forked from TrueCloudLab/certificates
64 lines
1.7 KiB
Go
64 lines
1.7 KiB
Go
package webhook
|
|
|
|
import (
|
|
"context"
|
|
"fmt"
|
|
"net/http"
|
|
|
|
"go.step.sm/linkedca"
|
|
|
|
"github.com/smallstep/certificates/authority/provisioner"
|
|
"github.com/smallstep/certificates/webhook"
|
|
)
|
|
|
|
// Controller controls webhook execution
|
|
type Controller struct {
|
|
client *http.Client
|
|
webhooks []*provisioner.Webhook
|
|
}
|
|
|
|
// New returns a new SCEP webhook Controller
|
|
func New(webhooks []*provisioner.Webhook) (*Controller, error) {
|
|
return &Controller{
|
|
client: http.DefaultClient,
|
|
webhooks: webhooks,
|
|
}, nil
|
|
}
|
|
|
|
// Validate executes zero or more configured webhooks to
|
|
// validate the SCEP challenge. If at least one of indicates
|
|
// the challenge value is accepted, validation succeeds. Other
|
|
// webhooks will not be executed. If none of the webhooks
|
|
// indicates the challenge is accepted, an error is
|
|
// returned.
|
|
func (c *Controller) Validate(ctx context.Context, challenge string) error {
|
|
for _, wh := range c.webhooks {
|
|
if wh.Kind != linkedca.Webhook_SCEPCHALLENGE.String() {
|
|
continue
|
|
}
|
|
if !c.isCertTypeOK(wh) {
|
|
continue
|
|
}
|
|
req := &webhook.RequestBody{
|
|
SCEPChallenge: challenge,
|
|
}
|
|
resp, err := wh.DoWithContext(ctx, c.client, req, nil) // TODO(hs): support templated URL? Requires some refactoring
|
|
if err != nil {
|
|
return fmt.Errorf("failed executing webhook request: %w", err)
|
|
}
|
|
if resp.Allow {
|
|
return nil // return early when response is positive
|
|
}
|
|
}
|
|
|
|
return provisioner.ErrWebhookDenied
|
|
}
|
|
|
|
// isCertTypeOK returns whether or not the webhook can be used
|
|
// with the SCEP challenge validation webhook controller.
|
|
func (c *Controller) isCertTypeOK(wh *provisioner.Webhook) bool {
|
|
if wh.CertType == linkedca.Webhook_ALL.String() || wh.CertType == "" {
|
|
return true
|
|
}
|
|
return linkedca.Webhook_X509.String() == wh.CertType
|
|
}
|