diff --git a/staging/src/k8s.io/apiserver/pkg/authentication/authenticator/BUILD b/staging/src/k8s.io/apiserver/pkg/authentication/authenticator/BUILD index 1d25f33a21a..22ffab2cda7 100644 --- a/staging/src/k8s.io/apiserver/pkg/authentication/authenticator/BUILD +++ b/staging/src/k8s.io/apiserver/pkg/authentication/authenticator/BUILD @@ -5,7 +5,7 @@ load("@io_bazel_rules_go//go:def.bzl", "go_library", "go_test") go_library( name = "go_default_library", srcs = [ - "helpers.go", + "audiences.go", "interfaces.go", ], importmap = "k8s.io/kubernetes/vendor/k8s.io/apiserver/pkg/authentication/authenticator", @@ -28,6 +28,6 @@ filegroup( go_test( name = "go_default_test", - srcs = ["helpers_test.go"], + srcs = ["audiences_test.go"], embed = [":go_default_library"], ) diff --git a/staging/src/k8s.io/apiserver/pkg/authentication/authenticator/helpers.go b/staging/src/k8s.io/apiserver/pkg/authentication/authenticator/audiences.go similarity index 65% rename from staging/src/k8s.io/apiserver/pkg/authentication/authenticator/helpers.go rename to staging/src/k8s.io/apiserver/pkg/authentication/authenticator/audiences.go index f2aa9b0d7ee..2a3a918896d 100644 --- a/staging/src/k8s.io/apiserver/pkg/authentication/authenticator/helpers.go +++ b/staging/src/k8s.io/apiserver/pkg/authentication/authenticator/audiences.go 
@@ -16,9 +16,30 @@ limitations under the License. package authenticator +import "context" + // Audiences is a container for the Audiences of a token. type Audiences []string +// The key type is unexported to prevent collisions +type key int + +const ( + // audiencesKey is the context key for request audiences. + audiencesKey key = iota +) + +// WithAudiences returns a context that stores a request's expected audiences. +func WithAudiences(ctx context.Context, auds Audiences) context.Context { + return context.WithValue(ctx, audiencesKey, auds) +} + +// AudiencesFrom returns a request's expected audiences stored in the request context. +func AudiencesFrom(ctx context.Context) (Audiences, bool) { + auds, ok := ctx.Value(audiencesKey).(Audiences) + return auds, ok +} + // Has checks if Audiences contains a specific audiences. func (a Audiences) Has(taud string) bool { for _, aud := range a { diff --git a/staging/src/k8s.io/apiserver/pkg/authentication/authenticator/helpers_test.go b/staging/src/k8s.io/apiserver/pkg/authentication/authenticator/audiences_test.go similarity index 100% rename from staging/src/k8s.io/apiserver/pkg/authentication/authenticator/helpers_test.go rename to staging/src/k8s.io/apiserver/pkg/authentication/authenticator/audiences_test.go diff --git a/staging/src/k8s.io/apiserver/pkg/authentication/request/anonymous/BUILD b/staging/src/k8s.io/apiserver/pkg/authentication/request/anonymous/BUILD index b78435554cb..329b92ecc52 100644 --- a/staging/src/k8s.io/apiserver/pkg/authentication/request/anonymous/BUILD +++ b/staging/src/k8s.io/apiserver/pkg/authentication/request/anonymous/BUILD @@ -25,7 +25,6 @@ go_library( deps = [ "//staging/src/k8s.io/apiserver/pkg/authentication/authenticator:go_default_library", "//staging/src/k8s.io/apiserver/pkg/authentication/user:go_default_library", - "//staging/src/k8s.io/apiserver/pkg/endpoints/request:go_default_library", ], ) 
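Review bot: `WithAudiences` stores the caller's `Audiences` slice in the context without copying it, and `AudiencesFrom` returns that same backing array, but nothing in audiences.go tells an authenticator that the value is shared. In the authentication.go hunk of this commit, `WithAuthentication` appears to pass the one `apiAuds` slice into every request's context, so an authenticator that sorted or rewrote the returned slice in place would change the expected audiences seen by concurrent and later requests. I would document the contract on `AudiencesFrom`, e.g. `// The returned Audiences is shared with the value given to WithAudiences and must be treated as read-only.`, and state there that the second result is false when no audiences were stored, since every caller in this commit discards it with `auds, _ :=`. The comment on `key` would also read better in godoc form: `// key is an unexported type for context keys, which prevents collisions with keys defined in other packages.`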
diff --git a/staging/src/k8s.io/apiserver/pkg/authentication/request/anonymous/anonymous.go b/staging/src/k8s.io/apiserver/pkg/authentication/request/anonymous/anonymous.go index 76ff130227a..f9177d15137 100644 --- a/staging/src/k8s.io/apiserver/pkg/authentication/request/anonymous/anonymous.go +++ b/staging/src/k8s.io/apiserver/pkg/authentication/request/anonymous/anonymous.go @@ -21,7 +21,6 @@ import ( "k8s.io/apiserver/pkg/authentication/authenticator" "k8s.io/apiserver/pkg/authentication/user" - "k8s.io/apiserver/pkg/endpoints/request" ) const ( @@ -32,7 +31,7 @@ const ( func NewAuthenticator() authenticator.Request { return authenticator.RequestFunc(func(req *http.Request) (*authenticator.Response, bool, error) { - auds, _ := request.AudiencesFrom(req.Context()) + auds, _ := authenticator.AudiencesFrom(req.Context()) return &authenticator.Response{ User: &user.DefaultInfo{ Name: anonymousUser, diff --git a/staging/src/k8s.io/apiserver/pkg/authentication/token/cache/BUILD b/staging/src/k8s.io/apiserver/pkg/authentication/token/cache/BUILD index 3c8ca28129f..66c09d44844 100644 --- a/staging/src/k8s.io/apiserver/pkg/authentication/token/cache/BUILD +++ b/staging/src/k8s.io/apiserver/pkg/authentication/token/cache/BUILD @@ -17,7 +17,6 @@ go_test( "//staging/src/k8s.io/apimachinery/pkg/util/clock:go_default_library", "//staging/src/k8s.io/apiserver/pkg/authentication/authenticator:go_default_library", "//staging/src/k8s.io/apiserver/pkg/authentication/user:go_default_library", - "//staging/src/k8s.io/apiserver/pkg/endpoints/request:go_default_library", "//vendor/github.com/pborman/uuid:go_default_library", ], ) @@ -35,7 +34,6 @@ go_library( "//staging/src/k8s.io/apimachinery/pkg/util/cache:go_default_library", "//staging/src/k8s.io/apimachinery/pkg/util/clock:go_default_library", "//staging/src/k8s.io/apiserver/pkg/authentication/authenticator:go_default_library", - "//staging/src/k8s.io/apiserver/pkg/endpoints/request:go_default_library", ], ) 
diff --git a/staging/src/k8s.io/apiserver/pkg/authentication/token/cache/cached_token_authenticator.go b/staging/src/k8s.io/apiserver/pkg/authentication/token/cache/cached_token_authenticator.go index ec5af39d8bc..457770aa73d 100644 --- a/staging/src/k8s.io/apiserver/pkg/authentication/token/cache/cached_token_authenticator.go +++ b/staging/src/k8s.io/apiserver/pkg/authentication/token/cache/cached_token_authenticator.go @@ -23,7 +23,6 @@ import ( utilclock "k8s.io/apimachinery/pkg/util/clock" "k8s.io/apiserver/pkg/authentication/authenticator" - "k8s.io/apiserver/pkg/endpoints/request" ) // cacheRecord holds the three return values of the authenticator.Token AuthenticateToken method @@ -67,7 +66,7 @@ func newWithClock(authenticator authenticator.Token, successTTL, failureTTL time // AuthenticateToken implements authenticator.Token func (a *cachedTokenAuthenticator) AuthenticateToken(ctx context.Context, token string) (*authenticator.Response, bool, error) { - auds, _ := request.AudiencesFrom(ctx) + auds, _ := authenticator.AudiencesFrom(ctx) key := keyFunc(auds, token) if record, ok := a.cache.get(key); ok { diff --git a/staging/src/k8s.io/apiserver/pkg/authentication/token/cache/cached_token_authenticator_test.go b/staging/src/k8s.io/apiserver/pkg/authentication/token/cache/cached_token_authenticator_test.go index e92e957a4d3..9215fefc076 100644 --- a/staging/src/k8s.io/apiserver/pkg/authentication/token/cache/cached_token_authenticator_test.go +++ b/staging/src/k8s.io/apiserver/pkg/authentication/token/cache/cached_token_authenticator_test.go @@ -25,7 +25,6 @@ import ( utilclock "k8s.io/apimachinery/pkg/util/clock" "k8s.io/apiserver/pkg/authentication/authenticator" "k8s.io/apiserver/pkg/authentication/user" - "k8s.io/apiserver/pkg/endpoints/request" ) func TestCachedTokenAuthenticator(t *testing.T) { 
@@ -109,7 +108,7 @@ func TestCachedTokenAuthenticator(t *testing.T) { func TestCachedTokenAuthenticatorWithAudiences(t *testing.T) { resultUsers := make(map[string]user.Info) fakeAuth := authenticator.TokenFunc(func(ctx context.Context, token string) (*authenticator.Response, bool, error) { - auds, _ := request.AudiencesFrom(ctx) + auds, _ := authenticator.AudiencesFrom(ctx) return &authenticator.Response{User: resultUsers[auds[0]+token]}, true, nil }) fakeClock := utilclock.NewFakeClock(time.Now()) @@ -119,10 +118,10 @@ func TestCachedTokenAuthenticatorWithAudiences(t *testing.T) { resultUsers["audAusertoken1"] = &user.DefaultInfo{Name: "user1"} resultUsers["audBusertoken1"] = &user.DefaultInfo{Name: "user1-different"} - if u, ok, _ := a.AuthenticateToken(request.WithAudiences(context.Background(), []string{"audA"}), "usertoken1"); !ok || u.User.GetName() != "user1" { + if u, ok, _ := a.AuthenticateToken(authenticator.WithAudiences(context.Background(), []string{"audA"}), "usertoken1"); !ok || u.User.GetName() != "user1" { t.Errorf("Expected user1") } - if u, ok, _ := a.AuthenticateToken(request.WithAudiences(context.Background(), []string{"audB"}), "usertoken1"); !ok || u.User.GetName() != "user1-different" { + if u, ok, _ := a.AuthenticateToken(authenticator.WithAudiences(context.Background(), []string{"audB"}), "usertoken1"); !ok || u.User.GetName() != "user1-different" { t.Errorf("Expected user1-different") } } diff --git a/staging/src/k8s.io/apiserver/pkg/endpoints/filters/authentication.go b/staging/src/k8s.io/apiserver/pkg/endpoints/filters/authentication.go index b9c6f6e51a7..70c14e088a2 100644 --- a/staging/src/k8s.io/apiserver/pkg/endpoints/filters/authentication.go +++ b/staging/src/k8s.io/apiserver/pkg/endpoints/filters/authentication.go 
@@ -57,7 +57,7 @@ func WithAuthentication(handler http.Handler, auth authenticator.Request, failed } return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) { if len(apiAuds) > 0 { - req = req.WithContext(genericapirequest.WithAudiences(req.Context(), apiAuds)) + req = req.WithContext(authenticator.WithAudiences(req.Context(), apiAuds)) } resp, ok, err := auth.AuthenticateRequest(req) if err != nil || !ok { diff --git a/staging/src/k8s.io/apiserver/pkg/endpoints/request/BUILD b/staging/src/k8s.io/apiserver/pkg/endpoints/request/BUILD index e56dc33f8bd..5e84006a1cf 100644 --- a/staging/src/k8s.io/apiserver/pkg/endpoints/request/BUILD +++ b/staging/src/k8s.io/apiserver/pkg/endpoints/request/BUILD @@ -35,7 +35,6 @@ go_library( "//staging/src/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library", "//staging/src/k8s.io/apimachinery/pkg/util/sets:go_default_library", "//staging/src/k8s.io/apiserver/pkg/apis/audit:go_default_library", - "//staging/src/k8s.io/apiserver/pkg/authentication/authenticator:go_default_library", "//staging/src/k8s.io/apiserver/pkg/authentication/user:go_default_library", "//vendor/github.com/golang/glog:go_default_library", ], diff --git a/staging/src/k8s.io/apiserver/pkg/endpoints/request/context.go b/staging/src/k8s.io/apiserver/pkg/endpoints/request/context.go index eb1e8546093..fe3ae38edcd 100644 --- a/staging/src/k8s.io/apiserver/pkg/endpoints/request/context.go +++ b/staging/src/k8s.io/apiserver/pkg/endpoints/request/context.go @@ -21,7 +21,6 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apiserver/pkg/apis/audit" - "k8s.io/apiserver/pkg/authentication/authenticator" "k8s.io/apiserver/pkg/authentication/user" ) 
@@ -95,14 +94,3 @@ func AuditEventFrom(ctx context.Context) *audit.Event { ev, _ := ctx.Value(auditKey).(*audit.Event) return ev } - -// WithAudiences returns a context that stores a request's expected audiences. -func WithAudiences(ctx context.Context, auds authenticator.Audiences) context.Context { - return context.WithValue(ctx, audiencesKey, auds) -} - -// AudiencesFrom returns a request's expected audiences stored in the request context. -func AudiencesFrom(ctx context.Context) (authenticator.Audiences, bool) { - auds, ok := ctx.Value(audiencesKey).(authenticator.Audiences) - return auds, ok -} diff --git a/staging/src/k8s.io/apiserver/pkg/server/deprecated_insecure_serving.go b/staging/src/k8s.io/apiserver/pkg/server/deprecated_insecure_serving.go index cf84988a7e0..6cf6c1a64fc 100644 --- a/staging/src/k8s.io/apiserver/pkg/server/deprecated_insecure_serving.go +++ b/staging/src/k8s.io/apiserver/pkg/server/deprecated_insecure_serving.go @@ -25,7 +25,6 @@ import ( "k8s.io/apiserver/pkg/authentication/authenticator" "k8s.io/apiserver/pkg/authentication/user" - "k8s.io/apiserver/pkg/endpoints/request" "k8s.io/client-go/rest" ) @@ -80,7 +79,7 @@ func (s *DeprecatedInsecureServingInfo) NewLoopbackClientConfig() (*rest.Config, type InsecureSuperuser struct{} func (InsecureSuperuser) AuthenticateRequest(req *http.Request) (*authenticator.Response, bool, error) { - auds, _ := request.AudiencesFrom(req.Context()) + auds, _ := authenticator.AudiencesFrom(req.Context()) return &authenticator.Response{ User: &user.DefaultInfo{ Name: "system:unsecured",