authorize: add "client-certificate-required" reason

Add a new reason "client-certificate-required" that will be returned by the invalid_client_certificate criterion in the case that no client certificate was provided. Determine this using the new 'presented' field populated from the Envoy metadata.
2025-07-07 11:58:12 +02:00 · 2023-07-21 17:29:07 -07:00 · 2023-07-21 17:29:07 -07:00 · f6042ce76a
commit f6042ce76a
parent 4698e4661a
8 changed files with 202 additions and 42 deletions
--- a/authorize/evaluator/evaluator_test.go
+++ b/authorize/evaluator/evaluator_test.go
@ -131,9 +131,19 @@ func TestEvaluator(t *testing.T) {
 		// Clone the existing options and add a default client CA.
 		options := append([]Option(nil), options...)
 		options = append(options, WithClientCA([]byte(testCA)))
+		t.Run("missing", func(t *testing.T) {
+			res, err := eval(t, options, nil, &Request{
+				Policy: &policies[0],
+			})
+			require.NoError(t, err)
+			assert.Equal(t, NewRuleResult(true, criteria.ReasonClientCertificateRequired), res.Deny)
+		})
 		t.Run("invalid", func(t *testing.T) {
 			res, err := eval(t, options, nil, &Request{
 				Policy: &policies[0],
+				HTTP: RequestHTTP{
+					ClientCertificate: ClientCertificateInfo{Presented: true},
+				},
 			})
 			require.NoError(t, err)
 			assert.Equal(t, NewRuleResult(true, criteria.ReasonInvalidClientCertificate), res.Deny)
@ -150,11 +160,35 @@ func TestEvaluator(t *testing.T) {
 		})
 	})
 	t.Run("client certificate (per-policy CA)", func(t *testing.T) {
-		t.Run("invalid", func(t *testing.T) {
+		t.Run("missing", func(t *testing.T) {
 			res, err := eval(t, options, nil, &Request{
 				Policy: &policies[10],
 			})
 			require.NoError(t, err)
+			assert.Equal(t, NewRuleResult(true, criteria.ReasonClientCertificateRequired), res.Deny)
+		})
+		t.Run("invalid (Envoy)", func(t *testing.T) {
+			res, err := eval(t, options, nil, &Request{
+				Policy: &policies[10],
+				HTTP: RequestHTTP{
+					ClientCertificate: ClientCertificateInfo{Presented: true},
+				},
+			})
+			require.NoError(t, err)
+			assert.Equal(t, NewRuleResult(true, criteria.ReasonInvalidClientCertificate), res.Deny)
+		})
+		t.Run("invalid (authorize)", func(t *testing.T) {
+			res, err := eval(t, options, nil, &Request{
+				Policy: &policies[10],
+				HTTP: RequestHTTP{
+					ClientCertificate: ClientCertificateInfo{
+						Presented: true,
+						Validated: true,
+						Leaf:      testUnsignedCert,
+					},
+				},
+			})
+			require.NoError(t, err)
 			assert.Equal(t, NewRuleResult(true, criteria.ReasonInvalidClientCertificate), res.Deny)
 		})
 		t.Run("valid", func(t *testing.T) {