From b09aee2dc85d64b13e885d1ff9f51dff218e0853 Mon Sep 17 00:00:00 2001
From: Mariano Cano
Date: Thu, 20 Jul 2023 18:17:32 -0700
Subject: [PATCH] Allow to disable smallstep extensions using the cli

This commit adds the flag --disable-smallstep-extensions to "step ca provisioner" commands. A provisioner created with this flag will have the claim DisableSmallstepExtensions set to true and certificates created using that provisioner will not have the smallstep provisioner extension.
Related to smallstep/certificates#620
---
 command/ca/provisioner/add.go | 6 ++++--
 command/ca/provisioner/provisioner.go | 4 ++++
 command/ca/provisioner/update.go | 6 +++++-
 3 files changed, 13 insertions(+), 3 deletions(-)
diff --git a/command/ca/provisioner/add.go b/command/ca/provisioner/add.go
index 0fd924a24..300b72e9c 100644
--- a/command/ca/provisioner/add.go
+++ b/command/ca/provisioner/add.go
@@ -167,6 +167,7 @@ SCEP
 sshHostDefaultDurFlag,
 disableRenewalFlag,
 allowRenewalAfterExpiryFlag,
+ disableSmallstepExtensionsFlag,
 //enableX509Flag,
 enableSSHFlag,
@@ -360,8 +361,9 @@ func addAction(ctx *cli.Context) (err error) {
 HostDurations: &linkedca.Durations{},
 Enabled: !(ctx.IsSet("ssh") && !ctx.Bool("ssh")),
 },
- DisableRenewal: ctx.Bool("disable-renewal"),
- AllowRenewalAfterExpiry: ctx.Bool("allow-renewal-after-expiry"),
+ DisableRenewal: ctx.Bool("disable-renewal"),
+ AllowRenewalAfterExpiry: ctx.Bool("allow-renewal-after-expiry"),
+ DisableSmallstepExtensions: ctx.Bool("disable-smallstep-extensions"),
 }
 if ctx.IsSet("x509-min-dur") {
diff --git a/command/ca/provisioner/provisioner.go b/command/ca/provisioner/provisioner.go
index 685a64ff3..eefc2aae0 100644
--- a/command/ca/provisioner/provisioner.go
+++ b/command/ca/provisioner/provisioner.go
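Review bot: The new claim line in addAction reads the option by its string literal, `ctx.Bool("disable-smallstep-extensions")`, which puts the name "disable-smallstep-extensions" in three separate places: here, in the flag definition in provisioner.go, and in the `IsSet`/`Bool` pair in updateClaims in update.go. That follows the pattern of the neighbouring DisableRenewal and AllowRenewalAfterExpiry lines, but a typo in any one copy turns the option into a silent no-op and the claim stays false with no error. Since the flag is already a package-level `cli.BoolFlag` with a `Name` field, `DisableSmallstepExtensions: ctx.Bool(disableSmallstepExtensionsFlag.Name),` here and the equivalent in update.go would tie every use to the one definition. addAction begins before this hunk, so the rest of the claims construction is not visible here.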
@@ -248,6 +248,10 @@ unit suffix, such as "300ms", "-1.5h" or "2h45m". Valid time units are "ns",
 Name: "allow-renewal-after-expiry",
 Usage: `Allow renewals for expired certificates generated by this provisioner.`,
 }
+ disableSmallstepExtensionsFlag = cli.BoolFlag{
+ Name: "disable-smallstep-extensions",
+ Usage: `Disable the Smallstep extension for all certificates generated by this provisioner.`,
+ }
 //enableX509Flag = cli.BoolFlag{
 // Name: "x509",
 // Usage: `Enable provisioning of x509 certificates.`,
diff --git a/command/ca/provisioner/update.go b/command/ca/provisioner/update.go
index f36b53ba9..b4f608b07 100644
--- a/command/ca/provisioner/update.go
+++ b/command/ca/provisioner/update.go
@@ -166,6 +166,7 @@ SCEP
 sshHostDefaultDurFlag,
 disableRenewalFlag,
 allowRenewalAfterExpiryFlag,
+ disableSmallstepExtensionsFlag,
 //enableX509Flag,
 enableSSHFlag,
@@ -404,8 +405,11 @@ func updateClaims(ctx *cli.Context, p *linkedca.Provisioner) {
 if ctx.IsSet("allow-renewal-after-expiry") {
 p.Claims.AllowRenewalAfterExpiry = ctx.Bool("allow-renewal-after-expiry")
 }
- claims := p.Claims
+ if ctx.IsSet("disable-smallstep-extensions") {
+ p.Claims.DisableSmallstepExtensions = ctx.Bool("disable-smallstep-extensions")
+ }
+ claims := p.Claims
 if claims.X509 == nil {
 claims.X509 = &linkedca.X509Claims{}
 }
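Review bot: The Usage string of disableSmallstepExtensionsFlag says "the Smallstep extension" without naming which extension or what is lost, while the commit message describes the effect as issued certificates no longer carrying the smallstep provisioner extension. An operator reading `--help` cannot tell that this removes data from every certificate the provisioner signs rather than toggling some client-side feature. If, as the name suggests, that extension is what records the issuing provisioner inside the certificate, the help text should say so, e.g. `Disable the Smallstep provisioner extension in all certificates generated by this provisioner; such certificates no longer identify the provisioner that issued them.` Whether anything on the CA side relies on the extension for a certificate presented later is not visible in this change and is worth confirming before settling the wording.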
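Review bot: The new `IsSet` guard in updateClaims means the stored claim changes only when the flag is given explicitly, so the only way to turn the extension back on for an existing provisioner is to pass the flag with an explicit false value (assuming the cli package accepts `--disable-smallstep-extensions=false`), and nothing in the command help tells the operator this. A one-line comment above the block, `// Leave the stored claim alone unless the flag is given; --disable-smallstep-extensions=false re-enables the extension.`, would document it, and the same holds for the renewal flags this block mirrors. The block also dereferences `p.Claims` without a nil check, exactly like the lines above it; updateClaims starts outside the hunk, so whether Claims is guaranteed non-nil earlier in the function cannot be seen here.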