authorize: add "client-certificate-required" reason (#4389)

Add a new reason "client-certificate-required" that will be returned by the invalid_client_certificate criterion in the case that no client certificate was provided. Determine this using the new 'presented' field populated from the Envoy metadata.
2025-08-03 00:40:25 +02:00 · 2023-07-25 10:03:51 -07:00 · 2023-07-25 10:03:51 -07:00 · 8401170443
commit 8401170443
parent 638d9f3d6c
8 changed files with 202 additions and 42 deletions
--- a/pkg/policy/criteria/invalid_client_certificate_test.go
+++ b/pkg/policy/criteria/invalid_client_certificate_test.go
@ -0,0 +1,60 @@
+package criteria
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestInvalidClientCertificate(t *testing.T) {
+	t.Parallel()
+
+	cases := []struct {
+		label    string
+		input    Input
+		expected A
+	}{
+		{
+			"not presented",
+			Input{},
+			A{true, A{ReasonClientCertificateRequired}, M{}},
+		},
+		{
+			"invalid",
+			Input{
+				HTTP: InputHTTP{
+					ClientCertificate: ClientCertificateInfo{Presented: true},
+				},
+			},
+			A{true, A{ReasonInvalidClientCertificate}, M{}},
+		},
+		{
+			"valid",
+			Input{
+				HTTP: InputHTTP{
+					ClientCertificate: ClientCertificateInfo{Presented: true},
+				},
+				IsValidClientCertificate: true,
+			},
+			A{false, A{ReasonValidClientCertificate}, M{}},
+		},
+	}
+
+	const policy = `
+deny:
+  or:
+    - invalid_client_certificate: true`
+
+	for i := range cases {
+		c := cases[i]
+		t.Run(c.label, func(t *testing.T) {
+			t.Parallel()
+
+			res, err := evaluate(t, policy, []dataBrokerRecord{}, c.input)
+			require.NoError(t, err)
+			assert.Equal(t, A{false, A{}}, res["allow"])
+			assert.Equal(t, c.expected, res["deny"])
+		})
+	}
+}