pomerium/pkg/policy/parser/default.go
Kenneth Jenkins 4698e4661a
authorize: omit client cert rule when not needed (#4386)
Currently we always add an invalid_client_certificate deny rule to all
PPL policies. Instead, let's add this rule only when a client CA is
configured. This way, if a user is not using client certificates at all,
they won't see any reason strings related to client certificates in the
authorize logs.

Change the "valid-client-certificate-or-none-required" reason string to
just "valid-client-certificate" accordingly.

Pass the main Evaluator config to NewPolicyEvaluator so that we can
determine whether there is a client CA configured or not. Extract the
existing default deny rule to a separate method. Add unit tests
exercising the new behavior.
2023-07-24 15:27:57 -07:00


package parser

// AddDefaultClientCertificateRule adds a deny rule to the policy with the
// criterion invalid_client_certificate.
func (p *Policy) AddDefaultClientCertificateRule() {
	denyRule := Rule{Action: ActionDeny}
	denyRule.Or = append(denyRule.Or, Criterion{Name: "invalid_client_certificate"})
	p.Rules = append(p.Rules, denyRule)
}
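As an added example (not Pomerium's own code), a stand-alone Go program that wires the function above into the conditional the commit message describes: the deny rule is only attached when a client CA is configured, so a deployment without client certificates never produces client-certificate reason strings. The Action, Criterion, Rule and Policy types and the Evaluate function are simplified stand-ins assumed for the example; only the criterion name and the "valid-client-certificate" reason string come from this page.

```go
package main

// Simplified stand-ins for the parser package's Action, Criterion, Rule and
// Policy types (assumed for this example; not Pomerium's own definitions).
type Action string
const ActionDeny Action = "deny"
type Criterion struct{ Name string }
type Rule struct {
	Action Action
	Or     []Criterion
}
type Policy struct{ Rules []Rule }

// AddDefaultClientCertificateRule is the function shown on this page.
func (p *Policy) AddDefaultClientCertificateRule() {
	denyRule := Rule{Action: ActionDeny}
	denyRule.Or = append(denyRule.Or, Criterion{Name: "invalid_client_certificate"})
	p.Rules = append(p.Rules, denyRule)
}

// NewDefaultPolicy adds the client certificate deny rule only when a client CA
// is configured, which is the behaviour the commit message describes.
func NewDefaultPolicy(clientCAConfigured bool) *Policy {
	p := &Policy{}
	if clientCAConfigured {
		p.AddDefaultClientCertificateRule()
	}
	return p
}

// Evaluate walks the deny rules and reports whether a request with the given
// client certificate state is denied, plus the reason strings a log line would
// carry. Only the client certificate criterion is modelled (assumed evaluator).
func Evaluate(p *Policy, clientCertValid bool) (denied bool, reasons []string) {
	for _, r := range p.Rules {
		for _, c := range r.Or {
			if c.Name != "invalid_client_certificate" {
				continue // other criteria are outside this example's scope
			}
			if clientCertValid {
				reasons = append(reasons, "valid-client-certificate")
			} else {
				reasons = append(reasons, c.Name)
				denied = denied || r.Action == ActionDeny
			}
		}
	}
	return denied, reasons
}
```

With no client CA configured the policy has no rules at all, so an invalid or missing certificate yields neither a denial nor any certificate-related reason.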