ContainerImage.Pinniped/internal/controller/authenticator/authncache/cache.go

// Copyright 2020 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0

// Package authncache implements a cache of active authenticators.
package authncache

import (
	"context"
	"fmt"
	"sort"
	"sync"

	"k8s.io/apiserver/pkg/authentication/authenticator"
	"k8s.io/apiserver/pkg/authentication/user"

	loginapi "go.pinniped.dev/generated/1.19/apis/concierge/login"
)

var (
	// ErrNoSuchAuthenticator is returned by Cache.AuthenticateTokenCredentialRequest() when the requested authenticator is not configured.
	ErrNoSuchAuthenticator = fmt.Errorf("no such authenticator")
)

// Cache implements the authenticator.Token interface by multiplexing across a dynamic set of authenticators
// loaded from authenticator resources.
type Cache struct {
	cache sync.Map
}

type Key struct {
	APIGroup  string
	Kind      string
	Namespace string
	Name      string
}

type Value interface {
	authenticator.Token
}

// New returns an empty cache.
func New() *Cache {
	return &Cache{}
}

// Get an authenticator by key.
func (c *Cache) Get(key Key) Value {
	res, _ := c.cache.Load(key)
	if res == nil {
		return nil
	}
	return res.(Value)
}

// Store an authenticator into the cache.
func (c *Cache) Store(key Key, value Value) {
	c.cache.Store(key, value)
}

// Delete an authenticator from the cache.
func (c *Cache) Delete(key Key) {
	c.cache.Delete(key)
}

// Keys currently stored in the cache.
func (c *Cache) Keys() []Key {
	var result []Key
	c.cache.Range(func(key, _ interface{}) bool {
		result = append(result, key.(Key))
		return true
	})

	// Sort the results for consistency.
	sort.Slice(result, func(i, j int) bool {
		return result[i].APIGroup < result[j].APIGroup ||
			result[i].Kind < result[j].Kind ||
			result[i].Namespace < result[j].Namespace ||
			result[i].Name < result[j].Name
	})
	return result
}

func (c *Cache) AuthenticateTokenCredentialRequest(ctx context.Context, req *loginapi.TokenCredentialRequest) (user.Info, error) {
	// Map the incoming request to a cache key.
	key := Key{
		Namespace: req.Namespace,
		Name:      req.Spec.Authenticator.Name,
		Kind:      req.Spec.Authenticator.Kind,
	}
	if req.Spec.Authenticator.APIGroup != nil {
		key.APIGroup = *req.Spec.Authenticator.APIGroup
	}

	val := c.Get(key)
	if val == nil {
		return nil, ErrNoSuchAuthenticator
	}

	// The incoming context could have an audience. Since we do not want to handle audiences right now, do not pass it
	// through directly to the authentication webhook.
	ctx = valuelessContext{ctx}

	// Call the selected authenticator.
	resp, authenticated, err := val.AuthenticateToken(ctx, req.Spec.Token)
	if err != nil {
		return nil, err
	}
	if !authenticated {
		return nil, nil
	}

	// Return the user.Info from the response (if it is non-nil).
	var respUser user.Info
	if resp != nil {
		respUser = resp.User
	}
	return respUser, nil
}

type valuelessContext struct{ context.Context }

func (valuelessContext) Value(interface{}) interface{} { return nil }
Save 2 lines by using inline-style comments for Copyright Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-09-16 14:19:51 +00:00			`// Copyright 2020 the Pinniped contributors. All Rights Reserved.`
			`// SPDX-License-Identifier: Apache-2.0`
Add a cache of active IDPs, which implements authenticator.Token. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-09-14 14:36:06 +00:00
Rename existing references to "IDP" and "Identity Provider". Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-10-30 19:02:21 +00:00			`// Package authncache implements a cache of active authenticators.`
			`package authncache`
Add a cache of active IDPs, which implements authenticator.Token. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-09-14 14:36:06 +00:00
			`import (`
			`"context"`
			`"fmt"`
Sort idpcache keys to make things as deterministic as possible. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-09-22 14:50:34 +00:00			`"sort"`
Add a cache of active IDPs, which implements authenticator.Token. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-09-14 14:36:06 +00:00			`"sync"`

			`"k8s.io/apiserver/pkg/authentication/authenticator"`
Add support for multiple IDPs selected using IdentityProvider field. This also has fallback compatibility support if no IDP is specified and there is exactly one IDP in the cache. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-09-21 16:37:54 +00:00			`"k8s.io/apiserver/pkg/authentication/user"`
Add a cache of active IDPs, which implements authenticator.Token. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-09-14 14:36:06 +00:00
Rename login API to `login.concierge.pinniped.dev`. This is the first of a few related changes that re-organize our API after the big recent changes that introduced the supervisor component. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-10-30 14:34:43 +00:00			`loginapi "go.pinniped.dev/generated/1.19/apis/concierge/login"`
Add a cache of active IDPs, which implements authenticator.Token. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-09-14 14:36:06 +00:00			`)`

			`var (`
Rename existing references to "IDP" and "Identity Provider". Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-10-30 19:02:21 +00:00			`// ErrNoSuchAuthenticator is returned by Cache.AuthenticateTokenCredentialRequest() when the requested authenticator is not configured.`
			`ErrNoSuchAuthenticator = fmt.Errorf("no such authenticator")`
Add a cache of active IDPs, which implements authenticator.Token. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-09-14 14:36:06 +00:00			`)`

Rename existing references to "IDP" and "Identity Provider". Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-10-30 19:02:21 +00:00			`// Cache implements the authenticator.Token interface by multiplexing across a dynamic set of authenticators`
			`// loaded from authenticator resources.`
Add a cache of active IDPs, which implements authenticator.Token. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-09-14 14:36:06 +00:00			`type Cache struct {`
			`cache sync.Map`
			`}`

Add support for multiple IDPs selected using IdentityProvider field. This also has fallback compatibility support if no IDP is specified and there is exactly one IDP in the cache. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-09-21 16:37:54 +00:00			`type Key struct {`
			`APIGroup string`
			`Kind string`
			`Namespace string`
			`Name string`
			`}`

			`type Value interface {`
			`authenticator.Token`
			`}`

Add a cache of active IDPs, which implements authenticator.Token. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-09-14 14:36:06 +00:00			`// New returns an empty cache.`
			`func New() *Cache {`
			`return &Cache{}`
			`}`

Rename existing references to "IDP" and "Identity Provider". Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-10-30 19:02:21 +00:00			`// Get an authenticator by key.`
Add support for multiple IDPs selected using IdentityProvider field. This also has fallback compatibility support if no IDP is specified and there is exactly one IDP in the cache. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-09-21 16:37:54 +00:00			`func (c *Cache) Get(key Key) Value {`
			`res, _ := c.cache.Load(key)`
			`if res == nil {`
			`return nil`
			`}`
			`return res.(Value)`
			`}`

Rename existing references to "IDP" and "Identity Provider". Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-10-30 19:02:21 +00:00			`// Store an authenticator into the cache.`
Add support for multiple IDPs selected using IdentityProvider field. This also has fallback compatibility support if no IDP is specified and there is exactly one IDP in the cache. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-09-21 16:37:54 +00:00			`func (c *Cache) Store(key Key, value Value) {`
Add a cache of active IDPs, which implements authenticator.Token. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-09-14 14:36:06 +00:00			`c.cache.Store(key, value)`
			`}`

Rename existing references to "IDP" and "Identity Provider". Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-10-30 19:02:21 +00:00			`// Delete an authenticator from the cache.`
Add support for multiple IDPs selected using IdentityProvider field. This also has fallback compatibility support if no IDP is specified and there is exactly one IDP in the cache. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-09-21 16:37:54 +00:00			`func (c *Cache) Delete(key Key) {`
Add a cache of active IDPs, which implements authenticator.Token. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-09-14 14:36:06 +00:00			`c.cache.Delete(key)`
			`}`

			`// Keys currently stored in the cache.`
Add support for multiple IDPs selected using IdentityProvider field. This also has fallback compatibility support if no IDP is specified and there is exactly one IDP in the cache. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-09-21 16:37:54 +00:00			`func (c *Cache) Keys() []Key {`
			`var result []Key`
Add a cache of active IDPs, which implements authenticator.Token. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-09-14 14:36:06 +00:00			`c.cache.Range(func(key, _ interface{}) bool {`
Add support for multiple IDPs selected using IdentityProvider field. This also has fallback compatibility support if no IDP is specified and there is exactly one IDP in the cache. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-09-21 16:37:54 +00:00			`result = append(result, key.(Key))`
Add a cache of active IDPs, which implements authenticator.Token. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-09-14 14:36:06 +00:00			`return true`
			`})`
Sort idpcache keys to make things as deterministic as possible. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-09-22 14:50:34 +00:00
			`// Sort the results for consistency.`
			`sort.Slice(result, func(i, j int) bool {`
			`return result[i].APIGroup < result[j].APIGroup \|\|`
			`result[i].Kind < result[j].Kind \|\|`
			`result[i].Namespace < result[j].Namespace \|\|`
			`result[i].Name < result[j].Name`
			`})`
Add a cache of active IDPs, which implements authenticator.Token. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-09-14 14:36:06 +00:00			`return result`
			`}`

Add support for multiple IDPs selected using IdentityProvider field. This also has fallback compatibility support if no IDP is specified and there is exactly one IDP in the cache. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-09-21 16:37:54 +00:00			`func (c Cache) AuthenticateTokenCredentialRequest(ctx context.Context, req loginapi.TokenCredentialRequest) (user.Info, error) {`
			`// Map the incoming request to a cache key.`
			`key := Key{`
			`Namespace: req.Namespace,`
Rename the IdentityProvider field to Authenticator in TokenCredentialRequest. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-10-30 17:41:21 +00:00			`Name: req.Spec.Authenticator.Name,`
			`Kind: req.Spec.Authenticator.Kind,`
Add support for multiple IDPs selected using IdentityProvider field. This also has fallback compatibility support if no IDP is specified and there is exactly one IDP in the cache. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-09-21 16:37:54 +00:00			`}`
Rename the IdentityProvider field to Authenticator in TokenCredentialRequest. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-10-30 17:41:21 +00:00			`if req.Spec.Authenticator.APIGroup != nil {`
			`key.APIGroup = *req.Spec.Authenticator.APIGroup`
Add support for multiple IDPs selected using IdentityProvider field. This also has fallback compatibility support if no IDP is specified and there is exactly one IDP in the cache. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-09-21 16:37:54 +00:00			`}`
Add a cache of active IDPs, which implements authenticator.Token. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-09-14 14:36:06 +00:00
Add support for multiple IDPs selected using IdentityProvider field. This also has fallback compatibility support if no IDP is specified and there is exactly one IDP in the cache. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-09-21 16:37:54 +00:00			`val := c.Get(key)`
			`if val == nil {`
Rename existing references to "IDP" and "Identity Provider". Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-10-30 19:02:21 +00:00			`return nil, ErrNoSuchAuthenticator`
Add a cache of active IDPs, which implements authenticator.Token. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-09-14 14:36:06 +00:00			`}`

Add support for multiple IDPs selected using IdentityProvider field. This also has fallback compatibility support if no IDP is specified and there is exactly one IDP in the cache. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-09-21 16:37:54 +00:00			`// The incoming context could have an audience. Since we do not want to handle audiences right now, do not pass it`
			`// through directly to the authentication webhook.`
			`ctx = valuelessContext{ctx}`

Rename existing references to "IDP" and "Identity Provider". Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-10-30 19:02:21 +00:00			`// Call the selected authenticator.`
Add support for multiple IDPs selected using IdentityProvider field. This also has fallback compatibility support if no IDP is specified and there is exactly one IDP in the cache. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-09-21 16:37:54 +00:00			`resp, authenticated, err := val.AuthenticateToken(ctx, req.Spec.Token)`
			`if err != nil {`
			`return nil, err`
			`}`
			`if !authenticated {`
			`return nil, nil`
			`}`

			`// Return the user.Info from the response (if it is non-nil).`
			`var respUser user.Info`
			`if resp != nil {`
			`respUser = resp.User`
			`}`
			`return respUser, nil`
Add a cache of active IDPs, which implements authenticator.Token. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-09-14 14:36:06 +00:00			`}`
Add support for multiple IDPs selected using IdentityProvider field. This also has fallback compatibility support if no IDP is specified and there is exactly one IDP in the cache. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-09-21 16:37:54 +00:00
			`type valuelessContext struct{ context.Context }`

			`func (valuelessContext) Value(interface{}) interface{} { return nil }`