move no k8s.io/kubernetes deps to apiserver

2026-01-04 23:17:50 +00:00 · 2017-01-13 11:05:38 -05:00
parent 212234ab3f
commit 81b073a5f5
27 changed files with 0 additions and 270 deletions
--- a/plugin/pkg/auth/authenticator/request/headerrequest/BUILD
+++ b/plugin/pkg/auth/authenticator/request/headerrequest/BUILD
@@ -1,43 +0,0 @@
-package(default_visibility = ["//visibility:public"])
-
-licenses(["notice"])
-
-load(
-    "@io_bazel_rules_go//go:def.bzl",
-    "go_library",
-    "go_test",
-)
-
-go_test(
-    name = "go_default_test",
-    srcs = ["requestheader_test.go"],
-    library = ":go_default_library",
-    tags = ["automanaged"],
-    deps = ["//vendor:k8s.io/apiserver/pkg/authentication/user"],
-)
-
-go_library(
-    name = "go_default_library",
-    srcs = ["requestheader.go"],
-    tags = ["automanaged"],
-    deps = [
-        "//vendor:k8s.io/apimachinery/pkg/util/sets",
-        "//vendor:k8s.io/apiserver/pkg/authentication/authenticator",
-        "//vendor:k8s.io/apiserver/pkg/authentication/request/x509",
-        "//vendor:k8s.io/apiserver/pkg/authentication/user",
-        "//vendor:k8s.io/client-go/pkg/util/cert",
-    ],
-)
-
-filegroup(
-    name = "package-srcs",
-    srcs = glob(["**"]),
-    tags = ["automanaged"],
-    visibility = ["//visibility:private"],
-)
-
-filegroup(
-    name = "all-srcs",
-    srcs = [":package-srcs"],
-    tags = ["automanaged"],
-)
--- a/plugin/pkg/auth/authenticator/request/headerrequest/requestheader.go
+++ b/plugin/pkg/auth/authenticator/request/headerrequest/requestheader.go
@@ -1,178 +0,0 @@
-/*
-Copyright 2016 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package headerrequest
-
-import (
-	"crypto/x509"
-	"fmt"
-	"io/ioutil"
-	"net/http"
-	"strings"
-
-	"k8s.io/apimachinery/pkg/util/sets"
-	"k8s.io/apiserver/pkg/authentication/authenticator"
-	x509request "k8s.io/apiserver/pkg/authentication/request/x509"
-	"k8s.io/apiserver/pkg/authentication/user"
-	utilcert "k8s.io/client-go/pkg/util/cert"
-)
-
-type requestHeaderAuthRequestHandler struct {
-	// nameHeaders are the headers to check (in order, case-insensitively) for an identity. The first header with a value wins.
-	nameHeaders []string
-
-	// groupHeaders are the headers to check (case-insensitively) for group membership.  All values of all headers will be added.
-	groupHeaders []string
-
-	// extraHeaderPrefixes are the head prefixes to check (case-insensitively) for filling in
-	// the user.Info.Extra.  All values of all matching headers will be added.
-	extraHeaderPrefixes []string
-}
-
-func New(nameHeaders []string, groupHeaders []string, extraHeaderPrefixes []string) (authenticator.Request, error) {
-	trimmedNameHeaders, err := trimHeaders(nameHeaders...)
-	if err != nil {
-		return nil, err
-	}
-	trimmedGroupHeaders, err := trimHeaders(groupHeaders...)
-	if err != nil {
-		return nil, err
-	}
-	trimmedExtraHeaderPrefixes, err := trimHeaders(extraHeaderPrefixes...)
-	if err != nil {
-		return nil, err
-	}
-
-	return &requestHeaderAuthRequestHandler{
-		nameHeaders:         trimmedNameHeaders,
-		groupHeaders:        trimmedGroupHeaders,
-		extraHeaderPrefixes: trimmedExtraHeaderPrefixes,
-	}, nil
-}
-
-func trimHeaders(headerNames ...string) ([]string, error) {
-	ret := []string{}
-	for _, headerName := range headerNames {
-		trimmedHeader := strings.TrimSpace(headerName)
-		if len(trimmedHeader) == 0 {
-			return nil, fmt.Errorf("empty header %q", headerName)
-		}
-		ret = append(ret, trimmedHeader)
-	}
-
-	return ret, nil
-}
-
-func NewSecure(clientCA string, proxyClientNames []string, nameHeaders []string, groupHeaders []string, extraHeaderPrefixes []string) (authenticator.Request, error) {
-	headerAuthenticator, err := New(nameHeaders, groupHeaders, extraHeaderPrefixes)
-	if err != nil {
-		return nil, err
-	}
-
-	if len(clientCA) == 0 {
-		return nil, fmt.Errorf("missing clientCA file")
-	}
-
-	// Wrap with an x509 verifier
-	caData, err := ioutil.ReadFile(clientCA)
-	if err != nil {
-		return nil, fmt.Errorf("error reading %s: %v", clientCA, err)
-	}
-	opts := x509request.DefaultVerifyOptions()
-	opts.Roots = x509.NewCertPool()
-	certs, err := utilcert.ParseCertsPEM(caData)
-	if err != nil {
-		return nil, fmt.Errorf("error loading certs from  %s: %v", clientCA, err)
-	}
-	for _, cert := range certs {
-		opts.Roots.AddCert(cert)
-	}
-
-	return x509request.NewVerifier(opts, headerAuthenticator, sets.NewString(proxyClientNames...)), nil
-}
-
-func (a *requestHeaderAuthRequestHandler) AuthenticateRequest(req *http.Request) (user.Info, bool, error) {
-	name := headerValue(req.Header, a.nameHeaders)
-	if len(name) == 0 {
-		return nil, false, nil
-	}
-	groups := allHeaderValues(req.Header, a.groupHeaders)
-	extra := newExtra(req.Header, a.extraHeaderPrefixes)
-
-	// clear headers used for authentication
-	for _, headerName := range a.nameHeaders {
-		req.Header.Del(headerName)
-	}
-	for _, headerName := range a.groupHeaders {
-		req.Header.Del(headerName)
-	}
-	for k := range extra {
-		for _, prefix := range a.extraHeaderPrefixes {
-			req.Header.Del(prefix + k)
-		}
-	}
-
-	return &user.DefaultInfo{
-		Name:   name,
-		Groups: groups,
-		Extra:  extra,
-	}, true, nil
-}
-
-func headerValue(h http.Header, headerNames []string) string {
-	for _, headerName := range headerNames {
-		headerValue := h.Get(headerName)
-		if len(headerValue) > 0 {
-			return headerValue
-		}
-	}
-	return ""
-}
-
-func allHeaderValues(h http.Header, headerNames []string) []string {
-	ret := []string{}
-	for _, headerName := range headerNames {
-		values, ok := h[headerName]
-		if !ok {
-			continue
-		}
-
-		for _, headerValue := range values {
-			if len(headerValue) > 0 {
-				ret = append(ret, headerValue)
-			}
-		}
-	}
-	return ret
-}
-
-func newExtra(h http.Header, headerPrefixes []string) map[string][]string {
-	ret := map[string][]string{}
-
-	// we have to iterate over prefixes first in order to have proper ordering inside the value slices
-	for _, prefix := range headerPrefixes {
-		for headerName, vv := range h {
-			if !strings.HasPrefix(strings.ToLower(headerName), strings.ToLower(prefix)) {
-				continue
-			}
-
-			extraKey := strings.ToLower(headerName[len(prefix):])
-			ret[extraKey] = append(ret[extraKey], vv...)
-		}
-	}
-
-	return ret
-}
--- a/plugin/pkg/auth/authenticator/request/headerrequest/requestheader_test.go
+++ b/plugin/pkg/auth/authenticator/request/headerrequest/requestheader_test.go
@@ -1,159 +0,0 @@
-/*
-Copyright 2016 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package headerrequest
-
-import (
-	"net/http"
-	"reflect"
-	"testing"
-
-	"k8s.io/apiserver/pkg/authentication/user"
-)
-
-func TestRequestHeader(t *testing.T) {
-	testcases := map[string]struct {
-		nameHeaders        []string
-		groupHeaders       []string
-		extraPrefixHeaders []string
-		requestHeaders     http.Header
-
-		expectedUser user.Info
-		expectedOk   bool
-	}{
-		"empty": {},
-		"user no match": {
-			nameHeaders: []string{"X-Remote-User"},
-		},
-		"user match": {
-			nameHeaders:    []string{"X-Remote-User"},
-			requestHeaders: http.Header{"X-Remote-User": {"Bob"}},
-			expectedUser: &user.DefaultInfo{
-				Name:   "Bob",
-				Groups: []string{},
-				Extra:  map[string][]string{},
-			},
-			expectedOk: true,
-		},
-		"user exact match": {
-			nameHeaders: []string{"X-Remote-User"},
-			requestHeaders: http.Header{
-				"Prefixed-X-Remote-User-With-Suffix": {"Bob"},
-				"X-Remote-User-With-Suffix":          {"Bob"},
-			},
-		},
-		"user first match": {
-			nameHeaders: []string{
-				"X-Remote-User",
-				"A-Second-X-Remote-User",
-				"Another-X-Remote-User",
-			},
-			requestHeaders: http.Header{
-				"X-Remote-User":          {"", "First header, second value"},
-				"A-Second-X-Remote-User": {"Second header, first value", "Second header, second value"},
-				"Another-X-Remote-User":  {"Third header, first value"}},
-			expectedUser: &user.DefaultInfo{
-				Name:   "Second header, first value",
-				Groups: []string{},
-				Extra:  map[string][]string{},
-			},
-			expectedOk: true,
-		},
-		"user case-insensitive": {
-			nameHeaders:    []string{"x-REMOTE-user"},             // configured headers can be case-insensitive
-			requestHeaders: http.Header{"X-Remote-User": {"Bob"}}, // the parsed headers are normalized by the http package
-			expectedUser: &user.DefaultInfo{
-				Name:   "Bob",
-				Groups: []string{},
-				Extra:  map[string][]string{},
-			},
-			expectedOk: true,
-		},
-
-		"groups none": {
-			nameHeaders:  []string{"X-Remote-User"},
-			groupHeaders: []string{"X-Remote-Group"},
-			requestHeaders: http.Header{
-				"X-Remote-User": {"Bob"},
-			},
-			expectedUser: &user.DefaultInfo{
-				Name:   "Bob",
-				Groups: []string{},
-				Extra:  map[string][]string{},
-			},
-			expectedOk: true,
-		},
-		"groups all matches": {
-			nameHeaders:  []string{"X-Remote-User"},
-			groupHeaders: []string{"X-Remote-Group-1", "X-Remote-Group-2"},
-			requestHeaders: http.Header{
-				"X-Remote-User":    {"Bob"},
-				"X-Remote-Group-1": {"one-a", "one-b"},
-				"X-Remote-Group-2": {"two-a", "two-b"},
-			},
-			expectedUser: &user.DefaultInfo{
-				Name:   "Bob",
-				Groups: []string{"one-a", "one-b", "two-a", "two-b"},
-				Extra:  map[string][]string{},
-			},
-			expectedOk: true,
-		},
-
-		"extra prefix matches case-insensitive": {
-			nameHeaders:        []string{"X-Remote-User"},
-			groupHeaders:       []string{"X-Remote-Group-1", "X-Remote-Group-2"},
-			extraPrefixHeaders: []string{"X-Remote-Extra-1-", "X-Remote-Extra-2-"},
-			requestHeaders: http.Header{
-				"X-Remote-User":         {"Bob"},
-				"X-Remote-Group-1":      {"one-a", "one-b"},
-				"X-Remote-Group-2":      {"two-a", "two-b"},
-				"X-Remote-extra-1-key1": {"alfa", "bravo"},
-				"X-Remote-Extra-1-Key2": {"charlie", "delta"},
-				"X-Remote-Extra-1-":     {"india", "juliet"},
-				"X-Remote-extra-2-":     {"kilo", "lima"},
-				"X-Remote-extra-2-Key1": {"echo", "foxtrot"},
-				"X-Remote-Extra-2-key2": {"golf", "hotel"},
-			},
-			expectedUser: &user.DefaultInfo{
-				Name:   "Bob",
-				Groups: []string{"one-a", "one-b", "two-a", "two-b"},
-				Extra: map[string][]string{
-					"key1": {"alfa", "bravo", "echo", "foxtrot"},
-					"key2": {"charlie", "delta", "golf", "hotel"},
-					"":     {"india", "juliet", "kilo", "lima"},
-				},
-			},
-			expectedOk: true,
-		},
-	}
-
-	for k, testcase := range testcases {
-		auth, err := New(testcase.nameHeaders, testcase.groupHeaders, testcase.extraPrefixHeaders)
-		if err != nil {
-			t.Fatal(err)
-		}
-		req := &http.Request{Header: testcase.requestHeaders}
-
-		user, ok, _ := auth.AuthenticateRequest(req)
-		if testcase.expectedOk != ok {
-			t.Errorf("%v: expected %v, got %v", k, testcase.expectedOk, ok)
-		}
-		if e, a := testcase.expectedUser, user; !reflect.DeepEqual(e, a) {
-			t.Errorf("%v: expected %#v, got %#v", k, e, a)
-
-		}
-	}
-}