From b0d24fb801dab2be71b3375829cfb6f6c3d7d072 Mon Sep 17 00:00:00 2001
From: Mariano Cano
Date: Fri, 16 Sep 2022 12:35:09 -0700
Subject: [PATCH 1/2] Fix test with gcloud local credentialss

---
 cas/cloudcas/cloudcas_test.go | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/cas/cloudcas/cloudcas_test.go b/cas/cloudcas/cloudcas_test.go
index eee25956..e5fbf58e 100644
--- a/cas/cloudcas/cloudcas_test.go
+++ b/cas/cloudcas/cloudcas_test.go
@@ -14,6 +14,7 @@ import (
 "io"
 "net"
 "os"
+"path/filepath"
 "reflect"
 "testing"
 "time"
@@ -402,6 +403,14 @@ func TestNew_real(t *testing.T) {
 })
 }
 
+failDefaultCredentials := true
+if home, err := os.UserHomeDir(); err == nil {
+file := filepath.Join(home, ".config", "gcloud", "application_default_credentials.json")
+if _, err := os.Stat(file); err == nil {
+failDefaultCredentials = false
+}
+}
+
 type args struct {
 ctx context.Context
 opts apiv1.Options
@@ -412,7 +421,7 @@ func TestNew_real(t *testing.T) {
 args args
 wantErr bool
 }{
-{"fail default credentials", true, args{context.Background(), apiv1.Options{CertificateAuthority: testAuthorityName}}, true},
+{"fail default credentials", true, args{context.Background(), apiv1.Options{CertificateAuthority: testAuthorityName}}, failDefaultCredentials},
 {"fail certificate authority", false, args{context.Background(), apiv1.Options{}}, true},
 {"fail with credentials", false, args{context.Background(), apiv1.Options{
 CertificateAuthority: testAuthorityName, CredentialsFile: "testdata/missing.json",

From 34c6c65671ec59fc63a045bd128d3a35a6f4fb7b Mon Sep 17 00:00:00 2001
From: Mariano Cano
Date: Fri, 16 Sep 2022 12:37:41 -0700
Subject: [PATCH 2/2] Pass attestation information to the Sign method

Attestation information might be useful in authorizing webhooks
---
 acme/order.go | 10 ++++++++++
 authority/provisioner/sign_options.go | 6 ++++++
 authority/tls.go | 6 ++++++
 3 files changed, 22 insertions(+)
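Review bot: The guard in the second hunk decides `failDefaultCredentials` only from the presence of `~/.config/gcloud/application_default_credentials.json`, but the Application Default Credentials lookup also honours the `GOOGLE_APPLICATION_CREDENTIALS` environment variable (and, on GCP hosts, the metadata server), so the "fail default credentials" row can still expect an error on a machine where `New` succeeds. Consider also clearing the flag when that variable is set, e.g. `if _, ok := os.LookupEnv("GOOGLE_APPLICATION_CREDENTIALS"); ok { failDefaultCredentials = false }`, and note that the well-known file lives under `%APPDATA%` rather than `~/.config` on Windows. The `true` in the second column of the changed table row looks like a skip flag whose handling is outside the hunk, so how often this bites depends on that loop. `TestNew_real`'s body starts before and ends after all three hunks.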
diff --git a/acme/order.go b/acme/order.go
index ee76a364..2eddad53 100644
--- a/acme/order.go
+++ b/acme/order.go
@@ -157,6 +157,9 @@ func (o *Order) Finalize(ctx context.Context, db DB, csr *x509.CertificateReques
 data := x509util.NewTemplateData()
 data.SetCommonName(csr.Subject.CommonName)
 
+// Custom sign options passed to authority.Sign
+var extraOptions []provisioner.SignOption
+
 // TODO: support for multiple identifiers?
 var permanentIdentifier string
 for i := range o.Identifiers {
@@ -173,6 +176,9 @@ func (o *Order) Finalize(ctx context.Context, db DB, csr *x509.CertificateReques
 Type: x509util.PermanentIdentifierType,
 Value: permanentIdentifier,
 })
+extraOptions = append(extraOptions, provisioner.AttestationData{
+PermanentIdentifier: permanentIdentifier,
+})
 } else {
 defaultTemplate = x509util.DefaultLeafTemplate
 sans, err := o.sans(csr)
@@ -193,7 +199,11 @@ func (o *Order) Finalize(ctx context.Context, db DB, csr *x509.CertificateReques
 if err != nil {
 return WrapErrorISE(err, "error creating template options from ACME provisioner")
 }
+
+// Build extra signing options.
 signOps = append(signOps, templateOptions)
+signOps = append(signOps, extraOptions...)
+
 // Sign a new certificate.
 certChain, err := auth.Sign(csr, provisioner.SignOptions{
 NotBefore: provisioner.NewTimeDuration(o.NotBefore),
diff --git a/authority/provisioner/sign_options.go b/authority/provisioner/sign_options.go
index c3868e5f..8a0363a6 100644
--- a/authority/provisioner/sign_options.go
+++ b/authority/provisioner/sign_options.go
@@ -77,6 +77,12 @@ func (fn CertificateEnforcerFunc) Enforce(cert *x509.Certificate) error {
 return fn(cert)
 }
 
+// AttestationData is a SignOption used to pass attestation information to the
+// sign methods.
+type AttestationData struct {
+PermanentIdentifier string
+}
+
 // emailOnlyIdentity is a CertificateRequestValidator that checks that the only
 // SAN provided is the given email address.
 type emailOnlyIdentity string
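Review bot: The `AttestationData` appended in the second order.go hunk carries `permanentIdentifier` straight from the order's identifier list, and nothing in these hunks says what makes that value trustworthy, which matters because the commit message intends it for webhook authorization. A comment at the append site should state that explicitly, e.g. `// Forward the order's permanent identifier to authority.Sign; its trustworthiness rests on the attestation challenge having been completed before Finalize (not re-checked here).` — whether that ordering actually holds is decided outside this hunk and should be confirmed. The same caveat belongs on the `// Custom sign options passed to authority.Sign` comment in the first hunk, which could also say the slice is only populated for permanent-identifier orders, and the `// Build extra signing options.` comment in the third hunk sits above the `templateOptions` append rather than the `extraOptions...` append it describes. `Finalize` starts before and ends after all three hunks.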
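Review bot: The exported field `PermanentIdentifier` in the sign_options.go hunk has no doc comment, and the type comment does not say how the option is consumed. Elsewhere in this series `acme.Order.Finalize` constructs it as a value and `Authority.Sign` matches `case provisioner.AttestationData:` by value, so a `*AttestationData` would fall through to the `default` branch and be rejected as an invalid option; that constraint is worth stating on the type. Suggested field comment: `// PermanentIdentifier is the permanent-identifier value of the ACME order being finalized.`, plus a sentence on the type along the lines of `// It must be passed to Sign by value, not as a pointer.`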
diff --git a/authority/tls.go b/authority/tls.go
index c7e2dd09..632ac238 100644
--- a/authority/tls.go
+++ b/authority/tls.go
@@ -94,6 +94,7 @@ func (a *Authority) Sign(csr *x509.CertificateRequest, signOpts provisioner.Sign
 var prov provisioner.Interface
 var pInfo *casapi.ProvisionerInfo
+var attData provisioner.AttestationData
 for _, op := range extraOpts {
 switch k := op.(type) {
 // Capture current provisioner
@@ -129,6 +130,11 @@ func (a *Authority) Sign(csr *x509.CertificateRequest, signOpts provisioner.Sign
 case provisioner.CertificateEnforcer:
 certEnforcers = append(certEnforcers, k)
+// Extra information from ACME attestations.
+case provisioner.AttestationData:
+attData = k
+// TODO(mariano,areed): remove me once attData is used.
+_ = attData
 default:
 return nil, errs.InternalServer("authority.Sign; invalid extra option type %T", append([]interface{}{k}, opts...)...)
 }
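Review bot: In the second hunk `attData` is assigned and then discarded with `_ = attData`, so the option is accepted but has no effect and is not enforced; the `// Extra information from ACME attestations.` comment should say so until the TODO is resolved, e.g. `// Attestation data forwarded by the ACME finalize flow; currently captured but unused.` Note also that `Sign` accepts `AttestationData` from any caller that supplies extra options, not only from `acme.Order.Finalize`, and a repeated option silently overwrites the earlier value, so when this is wired to webhooks the consumer should treat it as caller-supplied context unless the verification happens here. `Sign`'s body starts before and ends after both hunks.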