Remove fallback support for implicitly choosing an IDP in TokenCredentialRequest.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
Matt Moyer 2020-09-21 17:42:27 -05:00
parent 07f0181fa3
commit 81f2362543
2 changed files with 0 additions and 54 deletions


@ -18,12 +18,6 @@ import (
var ( var (
// ErrNoSuchIDP is returned by Cache.AuthenticateTokenCredentialRequest() when the requested IDP is not configured. // ErrNoSuchIDP is returned by Cache.AuthenticateTokenCredentialRequest() when the requested IDP is not configured.
ErrNoSuchIDP = fmt.Errorf("no such identity provider") ErrNoSuchIDP = fmt.Errorf("no such identity provider")
// ErrNoIDPs is returned by Cache.AuthenticateTokenCredentialRequest() when there are no IDPs configured.
ErrNoIDPs = fmt.Errorf("no identity providers are loaded")
// ErrIndeterminateIDP is returned by Cache.AuthenticateTokenCredentialRequest() when the correct IDP cannot be determined.
ErrIndeterminateIDP = fmt.Errorf("could not uniquely match against an identity provider")
) )
// Cache implements the authenticator.Token interface by multiplexing across a dynamic set of identity providers // Cache implements the authenticator.Token interface by multiplexing across a dynamic set of identity providers
@ -88,19 +82,6 @@ func (c *Cache) AuthenticateTokenCredentialRequest(ctx context.Context, req *log
key.APIGroup = *req.Spec.IdentityProvider.APIGroup key.APIGroup = *req.Spec.IdentityProvider.APIGroup
} }
// If the IDP is unspecified (legacy requests), choose the single loaded IDP or fail if there is not exactly
// one IDP configured.
if key.Name == "" || key.Kind == "" || key.APIGroup == "" {
keys := c.Keys()
if len(keys) == 0 {
return nil, ErrNoIDPs
}
if len(keys) > 1 {
return nil, ErrIndeterminateIDP
}
key = keys[0]
}
val := c.Get(key) val := c.Get(key)
if val == nil { if val == nil {
return nil, ErrNoSuchIDP return nil, ErrNoSuchIDP
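Review bot: With the fallback removed, a request whose IdentityProvider selector is absent or only partially filled (the `key.Name == "" || key.Kind == "" || key.APIGroup == ""` case the deleted block used to catch) now reaches `c.Get(key)` with a partially zero key and, assuming Get does an exact-key lookup, surfaces as ErrNoSuchIDP — failing closed is the right outcome, but neither the error nor its doc comment says that an unspecified selector is rejected rather than defaulted. I would update the surviving comment in the var block to `// ErrNoSuchIDP is returned by Cache.AuthenticateTokenCredentialRequest() when the requested IDP is not configured, including when the request does not fully specify an identity provider (name, kind and API group).` so callers migrating off the legacy request shape understand why it no longer authenticates. The second file section deletes the tests for the unspecified-selector path; a replacement test asserting that an empty selector now yields ErrNoSuchIDP even when exactly one IDP is loaded would pin the new, stricter behavior. AuthenticateTokenCredentialRequest begins and ends outside this hunk.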


@ -51,41 +51,6 @@ func TestCache(t *testing.T) {
func TestAuthenticateTokenCredentialRequest(t *testing.T) { func TestAuthenticateTokenCredentialRequest(t *testing.T) {
t.Parallel() t.Parallel()
t.Run("missing IDP selector", func(t *testing.T) {
t.Run("no IDPs", func(t *testing.T) {
c := New()
res, err := c.AuthenticateTokenCredentialRequest(context.Background(), &loginapi.TokenCredentialRequest{})
require.EqualError(t, err, "no identity providers are loaded")
require.Nil(t, res)
})
t.Run("multiple IDPs", func(t *testing.T) {
c := New()
c.Store(Key{Name: "idp-one"}, nil)
c.Store(Key{Name: "idp-two"}, nil)
res, err := c.AuthenticateTokenCredentialRequest(context.Background(), &loginapi.TokenCredentialRequest{})
require.EqualError(t, err, "could not uniquely match against an identity provider")
require.Nil(t, res)
})
t.Run("single IDP", func(t *testing.T) {
ctrl := gomock.NewController(t)
defer ctrl.Finish()
c := New()
mockToken := mocktokenauthenticator.NewMockToken(ctrl)
mockToken.EXPECT().AuthenticateToken(gomock.Any(), "test-token").
Return(&authenticator.Response{User: &user.DefaultInfo{Name: "test-user"}}, true, nil)
c.Store(Key{Name: "idp-one"}, mockToken)
res, err := c.AuthenticateTokenCredentialRequest(context.Background(), &loginapi.TokenCredentialRequest{
Spec: loginapi.TokenCredentialRequestSpec{Token: "test-token"},
})
require.NoError(t, err)
require.Equal(t, "test-user", res.GetName())
})
})
validRequest := loginapi.TokenCredentialRequest{ validRequest := loginapi.TokenCredentialRequest{
ObjectMeta: metav1.ObjectMeta{ ObjectMeta: metav1.ObjectMeta{
Namespace: "test-namespace", Namespace: "test-namespace",