smallstep · maraino · Mar 31, 2026 · Mar 23, 2026 · Mar 31, 2026 · Mar 31, 2026
diff --git a/authority/ssh.go b/authority/ssh.go
@@ -699,6 +699,7 @@ func (a *Authority) callEnrichingWebhooksSSH(ctx context.Context, prov provision
 	var whEnrichReq *webhook.RequestBody
 	if whEnrichReq, err = webhook.NewRequestBody(
 		webhook.WithSSHCertificateRequest(cr),
+		webhook.WithProvisionerName(prov),
 	); err == nil {
 		err = webhookCtl.Enrich(ctx, whEnrichReq)
 	}
@@ -715,6 +716,7 @@ func (a *Authority) callAuthorizingWebhooksSSH(ctx context.Context, prov provisi
 	var whAuthBody *webhook.RequestBody
 	if whAuthBody, err = webhook.NewRequestBody(
 		webhook.WithSSHCertificate(cert, certTpl),
+		webhook.WithProvisionerName(prov),
 	); err == nil {
 		err = webhookCtl.Authorize(ctx, whAuthBody)
 	}

diff --git a/authority/tls.go b/authority/tls.go
@@ -1052,6 +1052,7 @@ func (a *Authority) callEnrichingWebhooksX509(ctx context.Context, prov provisio
 	if whEnrichReq, err = webhook.NewRequestBody(
 		webhook.WithX509CertificateRequest(csr),
 		webhook.WithAttestationData(attested),
+		webhook.WithProvisionerName(prov),
 	); err == nil {
 		err = webhookCtl.Enrich(ctx, whEnrichReq)
 	}
@@ -1076,6 +1077,7 @@ func (a *Authority) callAuthorizingWebhooksX509(ctx context.Context, prov provis
 	if whAuthBody, err = webhook.NewRequestBody(
 		webhook.WithX509Certificate(cert, leaf),
 		webhook.WithAttestationData(attested),
+		webhook.WithProvisionerName(prov),
 	); err == nil {
 		err = webhookCtl.Authorize(ctx, whAuthBody)
 	}

diff --git a/webhook/options.go b/webhook/options.go
@@ -10,6 +10,10 @@ import (
 
 type RequestBodyOption func(*RequestBody) error
 
+type Provisioner interface {
+	GetName() string
+}
+
 func NewRequestBody(options ...RequestBodyOption) (*RequestBody, error) {
 	rb := &RequestBody{}
 
@@ -22,6 +26,18 @@ func NewRequestBody(options ...RequestBodyOption) (*RequestBody, error) {
 	return rb, nil
 }
 
+// WithProvisionerName sets the provisioner name in the webhook request body
+// using the name from the given provisioner. If p is nil, the provisioner name
+// is left unchanged.
+func WithProvisionerName(p Provisioner) RequestBodyOption {
+	return func(rb *RequestBody) error {
+		if p != nil {
+			rb.ProvisionerName = p.GetName()
+		}
+		return nil
+	}
+}
+
 func WithX509CertificateRequest(cr *x509.CertificateRequest) RequestBodyOption {
 	return func(rb *RequestBody) error {
 		rb.X509CertificateRequest = &X509CertificateRequest{

diff --git a/webhook/options_test.go b/webhook/options_test.go
@@ -13,6 +13,12 @@ import (
 	"golang.org/x/crypto/ssh"
 )
 
+type fakeProvisioner string
+
+func (f fakeProvisioner) GetName() string {
+	return string(f)
+}
+
 func TestNewRequestBody(t *testing.T) {
 	t1 := time.Now()
 	t2 := t1.Add(time.Hour)
@@ -43,13 +49,15 @@ func TestNewRequestBody(t *testing.T) {
 		},
 		"X509 Certificate Request": {
 			options: []RequestBodyOption{
+				WithProvisionerName(fakeProvisioner("test@example.com")),
 				WithX509CertificateRequest(&x509.CertificateRequest{
 					PublicKeyAlgorithm: x509.ECDSA,
 					Subject:            pkix.Name{CommonName: "foo"},
 					Raw:                []byte("csr der"),
 				}),
 			},
 			want: &RequestBody{
+				ProvisionerName: "test@example.com",
 				X509CertificateRequest: &X509CertificateRequest{
 					CertificateRequest: &x509util.CertificateRequest{
 						PublicKeyAlgorithm: x509.ECDSA,
@@ -63,6 +71,7 @@ func TestNewRequestBody(t *testing.T) {
 		},
 		"X509 Certificate": {
 			options: []RequestBodyOption{
+				WithProvisionerName(nil),
 				WithX509Certificate(&x509util.Certificate{}, &x509.Certificate{
 					NotBefore:          t1,
 					NotAfter:           t2,