From 52c336b72b4ada8debd9478bd59696be42a5e5f5 Mon Sep 17 00:00:00 2001 From: Aravind Khasibhatla Date: Tue, 3 Mar 2026 11:35:39 -0800 Subject: [PATCH 01/12] Add require-crl-on-client-certificate flag to certificate-authority commands Add support for the new require_crl_on_client_certificate attribute in the Certificate Authority API: - Add --require-crl-on-client-certificate flag to create command (required) - Add --require-crl-on-client-certificate flag to update command - Display the field in describe and list output - Update test fixtures and handlers Co-Authored-By: Claude Opus 4.5 --- internal/iam/command_certificate_authority.go | 42 ++++++++++--------- .../command_certificate_authority_create.go | 20 ++++++--- .../iam/command_certificate_authority_list.go | 21 +++++----- .../command_certificate_authority_update.go | 19 ++++++--- .../create-url-chain.golden | 23 +++++----- .../iam/certificate-authority/create.golden | 19 +++++---- .../describe-json.golden | 3 +- .../iam/certificate-authority/describe.golden | 19 +++++---- .../certificate-authority/list-json.golden | 9 ++-- .../iam/certificate-authority/list.golden | 10 ++--- .../update-crl-url.golden | 25 +++++------ .../iam/certificate-authority/update.golden | 19 +++++---- test/test-server/iam_handlers.go | 35 ++++++++-------- 13 files changed, 147 insertions(+), 117 deletions(-) diff --git a/internal/iam/command_certificate_authority.go b/internal/iam/command_certificate_authority.go index 31672f7856..bd5c0d5769 100644 --- a/internal/iam/command_certificate_authority.go +++ b/internal/iam/command_certificate_authority.go 
@@ -16,16 +16,17 @@ type certificateAuthorityCommand struct { } type certificateAuthorityOut struct { - Id string `human:"ID" serialized:"id"` - Name string `human:"Name" serialized:"name"` - Description string `human:"Description" serialized:"description"` - Fingerprints []string `human:"Fingerprints" serialized:"fingerprints"` - ExpirationDates []time.Time `human:"Expiration Dates" serialized:"expiration_dates"` - SerialNumbers []string `human:"Serial Numbers" serialized:"serial_numbers"` - CertificateChainFilename string `human:"Certificate Chain Filename" serialized:"certificate_chain_filename"` - CrlSource string `human:"CRL Source,omitempty" serialized:"crl_source,omitempty"` - CrlUrl string `human:"CRL URL,omitempty" serialized:"crl_url,omitempty"` - CrlUpdatedAt *time.Time `human:"CRL Updated At,omitempty" serialized:"crl_updated_at,omitempty"` + Id string `human:"ID" serialized:"id"` + Name string `human:"Name" serialized:"name"` + Description string `human:"Description" serialized:"description"` + Fingerprints []string `human:"Fingerprints" serialized:"fingerprints"` + ExpirationDates []time.Time `human:"Expiration Dates" serialized:"expiration_dates"` + SerialNumbers []string `human:"Serial Numbers" serialized:"serial_numbers"` + CertificateChainFilename string `human:"Certificate Chain Filename" serialized:"certificate_chain_filename"` + CrlSource string `human:"CRL Source,omitempty" serialized:"crl_source,omitempty"` + CrlUrl string `human:"CRL URL,omitempty" serialized:"crl_url,omitempty"` + CrlUpdatedAt *time.Time `human:"CRL Updated At,omitempty" serialized:"crl_updated_at,omitempty"` + RequireCrlOnClientCertificate bool `human:"Require CRL On Client Certificate" serialized:"require_crl_on_client_certificate"` } func newCertificateAuthorityCommand(prerunner pcmd.PreRunner) *cobra.Command { 
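Review bot: The new `RequireCrlOnClientCertificate bool` field in `certificateAuthorityOut` cannot distinguish "the API did not return this attribute" from "CRL checking is explicitly not required". The API model appears to carry it as a pointer, since the same commit assigns it with `PtrBool(...)`. If `GetRequireCrlOnClientCertificate()` follows the usual generated-client convention of returning the zero value for a nil pointer, describe and list will print `false` for a certificate authority whose setting is simply unknown. Someone auditing revocation posture from that output would get a misleading answer. Consider declaring the field as `*bool` with `omitempty` in both tags and assigning `certificateAuthority.RequireCrlOnClientCertificate` directly, the way `CrlUpdatedAt` is handled, provided the output package renders `*bool`. The same applies to the assignments in the `printCertificateAuthority` hunk and in the `list` hunk.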
@@ -49,16 +50,17 @@ func newCertificateAuthorityCommand(prerunner pcmd.PreRunner) *cobra.Command { func printCertificateAuthority(cmd *cobra.Command, certificateAuthority certificateauthorityv2.IamV2CertificateAuthority) error { table := output.NewTable(cmd) table.Add(&certificateAuthorityOut{ - Id: certificateAuthority.GetId(), - Name: certificateAuthority.GetDisplayName(), - Description: certificateAuthority.GetDescription(), - Fingerprints: certificateAuthority.GetFingerprints(), - ExpirationDates: certificateAuthority.GetExpirationDates(), - SerialNumbers: certificateAuthority.GetSerialNumbers(), - CertificateChainFilename: certificateAuthority.GetCertificateChainFilename(), - CrlSource: certificateAuthority.GetCrlSource(), - CrlUrl: certificateAuthority.GetCrlUrl(), - CrlUpdatedAt: certificateAuthority.CrlUpdatedAt, + Id: certificateAuthority.GetId(), + Name: certificateAuthority.GetDisplayName(), + Description: certificateAuthority.GetDescription(), + Fingerprints: certificateAuthority.GetFingerprints(), + ExpirationDates: certificateAuthority.GetExpirationDates(), + SerialNumbers: certificateAuthority.GetSerialNumbers(), + CertificateChainFilename: certificateAuthority.GetCertificateChainFilename(), + CrlSource: certificateAuthority.GetCrlSource(), + CrlUrl: certificateAuthority.GetCrlUrl(), + CrlUpdatedAt: certificateAuthority.CrlUpdatedAt, + RequireCrlOnClientCertificate: certificateAuthority.GetRequireCrlOnClientCertificate(), }) return table.Print() } diff --git a/internal/iam/command_certificate_authority_create.go b/internal/iam/command_certificate_authority_create.go index a8ac3c44be..08a1acecda 100644 --- a/internal/iam/command_certificate_authority_create.go +++ b/internal/iam/command_certificate_authority_create.go 
@@ -49,12 +49,14 @@ X4XSQRjbgbMEHMUfpIBvFSDJ3gyICh3WZlXi/EjJKSZp4A== cmd.Flags().String("certificate-chain-filename", "", "The name of the certificate file.") cmd.Flags().String("crl-url", "", "The URL from which to fetch the CRL (Certificate Revocation List) for the certificate authority.") cmd.Flags().String("crl-chain", "", "A base64 encoded string containing the CRL for this certificate authority.") + cmd.Flags().Bool("require-crl-on-client-certificate", false, "Whether to require CRL validation on client certificates.") pcmd.AddContextFlag(cmd, c.CLICommand) pcmd.AddOutputFlag(cmd) cobra.CheckErr(cmd.MarkFlagRequired("description")) cobra.CheckErr(cmd.MarkFlagRequired("certificate-chain")) cobra.CheckErr(cmd.MarkFlagRequired("certificate-chain-filename")) + cobra.CheckErr(cmd.MarkFlagRequired("require-crl-on-client-certificate")) return cmd } 
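Review bot: The help string for the new required flag, `"Whether to require CRL validation on client certificates."`, does not tell the operator how to supply the negative value. This is a pflag boolean, so `--require-crl-on-client-certificate false` is read as the flag being set to true followed by a stray positional argument; only `--require-crl-on-client-certificate=false` turns the requirement off. Because the flag controls revocation checking, I would spell that out, for example `"Whether client certificates must be validated against a CRL. Use --require-crl-on-client-certificate=false to create the certificate authority without this requirement."`. Marking it with `MarkFlagRequired` also makes every existing `create` invocation fail until it is updated, which deserves a line in the release notes. The function that declares these flags starts outside the hunk, and the update command's flag in `command_certificate_authority_update.go` uses the same help text.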
@@ -85,13 +87,19 @@ func (c *certificateAuthorityCommand) create(cmd *cobra.Command, args []string) return err } + requireCrlOnClientCertificate, err := cmd.Flags().GetBool("require-crl-on-client-certificate") + if err != nil { + return err + } + certRequest := certificateauthorityv2.IamV2CreateCertRequest{ - DisplayName: certificateauthorityv2.PtrString(args[0]), - Description: certificateauthorityv2.PtrString(description), - CertificateChain: certificateauthorityv2.PtrString(certificateChain), - CertificateChainFilename: certificateauthorityv2.PtrString(certificateChainFilename), - CrlUrl: certificateauthorityv2.PtrString(crlUrl), - CrlChain: certificateauthorityv2.PtrString(crlChain), + DisplayName: certificateauthorityv2.PtrString(args[0]), + Description: certificateauthorityv2.PtrString(description), + CertificateChain: certificateauthorityv2.PtrString(certificateChain), + CertificateChainFilename: certificateauthorityv2.PtrString(certificateChainFilename), + CrlUrl: certificateauthorityv2.PtrString(crlUrl), + CrlChain: certificateauthorityv2.PtrString(crlChain), + RequireCrlOnClientCertificate: certificateauthorityv2.PtrBool(requireCrlOnClientCertificate), } certificateAuthority, err := c.V2Client.CreateCertificateAuthority(certRequest) diff --git a/internal/iam/command_certificate_authority_list.go b/internal/iam/command_certificate_authority_list.go index 9280499a02..652ff18919 100644 --- a/internal/iam/command_certificate_authority_list.go +++ b/internal/iam/command_certificate_authority_list.go 
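Review bot: `create` sends `RequireCrlOnClientCertificate` without checking that a CRL source accompanies it, so `--require-crl-on-client-certificate` with neither `--crl-url` nor `--crl-chain` goes to the API as is. The updated `create.golden` test case is exactly that combination. How the service treats a certificate authority that requires a CRL but has none is not visible here; it could reject every client certificate or leave the check ineffective, and neither is something an operator should learn about after the fact. Unless the API already rejects this, I would add a guard before building `certRequest`, along the lines of `if requireCrlOnClientCertificate && crlUrl == "" && crlChain == "" { /* return an error or print a warning */ }`. The `update` hunk at `@@ -93,6 +95,13 @@` sets the field the same way without looking at `update.CrlUrl` or `update.CrlChain`. The body of `create` continues outside this hunk.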
@@ -30,16 +30,17 @@ func (c *certificateAuthorityCommand) list(cmd *cobra.Command, _ []string) error list := output.NewList(cmd) for _, certificateAuthority := range certificateAuthorities { list.Add(&certificateAuthorityOut{ - Id: certificateAuthority.GetId(), - Name: certificateAuthority.GetDisplayName(), - Description: certificateAuthority.GetDescription(), - Fingerprints: certificateAuthority.GetFingerprints(), - ExpirationDates: certificateAuthority.GetExpirationDates(), - SerialNumbers: certificateAuthority.GetSerialNumbers(), - CertificateChainFilename: certificateAuthority.GetCertificateChainFilename(), - CrlSource: certificateAuthority.GetCrlSource(), - CrlUrl: certificateAuthority.GetCrlUrl(), - CrlUpdatedAt: certificateAuthority.CrlUpdatedAt, + Id: certificateAuthority.GetId(), + Name: certificateAuthority.GetDisplayName(), + Description: certificateAuthority.GetDescription(), + Fingerprints: certificateAuthority.GetFingerprints(), + ExpirationDates: certificateAuthority.GetExpirationDates(), + SerialNumbers: certificateAuthority.GetSerialNumbers(), + CertificateChainFilename: certificateAuthority.GetCertificateChainFilename(), + CrlSource: certificateAuthority.GetCrlSource(), + CrlUrl: certificateAuthority.GetCrlUrl(), + CrlUpdatedAt: certificateAuthority.CrlUpdatedAt, + RequireCrlOnClientCertificate: certificateAuthority.GetRequireCrlOnClientCertificate(), }) } return list.Print() diff --git a/internal/iam/command_certificate_authority_update.go b/internal/iam/command_certificate_authority_update.go index 0b9a0d8365..852360cb81 100644 --- a/internal/iam/command_certificate_authority_update.go +++ b/internal/iam/command_certificate_authority_update.go 
@@ -30,6 +30,7 @@ func (c *certificateAuthorityCommand) newUpdateCommand() *cobra.Command { cmd.Flags().String("certificate-chain-filename", "", "The name of the certificate file.") cmd.Flags().String("crl-url", "", "The URL from which to fetch the CRL (Certificate Revocation List) for the certificate authority.") cmd.Flags().String("crl-chain", "", "A base64 encoded string containing the CRL for this certificate authority.") + cmd.Flags().Bool("require-crl-on-client-certificate", false, "Whether to require CRL validation on client certificates.") pcmd.AddContextFlag(cmd, c.CLICommand) pcmd.AddOutputFlag(cmd) @@ -46,11 +47,12 @@ func (c *certificateAuthorityCommand) update(cmd *cobra.Command, args []string) } update := certificateauthorityv2.IamV2UpdateCertRequest{ - Id: certificateauthorityv2.PtrString(args[0]), - DisplayName: currentCertificateAuthority.DisplayName, - Description: currentCertificateAuthority.Description, - CertificateChainFilename: currentCertificateAuthority.CertificateChainFilename, - CrlUrl: currentCertificateAuthority.CrlUrl, + Id: certificateauthorityv2.PtrString(args[0]), + DisplayName: currentCertificateAuthority.DisplayName, + Description: currentCertificateAuthority.Description, + CertificateChainFilename: currentCertificateAuthority.CertificateChainFilename, + CrlUrl: currentCertificateAuthority.CrlUrl, + RequireCrlOnClientCertificate: currentCertificateAuthority.RequireCrlOnClientCertificate, } if cmd.Flags().Changed("name") { name, err := cmd.Flags().GetString("name") 
@@ -93,6 +95,13 @@ func (c *certificateAuthorityCommand) update(cmd *cobra.Command, args []string) } update.CrlChain = certificateauthorityv2.PtrString(crlChain) } + if cmd.Flags().Changed("require-crl-on-client-certificate") { + requireCrlOnClientCertificate, err := cmd.Flags().GetBool("require-crl-on-client-certificate") + if err != nil { + return err + } + update.RequireCrlOnClientCertificate = certificateauthorityv2.PtrBool(requireCrlOnClientCertificate) + } certificateAuthority, err := c.V2Client.UpdateCertificateAuthority(update) if err != nil { diff --git a/test/fixtures/output/iam/certificate-authority/create-url-chain.golden b/test/fixtures/output/iam/certificate-authority/create-url-chain.golden index 2340774ae8..f9d8df5efb 100644 --- a/test/fixtures/output/iam/certificate-authority/create-url-chain.golden +++ b/test/fixtures/output/iam/certificate-authority/create-url-chain.golden 
@@ -1,11 +1,12 @@ -+----------------------------+------------------------------------------+ -| ID | op-12345 | -| Name | my-ca | -| Description | my certificate authority | -| Fingerprints | B1BC968BD4f49D622AA89A81F2150152A41D829C | -| Expiration Dates | 2017-07-21 17:32:28 +0000 UTC | -| Serial Numbers | 219C542DE8f6EC7177FA4EE8C3705797 | -| Certificate Chain Filename | certificate.pem | -| CRL Source | LOCAL | -| CRL Updated At | 2024-07-21 17:32:28 +0000 UTC | -+----------------------------+------------------------------------------+ ++-----------------------------------+------------------------------------------+ +| ID | op-12345 | +| Name | my-ca | +| Description | my certificate authority | +| Fingerprints | B1BC968BD4f49D622AA89A81F2150152A41D829C | +| Expiration Dates | 2017-07-21 17:32:28 +0000 UTC | +| Serial Numbers | 219C542DE8f6EC7177FA4EE8C3705797 | +| Certificate Chain Filename | certificate.pem | +| CRL Source | LOCAL | +| CRL Updated At | 2024-07-21 17:32:28 +0000 UTC | +| Require CRL On Client Certificate | true | ++-----------------------------------+------------------------------------------+ diff --git a/test/fixtures/output/iam/certificate-authority/create.golden b/test/fixtures/output/iam/certificate-authority/create.golden index c17b700ccf..a25e845567 100644 --- a/test/fixtures/output/iam/certificate-authority/create.golden +++ b/test/fixtures/output/iam/certificate-authority/create.golden 
@@ -1,9 +1,10 @@ -+----------------------------+------------------------------------------+ -| ID | op-12345 | -| Name | my-ca | -| Description | my certificate authority | -| Fingerprints | B1BC968BD4f49D622AA89A81F2150152A41D829C | -| Expiration Dates | 2017-07-21 17:32:28 +0000 UTC | -| Serial Numbers | 219C542DE8f6EC7177FA4EE8C3705797 | -| Certificate Chain Filename | certificate.pem | -+----------------------------+------------------------------------------+ ++-----------------------------------+------------------------------------------+ +| ID | op-12345 | +| Name | my-ca | +| Description | my certificate authority | +| Fingerprints | B1BC968BD4f49D622AA89A81F2150152A41D829C | +| Expiration Dates | 2017-07-21 17:32:28 +0000 UTC | +| Serial Numbers | 219C542DE8f6EC7177FA4EE8C3705797 | +| Certificate Chain Filename | certificate.pem | +| Require CRL On Client Certificate | true | ++-----------------------------------+------------------------------------------+ diff --git a/test/fixtures/output/iam/certificate-authority/describe-json.golden b/test/fixtures/output/iam/certificate-authority/describe-json.golden index 8b2d8a6c76..3dc675fbcb 100644 --- a/test/fixtures/output/iam/certificate-authority/describe-json.golden +++ b/test/fixtures/output/iam/certificate-authority/describe-json.golden @@ -5,5 +5,6 @@ "fingerprints": ["B1BC968BD4f49D622AA89A81F2150152A41D829C"], "expiration_dates": ["2017-07-21T17:32:28Z"], "serial_numbers": ["219C542DE8f6EC7177FA4EE8C3705797"], - "certificate_chain_filename": "certificate.pem" + "certificate_chain_filename": "certificate.pem", + "require_crl_on_client_certificate": true } diff --git a/test/fixtures/output/iam/certificate-authority/describe.golden b/test/fixtures/output/iam/certificate-authority/describe.golden index c17b700ccf..a25e845567 100644 --- a/test/fixtures/output/iam/certificate-authority/describe.golden +++ b/test/fixtures/output/iam/certificate-authority/describe.golden 
@@ -1,9 +1,10 @@ -+----------------------------+------------------------------------------+ -| ID | op-12345 | -| Name | my-ca | -| Description | my certificate authority | -| Fingerprints | B1BC968BD4f49D622AA89A81F2150152A41D829C | -| Expiration Dates | 2017-07-21 17:32:28 +0000 UTC | -| Serial Numbers | 219C542DE8f6EC7177FA4EE8C3705797 | -| Certificate Chain Filename | certificate.pem | -+----------------------------+------------------------------------------+ ++-----------------------------------+------------------------------------------+ +| ID | op-12345 | +| Name | my-ca | +| Description | my certificate authority | +| Fingerprints | B1BC968BD4f49D622AA89A81F2150152A41D829C | +| Expiration Dates | 2017-07-21 17:32:28 +0000 UTC | +| Serial Numbers | 219C542DE8f6EC7177FA4EE8C3705797 | +| Certificate Chain Filename | certificate.pem | +| Require CRL On Client Certificate | true | ++-----------------------------------+------------------------------------------+ diff --git a/test/fixtures/output/iam/certificate-authority/list-json.golden b/test/fixtures/output/iam/certificate-authority/list-json.golden index dd77b4ea2f..3f92698525 100644 --- a/test/fixtures/output/iam/certificate-authority/list-json.golden +++ b/test/fixtures/output/iam/certificate-authority/list-json.golden @@ -6,7 +6,8 @@ "fingerprints": ["B1BC968BD4f49D622AA89A81F2150152A41D829C"], "expiration_dates": ["2017-07-21T17:32:28Z"], "serial_numbers": ["219C542DE8f6EC7177FA4EE8C3705797"], - "certificate_chain_filename": "certificate.pem" + "certificate_chain_filename": "certificate.pem", + "require_crl_on_client_certificate": true }, { "id": "op-54321", @@ -17,7 +18,8 @@ "serial_numbers": ["219C542DE8f6EC7177FA4EE8C3705797"], "certificate_chain_filename": "certificate-2.pem", "crl_source": "LOCAL", - "crl_updated_at": "2024-07-21T17:32:28Z" + "crl_updated_at": "2024-07-21T17:32:28Z", + "require_crl_on_client_certificate": false }, { "id": "op-67890", 
@@ -29,6 +31,7 @@ "certificate_chain_filename": "certificate-3.pem", "crl_source": "URL", "crl_url": "example.url", - "crl_updated_at": "2024-07-21T17:32:28Z" + "crl_updated_at": "2024-07-21T17:32:28Z", + "require_crl_on_client_certificate": true } ] diff --git a/test/fixtures/output/iam/certificate-authority/list.golden b/test/fixtures/output/iam/certificate-authority/list.golden index 827cc9efbe..ddece1fd54 100644 --- a/test/fixtures/output/iam/certificate-authority/list.golden +++ b/test/fixtures/output/iam/certificate-authority/list.golden 
@@ -1,5 +1,5 @@ - ID | Name | Description | Fingerprints | Expiration Dates | Serial Numbers | Certificate Chain Filename | CRL Source | CRL URL | CRL Updated At ------------+---------+--------------------------------+------------------------------------------+-------------------------------+----------------------------------+----------------------------+------------+-------------+-------------------------------- - op-12345 | my-ca | my certificate authority | B1BC968BD4f49D622AA89A81F2150152A41D829C | 2017-07-21 17:32:28 +0000 UTC | 219C542DE8f6EC7177FA4EE8C3705797 | certificate.pem | | | - op-54321 | my-ca-2 | my other certificate authority | B1BC968BD4f49D622AA89A81F2150152A41D829C | 2017-07-21 17:32:28 +0000 UTC | 219C542DE8f6EC7177FA4EE8C3705797 | certificate-2.pem | LOCAL | | 2024-07-21 17:32:28 +0000 UTC - op-67890 | my-ca-3 | my other certificate authority | B1BC968BD4f49D622AA89A81F2150152A41D829C | 2017-07-21 17:32:28 +0000 UTC | 219C542DE8f6EC7177FA4EE8C3705797 | certificate-3.pem | URL | example.url | 2024-07-21 17:32:28 +0000 UTC + ID | Name | Description | Fingerprints | Expiration Dates | Serial Numbers | Certificate Chain Filename | CRL Source | CRL URL | CRL Updated At | Require CRL On Client Certificate +-----------+---------+--------------------------------+------------------------------------------+-------------------------------+----------------------------------+----------------------------+------------+-------------+------------------------------+------------------------------------- + op-12345 | my-ca | my certificate authority | B1BC968BD4f49D622AA89A81F2150152A41D829C | 2017-07-21 17:32:28 +0000 UTC | 219C542DE8f6EC7177FA4EE8C3705797 | certificate.pem | | | | true + op-54321 | my-ca-2 | my other certificate authority | B1BC968BD4f49D622AA89A81F2150152A41D829C | 2017-07-21 17:32:28 +0000 UTC | 219C542DE8f6EC7177FA4EE8C3705797 | certificate-2.pem | LOCAL | | 2024-07-21 17:32:28 +0000 UTC | false + op-67890 | my-ca-3 | my other certificate 
authority | B1BC968BD4f49D622AA89A81F2150152A41D829C | 2017-07-21 17:32:28 +0000 UTC | 219C542DE8f6EC7177FA4EE8C3705797 | certificate-3.pem | URL | example.url | 2024-07-21 17:32:28 +0000 UTC | true diff --git a/test/fixtures/output/iam/certificate-authority/update-crl-url.golden b/test/fixtures/output/iam/certificate-authority/update-crl-url.golden index 2f077d3694..16ed2c6f0a 100644 --- a/test/fixtures/output/iam/certificate-authority/update-crl-url.golden +++ b/test/fixtures/output/iam/certificate-authority/update-crl-url.golden @@ -1,12 +1,13 @@ -+----------------------------+------------------------------------------+ -| ID | op-12345 | -| Name | new name | -| Description | new description | -| Fingerprints | B1BC968BD4f49D622AA89A81F2150152A41D829C | -| Expiration Dates | 2017-07-21 17:32:28 +0000 UTC | -| Serial Numbers | 219C542DE8f6EC7177FA4EE8C3705797 | -| Certificate Chain Filename | certificate-2.pem | -| CRL Source | URL | -| CRL URL | example.url | -| CRL Updated At | 2024-07-21 17:32:28 +0000 UTC | -+----------------------------+------------------------------------------+ ++-----------------------------------+------------------------------------------+ +| ID | op-12345 | +| Name | new name | +| Description | new description | +| Fingerprints | B1BC968BD4f49D622AA89A81F2150152A41D829C | +| Expiration Dates | 2017-07-21 17:32:28 +0000 UTC | +| Serial Numbers | 219C542DE8f6EC7177FA4EE8C3705797 | +| Certificate Chain Filename | certificate-2.pem | +| CRL Source | URL | +| CRL URL | example.url | +| CRL Updated At | 2024-07-21 17:32:28 +0000 UTC | +| Require CRL On Client Certificate | true | ++-----------------------------------+------------------------------------------+ diff --git a/test/fixtures/output/iam/certificate-authority/update.golden b/test/fixtures/output/iam/certificate-authority/update.golden index d4ad8515b4..2324d2a860 100644 --- a/test/fixtures/output/iam/certificate-authority/update.golden 
+++ b/test/fixtures/output/iam/certificate-authority/update.golden @@ -1,9 +1,10 @@ -+----------------------------+------------------------------------------+ -| ID | op-12345 | -| Name | new name | -| Description | new description | -| Fingerprints | B1BC968BD4f49D622AA89A81F2150152A41D829C | -| Expiration Dates | 2017-07-21 17:32:28 +0000 UTC | -| Serial Numbers | 219C542DE8f6EC7177FA4EE8C3705797 | -| Certificate Chain Filename | certificate-2.pem | -+----------------------------+------------------------------------------+ ++-----------------------------------+------------------------------------------+ +| ID | op-12345 | +| Name | new name | +| Description | new description | +| Fingerprints | B1BC968BD4f49D622AA89A81F2150152A41D829C | +| Expiration Dates | 2017-07-21 17:32:28 +0000 UTC | +| Serial Numbers | 219C542DE8f6EC7177FA4EE8C3705797 | +| Certificate Chain Filename | certificate-2.pem | +| Require CRL On Client Certificate | true | ++-----------------------------------+------------------------------------------+ diff --git a/test/test-server/iam_handlers.go b/test/test-server/iam_handlers.go index 0c67c13560..551ecc5632 100644 --- a/test/test-server/iam_handlers.go +++ b/test/test-server/iam_handlers.go @@ -516,7 +516,7 @@ func handleIamCertificateAuthority(t *testing.T) http.HandlerFunc { } switch r.Method { case http.MethodGet: - certificateAuthority := buildIamCertificateAuthority(id, "my-ca", "my certificate authority", "certificate.pem", "", "") + certificateAuthority := buildIamCertificateAuthority(id, "my-ca", "my certificate authority", "certificate.pem", "", "", true) err := json.NewEncoder(w).Encode(certificateAuthority) require.NoError(t, err) case http.MethodDelete: 
@@ -525,7 +525,7 @@ func handleIamCertificateAuthority(t *testing.T) http.HandlerFunc { var req certificateauthorityv2.IamV2UpdateCertRequest err := json.NewDecoder(r.Body).Decode(&req) require.NoError(t, err) - certificateAuthority := buildIamCertificateAuthority(id, req.GetDisplayName(), req.GetDescription(), req.GetCertificateChainFilename(), req.GetCrlUrl(), req.GetCrlChain()) + certificateAuthority := buildIamCertificateAuthority(id, req.GetDisplayName(), req.GetDescription(), req.GetCertificateChainFilename(), req.GetCrlUrl(), req.GetCrlChain(), req.GetRequireCrlOnClientCertificate()) err = json.NewEncoder(w).Encode(certificateAuthority) require.NoError(t, err) } @@ -538,9 +538,9 @@ func handleIamCertificateAuthorities(t *testing.T) http.HandlerFunc { switch r.Method { case http.MethodGet: certificateAuthorityList := &certificateauthorityv2.IamV2CertificateAuthorityList{Data: []certificateauthorityv2.IamV2CertificateAuthority{ - buildIamCertificateAuthority("op-12345", "my-ca", "my certificate authority", "certificate.pem", "", ""), - buildIamCertificateAuthority("op-54321", "my-ca-2", "my other certificate authority", "certificate-2.pem", "", "DEF456"), - buildIamCertificateAuthority("op-67890", "my-ca-3", "my other certificate authority", "certificate-3.pem", "example.url", ""), + buildIamCertificateAuthority("op-12345", "my-ca", "my certificate authority", "certificate.pem", "", "", true), + buildIamCertificateAuthority("op-54321", "my-ca-2", "my other certificate authority", "certificate-2.pem", "", "DEF456", false), + buildIamCertificateAuthority("op-67890", "my-ca-3", "my other certificate authority", "certificate-3.pem", "example.url", "", true), }} setPageToken(certificateAuthorityList, &certificateAuthorityList.Metadata, r.URL) err := json.NewEncoder(w).Encode(certificateAuthorityList) 
@@ -549,7 +549,7 @@ func handleIamCertificateAuthorities(t *testing.T) http.HandlerFunc { var req certificateauthorityv2.IamV2CreateCertRequest err := json.NewDecoder(r.Body).Decode(&req) require.NoError(t, err) - certificateAuthority := buildIamCertificateAuthority("op-12345", req.GetDisplayName(), req.GetDescription(), req.GetCertificateChainFilename(), req.GetCrlUrl(), req.GetCrlChain()) + certificateAuthority := buildIamCertificateAuthority("op-12345", req.GetDisplayName(), req.GetDescription(), req.GetCertificateChainFilename(), req.GetCrlUrl(), req.GetCrlChain(), req.GetRequireCrlOnClientCertificate()) err = json.NewEncoder(w).Encode(certificateAuthority) require.NoError(t, err) } @@ -867,7 +867,7 @@ func buildIamPool(id, name, description, identityClaim, filter string) identityp } } -func buildIamCertificateAuthority(id, name, description, certificateChainFilename, crlUrl, crlChain string) certificateauthorityv2.IamV2CertificateAuthority { +func buildIamCertificateAuthority(id, name, description, certificateChainFilename, crlUrl, crlChain string, requireCrlOnClientCertificate bool) certificateauthorityv2.IamV2CertificateAuthority { expDate, _ := time.Parse(time.RFC3339, "2017-07-21T17:32:28Z") crlSource := "" 
@@ -886,16 +886,17 @@ func buildIamCertificateAuthority(id, name, description, certificateChainFilenam } return certificateauthorityv2.IamV2CertificateAuthority{ - Id: certificateauthorityv2.PtrString(id), - DisplayName: certificateauthorityv2.PtrString(name), - Description: certificateauthorityv2.PtrString(description), - Fingerprints: &[]string{"B1BC968BD4f49D622AA89A81F2150152A41D829C"}, - ExpirationDates: &[]time.Time{expDate}, - SerialNumbers: &[]string{"219C542DE8f6EC7177FA4EE8C3705797"}, - CertificateChainFilename: certificateauthorityv2.PtrString(certificateChainFilename), - CrlSource: certificateauthorityv2.PtrString(crlSource), - CrlUrl: certificateauthorityv2.PtrString(crlUrl), - CrlUpdatedAt: crlUpdatedAt, + Id: certificateauthorityv2.PtrString(id), + DisplayName: certificateauthorityv2.PtrString(name), + Description: certificateauthorityv2.PtrString(description), + Fingerprints: &[]string{"B1BC968BD4f49D622AA89A81F2150152A41D829C"}, + ExpirationDates: &[]time.Time{expDate}, + SerialNumbers: &[]string{"219C542DE8f6EC7177FA4EE8C3705797"}, + CertificateChainFilename: certificateauthorityv2.PtrString(certificateChainFilename), + CrlSource: certificateauthorityv2.PtrString(crlSource), + CrlUrl: certificateauthorityv2.PtrString(crlUrl), + CrlUpdatedAt: crlUpdatedAt, + RequireCrlOnClientCertificate: certificateauthorityv2.PtrBool(requireCrlOnClientCertificate), } } From 27786cbc9730ee25900dcb68567410e463c525f4 Mon Sep 17 00:00:00 2001 From: Aravind Khasibhatla Date: Tue, 3 Mar 2026 13:44:22 -0800 Subject: [PATCH 02/12] Add --require-crl-on-client-certificate flag to integration tests Update certificate-authority create test cases to include the new required flag. Co-Authored-By: Claude Opus 4.5 --- test/iam_test.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/test/iam_test.go b/test/iam_test.go index 100ba69f81..306108d944 100644 --- a/test/iam_test.go +++ b/test/iam_test.go 
@@ -317,8 +317,8 @@ func (s *CLITestSuite) TestIamPool() { func (s *CLITestSuite) TestIamCertificateAuthority() { tests := []CLITest{ - {args: `iam certificate-authority create my-ca --description "my certificate authority" --certificate-chain ABC123 --certificate-chain-filename certificate.pem`, fixture: "iam/certificate-authority/create.golden"}, - {args: `iam certificate-authority create my-ca --description "my certificate authority" --certificate-chain ABC123 --certificate-chain-filename certificate.pem --crl-chain DEF456`, fixture: "iam/certificate-authority/create-url-chain.golden"}, + {args: `iam certificate-authority create my-ca --description "my certificate authority" --certificate-chain ABC123 --certificate-chain-filename certificate.pem --require-crl-on-client-certificate`, fixture: "iam/certificate-authority/create.golden"}, + {args: `iam certificate-authority create my-ca --description "my certificate authority" --certificate-chain ABC123 --certificate-chain-filename certificate.pem --crl-chain DEF456 --require-crl-on-client-certificate`, fixture: "iam/certificate-authority/create-url-chain.golden"}, {args: "iam certificate-authority delete op-12345 --force", fixture: "iam/certificate-authority/delete.golden"}, {args: "iam certificate-authority delete op-12345 op-67890", fixture: "iam/certificate-authority/delete-multiple-fail.golden", exitCode: 1}, {args: "iam certificate-authority delete op-12345 op-54321", input: "y\n", fixture: "iam/certificate-authority/delete-multiple-success.golden"}, From 2f7dcb77c0a614b1e69bfd9bb4ed991d1cf36783 Mon Sep 17 00:00:00 2001 
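Review bot: Both updated `create` cases pass `--require-crl-on-client-certificate` bare, so only the `true` path of the new flag is tested. No case visible in this hunk passes `--require-crl-on-client-certificate=false`, omits the flag to assert the required-flag error, or runs `update` with the flag so that the `Changed("require-crl-on-client-certificate")` branch executes. Since the flag decides whether revocation checking is enforced, I would add one `create` case ending in `--require-crl-on-client-certificate=false` with its own golden file, one `create` case without the flag that is expected to fail (`exitCode: 1`), and one `update` case that flips the value. The test table continues outside this hunk, so some of these may already exist further down.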
From: Aravind Khasibhatla Date: Tue, 3 Mar 2026 13:55:56 -0800 Subject: [PATCH 03/12] Update golden files for certificate-authority tests Regenerate golden files to match current table formatting behavior. The auto-wrap feature wraps long labels like "Require CRL On Client Certificate" across multiple lines. Co-Authored-By: Claude Opus 4.5 --- .../create-url-chain.golden | 25 ++++++++--------- .../iam/certificate-authority/create.golden | 21 ++++++++------- .../iam/certificate-authority/describe.golden | 21 ++++++++------- .../iam/certificate-authority/list.golden | 11 ++++---- .../update-crl-url.golden | 27 ++++++++++--------- .../certificate-authority/update-fail.golden | 1 + .../iam/certificate-authority/update.golden | 21 ++++++++------- 7 files changed, 67 insertions(+), 60 deletions(-) diff --git a/test/fixtures/output/iam/certificate-authority/create-url-chain.golden b/test/fixtures/output/iam/certificate-authority/create-url-chain.golden index f9d8df5efb..43e9013a4c 100644 --- a/test/fixtures/output/iam/certificate-authority/create-url-chain.golden +++ b/test/fixtures/output/iam/certificate-authority/create-url-chain.golden 
@@ -1,12 +1,13 @@ -+-----------------------------------+------------------------------------------+ -| ID | op-12345 | -| Name | my-ca | -| Description | my certificate authority | -| Fingerprints | B1BC968BD4f49D622AA89A81F2150152A41D829C | -| Expiration Dates | 2017-07-21 17:32:28 +0000 UTC | -| Serial Numbers | 219C542DE8f6EC7177FA4EE8C3705797 | -| Certificate Chain Filename | certificate.pem | -| CRL Source | LOCAL | -| CRL Updated At | 2024-07-21 17:32:28 +0000 UTC | -| Require CRL On Client Certificate | true | -+-----------------------------------+------------------------------------------+ ++--------------------------------+------------------------------------------+ +| ID | op-12345 | +| Name | my-ca | +| Description | my certificate authority | +| Fingerprints | B1BC968BD4f49D622AA89A81F2150152A41D829C | +| Expiration Dates | 2017-07-21 17:32:28 +0000 UTC | +| Serial Numbers | 219C542DE8f6EC7177FA4EE8C3705797 | +| Certificate Chain Filename | certificate.pem | +| CRL Source | LOCAL | +| CRL Updated At | 2024-07-21 17:32:28 +0000 UTC | +| Require CRL On Client | true | +| Certificate | | ++--------------------------------+------------------------------------------+ diff --git a/test/fixtures/output/iam/certificate-authority/create.golden b/test/fixtures/output/iam/certificate-authority/create.golden index a25e845567..724dce4ad3 100644 --- a/test/fixtures/output/iam/certificate-authority/create.golden +++ b/test/fixtures/output/iam/certificate-authority/create.golden 
@@ -1,10 +1,11 @@ -+-----------------------------------+------------------------------------------+ -| ID | op-12345 | -| Name | my-ca | -| Description | my certificate authority | -| Fingerprints | B1BC968BD4f49D622AA89A81F2150152A41D829C | -| Expiration Dates | 2017-07-21 17:32:28 +0000 UTC | -| Serial Numbers | 219C542DE8f6EC7177FA4EE8C3705797 | -| Certificate Chain Filename | certificate.pem | -| Require CRL On Client Certificate | true | -+-----------------------------------+------------------------------------------+ ++--------------------------------+------------------------------------------+ +| ID | op-12345 | +| Name | my-ca | +| Description | my certificate authority | +| Fingerprints | B1BC968BD4f49D622AA89A81F2150152A41D829C | +| Expiration Dates | 2017-07-21 17:32:28 +0000 UTC | +| Serial Numbers | 219C542DE8f6EC7177FA4EE8C3705797 | +| Certificate Chain Filename | certificate.pem | +| Require CRL On Client | true | +| Certificate | | ++--------------------------------+------------------------------------------+ diff --git a/test/fixtures/output/iam/certificate-authority/describe.golden b/test/fixtures/output/iam/certificate-authority/describe.golden index a25e845567..724dce4ad3 100644 --- a/test/fixtures/output/iam/certificate-authority/describe.golden +++ b/test/fixtures/output/iam/certificate-authority/describe.golden 
@@ -1,10 +1,11 @@ -+-----------------------------------+------------------------------------------+ -| ID | op-12345 | -| Name | my-ca | -| Description | my certificate authority | -| Fingerprints | B1BC968BD4f49D622AA89A81F2150152A41D829C | -| Expiration Dates | 2017-07-21 17:32:28 +0000 UTC | -| Serial Numbers | 219C542DE8f6EC7177FA4EE8C3705797 | -| Certificate Chain Filename | certificate.pem | -| Require CRL On Client Certificate | true | -+-----------------------------------+------------------------------------------+ ++--------------------------------+------------------------------------------+ +| ID | op-12345 | +| Name | my-ca | +| Description | my certificate authority | +| Fingerprints | B1BC968BD4f49D622AA89A81F2150152A41D829C | +| Expiration Dates | 2017-07-21 17:32:28 +0000 UTC | +| Serial Numbers | 219C542DE8f6EC7177FA4EE8C3705797 | +| Certificate Chain Filename | certificate.pem | +| Require CRL On Client | true | +| Certificate | | ++--------------------------------+------------------------------------------+ diff --git a/test/fixtures/output/iam/certificate-authority/list.golden b/test/fixtures/output/iam/certificate-authority/list.golden index ddece1fd54..bf160dd5ae 100644 --- a/test/fixtures/output/iam/certificate-authority/list.golden +++ b/test/fixtures/output/iam/certificate-authority/list.golden 
@@ -1,5 +1,6 @@ - ID | Name | Description | Fingerprints | Expiration Dates | Serial Numbers | Certificate Chain Filename | CRL Source | CRL URL | CRL Updated At | Require CRL On Client Certificate ------------+---------+--------------------------------+------------------------------------------+-------------------------------+----------------------------------+----------------------------+------------+-------------+------------------------------+------------------------------------- - op-12345 | my-ca | my certificate authority | B1BC968BD4f49D622AA89A81F2150152A41D829C | 2017-07-21 17:32:28 +0000 UTC | 219C542DE8f6EC7177FA4EE8C3705797 | certificate.pem | | | | true - op-54321 | my-ca-2 | my other certificate authority | B1BC968BD4f49D622AA89A81F2150152A41D829C | 2017-07-21 17:32:28 +0000 UTC | 219C542DE8f6EC7177FA4EE8C3705797 | certificate-2.pem | LOCAL | | 2024-07-21 17:32:28 +0000 UTC | false - op-67890 | my-ca-3 | my other certificate authority | B1BC968BD4f49D622AA89A81F2150152A41D829C | 2017-07-21 17:32:28 +0000 UTC | 219C542DE8f6EC7177FA4EE8C3705797 | certificate-3.pem | URL | example.url | 2024-07-21 17:32:28 +0000 UTC | true + ID | Name | Description | Fingerprints | Expiration Dates | Serial Numbers | Certificate Chain Filename | CRL Source | CRL URL | CRL Updated At | Require CRL On Client + | | | | | | | | | | Certificate +-----------+---------+--------------------------------+------------------------------------------+-------------------------------+----------------------------------+----------------------------+------------+-------------+-------------------------------+--------------------------------- + op-12345 | my-ca | my certificate authority | B1BC968BD4f49D622AA89A81F2150152A41D829C | 2017-07-21 17:32:28 +0000 UTC | 219C542DE8f6EC7177FA4EE8C3705797 | certificate.pem | | | | true + op-54321 | my-ca-2 | my other certificate authority | B1BC968BD4f49D622AA89A81F2150152A41D829C | 2017-07-21 17:32:28 +0000 UTC | 219C542DE8f6EC7177FA4EE8C3705797 | 
certificate-2.pem | LOCAL | | 2024-07-21 17:32:28 +0000 UTC | false + op-67890 | my-ca-3 | my other certificate authority | B1BC968BD4f49D622AA89A81F2150152A41D829C | 2017-07-21 17:32:28 +0000 UTC | 219C542DE8f6EC7177FA4EE8C3705797 | certificate-3.pem | URL | example.url | 2024-07-21 17:32:28 +0000 UTC | true diff --git a/test/fixtures/output/iam/certificate-authority/update-crl-url.golden b/test/fixtures/output/iam/certificate-authority/update-crl-url.golden index 16ed2c6f0a..608bbd46b3 100644 --- a/test/fixtures/output/iam/certificate-authority/update-crl-url.golden +++ b/test/fixtures/output/iam/certificate-authority/update-crl-url.golden @@ -1,13 +1,14 @@ -+-----------------------------------+------------------------------------------+ -| ID | op-12345 | -| Name | new name | -| Description | new description | -| Fingerprints | B1BC968BD4f49D622AA89A81F2150152A41D829C | -| Expiration Dates | 2017-07-21 17:32:28 +0000 UTC | -| Serial Numbers | 219C542DE8f6EC7177FA4EE8C3705797 | -| Certificate Chain Filename | certificate-2.pem | -| CRL Source | URL | -| CRL URL | example.url | -| CRL Updated At | 2024-07-21 17:32:28 +0000 UTC | -| Require CRL On Client Certificate | true | -+-----------------------------------+------------------------------------------+ ++--------------------------------+------------------------------------------+ +| ID | op-12345 | +| Name | new name | +| Description | new description | +| Fingerprints | B1BC968BD4f49D622AA89A81F2150152A41D829C | +| Expiration Dates | 2017-07-21 17:32:28 +0000 UTC | +| Serial Numbers | 219C542DE8f6EC7177FA4EE8C3705797 | +| Certificate Chain Filename | certificate-2.pem | +| CRL Source | URL | +| CRL URL | example.url | +| CRL Updated At | 2024-07-21 17:32:28 +0000 UTC | +| Require CRL On Client | true | +| Certificate | | ++--------------------------------+------------------------------------------+ 
diff --git a/test/fixtures/output/iam/certificate-authority/update-fail.golden b/test/fixtures/output/iam/certificate-authority/update-fail.golden index 8f71425ad8..e3b60d8625 100644 --- a/test/fixtures/output/iam/certificate-authority/update-fail.golden +++ b/test/fixtures/output/iam/certificate-authority/update-fail.golden @@ -14,6 +14,7 @@ Flags: --certificate-chain-filename string The name of the certificate file. --crl-url string The URL from which to fetch the CRL (Certificate Revocation List) for the certificate authority. --crl-chain string A base64 encoded string containing the CRL for this certificate authority. + --require-crl-on-client-certificate Whether to require CRL validation on client certificates. --context string CLI context name. -o, --output string Specify the output format as "human", "json", or "yaml". (default "human") diff --git a/test/fixtures/output/iam/certificate-authority/update.golden b/test/fixtures/output/iam/certificate-authority/update.golden index 2324d2a860..d895dcecb6 100644 --- a/test/fixtures/output/iam/certificate-authority/update.golden +++ b/test/fixtures/output/iam/certificate-authority/update.golden 
@@ -1,10 +1,11 @@ -+-----------------------------------+------------------------------------------+ -| ID | op-12345 | -| Name | new name | -| Description | new description | -| Fingerprints | B1BC968BD4f49D622AA89A81F2150152A41D829C | -| Expiration Dates | 2017-07-21 17:32:28 +0000 UTC | -| Serial Numbers | 219C542DE8f6EC7177FA4EE8C3705797 | -| Certificate Chain Filename | certificate-2.pem | -| Require CRL On Client Certificate | true | -+-----------------------------------+------------------------------------------+ ++--------------------------------+------------------------------------------+ +| ID | op-12345 | +| Name | new name | +| Description | new description | +| Fingerprints | B1BC968BD4f49D622AA89A81F2150152A41D829C | +| Expiration Dates | 2017-07-21 17:32:28 +0000 UTC | +| Serial Numbers | 219C542DE8f6EC7177FA4EE8C3705797 | +| Certificate Chain Filename | certificate-2.pem | +| Require CRL On Client | true | +| Certificate | | ++--------------------------------+------------------------------------------+ From 0315c29a1a0a833b566de007be67d9ebf57eb7f3 Mon Sep 17 00:00:00 2001 From: Aravind Khasibhatla Date: Wed, 4 Mar 2026 10:44:39 -0800 Subject: [PATCH 04/12] Make --require-crl-on-client-certificate optional for backward compatibility The flag defaults to false when not specified, maintaining backward compatibility with existing CLI usage. Co-Authored-By: Claude Opus 4.5 --- internal/iam/command_certificate_authority_create.go | 1 - 1 file changed, 1 deletion(-) diff --git a/internal/iam/command_certificate_authority_create.go b/internal/iam/command_certificate_authority_create.go index 08a1acecda..3fbffad599 100644 --- a/internal/iam/command_certificate_authority_create.go +++ b/internal/iam/command_certificate_authority_create.go 
@@ -56,7 +56,6 @@ X4XSQRjbgbMEHMUfpIBvFSDJ3gyICh3WZlXi/EjJKSZp4A== cobra.CheckErr(cmd.MarkFlagRequired("description")) cobra.CheckErr(cmd.MarkFlagRequired("certificate-chain")) cobra.CheckErr(cmd.MarkFlagRequired("certificate-chain-filename")) - cobra.CheckErr(cmd.MarkFlagRequired("require-crl-on-client-certificate")) return cmd } From 720a39f581469eb50d4f20e95766114d533e4055 Mon Sep 17 00:00:00 2001 From: Aravind Khasibhatla Date: Wed, 4 Mar 2026 13:54:03 -0800 Subject: [PATCH 05/12] Add integration test for update with --require-crl-on-client-certificate Adds test case to verify the update operation with the new flag, as requested in review feedback. Co-Authored-By: Claude Opus 4.5 --- .../certificate-authority/update-require-crl.golden | 11 +++++++++++ test/iam_test.go | 1 + 2 files changed, 12 insertions(+) create mode 100644 test/fixtures/output/iam/certificate-authority/update-require-crl.golden diff --git a/test/fixtures/output/iam/certificate-authority/update-require-crl.golden b/test/fixtures/output/iam/certificate-authority/update-require-crl.golden new file mode 100644 index 0000000000..33082099dc --- /dev/null +++ b/test/fixtures/output/iam/certificate-authority/update-require-crl.golden @@ -0,0 +1,11 @@ ++--------------------------------+------------------------------------------+ +| ID | op-12345 | +| Name | my-ca | +| Description | my certificate authority | +| Fingerprints | B1BC968BD4f49D622AA89A81F2150152A41D829C | +| Expiration Dates | 2017-07-21 17:32:28 +0000 UTC | +| Serial Numbers | 219C542DE8f6EC7177FA4EE8C3705797 | +| Certificate Chain Filename | certificate.pem | +| Require CRL On Client | false | +| Certificate | | ++--------------------------------+------------------------------------------+ diff --git a/test/iam_test.go b/test/iam_test.go index 306108d944..2b7d07fcd2 100644 --- a/test/iam_test.go +++ b/test/iam_test.go 
@@ -326,6 +326,7 @@ func (s *CLITestSuite) TestIamCertificateAuthority() {
 {args: "iam certificate-authority describe op-12345 -o json", fixture: "iam/certificate-authority/describe-json.golden"},
 {args: `iam certificate-authority update op-12345 --name "new name" --description "new description" --certificate-chain ABC123 --certificate-chain-filename certificate-2.pem`, fixture: "iam/certificate-authority/update.golden"},
 {args: `iam certificate-authority update op-12345 --name "new name" --description "new description" --certificate-chain ABC123 --certificate-chain-filename certificate-2.pem --crl-url example.url`, fixture: "iam/certificate-authority/update-crl-url.golden"},
+ {args: "iam certificate-authority update op-12345 --require-crl-on-client-certificate=false", fixture: "iam/certificate-authority/update-require-crl.golden"},
 {args: `iam certificate-authority update op-12345 --name "new name" --description "new description" --certificate-chain-filename certificate-2.pem`, fixture: "iam/certificate-authority/update-fail.golden", exitCode: 1},
 {args: "iam certificate-authority list", fixture: "iam/certificate-authority/list.golden"},
 {args: "iam certificate-authority list -o json", fixture: "iam/certificate-authority/list-json.golden"},
From 53ad019938a9675a1fac367bf2a4621b5a54e7e0 Mon Sep 17 00:00:00 2001 From: Aravind Khasibhatla Date: Wed, 4 Mar 2026 13:56:18 -0800 Subject: [PATCH 06/12] Rename flag to --require-crl-on-client-cert for brevity Shortened the flag name from --require-crl-on-client-certificate to --require-crl-on-client-cert based on review feedback. Co-Authored-By: Claude Opus 4.5 --- internal/iam/command_certificate_authority_create.go | 4 ++-- internal/iam/command_certificate_authority_update.go | 6 +++--- .../output/iam/certificate-authority/update-fail.golden | 2 +- test/iam_test.go | 6 +++--- 4 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/internal/iam/command_certificate_authority_create.go b/internal/iam/command_certificate_authority_create.go index 3fbffad599..5bacca5784 100644 --- a/internal/iam/command_certificate_authority_create.go +++ b/internal/iam/command_certificate_authority_create.go @@ -49,7 +49,7 @@ X4XSQRjbgbMEHMUfpIBvFSDJ3gyICh3WZlXi/EjJKSZp4A== cmd.Flags().String("certificate-chain-filename", "", "The name of the certificate file.") cmd.Flags().String("crl-url", "", "The URL from which to fetch the CRL (Certificate Revocation List) for the certificate authority.") cmd.Flags().String("crl-chain", "", "A base64 encoded string containing the CRL for this certificate authority.") - cmd.Flags().Bool("require-crl-on-client-certificate", false, "Whether to require CRL validation on client certificates.") + cmd.Flags().Bool("require-crl-on-client-cert", false, "Whether to require CRL validation on client certificates.") pcmd.AddContextFlag(cmd, c.CLICommand) pcmd.AddOutputFlag(cmd) @@ -86,7 +86,7 @@ func (c *certificateAuthorityCommand) create(cmd *cobra.Command, args []string) return err } - requireCrlOnClientCertificate, err := cmd.Flags().GetBool("require-crl-on-client-certificate") + requireCrlOnClientCertificate, err := cmd.Flags().GetBool("require-crl-on-client-cert") if err != nil { return err } diff --git a/internal/iam/command_certificate_authority_update.go b/internal/iam/command_certificate_authority_update.go index 852360cb81..fb9a70ce91 100644 --- a/internal/iam/command_certificate_authority_update.go +++ b/internal/iam/command_certificate_authority_update.go 
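Review bot: In the second hunk, `create` reads `require-crl-on-client-cert` with `GetBool` unconditionally, so an omitted flag cannot be told apart from an explicit `false`. The rest of `create` lies outside the hunk, but if it always copies this value into the request, a certificate authority created without the flag has the CRL requirement explicitly switched off rather than left to the API's own default. The update path in this same commit guards the read with `cmd.Flags().Changed("require-crl-on-client-cert")`; the same guard here would send the field only when the operator chose a value. The help string in the first hunk should also state what omission means, for example `"Require CRL validation on client certificates. Not required unless this flag is set."`.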
@@ -30,7 +30,7 @@ func (c *certificateAuthorityCommand) newUpdateCommand() *cobra.Command { cmd.Flags().String("certificate-chain-filename", "", "The name of the certificate file.") cmd.Flags().String("crl-url", "", "The URL from which to fetch the CRL (Certificate Revocation List) for the certificate authority.") cmd.Flags().String("crl-chain", "", "A base64 encoded string containing the CRL for this certificate authority.") - cmd.Flags().Bool("require-crl-on-client-certificate", false, "Whether to require CRL validation on client certificates.") + cmd.Flags().Bool("require-crl-on-client-cert", false, "Whether to require CRL validation on client certificates.") pcmd.AddContextFlag(cmd, c.CLICommand) pcmd.AddOutputFlag(cmd) @@ -95,8 +95,8 @@ func (c *certificateAuthorityCommand) update(cmd *cobra.Command, args []string) } update.CrlChain = certificateauthorityv2.PtrString(crlChain) } - if cmd.Flags().Changed("require-crl-on-client-certificate") { - requireCrlOnClientCertificate, err := cmd.Flags().GetBool("require-crl-on-client-certificate") + if cmd.Flags().Changed("require-crl-on-client-cert") { + requireCrlOnClientCertificate, err := cmd.Flags().GetBool("require-crl-on-client-cert") if err != nil { return err } diff --git a/test/fixtures/output/iam/certificate-authority/update-fail.golden b/test/fixtures/output/iam/certificate-authority/update-fail.golden index e3b60d8625..853fa91df9 100644 --- a/test/fixtures/output/iam/certificate-authority/update-fail.golden +++ b/test/fixtures/output/iam/certificate-authority/update-fail.golden 
@@ -14,7 +14,7 @@ Flags: --certificate-chain-filename string The name of the certificate file. --crl-url string The URL from which to fetch the CRL (Certificate Revocation List) for the certificate authority. --crl-chain string A base64 encoded string containing the CRL for this certificate authority. - --require-crl-on-client-certificate Whether to require CRL validation on client certificates. + --require-crl-on-client-cert Whether to require CRL validation on client certificates. --context string CLI context name. -o, --output string Specify the output format as "human", "json", or "yaml". (default "human") diff --git a/test/iam_test.go b/test/iam_test.go index 2b7d07fcd2..daf058bd80 100644 --- a/test/iam_test.go +++ b/test/iam_test.go 
@@ -317,8 +317,8 @@ func (s *CLITestSuite) TestIamPool() { func (s *CLITestSuite) TestIamCertificateAuthority() { tests := []CLITest{ - {args: `iam certificate-authority create my-ca --description "my certificate authority" --certificate-chain ABC123 --certificate-chain-filename certificate.pem --require-crl-on-client-certificate`, fixture: "iam/certificate-authority/create.golden"}, - {args: `iam certificate-authority create my-ca --description "my certificate authority" --certificate-chain ABC123 --certificate-chain-filename certificate.pem --crl-chain DEF456 --require-crl-on-client-certificate`, fixture: "iam/certificate-authority/create-url-chain.golden"}, + {args: `iam certificate-authority create my-ca --description "my certificate authority" --certificate-chain ABC123 --certificate-chain-filename certificate.pem --require-crl-on-client-cert`, fixture: "iam/certificate-authority/create.golden"}, + {args: `iam certificate-authority create my-ca --description "my certificate authority" --certificate-chain ABC123 --certificate-chain-filename certificate.pem --crl-chain DEF456 --require-crl-on-client-cert`, fixture: "iam/certificate-authority/create-url-chain.golden"}, {args: "iam certificate-authority delete op-12345 --force", fixture: "iam/certificate-authority/delete.golden"}, {args: "iam certificate-authority delete op-12345 op-67890", fixture: "iam/certificate-authority/delete-multiple-fail.golden", exitCode: 1}, {args: "iam certificate-authority delete op-12345 op-54321", input: "y\n", fixture: "iam/certificate-authority/delete-multiple-success.golden"}, 
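Review bot: Both create cases in this hunk pass `--require-crl-on-client-cert`, so nothing visible here exercises create without the flag, which is the path commit 04 of this series made optional. A third case that drops the flag and has its own fixture would pin what the CLI sends and prints by default: `{args: "iam certificate-authority create my-ca --description \"my certificate authority\" --certificate-chain ABC123 --certificate-chain-filename certificate.pem", fixture: "iam/certificate-authority/<new-fixture>.golden"}`. The fixture name is a placeholder, and the test table continues outside the hunk, so such a case may already exist further down.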
@@ -326,7 +326,7 @@ func (s *CLITestSuite) TestIamCertificateAuthority() {
 {args: "iam certificate-authority describe op-12345 -o json", fixture: "iam/certificate-authority/describe-json.golden"},
 {args: `iam certificate-authority update op-12345 --name "new name" --description "new description" --certificate-chain ABC123 --certificate-chain-filename certificate-2.pem`, fixture: "iam/certificate-authority/update.golden"},
 {args: `iam certificate-authority update op-12345 --name "new name" --description "new description" --certificate-chain ABC123 --certificate-chain-filename certificate-2.pem --crl-url example.url`, fixture: "iam/certificate-authority/update-crl-url.golden"},
- {args: "iam certificate-authority update op-12345 --require-crl-on-client-certificate=false", fixture: "iam/certificate-authority/update-require-crl.golden"},
+ {args: "iam certificate-authority update op-12345 --require-crl-on-client-cert=false", fixture: "iam/certificate-authority/update-require-crl.golden"},
 {args: `iam certificate-authority update op-12345 --name "new name" --description "new description" --certificate-chain-filename certificate-2.pem`, fixture: "iam/certificate-authority/update-fail.golden", exitCode: 1},
 {args: "iam certificate-authority list", fixture: "iam/certificate-authority/list.golden"},
 {args: "iam certificate-authority list -o json", fixture: "iam/certificate-authority/list-json.golden"},
From f79ba2ee137ba2ae2957d92ed20e5bed5d543b7a Mon Sep 17 00:00:00 2001 From: Aravind Khasibhatla Date: Wed, 4 Mar 2026 14:09:11 -0800 Subject: [PATCH 07/12] Update SDK to use merged version with require_crl_on_client_certificate Updated to SDK version v0.0.3-0.20260304220235-a27d679482e3 from master which includes the new RequireCrlOnClientCertificate field. Co-Authored-By: Claude Opus 4.5 --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/go.mod b/go.mod
index 77a4f6c6a7..f5822c56cd 100644
--- a/go.mod
+++ b/go.mod
@@ -23,7 +23,7 @@ require ( github.com/confluentinc/ccloud-sdk-go-v2/ccl v0.4.0 github.com/confluentinc/ccloud-sdk-go-v2/ccpm v0.0.1 github.com/confluentinc/ccloud-sdk-go-v2/cdx v0.0.5 - github.com/confluentinc/ccloud-sdk-go-v2/certificate-authority v0.0.2 + github.com/confluentinc/ccloud-sdk-go-v2/certificate-authority v0.0.3-0.20260304220235-a27d679482e3 github.com/confluentinc/ccloud-sdk-go-v2/cli v0.3.0 github.com/confluentinc/ccloud-sdk-go-v2/cmk v0.25.0 github.com/confluentinc/ccloud-sdk-go-v2/connect v0.7.0 diff --git a/go.sum b/go.sum index e761d8c46f..837270b24a 100644 --- a/go.sum +++ b/go.sum @@ -204,8 +204,8 @@ github.com/confluentinc/ccloud-sdk-go-v2/ccpm v0.0.1 h1:q++EceNVxARLSE5J9FO3Vbp9 github.com/confluentinc/ccloud-sdk-go-v2/ccpm v0.0.1/go.mod h1:toZWg8FVpQZ/80az0XTB4Fv22E5HJtEiMXxt4rU1JoI= github.com/confluentinc/ccloud-sdk-go-v2/cdx v0.0.5 h1:w0Z2hFxg8ng8gycWKRZFdus1R+q8D/I5AmN06NZso5s= github.com/confluentinc/ccloud-sdk-go-v2/cdx v0.0.5/go.mod h1:L8U9xs2duASJnjIYkwGrSbZNpApsbh+vlxsJlZMHJPA= -github.com/confluentinc/ccloud-sdk-go-v2/certificate-authority v0.0.2 h1:stsiO1JIRX6ITdw4DCsidQ0w7uhsyKDsYXwzxvi14GI= -github.com/confluentinc/ccloud-sdk-go-v2/certificate-authority v0.0.2/go.mod h1:OU1RGuP2y5l54jX5rA++QBAKeRvSa7GmkfNgJvB9J6M= +github.com/confluentinc/ccloud-sdk-go-v2/certificate-authority v0.0.3-0.20260304220235-a27d679482e3 h1:HYi5+8VGqqdkWJpLoqbTEFOGAUwmR6+TCsX+WXTPKc4= +github.com/confluentinc/ccloud-sdk-go-v2/certificate-authority v0.0.3-0.20260304220235-a27d679482e3/go.mod h1:Lt0BOSolRuMvnaV+aASN8KlPpkLl6+TNQKiqJosGaws= github.com/confluentinc/ccloud-sdk-go-v2/cli v0.3.0 h1:OOFNqtZN3Spuzz4TX6K6JfDM7zNDIE6BE1TtK78jFHQ= github.com/confluentinc/ccloud-sdk-go-v2/cli v0.3.0/go.mod h1:Mv0WTsBXUfKjmF+r2t2Dv/xJzZf17shhf5J1cttU2Qo= github.com/confluentinc/ccloud-sdk-go-v2/cmk v0.25.0 h1:EdZzQZ4SI5q+f0DQPjH3lWpygz1wYz7IE0K62Mv06bY= From ed45cf17cccaa8a79843105958d1a084777e49f2 Mon Sep 17 00:00:00 2001 
From: Cynthia Qin Date: Thu, 5 Mar 2026 13:23:50 -0800 Subject: [PATCH 08/12] Update dependency --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index f5822c56cd..f31ec2c987 100644 --- a/go.mod +++ b/go.mod @@ -23,7 +23,7 @@ require ( github.com/confluentinc/ccloud-sdk-go-v2/ccl v0.4.0 github.com/confluentinc/ccloud-sdk-go-v2/ccpm v0.0.1 github.com/confluentinc/ccloud-sdk-go-v2/cdx v0.0.5 - github.com/confluentinc/ccloud-sdk-go-v2/certificate-authority v0.0.3-0.20260304220235-a27d679482e3 + github.com/confluentinc/ccloud-sdk-go-v2/certificate-authority v0.0.3 github.com/confluentinc/ccloud-sdk-go-v2/cli v0.3.0 github.com/confluentinc/ccloud-sdk-go-v2/cmk v0.25.0 github.com/confluentinc/ccloud-sdk-go-v2/connect v0.7.0 diff --git a/go.sum b/go.sum index 837270b24a..6c48dd69eb 100644 --- a/go.sum +++ b/go.sum 
@@ -204,8 +204,8 @@ github.com/confluentinc/ccloud-sdk-go-v2/ccpm v0.0.1 h1:q++EceNVxARLSE5J9FO3Vbp9 github.com/confluentinc/ccloud-sdk-go-v2/ccpm v0.0.1/go.mod h1:toZWg8FVpQZ/80az0XTB4Fv22E5HJtEiMXxt4rU1JoI= github.com/confluentinc/ccloud-sdk-go-v2/cdx v0.0.5 h1:w0Z2hFxg8ng8gycWKRZFdus1R+q8D/I5AmN06NZso5s= github.com/confluentinc/ccloud-sdk-go-v2/cdx v0.0.5/go.mod h1:L8U9xs2duASJnjIYkwGrSbZNpApsbh+vlxsJlZMHJPA= -github.com/confluentinc/ccloud-sdk-go-v2/certificate-authority v0.0.3-0.20260304220235-a27d679482e3 h1:HYi5+8VGqqdkWJpLoqbTEFOGAUwmR6+TCsX+WXTPKc4= -github.com/confluentinc/ccloud-sdk-go-v2/certificate-authority v0.0.3-0.20260304220235-a27d679482e3/go.mod h1:Lt0BOSolRuMvnaV+aASN8KlPpkLl6+TNQKiqJosGaws= +github.com/confluentinc/ccloud-sdk-go-v2/certificate-authority v0.0.3 h1:jagGRDqY/ZYKaU7Rv9rz5ynMGxNoX7f9TQ/RsbvmJPw= +github.com/confluentinc/ccloud-sdk-go-v2/certificate-authority v0.0.3/go.mod h1:Lt0BOSolRuMvnaV+aASN8KlPpkLl6+TNQKiqJosGaws= github.com/confluentinc/ccloud-sdk-go-v2/cli v0.3.0 h1:OOFNqtZN3Spuzz4TX6K6JfDM7zNDIE6BE1TtK78jFHQ= github.com/confluentinc/ccloud-sdk-go-v2/cli v0.3.0/go.mod h1:Mv0WTsBXUfKjmF+r2t2Dv/xJzZf17shhf5J1cttU2Qo= github.com/confluentinc/ccloud-sdk-go-v2/cmk v0.25.0 h1:EdZzQZ4SI5q+f0DQPjH3lWpygz1wYz7IE0K62Mv06bY= From 984715ca2601001b247180f76f07c4c145810ae7 Mon Sep 17 00:00:00 2001 
From: Cynthia Qin Date: Thu, 5 Mar 2026 13:40:38 -0800 Subject: [PATCH 09/12] Refine property label --- internal/iam/command_certificate_authority.go | 2 +- .../create-url-chain.golden | 25 +++++++++-------- .../iam/certificate-authority/create.golden | 21 +++++++-------- .../describe-json.golden | 2 +- .../iam/certificate-authority/describe.golden | 21 +++++++-------- .../certificate-authority/list-json.golden | 6 ++--- .../iam/certificate-authority/list.golden | 11 ++++---- .../update-crl-url.golden | 27 +++++++++---------- .../update-require-crl.golden | 21 +++++++-------- .../iam/certificate-authority/update.golden | 21 +++++++-------- 10 files changed, 75 insertions(+), 82 deletions(-) diff --git a/internal/iam/command_certificate_authority.go b/internal/iam/command_certificate_authority.go index bd5c0d5769..892ff485a0 100644 --- a/internal/iam/command_certificate_authority.go +++ b/internal/iam/command_certificate_authority.go @@ -26,7 +26,7 @@ type certificateAuthorityOut struct { CrlSource string `human:"CRL Source,omitempty" serialized:"crl_source,omitempty"` CrlUrl string `human:"CRL URL,omitempty" serialized:"crl_url,omitempty"` CrlUpdatedAt *time.Time `human:"CRL Updated At,omitempty" serialized:"crl_updated_at,omitempty"` - RequireCrlOnClientCertificate bool `human:"Require CRL On Client Certificate" serialized:"require_crl_on_client_certificate"` + RequireCrlOnClientCertificate bool `human:"Require Client CRL" serialized:"require_client_crl"` } func newCertificateAuthorityCommand(prerunner pcmd.PreRunner) *cobra.Command { diff --git a/test/fixtures/output/iam/certificate-authority/create-url-chain.golden b/test/fixtures/output/iam/certificate-authority/create-url-chain.golden index 43e9013a4c..3833948874 100644 --- a/test/fixtures/output/iam/certificate-authority/create-url-chain.golden +++ b/test/fixtures/output/iam/certificate-authority/create-url-chain.golden 
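Review bot: The new `serialized:"require_client_crl"` tag on `RequireCrlOnClientCertificate` gives machine-readable output a name that matches neither the API attribute `require_crl_on_client_certificate` (the value on the removed line) nor the flag `--require-crl-on-client-cert`. Scripts that audit certificate authorities through `-o json` then have to map three spellings of one revocation setting, and a check written against the API name silently finds no key. Shortening only the table label avoids the wrapped column without that divergence: keep `serialized:"require_crl_on_client_certificate"` and change just `human:"Require Client CRL"`. The struct starts above this hunk, so the other tags were not re-checked here.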
@@ -1,13 +1,12 @@ -+--------------------------------+------------------------------------------+ -| ID | op-12345 | -| Name | my-ca | -| Description | my certificate authority | -| Fingerprints | B1BC968BD4f49D622AA89A81F2150152A41D829C | -| Expiration Dates | 2017-07-21 17:32:28 +0000 UTC | -| Serial Numbers | 219C542DE8f6EC7177FA4EE8C3705797 | -| Certificate Chain Filename | certificate.pem | -| CRL Source | LOCAL | -| CRL Updated At | 2024-07-21 17:32:28 +0000 UTC | -| Require CRL On Client | true | -| Certificate | | -+--------------------------------+------------------------------------------+ ++----------------------------+------------------------------------------+ +| ID | op-12345 | +| Name | my-ca | +| Description | my certificate authority | +| Fingerprints | B1BC968BD4f49D622AA89A81F2150152A41D829C | +| Expiration Dates | 2017-07-21 17:32:28 +0000 UTC | +| Serial Numbers | 219C542DE8f6EC7177FA4EE8C3705797 | +| Certificate Chain Filename | certificate.pem | +| CRL Source | LOCAL | +| CRL Updated At | 2024-07-21 17:32:28 +0000 UTC | +| Require Client CRL | true | ++----------------------------+------------------------------------------+ diff --git a/test/fixtures/output/iam/certificate-authority/create.golden b/test/fixtures/output/iam/certificate-authority/create.golden index 724dce4ad3..ce29813195 100644 --- a/test/fixtures/output/iam/certificate-authority/create.golden +++ b/test/fixtures/output/iam/certificate-authority/create.golden 
@@ -1,11 +1,10 @@ -+--------------------------------+------------------------------------------+ -| ID | op-12345 | -| Name | my-ca | -| Description | my certificate authority | -| Fingerprints | B1BC968BD4f49D622AA89A81F2150152A41D829C | -| Expiration Dates | 2017-07-21 17:32:28 +0000 UTC | -| Serial Numbers | 219C542DE8f6EC7177FA4EE8C3705797 | -| Certificate Chain Filename | certificate.pem | -| Require CRL On Client | true | -| Certificate | | -+--------------------------------+------------------------------------------+ ++----------------------------+------------------------------------------+ +| ID | op-12345 | +| Name | my-ca | +| Description | my certificate authority | +| Fingerprints | B1BC968BD4f49D622AA89A81F2150152A41D829C | +| Expiration Dates | 2017-07-21 17:32:28 +0000 UTC | +| Serial Numbers | 219C542DE8f6EC7177FA4EE8C3705797 | +| Certificate Chain Filename | certificate.pem | +| Require Client CRL | true | ++----------------------------+------------------------------------------+ diff --git a/test/fixtures/output/iam/certificate-authority/describe-json.golden b/test/fixtures/output/iam/certificate-authority/describe-json.golden index 3dc675fbcb..c67f1caaf5 100644 --- a/test/fixtures/output/iam/certificate-authority/describe-json.golden +++ b/test/fixtures/output/iam/certificate-authority/describe-json.golden @@ -6,5 +6,5 @@ "expiration_dates": ["2017-07-21T17:32:28Z"], "serial_numbers": ["219C542DE8f6EC7177FA4EE8C3705797"], "certificate_chain_filename": "certificate.pem", - "require_crl_on_client_certificate": true + "require_client_crl": true } diff --git a/test/fixtures/output/iam/certificate-authority/describe.golden b/test/fixtures/output/iam/certificate-authority/describe.golden index 724dce4ad3..ce29813195 100644 --- a/test/fixtures/output/iam/certificate-authority/describe.golden +++ b/test/fixtures/output/iam/certificate-authority/describe.golden 
@@ -1,11 +1,10 @@ -+--------------------------------+------------------------------------------+ -| ID | op-12345 | -| Name | my-ca | -| Description | my certificate authority | -| Fingerprints | B1BC968BD4f49D622AA89A81F2150152A41D829C | -| Expiration Dates | 2017-07-21 17:32:28 +0000 UTC | -| Serial Numbers | 219C542DE8f6EC7177FA4EE8C3705797 | -| Certificate Chain Filename | certificate.pem | -| Require CRL On Client | true | -| Certificate | | -+--------------------------------+------------------------------------------+ ++----------------------------+------------------------------------------+ +| ID | op-12345 | +| Name | my-ca | +| Description | my certificate authority | +| Fingerprints | B1BC968BD4f49D622AA89A81F2150152A41D829C | +| Expiration Dates | 2017-07-21 17:32:28 +0000 UTC | +| Serial Numbers | 219C542DE8f6EC7177FA4EE8C3705797 | +| Certificate Chain Filename | certificate.pem | +| Require Client CRL | true | ++----------------------------+------------------------------------------+ diff --git a/test/fixtures/output/iam/certificate-authority/list-json.golden b/test/fixtures/output/iam/certificate-authority/list-json.golden index 3f92698525..53b727df10 100644 --- a/test/fixtures/output/iam/certificate-authority/list-json.golden +++ b/test/fixtures/output/iam/certificate-authority/list-json.golden @@ -7,7 +7,7 @@ "expiration_dates": ["2017-07-21T17:32:28Z"], "serial_numbers": ["219C542DE8f6EC7177FA4EE8C3705797"], "certificate_chain_filename": "certificate.pem", - "require_crl_on_client_certificate": true + "require_client_crl": true }, { "id": "op-54321", @@ -19,7 +19,7 @@ "certificate_chain_filename": "certificate-2.pem", "crl_source": "LOCAL", "crl_updated_at": "2024-07-21T17:32:28Z", - "require_crl_on_client_certificate": false + "require_client_crl": false }, { "id": "op-67890", 
@@ -32,6 +32,6 @@ "crl_source": "URL", "crl_url": "example.url", "crl_updated_at": "2024-07-21T17:32:28Z", - "require_crl_on_client_certificate": true + "require_client_crl": true } ] diff --git a/test/fixtures/output/iam/certificate-authority/list.golden b/test/fixtures/output/iam/certificate-authority/list.golden index bf160dd5ae..0acab401b4 100644 --- a/test/fixtures/output/iam/certificate-authority/list.golden +++ b/test/fixtures/output/iam/certificate-authority/list.golden 
@@ -1,6 +1,5 @@ - ID | Name | Description | Fingerprints | Expiration Dates | Serial Numbers | Certificate Chain Filename | CRL Source | CRL URL | CRL Updated At | Require CRL On Client - | | | | | | | | | | Certificate ------------+---------+--------------------------------+------------------------------------------+-------------------------------+----------------------------------+----------------------------+------------+-------------+-------------------------------+--------------------------------- - op-12345 | my-ca | my certificate authority | B1BC968BD4f49D622AA89A81F2150152A41D829C | 2017-07-21 17:32:28 +0000 UTC | 219C542DE8f6EC7177FA4EE8C3705797 | certificate.pem | | | | true - op-54321 | my-ca-2 | my other certificate authority | B1BC968BD4f49D622AA89A81F2150152A41D829C | 2017-07-21 17:32:28 +0000 UTC | 219C542DE8f6EC7177FA4EE8C3705797 | certificate-2.pem | LOCAL | | 2024-07-21 17:32:28 +0000 UTC | false - op-67890 | my-ca-3 | my other certificate authority | B1BC968BD4f49D622AA89A81F2150152A41D829C | 2017-07-21 17:32:28 +0000 UTC | 219C542DE8f6EC7177FA4EE8C3705797 | certificate-3.pem | URL | example.url | 2024-07-21 17:32:28 +0000 UTC | true + ID | Name | Description | Fingerprints | Expiration Dates | Serial Numbers | Certificate Chain Filename | CRL Source | CRL URL | CRL Updated At | Require Client CRL +-----------+---------+--------------------------------+------------------------------------------+-------------------------------+----------------------------------+----------------------------+------------+-------------+-------------------------------+-------------------- + op-12345 | my-ca | my certificate authority | B1BC968BD4f49D622AA89A81F2150152A41D829C | 2017-07-21 17:32:28 +0000 UTC | 219C542DE8f6EC7177FA4EE8C3705797 | certificate.pem | | | | true + op-54321 | my-ca-2 | my other certificate authority | B1BC968BD4f49D622AA89A81F2150152A41D829C | 2017-07-21 17:32:28 +0000 UTC | 219C542DE8f6EC7177FA4EE8C3705797 | certificate-2.pem | LOCAL | | 
2024-07-21 17:32:28 +0000 UTC | false + op-67890 | my-ca-3 | my other certificate authority | B1BC968BD4f49D622AA89A81F2150152A41D829C | 2017-07-21 17:32:28 +0000 UTC | 219C542DE8f6EC7177FA4EE8C3705797 | certificate-3.pem | URL | example.url | 2024-07-21 17:32:28 +0000 UTC | true diff --git a/test/fixtures/output/iam/certificate-authority/update-crl-url.golden b/test/fixtures/output/iam/certificate-authority/update-crl-url.golden index 608bbd46b3..e006cabb9d 100644 --- a/test/fixtures/output/iam/certificate-authority/update-crl-url.golden +++ b/test/fixtures/output/iam/certificate-authority/update-crl-url.golden @@ -1,14 +1,13 @@ -+--------------------------------+------------------------------------------+ -| ID | op-12345 | -| Name | new name | -| Description | new description | -| Fingerprints | B1BC968BD4f49D622AA89A81F2150152A41D829C | -| Expiration Dates | 2017-07-21 17:32:28 +0000 UTC | -| Serial Numbers | 219C542DE8f6EC7177FA4EE8C3705797 | -| Certificate Chain Filename | certificate-2.pem | -| CRL Source | URL | -| CRL URL | example.url | -| CRL Updated At | 2024-07-21 17:32:28 +0000 UTC | -| Require CRL On Client | true | -| Certificate | | -+--------------------------------+------------------------------------------+ ++----------------------------+------------------------------------------+ +| ID | op-12345 | +| Name | new name | +| Description | new description | +| Fingerprints | B1BC968BD4f49D622AA89A81F2150152A41D829C | +| Expiration Dates | 2017-07-21 17:32:28 +0000 UTC | +| Serial Numbers | 219C542DE8f6EC7177FA4EE8C3705797 | +| Certificate Chain Filename | certificate-2.pem | +| CRL Source | URL | +| CRL URL | example.url | +| CRL Updated At | 2024-07-21 17:32:28 +0000 UTC | +| Require Client CRL | true | ++----------------------------+------------------------------------------+ 
diff --git a/test/fixtures/output/iam/certificate-authority/update-require-crl.golden b/test/fixtures/output/iam/certificate-authority/update-require-crl.golden index 33082099dc..c26c576f76 100644 --- a/test/fixtures/output/iam/certificate-authority/update-require-crl.golden +++ b/test/fixtures/output/iam/certificate-authority/update-require-crl.golden @@ -1,11 +1,10 @@ -+--------------------------------+------------------------------------------+ -| ID | op-12345 | -| Name | my-ca | -| Description | my certificate authority | -| Fingerprints | B1BC968BD4f49D622AA89A81F2150152A41D829C | -| Expiration Dates | 2017-07-21 17:32:28 +0000 UTC | -| Serial Numbers | 219C542DE8f6EC7177FA4EE8C3705797 | -| Certificate Chain Filename | certificate.pem | -| Require CRL On Client | false | -| Certificate | | -+--------------------------------+------------------------------------------+ ++----------------------------+------------------------------------------+ +| ID | op-12345 | +| Name | my-ca | +| Description | my certificate authority | +| Fingerprints | B1BC968BD4f49D622AA89A81F2150152A41D829C | +| Expiration Dates | 2017-07-21 17:32:28 +0000 UTC | +| Serial Numbers | 219C542DE8f6EC7177FA4EE8C3705797 | +| Certificate Chain Filename | certificate.pem | +| Require Client CRL | false | ++----------------------------+------------------------------------------+ diff --git a/test/fixtures/output/iam/certificate-authority/update.golden b/test/fixtures/output/iam/certificate-authority/update.golden index d895dcecb6..09d72fd5e9 100644 --- a/test/fixtures/output/iam/certificate-authority/update.golden +++ b/test/fixtures/output/iam/certificate-authority/update.golden 
@@ -1,11 +1,10 @@ -+--------------------------------+------------------------------------------+ -| ID | op-12345 | -| Name | new name | -| Description | new description | -| Fingerprints | B1BC968BD4f49D622AA89A81F2150152A41D829C | -| Expiration Dates | 2017-07-21 17:32:28 +0000 UTC | -| Serial Numbers | 219C542DE8f6EC7177FA4EE8C3705797 | -| Certificate Chain Filename | certificate-2.pem | -| Require CRL On Client | true | -| Certificate | | -+--------------------------------+------------------------------------------+ ++----------------------------+------------------------------------------+ +| ID | op-12345 | +| Name | new name | +| Description | new description | +| Fingerprints | B1BC968BD4f49D622AA89A81F2150152A41D829C | +| Expiration Dates | 2017-07-21 17:32:28 +0000 UTC | +| Serial Numbers | 219C542DE8f6EC7177FA4EE8C3705797 | +| Certificate Chain Filename | certificate-2.pem | +| Require Client CRL | true | ++----------------------------+------------------------------------------+ From d0b253ed367ea7730edf489f59f9db398bd88632 Mon Sep 17 00:00:00 2001 From: Cynthia Qin Date: Thu, 5 Mar 2026 15:45:43 -0800 Subject: [PATCH 10/12] Resolve linter error --- internal/iam/command_certificate_authority_create.go | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/internal/iam/command_certificate_authority_create.go b/internal/iam/command_certificate_authority_create.go index 5bacca5784..a2581d862b 100644 --- a/internal/iam/command_certificate_authority_create.go +++ b/internal/iam/command_certificate_authority_create.go 
@@ -92,12 +92,12 @@ func (c *certificateAuthorityCommand) create(cmd *cobra.Command, args []string) } certRequest := certificateauthorityv2.IamV2CreateCertRequest{ - DisplayName: certificateauthorityv2.PtrString(args[0]), - Description: certificateauthorityv2.PtrString(description), - CertificateChain: certificateauthorityv2.PtrString(certificateChain), - CertificateChainFilename: certificateauthorityv2.PtrString(certificateChainFilename), - CrlUrl: certificateauthorityv2.PtrString(crlUrl), - CrlChain: certificateauthorityv2.PtrString(crlChain), + DisplayName: certificateauthorityv2.PtrString(args[0]), + Description: certificateauthorityv2.PtrString(description), + CertificateChain: certificateauthorityv2.PtrString(certificateChain), + CertificateChainFilename: certificateauthorityv2.PtrString(certificateChainFilename), + CrlUrl: certificateauthorityv2.PtrString(crlUrl), + CrlChain: certificateauthorityv2.PtrString(crlChain), RequireCrlOnClientCertificate: certificateauthorityv2.PtrBool(requireCrlOnClientCertificate), } From 8970c4cdf4c5dff987bc4de86420f8661a34ab93 Mon Sep 17 00:00:00 2001 From: Cynthia Qin Date: Mon, 9 Mar 2026 23:33:55 -0700 Subject: [PATCH 11/12] Update flag name to resolve linter error --- internal/iam/command_certificate_authority_create.go | 4 ++-- internal/iam/command_certificate_authority_update.go | 6 +++--- .../iam/certificate-authority/describe-autocomplete.golden | 5 +++++ .../output/iam/certificate-authority/update-fail.golden | 2 +- test/iam_test.go | 6 +++--- 5 files changed, 14 insertions(+), 9 deletions(-) create mode 100644 test/fixtures/output/iam/certificate-authority/describe-autocomplete.golden diff --git a/internal/iam/command_certificate_authority_create.go b/internal/iam/command_certificate_authority_create.go index a2581d862b..4105a39fbe 100644 --- a/internal/iam/command_certificate_authority_create.go +++ b/internal/iam/command_certificate_authority_create.go 
@@ -49,7 +49,7 @@ X4XSQRjbgbMEHMUfpIBvFSDJ3gyICh3WZlXi/EjJKSZp4A== cmd.Flags().String("certificate-chain-filename", "", "The name of the certificate file.") cmd.Flags().String("crl-url", "", "The URL from which to fetch the CRL (Certificate Revocation List) for the certificate authority.") cmd.Flags().String("crl-chain", "", "A base64 encoded string containing the CRL for this certificate authority.") - cmd.Flags().Bool("require-crl-on-client-cert", false, "Whether to require CRL validation on client certificates.") + cmd.Flags().Bool("require-client-crl", false, "Whether to require CRL validation on client certificates.") pcmd.AddContextFlag(cmd, c.CLICommand) pcmd.AddOutputFlag(cmd) @@ -86,7 +86,7 @@ func (c *certificateAuthorityCommand) create(cmd *cobra.Command, args []string) return err } - requireCrlOnClientCertificate, err := cmd.Flags().GetBool("require-crl-on-client-cert") + requireCrlOnClientCertificate, err := cmd.Flags().GetBool("require-client-crl") if err != nil { return err } diff --git a/internal/iam/command_certificate_authority_update.go b/internal/iam/command_certificate_authority_update.go index fb9a70ce91..03e33dfec7 100644 --- a/internal/iam/command_certificate_authority_update.go +++ b/internal/iam/command_certificate_authority_update.go @@ -30,7 +30,7 @@ func (c *certificateAuthorityCommand) newUpdateCommand() *cobra.Command { cmd.Flags().String("certificate-chain-filename", "", "The name of the certificate file.") cmd.Flags().String("crl-url", "", "The URL from which to fetch the CRL (Certificate Revocation List) for the certificate authority.") cmd.Flags().String("crl-chain", "", "A base64 encoded string containing the CRL for this certificate authority.") - cmd.Flags().Bool("require-crl-on-client-cert", false, "Whether to require CRL validation on client certificates.") + cmd.Flags().Bool("require-client-crl", false, "Whether to require CRL validation on client certificates.") pcmd.AddContextFlag(cmd, c.CLICommand) pcmd.AddOutputFlag(cmd) 
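Review bot: The usage string for `--require-client-crl` in this hunk (and the identical one in the update command's flag definition later on this line) does not say what omitting the flag means or what happens when it is set without a CRL source. On create the value is read unconditionally with `GetBool` and sent as `PtrBool(requireCrlOnClientCertificate)`, so leaving the flag off sends an explicit `false`, and create-help.golden lists it without a REQUIRED marker; CRL enforcement therefore looks opt-in for every new certificate authority. The create test case that passes `--require-client-crl` with neither `--crl-url` nor `--crl-chain` is expected to succeed, and how the service treats client certificates in that state is not visible here. I would state both points in the usage text once the server behavior is confirmed, for example `"Require a CRL check on client certificates. Defaults to false (no CRL check required); supply the CRL with --crl-url or --crl-chain."`.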
@@ -95,8 +95,8 @@ func (c *certificateAuthorityCommand) update(cmd *cobra.Command, args []string) } update.CrlChain = certificateauthorityv2.PtrString(crlChain) } - if cmd.Flags().Changed("require-crl-on-client-cert") { - requireCrlOnClientCertificate, err := cmd.Flags().GetBool("require-crl-on-client-cert") + if cmd.Flags().Changed("require-client-crl") { + requireCrlOnClientCertificate, err := cmd.Flags().GetBool("require-client-crl") if err != nil { return err } diff --git a/test/fixtures/output/iam/certificate-authority/describe-autocomplete.golden b/test/fixtures/output/iam/certificate-authority/describe-autocomplete.golden new file mode 100644 index 0000000000..48274c5f1d --- /dev/null +++ b/test/fixtures/output/iam/certificate-authority/describe-autocomplete.golden @@ -0,0 +1,5 @@ +op-12345 my-ca +op-54321 my-ca-2 +op-67890 my-ca-3 +:4 +Completion ended with directive: ShellCompDirectiveNoFileComp diff --git a/test/fixtures/output/iam/certificate-authority/update-fail.golden b/test/fixtures/output/iam/certificate-authority/update-fail.golden index 853fa91df9..40a4aa30eb 100644 --- a/test/fixtures/output/iam/certificate-authority/update-fail.golden +++ b/test/fixtures/output/iam/certificate-authority/update-fail.golden @@ -14,7 +14,7 @@ Flags: --certificate-chain-filename string The name of the certificate file. --crl-url string The URL from which to fetch the CRL (Certificate Revocation List) for the certificate authority. --crl-chain string A base64 encoded string containing the CRL for this certificate authority. - --require-crl-on-client-cert Whether to require CRL validation on client certificates. + --require-client-crl Whether to require CRL validation on client certificates. --context string CLI context name. -o, --output string Specify the output format as "human", "json", or "yaml". (default "human") diff --git a/test/iam_test.go b/test/iam_test.go index daf058bd80..92b455f7d4 100644 --- a/test/iam_test.go +++ b/test/iam_test.go 
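Review bot: The flag name is repeated as a string literal in `Changed("require-client-crl")` and `GetBool("require-client-crl")` here, and again in both flag definitions and the `GetBool` call in create, so this rename had to touch every copy by hand. pflag's `Changed` returns false for a name that was never registered, so a copy that drifts would make update skip the field without any error, and a request meant to change CRL enforcement would be sent without it. A shared constant removes that failure mode: `const requireClientCrlFlag = "require-client-crl"`, used in `cmd.Flags().Bool(requireClientCrlFlag, ...)`, `Changed(requireClientCrlFlag)` and `GetBool(requireClientCrlFlag)`. The body of `update` continues outside this hunk, so whether the other flags in this file already follow such a convention is not visible.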
@@ -317,8 +317,8 @@ func (s *CLITestSuite) TestIamPool() { func (s *CLITestSuite) TestIamCertificateAuthority() { tests := []CLITest{ - {args: `iam certificate-authority create my-ca --description "my certificate authority" --certificate-chain ABC123 --certificate-chain-filename certificate.pem --require-crl-on-client-cert`, fixture: "iam/certificate-authority/create.golden"}, - {args: `iam certificate-authority create my-ca --description "my certificate authority" --certificate-chain ABC123 --certificate-chain-filename certificate.pem --crl-chain DEF456 --require-crl-on-client-cert`, fixture: "iam/certificate-authority/create-url-chain.golden"}, + {args: `iam certificate-authority create my-ca --description "my certificate authority" --certificate-chain ABC123 --certificate-chain-filename certificate.pem --require-client-crl`, fixture: "iam/certificate-authority/create.golden"}, + {args: `iam certificate-authority create my-ca --description "my certificate authority" --certificate-chain ABC123 --certificate-chain-filename certificate.pem --crl-chain DEF456 --require-client-crl`, fixture: "iam/certificate-authority/create-url-chain.golden"}, {args: "iam certificate-authority delete op-12345 --force", fixture: "iam/certificate-authority/delete.golden"}, {args: "iam certificate-authority delete op-12345 op-67890", fixture: "iam/certificate-authority/delete-multiple-fail.golden", exitCode: 1}, {args: "iam certificate-authority delete op-12345 op-54321", input: "y\n", fixture: "iam/certificate-authority/delete-multiple-success.golden"}, 
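Review bot: The cases visible in this hunk and the next one of `TestIamCertificateAuthority` exercise `--require-client-crl` only as set on create and as `--require-client-crl=false` on update, so the default path, create with the flag omitted, has no fixture. Because create always sends the value, that path decides whether a new certificate authority asks for CRL checks, and a change to the default would pass the suite unnoticed. I would add a create case without the flag whose golden output shows the field as false, and an update case passing `--require-client-crl` to cover the `Changed` branch with a true value. One line of the test table between the two hunks is not shown, and the test-server handler is outside this chunk, so it may be that the mock has to echo the request value for these cases to be meaningful.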
@@ -326,7 +326,7 @@ func (s *CLITestSuite) TestIamCertificateAuthority() { {args: "iam certificate-authority describe op-12345 -o json", fixture: "iam/certificate-authority/describe-json.golden"}, {args: `iam certificate-authority update op-12345 --name "new name" --description "new description" --certificate-chain ABC123 --certificate-chain-filename certificate-2.pem`, fixture: "iam/certificate-authority/update.golden"}, {args: `iam certificate-authority update op-12345 --name "new name" --description "new description" --certificate-chain ABC123 --certificate-chain-filename certificate-2.pem --crl-url example.url`, fixture: "iam/certificate-authority/update-crl-url.golden"}, - {args: "iam certificate-authority update op-12345 --require-crl-on-client-cert=false", fixture: "iam/certificate-authority/update-require-crl.golden"}, + {args: "iam certificate-authority update op-12345 --require-client-crl=false", fixture: "iam/certificate-authority/update-require-crl.golden"}, {args: `iam certificate-authority update op-12345 --name "new name" --description "new description" --certificate-chain-filename certificate-2.pem`, fixture: "iam/certificate-authority/update-fail.golden", exitCode: 1}, {args: "iam certificate-authority list", fixture: "iam/certificate-authority/list.golden"}, {args: "iam certificate-authority list -o json", fixture: "iam/certificate-authority/list-json.golden"}, From c4a91a21f2265bef77cd7745e558a4ba4b4539b5 Mon Sep 17 00:00:00 2001 From: Cynthia Qin Date: Tue, 10 Mar 2026 10:10:38 -0700 Subject: [PATCH 12/12] Update help --- .../iam/certificate-authority/create-help.golden | 1 + .../output/iam/certificate-authority/list.golden | 10 +++++----- .../iam/certificate-authority/update-fail.golden | 2 +- .../iam/certificate-authority/update-help.golden | 1 + 4 files changed, 8 insertions(+), 6 deletions(-) 
diff --git a/test/fixtures/output/iam/certificate-authority/create-help.golden b/test/fixtures/output/iam/certificate-authority/create-help.golden index 848eb0fd11..b3a9c4943a 100644 --- a/test/fixtures/output/iam/certificate-authority/create-help.golden +++ b/test/fixtures/output/iam/certificate-authority/create-help.golden @@ -35,6 +35,7 @@ Flags: --certificate-chain-filename string REQUIRED: The name of the certificate file. --crl-url string The URL from which to fetch the CRL (Certificate Revocation List) for the certificate authority. --crl-chain string A base64 encoded string containing the CRL for this certificate authority. + --require-client-crl Whether to require CRL validation on client certificates. --context string CLI context name. -o, --output string Specify the output format as "human", "json", or "yaml". (default "human") diff --git a/test/fixtures/output/iam/certificate-authority/list.golden b/test/fixtures/output/iam/certificate-authority/list.golden index 0acab401b4..093b527f8e 100644 --- a/test/fixtures/output/iam/certificate-authority/list.golden +++ b/test/fixtures/output/iam/certificate-authority/list.golden 
@@ -1,5 +1,5 @@ - ID | Name | Description | Fingerprints | Expiration Dates | Serial Numbers | Certificate Chain Filename | CRL Source | CRL URL | CRL Updated At | Require Client CRL ------------+---------+--------------------------------+------------------------------------------+-------------------------------+----------------------------------+----------------------------+------------+-------------+-------------------------------+-------------------- - op-12345 | my-ca | my certificate authority | B1BC968BD4f49D622AA89A81F2150152A41D829C | 2017-07-21 17:32:28 +0000 UTC | 219C542DE8f6EC7177FA4EE8C3705797 | certificate.pem | | | | true - op-54321 | my-ca-2 | my other certificate authority | B1BC968BD4f49D622AA89A81F2150152A41D829C | 2017-07-21 17:32:28 +0000 UTC | 219C542DE8f6EC7177FA4EE8C3705797 | certificate-2.pem | LOCAL | | 2024-07-21 17:32:28 +0000 UTC | false - op-67890 | my-ca-3 | my other certificate authority | B1BC968BD4f49D622AA89A81F2150152A41D829C | 2017-07-21 17:32:28 +0000 UTC | 219C542DE8f6EC7177FA4EE8C3705797 | certificate-3.pem | URL | example.url | 2024-07-21 17:32:28 +0000 UTC | true + ID | Name | Description | Fingerprints | Expiration Dates | Serial Numbers | Certificate Chain Filename | CRL Source | CRL URL | CRL Updated At | Require Client CRL +-----------+---------+--------------------------------+------------------------------------------+-------------------------------+----------------------------------+----------------------------+------------+-------------+-------------------------------+--------------------- + op-12345 | my-ca | my certificate authority | B1BC968BD4f49D622AA89A81F2150152A41D829C | 2017-07-21 17:32:28 +0000 UTC | 219C542DE8f6EC7177FA4EE8C3705797 | certificate.pem | | | | true + op-54321 | my-ca-2 | my other certificate authority | B1BC968BD4f49D622AA89A81F2150152A41D829C | 2017-07-21 17:32:28 +0000 UTC | 219C542DE8f6EC7177FA4EE8C3705797 | certificate-2.pem | LOCAL | | 2024-07-21 17:32:28 +0000 UTC | false + op-67890 | 
my-ca-3 | my other certificate authority | B1BC968BD4f49D622AA89A81F2150152A41D829C | 2017-07-21 17:32:28 +0000 UTC | 219C542DE8f6EC7177FA4EE8C3705797 | certificate-3.pem | URL | example.url | 2024-07-21 17:32:28 +0000 UTC | true diff --git a/test/fixtures/output/iam/certificate-authority/update-fail.golden b/test/fixtures/output/iam/certificate-authority/update-fail.golden index 40a4aa30eb..62c1137b39 100644 --- a/test/fixtures/output/iam/certificate-authority/update-fail.golden +++ b/test/fixtures/output/iam/certificate-authority/update-fail.golden @@ -14,7 +14,7 @@ Flags: --certificate-chain-filename string The name of the certificate file. --crl-url string The URL from which to fetch the CRL (Certificate Revocation List) for the certificate authority. --crl-chain string A base64 encoded string containing the CRL for this certificate authority. - --require-client-crl Whether to require CRL validation on client certificates. + --require-client-crl Whether to require CRL validation on client certificates. --context string CLI context name. -o, --output string Specify the output format as "human", "json", or "yaml". (default "human") diff --git a/test/fixtures/output/iam/certificate-authority/update-help.golden b/test/fixtures/output/iam/certificate-authority/update-help.golden index d0c8bc09c3..b8ca650f4c 100644 --- a/test/fixtures/output/iam/certificate-authority/update-help.golden +++ b/test/fixtures/output/iam/certificate-authority/update-help.golden @@ -15,6 +15,7 @@ Flags: --certificate-chain-filename string The name of the certificate file. --crl-url string The URL from which to fetch the CRL (Certificate Revocation List) for the certificate authority. --crl-chain string A base64 encoded string containing the CRL for this certificate authority. + --require-client-crl Whether to require CRL validation on client certificates. --context string CLI context name. -o, --output string Specify the output format as "human", "json", or "yaml". (default "human")