move audience context functions to authenticator package

staging/src/k8s.io/apiserver/pkg/authentication/authenticator/BUILD

@@ -5,7 +5,7 @@ load("@io_bazel_rules_go//go:def.bzl", "go_library", "go_test")
 go_library(
     name = "go_default_library",
     srcs = [
-        "helpers.go",
+        "audiences.go",
         "interfaces.go",
     ],
     importmap = "k8s.io/kubernetes/vendor/k8s.io/apiserver/pkg/authentication/authenticator",
@@ -28,6 +28,6 @@ filegroup(
 
 go_test(
     name = "go_default_test",
-    srcs = ["helpers_test.go"],
+    srcs = ["audiences_test.go"],
     embed = [":go_default_library"],
 )

staging/src/k8s.io/apiserver/pkg/authentication/authenticator/audiences.go

@@ -16,9 +16,30 @@ limitations under the License.
 
 package authenticator
 
+import "context"
+
 // Audiences is a container for the Audiences of a token.
 type Audiences []string
 
+// The key type is unexported to prevent collisions
+type key int
+
+const (
+	// audiencesKey is the context key for request audiences.
+	audiencesKey key = iota
+)
+
+// WithAudiences returns a context that stores a request's expected audiences.
+func WithAudiences(ctx context.Context, auds Audiences) context.Context {
+	return context.WithValue(ctx, audiencesKey, auds)
+}
+
+// AudiencesFrom returns a request's expected audiences stored in the request context.
+func AudiencesFrom(ctx context.Context) (Audiences, bool) {
+	auds, ok := ctx.Value(audiencesKey).(Audiences)
+	return auds, ok
+}
+
 // Has checks if Audiences contains a specific audiences.
 func (a Audiences) Has(taud string) bool {
 	for _, aud := range a {

staging/src/k8s.io/apiserver/pkg/authentication/request/anonymous/BUILD

@@ -25,7 +25,6 @@ go_library(
     deps = [
         "//staging/src/k8s.io/apiserver/pkg/authentication/authenticator:go_default_library",
         "//staging/src/k8s.io/apiserver/pkg/authentication/user:go_default_library",
-        "//staging/src/k8s.io/apiserver/pkg/endpoints/request:go_default_library",
     ],
 )
 

staging/src/k8s.io/apiserver/pkg/authentication/request/anonymous/anonymous.go

@@ -21,7 +21,6 @@ import (
 
 	"k8s.io/apiserver/pkg/authentication/authenticator"
 	"k8s.io/apiserver/pkg/authentication/user"
-	"k8s.io/apiserver/pkg/endpoints/request"
 )
 
 const (
@@ -32,7 +31,7 @@ const (
 
 func NewAuthenticator() authenticator.Request {
 	return authenticator.RequestFunc(func(req *http.Request) (*authenticator.Response, bool, error) {
-		auds, _ := request.AudiencesFrom(req.Context())
+		auds, _ := authenticator.AudiencesFrom(req.Context())
 		return &authenticator.Response{
 			User: &user.DefaultInfo{
 				Name:   anonymousUser,

staging/src/k8s.io/apiserver/pkg/authentication/token/cache/BUILD

@@ -17,7 +17,6 @@ go_test(
         "//staging/src/k8s.io/apimachinery/pkg/util/clock:go_default_library",
         "//staging/src/k8s.io/apiserver/pkg/authentication/authenticator:go_default_library",
         "//staging/src/k8s.io/apiserver/pkg/authentication/user:go_default_library",
-        "//staging/src/k8s.io/apiserver/pkg/endpoints/request:go_default_library",
         "//vendor/github.com/pborman/uuid:go_default_library",
     ],
 )
@@ -35,7 +34,6 @@ go_library(
         "//staging/src/k8s.io/apimachinery/pkg/util/cache:go_default_library",
         "//staging/src/k8s.io/apimachinery/pkg/util/clock:go_default_library",
         "//staging/src/k8s.io/apiserver/pkg/authentication/authenticator:go_default_library",
-        "//staging/src/k8s.io/apiserver/pkg/endpoints/request:go_default_library",
     ],
 )
 

staging/src/k8s.io/apiserver/pkg/authentication/token/cache/cached_token_authenticator.go

@@ -23,7 +23,6 @@ import (
 
 	utilclock "k8s.io/apimachinery/pkg/util/clock"
 	"k8s.io/apiserver/pkg/authentication/authenticator"
-	"k8s.io/apiserver/pkg/endpoints/request"
 )
 
 // cacheRecord holds the three return values of the authenticator.Token AuthenticateToken method
@@ -67,7 +66,7 @@ func newWithClock(authenticator authenticator.Token, successTTL, failureTTL time
 
 // AuthenticateToken implements authenticator.Token
 func (a *cachedTokenAuthenticator) AuthenticateToken(ctx context.Context, token string) (*authenticator.Response, bool, error) {
-	auds, _ := request.AudiencesFrom(ctx)
+	auds, _ := authenticator.AudiencesFrom(ctx)
 
 	key := keyFunc(auds, token)
 	if record, ok := a.cache.get(key); ok {

staging/src/k8s.io/apiserver/pkg/authentication/token/cache/cached_token_authenticator_test.go

@@ -25,7 +25,6 @@ import (
 	utilclock "k8s.io/apimachinery/pkg/util/clock"
 	"k8s.io/apiserver/pkg/authentication/authenticator"
 	"k8s.io/apiserver/pkg/authentication/user"
-	"k8s.io/apiserver/pkg/endpoints/request"
 )
 
 func TestCachedTokenAuthenticator(t *testing.T) {
@@ -109,7 +108,7 @@ func TestCachedTokenAuthenticator(t *testing.T) {
 func TestCachedTokenAuthenticatorWithAudiences(t *testing.T) {
 	resultUsers := make(map[string]user.Info)
 	fakeAuth := authenticator.TokenFunc(func(ctx context.Context, token string) (*authenticator.Response, bool, error) {
-		auds, _ := request.AudiencesFrom(ctx)
+		auds, _ := authenticator.AudiencesFrom(ctx)
 		return &authenticator.Response{User: resultUsers[auds[0]+token]}, true, nil
 	})
 	fakeClock := utilclock.NewFakeClock(time.Now())
@@ -119,10 +118,10 @@ func TestCachedTokenAuthenticatorWithAudiences(t *testing.T) {
 	resultUsers["audAusertoken1"] = &user.DefaultInfo{Name: "user1"}
 	resultUsers["audBusertoken1"] = &user.DefaultInfo{Name: "user1-different"}
 
-	if u, ok, _ := a.AuthenticateToken(request.WithAudiences(context.Background(), []string{"audA"}), "usertoken1"); !ok || u.User.GetName() != "user1" {
+	if u, ok, _ := a.AuthenticateToken(authenticator.WithAudiences(context.Background(), []string{"audA"}), "usertoken1"); !ok || u.User.GetName() != "user1" {
 		t.Errorf("Expected user1")
 	}
-	if u, ok, _ := a.AuthenticateToken(request.WithAudiences(context.Background(), []string{"audB"}), "usertoken1"); !ok || u.User.GetName() != "user1-different" {
+	if u, ok, _ := a.AuthenticateToken(authenticator.WithAudiences(context.Background(), []string{"audB"}), "usertoken1"); !ok || u.User.GetName() != "user1-different" {
 		t.Errorf("Expected user1-different")
 	}
 }

staging/src/k8s.io/apiserver/pkg/endpoints/filters/authentication.go

@@ -57,7 +57,7 @@ func WithAuthentication(handler http.Handler, auth authenticator.Request, failed
 	}
 	return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
 		if len(apiAuds) > 0 {
-			req = req.WithContext(genericapirequest.WithAudiences(req.Context(), apiAuds))
+			req = req.WithContext(authenticator.WithAudiences(req.Context(), apiAuds))
 		}
 		resp, ok, err := auth.AuthenticateRequest(req)
 		if err != nil || !ok {

staging/src/k8s.io/apiserver/pkg/endpoints/request/BUILD

@@ -35,7 +35,6 @@ go_library(
         "//staging/src/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
         "//staging/src/k8s.io/apimachinery/pkg/util/sets:go_default_library",
         "//staging/src/k8s.io/apiserver/pkg/apis/audit:go_default_library",
-        "//staging/src/k8s.io/apiserver/pkg/authentication/authenticator:go_default_library",
         "//staging/src/k8s.io/apiserver/pkg/authentication/user:go_default_library",
         "//vendor/github.com/golang/glog:go_default_library",
     ],

staging/src/k8s.io/apiserver/pkg/endpoints/request/context.go

@@ -21,7 +21,6 @@ import (
 
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apiserver/pkg/apis/audit"
-	"k8s.io/apiserver/pkg/authentication/authenticator"
 	"k8s.io/apiserver/pkg/authentication/user"
 )
 
@@ -95,14 +94,3 @@ func AuditEventFrom(ctx context.Context) *audit.Event {
 	ev, _ := ctx.Value(auditKey).(*audit.Event)
 	return ev
 }
-
-// WithAudiences returns a context that stores a request's expected audiences.
-func WithAudiences(ctx context.Context, auds authenticator.Audiences) context.Context {
-	return context.WithValue(ctx, audiencesKey, auds)
-}
-
-// AudiencesFrom returns a request's expected audiences stored in the request context.
-func AudiencesFrom(ctx context.Context) (authenticator.Audiences, bool) {
-	auds, ok := ctx.Value(audiencesKey).(authenticator.Audiences)
-	return auds, ok
-}

staging/src/k8s.io/apiserver/pkg/server/deprecated_insecure_serving.go

@@ -25,7 +25,6 @@ import (
 
 	"k8s.io/apiserver/pkg/authentication/authenticator"
 	"k8s.io/apiserver/pkg/authentication/user"
-	"k8s.io/apiserver/pkg/endpoints/request"
 	"k8s.io/client-go/rest"
 )
 
@@ -80,7 +79,7 @@ func (s *DeprecatedInsecureServingInfo) NewLoopbackClientConfig() (*rest.Config,
 type InsecureSuperuser struct{}
 
 func (InsecureSuperuser) AuthenticateRequest(req *http.Request) (*authenticator.Response, bool, error) {
-	auds, _ := request.AudiencesFrom(req.Context())
+	auds, _ := authenticator.AudiencesFrom(req.Context())
 	return &authenticator.Response{
 		User: &user.DefaultInfo{
 			Name:   "system:unsecured",