From f5e1875f1181e5ee1ea85f985369f681908158aa Mon Sep 17 00:00:00 2001
From: Kenneth Jenkins <51246568+kenjenkins@users.noreply.github.com>
Date: Fri, 7 Jul 2023 16:32:23 -0700
Subject: [PATCH] add a unit test
---
 authorize/check_response_test.go | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/authorize/check_response_test.go b/authorize/check_response_test.go
index aa3134d97..b7e837efe 100644
--- a/authorize/check_response_test.go
+++ b/authorize/check_response_test.go
@@ -88,6 +88,19 @@ func TestAuthorize_handleResult(t *testing.T) {
 assert.NotNil(t, res.GetOkResponse())
 })
 })
+ t.Run("invalid-client-certificate", func(t *testing.T) {
+ // Even if the user is unauthenticated, if a client certificate was required and no valid
+ // certificate was provided, access should be denied (no login redirect).
+ res, err := a.handleResult(context.Background(),
+ &envoy_service_auth_v3.CheckRequest{},
+ &evaluator.Request{},
+ &evaluator.Result{
+ Allow: evaluator.NewRuleResult(false, criteria.ReasonUserUnauthenticated),
+ Deny: evaluator.NewRuleResult(true, criteria.ReasonInvalidClientCertificate),
+ })
+ assert.NoError(t, err)
+ assert.Equal(t, 495, int(res.GetDeniedResponse().GetStatus().GetCode()))
+ })
 }
 
 func TestAuthorize_okResponse(t *testing.T) {
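Review bot: The new `invalid-client-certificate` subtest pins the deny-over-redirect precedence only for the unauthenticated case, and the `495` in its final assertion is an unexplained literal. 495 is the non-standard "SSL Certificate Error" status, so a comment above the assertion such as `// 495: non-standard "SSL certificate error" status; must win over the login redirect` would make the intent readable without knowing the code. Because the property being guarded is that an invalid client certificate can never be overridden, a companion subtest with the same `Deny` result and an `Allow` result of true would also pin that the denial holds for an otherwise-authorized user. `TestAuthorize_handleResult` begins outside this hunk and `handleResult` itself is not shown, so whether that second path is handled differently cannot be confirmed from here.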