authorize: implement client certificate CRL check (#4439)

Update isValidClientCertificate() to also consult the configured
certificate revocation lists. Update existing test cases and add a new
unit test to exercise the revocation support. Restore the skipped
integration test case.

Generate new test certificates and CRLs using a new `go run`-able source
file.
Kenneth Jenkins 2023-08-03 15:59:11 -07:00 committed by GitHub
parent e91600c158
commit 9d4d31cb4f
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
9 changed files with 352 additions and 92 deletions


@ -93,6 +93,7 @@ type Evaluator struct {
policyEvaluators map[uint64]*PolicyEvaluator
headersEvaluators *HeadersEvaluator
clientCA []byte
clientCRL []byte
}
// New creates a new Evaluator.
@ -112,6 +113,7 @@ func New(ctx context.Context, store *store.Store, options ...Option) (*Evaluator
}
e.clientCA = cfg.clientCA
e.clientCRL = cfg.clientCRL
e.policyEvaluators = make(map[uint64]*PolicyEvaluator)
for i := range cfg.policies {
@ -209,7 +211,8 @@ func (e *Evaluator) evaluatePolicy(ctx context.Context, req *Request) (*PolicyRe
return nil, err
}
isValidClientCertificate, err := isValidClientCertificate(clientCA, req.HTTP.ClientCertificate)
isValidClientCertificate, err :=
isValidClientCertificate(clientCA, string(e.clientCRL), req.HTTP.ClientCertificate)
if err != nil {
return nil, fmt.Errorf("authorize: error validating client certificate: %w", err)
}