vendor dependencies

2026-04-07 10:17:51 +00:00 · 2019-04-24 11:06:03 +02:00 · 2019-04-24 11:06:03 +02:00 · 72abf135d6
commit 72abf135d6
parent 604208ef4f
1156 changed files with 78178 additions and 105799 deletions
--- a/vendor/k8s.io/apiserver/pkg/authentication/request/anonymous/anonymous.go
+++ b/vendor/k8s.io/apiserver/pkg/authentication/request/anonymous/anonymous.go
@ -30,7 +30,14 @@ const (
 )

 func NewAuthenticator() authenticator.Request {
-	return authenticator.RequestFunc(func(req *http.Request) (user.Info, bool, error) {
-		return &user.DefaultInfo{Name: anonymousUser, Groups: []string{unauthenticatedGroup}}, true, nil
+	return authenticator.RequestFunc(func(req *http.Request) (*authenticator.Response, bool, error) {
+		auds, _ := authenticator.AudiencesFrom(req.Context())
+		return &authenticator.Response{
+			User: &user.DefaultInfo{
+				Name:   anonymousUser,
+				Groups: []string{unauthenticatedGroup},
+			},
+			Audiences: auds,
+		}, true, nil
 	})
 }
--- a/vendor/k8s.io/apiserver/pkg/authentication/request/bearertoken/bearertoken.go
+++ b/vendor/k8s.io/apiserver/pkg/authentication/request/bearertoken/bearertoken.go
@ -22,7 +22,6 @@ import (
 	"strings"

 	"k8s.io/apiserver/pkg/authentication/authenticator"
-	"k8s.io/apiserver/pkg/authentication/user"
 )

 type Authenticator struct {
@ -35,7 +34,7 @@ func New(auth authenticator.Token) *Authenticator {

 var invalidToken = errors.New("invalid bearer token")

-func (a *Authenticator) AuthenticateRequest(req *http.Request) (user.Info, bool, error) {
+func (a *Authenticator) AuthenticateRequest(req *http.Request) (*authenticator.Response, bool, error) {
 	auth := strings.TrimSpace(req.Header.Get("Authorization"))
 	if auth == "" {
 		return nil, false, nil
@ -52,7 +51,7 @@ func (a *Authenticator) AuthenticateRequest(req *http.Request) (user.Info, bool,
 		return nil, false, nil
 	}

-	user, ok, err := a.auth.AuthenticateToken(token)
+	resp, ok, err := a.auth.AuthenticateToken(req.Context(), token)
 	// if we authenticated successfully, go ahead and remove the bearer token so that no one
 	// is ever tempted to use it inside of the API server
 	if ok {
@ -64,5 +63,5 @@ func (a *Authenticator) AuthenticateRequest(req *http.Request) (user.Info, bool,
 		err = invalidToken
 	}

-	return user, ok, err
+	return resp, ok, err
 }
--- a/vendor/k8s.io/apiserver/pkg/authentication/request/headerrequest/requestheader.go
+++ b/vendor/k8s.io/apiserver/pkg/authentication/request/headerrequest/requestheader.go
@ -105,7 +105,7 @@ func NewSecure(clientCA string, proxyClientNames []string, nameHeaders []string,
 	return x509request.NewVerifier(opts, headerAuthenticator, sets.NewString(proxyClientNames...)), nil
 }

-func (a *requestHeaderAuthRequestHandler) AuthenticateRequest(req *http.Request) (user.Info, bool, error) {
+func (a *requestHeaderAuthRequestHandler) AuthenticateRequest(req *http.Request) (*authenticator.Response, bool, error) {
 	name := headerValue(req.Header, a.nameHeaders)
 	if len(name) == 0 {
 		return nil, false, nil
@ -126,10 +126,12 @@ func (a *requestHeaderAuthRequestHandler) AuthenticateRequest(req *http.Request)
 		}
 	}

-	return &user.DefaultInfo{
-		Name:   name,
-		Groups: groups,
-		Extra:  extra,
+	return &authenticator.Response{
+		User: &user.DefaultInfo{
+			Name:   name,
+			Groups: groups,
+			Extra:  extra,
+		},
 	}, true, nil
 }

--- a/vendor/k8s.io/apiserver/pkg/authentication/request/union/union.go
+++ b/vendor/k8s.io/apiserver/pkg/authentication/request/union/union.go
@ -21,7 +21,6 @@ import (

 	utilerrors "k8s.io/apimachinery/pkg/util/errors"
 	"k8s.io/apiserver/pkg/authentication/authenticator"
-	"k8s.io/apiserver/pkg/authentication/user"
 )

 // unionAuthRequestHandler authenticates requests using a chain of authenticator.Requests
@ -51,20 +50,20 @@ func NewFailOnError(authRequestHandlers ...authenticator.Request) authenticator.
 }

 // AuthenticateRequest authenticates the request using a chain of authenticator.Request objects.
-func (authHandler *unionAuthRequestHandler) AuthenticateRequest(req *http.Request) (user.Info, bool, error) {
+func (authHandler *unionAuthRequestHandler) AuthenticateRequest(req *http.Request) (*authenticator.Response, bool, error) {
 	var errlist []error
 	for _, currAuthRequestHandler := range authHandler.Handlers {
-		info, ok, err := currAuthRequestHandler.AuthenticateRequest(req)
+		resp, ok, err := currAuthRequestHandler.AuthenticateRequest(req)
 		if err != nil {
 			if authHandler.FailOnError {
-				return info, ok, err
+				return resp, ok, err
 			}
 			errlist = append(errlist, err)
 			continue
 		}

 		if ok {
-			return info, ok, err
+			return resp, ok, err
 		}
 	}

--- a/vendor/k8s.io/apiserver/pkg/authentication/request/websocket/protocol.go
+++ b/vendor/k8s.io/apiserver/pkg/authentication/request/websocket/protocol.go
@ -25,7 +25,6 @@ import (
 	"unicode/utf8"

 	"k8s.io/apiserver/pkg/authentication/authenticator"
-	"k8s.io/apiserver/pkg/authentication/user"
 	"k8s.io/apiserver/pkg/util/wsstream"
 )

@ -46,7 +45,7 @@ func NewProtocolAuthenticator(auth authenticator.Token) *ProtocolAuthenticator {
 	return &ProtocolAuthenticator{auth}
 }

-func (a *ProtocolAuthenticator) AuthenticateRequest(req *http.Request) (user.Info, bool, error) {
+func (a *ProtocolAuthenticator) AuthenticateRequest(req *http.Request) (*authenticator.Response, bool, error) {
 	// Only accept websocket connections
 	if !wsstream.IsWebSocketRequest(req) {
 		return nil, false, nil
@ -91,7 +90,7 @@ func (a *ProtocolAuthenticator) AuthenticateRequest(req *http.Request) (user.Inf
 		return nil, false, nil
 	}

-	user, ok, err := a.auth.AuthenticateToken(token)
+	resp, ok, err := a.auth.AuthenticateToken(req.Context(), token)

 	// on success, remove the protocol with the token
 	if ok {
@ -105,5 +104,5 @@ func (a *ProtocolAuthenticator) AuthenticateRequest(req *http.Request) (user.Inf
 		err = errInvalidToken
 	}

-	return user, ok, err
+	return resp, ok, err
 }
--- a/vendor/k8s.io/apiserver/pkg/authentication/request/x509/OWNERS
+++ b/vendor/k8s.io/apiserver/pkg/authentication/request/x509/OWNERS
@ -0,0 +1,9 @@
+# See the OWNERS docs at https://go.k8s.io/owners
+
+approvers:
+- sig-auth-certificates-approvers
+reviewers:
+- sig-auth-certificates-reviewers
+labels:
+- sig/auth
+
--- a/vendor/k8s.io/apiserver/pkg/authentication/request/x509/x509.go
+++ b/vendor/k8s.io/apiserver/pkg/authentication/request/x509/x509.go
@ -19,12 +19,10 @@ package x509
 import (
 	"crypto/x509"
 	"crypto/x509/pkix"
-	"encoding/asn1"
 	"fmt"
 	"net/http"
 	"time"

-	"github.com/golang/glog"
 	"github.com/prometheus/client_golang/prometheus"

 	utilerrors "k8s.io/apimachinery/pkg/util/errors"
@ -41,6 +39,9 @@ var clientCertificateExpirationHistogram = prometheus.NewHistogram(
 		Help:      "Distribution of the remaining lifetime on the certificate used to authenticate a request.",
 		Buckets: []float64{
 			0,
+			(30 * time.Minute).Seconds(),
+			(1 * time.Hour).Seconds(),
+			(2 * time.Hour).Seconds(),
 			(6 * time.Hour).Seconds(),
 			(12 * time.Hour).Seconds(),
 			(24 * time.Hour).Seconds(),
@ -61,14 +62,14 @@ func init() {

 // UserConversion defines an interface for extracting user info from a client certificate chain
 type UserConversion interface {
-	User(chain []*x509.Certificate) (user.Info, bool, error)
+	User(chain []*x509.Certificate) (*authenticator.Response, bool, error)
 }

 // UserConversionFunc is a function that implements the UserConversion interface.
-type UserConversionFunc func(chain []*x509.Certificate) (user.Info, bool, error)
+type UserConversionFunc func(chain []*x509.Certificate) (*authenticator.Response, bool, error)

 // User implements x509.UserConversion
-func (f UserConversionFunc) User(chain []*x509.Certificate) (user.Info, bool, error) {
+func (f UserConversionFunc) User(chain []*x509.Certificate) (*authenticator.Response, bool, error) {
 	return f(chain)
 }

@ -85,7 +86,7 @@ func New(opts x509.VerifyOptions, user UserConversion) *Authenticator {
 }

 // AuthenticateRequest authenticates the request using presented client certificates
-func (a *Authenticator) AuthenticateRequest(req *http.Request) (user.Info, bool, error) {
+func (a *Authenticator) AuthenticateRequest(req *http.Request) (*authenticator.Response, bool, error) {
 	if req.TLS == nil || len(req.TLS.PeerCertificates) == 0 {
 		return nil, false, nil
 	}
@ -137,7 +138,7 @@ func NewVerifier(opts x509.VerifyOptions, auth authenticator.Request, allowedCom
 }

 // AuthenticateRequest verifies the presented client certificate, then delegates to the wrapped auth
-func (a *Verifier) AuthenticateRequest(req *http.Request) (user.Info, bool, error) {
+func (a *Verifier) AuthenticateRequest(req *http.Request) (*authenticator.Response, bool, error) {
 	if req.TLS == nil || len(req.TLS.PeerCertificates) == 0 {
 		return nil, false, nil
 	}
@ -169,8 +170,7 @@ func (a *Verifier) verifySubject(subject pkix.Name) error {
 	if a.allowedCommonNames.Has(subject.CommonName) {
 		return nil
 	}
-	glog.Warningf("x509: subject with cn=%s is not in the allowed list: %v", subject.CommonName, a.allowedCommonNames.List())
-	return fmt.Errorf("x509: subject with cn=%s is not allowed", subject.CommonName)
+	return fmt.Errorf("x509: subject with cn=%s is not in the allowed list", subject.CommonName)
 }

 // DefaultVerifyOptions returns VerifyOptions that use the system root certificates, current time,
@ -182,34 +182,14 @@ func DefaultVerifyOptions() x509.VerifyOptions {
 }

 // CommonNameUserConversion builds user info from a certificate chain using the subject's CommonName
-var CommonNameUserConversion = UserConversionFunc(func(chain []*x509.Certificate) (user.Info, bool, error) {
+var CommonNameUserConversion = UserConversionFunc(func(chain []*x509.Certificate) (*authenticator.Response, bool, error) {
 	if len(chain[0].Subject.CommonName) == 0 {
 		return nil, false, nil
 	}
-	return &user.DefaultInfo{
-		Name:   chain[0].Subject.CommonName,
-		Groups: chain[0].Subject.Organization,
+	return &authenticator.Response{
+		User: &user.DefaultInfo{
+			Name:   chain[0].Subject.CommonName,
+			Groups: chain[0].Subject.Organization,
+		},
 	}, true, nil
 })
-
-// DNSNameUserConversion builds user info from a certificate chain using the first DNSName on the certificate
-var DNSNameUserConversion = UserConversionFunc(func(chain []*x509.Certificate) (user.Info, bool, error) {
-	if len(chain[0].DNSNames) == 0 {
-		return nil, false, nil
-	}
-	return &user.DefaultInfo{Name: chain[0].DNSNames[0]}, true, nil
-})
-
-// EmailAddressUserConversion builds user info from a certificate chain using the first EmailAddress on the certificate
-var EmailAddressUserConversion = UserConversionFunc(func(chain []*x509.Certificate) (user.Info, bool, error) {
-	var emailAddressOID asn1.ObjectIdentifier = []int{1, 2, 840, 113549, 1, 9, 1}
-	if len(chain[0].EmailAddresses) == 0 {
-		for _, name := range chain[0].Subject.Names {
-			if name.Type.Equal(emailAddressOID) {
-				return &user.DefaultInfo{Name: name.Value.(string)}, true, nil
-			}
-		}
-		return nil, false, nil
-	}
-	return &user.DefaultInfo{Name: chain[0].EmailAddresses[0]}, true, nil
-})