Merge pull request #986 from smallstep/fix-certificates-620

maraino · web-flow · commit ae8aee4f9f9b · 2023-08-01T16:45:51.000-07:00
Allow to disable smallstep extensions using the cli
diff --git a/command/ca/provisioner/add.go b/command/ca/provisioner/add.go
@@ -167,6 +167,7 @@ SCEP
 			sshHostDefaultDurFlag,
 			disableRenewalFlag,
 			allowRenewalAfterExpiryFlag,
+			disableSmallstepExtensionsFlag,
 			//enableX509Flag,
 			enableSSHFlag,
 
@@ -360,8 +361,9 @@ func addAction(ctx *cli.Context) (err error) {
 			HostDurations: &linkedca.Durations{},
 			Enabled:       !(ctx.IsSet("ssh") && !ctx.Bool("ssh")),
 		},
-		DisableRenewal:          ctx.Bool("disable-renewal"),
-		AllowRenewalAfterExpiry: ctx.Bool("allow-renewal-after-expiry"),
+		DisableRenewal:             ctx.Bool("disable-renewal"),
+		AllowRenewalAfterExpiry:    ctx.Bool("allow-renewal-after-expiry"),
+		DisableSmallstepExtensions: ctx.Bool("disable-smallstep-extensions"),
 	}
 
 	if ctx.IsSet("x509-min-dur") {
diff --git a/command/ca/provisioner/provisioner.go b/command/ca/provisioner/provisioner.go
@@ -248,6 +248,10 @@ unit suffix, such as "300ms", "-1.5h" or "2h45m". Valid time units are "ns",
 		Name:  "allow-renewal-after-expiry",
 		Usage: `Allow renewals for expired certificates generated by this provisioner.`,
 	}
+	disableSmallstepExtensionsFlag = cli.BoolFlag{
+		Name:  "disable-smallstep-extensions",
+		Usage: `Disable the Smallstep extension for all certificates generated by this provisioner.`,
+	}
 	//enableX509Flag = cli.BoolFlag{
 	//	Name:  "x509",
 	//	Usage: `Enable provisioning of x509 certificates.`,
diff --git a/command/ca/provisioner/update.go b/command/ca/provisioner/update.go
@@ -166,6 +166,7 @@ SCEP
 			sshHostDefaultDurFlag,
 			disableRenewalFlag,
 			allowRenewalAfterExpiryFlag,
+			disableSmallstepExtensionsFlag,
 			//enableX509Flag,
 			enableSSHFlag,
 
@@ -404,8 +405,11 @@ func updateClaims(ctx *cli.Context, p *linkedca.Provisioner) {
 	if ctx.IsSet("allow-renewal-after-expiry") {
 		p.Claims.AllowRenewalAfterExpiry = ctx.Bool("allow-renewal-after-expiry")
 	}
-	claims := p.Claims
+	if ctx.IsSet("disable-smallstep-extensions") {
+		p.Claims.DisableSmallstepExtensions = ctx.Bool("disable-smallstep-extensions")
+	}
 
+	claims := p.Claims
 	if claims.X509 == nil {
 		claims.X509 = &linkedca.X509Claims{}
 	}
