Closed johanandren closed 6 months ago
After thinking about it a bit: I guess a single "require" directive that matches on CN and SAN would maybe make more sense than the separate ones I've created now. And maybe also extractors the values for arbitrary logic, and pulling those back to utilities that we can use from Akka gRPC as well.
It looks good to me. It's really hard to say what we should provide in terms of matching the CN vs SAN. Common Names have been deprecated for HTTPS server certificates for almost 25 years. But for client certificates, there's just no standard out there as to what a client certificate should use to identify itself. I think most common would be some sort of DNS value, but should that be in the CN or the SAN?
I think a simple API that matches both CN and SAN may satisfy 95+% of use cases, and a lower level power API will deal with the rest - the directive to extract the certificate is probably enough.
Ready for final review
@jroper would be great if you could take a peek at the directives and see if this is something that you envisioned, or tell me if I'm completely off.