Add `provisionerName` to webhook request body

pull/1617/head
Herman Slatman 6 months ago
parent a7ed79bb21
commit de45d66cdb
No known key found for this signature in database
GPG Key ID: F4D8A44EA0A75A4F

@ -146,12 +146,13 @@ var (
// that case, the other webhooks will be skipped. If none of // that case, the other webhooks will be skipped. If none of
// the webhooks indicates the value of the challenge was accepted, // the webhooks indicates the value of the challenge was accepted,
// an error is returned. // an error is returned.
func (c *challengeValidationController) Validate(ctx context.Context, csr *x509.CertificateRequest, challenge, transactionID string) error { func (c *challengeValidationController) Validate(ctx context.Context, csr *x509.CertificateRequest, provisionerName, challenge, transactionID string) error {
for _, wh := range c.webhooks { for _, wh := range c.webhooks {
req, err := webhook.NewRequestBody(webhook.WithX509CertificateRequest(csr)) req, err := webhook.NewRequestBody(webhook.WithX509CertificateRequest(csr))
if err != nil { if err != nil {
return fmt.Errorf("failed creating new webhook request: %w", err) return fmt.Errorf("failed creating new webhook request: %w", err)
} }
req.ProvisionerName = provisionerName
req.SCEPChallenge = challenge req.SCEPChallenge = challenge
req.SCEPTransactionID = transactionID req.SCEPTransactionID = transactionID
resp, err := wh.DoWithContext(ctx, c.client, req, nil) // TODO(hs): support templated URL? Requires some refactoring resp, err := wh.DoWithContext(ctx, c.client, req, nil) // TODO(hs): support templated URL? Requires some refactoring
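Review bot: The doc comment above Validate (its first lines begin before this hunk) still describes only the challenge/transaction flow and says nothing about the new provisionerName parameter, which is now copied into every webhook request body at `req.ProvisionerName = provisionerName`. A sentence such as `// provisionerName identifies the SCEP provisioner on whose behalf the challenge is being validated; it is forwarded to each webhook as ProvisionerName.` keeps the contract next to the signature, which is useful because webhook servers may start keying their decision on that value. Validate's body continues past the end of the hunk.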
@ -439,7 +440,7 @@ func (s *SCEP) ValidateChallenge(ctx context.Context, csr *x509.CertificateReque
} }
switch s.selectValidationMethod() { switch s.selectValidationMethod() {
case validationMethodWebhook: case validationMethodWebhook:
return s.challengeValidationController.Validate(ctx, csr, challenge, transactionID) return s.challengeValidationController.Validate(ctx, csr, s.Name, challenge, transactionID)
default: default:
if subtle.ConstantTimeCompare([]byte(s.ChallengePassword), []byte(challenge)) == 0 { if subtle.ConstantTimeCompare([]byte(s.ChallengePassword), []byte(challenge)) == 0 {
return errors.New("invalid challenge password provided") return errors.New("invalid challenge password provided")

@ -59,8 +59,9 @@ func Test_challengeValidationController_Validate(t *testing.T) {
webhooks []*Webhook webhooks []*Webhook
} }
type args struct { type args struct {
challenge string provisionerName string
transactionID string challenge string
transactionID string
} }
tests := []struct { tests := []struct {
name string name string
@ -72,7 +73,7 @@ func Test_challengeValidationController_Validate(t *testing.T) {
{ {
name: "fail/no-webhook", name: "fail/no-webhook",
fields: fields{http.DefaultClient, nil}, fields: fields{http.DefaultClient, nil},
args: args{"no-webhook", "transaction-1"}, args: args{"my-scep-provisioner", "no-webhook", "transaction-1"},
expErr: errors.New("webhook server did not allow request"), expErr: errors.New("webhook server did not allow request"),
}, },
{ {
@ -83,7 +84,7 @@ func Test_challengeValidationController_Validate(t *testing.T) {
CertType: linkedca.Webhook_SSH.String(), CertType: linkedca.Webhook_SSH.String(),
}, },
}}, }},
args: args{"wrong-cert-type", "transaction-1"}, args: args{"my-scep-provisioner", "wrong-cert-type", "transaction-1"},
expErr: errors.New("webhook server did not allow request"), expErr: errors.New("webhook server did not allow request"),
}, },
{ {
@ -99,8 +100,9 @@ func Test_challengeValidationController_Validate(t *testing.T) {
}, },
}}, }},
args: args{ args: args{
challenge: "wrong-secret-value", provisionerName: "my-scep-provisioner",
transactionID: "transaction-1", challenge: "wrong-secret-value",
transactionID: "transaction-1",
}, },
expErr: errors.New("failed executing webhook request: illegal base64 data at input byte 0"), expErr: errors.New("failed executing webhook request: illegal base64 data at input byte 0"),
}, },
@ -117,8 +119,9 @@ func Test_challengeValidationController_Validate(t *testing.T) {
}, },
}}, }},
args: args{ args: args{
challenge: "not-allowed", provisionerName: "my-scep-provisioner",
transactionID: "transaction-1", challenge: "not-allowed",
transactionID: "transaction-1",
}, },
server: nokServer, server: nokServer,
expErr: errors.New("webhook server did not allow request"), expErr: errors.New("webhook server did not allow request"),
@ -136,8 +139,9 @@ func Test_challengeValidationController_Validate(t *testing.T) {
}, },
}}, }},
args: args{ args: args{
challenge: "challenge", provisionerName: "my-scep-provisioner",
transactionID: "transaction-1", challenge: "challenge",
transactionID: "transaction-1",
}, },
server: okServer, server: okServer,
}, },
@ -151,7 +155,7 @@ func Test_challengeValidationController_Validate(t *testing.T) {
} }
ctx := context.Background() ctx := context.Background()
err := c.Validate(ctx, dummyCSR, tt.args.challenge, tt.args.transactionID) err := c.Validate(ctx, dummyCSR, tt.args.provisionerName, tt.args.challenge, tt.args.transactionID)
if tt.expErr != nil { if tt.expErr != nil {
assert.EqualError(t, err, tt.expErr.Error()) assert.EqualError(t, err, tt.expErr.Error())
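Review bot: Every table entry now passes "my-scep-provisioner", but nothing in the visible hunks asserts that the value actually reaches the webhook server; okServer and nokServer are defined outside the hunk and the only assertions shown compare the returned error. If those handlers do not already decode the request body, have the ok case's handler check `ProvisionerName == "my-scep-provisioner"` on the received RequestBody so a regression that drops the `req.ProvisionerName` assignment fails this test instead of passing silently. The enclosing test function starts before the first hunk and ends after the last one.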

@ -70,7 +70,8 @@ type X5CCertificate struct {
// RequestBody is the body sent to webhook servers. // RequestBody is the body sent to webhook servers.
type RequestBody struct { type RequestBody struct {
Timestamp time.Time `json:"timestamp"` Timestamp time.Time `json:"timestamp"`
ProvisionerName string `json:"provisionerName,omitempty"`
// Only set after successfully completing acme device-attest-01 challenge // Only set after successfully completing acme device-attest-01 challenge
AttestationData *AttestationData `json:"attestationData,omitempty"` AttestationData *AttestationData `json:"attestationData,omitempty"`
// Set for most provisioners, but not acme or scep // Set for most provisioners, but not acme or scep
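Review bot: The new ProvisionerName field is the only member of RequestBody in this hunk without a comment, while its neighbours document when they are populated; add `// ProvisionerName is the name of the provisioner that issued the webhook request; omitted from the JSON body when empty.` Because of omitempty, a webhook server that bases its allow/deny decision on provisionerName cannot tell an empty name apart from a request sent by a client that predates this field, so the comment should also name the code paths that set it — in this commit only the SCEP challenge validation path is visible doing so.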
