config: support client certificate SAN match (#4453)

Add a new match_subject_alt_names option to the downstream_mtls settings
group. This setting can be used to further constrain the allowed client
certificates by requiring that certificates contain a Subject
Alternative Name of a particular type, matching a particular regex.

When set, populate the corresponding match_typed_subject_alt_names
setting within Envoy, and also implement a corresponding check in the
authorize service.
This commit is contained in:
Kenneth Jenkins 2023-08-11 13:27:12 -07:00 committed by GitHub
parent cc1ef1ae18
commit 5568606f03
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
10 changed files with 638 additions and 52 deletions


@ -120,8 +120,10 @@ func newPolicyEvaluator(opts *config.Options, store *store.Store) (*evaluator.Ev
addDefaultClientCertificateRule :=
opts.DownstreamMTLS.GetEnforcement() != config.MTLSEnforcementPolicy
clientCertConstraints := evaluator.ClientCertConstraints{
MaxVerifyDepth: opts.DownstreamMTLS.GetMaxVerifyDepth(),
clientCertConstraints, err := evaluator.ClientCertConstraintsFromConfig(&opts.DownstreamMTLS)
if err != nil {
return nil, fmt.Errorf(
"authorize: internal error: couldn't build client cert constraints: %w", err)
}
return evaluator.New(ctx, store,