From 81f2362543f31c38269f1b2c0335a8cb8e2e2610 Mon Sep 17 00:00:00 2001
From: Matt Moyer
Date: Mon, 21 Sep 2020 17:42:27 -0500
Subject: [PATCH] Remove fallback support for implicitly choosing an IDP in TokenCredentialRequest.

Signed-off-by: Matt Moyer
---
 .../identityprovider/idpcache/cache.go | 19 ----------
 .../identityprovider/idpcache/cache_test.go | 35 -------------------
 2 files changed, 54 deletions(-)

diff --git a/internal/controller/identityprovider/idpcache/cache.go b/internal/controller/identityprovider/idpcache/cache.go
index ddbe63c7..d9ffa614 100644
--- a/internal/controller/identityprovider/idpcache/cache.go
+++ b/internal/controller/identityprovider/idpcache/cache.go
@@ -18,12 +18,6 @@ import (
 var (
 	// ErrNoSuchIDP is returned by Cache.AuthenticateTokenCredentialRequest() when the requested IDP is not configured.
 	ErrNoSuchIDP = fmt.Errorf("no such identity provider")
-
-	// ErrNoIDPs is returned by Cache.AuthenticateTokenCredentialRequest() when there are no IDPs configured.
-	ErrNoIDPs = fmt.Errorf("no identity providers are loaded")
-
-	// ErrIndeterminateIDP is returned by Cache.AuthenticateTokenCredentialRequest() when the correct IDP cannot be determined.
-	ErrIndeterminateIDP = fmt.Errorf("could not uniquely match against an identity provider")
 )
 
 // Cache implements the authenticator.Token interface by multiplexing across a dynamic set of identity providers
@@ -88,19 +82,6 @@ func (c *Cache) AuthenticateTokenCredentialRequest(ctx context.Context, req *log
 		key.APIGroup = *req.Spec.IdentityProvider.APIGroup
 	}
 
-	// If the IDP is unspecified (legacy requests), choose the single loaded IDP or fail if there is not exactly
-	// one IDP configured.
-	if key.Name == "" || key.Kind == "" || key.APIGroup == "" {
-		keys := c.Keys()
-		if len(keys) == 0 {
-			return nil, ErrNoIDPs
-		}
-		if len(keys) > 1 {
-			return nil, ErrIndeterminateIDP
-		}
-		key = keys[0]
-	}
-
 	val := c.Get(key)
 	if val == nil {
 		return nil, ErrNoSuchIDP
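Review bot: With the fallback removed, a request whose IdentityProvider selector is missing or only partly filled (empty Name, Kind or APIGroup) now reaches `val := c.Get(key)` in the second hunk with a zero-valued key, and is rejected only because no caller of Store should ever have inserted such a key; the incomplete-selector case should be rejected explicitly before the lookup, e.g. `if key.Name == "" || key.Kind == "" || key.APIGroup == "" {` / `return nil, ErrNoSuchIDP` / `}`, so the contract does not depend on cache contents. The doc comment on ErrNoSuchIDP in the first hunk could then also state that it covers an unspecified or incomplete selector, not just an unconfigured one. The context line `key.APIGroup = *req.Spec.IdentityProvider.APIGroup` dereferences a pointer whose nil guard is presumably just above the hunk; worth confirming it also handles a nil IdentityProvider. AuthenticateTokenCredentialRequest begins before and ends after this hunk.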
diff --git a/internal/controller/identityprovider/idpcache/cache_test.go b/internal/controller/identityprovider/idpcache/cache_test.go
index 33d156da..e400ff0e 100644
--- a/internal/controller/identityprovider/idpcache/cache_test.go
+++ b/internal/controller/identityprovider/idpcache/cache_test.go
@@ -51,41 +51,6 @@ func TestCache(t *testing.T) {
 func TestAuthenticateTokenCredentialRequest(t *testing.T) {
 	t.Parallel()
 
-	t.Run("missing IDP selector", func(t *testing.T) {
-		t.Run("no IDPs", func(t *testing.T) {
-			c := New()
-			res, err := c.AuthenticateTokenCredentialRequest(context.Background(), &loginapi.TokenCredentialRequest{})
-			require.EqualError(t, err, "no identity providers are loaded")
-			require.Nil(t, res)
-		})
-
-		t.Run("multiple IDPs", func(t *testing.T) {
-			c := New()
-			c.Store(Key{Name: "idp-one"}, nil)
-			c.Store(Key{Name: "idp-two"}, nil)
-			res, err := c.AuthenticateTokenCredentialRequest(context.Background(), &loginapi.TokenCredentialRequest{})
-			require.EqualError(t, err, "could not uniquely match against an identity provider")
-			require.Nil(t, res)
-		})
-
-		t.Run("single IDP", func(t *testing.T) {
-			ctrl := gomock.NewController(t)
-			defer ctrl.Finish()
-
-			c := New()
-			mockToken := mocktokenauthenticator.NewMockToken(ctrl)
-			mockToken.EXPECT().AuthenticateToken(gomock.Any(), "test-token").
-				Return(&authenticator.Response{User: &user.DefaultInfo{Name: "test-user"}}, true, nil)
-			c.Store(Key{Name: "idp-one"}, mockToken)
-
-			res, err := c.AuthenticateTokenCredentialRequest(context.Background(), &loginapi.TokenCredentialRequest{
-				Spec: loginapi.TokenCredentialRequestSpec{Token: "test-token"},
-			})
-			require.NoError(t, err)
-			require.Equal(t, "test-user", res.GetName())
-		})
-	})
-
 	validRequest := loginapi.TokenCredentialRequest{
 		ObjectMeta: metav1.ObjectMeta{
 			Namespace: "test-namespace",