authorize: do not redirect if invalid client cert (#4344)

If an authorization policy requires a client certificate, but an
incoming request does not include a valid certificate, we should serve a
deny error page right away, regardless of whether the user is
authenticated via the identity provider or not. Do not redirect to the
identity provider login page in this case.

Update the existing integration tests accordingly, and add a unit test
case for this scenario.
Kenneth Jenkins 2023-07-10 16:39:26 -07:00 committed by GitHub
parent f87aaffe16
commit 5459e6940a
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 50 additions and 25 deletions


@ -32,6 +32,12 @@ func (a *Authorize) handleResult(
request *evaluator.Request,
result *evaluator.Result,
) (*envoy_service_auth_v3.CheckResponse, error) {
// If a client certificate is required, but the client did not provide a
// valid certificate, deny right away. Do not redirect to authenticate.
if result.Deny.Reasons.Has(criteria.ReasonInvalidClientCertificate) {
return a.handleResultDenied(ctx, in, request, result, result.Deny.Reasons)
}
// when the user is unauthenticated it means they haven't
// logged in yet, so redirect to authenticate
if result.Allow.Reasons.Has(criteria.ReasonUserUnauthenticated) ||
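Review bot: the early return added at the top of handleResult keys only on the presence of criteria.ReasonInvalidClientCertificate in result.Deny.Reasons, not on whether the deny evaluation itself fired, so confirm the evaluator only records that reason when the deny rule is true; if the reason set can be populated on a non-denying result, gate the return on the deny outcome as well (for example `if result.Deny.Value && result.Deny.Reasons.Has(...)`, assuming the rule result carries such a flag). Placing this return ahead of the ReasonUserUnauthenticated branch is what makes an unauthenticated client with a missing or invalid certificate get the deny page instead of the identity-provider redirect, which matches the commit message; the new unit test should exercise exactly that combined case (no valid client certificate and no session) so the ordering of the two checks cannot regress silently.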