envoyconfig: disable validation context when no client certificates are required (#4152)
envoyconfig: disable validation context when no client certificates are required (#4151) Co-authored-by: Caleb Doxsey <cdoxsey@pomerium.com>
This commit is contained in:
parent
0cc9da26cf
commit
66dadf7c9f
2 changed files with 16 additions and 12 deletions
@ -531,6 +531,19 @@ func (b *Builder) buildDownstreamValidationContext(
ctx context.Context,
ctx context.Context,
cfg *config.Config,
cfg *config.Config,
) *envoy_extensions_transport_sockets_tls_v3.CommonTlsContext_ValidationContext {
) *envoy_extensions_transport_sockets_tls_v3.CommonTlsContext_ValidationContext {
needsClientCert := false
if ca, _ := cfg.Options.GetClientCA(); len(ca) > 0 {
needsClientCert = true
}
for _, p := range cfg.Options.GetAllPolicies() {
if p.TLSDownstreamClientCA != "" || p.TLSDownstreamClientCAFile != "" {
needsClientCert = true
}
}
if !needsClientCert {
return nil
}
// trusted_ca is left blank because we verify the client certificate in the authorize service
// trusted_ca is left blank because we verify the client certificate in the authorize service
vc := &envoy_extensions_transport_sockets_tls_v3.CommonTlsContext_ValidationContext{
vc := &envoy_extensions_transport_sockets_tls_v3.CommonTlsContext_ValidationContext{
ValidationContext: &envoy_extensions_transport_sockets_tls_v3.CertificateValidationContext{
ValidationContext: &envoy_extensions_transport_sockets_tls_v3.CertificateValidationContext{
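Review bot: The error from `cfg.Options.GetClientCA()` is discarded in the `if ca, _ := ...` guard, so a client CA that is configured but fails to load (unreadable file, malformed value) comes back empty, leaves `needsClientCert` false and drops the validation context entirely; Envoy then never requests a client certificate, and the authorize service that the comment below says verifies it never sees one, which fails open relative to the operator's intent. Whether an earlier config-validation pass already rejects such a CA is not visible here; if it does not, treat the error as "a client CA is configured" and surface it: `ca, err := cfg.Options.GetClientCA()` / `if err != nil || len(ca) > 0 { needsClientCert = true }`, logging `err` through `ctx` where the package's logger allows. A comment above the early return, `// no client CA is configured globally or on any policy: return nil so the listener does not request a client certificate at all`, would record why nil replaces the previous ACCEPT_UNTRUSTED context. buildDownstreamValidationContext's body continues past the end of the hunk.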
@ -89,10 +89,7 @@ func Test_buildDownstreamTLSContext(t *testing.T) {
],
],
"tlsMinimumProtocolVersion": "TLSv1_2"
"tlsMinimumProtocolVersion": "TLSv1_2"
},
},
"alpnProtocols": ["h2", "http/1.1"],
"alpnProtocols": ["h2", "http/1.1"]
"validationContext": {
"trustChainVerification": "ACCEPT_UNTRUSTED"
}
}
}
}`, downstreamTLSContext)
}`, downstreamTLSContext)
})
})
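Review bot: These hunks only update the negative expectation, removing `"validationContext"` from the three listener fixtures, but no visible assertion covers the branch the commit introduces, where a global client CA or a policy with `TLSDownstreamClientCA`/`TLSDownstreamClientCAFile` set must still produce `"validationContext": {"trustChainVerification": "ACCEPT_UNTRUSTED"}`. Without such a case a regression that drops the context unconditionally would pass this file. Unless it exists elsewhere in the file (not visible here), add a subtest that sets `TLSDownstreamClientCA` on one policy and asserts the context is still emitted, so both sides of the new condition are pinned. Test_buildDownstreamTLSContext continues past the end of the hunk.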
@ -173,10 +170,7 @@ func Test_buildDownstreamTLSContext(t *testing.T) {
],
],
"tlsMinimumProtocolVersion": "TLSv1_2"
"tlsMinimumProtocolVersion": "TLSv1_2"
},
},
"alpnProtocols": ["http/1.1"],
"alpnProtocols": ["http/1.1"]
"validationContext": {
"trustChainVerification": "ACCEPT_UNTRUSTED"
}
}
}
}`, downstreamTLSContext)
}`, downstreamTLSContext)
})
})
@ -201,10 +195,7 @@ func Test_buildDownstreamTLSContext(t *testing.T) {
],
],
"tlsMinimumProtocolVersion": "TLSv1_2"
"tlsMinimumProtocolVersion": "TLSv1_2"
},
},
"alpnProtocols": ["h2"],
"alpnProtocols": ["h2"]
"validationContext": {
"trustChainVerification": "ACCEPT_UNTRUSTED"
}
}
}
}`, downstreamTLSContext)
}`, downstreamTLSContext)
})
})