Skip to content
Projects
Groups
Snippets
Help
This project
Loading...
Sign in / Register
Toggle navigation
K
k3s
Project
Project
Details
Activity
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Charts
Registry
Registry
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
Jacklull
k3s
Commits
baa8d800
Unverified
Commit
baa8d800
authored
Oct 22, 2018
by
k8s-ci-robot
Committed by
GitHub
Oct 22, 2018
Browse files
Options
Browse Files
Download
Plain Diff
Merge pull request #69582 from mikedanese/trev7
tokenreview: authenticator interface changes
parents
46ec13cf
809f278b
Hide whitespace changes
Inline
Side-by-side
Showing
63 changed files
with
490 additions
and
368 deletions
+490
-368
BUILD
pkg/kubelet/server/BUILD
+1
-0
server.go
pkg/kubelet/server/server.go
+4
-4
server_test.go
pkg/kubelet/server/server_test.go
+12
-11
storage.go
pkg/registry/authentication/tokenreview/storage.go
+10
-6
claims.go
pkg/serviceaccount/claims.go
+2
-2
claims_test.go
pkg/serviceaccount/claims_test.go
+2
-2
jwt.go
pkg/serviceaccount/jwt.go
+6
-6
jwt_test.go
pkg/serviceaccount/jwt_test.go
+9
-8
legacy.go
pkg/serviceaccount/legacy.go
+3
-3
BUILD
plugin/pkg/auth/authenticator/token/bootstrap/BUILD
+1
-0
bootstrap.go
plugin/pkg/auth/authenticator/token/bootstrap/bootstrap.go
+8
-4
bootstrap_test.go
.../pkg/auth/authenticator/token/bootstrap/bootstrap_test.go
+3
-3
interfaces.go
.../apiserver/pkg/authentication/authenticator/interfaces.go
+32
-20
authenticated_group_adder.go
...ver/pkg/authentication/group/authenticated_group_adder.go
+13
-12
group_adder.go
.../k8s.io/apiserver/pkg/authentication/group/group_adder.go
+9
-8
group_adder_test.go
...io/apiserver/pkg/authentication/group/group_adder_test.go
+10
-10
token_group_adder.go
...o/apiserver/pkg/authentication/group/token_group_adder.go
+11
-8
token_group_adder_test.go
...server/pkg/authentication/group/token_group_adder_test.go
+6
-5
anonymous.go
...iserver/pkg/authentication/request/anonymous/anonymous.go
+7
-2
anonymous_test.go
...er/pkg/authentication/request/anonymous/anonymous_test.go
+5
-5
BUILD
...io/apiserver/pkg/authentication/request/bearertoken/BUILD
+1
-4
bearertoken.go
...ver/pkg/authentication/request/bearertoken/bearertoken.go
+3
-4
bearertoken_test.go
...kg/authentication/request/bearertoken/bearertoken_test.go
+27
-22
requestheader.go
...pkg/authentication/request/headerrequest/requestheader.go
+7
-5
requestheader_test.go
...uthentication/request/headerrequest/requestheader_test.go
+17
-13
BUILD
...c/k8s.io/apiserver/pkg/authentication/request/union/BUILD
+4
-2
union.go
...8s.io/apiserver/pkg/authentication/request/union/union.go
+4
-5
unionauth_test.go
...server/pkg/authentication/request/union/unionauth_test.go
+12
-11
BUILD
...s.io/apiserver/pkg/authentication/request/websocket/BUILD
+0
-1
protocol.go
...piserver/pkg/authentication/request/websocket/protocol.go
+3
-4
protocol_test.go
...ver/pkg/authentication/request/websocket/protocol_test.go
+29
-24
x509.go
.../k8s.io/apiserver/pkg/authentication/request/x509/x509.go
+11
-9
x509_test.go
...io/apiserver/pkg/authentication/request/x509/x509_test.go
+12
-12
BUILD
...src/k8s.io/apiserver/pkg/authentication/token/cache/BUILD
+2
-1
cache_striped.go
...apiserver/pkg/authentication/token/cache/cache_striped.go
+8
-8
cache_test.go
...io/apiserver/pkg/authentication/token/cache/cache_test.go
+7
-6
cached_token_authenticator.go
.../authentication/token/cache/cached_token_authenticator.go
+19
-10
cached_token_authenticator_test.go
...entication/token/cache/cached_token_authenticator_test.go
+40
-17
BUILD
...k8s.io/apiserver/pkg/authentication/token/tokenfile/BUILD
+1
-0
tokenfile.go
...apiserver/pkg/authentication/token/tokenfile/tokenfile.go
+4
-2
tokenfile_test.go
...rver/pkg/authentication/token/tokenfile/tokenfile_test.go
+6
-5
BUILD
...src/k8s.io/apiserver/pkg/authentication/token/union/BUILD
+4
-2
union.go
.../k8s.io/apiserver/pkg/authentication/token/union/union.go
+4
-3
unionauth_test.go
...piserver/pkg/authentication/token/union/unionauth_test.go
+17
-15
authentication.go
.../k8s.io/apiserver/pkg/endpoints/filters/authentication.go
+6
-3
authentication_test.go
...io/apiserver/pkg/endpoints/filters/authentication_test.go
+4
-4
deprecated_insecure_serving.go
...8s.io/apiserver/pkg/server/deprecated_insecure_serving.go
+7
-4
BUILD
...rver/plugin/pkg/authenticator/password/passwordfile/BUILD
+1
-0
passwordfile.go
...n/pkg/authenticator/password/passwordfile/passwordfile.go
+4
-2
passwordfile_test.go
.../authenticator/password/passwordfile/passwordfile_test.go
+6
-5
BUILD
...piserver/plugin/pkg/authenticator/request/basicauth/BUILD
+1
-4
basicauth.go
...r/plugin/pkg/authenticator/request/basicauth/basicauth.go
+3
-4
basicauth_test.go
...gin/pkg/authenticator/request/basicauth/basicauth_test.go
+6
-5
BUILD
...8s.io/apiserver/plugin/pkg/authenticator/token/oidc/BUILD
+1
-0
oidc.go
....io/apiserver/plugin/pkg/authenticator/token/oidc/oidc.go
+4
-3
oidc_test.go
...piserver/plugin/pkg/authenticator/token/oidc/oidc_test.go
+3
-2
BUILD
.../apiserver/plugin/pkg/authenticator/token/tokentest/BUILD
+4
-1
tokentest.go
...ver/plugin/pkg/authenticator/token/tokentest/tokentest.go
+9
-3
webhook.go
...iserver/plugin/pkg/authenticator/token/webhook/webhook.go
+9
-6
webhook_test.go
...er/plugin/pkg/authenticator/token/webhook/webhook_test.go
+9
-8
accessreview_test.go
test/integration/auth/accessreview_test.go
+9
-5
master_utils.go
test/integration/framework/master_utils.go
+5
-3
service_account_test.go
test/integration/serviceaccount/service_account_test.go
+3
-2
No files found.
pkg/kubelet/server/BUILD
View file @
baa8d800
...
@@ -77,6 +77,7 @@ go_test(
...
@@ -77,6 +77,7 @@ go_test(
"//staging/src/k8s.io/apimachinery/pkg/util/httpstream:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/util/httpstream:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/util/httpstream/spdy:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/util/httpstream/spdy:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/util/sets:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/util/sets:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/authentication/authenticator:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/authentication/user:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/authentication/user:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/authorization/authorizer:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/authorization/authorizer:go_default_library",
"//staging/src/k8s.io/client-go/tools/remotecommand:go_default_library",
"//staging/src/k8s.io/client-go/tools/remotecommand:go_default_library",
...
...
pkg/kubelet/server/server.go
View file @
baa8d800
...
@@ -221,7 +221,7 @@ func NewServer(
...
@@ -221,7 +221,7 @@ func NewServer(
func
(
s
*
Server
)
InstallAuthFilter
()
{
func
(
s
*
Server
)
InstallAuthFilter
()
{
s
.
restfulCont
.
Filter
(
func
(
req
*
restful
.
Request
,
resp
*
restful
.
Response
,
chain
*
restful
.
FilterChain
)
{
s
.
restfulCont
.
Filter
(
func
(
req
*
restful
.
Request
,
resp
*
restful
.
Response
,
chain
*
restful
.
FilterChain
)
{
// Authenticate
// Authenticate
u
,
ok
,
err
:=
s
.
auth
.
AuthenticateRequest
(
req
.
Request
)
info
,
ok
,
err
:=
s
.
auth
.
AuthenticateRequest
(
req
.
Request
)
if
err
!=
nil
{
if
err
!=
nil
{
glog
.
Errorf
(
"Unable to authenticate the request due to an error: %v"
,
err
)
glog
.
Errorf
(
"Unable to authenticate the request due to an error: %v"
,
err
)
resp
.
WriteErrorString
(
http
.
StatusUnauthorized
,
"Unauthorized"
)
resp
.
WriteErrorString
(
http
.
StatusUnauthorized
,
"Unauthorized"
)
...
@@ -233,18 +233,18 @@ func (s *Server) InstallAuthFilter() {
...
@@ -233,18 +233,18 @@ func (s *Server) InstallAuthFilter() {
}
}
// Get authorization attributes
// Get authorization attributes
attrs
:=
s
.
auth
.
GetRequestAttributes
(
u
,
req
.
Request
)
attrs
:=
s
.
auth
.
GetRequestAttributes
(
info
.
User
,
req
.
Request
)
// Authorize
// Authorize
decision
,
_
,
err
:=
s
.
auth
.
Authorize
(
attrs
)
decision
,
_
,
err
:=
s
.
auth
.
Authorize
(
attrs
)
if
err
!=
nil
{
if
err
!=
nil
{
msg
:=
fmt
.
Sprintf
(
"Authorization error (user=%s, verb=%s, resource=%s, subresource=%s)"
,
u
.
GetName
(),
attrs
.
GetVerb
(),
attrs
.
GetResource
(),
attrs
.
GetSubresource
())
msg
:=
fmt
.
Sprintf
(
"Authorization error (user=%s, verb=%s, resource=%s, subresource=%s)"
,
attrs
.
GetUser
()
.
GetName
(),
attrs
.
GetVerb
(),
attrs
.
GetResource
(),
attrs
.
GetSubresource
())
glog
.
Errorf
(
msg
,
err
)
glog
.
Errorf
(
msg
,
err
)
resp
.
WriteErrorString
(
http
.
StatusInternalServerError
,
msg
)
resp
.
WriteErrorString
(
http
.
StatusInternalServerError
,
msg
)
return
return
}
}
if
decision
!=
authorizer
.
DecisionAllow
{
if
decision
!=
authorizer
.
DecisionAllow
{
msg
:=
fmt
.
Sprintf
(
"Forbidden (user=%s, verb=%s, resource=%s, subresource=%s)"
,
u
.
GetName
(),
attrs
.
GetVerb
(),
attrs
.
GetResource
(),
attrs
.
GetSubresource
())
msg
:=
fmt
.
Sprintf
(
"Forbidden (user=%s, verb=%s, resource=%s, subresource=%s)"
,
attrs
.
GetUser
()
.
GetName
(),
attrs
.
GetVerb
(),
attrs
.
GetResource
(),
attrs
.
GetSubresource
())
glog
.
V
(
2
)
.
Info
(
msg
)
glog
.
V
(
2
)
.
Info
(
msg
)
resp
.
WriteErrorString
(
http
.
StatusForbidden
,
msg
)
resp
.
WriteErrorString
(
http
.
StatusForbidden
,
msg
)
return
return
...
...
pkg/kubelet/server/server_test.go
View file @
baa8d800
...
@@ -44,6 +44,7 @@ import (
...
@@ -44,6 +44,7 @@ import (
"k8s.io/apimachinery/pkg/util/httpstream"
"k8s.io/apimachinery/pkg/util/httpstream"
"k8s.io/apimachinery/pkg/util/httpstream/spdy"
"k8s.io/apimachinery/pkg/util/httpstream/spdy"
"k8s.io/apimachinery/pkg/util/sets"
"k8s.io/apimachinery/pkg/util/sets"
"k8s.io/apiserver/pkg/authentication/authenticator"
"k8s.io/apiserver/pkg/authentication/user"
"k8s.io/apiserver/pkg/authentication/user"
"k8s.io/apiserver/pkg/authorization/authorizer"
"k8s.io/apiserver/pkg/authorization/authorizer"
"k8s.io/client-go/tools/remotecommand"
"k8s.io/client-go/tools/remotecommand"
...
@@ -269,12 +270,12 @@ func (_ *fakeKubelet) GetCgroupCPUAndMemoryStats(cgroupName string, updateStats
...
@@ -269,12 +270,12 @@ func (_ *fakeKubelet) GetCgroupCPUAndMemoryStats(cgroupName string, updateStats
}
}
type
fakeAuth
struct
{
type
fakeAuth
struct
{
authenticateFunc
func
(
*
http
.
Request
)
(
user
.
Info
,
bool
,
error
)
authenticateFunc
func
(
*
http
.
Request
)
(
*
authenticator
.
Response
,
bool
,
error
)
attributesFunc
func
(
user
.
Info
,
*
http
.
Request
)
authorizer
.
Attributes
attributesFunc
func
(
user
.
Info
,
*
http
.
Request
)
authorizer
.
Attributes
authorizeFunc
func
(
authorizer
.
Attributes
)
(
authorized
authorizer
.
Decision
,
reason
string
,
err
error
)
authorizeFunc
func
(
authorizer
.
Attributes
)
(
authorized
authorizer
.
Decision
,
reason
string
,
err
error
)
}
}
func
(
f
*
fakeAuth
)
AuthenticateRequest
(
req
*
http
.
Request
)
(
user
.
Info
,
bool
,
error
)
{
func
(
f
*
fakeAuth
)
AuthenticateRequest
(
req
*
http
.
Request
)
(
*
authenticator
.
Response
,
bool
,
error
)
{
return
f
.
authenticateFunc
(
req
)
return
f
.
authenticateFunc
(
req
)
}
}
func
(
f
*
fakeAuth
)
GetRequestAttributes
(
u
user
.
Info
,
req
*
http
.
Request
)
authorizer
.
Attributes
{
func
(
f
*
fakeAuth
)
GetRequestAttributes
(
u
user
.
Info
,
req
*
http
.
Request
)
authorizer
.
Attributes
{
...
@@ -317,8 +318,8 @@ func newServerTestWithDebug(enableDebugging, redirectContainerStreaming bool, st
...
@@ -317,8 +318,8 @@ func newServerTestWithDebug(enableDebugging, redirectContainerStreaming bool, st
streamingRuntime
:
streamingServer
,
streamingRuntime
:
streamingServer
,
}
}
fw
.
fakeAuth
=
&
fakeAuth
{
fw
.
fakeAuth
=
&
fakeAuth
{
authenticateFunc
:
func
(
req
*
http
.
Request
)
(
user
.
Info
,
bool
,
error
)
{
authenticateFunc
:
func
(
req
*
http
.
Request
)
(
*
authenticator
.
Response
,
bool
,
error
)
{
return
&
user
.
DefaultInfo
{
Name
:
"test"
},
true
,
nil
return
&
authenticator
.
Response
{
User
:
&
user
.
DefaultInfo
{
Name
:
"test"
}
},
true
,
nil
},
},
attributesFunc
:
func
(
u
user
.
Info
,
req
*
http
.
Request
)
authorizer
.
Attributes
{
attributesFunc
:
func
(
u
user
.
Info
,
req
*
http
.
Request
)
authorizer
.
Attributes
{
return
&
authorizer
.
AttributesRecord
{
User
:
u
}
return
&
authorizer
.
AttributesRecord
{
User
:
u
}
...
@@ -768,9 +769,9 @@ Otherwise, add it to the expected list of paths that map to the "proxy" subresou
...
@@ -768,9 +769,9 @@ Otherwise, add it to the expected list of paths that map to the "proxy" subresou
calledAttributes
=
false
calledAttributes
=
false
)
)
fw
.
fakeAuth
.
authenticateFunc
=
func
(
req
*
http
.
Request
)
(
user
.
Info
,
bool
,
error
)
{
fw
.
fakeAuth
.
authenticateFunc
=
func
(
req
*
http
.
Request
)
(
*
authenticator
.
Response
,
bool
,
error
)
{
calledAuthenticate
=
true
calledAuthenticate
=
true
return
expectedUser
,
true
,
nil
return
&
authenticator
.
Response
{
User
:
expectedUser
}
,
true
,
nil
}
}
fw
.
fakeAuth
.
attributesFunc
=
func
(
u
user
.
Info
,
req
*
http
.
Request
)
authorizer
.
Attributes
{
fw
.
fakeAuth
.
attributesFunc
=
func
(
u
user
.
Info
,
req
*
http
.
Request
)
authorizer
.
Attributes
{
calledAttributes
=
true
calledAttributes
=
true
...
@@ -830,9 +831,9 @@ func TestAuthenticationError(t *testing.T) {
...
@@ -830,9 +831,9 @@ func TestAuthenticationError(t *testing.T) {
fw
:=
newServerTest
()
fw
:=
newServerTest
()
defer
fw
.
testHTTPServer
.
Close
()
defer
fw
.
testHTTPServer
.
Close
()
fw
.
fakeAuth
.
authenticateFunc
=
func
(
req
*
http
.
Request
)
(
user
.
Info
,
bool
,
error
)
{
fw
.
fakeAuth
.
authenticateFunc
=
func
(
req
*
http
.
Request
)
(
*
authenticator
.
Response
,
bool
,
error
)
{
calledAuthenticate
=
true
calledAuthenticate
=
true
return
expectedUser
,
true
,
nil
return
&
authenticator
.
Response
{
User
:
expectedUser
}
,
true
,
nil
}
}
fw
.
fakeAuth
.
attributesFunc
=
func
(
u
user
.
Info
,
req
*
http
.
Request
)
authorizer
.
Attributes
{
fw
.
fakeAuth
.
attributesFunc
=
func
(
u
user
.
Info
,
req
*
http
.
Request
)
authorizer
.
Attributes
{
calledAttributes
=
true
calledAttributes
=
true
...
@@ -868,7 +869,7 @@ func TestAuthenticationFailure(t *testing.T) {
...
@@ -868,7 +869,7 @@ func TestAuthenticationFailure(t *testing.T) {
fw
:=
newServerTest
()
fw
:=
newServerTest
()
defer
fw
.
testHTTPServer
.
Close
()
defer
fw
.
testHTTPServer
.
Close
()
fw
.
fakeAuth
.
authenticateFunc
=
func
(
req
*
http
.
Request
)
(
user
.
Info
,
bool
,
error
)
{
fw
.
fakeAuth
.
authenticateFunc
=
func
(
req
*
http
.
Request
)
(
*
authenticator
.
Response
,
bool
,
error
)
{
calledAuthenticate
=
true
calledAuthenticate
=
true
return
nil
,
false
,
nil
return
nil
,
false
,
nil
}
}
...
@@ -906,9 +907,9 @@ func TestAuthorizationSuccess(t *testing.T) {
...
@@ -906,9 +907,9 @@ func TestAuthorizationSuccess(t *testing.T) {
fw
:=
newServerTest
()
fw
:=
newServerTest
()
defer
fw
.
testHTTPServer
.
Close
()
defer
fw
.
testHTTPServer
.
Close
()
fw
.
fakeAuth
.
authenticateFunc
=
func
(
req
*
http
.
Request
)
(
user
.
Info
,
bool
,
error
)
{
fw
.
fakeAuth
.
authenticateFunc
=
func
(
req
*
http
.
Request
)
(
*
authenticator
.
Response
,
bool
,
error
)
{
calledAuthenticate
=
true
calledAuthenticate
=
true
return
expectedUser
,
true
,
nil
return
&
authenticator
.
Response
{
User
:
expectedUser
}
,
true
,
nil
}
}
fw
.
fakeAuth
.
attributesFunc
=
func
(
u
user
.
Info
,
req
*
http
.
Request
)
authorizer
.
Attributes
{
fw
.
fakeAuth
.
attributesFunc
=
func
(
u
user
.
Info
,
req
*
http
.
Request
)
authorizer
.
Attributes
{
calledAttributes
=
true
calledAttributes
=
true
...
...
pkg/registry/authentication/tokenreview/storage.go
View file @
baa8d800
...
@@ -68,19 +68,23 @@ func (r *REST) Create(ctx context.Context, obj runtime.Object, createValidation
...
@@ -68,19 +68,23 @@ func (r *REST) Create(ctx context.Context, obj runtime.Object, createValidation
fakeReq
:=
&
http
.
Request
{
Header
:
http
.
Header
{}}
fakeReq
:=
&
http
.
Request
{
Header
:
http
.
Header
{}}
fakeReq
.
Header
.
Add
(
"Authorization"
,
"Bearer "
+
tokenReview
.
Spec
.
Token
)
fakeReq
.
Header
.
Add
(
"Authorization"
,
"Bearer "
+
tokenReview
.
Spec
.
Token
)
tokenUser
,
ok
,
err
:=
r
.
tokenAuthenticator
.
AuthenticateRequest
(
fakeReq
)
resp
,
ok
,
err
:=
r
.
tokenAuthenticator
.
AuthenticateRequest
(
fakeReq
)
tokenReview
.
Status
.
Authenticated
=
ok
tokenReview
.
Status
.
Authenticated
=
ok
if
err
!=
nil
{
if
err
!=
nil
{
tokenReview
.
Status
.
Error
=
err
.
Error
()
tokenReview
.
Status
.
Error
=
err
.
Error
()
}
}
if
tokenUser
!=
nil
{
// TODO(mikedanese): verify the response audience matches one of apiAuds if
// non-empty
if
resp
!=
nil
&&
resp
.
User
!=
nil
{
tokenReview
.
Status
.
User
=
authentication
.
UserInfo
{
tokenReview
.
Status
.
User
=
authentication
.
UserInfo
{
Username
:
token
User
.
GetName
(),
Username
:
resp
.
User
.
GetName
(),
UID
:
token
User
.
GetUID
(),
UID
:
resp
.
User
.
GetUID
(),
Groups
:
token
User
.
GetGroups
(),
Groups
:
resp
.
User
.
GetGroups
(),
Extra
:
map
[
string
]
authentication
.
ExtraValue
{},
Extra
:
map
[
string
]
authentication
.
ExtraValue
{},
}
}
for
k
,
v
:=
range
token
User
.
GetExtra
()
{
for
k
,
v
:=
range
resp
.
User
.
GetExtra
()
{
tokenReview
.
Status
.
User
.
Extra
[
k
]
=
authentication
.
ExtraValue
(
v
)
tokenReview
.
Status
.
User
.
Extra
[
k
]
=
authentication
.
ExtraValue
(
v
)
}
}
}
}
...
...
pkg/serviceaccount/claims.go
View file @
baa8d800
...
@@ -22,10 +22,10 @@ import (
...
@@ -22,10 +22,10 @@ import (
"time"
"time"
"github.com/golang/glog"
"github.com/golang/glog"
"gopkg.in/square/go-jose.v2/jwt"
apiserverserviceaccount
"k8s.io/apiserver/pkg/authentication/serviceaccount"
apiserverserviceaccount
"k8s.io/apiserver/pkg/authentication/serviceaccount"
"k8s.io/kubernetes/pkg/apis/core"
"k8s.io/kubernetes/pkg/apis/core"
"gopkg.in/square/go-jose.v2/jwt"
)
)
// time.Now stubbed out to allow testing
// time.Now stubbed out to allow testing
...
...
pkg/serviceaccount/claims_test.go
View file @
baa8d800
...
@@ -22,10 +22,10 @@ import (
...
@@ -22,10 +22,10 @@ import (
"testing"
"testing"
"time"
"time"
"gopkg.in/square/go-jose.v2/jwt"
metav1
"k8s.io/apimachinery/pkg/apis/meta/v1"
metav1
"k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/kubernetes/pkg/apis/core"
"k8s.io/kubernetes/pkg/apis/core"
"gopkg.in/square/go-jose.v2/jwt"
)
)
func
init
()
{
func
init
()
{
...
...
pkg/serviceaccount/jwt.go
View file @
baa8d800
...
@@ -17,6 +17,7 @@ limitations under the License.
...
@@ -17,6 +17,7 @@ limitations under the License.
package
serviceaccount
package
serviceaccount
import
(
import
(
"context"
"crypto/ecdsa"
"crypto/ecdsa"
"crypto/elliptic"
"crypto/elliptic"
"crypto/rsa"
"crypto/rsa"
...
@@ -25,13 +26,12 @@ import (
...
@@ -25,13 +26,12 @@ import (
"fmt"
"fmt"
"strings"
"strings"
jose
"gopkg.in/square/go-jose.v2"
"gopkg.in/square/go-jose.v2/jwt"
"k8s.io/api/core/v1"
"k8s.io/api/core/v1"
utilerrors
"k8s.io/apimachinery/pkg/util/errors"
utilerrors
"k8s.io/apimachinery/pkg/util/errors"
"k8s.io/apiserver/pkg/authentication/authenticator"
"k8s.io/apiserver/pkg/authentication/authenticator"
"k8s.io/apiserver/pkg/authentication/user"
jose
"gopkg.in/square/go-jose.v2"
"gopkg.in/square/go-jose.v2/jwt"
)
)
// ServiceAccountTokenGetter defines functions to retrieve a named service account and secret
// ServiceAccountTokenGetter defines functions to retrieve a named service account and secret
...
@@ -140,7 +140,7 @@ type Validator interface {
...
@@ -140,7 +140,7 @@ type Validator interface {
NewPrivateClaims
()
interface
{}
NewPrivateClaims
()
interface
{}
}
}
func
(
j
*
jwtTokenAuthenticator
)
AuthenticateToken
(
tokenData
string
)
(
user
.
Info
,
bool
,
error
)
{
func
(
j
*
jwtTokenAuthenticator
)
AuthenticateToken
(
ctx
context
.
Context
,
tokenData
string
)
(
*
authenticator
.
Response
,
bool
,
error
)
{
if
!
j
.
hasCorrectIssuer
(
tokenData
)
{
if
!
j
.
hasCorrectIssuer
(
tokenData
)
{
return
nil
,
false
,
nil
return
nil
,
false
,
nil
}
}
...
@@ -177,7 +177,7 @@ func (j *jwtTokenAuthenticator) AuthenticateToken(tokenData string) (user.Info,
...
@@ -177,7 +177,7 @@ func (j *jwtTokenAuthenticator) AuthenticateToken(tokenData string) (user.Info,
return
nil
,
false
,
err
return
nil
,
false
,
err
}
}
return
sa
.
UserInfo
()
,
true
,
nil
return
&
authenticator
.
Response
{
User
:
sa
.
UserInfo
()}
,
true
,
nil
}
}
// hasCorrectIssuer returns true if tokenData is a valid JWT in compact
// hasCorrectIssuer returns true if tokenData is a valid JWT in compact
...
...
pkg/serviceaccount/jwt_test.go
View file @
baa8d800
...
@@ -17,6 +17,7 @@ limitations under the License.
...
@@ -17,6 +17,7 @@ limitations under the License.
package
serviceaccount_test
package
serviceaccount_test
import
(
import
(
"context"
"reflect"
"reflect"
"testing"
"testing"
...
@@ -278,12 +279,12 @@ func TestTokenGenerateAndValidate(t *testing.T) {
...
@@ -278,12 +279,12 @@ func TestTokenGenerateAndValidate(t *testing.T) {
authenticator
:=
serviceaccount
.
JWTTokenAuthenticator
(
serviceaccount
.
LegacyIssuer
,
tc
.
Keys
,
serviceaccount
.
NewLegacyValidator
(
tc
.
Client
!=
nil
,
getter
))
authenticator
:=
serviceaccount
.
JWTTokenAuthenticator
(
serviceaccount
.
LegacyIssuer
,
tc
.
Keys
,
serviceaccount
.
NewLegacyValidator
(
tc
.
Client
!=
nil
,
getter
))
// An invalid, non-JWT token should always fail
// An invalid, non-JWT token should always fail
if
_
,
ok
,
err
:=
authenticator
.
AuthenticateToken
(
"invalid token"
);
err
!=
nil
||
ok
{
if
_
,
ok
,
err
:=
authenticator
.
AuthenticateToken
(
context
.
Background
(),
"invalid token"
);
err
!=
nil
||
ok
{
t
.
Errorf
(
"%s: Expected err=nil, ok=false for non-JWT token"
,
k
)
t
.
Errorf
(
"%s: Expected err=nil, ok=false for non-JWT token"
,
k
)
continue
continue
}
}
user
,
ok
,
err
:=
authenticator
.
AuthenticateToken
(
tc
.
Token
)
resp
,
ok
,
err
:=
authenticator
.
AuthenticateToken
(
context
.
Background
(),
tc
.
Token
)
if
(
err
!=
nil
)
!=
tc
.
ExpectedErr
{
if
(
err
!=
nil
)
!=
tc
.
ExpectedErr
{
t
.
Errorf
(
"%s: Expected error=%v, got %v"
,
k
,
tc
.
ExpectedErr
,
err
)
t
.
Errorf
(
"%s: Expected error=%v, got %v"
,
k
,
tc
.
ExpectedErr
,
err
)
continue
continue
...
@@ -298,16 +299,16 @@ func TestTokenGenerateAndValidate(t *testing.T) {
...
@@ -298,16 +299,16 @@ func TestTokenGenerateAndValidate(t *testing.T) {
continue
continue
}
}
if
u
ser
.
GetName
()
!=
tc
.
ExpectedUserName
{
if
resp
.
U
ser
.
GetName
()
!=
tc
.
ExpectedUserName
{
t
.
Errorf
(
"%s: Expected username=%v, got %v"
,
k
,
tc
.
ExpectedUserName
,
u
ser
.
GetName
())
t
.
Errorf
(
"%s: Expected username=%v, got %v"
,
k
,
tc
.
ExpectedUserName
,
resp
.
U
ser
.
GetName
())
continue
continue
}
}
if
u
ser
.
GetUID
()
!=
tc
.
ExpectedUserUID
{
if
resp
.
U
ser
.
GetUID
()
!=
tc
.
ExpectedUserUID
{
t
.
Errorf
(
"%s: Expected userUID=%v, got %v"
,
k
,
tc
.
ExpectedUserUID
,
u
ser
.
GetUID
())
t
.
Errorf
(
"%s: Expected userUID=%v, got %v"
,
k
,
tc
.
ExpectedUserUID
,
resp
.
U
ser
.
GetUID
())
continue
continue
}
}
if
!
reflect
.
DeepEqual
(
u
ser
.
GetGroups
(),
tc
.
ExpectedGroups
)
{
if
!
reflect
.
DeepEqual
(
resp
.
U
ser
.
GetGroups
(),
tc
.
ExpectedGroups
)
{
t
.
Errorf
(
"%s: Expected groups=%v, got %v"
,
k
,
tc
.
ExpectedGroups
,
u
ser
.
GetGroups
())
t
.
Errorf
(
"%s: Expected groups=%v, got %v"
,
k
,
tc
.
ExpectedGroups
,
resp
.
U
ser
.
GetGroups
())
continue
continue
}
}
}
}
...
...
pkg/serviceaccount/legacy.go
View file @
baa8d800
...
@@ -21,11 +21,11 @@ import (
...
@@ -21,11 +21,11 @@ import (
"errors"
"errors"
"fmt"
"fmt"
"k8s.io/api/core/v1"
apiserverserviceaccount
"k8s.io/apiserver/pkg/authentication/serviceaccount"
"github.com/golang/glog"
"github.com/golang/glog"
"gopkg.in/square/go-jose.v2/jwt"
"gopkg.in/square/go-jose.v2/jwt"
"k8s.io/api/core/v1"
apiserverserviceaccount
"k8s.io/apiserver/pkg/authentication/serviceaccount"
)
)
func
LegacyClaims
(
serviceAccount
v1
.
ServiceAccount
,
secret
v1
.
Secret
)
(
*
jwt
.
Claims
,
interface
{})
{
func
LegacyClaims
(
serviceAccount
v1
.
ServiceAccount
,
secret
v1
.
Secret
)
(
*
jwt
.
Claims
,
interface
{})
{
...
...
plugin/pkg/auth/authenticator/token/bootstrap/BUILD
View file @
baa8d800
...
@@ -30,6 +30,7 @@ go_library(
...
@@ -30,6 +30,7 @@ go_library(
"//pkg/client/listers/core/internalversion:go_default_library",
"//pkg/client/listers/core/internalversion:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/api/errors:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/api/errors:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/util/sets:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/util/sets:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/authentication/authenticator:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/authentication/user:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/authentication/user:go_default_library",
"//staging/src/k8s.io/cluster-bootstrap/token/api:go_default_library",
"//staging/src/k8s.io/cluster-bootstrap/token/api:go_default_library",
"//staging/src/k8s.io/cluster-bootstrap/token/util:go_default_library",
"//staging/src/k8s.io/cluster-bootstrap/token/util:go_default_library",
...
...
plugin/pkg/auth/authenticator/token/bootstrap/bootstrap.go
View file @
baa8d800
...
@@ -20,6 +20,7 @@ Package bootstrap provides a token authenticator for TLS bootstrap secrets.
...
@@ -20,6 +20,7 @@ Package bootstrap provides a token authenticator for TLS bootstrap secrets.
package
bootstrap
package
bootstrap
import
(
import
(
"context"
"crypto/subtle"
"crypto/subtle"
"fmt"
"fmt"
"regexp"
"regexp"
...
@@ -30,6 +31,7 @@ import (
...
@@ -30,6 +31,7 @@ import (
"k8s.io/apimachinery/pkg/api/errors"
"k8s.io/apimachinery/pkg/api/errors"
"k8s.io/apimachinery/pkg/util/sets"
"k8s.io/apimachinery/pkg/util/sets"
"k8s.io/apiserver/pkg/authentication/authenticator"
"k8s.io/apiserver/pkg/authentication/user"
"k8s.io/apiserver/pkg/authentication/user"
bootstrapapi
"k8s.io/cluster-bootstrap/token/api"
bootstrapapi
"k8s.io/cluster-bootstrap/token/api"
bootstraputil
"k8s.io/cluster-bootstrap/token/util"
bootstraputil
"k8s.io/cluster-bootstrap/token/util"
...
@@ -89,7 +91,7 @@ func tokenErrorf(s *api.Secret, format string, i ...interface{}) {
...
@@ -89,7 +91,7 @@ func tokenErrorf(s *api.Secret, format string, i ...interface{}) {
//
//
// ( token-id ).( token-secret )
// ( token-id ).( token-secret )
//
//
func
(
t
*
TokenAuthenticator
)
AuthenticateToken
(
token
string
)
(
user
.
Info
,
bool
,
error
)
{
func
(
t
*
TokenAuthenticator
)
AuthenticateToken
(
ctx
context
.
Context
,
token
string
)
(
*
authenticator
.
Response
,
bool
,
error
)
{
tokenID
,
tokenSecret
,
err
:=
parseToken
(
token
)
tokenID
,
tokenSecret
,
err
:=
parseToken
(
token
)
if
err
!=
nil
{
if
err
!=
nil
{
// Token isn't of the correct form, ignore it.
// Token isn't of the correct form, ignore it.
...
@@ -144,9 +146,11 @@ func (t *TokenAuthenticator) AuthenticateToken(token string) (user.Info, bool, e
...
@@ -144,9 +146,11 @@ func (t *TokenAuthenticator) AuthenticateToken(token string) (user.Info, bool, e
return
nil
,
false
,
nil
return
nil
,
false
,
nil
}
}
return
&
user
.
DefaultInfo
{
return
&
authenticator
.
Response
{
Name
:
bootstrapapi
.
BootstrapUserPrefix
+
string
(
id
),
User
:
&
user
.
DefaultInfo
{
Groups
:
groups
,
Name
:
bootstrapapi
.
BootstrapUserPrefix
+
string
(
id
),
Groups
:
groups
,
},
},
true
,
nil
},
true
,
nil
}
}
...
...
plugin/pkg/auth/authenticator/token/bootstrap/bootstrap_test.go
View file @
baa8d800
...
@@ -17,6 +17,7 @@ limitations under the License.
...
@@ -17,6 +17,7 @@ limitations under the License.
package
bootstrap
package
bootstrap
import
(
import
(
"context"
"reflect"
"reflect"
"testing"
"testing"
...
@@ -262,7 +263,7 @@ func TestTokenAuthenticator(t *testing.T) {
...
@@ -262,7 +263,7 @@ func TestTokenAuthenticator(t *testing.T) {
for
_
,
test
:=
range
tests
{
for
_
,
test
:=
range
tests
{
func
()
{
func
()
{
a
:=
NewTokenAuthenticator
(
&
lister
{
test
.
secrets
})
a
:=
NewTokenAuthenticator
(
&
lister
{
test
.
secrets
})
u
,
found
,
err
:=
a
.
AuthenticateToken
(
test
.
token
)
resp
,
found
,
err
:=
a
.
AuthenticateToken
(
context
.
Background
(),
test
.
token
)
if
err
!=
nil
{
if
err
!=
nil
{
t
.
Errorf
(
"test %q returned an error: %v"
,
test
.
name
,
err
)
t
.
Errorf
(
"test %q returned an error: %v"
,
test
.
name
,
err
)
return
return
...
@@ -280,8 +281,7 @@ func TestTokenAuthenticator(t *testing.T) {
...
@@ -280,8 +281,7 @@ func TestTokenAuthenticator(t *testing.T) {
return
return
}
}
gotUser
:=
u
.
(
*
user
.
DefaultInfo
)
gotUser
:=
resp
.
User
.
(
*
user
.
DefaultInfo
)
if
!
reflect
.
DeepEqual
(
gotUser
,
test
.
wantUser
)
{
if
!
reflect
.
DeepEqual
(
gotUser
,
test
.
wantUser
)
{
t
.
Errorf
(
"test %q want user=%#v, got=%#v"
,
test
.
name
,
test
.
wantUser
,
gotUser
)
t
.
Errorf
(
"test %q want user=%#v, got=%#v"
,
test
.
name
,
test
.
wantUser
,
gotUser
)
}
}
...
...
staging/src/k8s.io/apiserver/pkg/authentication/authenticator/interfaces.go
View file @
baa8d800
...
@@ -17,52 +17,64 @@ limitations under the License.
...
@@ -17,52 +17,64 @@ limitations under the License.
package
authenticator
package
authenticator
import
(
import
(
"context"
"net/http"
"net/http"
"k8s.io/apiserver/pkg/authentication/user"
"k8s.io/apiserver/pkg/authentication/user"
)
)
// Token checks a string value against a backing authentication store and returns
// Token checks a string value against a backing authentication store and
// information about the current user and true if successful, false if not successful,
// returns a Response or an error if the token could not be checked.
// or an error if the token could not be checked.
type
Token
interface
{
type
Token
interface
{
AuthenticateToken
(
token
string
)
(
user
.
Info
,
bool
,
error
)
AuthenticateToken
(
ctx
context
.
Context
,
token
string
)
(
*
Response
,
bool
,
error
)
}
}
// Request attempts to extract authentication information from a request and returns
// Request attempts to extract authentication information from a request and
// information about the current user and true if successful, false if not successful,
// returns a Response or an error if the request could not be checked.
// or an error if the request could not be checked.
type
Request
interface
{
type
Request
interface
{
AuthenticateRequest
(
req
*
http
.
Request
)
(
user
.
Info
,
bool
,
error
)
AuthenticateRequest
(
req
*
http
.
Request
)
(
*
Response
,
bool
,
error
)
}
}
// Password checks a username and password against a backing authentication
store and
// Password checks a username and password against a backing authentication
//
returns information about the user and true if successful, false if not successful,
//
store and returns a Response or an error if the password could not be
//
or an error if the username and password could not be checked
//
checked.
type
Password
interface
{
type
Password
interface
{
AuthenticatePassword
(
user
,
password
string
)
(
user
.
Info
,
bool
,
error
)
AuthenticatePassword
(
ctx
context
.
Context
,
user
,
password
string
)
(
*
Response
,
bool
,
error
)
}
}
// TokenFunc is a function that implements the Token interface.
// TokenFunc is a function that implements the Token interface.
type
TokenFunc
func
(
token
string
)
(
user
.
Info
,
bool
,
error
)
type
TokenFunc
func
(
ctx
context
.
Context
,
token
string
)
(
*
Response
,
bool
,
error
)
// AuthenticateToken implements authenticator.Token.
// AuthenticateToken implements authenticator.Token.
func
(
f
TokenFunc
)
AuthenticateToken
(
token
string
)
(
user
.
Info
,
bool
,
error
)
{
func
(
f
TokenFunc
)
AuthenticateToken
(
ctx
context
.
Context
,
token
string
)
(
*
Response
,
bool
,
error
)
{
return
f
(
token
)
return
f
(
ctx
,
token
)
}
}
// RequestFunc is a function that implements the Request interface.
// RequestFunc is a function that implements the Request interface.
type
RequestFunc
func
(
req
*
http
.
Request
)
(
user
.
Info
,
bool
,
error
)
type
RequestFunc
func
(
req
*
http
.
Request
)
(
*
Response
,
bool
,
error
)
// AuthenticateRequest implements authenticator.Request.
// AuthenticateRequest implements authenticator.Request.
func
(
f
RequestFunc
)
AuthenticateRequest
(
req
*
http
.
Request
)
(
user
.
Info
,
bool
,
error
)
{
func
(
f
RequestFunc
)
AuthenticateRequest
(
req
*
http
.
Request
)
(
*
Response
,
bool
,
error
)
{
return
f
(
req
)
return
f
(
req
)
}
}
// PasswordFunc is a function that implements the Password interface.
// PasswordFunc is a function that implements the Password interface.
type
PasswordFunc
func
(
user
,
password
string
)
(
user
.
Info
,
bool
,
error
)
type
PasswordFunc
func
(
ctx
context
.
Context
,
user
,
password
string
)
(
*
Response
,
bool
,
error
)
// AuthenticatePassword implements authenticator.Password.
// AuthenticatePassword implements authenticator.Password.
func
(
f
PasswordFunc
)
AuthenticatePassword
(
user
,
password
string
)
(
user
.
Info
,
bool
,
error
)
{
func
(
f
PasswordFunc
)
AuthenticatePassword
(
ctx
context
.
Context
,
user
,
password
string
)
(
*
Response
,
bool
,
error
)
{
return
f
(
user
,
password
)
return
f
(
ctx
,
user
,
password
)
}
// Response is the struct returned by authenticator interfaces upon successful
// authentication. It contains information about whether the authenticator
// authenticated the request, information about the context of the
// authentication, and information about the authenticated user.
type
Response
struct
{
// Audiences is the set of audiences the authenticator was able to validate
// the token against. If the authenticator is not audience aware, this field
// will be empty.
Audiences
Audiences
// User is the UserInfo associated with the authentication context.
User
user
.
Info
}
}
staging/src/k8s.io/apiserver/pkg/authentication/group/authenticated_group_adder.go
View file @
baa8d800
...
@@ -36,25 +36,26 @@ func NewAuthenticatedGroupAdder(auth authenticator.Request) authenticator.Reques
...
@@ -36,25 +36,26 @@ func NewAuthenticatedGroupAdder(auth authenticator.Request) authenticator.Reques
return
&
AuthenticatedGroupAdder
{
auth
}
return
&
AuthenticatedGroupAdder
{
auth
}
}
}
func
(
g
*
AuthenticatedGroupAdder
)
AuthenticateRequest
(
req
*
http
.
Request
)
(
user
.
Info
,
bool
,
error
)
{
func
(
g
*
AuthenticatedGroupAdder
)
AuthenticateRequest
(
req
*
http
.
Request
)
(
*
authenticator
.
Response
,
bool
,
error
)
{
u
,
ok
,
err
:=
g
.
Authenticator
.
AuthenticateRequest
(
req
)
r
,
ok
,
err
:=
g
.
Authenticator
.
AuthenticateRequest
(
req
)
if
err
!=
nil
||
!
ok
{
if
err
!=
nil
||
!
ok
{
return
nil
,
ok
,
err
return
nil
,
ok
,
err
}
}
if
u
.
GetName
()
==
user
.
Anonymous
{
if
r
.
User
.
GetName
()
==
user
.
Anonymous
{
return
u
,
true
,
nil
return
r
,
true
,
nil
}
}
for
_
,
group
:=
range
u
.
GetGroups
()
{
for
_
,
group
:=
range
r
.
User
.
GetGroups
()
{
if
group
==
user
.
AllAuthenticated
||
group
==
user
.
AllUnauthenticated
{
if
group
==
user
.
AllAuthenticated
||
group
==
user
.
AllUnauthenticated
{
return
u
,
true
,
nil
return
r
,
true
,
nil
}
}
}
}
return
&
user
.
DefaultInfo
{
r
.
User
=
&
user
.
DefaultInfo
{
Name
:
u
.
GetName
(),
Name
:
r
.
User
.
GetName
(),
UID
:
u
.
GetUID
(),
UID
:
r
.
User
.
GetUID
(),
Groups
:
append
(
u
.
GetGroups
(),
user
.
AllAuthenticated
),
Groups
:
append
(
r
.
User
.
GetGroups
(),
user
.
AllAuthenticated
),
Extra
:
u
.
GetExtra
(),
Extra
:
r
.
User
.
GetExtra
(),
},
true
,
nil
}
return
r
,
true
,
nil
}
}
staging/src/k8s.io/apiserver/pkg/authentication/group/group_adder.go
View file @
baa8d800
...
@@ -36,15 +36,16 @@ func NewGroupAdder(auth authenticator.Request, groups []string) authenticator.Re
...
@@ -36,15 +36,16 @@ func NewGroupAdder(auth authenticator.Request, groups []string) authenticator.Re
return
&
GroupAdder
{
auth
,
groups
}
return
&
GroupAdder
{
auth
,
groups
}
}
}
func
(
g
*
GroupAdder
)
AuthenticateRequest
(
req
*
http
.
Request
)
(
user
.
Info
,
bool
,
error
)
{
func
(
g
*
GroupAdder
)
AuthenticateRequest
(
req
*
http
.
Request
)
(
*
authenticator
.
Response
,
bool
,
error
)
{
u
,
ok
,
err
:=
g
.
Authenticator
.
AuthenticateRequest
(
req
)
r
,
ok
,
err
:=
g
.
Authenticator
.
AuthenticateRequest
(
req
)
if
err
!=
nil
||
!
ok
{
if
err
!=
nil
||
!
ok
{
return
nil
,
ok
,
err
return
nil
,
ok
,
err
}
}
return
&
user
.
DefaultInfo
{
r
.
User
=
&
user
.
DefaultInfo
{
Name
:
u
.
GetName
(),
Name
:
r
.
User
.
GetName
(),
UID
:
u
.
GetUID
(),
UID
:
r
.
User
.
GetUID
(),
Groups
:
append
(
u
.
GetGroups
(),
g
.
Groups
...
),
Groups
:
append
(
r
.
User
.
GetGroups
(),
g
.
Groups
...
),
Extra
:
u
.
GetExtra
(),
Extra
:
r
.
User
.
GetExtra
(),
},
true
,
nil
}
return
r
,
true
,
nil
}
}
staging/src/k8s.io/apiserver/pkg/authentication/group/group_adder_test.go
View file @
baa8d800
...
@@ -28,16 +28,16 @@ import (
...
@@ -28,16 +28,16 @@ import (
func
TestGroupAdder
(
t
*
testing
.
T
)
{
func
TestGroupAdder
(
t
*
testing
.
T
)
{
adder
:=
authenticator
.
Request
(
adder
:=
authenticator
.
Request
(
NewGroupAdder
(
NewGroupAdder
(
authenticator
.
RequestFunc
(
func
(
req
*
http
.
Request
)
(
user
.
Info
,
bool
,
error
)
{
authenticator
.
RequestFunc
(
func
(
req
*
http
.
Request
)
(
*
authenticator
.
Response
,
bool
,
error
)
{
return
&
user
.
DefaultInfo
{
Name
:
"user"
,
Groups
:
[]
string
{
"original"
}},
true
,
nil
return
&
authenticator
.
Response
{
User
:
&
user
.
DefaultInfo
{
Name
:
"user"
,
Groups
:
[]
string
{
"original"
}
}},
true
,
nil
}),
}),
[]
string
{
"added"
},
[]
string
{
"added"
},
),
),
)
)
use
r
,
_
,
_
:=
adder
.
AuthenticateRequest
(
nil
)
r
,
_
,
_
:=
adder
.
AuthenticateRequest
(
nil
)
if
!
reflect
.
DeepEqual
(
user
.
GetGroups
(),
[]
string
{
"original"
,
"added"
}
)
{
if
want
:=
[]
string
{
"original"
,
"added"
};
!
reflect
.
DeepEqual
(
r
.
User
.
GetGroups
(),
want
)
{
t
.
Errorf
(
"
Expected original,added groups, got %#v"
,
user
.
GetGroups
()
)
t
.
Errorf
(
"
Unexpected groups
\n
got:
\t
%#v
\n
want:
\t
%#v"
,
r
.
User
.
GetGroups
(),
want
)
}
}
}
}
...
@@ -96,15 +96,15 @@ func TestAuthenticatedGroupAdder(t *testing.T) {
...
@@ -96,15 +96,15 @@ func TestAuthenticatedGroupAdder(t *testing.T) {
for
_
,
test
:=
range
tests
{
for
_
,
test
:=
range
tests
{
adder
:=
authenticator
.
Request
(
adder
:=
authenticator
.
Request
(
NewAuthenticatedGroupAdder
(
NewAuthenticatedGroupAdder
(
authenticator
.
RequestFunc
(
func
(
req
*
http
.
Request
)
(
user
.
Info
,
bool
,
error
)
{
authenticator
.
RequestFunc
(
func
(
req
*
http
.
Request
)
(
*
authenticator
.
Response
,
bool
,
error
)
{
return
test
.
inputUser
,
true
,
nil
return
&
authenticator
.
Response
{
User
:
test
.
inputUser
}
,
true
,
nil
}),
}),
),
),
)
)
use
r
,
_
,
_
:=
adder
.
AuthenticateRequest
(
nil
)
r
,
_
,
_
:=
adder
.
AuthenticateRequest
(
nil
)
if
!
reflect
.
DeepEqual
(
u
ser
,
test
.
expectedUser
)
{
if
!
reflect
.
DeepEqual
(
r
.
U
ser
,
test
.
expectedUser
)
{
t
.
Errorf
(
"
got %#v"
,
u
ser
)
t
.
Errorf
(
"
Unexpected user
\n
got:
\t
%#v
\n
want:
\t
%#v"
,
r
.
User
,
test
.
expectedU
ser
)
}
}
}
}
...
...
staging/src/k8s.io/apiserver/pkg/authentication/group/token_group_adder.go
View file @
baa8d800
...
@@ -17,6 +17,8 @@ limitations under the License.
...
@@ -17,6 +17,8 @@ limitations under the License.
package
group
package
group
import
(
import
(
"context"
"k8s.io/apiserver/pkg/authentication/authenticator"
"k8s.io/apiserver/pkg/authentication/authenticator"
"k8s.io/apiserver/pkg/authentication/user"
"k8s.io/apiserver/pkg/authentication/user"
)
)
...
@@ -34,15 +36,16 @@ func NewTokenGroupAdder(auth authenticator.Token, groups []string) authenticator
...
@@ -34,15 +36,16 @@ func NewTokenGroupAdder(auth authenticator.Token, groups []string) authenticator
return
&
TokenGroupAdder
{
auth
,
groups
}
return
&
TokenGroupAdder
{
auth
,
groups
}
}
}
func
(
g
*
TokenGroupAdder
)
AuthenticateToken
(
token
string
)
(
user
.
Info
,
bool
,
error
)
{
func
(
g
*
TokenGroupAdder
)
AuthenticateToken
(
ctx
context
.
Context
,
token
string
)
(
*
authenticator
.
Response
,
bool
,
error
)
{
u
,
ok
,
err
:=
g
.
Authenticator
.
AuthenticateToken
(
token
)
r
,
ok
,
err
:=
g
.
Authenticator
.
AuthenticateToken
(
ctx
,
token
)
if
err
!=
nil
||
!
ok
{
if
err
!=
nil
||
!
ok
{
return
nil
,
ok
,
err
return
nil
,
ok
,
err
}
}
return
&
user
.
DefaultInfo
{
r
.
User
=
&
user
.
DefaultInfo
{
Name
:
u
.
GetName
(),
Name
:
r
.
User
.
GetName
(),
UID
:
u
.
GetUID
(),
UID
:
r
.
User
.
GetUID
(),
Groups
:
append
(
u
.
GetGroups
(),
g
.
Groups
...
),
Groups
:
append
(
r
.
User
.
GetGroups
(),
g
.
Groups
...
),
Extra
:
u
.
GetExtra
(),
Extra
:
r
.
User
.
GetExtra
(),
},
true
,
nil
}
return
r
,
true
,
nil
}
}
staging/src/k8s.io/apiserver/pkg/authentication/group/token_group_adder_test.go
View file @
baa8d800
...
@@ -17,6 +17,7 @@ limitations under the License.
...
@@ -17,6 +17,7 @@ limitations under the License.
package
group
package
group
import
(
import
(
"context"
"reflect"
"reflect"
"testing"
"testing"
...
@@ -27,15 +28,15 @@ import (
...
@@ -27,15 +28,15 @@ import (
func
TestTokenGroupAdder
(
t
*
testing
.
T
)
{
func
TestTokenGroupAdder
(
t
*
testing
.
T
)
{
adder
:=
authenticator
.
Token
(
adder
:=
authenticator
.
Token
(
NewTokenGroupAdder
(
NewTokenGroupAdder
(
authenticator
.
TokenFunc
(
func
(
token
string
)
(
user
.
Info
,
bool
,
error
)
{
authenticator
.
TokenFunc
(
func
(
ctx
context
.
Context
,
token
string
)
(
*
authenticator
.
Response
,
bool
,
error
)
{
return
&
user
.
DefaultInfo
{
Name
:
"user"
,
Groups
:
[]
string
{
"original"
}},
true
,
nil
return
&
authenticator
.
Response
{
User
:
&
user
.
DefaultInfo
{
Name
:
"user"
,
Groups
:
[]
string
{
"original"
}
}},
true
,
nil
}),
}),
[]
string
{
"added"
},
[]
string
{
"added"
},
),
),
)
)
user
,
_
,
_
:=
adder
.
AuthenticateToken
(
""
)
r
,
_
,
_
:=
adder
.
AuthenticateToken
(
context
.
Background
(),
""
)
if
!
reflect
.
DeepEqual
(
u
ser
.
GetGroups
(),
[]
string
{
"original"
,
"added"
})
{
if
!
reflect
.
DeepEqual
(
r
.
U
ser
.
GetGroups
(),
[]
string
{
"original"
,
"added"
})
{
t
.
Errorf
(
"Expected original,added groups, got %#v"
,
u
ser
.
GetGroups
())
t
.
Errorf
(
"Expected original,added groups, got %#v"
,
r
.
U
ser
.
GetGroups
())
}
}
}
}
staging/src/k8s.io/apiserver/pkg/authentication/request/anonymous/anonymous.go
View file @
baa8d800
...
@@ -30,7 +30,12 @@ const (
...
@@ -30,7 +30,12 @@ const (
)
)
func
NewAuthenticator
()
authenticator
.
Request
{
func
NewAuthenticator
()
authenticator
.
Request
{
return
authenticator
.
RequestFunc
(
func
(
req
*
http
.
Request
)
(
user
.
Info
,
bool
,
error
)
{
return
authenticator
.
RequestFunc
(
func
(
req
*
http
.
Request
)
(
*
authenticator
.
Response
,
bool
,
error
)
{
return
&
user
.
DefaultInfo
{
Name
:
anonymousUser
,
Groups
:
[]
string
{
unauthenticatedGroup
}},
true
,
nil
return
&
authenticator
.
Response
{
User
:
&
user
.
DefaultInfo
{
Name
:
anonymousUser
,
Groups
:
[]
string
{
unauthenticatedGroup
},
},
},
true
,
nil
})
})
}
}
staging/src/k8s.io/apiserver/pkg/authentication/request/anonymous/anonymous_test.go
View file @
baa8d800
...
@@ -26,17 +26,17 @@ import (
...
@@ -26,17 +26,17 @@ import (
func
TestAnonymous
(
t
*
testing
.
T
)
{
func
TestAnonymous
(
t
*
testing
.
T
)
{
var
a
authenticator
.
Request
=
NewAuthenticator
()
var
a
authenticator
.
Request
=
NewAuthenticator
()
u
,
ok
,
err
:=
a
.
AuthenticateRequest
(
nil
)
r
,
ok
,
err
:=
a
.
AuthenticateRequest
(
nil
)
if
err
!=
nil
{
if
err
!=
nil
{
t
.
Fatalf
(
"Unexpected error %v"
,
err
)
t
.
Fatalf
(
"Unexpected error %v"
,
err
)
}
}
if
!
ok
{
if
!
ok
{
t
.
Fatalf
(
"Unexpectedly unauthenticated"
)
t
.
Fatalf
(
"Unexpectedly unauthenticated"
)
}
}
if
u
.
GetName
()
!=
user
.
Anonymous
{
if
r
.
User
.
GetName
()
!=
user
.
Anonymous
{
t
.
Fatalf
(
"Expected username %s, got %s"
,
user
.
Anonymous
,
u
.
GetName
())
t
.
Fatalf
(
"Expected username %s, got %s"
,
user
.
Anonymous
,
r
.
User
.
GetName
())
}
}
if
!
sets
.
NewString
(
u
.
GetGroups
()
...
)
.
Equal
(
sets
.
NewString
(
user
.
AllUnauthenticated
))
{
if
!
sets
.
NewString
(
r
.
User
.
GetGroups
()
...
)
.
Equal
(
sets
.
NewString
(
user
.
AllUnauthenticated
))
{
t
.
Fatalf
(
"Expected group %s, got %v"
,
user
.
AllUnauthenticated
,
u
.
GetGroups
())
t
.
Fatalf
(
"Expected group %s, got %v"
,
user
.
AllUnauthenticated
,
r
.
User
.
GetGroups
())
}
}
}
}
staging/src/k8s.io/apiserver/pkg/authentication/request/bearertoken/BUILD
View file @
baa8d800
...
@@ -21,10 +21,7 @@ go_library(
...
@@ -21,10 +21,7 @@ go_library(
srcs = ["bearertoken.go"],
srcs = ["bearertoken.go"],
importmap = "k8s.io/kubernetes/vendor/k8s.io/apiserver/pkg/authentication/request/bearertoken",
importmap = "k8s.io/kubernetes/vendor/k8s.io/apiserver/pkg/authentication/request/bearertoken",
importpath = "k8s.io/apiserver/pkg/authentication/request/bearertoken",
importpath = "k8s.io/apiserver/pkg/authentication/request/bearertoken",
deps = [
deps = ["//staging/src/k8s.io/apiserver/pkg/authentication/authenticator:go_default_library"],
"//staging/src/k8s.io/apiserver/pkg/authentication/authenticator:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/authentication/user:go_default_library",
],
)
)
filegroup(
filegroup(
...
...
staging/src/k8s.io/apiserver/pkg/authentication/request/bearertoken/bearertoken.go
View file @
baa8d800
...
@@ -22,7 +22,6 @@ import (
...
@@ -22,7 +22,6 @@ import (
"strings"
"strings"
"k8s.io/apiserver/pkg/authentication/authenticator"
"k8s.io/apiserver/pkg/authentication/authenticator"
"k8s.io/apiserver/pkg/authentication/user"
)
)
type
Authenticator
struct
{
type
Authenticator
struct
{
...
@@ -35,7 +34,7 @@ func New(auth authenticator.Token) *Authenticator {
...
@@ -35,7 +34,7 @@ func New(auth authenticator.Token) *Authenticator {
var
invalidToken
=
errors
.
New
(
"invalid bearer token"
)
var
invalidToken
=
errors
.
New
(
"invalid bearer token"
)
func
(
a
*
Authenticator
)
AuthenticateRequest
(
req
*
http
.
Request
)
(
user
.
Info
,
bool
,
error
)
{
func
(
a
*
Authenticator
)
AuthenticateRequest
(
req
*
http
.
Request
)
(
*
authenticator
.
Response
,
bool
,
error
)
{
auth
:=
strings
.
TrimSpace
(
req
.
Header
.
Get
(
"Authorization"
))
auth
:=
strings
.
TrimSpace
(
req
.
Header
.
Get
(
"Authorization"
))
if
auth
==
""
{
if
auth
==
""
{
return
nil
,
false
,
nil
return
nil
,
false
,
nil
...
@@ -52,7 +51,7 @@ func (a *Authenticator) AuthenticateRequest(req *http.Request) (user.Info, bool,
...
@@ -52,7 +51,7 @@ func (a *Authenticator) AuthenticateRequest(req *http.Request) (user.Info, bool,
return
nil
,
false
,
nil
return
nil
,
false
,
nil
}
}
user
,
ok
,
err
:=
a
.
auth
.
AuthenticateToken
(
token
)
resp
,
ok
,
err
:=
a
.
auth
.
AuthenticateToken
(
req
.
Context
(),
token
)
// if we authenticated successfully, go ahead and remove the bearer token so that no one
// if we authenticated successfully, go ahead and remove the bearer token so that no one
// is ever tempted to use it inside of the API server
// is ever tempted to use it inside of the API server
if
ok
{
if
ok
{
...
@@ -64,5 +63,5 @@ func (a *Authenticator) AuthenticateRequest(req *http.Request) (user.Info, bool,
...
@@ -64,5 +63,5 @@ func (a *Authenticator) AuthenticateRequest(req *http.Request) (user.Info, bool,
err
=
invalidToken
err
=
invalidToken
}
}
return
user
,
ok
,
err
return
resp
,
ok
,
err
}
}
staging/src/k8s.io/apiserver/pkg/authentication/request/bearertoken/bearertoken_test.go
View file @
baa8d800
...
@@ -17,6 +17,7 @@ limitations under the License.
...
@@ -17,6 +17,7 @@ limitations under the License.
package
bearertoken
package
bearertoken
import
(
import
(
"context"
"errors"
"errors"
"net/http"
"net/http"
"reflect"
"reflect"
...
@@ -27,28 +28,28 @@ import (
...
@@ -27,28 +28,28 @@ import (
)
)
func
TestAuthenticateRequest
(
t
*
testing
.
T
)
{
func
TestAuthenticateRequest
(
t
*
testing
.
T
)
{
auth
:=
New
(
authenticator
.
TokenFunc
(
func
(
token
string
)
(
user
.
Info
,
bool
,
error
)
{
auth
:=
New
(
authenticator
.
TokenFunc
(
func
(
ctx
context
.
Context
,
token
string
)
(
*
authenticator
.
Response
,
bool
,
error
)
{
if
token
!=
"token"
{
if
token
!=
"token"
{
t
.
Errorf
(
"unexpected token: %s"
,
token
)
t
.
Errorf
(
"unexpected token: %s"
,
token
)
}
}
return
&
user
.
DefaultInfo
{
Name
:
"user"
},
true
,
nil
return
&
authenticator
.
Response
{
User
:
&
user
.
DefaultInfo
{
Name
:
"user"
}
},
true
,
nil
}))
}))
user
,
ok
,
err
:=
auth
.
AuthenticateRequest
(
&
http
.
Request
{
resp
,
ok
,
err
:=
auth
.
AuthenticateRequest
(
&
http
.
Request
{
Header
:
http
.
Header
{
"Authorization"
:
[]
string
{
"Bearer token"
}},
Header
:
http
.
Header
{
"Authorization"
:
[]
string
{
"Bearer token"
}},
})
})
if
!
ok
||
user
==
nil
||
err
!=
nil
{
if
!
ok
||
resp
==
nil
||
err
!=
nil
{
t
.
Errorf
(
"expected valid user"
)
t
.
Errorf
(
"expected valid user"
)
}
}
}
}
func
TestAuthenticateRequestTokenInvalid
(
t
*
testing
.
T
)
{
func
TestAuthenticateRequestTokenInvalid
(
t
*
testing
.
T
)
{
auth
:=
New
(
authenticator
.
TokenFunc
(
func
(
token
string
)
(
user
.
Info
,
bool
,
error
)
{
auth
:=
New
(
authenticator
.
TokenFunc
(
func
(
ctx
context
.
Context
,
token
string
)
(
*
authenticator
.
Response
,
bool
,
error
)
{
return
nil
,
false
,
nil
return
nil
,
false
,
nil
}))
}))
user
,
ok
,
err
:=
auth
.
AuthenticateRequest
(
&
http
.
Request
{
resp
,
ok
,
err
:=
auth
.
AuthenticateRequest
(
&
http
.
Request
{
Header
:
http
.
Header
{
"Authorization"
:
[]
string
{
"Bearer token"
}},
Header
:
http
.
Header
{
"Authorization"
:
[]
string
{
"Bearer token"
}},
})
})
if
ok
||
user
!=
nil
{
if
ok
||
resp
!=
nil
{
t
.
Errorf
(
"expected not authenticated user"
)
t
.
Errorf
(
"expected not authenticated user"
)
}
}
if
err
!=
invalidToken
{
if
err
!=
invalidToken
{
...
@@ -58,13 +59,13 @@ func TestAuthenticateRequestTokenInvalid(t *testing.T) {
...
@@ -58,13 +59,13 @@ func TestAuthenticateRequestTokenInvalid(t *testing.T) {
func
TestAuthenticateRequestTokenInvalidCustomError
(
t
*
testing
.
T
)
{
func
TestAuthenticateRequestTokenInvalidCustomError
(
t
*
testing
.
T
)
{
customError
:=
errors
.
New
(
"custom"
)
customError
:=
errors
.
New
(
"custom"
)
auth
:=
New
(
authenticator
.
TokenFunc
(
func
(
token
string
)
(
user
.
Info
,
bool
,
error
)
{
auth
:=
New
(
authenticator
.
TokenFunc
(
func
(
ctx
context
.
Context
,
token
string
)
(
*
authenticator
.
Response
,
bool
,
error
)
{
return
nil
,
false
,
customError
return
nil
,
false
,
customError
}))
}))
user
,
ok
,
err
:=
auth
.
AuthenticateRequest
(
&
http
.
Request
{
resp
,
ok
,
err
:=
auth
.
AuthenticateRequest
(
&
http
.
Request
{
Header
:
http
.
Header
{
"Authorization"
:
[]
string
{
"Bearer token"
}},
Header
:
http
.
Header
{
"Authorization"
:
[]
string
{
"Bearer token"
}},
})
})
if
ok
||
user
!=
nil
{
if
ok
||
resp
!=
nil
{
t
.
Errorf
(
"expected not authenticated user"
)
t
.
Errorf
(
"expected not authenticated user"
)
}
}
if
err
!=
customError
{
if
err
!=
customError
{
...
@@ -73,13 +74,13 @@ func TestAuthenticateRequestTokenInvalidCustomError(t *testing.T) {
...
@@ -73,13 +74,13 @@ func TestAuthenticateRequestTokenInvalidCustomError(t *testing.T) {
}
}
func
TestAuthenticateRequestTokenError
(
t
*
testing
.
T
)
{
func
TestAuthenticateRequestTokenError
(
t
*
testing
.
T
)
{
auth
:=
New
(
authenticator
.
TokenFunc
(
func
(
token
string
)
(
user
.
Info
,
bool
,
error
)
{
auth
:=
New
(
authenticator
.
TokenFunc
(
func
(
ctx
context
.
Context
,
token
string
)
(
*
authenticator
.
Response
,
bool
,
error
)
{
return
nil
,
false
,
errors
.
New
(
"error"
)
return
nil
,
false
,
errors
.
New
(
"error"
)
}))
}))
user
,
ok
,
err
:=
auth
.
AuthenticateRequest
(
&
http
.
Request
{
resp
,
ok
,
err
:=
auth
.
AuthenticateRequest
(
&
http
.
Request
{
Header
:
http
.
Header
{
"Authorization"
:
[]
string
{
"Bearer token"
}},
Header
:
http
.
Header
{
"Authorization"
:
[]
string
{
"Bearer token"
}},
})
})
if
ok
||
user
!=
nil
||
err
==
nil
{
if
ok
||
resp
!=
nil
||
err
==
nil
{
t
.
Errorf
(
"expected error"
)
t
.
Errorf
(
"expected error"
)
}
}
}
}
...
@@ -94,7 +95,7 @@ func TestAuthenticateRequestBadValue(t *testing.T) {
...
@@ -94,7 +95,7 @@ func TestAuthenticateRequestBadValue(t *testing.T) {
{
Req
:
&
http
.
Request
{
Header
:
http
.
Header
{
"Authorization"
:
[]
string
{
"Bearer: token"
}}}},
{
Req
:
&
http
.
Request
{
Header
:
http
.
Header
{
"Authorization"
:
[]
string
{
"Bearer: token"
}}}},
}
}
for
i
,
testCase
:=
range
testCases
{
for
i
,
testCase
:=
range
testCases
{
auth
:=
New
(
authenticator
.
TokenFunc
(
func
(
token
string
)
(
user
.
Info
,
bool
,
error
)
{
auth
:=
New
(
authenticator
.
TokenFunc
(
func
(
ctx
context
.
Context
,
token
string
)
(
*
authenticator
.
Response
,
bool
,
error
)
{
t
.
Errorf
(
"authentication should not have been called"
)
t
.
Errorf
(
"authentication should not have been called"
)
return
nil
,
false
,
nil
return
nil
,
false
,
nil
}))
}))
...
@@ -144,8 +145,10 @@ func TestBearerToken(t *testing.T) {
...
@@ -144,8 +145,10 @@ func TestBearerToken(t *testing.T) {
ExpectedAuthorizationHeaders
:
[]
string
{
"Bearer "
},
ExpectedAuthorizationHeaders
:
[]
string
{
"Bearer "
},
},
},
"valid bearer token removing header"
:
{
"valid bearer token removing header"
:
{
AuthorizationHeaders
:
[]
string
{
"Bearer 123"
},
AuthorizationHeaders
:
[]
string
{
"Bearer 123"
},
TokenAuth
:
authenticator
.
TokenFunc
(
func
(
t
string
)
(
user
.
Info
,
bool
,
error
)
{
return
&
user
.
DefaultInfo
{
Name
:
"myuser"
},
true
,
nil
}),
TokenAuth
:
authenticator
.
TokenFunc
(
func
(
ctx
context
.
Context
,
t
string
)
(
*
authenticator
.
Response
,
bool
,
error
)
{
return
&
authenticator
.
Response
{
User
:
&
user
.
DefaultInfo
{
Name
:
"myuser"
}},
true
,
nil
}),
ExpectedUserName
:
"myuser"
,
ExpectedUserName
:
"myuser"
,
ExpectedOK
:
true
,
ExpectedOK
:
true
,
ExpectedErr
:
false
,
ExpectedErr
:
false
,
...
@@ -153,15 +156,17 @@ func TestBearerToken(t *testing.T) {
...
@@ -153,15 +156,17 @@ func TestBearerToken(t *testing.T) {
},
},
"invalid bearer token"
:
{
"invalid bearer token"
:
{
AuthorizationHeaders
:
[]
string
{
"Bearer 123"
},
AuthorizationHeaders
:
[]
string
{
"Bearer 123"
},
TokenAuth
:
authenticator
.
TokenFunc
(
func
(
t
string
)
(
user
.
Info
,
bool
,
error
)
{
return
nil
,
false
,
nil
}),
TokenAuth
:
authenticator
.
TokenFunc
(
func
(
ctx
context
.
Context
,
t
string
)
(
*
authenticator
.
Response
,
bool
,
error
)
{
return
nil
,
false
,
nil
}),
ExpectedUserName
:
""
,
ExpectedUserName
:
""
,
ExpectedOK
:
false
,
ExpectedOK
:
false
,
ExpectedErr
:
true
,
ExpectedErr
:
true
,
ExpectedAuthorizationHeaders
:
[]
string
{
"Bearer 123"
},
ExpectedAuthorizationHeaders
:
[]
string
{
"Bearer 123"
},
},
},
"error bearer token"
:
{
"error bearer token"
:
{
AuthorizationHeaders
:
[]
string
{
"Bearer 123"
},
AuthorizationHeaders
:
[]
string
{
"Bearer 123"
},
TokenAuth
:
authenticator
.
TokenFunc
(
func
(
t
string
)
(
user
.
Info
,
bool
,
error
)
{
return
nil
,
false
,
errors
.
New
(
"error"
)
}),
TokenAuth
:
authenticator
.
TokenFunc
(
func
(
ctx
context
.
Context
,
t
string
)
(
*
authenticator
.
Response
,
bool
,
error
)
{
return
nil
,
false
,
errors
.
New
(
"error"
)
}),
ExpectedUserName
:
""
,
ExpectedUserName
:
""
,
ExpectedOK
:
false
,
ExpectedOK
:
false
,
ExpectedErr
:
true
,
ExpectedErr
:
true
,
...
@@ -176,7 +181,7 @@ func TestBearerToken(t *testing.T) {
...
@@ -176,7 +181,7 @@ func TestBearerToken(t *testing.T) {
}
}
bearerAuth
:=
New
(
tc
.
TokenAuth
)
bearerAuth
:=
New
(
tc
.
TokenAuth
)
u
,
ok
,
err
:=
bearerAuth
.
AuthenticateRequest
(
req
)
resp
,
ok
,
err
:=
bearerAuth
.
AuthenticateRequest
(
req
)
if
tc
.
ExpectedErr
!=
(
err
!=
nil
)
{
if
tc
.
ExpectedErr
!=
(
err
!=
nil
)
{
t
.
Errorf
(
"%s: Expected err=%v, got %v"
,
k
,
tc
.
ExpectedErr
,
err
)
t
.
Errorf
(
"%s: Expected err=%v, got %v"
,
k
,
tc
.
ExpectedErr
,
err
)
continue
continue
...
@@ -185,8 +190,8 @@ func TestBearerToken(t *testing.T) {
...
@@ -185,8 +190,8 @@ func TestBearerToken(t *testing.T) {
t
.
Errorf
(
"%s: Expected ok=%v, got %v"
,
k
,
tc
.
ExpectedOK
,
ok
)
t
.
Errorf
(
"%s: Expected ok=%v, got %v"
,
k
,
tc
.
ExpectedOK
,
ok
)
continue
continue
}
}
if
ok
&&
u
.
GetName
()
!=
tc
.
ExpectedUserName
{
if
ok
&&
resp
.
User
.
GetName
()
!=
tc
.
ExpectedUserName
{
t
.
Errorf
(
"%s: Expected username=%v, got %v"
,
k
,
tc
.
ExpectedUserName
,
u
.
GetName
())
t
.
Errorf
(
"%s: Expected username=%v, got %v"
,
k
,
tc
.
ExpectedUserName
,
resp
.
User
.
GetName
())
continue
continue
}
}
if
!
reflect
.
DeepEqual
(
req
.
Header
[
"Authorization"
],
tc
.
ExpectedAuthorizationHeaders
)
{
if
!
reflect
.
DeepEqual
(
req
.
Header
[
"Authorization"
],
tc
.
ExpectedAuthorizationHeaders
)
{
...
...
staging/src/k8s.io/apiserver/pkg/authentication/request/headerrequest/requestheader.go
View file @
baa8d800
...
@@ -105,7 +105,7 @@ func NewSecure(clientCA string, proxyClientNames []string, nameHeaders []string,
...
@@ -105,7 +105,7 @@ func NewSecure(clientCA string, proxyClientNames []string, nameHeaders []string,
return
x509request
.
NewVerifier
(
opts
,
headerAuthenticator
,
sets
.
NewString
(
proxyClientNames
...
)),
nil
return
x509request
.
NewVerifier
(
opts
,
headerAuthenticator
,
sets
.
NewString
(
proxyClientNames
...
)),
nil
}
}
func
(
a
*
requestHeaderAuthRequestHandler
)
AuthenticateRequest
(
req
*
http
.
Request
)
(
user
.
Info
,
bool
,
error
)
{
func
(
a
*
requestHeaderAuthRequestHandler
)
AuthenticateRequest
(
req
*
http
.
Request
)
(
*
authenticator
.
Response
,
bool
,
error
)
{
name
:=
headerValue
(
req
.
Header
,
a
.
nameHeaders
)
name
:=
headerValue
(
req
.
Header
,
a
.
nameHeaders
)
if
len
(
name
)
==
0
{
if
len
(
name
)
==
0
{
return
nil
,
false
,
nil
return
nil
,
false
,
nil
...
@@ -126,10 +126,12 @@ func (a *requestHeaderAuthRequestHandler) AuthenticateRequest(req *http.Request)
...
@@ -126,10 +126,12 @@ func (a *requestHeaderAuthRequestHandler) AuthenticateRequest(req *http.Request)
}
}
}
}
return
&
user
.
DefaultInfo
{
return
&
authenticator
.
Response
{
Name
:
name
,
User
:
&
user
.
DefaultInfo
{
Groups
:
groups
,
Name
:
name
,
Extra
:
extra
,
Groups
:
groups
,
Extra
:
extra
,
},
},
true
,
nil
},
true
,
nil
}
}
...
...
staging/src/k8s.io/apiserver/pkg/authentication/request/headerrequest/requestheader_test.go
View file @
baa8d800
...
@@ -186,19 +186,23 @@ func TestRequestHeader(t *testing.T) {
...
@@ -186,19 +186,23 @@ func TestRequestHeader(t *testing.T) {
}
}
for
k
,
testcase
:=
range
testcases
{
for
k
,
testcase
:=
range
testcases
{
auth
,
err
:=
New
(
testcase
.
nameHeaders
,
testcase
.
groupHeaders
,
testcase
.
extraPrefixHeaders
)
t
.
Run
(
k
,
func
(
t
*
testing
.
T
)
{
if
err
!=
nil
{
auth
,
err
:=
New
(
testcase
.
nameHeaders
,
testcase
.
groupHeaders
,
testcase
.
extraPrefixHeaders
)
t
.
Fatal
(
err
)
if
err
!=
nil
{
}
t
.
Fatal
(
err
)
req
:=
&
http
.
Request
{
Header
:
testcase
.
requestHeaders
}
}
req
:=
&
http
.
Request
{
Header
:
testcase
.
requestHeaders
}
user
,
ok
,
_
:=
auth
.
AuthenticateRequest
(
req
)
resp
,
ok
,
_
:=
auth
.
AuthenticateRequest
(
req
)
if
testcase
.
expectedOk
!=
ok
{
if
testcase
.
expectedOk
!=
ok
{
t
.
Errorf
(
"%v: expected %v, got %v"
,
k
,
testcase
.
expectedOk
,
ok
)
t
.
Errorf
(
"%v: expected %v, got %v"
,
k
,
testcase
.
expectedOk
,
ok
)
}
}
if
e
,
a
:=
testcase
.
expectedUser
,
user
;
!
reflect
.
DeepEqual
(
e
,
a
)
{
if
!
ok
{
t
.
Errorf
(
"%v: expected %#v, got %#v"
,
k
,
e
,
a
)
return
}
}
if
e
,
a
:=
testcase
.
expectedUser
,
resp
.
User
;
!
reflect
.
DeepEqual
(
e
,
a
)
{
t
.
Errorf
(
"%v: expected %#v, got %#v"
,
k
,
e
,
a
)
}
})
}
}
}
}
staging/src/k8s.io/apiserver/pkg/authentication/request/union/BUILD
View file @
baa8d800
...
@@ -10,7 +10,10 @@ go_test(
...
@@ -10,7 +10,10 @@ go_test(
name = "go_default_test",
name = "go_default_test",
srcs = ["unionauth_test.go"],
srcs = ["unionauth_test.go"],
embed = [":go_default_library"],
embed = [":go_default_library"],
deps = ["//staging/src/k8s.io/apiserver/pkg/authentication/user:go_default_library"],
deps = [
"//staging/src/k8s.io/apiserver/pkg/authentication/authenticator:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/authentication/user:go_default_library",
],
)
)
go_library(
go_library(
...
@@ -21,7 +24,6 @@ go_library(
...
@@ -21,7 +24,6 @@ go_library(
deps = [
deps = [
"//staging/src/k8s.io/apimachinery/pkg/util/errors:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/util/errors:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/authentication/authenticator:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/authentication/authenticator:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/authentication/user:go_default_library",
],
],
)
)
...
...
staging/src/k8s.io/apiserver/pkg/authentication/request/union/union.go
View file @
baa8d800
...
@@ -21,7 +21,6 @@ import (
...
@@ -21,7 +21,6 @@ import (
utilerrors
"k8s.io/apimachinery/pkg/util/errors"
utilerrors
"k8s.io/apimachinery/pkg/util/errors"
"k8s.io/apiserver/pkg/authentication/authenticator"
"k8s.io/apiserver/pkg/authentication/authenticator"
"k8s.io/apiserver/pkg/authentication/user"
)
)
// unionAuthRequestHandler authenticates requests using a chain of authenticator.Requests
// unionAuthRequestHandler authenticates requests using a chain of authenticator.Requests
...
@@ -51,20 +50,20 @@ func NewFailOnError(authRequestHandlers ...authenticator.Request) authenticator.
...
@@ -51,20 +50,20 @@ func NewFailOnError(authRequestHandlers ...authenticator.Request) authenticator.
}
}
// AuthenticateRequest authenticates the request using a chain of authenticator.Request objects.
// AuthenticateRequest authenticates the request using a chain of authenticator.Request objects.
func
(
authHandler
*
unionAuthRequestHandler
)
AuthenticateRequest
(
req
*
http
.
Request
)
(
user
.
Info
,
bool
,
error
)
{
func
(
authHandler
*
unionAuthRequestHandler
)
AuthenticateRequest
(
req
*
http
.
Request
)
(
*
authenticator
.
Response
,
bool
,
error
)
{
var
errlist
[]
error
var
errlist
[]
error
for
_
,
currAuthRequestHandler
:=
range
authHandler
.
Handlers
{
for
_
,
currAuthRequestHandler
:=
range
authHandler
.
Handlers
{
info
,
ok
,
err
:=
currAuthRequestHandler
.
AuthenticateRequest
(
req
)
resp
,
ok
,
err
:=
currAuthRequestHandler
.
AuthenticateRequest
(
req
)
if
err
!=
nil
{
if
err
!=
nil
{
if
authHandler
.
FailOnError
{
if
authHandler
.
FailOnError
{
return
info
,
ok
,
err
return
resp
,
ok
,
err
}
}
errlist
=
append
(
errlist
,
err
)
errlist
=
append
(
errlist
,
err
)
continue
continue
}
}
if
ok
{
if
ok
{
return
info
,
ok
,
err
return
resp
,
ok
,
err
}
}
}
}
...
...
staging/src/k8s.io/apiserver/pkg/authentication/request/union/unionauth_test.go
View file @
baa8d800
...
@@ -23,6 +23,7 @@ import (
...
@@ -23,6 +23,7 @@ import (
"strings"
"strings"
"testing"
"testing"
"k8s.io/apiserver/pkg/authentication/authenticator"
"k8s.io/apiserver/pkg/authentication/user"
"k8s.io/apiserver/pkg/authentication/user"
)
)
...
@@ -37,8 +38,8 @@ var (
...
@@ -37,8 +38,8 @@ var (
user2
=
&
user
.
DefaultInfo
{
Name
:
"elegant_sheep"
,
UID
:
"bravo"
}
user2
=
&
user
.
DefaultInfo
{
Name
:
"elegant_sheep"
,
UID
:
"bravo"
}
)
)
func
(
mock
*
mockAuthRequestHandler
)
AuthenticateRequest
(
req
*
http
.
Request
)
(
user
.
Info
,
bool
,
error
)
{
func
(
mock
*
mockAuthRequestHandler
)
AuthenticateRequest
(
req
*
http
.
Request
)
(
*
authenticator
.
Response
,
bool
,
error
)
{
return
mock
.
returnUser
,
mock
.
isAuthenticated
,
mock
.
err
return
&
authenticator
.
Response
{
User
:
mock
.
returnUser
}
,
mock
.
isAuthenticated
,
mock
.
err
}
}
func
TestAuthenticateRequestSecondPasses
(
t
*
testing
.
T
)
{
func
TestAuthenticateRequestSecondPasses
(
t
*
testing
.
T
)
{
...
@@ -47,15 +48,15 @@ func TestAuthenticateRequestSecondPasses(t *testing.T) {
...
@@ -47,15 +48,15 @@ func TestAuthenticateRequestSecondPasses(t *testing.T) {
authRequestHandler
:=
New
(
handler1
,
handler2
)
authRequestHandler
:=
New
(
handler1
,
handler2
)
req
,
_
:=
http
.
NewRequest
(
"GET"
,
"http://example.org"
,
nil
)
req
,
_
:=
http
.
NewRequest
(
"GET"
,
"http://example.org"
,
nil
)
authenticatedUser
,
isAuthenticated
,
err
:=
authRequestHandler
.
AuthenticateRequest
(
req
)
resp
,
isAuthenticated
,
err
:=
authRequestHandler
.
AuthenticateRequest
(
req
)
if
err
!=
nil
{
if
err
!=
nil
{
t
.
Errorf
(
"Unexpected error: %v"
,
err
)
t
.
Errorf
(
"Unexpected error: %v"
,
err
)
}
}
if
!
isAuthenticated
{
if
!
isAuthenticated
{
t
.
Errorf
(
"Unexpectedly unauthenticated: %v"
,
isAuthenticated
)
t
.
Errorf
(
"Unexpectedly unauthenticated: %v"
,
isAuthenticated
)
}
}
if
!
reflect
.
DeepEqual
(
user2
,
authenticated
User
)
{
if
!
reflect
.
DeepEqual
(
user2
,
resp
.
User
)
{
t
.
Errorf
(
"Expected %v, got %v"
,
user2
,
authenticated
User
)
t
.
Errorf
(
"Expected %v, got %v"
,
user2
,
resp
.
User
)
}
}
}
}
...
@@ -65,15 +66,15 @@ func TestAuthenticateRequestFirstPasses(t *testing.T) {
...
@@ -65,15 +66,15 @@ func TestAuthenticateRequestFirstPasses(t *testing.T) {
authRequestHandler
:=
New
(
handler1
,
handler2
)
authRequestHandler
:=
New
(
handler1
,
handler2
)
req
,
_
:=
http
.
NewRequest
(
"GET"
,
"http://example.org"
,
nil
)
req
,
_
:=
http
.
NewRequest
(
"GET"
,
"http://example.org"
,
nil
)
authenticatedUser
,
isAuthenticated
,
err
:=
authRequestHandler
.
AuthenticateRequest
(
req
)
resp
,
isAuthenticated
,
err
:=
authRequestHandler
.
AuthenticateRequest
(
req
)
if
err
!=
nil
{
if
err
!=
nil
{
t
.
Errorf
(
"Unexpected error: %v"
,
err
)
t
.
Errorf
(
"Unexpected error: %v"
,
err
)
}
}
if
!
isAuthenticated
{
if
!
isAuthenticated
{
t
.
Errorf
(
"Unexpectedly unauthenticated: %v"
,
isAuthenticated
)
t
.
Errorf
(
"Unexpectedly unauthenticated: %v"
,
isAuthenticated
)
}
}
if
!
reflect
.
DeepEqual
(
user1
,
authenticated
User
)
{
if
!
reflect
.
DeepEqual
(
user1
,
resp
.
User
)
{
t
.
Errorf
(
"Expected %v, got %v"
,
user
1
,
authenticated
User
)
t
.
Errorf
(
"Expected %v, got %v"
,
user
2
,
resp
.
User
)
}
}
}
}
...
@@ -96,15 +97,15 @@ func TestAuthenticateRequestNoAuthenticators(t *testing.T) {
...
@@ -96,15 +97,15 @@ func TestAuthenticateRequestNoAuthenticators(t *testing.T) {
authRequestHandler
:=
New
()
authRequestHandler
:=
New
()
req
,
_
:=
http
.
NewRequest
(
"GET"
,
"http://example.org"
,
nil
)
req
,
_
:=
http
.
NewRequest
(
"GET"
,
"http://example.org"
,
nil
)
authenticatedUser
,
isAuthenticated
,
err
:=
authRequestHandler
.
AuthenticateRequest
(
req
)
resp
,
isAuthenticated
,
err
:=
authRequestHandler
.
AuthenticateRequest
(
req
)
if
err
!=
nil
{
if
err
!=
nil
{
t
.
Errorf
(
"Unexpected error: %v"
,
err
)
t
.
Errorf
(
"Unexpected error: %v"
,
err
)
}
}
if
isAuthenticated
{
if
isAuthenticated
{
t
.
Errorf
(
"Unexpectedly authenticated: %v"
,
isAuthenticated
)
t
.
Errorf
(
"Unexpectedly authenticated: %v"
,
isAuthenticated
)
}
}
if
authenticatedUser
!=
nil
{
if
resp
!=
nil
{
t
.
Errorf
(
"Unexpected authenticatedUser: %v"
,
authenticatedUser
)
t
.
Errorf
(
"Unexpected authenticatedUser: %v"
,
resp
)
}
}
}
}
...
...
staging/src/k8s.io/apiserver/pkg/authentication/request/websocket/BUILD
View file @
baa8d800
...
@@ -13,7 +13,6 @@ go_library(
...
@@ -13,7 +13,6 @@ go_library(
importpath = "k8s.io/apiserver/pkg/authentication/request/websocket",
importpath = "k8s.io/apiserver/pkg/authentication/request/websocket",
deps = [
deps = [
"//staging/src/k8s.io/apiserver/pkg/authentication/authenticator:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/authentication/authenticator:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/authentication/user:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/util/wsstream:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/util/wsstream:go_default_library",
],
],
)
)
...
...
staging/src/k8s.io/apiserver/pkg/authentication/request/websocket/protocol.go
View file @
baa8d800
...
@@ -25,7 +25,6 @@ import (
...
@@ -25,7 +25,6 @@ import (
"unicode/utf8"
"unicode/utf8"
"k8s.io/apiserver/pkg/authentication/authenticator"
"k8s.io/apiserver/pkg/authentication/authenticator"
"k8s.io/apiserver/pkg/authentication/user"
"k8s.io/apiserver/pkg/util/wsstream"
"k8s.io/apiserver/pkg/util/wsstream"
)
)
...
@@ -46,7 +45,7 @@ func NewProtocolAuthenticator(auth authenticator.Token) *ProtocolAuthenticator {
...
@@ -46,7 +45,7 @@ func NewProtocolAuthenticator(auth authenticator.Token) *ProtocolAuthenticator {
return
&
ProtocolAuthenticator
{
auth
}
return
&
ProtocolAuthenticator
{
auth
}
}
}
func
(
a
*
ProtocolAuthenticator
)
AuthenticateRequest
(
req
*
http
.
Request
)
(
user
.
Info
,
bool
,
error
)
{
func
(
a
*
ProtocolAuthenticator
)
AuthenticateRequest
(
req
*
http
.
Request
)
(
*
authenticator
.
Response
,
bool
,
error
)
{
// Only accept websocket connections
// Only accept websocket connections
if
!
wsstream
.
IsWebSocketRequest
(
req
)
{
if
!
wsstream
.
IsWebSocketRequest
(
req
)
{
return
nil
,
false
,
nil
return
nil
,
false
,
nil
...
@@ -91,7 +90,7 @@ func (a *ProtocolAuthenticator) AuthenticateRequest(req *http.Request) (user.Inf
...
@@ -91,7 +90,7 @@ func (a *ProtocolAuthenticator) AuthenticateRequest(req *http.Request) (user.Inf
return
nil
,
false
,
nil
return
nil
,
false
,
nil
}
}
user
,
ok
,
err
:=
a
.
auth
.
AuthenticateToken
(
token
)
resp
,
ok
,
err
:=
a
.
auth
.
AuthenticateToken
(
req
.
Context
(),
token
)
// on success, remove the protocol with the token
// on success, remove the protocol with the token
if
ok
{
if
ok
{
...
@@ -105,5 +104,5 @@ func (a *ProtocolAuthenticator) AuthenticateRequest(req *http.Request) (user.Inf
...
@@ -105,5 +104,5 @@ func (a *ProtocolAuthenticator) AuthenticateRequest(req *http.Request) (user.Inf
err
=
errInvalidToken
err
=
errInvalidToken
}
}
return
user
,
ok
,
err
return
resp
,
ok
,
err
}
}
staging/src/k8s.io/apiserver/pkg/authentication/request/websocket/protocol_test.go
View file @
baa8d800
...
@@ -17,6 +17,7 @@ limitations under the License.
...
@@ -17,6 +17,7 @@ limitations under the License.
package
websocket
package
websocket
import
(
import
(
"context"
"errors"
"errors"
"net/http"
"net/http"
"reflect"
"reflect"
...
@@ -27,36 +28,36 @@ import (
...
@@ -27,36 +28,36 @@ import (
)
)
func
TestAuthenticateRequest
(
t
*
testing
.
T
)
{
func
TestAuthenticateRequest
(
t
*
testing
.
T
)
{
auth
:=
NewProtocolAuthenticator
(
authenticator
.
TokenFunc
(
func
(
token
string
)
(
user
.
Info
,
bool
,
error
)
{
auth
:=
NewProtocolAuthenticator
(
authenticator
.
TokenFunc
(
func
(
ctx
context
.
Context
,
token
string
)
(
*
authenticator
.
Response
,
bool
,
error
)
{
if
token
!=
"token"
{
if
token
!=
"token"
{
t
.
Errorf
(
"unexpected token: %s"
,
token
)
t
.
Errorf
(
"unexpected token: %s"
,
token
)
}
}
return
&
user
.
DefaultInfo
{
Name
:
"user"
},
true
,
nil
return
&
authenticator
.
Response
{
User
:
&
user
.
DefaultInfo
{
Name
:
"user"
}
},
true
,
nil
}))
}))
user
,
ok
,
err
:=
auth
.
AuthenticateRequest
(
&
http
.
Request
{
resp
,
ok
,
err
:=
auth
.
AuthenticateRequest
(
&
http
.
Request
{
Header
:
http
.
Header
{
Header
:
http
.
Header
{
"Connection"
:
[]
string
{
"upgrade"
},
"Connection"
:
[]
string
{
"upgrade"
},
"Upgrade"
:
[]
string
{
"websocket"
},
"Upgrade"
:
[]
string
{
"websocket"
},
"Sec-Websocket-Protocol"
:
[]
string
{
"base64url.bearer.authorization.k8s.io.dG9rZW4,dummy"
},
"Sec-Websocket-Protocol"
:
[]
string
{
"base64url.bearer.authorization.k8s.io.dG9rZW4,dummy"
},
},
},
})
})
if
!
ok
||
user
==
nil
||
err
!=
nil
{
if
!
ok
||
resp
==
nil
||
err
!=
nil
{
t
.
Errorf
(
"expected valid user"
)
t
.
Errorf
(
"expected valid user"
)
}
}
}
}
func
TestAuthenticateRequestTokenInvalid
(
t
*
testing
.
T
)
{
func
TestAuthenticateRequestTokenInvalid
(
t
*
testing
.
T
)
{
auth
:=
NewProtocolAuthenticator
(
authenticator
.
TokenFunc
(
func
(
token
string
)
(
user
.
Info
,
bool
,
error
)
{
auth
:=
NewProtocolAuthenticator
(
authenticator
.
TokenFunc
(
func
(
ctx
context
.
Context
,
token
string
)
(
*
authenticator
.
Response
,
bool
,
error
)
{
return
nil
,
false
,
nil
return
nil
,
false
,
nil
}))
}))
user
,
ok
,
err
:=
auth
.
AuthenticateRequest
(
&
http
.
Request
{
resp
,
ok
,
err
:=
auth
.
AuthenticateRequest
(
&
http
.
Request
{
Header
:
http
.
Header
{
Header
:
http
.
Header
{
"Connection"
:
[]
string
{
"upgrade"
},
"Connection"
:
[]
string
{
"upgrade"
},
"Upgrade"
:
[]
string
{
"websocket"
},
"Upgrade"
:
[]
string
{
"websocket"
},
"Sec-Websocket-Protocol"
:
[]
string
{
"base64url.bearer.authorization.k8s.io.dG9rZW4,dummy"
},
"Sec-Websocket-Protocol"
:
[]
string
{
"base64url.bearer.authorization.k8s.io.dG9rZW4,dummy"
},
},
},
})
})
if
ok
||
user
!=
nil
{
if
ok
||
resp
!=
nil
{
t
.
Errorf
(
"expected not authenticated user"
)
t
.
Errorf
(
"expected not authenticated user"
)
}
}
if
err
!=
errInvalidToken
{
if
err
!=
errInvalidToken
{
...
@@ -66,17 +67,17 @@ func TestAuthenticateRequestTokenInvalid(t *testing.T) {
...
@@ -66,17 +67,17 @@ func TestAuthenticateRequestTokenInvalid(t *testing.T) {
func
TestAuthenticateRequestTokenInvalidCustomError
(
t
*
testing
.
T
)
{
func
TestAuthenticateRequestTokenInvalidCustomError
(
t
*
testing
.
T
)
{
customError
:=
errors
.
New
(
"custom"
)
customError
:=
errors
.
New
(
"custom"
)
auth
:=
NewProtocolAuthenticator
(
authenticator
.
TokenFunc
(
func
(
token
string
)
(
user
.
Info
,
bool
,
error
)
{
auth
:=
NewProtocolAuthenticator
(
authenticator
.
TokenFunc
(
func
(
ctx
context
.
Context
,
token
string
)
(
*
authenticator
.
Response
,
bool
,
error
)
{
return
nil
,
false
,
customError
return
nil
,
false
,
customError
}))
}))
user
,
ok
,
err
:=
auth
.
AuthenticateRequest
(
&
http
.
Request
{
resp
,
ok
,
err
:=
auth
.
AuthenticateRequest
(
&
http
.
Request
{
Header
:
http
.
Header
{
Header
:
http
.
Header
{
"Connection"
:
[]
string
{
"upgrade"
},
"Connection"
:
[]
string
{
"upgrade"
},
"Upgrade"
:
[]
string
{
"websocket"
},
"Upgrade"
:
[]
string
{
"websocket"
},
"Sec-Websocket-Protocol"
:
[]
string
{
"base64url.bearer.authorization.k8s.io.dG9rZW4,dummy"
},
"Sec-Websocket-Protocol"
:
[]
string
{
"base64url.bearer.authorization.k8s.io.dG9rZW4,dummy"
},
},
},
})
})
if
ok
||
user
!=
nil
{
if
ok
||
resp
!=
nil
{
t
.
Errorf
(
"expected not authenticated user"
)
t
.
Errorf
(
"expected not authenticated user"
)
}
}
if
err
!=
customError
{
if
err
!=
customError
{
...
@@ -85,17 +86,17 @@ func TestAuthenticateRequestTokenInvalidCustomError(t *testing.T) {
...
@@ -85,17 +86,17 @@ func TestAuthenticateRequestTokenInvalidCustomError(t *testing.T) {
}
}
func
TestAuthenticateRequestTokenError
(
t
*
testing
.
T
)
{
func
TestAuthenticateRequestTokenError
(
t
*
testing
.
T
)
{
auth
:=
NewProtocolAuthenticator
(
authenticator
.
TokenFunc
(
func
(
token
string
)
(
user
.
Info
,
bool
,
error
)
{
auth
:=
NewProtocolAuthenticator
(
authenticator
.
TokenFunc
(
func
(
ctx
context
.
Context
,
token
string
)
(
*
authenticator
.
Response
,
bool
,
error
)
{
return
nil
,
false
,
errors
.
New
(
"error"
)
return
nil
,
false
,
errors
.
New
(
"error"
)
}))
}))
user
,
ok
,
err
:=
auth
.
AuthenticateRequest
(
&
http
.
Request
{
resp
,
ok
,
err
:=
auth
.
AuthenticateRequest
(
&
http
.
Request
{
Header
:
http
.
Header
{
Header
:
http
.
Header
{
"Connection"
:
[]
string
{
"upgrade"
},
"Connection"
:
[]
string
{
"upgrade"
},
"Upgrade"
:
[]
string
{
"websocket"
},
"Upgrade"
:
[]
string
{
"websocket"
},
"Sec-Websocket-Protocol"
:
[]
string
{
"base64url.bearer.authorization.k8s.io.dG9rZW4,dummy"
},
"Sec-Websocket-Protocol"
:
[]
string
{
"base64url.bearer.authorization.k8s.io.dG9rZW4,dummy"
},
},
},
})
})
if
ok
||
user
!=
nil
||
err
==
nil
{
if
ok
||
resp
!=
nil
||
err
==
nil
{
t
.
Errorf
(
"expected error"
)
t
.
Errorf
(
"expected error"
)
}
}
}
}
...
@@ -117,12 +118,12 @@ func TestAuthenticateRequestBadValue(t *testing.T) {
...
@@ -117,12 +118,12 @@ func TestAuthenticateRequestBadValue(t *testing.T) {
},
},
}
}
for
i
,
testCase
:=
range
testCases
{
for
i
,
testCase
:=
range
testCases
{
auth
:=
NewProtocolAuthenticator
(
authenticator
.
TokenFunc
(
func
(
token
string
)
(
user
.
Info
,
bool
,
error
)
{
auth
:=
NewProtocolAuthenticator
(
authenticator
.
TokenFunc
(
func
(
ctx
context
.
Context
,
token
string
)
(
*
authenticator
.
Response
,
bool
,
error
)
{
t
.
Errorf
(
"authentication should not have been called"
)
t
.
Errorf
(
"authentication should not have been called"
)
return
nil
,
false
,
nil
return
nil
,
false
,
nil
}))
}))
user
,
ok
,
err
:=
auth
.
AuthenticateRequest
(
testCase
.
Req
)
resp
,
ok
,
err
:=
auth
.
AuthenticateRequest
(
testCase
.
Req
)
if
ok
||
user
!=
nil
||
err
!=
nil
{
if
ok
||
resp
!=
nil
||
err
!=
nil
{
t
.
Errorf
(
"%d: expected not authenticated (no token)"
,
i
)
t
.
Errorf
(
"%d: expected not authenticated (no token)"
,
i
)
}
}
}
}
...
@@ -167,8 +168,10 @@ func TestBearerToken(t *testing.T) {
...
@@ -167,8 +168,10 @@ func TestBearerToken(t *testing.T) {
ExpectedProtocolHeaders
:
[]
string
{
"base64url.bearer.authorization.k8s.io."
},
ExpectedProtocolHeaders
:
[]
string
{
"base64url.bearer.authorization.k8s.io."
},
},
},
"valid bearer token removing header"
:
{
"valid bearer token removing header"
:
{
ProtocolHeaders
:
[]
string
{
"base64url.bearer.authorization.k8s.io.dG9rZW4"
,
"dummy, dummy2"
},
ProtocolHeaders
:
[]
string
{
"base64url.bearer.authorization.k8s.io.dG9rZW4"
,
"dummy, dummy2"
},
TokenAuth
:
authenticator
.
TokenFunc
(
func
(
t
string
)
(
user
.
Info
,
bool
,
error
)
{
return
&
user
.
DefaultInfo
{
Name
:
"myuser"
},
true
,
nil
}),
TokenAuth
:
authenticator
.
TokenFunc
(
func
(
ctx
context
.
Context
,
t
string
)
(
*
authenticator
.
Response
,
bool
,
error
)
{
return
&
authenticator
.
Response
{
User
:
&
user
.
DefaultInfo
{
Name
:
"myuser"
}},
true
,
nil
}),
ExpectedUserName
:
"myuser"
,
ExpectedUserName
:
"myuser"
,
ExpectedOK
:
true
,
ExpectedOK
:
true
,
ExpectedErr
:
false
,
ExpectedErr
:
false
,
...
@@ -176,15 +179,17 @@ func TestBearerToken(t *testing.T) {
...
@@ -176,15 +179,17 @@ func TestBearerToken(t *testing.T) {
},
},
"invalid bearer token"
:
{
"invalid bearer token"
:
{
ProtocolHeaders
:
[]
string
{
"base64url.bearer.authorization.k8s.io.dG9rZW4,dummy"
},
ProtocolHeaders
:
[]
string
{
"base64url.bearer.authorization.k8s.io.dG9rZW4,dummy"
},
TokenAuth
:
authenticator
.
TokenFunc
(
func
(
t
string
)
(
user
.
Info
,
bool
,
error
)
{
return
nil
,
false
,
nil
}),
TokenAuth
:
authenticator
.
TokenFunc
(
func
(
ctx
context
.
Context
,
t
string
)
(
*
authenticator
.
Response
,
bool
,
error
)
{
return
nil
,
false
,
nil
}),
ExpectedUserName
:
""
,
ExpectedUserName
:
""
,
ExpectedOK
:
false
,
ExpectedOK
:
false
,
ExpectedErr
:
true
,
ExpectedErr
:
true
,
ExpectedProtocolHeaders
:
[]
string
{
"base64url.bearer.authorization.k8s.io.dG9rZW4,dummy"
},
ExpectedProtocolHeaders
:
[]
string
{
"base64url.bearer.authorization.k8s.io.dG9rZW4,dummy"
},
},
},
"error bearer token"
:
{
"error bearer token"
:
{
ProtocolHeaders
:
[]
string
{
"base64url.bearer.authorization.k8s.io.dG9rZW4,dummy"
},
ProtocolHeaders
:
[]
string
{
"base64url.bearer.authorization.k8s.io.dG9rZW4,dummy"
},
TokenAuth
:
authenticator
.
TokenFunc
(
func
(
t
string
)
(
user
.
Info
,
bool
,
error
)
{
return
nil
,
false
,
errors
.
New
(
"error"
)
}),
TokenAuth
:
authenticator
.
TokenFunc
(
func
(
ctx
context
.
Context
,
t
string
)
(
*
authenticator
.
Response
,
bool
,
error
)
{
return
nil
,
false
,
errors
.
New
(
"error"
)
}),
ExpectedUserName
:
""
,
ExpectedUserName
:
""
,
ExpectedOK
:
false
,
ExpectedOK
:
false
,
ExpectedErr
:
true
,
ExpectedErr
:
true
,
...
@@ -201,7 +206,7 @@ func TestBearerToken(t *testing.T) {
...
@@ -201,7 +206,7 @@ func TestBearerToken(t *testing.T) {
}
}
bearerAuth
:=
NewProtocolAuthenticator
(
tc
.
TokenAuth
)
bearerAuth
:=
NewProtocolAuthenticator
(
tc
.
TokenAuth
)
u
,
ok
,
err
:=
bearerAuth
.
AuthenticateRequest
(
req
)
resp
,
ok
,
err
:=
bearerAuth
.
AuthenticateRequest
(
req
)
if
tc
.
ExpectedErr
!=
(
err
!=
nil
)
{
if
tc
.
ExpectedErr
!=
(
err
!=
nil
)
{
t
.
Errorf
(
"%s: Expected err=%v, got %v"
,
k
,
tc
.
ExpectedErr
,
err
)
t
.
Errorf
(
"%s: Expected err=%v, got %v"
,
k
,
tc
.
ExpectedErr
,
err
)
continue
continue
...
@@ -210,8 +215,8 @@ func TestBearerToken(t *testing.T) {
...
@@ -210,8 +215,8 @@ func TestBearerToken(t *testing.T) {
t
.
Errorf
(
"%s: Expected ok=%v, got %v"
,
k
,
tc
.
ExpectedOK
,
ok
)
t
.
Errorf
(
"%s: Expected ok=%v, got %v"
,
k
,
tc
.
ExpectedOK
,
ok
)
continue
continue
}
}
if
ok
&&
u
.
GetName
()
!=
tc
.
ExpectedUserName
{
if
ok
&&
resp
.
User
.
GetName
()
!=
tc
.
ExpectedUserName
{
t
.
Errorf
(
"%s: Expected username=%v, got %v"
,
k
,
tc
.
ExpectedUserName
,
u
.
GetName
())
t
.
Errorf
(
"%s: Expected username=%v, got %v"
,
k
,
tc
.
ExpectedUserName
,
resp
.
User
.
GetName
())
continue
continue
}
}
if
!
reflect
.
DeepEqual
(
req
.
Header
[
"Sec-Websocket-Protocol"
],
tc
.
ExpectedProtocolHeaders
)
{
if
!
reflect
.
DeepEqual
(
req
.
Header
[
"Sec-Websocket-Protocol"
],
tc
.
ExpectedProtocolHeaders
)
{
...
...
staging/src/k8s.io/apiserver/pkg/authentication/request/x509/x509.go
View file @
baa8d800
...
@@ -59,14 +59,14 @@ func init() {
...
@@ -59,14 +59,14 @@ func init() {
// UserConversion defines an interface for extracting user info from a client certificate chain
// UserConversion defines an interface for extracting user info from a client certificate chain
type
UserConversion
interface
{
type
UserConversion
interface
{
User
(
chain
[]
*
x509
.
Certificate
)
(
user
.
Info
,
bool
,
error
)
User
(
chain
[]
*
x509
.
Certificate
)
(
*
authenticator
.
Response
,
bool
,
error
)
}
}
// UserConversionFunc is a function that implements the UserConversion interface.
// UserConversionFunc is a function that implements the UserConversion interface.
type
UserConversionFunc
func
(
chain
[]
*
x509
.
Certificate
)
(
user
.
Info
,
bool
,
error
)
type
UserConversionFunc
func
(
chain
[]
*
x509
.
Certificate
)
(
*
authenticator
.
Response
,
bool
,
error
)
// User implements x509.UserConversion
// User implements x509.UserConversion
func
(
f
UserConversionFunc
)
User
(
chain
[]
*
x509
.
Certificate
)
(
user
.
Info
,
bool
,
error
)
{
func
(
f
UserConversionFunc
)
User
(
chain
[]
*
x509
.
Certificate
)
(
*
authenticator
.
Response
,
bool
,
error
)
{
return
f
(
chain
)
return
f
(
chain
)
}
}
...
@@ -83,7 +83,7 @@ func New(opts x509.VerifyOptions, user UserConversion) *Authenticator {
...
@@ -83,7 +83,7 @@ func New(opts x509.VerifyOptions, user UserConversion) *Authenticator {
}
}
// AuthenticateRequest authenticates the request using presented client certificates
// AuthenticateRequest authenticates the request using presented client certificates
func
(
a
*
Authenticator
)
AuthenticateRequest
(
req
*
http
.
Request
)
(
user
.
Info
,
bool
,
error
)
{
func
(
a
*
Authenticator
)
AuthenticateRequest
(
req
*
http
.
Request
)
(
*
authenticator
.
Response
,
bool
,
error
)
{
if
req
.
TLS
==
nil
||
len
(
req
.
TLS
.
PeerCertificates
)
==
0
{
if
req
.
TLS
==
nil
||
len
(
req
.
TLS
.
PeerCertificates
)
==
0
{
return
nil
,
false
,
nil
return
nil
,
false
,
nil
}
}
...
@@ -135,7 +135,7 @@ func NewVerifier(opts x509.VerifyOptions, auth authenticator.Request, allowedCom
...
@@ -135,7 +135,7 @@ func NewVerifier(opts x509.VerifyOptions, auth authenticator.Request, allowedCom
}
}
// AuthenticateRequest verifies the presented client certificate, then delegates to the wrapped auth
// AuthenticateRequest verifies the presented client certificate, then delegates to the wrapped auth
func
(
a
*
Verifier
)
AuthenticateRequest
(
req
*
http
.
Request
)
(
user
.
Info
,
bool
,
error
)
{
func
(
a
*
Verifier
)
AuthenticateRequest
(
req
*
http
.
Request
)
(
*
authenticator
.
Response
,
bool
,
error
)
{
if
req
.
TLS
==
nil
||
len
(
req
.
TLS
.
PeerCertificates
)
==
0
{
if
req
.
TLS
==
nil
||
len
(
req
.
TLS
.
PeerCertificates
)
==
0
{
return
nil
,
false
,
nil
return
nil
,
false
,
nil
}
}
...
@@ -179,12 +179,14 @@ func DefaultVerifyOptions() x509.VerifyOptions {
...
@@ -179,12 +179,14 @@ func DefaultVerifyOptions() x509.VerifyOptions {
}
}
// CommonNameUserConversion builds user info from a certificate chain using the subject's CommonName
// CommonNameUserConversion builds user info from a certificate chain using the subject's CommonName
var
CommonNameUserConversion
=
UserConversionFunc
(
func
(
chain
[]
*
x509
.
Certificate
)
(
user
.
Info
,
bool
,
error
)
{
var
CommonNameUserConversion
=
UserConversionFunc
(
func
(
chain
[]
*
x509
.
Certificate
)
(
*
authenticator
.
Response
,
bool
,
error
)
{
if
len
(
chain
[
0
]
.
Subject
.
CommonName
)
==
0
{
if
len
(
chain
[
0
]
.
Subject
.
CommonName
)
==
0
{
return
nil
,
false
,
nil
return
nil
,
false
,
nil
}
}
return
&
user
.
DefaultInfo
{
return
&
authenticator
.
Response
{
Name
:
chain
[
0
]
.
Subject
.
CommonName
,
User
:
&
user
.
DefaultInfo
{
Groups
:
chain
[
0
]
.
Subject
.
Organization
,
Name
:
chain
[
0
]
.
Subject
.
CommonName
,
Groups
:
chain
[
0
]
.
Subject
.
Organization
,
},
},
true
,
nil
},
true
,
nil
})
})
staging/src/k8s.io/apiserver/pkg/authentication/request/x509/x509_test.go
View file @
baa8d800
...
@@ -590,7 +590,7 @@ func TestX509(t *testing.T) {
...
@@ -590,7 +590,7 @@ func TestX509(t *testing.T) {
"custom conversion error"
:
{
"custom conversion error"
:
{
Opts
:
getDefaultVerifyOptions
(
t
),
Opts
:
getDefaultVerifyOptions
(
t
),
Certs
:
getCerts
(
t
,
clientCNCert
),
Certs
:
getCerts
(
t
,
clientCNCert
),
User
:
UserConversionFunc
(
func
(
chain
[]
*
x509
.
Certificate
)
(
user
.
Info
,
bool
,
error
)
{
User
:
UserConversionFunc
(
func
(
chain
[]
*
x509
.
Certificate
)
(
*
authenticator
.
Response
,
bool
,
error
)
{
return
nil
,
false
,
errors
.
New
(
"custom error"
)
return
nil
,
false
,
errors
.
New
(
"custom error"
)
}),
}),
...
@@ -600,8 +600,8 @@ func TestX509(t *testing.T) {
...
@@ -600,8 +600,8 @@ func TestX509(t *testing.T) {
"custom conversion success"
:
{
"custom conversion success"
:
{
Opts
:
getDefaultVerifyOptions
(
t
),
Opts
:
getDefaultVerifyOptions
(
t
),
Certs
:
getCerts
(
t
,
clientCNCert
),
Certs
:
getCerts
(
t
,
clientCNCert
),
User
:
UserConversionFunc
(
func
(
chain
[]
*
x509
.
Certificate
)
(
user
.
Info
,
bool
,
error
)
{
User
:
UserConversionFunc
(
func
(
chain
[]
*
x509
.
Certificate
)
(
*
authenticator
.
Response
,
bool
,
error
)
{
return
&
user
.
DefaultInfo
{
Name
:
"custom"
},
true
,
nil
return
&
authenticator
.
Response
{
User
:
&
user
.
DefaultInfo
{
Name
:
"custom"
}
},
true
,
nil
}),
}),
ExpectUserName
:
"custom"
,
ExpectUserName
:
"custom"
,
...
@@ -659,7 +659,7 @@ func TestX509(t *testing.T) {
...
@@ -659,7 +659,7 @@ func TestX509(t *testing.T) {
a
:=
New
(
testCase
.
Opts
,
testCase
.
User
)
a
:=
New
(
testCase
.
Opts
,
testCase
.
User
)
user
,
ok
,
err
:=
a
.
AuthenticateRequest
(
req
)
resp
,
ok
,
err
:=
a
.
AuthenticateRequest
(
req
)
if
testCase
.
ExpectErr
&&
err
==
nil
{
if
testCase
.
ExpectErr
&&
err
==
nil
{
t
.
Errorf
(
"%s: Expected error, got none"
,
k
)
t
.
Errorf
(
"%s: Expected error, got none"
,
k
)
...
@@ -676,11 +676,11 @@ func TestX509(t *testing.T) {
...
@@ -676,11 +676,11 @@ func TestX509(t *testing.T) {
}
}
if
testCase
.
ExpectOK
{
if
testCase
.
ExpectOK
{
if
testCase
.
ExpectUserName
!=
u
ser
.
GetName
()
{
if
testCase
.
ExpectUserName
!=
resp
.
U
ser
.
GetName
()
{
t
.
Errorf
(
"%s: Expected user.name=%v, got %v"
,
k
,
testCase
.
ExpectUserName
,
u
ser
.
GetName
())
t
.
Errorf
(
"%s: Expected user.name=%v, got %v"
,
k
,
testCase
.
ExpectUserName
,
resp
.
U
ser
.
GetName
())
}
}
groups
:=
u
ser
.
GetGroups
()
groups
:=
resp
.
U
ser
.
GetGroups
()
sort
.
Strings
(
testCase
.
ExpectGroups
)
sort
.
Strings
(
testCase
.
ExpectGroups
)
sort
.
Strings
(
groups
)
sort
.
Strings
(
groups
)
if
!
reflect
.
DeepEqual
(
testCase
.
ExpectGroups
,
groups
)
{
if
!
reflect
.
DeepEqual
(
testCase
.
ExpectGroups
,
groups
)
{
...
@@ -807,14 +807,14 @@ func TestX509Verifier(t *testing.T) {
...
@@ -807,14 +807,14 @@ func TestX509Verifier(t *testing.T) {
}
}
authCall
:=
false
authCall
:=
false
auth
:=
authenticator
.
RequestFunc
(
func
(
req
*
http
.
Request
)
(
user
.
Info
,
bool
,
error
)
{
auth
:=
authenticator
.
RequestFunc
(
func
(
req
*
http
.
Request
)
(
*
authenticator
.
Response
,
bool
,
error
)
{
authCall
=
true
authCall
=
true
return
&
user
.
DefaultInfo
{
Name
:
"innerauth"
},
true
,
nil
return
&
authenticator
.
Response
{
User
:
&
user
.
DefaultInfo
{
Name
:
"innerauth"
}
},
true
,
nil
})
})
a
:=
NewVerifier
(
testCase
.
Opts
,
auth
,
testCase
.
AllowedCNs
)
a
:=
NewVerifier
(
testCase
.
Opts
,
auth
,
testCase
.
AllowedCNs
)
user
,
ok
,
err
:=
a
.
AuthenticateRequest
(
req
)
resp
,
ok
,
err
:=
a
.
AuthenticateRequest
(
req
)
if
testCase
.
ExpectErr
&&
err
==
nil
{
if
testCase
.
ExpectErr
&&
err
==
nil
{
t
.
Errorf
(
"%s: Expected error, got none"
,
k
)
t
.
Errorf
(
"%s: Expected error, got none"
,
k
)
...
@@ -835,8 +835,8 @@ func TestX509Verifier(t *testing.T) {
...
@@ -835,8 +835,8 @@ func TestX509Verifier(t *testing.T) {
t
.
Errorf
(
"%s: Expected inner auth called, wasn't"
,
k
)
t
.
Errorf
(
"%s: Expected inner auth called, wasn't"
,
k
)
continue
continue
}
}
if
"innerauth"
!=
u
ser
.
GetName
()
{
if
"innerauth"
!=
resp
.
U
ser
.
GetName
()
{
t
.
Errorf
(
"%s: Expected user.name=%v, got %v"
,
k
,
"innerauth"
,
u
ser
.
GetName
())
t
.
Errorf
(
"%s: Expected user.name=%v, got %v"
,
k
,
"innerauth"
,
resp
.
U
ser
.
GetName
())
continue
continue
}
}
}
else
{
}
else
{
...
...
staging/src/k8s.io/apiserver/pkg/authentication/token/cache/BUILD
View file @
baa8d800
...
@@ -17,6 +17,7 @@ go_test(
...
@@ -17,6 +17,7 @@ go_test(
"//staging/src/k8s.io/apimachinery/pkg/util/clock:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/util/clock:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/authentication/authenticator:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/authentication/authenticator:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/authentication/user:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/authentication/user:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/endpoints/request:go_default_library",
"//vendor/github.com/pborman/uuid:go_default_library",
"//vendor/github.com/pborman/uuid:go_default_library",
],
],
)
)
...
@@ -34,7 +35,7 @@ go_library(
...
@@ -34,7 +35,7 @@ go_library(
"//staging/src/k8s.io/apimachinery/pkg/util/cache:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/util/cache:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/util/clock:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/util/clock:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/authentication/authenticator:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/authentication/authenticator:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/
authentication/user
:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/
endpoints/request
:go_default_library",
],
],
)
)
...
...
staging/src/k8s.io/apiserver/pkg/authentication/token/cache/cache_striped.go
View file @
baa8d800
...
@@ -24,36 +24,36 @@ import (
...
@@ -24,36 +24,36 @@ import (
// split cache lookups across N striped caches
// split cache lookups across N striped caches
type
stripedCache
struct
{
type
stripedCache
struct
{
stripeCount
uint32
stripeCount
uint32
keyFunc
func
(
string
)
uint32
hashFunc
func
(
string
)
uint32
caches
[]
cache
caches
[]
cache
}
}
type
key
Func
func
(
string
)
uint32
type
hash
Func
func
(
string
)
uint32
type
newCacheFunc
func
()
cache
type
newCacheFunc
func
()
cache
func
newStripedCache
(
stripeCount
int
,
keyFunc
key
Func
,
newCacheFunc
newCacheFunc
)
cache
{
func
newStripedCache
(
stripeCount
int
,
hash
hash
Func
,
newCacheFunc
newCacheFunc
)
cache
{
caches
:=
[]
cache
{}
caches
:=
[]
cache
{}
for
i
:=
0
;
i
<
stripeCount
;
i
++
{
for
i
:=
0
;
i
<
stripeCount
;
i
++
{
caches
=
append
(
caches
,
newCacheFunc
())
caches
=
append
(
caches
,
newCacheFunc
())
}
}
return
&
stripedCache
{
return
&
stripedCache
{
stripeCount
:
uint32
(
stripeCount
),
stripeCount
:
uint32
(
stripeCount
),
keyFunc
:
keyFunc
,
hashFunc
:
hash
,
caches
:
caches
,
caches
:
caches
,
}
}
}
}
func
(
c
*
stripedCache
)
get
(
key
string
)
(
*
cacheRecord
,
bool
)
{
func
(
c
*
stripedCache
)
get
(
key
string
)
(
*
cacheRecord
,
bool
)
{
return
c
.
caches
[
c
.
key
Func
(
key
)
%
c
.
stripeCount
]
.
get
(
key
)
return
c
.
caches
[
c
.
hash
Func
(
key
)
%
c
.
stripeCount
]
.
get
(
key
)
}
}
func
(
c
*
stripedCache
)
set
(
key
string
,
value
*
cacheRecord
,
ttl
time
.
Duration
)
{
func
(
c
*
stripedCache
)
set
(
key
string
,
value
*
cacheRecord
,
ttl
time
.
Duration
)
{
c
.
caches
[
c
.
key
Func
(
key
)
%
c
.
stripeCount
]
.
set
(
key
,
value
,
ttl
)
c
.
caches
[
c
.
hash
Func
(
key
)
%
c
.
stripeCount
]
.
set
(
key
,
value
,
ttl
)
}
}
func
(
c
*
stripedCache
)
remove
(
key
string
)
{
func
(
c
*
stripedCache
)
remove
(
key
string
)
{
c
.
caches
[
c
.
key
Func
(
key
)
%
c
.
stripeCount
]
.
remove
(
key
)
c
.
caches
[
c
.
hash
Func
(
key
)
%
c
.
stripeCount
]
.
remove
(
key
)
}
}
func
fnv
Key
Func
(
key
string
)
uint32
{
func
fnv
Hash
Func
(
key
string
)
uint32
{
f
:=
fnv
.
New32
()
f
:=
fnv
.
New32
()
f
.
Write
([]
byte
(
key
))
f
.
Write
([]
byte
(
key
))
return
f
.
Sum32
()
return
f
.
Sum32
()
...
...
staging/src/k8s.io/apiserver/pkg/authentication/token/cache/cache_test.go
View file @
baa8d800
...
@@ -21,10 +21,11 @@ import (
...
@@ -21,10 +21,11 @@ import (
"testing"
"testing"
"time"
"time"
"github.com/pborman/uuid"
"k8s.io/apimachinery/pkg/util/clock"
"k8s.io/apimachinery/pkg/util/clock"
"k8s.io/apiserver/pkg/authentication/authenticator"
"k8s.io/apiserver/pkg/authentication/user"
"k8s.io/apiserver/pkg/authentication/user"
"github.com/pborman/uuid"
)
)
func
TestSimpleCache
(
t
*
testing
.
T
)
{
func
TestSimpleCache
(
t
*
testing
.
T
)
{
...
@@ -36,11 +37,11 @@ func BenchmarkSimpleCache(b *testing.B) {
...
@@ -36,11 +37,11 @@ func BenchmarkSimpleCache(b *testing.B) {
}
}
func
TestStripedCache
(
t
*
testing
.
T
)
{
func
TestStripedCache
(
t
*
testing
.
T
)
{
testCache
(
newStripedCache
(
32
,
fnv
Key
Func
,
func
()
cache
{
return
newSimpleCache
(
128
,
clock
.
RealClock
{})
}),
t
)
testCache
(
newStripedCache
(
32
,
fnv
Hash
Func
,
func
()
cache
{
return
newSimpleCache
(
128
,
clock
.
RealClock
{})
}),
t
)
}
}
func
BenchmarkStripedCache
(
b
*
testing
.
B
)
{
func
BenchmarkStripedCache
(
b
*
testing
.
B
)
{
benchmarkCache
(
newStripedCache
(
32
,
fnv
Key
Func
,
func
()
cache
{
return
newSimpleCache
(
128
,
clock
.
RealClock
{})
}),
b
)
benchmarkCache
(
newStripedCache
(
32
,
fnv
Hash
Func
,
func
()
cache
{
return
newSimpleCache
(
128
,
clock
.
RealClock
{})
}),
b
)
}
}
func
benchmarkCache
(
cache
cache
,
b
*
testing
.
B
)
{
func
benchmarkCache
(
cache
cache
,
b
*
testing
.
B
)
{
...
@@ -71,8 +72,8 @@ func testCache(cache cache, t *testing.T) {
...
@@ -71,8 +72,8 @@ func testCache(cache cache, t *testing.T) {
t
.
Errorf
(
"Expected null, false, got %#v, %v"
,
result
,
ok
)
t
.
Errorf
(
"Expected null, false, got %#v, %v"
,
result
,
ok
)
}
}
record1
:=
&
cacheRecord
{
user
:
&
user
.
DefaultInfo
{
Name
:
"bob"
}}
record1
:=
&
cacheRecord
{
resp
:
&
authenticator
.
Response
{
User
:
&
user
.
DefaultInfo
{
Name
:
"bob"
}
}}
record2
:=
&
cacheRecord
{
user
:
&
user
.
DefaultInfo
{
Name
:
"alice"
}}
record2
:=
&
cacheRecord
{
resp
:
&
authenticator
.
Response
{
User
:
&
user
.
DefaultInfo
{
Name
:
"alice"
}
}}
// when empty, record is stored
// when empty, record is stored
cache
.
set
(
"foo"
,
record1
,
time
.
Hour
)
cache
.
set
(
"foo"
,
record1
,
time
.
Hour
)
...
...
staging/src/k8s.io/apiserver/pkg/authentication/token/cache/cached_token_authenticator.go
View file @
baa8d800
...
@@ -17,16 +17,18 @@ limitations under the License.
...
@@ -17,16 +17,18 @@ limitations under the License.
package
cache
package
cache
import
(
import
(
"context"
"fmt"
"time"
"time"
utilclock
"k8s.io/apimachinery/pkg/util/clock"
utilclock
"k8s.io/apimachinery/pkg/util/clock"
"k8s.io/apiserver/pkg/authentication/authenticator"
"k8s.io/apiserver/pkg/authentication/authenticator"
"k8s.io/apiserver/pkg/
authentication/user
"
"k8s.io/apiserver/pkg/
endpoints/request
"
)
)
// cacheRecord holds the three return values of the authenticator.Token AuthenticateToken method
// cacheRecord holds the three return values of the authenticator.Token AuthenticateToken method
type
cacheRecord
struct
{
type
cacheRecord
struct
{
user
user
.
Info
resp
*
authenticator
.
Response
ok
bool
ok
bool
err
error
err
error
}
}
...
@@ -59,24 +61,31 @@ func newWithClock(authenticator authenticator.Token, successTTL, failureTTL time
...
@@ -59,24 +61,31 @@ func newWithClock(authenticator authenticator.Token, successTTL, failureTTL time
authenticator
:
authenticator
,
authenticator
:
authenticator
,
successTTL
:
successTTL
,
successTTL
:
successTTL
,
failureTTL
:
failureTTL
,
failureTTL
:
failureTTL
,
cache
:
newStripedCache
(
32
,
fnv
Key
Func
,
func
()
cache
{
return
newSimpleCache
(
128
,
clock
)
}),
cache
:
newStripedCache
(
32
,
fnv
Hash
Func
,
func
()
cache
{
return
newSimpleCache
(
128
,
clock
)
}),
}
}
}
}
// AuthenticateToken implements authenticator.Token
// AuthenticateToken implements authenticator.Token
func
(
a
*
cachedTokenAuthenticator
)
AuthenticateToken
(
token
string
)
(
user
.
Info
,
bool
,
error
)
{
func
(
a
*
cachedTokenAuthenticator
)
AuthenticateToken
(
ctx
context
.
Context
,
token
string
)
(
*
authenticator
.
Response
,
bool
,
error
)
{
if
record
,
ok
:=
a
.
cache
.
get
(
token
);
ok
{
auds
,
_
:=
request
.
AudiencesFrom
(
ctx
)
return
record
.
user
,
record
.
ok
,
record
.
err
key
:=
keyFunc
(
auds
,
token
)
if
record
,
ok
:=
a
.
cache
.
get
(
key
);
ok
{
return
record
.
resp
,
record
.
ok
,
record
.
err
}
}
user
,
ok
,
err
:=
a
.
authenticator
.
AuthenticateToken
(
token
)
resp
,
ok
,
err
:=
a
.
authenticator
.
AuthenticateToken
(
ctx
,
token
)
switch
{
switch
{
case
ok
&&
a
.
successTTL
>
0
:
case
ok
&&
a
.
successTTL
>
0
:
a
.
cache
.
set
(
token
,
&
cacheRecord
{
user
:
user
,
ok
:
ok
,
err
:
err
},
a
.
successTTL
)
a
.
cache
.
set
(
key
,
&
cacheRecord
{
resp
:
resp
,
ok
:
ok
,
err
:
err
},
a
.
successTTL
)
case
!
ok
&&
a
.
failureTTL
>
0
:
case
!
ok
&&
a
.
failureTTL
>
0
:
a
.
cache
.
set
(
token
,
&
cacheRecord
{
user
:
user
,
ok
:
ok
,
err
:
err
},
a
.
failureTTL
)
a
.
cache
.
set
(
key
,
&
cacheRecord
{
resp
:
resp
,
ok
:
ok
,
err
:
err
},
a
.
failureTTL
)
}
}
return
user
,
ok
,
err
return
resp
,
ok
,
err
}
func
keyFunc
(
auds
[]
string
,
token
string
)
string
{
return
fmt
.
Sprintf
(
"%#v|%v"
,
auds
,
token
)
}
}
staging/src/k8s.io/apiserver/pkg/authentication/token/cache/cached_token_authenticator_test.go
View file @
baa8d800
...
@@ -17,6 +17,7 @@ limitations under the License.
...
@@ -17,6 +17,7 @@ limitations under the License.
package
cache
package
cache
import
(
import
(
"context"
"reflect"
"reflect"
"testing"
"testing"
"time"
"time"
...
@@ -24,6 +25,7 @@ import (
...
@@ -24,6 +25,7 @@ import (
utilclock
"k8s.io/apimachinery/pkg/util/clock"
utilclock
"k8s.io/apimachinery/pkg/util/clock"
"k8s.io/apiserver/pkg/authentication/authenticator"
"k8s.io/apiserver/pkg/authentication/authenticator"
"k8s.io/apiserver/pkg/authentication/user"
"k8s.io/apiserver/pkg/authentication/user"
"k8s.io/apiserver/pkg/endpoints/request"
)
)
func
TestCachedTokenAuthenticator
(
t
*
testing
.
T
)
{
func
TestCachedTokenAuthenticator
(
t
*
testing
.
T
)
{
...
@@ -34,21 +36,21 @@ func TestCachedTokenAuthenticator(t *testing.T) {
...
@@ -34,21 +36,21 @@ func TestCachedTokenAuthenticator(t *testing.T) {
resultOk
bool
resultOk
bool
resultErr
error
resultErr
error
)
)
fakeAuth
:=
authenticator
.
TokenFunc
(
func
(
token
string
)
(
user
.
Info
,
bool
,
error
)
{
fakeAuth
:=
authenticator
.
TokenFunc
(
func
(
ctx
context
.
Context
,
token
string
)
(
*
authenticator
.
Response
,
bool
,
error
)
{
calledWithToken
=
append
(
calledWithToken
,
token
)
calledWithToken
=
append
(
calledWithToken
,
token
)
return
resultUsers
[
token
]
,
resultOk
,
resultErr
return
&
authenticator
.
Response
{
User
:
resultUsers
[
token
]}
,
resultOk
,
resultErr
})
})
fakeClock
:=
utilclock
.
NewFakeClock
(
time
.
Now
())
fakeClock
:=
utilclock
.
NewFakeClock
(
time
.
Now
())
a
:=
newWithClock
(
fakeAuth
,
time
.
Minute
,
0
,
fakeClock
)
a
:=
newWithClock
(
fakeAuth
,
time
.
Minute
,
0
,
fakeClock
)
calledWithToken
,
resultUsers
,
resultOk
,
resultErr
=
[]
string
{},
nil
,
false
,
nil
calledWithToken
,
resultUsers
,
resultOk
,
resultErr
=
[]
string
{},
nil
,
false
,
nil
a
.
AuthenticateToken
(
"bad1"
)
a
.
AuthenticateToken
(
context
.
Background
(),
"bad1"
)
a
.
AuthenticateToken
(
"bad2"
)
a
.
AuthenticateToken
(
context
.
Background
(),
"bad2"
)
a
.
AuthenticateToken
(
"bad3"
)
a
.
AuthenticateToken
(
context
.
Background
(),
"bad3"
)
a
.
AuthenticateToken
(
"bad1"
)
a
.
AuthenticateToken
(
context
.
Background
(),
"bad1"
)
a
.
AuthenticateToken
(
"bad2"
)
a
.
AuthenticateToken
(
context
.
Background
(),
"bad2"
)
a
.
AuthenticateToken
(
"bad3"
)
a
.
AuthenticateToken
(
context
.
Background
(),
"bad3"
)
if
!
reflect
.
DeepEqual
(
calledWithToken
,
[]
string
{
"bad1"
,
"bad2"
,
"bad3"
,
"bad1"
,
"bad2"
,
"bad3"
})
{
if
!
reflect
.
DeepEqual
(
calledWithToken
,
[]
string
{
"bad1"
,
"bad2"
,
"bad3"
,
"bad1"
,
"bad2"
,
"bad3"
})
{
t
.
Errorf
(
"Expected failing calls to bypass cache, got %v"
,
calledWithToken
)
t
.
Errorf
(
"Expected failing calls to bypass cache, got %v"
,
calledWithToken
)
}
}
...
@@ -61,13 +63,13 @@ func TestCachedTokenAuthenticator(t *testing.T) {
...
@@ -61,13 +63,13 @@ func TestCachedTokenAuthenticator(t *testing.T) {
resultUsers
[
"usertoken3"
]
=
&
user
.
DefaultInfo
{
Name
:
"user3"
}
resultUsers
[
"usertoken3"
]
=
&
user
.
DefaultInfo
{
Name
:
"user3"
}
// populate cache
// populate cache
if
user
,
ok
,
err
:=
a
.
AuthenticateToken
(
"usertoken1"
);
err
!=
nil
||
!
ok
||
u
ser
.
GetName
()
!=
"user1"
{
if
resp
,
ok
,
err
:=
a
.
AuthenticateToken
(
context
.
Background
(),
"usertoken1"
);
err
!=
nil
||
!
ok
||
resp
.
U
ser
.
GetName
()
!=
"user1"
{
t
.
Errorf
(
"Expected user1"
)
t
.
Errorf
(
"Expected user1"
)
}
}
if
user
,
ok
,
err
:=
a
.
AuthenticateToken
(
"usertoken2"
);
err
!=
nil
||
!
ok
||
u
ser
.
GetName
()
!=
"user2"
{
if
resp
,
ok
,
err
:=
a
.
AuthenticateToken
(
context
.
Background
(),
"usertoken2"
);
err
!=
nil
||
!
ok
||
resp
.
U
ser
.
GetName
()
!=
"user2"
{
t
.
Errorf
(
"Expected user2"
)
t
.
Errorf
(
"Expected user2"
)
}
}
if
user
,
ok
,
err
:=
a
.
AuthenticateToken
(
"usertoken3"
);
err
!=
nil
||
!
ok
||
u
ser
.
GetName
()
!=
"user3"
{
if
resp
,
ok
,
err
:=
a
.
AuthenticateToken
(
context
.
Background
(),
"usertoken3"
);
err
!=
nil
||
!
ok
||
resp
.
U
ser
.
GetName
()
!=
"user3"
{
t
.
Errorf
(
"Expected user3"
)
t
.
Errorf
(
"Expected user3"
)
}
}
if
!
reflect
.
DeepEqual
(
calledWithToken
,
[]
string
{
"usertoken1"
,
"usertoken2"
,
"usertoken3"
})
{
if
!
reflect
.
DeepEqual
(
calledWithToken
,
[]
string
{
"usertoken1"
,
"usertoken2"
,
"usertoken3"
})
{
...
@@ -79,13 +81,13 @@ func TestCachedTokenAuthenticator(t *testing.T) {
...
@@ -79,13 +81,13 @@ func TestCachedTokenAuthenticator(t *testing.T) {
resultUsers
,
resultOk
,
resultErr
=
nil
,
false
,
nil
resultUsers
,
resultOk
,
resultErr
=
nil
,
false
,
nil
// authenticate calls still succeed and backend is not hit
// authenticate calls still succeed and backend is not hit
if
user
,
ok
,
err
:=
a
.
AuthenticateToken
(
"usertoken1"
);
err
!=
nil
||
!
ok
||
u
ser
.
GetName
()
!=
"user1"
{
if
resp
,
ok
,
err
:=
a
.
AuthenticateToken
(
context
.
Background
(),
"usertoken1"
);
err
!=
nil
||
!
ok
||
resp
.
U
ser
.
GetName
()
!=
"user1"
{
t
.
Errorf
(
"Expected user1"
)
t
.
Errorf
(
"Expected user1"
)
}
}
if
user
,
ok
,
err
:=
a
.
AuthenticateToken
(
"usertoken2"
);
err
!=
nil
||
!
ok
||
u
ser
.
GetName
()
!=
"user2"
{
if
resp
,
ok
,
err
:=
a
.
AuthenticateToken
(
context
.
Background
(),
"usertoken2"
);
err
!=
nil
||
!
ok
||
resp
.
U
ser
.
GetName
()
!=
"user2"
{
t
.
Errorf
(
"Expected user2"
)
t
.
Errorf
(
"Expected user2"
)
}
}
if
user
,
ok
,
err
:=
a
.
AuthenticateToken
(
"usertoken3"
);
err
!=
nil
||
!
ok
||
u
ser
.
GetName
()
!=
"user3"
{
if
resp
,
ok
,
err
:=
a
.
AuthenticateToken
(
context
.
Background
(),
"usertoken3"
);
err
!=
nil
||
!
ok
||
resp
.
U
ser
.
GetName
()
!=
"user3"
{
t
.
Errorf
(
"Expected user3"
)
t
.
Errorf
(
"Expected user3"
)
}
}
if
!
reflect
.
DeepEqual
(
calledWithToken
,
[]
string
{})
{
if
!
reflect
.
DeepEqual
(
calledWithToken
,
[]
string
{})
{
...
@@ -96,10 +98,31 @@ func TestCachedTokenAuthenticator(t *testing.T) {
...
@@ -96,10 +98,31 @@ func TestCachedTokenAuthenticator(t *testing.T) {
fakeClock
.
Step
(
2
*
time
.
Minute
)
fakeClock
.
Step
(
2
*
time
.
Minute
)
// backend is consulted again and fails
// backend is consulted again and fails
a
.
AuthenticateToken
(
"usertoken1"
)
a
.
AuthenticateToken
(
context
.
Background
(),
"usertoken1"
)
a
.
AuthenticateToken
(
"usertoken2"
)
a
.
AuthenticateToken
(
context
.
Background
(),
"usertoken2"
)
a
.
AuthenticateToken
(
"usertoken3"
)
a
.
AuthenticateToken
(
context
.
Background
(),
"usertoken3"
)
if
!
reflect
.
DeepEqual
(
calledWithToken
,
[]
string
{
"usertoken1"
,
"usertoken2"
,
"usertoken3"
})
{
if
!
reflect
.
DeepEqual
(
calledWithToken
,
[]
string
{
"usertoken1"
,
"usertoken2"
,
"usertoken3"
})
{
t
.
Errorf
(
"Expected token calls, got %v"
,
calledWithToken
)
t
.
Errorf
(
"Expected token calls, got %v"
,
calledWithToken
)
}
}
}
}
func
TestCachedTokenAuthenticatorWithAudiences
(
t
*
testing
.
T
)
{
resultUsers
:=
make
(
map
[
string
]
user
.
Info
)
fakeAuth
:=
authenticator
.
TokenFunc
(
func
(
ctx
context
.
Context
,
token
string
)
(
*
authenticator
.
Response
,
bool
,
error
)
{
auds
,
_
:=
request
.
AudiencesFrom
(
ctx
)
return
&
authenticator
.
Response
{
User
:
resultUsers
[
auds
[
0
]
+
token
]},
true
,
nil
})
fakeClock
:=
utilclock
.
NewFakeClock
(
time
.
Now
())
a
:=
newWithClock
(
fakeAuth
,
time
.
Minute
,
0
,
fakeClock
)
resultUsers
[
"audAusertoken1"
]
=
&
user
.
DefaultInfo
{
Name
:
"user1"
}
resultUsers
[
"audBusertoken1"
]
=
&
user
.
DefaultInfo
{
Name
:
"user1-different"
}
if
u
,
ok
,
_
:=
a
.
AuthenticateToken
(
request
.
WithAudiences
(
context
.
Background
(),
[]
string
{
"audA"
}),
"usertoken1"
);
!
ok
||
u
.
User
.
GetName
()
!=
"user1"
{
t
.
Errorf
(
"Expected user1"
)
}
if
u
,
ok
,
_
:=
a
.
AuthenticateToken
(
request
.
WithAudiences
(
context
.
Background
(),
[]
string
{
"audB"
}),
"usertoken1"
);
!
ok
||
u
.
User
.
GetName
()
!=
"user1-different"
{
t
.
Errorf
(
"Expected user1-different"
)
}
}
staging/src/k8s.io/apiserver/pkg/authentication/token/tokenfile/BUILD
View file @
baa8d800
...
@@ -19,6 +19,7 @@ go_library(
...
@@ -19,6 +19,7 @@ go_library(
importmap = "k8s.io/kubernetes/vendor/k8s.io/apiserver/pkg/authentication/token/tokenfile",
importmap = "k8s.io/kubernetes/vendor/k8s.io/apiserver/pkg/authentication/token/tokenfile",
importpath = "k8s.io/apiserver/pkg/authentication/token/tokenfile",
importpath = "k8s.io/apiserver/pkg/authentication/token/tokenfile",
deps = [
deps = [
"//staging/src/k8s.io/apiserver/pkg/authentication/authenticator:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/authentication/user:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/authentication/user:go_default_library",
"//vendor/github.com/golang/glog:go_default_library",
"//vendor/github.com/golang/glog:go_default_library",
],
],
...
...
staging/src/k8s.io/apiserver/pkg/authentication/token/tokenfile/tokenfile.go
View file @
baa8d800
...
@@ -17,6 +17,7 @@ limitations under the License.
...
@@ -17,6 +17,7 @@ limitations under the License.
package
tokenfile
package
tokenfile
import
(
import
(
"context"
"encoding/csv"
"encoding/csv"
"fmt"
"fmt"
"io"
"io"
...
@@ -24,6 +25,7 @@ import (
...
@@ -24,6 +25,7 @@ import (
"strings"
"strings"
"github.com/golang/glog"
"github.com/golang/glog"
"k8s.io/apiserver/pkg/authentication/authenticator"
"k8s.io/apiserver/pkg/authentication/user"
"k8s.io/apiserver/pkg/authentication/user"
)
)
...
@@ -88,10 +90,10 @@ func NewCSV(path string) (*TokenAuthenticator, error) {
...
@@ -88,10 +90,10 @@ func NewCSV(path string) (*TokenAuthenticator, error) {
},
nil
},
nil
}
}
func
(
a
*
TokenAuthenticator
)
AuthenticateToken
(
value
string
)
(
user
.
Info
,
bool
,
error
)
{
func
(
a
*
TokenAuthenticator
)
AuthenticateToken
(
ctx
context
.
Context
,
value
string
)
(
*
authenticator
.
Response
,
bool
,
error
)
{
user
,
ok
:=
a
.
tokens
[
value
]
user
,
ok
:=
a
.
tokens
[
value
]
if
!
ok
{
if
!
ok
{
return
nil
,
false
,
nil
return
nil
,
false
,
nil
}
}
return
user
,
true
,
nil
return
&
authenticator
.
Response
{
User
:
user
}
,
true
,
nil
}
}
staging/src/k8s.io/apiserver/pkg/authentication/token/tokenfile/tokenfile_test.go
View file @
baa8d800
...
@@ -17,6 +17,7 @@ limitations under the License.
...
@@ -17,6 +17,7 @@ limitations under the License.
package
tokenfile
package
tokenfile
import
(
import
(
"context"
"io/ioutil"
"io/ioutil"
"os"
"os"
"reflect"
"reflect"
...
@@ -85,13 +86,13 @@ token7,user7,uid7,"group1,group2",otherdata
...
@@ -85,13 +86,13 @@ token7,user7,uid7,"group1,group2",otherdata
},
},
}
}
for
i
,
testCase
:=
range
testCases
{
for
i
,
testCase
:=
range
testCases
{
user
,
ok
,
err
:=
auth
.
AuthenticateToken
(
testCase
.
Token
)
resp
,
ok
,
err
:=
auth
.
AuthenticateToken
(
context
.
Background
(),
testCase
.
Token
)
if
testCase
.
User
==
nil
{
if
testCase
.
User
==
nil
{
if
user
!=
nil
{
if
resp
!=
nil
{
t
.
Errorf
(
"%d: unexpected non-nil user %#v"
,
i
,
u
ser
)
t
.
Errorf
(
"%d: unexpected non-nil user %#v"
,
i
,
resp
.
U
ser
)
}
}
}
else
if
!
reflect
.
DeepEqual
(
testCase
.
User
,
u
ser
)
{
}
else
if
!
reflect
.
DeepEqual
(
testCase
.
User
,
resp
.
U
ser
)
{
t
.
Errorf
(
"%d: expected user %#v, got %#v"
,
i
,
testCase
.
User
,
u
ser
)
t
.
Errorf
(
"%d: expected user %#v, got %#v"
,
i
,
testCase
.
User
,
resp
.
U
ser
)
}
}
if
testCase
.
Ok
!=
ok
{
if
testCase
.
Ok
!=
ok
{
...
...
staging/src/k8s.io/apiserver/pkg/authentication/token/union/BUILD
View file @
baa8d800
...
@@ -10,7 +10,10 @@ go_test(
...
@@ -10,7 +10,10 @@ go_test(
name = "go_default_test",
name = "go_default_test",
srcs = ["unionauth_test.go"],
srcs = ["unionauth_test.go"],
embed = [":go_default_library"],
embed = [":go_default_library"],
deps = ["//staging/src/k8s.io/apiserver/pkg/authentication/user:go_default_library"],
deps = [
"//staging/src/k8s.io/apiserver/pkg/authentication/authenticator:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/authentication/user:go_default_library",
],
)
)
go_library(
go_library(
...
@@ -21,7 +24,6 @@ go_library(
...
@@ -21,7 +24,6 @@ go_library(
deps = [
deps = [
"//staging/src/k8s.io/apimachinery/pkg/util/errors:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/util/errors:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/authentication/authenticator:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/authentication/authenticator:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/authentication/user:go_default_library",
],
],
)
)
...
...
staging/src/k8s.io/apiserver/pkg/authentication/token/union/union.go
View file @
baa8d800
...
@@ -17,9 +17,10 @@ limitations under the License.
...
@@ -17,9 +17,10 @@ limitations under the License.
package
union
package
union
import
(
import
(
"context"
utilerrors
"k8s.io/apimachinery/pkg/util/errors"
utilerrors
"k8s.io/apimachinery/pkg/util/errors"
"k8s.io/apiserver/pkg/authentication/authenticator"
"k8s.io/apiserver/pkg/authentication/authenticator"
"k8s.io/apiserver/pkg/authentication/user"
)
)
// unionAuthTokenHandler authenticates tokens using a chain of authenticator.Token objects
// unionAuthTokenHandler authenticates tokens using a chain of authenticator.Token objects
...
@@ -49,10 +50,10 @@ func NewFailOnError(authTokenHandlers ...authenticator.Token) authenticator.Toke
...
@@ -49,10 +50,10 @@ func NewFailOnError(authTokenHandlers ...authenticator.Token) authenticator.Toke
}
}
// AuthenticateToken authenticates the token using a chain of authenticator.Token objects.
// AuthenticateToken authenticates the token using a chain of authenticator.Token objects.
func
(
authHandler
*
unionAuthTokenHandler
)
AuthenticateToken
(
token
string
)
(
user
.
Info
,
bool
,
error
)
{
func
(
authHandler
*
unionAuthTokenHandler
)
AuthenticateToken
(
ctx
context
.
Context
,
token
string
)
(
*
authenticator
.
Response
,
bool
,
error
)
{
var
errlist
[]
error
var
errlist
[]
error
for
_
,
currAuthRequestHandler
:=
range
authHandler
.
Handlers
{
for
_
,
currAuthRequestHandler
:=
range
authHandler
.
Handlers
{
info
,
ok
,
err
:=
currAuthRequestHandler
.
AuthenticateToken
(
token
)
info
,
ok
,
err
:=
currAuthRequestHandler
.
AuthenticateToken
(
ctx
,
token
)
if
err
!=
nil
{
if
err
!=
nil
{
if
authHandler
.
FailOnError
{
if
authHandler
.
FailOnError
{
return
info
,
ok
,
err
return
info
,
ok
,
err
...
...
staging/src/k8s.io/apiserver/pkg/authentication/token/union/unionauth_test.go
View file @
baa8d800
...
@@ -17,11 +17,13 @@ limitations under the License.
...
@@ -17,11 +17,13 @@ limitations under the License.
package
union
package
union
import
(
import
(
"context"
"errors"
"errors"
"reflect"
"reflect"
"strings"
"strings"
"testing"
"testing"
"k8s.io/apiserver/pkg/authentication/authenticator"
"k8s.io/apiserver/pkg/authentication/user"
"k8s.io/apiserver/pkg/authentication/user"
)
)
...
@@ -36,8 +38,8 @@ var (
...
@@ -36,8 +38,8 @@ var (
user2
=
&
user
.
DefaultInfo
{
Name
:
"elegant_sheep"
,
UID
:
"bravo"
}
user2
=
&
user
.
DefaultInfo
{
Name
:
"elegant_sheep"
,
UID
:
"bravo"
}
)
)
func
(
mock
*
mockAuthRequestHandler
)
AuthenticateToken
(
token
string
)
(
user
.
Info
,
bool
,
error
)
{
func
(
mock
*
mockAuthRequestHandler
)
AuthenticateToken
(
ctx
context
.
Context
,
token
string
)
(
*
authenticator
.
Response
,
bool
,
error
)
{
return
mock
.
returnUser
,
mock
.
isAuthenticated
,
mock
.
err
return
&
authenticator
.
Response
{
User
:
mock
.
returnUser
}
,
mock
.
isAuthenticated
,
mock
.
err
}
}
func
TestAuthenticateTokenSecondPasses
(
t
*
testing
.
T
)
{
func
TestAuthenticateTokenSecondPasses
(
t
*
testing
.
T
)
{
...
@@ -45,15 +47,15 @@ func TestAuthenticateTokenSecondPasses(t *testing.T) {
...
@@ -45,15 +47,15 @@ func TestAuthenticateTokenSecondPasses(t *testing.T) {
handler2
:=
&
mockAuthRequestHandler
{
returnUser
:
user2
,
isAuthenticated
:
true
}
handler2
:=
&
mockAuthRequestHandler
{
returnUser
:
user2
,
isAuthenticated
:
true
}
authRequestHandler
:=
New
(
handler1
,
handler2
)
authRequestHandler
:=
New
(
handler1
,
handler2
)
authenticatedUser
,
isAuthenticated
,
err
:=
authRequestHandler
.
AuthenticateToken
(
"foo"
)
resp
,
isAuthenticated
,
err
:=
authRequestHandler
.
AuthenticateToken
(
context
.
Background
(),
"foo"
)
if
err
!=
nil
{
if
err
!=
nil
{
t
.
Errorf
(
"Unexpected error: %v"
,
err
)
t
.
Errorf
(
"Unexpected error: %v"
,
err
)
}
}
if
!
isAuthenticated
{
if
!
isAuthenticated
{
t
.
Errorf
(
"Unexpectedly unauthenticated: %v"
,
isAuthenticated
)
t
.
Errorf
(
"Unexpectedly unauthenticated: %v"
,
isAuthenticated
)
}
}
if
!
reflect
.
DeepEqual
(
user2
,
authenticated
User
)
{
if
!
reflect
.
DeepEqual
(
user2
,
resp
.
User
)
{
t
.
Errorf
(
"Expected %v, got %v"
,
user2
,
authenticated
User
)
t
.
Errorf
(
"Expected %v, got %v"
,
user2
,
resp
.
User
)
}
}
}
}
...
@@ -62,15 +64,15 @@ func TestAuthenticateTokenFirstPasses(t *testing.T) {
...
@@ -62,15 +64,15 @@ func TestAuthenticateTokenFirstPasses(t *testing.T) {
handler2
:=
&
mockAuthRequestHandler
{
returnUser
:
user2
}
handler2
:=
&
mockAuthRequestHandler
{
returnUser
:
user2
}
authRequestHandler
:=
New
(
handler1
,
handler2
)
authRequestHandler
:=
New
(
handler1
,
handler2
)
authenticatedUser
,
isAuthenticated
,
err
:=
authRequestHandler
.
AuthenticateToken
(
"foo"
)
resp
,
isAuthenticated
,
err
:=
authRequestHandler
.
AuthenticateToken
(
context
.
Background
(),
"foo"
)
if
err
!=
nil
{
if
err
!=
nil
{
t
.
Errorf
(
"Unexpected error: %v"
,
err
)
t
.
Errorf
(
"Unexpected error: %v"
,
err
)
}
}
if
!
isAuthenticated
{
if
!
isAuthenticated
{
t
.
Errorf
(
"Unexpectedly unauthenticated: %v"
,
isAuthenticated
)
t
.
Errorf
(
"Unexpectedly unauthenticated: %v"
,
isAuthenticated
)
}
}
if
!
reflect
.
DeepEqual
(
user1
,
authenticated
User
)
{
if
!
reflect
.
DeepEqual
(
user1
,
resp
.
User
)
{
t
.
Errorf
(
"Expected %v, got %v"
,
user1
,
authenticated
User
)
t
.
Errorf
(
"Expected %v, got %v"
,
user1
,
resp
.
User
)
}
}
}
}
...
@@ -79,7 +81,7 @@ func TestAuthenticateTokenSuppressUnnecessaryErrors(t *testing.T) {
...
@@ -79,7 +81,7 @@ func TestAuthenticateTokenSuppressUnnecessaryErrors(t *testing.T) {
handler2
:=
&
mockAuthRequestHandler
{
isAuthenticated
:
true
}
handler2
:=
&
mockAuthRequestHandler
{
isAuthenticated
:
true
}
authRequestHandler
:=
New
(
handler1
,
handler2
)
authRequestHandler
:=
New
(
handler1
,
handler2
)
_
,
isAuthenticated
,
err
:=
authRequestHandler
.
AuthenticateToken
(
"foo"
)
_
,
isAuthenticated
,
err
:=
authRequestHandler
.
AuthenticateToken
(
context
.
Background
(),
"foo"
)
if
err
!=
nil
{
if
err
!=
nil
{
t
.
Errorf
(
"Unexpected error: %v"
,
err
)
t
.
Errorf
(
"Unexpected error: %v"
,
err
)
}
}
...
@@ -91,15 +93,15 @@ func TestAuthenticateTokenSuppressUnnecessaryErrors(t *testing.T) {
...
@@ -91,15 +93,15 @@ func TestAuthenticateTokenSuppressUnnecessaryErrors(t *testing.T) {
func
TestAuthenticateTokenNoAuthenticators
(
t
*
testing
.
T
)
{
func
TestAuthenticateTokenNoAuthenticators
(
t
*
testing
.
T
)
{
authRequestHandler
:=
New
()
authRequestHandler
:=
New
()
authenticatedUser
,
isAuthenticated
,
err
:=
authRequestHandler
.
AuthenticateToken
(
"foo"
)
resp
,
isAuthenticated
,
err
:=
authRequestHandler
.
AuthenticateToken
(
context
.
Background
(),
"foo"
)
if
err
!=
nil
{
if
err
!=
nil
{
t
.
Errorf
(
"Unexpected error: %v"
,
err
)
t
.
Errorf
(
"Unexpected error: %v"
,
err
)
}
}
if
isAuthenticated
{
if
isAuthenticated
{
t
.
Errorf
(
"Unexpectedly authenticated: %v"
,
isAuthenticated
)
t
.
Errorf
(
"Unexpectedly authenticated: %v"
,
isAuthenticated
)
}
}
if
authenticatedUser
!=
nil
{
if
resp
!=
nil
{
t
.
Errorf
(
"Unexpected authenticatedUser: %v"
,
authenticatedUser
)
t
.
Errorf
(
"Unexpected authenticatedUser: %v"
,
resp
)
}
}
}
}
...
@@ -108,7 +110,7 @@ func TestAuthenticateTokenNonePass(t *testing.T) {
...
@@ -108,7 +110,7 @@ func TestAuthenticateTokenNonePass(t *testing.T) {
handler2
:=
&
mockAuthRequestHandler
{}
handler2
:=
&
mockAuthRequestHandler
{}
authRequestHandler
:=
New
(
handler1
,
handler2
)
authRequestHandler
:=
New
(
handler1
,
handler2
)
_
,
isAuthenticated
,
err
:=
authRequestHandler
.
AuthenticateToken
(
"foo"
)
_
,
isAuthenticated
,
err
:=
authRequestHandler
.
AuthenticateToken
(
context
.
Background
(),
"foo"
)
if
err
!=
nil
{
if
err
!=
nil
{
t
.
Errorf
(
"Unexpected error: %v"
,
err
)
t
.
Errorf
(
"Unexpected error: %v"
,
err
)
}
}
...
@@ -122,7 +124,7 @@ func TestAuthenticateTokenAdditiveErrors(t *testing.T) {
...
@@ -122,7 +124,7 @@ func TestAuthenticateTokenAdditiveErrors(t *testing.T) {
handler2
:=
&
mockAuthRequestHandler
{
err
:
errors
.
New
(
"second"
)}
handler2
:=
&
mockAuthRequestHandler
{
err
:
errors
.
New
(
"second"
)}
authRequestHandler
:=
New
(
handler1
,
handler2
)
authRequestHandler
:=
New
(
handler1
,
handler2
)
_
,
isAuthenticated
,
err
:=
authRequestHandler
.
AuthenticateToken
(
"foo"
)
_
,
isAuthenticated
,
err
:=
authRequestHandler
.
AuthenticateToken
(
context
.
Background
(),
"foo"
)
if
err
==
nil
{
if
err
==
nil
{
t
.
Errorf
(
"Expected an error"
)
t
.
Errorf
(
"Expected an error"
)
}
}
...
@@ -142,7 +144,7 @@ func TestAuthenticateTokenFailEarly(t *testing.T) {
...
@@ -142,7 +144,7 @@ func TestAuthenticateTokenFailEarly(t *testing.T) {
handler2
:=
&
mockAuthRequestHandler
{
err
:
errors
.
New
(
"second"
)}
handler2
:=
&
mockAuthRequestHandler
{
err
:
errors
.
New
(
"second"
)}
authRequestHandler
:=
NewFailOnError
(
handler1
,
handler2
)
authRequestHandler
:=
NewFailOnError
(
handler1
,
handler2
)
_
,
isAuthenticated
,
err
:=
authRequestHandler
.
AuthenticateToken
(
"foo"
)
_
,
isAuthenticated
,
err
:=
authRequestHandler
.
AuthenticateToken
(
context
.
Background
(),
"foo"
)
if
err
==
nil
{
if
err
==
nil
{
t
.
Errorf
(
"Expected an error"
)
t
.
Errorf
(
"Expected an error"
)
}
}
...
...
staging/src/k8s.io/apiserver/pkg/endpoints/filters/authentication.go
View file @
baa8d800
...
@@ -59,7 +59,7 @@ func WithAuthentication(handler http.Handler, auth authenticator.Request, failed
...
@@ -59,7 +59,7 @@ func WithAuthentication(handler http.Handler, auth authenticator.Request, failed
if
len
(
apiAuds
)
>
0
{
if
len
(
apiAuds
)
>
0
{
req
=
req
.
WithContext
(
genericapirequest
.
WithAudiences
(
req
.
Context
(),
apiAuds
))
req
=
req
.
WithContext
(
genericapirequest
.
WithAudiences
(
req
.
Context
(),
apiAuds
))
}
}
user
,
ok
,
err
:=
auth
.
AuthenticateRequest
(
req
)
resp
,
ok
,
err
:=
auth
.
AuthenticateRequest
(
req
)
if
err
!=
nil
||
!
ok
{
if
err
!=
nil
||
!
ok
{
if
err
!=
nil
{
if
err
!=
nil
{
glog
.
Errorf
(
"Unable to authenticate the request due to an error: %v"
,
err
)
glog
.
Errorf
(
"Unable to authenticate the request due to an error: %v"
,
err
)
...
@@ -68,12 +68,15 @@ func WithAuthentication(handler http.Handler, auth authenticator.Request, failed
...
@@ -68,12 +68,15 @@ func WithAuthentication(handler http.Handler, auth authenticator.Request, failed
return
return
}
}
// TODO(mikedanese): verify the response audience matches one of apiAuds if
// non-empty
// authorization header is not required anymore in case of a successful authentication.
// authorization header is not required anymore in case of a successful authentication.
req
.
Header
.
Del
(
"Authorization"
)
req
.
Header
.
Del
(
"Authorization"
)
req
=
req
.
WithContext
(
genericapirequest
.
WithUser
(
req
.
Context
(),
u
ser
))
req
=
req
.
WithContext
(
genericapirequest
.
WithUser
(
req
.
Context
(),
resp
.
U
ser
))
authenticatedUserCounter
.
WithLabelValues
(
compressUsername
(
u
ser
.
GetName
()))
.
Inc
()
authenticatedUserCounter
.
WithLabelValues
(
compressUsername
(
resp
.
U
ser
.
GetName
()))
.
Inc
()
handler
.
ServeHTTP
(
w
,
req
)
handler
.
ServeHTTP
(
w
,
req
)
})
})
...
...
staging/src/k8s.io/apiserver/pkg/endpoints/filters/authentication_test.go
View file @
baa8d800
...
@@ -41,9 +41,9 @@ func TestAuthenticateRequest(t *testing.T) {
...
@@ -41,9 +41,9 @@ func TestAuthenticateRequest(t *testing.T) {
}
}
close
(
success
)
close
(
success
)
}),
}),
authenticator
.
RequestFunc
(
func
(
req
*
http
.
Request
)
(
user
.
Info
,
bool
,
error
)
{
authenticator
.
RequestFunc
(
func
(
req
*
http
.
Request
)
(
*
authenticator
.
Response
,
bool
,
error
)
{
if
req
.
Header
.
Get
(
"Authorization"
)
==
"Something"
{
if
req
.
Header
.
Get
(
"Authorization"
)
==
"Something"
{
return
&
user
.
DefaultInfo
{
Name
:
"user"
},
true
,
nil
return
&
authenticator
.
Response
{
User
:
&
user
.
DefaultInfo
{
Name
:
"user"
}
},
true
,
nil
}
}
return
nil
,
false
,
errors
.
New
(
"Authorization header is missing."
)
return
nil
,
false
,
errors
.
New
(
"Authorization header is missing."
)
}),
}),
...
@@ -64,7 +64,7 @@ func TestAuthenticateRequestFailed(t *testing.T) {
...
@@ -64,7 +64,7 @@ func TestAuthenticateRequestFailed(t *testing.T) {
http
.
HandlerFunc
(
func
(
_
http
.
ResponseWriter
,
req
*
http
.
Request
)
{
http
.
HandlerFunc
(
func
(
_
http
.
ResponseWriter
,
req
*
http
.
Request
)
{
t
.
Errorf
(
"unexpected call to handler"
)
t
.
Errorf
(
"unexpected call to handler"
)
}),
}),
authenticator
.
RequestFunc
(
func
(
req
*
http
.
Request
)
(
user
.
Info
,
bool
,
error
)
{
authenticator
.
RequestFunc
(
func
(
req
*
http
.
Request
)
(
*
authenticator
.
Response
,
bool
,
error
)
{
return
nil
,
false
,
nil
return
nil
,
false
,
nil
}),
}),
http
.
HandlerFunc
(
func
(
_
http
.
ResponseWriter
,
_
*
http
.
Request
)
{
http
.
HandlerFunc
(
func
(
_
http
.
ResponseWriter
,
_
*
http
.
Request
)
{
...
@@ -84,7 +84,7 @@ func TestAuthenticateRequestError(t *testing.T) {
...
@@ -84,7 +84,7 @@ func TestAuthenticateRequestError(t *testing.T) {
http
.
HandlerFunc
(
func
(
_
http
.
ResponseWriter
,
req
*
http
.
Request
)
{
http
.
HandlerFunc
(
func
(
_
http
.
ResponseWriter
,
req
*
http
.
Request
)
{
t
.
Errorf
(
"unexpected call to handler"
)
t
.
Errorf
(
"unexpected call to handler"
)
}),
}),
authenticator
.
RequestFunc
(
func
(
req
*
http
.
Request
)
(
user
.
Info
,
bool
,
error
)
{
authenticator
.
RequestFunc
(
func
(
req
*
http
.
Request
)
(
*
authenticator
.
Response
,
bool
,
error
)
{
return
nil
,
false
,
errors
.
New
(
"failure"
)
return
nil
,
false
,
errors
.
New
(
"failure"
)
}),
}),
http
.
HandlerFunc
(
func
(
_
http
.
ResponseWriter
,
_
*
http
.
Request
)
{
http
.
HandlerFunc
(
func
(
_
http
.
ResponseWriter
,
_
*
http
.
Request
)
{
...
...
staging/src/k8s.io/apiserver/pkg/server/deprecated_insecure_serving.go
View file @
baa8d800
...
@@ -23,6 +23,7 @@ import (
...
@@ -23,6 +23,7 @@ import (
"github.com/golang/glog"
"github.com/golang/glog"
"k8s.io/apiserver/pkg/authentication/authenticator"
"k8s.io/apiserver/pkg/authentication/user"
"k8s.io/apiserver/pkg/authentication/user"
"k8s.io/client-go/rest"
"k8s.io/client-go/rest"
)
)
...
@@ -77,9 +78,11 @@ func (s *DeprecatedInsecureServingInfo) NewLoopbackClientConfig() (*rest.Config,
...
@@ -77,9 +78,11 @@ func (s *DeprecatedInsecureServingInfo) NewLoopbackClientConfig() (*rest.Config,
// but allows apiserver code to stop special-casing a nil user to skip authorization checks.
// but allows apiserver code to stop special-casing a nil user to skip authorization checks.
type
InsecureSuperuser
struct
{}
type
InsecureSuperuser
struct
{}
func
(
InsecureSuperuser
)
AuthenticateRequest
(
req
*
http
.
Request
)
(
user
.
Info
,
bool
,
error
)
{
func
(
InsecureSuperuser
)
AuthenticateRequest
(
req
*
http
.
Request
)
(
*
authenticator
.
Response
,
bool
,
error
)
{
return
&
user
.
DefaultInfo
{
return
&
authenticator
.
Response
{
Name
:
"system:unsecured"
,
User
:
&
user
.
DefaultInfo
{
Groups
:
[]
string
{
user
.
SystemPrivilegedGroup
,
user
.
AllAuthenticated
},
Name
:
"system:unsecured"
,
Groups
:
[]
string
{
user
.
SystemPrivilegedGroup
,
user
.
AllAuthenticated
},
},
},
true
,
nil
},
true
,
nil
}
}
staging/src/k8s.io/apiserver/plugin/pkg/authenticator/password/passwordfile/BUILD
View file @
baa8d800
...
@@ -19,6 +19,7 @@ go_library(
...
@@ -19,6 +19,7 @@ go_library(
importmap = "k8s.io/kubernetes/vendor/k8s.io/apiserver/plugin/pkg/authenticator/password/passwordfile",
importmap = "k8s.io/kubernetes/vendor/k8s.io/apiserver/plugin/pkg/authenticator/password/passwordfile",
importpath = "k8s.io/apiserver/plugin/pkg/authenticator/password/passwordfile",
importpath = "k8s.io/apiserver/plugin/pkg/authenticator/password/passwordfile",
deps = [
deps = [
"//staging/src/k8s.io/apiserver/pkg/authentication/authenticator:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/authentication/user:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/authentication/user:go_default_library",
"//vendor/github.com/golang/glog:go_default_library",
"//vendor/github.com/golang/glog:go_default_library",
],
],
...
...
staging/src/k8s.io/apiserver/plugin/pkg/authenticator/password/passwordfile/passwordfile.go
View file @
baa8d800
...
@@ -17,6 +17,7 @@ limitations under the License.
...
@@ -17,6 +17,7 @@ limitations under the License.
package
passwordfile
package
passwordfile
import
(
import
(
"context"
"encoding/csv"
"encoding/csv"
"fmt"
"fmt"
"io"
"io"
...
@@ -25,6 +26,7 @@ import (
...
@@ -25,6 +26,7 @@ import (
"github.com/golang/glog"
"github.com/golang/glog"
"k8s.io/apiserver/pkg/authentication/authenticator"
"k8s.io/apiserver/pkg/authentication/user"
"k8s.io/apiserver/pkg/authentication/user"
)
)
...
@@ -78,7 +80,7 @@ func NewCSV(path string) (*PasswordAuthenticator, error) {
...
@@ -78,7 +80,7 @@ func NewCSV(path string) (*PasswordAuthenticator, error) {
return
&
PasswordAuthenticator
{
users
},
nil
return
&
PasswordAuthenticator
{
users
},
nil
}
}
func
(
a
*
PasswordAuthenticator
)
AuthenticatePassword
(
username
,
password
string
)
(
user
.
Info
,
bool
,
error
)
{
func
(
a
*
PasswordAuthenticator
)
AuthenticatePassword
(
ctx
context
.
Context
,
username
,
password
string
)
(
*
authenticator
.
Response
,
bool
,
error
)
{
user
,
ok
:=
a
.
users
[
username
]
user
,
ok
:=
a
.
users
[
username
]
if
!
ok
{
if
!
ok
{
return
nil
,
false
,
nil
return
nil
,
false
,
nil
...
@@ -86,5 +88,5 @@ func (a *PasswordAuthenticator) AuthenticatePassword(username, password string)
...
@@ -86,5 +88,5 @@ func (a *PasswordAuthenticator) AuthenticatePassword(username, password string)
if
user
.
password
!=
password
{
if
user
.
password
!=
password
{
return
nil
,
false
,
nil
return
nil
,
false
,
nil
}
}
return
user
.
info
,
true
,
nil
return
&
authenticator
.
Response
{
User
:
user
.
info
}
,
true
,
nil
}
}
staging/src/k8s.io/apiserver/plugin/pkg/authenticator/password/passwordfile/passwordfile_test.go
View file @
baa8d800
...
@@ -17,6 +17,7 @@ limitations under the License.
...
@@ -17,6 +17,7 @@ limitations under the License.
package
passwordfile
package
passwordfile
import
(
import
(
"context"
"io/ioutil"
"io/ioutil"
"os"
"os"
"reflect"
"reflect"
...
@@ -110,16 +111,16 @@ password7,user7,uid7,"group1,group2",otherdata
...
@@ -110,16 +111,16 @@ password7,user7,uid7,"group1,group2",otherdata
},
},
}
}
for
i
,
testCase
:=
range
testCases
{
for
i
,
testCase
:=
range
testCases
{
user
,
ok
,
err
:=
auth
.
AuthenticatePassword
(
testCase
.
Username
,
testCase
.
Password
)
resp
,
ok
,
err
:=
auth
.
AuthenticatePassword
(
context
.
Background
(),
testCase
.
Username
,
testCase
.
Password
)
if
err
!=
nil
{
if
err
!=
nil
{
t
.
Errorf
(
"%d: unexpected error: %v"
,
i
,
err
)
t
.
Errorf
(
"%d: unexpected error: %v"
,
i
,
err
)
}
}
if
testCase
.
User
==
nil
{
if
testCase
.
User
==
nil
{
if
user
!=
nil
{
if
resp
!=
nil
{
t
.
Errorf
(
"%d: unexpected non-nil user %#v"
,
i
,
u
ser
)
t
.
Errorf
(
"%d: unexpected non-nil user %#v"
,
i
,
resp
.
U
ser
)
}
}
}
else
if
!
reflect
.
DeepEqual
(
testCase
.
User
,
u
ser
)
{
}
else
if
!
reflect
.
DeepEqual
(
testCase
.
User
,
resp
.
U
ser
)
{
t
.
Errorf
(
"%d: expected user %#v, got %#v"
,
i
,
testCase
.
User
,
u
ser
)
t
.
Errorf
(
"%d: expected user %#v, got %#v"
,
i
,
testCase
.
User
,
resp
.
U
ser
)
}
}
if
testCase
.
Ok
!=
ok
{
if
testCase
.
Ok
!=
ok
{
t
.
Errorf
(
"%d: expected auth %v, got %v"
,
i
,
testCase
.
Ok
,
ok
)
t
.
Errorf
(
"%d: expected auth %v, got %v"
,
i
,
testCase
.
Ok
,
ok
)
...
...
staging/src/k8s.io/apiserver/plugin/pkg/authenticator/request/basicauth/BUILD
View file @
baa8d800
...
@@ -21,10 +21,7 @@ go_library(
...
@@ -21,10 +21,7 @@ go_library(
srcs = ["basicauth.go"],
srcs = ["basicauth.go"],
importmap = "k8s.io/kubernetes/vendor/k8s.io/apiserver/plugin/pkg/authenticator/request/basicauth",
importmap = "k8s.io/kubernetes/vendor/k8s.io/apiserver/plugin/pkg/authenticator/request/basicauth",
importpath = "k8s.io/apiserver/plugin/pkg/authenticator/request/basicauth",
importpath = "k8s.io/apiserver/plugin/pkg/authenticator/request/basicauth",
deps = [
deps = ["//staging/src/k8s.io/apiserver/pkg/authentication/authenticator:go_default_library"],
"//staging/src/k8s.io/apiserver/pkg/authentication/authenticator:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/authentication/user:go_default_library",
],
)
)
filegroup(
filegroup(
...
...
staging/src/k8s.io/apiserver/plugin/pkg/authenticator/request/basicauth/basicauth.go
View file @
baa8d800
...
@@ -21,7 +21,6 @@ import (
...
@@ -21,7 +21,6 @@ import (
"net/http"
"net/http"
"k8s.io/apiserver/pkg/authentication/authenticator"
"k8s.io/apiserver/pkg/authentication/authenticator"
"k8s.io/apiserver/pkg/authentication/user"
)
)
// Authenticator authenticates requests using basic auth
// Authenticator authenticates requests using basic auth
...
@@ -37,18 +36,18 @@ func New(auth authenticator.Password) *Authenticator {
...
@@ -37,18 +36,18 @@ func New(auth authenticator.Password) *Authenticator {
var
errInvalidAuth
=
errors
.
New
(
"invalid username/password combination"
)
var
errInvalidAuth
=
errors
.
New
(
"invalid username/password combination"
)
// AuthenticateRequest authenticates the request using the "Authorization: Basic" header in the request
// AuthenticateRequest authenticates the request using the "Authorization: Basic" header in the request
func
(
a
*
Authenticator
)
AuthenticateRequest
(
req
*
http
.
Request
)
(
user
.
Info
,
bool
,
error
)
{
func
(
a
*
Authenticator
)
AuthenticateRequest
(
req
*
http
.
Request
)
(
*
authenticator
.
Response
,
bool
,
error
)
{
username
,
password
,
found
:=
req
.
BasicAuth
()
username
,
password
,
found
:=
req
.
BasicAuth
()
if
!
found
{
if
!
found
{
return
nil
,
false
,
nil
return
nil
,
false
,
nil
}
}
user
,
ok
,
err
:=
a
.
auth
.
AuthenticatePassword
(
username
,
password
)
resp
,
ok
,
err
:=
a
.
auth
.
AuthenticatePassword
(
req
.
Context
(),
username
,
password
)
// If the password authenticator didn't error, provide a default error
// If the password authenticator didn't error, provide a default error
if
!
ok
&&
err
==
nil
{
if
!
ok
&&
err
==
nil
{
err
=
errInvalidAuth
err
=
errInvalidAuth
}
}
return
user
,
ok
,
err
return
resp
,
ok
,
err
}
}
staging/src/k8s.io/apiserver/plugin/pkg/authenticator/request/basicauth/basicauth_test.go
View file @
baa8d800
...
@@ -17,6 +17,7 @@ limitations under the License.
...
@@ -17,6 +17,7 @@ limitations under the License.
package
basicauth
package
basicauth
import
(
import
(
"context"
"errors"
"errors"
"net/http"
"net/http"
"testing"
"testing"
...
@@ -35,11 +36,11 @@ type testPassword struct {
...
@@ -35,11 +36,11 @@ type testPassword struct {
Err
error
Err
error
}
}
func
(
t
*
testPassword
)
AuthenticatePassword
(
user
,
password
string
)
(
user
.
Info
,
bool
,
error
)
{
func
(
t
*
testPassword
)
AuthenticatePassword
(
ctx
context
.
Context
,
user
,
password
string
)
(
*
authenticator
.
Response
,
bool
,
error
)
{
t
.
Called
=
true
t
.
Called
=
true
t
.
Username
=
user
t
.
Username
=
user
t
.
Password
=
password
t
.
Password
=
password
return
t
.
User
,
t
.
OK
,
t
.
Err
return
&
authenticator
.
Response
{
User
:
t
.
User
}
,
t
.
OK
,
t
.
Err
}
}
func
TestBasicAuth
(
t
*
testing
.
T
)
{
func
TestBasicAuth
(
t
*
testing
.
T
)
{
...
@@ -94,7 +95,7 @@ func TestBasicAuth(t *testing.T) {
...
@@ -94,7 +95,7 @@ func TestBasicAuth(t *testing.T) {
req
.
SetBasicAuth
(
testCase
.
ExpectedUsername
,
testCase
.
ExpectedPassword
)
req
.
SetBasicAuth
(
testCase
.
ExpectedUsername
,
testCase
.
ExpectedPassword
)
}
}
user
,
ok
,
err
:=
auth
.
AuthenticateRequest
(
req
)
resp
,
ok
,
err
:=
auth
.
AuthenticateRequest
(
req
)
if
testCase
.
ExpectedCalled
!=
password
.
Called
{
if
testCase
.
ExpectedCalled
!=
password
.
Called
{
t
.
Errorf
(
"%s: Expected called=%v, got %v"
,
k
,
testCase
.
ExpectedCalled
,
password
.
Called
)
t
.
Errorf
(
"%s: Expected called=%v, got %v"
,
k
,
testCase
.
ExpectedCalled
,
password
.
Called
)
...
@@ -117,8 +118,8 @@ func TestBasicAuth(t *testing.T) {
...
@@ -117,8 +118,8 @@ func TestBasicAuth(t *testing.T) {
t
.
Errorf
(
"%s: Expected ok=%v, got ok=%v"
,
k
,
testCase
.
ExpectedOK
,
ok
)
t
.
Errorf
(
"%s: Expected ok=%v, got ok=%v"
,
k
,
testCase
.
ExpectedOK
,
ok
)
continue
continue
}
}
if
testCase
.
ExpectedUser
!=
""
&&
testCase
.
ExpectedUser
!=
u
ser
.
GetName
()
{
if
testCase
.
ExpectedUser
!=
""
&&
testCase
.
ExpectedUser
!=
resp
.
U
ser
.
GetName
()
{
t
.
Errorf
(
"%s: Expected user.GetName()=%v, got %v"
,
k
,
testCase
.
ExpectedUser
,
u
ser
.
GetName
())
t
.
Errorf
(
"%s: Expected user.GetName()=%v, got %v"
,
k
,
testCase
.
ExpectedUser
,
resp
.
U
ser
.
GetName
())
continue
continue
}
}
}
}
...
...
staging/src/k8s.io/apiserver/plugin/pkg/authenticator/token/oidc/BUILD
View file @
baa8d800
...
@@ -28,6 +28,7 @@ go_library(
...
@@ -28,6 +28,7 @@ go_library(
deps = [
deps = [
"//staging/src/k8s.io/apimachinery/pkg/util/net:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/util/net:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/util/wait:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/util/wait:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/authentication/authenticator:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/authentication/user:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/authentication/user:go_default_library",
"//staging/src/k8s.io/client-go/util/cert:go_default_library",
"//staging/src/k8s.io/client-go/util/cert:go_default_library",
"//vendor/github.com/coreos/go-oidc:go_default_library",
"//vendor/github.com/coreos/go-oidc:go_default_library",
...
...
staging/src/k8s.io/apiserver/plugin/pkg/authenticator/token/oidc/oidc.go
View file @
baa8d800
...
@@ -44,8 +44,10 @@ import (
...
@@ -44,8 +44,10 @@ import (
oidc
"github.com/coreos/go-oidc"
oidc
"github.com/coreos/go-oidc"
"github.com/golang/glog"
"github.com/golang/glog"
"k8s.io/apimachinery/pkg/util/net"
"k8s.io/apimachinery/pkg/util/net"
"k8s.io/apimachinery/pkg/util/wait"
"k8s.io/apimachinery/pkg/util/wait"
"k8s.io/apiserver/pkg/authentication/authenticator"
"k8s.io/apiserver/pkg/authentication/user"
"k8s.io/apiserver/pkg/authentication/user"
certutil
"k8s.io/client-go/util/cert"
certutil
"k8s.io/client-go/util/cert"
)
)
...
@@ -529,7 +531,7 @@ func (r *claimResolver) resolve(endpoint endpoint, allClaims claims) error {
...
@@ -529,7 +531,7 @@ func (r *claimResolver) resolve(endpoint endpoint, allClaims claims) error {
return
nil
return
nil
}
}
func
(
a
*
Authenticator
)
AuthenticateToken
(
token
string
)
(
user
.
Info
,
bool
,
error
)
{
func
(
a
*
Authenticator
)
AuthenticateToken
(
ctx
context
.
Context
,
token
string
)
(
*
authenticator
.
Response
,
bool
,
error
)
{
if
!
hasCorrectIssuer
(
a
.
issuerURL
,
token
)
{
if
!
hasCorrectIssuer
(
a
.
issuerURL
,
token
)
{
return
nil
,
false
,
nil
return
nil
,
false
,
nil
}
}
...
@@ -539,7 +541,6 @@ func (a *Authenticator) AuthenticateToken(token string) (user.Info, bool, error)
...
@@ -539,7 +541,6 @@ func (a *Authenticator) AuthenticateToken(token string) (user.Info, bool, error)
return
nil
,
false
,
fmt
.
Errorf
(
"oidc: authenticator not initialized"
)
return
nil
,
false
,
fmt
.
Errorf
(
"oidc: authenticator not initialized"
)
}
}
ctx
:=
context
.
Background
()
idToken
,
err
:=
verifier
.
Verify
(
ctx
,
token
)
idToken
,
err
:=
verifier
.
Verify
(
ctx
,
token
)
if
err
!=
nil
{
if
err
!=
nil
{
return
nil
,
false
,
fmt
.
Errorf
(
"oidc: verify token: %v"
,
err
)
return
nil
,
false
,
fmt
.
Errorf
(
"oidc: verify token: %v"
,
err
)
...
@@ -617,7 +618,7 @@ func (a *Authenticator) AuthenticateToken(token string) (user.Info, bool, error)
...
@@ -617,7 +618,7 @@ func (a *Authenticator) AuthenticateToken(token string) (user.Info, bool, error)
}
}
}
}
return
info
,
true
,
nil
return
&
authenticator
.
Response
{
User
:
info
}
,
true
,
nil
}
}
// getClaimJWT gets a distributed claim JWT from url, using the supplied access
// getClaimJWT gets a distributed claim JWT from url, using the supplied access
...
...
staging/src/k8s.io/apiserver/plugin/pkg/authenticator/token/oidc/oidc_test.go
View file @
baa8d800
...
@@ -296,7 +296,8 @@ func (c *claimsTest) run(t *testing.T) {
...
@@ -296,7 +296,8 @@ func (c *claimsTest) run(t *testing.T) {
t
.
Fatalf
(
"serialize token: %v"
,
err
)
t
.
Fatalf
(
"serialize token: %v"
,
err
)
}
}
got
,
ok
,
err
:=
a
.
AuthenticateToken
(
token
)
got
,
ok
,
err
:=
a
.
AuthenticateToken
(
context
.
Background
(),
token
)
if
err
!=
nil
{
if
err
!=
nil
{
if
!
c
.
wantErr
{
if
!
c
.
wantErr
{
t
.
Fatalf
(
"authenticate token: %v"
,
err
)
t
.
Fatalf
(
"authenticate token: %v"
,
err
)
...
@@ -318,7 +319,7 @@ func (c *claimsTest) run(t *testing.T) {
...
@@ -318,7 +319,7 @@ func (c *claimsTest) run(t *testing.T) {
t
.
Fatalf
(
"expected authenticator to skip token"
)
t
.
Fatalf
(
"expected authenticator to skip token"
)
}
}
gotUser
:=
got
.
(
*
user
.
DefaultInfo
)
gotUser
:=
got
.
User
.
(
*
user
.
DefaultInfo
)
if
!
reflect
.
DeepEqual
(
gotUser
,
c
.
want
)
{
if
!
reflect
.
DeepEqual
(
gotUser
,
c
.
want
)
{
t
.
Fatalf
(
"wanted user=%#v, got=%#v"
,
c
.
want
,
gotUser
)
t
.
Fatalf
(
"wanted user=%#v, got=%#v"
,
c
.
want
,
gotUser
)
}
}
...
...
staging/src/k8s.io/apiserver/plugin/pkg/authenticator/token/tokentest/BUILD
View file @
baa8d800
...
@@ -11,7 +11,10 @@ go_library(
...
@@ -11,7 +11,10 @@ go_library(
srcs = ["tokentest.go"],
srcs = ["tokentest.go"],
importmap = "k8s.io/kubernetes/vendor/k8s.io/apiserver/plugin/pkg/authenticator/token/tokentest",
importmap = "k8s.io/kubernetes/vendor/k8s.io/apiserver/plugin/pkg/authenticator/token/tokentest",
importpath = "k8s.io/apiserver/plugin/pkg/authenticator/token/tokentest",
importpath = "k8s.io/apiserver/plugin/pkg/authenticator/token/tokentest",
deps = ["//staging/src/k8s.io/apiserver/pkg/authentication/user:go_default_library"],
deps = [
"//staging/src/k8s.io/apiserver/pkg/authentication/authenticator:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/authentication/user:go_default_library",
],
)
)
filegroup(
filegroup(
...
...
staging/src/k8s.io/apiserver/plugin/pkg/authenticator/token/tokentest/tokentest.go
View file @
baa8d800
...
@@ -16,7 +16,12 @@ limitations under the License.
...
@@ -16,7 +16,12 @@ limitations under the License.
package
tokentest
package
tokentest
import
"k8s.io/apiserver/pkg/authentication/user"
import
(
"context"
"k8s.io/apiserver/pkg/authentication/authenticator"
"k8s.io/apiserver/pkg/authentication/user"
)
type
TokenAuthenticator
struct
{
type
TokenAuthenticator
struct
{
Tokens
map
[
string
]
*
user
.
DefaultInfo
Tokens
map
[
string
]
*
user
.
DefaultInfo
...
@@ -27,10 +32,11 @@ func New() *TokenAuthenticator {
...
@@ -27,10 +32,11 @@ func New() *TokenAuthenticator {
Tokens
:
make
(
map
[
string
]
*
user
.
DefaultInfo
),
Tokens
:
make
(
map
[
string
]
*
user
.
DefaultInfo
),
}
}
}
}
func
(
a
*
TokenAuthenticator
)
AuthenticateToken
(
value
string
)
(
user
.
Info
,
bool
,
error
)
{
func
(
a
*
TokenAuthenticator
)
AuthenticateToken
(
ctx
context
.
Context
,
value
string
)
(
*
authenticator
.
Response
,
bool
,
error
)
{
user
,
ok
:=
a
.
Tokens
[
value
]
user
,
ok
:=
a
.
Tokens
[
value
]
if
!
ok
{
if
!
ok
{
return
nil
,
false
,
nil
return
nil
,
false
,
nil
}
}
return
user
,
true
,
nil
return
&
authenticator
.
Response
{
User
:
user
}
,
true
,
nil
}
}
staging/src/k8s.io/apiserver/plugin/pkg/authenticator/token/webhook/webhook.go
View file @
baa8d800
...
@@ -18,6 +18,7 @@ limitations under the License.
...
@@ -18,6 +18,7 @@ limitations under the License.
package
webhook
package
webhook
import
(
import
(
"context"
"time"
"time"
"github.com/golang/glog"
"github.com/golang/glog"
...
@@ -69,7 +70,7 @@ func newWithBackoff(tokenReview authenticationclient.TokenReviewInterface, ttl,
...
@@ -69,7 +70,7 @@ func newWithBackoff(tokenReview authenticationclient.TokenReviewInterface, ttl,
}
}
// AuthenticateToken implements the authenticator.Token interface.
// AuthenticateToken implements the authenticator.Token interface.
func
(
w
*
WebhookTokenAuthenticator
)
AuthenticateToken
(
token
string
)
(
user
.
Info
,
bool
,
error
)
{
func
(
w
*
WebhookTokenAuthenticator
)
AuthenticateToken
(
ctx
context
.
Context
,
token
string
)
(
*
authenticator
.
Response
,
bool
,
error
)
{
r
:=
&
authentication
.
TokenReview
{
r
:=
&
authentication
.
TokenReview
{
Spec
:
authentication
.
TokenReviewSpec
{
Token
:
token
},
Spec
:
authentication
.
TokenReviewSpec
{
Token
:
token
},
}
}
...
@@ -104,11 +105,13 @@ func (w *WebhookTokenAuthenticator) AuthenticateToken(token string) (user.Info,
...
@@ -104,11 +105,13 @@ func (w *WebhookTokenAuthenticator) AuthenticateToken(token string) (user.Info,
}
}
}
}
return
&
user
.
DefaultInfo
{
return
&
authenticator
.
Response
{
Name
:
r
.
Status
.
User
.
Username
,
User
:
&
user
.
DefaultInfo
{
UID
:
r
.
Status
.
User
.
UID
,
Name
:
r
.
Status
.
User
.
Username
,
Groups
:
r
.
Status
.
User
.
Groups
,
UID
:
r
.
Status
.
User
.
UID
,
Extra
:
extra
,
Groups
:
r
.
Status
.
User
.
Groups
,
Extra
:
extra
,
},
},
true
,
nil
},
true
,
nil
}
}
...
...
staging/src/k8s.io/apiserver/plugin/pkg/authenticator/token/webhook/webhook_test.go
View file @
baa8d800
...
@@ -17,6 +17,7 @@ limitations under the License.
...
@@ -17,6 +17,7 @@ limitations under the License.
package
webhook
package
webhook
import
(
import
(
"context"
"crypto/tls"
"crypto/tls"
"crypto/x509"
"crypto/x509"
"encoding/json"
"encoding/json"
...
@@ -257,7 +258,7 @@ func TestTLSConfig(t *testing.T) {
...
@@ -257,7 +258,7 @@ func TestTLSConfig(t *testing.T) {
// Allow all and see if we get an error.
// Allow all and see if we get an error.
service
.
Allow
()
service
.
Allow
()
_
,
authenticated
,
err
:=
wh
.
AuthenticateToken
(
"t0k3n"
)
_
,
authenticated
,
err
:=
wh
.
AuthenticateToken
(
context
.
Background
(),
"t0k3n"
)
if
tt
.
wantErr
{
if
tt
.
wantErr
{
if
err
==
nil
{
if
err
==
nil
{
t
.
Errorf
(
"expected error making authorization request: %v"
,
err
)
t
.
Errorf
(
"expected error making authorization request: %v"
,
err
)
...
@@ -270,7 +271,7 @@ func TestTLSConfig(t *testing.T) {
...
@@ -270,7 +271,7 @@ func TestTLSConfig(t *testing.T) {
}
}
service
.
Deny
()
service
.
Deny
()
_
,
authenticated
,
err
=
wh
.
AuthenticateToken
(
"t0k3n"
)
_
,
authenticated
,
err
=
wh
.
AuthenticateToken
(
context
.
Background
(),
"t0k3n"
)
if
err
!=
nil
{
if
err
!=
nil
{
t
.
Errorf
(
"%s: unexpectedly failed AuthenticateToken"
,
tt
.
test
)
t
.
Errorf
(
"%s: unexpectedly failed AuthenticateToken"
,
tt
.
test
)
}
}
...
@@ -374,7 +375,7 @@ func TestWebhookTokenAuthenticator(t *testing.T) {
...
@@ -374,7 +375,7 @@ func TestWebhookTokenAuthenticator(t *testing.T) {
token
:=
"my-s3cr3t-t0ken"
token
:=
"my-s3cr3t-t0ken"
for
i
,
tt
:=
range
tests
{
for
i
,
tt
:=
range
tests
{
serv
.
response
=
tt
.
serverResponse
serv
.
response
=
tt
.
serverResponse
user
,
authenticated
,
err
:=
wh
.
AuthenticateToken
(
token
)
resp
,
authenticated
,
err
:=
wh
.
AuthenticateToken
(
context
.
Background
(),
token
)
if
err
!=
nil
{
if
err
!=
nil
{
t
.
Errorf
(
"case %d: authentication failed: %v"
,
i
,
err
)
t
.
Errorf
(
"case %d: authentication failed: %v"
,
i
,
err
)
continue
continue
...
@@ -391,9 +392,9 @@ func TestWebhookTokenAuthenticator(t *testing.T) {
...
@@ -391,9 +392,9 @@ func TestWebhookTokenAuthenticator(t *testing.T) {
t
.
Errorf
(
"case %d: Plugin returned incorrect authentication response. Got %t, expected %t."
,
t
.
Errorf
(
"case %d: Plugin returned incorrect authentication response. Got %t, expected %t."
,
i
,
authenticated
,
tt
.
expectedAuthenticated
)
i
,
authenticated
,
tt
.
expectedAuthenticated
)
}
}
if
user
!=
nil
&&
tt
.
expectedUser
!=
nil
&&
!
reflect
.
DeepEqual
(
u
ser
,
tt
.
expectedUser
)
{
if
resp
!=
nil
&&
tt
.
expectedUser
!=
nil
&&
!
reflect
.
DeepEqual
(
resp
.
U
ser
,
tt
.
expectedUser
)
{
t
.
Errorf
(
"case %d: Plugin returned incorrect user. Got %#v, expected %#v"
,
t
.
Errorf
(
"case %d: Plugin returned incorrect user. Got %#v, expected %#v"
,
i
,
u
ser
,
tt
.
expectedUser
)
i
,
resp
.
U
ser
,
tt
.
expectedUser
)
}
}
}
}
}
}
...
@@ -540,12 +541,12 @@ func TestWebhookCacheAndRetry(t *testing.T) {
...
@@ -540,12 +541,12 @@ func TestWebhookCacheAndRetry(t *testing.T) {
}
}
for
_
,
testcase
:=
range
testcases
{
for
_
,
testcase
:=
range
testcases
{
func
(
)
{
t
.
Run
(
testcase
.
description
,
func
(
t
*
testing
.
T
)
{
serv
.
allow
=
testcase
.
allow
serv
.
allow
=
testcase
.
allow
serv
.
statusCode
=
testcase
.
code
serv
.
statusCode
=
testcase
.
code
serv
.
called
=
0
serv
.
called
=
0
_
,
ok
,
err
:=
wh
.
AuthenticateToken
(
testcase
.
token
)
_
,
ok
,
err
:=
wh
.
AuthenticateToken
(
context
.
Background
(),
testcase
.
token
)
hasError
:=
err
!=
nil
hasError
:=
err
!=
nil
if
hasError
!=
testcase
.
expectError
{
if
hasError
!=
testcase
.
expectError
{
t
.
Log
(
testcase
.
description
)
t
.
Log
(
testcase
.
description
)
...
@@ -559,6 +560,6 @@ func TestWebhookCacheAndRetry(t *testing.T) {
...
@@ -559,6 +560,6 @@ func TestWebhookCacheAndRetry(t *testing.T) {
t
.
Log
(
testcase
.
description
)
t
.
Log
(
testcase
.
description
)
t
.
Errorf
(
"Expected ok=%v, got %v"
,
testcase
.
expectOk
,
ok
)
t
.
Errorf
(
"Expected ok=%v, got %v"
,
testcase
.
expectOk
,
ok
)
}
}
}
(
)
})
}
}
}
}
test/integration/auth/accessreview_test.go
View file @
baa8d800
...
@@ -46,9 +46,11 @@ func (sarAuthorizer) Authorize(a authorizer.Attributes) (authorizer.Decision, st
...
@@ -46,9 +46,11 @@ func (sarAuthorizer) Authorize(a authorizer.Attributes) (authorizer.Decision, st
return
authorizer
.
DecisionAllow
,
"you're not dave"
,
nil
return
authorizer
.
DecisionAllow
,
"you're not dave"
,
nil
}
}
func
alwaysAlice
(
req
*
http
.
Request
)
(
user
.
Info
,
bool
,
error
)
{
func
alwaysAlice
(
req
*
http
.
Request
)
(
*
authenticator
.
Response
,
bool
,
error
)
{
return
&
user
.
DefaultInfo
{
return
&
authenticator
.
Response
{
Name
:
"alice"
,
User
:
&
user
.
DefaultInfo
{
Name
:
"alice"
,
},
},
true
,
nil
},
true
,
nil
}
}
...
@@ -145,8 +147,10 @@ func TestSubjectAccessReview(t *testing.T) {
...
@@ -145,8 +147,10 @@ func TestSubjectAccessReview(t *testing.T) {
func
TestSelfSubjectAccessReview
(
t
*
testing
.
T
)
{
func
TestSelfSubjectAccessReview
(
t
*
testing
.
T
)
{
username
:=
"alice"
username
:=
"alice"
masterConfig
:=
framework
.
NewIntegrationTestMasterConfig
()
masterConfig
:=
framework
.
NewIntegrationTestMasterConfig
()
masterConfig
.
GenericConfig
.
Authentication
.
Authenticator
=
authenticator
.
RequestFunc
(
func
(
req
*
http
.
Request
)
(
user
.
Info
,
bool
,
error
)
{
masterConfig
.
GenericConfig
.
Authentication
.
Authenticator
=
authenticator
.
RequestFunc
(
func
(
req
*
http
.
Request
)
(
*
authenticator
.
Response
,
bool
,
error
)
{
return
&
user
.
DefaultInfo
{
Name
:
username
},
true
,
nil
return
&
authenticator
.
Response
{
User
:
&
user
.
DefaultInfo
{
Name
:
username
},
},
true
,
nil
})
})
masterConfig
.
GenericConfig
.
Authorization
.
Authorizer
=
sarAuthorizer
{}
masterConfig
.
GenericConfig
.
Authorization
.
Authorizer
=
sarAuthorizer
{}
_
,
s
,
closeFn
:=
framework
.
RunAMaster
(
masterConfig
)
_
,
s
,
closeFn
:=
framework
.
RunAMaster
(
masterConfig
)
...
...
test/integration/framework/master_utils.go
View file @
baa8d800
...
@@ -83,9 +83,11 @@ func (alwaysAllow) Authorize(requestAttributes authorizer.Attributes) (authorize
...
@@ -83,9 +83,11 @@ func (alwaysAllow) Authorize(requestAttributes authorizer.Attributes) (authorize
}
}
// alwaysEmpty simulates "no authentication" for old tests
// alwaysEmpty simulates "no authentication" for old tests
func
alwaysEmpty
(
req
*
http
.
Request
)
(
user
.
Info
,
bool
,
error
)
{
func
alwaysEmpty
(
req
*
http
.
Request
)
(
*
authauthenticator
.
Response
,
bool
,
error
)
{
return
&
user
.
DefaultInfo
{
return
&
authauthenticator
.
Response
{
Name
:
""
,
User
:
&
user
.
DefaultInfo
{
Name
:
""
,
},
},
true
,
nil
},
true
,
nil
}
}
...
...
test/integration/serviceaccount/service_account_test.go
View file @
baa8d800
...
@@ -21,6 +21,7 @@ package serviceaccount
...
@@ -21,6 +21,7 @@ package serviceaccount
// to work for any client of the HTTP interface.
// to work for any client of the HTTP interface.
import
(
import
(
"context"
"crypto/rand"
"crypto/rand"
"crypto/rsa"
"crypto/rsa"
"fmt"
"fmt"
...
@@ -365,9 +366,9 @@ func startServiceAccountTestServer(t *testing.T) (*clientset.Clientset, restclie
...
@@ -365,9 +366,9 @@ func startServiceAccountTestServer(t *testing.T) (*clientset.Clientset, restclie
// Set up two authenticators:
// Set up two authenticators:
// 1. A token authenticator that maps the rootToken to the "root" user
// 1. A token authenticator that maps the rootToken to the "root" user
// 2. A ServiceAccountToken authenticator that validates ServiceAccount tokens
// 2. A ServiceAccountToken authenticator that validates ServiceAccount tokens
rootTokenAuth
:=
authenticator
.
TokenFunc
(
func
(
token
string
)
(
user
.
Info
,
bool
,
error
)
{
rootTokenAuth
:=
authenticator
.
TokenFunc
(
func
(
ctx
context
.
Context
,
token
string
)
(
*
authenticator
.
Response
,
bool
,
error
)
{
if
token
==
rootToken
{
if
token
==
rootToken
{
return
&
user
.
DefaultInfo
{
Name
:
rootUserName
},
true
,
nil
return
&
authenticator
.
Response
{
User
:
&
user
.
DefaultInfo
{
Name
:
rootUserName
}
},
true
,
nil
}
}
return
nil
,
false
,
nil
return
nil
,
false
,
nil
})
})
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment