Add --disable-ssh-ca-user and --disable-ssh-ca-host flags ...

... for provisioner add and update. Only works for GCP IID provisioner (for now).
smallstep · Oct 28, 2024 · 93eb7d2 · 93eb7d2
1 parent dfb4907
commit 93eb7d2
Show file tree

Hide file tree

Showing 3 changed files with 17 additions and 0 deletions.
diff --git a/command/ca/provisioner/add.go b/command/ca/provisioner/add.go
@@ -173,6 +173,8 @@ SCEP
 			instanceAgeFlag,
 			disableCustomSANsFlag,
 			disableTOFUFlag,
+			disableSSHCAUserFlag,
+			disableSSHCAHostFlag,
 
 			// Claims
 			x509TemplateFlag,

diff --git a/command/ca/provisioner/provisioner.go b/command/ca/provisioner/provisioner.go
@@ -542,6 +542,16 @@ with the same instance will be accepted. By default only the first request
 will be accepted.`,
 	}
 
+	disableSSHCAUserFlag = cli.BoolFlag{
+		Name:  "disable-ssh-ca-user",
+		Usage: `Disable ability to sign SSH user certificates`,
+	}
+
+	disableSSHCAHostFlag = cli.BoolFlag{
+		Name:  "disable-ssh-ca-host",
+		Usage: `Disable ability to sign SSH host certificates`,
+	}
+
 	// Nebula provisioner flags
 	nebulaRootFlag = cli.StringFlag{
 		Name: "nebula-root",

diff --git a/command/ca/provisioner/update.go b/command/ca/provisioner/update.go
@@ -177,6 +177,8 @@ SCEP
 			instanceAgeFlag,
 			disableCustomSANsFlag,
 			disableTOFUFlag,
+			disableSSHCAUserFlag,
+			disableSSHCAHostFlag,
 
 			// Claims
 			x509TemplateFlag,
@@ -917,6 +919,7 @@ func updateGCPDetails(ctx *cli.Context, p *linkedca.Provisioner) error {
 	}
 	if ctx.IsSet("disable-ssh-ca-user") {
 		boolVal := ctx.Bool("disable-ssh-ca-user")
+		fmt.Printf("boolVal = %+v\n", boolVal)
 		details.DisableSshCaUser = &boolVal
 	}
 	if ctx.IsSet("disable-ssh-ca-host") {
@@ -935,6 +938,8 @@ func updateGCPDetails(ctx *cli.Context, p *linkedca.Provisioner) error {
 	if ctx.IsSet("gcp-project") {
 		details.ProjectIds = append(details.ProjectIds, ctx.StringSlice("gcp-project")...)
 	}
+
+	fmt.Printf("*details.DisableSshCaUser = %+v\n", *details.DisableSshCaUser)
 	return nil
 }