mirror of
https://github.com/pomerium/pomerium.git
synced 2025-07-20 10:08:38 +02:00
authorize: incorporate mTLS validation from Envoy
Configure Envoy to validate client certificates, using the union of all relevant client CA bundles (that is, a bundle of the main client CA setting together with all per-route client CAs). Pass the validation status from Envoy through to the authorize service, by configuring Envoy to use the newly-added SetClientCertificateMetadata filter, and by also adding the relevant metadata namespace to the ExtAuthz configuration. Remove the existing 'include_peer_certificate' setting from the ExtAuthz configuration, as the metadata from the Lua filter will include the full certificate chain (when it validates successfully by Envoy). Update policy evaluation to consider the validation status from Envoy, in addition to its own certificate chain validation. (Policy evaluation cannot rely solely on the Envoy validation status while we still support the per-route client CA setting.)
This commit is contained in:
Kenneth Jenkins
parent
8e4f728c11
commit
36ba83a6b0
11 changed files with 409 additions and 86 deletions
|
|
@ -95,27 +95,48 @@ Y+E5W+FKfIBv9yvdNBYZsL6IZ0Yh1ctKwB5gnajO8+swx5BeaCIbBrCtOBSB
|
|||
|
||||
func Test_isValidClientCertificate(t *testing.T) {
|
||||
t.Run("no ca", func(t *testing.T) {
|
||||
valid, err := isValidClientCertificate("", "WHATEVER!")
|
||||
valid, err := isValidClientCertificate("", ClientCertificateInfo{Leaf: "WHATEVER!"})
|
||||
assert.NoError(t, err, "should not return an error")
|
||||
assert.True(t, valid, "should return true")
|
||||
})
|
||||
t.Run("no cert", func(t *testing.T) {
|
||||
valid, err := isValidClientCertificate(testCA, "")
|
||||
valid, err := isValidClientCertificate(testCA, ClientCertificateInfo{})
|
||||
assert.NoError(t, err, "should not return an error")
|
||||
assert.False(t, valid, "should return false")
|
||||
})
|
||||
t.Run("valid cert", func(t *testing.T) {
|
||||
valid, err := isValidClientCertificate(testCA, testValidCert)
|
||||
valid, err := isValidClientCertificate(testCA, ClientCertificateInfo{
|
||||
Presented: true,
|
||||
Validated: true,
|
||||
Leaf: testValidCert,
|
||||
})
|
||||
assert.NoError(t, err, "should not return an error")
|
||||
assert.True(t, valid, "should return true")
|
||||
})
|
||||
t.Run("cert not externally validated", func(t *testing.T) {
|
||||
valid, err := isValidClientCertificate(testCA, ClientCertificateInfo{
|
||||
Presented: true,
|
||||
Validated: false,
|
||||
Leaf: testValidCert,
|
||||
})
|
||||
assert.NoError(t, err, "should not return an error")
|
||||
assert.False(t, valid, "should return false")
|
||||
})
|
||||
t.Run("unsigned cert", func(t *testing.T) {
|
||||
valid, err := isValidClientCertificate(testCA, testUnsignedCert)
|
||||
valid, err := isValidClientCertificate(testCA, ClientCertificateInfo{
|
||||
Presented: true,
|
||||
Validated: true,
|
||||
Leaf: testUnsignedCert,
|
||||
})
|
||||
assert.NoError(t, err, "should not return an error")
|
||||
assert.False(t, valid, "should return false")
|
||||
})
|
||||
t.Run("not a cert", func(t *testing.T) {
|
||||
valid, err := isValidClientCertificate(testCA, "WHATEVER!")
|
||||
valid, err := isValidClientCertificate(testCA, ClientCertificateInfo{
|
||||
Presented: true,
|
||||
Validated: true,
|
||||
Leaf: "WHATEVER!",
|
||||
})
|
||||
assert.Error(t, err, "should return an error")
|
||||
assert.False(t, valid, "should return false")
|
||||
})
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue