diff --git a/pkg/authentication/authenticator/helpers.go b/pkg/authentication/authenticator/audiences.go
similarity index 65%
rename from pkg/authentication/authenticator/helpers.go
rename to pkg/authentication/authenticator/audiences.go
index f2aa9b0d7..2a3a91889 100644
--- a/pkg/authentication/authenticator/helpers.go
+++ b/pkg/authentication/authenticator/audiences.go
@@ -16,9 +16,30 @@ limitations under the License.
 
 package authenticator
 
+import "context"
+
 // Audiences is a container for the Audiences of a token.
 type Audiences []string
 
+// The key type is unexported to prevent collisions
+type key int
+
+const (
+	// audiencesKey is the context key for request audiences.
+	audiencesKey key = iota
+)
+
+// WithAudiences returns a context that stores a request's expected audiences.
+func WithAudiences(ctx context.Context, auds Audiences) context.Context {
+	return context.WithValue(ctx, audiencesKey, auds)
+}
+
+// AudiencesFrom returns a request's expected audiences stored in the request context.
+func AudiencesFrom(ctx context.Context) (Audiences, bool) {
+	auds, ok := ctx.Value(audiencesKey).(Audiences)
+	return auds, ok
+}
+
 // Has checks if Audiences contains a specific audiences.
 func (a Audiences) Has(taud string) bool {
 	for _, aud := range a {
diff --git a/pkg/authentication/authenticator/helpers_test.go b/pkg/authentication/authenticator/audiences_test.go
similarity index 100%
rename from pkg/authentication/authenticator/helpers_test.go
rename to pkg/authentication/authenticator/audiences_test.go
diff --git a/pkg/authentication/request/anonymous/anonymous.go b/pkg/authentication/request/anonymous/anonymous.go
index 76ff13022..f9177d151 100644
--- a/pkg/authentication/request/anonymous/anonymous.go
+++ b/pkg/authentication/request/anonymous/anonymous.go
@@ -21,7 +21,6 @@ import (
 
 	"k8s.io/apiserver/pkg/authentication/authenticator"
 	"k8s.io/apiserver/pkg/authentication/user"
-	"k8s.io/apiserver/pkg/endpoints/request"
 )
 
 const (
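Review bot: The comment on the new `key` type in audiences.go does not start with the identifier and has no terminating period, which golint-style checks flag; prefer `// key is the unexported type of this package's context keys, so values set here cannot collide with keys from other packages.` Also worth documenting on `AudiencesFrom` that `WithAudiences` stores the caller's slice without copying, so the value read back aliases it — the `apiAuds` slice that pkg/endpoints/filters/authentication.go now installs into every request context is therefore shared by all concurrent requests, and any authenticator that sorts or appends to it in place would race: `// The returned slice aliases the one passed to WithAudiences and must be treated as read-only.`, or have `WithAudiences` store `append(Audiences(nil), auds...)` instead. The helpers removed from pkg/endpoints/request/context.go used an `audiencesKey` from that package's own key enum; this diff does not show that constant being deleted, so if it is still declared there it is now dead and should go with them.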
@@ -32,7 +31,7 @@ const (
 
 func NewAuthenticator() authenticator.Request {
 	return authenticator.RequestFunc(func(req *http.Request) (*authenticator.Response, bool, error) {
-		auds, _ := request.AudiencesFrom(req.Context())
+		auds, _ := authenticator.AudiencesFrom(req.Context())
 		return &authenticator.Response{
 			User: &user.DefaultInfo{
 				Name: anonymousUser,
diff --git a/pkg/authentication/token/cache/cached_token_authenticator.go b/pkg/authentication/token/cache/cached_token_authenticator.go
index ec5af39d8..457770aa7 100644
--- a/pkg/authentication/token/cache/cached_token_authenticator.go
+++ b/pkg/authentication/token/cache/cached_token_authenticator.go
@@ -23,7 +23,6 @@ import (
 
 	utilclock "k8s.io/apimachinery/pkg/util/clock"
 	"k8s.io/apiserver/pkg/authentication/authenticator"
-	"k8s.io/apiserver/pkg/endpoints/request"
 )
 
 // cacheRecord holds the three return values of the authenticator.Token AuthenticateToken method
@@ -67,7 +66,7 @@ func newWithClock(authenticator authenticator.Token, successTTL, failureTTL time
 
 // AuthenticateToken implements authenticator.Token
 func (a *cachedTokenAuthenticator) AuthenticateToken(ctx context.Context, token string) (*authenticator.Response, bool, error) {
-	auds, _ := request.AudiencesFrom(ctx)
+	auds, _ := authenticator.AudiencesFrom(ctx)
 
 	key := keyFunc(auds, token)
 	if record, ok := a.cache.get(key); ok {
diff --git a/pkg/authentication/token/cache/cached_token_authenticator_test.go b/pkg/authentication/token/cache/cached_token_authenticator_test.go
index e92e957a4..9215fefc0 100644
--- a/pkg/authentication/token/cache/cached_token_authenticator_test.go
+++ b/pkg/authentication/token/cache/cached_token_authenticator_test.go
@@ -25,7 +25,6 @@ import (
 	utilclock "k8s.io/apimachinery/pkg/util/clock"
 	"k8s.io/apiserver/pkg/authentication/authenticator"
 	"k8s.io/apiserver/pkg/authentication/user"
-	"k8s.io/apiserver/pkg/endpoints/request"
 )
 
 func TestCachedTokenAuthenticator(t *testing.T) {
@@ -109,7 +108,7 @@ func TestCachedTokenAuthenticator(t *testing.T) {
 func TestCachedTokenAuthenticatorWithAudiences(t *testing.T) {
 	resultUsers := make(map[string]user.Info)
 	fakeAuth := authenticator.TokenFunc(func(ctx context.Context, token string) (*authenticator.Response, bool, error) {
-		auds, _ := request.AudiencesFrom(ctx)
+		auds, _ := authenticator.AudiencesFrom(ctx)
 		return &authenticator.Response{User: resultUsers[auds[0]+token]}, true, nil
 	})
 	fakeClock := utilclock.NewFakeClock(time.Now())
@@ -119,10 +118,10 @@ func TestCachedTokenAuthenticatorWithAudiences(t *testing.T) {
 
 	resultUsers["audAusertoken1"] = &user.DefaultInfo{Name: "user1"}
 	resultUsers["audBusertoken1"] = &user.DefaultInfo{Name: "user1-different"}
-	if u, ok, _ := a.AuthenticateToken(request.WithAudiences(context.Background(), []string{"audA"}), "usertoken1"); !ok || u.User.GetName() != "user1" {
+	if u, ok, _ := a.AuthenticateToken(authenticator.WithAudiences(context.Background(), []string{"audA"}), "usertoken1"); !ok || u.User.GetName() != "user1" {
 		t.Errorf("Expected user1")
 	}
-	if u, ok, _ := a.AuthenticateToken(request.WithAudiences(context.Background(), []string{"audB"}), "usertoken1"); !ok || u.User.GetName() != "user1-different" {
+	if u, ok, _ := a.AuthenticateToken(authenticator.WithAudiences(context.Background(), []string{"audB"}), "usertoken1"); !ok || u.User.GetName() != "user1-different" {
 		t.Errorf("Expected user1-different")
 	}
 }
diff --git a/pkg/endpoints/filters/authentication.go b/pkg/endpoints/filters/authentication.go
index b9c6f6e51..70c14e088 100644
--- a/pkg/endpoints/filters/authentication.go
+++ b/pkg/endpoints/filters/authentication.go
@@ -57,7 +57,7 @@ func WithAuthentication(handler http.Handler, auth authenticator.Request, failed
 	}
 	return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
 		if len(apiAuds) > 0 {
-			req = req.WithContext(genericapirequest.WithAudiences(req.Context(), apiAuds))
+			req = req.WithContext(authenticator.WithAudiences(req.Context(), apiAuds))
 		}
 		resp, ok, err := auth.AuthenticateRequest(req)
 		if err != nil || !ok {
diff --git a/pkg/endpoints/request/context.go b/pkg/endpoints/request/context.go
index eb1e85460..fe3ae38ed 100644
--- a/pkg/endpoints/request/context.go
+++ b/pkg/endpoints/request/context.go
@@ -21,7 +21,6 @@ import (
 
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apiserver/pkg/apis/audit"
-	"k8s.io/apiserver/pkg/authentication/authenticator"
 	"k8s.io/apiserver/pkg/authentication/user"
 )
 
@@ -95,14 +94,3 @@ func AuditEventFrom(ctx context.Context) *audit.Event {
 	ev, _ := ctx.Value(auditKey).(*audit.Event)
 	return ev
 }
-
-// WithAudiences returns a context that stores a request's expected audiences.
-func WithAudiences(ctx context.Context, auds authenticator.Audiences) context.Context {
-	return context.WithValue(ctx, audiencesKey, auds)
-}
-
-// AudiencesFrom returns a request's expected audiences stored in the request context.
-func AudiencesFrom(ctx context.Context) (authenticator.Audiences, bool) {
-	auds, ok := ctx.Value(audiencesKey).(authenticator.Audiences)
-	return auds, ok
-}
diff --git a/pkg/server/deprecated_insecure_serving.go b/pkg/server/deprecated_insecure_serving.go
index cf84988a7..6cf6c1a64 100644
--- a/pkg/server/deprecated_insecure_serving.go
+++ b/pkg/server/deprecated_insecure_serving.go
@@ -25,7 +25,6 @@ import (
 
 	"k8s.io/apiserver/pkg/authentication/authenticator"
 	"k8s.io/apiserver/pkg/authentication/user"
-	"k8s.io/apiserver/pkg/endpoints/request"
 	"k8s.io/client-go/rest"
 )
 
@@ -80,7 +79,7 @@ func (s *DeprecatedInsecureServingInfo) NewLoopbackClientConfig() (*rest.Config,
 type InsecureSuperuser struct{}
 
 func (InsecureSuperuser) AuthenticateRequest(req *http.Request) (*authenticator.Response, bool, error) {
-	auds, _ := request.AudiencesFrom(req.Context())
+	auds, _ := authenticator.AudiencesFrom(req.Context())
 	return &authenticator.Response{
 		User: &user.DefaultInfo{
 			Name: "system:unsecured",