Commit graph

6 commits

Author SHA1 Message Date
Kenneth Jenkins
83957a9ccf
configure Envoy to validate client certificates (#4228)
Currently, client certificate validation is performed within the
authorize service, after user login. Instead, configure Envoy to perform
certificate validation itself, at the time of the initial connection.

When a client certificate authority is configured, Envoy will reject any
connection attempts that do not present a valid client certificate with
a trust chain rooted at the configured certificate authority.

For end users without a client certificate configured in their browser,
after this change they will see a browser default error page, rather
than an HTML error page served by Pomerium.

When multiple client CAs are configured for different routes on the same
domain, we will create a bundle from these client CAs, so that a
certificate issued by any of these CAs will be accepted during the
initial connection. If the presented certificate is not valid for the
specific route, then we serve an HTTP 495 response.

Add a separate method buildDownstreamTLSContextWithValidation(), so we
can make these changes only for the main HTTP listener, and not for the
internal gRPC listener. Move the existing unit tests for
buildDownstreamTLSContext() over to test
buildDownstreamTLSContextWithValidation() instead.

Update the existing Envoy configuration test cases, add unit tests for
the new clientCAForDomain() function, and add integration test cases.
2023-06-09 15:46:04 -07:00
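The two-stage check described in the commit above, as an added example that is not Pomerium's code and not the change in #4228: a Go program that bundles the client CAs of every route on a domain, refuses the connection (no HTTP response at all) when the presented certificate does not chain to that bundle, which is the check Envoy now performs at the listener, and answers 495 when the certificate is trusted by the bundle but not by the CA of the specific route. The Route type, authorize, issue, pemOf, the status constants and the sample routes and CAs are assumptions made for illustration; clientCAForDomain here re-implements the idea with a crypto/x509 CertPool and is not the function the commit adds.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Route is an assumed minimal stand-in for a proxy route (not Pomerium's type): domain, name, trusted client CA (PEM; empty = none).
type Route struct {
	Domain, Name string
	ClientCA     []byte
}

// HandshakeRejected is not an HTTP status: the TLS listener drops the connection before any request is read.
const HandshakeRejected, OK, CertNotValidForRoute = 0, 200, 495

// clientCAForDomain bundles the client CAs of every route on domain; nil means no client CA is configured there.
func clientCAForDomain(routes []Route, domain string) *x509.CertPool {
	var pool *x509.CertPool
	for _, r := range routes {
		if r.Domain != domain || len(r.ClientCA) == 0 {
			continue
		}
		if pool == nil {
			pool = x509.NewCertPool()
		}
		pool.AppendCertsFromPEM(r.ClientCA)
	}
	return pool
}

// verified reports whether cert chains to a root in pool and is valid for client auth.
func verified(pool *x509.CertPool, cert *x509.Certificate) bool {
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err == nil
}

// authorize models one request to route r: the listener-level check against the
// bundle for r.Domain (done at connection time), then the route-level check.
func authorize(routes []Route, r Route, cert *x509.Certificate) int {
	if pool := clientCAForDomain(routes, r.Domain); pool != nil {
		if cert == nil || !verified(pool, cert) {
			return HandshakeRejected
		}
	}
	if len(r.ClientCA) == 0 {
		return OK
	}
	own := x509.NewCertPool()
	own.AppendCertsFromPEM(r.ClientCA)
	if !verified(own, cert) {
		return CertNotValidForRoute // trusted by the domain bundle, not by this route's CA
	}
	return OK
}

func pemOf(c *x509.Certificate) []byte {
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw})
}

// issue mints a throwaway P-256 certificate (constructed fixture, not a real trust anchor): a self-signed CA when ca is true, else a client-auth leaf under parent.
func issue(name string, ca bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
	}
	if ca {
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, parentKey = tmpl, key // self-signed
	} else {
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil { panic(err) }
	cert, err := x509.ParseCertificate(der)
	if err != nil { panic(err) }
	return cert, key
}

func main() {
	caA, keyA := issue("Route CA A", true, nil, nil)
	caB, _ := issue("Route CA B", true, nil, nil)
	// Constructed sample config: two routes on one domain, each trusting a different CA.
	app := Route{Domain: "app.example.com", Name: "app", ClientCA: pemOf(caA)}
	admin := Route{Domain: "app.example.com", Name: "admin", ClientCA: pemOf(caB)}
	routes := []Route{app, admin}
	alice, _ := issue("alice", false, caA, keyA) // issued by CA A only
	fmt.Println(authorize(routes, app, alice), authorize(routes, admin, alice), authorize(routes, app, nil))
}
```

The split mirrors what the commit describes: a client with no certificate, or one from an unrelated CA, never reaches HTTP and sees its browser's own error page, while a certificate from CA A requesting the admin route gets past the listener (the bundle contains A) and is then turned away with 495 by the route-level check.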
Caleb Doxsey
48cd10d46b
integration: add single-cluster integration tests (#2516)
* integration: add single-cluster integration tests

* remove kind load
2021-08-24 15:35:05 -06:00
Caleb Doxsey
9aad155e1a
integration: remove tests (#2514)
2021-08-23 13:07:18 -06:00
bobby
fbd8c8f294
deployment: add goimports with path awareness (#1316)
Plus fix some spelling

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
2020-08-24 13:04:55 -07:00
Caleb Doxsey
b11a336a33
integration: fix linting issues
2020-04-28 08:17:22 -06:00
Caleb Doxsey
8fd716e1d8
integration: add cluster setup and configuration and a few tests
2020-04-28 07:33:33 -06:00