move hpke public key handler out of internal (#4065)

2025-06-21 03:58:07 +02:00 · 2023-03-20 10:37:00 -04:00 · 2023-03-20 10:37:00 -04:00 · ccf15f8f3d
commit ccf15f8f3d
parent 6e39ebc189
6 changed files with 15 additions and 9 deletions
--- a/pkg/hpke/handlers/hpke_public_key.go
+++ b/pkg/hpke/handlers/hpke_public_key.go
@ -0,0 +1,38 @@
+// Package handlers provides http handlers for HPKE.
+package handlers
+
+import (
+	"bytes"
+	"fmt"
+	"hash/fnv"
+	"net/http"
+	"strconv"
+	"time"
+
+	"github.com/rs/cors"
+
+	"github.com/pomerium/pomerium/internal/httputil"
+	"github.com/pomerium/pomerium/internal/urlutil"
+	"github.com/pomerium/pomerium/pkg/hpke"
+)
+
+// HPKEPublicKeyPath is the path to the HPKE public key.
+const HPKEPublicKeyPath = urlutil.HPKEPublicKeyPath
+
+// HPKEPublicKeyHandler returns a handler which returns the HPKE public key.
+func HPKEPublicKeyHandler(publicKey *hpke.PublicKey) http.Handler {
+	return cors.AllowAll().Handler(httputil.HandlerFunc(func(w http.ResponseWriter, r *http.Request) error {
+		bs := publicKey.Bytes()
+
+		hasher := fnv.New64()
+		_, _ = hasher.Write(bs)
+		h := hasher.Sum64()
+
+		w.Header().Set("Cache-Control", "max-age=60")
+		w.Header().Set("Content-Type", "application/octet-stream")
+		w.Header().Set("Content-Length", strconv.Itoa(len(bs)))
+		w.Header().Set("ETag", fmt.Sprintf(`"%x"`, h))
+		http.ServeContent(w, r, "hpke-public-key", time.Time{}, bytes.NewReader(bs))
+		return nil
+	}))
+}
--- a/pkg/hpke/handlers/hpke_public_key_test.go
+++ b/pkg/hpke/handlers/hpke_public_key_test.go
@ -0,0 +1,34 @@
+package handlers_test
+
+import (
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+
+	"github.com/pomerium/pomerium/pkg/hpke"
+	"github.com/pomerium/pomerium/pkg/hpke/handlers"
+)
+
+func TestHPKEPublicKeyHandler(t *testing.T) {
+	t.Parallel()
+
+	k1 := hpke.DerivePrivateKey([]byte("TEST"))
+
+	t.Run("cors", func(t *testing.T) {
+		w := httptest.NewRecorder()
+		r := httptest.NewRequest(http.MethodOptions, "/", nil)
+		r.Header.Set("Origin", "https://www.example.com")
+		r.Header.Set("Access-Control-Request-Method", "GET")
+		handlers.HPKEPublicKeyHandler(k1.PublicKey()).ServeHTTP(w, r)
+		assert.Equal(t, http.StatusNoContent, w.Result().StatusCode)
+	})
+	t.Run("keys", func(t *testing.T) {
+		w := httptest.NewRecorder()
+		r := httptest.NewRequest(http.MethodGet, "/", nil)
+		handlers.HPKEPublicKeyHandler(k1.PublicKey()).ServeHTTP(w, r)
+
+		assert.Equal(t, k1.PublicKey().Bytes(), w.Body.Bytes())
+	})
+}
--- a/pkg/hpke/http_test.go
+++ b/pkg/hpke/http_test.go
@ -10,8 +10,8 @@ import (
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"

-	"github.com/pomerium/pomerium/internal/handlers"
 	"github.com/pomerium/pomerium/pkg/hpke"
+	hpke_handlers "github.com/pomerium/pomerium/pkg/hpke/handlers"
 )

 func TestFetchPublicKeyFromJWKS(t *testing.T) {
@ -24,7 +24,7 @@ func TestFetchPublicKeyFromJWKS(t *testing.T) {
 	require.NoError(t, err)

 	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		handlers.HPKEPublicKeyHandler(hpkePrivateKey.PublicKey()).ServeHTTP(w, r)
+		hpke_handlers.HPKEPublicKeyHandler(hpkePrivateKey.PublicKey()).ServeHTTP(w, r)
 	}))
 	t.Cleanup(srv.Close)