authorize/evaluator/opa: set client tls cert usage explicitly (#1026)

This commit is contained in:
Travis Groth 2020-06-29 17:21:54 -04:00 committed by GitHub
parent f8491b48ee
commit e27ee4dd32
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23


@ -10,6 +10,7 @@ import (
"github.com/rakyll/statik/fs"
_ "github.com/pomerium/pomerium/authorize/evaluator/opa/policy" // load static assets
"github.com/pomerium/pomerium/internal/log"
)
var isValidClientCertificateCache, _ = lru.New2Q(100)
@ -41,10 +42,15 @@ func isValidClientCertificate(ca, cert string) (bool, error) {
}
_, verifyErr := xcert.Verify(x509.VerifyOptions{
Roots: roots,
Roots: roots,
KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
})
valid := verifyErr == nil
if verifyErr != nil {
log.Debug().Err(verifyErr).Msg("client certificate failed verification: %w")
}
isValidClientCertificateCache.Add(cacheKey, valid)
return valid, nil
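Review bot: The new debug line passes a `%w` verb to zerolog's `Msg`, which takes a literal string and does no formatting, so the log will read `client certificate failed verification: %w` verbatim; the error is already attached by `.Err(verifyErr)`, so the call should be `log.Debug().Err(verifyErr).Msg("client certificate failed verification")`. Pinning `KeyUsages` to `ExtKeyUsageClientAuth` is the right tightening, but note that `x509.Verify` with a zero `CurrentTime` checks validity against the wall clock at call time, and the result is then stored in the 100-entry 2Q cache with no expiry, so if `cacheKey` is derived only from the `ca` and `cert` strings a certificate that passes today keeps being accepted after its `NotAfter` until it happens to be evicted; a comment such as `// NOTE: cached verdicts are not re-checked against NotAfter; consider a TTL or including a time bucket in the key` would at least make that trade-off explicit. The enclosing `isValidClientCertificate` function begins before this hunk and its closing brace lies after it.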