Skip to content

feat(ca/acme/eab): add --json output to add, list, and remove#1663

Draft
joshdrake wants to merge 1 commit into
masterfrom
feat/add-eab-json-output
Draft

feat(ca/acme/eab): add --json output to add, list, and remove#1663
joshdrake wants to merge 1 commit into
masterfrom
feat/add-eab-json-output

Conversation

@joshdrake

Copy link
Copy Markdown

Summary

Adds a --json flag for machine-readable output across the entire step ca acme eab command chain (add, list, remove). Previously these subcommands only emitted fixed-width column text, making them awkward to script against — add.go even carried a standing // TODO(hs): JSON output, so that executing this command can be more easily automated?.

What changed (command/ca/acme/eab/)

  • eab.go — Exported cliEAK's fields with JSON tags (id, provisioner, reference, plus omitempty key/createdAt/boundAt/account). Guarded createdAt with an IsZero() check mirroring the existing boundAt handling so unset timestamps drop out via omitempty. Added a shared package-local jsonFlag.
  • add.go--json marshals the created key including the secret (the whole point of add) as a JSON object; replaced the TODO(hs).
  • list.go--json collects every page into a JSON array and bypasses the $PAGER machinery. The secret HMAC key is omitted, matching the table's existing ***** masking; an empty result is [].
  • remove.go--json emits {"provisioner":…,"id":…,"deleted":true} on success.
  • eab_test.go — New; the package's first tests, covering toCLI (including zero-timestamp handling) and the JSON contract for both the add and list shapes.

Example output

// add --json
{
  "id": "zFGdKC1sHmNf3Wsx3OujY808chxwEdmr",
  "provisioner": "my_acme",
  "reference": "my_ref",
  "key": "Zm9vYmFyYmF6..."
}

// list --json  (key omitted, matching the masked table)
[
  {
    "id": "zFGdKC1sHmNf3Wsx3OujY808chxwEdmr",
    "provisioner": "my_acme",
    "createdAt": "2026-07-06 12:00:00 +00:00",
    "reference": "my_ref"
  }
]

// remove --json
{
  "provisioner": "my_acme",
  "id": "zFGdKC1sHmNf3Wsx3OujY808chxwEdmr",
  "deleted": true
}

Design decisions

  • list --json omits the key rather than exposing every secret in bulk — this preserves today's posture where only add (at creation time) ever reveals a key.
  • All three subcommands get the flag for a consistent chain.

Testing

  • go build ./..., gofmt, and go vet clean.
  • golangci-lint with the smallstep config → 0 issues.
  • New unit tests pass; --json verified present in --help for all three subcommands.
  • Not exercised against a live Certificate Manager CA (requires admin credentials); the JSON shape is covered by the unit tests instead.

🤖 Generated with Claude Code

The `step ca acme eab` subcommands only emitted fixed-width column text,
making them awkward to script against (add.go even carried a standing
TODO asking for JSON output). Add a `--json` flag to each subcommand for
machine-readable output:

- add:    marshals the created key (including the secret) as a JSON object
- list:   collects all pages into a JSON array, bypassing $PAGER; the
          secret HMAC key is omitted, matching the table's masking
- remove: emits {"provisioner","id","deleted":true} on success

The shared cliEAK struct now has exported, JSON-tagged fields, and toCLI
guards createdAt with an IsZero check (mirroring boundAt) so unset
timestamps are dropped via omitempty. Adds the first unit tests for the
package covering toCLI and the JSON contract.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@CLAassistant

Copy link
Copy Markdown

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
You have signed the CLA already but the status is still pending? Let us recheck it.

1 similar comment
@CLAassistant

Copy link
Copy Markdown

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
You have signed the CLA already but the status is still pending? Let us recheck it.

@github-actions github-actions Bot added the needs triage Waiting for discussion / prioritization by team label Jul 7, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

needs triage Waiting for discussion / prioritization by team

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants