From 66dadf7c9f25d061668aa817e630aa52629f22e4 Mon Sep 17 00:00:00 2001
From: "backport-actions-token[bot]" <87506591+backport-actions-token[bot]@users.noreply.github.com>
Date: Thu, 4 May 2023 21:35:00 +0000
Subject: [PATCH] envoyconfig: disable validation context when no client certificates are required (#4152)

envoyconfig: disable validation context when no client certificates are required (#4151)

Co-authored-by: Caleb Doxsey
---
 config/envoyconfig/listeners.go | 13 +++++++++++++
 config/envoyconfig/listeners_test.go | 15 +++------------
 2 files changed, 16 insertions(+), 12 deletions(-)

diff --git a/config/envoyconfig/listeners.go b/config/envoyconfig/listeners.go
index 9776ff9e1..d93be4683 100644
--- a/config/envoyconfig/listeners.go
+++ b/config/envoyconfig/listeners.go
@@ -531,6 +531,19 @@ func (b *Builder) buildDownstreamValidationContext(
 ctx context.Context,
 cfg *config.Config,
 ) *envoy_extensions_transport_sockets_tls_v3.CommonTlsContext_ValidationContext {
+ needsClientCert := false
+ if ca, _ := cfg.Options.GetClientCA(); len(ca) > 0 {
+ needsClientCert = true
+ }
+ for _, p := range cfg.Options.GetAllPolicies() {
+ if p.TLSDownstreamClientCA != "" || p.TLSDownstreamClientCAFile != "" {
+ needsClientCert = true
+ }
+ }
+ if !needsClientCert {
+ return nil
+ }
+
 // trusted_ca is left blank because we verify the client certificate in the authorize service
 vc := &envoy_extensions_transport_sockets_tls_v3.CommonTlsContext_ValidationContext{
 ValidationContext: &envoy_extensions_transport_sockets_tls_v3.CertificateValidationContext{
diff --git a/config/envoyconfig/listeners_test.go b/config/envoyconfig/listeners_test.go
index 898e04d72..282f7e071 100644
--- a/config/envoyconfig/listeners_test.go
+++ b/config/envoyconfig/listeners_test.go
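Review bot: The second return value of `cfg.Options.GetClientCA()` is discarded on the first added `if` line, so if it is an error (as its position suggests) and the configured client CA cannot be loaded, `needsClientCert` stays false and the function returns nil — the listener then stops requesting client certificates entirely, turning a CA load failure into a silent fail-open instead of a visible misconfiguration. Prefer to treat a load error as "a client CA is configured" so the previous request-and-defer-to-authorize behaviour is kept until the config is fixed: `ca, err := cfg.Options.GetClientCA()` / `if err != nil || len(ca) > 0 {` / `needsClientCert = true`, and surface err through whatever logging the package already uses. The policy loop can also `break` on the first match, and a one-line comment such as `// Only request a client certificate when a global or per-policy client CA is configured; otherwise Envoy must not send a CertificateRequest.` would record why nil is returned. buildDownstreamValidationContext continues past the end of this hunk.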
@@ -89,10 +89,7 @@ func Test_buildDownstreamTLSContext(t *testing.T) {
 ],
 "tlsMinimumProtocolVersion": "TLSv1_2"
 },
- "alpnProtocols": ["h2", "http/1.1"],
- "validationContext": {
- "trustChainVerification": "ACCEPT_UNTRUSTED"
- }
+ "alpnProtocols": ["h2", "http/1.1"]
 }
 }`, downstreamTLSContext)
 })
@@ -173,10 +170,7 @@ func Test_buildDownstreamTLSContext(t *testing.T) {
 ],
 "tlsMinimumProtocolVersion": "TLSv1_2"
 },
- "alpnProtocols": ["http/1.1"],
- "validationContext": {
- "trustChainVerification": "ACCEPT_UNTRUSTED"
- }
+ "alpnProtocols": ["http/1.1"]
 }
 }`, downstreamTLSContext)
 })
@@ -201,10 +195,7 @@ func Test_buildDownstreamTLSContext(t *testing.T) {
 ],
 "tlsMinimumProtocolVersion": "TLSv1_2"
 },
- "alpnProtocols": ["h2"],
- "validationContext": {
- "trustChainVerification": "ACCEPT_UNTRUSTED"
- }
+ "alpnProtocols": ["h2"]
 }
 }`, downstreamTLSContext)
 })
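Review bot: All three sub-tests touched here (this hunk and the two that follow it in Test_buildDownstreamTLSContext) only assert the no-client-CA case, where `validationContext` is now expected to be absent; nothing in the changed assertions exercises the new branch that keeps the context when `GetClientCA()` returns a CA or a policy sets `TLSDownstreamClientCA`/`TLSDownstreamClientCAFile`. Without that case a future regression that always returns nil would pass this test while silently dropping client-certificate requests on every listener. A fourth sub-test that configures a client CA and asserts the `"validationContext": { "trustChainVerification": "ACCEPT_UNTRUSTED" }` block is still emitted would pin the fail-closed side of the change. Test_buildDownstreamTLSContext begins before this hunk.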