Merge branch 'master' into carl/goreleaser-make

.github/workflows/actionlint.yml

@@ -0,0 +1,17 @@
+name: Lint GitHub Actions workflows
+on:
+  push:
+  workflow_call:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  actionlint:
+    uses: smallstep/workflows/.github/workflows/actionlint.yml@main
+    secrets: inherit

.github/workflows/release.yml

@@ -53,12 +53,12 @@ jobs:
           echo "DOCKER_TAGS_DEBIAN=${{ env.DOCKER_TAGS_DEBIAN }},${{ env.DOCKER_IMAGE }}:${DEBIAN_TAG}" >> "${GITHUB_ENV}"
       - name: Create Release
         id: create_release
-        uses: softprops/action-gh-release@a74c6b72af54cfa997e81df42d94703d6313a2d0 # v2.0.6
+        uses: softprops/action-gh-release@c062e08bd532815e2082a85e87e3ef29c3e6d191 # v2.0.8
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
-          tag_name: ${{ github.ref }}
-          name: Release ${{ github.ref }}
+          tag_name: ${{ github.ref_name }}
+          name: Release ${{ github.ref_name }}
           draft: false
           prerelease: ${{ steps.is_prerelease.outputs.IS_PRERELEASE }}
 
@@ -109,7 +109,7 @@ jobs:
       - name: Checkout
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
       - name: Setup Go
-        uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
+        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
         with:
           go-version: 'stable'
           check-latest: true

.goreleaser.yml

@@ -48,6 +48,7 @@ builds:
       - linux_amd64
       - linux_arm64
       - windows_amd64
+      - freebsd_amd64
     binary: 'step_{{ .Version }}_{{ .Os }}_{{ .Arch }}'
   -
     # This build is for S3 unversioned binaries that follow our naming convention there.
@@ -59,6 +60,7 @@ builds:
       - linux_amd64
       - linux_arm64
       - windows_amd64
+      - freebsd_amd64
     binary: 'step_latest_{{ .Os }}_{{ .Arch }}'
   -
     # This build is specifically for nFPM targets (.deb and .rpm files).
@@ -268,7 +270,7 @@ blobs:
       - s3-versioned
       - s3-unversioned
     acl: public-read
-    disable: '{{ neq .Prerelease "" }}'
+    disable: '{{ ne .Prerelease "" }}'
 
 
 winget:

CHANGELOG.md

@@ -26,6 +26,38 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 
 ---
 
+## [0.27.2] - 2024-07-18
+
+### Added
+
+- `console` flag to SSH commands (smallstep/cli#1238)
+- Upload FreeBSD build to S3 (smallstep/cli#1239)
+
+
+## [0.27.1] - 2024-07-11
+
+### Fixed
+
+- Broken release process
+
+
+## [0.27.0] - 2024-07-11
+
+### Changed
+
+- Makefile: install to /usr/local/bin, not /usr/bin (smallstep/cli#1214)
+
+### Fixed
+
+- Set proper JOSE algorithm for Ed25519 keys (smallstep/cli#1208)
+- Makefile: usage of install command line flags on MacOS (smallstep/cli#1212)
+- Restore operation of '--bundle' flag in certificate inspect (smallstep/cli#1215)
+- Fish completion (smallstep/cli#1222)
+- Restore operation of inspect CSR from STDIN (smallstep/cli#1232)
+
+### Security
+
+
 ## [0.26.2] - 2024-06-13
 
 ### Added

Makefile

@@ -21,6 +21,12 @@ GOOS_OVERRIDE?=
 # CGO_OVERRIDE="CGO_ENABLED=1" to enable CGO
 CGO_OVERRIDE?=CGO_ENABLED=0
 
+# which build id in .goreleaser.yml to build
+GORELEASER_BUILD_ID?=default
+ifdef DEBUG
+	GORELEASER_BUILD_ID=debug
+endif
+
 all: lint test build
 
 ci: test build
@@ -68,23 +74,32 @@ Q=$(if $V,,@)
 SRC=$(shell find . -type f -name '*.go')
 OUTPUT_ROOT=output/
 
-GORELEASER_BUILD_ID?=default
-ifdef DEBUG
-	GORELEASER_BUILD_ID=debug
+ifeq ($(OS),Windows_NT)
+	HOSTOS=Windows
+else
+	HOSTOS=$(shell uname)
 endif
+HOSTARCH=$(shell go env GOHOSTARCH)
+
+GORELEASER_PRO_URL=https://github.com/goreleaser/goreleaser-pro/releases/latest/download/goreleaser-pro_$(HOSTOS)_$(HOSTARCH).tar.gz
 
 .PHONY: all
 
 #########################################
 # Bootstrapping
 #########################################
-
+TMPDIR := $(shell mktemp -d)
+bootstra%: GOPATH=$(shell go env GOPATH)
 bootstra%:
 	$Q curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $$(go env GOPATH)/bin latest
 	$Q go install golang.org/x/vuln/cmd/govulncheck@latest
 	$Q go install gotest.tools/gotestsum@latest
 	$Q go install golang.org/x/tools/cmd/goimports@latest
-	$Q go install github.com/goreleaser/goreleaser@latest
+	@echo "Installing GoReleaser Pro into $(GOPATH)/bin"
+	$Q curl -o $(TMPDIR)/goreleaser.tar.gz -L $(GORELEASER_PRO_URL)
+	$Q ls $(TMPDIR)
+	$Q tar xvzf $(TMPDIR)/goreleaser.tar.gz -C $(TMPDIR)
+	$Q cp $(TMPDIR)/goreleaser $(GOPATH)/bin
 
 .PHONY: bootstra%
 

command/ca/ca.go

@@ -137,11 +137,6 @@ location being served by an existing fileserver in order to respond to ACME
 challenge validation requests.`,
 	}
 
-	consoleFlag = cli.BoolFlag{
-		Name:  "console",
-		Usage: "Complete the flow while remaining inside the terminal",
-	}
-
 	fingerprintFlag = cli.StringFlag{
 		Name:  "fingerprint",
 		Usage: "The <fingerprint> of the targeted root certificate.",

command/ca/certificate.go

@@ -191,7 +191,7 @@ multiple SANs. The '--san' flag and the '--token' flag are mutually exclusive.`,
 			flags.Force,
 			flags.Offline,
 			flags.PasswordFile,
-			consoleFlag,
+			flags.Console,
 			flags.KMSUri,
 			flags.X5cCert,
 			flags.X5cKey,

command/ca/sign.go

@@ -124,7 +124,7 @@ $ step ca sign foo.csr foo.crt \
 			flags.Force,
 			flags.Offline,
 			flags.PasswordFile,
-			consoleFlag,
+			flags.Console,
 			flags.KMSUri,
 			flags.X5cCert,
 			flags.X5cKey,

command/certificate/inspect.go

@@ -11,6 +11,7 @@ import (
 	"github.com/pkg/errors"
 	"github.com/smallstep/certinfo"
 	"github.com/smallstep/cli/flags"
+	"github.com/smallstep/cli/utils"
 	zx509 "github.com/smallstep/zcrypto/x509"
 	"github.com/urfave/cli"
 	"go.step.sm/cli-utils/errs"
@@ -218,17 +219,22 @@ func inspectAction(ctx *cli.Context) error {
 		}
 		return inspectCertificates(ctx, peerCertificates[:1], os.Stdout)
 	default: // is not URL
+		b, err := utils.ReadFile(crtFile)
+		if err != nil {
+			return errors.Wrapf(err, "error reading file %s", crtFile)
+		}
+
 		var pemError *pemutil.InvalidPEMError
-		crts, err := pemutil.ReadCertificateBundle(crtFile)
+		crts, err := pemutil.ParseCertificateBundle(b)
 		switch {
 		case errors.As(err, &pemError) && pemError.Type == pemutil.PEMTypeCertificate:
-			csr, err := pemutil.ReadCertificateRequest(crtFile)
+			csr, err := pemutil.ParseCertificateRequest(b)
 			if err != nil {
 				return errors.Errorf("file %s does not contain any valid CERTIFICATE or CERTIFICATE REQUEST blocks", crtFile)
 			}
 			return inspectCertificateRequest(ctx, csr, os.Stdout)
 		case err != nil:
-			return err
+			return fmt.Errorf("error parsing %s: %w", crtFile, err)
 		default:
 			if bundle {
 				return inspectCertificates(ctx, crts, os.Stdout)

command/oauth/cmd.go

@@ -1,7 +1,6 @@
 package oauth
 
 import (
-	"bufio"
 	"bytes"
 	"crypto/sha256"
 	"crypto/x509"
@@ -901,11 +900,9 @@ func (o *oauth) DoDeviceAuthorization() (*token, error) {
 		idr.Interval = defaultDeviceAuthzInterval
 	}
 
-	fmt.Fprintf(os.Stderr, "Visit %s and enter the code: (press 'ENTER' to open default browser)\n", idr.VerificationURI)
+	fmt.Fprintf(os.Stderr, "Visit %s and enter the code:\n", idr.VerificationURI)
 	fmt.Fprintln(os.Stderr, idr.UserCode)
 
-	go openBrowserIfAsked(o, idr.VerificationURI)
-
 	// Poll the Token endpoint until the user completes the flow.
 	data = url.Values{}
 	data.Set("client_id", o.clientID)
@@ -939,13 +936,6 @@ func (o *oauth) DoDeviceAuthorization() (*token, error) {
 	}
 }
 
-func openBrowserIfAsked(o *oauth, u string) {
-	reader := bufio.NewReader(os.Stdin)
-	reader.ReadString('\n')
-
-	exec.OpenInBrowser(u, o.browser)
-}
-
 var errHTTPToken = errors.New("bad request; token not returned")
 
 func (o *oauth) deviceAuthzTokenPoll(data url.Values) (*token, error) {

command/ssh/certificate.go

@@ -39,7 +39,7 @@ func certificateCommand() cli.Command {
 [**--password-file**=<file>] [**--provisioner-password-file**=<file>]
 [**--add-user**] [**--not-before**=<time|duration>] [**--comment**=<comment>]
 [**--not-after**=<time|duration>] [**--token**=<token>] [**--issuer**=<name>]
-[**--no-password**] [**--insecure**] [**--force**] [**--x5c-cert**=<file>]
+[**--console**] [**--no-password**] [**--insecure**] [**--force**] [**--x5c-cert**=<file>]
 [**--x5c-key**=<file>] [**--k8ssa-token-path**=<file>] [**--no-agent**]
 [**--kty**=<key-type>] [**--curve**=<curve>] [**--size**=<size>]
 [**--ca-url**=<uri>] [**--root**=<file>] [**--context**=<name>]`,
@@ -176,6 +176,7 @@ $  step ssh certificate --kty OKP --curve Ed25519 mariano@work id_ed25519
 			flags.Token,
 			flags.TemplateSet,
 			flags.TemplateSetFile,
+			flags.Console,
 			sshAddUserFlag,
 			sshHostFlag,
 			sshHostIDFlag,

command/ssh/config.go

@@ -31,7 +31,7 @@ func configCommand() cli.Command {
 		UsageText: `**step ssh config**
 [**--team**=<name>] [**--team-authority**=<sub-domain>] [**--host**]
 [**--set**=<key=value>] [**--set-file**=<file>] [**--dry-run**] [**--roots**]
-[**--federation**] [**--force**] [**--offline**] [**--ca-config**=<file>]
+[**--federation**] [**--console**] [**--force**] [**--offline**] [**--ca-config**=<file>]
 [**--ca-url**=<uri>] [**--root**=<file>] [**--context**=<name>]
 [**--authority**=<name>] [**--profile**=<name>]`,
 		Description: `**step ssh config** configures SSH to be used with certificates. It also supports
@@ -89,6 +89,7 @@ user or host certificates`,
 times to set multiple variables.`,
 			},
 			flags.TemplateSetFile,
+			flags.Console,
 			flags.DryRun,
 			flags.Force,
 			flags.CaConfig,
@@ -204,6 +205,9 @@ func configAction(ctx *cli.Context) (recoverErr error) {
 	if step.Contexts().Enabled() {
 		data["Context"] = step.Contexts().GetCurrent().Name
 	}
+	if ctx.Bool("console") {
+		data["Console"] = "true"
+	}
 	if len(sets) > 0 {
 		for _, s := range sets {
 			i := strings.Index(s, "=")

command/ssh/hosts.go

@@ -19,7 +19,7 @@ func hostsCommand() cli.Command {
 		Action: command.ActionFunc(hostsAction),
 		Usage:  "returns a list of all valid hosts",
 		UsageText: `**step ssh hosts** [**--set**=<key=value>] [**--set-file**=<file>]
-[**--offline**] [**--ca-config**=<file>] [**--ca-url**=<uri>] [**--root**=<file>]
+[**--console**] [**--offline**] [**--ca-config**=<file>] [**--ca-url**=<uri>] [**--root**=<file>]
 [**--context**=<name>]`,
 		Description: `**step ssh hosts** returns a list of valid hosts for SSH.
 
@@ -35,6 +35,7 @@ $ step ssh hosts
 		Flags: []cli.Flag{
 			flags.TemplateSet,
 			flags.TemplateSetFile,
+			flags.Console,
 			flags.Offline,
 			flags.CaConfig,
 			flags.CaURL,

command/ssh/login.go

@@ -29,7 +29,7 @@ func loginCommand() cli.Command {
 [**--token**=<token>] [**--provisioner**=<name>] [**--provisioner-password-file**=<file>]
 [**--principal**=<string>] [**--not-before**=<time|duration>] [**--not-after**=<time|duration>]
 [**--kty**=<key-type>] [**--curve**=<curve>] [**--size**=<size>] [**--comment**=<comment>]
-[**--set**=<key=value>] [**--set-file**=<file>] [**--force**] [**--insecure**]
+[**--set**=<key=value>] [**--set-file**=<file>] [**--console**] [**--force**] [**--insecure**]
 [**--offline**] [**--ca-config**=<file>]
 [**--ca-url**=<uri>] [**--root**=<file>] [**--context**=<name>]`,
 		Description: `**step ssh login** generates a new SSH key pair and send a request to [step
@@ -93,6 +93,7 @@ $  step ssh certificate --kty OKP --curve Ed25519 mariano@work id_ed25519
 			flags.NotAfter,
 			flags.TemplateSet,
 			flags.TemplateSetFile,
+			flags.Console,
 			flags.Force,
 			flags.Offline,
 			flags.CaConfig,

command/ssh/proxycommand.go

@@ -33,7 +33,7 @@ func proxycommandCommand() cli.Command {
 		Usage:  "proxy ssh connections according to the host registry",
 		UsageText: `**step ssh proxycommand** <user> <host> <port>
 [**--provisioner**=<name>] [**--set**=<key=value>] [**--set-file**=<file>]
-[**--offline**] [**--ca-config**=<file>]
+[**--console**] [**--offline**] [**--ca-config**=<file>]
 [**--ca-url**=<uri>] [**--root**=<file>] [**--context**=<name>]`,
 		Description: `**step ssh proxycommand** looks into the host registry
 and proxies the ssh connection according to its configuration. This command
@@ -56,6 +56,7 @@ This command will add the user to the ssh-agent if necessary.
 			flags.ProvisionerPasswordFileWithAlias,
 			flags.TemplateSet,
 			flags.TemplateSetFile,
+			flags.Console,
 			flags.Offline,
 			flags.CaConfig,
 			flags.CaURL,

flags/flags.go

@@ -467,6 +467,11 @@ flag exists so it can be configured in $STEPPATH/config/defaults.json.`,
 		Name:  "comment",
 		Usage: "The comment used when adding the certificate to an agent. Defaults to the subject if not provided.",
 	}
+
+	Console = cli.BoolFlag{
+		Name:  "console",
+		Usage: `Complete the flow while remaining inside the terminal.`,
+	}
 )
 
 // FingerprintFormatFlag returns a flag for configuring the fingerprint format.