From fe46ed33f46dd46889ccb44d898a58ef0dbce103 Mon Sep 17 00:00:00 2001
From: Kenneth Jenkins <51246568+kenjenkins@users.noreply.github.com>
Date: Tue, 12 Dec 2023 09:57:58 -0800
Subject: [PATCH] config: no longer stub out HPKE public key fetch (#4853)

This partially reverts commit a1388592d8627368ef9421c98d43d500e20beb37. Fetching the authenticate service HPKE public key is required only for the stateless authentication flow. Now that Pomerium will instead use the older (stateful) authentication flow when configured for a self-hosted authenticate service, this logic shouldn't be needed at all. Removing this logic should also make it easier to test against a local instance of the hosted authenticate service.
---
 config/config.go | 20 ++++----------------
 pkg/hpke/stub.go | 18 ------------------
 pkg/hpke/stub_test.go | 26 --------------------------
 3 files changed, 4 insertions(+), 60 deletions(-)
 delete mode 100644 pkg/hpke/stub.go
 delete mode 100644 pkg/hpke/stub_test.go

diff --git a/config/config.go b/config/config.go
index ead1c4cc2..2fe623fc7 100644
--- a/config/config.go
+++ b/config/config.go
@@ -237,22 +237,10 @@ func (cfg *Config) GetAuthenticateKeyFetcher() (hpke.KeyFetcher, error) {
 if err != nil {
 return nil, err
 }
-
- // For hosted authenticate, we need to fetch the HPKE public key.
- if urlutil.IsHostedAuthenticateDomain(authenticateURL.Hostname()) {
- hpkeURL := authenticateURL.ResolveReference(&url.URL{
- Path: urlutil.HPKEPublicKeyPath,
- }).String()
- return hpke.NewKeyFetcher(hpkeURL, transport), nil
- }
-
- // Otherwise we can use our own HPKE public key.
- privKey, err := cfg.Options.GetHPKEPrivateKey()
- if err != nil {
- return nil, err
- }
- pubKey := privKey.PublicKey()
- return hpke.NewStubKeyFetcher(pubKey), nil
+ hpkeURL := authenticateURL.ResolveReference(&url.URL{
+ Path: urlutil.HPKEPublicKeyPath,
+ }).String()
+ return hpke.NewKeyFetcher(hpkeURL, transport), nil
 }

 func (cfg *Config) resolveAuthenticateURL() (*url.URL, *http.Transport, error) {
diff --git a/pkg/hpke/stub.go b/pkg/hpke/stub.go
deleted file mode 100644
index a628584f1..000000000
--- a/pkg/hpke/stub.go
+++ /dev/null
@@ -1,18 +0,0 @@
-package hpke
-
-import (
- "context"
-)
-
-type stubFetcher struct {
- key *PublicKey
-}
-
-func (f stubFetcher) FetchPublicKey(_ context.Context) (*PublicKey, error) {
- return f.key, nil
-}
-
-// NewStubKeyFetcher returns a new KeyFetcher which returns a fixed key.
-func NewStubKeyFetcher(key *PublicKey) KeyFetcher {
- return stubFetcher{key}
-}
diff --git a/pkg/hpke/stub_test.go b/pkg/hpke/stub_test.go
deleted file mode 100644
index 1d8dc4f6b..000000000
--- a/pkg/hpke/stub_test.go
+++ /dev/null
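Review bot: The new unconditional fetch leaves no trace in the code of the assumption the commit message relies on — that GetAuthenticateKeyFetcher is only used for the stateless flow against the hosted authenticate service — so a reader of config.go now sees a fetcher built against any authenticate URL, including a self-hosted one that the commit message says will not use this path. A one-line comment above the added `hpkeURL :=` line would keep that contract next to the code, e.g. `// The HPKE public key is only needed by the stateless flow used with the hosted authenticate service; a self-hosted authenticate service uses the stateful flow and is not expected to reach this fetcher.` It is also worth noting in that comment that the authenticity of the fetched key now rests entirely on the TLS verification configured on `transport`, which is built in resolveAuthenticateURL outside this hunk. GetAuthenticateKeyFetcher's body begins before the hunk, so the earlier `err` assignment is not visible here.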
@@ -1,26 +0,0 @@
-package hpke_test
-
-import (
- "context"
- "testing"
-
- "github.com/stretchr/testify/assert"
- "github.com/stretchr/testify/require"
-
- "github.com/pomerium/pomerium/pkg/hpke"
-)
-
-func TestStubFetcher(t *testing.T) {
- t.Parallel()
-
- hpkePrivateKey, err := hpke.GeneratePrivateKey()
- require.NoError(t, err)
-
- expected := hpkePrivateKey.PublicKey()
-
- f := hpke.NewStubKeyFetcher(expected)
-
- actual, err := f.FetchPublicKey(context.Background())
- require.NoError(t, err)
- assert.Equal(t, expected.String(), actual.String())
-}