From 15d8509a711efa062a1357cf1cfb398ec6e91023 Mon Sep 17 00:00:00 2001
From: Jordan Liggitt
Date: Mon, 7 Aug 2017 11:56:50 -0400
Subject: [PATCH] Add token group adder component
---
 .../apiserver/pkg/authentication/group/BUILD | 6 ++-
 .../authentication/group/token_group_adder.go | 48 +++++++++++++++++++
 .../group/token_group_adder_test.go | 41 ++++++++++++++++
 3 files changed, 94 insertions(+), 1 deletion(-)
 create mode 100644 staging/src/k8s.io/apiserver/pkg/authentication/group/token_group_adder.go
 create mode 100644 staging/src/k8s.io/apiserver/pkg/authentication/group/token_group_adder_test.go
diff --git a/staging/src/k8s.io/apiserver/pkg/authentication/group/BUILD b/staging/src/k8s.io/apiserver/pkg/authentication/group/BUILD
index d2485a55df7..32779ed1c28 100644
--- a/staging/src/k8s.io/apiserver/pkg/authentication/group/BUILD
+++ b/staging/src/k8s.io/apiserver/pkg/authentication/group/BUILD
@@ -10,7 +10,10 @@ load(
 go_test(
 name = "go_default_test",
- srcs = ["group_adder_test.go"],
+ srcs = [
+ "group_adder_test.go",
+ "token_group_adder_test.go",
+ ],
 library = ":go_default_library",
 tags = ["automanaged"],
 deps = [
@@ -24,6 +27,7 @@ go_library(
 srcs = [
 "authenticated_group_adder.go",
 "group_adder.go",
+ "token_group_adder.go",
 ],
 tags = ["automanaged"],
 deps = [
diff --git a/staging/src/k8s.io/apiserver/pkg/authentication/group/token_group_adder.go b/staging/src/k8s.io/apiserver/pkg/authentication/group/token_group_adder.go
new file mode 100644
index 00000000000..4f60d522f76
--- /dev/null
+++ b/staging/src/k8s.io/apiserver/pkg/authentication/group/token_group_adder.go
@@ -0,0 +1,48 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package group
+
+import (
+ "k8s.io/apiserver/pkg/authentication/authenticator"
+ "k8s.io/apiserver/pkg/authentication/user"
+)
+
+// TokenGroupAdder adds groups to an authenticated user.Info
+type TokenGroupAdder struct {
+ // Authenticator is delegated to make the authentication decision
+ Authenticator authenticator.Token
+ // Groups are additional groups to add to the user.Info from a successful authentication
+ Groups []string
+}
+
+// NewTokenGroupAdder wraps a token authenticator, and adds the specified groups to the returned user when authentication succeeds
+func NewTokenGroupAdder(auth authenticator.Token, groups []string) authenticator.Token {
+ return &TokenGroupAdder{auth, groups}
+}
+
+func (g *TokenGroupAdder) AuthenticateToken(token string) (user.Info, bool, error) {
+ u, ok, err := g.Authenticator.AuthenticateToken(token)
+ if err != nil || !ok {
+ return nil, ok, err
+ }
+ return &user.DefaultInfo{
+ Name: u.GetName(),
+ UID: u.GetUID(),
+ Groups: append(u.GetGroups(), g.Groups...),
+ Extra: u.GetExtra(),
+ }, true, nil
+}
diff --git a/staging/src/k8s.io/apiserver/pkg/authentication/group/token_group_adder_test.go b/staging/src/k8s.io/apiserver/pkg/authentication/group/token_group_adder_test.go
new file mode 100644
index 00000000000..cb5a0a65efe
--- /dev/null
+++ b/staging/src/k8s.io/apiserver/pkg/authentication/group/token_group_adder_test.go
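Review bot: In `AuthenticateToken` (token_group_adder.go), `append(u.GetGroups(), g.Groups...)` can write into the backing array of the slice the delegate returned whenever that slice has spare capacity. If the delegate hands out a `user.Info` that is cached or shared between requests (not visible in this patch, so worth confirming), concurrent calls would race on that array and groups appended by one wrapper could show up in a user returned to another caller, which matters because these groups feed authorization decisions. Copying before appending avoids it: `Groups: append(append([]string{}, u.GetGroups()...), g.Groups...),`. The exported method also has no doc comment; `// AuthenticateToken delegates to the wrapped authenticator and, on success, returns a new user.Info with Groups appended; failures and errors are passed through unchanged` would record the contract.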
@@ -0,0 +1,41 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package group
+
+import (
+ "reflect"
+ "testing"
+
+ "k8s.io/apiserver/pkg/authentication/authenticator"
+ "k8s.io/apiserver/pkg/authentication/user"
+)
+
+func TestTokenGroupAdder(t *testing.T) {
+ adder := authenticator.Token(
+ NewTokenGroupAdder(
+ authenticator.TokenFunc(func(token string) (user.Info, bool, error) {
+ return &user.DefaultInfo{Name: "user", Groups: []string{"original"}}, true, nil
+ }),
+ []string{"added"},
+ ),
+ )
+
+ user, _, _ := adder.AuthenticateToken("")
+ if !reflect.DeepEqual(user.GetGroups(), []string{"original", "added"}) {
+ t.Errorf("Expected original,added groups, got %#v", user.GetGroups())
+ }
+}
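Review bot: `TestTokenGroupAdder` discards the `ok` and `err` results (`user, _, _ := adder.AuthenticateToken("")`) and exercises only the success path, so nothing pins that a rejected or erroring delegate stays rejected with no user and no added groups. Checking the results in the existing test, e.g. `u, ok, err := adder.AuthenticateToken("")` followed by `if err != nil || !ok { t.Fatalf("unexpected result: %v, %v", ok, err) }`, would also stop the local `user` from shadowing the imported `user` package. A failure-path case like the one below would cover the pass-through branch of the wrapper.

```go
func TestTokenGroupAdderDelegateRejects(t *testing.T) {
	adder := NewTokenGroupAdder(
		authenticator.TokenFunc(func(token string) (user.Info, bool, error) {
			return nil, false, nil
		}),
		[]string{"added"},
	)

	u, ok, err := adder.AuthenticateToken("")
	if err != nil || ok || u != nil {
		t.Errorf("expected rejected token to yield no user, got %#v, %v, %v", u, ok, err)
	}
}
```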