HTTP/3 Support (#5349)

* wip

* http3 support

* add integration test

* move some quic code

* fix codec type

* casing

* add alt-svc header

* add quic unit test

integration/authentication_test.go

@@ -19,45 +19,45 @@ func TestRouteSessions(t *testing.T) {
 	ctx, clearTimeout := context.WithTimeout(context.Background(), time.Second*30)
 	defer clearTimeout()
 
-	client := getClient(t)
+	testHTTPClient(t, func(t *testing.T, client *http.Client) {
+		// Sign in to access one route.
+		url1 := mustParseURL("https://httpdetails.localhost.pomerium.io/by-domain")
+		res, err := flows.Authenticate(ctx, client, url1, flows.WithEmail("user1@dogs.test"))
+		require.NoError(t, err)
+		require.Equal(t, http.StatusOK, res.StatusCode, "expected OK for httpdetails")
 
-	// Sign in to access one route.
-	url1 := mustParseURL("https://httpdetails.localhost.pomerium.io/by-domain")
-	res, err := flows.Authenticate(ctx, client, url1, flows.WithEmail("user1@dogs.test"))
-	require.NoError(t, err)
-	require.Equal(t, http.StatusOK, res.StatusCode, "expected OK for httpdetails")
+		// Now request a different route. This should not require signing in again,
+		// but will redirect through the authenticate service if using the
+		// stateless authentication flow.
+		client.CheckRedirect = nil
+		url2 := mustParseURL("https://restricted-httpdetails.localhost.pomerium.io/by-domain")
+		req, _ := http.NewRequestWithContext(ctx, http.MethodGet, url2.String(), nil)
+		res, err = client.Do(req)
+		require.NoError(t, err)
+		require.Equal(t, http.StatusOK, res.StatusCode, "expected OK for restricted-httpdetails")
 
-	// Now request a different route. This should not require signing in again,
-	// but will redirect through the authenticate service if using the
-	// stateless authentication flow.
-	client.CheckRedirect = nil
-	url2 := mustParseURL("https://restricted-httpdetails.localhost.pomerium.io/by-domain")
-	req, _ := http.NewRequestWithContext(ctx, http.MethodGet, url2.String(), nil)
-	res, err = client.Do(req)
-	require.NoError(t, err)
-	require.Equal(t, http.StatusOK, res.StatusCode, "expected OK for restricted-httpdetails")
+		// Now examine the session cookies saved for each route.
+		claims1 := getSessionCookieJWTClaims(t, client, url1)
+		claims2 := getSessionCookieJWTClaims(t, client, url2)
 
-	// Now examine the session cookies saved for each route.
-	claims1 := getSessionCookieJWTClaims(t, client, url1)
-	claims2 := getSessionCookieJWTClaims(t, client, url2)
+		if AuthenticateFlow == "stateless" {
+			// Under the stateless authenticate flow, each route should have its
+			// own session.
+			assert.NotEqual(t, claims1.ID, claims2.ID)
+		} else {
+			// Under the stateful authenticate flow, the two routes should share
+			// the same session.
+			assert.Equal(t, claims1.ID, claims2.ID)
 
-	if AuthenticateFlow == "stateless" {
-		// Under the stateless authenticate flow, each route should have its
-		// own session.
-		assert.NotEqual(t, claims1.ID, claims2.ID)
-	} else {
-		// Under the stateful authenticate flow, the two routes should share
-		// the same session.
-		assert.Equal(t, claims1.ID, claims2.ID)
-
-		// The only cookies set on the authenticate service domain should be
-		// "_pomerium_authenticate" and "_pomerium_csrf". (No identity profile
-		// cookies should be present.)
-		c := client.Jar.Cookies(mustParseURL("https://authenticate.localhost.pomerium.io"))
-		assert.Equal(t, 2, len(c))
-		cookieNames := slices.Map(c, func(c *http.Cookie) string { return c.Name })
-		assert.ElementsMatch(t, []string{"_pomerium_authenticate", "_pomerium_csrf"}, cookieNames)
-	}
+			// The only cookies set on the authenticate service domain should be
+			// "_pomerium_authenticate" and "_pomerium_csrf". (No identity profile
+			// cookies should be present.)
+			c := client.Jar.Cookies(mustParseURL("https://authenticate.localhost.pomerium.io"))
+			assert.Equal(t, 2, len(c))
+			cookieNames := slices.Map(c, func(c *http.Cookie) string { return c.Name })
+			assert.ElementsMatch(t, []string{"_pomerium_authenticate", "_pomerium_csrf"}, cookieNames)
+		}
+	})
 }
 
 func getSessionCookieJWTClaims(t *testing.T, client *http.Client, u *url.URL) *jwt.Claims {