authenticate: implement hpke-based login flow (#3779)

* urlutil: add time validation functions

* authenticate: implement hpke-based login flow

* fix import cycle

* fix tests

* log error

* fix callback url

* add idp param

* fix test

* fix test

integration/main_test.go

@@ -50,10 +50,21 @@ func TestMain(m *testing.M) {
 	os.Exit(status)
 }
 
-func getClient() *http.Client {
-	jar, err := cookiejar.New(&cookiejar.Options{PublicSuffixList: publicsuffix.List})
-	if err != nil {
-		panic(err)
+type loggingRoundTripper struct {
+	t         testing.TB
+	transport http.RoundTripper
+}
+
+func (l loggingRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) {
+	if l.t != nil {
+		l.t.Logf("%s %s", req.Method, req.URL.String())
+	}
+	return l.transport.RoundTrip(req)
+}
+
+func getTransport(t testing.TB) http.RoundTripper {
+	if t != nil {
+		t.Helper()
 	}
 
 	rootCAs, err := x509.SystemCertPool()
@@ -66,23 +77,36 @@ func getClient() *http.Client {
 		panic(err)
 	}
 	_ = rootCAs.AppendCertsFromPEM(bs)
+	transport := &http.Transport{
+		DisableKeepAlives: true,
+		TLSClientConfig: &tls.Config{
+			RootCAs: rootCAs,
+		},
+	}
+	return loggingRoundTripper{t, transport}
+}
+
+func getClient(t testing.TB) *http.Client {
+	if t != nil {
+		t.Helper()
+	}
+
+	jar, err := cookiejar.New(&cookiejar.Options{PublicSuffixList: publicsuffix.List})
+	if err != nil {
+		panic(err)
+	}
 
 	return &http.Client{
 		CheckRedirect: func(req *http.Request, via []*http.Request) error {
 			return http.ErrUseLastResponse
 		},
-		Transport: &http.Transport{
-			DisableKeepAlives: true,
-			TLSClientConfig: &tls.Config{
-				RootCAs: rootCAs,
-			},
-		},
-		Jar: jar,
+		Transport: getTransport(t),
+		Jar:       jar,
 	}
 }
 
 func waitForHealthy(ctx context.Context) error {
-	client := getClient()
+	client := getClient(nil)
 	check := func(endpoint string) error {
 		reqCtx, clearTimeout := context.WithTimeout(ctx, time.Second)
 		defer clearTimeout()