authncache: remove namespace concept

Signed-off-by: Monis Khan <mok@vmware.com>
Monis Khan 2021-02-09 18:16:22 -05:00
parent 741b8fe88d
commit 2eb01bd307
7 changed files with 57 additions and 81 deletions


@ -28,10 +28,9 @@ type Cache struct {
} }
type Key struct { type Key struct {
APIGroup string APIGroup string
Kind string Kind string
Namespace string Name string
Name string
} }
type Value interface { type Value interface {
@ -74,7 +73,6 @@ func (c *Cache) Keys() []Key {
sort.Slice(result, func(i, j int) bool { sort.Slice(result, func(i, j int) bool {
return result[i].APIGroup < result[j].APIGroup || return result[i].APIGroup < result[j].APIGroup ||
result[i].Kind < result[j].Kind || result[i].Kind < result[j].Kind ||
result[i].Namespace < result[j].Namespace ||
result[i].Name < result[j].Name result[i].Name < result[j].Name
}) })
return result return result
@ -83,9 +81,8 @@ func (c *Cache) Keys() []Key {
func (c *Cache) AuthenticateTokenCredentialRequest(ctx context.Context, req *loginapi.TokenCredentialRequest) (user.Info, error) { func (c *Cache) AuthenticateTokenCredentialRequest(ctx context.Context, req *loginapi.TokenCredentialRequest) (user.Info, error) {
// Map the incoming request to a cache key. // Map the incoming request to a cache key.
key := Key{ key := Key{
Namespace: req.Namespace, Name: req.Spec.Authenticator.Name,
Name: req.Spec.Authenticator.Name, Kind: req.Spec.Authenticator.Kind,
Kind: req.Spec.Authenticator.Kind,
} }
if req.Spec.Authenticator.APIGroup != nil { if req.Spec.Authenticator.APIGroup != nil {
key.APIGroup = *req.Spec.Authenticator.APIGroup key.APIGroup = *req.Spec.Authenticator.APIGroup
@ -95,7 +92,7 @@ func (c *Cache) AuthenticateTokenCredentialRequest(ctx context.Context, req *log
if val == nil { if val == nil {
plog.Debug( plog.Debug(
"authenticator does not exist", "authenticator does not exist",
"authenticator", klog.KRef(key.Namespace, key.Name), "authenticator", klog.KRef("", key.Name),
"kind", key.Kind, "kind", key.Kind,
"apiGroup", key.APIGroup, "apiGroup", key.APIGroup,
) )
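Review bot: The comparator kept on the new side of the second hunk, `result[i].APIGroup < result[j].APIGroup || result[i].Kind < result[j].Kind || result[i].Name < result[j].Name`, is not a strict weak ordering: for the keys {APIGroup:"b", Kind:"a"} and {APIGroup:"a", Kind:"b"} it returns true in both directions, so sort.Slice may leave Keys() in an order that depends on insertion order. Dropping the Namespace clause is a good moment to compare the remaining fields lexicographically, as below; Keys begins outside the hunk. Separately, the key built in AuthenticateTokenCredentialRequest no longer carries req.Namespace, so a request naming authenticator X resolves to whichever same-kind X is cached regardless of the request's namespace, which is only correct if the authenticator resources are cluster-scoped — the commit message does not say so, and a line on the Key type such as `// Key identifies an authenticator; Name must be unique per Kind and APIGroup (no namespace scoping).` would record the assumption.
```go
sort.Slice(result, func(i, j int) bool {
	a, b := result[i], result[j]
	if a.APIGroup != b.APIGroup {
		return a.APIGroup < b.APIGroup
	}
	if a.Kind != b.Kind {
		return a.Kind < b.Kind
	}
	return a.Name < b.Name
})
// … unchanged: return result …
```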


@ -31,13 +31,13 @@ func TestCache(t *testing.T) {
cache := New() cache := New()
require.NotNil(t, cache) require.NotNil(t, cache)
key1 := Key{Namespace: "foo", Name: "authenticator-one"} key1 := Key{Name: "authenticator-one"}
mockToken1 := mocktokenauthenticator.NewMockToken(ctrl) mockToken1 := mocktokenauthenticator.NewMockToken(ctrl)
cache.Store(key1, mockToken1) cache.Store(key1, mockToken1)
require.Equal(t, mockToken1, cache.Get(key1)) require.Equal(t, mockToken1, cache.Get(key1))
require.Equal(t, 1, len(cache.Keys())) require.Equal(t, 1, len(cache.Keys()))
key2 := Key{Namespace: "foo", Name: "authenticator-two"} key2 := Key{Name: "authenticator-two"}
mockToken2 := mocktokenauthenticator.NewMockToken(ctrl) mockToken2 := mocktokenauthenticator.NewMockToken(ctrl)
cache.Store(key2, mockToken2) cache.Store(key2, mockToken2)
require.Equal(t, mockToken2, cache.Get(key2)) require.Equal(t, mockToken2, cache.Get(key2))
@ -50,11 +50,10 @@ func TestCache(t *testing.T) {
// Fill the cache back up with a fixed set of keys, but inserted in shuffled order. // Fill the cache back up with a fixed set of keys, but inserted in shuffled order.
keysInExpectedOrder := []Key{ keysInExpectedOrder := []Key{
{APIGroup: "a", Kind: "a", Namespace: "a", Name: "a"}, {APIGroup: "a", Kind: "a", Name: "a"},
{APIGroup: "b", Kind: "a", Namespace: "a", Name: "a"}, {APIGroup: "b", Kind: "a", Name: "a"},
{APIGroup: "b", Kind: "b", Namespace: "a", Name: "a"}, {APIGroup: "b", Kind: "b", Name: "a"},
{APIGroup: "b", Kind: "b", Namespace: "b", Name: "a"}, {APIGroup: "b", Kind: "b", Name: "b"},
{APIGroup: "b", Kind: "b", Namespace: "b", Name: "b"},
} }
for tries := 0; tries < 10; tries++ { for tries := 0; tries < 10; tries++ {
cache := New() cache := New()
@ -85,10 +84,9 @@ func TestAuthenticateTokenCredentialRequest(t *testing.T) {
Status: loginapi.TokenCredentialRequestStatus{}, Status: loginapi.TokenCredentialRequestStatus{},
} }
validRequestKey := Key{ validRequestKey := Key{
APIGroup: *validRequest.Spec.Authenticator.APIGroup, APIGroup: *validRequest.Spec.Authenticator.APIGroup,
Kind: validRequest.Spec.Authenticator.Kind, Kind: validRequest.Spec.Authenticator.Kind,
Namespace: validRequest.Namespace, Name: validRequest.Spec.Authenticator.Name,
Name: validRequest.Spec.Authenticator.Name,
} }
mockCache := func(t *testing.T, res *authenticator.Response, authenticated bool, err error) *Cache { mockCache := func(t *testing.T, res *authenticator.Response, authenticated bool, err error) *Cache {
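Review bot: The fixed key list in the second hunk (keysInExpectedOrder) only contains keys whose fields are ordered in the same direction pairwise, so the shuffled-insertion loop cannot detect a comparator that is not lexicographic over APIGroup, Kind, Name. Adding one key between the first and second entries where an earlier field is larger while a later field is smaller, e.g. `{APIGroup: "a", Kind: "b", Name: "b"},`, would make the ten shuffled tries exercise that case. TestCache begins outside the hunk.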


@ -72,19 +72,17 @@ func (c *controller) Sync(_ controllerlib.Context) error {
authenticatorSet := map[authncache.Key]bool{} authenticatorSet := map[authncache.Key]bool{}
for _, webhook := range webhooks { for _, webhook := range webhooks {
key := authncache.Key{ key := authncache.Key{
Namespace: webhook.Namespace, Name: webhook.Name,
Name: webhook.Name, Kind: "WebhookAuthenticator",
Kind: "WebhookAuthenticator", APIGroup: auth1alpha1.SchemeGroupVersion.Group,
APIGroup: auth1alpha1.SchemeGroupVersion.Group,
} }
authenticatorSet[key] = true authenticatorSet[key] = true
} }
for _, jwtAuthenticator := range jwtAuthenticators { for _, jwtAuthenticator := range jwtAuthenticators {
key := authncache.Key{ key := authncache.Key{
Namespace: jwtAuthenticator.Namespace, Name: jwtAuthenticator.Name,
Name: jwtAuthenticator.Name, Kind: "JWTAuthenticator",
Kind: "JWTAuthenticator", APIGroup: auth1alpha1.SchemeGroupVersion.Group,
APIGroup: auth1alpha1.SchemeGroupVersion.Group,
} }
authenticatorSet[key] = true authenticatorSet[key] = true
} }
@ -97,7 +95,7 @@ func (c *controller) Sync(_ controllerlib.Context) error {
if _, exists := authenticatorSet[key]; !exists { if _, exists := authenticatorSet[key]; !exists {
c.log.WithValues( c.log.WithValues(
"authenticator", "authenticator",
klog.KRef(key.Namespace, key.Name), klog.KRef("", key.Name),
"kind", "kind",
key.Kind, key.Kind,
).Info("deleting authenticator from cache") ).Info("deleting authenticator from cache")
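Review bot: `authenticatorSet := map[authncache.Key]bool{}` in the first hunk is used purely as a membership set (the later lookup is `_, exists := authenticatorSet[key]`), so `map[authncache.Key]struct{}` with `authenticatorSet[key] = struct{}{}` states that intent and stores nothing per entry. With Namespace gone from the key, two listed objects of the same kind and name now collapse to one set entry; if the webhooks and jwtAuthenticators listers (outside the hunk) still span namespaces, the cleaner would keep a single cache entry alive for both, so a one-line comment at the set construction stating that these resources are not namespace-scoped would spare the next reader the question. Sync begins outside the hunk.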


@ -26,34 +26,29 @@ func TestController(t *testing.T) {
t.Parallel() t.Parallel()
testWebhookKey1 := authncache.Key{ testWebhookKey1 := authncache.Key{
APIGroup: "authentication.concierge.pinniped.dev", APIGroup: "authentication.concierge.pinniped.dev",
Kind: "WebhookAuthenticator", Kind: "WebhookAuthenticator",
Namespace: "test-namespace", Name: "test-webhook-name-one",
Name: "test-webhook-name-one",
} }
testWebhookKey2 := authncache.Key{ testWebhookKey2 := authncache.Key{
APIGroup: "authentication.concierge.pinniped.dev", APIGroup: "authentication.concierge.pinniped.dev",
Kind: "WebhookAuthenticator", Kind: "WebhookAuthenticator",
Namespace: "test-namespace", Name: "test-webhook-name-two",
Name: "test-webhook-name-two",
} }
testJWTAuthenticatorKey1 := authncache.Key{ testJWTAuthenticatorKey1 := authncache.Key{
APIGroup: "authentication.concierge.pinniped.dev", APIGroup: "authentication.concierge.pinniped.dev",
Kind: "JWTAuthenticator", Kind: "JWTAuthenticator",
Namespace: "test-namespace", Name: "test-jwt-authenticator-name-one",
Name: "test-jwt-authenticator-name-one",
} }
testJWTAuthenticatorKey2 := authncache.Key{ testJWTAuthenticatorKey2 := authncache.Key{
APIGroup: "authentication.concierge.pinniped.dev", APIGroup: "authentication.concierge.pinniped.dev",
Kind: "JWTAuthenticator", Kind: "JWTAuthenticator",
Namespace: "test-namespace", Name: "test-jwt-authenticator-name-two",
Name: "test-jwt-authenticator-name-two",
} }
testKeyUnknownType := authncache.Key{ testKeyUnknownType := authncache.Key{
APIGroup: "authentication.concierge.pinniped.dev", APIGroup: "authentication.concierge.pinniped.dev",
Kind: "SomeOtherAuthenticator", Kind: "SomeOtherAuthenticator",
Namespace: "test-namespace", Name: "test-name-one",
Name: "test-name-one",
} }
tests := []struct { tests := []struct {
@ -73,14 +68,12 @@ func TestController(t *testing.T) {
objects: []runtime.Object{ objects: []runtime.Object{
&authv1alpha.WebhookAuthenticator{ &authv1alpha.WebhookAuthenticator{
ObjectMeta: metav1.ObjectMeta{ ObjectMeta: metav1.ObjectMeta{
Namespace: testWebhookKey1.Namespace, Name: testWebhookKey1.Name,
Name: testWebhookKey1.Name,
}, },
}, },
&authv1alpha.JWTAuthenticator{ &authv1alpha.JWTAuthenticator{
ObjectMeta: metav1.ObjectMeta{ ObjectMeta: metav1.ObjectMeta{
Namespace: testJWTAuthenticatorKey1.Namespace, Name: testJWTAuthenticatorKey1.Name,
Name: testJWTAuthenticatorKey1.Name,
}, },
}, },
}, },
@ -91,26 +84,22 @@ func TestController(t *testing.T) {
objects: []runtime.Object{ objects: []runtime.Object{
&authv1alpha.WebhookAuthenticator{ &authv1alpha.WebhookAuthenticator{
ObjectMeta: metav1.ObjectMeta{ ObjectMeta: metav1.ObjectMeta{
Namespace: testWebhookKey1.Namespace, Name: testWebhookKey1.Name,
Name: testWebhookKey1.Name,
}, },
}, },
&authv1alpha.WebhookAuthenticator{ &authv1alpha.WebhookAuthenticator{
ObjectMeta: metav1.ObjectMeta{ ObjectMeta: metav1.ObjectMeta{
Namespace: testWebhookKey2.Namespace, Name: testWebhookKey2.Name,
Name: testWebhookKey2.Name,
}, },
}, },
&authv1alpha.JWTAuthenticator{ &authv1alpha.JWTAuthenticator{
ObjectMeta: metav1.ObjectMeta{ ObjectMeta: metav1.ObjectMeta{
Namespace: testJWTAuthenticatorKey1.Namespace, Name: testJWTAuthenticatorKey1.Name,
Name: testJWTAuthenticatorKey1.Name,
}, },
}, },
&authv1alpha.JWTAuthenticator{ &authv1alpha.JWTAuthenticator{
ObjectMeta: metav1.ObjectMeta{ ObjectMeta: metav1.ObjectMeta{
Namespace: testJWTAuthenticatorKey2.Namespace, Name: testJWTAuthenticatorKey2.Name,
Name: testJWTAuthenticatorKey2.Name,
}, },
}, },
}, },
@ -128,20 +117,18 @@ func TestController(t *testing.T) {
objects: []runtime.Object{ objects: []runtime.Object{
&authv1alpha.WebhookAuthenticator{ &authv1alpha.WebhookAuthenticator{
ObjectMeta: metav1.ObjectMeta{ ObjectMeta: metav1.ObjectMeta{
Namespace: testWebhookKey1.Namespace, Name: testWebhookKey1.Name,
Name: testWebhookKey1.Name,
}, },
}, },
&authv1alpha.JWTAuthenticator{ &authv1alpha.JWTAuthenticator{
ObjectMeta: metav1.ObjectMeta{ ObjectMeta: metav1.ObjectMeta{
Namespace: testJWTAuthenticatorKey1.Namespace, Name: testJWTAuthenticatorKey1.Name,
Name: testJWTAuthenticatorKey1.Name,
}, },
}, },
}, },
wantLogs: []string{ wantLogs: []string{
`cachecleaner-controller "level"=0 "msg"="deleting authenticator from cache" "authenticator"={"name":"test-jwt-authenticator-name-two","namespace":"test-namespace"} "kind"="JWTAuthenticator"`, `cachecleaner-controller "level"=0 "msg"="deleting authenticator from cache" "authenticator"={"name":"test-jwt-authenticator-name-two"} "kind"="JWTAuthenticator"`,
`cachecleaner-controller "level"=0 "msg"="deleting authenticator from cache" "authenticator"={"name":"test-webhook-name-two","namespace":"test-namespace"} "kind"="WebhookAuthenticator"`, `cachecleaner-controller "level"=0 "msg"="deleting authenticator from cache" "authenticator"={"name":"test-webhook-name-two"} "kind"="WebhookAuthenticator"`,
}, },
wantCacheKeys: []authncache.Key{testWebhookKey1, testJWTAuthenticatorKey1, testKeyUnknownType}, wantCacheKeys: []authncache.Key{testWebhookKey1, testJWTAuthenticatorKey1, testKeyUnknownType},
}, },
@ -173,8 +160,7 @@ func TestController(t *testing.T) {
syncCtx := controllerlib.Context{ syncCtx := controllerlib.Context{
Context: ctx, Context: ctx,
Key: controllerlib.Key{ Key: controllerlib.Key{
Namespace: "test-namespace", Name: "test-webhook-name-one",
Name: "test-webhook-name-one",
}, },
} }


@ -98,10 +98,9 @@ func (c *controller) Sync(ctx controllerlib.Context) error {
} }
cacheKey := authncache.Key{ cacheKey := authncache.Key{
APIGroup: auth1alpha1.GroupName, APIGroup: auth1alpha1.GroupName,
Kind: "JWTAuthenticator", Kind: "JWTAuthenticator",
Namespace: ctx.Key.Namespace, Name: ctx.Key.Name,
Name: ctx.Key.Name,
} }
// If this authenticator already exists, then only recreate it if is different from the desired // If this authenticator already exists, then only recreate it if is different from the desired
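Review bot: The cache key in this hunk is assembled from the same three parts as the webhookcachefiller's Sync (`Kind: "WebhookAuthenticator"`), the cachecleaner's Sync, and the tests, so a typo in one of the bare Kind literals would silently produce a key that never matches and an authenticator that is never evicted or never found. A small constructor in authncache, e.g. `func NewKey(apiGroup, kind, name string) Key` alongside exported constants for the two Kind strings, would give the fillers, the cleaner and the tests one definition to agree on. Sync begins outside the hunk.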


@ -356,10 +356,9 @@ func TestController(t *testing.T) {
// We expected the cache to have an entry, so pull that entry from the cache and test it. // We expected the cache to have an entry, so pull that entry from the cache and test it.
expectedCacheKey := authncache.Key{ expectedCacheKey := authncache.Key{
APIGroup: auth1alpha1.GroupName, APIGroup: auth1alpha1.GroupName,
Kind: "JWTAuthenticator", Kind: "JWTAuthenticator",
Namespace: syncCtx.Key.Namespace, Name: syncCtx.Key.Name,
Name: syncCtx.Key.Name,
} }
cachedAuthenticator := cache.Get(expectedCacheKey) cachedAuthenticator := cache.Get(expectedCacheKey)
require.NotNil(t, cachedAuthenticator) require.NotNil(t, cachedAuthenticator)


@ -69,10 +69,9 @@ func (c *controller) Sync(ctx controllerlib.Context) error {
} }
c.cache.Store(authncache.Key{ c.cache.Store(authncache.Key{
APIGroup: auth1alpha1.GroupName, APIGroup: auth1alpha1.GroupName,
Kind: "WebhookAuthenticator", Kind: "WebhookAuthenticator",
Namespace: ctx.Key.Namespace, Name: ctx.Key.Name,
Name: ctx.Key.Name,
}, webhookAuthenticator) }, webhookAuthenticator)
c.log.WithValues("webhook", klog.KObj(obj), "endpoint", obj.Spec.Endpoint).Info("added new webhook authenticator") c.log.WithValues("webhook", klog.KObj(obj), "endpoint", obj.Spec.Endpoint).Info("added new webhook authenticator")
return nil return nil