authorize: omit client cert rule when not needed (#4386)

Currently we always add an invalid_client_certificate deny rule to all PPL policies. Instead, let's add this rule only when a client CA is configured. This way, if a user is not using client certificates at all, they won't see any reason strings related to client certificates in the authorize logs. Change the "valid-client-certificate-or-none-required" reason string to just "valid-client-certificate" accordingly. Pass the main Evaluator config to NewPolicyEvaluator so that we can determine whether there is a client CA configured or not. Extract the existing default deny rule to a separate method. Add unit tests exercising the new behavior.
2025-08-02 00:10:45 +02:00 · 2023-07-24 15:27:57 -07:00 · 2023-07-24 15:27:57 -07:00 · 4698e4661a
commit 4698e4661a
parent 219296a875
10 changed files with 166 additions and 103 deletions
--- a/pkg/policy/parser/default_test.go
+++ b/pkg/policy/parser/default_test.go
@ -0,0 +1,20 @@
+package parser
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestAddDefaultClientCertificateRule(t *testing.T) {
+	var p Policy
+	p.AddDefaultClientCertificateRule()
+	assert.Equal(t, Policy{
+		Rules: []Rule{{
+			Action: ActionDeny,
+			Or: []Criterion{
+				{Name: "invalid_client_certificate"},
+			},
+		}},
+	}, p)
+}