envoyconfig: disable validation context when no client certificates are required (#4152)

envoyconfig: disable validation context when no client certificates are required (#4151)

Co-authored-by: Caleb Doxsey <cdoxsey@pomerium.com>
backport-actions-token[bot] 2023-05-04 21:35:00 +00:00 committed by GitHub
parent 0cc9da26cf
commit 66dadf7c9f
2 changed files with 16 additions and 12 deletions


@ -531,6 +531,19 @@ func (b *Builder) buildDownstreamValidationContext(
ctx context.Context,
cfg *config.Config,
) *envoy_extensions_transport_sockets_tls_v3.CommonTlsContext_ValidationContext {
needsClientCert := false
if ca, _ := cfg.Options.GetClientCA(); len(ca) > 0 {
needsClientCert = true
}
for _, p := range cfg.Options.GetAllPolicies() {
if p.TLSDownstreamClientCA != "" || p.TLSDownstreamClientCAFile != "" {
needsClientCert = true
}
}
if !needsClientCert {
return nil
}
// trusted_ca is left blank because we verify the client certificate in the authorize service
vc := &envoy_extensions_transport_sockets_tls_v3.CommonTlsContext_ValidationContext{
ValidationContext: &envoy_extensions_transport_sockets_tls_v3.CertificateValidationContext{
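Review bot: The second return value of `cfg.Options.GetClientCA()` (presumably an error) is discarded on the `if ca, _ :=` line, so a client CA that is configured but cannot be loaded yields an empty `ca`, `needsClientCert` stays false and the function returns nil — the downstream listener then silently drops the client-certificate request instead of surfacing the misconfiguration. Whether that fails open or closed depends on how the authorize service treats a missing CA, which is not visible here, but a security control that quietly disables itself on a read error is the wrong default; treat an error as requiring a client cert, e.g. `if ca, err := cfg.Options.GetClientCA(); err != nil || len(ca) > 0 {`, or at least log it. Secondarily, the policy loop can `break` as soon as one policy sets `TLSDownstreamClientCA` or `TLSDownstreamClientCAFile`. The body of buildDownstreamValidationContext continues past the end of this hunk.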


@ -89,10 +89,7 @@ func Test_buildDownstreamTLSContext(t *testing.T) {
],
"tlsMinimumProtocolVersion": "TLSv1_2"
},
"alpnProtocols": ["h2", "http/1.1"],
"validationContext": {
"trustChainVerification": "ACCEPT_UNTRUSTED"
}
"alpnProtocols": ["h2", "http/1.1"]
}
}`, downstreamTLSContext)
})
@ -173,10 +170,7 @@ func Test_buildDownstreamTLSContext(t *testing.T) {
],
"tlsMinimumProtocolVersion": "TLSv1_2"
},
"alpnProtocols": ["http/1.1"],
"validationContext": {
"trustChainVerification": "ACCEPT_UNTRUSTED"
}
"alpnProtocols": ["http/1.1"]
}
}`, downstreamTLSContext)
})
@ -201,10 +195,7 @@ func Test_buildDownstreamTLSContext(t *testing.T) {
],
"tlsMinimumProtocolVersion": "TLSv1_2"
},
"alpnProtocols": ["h2"],
"validationContext": {
"trustChainVerification": "ACCEPT_UNTRUSTED"
}
"alpnProtocols": ["h2"]
}
}`, downstreamTLSContext)
})
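Review bot: All three hunks only exercise the new nil path — every remaining expectation is for a configuration without a client CA, and no case pins the positive branch, so a regression that returns nil unconditionally from buildDownstreamValidationContext would still pass this file. Add a subtest that sets the global client CA option (or a policy with `TLSDownstreamClientCA`) and asserts the downstream TLS context still contains `"validationContext": {"trustChainVerification": "ACCEPT_UNTRUSTED"}`, mirroring the lines removed here. Test_buildDownstreamTLSContext starts and ends outside these hunks.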