From 11b093981f52f162bffc6283fdead9eb719ebe96 Mon Sep 17 00:00:00 2001
From: Andrew Duthie
Date: Thu, 9 May 2024 16:58:20 -0400
Subject: [PATCH] LG-13300: Include key_id in valid certificate token
---
 app/models/certificate.rb | 1 +
 spec/controllers/identify_controller_spec.rb | 3 ++-
 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/app/models/certificate.rb b/app/models/certificate.rb
index 5754c1590..5bea31b2a 100644
--- a/app/models/certificate.rb
+++ b/app/models/certificate.rb
@@ -193,6 +193,7 @@ def token_for_valid_certificate(extra)
 subject: subject_s,
 issuer: issuer.to_s,
 uuid: piv.uuid,
+ key_id: key_id,
 )
 )
 end
diff --git a/spec/controllers/identify_controller_spec.rb b/spec/controllers/identify_controller_spec.rb
index 0a122df50..eecd5d35c 100644
--- a/spec/controllers/identify_controller_spec.rb
+++ b/spec/controllers/identify_controller_spec.rb
@@ -135,7 +135,7 @@
 allow(OcspService).to receive(:new).and_return(ocsp_responder)
 end
- it 'returns a token with a uuid and subject and logs certificate metadata' do
+ it 'returns a token with a uuid, subject, key id, and logs certificate metadata' do
 allow(IdentityConfig.store).to receive(:client_cert_escaped).and_return(true)
 cert = Certificate.new(client_cert)
@@ -169,6 +169,7 @@
 expect(token).to be_truthy
 expect(token_contents['nonce']).to eq '123'
+ expect(token_contents['key_id']).to eq(cert.key_id)
 # N.B.: we do this split/sort because DNs match without respect to
 # ordering of components. OpenSSL::X509::Name doesn't match correctly.
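Review bot: In `token_for_valid_certificate` (app/models/certificate.rb), `key_id: key_id` is added to the token payload with no guard or comment covering a certificate for which `key_id` has no value. The hunk does not show how `key_id` is derived, so this is inferred: if it can be nil, the token carries a null `key_id` and whatever consumes the token must treat that as absent rather than as a usable certificate identifier. A comment above the field such as `# key_id may be nil; consumers must not match certificates on a blank value` would make that contract explicit. The new spec assertion `expect(token_contents['key_id']).to eq(cert.key_id)` also passes when both sides are nil, so a preceding `expect(cert.key_id).not_to be_nil` would pin the intended behavior. The method body and the call that builds the token start outside this hunk.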