Remove fallback support for implicitly choosing an IDP in TokenCredentialRequest.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
parent
07f0181fa3
commit
81f2362543
@ -18,12 +18,6 @@ import (
|
||||
var (
|
||||
// ErrNoSuchIDP is returned by Cache.AuthenticateTokenCredentialRequest() when the requested IDP is not configured.
|
||||
ErrNoSuchIDP = fmt.Errorf("no such identity provider")
|
||||
|
||||
// ErrNoIDPs is returned by Cache.AuthenticateTokenCredentialRequest() when there are no IDPs configured.
|
||||
ErrNoIDPs = fmt.Errorf("no identity providers are loaded")
|
||||
|
||||
// ErrIndeterminateIDP is returned by Cache.AuthenticateTokenCredentialRequest() when the correct IDP cannot be determined.
|
||||
ErrIndeterminateIDP = fmt.Errorf("could not uniquely match against an identity provider")
|
||||
)
|
||||
|
||||
// Cache implements the authenticator.Token interface by multiplexing across a dynamic set of identity providers
|
||||
@ -88,19 +82,6 @@ func (c *Cache) AuthenticateTokenCredentialRequest(ctx context.Context, req *log
|
||||
key.APIGroup = *req.Spec.IdentityProvider.APIGroup
|
||||
}
|
||||
|
||||
// If the IDP is unspecified (legacy requests), choose the single loaded IDP or fail if there is not exactly
|
||||
// one IDP configured.
|
||||
if key.Name == "" || key.Kind == "" || key.APIGroup == "" {
|
||||
keys := c.Keys()
|
||||
if len(keys) == 0 {
|
||||
return nil, ErrNoIDPs
|
||||
}
|
||||
if len(keys) > 1 {
|
||||
return nil, ErrIndeterminateIDP
|
||||
}
|
||||
key = keys[0]
|
||||
}
|
||||
|
||||
val := c.Get(key)
|
||||
if val == nil {
|
||||
return nil, ErrNoSuchIDP
|
||||
|
@ -51,41 +51,6 @@ func TestCache(t *testing.T) {
|
||||
func TestAuthenticateTokenCredentialRequest(t *testing.T) {
|
||||
t.Parallel()
|
||||
|
||||
t.Run("missing IDP selector", func(t *testing.T) {
|
||||
t.Run("no IDPs", func(t *testing.T) {
|
||||
c := New()
|
||||
res, err := c.AuthenticateTokenCredentialRequest(context.Background(), &loginapi.TokenCredentialRequest{})
|
||||
require.EqualError(t, err, "no identity providers are loaded")
|
||||
require.Nil(t, res)
|
||||
})
|
||||
|
||||
t.Run("multiple IDPs", func(t *testing.T) {
|
||||
c := New()
|
||||
c.Store(Key{Name: "idp-one"}, nil)
|
||||
c.Store(Key{Name: "idp-two"}, nil)
|
||||
res, err := c.AuthenticateTokenCredentialRequest(context.Background(), &loginapi.TokenCredentialRequest{})
|
||||
require.EqualError(t, err, "could not uniquely match against an identity provider")
|
||||
require.Nil(t, res)
|
||||
})
|
||||
|
||||
t.Run("single IDP", func(t *testing.T) {
|
||||
ctrl := gomock.NewController(t)
|
||||
defer ctrl.Finish()
|
||||
|
||||
c := New()
|
||||
mockToken := mocktokenauthenticator.NewMockToken(ctrl)
|
||||
mockToken.EXPECT().AuthenticateToken(gomock.Any(), "test-token").
|
||||
Return(&authenticator.Response{User: &user.DefaultInfo{Name: "test-user"}}, true, nil)
|
||||
c.Store(Key{Name: "idp-one"}, mockToken)
|
||||
|
||||
res, err := c.AuthenticateTokenCredentialRequest(context.Background(), &loginapi.TokenCredentialRequest{
|
||||
Spec: loginapi.TokenCredentialRequestSpec{Token: "test-token"},
|
||||
})
|
||||
require.NoError(t, err)
|
||||
require.Equal(t, "test-user", res.GetName())
|
||||
})
|
||||
})
|
||||
|
||||
validRequest := loginapi.TokenCredentialRequest{
|
||||
ObjectMeta: metav1.ObjectMeta{
|
||||
Namespace: "test-namespace",
|
||||
|