Add provisionerName to webhook request body

2026-01-27 10:18:34 +00:00 · 2023-11-08 19:43:13 +01:00
parent a7ed79bb21
commit de45d66cdb
3 changed files with 20 additions and 14 deletions
--- a/authority/provisioner/scep.go
+++ b/authority/provisioner/scep.go
@@ -146,12 +146,13 @@ var (
 // that case, the other webhooks will be skipped. If none of
 // the webhooks indicates the value of the challenge was accepted,
 // an error is returned.
-func (c *challengeValidationController) Validate(ctx context.Context, csr *x509.CertificateRequest, challenge, transactionID string) error {
+func (c *challengeValidationController) Validate(ctx context.Context, csr *x509.CertificateRequest, provisionerName, challenge, transactionID string) error {
 	for _, wh := range c.webhooks {
 		req, err := webhook.NewRequestBody(webhook.WithX509CertificateRequest(csr))
 		if err != nil {
 			return fmt.Errorf("failed creating new webhook request: %w", err)
 		}
+		req.ProvisionerName = provisionerName
 		req.SCEPChallenge = challenge
 		req.SCEPTransactionID = transactionID
 		resp, err := wh.DoWithContext(ctx, c.client, req, nil) // TODO(hs): support templated URL? Requires some refactoring
@@ -439,7 +440,7 @@ func (s *SCEP) ValidateChallenge(ctx context.Context, csr *x509.CertificateReque
 	}
 	switch s.selectValidationMethod() {
 	case validationMethodWebhook:
-		return s.challengeValidationController.Validate(ctx, csr, challenge, transactionID)
+		return s.challengeValidationController.Validate(ctx, csr, s.Name, challenge, transactionID)
 	default:
 		if subtle.ConstantTimeCompare([]byte(s.ChallengePassword), []byte(challenge)) == 0 {
 			return errors.New("invalid challenge password provided")
--- a/authority/provisioner/scep_test.go
+++ b/authority/provisioner/scep_test.go
@@ -59,8 +59,9 @@ func Test_challengeValidationController_Validate(t *testing.T) {
 		webhooks []*Webhook
 	}
 	type args struct {
-		challenge     string
-		transactionID string
+		provisionerName string
+		challenge       string
+		transactionID   string
 	}
 	tests := []struct {
 		name   string
@@ -72,7 +73,7 @@ func Test_challengeValidationController_Validate(t *testing.T) {
 		{
 			name:   "fail/no-webhook",
 			fields: fields{http.DefaultClient, nil},
-			args:   args{"no-webhook", "transaction-1"},
+			args:   args{"my-scep-provisioner", "no-webhook", "transaction-1"},
 			expErr: errors.New("webhook server did not allow request"),
 		},
 		{
@@ -83,7 +84,7 @@ func Test_challengeValidationController_Validate(t *testing.T) {
 					CertType: linkedca.Webhook_SSH.String(),
 				},
 			}},
-			args:   args{"wrong-cert-type", "transaction-1"},
+			args:   args{"my-scep-provisioner", "wrong-cert-type", "transaction-1"},
 			expErr: errors.New("webhook server did not allow request"),
 		},
 		{
@@ -99,8 +100,9 @@ func Test_challengeValidationController_Validate(t *testing.T) {
 				},
 			}},
 			args: args{
-				challenge:     "wrong-secret-value",
-				transactionID: "transaction-1",
+				provisionerName: "my-scep-provisioner",
+				challenge:       "wrong-secret-value",
+				transactionID:   "transaction-1",
 			},
 			expErr: errors.New("failed executing webhook request: illegal base64 data at input byte 0"),
 		},
@@ -117,8 +119,9 @@ func Test_challengeValidationController_Validate(t *testing.T) {
 				},
 			}},
 			args: args{
-				challenge:     "not-allowed",
-				transactionID: "transaction-1",
+				provisionerName: "my-scep-provisioner",
+				challenge:       "not-allowed",
+				transactionID:   "transaction-1",
 			},
 			server: nokServer,
 			expErr: errors.New("webhook server did not allow request"),
@@ -136,8 +139,9 @@ func Test_challengeValidationController_Validate(t *testing.T) {
 				},
 			}},
 			args: args{
-				challenge:     "challenge",
-				transactionID: "transaction-1",
+				provisionerName: "my-scep-provisioner",
+				challenge:       "challenge",
+				transactionID:   "transaction-1",
 			},
 			server: okServer,
 		},
@@ -151,7 +155,7 @@ func Test_challengeValidationController_Validate(t *testing.T) {
 			}

 			ctx := context.Background()
-			err := c.Validate(ctx, dummyCSR, tt.args.challenge, tt.args.transactionID)
+			err := c.Validate(ctx, dummyCSR, tt.args.provisionerName, tt.args.challenge, tt.args.transactionID)

 			if tt.expErr != nil {
 				assert.EqualError(t, err, tt.expErr.Error())
--- a/webhook/types.go
+++ b/webhook/types.go
@@ -70,7 +70,8 @@ type X5CCertificate struct {

 // RequestBody is the body sent to webhook servers.
 type RequestBody struct {
-	Timestamp time.Time `json:"timestamp"`
+	Timestamp       time.Time `json:"timestamp"`
+	ProvisionerName string    `json:"provisionerName,omitempty"`
 	// Only set after successfully completing acme device-attest-01 challenge
 	AttestationData *AttestationData `json:"attestationData,omitempty"`
 	// Set for most provisioners, but not acme or scep