ContainerImage.Pinniped/internal/authenticators/authenticators.go

// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0

// Package authenticators contains authenticator interfaces.
package authenticators

import (
	"context"

	"k8s.io/apiserver/pkg/authentication/user"
)

// This interface is similar to the k8s token authenticator, but works with username/passwords instead
// of a single token string.
//
// The return values should be as follows.
// 1. For a successful authentication:
//    - A response which includes the username, uid, and groups in the userInfo. The username and uid must not be blank.
//    - true
//    - nil error
// 2. For an unsuccessful authentication, e.g. bad username or password:
//    - nil response
//    - false
//    - nil error
// 3. For an unexpected error, e.g. a network problem:
//    - nil response
//    - false
//    - an error
// Other combinations of return values must be avoided.
//
// See k8s.io/apiserver/pkg/authentication/authenticator/interfaces.go for the token authenticator
// interface, as well as the Response type.
type UserAuthenticator interface {
	AuthenticateUser(ctx context.Context, username, password string, grantedScopes []string) (*Response, bool, error)
}

type Response struct {
	User                   user.Info
	DN                     string
	ExtraRefreshAttributes map[string]string
}
Merge branch 'main' into upstream_access_revocation_during_gc 2022-01-14 18:49:22 +00:00			`// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.`
Supervisor pre-factor to make room for upstream LDAP identity providers 2021-04-07 23:12:13 +00:00			`// SPDX-License-Identifier: Apache-2.0`

More LDAP WIP: started controller and LDAP server connection code Both are unfinished works in progress. 2021-04-10 01:49:43 +00:00			`// Package authenticators contains authenticator interfaces.`
			`package authenticators`
Supervisor pre-factor to make room for upstream LDAP identity providers 2021-04-07 23:12:13 +00:00
			`import (`
			`"context"`

Addressing code review changes - changed to use custom authenticators.Response rather than the k8s one that doesn't include space for a DN - Added more checking for correct idp type in token handler - small style changes Signed-off-by: Margo Crawford <margaretc@vmware.com> 2021-11-03 17:33:22 +00:00			`"k8s.io/apiserver/pkg/authentication/user"`
Supervisor pre-factor to make room for upstream LDAP identity providers 2021-04-07 23:12:13 +00:00			`)`

			`// This interface is similar to the k8s token authenticator, but works with username/passwords instead`
			`// of a single token string.`
			`//`
Implement upstream LDAP support in auth_handler.go - When the upstream IDP is an LDAP IDP and the user's LDAP username and password are received as new custom headers, then authenticate the user and, if authentication was successful, return a redirect with an authcode. Handle errors according to the OAuth/OIDC specs. - Still does not support having multiple upstream IDPs defined at the same time, which was an existing limitation of this endpoint. - Does not yet include the actual LDAP authentication, which is hidden behind an interface from the point of view of auth_handler.go - Move the oidctestutil package to the testutil directory. - Add an interface for Fosite storage to avoid a cyclical test dependency. - Add GetURL() to the UpstreamLDAPIdentityProviderI interface. - Extract test helpers to be shared between callback_handler_test.go and auth_handler_test.go because the authcode and fosite storage assertions should be identical. - Backfill Content-Type assertions in callback_handler_test.go. Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2021-04-09 00:28:01 +00:00			`// The return values should be as follows.`
			`// 1. For a successful authentication:`
			`// - A response which includes the username, uid, and groups in the userInfo. The username and uid must not be blank.`
			`// - true`
			`// - nil error`
			`// 2. For an unsuccessful authentication, e.g. bad username or password:`
			`// - nil response`
			`// - false`
			`// - nil error`
			`// 3. For an unexpected error, e.g. a network problem:`
			`// - nil response`
			`// - false`
			`// - an error`
			`// Other combinations of return values must be avoided.`
			`//`
Supervisor pre-factor to make room for upstream LDAP identity providers 2021-04-07 23:12:13 +00:00			`// See k8s.io/apiserver/pkg/authentication/authenticator/interfaces.go for the token authenticator`
			`// interface, as well as the Response type.`
			`type UserAuthenticator interface {`
Don't do ldap group search when group scope not specified Signed-off-by: Margo Crawford <margaretc@vmware.com> 2022-06-22 17:58:08 +00:00			`AuthenticateUser(ctx context.Context, username, password string, grantedScopes []string) (*Response, bool, error)`
Addressing code review changes - changed to use custom authenticators.Response rather than the k8s one that doesn't include space for a DN - Added more checking for correct idp type in token handler - small style changes Signed-off-by: Margo Crawford <margaretc@vmware.com> 2021-11-03 17:33:22 +00:00			`}`

			`type Response struct {`
Move ad specific stuff to controller also make extra refresh attributes a separate field rather than part of Extra Signed-off-by: Margo Crawford <margaretc@vmware.com> 2021-12-09 22:02:40 +00:00			`User user.Info`
			`DN string`
			`ExtraRefreshAttributes map[string]string`
Supervisor pre-factor to make room for upstream LDAP identity providers 2021-04-07 23:12:13 +00:00			`}`