*: remove --insecure-allow-any-token option
e2e and integration tests have been switched over to the tokenfile authenticator instead. ```release-note The --insecure-allow-any-token flag has been removed from kube-apiserver. Users of the flag should use impersonation headers instead for debugging. ``` Kubernetes-commit: e2f2ab67f29d3e859e0b3e6668d8d770d93132fc
This commit is contained in:
Eric Chiang
Kubernetes Publisher
parent
157dcc8988
commit
6fb062b0b3
|
|
@ -1,24 +0,0 @@
|
||||||
package(default_visibility = ["//visibility:public"])
|
|
||||||
|
|
||||||
licenses(["notice"])
|
|
||||||
|
|
||||||
load(
|
|
||||||
"@io_bazel_rules_go//go:def.bzl",
|
|
||||||
"go_library",
|
|
||||||
"go_test",
|
|
||||||
)
|
|
||||||
|
|
||||||
go_test(
|
|
||||||
name = "go_default_test",
|
|
||||||
srcs = ["anytoken_test.go"],
|
|
||||||
library = ":go_default_library",
|
|
||||||
tags = ["automanaged"],
|
|
||||||
deps = ["//vendor/k8s.io/apiserver/pkg/authentication/user:go_default_library"],
|
|
||||||
)
|
|
||||||
|
|
||||||
go_library(
|
|
||||||
name = "go_default_library",
|
|
||||||
srcs = ["anytoken.go"],
|
|
||||||
tags = ["automanaged"],
|
|
||||||
deps = ["//vendor/k8s.io/apiserver/pkg/authentication/user:go_default_library"],
|
|
||||||
)
|
|
||||||
|
|
@ -1,42 +0,0 @@
|
||||||
/*
|
|
||||||
Copyright 2016 The Kubernetes Authors.
|
|
||||||
|
|
||||||
Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
you may not use this file except in compliance with the License.
|
|
||||||
You may obtain a copy of the License at
|
|
||||||
|
|
||||||
http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
|
|
||||||
Unless required by applicable law or agreed to in writing, software
|
|
||||||
distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
See the License for the specific language governing permissions and
|
|
||||||
limitations under the License.
|
|
||||||
*/
|
|
||||||
|
|
||||||
package anytoken
|
|
||||||
|
|
||||||
import (
|
|
||||||
"strings"
|
|
||||||
|
|
||||||
"k8s.io/apiserver/pkg/authentication/user"
|
|
||||||
)
|
|
||||||
|
|
||||||
type AnyTokenAuthenticator struct{}
|
|
||||||
|
|
||||||
func (AnyTokenAuthenticator) AuthenticateToken(value string) (user.Info, bool, error) {
|
|
||||||
lastSlash := strings.LastIndex(value, "/")
|
|
||||||
if lastSlash == -1 {
|
|
||||||
return &user.DefaultInfo{Name: value}, true, nil
|
|
||||||
}
|
|
||||||
|
|
||||||
ret := &user.DefaultInfo{Name: value[:lastSlash]}
|
|
||||||
|
|
||||||
groupString := value[lastSlash+1:]
|
|
||||||
if len(groupString) == 0 {
|
|
||||||
return ret, true, nil
|
|
||||||
}
|
|
||||||
|
|
||||||
ret.Groups = strings.Split(groupString, ",")
|
|
||||||
return ret, true, nil
|
|
||||||
}
|
|
||||||
|
|
@ -1,71 +0,0 @@
|
||||||
/*
|
|
||||||
Copyright 2016 The Kubernetes Authors.
|
|
||||||
|
|
||||||
Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
you may not use this file except in compliance with the License.
|
|
||||||
You may obtain a copy of the License at
|
|
||||||
|
|
||||||
http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
|
|
||||||
Unless required by applicable law or agreed to in writing, software
|
|
||||||
distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
See the License for the specific language governing permissions and
|
|
||||||
limitations under the License.
|
|
||||||
*/
|
|
||||||
|
|
||||||
package anytoken
|
|
||||||
|
|
||||||
import (
|
|
||||||
"reflect"
|
|
||||||
"testing"
|
|
||||||
|
|
||||||
"k8s.io/apiserver/pkg/authentication/user"
|
|
||||||
)
|
|
||||||
|
|
||||||
func TestAnyTokenAuthenticator(t *testing.T) {
|
|
||||||
tests := []struct {
|
|
||||||
name string
|
|
||||||
token string
|
|
||||||
|
|
||||||
expectedUser user.Info
|
|
||||||
}{
|
|
||||||
{
|
|
||||||
name: "user only",
|
|
||||||
token: "joe",
|
|
||||||
expectedUser: &user.DefaultInfo{Name: "joe"},
|
|
||||||
},
|
|
||||||
{
|
|
||||||
name: "user with slash",
|
|
||||||
token: "scheme/joe/",
|
|
||||||
expectedUser: &user.DefaultInfo{Name: "scheme/joe"},
|
|
||||||
},
|
|
||||||
{
|
|
||||||
name: "user with groups",
|
|
||||||
token: "joe/group1,group2",
|
|
||||||
expectedUser: &user.DefaultInfo{Name: "joe", Groups: []string{"group1", "group2"}},
|
|
||||||
},
|
|
||||||
{
|
|
||||||
name: "user with slash and groups",
|
|
||||||
token: "scheme/joe/group1,group2",
|
|
||||||
expectedUser: &user.DefaultInfo{Name: "scheme/joe", Groups: []string{"group1", "group2"}},
|
|
||||||
},
|
|
||||||
}
|
|
||||||
|
|
||||||
for _, tc := range tests {
|
|
||||||
actualUser, _, _ := AnyTokenAuthenticator{}.AuthenticateToken(tc.token)
|
|
||||||
|
|
||||||
if len(actualUser.GetExtra()) != 0 {
|
|
||||||
t.Errorf("%q: got extra: %v", tc.name, actualUser.GetExtra())
|
|
||||||
}
|
|
||||||
if len(actualUser.GetUID()) != 0 {
|
|
||||||
t.Errorf("%q: got extra: %v", tc.name, actualUser.GetUID())
|
|
||||||
}
|
|
||||||
if e, a := tc.expectedUser.GetName(), actualUser.GetName(); e != a {
|
|
||||||
t.Errorf("%q: expected %v, got %v", tc.name, e, a)
|
|
||||||
}
|
|
||||||
if e, a := tc.expectedUser.GetGroups(), actualUser.GetGroups(); !reflect.DeepEqual(e, a) {
|
|
||||||
t.Errorf("%q: expected %v, got %v", tc.name, e, a)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
Loading…
Reference in New Issue