authorize: omit client cert rule when not needed (#4386)

Currently we always add an invalid_client_certificate deny rule to all
PPL policies. Instead, let's add this rule only when a client CA is
configured. This way, if a user is not using client certificates at all,
they won't see any reason strings related to client certificates in the
authorize logs.

Change the "valid-client-certificate-or-none-required" reason string to
just "valid-client-certificate" accordingly.

Pass the main Evaluator config to NewPolicyEvaluator so that we can
determine whether there is a client CA configured or not. Extract the
existing default deny rule to a separate method. Add unit tests
exercising the new behavior.
Kenneth Jenkins 2023-07-24 15:27:57 -07:00 committed by GitHub
parent 219296a875
commit 4698e4661a
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
10 changed files with 166 additions and 103 deletions


@ -79,13 +79,6 @@ func (p *Policy) ToPPL() *parser.Policy {
}
ppl.Rules = append(ppl.Rules, allowRule)
denyRule := parser.Rule{Action: parser.ActionDeny}
denyRule.Or = append(denyRule.Or,
parser.Criterion{
Name: "invalid_client_certificate",
})
ppl.Rules = append(ppl.Rules, denyRule)
// append embedded PPL policy rules
if p.Policy != nil && p.Policy.Policy != nil {
ppl.Rules = append(ppl.Rules, p.Policy.Policy.Rules...)
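Review bot: this hunk only deletes the unconditional invalid_client_certificate deny rule from ToPPL, so on its own it weakens every policy: a request presenting an invalid client certificate would now fall through to the allow rule or the embedded policy rules instead of being denied. The commit message says the rule is re-added only when a client CA is configured (via the Evaluator config passed to NewPolicyEvaluator and the extracted default-deny method), so please confirm in review that the gated addition lands in the same change and that the new unit tests cover both the CA-configured case (invalid cert still denied, reason "invalid_client_certificate") and the no-CA case (no certificate-related reason strings). It would also help to leave a one-line comment where the deny rule used to be, pointing at the method that now adds it, so a later reader of ToPPL does not assume client-certificate checks were dropped.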