From b411a20b15541c3d727ba6ee566f0a0ad9a3045f Mon Sep 17 00:00:00 2001
From: Mike Danese
Date: Tue, 9 Oct 2018 10:22:06 -0700
Subject: [PATCH] tokenreview: authenticator interface changes

Kubernetes-commit: 11be17175798773a1011afad8d0a9119254e728c
---
 .../authenticator/interfaces.go | 52 ++++++++++++-------
 1 file changed, 32 insertions(+), 20 deletions(-)

diff --git a/pkg/authentication/authenticator/interfaces.go b/pkg/authentication/authenticator/interfaces.go
index fd3d0383e..e3b1b622c 100644
--- a/pkg/authentication/authenticator/interfaces.go
+++ b/pkg/authentication/authenticator/interfaces.go
@@ -17,52 +17,64 @@ limitations under the License.
 package authenticator
 
 import (
+ "context"
 "net/http"
 
 "k8s.io/apiserver/pkg/authentication/user"
 )
 
-// Token checks a string value against a backing authentication store and returns
-// information about the current user and true if successful, false if not successful,
-// or an error if the token could not be checked.
+// Token checks a string value against a backing authentication store and
+// returns a Response or an error if the token could not be checked.
 type Token interface {
- AuthenticateToken(token string) (user.Info, bool, error)
+ AuthenticateToken(ctx context.Context, token string) (*Response, bool, error)
 }
 
-// Request attempts to extract authentication information from a request and returns
-// information about the current user and true if successful, false if not successful,
-// or an error if the request could not be checked.
+// Request attempts to extract authentication information from a request and
+// returns a Response or an error if the request could not be checked.
 type Request interface {
- AuthenticateRequest(req *http.Request) (user.Info, bool, error)
+ AuthenticateRequest(req *http.Request) (*Response, bool, error)
 }
 
-// Password checks a username and password against a backing authentication store and
-// returns information about the user and true if successful, false if not successful,
-// or an error if the username and password could not be checked
+// Password checks a username and password against a backing authentication
+// store and returns a Response or an error if the password could not be
+// checked.
 type Password interface {
- AuthenticatePassword(user, password string) (user.Info, bool, error)
+ AuthenticatePassword(ctx context.Context, user, password string) (*Response, bool, error)
 }
 
 // TokenFunc is a function that implements the Token interface.
-type TokenFunc func(token string) (user.Info, bool, error)
+type TokenFunc func(ctx context.Context, token string) (*Response, bool, error)
 
 // AuthenticateToken implements authenticator.Token.
-func (f TokenFunc) AuthenticateToken(token string) (user.Info, bool, error) {
- return f(token)
+func (f TokenFunc) AuthenticateToken(ctx context.Context, token string) (*Response, bool, error) {
+ return f(ctx, token)
 }
 
 // RequestFunc is a function that implements the Request interface.
-type RequestFunc func(req *http.Request) (user.Info, bool, error)
+type RequestFunc func(req *http.Request) (*Response, bool, error)
 
 // AuthenticateRequest implements authenticator.Request.
-func (f RequestFunc) AuthenticateRequest(req *http.Request) (user.Info, bool, error) {
+func (f RequestFunc) AuthenticateRequest(req *http.Request) (*Response, bool, error) {
 return f(req)
 }
 
 // PasswordFunc is a function that implements the Password interface.
-type PasswordFunc func(user, password string) (user.Info, bool, error)
+type PasswordFunc func(ctx context.Context, user, password string) (*Response, bool, error)
 
 // AuthenticatePassword implements authenticator.Password.
-func (f PasswordFunc) AuthenticatePassword(user, password string) (user.Info, bool, error) {
- return f(user, password)
+func (f PasswordFunc) AuthenticatePassword(ctx context.Context, user, password string) (*Response, bool, error) {
+ return f(ctx, user, password)
+}
+
+// Response is the struct returned by authenticator interfaces upon successful
+// authentication. It contains information about whether the authenticator
+// authenticated the request, information about the context of the
+// authentication, and information about the authenticated user.
+type Response struct {
+ // Audiences is the set of audiences the authenticator was able to validate
+ // the token against. If the authenticator is not audience aware, this field
+ // will be empty.
+ Audiences Audiences
+ // User is the UserInfo associated with the authentication context.
+ User user.Info
 }
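Review bot: The rewritten doc comments on Token, Request and Password no longer describe the bool result, although all three new signatures still return `(*Response, bool, error)`; an implementer can no longer tell from the interface whether a non-nil *Response with ok=false, or a nil *Response with ok=true, is a legal return, and a caller that checks only the pointer or only the bool could disagree with one that checks both. Suggest restoring the tri-state wording in each comment, e.g. `// returns a Response and true if successful, false if not successful, or an error if the token could not be checked.`, and adding to the Response comment that `User` is expected to be non-nil whenever the bool is true. `Audiences` is used as the field type but is not defined in this hunk; presumably it lives elsewhere in the package, which is worth a one-line cross-reference on the field.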