mirror of
https://github.com/pomerium/pomerium.git
synced 2025-04-30 19:06:33 +02:00
Currently we always add an invalid_client_certificate deny rule to all PPL policies. Instead, let's add this rule only when a client CA is configured. This way, if a user is not using client certificates at all, they won't see any reason strings related to client certificates in the authorize logs. Change the "valid-client-certificate-or-none-required" reason string to just "valid-client-certificate" accordingly. Pass the main Evaluator config to NewPolicyEvaluator so that we can determine whether there is a client CA configured or not. Extract the existing default deny rule to a separate method. Add unit tests exercising the new behavior.
package parser
import (
"testing"
"github.com/stretchr/testify/assert"
)
// TestAddDefaultClientCertificateRule checks that calling
// AddDefaultClientCertificateRule on a zero-value Policy leaves it with exactly
// one rule: a deny rule whose only Or criterion is invalid_client_certificate.
//
// The whole Policy is compared, so a changed action, a renamed criterion or an
// extra rule produced by the method fails the test.
//
// NOTE(review): only the zero-value Policy is exercised here; how the method
// treats a Policy that already holds rules is not covered by this test.
func TestAddDefaultClientCertificateRule(t *testing.T) {
	// Expected policy: a single deny rule keyed on an invalid client certificate.
	want := Policy{
		Rules: []Rule{
			{
				Action: ActionDeny,
				Or: []Criterion{
					{Name: "invalid_client_certificate"},
				},
			},
		},
	}

	var got Policy
	got.AddDefaultClientCertificateRule()

	assert.Equal(t, want, got)
}