3pp-mirror/pomerium
1
0
Fork 0
mirror of https://github.com/pomerium/pomerium.git synced 2025-05-21 21:17:13 +02:00
Code Issues Projects Releases Packages Wiki Activity

authorize: remove incorrect "valid-client-certificate" reason (#4470)

Browse source 
Fix the logic around when to add the default invalid_client_certificate
rule: this should only be added if mTLS is enabled and the enforcement
mode is not set to "policy". Add a unit test for this logic.
This commit is contained in:
Kenneth Jenkins 2023-08-17 08:13:57 -07:00 committed by GitHub
parent a83375db7f
commit e448909042
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
4 changed files with 130 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

53
authorize/authorize_test.go
View file

@ -7,7 +7,10 @@ import (
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
"github.com/pomerium/pomerium/authorize/evaluator"
"github.com/pomerium/pomerium/authorize/internal/store"
"github.com/pomerium/pomerium/config"
"github.com/pomerium/pomerium/pkg/policy/criteria"
)
func TestNew(t *testing.T) {
@ -138,3 +141,53 @@ func testPolicies(t *testing.T) []config.Policy {
}
return policies
}
func TestNewPolicyEvaluator_addDefaultClientCertificateRule(t *testing.T) {
t.Parallel()
resultFalse := evaluator.NewRuleResult(false) // no mention of client certificates
resultClientCertificateRequired := evaluator.NewRuleResult(true,
criteria.ReasonClientCertificateRequired)
cases := []struct {
label string
opts *config.Options
expected evaluator.RuleResult
}{
{"zero", &config.Options{}, resultFalse},
{"default", config.NewDefaultOptions(), resultFalse},
{"client CA, default enforcement", &config.Options{
DownstreamMTLS: config.DownstreamMTLSSettings{CA: "ZmFrZSBDQQ=="},
}, resultClientCertificateRequired},
{"client CA, reject connection", &config.Options{
DownstreamMTLS: config.DownstreamMTLSSettings{
CA: "ZmFrZSBDQQ==",
Enforcement: config.MTLSEnforcementRejectConnection,
},
}, resultClientCertificateRequired},
{"client CA, policy", &config.Options{
DownstreamMTLS: config.DownstreamMTLSSettings{
CA: "ZmFrZSBDQQ==",
Enforcement: config.MTLSEnforcementPolicy,
},
}, resultFalse},
}
for i := range cases {
c := &cases[i]
t.Run(c.label, func(t *testing.T) {
store := store.New()
c.opts.Policies = []config.Policy{{
To: mustParseWeightedURLs(t, "http://example.com"),
}}
e, err := newPolicyEvaluator(c.opts, store)
require.NoError(t, err)
r, err := e.Evaluate(context.Background(), &evaluator.Request{
Policy: &c.opts.Policies[0],
HTTP: evaluator.RequestHTTP{},
})
require.NoError(t, err)
assert.Equal(t, c.expected, r.Deny)
})
}
}