,
 		ResourceGroups:         ctx.StringSlice("azure-resource-group"),
+		SubscriptionIDs:        ctx.StringSlice("azure-subscription-id"),
+		ObjectIDs:              ctx.StringSlice("azure-object-id"),
 		DisableCustomSANs:      ctx.Bool("disable-custom-sans"),
 		DisableTrustOnFirstUse: ctx.Bool("disable-trust-on-first-use"),
 		Claims:                 getClaims(ctx),
@@ -565,7 +579,7 @@ func addAzureProvisioner(ctx *cli.Context, name string, provMap map[string]bool)
 }
 
 func addGCPProvisioner(ctx *cli.Context, name string, provMap map[string]bool) (list provisioner.List, err error) {
-	d, err := parseIntaceAge(ctx)
+	d, err := parseInstanceAge(ctx)
 	if err != nil {
 		return nil, err
 	}
@@ -746,7 +760,7 @@ func getClaims(ctx *cli.Context) *provisioner.Claims {
 	return nil
 }
 
-func parseIntaceAge(ctx *cli.Context) (provisioner.Duration, error) {
+func parseInstanceAge(ctx *cli.Context) (provisioner.Duration, error) {
 	age := ctx.Duration("instance-age")
 	if age == 0 {
 		return provisioner.Duration{}, nil

command/ca/provisionerbeta/add.go

@@ -217,6 +217,8 @@ provisioning tokens.`,
 			awsAccountFlag,
 			azureTenantFlag,
 			azureResourceGroupFlag,
+			azureSubscriptionIDFlag,
+			azureObjectIDFlag,
 			gcpServiceAccountFlag,
 			gcpProjectFlag,
 			instanceAgeFlag,
@@ -295,11 +297,13 @@ Create a SCEP provisioner with 'secret' challenge and AES-256-CBC encryption:
 step beta ca provisioner add my_scep_provisioner --type SCEP --challenge secret --encryption-algorithm-identifier 2  
 '''
 
-Create an Azure provisioner with two service groups:
+Create an Azure provisioner with two resource groups, one subscription ID and one object ID:
 '''
 $ step beta ca provisioner add Azure --type Azure \
   --azure-tenant bc9043e2-b645-4c1c-a87a-78f8644bfe57 \
-  --azure-resource-group identity --azure-resource-group accounting
+  --azure-resource-group identity --azure-resource-group accounting \
+  --azure-subscription-id dc760a01-2886-4a84-9abc-f3508e0f87d9 \
+  --azure-object-id f50926c7-abbf-4c28-87dc-9adc7eaf3ba7
 '''
 
 Create an GCP provisioner that will only accept the SANs provided in the identity token:
@@ -762,6 +766,8 @@ func createAzureDetails(ctx *cli.Context) (*linkedca.ProvisionerDetails, error)
 			Azure: &linkedca.AzureProvisioner{
 				TenantId:               tenantID,
 				ResourceGroups:         ctx.StringSlice("azure-resource-group"),
+				SubscriptionIds:        ctx.StringSlice("azure-subscription-id"),
+				ObjectIds:              ctx.StringSlice("azure-object-id"),
 				DisableCustomSans:      ctx.Bool("disable-custom-sans"),
 				DisableTrustOnFirstUse: ctx.Bool("disable-trust-on-first-use"),
 			},

command/ca/provisionerbeta/provisioner.go

@@ -228,12 +228,32 @@ Use the flag multiple times to remove multiple accounts.`,
 	azureResourceGroupFlag = cli.StringSliceFlag{
 		Name: "azure-resource-group",
 		Usage: `The Microsoft Azure resource group <name> used to validate the identity tokens.
-Use the flag multipl etimes to configure multiple resource groups`,
+Use the flag multiple times to configure multiple resource groups`,
 	}
 	removeAzureResourceGroupFlag = cli.StringSliceFlag{
 		Name: "remove-azure-resource-group",
 		Usage: `Remove a Microsoft Azure resource group <name> used to validate the identity tokens.
-Use the flag multipl etimes to configure multiple resource groups`,
+Use the flag multiple times to configure multiple resource groups`,
+	}
+	azureSubscriptionIDFlag = cli.StringSliceFlag{
+		Name: "azure-subscription-id",
+		Usage: `The Microsoft Azure subscription <id> used to validate the identity tokens.
+Use the flag multiple times to configure multiple subscription IDs`,
+	}
+	removeAzureSubscriptionIDFlag = cli.StringSliceFlag{
+		Name: "remove-azure-subscription-id",
+		Usage: `Remove a Microsoft Azure subscription <id> used to validate the identity tokens.
+Use the flag multiple times to configure multiple subscription IDs`,
+	}
+	azureObjectIDFlag = cli.StringSliceFlag{
+		Name: "azure-object-id",
+		Usage: `The Microsoft Azure AD object <id> used to validate the identity tokens.
+Use the flag multiple times to configure multiple object IDs`,
+	}
+	removeAzureObjectIDFlag = cli.StringSliceFlag{
+		Name: "remove-azure-object-id",
+		Usage: `Remove a Microsoft Azure AD object <id> used to validate the identity tokens.
+Use the flag multiple times to configure multiple object IDs`,
 	}
 	gcpServiceAccountFlag = cli.StringSliceFlag{
 		Name: "gcp-service-account",

command/ca/provisionerbeta/update.go

@@ -76,7 +76,7 @@ IID (AWS/GCP/Azure)
 [**--aws-account**=<id>]... [**--remove-aws-account**=<id>]...
 [**--gcp-service-account**=<name>]... [**--remove-gcp-service-account**=<name>]...
 [**--gcp-project**=<name>]... [**--remove-gcp-project**=<name>]...
-[**--azure-tenant**=<id>] [**--azure-resource-group**=<name>]
+[**--azure-tenant**=<id>] [**--azure-resource-group**=<name>] [**--azure-subscription-id**=<id>] [**--azure-object-id**=<id>]
 [**--instance-age**=<duration>] [**--iid-roots**=<file>]
 [**--disable-custom-sans**] [**--disable-trust-on-first-use**]
 [**--admin-cert**=<file>] [**--admin-key**=<file>] [**--admin-provisioner**=<name>]
@@ -192,6 +192,10 @@ provisioning tokens.`,
 			azureTenantFlag,
 			azureResourceGroupFlag,
 			removeAzureResourceGroupFlag,
+			azureSubscriptionIDFlag,
+			removeAzureSubscriptionIDFlag,
+			azureObjectIDFlag,
+			removeAzureObjectIDFlag,
 			gcpServiceAccountFlag,
 			removeGCPServiceAccountFlag,
 			gcpProjectFlag,
@@ -814,6 +818,18 @@ func updateAzureDetails(ctx *cli.Context, p *linkedca.Provisioner) error {
 	if ctx.IsSet("azure-resource-group") {
 		details.ResourceGroups = append(details.ResourceGroups, ctx.StringSlice("add-azure-resource-group")...)
 	}
+	if ctx.IsSet("remove-azure-subscription-id") {
+		details.SubscriptionIds = removeElements(details.SubscriptionIds, ctx.StringSlice("remove-azure-subscription-id"))
+	}
+	if ctx.IsSet("azure-subscription-id") {
+		details.SubscriptionIds = append(details.SubscriptionIds, ctx.StringSlice("add-azure-subscription-id")...)
+	}
+	if ctx.IsSet("remove-azure-object-id") {
+		details.ObjectIds = removeElements(details.ObjectIds, ctx.StringSlice("remove-azure-object-id"))
+	}
+	if ctx.IsSet("azure-object-id") {
+		details.ObjectIds = append(details.ObjectIds, ctx.StringSlice("add-azure-object-id")...)
+	}
 	return nil
 }
 

go.mod

@@ -17,8 +17,9 @@ require (
 	github.com/shurcooL/sanitized_anchor_name v1.0.0
 	github.com/slackhq/nebula v1.5.2
 	github.com/smallstep/assert v0.0.0-20200723003110-82e2b9b3b262
-	github.com/smallstep/certificates v0.18.1
+	github.com/smallstep/certificates v0.18.2
 	github.com/smallstep/certinfo v1.6.0
+	github.com/smallstep/nosql v0.3.10 // indirect
 	github.com/smallstep/truststore v0.11.0
 	github.com/smallstep/zcrypto v0.0.0-20210924233136-66c2600f6e71
 	github.com/smallstep/zlint v0.0.0-20180727184541-d84eaafe274f
@@ -27,7 +28,7 @@ require (
 	go.mozilla.org/pkcs7 v0.0.0-20210826202110-33d05740a352
 	go.step.sm/cli-utils v0.7.2
 	go.step.sm/crypto v0.15.0
-	go.step.sm/linkedca v0.9.2
+	go.step.sm/linkedca v0.10.0
 	golang.org/x/crypto v0.0.0-20211215153901-e495a2d5b3d3
 	golang.org/x/net v0.0.0-20220114011407-0dd24b26b47d
 	golang.org/x/sys v0.0.0-20220114195835-da31bd327af9