authorize: do not rely on Envoy client cert validation (#4438)

Partially revert #4374: do not record the peerCertificateValidated() result as reported by Envoy, as this does not work correctly for resumed TLS sessions. Instead always record the certificate chain as presented by the client. Remove the corresponding ClientCertificateInfo Validated field, and update affected code accordingly. Skip the CRL integration test case for now.
2025-05-29 08:57:18 +02:00 · 2023-08-03 10:45:55 -07:00 · 2023-08-03 10:45:55 -07:00 · e91600c158
commit e91600c158
parent 465de43e67
9 changed files with 12 additions and 69 deletions
--- a/authorize/evaluator/functions_test.go
+++ b/authorize/evaluator/functions_test.go
@ -107,25 +107,14 @@ func Test_isValidClientCertificate(t *testing.T) {
 	t.Run("valid cert", func(t *testing.T) {
 		valid, err := isValidClientCertificate(testCA, ClientCertificateInfo{
 			Presented: true,
-			Validated: true,
 			Leaf:      testValidCert,
 		})
 		assert.NoError(t, err, "should not return an error")
 		assert.True(t, valid, "should return true")
 	})
-	t.Run("cert not externally validated", func(t *testing.T) {
-		valid, err := isValidClientCertificate(testCA, ClientCertificateInfo{
-			Presented: true,
-			Validated: false,
-			Leaf:      testValidCert,
-		})
-		assert.NoError(t, err, "should not return an error")
-		assert.False(t, valid, "should return false")
-	})
 	t.Run("unsigned cert", func(t *testing.T) {
 		valid, err := isValidClientCertificate(testCA, ClientCertificateInfo{
 			Presented: true,
-			Validated: true,
 			Leaf:      testUnsignedCert,
 		})
 		assert.NoError(t, err, "should not return an error")
@ -134,7 +123,6 @@ func Test_isValidClientCertificate(t *testing.T) {
 	t.Run("not a cert", func(t *testing.T) {
 		valid, err := isValidClientCertificate(testCA, ClientCertificateInfo{
 			Presented: true,
-			Validated: true,
 			Leaf:      "WHATEVER!",
 		})
 		assert.Error(t, err, "should return an error")