3pp-mirror/pomerium
1
0
Fork 0
mirror of https://github.com/pomerium/pomerium.git synced 2025-08-06 10:21:05 +02:00
Code Issues Projects Releases Packages Wiki Activity

authorize/evaluator/opa: set client tls cert usage explicitly (#1026)

Browse source
This commit is contained in:
Travis Groth 2020-06-29 17:21:54 -04:00 committed by GitHub
parent f8491b48ee
commit e27ee4dd32
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1 changed files with 7 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

6
authorize/evaluator/functions.go
View file

@ -10,6 +10,7 @@ import (
"github.com/rakyll/statik/fs" "github.com/rakyll/statik/fs"
_ "github.com/pomerium/pomerium/authorize/evaluator/opa/policy" // load static assets _ "github.com/pomerium/pomerium/authorize/evaluator/opa/policy" // load static assets
"github.com/pomerium/pomerium/internal/log"
) )
var isValidClientCertificateCache, _ = lru.New2Q(100) var isValidClientCertificateCache, _ = lru.New2Q(100)
@ -42,9 +43,14 @@ func isValidClientCertificate(ca, cert string) (bool, error) {
_, verifyErr := xcert.Verify(x509.VerifyOptions{ _, verifyErr := xcert.Verify(x509.VerifyOptions{
Roots: roots, Roots: roots,
KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
}) })
valid := verifyErr == nil valid := verifyErr == nil
if verifyErr != nil {
log.Debug().Err(verifyErr).Msg("client certificate failed verification: %w")
}
isValidClientCertificateCache.Add(cacheKey, valid) isValidClientCertificateCache.Add(cacheKey, valid)
return valid, nil return valid, nil