authorize: add "client-certificate-required" reason

Add a new reason "client-certificate-required" that will be returned by
the invalid_client_certificate criterion in the case that no client
certificate was provided. Determine this using the new 'presented' field
populated from the Envoy metadata.

authorize/check_response.go

@@ -34,7 +34,7 @@ func (a *Authorize) handleResult(
 ) (*envoy_service_auth_v3.CheckResponse, error) {
 	// If a client certificate is required, but the client did not provide a
 	// valid certificate, deny right away. Do not redirect to authenticate.
-	if result.Deny.Reasons.Has(criteria.ReasonInvalidClientCertificate) {
+	if invalidClientCertReason(result.Deny.Reasons) {
 		return a.handleResultDenied(ctx, in, request, result, result.Deny.Reasons)
 	}
 
@@ -93,7 +93,7 @@ func (a *Authorize) handleResultDenied(
 	case reasons.Has(criteria.ReasonRouteNotFound):
 		denyStatusCode = http.StatusNotFound
 		denyStatusText = httputil.DetailsText(http.StatusNotFound)
-	case reasons.Has(criteria.ReasonInvalidClientCertificate):
+	case invalidClientCertReason(reasons):
 		denyStatusCode = httputil.StatusInvalidClientCertificate
 		denyStatusText = httputil.DetailsText(httputil.StatusInvalidClientCertificate)
 	}
@@ -101,6 +101,11 @@ func (a *Authorize) handleResultDenied(
 	return a.deniedResponse(ctx, in, denyStatusCode, denyStatusText, nil)
 }
 
+func invalidClientCertReason(reasons criteria.Reasons) bool {
+	return reasons.Has(criteria.ReasonClientCertificateRequired) ||
+		reasons.Has(criteria.ReasonInvalidClientCertificate)
+}
+
 func (a *Authorize) okResponse(headers http.Header) *envoy_service_auth_v3.CheckResponse {
 	var requestHeaders []*envoy_config_core_v3.HeaderValueOption
 	for k, vs := range headers {