authorize: add "client-certificate-required" reason

Add a new reason "client-certificate-required" that will be returned by the invalid_client_certificate criterion in the case that no client certificate was provided. Determine this using the new 'presented' field populated from the Envoy metadata.
2025-07-16 08:16:18 +02:00 · 2023-07-21 17:29:07 -07:00 · 2023-07-21 17:29:07 -07:00 · f6042ce76a
commit f6042ce76a
parent 4698e4661a
8 changed files with 202 additions and 42 deletions
--- a/authorize/evaluator/policy_evaluator_test.go
+++ b/authorize/evaluator/policy_evaluator_test.go
@ -118,7 +118,7 @@ func TestPolicyEvaluator(t *testing.T) {
 			Traces: []contextutil.PolicyEvaluationTrace{{Allow: true}},
 		}, output)
 	})
-	t.Run("invalid cert", func(t *testing.T) {
+	t.Run("no cert", func(t *testing.T) {
 		output, err := eval(t,
 			p1,
 			[]proto.Message{s1, u1, s2, u2},
@ -129,6 +129,27 @@ func TestPolicyEvaluator(t *testing.T) {
 				IsValidClientCertificate: false,
 			})
 		require.NoError(t, err)
+		assert.Equal(t, &PolicyResponse{
+			Allow:  NewRuleResult(true, criteria.ReasonEmailOK),
+			Deny:   NewRuleResult(true, criteria.ReasonClientCertificateRequired),
+			Traces: []contextutil.PolicyEvaluationTrace{{Allow: true, Deny: true}},
+		}, output)
+	})
+	t.Run("invalid cert", func(t *testing.T) {
+		output, err := eval(t,
+			p1,
+			[]proto.Message{s1, u1, s2, u2},
+			&PolicyRequest{
+				HTTP: RequestHTTP{
+					Method:            http.MethodGet,
+					URL:               "https://from.example.com/path",
+					ClientCertificate: ClientCertificateInfo{Presented: true},
+				},
+				Session: RequestSession{ID: "s1"},
+
+				IsValidClientCertificate: false,
+			})
+		require.NoError(t, err)
 		assert.Equal(t, &PolicyResponse{
 			Allow:  NewRuleResult(true, criteria.ReasonEmailOK),
 			Deny:   NewRuleResult(true, criteria.ReasonInvalidClientCertificate),
@ -241,7 +262,7 @@ func TestPolicyEvaluator(t *testing.T) {
 			require.NoError(t, err)
 			assert.Equal(t, &PolicyResponse{
 				Allow:  NewRuleResult(false),
-				Deny:   NewRuleResult(true, criteria.ReasonAccept, criteria.ReasonInvalidClientCertificate),
+				Deny:   NewRuleResult(true, criteria.ReasonAccept, criteria.ReasonClientCertificateRequired),
 				Traces: []contextutil.PolicyEvaluationTrace{{Deny: true}, {ID: "p1", Deny: true}},
 			}, output)
 		})