Merge pull request from GHSA-pvrc-wvj2-f59p

* authorize: use route id from envoy for policy evaluation

* authorize: normalize URL query params

* config: enable envoy normalize_path option

* fix tests

---------

Co-authored-by: Kenneth Jenkins <51246568+kenjenkins@users.noreply.github.com>

config/policy_ppl_test.go

@@ -57,24 +57,6 @@ default allow = [false, set()]
 
 default deny = [false, set()]
 
-pomerium_routes_0 = [true, {"pomerium-route"}] {
-	session := get_session(input.session.id)
-	session.id != ""
-	contains(input.http.url, "/.pomerium/")
-}
-
-else = [true, {"pomerium-route"}] {
-	contains(input.http.url, "/.pomerium/")
-	not contains(input.http.url, "/.pomerium/jwt")
-	not contains(input.http.url, "/.pomerium/webauthn")
-}
-
-else = [false, {"user-unauthenticated"}] {
-	contains(input.http.url, "/.pomerium/")
-}
-
-else = [false, {"non-pomerium-route"}]
-
 accept_0 = [true, {"accept"}]
 
 cors_preflight_0 = [true, {"cors-request"}] {
@@ -380,7 +362,7 @@ else = [false, {"email-unauthorized"}] {
 else = [false, {"user-unauthenticated"}]
 
 or_0 = v {
-	results := [pomerium_routes_0, accept_0, cors_preflight_0, authenticated_user_0, domain_0, domain_1, domain_2, domain_3, domain_4, claim_0, claim_1, claim_2, claim_3, user_0, email_0, user_1, email_1, user_2, email_2, user_3, email_3, user_4, email_4]
+	results := [accept_0, cors_preflight_0, authenticated_user_0, domain_0, domain_1, domain_2, domain_3, domain_4, claim_0, claim_1, claim_2, claim_3, user_0, email_0, user_1, email_1, user_2, email_2, user_3, email_3, user_4, email_4]
 	normalized := [normalize_criterion_result(x) | x := results[i]]
 	v := merge_with_or(normalized)
 }