flags

package
v0.24.2-rc.4 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jun 14, 2023 License: Apache-2.0 Imports: 14 Imported by: 27

Documentation

Index

Constants

This section is empty.

Variables

View Source
var (
	// KTY is the flag to set the key type.
	KTY = cli.StringFlag{
		Name:  "kty",
		Value: "EC",
		Usage: `The <kty> to build the certificate upon.
If unset, default is EC.

: <kty> is a case-sensitive string and must be one of:

    **EC**
    :  Create an **elliptic curve** keypair

    **OKP**
    :  Create an octet key pair (for **"Ed25519"** curve)

    **RSA**
    :  Create an **RSA** keypair`,
	}

	// Size is the flag to set the key size.
	Size = cli.IntFlag{
		Name: "size",
		Usage: `The <size> (in bits) of the key for RSA and oct key types. RSA keys require a
minimum key size of 2048 bits. If unset, default is 2048 bits for RSA keys and 128 bits for oct keys.`,
	}

	// Curve is the flag to se the key curve.
	Curve = cli.StringFlag{
		Name: "crv, curve",
		Usage: `The elliptic <curve> to use for EC and OKP key types. Corresponds
to the **"crv"** JWK parameter. Valid curves are defined in JWA [RFC7518]. If
unset, default is P-256 for EC keys and Ed25519 for OKP keys.

: <curve> is a case-sensitive string and must be one of:

		**P-256**
		:  NIST P-256 Curve

		**P-384**
		:  NIST P-384 Curve

		**P-521**
		:  NIST P-521 Curve

		**Ed25519**
		:  Ed25519 Curve`,
	}

	// Subtle is the flag required for delicate operations.
	Subtle = cli.BoolFlag{
		Name: "subtle",
	}

	// Insecure is the flag required on insecure operations
	Insecure = cli.BoolFlag{
		Name: "insecure",
	}

	// K8sSATokenPathFlag is an optional flag that allows modification of the
	// kubernetes service account token path.
	K8sSATokenPathFlag = cli.StringFlag{
		Name:  "k8ssa-token-path",
		Usage: `Configure the <file> from which to read the kubernetes service account token.`,
		Value: `/var/run/secrets/kubernetes.io/serviceaccount/token`,
	}

	// Force is a cli.Flag used to overwrite files.
	Force = cli.BoolFlag{
		Name:  "f,force",
		Usage: "Force the overwrite of files without asking.",
	}

	// DryRun is a cli.Flag used to avoid the writing of files.
	DryRun = cli.BoolFlag{
		Name:  "dry-run",
		Usage: "Executes the command without changing any file.",
	}

	// PasswordFile is a cli.Flag used to pass a file to encrypt or decrypt a
	// private key.
	PasswordFile = cli.StringFlag{
		Name:  "password-file",
		Usage: `The path to the <file> containing the password to encrypt or decrypt the private key.`,
	}

	// NoPassword is a cli.Flag used to avoid using a password to encrypt private
	// keys.
	NoPassword = cli.BoolFlag{
		Name: "no-password",
		Usage: `Do not ask for a password to encrypt a private key. Sensitive key material will
be written to disk unencrypted. This is not recommended. Requires **--insecure** flag.`,
	}

	// Token is a cli.Flag used to pass the CA token.
	Token = cli.StringFlag{
		Name: "token",
		Usage: `The one-time <token> used to authenticate with the CA in order to create the
certificate.`,
	}

	// Limit is a cli.Flag used to limit the number of entities returned in API requests.
	Limit = cli.UintFlag{
		Name:  "limit",
		Usage: `The number of entities to return per (paging) API request.`,
	}

	// NoPager is a cli.Flag used to disable usage of $PAGER for paging purposes.
	NoPager = cli.BoolFlag{
		Name:  "no-pager",
		Usage: `Disables usage of $PAGER for paging purposes`,
	}

	// NotBefore is a cli.Flag used to pass the start period of the certificate
	// validity.
	NotBefore = cli.StringFlag{
		Name: "not-before",
		Usage: `The <time|duration> when the certificate validity period starts. If a <time> is
used it is expected to be in RFC 3339 format. If a <duration> is used, it is a
sequence of decimal numbers, each with optional fraction and a unit suffix, such
as "300ms", "-1.5h" or "2h45m". Valid time units are "ns", "us" (or "µs"), "ms",
"s", "m", "h".`,
	}

	// NotAfter is a cli.Flag used to pass the end period of the certificate
	// validity.
	NotAfter = cli.StringFlag{
		Name: "not-after",
		Usage: `The <time|duration> when the certificate validity period ends. If a <time> is
used it is expected to be in RFC 3339 format. If a <duration> is used, it is a
sequence of decimal numbers, each with optional fraction and a unit suffix, such
as "300ms", "-1.5h" or "2h45m". Valid time units are "ns", "us" (or "µs"), "ms",
"s", "m", "h".`,
	}

	// CertNotBefore is a cli.Flag used to pass the start period of the certificate
	// validity. This is currently only used for SSH certificates.
	CertNotBefore = cli.StringFlag{
		Name: "cert-not-before",
		Usage: `The <time|duration> when the certificate validity period starts. If a <time> is
used it is expected to be in RFC 3339 format. If a <duration> is used, it is a
sequence of decimal numbers, each with optional fraction and a unit suffix, such
as "300ms", "-1.5h" or "2h45m". Valid time units are "ns", "us" (or "µs"), "ms",
"s", "m", "h". This flag is only supported on SSH certificates.`,
	}

	// CertNotAfter is a cli.Flag used to pass the end period of the certificate
	// validity. This is currently only used for SSH certificates.
	CertNotAfter = cli.StringFlag{
		Name: "cert-not-after",
		Usage: `The <time|duration> when the certificate validity period ends. If a <time> is
used it is expected to be in RFC 3339 format. If a <duration> is used, it is a
sequence of decimal numbers, each with optional fraction and a unit suffix, such
as "300ms", "-1.5h" or "2h45m". Valid time units are "ns", "us" (or "µs"), "ms",
"s", "m", "h". This flag is only supported on SSH certificates.`,
	}

	// Provisioner is a cli.Flag used to pass the CA provisioner to use.
	Provisioner = cli.StringFlag{
		Name:  "provisioner,issuer",
		Usage: "The provisioner <name> to use.",
	}

	// AdminProvisioner is a cli.Flag used to pass the CA Admin provisioner to use.
	AdminProvisioner = cli.StringFlag{
		Name:  "admin-provisioner,admin-issuer",
		Usage: "The provisioner <name> to use for generating admin credentials.",
	}

	// AdminSubject is a cli.Flag used to pass the admin subject to use when generating
	// admin credentials.
	AdminSubject = cli.StringFlag{
		Name:  "admin-subject,admin-name",
		Usage: "The admin <subject> to use for generating admin credentials.",
	}

	// AdminPasswordFileWithAlias is a cli.Flag used to pass the password to use
	// when generating admin credentials.
	AdminPasswordFile = cli.StringFlag{
		Name: "admin-password-file,password-file",
		Usage: `The path to the <file> containing the password to decrypt the one-time token
generating key.`,
	}

	// AdminPasswordFileNoAlias is a cli.Flag used to pass the password to use
	// when generating admin credentials.
	AdminPasswordFileNoAlias = cli.StringFlag{
		Name: "admin-password-file",
		Usage: `The path to the <file> containing the password to decrypt the one-time token
generating key.`,
	}

	// ProvisionerPasswordFile is a cli.Flag used to pass the password file to
	// decrypt the generating key.
	ProvisionerPasswordFile = cli.StringFlag{
		Name: "provisioner-password-file",
		Usage: `The path to the <file> containing the password to decrypt the one-time token
generating key.`,
	}

	// ProvisionerPasswordFileWithAlias is a cli.Flag that allows multiple
	// alias flag names for the ProvisionerPasswordFile.
	ProvisionerPasswordFileWithAlias = cli.StringFlag{
		Name: "provisioner-password-file,password-file",
		Usage: `The path to the <file> containing the password to decrypt the one-time token
generating key.`,
	}

	// CaURL is a cli.Flag used to pass the CA url.
	CaURL = cli.StringFlag{
		Name:  "ca-url",
		Usage: "<URI> of the targeted Step Certificate Authority.",
	}

	// Root is a cli.Flag used to pass the path of the root certificate to use.
	Root = cli.StringFlag{
		Name:  "root",
		Usage: "The path to the PEM <file> used as the root certificate authority.",
	}

	// HiddenNoContext is a cli.Flag that prevents context configuration
	// from being applied for a given command.
	HiddenNoContext = cli.BoolTFlag{
		Name:   "no-context",
		Usage:  "Do not apply context specific environment for this command.",
		Hidden: true,
	}

	// Context is a cli.Flag used to select a a context name.
	Context = cli.StringFlag{
		Name:  "context",
		Usage: "The context <name> to apply for the given command.",
	}

	// ContextProfile is a cli.Flag to select a context profile name.
	ContextProfile = cli.StringFlag{
		Name:  "profile",
		Usage: `The <name> that will serve as the profile name for the context.`,
	}

	// ContextAuthority is a cli.Flag used to select a context authority name.
	ContextAuthority = cli.StringFlag{
		Name:  "authority",
		Usage: `The <name> that will serve as the authority name for the context.`,
	}

	// Offline is a cli.Flag used to activate the offline flow.
	Offline = cli.BoolFlag{
		Name: "offline",
		Usage: `Creates a certificate without contacting the certificate authority. Offline mode
uses the configuration, certificates, and keys created with **step ca init**,
but can accept a different configuration file using **--ca-config** flag.`,
	}

	// CaConfig is a cli.Flag used to pass the CA configuration file.
	CaConfig = cli.StringFlag{
		Name: "ca-config",
		Usage: `The certificate authority configuration <file>. Defaults to
$(step path)/config/ca.json`,
		Value: filepath.Join(step.Path(), "config", "ca.json"),
	}

	// AdminCert is a cli.Flag used to pass the x5c header certificate for a JWT.
	AdminCert = cli.StringFlag{
		Name:  "admin-cert",
		Usage: "Admin certificate (<chain>) in PEM format to store in the 'x5c' header of a JWT.",
	}

	// AdminKey is a cli.Flag used to pass the private key (corresponding to the x5c-cert)
	// that is used to sign the token.
	AdminKey = cli.StringFlag{
		Name: "admin-key",
		Usage: `Private key <file>, used to sign a JWT, corresponding to the admin certificate that will
be stored in the 'x5c' header.`,
	}

	// X5cCert is a cli.Flag used to pass the x5c header certificate for a JWT.
	X5cCert = cli.StringFlag{
		Name:  "x5c-cert",
		Usage: "Certificate (<chain>) in PEM format to store in the 'x5c' header of a JWT.",
	}

	// X5cKey is a cli.Flag used to pass the private key (corresponding to the x5c-cert)
	// that is used to sign the token.
	X5cKey = cli.StringFlag{
		Name: "x5c-key",
		Usage: `Private key <file>, used to sign a JWT, corresponding to the certificate that will
be stored in the 'x5c' header.`,
	}

	// X5cChain is a cli.Flag used to pass the intermediate chain certificates corresponding to the x5c-cert
	// that is used to sign the token.
	X5cChain = cli.StringSliceFlag{
		Name:  "x5c-chain",
		Usage: `Certificate <file>, in PEM format`,
	}

	// X5cInsecure is a cli.Flag used to set the JWT header x5cInsecure instead
	// of x5c when --x5c-cert is used.
	X5cInsecure = cli.BoolFlag{
		Name:  "x5c-insecure",
		Usage: "Use the JWT header 'x5cInsecure' instead of 'x5c'.",
	}

	// X5tCert is a cli.Flag used to pass the x5t header certificate thumbprint
	// for a JWS or JWT.
	X5tCert = cli.StringFlag{
		Name:  "x5t-cert",
		Usage: "Certificate <file> in PEM format to use for the 'x5t' header of a JWS or JWT",
	}

	// X5tKey is a cli.Flag used to pass the private key (corresponding to the x5t-cert)
	// that is used to sign the token.
	X5tKey = cli.StringFlag{
		Name: "x5t-key",
		Usage: `Private key <file>, used to sign a JWT, corresponding to the certificate used for
the 'x5t' header.`,
	}

	// SSHPOPCert is a cli.Flag used to pass the sshpop header certificate for a JWT.
	SSHPOPCert = cli.StringFlag{
		Name:  "sshpop-cert",
		Usage: "Certificate (<chain>) in PEM format to store in the 'sshpop' header of a JWT.",
	}

	// SSHPOPKey is a cli.Flag used to pass the private key (corresponding to the sshpop-cert)
	// that is used to sign the token.
	SSHPOPKey = cli.StringFlag{
		Name: "sshpop-key",
		Usage: `Private key <file>, used to sign a JWT, corresponding to the certificate that will
be stored in the 'sshpop' header.`,
	}

	// NebulaCert is a cli.Flag used to pass the nebula certificate used as the
	// nebula header certificate in a JWT.
	NebulaCert = cli.StringFlag{
		Name:  "nebula-cert",
		Usage: "Certificate <file> in PEM format to store in the 'nebula' header of a JWT.",
	}

	// NebulaKey is a cli.Flag used to pass the private key (corresponding to
	// the nebula-cert) that is used to sign the token.
	NebulaKey = cli.StringFlag{
		Name: "nebula-key",
		Usage: `Private key <file>, used to sign a JWT, corresponding to the certificate that will
be stored in the 'nebula' header.`,
	}

	// Team is a cli.Flag used to pass the team ID.
	Team = cli.StringFlag{
		Name:  "team",
		Usage: "The team <ID> used to bootstrap the environment.",
	}

	// TeamURL is a cli.Flag used to pass the team URL.
	TeamURL = cli.StringFlag{
		Name: "team-url",
		Usage: `The <url> step queries to retrieve initial team configuration. Only used with
the **--team** option. If the url contains <\<\>> placeholders, they are replaced with the team ID.
Replacing the authority-id section of the url is not supported with placeholders.`,
	}

	// TeamAuthority is a cli.Flag used to pass the name of the authority belonging
	// to a team.
	TeamAuthority = cli.StringFlag{
		Name: "team-authority",
		Usage: `The <sub-domain> of the certificate authority to bootstrap. E.g., for an authority with
domain name 'certs.example-team.ca.smallstep.com' the value would be 'certs'.`,
	}

	// RedirectURL is a cli.Flag used to pass a url to redirect after an OAuth
	// flow finishes..
	RedirectURL = cli.StringFlag{
		Name:  "redirect-url",
		Usage: "The <url> to open in the system browser when the OAuth flow is successful.",
	}

	// ServerName is a cli.Flag used to set the TLS Server Name Indication in
	// request to a server.
	ServerName = cli.StringFlag{
		Name:  "servername",
		Usage: `TLS Server Name Indication that should be sent to request a specific certificate from the server.`,
	}

	// Template is a cli.Flag used to set the template file to use.
	Template = cli.StringFlag{
		Name:  "template",
		Usage: `The certificate template <file>, a JSON representation of the certificate to create.`,
	}

	// TemplateSet is a cli.Flag used to send key-value pairs to the ca.
	TemplateSet = cli.StringSliceFlag{
		Name:  "set",
		Usage: "The <key=value> pair with template data variables. Use the **--set** flag multiple times to add multiple variables.",
	}

	// TemplateSetFile is a cli.Flag used to send a JSON file to the CA.
	TemplateSetFile = cli.StringFlag{
		Name:  "set-file",
		Usage: "The JSON <file> with the template data variables.",
	}

	// Identity is a cli.Flag used to be able to define the identity argument in
	// defaults.json.
	Identity = cli.StringFlag{
		Name: "identity",
		Usage: `The certificate identity. It is usually passed as a positional argument, but a
flag exists so it can be configured in $STEPPATH/config/defaults.json.`,
	}

	// EABKeyID is a cli.Flag that points to an ACME EAB Key ID
	EABKeyID = cli.StringFlag{
		Name:  "eab-key-id",
		Usage: "An ACME EAB Key ID.",
	}

	// EABReference is a cli.Flag that points to an ACME EAB Key Reference
	EABReference = cli.StringFlag{
		Name:  "eab-key-reference",
		Usage: "An ACME EAB Key Reference.",
	}

	KMSUri = cli.StringFlag{
		Name:  "kms",
		Usage: "The <uri> to configure a Cloud KMS or an HSM.",
	}

	AttestationURI = cli.StringFlag{
		Name:  "attestation-uri",
		Usage: "The KMS <uri> used for attestation.",
	}
)

Functions

func FingerprintCertificateModeFlag added in v0.24.0

func FingerprintCertificateModeFlag() cli.BoolFlag

FingerprintCertificateModeFlag returns a flag for configuring the fingerprinting mode. The default behavior is to fingerprint just the public key if an SSH certificate is being fingerprinted. By providing `--certificate`, the certificate bytes will be included in calculating the fingerprint, resulting in a different one.

func FingerprintFormatFlag added in v0.23.0

func FingerprintFormatFlag(defaultFmt string) cli.StringFlag

FingerprintFormatFlag returns a flag for configuring the fingerprint format.

func GetTemplateData added in v0.22.0

func GetTemplateData(ctx *cli.Context) (map[string]interface{}, error)

GetTemplateData parses the set and set-file flags and returns a map to be used in certificate templates.

func ParseCaURL added in v0.15.0

func ParseCaURL(ctx *cli.Context) (string, error)

ParseCaURL gets and parses the ca-url from the command context.

  • Require non-empty value.
  • Prepend an 'https' scheme if the URL does not have a scheme.
  • Error if the URL scheme is not implicitly or explicitly 'https'.

func ParseCaURLIfExists added in v0.15.0

func ParseCaURLIfExists(ctx *cli.Context) (string, error)

ParseCaURLIfExists gets and parses the ca-url from the command context, if one is present.

  • Allow empty value.
  • Prepend an 'https' scheme if the URL does not have a scheme.
  • Error if the URL scheme is not implicitly or explicitly 'https'.

func ParseFingerprintFormat added in v0.23.0

func ParseFingerprintFormat(format string) (fingerprint.Encoding, error)

ParseFingerprintFormat gets the fingerprint encoding from the format flag.

func ParseTemplateData added in v0.15.0

func ParseTemplateData(ctx *cli.Context) (json.RawMessage, error)

ParseTemplateData parses the set and set-file flags and returns a json message to be used in certificate templates.

func ParseTimeDuration added in v0.12.0

func ParseTimeDuration(ctx *cli.Context) (notBefore, notAfter api.TimeDuration, err error)

ParseTimeDuration parses the not-before and not-after flags as a timeDuration

func ParseTimeOrDuration added in v0.8.2

func ParseTimeOrDuration(s string) (time.Time, bool)

ParseTimeOrDuration is a helper that returns the time or the current time with an extra duration. It's used in flags like --not-before, --not-after.

Types

This section is empty.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL