diff --git a/authority/provisioner/scep.go b/authority/provisioner/scep.go
index 7862a311..a48d11cc 100644
--- a/authority/provisioner/scep.go
+++ b/authority/provisioner/scep.go
@@ -146,12 +146,13 @@ var (
 // that case, the other webhooks will be skipped. If none of
 // the webhooks indicates the value of the challenge was accepted,
 // an error is returned.
-func (c *challengeValidationController) Validate(ctx context.Context, csr *x509.CertificateRequest, challenge, transactionID string) error {
+func (c *challengeValidationController) Validate(ctx context.Context, csr *x509.CertificateRequest, provisionerName, challenge, transactionID string) error {
 for _, wh := range c.webhooks {
 req, err := webhook.NewRequestBody(webhook.WithX509CertificateRequest(csr))
 if err != nil {
 return fmt.Errorf("failed creating new webhook request: %w", err)
 }
+ req.ProvisionerName = provisionerName
 req.SCEPChallenge = challenge
 req.SCEPTransactionID = transactionID
 resp, err := wh.DoWithContext(ctx, c.client, req, nil) // TODO(hs): support templated URL? Requires some refactoring
@@ -439,7 +440,7 @@ func (s *SCEP) ValidateChallenge(ctx context.Context, csr *x509.CertificateReque
 }
 switch s.selectValidationMethod() {
 case validationMethodWebhook:
- return s.challengeValidationController.Validate(ctx, csr, challenge, transactionID)
+ return s.challengeValidationController.Validate(ctx, csr, s.Name, challenge, transactionID)
 default:
 if subtle.ConstantTimeCompare([]byte(s.ChallengePassword), []byte(challenge)) == 0 {
 return errors.New("invalid challenge password provided")
diff --git a/authority/provisioner/scep_test.go b/authority/provisioner/scep_test.go
index 4efb3dd8..9b6f16a0 100644
--- a/authority/provisioner/scep_test.go
+++ b/authority/provisioner/scep_test.go
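Review bot: The doc comment on Validate ends inside this hunk without describing the new provisionerName parameter, so a reader of the signature cannot tell where the value originates or how it reaches the webhook. A closing sentence such as `// provisionerName is copied into the request body's ProvisionerName so the webhook server can scope its decision to the calling provisioner.` would fill that gap; the comment's opening lines are above the hunk. Separately, the field is tagged `omitempty` in webhook/types.go, so an empty s.Name removes the key from the JSON entirely instead of sending an empty string; a webhook server that authorizes on provisionerName should therefore treat a missing key as a deny, which is worth stating in the field's comment or in this doc comment. The loop body of Validate continues past the end of the hunk.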
@@ -59,8 +59,9 @@ func Test_challengeValidationController_Validate(t *testing.T) {
 webhooks []*Webhook
 }
 type args struct {
- challenge string
- transactionID string
+ provisionerName string
+ challenge string
+ transactionID string
 }
 tests := []struct {
 name string
@@ -72,7 +73,7 @@ func Test_challengeValidationController_Validate(t *testing.T) {
 {
 name: "fail/no-webhook",
 fields: fields{http.DefaultClient, nil},
- args: args{"no-webhook", "transaction-1"},
+ args: args{"my-scep-provisioner", "no-webhook", "transaction-1"},
 expErr: errors.New("webhook server did not allow request"),
 },
 {
@@ -83,7 +84,7 @@ func Test_challengeValidationController_Validate(t *testing.T) {
 CertType: linkedca.Webhook_SSH.String(),
 },
 }},
- args: args{"wrong-cert-type", "transaction-1"},
+ args: args{"my-scep-provisioner", "wrong-cert-type", "transaction-1"},
 expErr: errors.New("webhook server did not allow request"),
 },
 {
@@ -99,8 +100,9 @@ func Test_challengeValidationController_Validate(t *testing.T) {
 },
 }},
 args: args{
- challenge: "wrong-secret-value",
- transactionID: "transaction-1",
+ provisionerName: "my-scep-provisioner",
+ challenge: "wrong-secret-value",
+ transactionID: "transaction-1",
 },
 expErr: errors.New("failed executing webhook request: illegal base64 data at input byte 0"),
 },
@@ -117,8 +119,9 @@ func Test_challengeValidationController_Validate(t *testing.T) {
 },
 }},
 args: args{
- challenge: "not-allowed",
- transactionID: "transaction-1",
+ provisionerName: "my-scep-provisioner",
+ challenge: "not-allowed",
+ transactionID: "transaction-1",
 },
 server: nokServer,
 expErr: errors.New("webhook server did not allow request"),
@@ -136,8 +139,9 @@ func Test_challengeValidationController_Validate(t *testing.T) {
 },
 }},
 args: args{
- challenge: "challenge",
- transactionID: "transaction-1",
+ provisionerName: "my-scep-provisioner",
+ challenge: "challenge",
+ transactionID: "transaction-1",
 },
 server: okServer,
 },
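Review bot: None of the updated cases, including the okServer case in this last hunk, asserts that the value placed in args.provisionerName actually arrives at the webhook server; the okServer and nokServer handlers are outside the hunk, so if they do not decode the body the new plumbing is exercised but never verified. A case whose handler decodes the incoming RequestBody and fails the request when `ProvisionerName != "my-scep-provisioner"`, or a check against a body captured by the handler, would pin the propagation. The test function continues past this hunk.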
@@ -151,7 +155,7 @@ func Test_challengeValidationController_Validate(t *testing.T) {
 }
 ctx := context.Background()
- err := c.Validate(ctx, dummyCSR, tt.args.challenge, tt.args.transactionID)
+ err := c.Validate(ctx, dummyCSR, tt.args.provisionerName, tt.args.challenge, tt.args.transactionID)
 if tt.expErr != nil {
 assert.EqualError(t, err, tt.expErr.Error())
diff --git a/webhook/types.go b/webhook/types.go
index 2d7832b8..5e0e4d29 100644
--- a/webhook/types.go
+++ b/webhook/types.go
@@ -70,7 +70,8 @@ type X5CCertificate struct {
 // RequestBody is the body sent to webhook servers.
 type RequestBody struct {
- Timestamp time.Time `json:"timestamp"`
+ Timestamp time.Time `json:"timestamp"`
+ ProvisionerName string `json:"provisionerName,omitempty"`
 // Only set after successfully completing acme device-attest-01 challenge
 AttestationData *AttestationData `json:"attestationData,omitempty"`
 // Set for most provisioners, but not acme or scep