authorize: add "client-certificate-required" reason
Add a new reason "client-certificate-required" that will be returned by the invalid_client_certificate criterion when no client certificate was provided. Determine this using the new 'presented' field populated from the Envoy metadata.
This commit is contained in:
parent
4698e4661a
commit
f6042ce76a
8 changed files with 202 additions and 42 deletions
|
@ -118,7 +118,7 @@ func TestPolicyEvaluator(t *testing.T) {
|
|||
Traces: []contextutil.PolicyEvaluationTrace{{Allow: true}},
|
||||
}, output)
|
||||
})
|
||||
t.Run("invalid cert", func(t *testing.T) {
|
||||
t.Run("no cert", func(t *testing.T) {
|
||||
output, err := eval(t,
|
||||
p1,
|
||||
[]proto.Message{s1, u1, s2, u2},
|
||||
|
@ -129,6 +129,27 @@ func TestPolicyEvaluator(t *testing.T) {
|
|||
IsValidClientCertificate: false,
|
||||
})
|
||||
require.NoError(t, err)
|
||||
assert.Equal(t, &PolicyResponse{
|
||||
Allow: NewRuleResult(true, criteria.ReasonEmailOK),
|
||||
Deny: NewRuleResult(true, criteria.ReasonClientCertificateRequired),
|
||||
Traces: []contextutil.PolicyEvaluationTrace{{Allow: true, Deny: true}},
|
||||
}, output)
|
||||
})
|
||||
t.Run("invalid cert", func(t *testing.T) {
|
||||
output, err := eval(t,
|
||||
p1,
|
||||
[]proto.Message{s1, u1, s2, u2},
|
||||
&PolicyRequest{
|
||||
HTTP: RequestHTTP{
|
||||
Method: http.MethodGet,
|
||||
URL: "https://from.example.com/path",
|
||||
ClientCertificate: ClientCertificateInfo{Presented: true},
|
||||
},
|
||||
Session: RequestSession{ID: "s1"},
|
||||
|
||||
IsValidClientCertificate: false,
|
||||
})
|
||||
require.NoError(t, err)
|
||||
assert.Equal(t, &PolicyResponse{
|
||||
Allow: NewRuleResult(true, criteria.ReasonEmailOK),
|
||||
Deny: NewRuleResult(true, criteria.ReasonInvalidClientCertificate),
|
||||
|
@ -241,7 +262,7 @@ func TestPolicyEvaluator(t *testing.T) {
|
|||
require.NoError(t, err)
|
||||
assert.Equal(t, &PolicyResponse{
|
||||
Allow: NewRuleResult(false),
|
||||
Deny: NewRuleResult(true, criteria.ReasonAccept, criteria.ReasonInvalidClientCertificate),
|
||||
Deny: NewRuleResult(true, criteria.ReasonAccept, criteria.ReasonClientCertificateRequired),
|
||||
Traces: []contextutil.PolicyEvaluationTrace{{Deny: true}, {ID: "p1", Deny: true}},
|
||||
}, output)
|
||||
})
|
||||
|
|