authorize: add client mTLS support (#751)

* authorize: add client mtls support * authorize: better error messages for envoy * switch from function to input * add TrustedCa to envoy config so that users are prompted for the correct client certificate * update documentation * fix invalid ClientCAFile * regenerate cache protobuf * avoid recursion, add test * move comment line * use http.StatusOK * various fixes
2025-05-29 17:07:24 +02:00 · 2020-05-21 16:01:07 -06:00 · 2020-05-21 16:01:07 -06:00 · e4832cb4ed
commit e4832cb4ed
parent 3f1faf2e9e
24 changed files with 995 additions and 279 deletions
--- a/config/options.go
+++ b/config/options.go
@ -238,6 +238,11 @@ type Options struct {
 	// CacheStorePath is the path to use for a given cache store. e.g. /etc/bolt.db
 	CacheStorePath string `mapstructure:"cache_store_path" yaml:"cache_store_path,omitempty"`

+	// ClientCA is the base64-encoded certificate authority to validate client mTLS certificates against.
+	ClientCA string `mapstructure:"client_ca" yaml:"client_ca,omitempty"`
+	// ClientCAFile points to a file that contains the certificate authority to validate client mTLS certificates against.
+	ClientCAFile string `mapstructure:"client_ca_file" yaml:"client_ca_file,omitempty"`
+
 	viper *viper.Viper
 }

@ -562,6 +567,18 @@ func (o *Options) Validate() error {
 		o.Certificates = append(o.Certificates, *cert)
 	}

+	if o.ClientCA != "" {
+		if _, err := base64.StdEncoding.DecodeString(o.ClientCA); err != nil {
+			return fmt.Errorf("config: bad client ca base64: %w", err)
+		}
+	}
+
+	if o.ClientCAFile != "" {
+		if _, err := os.Stat(o.ClientCAFile); err != nil {
+			return fmt.Errorf("config: bad client ca file: %w", err)
+		}
+	}
+
 	RedirectAndAutocertServer.update(o)

 	err = AutocertManager.update(o)