Refactor ignoring of provisioner flag to not rely on package globals

Author: hslatman

cmd/step/main.go

@@ -22,6 +22,7 @@ import (
 
 	"github.com/smallstep/cli/command/version"
 	"github.com/smallstep/cli/internal/plugin"
+	"github.com/smallstep/cli/internal/provisionerflag"
 	"github.com/smallstep/cli/utils"
 
 	// Enabled cas interfaces.
@@ -126,11 +127,17 @@ func newApp(stdout, stderr io.Writer) *cli.App {
 	app.Copyright = fmt.Sprintf("(c) 2018-%d Smallstep Labs, Inc.", time.Now().Year())
 
 	// Flag of custom configuration flag
-	app.Flags = append(app.Flags, cli.StringFlag{
+	app.Flags = append(app.Flags, cli.StringFlag{ //nolint:gocritic // intentionally split for documentation
 		Name:  "config",
 		Usage: "path to the config file to use for CLI flags",
 	})
 
+	// add a hidden flag that can be used to signal that the provisioner
+	// flag should be ignored in certain commands. By defining it on the
+	// app level it can be ignored in multiple (sub)commands without having
+	// to specify the flag in each command.
+	app.Flags = append(app.Flags, provisionerflag.DisabledSentinelFlag)
+
 	// Action runs on `step` or `step <command>` if the command is not enabled.
 	app.Action = func(ctx *cli.Context) error {
 		args := ctx.Args()

cmd/step/main_test.go

@@ -3,9 +3,13 @@ package main
 import (
 	"bytes"
 	"regexp"
+	"slices"
 	"testing"
 
 	"github.com/stretchr/testify/require"
+	"github.com/urfave/cli"
+
+	"github.com/smallstep/cli/internal/provisionerflag"
 )
 
 func TestAppHasAllCommands(t *testing.T) {
@@ -44,3 +48,15 @@ func TestAppRuns(t *testing.T) {
 	output := ansiRegex.ReplaceAllString(stdout.String(), "")
 	require.Contains(t, output, "step -- plumbing for distributed systems")
 }
+
+func TestAppHasSentinelFlagForIgnoringProvisionersFlag(t *testing.T) {
+	app := newApp(nil, nil)
+	require.NotNil(t, app)
+
+	// this test only checks if the flag is present when an app is created
+	// through [getApp]. This is sufficient for now to proof that the flag
+	// exists in the actual released CLI binary.
+	require.True(t, slices.ContainsFunc(app.Flags, func(f cli.Flag) bool {
+		return f.GetName() == provisionerflag.DisabledSentinelFlagName()
+	}))
+}

command/ca/policy/acme/acme.go

@@ -8,7 +8,6 @@ import (
 	"github.com/smallstep/cli/command/ca/policy/actions"
 	"github.com/smallstep/cli/command/ca/policy/policycontext"
 	"github.com/smallstep/cli/command/ca/policy/x509"
-	"github.com/smallstep/cli/internal/provisionerflag"
 )
 
 // Command returns the ACME account policy subcommand.
@@ -28,9 +27,5 @@ Please note that certificate issuance policies for ACME accounts are currently o
 			actions.RemoveCommand(ctx),
 			x509.Command(ctx),
 		},
-		Before: func(ctx *cli.Context) error {
-			provisionerflag.Ignore()
-			return nil
-		},
 	}
 }

command/ca/policy/actions/cn.go

@@ -76,6 +76,8 @@ $ step ca policy authority x509 deny cn "My Bad CA Name"
 }
 
 func commonNamesAction(ctx context.Context) (err error) {
+	ignoreProvisionerFlagIfRequired(ctx)
+
 	clictx := command.CLIContextFromContext(ctx)
 
 	args := clictx.Args()

command/ca/policy/actions/dns.go

@@ -94,6 +94,8 @@ $ step ca policy authority ssh host allow dns "badsshhost.local"
 }
 
 func dnsAction(ctx context.Context) (err error) {
+	ignoreProvisionerFlagIfRequired(ctx)
+
 	clictx := command.CLIContextFromContext(ctx)
 
 	args := clictx.Args()

command/ca/policy/actions/emails.go

@@ -81,6 +81,8 @@ $ step ca policy provisioner ssh user deny email @example.com --provisioner my_p
 }
 
 func emailAction(ctx context.Context) (err error) {
+	ignoreProvisionerFlagIfRequired(ctx)
+
 	clictx := command.CLIContextFromContext(ctx)
 
 	args := clictx.Args()

command/ca/policy/actions/ips.go

@@ -114,6 +114,8 @@ $ step ca policy authority ssh host deny ip 192.168.0.40
 }
 
 func ipAction(ctx context.Context) (err error) {
+	ignoreProvisionerFlagIfRequired(ctx)
+
 	clictx := command.CLIContextFromContext(ctx)
 
 	args := clictx.Args()

command/ca/policy/actions/policy.go

@@ -16,13 +16,26 @@ import (
 
 	"github.com/smallstep/cli/command/ca/policy/policycontext"
 	"github.com/smallstep/cli/internal/command"
+	"github.com/smallstep/cli/internal/provisionerflag"
 )
 
 var provisionerFilterFlag = cli.StringFlag{
 	Name:  "provisioner",
 	Usage: `The provisioner <name>`,
 }
 
+// ignoreProvisionerFlagIfRequired is a helper function that marks the provisioner
+// flag to be ignored when managing a provisioner or ACME account level policy. In
+// those cases the provisioner flag is used to filter which provisioner the policy
+// applies to, as opposed to its normal usage, where it can be used to select the
+// (admin) provisioner to use for authentication.
+func ignoreProvisionerFlagIfRequired(ctx context.Context) {
+	clictx := command.CLIContextFromContext(ctx)
+	if policycontext.IsProvisionerPolicyLevel(ctx) || policycontext.IsACMEPolicyLevel(ctx) {
+		provisionerflag.Ignore(clictx)
+	}
+}
+
 func retrieveAndInitializePolicy(ctx context.Context, client *ca.AdminClient) (*linkedca.Policy, error) {
 	var (
 		policy *linkedca.Policy

command/ca/policy/actions/principals.go

@@ -76,6 +76,8 @@ $ step ca policy provisioner ssh host deny principal root --provisioner my_ssh_u
 }
 
 func principalAction(ctx context.Context) (err error) {
+	ignoreProvisionerFlagIfRequired(ctx)
+
 	clictx := command.CLIContextFromContext(ctx)
 
 	args := clictx.Args()

command/ca/policy/actions/remove.go

@@ -71,6 +71,8 @@ $ step ca policy acme remove --provisioner my_acme_provisioner --eab-key-id "lUO
 }
 
 func removeAction(ctx context.Context) (err error) {
+	ignoreProvisionerFlagIfRequired(ctx)
+
 	clictx := command.CLIContextFromContext(ctx)
 	provisioner := clictx.String("provisioner")
 	reference := clictx.String("eab-key-reference")