From 63257e057639cdd6cd513c1232ce02dc5f396f40 Mon Sep 17 00:00:00 2001
From: Herman Slatman
Date: Thu, 21 Sep 2023 12:05:58 +0200
Subject: [PATCH] Add full certificate DER bytes to success notification webhook

---
 authority/provisioner/scep.go | 22 ++++++++--------------
 webhook/types.go | 1 +
 2 files changed, 9 insertions(+), 14 deletions(-)

diff --git a/authority/provisioner/scep.go b/authority/provisioner/scep.go
index fad428e2..3e3e77b9 100644
--- a/authority/provisioner/scep.go
+++ b/authority/provisioner/scep.go
@@ -190,34 +190,28 @@ func newNotificationController(client *http.Client, webhooks []*Webhook) *notifi
 }
 
 func (c *notificationController) Success(ctx context.Context, csr *x509.CertificateRequest, cert *x509.Certificate, transactionID string) error {
-	if len(c.webhooks) == 0 {
-		return nil
-	}
-
 	for _, wh := range c.webhooks {
 		req, err := webhook.NewRequestBody(webhook.WithX509CertificateRequest(csr), webhook.WithX509Certificate(nil, cert)) // TODO(hs): pass in the x509util.Certifiate too?
 		if err != nil {
 			return fmt.Errorf("failed creating new webhook request: %w", err)
 		}
+		req.X509Certificate.Raw = cert.Raw // adding the full certificate DER bytes
+		// TODO(hs): more properties required?
 		req.SCEPTransactionID = transactionID
 		resp, err := wh.DoWithContext(ctx, c.client, req, nil)
 		if err != nil {
 			return fmt.Errorf("failed executing webhook request: %w", err)
 		}
-		if resp.Allow { // TODO(hs): different response for notifying?
-			return nil // return early when response is positive
+		if !resp.Allow { // TODO(hs): different response for notifying?
+			return ErrSCEPNotificationFailed // return early
 		}
 	}
-	return ErrSCEPNotificationFailed
+	return nil
 }
 
 func (c *notificationController) Failure(ctx context.Context, csr *x509.CertificateRequest, transactionID string) error {
-	if len(c.webhooks) == 0 {
-		return nil
-	}
-
 	for _, wh := range c.webhooks {
 		req, err := webhook.NewRequestBody(webhook.WithX509CertificateRequest(csr))
 		if err != nil {
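Review bot: With the inverted check, Success now returns at the first webhook whose response has `Allow == false`, so any webhook later in `c.webhooks` is never told about the issuance at all, whereas the old loop kept going until one hook accepted. For a notification, as opposed to an authorization decision, the remaining hooks should still be called and the refusal reported after the loop, e.g. declare `failed := false` before the loop, replace the early return with `failed = true`, and finish with `if failed { return ErrSCEPNotificationFailed }` ahead of `return nil`. The same applies to Failure in the second hunk of this file. `req.X509Certificate.Raw = cert.Raw` also assumes both `cert` and `req.X509Certificate` are non-nil; if `webhook.WithX509Certificate` leaves the field unset for a nil cert, either a short `if cert != nil && req.X509Certificate != nil` guard or populating Raw inside that option in the webhook package would keep every producer of the body consistent. Failure's body continues outside this hunk.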
@@ -229,12 +223,12 @@ func (c *notificationController) Failure(ctx context.Context, csr *x509.Certific
 		if err != nil {
 			return fmt.Errorf("failed executing webhook request: %w", err)
 		}
-		if resp.Allow { // TODO(hs): different response for notifying?
-			return nil // return early when response is positive
+		if !resp.Allow { // TODO(hs): different response for notifying?
+			return ErrSCEPNotificationFailed // return early
 		}
 	}
-	return ErrSCEPNotificationFailed
+	return nil
 }
 
 // isCertTypeOK returns whether or not the webhook can be used
diff --git a/webhook/types.go b/webhook/types.go
index 9eda0578..330250f5 100644
--- a/webhook/types.go
+++ b/webhook/types.go
@@ -30,6 +30,7 @@ type X509Certificate struct {
 	PublicKeyAlgorithm string    `json:"publicKeyAlgorithm"`
 	NotBefore          time.Time `json:"notBefore"`
 	NotAfter           time.Time `json:"notAfter"`
+	Raw                []byte    `json:"raw"`
 }
 
 // SSHCertificateRequest is the certificate request sent to webhook servers for
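Review bot: The new `Raw` field has neither a doc comment nor `omitempty`, so every webhook body carrying an X509Certificate that is not produced by the SCEP success path (the only place this patch sets it) will serialize as `"raw": null`, and a receiver cannot distinguish "not provided" from a deliberately empty value. Suggest `` Raw []byte `json:"raw,omitempty"` `` together with a comment such as `// Raw is the complete certificate in DER encoding; encoding/json emits it as a base64 string.` Receivers that act on the certificate should parse and verify `Raw` rather than trust the summary fields beside it, which is the main value of shipping the full DER. The X509Certificate struct starts outside this hunk.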