pomerium

3pp-mirror/pomerium

Fork 0

mirror of https://github.com/pomerium/pomerium.git synced 2025-04-30 19:06:33 +02:00

Commit graph

Author	SHA1	Message	Date
Kenneth Jenkins	4698e4661a	authorize: omit client cert rule when not needed (#4386 ) Currently we always add an invalid_client_certificate deny rule to all PPL policies. Instead, let's add this rule only when a client CA is configured. This way, if a user is not using client certificates at all, they won't see any reason strings related to client certificates in the authorize logs. Change the "valid-client-certificate-or-none-required" reason string to just "valid-client-certificate" accordingly. Pass the main Evaluator config to NewPolicyEvaluator so that we can determine whether there is a client CA configured or not. Extract the existing default deny rule to a separate method. Add unit tests exercising the new behavior.	2023-07-24 15:27:57 -07:00

Author

SHA1

Message

Date

Kenneth Jenkins

4698e4661a

authorize: omit client cert rule when not needed (#4386 )

Currently we always add an invalid_client_certificate deny rule to all
PPL policies. Instead, let's add this rule only when a client CA is
configured. This way, if a user is not using client certificates at all,
they won't see any reason strings related to client certificates in the
authorize logs.

Change the "valid-client-certificate-or-none-required" reason string to
just "valid-client-certificate" accordingly.

Pass the main Evaluator config to NewPolicyEvaluator so that we can
determine whether there is a client CA configured or not. Extract the
existing default deny rule to a separate method. Add unit tests
exercising the new behavior.

2023-07-24 15:27:57 -07:00

1 commit