mirror of
https://github.com/pomerium/pomerium.git
synced 2025-08-03 00:40:25 +02:00
4698e4661a
Currently we always add an invalid_client_certificate deny rule to all PPL policies. Instead, let's add this rule only when a client CA is configured. This way, if a user is not using client certificates at all, they won't see any reason strings related to client certificates in the authorize logs. Change the "valid-client-certificate-or-none-required" reason string to just "valid-client-certificate" accordingly. Pass the main Evaluator config to NewPolicyEvaluator so that we can determine whether there is a client CA configured or not. Extract the existing default deny rule to a separate method. Add unit tests exercising the new behavior. |
||
|---|---|---|
| .. | ||
| evaluator | ||
| internal/store | ||
| access_tracker.go | ||
| access_tracker_test.go | ||
| authorize.go | ||
| authorize_test.go | ||
| check_response.go | ||
| check_response_test.go | ||
| databroker.go | ||
| databroker_test.go | ||
| grpc.go | ||
| grpc_test.go | ||
| log.go | ||
| state.go | ||