vendor dependencies

vendor/k8s.io/apiserver/pkg/authentication/token/cache/cache_simple.go

@@ -0,0 +1,49 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package cache
+
+import (
+	"time"
+
+	lrucache "k8s.io/apimachinery/pkg/util/cache"
+	"k8s.io/apimachinery/pkg/util/clock"
+)
+
+type simpleCache struct {
+	lru *lrucache.LRUExpireCache
+}
+
+func newSimpleCache(size int, clock clock.Clock) cache {
+	return &simpleCache{lru: lrucache.NewLRUExpireCacheWithClock(size, clock)}
+}
+
+func (c *simpleCache) get(key string) (*cacheRecord, bool) {
+	record, ok := c.lru.Get(key)
+	if !ok {
+		return nil, false
+	}
+	value, ok := record.(*cacheRecord)
+	return value, ok
+}
+
+func (c *simpleCache) set(key string, value *cacheRecord, ttl time.Duration) {
+	c.lru.Add(key, value, ttl)
+}
+
+func (c *simpleCache) remove(key string) {
+	c.lru.Remove(key)
+}

vendor/k8s.io/apiserver/pkg/authentication/token/cache/cache_striped.go

@@ -0,0 +1,60 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package cache
+
+import (
+	"hash/fnv"
+	"time"
+)
+
+// split cache lookups across N striped caches
+type stripedCache struct {
+	stripeCount uint32
+	hashFunc    func(string) uint32
+	caches      []cache
+}
+
+type hashFunc func(string) uint32
+type newCacheFunc func() cache
+
+func newStripedCache(stripeCount int, hash hashFunc, newCacheFunc newCacheFunc) cache {
+	caches := []cache{}
+	for i := 0; i < stripeCount; i++ {
+		caches = append(caches, newCacheFunc())
+	}
+	return &stripedCache{
+		stripeCount: uint32(stripeCount),
+		hashFunc:    hash,
+		caches:      caches,
+	}
+}
+
+func (c *stripedCache) get(key string) (*cacheRecord, bool) {
+	return c.caches[c.hashFunc(key)%c.stripeCount].get(key)
+}
+func (c *stripedCache) set(key string, value *cacheRecord, ttl time.Duration) {
+	c.caches[c.hashFunc(key)%c.stripeCount].set(key, value, ttl)
+}
+func (c *stripedCache) remove(key string) {
+	c.caches[c.hashFunc(key)%c.stripeCount].remove(key)
+}
+
+func fnvHashFunc(key string) uint32 {
+	f := fnv.New32()
+	f.Write([]byte(key))
+	return f.Sum32()
+}

vendor/k8s.io/apiserver/pkg/authentication/token/cache/cached_token_authenticator.go

@@ -0,0 +1,95 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package cache
+
+import (
+	"context"
+	"fmt"
+	"time"
+
+	utilclock "k8s.io/apimachinery/pkg/util/clock"
+	"k8s.io/apiserver/pkg/authentication/authenticator"
+)
+
+// cacheRecord holds the three return values of the authenticator.Token AuthenticateToken method
+type cacheRecord struct {
+	resp *authenticator.Response
+	ok   bool
+	err  error
+}
+
+type cachedTokenAuthenticator struct {
+	authenticator authenticator.Token
+
+	cacheErrs  bool
+	successTTL time.Duration
+	failureTTL time.Duration
+
+	cache cache
+}
+
+type cache interface {
+	// given a key, return the record, and whether or not it existed
+	get(key string) (value *cacheRecord, exists bool)
+	// caches the record for the key
+	set(key string, value *cacheRecord, ttl time.Duration)
+	// removes the record for the key
+	remove(key string)
+}
+
+// New returns a token authenticator that caches the results of the specified authenticator. A ttl of 0 bypasses the cache.
+func New(authenticator authenticator.Token, cacheErrs bool, successTTL, failureTTL time.Duration) authenticator.Token {
+	return newWithClock(authenticator, cacheErrs, successTTL, failureTTL, utilclock.RealClock{})
+}
+
+func newWithClock(authenticator authenticator.Token, cacheErrs bool, successTTL, failureTTL time.Duration, clock utilclock.Clock) authenticator.Token {
+	return &cachedTokenAuthenticator{
+		authenticator: authenticator,
+		cacheErrs:     cacheErrs,
+		successTTL:    successTTL,
+		failureTTL:    failureTTL,
+		cache:         newStripedCache(32, fnvHashFunc, func() cache { return newSimpleCache(128, clock) }),
+	}
+}
+
+// AuthenticateToken implements authenticator.Token
+func (a *cachedTokenAuthenticator) AuthenticateToken(ctx context.Context, token string) (*authenticator.Response, bool, error) {
+	auds, _ := authenticator.AudiencesFrom(ctx)
+
+	key := keyFunc(auds, token)
+	if record, ok := a.cache.get(key); ok {
+		return record.resp, record.ok, record.err
+	}
+
+	resp, ok, err := a.authenticator.AuthenticateToken(ctx, token)
+	if !a.cacheErrs && err != nil {
+		return resp, ok, err
+	}
+
+	switch {
+	case ok && a.successTTL > 0:
+		a.cache.set(key, &cacheRecord{resp: resp, ok: ok, err: err}, a.successTTL)
+	case !ok && a.failureTTL > 0:
+		a.cache.set(key, &cacheRecord{resp: resp, ok: ok, err: err}, a.failureTTL)
+	}
+
+	return resp, ok, err
+}
+
+func keyFunc(auds []string, token string) string {
+	return fmt.Sprintf("%#v|%v", auds, token)
+}

vendor/k8s.io/apiserver/pkg/authentication/token/tokenfile/tokenfile.go

@@ -17,14 +17,16 @@ limitations under the License.
 package tokenfile
 
 import (
+	"context"
 	"encoding/csv"
 	"fmt"
 	"io"
 	"os"
 	"strings"
 
-	"github.com/golang/glog"
+	"k8s.io/apiserver/pkg/authentication/authenticator"
 	"k8s.io/apiserver/pkg/authentication/user"
+	"k8s.io/klog"
 )
 
 type TokenAuthenticator struct {
@@ -65,7 +67,7 @@ func NewCSV(path string) (*TokenAuthenticator, error) {
 
 		recordNum++
 		if record[0] == "" {
-			glog.Warningf("empty token has been found in token file '%s', record number '%d'", path, recordNum)
+			klog.Warningf("empty token has been found in token file '%s', record number '%d'", path, recordNum)
 			continue
 		}
 
@@ -74,7 +76,7 @@ func NewCSV(path string) (*TokenAuthenticator, error) {
 			UID:  record[2],
 		}
 		if _, exist := tokens[record[0]]; exist {
-			glog.Warningf("duplicate token has been found in token file '%s', record number '%d'", path, recordNum)
+			klog.Warningf("duplicate token has been found in token file '%s', record number '%d'", path, recordNum)
 		}
 		tokens[record[0]] = obj
 
@@ -88,10 +90,10 @@ func NewCSV(path string) (*TokenAuthenticator, error) {
 	}, nil
 }
 
-func (a *TokenAuthenticator) AuthenticateToken(value string) (user.Info, bool, error) {
+func (a *TokenAuthenticator) AuthenticateToken(ctx context.Context, value string) (*authenticator.Response, bool, error) {
 	user, ok := a.tokens[value]
 	if !ok {
 		return nil, false, nil
 	}
-	return user, true, nil
+	return &authenticator.Response{User: user}, true, nil
 }