mirror of
https://github.com/pomerium/pomerium.git
synced 2025-07-31 23:41:09 +02:00
4698e4661a
Currently we always add an invalid_client_certificate deny rule to all PPL policies. Instead, let's add this rule only when a client CA is configured. This way, if a user is not using client certificates at all, they won't see any reason strings related to client certificates in the authorize logs. Change the "valid-client-certificate-or-none-required" reason string to just "valid-client-certificate" accordingly. Pass the main Evaluator config to NewPolicyEvaluator so that we can determine whether there is a client CA configured or not. Extract the existing default deny rule to a separate method. Add unit tests exercising the new behavior. |
||
|---|---|---|
| .. | ||
| opa | ||
| config.go | ||
| evaluator.go | ||
| evaluator_test.go | ||
| functions.go | ||
| functions_test.go | ||
| google_cloud_serverless.go | ||
| google_cloud_serverless_test.go | ||
| headers_evaluator.go | ||
| headers_evaluator_test.go | ||
| policy_evaluator.go | ||
| policy_evaluator_test.go | ||