AUTH-1736: Better handling of token revocation

We removed all token validation from cloudflared and now rely on
the edge to do the validation. This is better because the edge is
the only thing that fully knows about token revocation. So if a user
logs out or the application revokes all it's tokens cloudflared will
now handle that process instead of barfing on it.

When we go to fetch a token we will check for the existence of a
lock file. If the lock file exists, we stop and poll every half
second to see if the lock is still there. Once the lock file is
removed, it will restart the function to (hopefully) go pick up
the valid token that was just created.

carrier/carrier_test.go

@@ -91,6 +91,31 @@ func TestStartServer(t *testing.T) {
 	assert.Equal(t, string(readBuffer), message)
 }
 
+func TestIsAccessResponse(t *testing.T) {
+	validLocationHeader := http.Header{}
+	validLocationHeader.Add("location", "https://test.cloudflareaccess.com/cdn-cgi/access/login/blahblah")
+	invalidLocationHeader := http.Header{}
+	invalidLocationHeader.Add("location", "https://google.com")
+	testCases := []struct {
+		Description string
+		In          *http.Response
+		ExpectedOut bool
+	}{
+		{"nil response", nil, false},
+		{"redirect with no location", &http.Response{StatusCode: http.StatusPermanentRedirect}, false},
+		{"200 ok", &http.Response{StatusCode: http.StatusOK}, false},
+		{"redirect with location", &http.Response{StatusCode: http.StatusPermanentRedirect, Header: validLocationHeader}, true},
+		{"redirect with invalid location", &http.Response{StatusCode: http.StatusPermanentRedirect, Header: invalidLocationHeader}, false},
+	}
+
+	for i, tc := range testCases {
+		if isAccessResponse(tc.In) != tc.ExpectedOut {
+			t.Fatalf("Failed case %d -- %s", i, tc.Description)
+		}
+	}
+
+}
+
 func newTestWebSocketServer() *httptest.Server {
 	upgrader := ws.Upgrader{
 		ReadBufferSize:  1024,