Status: Open
Labels: Test case (new test case), enhancement (improvement to existing test)
Description
Summary
Test certificate subject-based authorization using native x509 authentication combined with an OPA rule. Based on the workaround from architecture#140, but using Authorino's native x509 identity extraction instead of anonymous identity + OPA parsing of the certificate.
The OPA rule validates certificate subject attributes after Authorino has extracted the certificate identity. It uses `add_opa_policy()` from the existing `AuthorizationSection` (similar to the pattern-matching `add_auth_rules` used in the existing mTLS tests at tests/singlecluster/authorino/operator/tls/mtls/conftest.py:15).
Setup
- AuthPolicy with x509 identity + OPA authorization rule matching specific certificate subjects
Tests
- Client with matching subject (e.g., OU=Sales) → 200 OK
- Client with a valid certificate but non-matching subject (e.g., OU=Inventory) → 403 Forbidden
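The setup and tests above, as an added example manifest (written for this page, not taken from the issue, the testsuite or the Kuadrant/Authorino projects): an AuthPolicy that authenticates clients with the native x509 identity and then authorizes on the certificate subject with an inline Rego rule. The `apiVersion`, the HTTPRoute name, the secret labels, and the shape of the identity object (assumed here to be the certificate subject with Go `pkix.Name` field names such as `OrganizationalUnit`) are assumptions and should be checked against the Authorino version under test.

```yaml
# Added example, not the issue's or the project's own manifest.
# Assumed: apiVersion, route name, secret labels, and that the x509
# identity is exposed as the certificate subject (pkix.Name fields).
apiVersion: kuadrant.io/v1
kind: AuthPolicy
metadata:
  name: mtls-subject-authz
spec:
  targetRef:
    group: gateway.networking.k8s.io
    kind: HTTPRoute
    name: api            # assumed route name
  rules:
    authentication:
      "mtls":
        x509:
          # Secrets matching this selector must hold the CA certificate(s)
          # that signed the client certificates (key "ca.crt").
          selector:
            matchLabels:
              app: mtls-example   # assumed label on the CA secret
    authorization:
      "sales-only":
        opa:
          rego: |
            # Deny unless a rule sets allow to true; Authorino answers 403
            # when authorization fails (401 would mean the cert itself failed).
            default allow = false

            # OrganizationalUnit is a list in pkix.Name, so iterate with [_].
            # OU=Sales   -> allow = true  -> 200 OK
            # OU=Inventory (valid cert, other OU) -> allow = false -> 403
            allow {
              input.auth.identity.OrganizationalUnit[_] == "Sales"
            }
```

The same Rego string is what the testsuite would pass to `add_opa_policy()`; the two test clients differ only in the OU of their otherwise valid, CA-signed certificates, so a 401 instead of a 403 for the Inventory client would indicate the authentication step rejected the certificate rather than the OPA rule denying it.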
References
- Parent issue: E2E tests for X.509 Client Certificate Authentication in AuthPolicy (XFCC header) #885
- RFC 0015
- Architecture Issue #140 (OPA workaround demo with certificate subject-based authorization)