authorize: add "client-certificate-required" reason (#4389)

Add a new reason "client-certificate-required" that will be returned by the invalid_client_certificate criterion in the case that no client certificate was provided. Determine this using the new 'presented' field populated from the Envoy metadata.
2025-08-03 16:59:22 +02:00 · 2023-07-25 10:03:51 -07:00 · 2023-07-25 10:03:51 -07:00 · 8401170443
commit 8401170443
parent 638d9f3d6c
8 changed files with 202 additions and 42 deletions
--- a/pkg/policy/criteria/reasons.go
+++ b/pkg/policy/criteria/reasons.go
@ -7,31 +7,32 @@ type Reason string

 // Well-known reasons.
 const (
-	ReasonAccept                   = "accept"
-	ReasonClaimOK                  = "claim-ok"
-	ReasonClaimUnauthorized        = "claim-unauthorized"
-	ReasonCORSRequest              = "cors-request"
-	ReasonDeviceOK                 = "device-ok"
-	ReasonDeviceUnauthenticated    = "device-unauthenticated"
-	ReasonDeviceUnauthorized       = "device-unauthorized"
-	ReasonDomainOK                 = "domain-ok"
-	ReasonDomainUnauthorized       = "domain-unauthorized"
-	ReasonEmailOK                  = "email-ok"
-	ReasonEmailUnauthorized        = "email-unauthorized"
-	ReasonHTTPMethodOK             = "http-method-ok"
-	ReasonHTTPMethodUnauthorized   = "http-method-unauthorized"
-	ReasonHTTPPathOK               = "http-path-ok"
-	ReasonHTTPPathUnauthorized     = "http-path-unauthorized"
-	ReasonInvalidClientCertificate = "invalid-client-certificate"
-	ReasonNonCORSRequest           = "non-cors-request"
-	ReasonNonPomeriumRoute         = "non-pomerium-route"
-	ReasonPomeriumRoute            = "pomerium-route"
-	ReasonReject                   = "reject"
-	ReasonRouteNotFound            = "route-not-found"
-	ReasonUserOK                   = "user-ok"
-	ReasonUserUnauthenticated      = "user-unauthenticated" // user needs to log in
-	ReasonUserUnauthorized         = "user-unauthorized"    // user does not have access
-	ReasonValidClientCertificate   = "valid-client-certificate"
+	ReasonAccept                    = "accept"
+	ReasonClaimOK                   = "claim-ok"
+	ReasonClaimUnauthorized         = "claim-unauthorized"
+	ReasonClientCertificateRequired = "client-certificate-required"
+	ReasonCORSRequest               = "cors-request"
+	ReasonDeviceOK                  = "device-ok"
+	ReasonDeviceUnauthenticated     = "device-unauthenticated"
+	ReasonDeviceUnauthorized        = "device-unauthorized"
+	ReasonDomainOK                  = "domain-ok"
+	ReasonDomainUnauthorized        = "domain-unauthorized"
+	ReasonEmailOK                   = "email-ok"
+	ReasonEmailUnauthorized         = "email-unauthorized"
+	ReasonHTTPMethodOK              = "http-method-ok"
+	ReasonHTTPMethodUnauthorized    = "http-method-unauthorized"
+	ReasonHTTPPathOK                = "http-path-ok"
+	ReasonHTTPPathUnauthorized      = "http-path-unauthorized"
+	ReasonInvalidClientCertificate  = "invalid-client-certificate"
+	ReasonNonCORSRequest            = "non-cors-request"
+	ReasonNonPomeriumRoute          = "non-pomerium-route"
+	ReasonPomeriumRoute             = "pomerium-route"
+	ReasonReject                    = "reject"
+	ReasonRouteNotFound             = "route-not-found"
+	ReasonUserOK                    = "user-ok"
+	ReasonUserUnauthenticated       = "user-unauthenticated" // user needs to log in
+	ReasonUserUnauthorized          = "user-unauthorized"    // user does not have access
+	ReasonValidClientCertificate    = "valid-client-certificate"
 )

 // Reasons is a collection of reasons.