config: no longer stub out HPKE public key fetch (#4853)

This partially reverts commit a1388592d8. Fetching the authenticate service HPKE public key is required only for the stateless authentication flow. Now that Pomerium will instead use the older (stateful) authentication flow when configured for a self-hosted authenticate service, this logic shouldn't be needed at all. Removing this logic should also make it easier to test against a local instance of the hosted authenticate service.
2025-04-28 18:06:34 +02:00 · 2023-12-12 09:57:58 -08:00 · 2023-12-12 09:57:58 -08:00 · fe46ed33f4
commit fe46ed33f4
parent 1dbe4410d7
3 changed files with 4 additions and 60 deletions
--- a/config/config.go
+++ b/config/config.go
@ -237,22 +237,10 @@ func (cfg *Config) GetAuthenticateKeyFetcher() (hpke.KeyFetcher, error) {
 	if err != nil {
 		return nil, err
 	}
-
-	// For hosted authenticate, we need to fetch the HPKE public key.
-	if urlutil.IsHostedAuthenticateDomain(authenticateURL.Hostname()) {
-		hpkeURL := authenticateURL.ResolveReference(&url.URL{
-			Path: urlutil.HPKEPublicKeyPath,
-		}).String()
-		return hpke.NewKeyFetcher(hpkeURL, transport), nil
-	}
-
-	// Otherwise we can use our own HPKE public key.
-	privKey, err := cfg.Options.GetHPKEPrivateKey()
-	if err != nil {
-		return nil, err
-	}
-	pubKey := privKey.PublicKey()
-	return hpke.NewStubKeyFetcher(pubKey), nil
+	hpkeURL := authenticateURL.ResolveReference(&url.URL{
+		Path: urlutil.HPKEPublicKeyPath,
+	}).String()
+	return hpke.NewKeyFetcher(hpkeURL, transport), nil
 }

 func (cfg *Config) resolveAuthenticateURL() (*url.URL, *http.Transport, error) {
--- a/pkg/hpke/stub.go
+++ b/pkg/hpke/stub.go
@ -1,18 +0,0 @@
-package hpke
-
-import (
-	"context"
-)
-
-type stubFetcher struct {
-	key *PublicKey
-}
-
-func (f stubFetcher) FetchPublicKey(_ context.Context) (*PublicKey, error) {
-	return f.key, nil
-}
-
-// NewStubKeyFetcher returns a new KeyFetcher which returns a fixed key.
-func NewStubKeyFetcher(key *PublicKey) KeyFetcher {
-	return stubFetcher{key}
-}
--- a/pkg/hpke/stub_test.go
+++ b/pkg/hpke/stub_test.go
@ -1,26 +0,0 @@
-package hpke_test
-
-import (
-	"context"
-	"testing"
-
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-
-	"github.com/pomerium/pomerium/pkg/hpke"
-)
-
-func TestStubFetcher(t *testing.T) {
-	t.Parallel()
-
-	hpkePrivateKey, err := hpke.GeneratePrivateKey()
-	require.NoError(t, err)
-
-	expected := hpkePrivateKey.PublicKey()
-
-	f := hpke.NewStubKeyFetcher(expected)
-
-	actual, err := f.FetchPublicKey(context.Background())
-	require.NoError(t, err)
-	assert.Equal(t, expected.String(), actual.String())
-}