Update the integration test templates to add a new client certificate
issued by downstream-ca-1, along with a combined CRL that revokes it.
(Setting a CRL just from downstream-ca-1 doesn't appear to work, which
surprises me.) Add a test case to verify that access is not allowed when
using the revoked certificate.
If an authorization policy requires a client certificate, but an
incoming request does not include a valid certificate, we should serve a
deny error page right away, regardless of whether the user is
authenticated via the identity provider or not. Do not redirect to the
identity provider login page in this case.
Update the existing integration tests accordingly, and add a unit test
case for this scenario.
* integration test config: add downstream mTLS routes
Add two new CA certificates for use with downstream mTLS tests, and a
client certificate/key pair issued by each CA.
Add a few routes to the policy template that require a client CA. Update
the generated output configurations.
(based on commit ed63a6a6e7)
* add downstream mTLS integration test cases
These are modeled after the tests added to v0.17 in 83957a9, but here
the expected behavior is that requests with an invalid client
certificate will receive a 495 response only after authentication.
* add support for proxy protocol on HTTP listener (#1777)
* add support for proxy protocol on HTTP listener
* rename option, add doc
* reduce memory usage by handling http/2 coalescing via a lua script
* move script to file
* use wellknown
* fix integration test
- gofumpt everything
- fix TLS MinVersion to be at least 1.2
- add octal syntax
- remove newlines
- fix potential decompression bomb in ecjson
- remove implicit memory aliasing in for loops.
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
Currently, user's identity headers are always inserted to downstream
request. For privacy reason, it would be better to not insert these
headers by default, and let user chose whether to include these headers
per=policy basis.
Fixes#702
* config: add RemoveRequestHeaders
Currently, we have "set_request_headers" config, which reflects envoy
route.Route.RequestHeadersToAdd. This commit add new config
"remove_request_headers", which reflects envoy RequestHeadersToRemove.
This is also a preparation for future PRs to implement disable user
identity in request headers feature.
* integration: add test for remove_request_headers
* docs: add documentation/changelog for remove_request_headers
* integration-tests: switch to go for backends to support TLS scenarios
* fix apply order
* generate additional tls certs
* integration-tests: tls_skip_verify option
* integration-tests: wait for openid to come up before starting authenticate
* add tls_server_name test
* add test for tls_custom_ca
* increase setup timeout to 15 minutes
* fix secret name reference
* mtls wip
* mtls wip
* add test for client_cert
