Use kube auth interfaces for union and group

Signed-off-by: Monis Khan <[email protected]>

Author: enj

pkg/auth/authenticator/request/unionrequest/union.go

@@ -5,27 +5,25 @@ import (
 	"time"
 
 	"k8s.io/kubernetes/pkg/auth/authenticator"
+	"k8s.io/kubernetes/pkg/auth/group"
 	unversionedauthentication "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset/typed/authentication/internalversion"
+	"k8s.io/kubernetes/plugin/pkg/auth/authenticator/request/union"
 
-	oauthenticator "github.com/openshift/origin/pkg/auth/authenticator"
 	"github.com/openshift/origin/pkg/auth/authenticator/anonymous"
 	"github.com/openshift/origin/pkg/auth/authenticator/request/bearertoken"
-	"github.com/openshift/origin/pkg/auth/authenticator/request/unionrequest"
 	"github.com/openshift/origin/pkg/auth/authenticator/request/x509request"
 	authncache "github.com/openshift/origin/pkg/auth/authenticator/token/cache"
 	authnremote "github.com/openshift/origin/pkg/auth/authenticator/token/remotetokenreview"
-	"github.com/openshift/origin/pkg/auth/group"
-	"github.com/openshift/origin/pkg/cmd/server/bootstrappolicy"
 )
 
 // NewRemoteAuthenticator creates an authenticator that checks the provided remote endpoint for tokens, allows any linked clientCAs to be checked, and caches
 // responses as indicated.  If no authentication is possible, the user will be system:anonymous.
 func NewRemoteAuthenticator(authenticationClient unversionedauthentication.TokenReviewsGetter, clientCAs *x509.CertPool, cacheTTL time.Duration, cacheSize int) (authenticator.Request, error) {
-	authenticators := []oauthenticator.Request{}
+	authenticators := []authenticator.Request{}
 
 	// API token auth
 	var (
-		tokenAuthenticator oauthenticator.Token
+		tokenAuthenticator authenticator.Token
 		err                error
 	)
 	// Authenticate against the remote master
@@ -50,17 +48,12 @@ func NewRemoteAuthenticator(authenticationClient unversionedauthentication.Token
 		authenticators = append(authenticators, certauth)
 	}
 
-	ret := &unionrequest.Authenticator{
-		// Anonymous requests will pass the token and cert checks without errors
-		// Bad tokens or bad certs will produce errors, in which case we should not continue to authenticate them as "system:anonymous"
-		FailOnError: true,
-		Handlers: []oauthenticator.Request{
-			// Add the "system:authenticated" group to users that pass token/cert authentication
-			group.NewGroupAdder(unionrequest.NewUnionAuthentication(authenticators...), []string{bootstrappolicy.AuthenticatedGroup}),
-			// Fall back to the "system:anonymous" user
-			anonymous.NewAuthenticator(),
-		},
-	}
-
-	return ret, nil
+	// Anonymous requests will pass the token and cert checks without errors
+	// Bad tokens or bad certs will produce errors, in which case we should not continue to authenticate them as "system:anonymous"
+	return union.NewFailOnError(
+		// Add the "system:authenticated" group to users that pass token/cert authentication
+		group.NewAuthenticatedGroupAdder(union.New(authenticators...)),
+		// Fall back to the "system:anonymous" user
+		anonymous.NewAuthenticator(),
+	), nil
 }

pkg/auth/authenticator/request/unionrequest/unionauth_test.go

@@ -17,12 +17,13 @@ import (
 
 	kapi "k8s.io/kubernetes/pkg/api"
 	kerrs "k8s.io/kubernetes/pkg/api/errors"
+	"k8s.io/kubernetes/pkg/auth/authenticator"
 	kuser "k8s.io/kubernetes/pkg/auth/user"
 	"k8s.io/kubernetes/pkg/client/retry"
 	knet "k8s.io/kubernetes/pkg/util/net"
 	"k8s.io/kubernetes/pkg/util/sets"
+	"k8s.io/kubernetes/plugin/pkg/auth/authenticator/request/union"
 
-	"github.com/openshift/origin/pkg/auth/authenticator"
 	"github.com/openshift/origin/pkg/auth/authenticator/challenger/passwordchallenger"
 	"github.com/openshift/origin/pkg/auth/authenticator/challenger/placeholderchallenger"
 	"github.com/openshift/origin/pkg/auth/authenticator/password/allowanypassword"
@@ -34,7 +35,6 @@ import (
 	"github.com/openshift/origin/pkg/auth/authenticator/redirector"
 	"github.com/openshift/origin/pkg/auth/authenticator/request/basicauthrequest"
 	"github.com/openshift/origin/pkg/auth/authenticator/request/headerrequest"
-	"github.com/openshift/origin/pkg/auth/authenticator/request/unionrequest"
 	"github.com/openshift/origin/pkg/auth/authenticator/request/x509request"
 	"github.com/openshift/origin/pkg/auth/ldaputil"
 	"github.com/openshift/origin/pkg/auth/oauth/external"
@@ -739,7 +739,7 @@ func (c *AuthConfig) getAuthenticationRequestHandler() (authenticator.Request, e
 		}
 	}
 
-	authRequestHandler := unionrequest.NewUnionAuthentication(authRequestHandlers...)
+	authRequestHandler := union.New(authRequestHandlers...)
 	return authRequestHandler, nil
 }
 

pkg/auth/group/group_adder.go

@@ -18,6 +18,7 @@ import (
 	kapierrors "k8s.io/kubernetes/pkg/api/errors"
 	"k8s.io/kubernetes/pkg/api/unversioned"
 	"k8s.io/kubernetes/pkg/apiserver/request"
+	"k8s.io/kubernetes/pkg/auth/authenticator"
 	"k8s.io/kubernetes/pkg/auth/group"
 	"k8s.io/kubernetes/pkg/client/cache"
 	kclientset "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset"
@@ -35,12 +36,11 @@ import (
 	saadmit "k8s.io/kubernetes/plugin/pkg/admission/serviceaccount"
 	storageclassdefaultadmission "k8s.io/kubernetes/plugin/pkg/admission/storageclass/default"
 	"k8s.io/kubernetes/plugin/pkg/auth/authenticator/request/headerrequest"
+	"k8s.io/kubernetes/plugin/pkg/auth/authenticator/request/union"
 
-	"github.com/openshift/origin/pkg/auth/authenticator"
 	"github.com/openshift/origin/pkg/auth/authenticator/anonymous"
 	"github.com/openshift/origin/pkg/auth/authenticator/request/bearertoken"
 	"github.com/openshift/origin/pkg/auth/authenticator/request/paramtoken"
-	"github.com/openshift/origin/pkg/auth/authenticator/request/unionrequest"
 	"github.com/openshift/origin/pkg/auth/authenticator/request/x509request"
 	authnregistry "github.com/openshift/origin/pkg/auth/oauth/registry"
 	"github.com/openshift/origin/pkg/auth/userregistry/identitymapper"
@@ -648,11 +648,11 @@ func newAuthenticator(config configapi.MasterConfig, restOptionsGetter restoptio
 		tokenAuthenticators = append(tokenAuthenticators,
 			// if you have a bearer token, you're a human (usually)
 			// if you change this, have a look at the impersonationFilter where we attach groups to the impersonated user
-			group.NewGroupAdder(unionrequest.NewUnionAuthentication(oauthTokenRequestAuthenticators...), []string{bootstrappolicy.AuthenticatedOAuthGroup}))
+			group.NewGroupAdder(union.New(oauthTokenRequestAuthenticators...), []string{bootstrappolicy.AuthenticatedOAuthGroup}))
 	}
 
 	if len(tokenAuthenticators) > 0 {
-		authenticators = append(authenticators, unionrequest.NewUnionAuthentication(tokenAuthenticators...))
+		authenticators = append(authenticators, union.New(tokenAuthenticators...))
 	}
 
 	if configapi.UseTLS(config.ServingInfo.ServingInfo) {
@@ -665,10 +665,10 @@ func newAuthenticator(config configapi.MasterConfig, restOptionsGetter restoptio
 		authenticators = append(authenticators, certauth)
 	}
 
-	resultingAuthenticator := &unionrequest.Authenticator{FailOnError: true, Handlers: authenticators}
+	resultingAuthenticator := union.NewFailOnError(authenticators...)
 
 	topLevelAuthenticators := []authenticator.Request{}
-	//	if we have a front proxy providing authentication configuration, wire it up and it should come first
+	// if we have a front proxy providing authentication configuration, wire it up and it should come first
 	if config.AuthConfig.RequestHeader != nil {
 		requestHeaderAuthenticator, err := headerrequest.NewSecure(
 			config.AuthConfig.RequestHeader.ClientCA,
@@ -680,10 +680,7 @@ func newAuthenticator(config configapi.MasterConfig, restOptionsGetter restoptio
 		if err != nil {
 			return nil, fmt.Errorf("Error building front proxy auth config: %v", err)
 		}
-		topLevelAuthenticators = append(topLevelAuthenticators, &unionrequest.Authenticator{
-			FailOnError: false,
-			Handlers:    []authenticator.Request{requestHeaderAuthenticator, resultingAuthenticator},
-		})
+		topLevelAuthenticators = append(topLevelAuthenticators, union.New(requestHeaderAuthenticator, resultingAuthenticator))
 
 	} else {
 		topLevelAuthenticators = append(topLevelAuthenticators, resultingAuthenticator)
@@ -692,10 +689,7 @@ func newAuthenticator(config configapi.MasterConfig, restOptionsGetter restoptio
 
 	topLevelAuthenticators = append(topLevelAuthenticators, anonymous.NewAuthenticator())
 
-	return group.NewAuthenticatedGroupAdder(&unionrequest.Authenticator{
-		FailOnError: true,
-		Handlers:    topLevelAuthenticators,
-	}), nil
+	return group.NewAuthenticatedGroupAdder(union.NewFailOnError(topLevelAuthenticators...)), nil
 }
 
 func newProjectAuthorizationCache(authorizer authorizer.Authorizer, kubeClient *kclientset.Clientset, informerFactory shared.InformerFactory) *projectauth.AuthorizationCache {