TUN-2243: Revert "STOR-519: Add db-connect, a SQL over HTTPS server"

This reverts commit 5da2109811.
2025-07-27 00:09:57 +00:00 · 2019-08-26 16:45:49 -05:00
parent c3c88cc31e
commit 4e1df1a211
410 changed files with 666 additions and 362649 deletions
--- a/validation/validation.go
+++ b/validation/validation.go
@@ -1,7 +1,6 @@
 package validation

 import (
-	"context"
 	"fmt"
 	"net"
 	"net/url"
@@ -10,21 +9,15 @@ import (

 	"net/http"

-	"github.com/coreos/go-oidc"
 	"github.com/pkg/errors"
 	"golang.org/x/net/idna"
 )

-const (
-	defaultScheme   = "http"
-	accessDomain    = "cloudflareaccess.com"
-	accessCertPath  = "/cdn-cgi/access/certs"
-	accessJwtHeader = "Cf-access-jwt-assertion"
-)
+const defaultScheme = "http"

 var (
 	supportedProtocols = []string{"http", "https", "rdp"}
-	validationTimeout  = time.Duration(30 * time.Second)
+	validationTimeout = time.Duration(30 * time.Second)
 )

 func ValidateHostname(hostname string) (string, error) {
@@ -204,50 +197,3 @@ func toggleProtocol(httpProtocol string) string {
 		return httpProtocol
 	}
 }
-
-// Access checks if a JWT from Cloudflare Access is valid.
-type Access struct {
-	verifier *oidc.IDTokenVerifier
-}
-
-func NewAccessValidator(ctx context.Context, domain, issuer, applicationAUD string) (*Access, error) {
-	domainURL, err := ValidateUrl(domain)
-	if err != nil {
-		return nil, err
-	}
-
-	issuerURL, err := ValidateUrl(issuer)
-	if err != nil {
-		return nil, err
-	}
-
-	// An issuerURL from Cloudflare Access will always use HTTPS.
-	issuerURL = strings.Replace(issuerURL, "http:", "https:", 1)
-
-	keySet := oidc.NewRemoteKeySet(ctx, domainURL+accessCertPath)
-	return &Access{oidc.NewVerifier(issuerURL, keySet, &oidc.Config{ClientID: applicationAUD})}, nil
-}
-
-func (a *Access) Validate(ctx context.Context, jwt string) error {
-	token, err := a.verifier.Verify(ctx, jwt)
-
-	if err != nil {
-		return errors.Wrapf(err, "token is invalid: %s", jwt)
-	}
-
-	// Perform extra sanity checks, just to be safe.
-
-	if token == nil {
-		return fmt.Errorf("token is nil: %s", jwt)
-	}
-
-	if !strings.HasSuffix(token.Issuer, accessDomain) {
-		return fmt.Errorf("token has non-cloudflare issuer of %s: %s", token.Issuer, jwt)
-	}
-
-	return nil
-}
-
-func (a *Access) ValidateRequest(ctx context.Context, r *http.Request) error {
-	return a.Validate(ctx, r.Header.Get(accessJwtHeader))
-}
--- a/validation/validation_test.go
+++ b/validation/validation_test.go
@@ -320,39 +320,6 @@ func TestValidateHTTPService_NonResponsiveOrigin(t *testing.T) {
 	}
 }

-func TestNewAccessValidatorOk(t *testing.T) {
-	ctx := context.Background()
-	url := "test.cloudflareaccess.com"
-	access, err := NewAccessValidator(ctx, url, url, "")
-
-	assert.NoError(t, err)
-	assert.NotNil(t, access)
-
-	assert.Error(t, access.Validate(ctx, ""))
-	assert.Error(t, access.Validate(ctx, "invalid"))
-
-	req := httptest.NewRequest("GET", "https://test.cloudflareaccess.com", nil)
-	req.Header.Set(accessJwtHeader, "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c")
-	assert.Error(t, access.ValidateRequest(ctx, req))
-}
-
-func TestNewAccessValidatorErr(t *testing.T) {
-	ctx := context.Background()
-
-	urls := []string{
-		"",
-		"tcp://test.cloudflareaccess.com",
-		"wss://cloudflarenone.com",
-	}
-
-	for _, url := range urls {
-		access, err := NewAccessValidator(ctx, url, url, "")
-
-		assert.Error(t, err, url)
-		assert.Nil(t, access)
-	}
-}
-
 type testRoundTripper func(req *http.Request) (*http.Response, error)

 func (f testRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) {