config: add support for max_verify_depth

Add a new max_verify_depth option to the downstream_mtls settings group,
with a default value of 1 (to match the behavior of current Pomerium
releases).

Populate the corresponding setting within Envoy, and also implement a
depth check within isValidClientCertificate() in the authorize service.

authorize/authorize.go

@@ -120,11 +120,16 @@ func newPolicyEvaluator(opts *config.Options, store *store.Store) (*evaluator.Ev
 	addDefaultClientCertificateRule :=
 		opts.DownstreamMTLS.GetEnforcement() != config.MTLSEnforcementPolicy
 
+	clientCertConstraints := evaluator.ClientCertConstraints{
+		MaxVerifyDepth: opts.DownstreamMTLS.GetMaxVerifyDepth(),
+	}
+
 	return evaluator.New(ctx, store,
 		evaluator.WithPolicies(opts.GetAllPolicies()),
 		evaluator.WithClientCA(clientCA),
 		evaluator.WithAddDefaultClientCertificateRule(addDefaultClientCertificateRule),
 		evaluator.WithClientCRL(clientCRL),
+		evaluator.WithClientCertConstraints(clientCertConstraints),
 		evaluator.WithSigningKey(signingKey),
 		evaluator.WithAuthenticateURL(authenticateURL.String()),
 		evaluator.WithGoogleCloudServerlessAuthenticationServiceAccount(opts.GetGoogleCloudServerlessAuthenticationServiceAccount()),