ContainerImage.Pinniped/internal/controller/authenticator/authncache/cache_test.go

// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0

package authncache

import (
	"context"
	"fmt"
	"math/rand"
	"testing"
	"time"

	"github.com/golang/mock/gomock"
	"github.com/stretchr/testify/require"
	corev1 "k8s.io/api/core/v1"
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
	"k8s.io/apiserver/pkg/authentication/authenticator"
	"k8s.io/apiserver/pkg/authentication/user"

	authv1alpha "go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1"
	loginapi "go.pinniped.dev/generated/latest/apis/concierge/login"
	"go.pinniped.dev/internal/mocks/mocktokenauthenticator"
)

func TestCache(t *testing.T) {
	t.Parallel()

	ctrl := gomock.NewController(t)
	defer ctrl.Finish()

	cache := New()
	require.NotNil(t, cache)

	key1 := Key{Name: "authenticator-one"}
	mockToken1 := mocktokenauthenticator.NewMockToken(ctrl)
	cache.Store(key1, mockToken1)
	require.Equal(t, mockToken1, cache.Get(key1))
	require.Equal(t, 1, len(cache.Keys()))

	key2 := Key{Name: "authenticator-two"}
	mockToken2 := mocktokenauthenticator.NewMockToken(ctrl)
	cache.Store(key2, mockToken2)
	require.Equal(t, mockToken2, cache.Get(key2))
	require.Equal(t, 2, len(cache.Keys()))

	for _, key := range cache.Keys() {
		cache.Delete(key)
	}
	require.Zero(t, len(cache.Keys()))

	// Fill the cache back up with a fixed set of keys, but inserted in shuffled order.
	keysInExpectedOrder := []Key{
		{APIGroup: "a", Kind: "a", Name: "a"},
		{APIGroup: "b", Kind: "a", Name: "a"},
		{APIGroup: "b", Kind: "b", Name: "a"},
		{APIGroup: "b", Kind: "b", Name: "b"},
	}
	for tries := 0; tries < 10; tries++ {
		cache := New()
		for _, i := range rand.Perm(len(keysInExpectedOrder)) {
			cache.Store(keysInExpectedOrder[i], nil)
		}

		// Expect that they come back out in sorted order.
		require.Equal(t, keysInExpectedOrder, cache.Keys())
	}
}

func TestAuthenticateTokenCredentialRequest(t *testing.T) {
	t.Parallel()

	validRequest := loginapi.TokenCredentialRequest{
		ObjectMeta: metav1.ObjectMeta{
			Namespace: "test-namespace",
		},
		Spec: loginapi.TokenCredentialRequestSpec{
			Authenticator: corev1.TypedLocalObjectReference{
				APIGroup: &authv1alpha.SchemeGroupVersion.Group,
				Kind:     "WebhookAuthenticator",
				Name:     "test-name",
			},
			Token: "test-token",
		},
		Status: loginapi.TokenCredentialRequestStatus{},
	}
	validRequestKey := Key{
		APIGroup: *validRequest.Spec.Authenticator.APIGroup,
		Kind:     validRequest.Spec.Authenticator.Kind,
		Name:     validRequest.Spec.Authenticator.Name,
	}

	mockCache := func(t *testing.T, res *authenticator.Response, authenticated bool, err error) *Cache {
		ctrl := gomock.NewController(t)
		t.Cleanup(ctrl.Finish)
		m := mocktokenauthenticator.NewMockToken(ctrl)
		m.EXPECT().AuthenticateToken(audienceFreeContext{}, validRequest.Spec.Token).Return(res, authenticated, err)
		c := New()
		c.Store(validRequestKey, m)
		return c
	}

	t.Run("no such authenticator", func(t *testing.T) {
		c := New()
		res, err := c.AuthenticateTokenCredentialRequest(context.Background(), validRequest.DeepCopy())
		require.EqualError(t, err, "no such authenticator")
		require.Nil(t, res)
	})

	t.Run("authenticator returns error", func(t *testing.T) {
		c := mockCache(t, nil, false, fmt.Errorf("some authenticator error"))
		res, err := c.AuthenticateTokenCredentialRequest(context.Background(), validRequest.DeepCopy())
		require.EqualError(t, err, "some authenticator error")
		require.Nil(t, res)
	})

	t.Run("authenticator returns unauthenticated without error", func(t *testing.T) {
		c := mockCache(t, &authenticator.Response{}, false, nil)
		res, err := c.AuthenticateTokenCredentialRequest(context.Background(), validRequest.DeepCopy())
		require.NoError(t, err)
		require.Nil(t, res)
	})

	t.Run("authenticator returns nil response without error", func(t *testing.T) {
		c := mockCache(t, nil, true, nil)
		res, err := c.AuthenticateTokenCredentialRequest(context.Background(), validRequest.DeepCopy())
		require.NoError(t, err)
		require.Nil(t, res)
	})

	t.Run("authenticator returns response with nil user", func(t *testing.T) {
		c := mockCache(t, &authenticator.Response{}, true, nil)
		res, err := c.AuthenticateTokenCredentialRequest(context.Background(), validRequest.DeepCopy())
		require.NoError(t, err)
		require.Nil(t, res)
	})

	t.Run("context is cancelled", func(t *testing.T) {
		ctrl := gomock.NewController(t)
		t.Cleanup(ctrl.Finish)
		m := mocktokenauthenticator.NewMockToken(ctrl)
		m.EXPECT().AuthenticateToken(gomock.Any(), validRequest.Spec.Token).DoAndReturn(
			func(ctx context.Context, token string) (*authenticator.Response, bool, error) {
				select {
				case <-time.After(2 * time.Second):
					require.Fail(t, "expected to be cancelled")
					return nil, true, nil
				case <-ctx.Done():
					return nil, false, ctx.Err()
				}
			},
		)
		c := New()
		c.Store(validRequestKey, m)

		ctx, cancel := context.WithCancel(context.Background())
		errchan := make(chan error)
		go func() {
			_, err := c.AuthenticateTokenCredentialRequest(ctx, validRequest.DeepCopy())
			errchan <- err
		}()
		cancel()
		require.EqualError(t, <-errchan, "context canceled")
	})

	t.Run("authenticator returns success", func(t *testing.T) {
		userInfo := user.DefaultInfo{
			Name:   "test-user",
			UID:    "test-uid",
			Groups: []string{"test-group-1", "test-group-2"},
			Extra:  map[string][]string{"extra-key-1": {"extra-value-1", "extra-value-2"}},
		}
		c := mockCache(t, &authenticator.Response{User: &userInfo}, true, nil)

		audienceCtx := authenticator.WithAudiences(context.Background(), authenticator.Audiences{"test-audience-1"})
		res, err := c.AuthenticateTokenCredentialRequest(audienceCtx, validRequest.DeepCopy())
		require.NoError(t, err)
		require.NotNil(t, res)
		require.Equal(t, "test-user", res.GetName())
		require.Equal(t, "test-uid", res.GetUID())
		require.Equal(t, []string{"test-group-1", "test-group-2"}, res.GetGroups())
		require.Equal(t, map[string][]string{"extra-key-1": {"extra-value-1", "extra-value-2"}}, res.GetExtra())
	})
}

type audienceFreeContext struct{}

func (audienceFreeContext) Matches(in interface{}) bool {
	ctx, isCtx := in.(context.Context)
	if !isCtx {
		return false
	}
	_, hasAudiences := authenticator.AudiencesFrom(ctx)
	return !hasAudiences
}

func (audienceFreeContext) String() string {
	return "is a context without authenticator audiences"
}
Changing references from 1.19 to 1.20 2021-01-07 22:58:09 +00:00			`// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.`
Save 2 lines by using inline-style comments for Copyright Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-09-16 14:19:51 +00:00			`// SPDX-License-Identifier: Apache-2.0`
Add a cache of active IDPs, which implements authenticator.Token. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-09-14 14:36:06 +00:00
Rename existing references to "IDP" and "Identity Provider". Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-10-30 19:02:21 +00:00			`package authncache`
Add a cache of active IDPs, which implements authenticator.Token. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-09-14 14:36:06 +00:00
			`import (`
			`"context"`
Add support for multiple IDPs selected using IdentityProvider field. This also has fallback compatibility support if no IDP is specified and there is exactly one IDP in the cache. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-09-21 16:37:54 +00:00			`"fmt"`
Sort idpcache keys to make things as deterministic as possible. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-09-22 14:50:34 +00:00			`"math/rand"`
Add a cache of active IDPs, which implements authenticator.Token. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-09-14 14:36:06 +00:00			`"testing"`
Add support for multiple IDPs selected using IdentityProvider field. This also has fallback compatibility support if no IDP is specified and there is exactly one IDP in the cache. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-09-21 16:37:54 +00:00			`"time"`
Add a cache of active IDPs, which implements authenticator.Token. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-09-14 14:36:06 +00:00
			`"github.com/golang/mock/gomock"`
			`"github.com/stretchr/testify/require"`
Add support for multiple IDPs selected using IdentityProvider field. This also has fallback compatibility support if no IDP is specified and there is exactly one IDP in the cache. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-09-21 16:37:54 +00:00			`corev1 "k8s.io/api/core/v1"`
			`metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"`
Add a cache of active IDPs, which implements authenticator.Token. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-09-14 14:36:06 +00:00			`"k8s.io/apiserver/pkg/authentication/authenticator"`
			`"k8s.io/apiserver/pkg/authentication/user"`

Use new 'go.pinniped.dev/generated/latest' package. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2021-02-16 19:00:08 +00:00			`authv1alpha "go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1"`
			`loginapi "go.pinniped.dev/generated/latest/apis/concierge/login"`
Add Go vanity import paths. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-09-18 19:56:24 +00:00			`"go.pinniped.dev/internal/mocks/mocktokenauthenticator"`
Add a cache of active IDPs, which implements authenticator.Token. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-09-14 14:36:06 +00:00			`)`

			`func TestCache(t *testing.T) {`
			`t.Parallel()`

Add support for multiple IDPs selected using IdentityProvider field. This also has fallback compatibility support if no IDP is specified and there is exactly one IDP in the cache. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-09-21 16:37:54 +00:00			`ctrl := gomock.NewController(t)`
			`defer ctrl.Finish()`

Revert server side token credential request API group changes Signed-off-by: Monis Khan <mok@vmware.com> 2021-02-09 20:51:35 +00:00			`cache := New()`
Add support for multiple IDPs selected using IdentityProvider field. This also has fallback compatibility support if no IDP is specified and there is exactly one IDP in the cache. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-09-21 16:37:54 +00:00			`require.NotNil(t, cache)`

authncache: remove namespace concept Signed-off-by: Monis Khan <mok@vmware.com> 2021-02-09 23:16:22 +00:00			`key1 := Key{Name: "authenticator-one"}`
Add support for multiple IDPs selected using IdentityProvider field. This also has fallback compatibility support if no IDP is specified and there is exactly one IDP in the cache. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-09-21 16:37:54 +00:00			`mockToken1 := mocktokenauthenticator.NewMockToken(ctrl)`
			`cache.Store(key1, mockToken1)`
			`require.Equal(t, mockToken1, cache.Get(key1))`
			`require.Equal(t, 1, len(cache.Keys()))`

authncache: remove namespace concept Signed-off-by: Monis Khan <mok@vmware.com> 2021-02-09 23:16:22 +00:00			`key2 := Key{Name: "authenticator-two"}`
Add support for multiple IDPs selected using IdentityProvider field. This also has fallback compatibility support if no IDP is specified and there is exactly one IDP in the cache. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-09-21 16:37:54 +00:00			`mockToken2 := mocktokenauthenticator.NewMockToken(ctrl)`
			`cache.Store(key2, mockToken2)`
			`require.Equal(t, mockToken2, cache.Get(key2))`
			`require.Equal(t, 2, len(cache.Keys()))`

			`for _, key := range cache.Keys() {`
			`cache.Delete(key)`
			`}`
			`require.Zero(t, len(cache.Keys()))`
Sort idpcache keys to make things as deterministic as possible. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-09-22 14:50:34 +00:00
			`// Fill the cache back up with a fixed set of keys, but inserted in shuffled order.`
			`keysInExpectedOrder := []Key{`
authncache: remove namespace concept Signed-off-by: Monis Khan <mok@vmware.com> 2021-02-09 23:16:22 +00:00			`{APIGroup: "a", Kind: "a", Name: "a"},`
			`{APIGroup: "b", Kind: "a", Name: "a"},`
			`{APIGroup: "b", Kind: "b", Name: "a"},`
			`{APIGroup: "b", Kind: "b", Name: "b"},`
Sort idpcache keys to make things as deterministic as possible. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-09-22 14:50:34 +00:00			`}`
			`for tries := 0; tries < 10; tries++ {`
Revert server side token credential request API group changes Signed-off-by: Monis Khan <mok@vmware.com> 2021-02-09 20:51:35 +00:00			`cache := New()`
Sort idpcache keys to make things as deterministic as possible. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-09-22 14:50:34 +00:00			`for _, i := range rand.Perm(len(keysInExpectedOrder)) {`
			`cache.Store(keysInExpectedOrder[i], nil)`
			`}`

			`// Expect that they come back out in sorted order.`
			`require.Equal(t, keysInExpectedOrder, cache.Keys())`
			`}`
Add support for multiple IDPs selected using IdentityProvider field. This also has fallback compatibility support if no IDP is specified and there is exactly one IDP in the cache. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-09-21 16:37:54 +00:00			`}`

			`func TestAuthenticateTokenCredentialRequest(t *testing.T) {`
			`t.Parallel()`

			`validRequest := loginapi.TokenCredentialRequest{`
			`ObjectMeta: metav1.ObjectMeta{`
			`Namespace: "test-namespace",`
Add a cache of active IDPs, which implements authenticator.Token. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-09-14 14:36:06 +00:00			`},`
Add support for multiple IDPs selected using IdentityProvider field. This also has fallback compatibility support if no IDP is specified and there is exactly one IDP in the cache. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-09-21 16:37:54 +00:00			`Spec: loginapi.TokenCredentialRequestSpec{`
Rename the IdentityProvider field to Authenticator in TokenCredentialRequest. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-10-30 17:41:21 +00:00			`Authenticator: corev1.TypedLocalObjectReference{`
Rename `idp.concierge.pinniped.dev` to `authentication.concierge.pinniped.dev`. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-10-30 16:03:25 +00:00			`APIGroup: &authv1alpha.SchemeGroupVersion.Group,`
Rename WebhookIdentityProvider to WebhookAuthenticator. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-10-30 16:39:26 +00:00			`Kind: "WebhookAuthenticator",`
Add support for multiple IDPs selected using IdentityProvider field. This also has fallback compatibility support if no IDP is specified and there is exactly one IDP in the cache. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-09-21 16:37:54 +00:00			`Name: "test-name",`
Add a cache of active IDPs, which implements authenticator.Token. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-09-14 14:36:06 +00:00			`},`
Add support for multiple IDPs selected using IdentityProvider field. This also has fallback compatibility support if no IDP is specified and there is exactly one IDP in the cache. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-09-21 16:37:54 +00:00			`Token: "test-token",`
Add a cache of active IDPs, which implements authenticator.Token. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-09-14 14:36:06 +00:00			`},`
Add support for multiple IDPs selected using IdentityProvider field. This also has fallback compatibility support if no IDP is specified and there is exactly one IDP in the cache. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-09-21 16:37:54 +00:00			`Status: loginapi.TokenCredentialRequestStatus{},`
			`}`
			`validRequestKey := Key{`
authncache: remove namespace concept Signed-off-by: Monis Khan <mok@vmware.com> 2021-02-09 23:16:22 +00:00			`APIGroup: *validRequest.Spec.Authenticator.APIGroup,`
			`Kind: validRequest.Spec.Authenticator.Kind,`
			`Name: validRequest.Spec.Authenticator.Name,`
Add a cache of active IDPs, which implements authenticator.Token. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-09-14 14:36:06 +00:00			`}`

Revert server side token credential request API group changes Signed-off-by: Monis Khan <mok@vmware.com> 2021-02-09 20:51:35 +00:00			`mockCache := func(t testing.T, res authenticator.Response, authenticated bool, err error) *Cache {`
Add support for multiple IDPs selected using IdentityProvider field. This also has fallback compatibility support if no IDP is specified and there is exactly one IDP in the cache. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-09-21 16:37:54 +00:00			`ctrl := gomock.NewController(t)`
			`t.Cleanup(ctrl.Finish)`
			`m := mocktokenauthenticator.NewMockToken(ctrl)`
Revert server side token credential request API group changes Signed-off-by: Monis Khan <mok@vmware.com> 2021-02-09 20:51:35 +00:00			`m.EXPECT().AuthenticateToken(audienceFreeContext{}, validRequest.Spec.Token).Return(res, authenticated, err)`
			`c := New()`
Add support for multiple IDPs selected using IdentityProvider field. This also has fallback compatibility support if no IDP is specified and there is exactly one IDP in the cache. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-09-21 16:37:54 +00:00			`c.Store(validRequestKey, m)`
			`return c`
			`}`

Rename existing references to "IDP" and "Identity Provider". Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-10-30 19:02:21 +00:00			`t.Run("no such authenticator", func(t *testing.T) {`
Revert server side token credential request API group changes Signed-off-by: Monis Khan <mok@vmware.com> 2021-02-09 20:51:35 +00:00			`c := New()`
Add support for multiple IDPs selected using IdentityProvider field. This also has fallback compatibility support if no IDP is specified and there is exactly one IDP in the cache. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-09-21 16:37:54 +00:00			`res, err := c.AuthenticateTokenCredentialRequest(context.Background(), validRequest.DeepCopy())`
Rename existing references to "IDP" and "Identity Provider". Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-10-30 19:02:21 +00:00			`require.EqualError(t, err, "no such authenticator")`
Add support for multiple IDPs selected using IdentityProvider field. This also has fallback compatibility support if no IDP is specified and there is exactly one IDP in the cache. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-09-21 16:37:54 +00:00			`require.Nil(t, res)`
			`})`

			`t.Run("authenticator returns error", func(t *testing.T) {`
Revert server side token credential request API group changes Signed-off-by: Monis Khan <mok@vmware.com> 2021-02-09 20:51:35 +00:00			`c := mockCache(t, nil, false, fmt.Errorf("some authenticator error"))`
Add support for multiple IDPs selected using IdentityProvider field. This also has fallback compatibility support if no IDP is specified and there is exactly one IDP in the cache. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-09-21 16:37:54 +00:00			`res, err := c.AuthenticateTokenCredentialRequest(context.Background(), validRequest.DeepCopy())`
			`require.EqualError(t, err, "some authenticator error")`
			`require.Nil(t, res)`
			`})`

			`t.Run("authenticator returns unauthenticated without error", func(t *testing.T) {`
Revert server side token credential request API group changes Signed-off-by: Monis Khan <mok@vmware.com> 2021-02-09 20:51:35 +00:00			`c := mockCache(t, &authenticator.Response{}, false, nil)`
Add support for multiple IDPs selected using IdentityProvider field. This also has fallback compatibility support if no IDP is specified and there is exactly one IDP in the cache. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-09-21 16:37:54 +00:00			`res, err := c.AuthenticateTokenCredentialRequest(context.Background(), validRequest.DeepCopy())`
			`require.NoError(t, err)`
			`require.Nil(t, res)`
			`})`

			`t.Run("authenticator returns nil response without error", func(t *testing.T) {`
Revert server side token credential request API group changes Signed-off-by: Monis Khan <mok@vmware.com> 2021-02-09 20:51:35 +00:00			`c := mockCache(t, nil, true, nil)`
Add support for multiple IDPs selected using IdentityProvider field. This also has fallback compatibility support if no IDP is specified and there is exactly one IDP in the cache. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-09-21 16:37:54 +00:00			`res, err := c.AuthenticateTokenCredentialRequest(context.Background(), validRequest.DeepCopy())`
			`require.NoError(t, err)`
			`require.Nil(t, res)`
			`})`
Add a cache of active IDPs, which implements authenticator.Token. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-09-14 14:36:06 +00:00
Add support for multiple IDPs selected using IdentityProvider field. This also has fallback compatibility support if no IDP is specified and there is exactly one IDP in the cache. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-09-21 16:37:54 +00:00			`t.Run("authenticator returns response with nil user", func(t *testing.T) {`
Revert server side token credential request API group changes Signed-off-by: Monis Khan <mok@vmware.com> 2021-02-09 20:51:35 +00:00			`c := mockCache(t, &authenticator.Response{}, true, nil)`
Add support for multiple IDPs selected using IdentityProvider field. This also has fallback compatibility support if no IDP is specified and there is exactly one IDP in the cache. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-09-21 16:37:54 +00:00			`res, err := c.AuthenticateTokenCredentialRequest(context.Background(), validRequest.DeepCopy())`
			`require.NoError(t, err)`
			`require.Nil(t, res)`
			`})`
Add a cache of active IDPs, which implements authenticator.Token. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-09-14 14:36:06 +00:00
Add support for multiple IDPs selected using IdentityProvider field. This also has fallback compatibility support if no IDP is specified and there is exactly one IDP in the cache. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-09-21 16:37:54 +00:00			`t.Run("context is cancelled", func(t *testing.T) {`
			`ctrl := gomock.NewController(t)`
			`t.Cleanup(ctrl.Finish)`
			`m := mocktokenauthenticator.NewMockToken(ctrl)`
			`m.EXPECT().AuthenticateToken(gomock.Any(), validRequest.Spec.Token).DoAndReturn(`
			`func(ctx context.Context, token string) (*authenticator.Response, bool, error) {`
			`select {`
			`case <-time.After(2 * time.Second):`
			`require.Fail(t, "expected to be cancelled")`
			`return nil, true, nil`
			`case <-ctx.Done():`
			`return nil, false, ctx.Err()`
Add a cache of active IDPs, which implements authenticator.Token. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-09-14 14:36:06 +00:00			`}`
Add support for multiple IDPs selected using IdentityProvider field. This also has fallback compatibility support if no IDP is specified and there is exactly one IDP in the cache. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-09-21 16:37:54 +00:00			`},`
			`)`
Revert server side token credential request API group changes Signed-off-by: Monis Khan <mok@vmware.com> 2021-02-09 20:51:35 +00:00			`c := New()`
Add support for multiple IDPs selected using IdentityProvider field. This also has fallback compatibility support if no IDP is specified and there is exactly one IDP in the cache. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-09-21 16:37:54 +00:00			`c.Store(validRequestKey, m)`
Add a cache of active IDPs, which implements authenticator.Token. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-09-14 14:36:06 +00:00
Add support for multiple IDPs selected using IdentityProvider field. This also has fallback compatibility support if no IDP is specified and there is exactly one IDP in the cache. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-09-21 16:37:54 +00:00			`ctx, cancel := context.WithCancel(context.Background())`
			`errchan := make(chan error)`
			`go func() {`
			`_, err := c.AuthenticateTokenCredentialRequest(ctx, validRequest.DeepCopy())`
			`errchan <- err`
			`}()`
			`cancel()`
			`require.EqualError(t, <-errchan, "context canceled")`
			`})`

			`t.Run("authenticator returns success", func(t *testing.T) {`
			`userInfo := user.DefaultInfo{`
			`Name: "test-user",`
			`UID: "test-uid",`
			`Groups: []string{"test-group-1", "test-group-2"},`
			`Extra: map[string][]string{"extra-key-1": {"extra-value-1", "extra-value-2"}},`
			`}`
Revert server side token credential request API group changes Signed-off-by: Monis Khan <mok@vmware.com> 2021-02-09 20:51:35 +00:00			`c := mockCache(t, &authenticator.Response{User: &userInfo}, true, nil)`
Add support for multiple IDPs selected using IdentityProvider field. This also has fallback compatibility support if no IDP is specified and there is exactly one IDP in the cache. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-09-21 16:37:54 +00:00
			`audienceCtx := authenticator.WithAudiences(context.Background(), authenticator.Audiences{"test-audience-1"})`
			`res, err := c.AuthenticateTokenCredentialRequest(audienceCtx, validRequest.DeepCopy())`
			`require.NoError(t, err)`
			`require.NotNil(t, res)`
			`require.Equal(t, "test-user", res.GetName())`
			`require.Equal(t, "test-uid", res.GetUID())`
			`require.Equal(t, []string{"test-group-1", "test-group-2"}, res.GetGroups())`
			`require.Equal(t, map[string][]string{"extra-key-1": {"extra-value-1", "extra-value-2"}}, res.GetExtra())`
			`})`
			`}`

			`type audienceFreeContext struct{}`

			`func (audienceFreeContext) Matches(in interface{}) bool {`
			`ctx, isCtx := in.(context.Context)`
			`if !isCtx {`
			`return false`
Add a cache of active IDPs, which implements authenticator.Token. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-09-14 14:36:06 +00:00			`}`
Add support for multiple IDPs selected using IdentityProvider field. This also has fallback compatibility support if no IDP is specified and there is exactly one IDP in the cache. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-09-21 16:37:54 +00:00			`_, hasAudiences := authenticator.AudiencesFrom(ctx)`
			`return !hasAudiences`
			`}`

			`func (audienceFreeContext) String() string {`
			`return "is a context without authenticator audiences"`
Add a cache of active IDPs, which implements authenticator.Token. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-09-14 14:36:06 +00:00			`}`