Allow a few global defaults to be pulled from the CA (#1377)

- min-encryption-password-length
- provisioner

Enforce min-encryption-password-length, if set, in the 'step ssh
certificate' command.

Add flags.FirstStringOf returns value of first defined flag in input list

Author: dopey

command/ssh/certificate.go

@@ -5,6 +5,7 @@ import (
 	"crypto"
 	"crypto/rand"
 	"crypto/x509"
+	"fmt"
 	"net/url"
 	"os"
 	"strings"
@@ -44,7 +45,8 @@ func certificateCommand() cli.Command {
 [**--console**] [**--no-password**] [**--insecure**] [**--force**] [**--x5c-cert**=<file>]
 [**--x5c-key**=<file>] [**--k8ssa-token-path**=<file>] [**--no-agent**]
 [**--kty**=<key-type>] [**--curve**=<curve>] [**--size**=<size>]
-[**--ca-url**=<uri>] [**--root**=<file>] [**--context**=<name>]`,
+[**--min-password-length**=<length>] [**--ca-url**=<uri>]
+[**--root**=<file>] [**--context**=<name>]`,
 
 		Description: `**step ssh certificate** command generates an SSH key pair and creates a
 certificate using [step certificates](https://github.com/smallstep/certificates).
@@ -202,6 +204,11 @@ $  step ssh certificate --kty OKP --curve Ed25519 mariano@work id_ed25519
 				Name:  "no-agent",
 				Usage: "Do not add the generated certificate and associated private key to the SSH agent.",
 			},
+			cli.IntFlag{
+				Name:  "min-password-length",
+				Usage: "Set minimum required length for password used to encrypt private key. The default value is '0'. Values <=0 are interpreted as if no minimum value is set.",
+				Value: 0,
+			},
 			flags.CaConfig,
 			flags.CaURL,
 			flags.Root,
@@ -240,6 +247,7 @@ func certificateAction(ctx *cli.Context) error {
 	noPassword := ctx.Bool("no-password")
 	insecure := ctx.Bool("insecure")
 	sshPrivKeyFile := ctx.String("private-key")
+	minPasswordLength := ctx.Int("min-password-length")
 	validAfter, validBefore, err := flags.ParseTimeDuration(ctx)
 	if err != nil {
 		return err
@@ -258,6 +266,8 @@ func certificateAction(ctx *cli.Context) error {
 	switch {
 	case noPassword && !insecure:
 		return errs.RequiredInsecureFlag(ctx, "no-password")
+	case noPassword && minPasswordLength > 0:
+		return errs.IncompatibleFlagWithFlag(ctx, "no-password", "min-password-length")
 	case noPassword && passwordFile != "":
 		return errs.IncompatibleFlagWithFlag(ctx, "no-password", "password-file")
 	case token != "" && provisionerPasswordFile != "":
@@ -456,42 +466,47 @@ func certificateAction(ctx *cli.Context) error {
 		// Private key (with password unless --no-password --insecure)
 		opts := []pemutil.Options{
 			pemutil.WithOpenSSH(true),
-			pemutil.ToFile(keyFile, 0600),
+			pemutil.ToFile(keyFile, 0o600),
 		}
 		switch {
 		case noPassword && insecure:
 		case passwordFile != "":
-			opts = append(opts, pemutil.WithPasswordFile(passwordFile))
+			opts = append(opts, pemutil.WithMinLengthPasswordFile(passwordFile, minPasswordLength))
 		default:
-			opts = append(opts, pemutil.WithPasswordPrompt("Please enter the password to encrypt the private key", func(s string) ([]byte, error) {
-				return ui.PromptPassword(s, ui.WithValidateNotEmpty())
+			prompt := "Please enter the password to encrypt the private key"
+			if minPasswordLength > 0 {
+				prompt = fmt.Sprintf("%s (must be at least %d characters)", prompt, minPasswordLength)
+			}
+			opts = append(opts, pemutil.WithPasswordPrompt(prompt, func(s string) ([]byte, error) {
+				return ui.PromptPassword(s, ui.WithValidateNotEmpty(), ui.WithMinLength(minPasswordLength))
 			}))
 		}
+
 		_, err = pemutil.Serialize(priv, opts...)
 		if err != nil {
 			return err
 		}
 
-		if err := utils.WriteFile(pubFile, marshalPublicKey(sshPub, subject), 0644); err != nil {
+		if err := utils.WriteFile(pubFile, marshalPublicKey(sshPub, subject), 0o644); err != nil {
 			return err
 		}
 	}
 
 	// Write certificate
-	if err := utils.WriteFile(crtFile, marshalPublicKey(resp.Certificate, subject), 0644); err != nil {
+	if err := utils.WriteFile(crtFile, marshalPublicKey(resp.Certificate, subject), 0o644); err != nil {
 		return err
 	}
 
 	// Write Add User keys and certs
 	if isAddUser && resp.AddUserCertificate != nil {
 		id := provisioner.SanitizeSSHUserPrincipal(subject) + "-provisioner"
-		if _, err := pemutil.Serialize(auPriv, pemutil.WithOpenSSH(true), pemutil.ToFile(baseName+"-provisioner", 0600)); err != nil {
+		if _, err := pemutil.Serialize(auPriv, pemutil.WithOpenSSH(true), pemutil.ToFile(baseName+"-provisioner", 0o600)); err != nil {
 			return err
 		}
-		if err := utils.WriteFile(baseName+"-provisioner.pub", marshalPublicKey(sshAuPub, id), 0644); err != nil {
+		if err := utils.WriteFile(baseName+"-provisioner.pub", marshalPublicKey(sshAuPub, id), 0o644); err != nil {
 			return err
 		}
-		if err := utils.WriteFile(baseName+"-provisioner-cert.pub", marshalPublicKey(resp.AddUserCertificate, id), 0644); err != nil {
+		if err := utils.WriteFile(baseName+"-provisioner-cert.pub", marshalPublicKey(resp.AddUserCertificate, id), 0o644); err != nil {
 			return err
 		}
 	}

flags/flags.go

@@ -670,3 +670,21 @@ func parseCaURL(ctx *cli.Context, caURL string) (string, error) {
 
 	return fmt.Sprintf("%s://%s", u.Scheme, u.Host), nil
 }
+
+// FirstStringOf returns the value of the first defined flag from the input list.
+// If no defined flags, returns first flag with non-empty default value.
+func FirstStringOf(ctx *cli.Context, flags ...string) string {
+	// Return first defined flag.
+	for _, f := range flags {
+		if ctx.IsSet(f) {
+			return ctx.String(f)
+		}
+	}
+	// Return first non-empty, default, flag value.
+	for _, f := range flags {
+		if val := ctx.String(f); val != "" {
+			return val
+		}
+	}
+	return ""
+}

flags/flags_test.go

@@ -230,3 +230,78 @@ func TestParseFingerprintFormat(t *testing.T) {
 		})
 	}
 }
+
+func TestFirstStringOf(t *testing.T) {
+	getAppSet := func() (*cli.App, *flag.FlagSet) {
+		app := &cli.App{}
+		set := flag.NewFlagSet("contrive", 0)
+		return app, set
+	}
+	tests := []struct {
+		name       string
+		getContext func() *cli.Context
+		inputs     []string
+		want       string
+	}{
+		{
+			name: "no-flags-empty",
+			getContext: func() *cli.Context {
+				app, set := getAppSet()
+				//_ = set.String("ca-url", "", "")
+				return cli.NewContext(app, set, nil)
+			},
+			inputs: []string{"foo", "bar"},
+			want:   "",
+		},
+		{
+			name: "return-first-set-flag",
+			getContext: func() *cli.Context {
+				app, set := getAppSet()
+				_ = set.String("foo", "", "")
+				_ = set.String("bar", "", "")
+				_ = set.String("baz", "", "")
+				ctx := cli.NewContext(app, set, nil)
+				ctx.Set("bar", "test1")
+				ctx.Set("baz", "test2")
+				return ctx
+			},
+			inputs: []string{"foo", "bar", "baz"},
+			want:   "test1",
+		},
+		{
+			name: "return-first-default-flag",
+			getContext: func() *cli.Context {
+				app, set := getAppSet()
+				_ = set.String("foo", "", "")
+				_ = set.String("bar", "", "")
+				_ = set.String("baz", "test1", "")
+				ctx := cli.NewContext(app, set, nil)
+				return ctx
+			},
+			inputs: []string{"foo", "bar", "baz"},
+			want:   "test1",
+		},
+		{
+			name: "all-empty",
+			getContext: func() *cli.Context {
+				app, set := getAppSet()
+				_ = set.String("foo", "", "")
+				_ = set.String("bar", "", "")
+				_ = set.String("baz", "", "")
+				ctx := cli.NewContext(app, set, nil)
+				return ctx
+			},
+			inputs: []string{"foo", "bar", "baz"},
+			want:   "",
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			ctx := tt.getContext()
+			val := FirstStringOf(ctx, tt.inputs...)
+			if val != tt.want {
+				t.Errorf("expected %v, but got %v", tt.want, val)
+			}
+		})
+	}
+}

utils/cautils/bootstrap.go

@@ -25,9 +25,11 @@ import (
 )
 
 type bootstrapAPIResponse struct {
-	CaURL       string `json:"url"`
-	Fingerprint string `json:"fingerprint"`
-	RedirectURL string `json:"redirect-url"`
+	CaURL             string `json:"url"`
+	Fingerprint       string `json:"fingerprint"`
+	RedirectURL       string `json:"redirect-url"`
+	Provisioner       string `json:"provisioner"`
+	MinPasswordLength int    `json:"min-password-length"`
 }
 
 // UseContext returns true if contexts should be used, false otherwise.
@@ -55,6 +57,20 @@ type bootstrapOption func(bc *bootstrapContext)
 type bootstrapContext struct {
 	defaultContextName string
 	redirectURL        string
+	provisioner        string
+	minPasswordLength  int
+}
+
+func withProvisioner(provisioner string) bootstrapOption {
+	return func(bc *bootstrapContext) {
+		bc.provisioner = provisioner
+	}
+}
+
+func withMinPasswordLength(minLength int) bootstrapOption {
+	return func(bc *bootstrapContext) {
+		bc.minPasswordLength = minLength
+	}
 }
 
 func withDefaultContextValues(context string) bootstrapOption {
@@ -70,10 +86,12 @@ func withRedirectURL(r string) bootstrapOption {
 }
 
 type bootstrapConfig struct {
-	CA          string `json:"ca-url"`
-	Fingerprint string `json:"fingerprint"`
-	Root        string `json:"root"`
-	Redirect    string `json:"redirect-url"`
+	CA                string `json:"ca-url"`
+	Fingerprint       string `json:"fingerprint"`
+	Root              string `json:"root"`
+	Redirect          string `json:"redirect-url,omitempty"`
+	Provisioner       string `json:"provisioner,omitempty"`
+	MinPasswordLength int    `json:"min-password-length,omitempty"`
 }
 
 func bootstrap(ctx *cli.Context, caURL, fingerprint string, opts ...bootstrapOption) error {
@@ -126,16 +144,16 @@ func bootstrap(ctx *cli.Context, caURL, fingerprint string, opts ...bootstrapOpt
 	rootFile := pki.GetRootCAPath()
 	configFile := step.DefaultsFile()
 
-	if err = os.MkdirAll(filepath.Dir(rootFile), 0700); err != nil {
+	if err = os.MkdirAll(filepath.Dir(rootFile), 0o700); err != nil {
 		return errs.FileError(err, rootFile)
 	}
 
-	if err = os.MkdirAll(filepath.Dir(configFile), 0700); err != nil {
+	if err = os.MkdirAll(filepath.Dir(configFile), 0o700); err != nil {
 		return errs.FileError(err, configFile)
 	}
 
 	// Serialize root
-	_, err = pemutil.Serialize(resp.RootPEM.Certificate, pemutil.ToFile(rootFile, 0600))
+	_, err = pemutil.Serialize(resp.RootPEM.Certificate, pemutil.ToFile(rootFile, 0o600))
 	if err != nil {
 		return err
 	}
@@ -148,12 +166,19 @@ func bootstrap(ctx *cli.Context, caURL, fingerprint string, opts ...bootstrapOpt
 	}
 
 	// Serialize defaults.json
-	b, err := json.MarshalIndent(bootstrapConfig{
+	bootConf := bootstrapConfig{
 		CA:          caURL,
 		Fingerprint: fingerprint,
 		Root:        pki.GetRootCAPath(),
 		Redirect:    bc.redirectURL,
-	}, "", "  ")
+	}
+	if bc.minPasswordLength > 0 {
+		bootConf.MinPasswordLength = bc.minPasswordLength
+	}
+	if bc.provisioner != "" {
+		bootConf.Provisioner = bc.provisioner
+	}
+	b, err := json.MarshalIndent(bootConf, "", "  ")
 	if err != nil {
 		return errors.Wrap(err, "error marshaling defaults.json")
 	}
@@ -162,7 +187,7 @@ func bootstrap(ctx *cli.Context, caURL, fingerprint string, opts ...bootstrapOpt
 	ctx.Set("fingerprint", fingerprint)
 	ctx.Set("root", rootFile)
 
-	if err := utils.WriteFile(configFile, b, 0644); err != nil {
+	if err := utils.WriteFile(configFile, b, 0o644); err != nil {
 		return err
 	}
 
@@ -171,12 +196,12 @@ func bootstrap(ctx *cli.Context, caURL, fingerprint string, opts ...bootstrapOpt
 	if step.Contexts().Enabled() {
 		profileDefaultsFile := step.ProfileDefaultsFile()
 
-		if err := os.MkdirAll(filepath.Dir(profileDefaultsFile), 0700); err != nil {
+		if err := os.MkdirAll(filepath.Dir(profileDefaultsFile), 0o700); err != nil {
 			return errs.FileError(err, profileDefaultsFile)
 		}
 
 		if _, err := os.Stat(profileDefaultsFile); os.IsNotExist(err) {
-			if err := os.WriteFile(profileDefaultsFile, []byte("{}"), 0600); err != nil {
+			if err := os.WriteFile(profileDefaultsFile, []byte("{}"), 0o600); err != nil {
 				return errs.FileError(err, profileDefaultsFile)
 			}
 			ui.Printf("The profile configuration has been saved in %s.\n", profileDefaultsFile)
@@ -254,9 +279,17 @@ func BootstrapTeamAuthority(ctx *cli.Context, team, teamAuthority string) error
 		r.RedirectURL = "https://smallstep.com/app/teams/sso/success"
 	}
 
-	return bootstrap(ctx, r.CaURL, r.Fingerprint,
-		withDefaultContextValues(teamAuthority+"."+team),
-		withRedirectURL(r.RedirectURL))
+	bootOpts := []bootstrapOption{
+		withDefaultContextValues(teamAuthority + "." + team),
+		withRedirectURL(r.RedirectURL),
+	}
+	if r.Provisioner != "" {
+		bootOpts = append(bootOpts, withProvisioner(r.Provisioner))
+	}
+	if r.MinPasswordLength > 0 {
+		bootOpts = append(bootOpts, withMinPasswordLength(r.MinPasswordLength))
+	}
+	return bootstrap(ctx, r.CaURL, r.Fingerprint, bootOpts...)
 }
 
 // BootstrapAuthority bootstraps an authority using only the caURL and fingerprint.
@@ -268,7 +301,7 @@ func BootstrapAuthority(ctx *cli.Context, caURL, fingerprint string) (err error)
 		}
 	}
 
-	var opts = []bootstrapOption{
+	opts := []bootstrapOption{
 		withDefaultContextValues(caHostname),
 	}
 

utils/cautils/token_flow.go

@@ -212,7 +212,7 @@ func OfflineTokenFlow(ctx *cli.Context, typ int, subject string, sans []string,
 	}
 
 	kid := ctx.String("kid")
-	issuer := ctx.String("issuer")
+	issuer := flags.FirstStringOf(ctx, "provisioner", "issuer")
 
 	// Require issuer and keyFile if ca.json does not exists.
 	// kid can be passed or created using jwk.Thumbprint.
@@ -326,7 +326,7 @@ func provisionerPrompt(ctx *cli.Context, provisioners provisioner.List) (provisi
 	}
 
 	// Filter by issuer (provisioner name)
-	if issuer := ctx.String("issuer"); issuer != "" {
+	if issuer := flags.FirstStringOf(ctx, "provisioner", "issuer"); issuer != "" {
 		provisioners = provisionerFilter(provisioners, func(p provisioner.Interface) bool {
 			return p.GetName() == issuer
 		})