From 6e2315d8ca3824fed558d11ab1e32ff873329748 Mon Sep 17 00:00:00 2001 From: Yannik Sembritzki Date: Tue, 24 Mar 2026 00:10:15 +0100 Subject: [PATCH 1/2] Add provisionerName to webhook request for x509 and SSH --- authority/ssh.go | 6 ++++++ authority/tls.go | 6 ++++++ 2 files changed, 12 insertions(+) diff --git a/authority/ssh.go b/authority/ssh.go index c34bcd65b..9dec30e12 100644 --- a/authority/ssh.go +++ b/authority/ssh.go @@ -700,6 +700,9 @@ func (a *Authority) callEnrichingWebhooksSSH(ctx context.Context, prov provision if whEnrichReq, err = webhook.NewRequestBody( webhook.WithSSHCertificateRequest(cr), ); err == nil { + if prov != nil { + whEnrichReq.ProvisionerName = prov.GetName() + } err = webhookCtl.Enrich(ctx, whEnrichReq) } @@ -716,6 +719,9 @@ func (a *Authority) callAuthorizingWebhooksSSH(ctx context.Context, prov provisi if whAuthBody, err = webhook.NewRequestBody( webhook.WithSSHCertificate(cert, certTpl), ); err == nil { + if prov != nil { + whAuthBody.ProvisionerName = prov.GetName() + } err = webhookCtl.Authorize(ctx, whAuthBody) } diff --git a/authority/tls.go b/authority/tls.go index d794ad73e..a4a879cff 100644 --- a/authority/tls.go +++ b/authority/tls.go @@ -1053,6 +1053,9 @@ func (a *Authority) callEnrichingWebhooksX509(ctx context.Context, prov provisio webhook.WithX509CertificateRequest(csr), webhook.WithAttestationData(attested), ); err == nil { + if prov != nil { + whEnrichReq.ProvisionerName = prov.GetName() + } err = webhookCtl.Enrich(ctx, whEnrichReq) } @@ -1077,6 +1080,9 @@ func (a *Authority) callAuthorizingWebhooksX509(ctx context.Context, prov provis webhook.WithX509Certificate(cert, leaf), webhook.WithAttestationData(attested), ); err == nil { + if prov != nil { + whAuthBody.ProvisionerName = prov.GetName() + } err = webhookCtl.Authorize(ctx, whAuthBody) } From b289e6fdc4e1f2397bf93786fa8e9078cecf4541 Mon Sep 17 00:00:00 2001 
From: Mariano Cano Date: Tue, 31 Mar 2026 15:31:39 -0700 Subject: [PATCH 2/2] Add method to add the provisioner name This commit adds the RequestBodyOption WithProvisionerName that adds the provisioner name if the provisioner is not nil --- authority/ssh.go | 8 ++------ authority/tls.go | 8 ++------ webhook/options.go | 16 ++++++++++++++++ webhook/options_test.go | 9 +++++++++ 4 files changed, 29 insertions(+), 12 deletions(-) diff --git a/authority/ssh.go b/authority/ssh.go index 9dec30e12..e29e1c318 100644 --- a/authority/ssh.go +++ b/authority/ssh.go @@ -699,10 +699,8 @@ func (a *Authority) callEnrichingWebhooksSSH(ctx context.Context, prov provision var whEnrichReq *webhook.RequestBody if whEnrichReq, err = webhook.NewRequestBody( webhook.WithSSHCertificateRequest(cr), + webhook.WithProvisionerName(prov), ); err == nil { - if prov != nil { - whEnrichReq.ProvisionerName = prov.GetName() - } err = webhookCtl.Enrich(ctx, whEnrichReq) } @@ -718,10 +716,8 @@ func (a *Authority) callAuthorizingWebhooksSSH(ctx context.Context, prov provisi var whAuthBody *webhook.RequestBody if whAuthBody, err = webhook.NewRequestBody( webhook.WithSSHCertificate(cert, certTpl), + webhook.WithProvisionerName(prov), ); err == nil { - if prov != nil { - whAuthBody.ProvisionerName = prov.GetName() - } err = webhookCtl.Authorize(ctx, whAuthBody) } diff --git a/authority/tls.go b/authority/tls.go index a4a879cff..3900c446c 100644 --- a/authority/tls.go +++ b/authority/tls.go @@ -1052,10 +1052,8 @@ func (a *Authority) callEnrichingWebhooksX509(ctx context.Context, prov provisio if whEnrichReq, err = webhook.NewRequestBody( webhook.WithX509CertificateRequest(csr), webhook.WithAttestationData(attested), + webhook.WithProvisionerName(prov), ); err == nil { - if prov != nil { - whEnrichReq.ProvisionerName = prov.GetName() - } err = webhookCtl.Enrich(ctx, whEnrichReq) } 
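Review bot: The enrich and authorize calls in `callEnrichingWebhooksSSH`, `callAuthorizingWebhooksSSH` and `callEnrichingWebhooksX509` now send the provisioner name to external webhook servers, but nothing in the patch states that `ProvisionerName` is empty (or omitted, depending on the `RequestBody` JSON tag, which is not visible here) when `prov` is nil. A webhook that keys an authorization decision on the name needs that documented so an absent name is treated as "unknown" rather than matched loosely. Suggest a line in the request-body documentation such as `// ProvisionerName is the name of the provisioner handling the request; it is empty when no provisioner is associated with the request.` Each of these functions starts and ends outside the hunk.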
@@ -1079,10 +1077,8 @@ func (a *Authority) callAuthorizingWebhooksX509(ctx context.Context, prov provis if whAuthBody, err = webhook.NewRequestBody( webhook.WithX509Certificate(cert, leaf), webhook.WithAttestationData(attested), + webhook.WithProvisionerName(prov), ); err == nil { - if prov != nil { - whAuthBody.ProvisionerName = prov.GetName() - } err = webhookCtl.Authorize(ctx, whAuthBody) } diff --git a/webhook/options.go b/webhook/options.go index 869237097..62f0170ae 100644 --- a/webhook/options.go +++ b/webhook/options.go @@ -10,6 +10,10 @@ import ( type RequestBodyOption func(*RequestBody) error +type Provisioner interface { + GetName() string +} + func NewRequestBody(options ...RequestBodyOption) (*RequestBody, error) { rb := &RequestBody{} @@ -22,6 +26,18 @@ func NewRequestBody(options ...RequestBodyOption) (*RequestBody, error) { return rb, nil } +// WithProvisionerName sets the provisioner name in the webhook request body +// using the name from the given provisioner. If p is nil, the provisioner name +// is left unchanged. +func WithProvisionerName(p Provisioner) RequestBodyOption { + return func(rb *RequestBody) error { + if p != nil { + rb.ProvisionerName = p.GetName() + } + return nil + } +} + func WithX509CertificateRequest(cr *x509.CertificateRequest) RequestBodyOption { return func(rb *RequestBody) error { rb.X509CertificateRequest = &X509CertificateRequest{ diff --git a/webhook/options_test.go b/webhook/options_test.go index 9bcc59bca..764e1c6c1 100644 --- a/webhook/options_test.go +++ b/webhook/options_test.go @@ -13,6 +13,12 @@ import ( "golang.org/x/crypto/ssh" ) +type fakeProvisioner string + +func (f fakeProvisioner) GetName() string { + return string(f) +} + func TestNewRequestBody(t *testing.T) { t1 := time.Now() t2 := t1.Add(time.Hour) 
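Review bot: In `WithProvisionerName`, the `p != nil` guard does not cover a typed nil pointer stored in the `Provisioner` interface — that value compares non-nil and `GetName()` is then invoked on a nil receiver; whether any caller can pass such a value through `prov provisioner.Interface` is not visible here, so this is a caveat rather than a confirmed bug, but it is the same trap the removed inline checks had. The new exported `Provisioner` interface also has no doc comment, which the package's other exported names presumably carry; suggest `// Provisioner is the minimal view of a provisioner needed to name it in a webhook request.` above the type. The `GetName` method name must stay as-is to match the existing `provisioner.Interface`, even though Go style would otherwise drop the `Get` prefix.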
@@ -43,6 +49,7 @@ func TestNewRequestBody(t *testing.T) { }, "X509 Certificate Request": { options: []RequestBodyOption{ + WithProvisionerName(fakeProvisioner("test@example.com")), WithX509CertificateRequest(&x509.CertificateRequest{ PublicKeyAlgorithm: x509.ECDSA, Subject: pkix.Name{CommonName: "foo"}, @@ -50,6 +57,7 @@ func TestNewRequestBody(t *testing.T) { }), }, want: &RequestBody{ + ProvisionerName: "test@example.com", X509CertificateRequest: &X509CertificateRequest{ CertificateRequest: &x509util.CertificateRequest{ PublicKeyAlgorithm: x509.ECDSA, @@ -63,6 +71,7 @@ func TestNewRequestBody(t *testing.T) { }, "X509 Certificate": { options: []RequestBodyOption{ + WithProvisionerName(nil), WithX509Certificate(&x509util.Certificate{}, &x509.Certificate{ NotBefore: t1, NotAfter: t2,
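Review bot: The `WithProvisionerName(nil)` case in the "X509 Certificate" entry only checks that a nil provisioner on a zero-value body yields no name; it does not pin the documented "left unchanged" behavior, nor that an option earlier in the list is not clobbered by a later nil. Suggest adding a case with `WithProvisionerName(fakeProvisioner("x")), WithProvisionerName(nil),` and `want: &RequestBody{ProvisionerName: "x"}`, plus one with `fakeProvisioner("")` to show an empty name is set rather than skipped. As written, a regression that unconditionally assigned `p.GetName()` (or cleared the field on nil) would still pass the suite.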