move non-oauthserver packages out

Author: deads2k

hack/import-restrictions.json

@@ -374,7 +374,6 @@
       "github.com/openshift/origin/pkg/oauth/apis/oauth/validation",
       "github.com/openshift/origin/pkg/oauth/scope",
       "github.com/openshift/origin/pkg/oauth/apis/oauth",
-      "github.com/openshift/origin/pkg/util/rankedset",
       "github.com/openshift/origin/pkg/oauth/registry/oauthclientauthorization",
       "github.com/openshift/origin/pkg/cmd/server/api",
       "github.com/openshift/origin/pkg/cmd/server/api/latest",

pkg/oauthserver/oauth/registry/expirationvalidator.go pkg/apiserver/authentication/internaloauth/expirationvalidator.go

@@ -1,18 +1,17 @@
-package registry
+package internaloauth
 
 import (
 	"errors"
 	"time"
 
 	userv1 "github.com/openshift/api/user/v1"
 	"github.com/openshift/origin/pkg/oauth/apis/oauth"
-	"github.com/openshift/origin/pkg/oauthserver/authenticator"
 )
 
 var errExpired = errors.New("token is expired")
 
-func NewExpirationValidator() authenticator.OAuthTokenValidator {
-	return authenticator.OAuthTokenValidatorFunc(
+func NewExpirationValidator() OAuthTokenValidator {
+	return OAuthTokenValidatorFunc(
 		func(token *oauth.OAuthAccessToken, _ *userv1.User) error {
 			if token.ExpiresIn > 0 {
 				if expire(token).Before(time.Now()) {

pkg/apiserver/authentication/internaloauth/expirationvalidator_test.go

@@ -0,0 +1,70 @@
+package internaloauth
+
+import (
+	"testing"
+	"time"
+
+	userapi "github.com/openshift/api/user/v1"
+	userfake "github.com/openshift/client-go/user/clientset/versioned/fake"
+	oapi "github.com/openshift/origin/pkg/oauth/apis/oauth"
+	oauthfake "github.com/openshift/origin/pkg/oauth/generated/internalclientset/fake"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+func TestAuthenticateTokenExpired(t *testing.T) {
+	fakeOAuthClient := oauthfake.NewSimpleClientset(
+		// expired token that had a lifetime of 10 minutes
+		&oapi.OAuthAccessToken{
+			ObjectMeta: metav1.ObjectMeta{Name: "token1", CreationTimestamp: metav1.Time{Time: time.Now().Add(-1 * time.Hour)}},
+			ExpiresIn:  600,
+			UserName:   "foo",
+		},
+		// non-expired token that has a lifetime of 10 minutes, but has a non-nil deletion timestamp
+		&oapi.OAuthAccessToken{
+			ObjectMeta: metav1.ObjectMeta{Name: "token2", CreationTimestamp: metav1.Time{Time: time.Now()}, DeletionTimestamp: &metav1.Time{}},
+			ExpiresIn:  600,
+			UserName:   "foo",
+		},
+	)
+	fakeUserClient := userfake.NewSimpleClientset(&userapi.User{ObjectMeta: metav1.ObjectMeta{Name: "foo", UID: "bar"}})
+
+	tokenAuthenticator := NewTokenAuthenticator(fakeOAuthClient.Oauth().OAuthAccessTokens(), fakeUserClient.UserV1().Users(), NoopGroupMapper{}, NewExpirationValidator())
+
+	for _, tokenName := range []string{"token1", "token2"} {
+		userInfo, found, err := tokenAuthenticator.AuthenticateToken(tokenName)
+		if found {
+			t.Error("Found token, but it should be missing!")
+		}
+		if err != errExpired {
+			t.Errorf("Unexpected error: %v", err)
+		}
+		if userInfo != nil {
+			t.Errorf("Unexpected user: %v", userInfo)
+		}
+	}
+}
+
+func TestAuthenticateTokenValidated(t *testing.T) {
+	fakeOAuthClient := oauthfake.NewSimpleClientset(
+		&oapi.OAuthAccessToken{
+			ObjectMeta: metav1.ObjectMeta{Name: "token", CreationTimestamp: metav1.Time{Time: time.Now()}},
+			ExpiresIn:  600, // 10 minutes
+			UserName:   "foo",
+			UserUID:    string("bar"),
+		},
+	)
+	fakeUserClient := userfake.NewSimpleClientset(&userapi.User{ObjectMeta: metav1.ObjectMeta{Name: "foo", UID: "bar"}})
+
+	tokenAuthenticator := NewTokenAuthenticator(fakeOAuthClient.Oauth().OAuthAccessTokens(), fakeUserClient.UserV1().Users(), NoopGroupMapper{}, NewExpirationValidator(), NewUIDValidator())
+
+	userInfo, found, err := tokenAuthenticator.AuthenticateToken("token")
+	if !found {
+		t.Error("Did not find a token!")
+	}
+	if err != nil {
+		t.Errorf("Unexpected error: %v", err)
+	}
+	if userInfo == nil {
+		t.Error("Did not get a user!")
+	}
+}

pkg/apiserver/authentication/internaloauth/interfaces.go

@@ -0,0 +1,41 @@
+package internaloauth
+
+import (
+	userapi "github.com/openshift/api/user/v1"
+	"github.com/openshift/origin/pkg/oauth/apis/oauth"
+)
+
+type OAuthTokenValidator interface {
+	Validate(token *oauth.OAuthAccessToken, user *userapi.User) error
+}
+
+var _ OAuthTokenValidator = OAuthTokenValidatorFunc(nil)
+
+type OAuthTokenValidatorFunc func(token *oauth.OAuthAccessToken, user *userapi.User) error
+
+func (f OAuthTokenValidatorFunc) Validate(token *oauth.OAuthAccessToken, user *userapi.User) error {
+	return f(token, user)
+}
+
+var _ OAuthTokenValidator = OAuthTokenValidators(nil)
+
+type OAuthTokenValidators []OAuthTokenValidator
+
+func (v OAuthTokenValidators) Validate(token *oauth.OAuthAccessToken, user *userapi.User) error {
+	for _, validator := range v {
+		if err := validator.Validate(token, user); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+type UserToGroupMapper interface {
+	GroupsFor(username string) ([]*userapi.Group, error)
+}
+
+type NoopGroupMapper struct{}
+
+func (n NoopGroupMapper) GroupsFor(username string) ([]*userapi.Group, error) {
+	return []*userapi.Group{}, nil
+}

pkg/oauthserver/oauth/registry/timeoutvalidator.go pkg/apiserver/authentication/internaloauth/timeoutvalidator.go

@@ -1,4 +1,4 @@
-package registry
+package internaloauth
 
 import (
 	"errors"

pkg/oauthserver/oauth/registry/tokenauthenticator.go pkg/apiserver/authentication/internaloauth/tokenauthenticator.go

@@ -1,4 +1,4 @@
-package registry
+package internaloauth
 
 import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -8,23 +8,21 @@ import (
 	userclient "github.com/openshift/client-go/user/clientset/versioned/typed/user/v1"
 	authorizationapi "github.com/openshift/origin/pkg/authorization/apis/authorization"
 	oauthclient "github.com/openshift/origin/pkg/oauth/generated/internalclientset/typed/oauth/internalversion"
-	"github.com/openshift/origin/pkg/oauthserver/authenticator"
-	"github.com/openshift/origin/pkg/oauthserver/userregistry/identitymapper"
 )
 
 type tokenAuthenticator struct {
 	tokens      oauthclient.OAuthAccessTokenInterface
 	users       userclient.UserInterface
-	groupMapper identitymapper.UserToGroupMapper
-	validators  authenticator.OAuthTokenValidator
+	groupMapper UserToGroupMapper
+	validators  OAuthTokenValidator
 }
 
-func NewTokenAuthenticator(tokens oauthclient.OAuthAccessTokenInterface, users userclient.UserInterface, groupMapper identitymapper.UserToGroupMapper, validators ...authenticator.OAuthTokenValidator) kauthenticator.Token {
+func NewTokenAuthenticator(tokens oauthclient.OAuthAccessTokenInterface, users userclient.UserInterface, groupMapper UserToGroupMapper, validators ...OAuthTokenValidator) kauthenticator.Token {
 	return &tokenAuthenticator{
 		tokens:      tokens,
 		users:       users,
 		groupMapper: groupMapper,
-		validators:  authenticator.OAuthTokenValidators(validators),
+		validators:  OAuthTokenValidators(validators),
 	}
 }