stub out HPKE public key fetch for self-hosted authenticate (#4360)

Fetch the HPKE public key only when configured to use the hosted authenticate service. Determine whether we are using the hosted authenticate service by comparing the resolved authenticate domain with a hard-coded list of hosted authenticate domains. Extract this list of hosted authenticate domains to the internal/urlutil package in order to keep a single source of truth for this data.
2025-08-04 01:09:36 +02:00 · 2023-07-13 10:04:34 -07:00 · 2023-07-13 10:04:34 -07:00 · a1388592d8
commit a1388592d8
parent 4674b98cfb
6 changed files with 107 additions and 6 deletions
--- a/internal/autocert/manager.go
+++ b/internal/autocert/manager.go
@ -458,8 +458,9 @@ func sourceHostnames(cfg *config.Config) []string {
 	}

 	// remove any hosted authenticate URLs
-	delete(dedupe, "authenticate.pomerium.app")
-	delete(dedupe, "authenticate.staging.pomerium.app")
+	for _, domain := range urlutil.HostedAuthenticateDomains {
+		delete(dedupe, domain)
+	}

 	var h []string
 	for k := range dedupe {
--- a/internal/urlutil/hostedauthenticate.go
+++ b/internal/urlutil/hostedauthenticate.go
@ -0,0 +1,25 @@
+package urlutil
+
+// HostedAuthenticateDomains is a list of all known domains associated with the
+// hosted authenticate service.
+var HostedAuthenticateDomains = []string{
+	"authenticate.pomerium.app",
+	"authenticate.staging.pomerium.app",
+}
+
+var hostedAuthenticateDomainSet = initHostedAuthenticateDomainSet()
+
+func initHostedAuthenticateDomainSet() map[string]struct{} {
+	s := make(map[string]struct{})
+	for _, domain := range HostedAuthenticateDomains {
+		s[domain] = struct{}{}
+	}
+	return s
+}
+
+// IsHostedAuthenticateDomain indicates whether the given domain is associated
+// with the hosted authenticate service.
+func IsHostedAuthenticateDomain(domain string) bool {
+	_, isHostedAuthenticate := hostedAuthenticateDomainSet[domain]
+	return isHostedAuthenticate
+}
--- a/internal/urlutil/hostedauthenticate_test.go
+++ b/internal/urlutil/hostedauthenticate_test.go
@ -0,0 +1,19 @@
+package urlutil
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestIsHostedAuthenticateDomain(t *testing.T) {
+	t.Parallel()
+
+	for _, domain := range HostedAuthenticateDomains {
+		assert.True(t, IsHostedAuthenticateDomain(domain), domain)
+	}
+
+	for _, domain := range []string{"authenticate.example.com", "foo.bar"} {
+		assert.False(t, IsHostedAuthenticateDomain(domain), domain)
+	}
+}