summaryrefslogtreecommitdiff
path: root/vendor/k8s.io/apiserver/pkg/authentication
diff options
context:
space:
mode:
authorMatthew Heon <matthew.heon@gmail.com>2017-11-01 11:24:59 -0400
committerMatthew Heon <matthew.heon@gmail.com>2017-11-01 11:24:59 -0400
commita031b83a09a8628435317a03f199cdc18b78262f (patch)
treebc017a96769ce6de33745b8b0b1304ccf38e9df0 /vendor/k8s.io/apiserver/pkg/authentication
parent2b74391cd5281f6fdf391ff8ad50fd1490f6bf89 (diff)
downloadpodman-a031b83a09a8628435317a03f199cdc18b78262f.tar.gz
podman-a031b83a09a8628435317a03f199cdc18b78262f.tar.bz2
podman-a031b83a09a8628435317a03f199cdc18b78262f.zip
Initial checkin from CRI-O repo
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
Diffstat (limited to 'vendor/k8s.io/apiserver/pkg/authentication')
-rw-r--r--vendor/k8s.io/apiserver/pkg/authentication/authenticator/interfaces.go68
-rw-r--r--vendor/k8s.io/apiserver/pkg/authentication/serviceaccount/util.go73
-rw-r--r--vendor/k8s.io/apiserver/pkg/authentication/user/doc.go19
-rw-r--r--vendor/k8s.io/apiserver/pkg/authentication/user/user.go83
4 files changed, 243 insertions, 0 deletions
diff --git a/vendor/k8s.io/apiserver/pkg/authentication/authenticator/interfaces.go b/vendor/k8s.io/apiserver/pkg/authentication/authenticator/interfaces.go
new file mode 100644
index 000000000..fd3d0383e
--- /dev/null
+++ b/vendor/k8s.io/apiserver/pkg/authentication/authenticator/interfaces.go
@@ -0,0 +1,68 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package authenticator
+
+import (
+ "net/http"
+
+ "k8s.io/apiserver/pkg/authentication/user"
+)
+
+// Token checks a string value against a backing authentication store and returns
+// information about the current user and true if successful, false if not successful,
+// or an error if the token could not be checked.
+type Token interface {
+ AuthenticateToken(token string) (user.Info, bool, error)
+}
+
+// Request attempts to extract authentication information from a request and returns
+// information about the current user and true if successful, false if not successful,
+// or an error if the request could not be checked.
+type Request interface {
+ AuthenticateRequest(req *http.Request) (user.Info, bool, error)
+}
+
+// Password checks a username and password against a backing authentication store and
+// returns information about the user and true if successful, false if not successful,
+// or an error if the username and password could not be checked
+type Password interface {
+ AuthenticatePassword(user, password string) (user.Info, bool, error)
+}
+
+// TokenFunc is a function that implements the Token interface.
+type TokenFunc func(token string) (user.Info, bool, error)
+
+// AuthenticateToken implements authenticator.Token.
+func (f TokenFunc) AuthenticateToken(token string) (user.Info, bool, error) {
+ return f(token)
+}
+
+// RequestFunc is a function that implements the Request interface.
+type RequestFunc func(req *http.Request) (user.Info, bool, error)
+
+// AuthenticateRequest implements authenticator.Request.
+func (f RequestFunc) AuthenticateRequest(req *http.Request) (user.Info, bool, error) {
+ return f(req)
+}
+
+// PasswordFunc is a function that implements the Password interface.
+type PasswordFunc func(user, password string) (user.Info, bool, error)
+
+// AuthenticatePassword implements authenticator.Password.
+func (f PasswordFunc) AuthenticatePassword(user, password string) (user.Info, bool, error) {
+ return f(user, password)
+}
diff --git a/vendor/k8s.io/apiserver/pkg/authentication/serviceaccount/util.go b/vendor/k8s.io/apiserver/pkg/authentication/serviceaccount/util.go
new file mode 100644
index 000000000..ac3c252b7
--- /dev/null
+++ b/vendor/k8s.io/apiserver/pkg/authentication/serviceaccount/util.go
@@ -0,0 +1,73 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package serviceaccount
+
+import (
+ "fmt"
+ "strings"
+
+ apimachineryvalidation "k8s.io/apimachinery/pkg/api/validation"
+)
+
+const (
+ ServiceAccountUsernamePrefix = "system:serviceaccount:"
+ ServiceAccountUsernameSeparator = ":"
+ ServiceAccountGroupPrefix = "system:serviceaccounts:"
+ AllServiceAccountsGroup = "system:serviceaccounts"
+)
+
+// MakeUsername generates a username from the given namespace and ServiceAccount name.
+// The resulting username can be passed to SplitUsername to extract the original namespace and ServiceAccount name.
+func MakeUsername(namespace, name string) string {
+ return ServiceAccountUsernamePrefix + namespace + ServiceAccountUsernameSeparator + name
+}
+
+var invalidUsernameErr = fmt.Errorf("Username must be in the form %s", MakeUsername("namespace", "name"))
+
+// SplitUsername returns the namespace and ServiceAccount name embedded in the given username,
+// or an error if the username is not a valid name produced by MakeUsername
+func SplitUsername(username string) (string, string, error) {
+ if !strings.HasPrefix(username, ServiceAccountUsernamePrefix) {
+ return "", "", invalidUsernameErr
+ }
+ trimmed := strings.TrimPrefix(username, ServiceAccountUsernamePrefix)
+ parts := strings.Split(trimmed, ServiceAccountUsernameSeparator)
+ if len(parts) != 2 {
+ return "", "", invalidUsernameErr
+ }
+ namespace, name := parts[0], parts[1]
+ if len(apimachineryvalidation.ValidateNamespaceName(namespace, false)) != 0 {
+ return "", "", invalidUsernameErr
+ }
+ if len(apimachineryvalidation.ValidateServiceAccountName(name, false)) != 0 {
+ return "", "", invalidUsernameErr
+ }
+ return namespace, name, nil
+}
+
+// MakeGroupNames generates service account group names for the given namespace and ServiceAccount name
+func MakeGroupNames(namespace, name string) []string {
+ return []string{
+ AllServiceAccountsGroup,
+ MakeNamespaceGroupName(namespace),
+ }
+}
+
+// MakeNamespaceGroupName returns the name of the group all service accounts in the namespace are included in
+func MakeNamespaceGroupName(namespace string) string {
+ return ServiceAccountGroupPrefix + namespace
+}
diff --git a/vendor/k8s.io/apiserver/pkg/authentication/user/doc.go b/vendor/k8s.io/apiserver/pkg/authentication/user/doc.go
new file mode 100644
index 000000000..570c51ae9
--- /dev/null
+++ b/vendor/k8s.io/apiserver/pkg/authentication/user/doc.go
@@ -0,0 +1,19 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package user contains utilities for dealing with simple user exchange in the auth
+// packages. The user.Info interface defines an interface for exchanging that info.
+package user
diff --git a/vendor/k8s.io/apiserver/pkg/authentication/user/user.go b/vendor/k8s.io/apiserver/pkg/authentication/user/user.go
new file mode 100644
index 000000000..f02dc39ec
--- /dev/null
+++ b/vendor/k8s.io/apiserver/pkg/authentication/user/user.go
@@ -0,0 +1,83 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package user
+
+// Info describes a user that has been authenticated to the system.
+type Info interface {
+ // GetName returns the name that uniquely identifies this user among all
+ // other active users.
+ GetName() string
+ // GetUID returns a unique value for a particular user that will change
+ // if the user is removed from the system and another user is added with
+ // the same name.
+ GetUID() string
+ // GetGroups returns the names of the groups the user is a member of
+ GetGroups() []string
+
+ // GetExtra can contain any additional information that the authenticator
+ // thought was interesting. One example would be scopes on a token.
+ // Keys in this map should be namespaced to the authenticator or
+ // authenticator/authorizer pair making use of them.
+ // For instance: "example.org/foo" instead of "foo"
+ // This is a map[string][]string because it needs to be serializeable into
+ // a SubjectAccessReviewSpec.authorization.k8s.io for proper authorization
+ // delegation flows
+ // In order to faithfully round-trip through an impersonation flow, these keys
+ // MUST be lowercase.
+ GetExtra() map[string][]string
+}
+
+// DefaultInfo provides a simple user information exchange object
+// for components that implement the UserInfo interface.
+type DefaultInfo struct {
+ Name string
+ UID string
+ Groups []string
+ Extra map[string][]string
+}
+
+func (i *DefaultInfo) GetName() string {
+ return i.Name
+}
+
+func (i *DefaultInfo) GetUID() string {
+ return i.UID
+}
+
+func (i *DefaultInfo) GetGroups() []string {
+ return i.Groups
+}
+
+func (i *DefaultInfo) GetExtra() map[string][]string {
+ return i.Extra
+}
+
+// well-known user and group names
+const (
+ SystemPrivilegedGroup = "system:masters"
+ NodesGroup = "system:nodes"
+ AllUnauthenticated = "system:unauthenticated"
+ AllAuthenticated = "system:authenticated"
+
+ Anonymous = "system:anonymous"
+ APIServerUser = "system:apiserver"
+
+ // core kubernetes process identities
+ KubeProxy = "system:kube-proxy"
+ KubeControllerManager = "system:kube-controller-manager"
+ KubeScheduler = "system:kube-scheduler"
+)