diff --git a/Godeps/Godeps.json b/Godeps/Godeps.json index ea451d435c4..12c252b516b 100644 --- a/Godeps/Godeps.json +++ b/Godeps/Godeps.json @@ -895,24 +895,8 @@ "Rev": "95a726a27e09030f9ccbd9982a1508f5a6d25ada" }, { - "ImportPath": "github.com/coreos/go-oidc/http", - "Rev": "a4973d9a4225417aecf5d450a9522f00c1f7130f" - }, - { - "ImportPath": "github.com/coreos/go-oidc/jose", - "Rev": "a4973d9a4225417aecf5d450a9522f00c1f7130f" - }, - { - "ImportPath": "github.com/coreos/go-oidc/key", - "Rev": "a4973d9a4225417aecf5d450a9522f00c1f7130f" - }, - { - "ImportPath": "github.com/coreos/go-oidc/oauth2", - "Rev": "a4973d9a4225417aecf5d450a9522f00c1f7130f" - }, - { - "ImportPath": "github.com/coreos/go-oidc/oidc", - "Rev": "a4973d9a4225417aecf5d450a9522f00c1f7130f" + "ImportPath": "github.com/coreos/go-oidc", + "Rev": "065b426bd41667456c1a924468f507673629c46b" }, { "ImportPath": "github.com/coreos/go-semver/semver", @@ -953,21 +937,6 @@ "Comment": "v2-8-gfa29b1d", "Rev": "fa29b1d70f0beaddd4c7021607cc3c3be8ce94b8" }, - { - "ImportPath": "github.com/coreos/pkg/health", - "Comment": "v2-8-gfa29b1d", - "Rev": "fa29b1d70f0beaddd4c7021607cc3c3be8ce94b8" - }, - { - "ImportPath": "github.com/coreos/pkg/httputil", - "Comment": "v2-8-gfa29b1d", - "Rev": "fa29b1d70f0beaddd4c7021607cc3c3be8ce94b8" - }, - { - "ImportPath": "github.com/coreos/pkg/timeutil", - "Comment": "v2-8-gfa29b1d", - "Rev": "fa29b1d70f0beaddd4c7021607cc3c3be8ce94b8" - }, { "ImportPath": "github.com/coreos/rkt/api/v1alpha", "Comment": "v1.25.0", @@ -2480,6 +2449,14 @@ "ImportPath": "github.com/pmezard/go-difflib/difflib", "Rev": "d8ed2627bdf02c080bf22230dbb337003b7aba2d" }, + { + "ImportPath": "github.com/pquerna/cachecontrol", + "Rev": "0dec1b30a0215bb68605dfc568e8855066c9202d" + }, + { + "ImportPath": "github.com/pquerna/cachecontrol/cacheobject", + "Rev": "0dec1b30a0215bb68605dfc568e8855066c9202d" + }, { "ImportPath": "github.com/prometheus/client_golang/prometheus", "Comment": "v0.8.0-83-ge7e9030", diff --git a/Godeps/LICENSES b/Godeps/LICENSES index 0351f79e89b..f8403f098c5 100644 --- a/Godeps/LICENSES +++ b/Godeps/LICENSES @@ -31553,847 +31553,7 @@ CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. ================================================================================ -= vendor/github.com/coreos/go-oidc/http licensed under: = - -Apache License - Version 2.0, January 2004 - http://www.apache.org/licenses/ - - TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION - - 1. Definitions. - - "License" shall mean the terms and conditions for use, reproduction, - and distribution as defined by Sections 1 through 9 of this document. - - "Licensor" shall mean the copyright owner or entity authorized by - the copyright owner that is granting the License. - - "Legal Entity" shall mean the union of the acting entity and all - other entities that control, are controlled by, or are under common - control with that entity. For the purposes of this definition, - "control" means (i) the power, direct or indirect, to cause the - direction or management of such entity, whether by contract or - otherwise, or (ii) ownership of fifty percent (50%) or more of the - outstanding shares, or (iii) beneficial ownership of such entity. - - "You" (or "Your") shall mean an individual or Legal Entity - exercising permissions granted by this License. - - "Source" form shall mean the preferred form for making modifications, - including but not limited to software source code, documentation - source, and configuration files. - - "Object" form shall mean any form resulting from mechanical - transformation or translation of a Source form, including but - not limited to compiled object code, generated documentation, - and conversions to other media types. - - "Work" shall mean the work of authorship, whether in Source or - Object form, made available under the License, as indicated by a - copyright notice that is included in or attached to the work - (an example is provided in the Appendix below). - - "Derivative Works" shall mean any work, whether in Source or Object - form, that is based on (or derived from) the Work and for which the - editorial revisions, annotations, elaborations, or other modifications - represent, as a whole, an original work of authorship. For the purposes - of this License, Derivative Works shall not include works that remain - separable from, or merely link (or bind by name) to the interfaces of, - the Work and Derivative Works thereof. - - "Contribution" shall mean any work of authorship, including - the original version of the Work and any modifications or additions - to that Work or Derivative Works thereof, that is intentionally - submitted to Licensor for inclusion in the Work by the copyright owner - or by an individual or Legal Entity authorized to submit on behalf of - the copyright owner. For the purposes of this definition, "submitted" - means any form of electronic, verbal, or written communication sent - to the Licensor or its representatives, including but not limited to - communication on electronic mailing lists, source code control systems, - and issue tracking systems that are managed by, or on behalf of, the - Licensor for the purpose of discussing and improving the Work, but - excluding communication that is conspicuously marked or otherwise - designated in writing by the copyright owner as "Not a Contribution." - - "Contributor" shall mean Licensor and any individual or Legal Entity - on behalf of whom a Contribution has been received by Licensor and - subsequently incorporated within the Work. - - 2. Grant of Copyright License. Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - copyright license to reproduce, prepare Derivative Works of, - publicly display, publicly perform, sublicense, and distribute the - Work and such Derivative Works in Source or Object form. - - 3. Grant of Patent License. Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - (except as stated in this section) patent license to make, have made, - use, offer to sell, sell, import, and otherwise transfer the Work, - where such license applies only to those patent claims licensable - by such Contributor that are necessarily infringed by their - Contribution(s) alone or by combination of their Contribution(s) - with the Work to which such Contribution(s) was submitted. If You - institute patent litigation against any entity (including a - cross-claim or counterclaim in a lawsuit) alleging that the Work - or a Contribution incorporated within the Work constitutes direct - or contributory patent infringement, then any patent licenses - granted to You under this License for that Work shall terminate - as of the date such litigation is filed. - - 4. Redistribution. You may reproduce and distribute copies of the - Work or Derivative Works thereof in any medium, with or without - modifications, and in Source or Object form, provided that You - meet the following conditions: - - (a) You must give any other recipients of the Work or - Derivative Works a copy of this License; and - - (b) You must cause any modified files to carry prominent notices - stating that You changed the files; and - - (c) You must retain, in the Source form of any Derivative Works - that You distribute, all copyright, patent, trademark, and - attribution notices from the Source form of the Work, - excluding those notices that do not pertain to any part of - the Derivative Works; and - - (d) If the Work includes a "NOTICE" text file as part of its - distribution, then any Derivative Works that You distribute must - include a readable copy of the attribution notices contained - within such NOTICE file, excluding those notices that do not - pertain to any part of the Derivative Works, in at least one - of the following places: within a NOTICE text file distributed - as part of the Derivative Works; within the Source form or - documentation, if provided along with the Derivative Works; or, - within a display generated by the Derivative Works, if and - wherever such third-party notices normally appear. The contents - of the NOTICE file are for informational purposes only and - do not modify the License. You may add Your own attribution - notices within Derivative Works that You distribute, alongside - or as an addendum to the NOTICE text from the Work, provided - that such additional attribution notices cannot be construed - as modifying the License. - - You may add Your own copyright statement to Your modifications and - may provide additional or different license terms and conditions - for use, reproduction, or distribution of Your modifications, or - for any such Derivative Works as a whole, provided Your use, - reproduction, and distribution of the Work otherwise complies with - the conditions stated in this License. - - 5. Submission of Contributions. Unless You explicitly state otherwise, - any Contribution intentionally submitted for inclusion in the Work - by You to the Licensor shall be under the terms and conditions of - this License, without any additional terms or conditions. - Notwithstanding the above, nothing herein shall supersede or modify - the terms of any separate license agreement you may have executed - with Licensor regarding such Contributions. - - 6. Trademarks. This License does not grant permission to use the trade - names, trademarks, service marks, or product names of the Licensor, - except as required for reasonable and customary use in describing the - origin of the Work and reproducing the content of the NOTICE file. - - 7. Disclaimer of Warranty. Unless required by applicable law or - agreed to in writing, Licensor provides the Work (and each - Contributor provides its Contributions) on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or - implied, including, without limitation, any warranties or conditions - of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A - PARTICULAR PURPOSE. You are solely responsible for determining the - appropriateness of using or redistributing the Work and assume any - risks associated with Your exercise of permissions under this License. - - 8. Limitation of Liability. In no event and under no legal theory, - whether in tort (including negligence), contract, or otherwise, - unless required by applicable law (such as deliberate and grossly - negligent acts) or agreed to in writing, shall any Contributor be - liable to You for damages, including any direct, indirect, special, - incidental, or consequential damages of any character arising as a - result of this License or out of the use or inability to use the - Work (including but not limited to damages for loss of goodwill, - work stoppage, computer failure or malfunction, or any and all - other commercial damages or losses), even if such Contributor - has been advised of the possibility of such damages. - - 9. Accepting Warranty or Additional Liability. While redistributing - the Work or Derivative Works thereof, You may choose to offer, - and charge a fee for, acceptance of support, warranty, indemnity, - or other liability obligations and/or rights consistent with this - License. However, in accepting such obligations, You may act only - on Your own behalf and on Your sole responsibility, not on behalf - of any other Contributor, and only if You agree to indemnify, - defend, and hold each Contributor harmless for any liability - incurred by, or claims asserted against, such Contributor by reason - of your accepting any such warranty or additional liability. - - END OF TERMS AND CONDITIONS - - APPENDIX: How to apply the Apache License to your work. - - To apply the Apache License to your work, attach the following - boilerplate notice, with the fields enclosed by brackets "{}" - replaced with your own identifying information. (Don't include - the brackets!) The text should be enclosed in the appropriate - comment syntax for the file format. We also recommend that a - file or class name and description of purpose be included on the - same "printed page" as the copyright notice for easier - identification within third-party archives. - - Copyright {yyyy} {name of copyright owner} - - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. - - -= vendor/github.com/coreos/go-oidc/LICENSE d2794c0df5b907fdace235a619d80314 -================================================================================ - - -================================================================================ -= vendor/github.com/coreos/go-oidc/jose licensed under: = - -Apache License - Version 2.0, January 2004 - http://www.apache.org/licenses/ - - TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION - - 1. Definitions. - - "License" shall mean the terms and conditions for use, reproduction, - and distribution as defined by Sections 1 through 9 of this document. - - "Licensor" shall mean the copyright owner or entity authorized by - the copyright owner that is granting the License. - - "Legal Entity" shall mean the union of the acting entity and all - other entities that control, are controlled by, or are under common - control with that entity. For the purposes of this definition, - "control" means (i) the power, direct or indirect, to cause the - direction or management of such entity, whether by contract or - otherwise, or (ii) ownership of fifty percent (50%) or more of the - outstanding shares, or (iii) beneficial ownership of such entity. - - "You" (or "Your") shall mean an individual or Legal Entity - exercising permissions granted by this License. - - "Source" form shall mean the preferred form for making modifications, - including but not limited to software source code, documentation - source, and configuration files. - - "Object" form shall mean any form resulting from mechanical - transformation or translation of a Source form, including but - not limited to compiled object code, generated documentation, - and conversions to other media types. - - "Work" shall mean the work of authorship, whether in Source or - Object form, made available under the License, as indicated by a - copyright notice that is included in or attached to the work - (an example is provided in the Appendix below). - - "Derivative Works" shall mean any work, whether in Source or Object - form, that is based on (or derived from) the Work and for which the - editorial revisions, annotations, elaborations, or other modifications - represent, as a whole, an original work of authorship. For the purposes - of this License, Derivative Works shall not include works that remain - separable from, or merely link (or bind by name) to the interfaces of, - the Work and Derivative Works thereof. - - "Contribution" shall mean any work of authorship, including - the original version of the Work and any modifications or additions - to that Work or Derivative Works thereof, that is intentionally - submitted to Licensor for inclusion in the Work by the copyright owner - or by an individual or Legal Entity authorized to submit on behalf of - the copyright owner. For the purposes of this definition, "submitted" - means any form of electronic, verbal, or written communication sent - to the Licensor or its representatives, including but not limited to - communication on electronic mailing lists, source code control systems, - and issue tracking systems that are managed by, or on behalf of, the - Licensor for the purpose of discussing and improving the Work, but - excluding communication that is conspicuously marked or otherwise - designated in writing by the copyright owner as "Not a Contribution." - - "Contributor" shall mean Licensor and any individual or Legal Entity - on behalf of whom a Contribution has been received by Licensor and - subsequently incorporated within the Work. - - 2. Grant of Copyright License. Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - copyright license to reproduce, prepare Derivative Works of, - publicly display, publicly perform, sublicense, and distribute the - Work and such Derivative Works in Source or Object form. - - 3. Grant of Patent License. Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - (except as stated in this section) patent license to make, have made, - use, offer to sell, sell, import, and otherwise transfer the Work, - where such license applies only to those patent claims licensable - by such Contributor that are necessarily infringed by their - Contribution(s) alone or by combination of their Contribution(s) - with the Work to which such Contribution(s) was submitted. If You - institute patent litigation against any entity (including a - cross-claim or counterclaim in a lawsuit) alleging that the Work - or a Contribution incorporated within the Work constitutes direct - or contributory patent infringement, then any patent licenses - granted to You under this License for that Work shall terminate - as of the date such litigation is filed. - - 4. Redistribution. You may reproduce and distribute copies of the - Work or Derivative Works thereof in any medium, with or without - modifications, and in Source or Object form, provided that You - meet the following conditions: - - (a) You must give any other recipients of the Work or - Derivative Works a copy of this License; and - - (b) You must cause any modified files to carry prominent notices - stating that You changed the files; and - - (c) You must retain, in the Source form of any Derivative Works - that You distribute, all copyright, patent, trademark, and - attribution notices from the Source form of the Work, - excluding those notices that do not pertain to any part of - the Derivative Works; and - - (d) If the Work includes a "NOTICE" text file as part of its - distribution, then any Derivative Works that You distribute must - include a readable copy of the attribution notices contained - within such NOTICE file, excluding those notices that do not - pertain to any part of the Derivative Works, in at least one - of the following places: within a NOTICE text file distributed - as part of the Derivative Works; within the Source form or - documentation, if provided along with the Derivative Works; or, - within a display generated by the Derivative Works, if and - wherever such third-party notices normally appear. The contents - of the NOTICE file are for informational purposes only and - do not modify the License. You may add Your own attribution - notices within Derivative Works that You distribute, alongside - or as an addendum to the NOTICE text from the Work, provided - that such additional attribution notices cannot be construed - as modifying the License. - - You may add Your own copyright statement to Your modifications and - may provide additional or different license terms and conditions - for use, reproduction, or distribution of Your modifications, or - for any such Derivative Works as a whole, provided Your use, - reproduction, and distribution of the Work otherwise complies with - the conditions stated in this License. - - 5. Submission of Contributions. Unless You explicitly state otherwise, - any Contribution intentionally submitted for inclusion in the Work - by You to the Licensor shall be under the terms and conditions of - this License, without any additional terms or conditions. - Notwithstanding the above, nothing herein shall supersede or modify - the terms of any separate license agreement you may have executed - with Licensor regarding such Contributions. - - 6. Trademarks. This License does not grant permission to use the trade - names, trademarks, service marks, or product names of the Licensor, - except as required for reasonable and customary use in describing the - origin of the Work and reproducing the content of the NOTICE file. - - 7. Disclaimer of Warranty. Unless required by applicable law or - agreed to in writing, Licensor provides the Work (and each - Contributor provides its Contributions) on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or - implied, including, without limitation, any warranties or conditions - of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A - PARTICULAR PURPOSE. You are solely responsible for determining the - appropriateness of using or redistributing the Work and assume any - risks associated with Your exercise of permissions under this License. - - 8. Limitation of Liability. In no event and under no legal theory, - whether in tort (including negligence), contract, or otherwise, - unless required by applicable law (such as deliberate and grossly - negligent acts) or agreed to in writing, shall any Contributor be - liable to You for damages, including any direct, indirect, special, - incidental, or consequential damages of any character arising as a - result of this License or out of the use or inability to use the - Work (including but not limited to damages for loss of goodwill, - work stoppage, computer failure or malfunction, or any and all - other commercial damages or losses), even if such Contributor - has been advised of the possibility of such damages. - - 9. Accepting Warranty or Additional Liability. While redistributing - the Work or Derivative Works thereof, You may choose to offer, - and charge a fee for, acceptance of support, warranty, indemnity, - or other liability obligations and/or rights consistent with this - License. However, in accepting such obligations, You may act only - on Your own behalf and on Your sole responsibility, not on behalf - of any other Contributor, and only if You agree to indemnify, - defend, and hold each Contributor harmless for any liability - incurred by, or claims asserted against, such Contributor by reason - of your accepting any such warranty or additional liability. - - END OF TERMS AND CONDITIONS - - APPENDIX: How to apply the Apache License to your work. - - To apply the Apache License to your work, attach the following - boilerplate notice, with the fields enclosed by brackets "{}" - replaced with your own identifying information. (Don't include - the brackets!) The text should be enclosed in the appropriate - comment syntax for the file format. We also recommend that a - file or class name and description of purpose be included on the - same "printed page" as the copyright notice for easier - identification within third-party archives. - - Copyright {yyyy} {name of copyright owner} - - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. - - -= vendor/github.com/coreos/go-oidc/LICENSE d2794c0df5b907fdace235a619d80314 -================================================================================ - - -================================================================================ -= vendor/github.com/coreos/go-oidc/key licensed under: = - -Apache License - Version 2.0, January 2004 - http://www.apache.org/licenses/ - - TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION - - 1. Definitions. - - "License" shall mean the terms and conditions for use, reproduction, - and distribution as defined by Sections 1 through 9 of this document. - - "Licensor" shall mean the copyright owner or entity authorized by - the copyright owner that is granting the License. - - "Legal Entity" shall mean the union of the acting entity and all - other entities that control, are controlled by, or are under common - control with that entity. For the purposes of this definition, - "control" means (i) the power, direct or indirect, to cause the - direction or management of such entity, whether by contract or - otherwise, or (ii) ownership of fifty percent (50%) or more of the - outstanding shares, or (iii) beneficial ownership of such entity. - - "You" (or "Your") shall mean an individual or Legal Entity - exercising permissions granted by this License. - - "Source" form shall mean the preferred form for making modifications, - including but not limited to software source code, documentation - source, and configuration files. - - "Object" form shall mean any form resulting from mechanical - transformation or translation of a Source form, including but - not limited to compiled object code, generated documentation, - and conversions to other media types. - - "Work" shall mean the work of authorship, whether in Source or - Object form, made available under the License, as indicated by a - copyright notice that is included in or attached to the work - (an example is provided in the Appendix below). - - "Derivative Works" shall mean any work, whether in Source or Object - form, that is based on (or derived from) the Work and for which the - editorial revisions, annotations, elaborations, or other modifications - represent, as a whole, an original work of authorship. For the purposes - of this License, Derivative Works shall not include works that remain - separable from, or merely link (or bind by name) to the interfaces of, - the Work and Derivative Works thereof. - - "Contribution" shall mean any work of authorship, including - the original version of the Work and any modifications or additions - to that Work or Derivative Works thereof, that is intentionally - submitted to Licensor for inclusion in the Work by the copyright owner - or by an individual or Legal Entity authorized to submit on behalf of - the copyright owner. For the purposes of this definition, "submitted" - means any form of electronic, verbal, or written communication sent - to the Licensor or its representatives, including but not limited to - communication on electronic mailing lists, source code control systems, - and issue tracking systems that are managed by, or on behalf of, the - Licensor for the purpose of discussing and improving the Work, but - excluding communication that is conspicuously marked or otherwise - designated in writing by the copyright owner as "Not a Contribution." - - "Contributor" shall mean Licensor and any individual or Legal Entity - on behalf of whom a Contribution has been received by Licensor and - subsequently incorporated within the Work. - - 2. Grant of Copyright License. Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - copyright license to reproduce, prepare Derivative Works of, - publicly display, publicly perform, sublicense, and distribute the - Work and such Derivative Works in Source or Object form. - - 3. Grant of Patent License. Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - (except as stated in this section) patent license to make, have made, - use, offer to sell, sell, import, and otherwise transfer the Work, - where such license applies only to those patent claims licensable - by such Contributor that are necessarily infringed by their - Contribution(s) alone or by combination of their Contribution(s) - with the Work to which such Contribution(s) was submitted. If You - institute patent litigation against any entity (including a - cross-claim or counterclaim in a lawsuit) alleging that the Work - or a Contribution incorporated within the Work constitutes direct - or contributory patent infringement, then any patent licenses - granted to You under this License for that Work shall terminate - as of the date such litigation is filed. - - 4. Redistribution. You may reproduce and distribute copies of the - Work or Derivative Works thereof in any medium, with or without - modifications, and in Source or Object form, provided that You - meet the following conditions: - - (a) You must give any other recipients of the Work or - Derivative Works a copy of this License; and - - (b) You must cause any modified files to carry prominent notices - stating that You changed the files; and - - (c) You must retain, in the Source form of any Derivative Works - that You distribute, all copyright, patent, trademark, and - attribution notices from the Source form of the Work, - excluding those notices that do not pertain to any part of - the Derivative Works; and - - (d) If the Work includes a "NOTICE" text file as part of its - distribution, then any Derivative Works that You distribute must - include a readable copy of the attribution notices contained - within such NOTICE file, excluding those notices that do not - pertain to any part of the Derivative Works, in at least one - of the following places: within a NOTICE text file distributed - as part of the Derivative Works; within the Source form or - documentation, if provided along with the Derivative Works; or, - within a display generated by the Derivative Works, if and - wherever such third-party notices normally appear. The contents - of the NOTICE file are for informational purposes only and - do not modify the License. You may add Your own attribution - notices within Derivative Works that You distribute, alongside - or as an addendum to the NOTICE text from the Work, provided - that such additional attribution notices cannot be construed - as modifying the License. - - You may add Your own copyright statement to Your modifications and - may provide additional or different license terms and conditions - for use, reproduction, or distribution of Your modifications, or - for any such Derivative Works as a whole, provided Your use, - reproduction, and distribution of the Work otherwise complies with - the conditions stated in this License. - - 5. Submission of Contributions. Unless You explicitly state otherwise, - any Contribution intentionally submitted for inclusion in the Work - by You to the Licensor shall be under the terms and conditions of - this License, without any additional terms or conditions. - Notwithstanding the above, nothing herein shall supersede or modify - the terms of any separate license agreement you may have executed - with Licensor regarding such Contributions. - - 6. Trademarks. This License does not grant permission to use the trade - names, trademarks, service marks, or product names of the Licensor, - except as required for reasonable and customary use in describing the - origin of the Work and reproducing the content of the NOTICE file. - - 7. Disclaimer of Warranty. Unless required by applicable law or - agreed to in writing, Licensor provides the Work (and each - Contributor provides its Contributions) on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or - implied, including, without limitation, any warranties or conditions - of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A - PARTICULAR PURPOSE. You are solely responsible for determining the - appropriateness of using or redistributing the Work and assume any - risks associated with Your exercise of permissions under this License. - - 8. Limitation of Liability. In no event and under no legal theory, - whether in tort (including negligence), contract, or otherwise, - unless required by applicable law (such as deliberate and grossly - negligent acts) or agreed to in writing, shall any Contributor be - liable to You for damages, including any direct, indirect, special, - incidental, or consequential damages of any character arising as a - result of this License or out of the use or inability to use the - Work (including but not limited to damages for loss of goodwill, - work stoppage, computer failure or malfunction, or any and all - other commercial damages or losses), even if such Contributor - has been advised of the possibility of such damages. - - 9. Accepting Warranty or Additional Liability. While redistributing - the Work or Derivative Works thereof, You may choose to offer, - and charge a fee for, acceptance of support, warranty, indemnity, - or other liability obligations and/or rights consistent with this - License. However, in accepting such obligations, You may act only - on Your own behalf and on Your sole responsibility, not on behalf - of any other Contributor, and only if You agree to indemnify, - defend, and hold each Contributor harmless for any liability - incurred by, or claims asserted against, such Contributor by reason - of your accepting any such warranty or additional liability. - - END OF TERMS AND CONDITIONS - - APPENDIX: How to apply the Apache License to your work. - - To apply the Apache License to your work, attach the following - boilerplate notice, with the fields enclosed by brackets "{}" - replaced with your own identifying information. (Don't include - the brackets!) The text should be enclosed in the appropriate - comment syntax for the file format. We also recommend that a - file or class name and description of purpose be included on the - same "printed page" as the copyright notice for easier - identification within third-party archives. - - Copyright {yyyy} {name of copyright owner} - - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. - - -= vendor/github.com/coreos/go-oidc/LICENSE d2794c0df5b907fdace235a619d80314 -================================================================================ - - -================================================================================ -= vendor/github.com/coreos/go-oidc/oauth2 licensed under: = - -Apache License - Version 2.0, January 2004 - http://www.apache.org/licenses/ - - TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION - - 1. Definitions. - - "License" shall mean the terms and conditions for use, reproduction, - and distribution as defined by Sections 1 through 9 of this document. - - "Licensor" shall mean the copyright owner or entity authorized by - the copyright owner that is granting the License. - - "Legal Entity" shall mean the union of the acting entity and all - other entities that control, are controlled by, or are under common - control with that entity. For the purposes of this definition, - "control" means (i) the power, direct or indirect, to cause the - direction or management of such entity, whether by contract or - otherwise, or (ii) ownership of fifty percent (50%) or more of the - outstanding shares, or (iii) beneficial ownership of such entity. - - "You" (or "Your") shall mean an individual or Legal Entity - exercising permissions granted by this License. - - "Source" form shall mean the preferred form for making modifications, - including but not limited to software source code, documentation - source, and configuration files. - - "Object" form shall mean any form resulting from mechanical - transformation or translation of a Source form, including but - not limited to compiled object code, generated documentation, - and conversions to other media types. - - "Work" shall mean the work of authorship, whether in Source or - Object form, made available under the License, as indicated by a - copyright notice that is included in or attached to the work - (an example is provided in the Appendix below). - - "Derivative Works" shall mean any work, whether in Source or Object - form, that is based on (or derived from) the Work and for which the - editorial revisions, annotations, elaborations, or other modifications - represent, as a whole, an original work of authorship. For the purposes - of this License, Derivative Works shall not include works that remain - separable from, or merely link (or bind by name) to the interfaces of, - the Work and Derivative Works thereof. - - "Contribution" shall mean any work of authorship, including - the original version of the Work and any modifications or additions - to that Work or Derivative Works thereof, that is intentionally - submitted to Licensor for inclusion in the Work by the copyright owner - or by an individual or Legal Entity authorized to submit on behalf of - the copyright owner. For the purposes of this definition, "submitted" - means any form of electronic, verbal, or written communication sent - to the Licensor or its representatives, including but not limited to - communication on electronic mailing lists, source code control systems, - and issue tracking systems that are managed by, or on behalf of, the - Licensor for the purpose of discussing and improving the Work, but - excluding communication that is conspicuously marked or otherwise - designated in writing by the copyright owner as "Not a Contribution." - - "Contributor" shall mean Licensor and any individual or Legal Entity - on behalf of whom a Contribution has been received by Licensor and - subsequently incorporated within the Work. - - 2. Grant of Copyright License. Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - copyright license to reproduce, prepare Derivative Works of, - publicly display, publicly perform, sublicense, and distribute the - Work and such Derivative Works in Source or Object form. - - 3. Grant of Patent License. Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - (except as stated in this section) patent license to make, have made, - use, offer to sell, sell, import, and otherwise transfer the Work, - where such license applies only to those patent claims licensable - by such Contributor that are necessarily infringed by their - Contribution(s) alone or by combination of their Contribution(s) - with the Work to which such Contribution(s) was submitted. If You - institute patent litigation against any entity (including a - cross-claim or counterclaim in a lawsuit) alleging that the Work - or a Contribution incorporated within the Work constitutes direct - or contributory patent infringement, then any patent licenses - granted to You under this License for that Work shall terminate - as of the date such litigation is filed. - - 4. Redistribution. You may reproduce and distribute copies of the - Work or Derivative Works thereof in any medium, with or without - modifications, and in Source or Object form, provided that You - meet the following conditions: - - (a) You must give any other recipients of the Work or - Derivative Works a copy of this License; and - - (b) You must cause any modified files to carry prominent notices - stating that You changed the files; and - - (c) You must retain, in the Source form of any Derivative Works - that You distribute, all copyright, patent, trademark, and - attribution notices from the Source form of the Work, - excluding those notices that do not pertain to any part of - the Derivative Works; and - - (d) If the Work includes a "NOTICE" text file as part of its - distribution, then any Derivative Works that You distribute must - include a readable copy of the attribution notices contained - within such NOTICE file, excluding those notices that do not - pertain to any part of the Derivative Works, in at least one - of the following places: within a NOTICE text file distributed - as part of the Derivative Works; within the Source form or - documentation, if provided along with the Derivative Works; or, - within a display generated by the Derivative Works, if and - wherever such third-party notices normally appear. The contents - of the NOTICE file are for informational purposes only and - do not modify the License. You may add Your own attribution - notices within Derivative Works that You distribute, alongside - or as an addendum to the NOTICE text from the Work, provided - that such additional attribution notices cannot be construed - as modifying the License. - - You may add Your own copyright statement to Your modifications and - may provide additional or different license terms and conditions - for use, reproduction, or distribution of Your modifications, or - for any such Derivative Works as a whole, provided Your use, - reproduction, and distribution of the Work otherwise complies with - the conditions stated in this License. - - 5. Submission of Contributions. Unless You explicitly state otherwise, - any Contribution intentionally submitted for inclusion in the Work - by You to the Licensor shall be under the terms and conditions of - this License, without any additional terms or conditions. - Notwithstanding the above, nothing herein shall supersede or modify - the terms of any separate license agreement you may have executed - with Licensor regarding such Contributions. - - 6. Trademarks. This License does not grant permission to use the trade - names, trademarks, service marks, or product names of the Licensor, - except as required for reasonable and customary use in describing the - origin of the Work and reproducing the content of the NOTICE file. - - 7. Disclaimer of Warranty. Unless required by applicable law or - agreed to in writing, Licensor provides the Work (and each - Contributor provides its Contributions) on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or - implied, including, without limitation, any warranties or conditions - of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A - PARTICULAR PURPOSE. You are solely responsible for determining the - appropriateness of using or redistributing the Work and assume any - risks associated with Your exercise of permissions under this License. - - 8. Limitation of Liability. In no event and under no legal theory, - whether in tort (including negligence), contract, or otherwise, - unless required by applicable law (such as deliberate and grossly - negligent acts) or agreed to in writing, shall any Contributor be - liable to You for damages, including any direct, indirect, special, - incidental, or consequential damages of any character arising as a - result of this License or out of the use or inability to use the - Work (including but not limited to damages for loss of goodwill, - work stoppage, computer failure or malfunction, or any and all - other commercial damages or losses), even if such Contributor - has been advised of the possibility of such damages. - - 9. Accepting Warranty or Additional Liability. While redistributing - the Work or Derivative Works thereof, You may choose to offer, - and charge a fee for, acceptance of support, warranty, indemnity, - or other liability obligations and/or rights consistent with this - License. However, in accepting such obligations, You may act only - on Your own behalf and on Your sole responsibility, not on behalf - of any other Contributor, and only if You agree to indemnify, - defend, and hold each Contributor harmless for any liability - incurred by, or claims asserted against, such Contributor by reason - of your accepting any such warranty or additional liability. - - END OF TERMS AND CONDITIONS - - APPENDIX: How to apply the Apache License to your work. - - To apply the Apache License to your work, attach the following - boilerplate notice, with the fields enclosed by brackets "{}" - replaced with your own identifying information. (Don't include - the brackets!) The text should be enclosed in the appropriate - comment syntax for the file format. We also recommend that a - file or class name and description of purpose be included on the - same "printed page" as the copyright notice for easier - identification within third-party archives. - - Copyright {yyyy} {name of copyright owner} - - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. - - -= vendor/github.com/coreos/go-oidc/LICENSE d2794c0df5b907fdace235a619d80314 -================================================================================ - - -================================================================================ -= vendor/github.com/coreos/go-oidc/oidc licensed under: = += vendor/github.com/coreos/go-oidc licensed under: = Apache License Version 2.0, January 2004 @@ -34227,636 +33387,6 @@ Apache License ================================================================================ -================================================================================ -= vendor/github.com/coreos/pkg/health licensed under: = - -Apache License - Version 2.0, January 2004 - http://www.apache.org/licenses/ - - TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION - - 1. Definitions. - - "License" shall mean the terms and conditions for use, reproduction, - and distribution as defined by Sections 1 through 9 of this document. - - "Licensor" shall mean the copyright owner or entity authorized by - the copyright owner that is granting the License. - - "Legal Entity" shall mean the union of the acting entity and all - other entities that control, are controlled by, or are under common - control with that entity. For the purposes of this definition, - "control" means (i) the power, direct or indirect, to cause the - direction or management of such entity, whether by contract or - otherwise, or (ii) ownership of fifty percent (50%) or more of the - outstanding shares, or (iii) beneficial ownership of such entity. - - "You" (or "Your") shall mean an individual or Legal Entity - exercising permissions granted by this License. - - "Source" form shall mean the preferred form for making modifications, - including but not limited to software source code, documentation - source, and configuration files. - - "Object" form shall mean any form resulting from mechanical - transformation or translation of a Source form, including but - not limited to compiled object code, generated documentation, - and conversions to other media types. - - "Work" shall mean the work of authorship, whether in Source or - Object form, made available under the License, as indicated by a - copyright notice that is included in or attached to the work - (an example is provided in the Appendix below). - - "Derivative Works" shall mean any work, whether in Source or Object - form, that is based on (or derived from) the Work and for which the - editorial revisions, annotations, elaborations, or other modifications - represent, as a whole, an original work of authorship. For the purposes - of this License, Derivative Works shall not include works that remain - separable from, or merely link (or bind by name) to the interfaces of, - the Work and Derivative Works thereof. - - "Contribution" shall mean any work of authorship, including - the original version of the Work and any modifications or additions - to that Work or Derivative Works thereof, that is intentionally - submitted to Licensor for inclusion in the Work by the copyright owner - or by an individual or Legal Entity authorized to submit on behalf of - the copyright owner. For the purposes of this definition, "submitted" - means any form of electronic, verbal, or written communication sent - to the Licensor or its representatives, including but not limited to - communication on electronic mailing lists, source code control systems, - and issue tracking systems that are managed by, or on behalf of, the - Licensor for the purpose of discussing and improving the Work, but - excluding communication that is conspicuously marked or otherwise - designated in writing by the copyright owner as "Not a Contribution." - - "Contributor" shall mean Licensor and any individual or Legal Entity - on behalf of whom a Contribution has been received by Licensor and - subsequently incorporated within the Work. - - 2. Grant of Copyright License. Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - copyright license to reproduce, prepare Derivative Works of, - publicly display, publicly perform, sublicense, and distribute the - Work and such Derivative Works in Source or Object form. - - 3. Grant of Patent License. Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - (except as stated in this section) patent license to make, have made, - use, offer to sell, sell, import, and otherwise transfer the Work, - where such license applies only to those patent claims licensable - by such Contributor that are necessarily infringed by their - Contribution(s) alone or by combination of their Contribution(s) - with the Work to which such Contribution(s) was submitted. If You - institute patent litigation against any entity (including a - cross-claim or counterclaim in a lawsuit) alleging that the Work - or a Contribution incorporated within the Work constitutes direct - or contributory patent infringement, then any patent licenses - granted to You under this License for that Work shall terminate - as of the date such litigation is filed. - - 4. Redistribution. You may reproduce and distribute copies of the - Work or Derivative Works thereof in any medium, with or without - modifications, and in Source or Object form, provided that You - meet the following conditions: - - (a) You must give any other recipients of the Work or - Derivative Works a copy of this License; and - - (b) You must cause any modified files to carry prominent notices - stating that You changed the files; and - - (c) You must retain, in the Source form of any Derivative Works - that You distribute, all copyright, patent, trademark, and - attribution notices from the Source form of the Work, - excluding those notices that do not pertain to any part of - the Derivative Works; and - - (d) If the Work includes a "NOTICE" text file as part of its - distribution, then any Derivative Works that You distribute must - include a readable copy of the attribution notices contained - within such NOTICE file, excluding those notices that do not - pertain to any part of the Derivative Works, in at least one - of the following places: within a NOTICE text file distributed - as part of the Derivative Works; within the Source form or - documentation, if provided along with the Derivative Works; or, - within a display generated by the Derivative Works, if and - wherever such third-party notices normally appear. The contents - of the NOTICE file are for informational purposes only and - do not modify the License. You may add Your own attribution - notices within Derivative Works that You distribute, alongside - or as an addendum to the NOTICE text from the Work, provided - that such additional attribution notices cannot be construed - as modifying the License. - - You may add Your own copyright statement to Your modifications and - may provide additional or different license terms and conditions - for use, reproduction, or distribution of Your modifications, or - for any such Derivative Works as a whole, provided Your use, - reproduction, and distribution of the Work otherwise complies with - the conditions stated in this License. - - 5. Submission of Contributions. Unless You explicitly state otherwise, - any Contribution intentionally submitted for inclusion in the Work - by You to the Licensor shall be under the terms and conditions of - this License, without any additional terms or conditions. - Notwithstanding the above, nothing herein shall supersede or modify - the terms of any separate license agreement you may have executed - with Licensor regarding such Contributions. - - 6. Trademarks. This License does not grant permission to use the trade - names, trademarks, service marks, or product names of the Licensor, - except as required for reasonable and customary use in describing the - origin of the Work and reproducing the content of the NOTICE file. - - 7. Disclaimer of Warranty. Unless required by applicable law or - agreed to in writing, Licensor provides the Work (and each - Contributor provides its Contributions) on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or - implied, including, without limitation, any warranties or conditions - of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A - PARTICULAR PURPOSE. You are solely responsible for determining the - appropriateness of using or redistributing the Work and assume any - risks associated with Your exercise of permissions under this License. - - 8. Limitation of Liability. In no event and under no legal theory, - whether in tort (including negligence), contract, or otherwise, - unless required by applicable law (such as deliberate and grossly - negligent acts) or agreed to in writing, shall any Contributor be - liable to You for damages, including any direct, indirect, special, - incidental, or consequential damages of any character arising as a - result of this License or out of the use or inability to use the - Work (including but not limited to damages for loss of goodwill, - work stoppage, computer failure or malfunction, or any and all - other commercial damages or losses), even if such Contributor - has been advised of the possibility of such damages. - - 9. Accepting Warranty or Additional Liability. While redistributing - the Work or Derivative Works thereof, You may choose to offer, - and charge a fee for, acceptance of support, warranty, indemnity, - or other liability obligations and/or rights consistent with this - License. However, in accepting such obligations, You may act only - on Your own behalf and on Your sole responsibility, not on behalf - of any other Contributor, and only if You agree to indemnify, - defend, and hold each Contributor harmless for any liability - incurred by, or claims asserted against, such Contributor by reason - of your accepting any such warranty or additional liability. - - END OF TERMS AND CONDITIONS - - APPENDIX: How to apply the Apache License to your work. - - To apply the Apache License to your work, attach the following - boilerplate notice, with the fields enclosed by brackets "{}" - replaced with your own identifying information. (Don't include - the brackets!) The text should be enclosed in the appropriate - comment syntax for the file format. We also recommend that a - file or class name and description of purpose be included on the - same "printed page" as the copyright notice for easier - identification within third-party archives. - - Copyright {yyyy} {name of copyright owner} - - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. - - -= vendor/github.com/coreos/pkg/LICENSE d2794c0df5b907fdace235a619d80314 -================================================================================ - - -================================================================================ -= vendor/github.com/coreos/pkg/httputil licensed under: = - -Apache License - Version 2.0, January 2004 - http://www.apache.org/licenses/ - - TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION - - 1. Definitions. - - "License" shall mean the terms and conditions for use, reproduction, - and distribution as defined by Sections 1 through 9 of this document. - - "Licensor" shall mean the copyright owner or entity authorized by - the copyright owner that is granting the License. - - "Legal Entity" shall mean the union of the acting entity and all - other entities that control, are controlled by, or are under common - control with that entity. For the purposes of this definition, - "control" means (i) the power, direct or indirect, to cause the - direction or management of such entity, whether by contract or - otherwise, or (ii) ownership of fifty percent (50%) or more of the - outstanding shares, or (iii) beneficial ownership of such entity. - - "You" (or "Your") shall mean an individual or Legal Entity - exercising permissions granted by this License. - - "Source" form shall mean the preferred form for making modifications, - including but not limited to software source code, documentation - source, and configuration files. - - "Object" form shall mean any form resulting from mechanical - transformation or translation of a Source form, including but - not limited to compiled object code, generated documentation, - and conversions to other media types. - - "Work" shall mean the work of authorship, whether in Source or - Object form, made available under the License, as indicated by a - copyright notice that is included in or attached to the work - (an example is provided in the Appendix below). - - "Derivative Works" shall mean any work, whether in Source or Object - form, that is based on (or derived from) the Work and for which the - editorial revisions, annotations, elaborations, or other modifications - represent, as a whole, an original work of authorship. For the purposes - of this License, Derivative Works shall not include works that remain - separable from, or merely link (or bind by name) to the interfaces of, - the Work and Derivative Works thereof. - - "Contribution" shall mean any work of authorship, including - the original version of the Work and any modifications or additions - to that Work or Derivative Works thereof, that is intentionally - submitted to Licensor for inclusion in the Work by the copyright owner - or by an individual or Legal Entity authorized to submit on behalf of - the copyright owner. For the purposes of this definition, "submitted" - means any form of electronic, verbal, or written communication sent - to the Licensor or its representatives, including but not limited to - communication on electronic mailing lists, source code control systems, - and issue tracking systems that are managed by, or on behalf of, the - Licensor for the purpose of discussing and improving the Work, but - excluding communication that is conspicuously marked or otherwise - designated in writing by the copyright owner as "Not a Contribution." - - "Contributor" shall mean Licensor and any individual or Legal Entity - on behalf of whom a Contribution has been received by Licensor and - subsequently incorporated within the Work. - - 2. Grant of Copyright License. Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - copyright license to reproduce, prepare Derivative Works of, - publicly display, publicly perform, sublicense, and distribute the - Work and such Derivative Works in Source or Object form. - - 3. Grant of Patent License. Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - (except as stated in this section) patent license to make, have made, - use, offer to sell, sell, import, and otherwise transfer the Work, - where such license applies only to those patent claims licensable - by such Contributor that are necessarily infringed by their - Contribution(s) alone or by combination of their Contribution(s) - with the Work to which such Contribution(s) was submitted. If You - institute patent litigation against any entity (including a - cross-claim or counterclaim in a lawsuit) alleging that the Work - or a Contribution incorporated within the Work constitutes direct - or contributory patent infringement, then any patent licenses - granted to You under this License for that Work shall terminate - as of the date such litigation is filed. - - 4. Redistribution. You may reproduce and distribute copies of the - Work or Derivative Works thereof in any medium, with or without - modifications, and in Source or Object form, provided that You - meet the following conditions: - - (a) You must give any other recipients of the Work or - Derivative Works a copy of this License; and - - (b) You must cause any modified files to carry prominent notices - stating that You changed the files; and - - (c) You must retain, in the Source form of any Derivative Works - that You distribute, all copyright, patent, trademark, and - attribution notices from the Source form of the Work, - excluding those notices that do not pertain to any part of - the Derivative Works; and - - (d) If the Work includes a "NOTICE" text file as part of its - distribution, then any Derivative Works that You distribute must - include a readable copy of the attribution notices contained - within such NOTICE file, excluding those notices that do not - pertain to any part of the Derivative Works, in at least one - of the following places: within a NOTICE text file distributed - as part of the Derivative Works; within the Source form or - documentation, if provided along with the Derivative Works; or, - within a display generated by the Derivative Works, if and - wherever such third-party notices normally appear. The contents - of the NOTICE file are for informational purposes only and - do not modify the License. You may add Your own attribution - notices within Derivative Works that You distribute, alongside - or as an addendum to the NOTICE text from the Work, provided - that such additional attribution notices cannot be construed - as modifying the License. - - You may add Your own copyright statement to Your modifications and - may provide additional or different license terms and conditions - for use, reproduction, or distribution of Your modifications, or - for any such Derivative Works as a whole, provided Your use, - reproduction, and distribution of the Work otherwise complies with - the conditions stated in this License. - - 5. Submission of Contributions. Unless You explicitly state otherwise, - any Contribution intentionally submitted for inclusion in the Work - by You to the Licensor shall be under the terms and conditions of - this License, without any additional terms or conditions. - Notwithstanding the above, nothing herein shall supersede or modify - the terms of any separate license agreement you may have executed - with Licensor regarding such Contributions. - - 6. Trademarks. This License does not grant permission to use the trade - names, trademarks, service marks, or product names of the Licensor, - except as required for reasonable and customary use in describing the - origin of the Work and reproducing the content of the NOTICE file. - - 7. Disclaimer of Warranty. Unless required by applicable law or - agreed to in writing, Licensor provides the Work (and each - Contributor provides its Contributions) on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or - implied, including, without limitation, any warranties or conditions - of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A - PARTICULAR PURPOSE. You are solely responsible for determining the - appropriateness of using or redistributing the Work and assume any - risks associated with Your exercise of permissions under this License. - - 8. Limitation of Liability. In no event and under no legal theory, - whether in tort (including negligence), contract, or otherwise, - unless required by applicable law (such as deliberate and grossly - negligent acts) or agreed to in writing, shall any Contributor be - liable to You for damages, including any direct, indirect, special, - incidental, or consequential damages of any character arising as a - result of this License or out of the use or inability to use the - Work (including but not limited to damages for loss of goodwill, - work stoppage, computer failure or malfunction, or any and all - other commercial damages or losses), even if such Contributor - has been advised of the possibility of such damages. - - 9. Accepting Warranty or Additional Liability. While redistributing - the Work or Derivative Works thereof, You may choose to offer, - and charge a fee for, acceptance of support, warranty, indemnity, - or other liability obligations and/or rights consistent with this - License. However, in accepting such obligations, You may act only - on Your own behalf and on Your sole responsibility, not on behalf - of any other Contributor, and only if You agree to indemnify, - defend, and hold each Contributor harmless for any liability - incurred by, or claims asserted against, such Contributor by reason - of your accepting any such warranty or additional liability. - - END OF TERMS AND CONDITIONS - - APPENDIX: How to apply the Apache License to your work. - - To apply the Apache License to your work, attach the following - boilerplate notice, with the fields enclosed by brackets "{}" - replaced with your own identifying information. (Don't include - the brackets!) The text should be enclosed in the appropriate - comment syntax for the file format. We also recommend that a - file or class name and description of purpose be included on the - same "printed page" as the copyright notice for easier - identification within third-party archives. - - Copyright {yyyy} {name of copyright owner} - - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. - - -= vendor/github.com/coreos/pkg/LICENSE d2794c0df5b907fdace235a619d80314 -================================================================================ - - -================================================================================ -= vendor/github.com/coreos/pkg/timeutil licensed under: = - -Apache License - Version 2.0, January 2004 - http://www.apache.org/licenses/ - - TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION - - 1. Definitions. - - "License" shall mean the terms and conditions for use, reproduction, - and distribution as defined by Sections 1 through 9 of this document. - - "Licensor" shall mean the copyright owner or entity authorized by - the copyright owner that is granting the License. - - "Legal Entity" shall mean the union of the acting entity and all - other entities that control, are controlled by, or are under common - control with that entity. For the purposes of this definition, - "control" means (i) the power, direct or indirect, to cause the - direction or management of such entity, whether by contract or - otherwise, or (ii) ownership of fifty percent (50%) or more of the - outstanding shares, or (iii) beneficial ownership of such entity. - - "You" (or "Your") shall mean an individual or Legal Entity - exercising permissions granted by this License. - - "Source" form shall mean the preferred form for making modifications, - including but not limited to software source code, documentation - source, and configuration files. - - "Object" form shall mean any form resulting from mechanical - transformation or translation of a Source form, including but - not limited to compiled object code, generated documentation, - and conversions to other media types. - - "Work" shall mean the work of authorship, whether in Source or - Object form, made available under the License, as indicated by a - copyright notice that is included in or attached to the work - (an example is provided in the Appendix below). - - "Derivative Works" shall mean any work, whether in Source or Object - form, that is based on (or derived from) the Work and for which the - editorial revisions, annotations, elaborations, or other modifications - represent, as a whole, an original work of authorship. For the purposes - of this License, Derivative Works shall not include works that remain - separable from, or merely link (or bind by name) to the interfaces of, - the Work and Derivative Works thereof. - - "Contribution" shall mean any work of authorship, including - the original version of the Work and any modifications or additions - to that Work or Derivative Works thereof, that is intentionally - submitted to Licensor for inclusion in the Work by the copyright owner - or by an individual or Legal Entity authorized to submit on behalf of - the copyright owner. For the purposes of this definition, "submitted" - means any form of electronic, verbal, or written communication sent - to the Licensor or its representatives, including but not limited to - communication on electronic mailing lists, source code control systems, - and issue tracking systems that are managed by, or on behalf of, the - Licensor for the purpose of discussing and improving the Work, but - excluding communication that is conspicuously marked or otherwise - designated in writing by the copyright owner as "Not a Contribution." - - "Contributor" shall mean Licensor and any individual or Legal Entity - on behalf of whom a Contribution has been received by Licensor and - subsequently incorporated within the Work. - - 2. Grant of Copyright License. Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - copyright license to reproduce, prepare Derivative Works of, - publicly display, publicly perform, sublicense, and distribute the - Work and such Derivative Works in Source or Object form. - - 3. Grant of Patent License. Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - (except as stated in this section) patent license to make, have made, - use, offer to sell, sell, import, and otherwise transfer the Work, - where such license applies only to those patent claims licensable - by such Contributor that are necessarily infringed by their - Contribution(s) alone or by combination of their Contribution(s) - with the Work to which such Contribution(s) was submitted. If You - institute patent litigation against any entity (including a - cross-claim or counterclaim in a lawsuit) alleging that the Work - or a Contribution incorporated within the Work constitutes direct - or contributory patent infringement, then any patent licenses - granted to You under this License for that Work shall terminate - as of the date such litigation is filed. - - 4. Redistribution. You may reproduce and distribute copies of the - Work or Derivative Works thereof in any medium, with or without - modifications, and in Source or Object form, provided that You - meet the following conditions: - - (a) You must give any other recipients of the Work or - Derivative Works a copy of this License; and - - (b) You must cause any modified files to carry prominent notices - stating that You changed the files; and - - (c) You must retain, in the Source form of any Derivative Works - that You distribute, all copyright, patent, trademark, and - attribution notices from the Source form of the Work, - excluding those notices that do not pertain to any part of - the Derivative Works; and - - (d) If the Work includes a "NOTICE" text file as part of its - distribution, then any Derivative Works that You distribute must - include a readable copy of the attribution notices contained - within such NOTICE file, excluding those notices that do not - pertain to any part of the Derivative Works, in at least one - of the following places: within a NOTICE text file distributed - as part of the Derivative Works; within the Source form or - documentation, if provided along with the Derivative Works; or, - within a display generated by the Derivative Works, if and - wherever such third-party notices normally appear. The contents - of the NOTICE file are for informational purposes only and - do not modify the License. You may add Your own attribution - notices within Derivative Works that You distribute, alongside - or as an addendum to the NOTICE text from the Work, provided - that such additional attribution notices cannot be construed - as modifying the License. - - You may add Your own copyright statement to Your modifications and - may provide additional or different license terms and conditions - for use, reproduction, or distribution of Your modifications, or - for any such Derivative Works as a whole, provided Your use, - reproduction, and distribution of the Work otherwise complies with - the conditions stated in this License. - - 5. Submission of Contributions. Unless You explicitly state otherwise, - any Contribution intentionally submitted for inclusion in the Work - by You to the Licensor shall be under the terms and conditions of - this License, without any additional terms or conditions. - Notwithstanding the above, nothing herein shall supersede or modify - the terms of any separate license agreement you may have executed - with Licensor regarding such Contributions. - - 6. Trademarks. This License does not grant permission to use the trade - names, trademarks, service marks, or product names of the Licensor, - except as required for reasonable and customary use in describing the - origin of the Work and reproducing the content of the NOTICE file. - - 7. Disclaimer of Warranty. Unless required by applicable law or - agreed to in writing, Licensor provides the Work (and each - Contributor provides its Contributions) on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or - implied, including, without limitation, any warranties or conditions - of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A - PARTICULAR PURPOSE. You are solely responsible for determining the - appropriateness of using or redistributing the Work and assume any - risks associated with Your exercise of permissions under this License. - - 8. Limitation of Liability. In no event and under no legal theory, - whether in tort (including negligence), contract, or otherwise, - unless required by applicable law (such as deliberate and grossly - negligent acts) or agreed to in writing, shall any Contributor be - liable to You for damages, including any direct, indirect, special, - incidental, or consequential damages of any character arising as a - result of this License or out of the use or inability to use the - Work (including but not limited to damages for loss of goodwill, - work stoppage, computer failure or malfunction, or any and all - other commercial damages or losses), even if such Contributor - has been advised of the possibility of such damages. - - 9. Accepting Warranty or Additional Liability. While redistributing - the Work or Derivative Works thereof, You may choose to offer, - and charge a fee for, acceptance of support, warranty, indemnity, - or other liability obligations and/or rights consistent with this - License. However, in accepting such obligations, You may act only - on Your own behalf and on Your sole responsibility, not on behalf - of any other Contributor, and only if You agree to indemnify, - defend, and hold each Contributor harmless for any liability - incurred by, or claims asserted against, such Contributor by reason - of your accepting any such warranty or additional liability. - - END OF TERMS AND CONDITIONS - - APPENDIX: How to apply the Apache License to your work. - - To apply the Apache License to your work, attach the following - boilerplate notice, with the fields enclosed by brackets "{}" - replaced with your own identifying information. (Don't include - the brackets!) The text should be enclosed in the appropriate - comment syntax for the file format. We also recommend that a - file or class name and description of purpose be included on the - same "printed page" as the copyright notice for easier - identification within third-party archives. - - Copyright {yyyy} {name of copyright owner} - - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. - - -= vendor/github.com/coreos/pkg/LICENSE d2794c0df5b907fdace235a619d80314 -================================================================================ - - ================================================================================ = vendor/github.com/coreos/rkt/api/v1alpha licensed under: = @@ -79020,6 +77550,426 @@ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ================================================================================ +================================================================================ += vendor/github.com/pquerna/cachecontrol licensed under: = + + + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. + += vendor/github.com/pquerna/cachecontrol/LICENSE 3b83ef96387f14655fc854ddc3c6bd57 +================================================================================ + + +================================================================================ += vendor/github.com/pquerna/cachecontrol/cacheobject licensed under: = + + + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. + += vendor/github.com/pquerna/cachecontrol/LICENSE 3b83ef96387f14655fc854ddc3c6bd57 +================================================================================ + + ================================================================================ = vendor/github.com/prometheus/client_golang/prometheus licensed under: = diff --git a/cmd/kube-apiserver/app/options/options_test.go b/cmd/kube-apiserver/app/options/options_test.go index d3cc1eafddf..f67c86b4373 100644 --- a/cmd/kube-apiserver/app/options/options_test.go +++ b/cmd/kube-apiserver/app/options/options_test.go @@ -210,6 +210,7 @@ func TestAddFlags(t *testing.T) { BootstrapToken: &kubeoptions.BootstrapTokenAuthenticationOptions{}, OIDC: &kubeoptions.OIDCAuthenticationOptions{ UsernameClaim: "sub", + SigningAlgs: []string{"RS256"}, }, PasswordFile: &kubeoptions.PasswordFileAuthenticationOptions{}, RequestHeader: &apiserveroptions.RequestHeaderAuthenticationOptions{}, diff --git a/hack/.golint_failures b/hack/.golint_failures index 6e19d6c222d..c5f1aa2ccc4 100644 --- a/hack/.golint_failures +++ b/hack/.golint_failures @@ -604,7 +604,6 @@ staging/src/k8s.io/apiserver/pkg/util/wsstream staging/src/k8s.io/apiserver/plugin/pkg/audit/log staging/src/k8s.io/apiserver/plugin/pkg/authenticator/password/passwordfile staging/src/k8s.io/apiserver/plugin/pkg/authenticator/token/oidc -staging/src/k8s.io/apiserver/plugin/pkg/authenticator/token/oidc/testing staging/src/k8s.io/apiserver/plugin/pkg/authenticator/token/tokentest staging/src/k8s.io/apiserver/plugin/pkg/authenticator/token/webhook staging/src/k8s.io/apiserver/plugin/pkg/authorizer/webhook @@ -672,7 +671,6 @@ staging/src/k8s.io/client-go/kubernetes/typed/storage/v1alpha1 staging/src/k8s.io/client-go/kubernetes/typed/storage/v1alpha1/fake staging/src/k8s.io/client-go/kubernetes/typed/storage/v1beta1 staging/src/k8s.io/client-go/kubernetes/typed/storage/v1beta1/fake -staging/src/k8s.io/client-go/plugin/pkg/auth/authenticator/token/oidc/testing staging/src/k8s.io/client-go/plugin/pkg/client/auth/oidc staging/src/k8s.io/client-go/rest staging/src/k8s.io/client-go/rest/fake diff --git a/pkg/kubeapiserver/authenticator/config.go b/pkg/kubeapiserver/authenticator/config.go index 5e47f221947..a775eea40f4 100644 --- a/pkg/kubeapiserver/authenticator/config.go +++ b/pkg/kubeapiserver/authenticator/config.go @@ -58,6 +58,7 @@ type AuthenticatorConfig struct { OIDCUsernamePrefix string OIDCGroupsClaim string OIDCGroupsPrefix string + OIDCSigningAlgs []string ServiceAccountKeyFiles []string ServiceAccountLookup bool WebhookTokenAuthnConfigFile string @@ -143,7 +144,7 @@ func (config AuthenticatorConfig) New() (authenticator.Request, *spec.SecurityDe // simply returns an error, the OpenID Connect plugin may query the provider to // update the keys, causing performance hits. if len(config.OIDCIssuerURL) > 0 && len(config.OIDCClientID) > 0 { - oidcAuth, err := newAuthenticatorFromOIDCIssuerURL(config.OIDCIssuerURL, config.OIDCClientID, config.OIDCCAFile, config.OIDCUsernameClaim, config.OIDCUsernamePrefix, config.OIDCGroupsClaim, config.OIDCGroupsPrefix) + oidcAuth, err := newAuthenticatorFromOIDCIssuerURL(config.OIDCIssuerURL, config.OIDCClientID, config.OIDCCAFile, config.OIDCUsernameClaim, config.OIDCUsernamePrefix, config.OIDCGroupsClaim, config.OIDCGroupsPrefix, config.OIDCSigningAlgs) if err != nil { return nil, nil, err } @@ -235,7 +236,7 @@ func newAuthenticatorFromTokenFile(tokenAuthFile string) (authenticator.Token, e } // newAuthenticatorFromOIDCIssuerURL returns an authenticator.Token or an error. -func newAuthenticatorFromOIDCIssuerURL(issuerURL, clientID, caFile, usernameClaim, usernamePrefix, groupsClaim, groupsPrefix string) (authenticator.Token, error) { +func newAuthenticatorFromOIDCIssuerURL(issuerURL, clientID, caFile, usernameClaim, usernamePrefix, groupsClaim, groupsPrefix string, signingAlgs []string) (authenticator.Token, error) { const noUsernamePrefix = "-" if usernamePrefix == "" && usernameClaim != "email" { @@ -251,14 +252,15 @@ func newAuthenticatorFromOIDCIssuerURL(issuerURL, clientID, caFile, usernameClai usernamePrefix = "" } - tokenAuthenticator, err := oidc.New(oidc.OIDCOptions{ - IssuerURL: issuerURL, - ClientID: clientID, - CAFile: caFile, - UsernameClaim: usernameClaim, - UsernamePrefix: usernamePrefix, - GroupsClaim: groupsClaim, - GroupsPrefix: groupsPrefix, + tokenAuthenticator, err := oidc.New(oidc.Options{ + IssuerURL: issuerURL, + ClientID: clientID, + CAFile: caFile, + UsernameClaim: usernameClaim, + UsernamePrefix: usernamePrefix, + GroupsClaim: groupsClaim, + GroupsPrefix: groupsPrefix, + SupportedSigningAlgs: signingAlgs, }) if err != nil { return nil, err diff --git a/pkg/kubeapiserver/options/authentication.go b/pkg/kubeapiserver/options/authentication.go index 2ed80a8d841..b1b27ba5acb 100644 --- a/pkg/kubeapiserver/options/authentication.go +++ b/pkg/kubeapiserver/options/authentication.go @@ -61,6 +61,7 @@ type OIDCAuthenticationOptions struct { UsernamePrefix string GroupsClaim string GroupsPrefix string + SigningAlgs []string } type PasswordFileAuthenticationOptions struct { @@ -208,6 +209,10 @@ func (s *BuiltInAuthenticationOptions) AddFlags(fs *pflag.FlagSet) { "If provided, all groups will be prefixed with this value to prevent conflicts with "+ "other authentication strategies.") + fs.StringSliceVar(&s.OIDC.SigningAlgs, "oidc-signing-algs", []string{"RS256"}, ""+ + "Comma-separated list of allowed JOSE asymmetric signing algorithms. JWTs with a "+ + "'alg' header value not in this list will be rejected. "+ + "Values are defined by RFC 7518 https://tools.ietf.org/html/rfc7518#section-3.1.") } if s.PasswordFile != nil { @@ -272,6 +277,7 @@ func (s *BuiltInAuthenticationOptions) ToAuthenticationConfig() authenticator.Au ret.OIDCIssuerURL = s.OIDC.IssuerURL ret.OIDCUsernameClaim = s.OIDC.UsernameClaim ret.OIDCUsernamePrefix = s.OIDC.UsernamePrefix + ret.OIDCSigningAlgs = s.OIDC.SigningAlgs } if s.PasswordFile != nil { diff --git a/staging/BUILD b/staging/BUILD index 8e7d698ed83..e48344604ea 100644 --- a/staging/BUILD +++ b/staging/BUILD @@ -166,7 +166,6 @@ filegroup( "//staging/src/k8s.io/client-go/listers/storage/v1alpha1:all-srcs", "//staging/src/k8s.io/client-go/listers/storage/v1beta1:all-srcs", "//staging/src/k8s.io/client-go/pkg/version:all-srcs", - "//staging/src/k8s.io/client-go/plugin/pkg/auth/authenticator/token/oidc/testing:all-srcs", "//staging/src/k8s.io/client-go/plugin/pkg/client/auth:all-srcs", "//staging/src/k8s.io/client-go/rest:all-srcs", "//staging/src/k8s.io/client-go/scale:all-srcs", diff --git a/staging/src/k8s.io/apiserver/Godeps/Godeps.json b/staging/src/k8s.io/apiserver/Godeps/Godeps.json index 28762db80e6..a9fbe7c4246 100644 --- a/staging/src/k8s.io/apiserver/Godeps/Godeps.json +++ b/staging/src/k8s.io/apiserver/Godeps/Godeps.json @@ -327,24 +327,8 @@ "Rev": "95a726a27e09030f9ccbd9982a1508f5a6d25ada" }, { - "ImportPath": "github.com/coreos/go-oidc/http", - "Rev": "a4973d9a4225417aecf5d450a9522f00c1f7130f" - }, - { - "ImportPath": "github.com/coreos/go-oidc/jose", - "Rev": "a4973d9a4225417aecf5d450a9522f00c1f7130f" - }, - { - "ImportPath": "github.com/coreos/go-oidc/key", - "Rev": "a4973d9a4225417aecf5d450a9522f00c1f7130f" - }, - { - "ImportPath": "github.com/coreos/go-oidc/oauth2", - "Rev": "a4973d9a4225417aecf5d450a9522f00c1f7130f" - }, - { - "ImportPath": "github.com/coreos/go-oidc/oidc", - "Rev": "a4973d9a4225417aecf5d450a9522f00c1f7130f" + "ImportPath": "github.com/coreos/go-oidc", + "Rev": "065b426bd41667456c1a924468f507673629c46b" }, { "ImportPath": "github.com/coreos/go-semver/semver", @@ -362,18 +346,6 @@ "ImportPath": "github.com/coreos/pkg/capnslog", "Rev": "fa29b1d70f0beaddd4c7021607cc3c3be8ce94b8" }, - { - "ImportPath": "github.com/coreos/pkg/health", - "Rev": "fa29b1d70f0beaddd4c7021607cc3c3be8ce94b8" - }, - { - "ImportPath": "github.com/coreos/pkg/httputil", - "Rev": "fa29b1d70f0beaddd4c7021607cc3c3be8ce94b8" - }, - { - "ImportPath": "github.com/coreos/pkg/timeutil", - "Rev": "fa29b1d70f0beaddd4c7021607cc3c3be8ce94b8" - }, { "ImportPath": "github.com/davecgh/go-spew/spew", "Rev": "782f4967f2dc4564575ca782fe2d04090b5faca8" @@ -558,6 +530,14 @@ "ImportPath": "github.com/pmezard/go-difflib/difflib", "Rev": "d8ed2627bdf02c080bf22230dbb337003b7aba2d" }, + { + "ImportPath": "github.com/pquerna/cachecontrol", + "Rev": "0dec1b30a0215bb68605dfc568e8855066c9202d" + }, + { + "ImportPath": "github.com/pquerna/cachecontrol/cacheobject", + "Rev": "0dec1b30a0215bb68605dfc568e8855066c9202d" + }, { "ImportPath": "github.com/prometheus/client_golang/prometheus", "Rev": "e7e903064f5e9eb5da98208bae10b475d4db0f8c" @@ -614,6 +594,14 @@ "ImportPath": "golang.org/x/crypto/blowfish", "Rev": "81e90905daefcd6fd217b62423c0908922eadb30" }, + { + "ImportPath": "golang.org/x/crypto/ed25519", + "Rev": "81e90905daefcd6fd217b62423c0908922eadb30" + }, + { + "ImportPath": "golang.org/x/crypto/ed25519/internal/edwards25519", + "Rev": "81e90905daefcd6fd217b62423c0908922eadb30" + }, { "ImportPath": "golang.org/x/crypto/nacl/secretbox", "Rev": "81e90905daefcd6fd217b62423c0908922eadb30" @@ -670,6 +658,14 @@ "ImportPath": "golang.org/x/net/websocket", "Rev": "1c05540f6879653db88113bc4a2b70aec4bd491f" }, + { + "ImportPath": "golang.org/x/oauth2", + "Rev": "a6bd8cefa1811bd24b86f8902872e4e8225f74c4" + }, + { + "ImportPath": "golang.org/x/oauth2/internal", + "Rev": "a6bd8cefa1811bd24b86f8902872e4e8225f74c4" + }, { "ImportPath": "golang.org/x/sys/unix", "Rev": "95c6576299259db960f6c5b9b69ea52422860fce" @@ -814,6 +810,18 @@ "ImportPath": "gopkg.in/natefinch/lumberjack.v2", "Rev": "20b71e5b60d756d3d2f80def009790325acc2b23" }, + { + "ImportPath": "gopkg.in/square/go-jose.v2", + "Rev": "f8f38de21b4dcd69d0413faf231983f5fd6634b1" + }, + { + "ImportPath": "gopkg.in/square/go-jose.v2/cipher", + "Rev": "f8f38de21b4dcd69d0413faf231983f5fd6634b1" + }, + { + "ImportPath": "gopkg.in/square/go-jose.v2/json", + "Rev": "f8f38de21b4dcd69d0413faf231983f5fd6634b1" + }, { "ImportPath": "gopkg.in/yaml.v2", "Rev": "670d4cfef0544295bc27a114dbac37980d83185a" diff --git a/staging/src/k8s.io/apiserver/plugin/pkg/authenticator/token/oidc/BUILD b/staging/src/k8s.io/apiserver/plugin/pkg/authenticator/token/oidc/BUILD index ebc3bfb635f..e62aba93a26 100644 --- a/staging/src/k8s.io/apiserver/plugin/pkg/authenticator/token/oidc/BUILD +++ b/staging/src/k8s.io/apiserver/plugin/pkg/authenticator/token/oidc/BUILD @@ -9,12 +9,12 @@ load( go_test( name = "go_default_test", srcs = ["oidc_test.go"], + data = glob(["testdata/**"]), embed = [":go_default_library"], deps = [ - "//vendor/github.com/coreos/go-oidc/jose:go_default_library", - "//vendor/github.com/coreos/go-oidc/oidc:go_default_library", + "//vendor/github.com/coreos/go-oidc:go_default_library", + "//vendor/gopkg.in/square/go-jose.v2:go_default_library", "//vendor/k8s.io/apiserver/pkg/authentication/user:go_default_library", - "//vendor/k8s.io/apiserver/plugin/pkg/authenticator/token/oidc/testing:go_default_library", ], ) @@ -23,11 +23,10 @@ go_library( srcs = ["oidc.go"], importpath = "k8s.io/apiserver/plugin/pkg/authenticator/token/oidc", deps = [ - "//vendor/github.com/coreos/go-oidc/jose:go_default_library", - "//vendor/github.com/coreos/go-oidc/oidc:go_default_library", + "//vendor/github.com/coreos/go-oidc:go_default_library", "//vendor/github.com/golang/glog:go_default_library", "//vendor/k8s.io/apimachinery/pkg/util/net:go_default_library", - "//vendor/k8s.io/apimachinery/pkg/util/runtime:go_default_library", + "//vendor/k8s.io/apimachinery/pkg/util/wait:go_default_library", "//vendor/k8s.io/apiserver/pkg/authentication/user:go_default_library", "//vendor/k8s.io/client-go/util/cert:go_default_library", ], @@ -42,9 +41,6 @@ filegroup( filegroup( name = "all-srcs", - srcs = [ - ":package-srcs", - "//staging/src/k8s.io/apiserver/plugin/pkg/authenticator/token/oidc/testing:all-srcs", - ], + srcs = [":package-srcs"], tags = ["automanaged"], ) diff --git a/staging/src/k8s.io/apiserver/plugin/pkg/authenticator/token/oidc/oidc.go b/staging/src/k8s.io/apiserver/plugin/pkg/authenticator/token/oidc/oidc.go index a8c95ecb8b0..c33c540c005 100644 --- a/staging/src/k8s.io/apiserver/plugin/pkg/authenticator/token/oidc/oidc.go +++ b/staging/src/k8s.io/apiserver/plugin/pkg/authenticator/token/oidc/oidc.go @@ -17,7 +17,7 @@ limitations under the License. /* oidc implements the authenticator.Token interface using the OpenID Connect protocol. - config := oidc.OIDCOptions{ + config := oidc.Options{ IssuerURL: "https://accounts.google.com", ClientID: os.Getenv("GOOGLE_CLIENT_ID"), UsernameClaim: "email", @@ -27,25 +27,28 @@ oidc implements the authenticator.Token interface using the OpenID Connect proto package oidc import ( + "context" "crypto/tls" "crypto/x509" + "encoding/base64" + "encoding/json" "errors" "fmt" "net/http" "net/url" - "sync" + "strings" "sync/atomic" + "time" - "github.com/coreos/go-oidc/jose" - "github.com/coreos/go-oidc/oidc" + oidc "github.com/coreos/go-oidc" "github.com/golang/glog" "k8s.io/apimachinery/pkg/util/net" - "k8s.io/apimachinery/pkg/util/runtime" + "k8s.io/apimachinery/pkg/util/wait" "k8s.io/apiserver/pkg/authentication/user" certutil "k8s.io/client-go/util/cert" ) -type OIDCOptions struct { +type Options struct { // IssuerURL is the URL the provider signs ID Tokens as. This will be the "iss" // field of all tokens produced by the provider and is used for configuration // discovery. @@ -83,30 +86,85 @@ type OIDCOptions struct { // GroupsPrefix, if specified, causes claims mapping to group names to be prefixed with the // value. A value "oidc:" would result in groups like "oidc:engineering" and "oidc:marketing". GroupsPrefix string + + // SupportedSigningAlgs sets the accepted set of JOSE signing algorithms that + // can be used by the provider to sign tokens. + // + // https://tools.ietf.org/html/rfc7518#section-3.1 + // + // This value defaults to RS256, the value recommended by the OpenID Connect + // spec: + // + // https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation + SupportedSigningAlgs []string + + // now is used for testing. It defaults to time.Now. + now func() time.Time } -type OIDCAuthenticator struct { +type Authenticator struct { issuerURL string - trustedClientID string - usernameClaim string usernamePrefix string groupsClaim string groupsPrefix string - httpClient *http.Client + // Contains an *oidc.IDTokenVerifier. Do not access directly use the + // idTokenVerifier method. + verifier atomic.Value - // Contains an *oidc.Client. Do not access directly. Use client() method. - oidcClient atomic.Value - - // Guards the close method and is used to lock during initialization and closing. - mu sync.Mutex - close func() // May be nil + cancel context.CancelFunc } -// New creates a token authenticator which validates OpenID Connect ID Tokens. -func New(opts OIDCOptions) (*OIDCAuthenticator, error) { +func (a *Authenticator) setVerifier(v *oidc.IDTokenVerifier) { + a.verifier.Store(v) +} + +func (a *Authenticator) idTokenVerifier() (*oidc.IDTokenVerifier, bool) { + if v := a.verifier.Load(); v != nil { + return v.(*oidc.IDTokenVerifier), true + } + return nil, false +} + +func (a *Authenticator) Close() { + a.cancel() +} + +func New(opts Options) (*Authenticator, error) { + return newAuthenticator(opts, func(ctx context.Context, a *Authenticator, config *oidc.Config) { + // Asynchronously attempt to initialize the authenticator. This enables + // self-hosted providers, providers that run on top of Kubernetes itself. + go wait.PollUntil(time.Second*10, func() (done bool, err error) { + provider, err := oidc.NewProvider(ctx, a.issuerURL) + if err != nil { + glog.Errorf("oidc authenticator: initializing plugin: %v", err) + return false, nil + } + + verifier := provider.Verifier(config) + a.setVerifier(verifier) + return true, nil + }, ctx.Done()) + }) +} + +// whitelist of signing algorithms to ensure users don't mistakenly pass something +// goofy. +var allowedSigningAlgs = map[string]bool{ + oidc.RS256: true, + oidc.RS384: true, + oidc.RS512: true, + oidc.ES256: true, + oidc.ES384: true, + oidc.ES512: true, + oidc.PS256: true, + oidc.PS384: true, + oidc.PS512: true, +} + +func newAuthenticator(opts Options, initVerifier func(ctx context.Context, a *Authenticator, config *oidc.Config)) (*Authenticator, error) { url, err := url.Parse(opts.IssuerURL) if err != nil { return nil, err @@ -120,6 +178,18 @@ func New(opts OIDCOptions) (*OIDCAuthenticator, error) { return nil, errors.New("no username claim provided") } + supportedSigningAlgs := opts.SupportedSigningAlgs + if len(supportedSigningAlgs) == 0 { + // RS256 is the default recommended by OpenID Connect and an 'alg' value + // providers are required to implement. + supportedSigningAlgs = []string{oidc.RS256} + } + for _, alg := range supportedSigningAlgs { + if !allowedSigningAlgs[alg] { + return nil, fmt.Errorf("oidc: unsupported signing alg: %q", alg) + } + } + var roots *x509.CertPool if opts.CAFile != "" { roots, err = certutil.NewPool(opts.CAFile) @@ -137,137 +207,91 @@ func New(opts OIDCOptions) (*OIDCAuthenticator, error) { TLSClientConfig: &tls.Config{RootCAs: roots}, }) - authenticator := &OIDCAuthenticator{ - issuerURL: opts.IssuerURL, - trustedClientID: opts.ClientID, - usernameClaim: opts.UsernameClaim, - usernamePrefix: opts.UsernamePrefix, - groupsClaim: opts.GroupsClaim, - groupsPrefix: opts.GroupsPrefix, - httpClient: &http.Client{Transport: tr}, + client := &http.Client{Transport: tr, Timeout: 30 * time.Second} + + ctx, cancel := context.WithCancel(context.Background()) + ctx = oidc.ClientContext(ctx, client) + + authenticator := &Authenticator{ + issuerURL: opts.IssuerURL, + usernameClaim: opts.UsernameClaim, + usernamePrefix: opts.UsernamePrefix, + groupsClaim: opts.GroupsClaim, + groupsPrefix: opts.GroupsPrefix, + cancel: cancel, } - // Attempt to initialize the authenticator asynchronously. - // - // Ignore errors instead of returning it since the OpenID Connect provider might not be - // available yet, for instance if it's running on the cluster and needs the API server - // to come up first. Errors will be logged within the client() method. - go func() { - defer runtime.HandleCrash() - authenticator.client() - }() + now := opts.now + if now == nil { + now = time.Now + } + verifierConfig := &oidc.Config{ + ClientID: opts.ClientID, + SupportedSigningAlgs: supportedSigningAlgs, + Now: now, + } + + initVerifier(ctx, authenticator, verifierConfig) return authenticator, nil } -// Close stops all goroutines used by the authenticator. -func (a *OIDCAuthenticator) Close() { - a.mu.Lock() - defer a.mu.Unlock() - - if a.close != nil { - a.close() +func hasCorrectIssuer(iss, tokenData string) bool { + parts := strings.Split(tokenData, ".") + if len(parts) != 3 { + return false } - return + payload, err := base64.RawURLEncoding.DecodeString(parts[1]) + if err != nil { + return false + } + claims := struct { + // WARNING: this JWT is not verified. Do not trust these claims. + Issuer string `json:"iss"` + }{} + if err := json.Unmarshal(payload, &claims); err != nil { + return false + } + if claims.Issuer != iss { + return false + } + return true } -func (a *OIDCAuthenticator) client() (*oidc.Client, error) { - // Fast check to see if client has already been initialized. - if client := a.oidcClient.Load(); client != nil { - return client.(*oidc.Client), nil +func (a *Authenticator) AuthenticateToken(token string) (user.Info, bool, error) { + if !hasCorrectIssuer(a.issuerURL, token) { + return nil, false, nil } - // Acquire lock, then recheck initialization. - a.mu.Lock() - defer a.mu.Unlock() - if client := a.oidcClient.Load(); client != nil { - return client.(*oidc.Client), nil - } - - // Try to initialize client. - providerConfig, err := oidc.FetchProviderConfig(a.httpClient, a.issuerURL) - if err != nil { - glog.Errorf("oidc authenticator: failed to fetch provider discovery data: %v", err) - return nil, fmt.Errorf("fetch provider config: %v", err) - } - - clientConfig := oidc.ClientConfig{ - HTTPClient: a.httpClient, - Credentials: oidc.ClientCredentials{ID: a.trustedClientID}, - ProviderConfig: providerConfig, - } - - client, err := oidc.NewClient(clientConfig) - if err != nil { - glog.Errorf("oidc authenticator: failed to create client: %v", err) - return nil, fmt.Errorf("create client: %v", err) - } - - // SyncProviderConfig will start a goroutine to periodically synchronize the provider config. - // The synchronization interval is set by the expiration length of the config, and has a minimum - // and maximum threshold. - stop := client.SyncProviderConfig(a.issuerURL) - a.oidcClient.Store(client) - a.close = func() { - // This assumes the stop is an unbuffered channel. - // So instead of closing the channel, we send am empty struct here. - // This guarantees that when this function returns, there is no flying requests, - // because a send to an unbuffered channel happens after the receive from the channel. - stop <- struct{}{} - } - return client, nil -} - -// AuthenticateToken decodes and verifies an ID Token using the OIDC client, if the verification succeeds, -// then it will extract the user info from the JWT claims. -func (a *OIDCAuthenticator) AuthenticateToken(value string) (user.Info, bool, error) { - jwt, err := jose.ParseJWT(value) - if err != nil { - return nil, false, err - } - - client, err := a.client() - if err != nil { - return nil, false, err - } - if err := client.VerifyJWT(jwt); err != nil { - return nil, false, err - } - claims, err := jwt.Claims() - if err != nil { - return nil, false, err - } - return a.parseTokenClaims(claims) -} - -// parseTokenClaims maps a set of claims to a user. It performs basic validation such as -// ensuring the email is verified. -func (a *OIDCAuthenticator) parseTokenClaims(claims jose.Claims) (user.Info, bool, error) { - username, ok, err := claims.StringClaim(a.usernameClaim) - if err != nil { - return nil, false, err - } + ctx := context.Background() + verifier, ok := a.idTokenVerifier() if !ok { - return nil, false, fmt.Errorf("cannot find %q in JWT claims", a.usernameClaim) + return nil, false, fmt.Errorf("oidc: authenticator not initialized") + } + + idToken, err := verifier.Verify(ctx, token) + if err != nil { + return nil, false, fmt.Errorf("oidc: verify token: %v", err) + } + + var c claims + if err := idToken.Claims(&c); err != nil { + return nil, false, fmt.Errorf("oidc: parse claims: %v", err) + } + var username string + if err := c.unmarshalClaim(a.usernameClaim, &username); err != nil { + return nil, false, fmt.Errorf("oidc: parse username claims %q: %v", a.usernameClaim, err) } if a.usernameClaim == "email" { - verified, ok := claims["email_verified"] - if !ok { - return nil, false, errors.New("'email_verified' claim not present") + // Check the email_verified claim to ensure the email is valid. + // https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims + var emailVerified bool + if err := c.unmarshalClaim("email_verified", &emailVerified); err != nil { + return nil, false, fmt.Errorf("oidc: parse 'email_verified' claim: %v", err) } - - emailVerified, ok := verified.(bool) - if !ok { - // OpenID Connect spec defines 'email_verified' as a boolean. For now, be a pain and error if - // it's a different type. If there are enough misbehaving providers we can relax this latter. - // - // See: https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims - return nil, false, fmt.Errorf("malformed claim 'email_verified', expected boolean got %T", verified) - } - if !emailVerified { - return nil, false, errors.New("email not verified") + return nil, false, fmt.Errorf("oidc: email not verified") } } @@ -275,21 +299,18 @@ func (a *OIDCAuthenticator) parseTokenClaims(claims jose.Claims) (user.Info, boo username = a.usernamePrefix + username } - // TODO(yifan): Add UID, also populate the issuer to upper layer. info := &user.DefaultInfo{Name: username} - if a.groupsClaim != "" { - groups, found, err := claims.StringsClaim(a.groupsClaim) - if err != nil { - // Groups type is present but is not an array of strings, try to decode as a string. - group, _, err := claims.StringClaim(a.groupsClaim) - if err != nil { - // Custom claim is present, but isn't an array of strings or a string. - return nil, false, fmt.Errorf("custom group claim contains invalid type: %T", claims[a.groupsClaim]) + if _, ok := c[a.groupsClaim]; ok { + // Some admins want to use string claims like "role" as the group value. + // Allow the group claim to be a single string instead of an array. + // + // See: https://github.com/kubernetes/kubernetes/issues/33290 + var groups stringOrArray + if err := c.unmarshalClaim(a.groupsClaim, &groups); err != nil { + return nil, false, fmt.Errorf("oidc: parse groups claim %q: %v", a.groupsClaim, err) } - info.Groups = []string{group} - } else if found { - info.Groups = groups + info.Groups = []string(groups) } } @@ -298,6 +319,31 @@ func (a *OIDCAuthenticator) parseTokenClaims(claims jose.Claims) (user.Info, boo info.Groups[i] = a.groupsPrefix + group } } - return info, true, nil } + +type stringOrArray []string + +func (s *stringOrArray) UnmarshalJSON(b []byte) error { + var a []string + if err := json.Unmarshal(b, &a); err == nil { + *s = a + return nil + } + var str string + if err := json.Unmarshal(b, &str); err != nil { + return err + } + *s = []string{str} + return nil +} + +type claims map[string]json.RawMessage + +func (c claims) unmarshalClaim(name string, v interface{}) error { + val, ok := c[name] + if !ok { + return fmt.Errorf("claim not present") + } + return json.Unmarshal([]byte(val), v) +} diff --git a/staging/src/k8s.io/apiserver/plugin/pkg/authenticator/token/oidc/oidc_test.go b/staging/src/k8s.io/apiserver/plugin/pkg/authenticator/token/oidc/oidc_test.go index f94d91b1a3f..412c32a6fe1 100644 --- a/staging/src/k8s.io/apiserver/plugin/pkg/authenticator/token/oidc/oidc_test.go +++ b/staging/src/k8s.io/apiserver/plugin/pkg/authenticator/token/oidc/oidc_test.go @@ -17,518 +17,754 @@ limitations under the License. package oidc import ( - "os" - "path" + "context" + "crypto" + "crypto/x509" + "encoding/hex" + "encoding/json" + "encoding/pem" + "fmt" + "io/ioutil" "reflect" - "sort" "strings" "testing" "time" - "github.com/coreos/go-oidc/jose" - "github.com/coreos/go-oidc/oidc" - + oidc "github.com/coreos/go-oidc" + jose "gopkg.in/square/go-jose.v2" "k8s.io/apiserver/pkg/authentication/user" - oidctesting "k8s.io/apiserver/plugin/pkg/authenticator/token/oidc/testing" ) -func generateToken(t *testing.T, op *oidctesting.OIDCProvider, iss, sub, aud string, usernameClaim, value, groupsClaim string, groups interface{}, iat, exp time.Time, emailVerified bool) string { - claims := oidc.NewClaims(iss, sub, aud, iat, exp) - claims.Add(usernameClaim, value) - if groups != nil && groupsClaim != "" { - claims.Add(groupsClaim, groups) - } - claims.Add("email_verified", emailVerified) +// utilities for loading JOSE keys. - signer := op.PrivKey.Signer() - jwt, err := jose.NewSignedJWT(claims, signer) +func loadRSAKey(t *testing.T, filepath string, alg jose.SignatureAlgorithm) *jose.JSONWebKey { + return loadKey(t, filepath, alg, func(b []byte) (interface{}, error) { + key, err := x509.ParsePKCS1PrivateKey(b) + if err != nil { + return nil, err + } + return key.Public(), nil + }) +} + +func loadRSAPrivKey(t *testing.T, filepath string, alg jose.SignatureAlgorithm) *jose.JSONWebKey { + return loadKey(t, filepath, alg, func(b []byte) (interface{}, error) { + return x509.ParsePKCS1PrivateKey(b) + }) +} + +func loadECDSAKey(t *testing.T, filepath string, alg jose.SignatureAlgorithm) *jose.JSONWebKey { + return loadKey(t, filepath, alg, func(b []byte) (interface{}, error) { + key, err := x509.ParseECPrivateKey(b) + if err != nil { + return nil, err + } + return key.Public(), nil + }) +} + +func loadECDSAPrivKey(t *testing.T, filepath string, alg jose.SignatureAlgorithm) *jose.JSONWebKey { + return loadKey(t, filepath, alg, func(b []byte) (interface{}, error) { + return x509.ParseECPrivateKey(b) + }) +} + +func loadKey(t *testing.T, filepath string, alg jose.SignatureAlgorithm, unmarshal func([]byte) (interface{}, error)) *jose.JSONWebKey { + data, err := ioutil.ReadFile(filepath) if err != nil { - t.Fatalf("Cannot generate token: %v", err) - return "" + t.Fatalf("load file: %v", err) } - return jwt.Encode() + block, _ := pem.Decode(data) + if block == nil { + t.Fatalf("file contained no PEM encoded data: %s", filepath) + } + priv, err := unmarshal(block.Bytes) + if err != nil { + t.Fatalf("unmarshal key: %v", err) + } + key := &jose.JSONWebKey{Key: priv, Use: "sig", Algorithm: string(alg)} + thumbprint, err := key.Thumbprint(crypto.SHA256) + if err != nil { + t.Fatalf("computing thumbprint: %v", err) + } + key.KeyID = hex.EncodeToString(thumbprint) + return key } -func generateTokenWithUnverifiedEmail(t *testing.T, op *oidctesting.OIDCProvider, iss, sub, aud string, email string) string { - return generateToken(t, op, iss, sub, aud, "email", email, "", nil, time.Now(), time.Now().Add(time.Hour), false) +// staticKeySet implements oidc.KeySet. +type staticKeySet struct { + keys []*jose.JSONWebKey } -func generateGoodToken(t *testing.T, op *oidctesting.OIDCProvider, iss, sub, aud string, usernameClaim, value, groupsClaim string, groups interface{}) string { - return generateToken(t, op, iss, sub, aud, usernameClaim, value, groupsClaim, groups, time.Now(), time.Now().Add(time.Hour), true) +func (s *staticKeySet) VerifySignature(ctx context.Context, jwt string) (payload []byte, err error) { + jws, err := jose.ParseSigned(jwt) + if err != nil { + return nil, err + } + if len(jws.Signatures) == 0 { + return nil, fmt.Errorf("jwt contained no signatures") + } + kid := jws.Signatures[0].Header.KeyID + + for _, key := range s.keys { + if key.KeyID == kid { + return jws.Verify(key) + } + } + + return nil, fmt.Errorf("no keys matches jwk keyid") } -func generateMalformedToken(t *testing.T, op *oidctesting.OIDCProvider, iss, sub, aud string, usernameClaim, value, groupsClaim string, groups interface{}) string { - return generateToken(t, op, iss, sub, aud, usernameClaim, value, groupsClaim, groups, time.Now(), time.Now().Add(time.Hour), true) + "randombits" +var ( + expired, _ = time.Parse(time.RFC3339Nano, "2009-11-10T22:00:00Z") + now, _ = time.Parse(time.RFC3339Nano, "2009-11-10T23:00:00Z") + valid, _ = time.Parse(time.RFC3339Nano, "2009-11-11T00:00:00Z") +) + +type claimsTest struct { + name string + options Options + now time.Time + signingKey *jose.JSONWebKey + pubKeys []*jose.JSONWebKey + claims string + want *user.DefaultInfo + wantSkip bool + wantErr bool + wantInitErr bool } -func generateExpiredToken(t *testing.T, op *oidctesting.OIDCProvider, iss, sub, aud string, usernameClaim, value, groupsClaim string, groups interface{}) string { - return generateToken(t, op, iss, sub, aud, usernameClaim, value, groupsClaim, groups, time.Now().Add(-2*time.Hour), time.Now().Add(-1*time.Hour), true) +func (c *claimsTest) run(t *testing.T) { + a, err := newAuthenticator(c.options, func(ctx context.Context, a *Authenticator, config *oidc.Config) { + // Set the verifier to use the public key set instead of reading + // from a remote. + a.setVerifier(oidc.NewVerifier( + c.options.IssuerURL, + &staticKeySet{keys: c.pubKeys}, + config, + )) + }) + if err != nil { + if !c.wantInitErr { + t.Fatalf("initialize authenticator: %v", err) + } + return + } + if c.wantInitErr { + t.Fatalf("wanted initialization error") + } + + // Sign and serialize the claims in a JWT. + signer, err := jose.NewSigner(jose.SigningKey{ + Algorithm: jose.SignatureAlgorithm(c.signingKey.Algorithm), + Key: c.signingKey, + }, nil) + if err != nil { + t.Fatalf("initialize signer: %v", err) + } + jws, err := signer.Sign([]byte(c.claims)) + if err != nil { + t.Fatalf("sign claims: %v", err) + } + token, err := jws.CompactSerialize() + if err != nil { + t.Fatalf("serialize token: %v", err) + } + + got, ok, err := a.AuthenticateToken(token) + if err != nil { + if !c.wantErr { + t.Fatalf("authenticate token: %v", err) + } + return + } + + if c.wantErr { + t.Fatalf("expected error authenticating token") + } + if !ok { + if !c.wantSkip { + // We don't have any cases where we return (nil, false, nil) + t.Fatalf("no error but token not authenticated") + } + return + } + if c.wantSkip { + t.Fatalf("expected authenticator to skip token") + } + + gotUser := got.(*user.DefaultInfo) + if !reflect.DeepEqual(gotUser, c.want) { + t.Fatalf("wanted user=%#v, got=%#v", c.want, gotUser) + } } -func TestTLSConfig(t *testing.T) { - // Verify the cert/key pair works. - cert1 := path.Join(os.TempDir(), "oidc-cert-1") - key1 := path.Join(os.TempDir(), "oidc-key-1") - cert2 := path.Join(os.TempDir(), "oidc-cert-2") - key2 := path.Join(os.TempDir(), "oidc-key-2") +func TestToken(t *testing.T) { + tests := []claimsTest{ + { + name: "token", + options: Options{ + IssuerURL: "https://auth.example.com", + ClientID: "my-client", + UsernameClaim: "username", + now: func() time.Time { return now }, + }, + signingKey: loadRSAPrivKey(t, "testdata/rsa_1.pem", jose.RS256), + pubKeys: []*jose.JSONWebKey{ + loadRSAKey(t, "testdata/rsa_1.pem", jose.RS256), + }, + claims: fmt.Sprintf(`{ + "iss": "https://auth.example.com", + "aud": "my-client", + "username": "jane", + "exp": %d + }`, valid.Unix()), + want: &user.DefaultInfo{ + Name: "jane", + }, + }, + { + name: "no-username", + options: Options{ + IssuerURL: "https://auth.example.com", + ClientID: "my-client", + UsernameClaim: "username", + now: func() time.Time { return now }, + }, + signingKey: loadRSAPrivKey(t, "testdata/rsa_1.pem", jose.RS256), + pubKeys: []*jose.JSONWebKey{ + loadRSAKey(t, "testdata/rsa_1.pem", jose.RS256), + }, + claims: fmt.Sprintf(`{ + "iss": "https://auth.example.com", + "aud": "my-client", + "exp": %d + }`, valid.Unix()), + wantErr: true, + }, + { + name: "email", + options: Options{ + IssuerURL: "https://auth.example.com", + ClientID: "my-client", + UsernameClaim: "email", + now: func() time.Time { return now }, + }, + signingKey: loadRSAPrivKey(t, "testdata/rsa_1.pem", jose.RS256), + pubKeys: []*jose.JSONWebKey{ + loadRSAKey(t, "testdata/rsa_1.pem", jose.RS256), + }, + claims: fmt.Sprintf(`{ + "iss": "https://auth.example.com", + "aud": "my-client", + "email": "jane@example.com", + "email_verified": true, + "exp": %d + }`, valid.Unix()), + want: &user.DefaultInfo{ + Name: "jane@example.com", + }, + }, + { + name: "email-not-verified", + options: Options{ + IssuerURL: "https://auth.example.com", + ClientID: "my-client", + UsernameClaim: "email", + now: func() time.Time { return now }, + }, + signingKey: loadRSAPrivKey(t, "testdata/rsa_1.pem", jose.RS256), + pubKeys: []*jose.JSONWebKey{ + loadRSAKey(t, "testdata/rsa_1.pem", jose.RS256), + }, + claims: fmt.Sprintf(`{ + "iss": "https://auth.example.com", + "aud": "my-client", + "email": "jane@example.com", + "email_verified": false, + "exp": %d + }`, valid.Unix()), + wantErr: true, + }, + { + // If "email_verified" isn't present, assume false + name: "no-email-verified-claim", + options: Options{ + IssuerURL: "https://auth.example.com", + ClientID: "my-client", + UsernameClaim: "email", + now: func() time.Time { return now }, + }, + signingKey: loadRSAPrivKey(t, "testdata/rsa_1.pem", jose.RS256), + pubKeys: []*jose.JSONWebKey{ + loadRSAKey(t, "testdata/rsa_1.pem", jose.RS256), + }, + claims: fmt.Sprintf(`{ + "iss": "https://auth.example.com", + "aud": "my-client", + "email": "jane@example.com", + "exp": %d + }`, valid.Unix()), + wantErr: true, + }, + { + name: "groups", + options: Options{ + IssuerURL: "https://auth.example.com", + ClientID: "my-client", + UsernameClaim: "username", + GroupsClaim: "groups", + now: func() time.Time { return now }, + }, + signingKey: loadRSAPrivKey(t, "testdata/rsa_1.pem", jose.RS256), + pubKeys: []*jose.JSONWebKey{ + loadRSAKey(t, "testdata/rsa_1.pem", jose.RS256), + }, + claims: fmt.Sprintf(`{ + "iss": "https://auth.example.com", + "aud": "my-client", + "username": "jane", + "groups": ["team1", "team2"], + "exp": %d + }`, valid.Unix()), + want: &user.DefaultInfo{ + Name: "jane", + Groups: []string{"team1", "team2"}, + }, + }, + { + // Groups should be able to be a single string, not just a slice. + name: "group-string-claim", + options: Options{ + IssuerURL: "https://auth.example.com", + ClientID: "my-client", + UsernameClaim: "username", + GroupsClaim: "groups", + now: func() time.Time { return now }, + }, + signingKey: loadRSAPrivKey(t, "testdata/rsa_1.pem", jose.RS256), + pubKeys: []*jose.JSONWebKey{ + loadRSAKey(t, "testdata/rsa_1.pem", jose.RS256), + }, + claims: fmt.Sprintf(`{ + "iss": "https://auth.example.com", + "aud": "my-client", + "username": "jane", + "groups": "team1", + "exp": %d + }`, valid.Unix()), + want: &user.DefaultInfo{ + Name: "jane", + Groups: []string{"team1"}, + }, + }, + { + // if the groups claim isn't provided, this shouldn't error out + name: "no-groups-claim", + options: Options{ + IssuerURL: "https://auth.example.com", + ClientID: "my-client", + UsernameClaim: "username", + GroupsClaim: "groups", + now: func() time.Time { return now }, + }, + signingKey: loadRSAPrivKey(t, "testdata/rsa_1.pem", jose.RS256), + pubKeys: []*jose.JSONWebKey{ + loadRSAKey(t, "testdata/rsa_1.pem", jose.RS256), + }, + claims: fmt.Sprintf(`{ + "iss": "https://auth.example.com", + "aud": "my-client", + "username": "jane", + "exp": %d + }`, valid.Unix()), + want: &user.DefaultInfo{ + Name: "jane", + }, + }, + { + name: "invalid-groups-claim", + options: Options{ + IssuerURL: "https://auth.example.com", + ClientID: "my-client", + UsernameClaim: "username", + GroupsClaim: "groups", + now: func() time.Time { return now }, + }, + signingKey: loadRSAPrivKey(t, "testdata/rsa_1.pem", jose.RS256), + pubKeys: []*jose.JSONWebKey{ + loadRSAKey(t, "testdata/rsa_1.pem", jose.RS256), + }, + claims: fmt.Sprintf(`{ + "iss": "https://auth.example.com", + "aud": "my-client", + "username": "jane", + "groups": 42, + "exp": %d + }`, valid.Unix()), + wantErr: true, + }, + { + name: "invalid-signature", + options: Options{ + IssuerURL: "https://auth.example.com", + ClientID: "my-client", + UsernameClaim: "username", + now: func() time.Time { return now }, + }, + signingKey: loadRSAPrivKey(t, "testdata/rsa_1.pem", jose.RS256), + pubKeys: []*jose.JSONWebKey{ + loadRSAKey(t, "testdata/rsa_2.pem", jose.RS256), + }, + claims: fmt.Sprintf(`{ + "iss": "https://auth.example.com", + "aud": "my-client", + "username": "jane", + "exp": %d + }`, valid.Unix()), + wantErr: true, + }, + { + name: "expired", + options: Options{ + IssuerURL: "https://auth.example.com", + ClientID: "my-client", + UsernameClaim: "username", + now: func() time.Time { return now }, + }, + signingKey: loadRSAPrivKey(t, "testdata/rsa_1.pem", jose.RS256), + pubKeys: []*jose.JSONWebKey{ + loadRSAKey(t, "testdata/rsa_1.pem", jose.RS256), + }, + claims: fmt.Sprintf(`{ + "iss": "https://auth.example.com", + "aud": "my-client", + "username": "jane", + "exp": %d + }`, expired.Unix()), + wantErr: true, + }, + { + name: "invalid-aud", + options: Options{ + IssuerURL: "https://auth.example.com", + ClientID: "my-client", + UsernameClaim: "username", + now: func() time.Time { return now }, + }, + signingKey: loadRSAPrivKey(t, "testdata/rsa_1.pem", jose.RS256), + pubKeys: []*jose.JSONWebKey{ + loadRSAKey(t, "testdata/rsa_1.pem", jose.RS256), + }, + claims: fmt.Sprintf(`{ + "iss": "https://auth.example.com", + "aud": "not-my-client", + "username": "jane", + "exp": %d + }`, valid.Unix()), + wantErr: true, + }, + { + // ID tokens may contain multiple audiences: + // https://openid.net/specs/openid-connect-core-1_0.html#IDToken + name: "multiple-audiences", + options: Options{ + IssuerURL: "https://auth.example.com", + ClientID: "my-client", + UsernameClaim: "username", + now: func() time.Time { return now }, + }, + signingKey: loadRSAPrivKey(t, "testdata/rsa_1.pem", jose.RS256), + pubKeys: []*jose.JSONWebKey{ + loadRSAKey(t, "testdata/rsa_1.pem", jose.RS256), + }, + claims: fmt.Sprintf(`{ + "iss": "https://auth.example.com", + "aud": ["not-my-client", "my-client"], + "azp": "not-my-client", + "username": "jane", + "exp": %d + }`, valid.Unix()), + want: &user.DefaultInfo{ + Name: "jane", + }, + }, + { + name: "invalid-issuer", + options: Options{ + IssuerURL: "https://auth.example.com", + ClientID: "my-client", + UsernameClaim: "username", + now: func() time.Time { return now }, + }, + signingKey: loadRSAPrivKey(t, "testdata/rsa_1.pem", jose.RS256), + pubKeys: []*jose.JSONWebKey{ + loadRSAKey(t, "testdata/rsa_1.pem", jose.RS256), + }, + claims: fmt.Sprintf(`{ + "iss": "https://example.com", + "aud": "my-client", + "username": "jane", + "exp": %d + }`, valid.Unix()), + wantSkip: true, + }, + { + name: "username-prefix", + options: Options{ + IssuerURL: "https://auth.example.com", + ClientID: "my-client", + UsernameClaim: "username", + UsernamePrefix: "oidc:", + now: func() time.Time { return now }, + }, + signingKey: loadRSAPrivKey(t, "testdata/rsa_1.pem", jose.RS256), + pubKeys: []*jose.JSONWebKey{ + loadRSAKey(t, "testdata/rsa_1.pem", jose.RS256), + }, + claims: fmt.Sprintf(`{ + "iss": "https://auth.example.com", + "aud": "my-client", + "username": "jane", + "exp": %d + }`, valid.Unix()), + want: &user.DefaultInfo{ + Name: "oidc:jane", + }, + }, + { + name: "groups-prefix", + options: Options{ + IssuerURL: "https://auth.example.com", + ClientID: "my-client", + UsernameClaim: "username", + UsernamePrefix: "oidc:", + GroupsClaim: "groups", + GroupsPrefix: "groups:", + now: func() time.Time { return now }, + }, + signingKey: loadRSAPrivKey(t, "testdata/rsa_1.pem", jose.RS256), + pubKeys: []*jose.JSONWebKey{ + loadRSAKey(t, "testdata/rsa_1.pem", jose.RS256), + }, + claims: fmt.Sprintf(`{ + "iss": "https://auth.example.com", + "aud": "my-client", + "username": "jane", + "groups": ["team1", "team2"], + "exp": %d + }`, valid.Unix()), + want: &user.DefaultInfo{ + Name: "oidc:jane", + Groups: []string{"groups:team1", "groups:team2"}, + }, + }, + { + name: "invalid-signing-alg", + options: Options{ + IssuerURL: "https://auth.example.com", + ClientID: "my-client", + UsernameClaim: "username", + now: func() time.Time { return now }, + }, + // Correct key but invalid signature algorithm "PS256" + signingKey: loadRSAPrivKey(t, "testdata/rsa_1.pem", jose.PS256), + pubKeys: []*jose.JSONWebKey{ + loadRSAKey(t, "testdata/rsa_1.pem", jose.RS256), + }, + claims: fmt.Sprintf(`{ + "iss": "https://auth.example.com", + "aud": "my-client", + "username": "jane", + "exp": %d + }`, valid.Unix()), + wantErr: true, + }, + { + name: "ps256", + options: Options{ + IssuerURL: "https://auth.example.com", + ClientID: "my-client", + UsernameClaim: "username", + SupportedSigningAlgs: []string{"PS256"}, + now: func() time.Time { return now }, + }, + signingKey: loadRSAPrivKey(t, "testdata/rsa_1.pem", jose.PS256), + pubKeys: []*jose.JSONWebKey{ + loadRSAKey(t, "testdata/rsa_1.pem", jose.PS256), + }, + claims: fmt.Sprintf(`{ + "iss": "https://auth.example.com", + "aud": "my-client", + "username": "jane", + "exp": %d + }`, valid.Unix()), + want: &user.DefaultInfo{ + Name: "jane", + }, + }, + { + name: "es512", + options: Options{ + IssuerURL: "https://auth.example.com", + ClientID: "my-client", + UsernameClaim: "username", + SupportedSigningAlgs: []string{"ES512"}, + now: func() time.Time { return now }, + }, + signingKey: loadECDSAPrivKey(t, "testdata/ecdsa_2.pem", jose.ES512), + pubKeys: []*jose.JSONWebKey{ + loadECDSAKey(t, "testdata/ecdsa_1.pem", jose.ES512), + loadECDSAKey(t, "testdata/ecdsa_2.pem", jose.ES512), + }, + claims: fmt.Sprintf(`{ + "iss": "https://auth.example.com", + "aud": "my-client", + "username": "jane", + "exp": %d + }`, valid.Unix()), + want: &user.DefaultInfo{ + Name: "jane", + }, + }, + { + name: "not-https", + options: Options{ + IssuerURL: "http://auth.example.com", + ClientID: "my-client", + UsernameClaim: "username", + now: func() time.Time { return now }, + }, + pubKeys: []*jose.JSONWebKey{ + loadRSAKey(t, "testdata/rsa_1.pem", jose.RS256), + }, + wantInitErr: true, + }, + { + name: "no-username-claim", + options: Options{ + IssuerURL: "https://auth.example.com", + ClientID: "my-client", + now: func() time.Time { return now }, + }, + pubKeys: []*jose.JSONWebKey{ + loadRSAKey(t, "testdata/rsa_1.pem", jose.RS256), + }, + wantInitErr: true, + }, + { + name: "invalid-sig-alg", + options: Options{ + IssuerURL: "https://auth.example.com", + ClientID: "my-client", + UsernameClaim: "username", + SupportedSigningAlgs: []string{"HS256"}, + now: func() time.Time { return now }, + }, + pubKeys: []*jose.JSONWebKey{ + loadRSAKey(t, "testdata/rsa_1.pem", jose.RS256), + }, + wantInitErr: true, + }, + } + for _, test := range tests { + t.Run(test.name, test.run) + } +} - defer os.Remove(cert1) - defer os.Remove(key1) - defer os.Remove(cert2) - defer os.Remove(key2) +func TestUnmarshalClaimError(t *testing.T) { + // Ensure error strings returned by unmarshaling claims don't include the claim. + const token = "96bb299a-02e9-11e8-8673-54ee7553240e" + payload := fmt.Sprintf(`{ + "token": "%s" + }`, token) - oidctesting.GenerateSelfSignedCert(t, "127.0.0.1", cert1, key1) - oidctesting.GenerateSelfSignedCert(t, "127.0.0.1", cert2, key2) + var c claims + if err := json.Unmarshal([]byte(payload), &c); err != nil { + t.Fatal(err) + } + var n int + err := c.unmarshalClaim("token", &n) + if err == nil { + t.Fatal("expected error") + } + if strings.Contains(err.Error(), token) { + t.Fatalf("unmarshal error included token") + } +} + +func TestUnmarshalClaim(t *testing.T) { tests := []struct { - testCase string - - serverCertFile string - serverKeyFile string - - trustedCertFile string - + name string + claims string + do func(claims) (interface{}, error) + want interface{} wantErr bool }{ { - testCase: "provider using untrusted custom cert", - serverCertFile: cert1, - serverKeyFile: key1, - wantErr: true, + name: "string claim", + claims: `{"aud":"foo"}`, + do: func(c claims) (interface{}, error) { + var s string + err := c.unmarshalClaim("aud", &s) + return s, err + }, + want: "foo", }, { - testCase: "provider using untrusted cert", - serverCertFile: cert1, - serverKeyFile: key1, - trustedCertFile: cert2, - wantErr: true, - }, - { - testCase: "provider using trusted cert", - serverCertFile: cert1, - serverKeyFile: key1, - trustedCertFile: cert1, - wantErr: false, - }, - } + name: "mismatched types", + claims: `{"aud":"foo"}`, + do: func(c claims) (interface{}, error) { + var n int + err := c.unmarshalClaim("aud", &n) + return n, err - for _, tc := range tests { - func() { - op := oidctesting.NewOIDCProvider(t, "") - srv, err := op.ServeTLSWithKeyPair(tc.serverCertFile, tc.serverKeyFile) - if err != nil { - t.Errorf("%s: %v", tc.testCase, err) - return - } - defer srv.Close() - - issuer := srv.URL - clientID := "client-foo" - - options := OIDCOptions{ - IssuerURL: srv.URL, - ClientID: clientID, - CAFile: tc.trustedCertFile, - UsernameClaim: "email", - GroupsClaim: "groups", - } - - authenticator, err := New(options) - if err != nil { - t.Errorf("%s: failed to initialize authenticator: %v", tc.testCase, err) - return - } - defer authenticator.Close() - - email := "user-1@example.com" - groups := []string{"group1", "group2"} - sort.Strings(groups) - - token := generateGoodToken(t, op, issuer, "user-1", clientID, "email", email, "groups", groups) - - // Because this authenticator behaves differently for subsequent requests, run these - // tests multiple times (but expect the same result). - for i := 1; i < 4; i++ { - - user, ok, err := authenticator.AuthenticateToken(token) - if err != nil { - if !tc.wantErr { - t.Errorf("%s (req #%d): failed to authenticate token: %v", tc.testCase, i, err) - } - continue - } - - if tc.wantErr { - t.Errorf("%s (req #%d): expected error authenticating", tc.testCase, i) - continue - } - if !ok { - t.Errorf("%s (req #%d): did not get user or error", tc.testCase, i) - continue - } - - if gotUsername := user.GetName(); email != gotUsername { - t.Errorf("%s (req #%d): GetName() expected=%q got %q", tc.testCase, i, email, gotUsername) - } - gotGroups := user.GetGroups() - sort.Strings(gotGroups) - if !reflect.DeepEqual(gotGroups, groups) { - t.Errorf("%s (req #%d): GetGroups() expected=%q got %q", tc.testCase, i, groups, gotGroups) - } - } - }() - } -} - -func TestOIDCAuthentication(t *testing.T) { - cert := path.Join(os.TempDir(), "oidc-cert") - key := path.Join(os.TempDir(), "oidc-key") - - defer os.Remove(cert) - defer os.Remove(key) - - oidctesting.GenerateSelfSignedCert(t, "127.0.0.1", cert, key) - - // Ensure all tests pass when the issuer is not at a base URL. - for _, path := range []string{"", "/path/with/trailing/slash/"} { - - // Create a TLS server and a client. - op := oidctesting.NewOIDCProvider(t, path) - srv, err := op.ServeTLSWithKeyPair(cert, key) - if err != nil { - t.Fatalf("Cannot start server: %v", err) - } - defer srv.Close() - - tests := []struct { - userClaim string - groupsClaim string - token string - userInfo user.Info - verified bool - err string - }{ - { - "sub", - "", - generateGoodToken(t, op, srv.URL, "client-foo", "client-foo", "sub", "user-foo", "", nil), - &user.DefaultInfo{Name: "user-foo"}, - true, - "", - }, - { - // Use user defined claim (email here). - "email", - "", - generateGoodToken(t, op, srv.URL, "client-foo", "client-foo", "email", "foo@example.com", "", nil), - &user.DefaultInfo{Name: "foo@example.com"}, - true, - "", - }, - { - // Use user defined claim (email here). - "email", - "", - generateGoodToken(t, op, srv.URL, "client-foo", "client-foo", "email", "foo@example.com", "groups", []string{"group1", "group2"}), - &user.DefaultInfo{Name: "foo@example.com"}, - true, - "", - }, - { - // Use user defined claim (email here). - "email", - "groups", - generateGoodToken(t, op, srv.URL, "client-foo", "client-foo", "email", "foo@example.com", "groups", []string{"group1", "group2"}), - &user.DefaultInfo{Name: "foo@example.com", Groups: []string{"group1", "group2"}}, - true, - "", - }, - { - // Group claim is a string rather than an array. Map that string to a single group. - "email", - "groups", - generateGoodToken(t, op, srv.URL, "client-foo", "client-foo", "email", "foo@example.com", "groups", "group1"), - &user.DefaultInfo{Name: "foo@example.com", Groups: []string{"group1"}}, - true, - "", - }, - { - // Group claim is not a string or array of strings. Throw out this as invalid. - "email", - "groups", - generateGoodToken(t, op, srv.URL, "client-foo", "client-foo", "email", "foo@example.com", "groups", 1), - nil, - false, - "custom group claim contains invalid type: float64", - }, - { - // Email not verified - "email", - "", - generateTokenWithUnverifiedEmail(t, op, srv.URL, "client-foo", "client-foo", "foo@example.com"), - nil, - false, - "email not verified", - }, - { - "sub", - "", - generateMalformedToken(t, op, srv.URL, "client-foo", "client-foo", "sub", "user-foo", "", nil), - nil, - false, - "oidc: unable to verify JWT signature: no matching keys", - }, - { - // Invalid 'aud'. - "sub", - "", - generateGoodToken(t, op, srv.URL, "client-foo", "client-bar", "sub", "user-foo", "", nil), - nil, - false, - "oidc: JWT claims invalid: invalid claims, 'aud' claim and 'client_id' do not match", - }, - { - // Invalid issuer. - "sub", - "", - generateGoodToken(t, op, "http://foo-bar.com", "client-foo", "client-foo", "sub", "user-foo", "", nil), - nil, - false, - "oidc: JWT claims invalid: invalid claim value: 'iss'.", - }, - { - "sub", - "", - generateExpiredToken(t, op, srv.URL, "client-foo", "client-foo", "sub", "user-foo", "", nil), - nil, - false, - "oidc: JWT claims invalid: token is expired", - }, - } - - for i, tt := range tests { - client, err := New(OIDCOptions{srv.URL, "client-foo", cert, tt.userClaim, "", tt.groupsClaim, ""}) - if err != nil { - t.Errorf("Unexpected error: %v", err) - continue - } - - user, result, err := client.AuthenticateToken(tt.token) - if tt.err != "" { - if !strings.HasPrefix(err.Error(), tt.err) { - t.Errorf("#%d: Expecting: %v..., but got: %v", i, tt.err, err) - } - } else { - if err != nil { - t.Errorf("#%d: Unexpected error: %v", i, err) - } - } - if !reflect.DeepEqual(tt.verified, result) { - t.Errorf("#%d: Expecting: %v, but got: %v", i, tt.verified, result) - } - if !reflect.DeepEqual(tt.userInfo, user) { - t.Errorf("#%d: Expecting: %v, but got: %v", i, tt.userInfo, user) - } - client.Close() - } - } -} - -func TestParseTokenClaims(t *testing.T) { - tests := []struct { - name string - - // Note this is missing a lot of configuration options because - // parseTokenClaim doesn't handle: - // - // - 'iss' claim matching issuer URL - // - 'exp' claim having not expired - // - 'sub' claim matching a trusted client id - // - // That logic has coverage in other tests. - - issuerURL string - usernameClaim string - usernamePrefix string - groupsClaim string - groupsPrefix string - - claims jose.Claims - - wantUser *user.DefaultInfo - wantErr bool - }{ - { - name: "email username", - issuerURL: "https://foo.com/", - usernameClaim: "email", - claims: jose.Claims{ - "email": "jane.doe@example.com", - "email_verified": true, - }, - wantUser: &user.DefaultInfo{ - Name: "jane.doe@example.com", - }, - }, - { - name: "no email_verified claim", - issuerURL: "https://foo.com/", - usernameClaim: "email", - claims: jose.Claims{ - "email": "jane.doe@example.com", }, wantErr: true, }, { - name: "email unverified", - issuerURL: "https://foo.com/", - usernameClaim: "email", - claims: jose.Claims{ - "email": "jane.doe@example.com", - "email_verified": false, + name: "bool claim", + claims: `{"email":"foo@coreos.com","email_verified":true}`, + do: func(c claims) (interface{}, error) { + var verified bool + err := c.unmarshalClaim("email_verified", &verified) + return verified, err }, - wantErr: true, + want: true, }, { - name: "non-email user claim", - issuerURL: "https://foo.com/", - usernameClaim: "name", - claims: jose.Claims{ - "name": "janedoe", - }, - wantUser: &user.DefaultInfo{ - Name: "janedoe", - }, - }, - { - name: "groups claim", - issuerURL: "https://foo.com/", - usernameClaim: "name", - groupsClaim: "groups", - claims: jose.Claims{ - "name": "janedoe", - "groups": []string{"foo", "bar"}, - }, - wantUser: &user.DefaultInfo{ - Name: "janedoe", - Groups: []string{"foo", "bar"}, - }, - }, - { - name: "groups claim string", - issuerURL: "https://foo.com/", - usernameClaim: "name", - groupsClaim: "groups", - claims: jose.Claims{ - "name": "janedoe", - "groups": "foo", - }, - wantUser: &user.DefaultInfo{ - Name: "janedoe", - Groups: []string{"foo"}, - }, - }, - { - name: "username prefix", - issuerURL: "https://foo.com/", - usernameClaim: "name", - groupsClaim: "groups", - usernamePrefix: "oidc:", - claims: jose.Claims{ - "name": "janedoe", - "groups": []string{"foo", "bar"}, - }, - wantUser: &user.DefaultInfo{ - Name: "oidc:janedoe", - Groups: []string{"foo", "bar"}, - }, - }, - { - name: "username prefix with email", - issuerURL: "https://foo.com/", - usernameClaim: "email", - groupsClaim: "groups", - usernamePrefix: "oidc:", - claims: jose.Claims{ - "email": "jane.doe@example.com", - "email_verified": true, - "groups": []string{"foo", "bar"}, - }, - wantUser: &user.DefaultInfo{ - Name: "oidc:jane.doe@example.com", - Groups: []string{"foo", "bar"}, - }, - }, - { - name: "groups prefix", - issuerURL: "https://foo.com/", - usernameClaim: "name", - groupsClaim: "groups", - groupsPrefix: "oidc:", - claims: jose.Claims{ - "name": "janedoe", - "groups": []string{"foo", "bar"}, - }, - wantUser: &user.DefaultInfo{ - Name: "janedoe", - Groups: []string{"oidc:foo", "oidc:bar"}, - }, - }, - { - name: "username and groups prefix", - issuerURL: "https://foo.com/", - usernameClaim: "name", - groupsClaim: "groups", - usernamePrefix: "oidc-user:", - groupsPrefix: "oidc:", - claims: jose.Claims{ - "name": "janedoe", - "groups": []string{"foo", "bar"}, - }, - wantUser: &user.DefaultInfo{ - Name: "oidc-user:janedoe", - Groups: []string{"oidc:foo", "oidc:bar"}, + name: "strings claim", + claims: `{"groups":["a","b","c"]}`, + do: func(c claims) (interface{}, error) { + var groups []string + err := c.unmarshalClaim("groups", &groups) + return groups, err }, + want: []string{"a", "b", "c"}, }, } for _, test := range tests { t.Run(test.name, func(t *testing.T) { - o := OIDCAuthenticator{ - issuerURL: test.issuerURL, - usernameClaim: test.usernameClaim, - usernamePrefix: test.usernamePrefix, - groupsClaim: test.groupsClaim, - groupsPrefix: test.groupsPrefix, + var c claims + if err := json.Unmarshal([]byte(test.claims), &c); err != nil { + t.Fatal(err) } - u, ok, err := o.parseTokenClaims(test.claims) + got, err := test.do(c) if err != nil { - if !test.wantErr { - t.Errorf("failed to authenticate user: %v", err) + if test.wantErr { + return } - return + t.Fatalf("unexpected error: %v", err) } if test.wantErr { - t.Fatalf("expected authentication to fail") + t.Fatalf("expected error") } - if !ok { - // We don't have any cases today when the claims can return - // no error with an unauthenticated signal. - // - // In the future we might. - t.Fatalf("user wasn't authenticated") - } - - got := &user.DefaultInfo{ - Name: u.GetName(), - UID: u.GetUID(), - Groups: u.GetGroups(), - Extra: u.GetExtra(), - } - if !reflect.DeepEqual(got, test.wantUser) { - t.Errorf("wanted user=%#v, got=%#v", test.wantUser, got) + if !reflect.DeepEqual(got, test.want) { + t.Errorf("wanted=%#v, got=%#v", test.want, got) } }) } diff --git a/staging/src/k8s.io/apiserver/plugin/pkg/authenticator/token/oidc/testdata/ecdsa_1.pem b/staging/src/k8s.io/apiserver/plugin/pkg/authenticator/token/oidc/testdata/ecdsa_1.pem new file mode 100644 index 00000000000..c56852dca2e --- /dev/null +++ b/staging/src/k8s.io/apiserver/plugin/pkg/authenticator/token/oidc/testdata/ecdsa_1.pem @@ -0,0 +1,7 @@ +-----BEGIN EC PRIVATE KEY----- +MIHcAgEBBEIAvxtZy9aI/lEt6LVLIhVrWLSwmlMFThU/nZUPr88nA5yKzJMyKbW/ +QA+umam9YtO78WwzriTGC9qwW6+t+liXrcCgBwYFK4EEACOhgYkDgYYABAGzIO9n +tdTx6oVg1O59ljYP4FHY9RNUy+wHeXFnB6fo9asGg9jwLMg/iX0F+whFkllQjNLf +kKp/9ATWQHrzSbzuqwB9UU5zfQ3ulhMwEBpxbM6aSi1HyYtc5pQn7KB6h1VXiuQK +CIj4kVYHClZuKz0om/XAJL4vWVDwJqDBN6m9Yi9ZLQ== +-----END EC PRIVATE KEY----- diff --git a/staging/src/k8s.io/apiserver/plugin/pkg/authenticator/token/oidc/testdata/ecdsa_2.pem b/staging/src/k8s.io/apiserver/plugin/pkg/authenticator/token/oidc/testdata/ecdsa_2.pem new file mode 100644 index 00000000000..611a4ba3be2 --- /dev/null +++ b/staging/src/k8s.io/apiserver/plugin/pkg/authenticator/token/oidc/testdata/ecdsa_2.pem @@ -0,0 +1,7 @@ +-----BEGIN EC PRIVATE KEY----- +MIHcAgEBBEIBtxiwrrDmi1U+NxClUKIr2cvmL6PPLxjAULjPuORt0AWbqKakphSJ +43VmIbPBBCuLnN2PuVS9N8jLDlR1KUnnFSGgBwYFK4EEACOhgYkDgYYABAEgshGY +Oflwnz2SQOWIkvSPmijMhS4nWmLYedR2H/Dg9c9nuiyQqL3XpqkPnQQwqOgcXjMT +hTec2tiLcRS3Gj02yQEpe/6Do6if4K4cQ9KsNtVHsn0bibsqLtRuvI7xUu9JJAs7 +vSLNUtmxVzFo4s4spnIjLT71uz1Vag/NrKwot7cz4g== +-----END EC PRIVATE KEY----- diff --git a/staging/src/k8s.io/apiserver/plugin/pkg/authenticator/token/oidc/testdata/ecdsa_3.pem b/staging/src/k8s.io/apiserver/plugin/pkg/authenticator/token/oidc/testdata/ecdsa_3.pem new file mode 100644 index 00000000000..1bd6e0a3476 --- /dev/null +++ b/staging/src/k8s.io/apiserver/plugin/pkg/authenticator/token/oidc/testdata/ecdsa_3.pem @@ -0,0 +1,7 @@ +-----BEGIN EC PRIVATE KEY----- +MIHcAgEBBEIAQTHP4V93rz1w1D+jF1Jvx5QHzkQQIYxbN1LPuvQjEoplQrjZ4Qiu +h9mKK6DBCaDlfSos+wnTOlZH1z1tpa9soPOgBwYFK4EEACOhgYkDgYYABAFn+QOY +a937Lp+WO1S+zJU9ITnzdvjqQtD/TjtJPQsllV8rD0QNXZb/pLFQFZtDEehiZKEu +WA0REGNs+rVMO63YZAAyDMwZTz87ulH23OR6EaoyDp9qEPx7kpxgaJqeIztla2t8 +SLVpv/FPR92E/OmguT6sFI5mP0AhV8UVlLYuHaovnw== +-----END EC PRIVATE KEY----- diff --git a/staging/src/k8s.io/apiserver/plugin/pkg/authenticator/token/oidc/testdata/gen.sh b/staging/src/k8s.io/apiserver/plugin/pkg/authenticator/token/oidc/testdata/gen.sh new file mode 100755 index 00000000000..a3daa0fc438 --- /dev/null +++ b/staging/src/k8s.io/apiserver/plugin/pkg/authenticator/token/oidc/testdata/gen.sh @@ -0,0 +1,27 @@ +#!/bin/bash -e + +# Copyright 2018 The Kubernetes Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +rm *.pem + +for N in `seq 1 3`; do + ssh-keygen -t rsa -b 2048 -f rsa_$N.pem -N '' +done + +for N in `seq 1 3`; do + ssh-keygen -t ecdsa -b 521 -f ecdsa_$N.pem -N '' +done + +rm *.pub diff --git a/staging/src/k8s.io/apiserver/plugin/pkg/authenticator/token/oidc/testdata/rsa_1.pem b/staging/src/k8s.io/apiserver/plugin/pkg/authenticator/token/oidc/testdata/rsa_1.pem new file mode 100644 index 00000000000..2c4a9238c95 --- /dev/null +++ b/staging/src/k8s.io/apiserver/plugin/pkg/authenticator/token/oidc/testdata/rsa_1.pem @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEA0pXWMYjWRjBEds/fKj/u9r2E6SIDx0J+TAg+eyVeR20Ky9jZ +mIXW5zSxE/EKpNQpiBWm1e6G9kmhMuqjr7g455S7E+3rD3OVkdTT6SU5AKBNSFoR +XUd+G/YJEtRzrpEYNtEJHkxUxWuyfCHblHSt+wsrE6t0DccCqC87lKQiGb/QfC8u +P6ZS99SCjKBEFp1fZvyNkYwStFc2OH5fBGPXXb6SNsquvDeKX9NeWjXkmxDkbOg2 +kSkel4s/zw5KwcW3JzERfEcLStrDQ8fRbJ1C3uC088sUk4q4APQmKI/8FTvJe431 +Vne9sOSptphiqCjlR+Knja58rc/vt4TkSPZf2wIDAQABAoIBAQDO3UgjMtOi8Wlf ++YW1IEbjdXrp9XMWu9gLYpHWMPgzXAeeBfCDJv7b8uP8ve2By7TcrMBOKVnE+MF0 +nhCb3nFv9KftxOsDK70DG7nrrpgXaGFisK+cHU3hs8hoCfF1y6yotKGrdLpVkR0t +Wak1ZYU/NlJjqSqBGj0e7/8sXivtc7oME8tBBRBCEa8OqPqaelCInfFF1rX5vmxX +pQjPpZoA+vroSJy8SYE0N5oqtGwOPT+9rVuDOL10eaMbGUcssZl8ofwuvzOYPMW4 +KFSVtvdtKnACq94Qy6XQbK5hZbZXSpzxANKq8SFyG2N1wOlpu/ktdXqkyDs08AZY +c/KkpXspAoGBAPdC73GOZn/hxzkwZ2Dl+S9rgrLT3VbeuhMp6GXSdiT+f9babMuw +HlYw6uULmvL1gD/0GmyWrHopPFJxodBG5SlwYS5wl49slcxeKCjK26vbNfK2eCbu +9uMtED4dN/5NlaXF4hqy/FmSyaFhQT+5hvx8n/zvLsgpuSQ+SCiDAHMfAoGBANoH +FCZeCWzzUFhObYG9wxGJ9FBPQa0htafIYEgTwezlKPsrfXfCTnVg1lLkr6Z4IwYQ +9VufJZNAc5V0X9H/ceyKJYxhQ+E01NEVzVpoK8fOC4yCYSYtbJnqkOUQzZJzkjFT +mNcIa8o4UrBOWzMhMQa0AOZH4VrbtZDCZhid+hfFAoGAAbKh9kOmDIa+WXQtoYqy +tVKlqRivUmNhH7SP9fMGAKcGtbD2QkfJTYo0crIrtDNfWBETBV/be1NBKMfC9q0l +8azl3e3D/KYgOTEEUZNjAsEUk8AQ/yNw6opqrCKDOenKd0LulIRaGztYyxTh39Ak +TyOD7bauuY0fylHrKOwNWr0CgYEAsVZ0o0h1rjKyNUGFfLQWyFtHZ1Mv/lye3tvy +xG2dnMxAaxvSr+hR3NNpQH9WB7dL9ZExoNZvv7f6y6OelLaLuXQcWnR6u+E3AOIU +5+Y3RgtoBV+/GUh1PzQ1qrviGa77SDfQ54an9hGd4F27fHkQ4XzkBmqM+FQg+J/G +X1uPomkCgYBo4ZBEA20Wvf1k2iWOVdfsxZNeOLxwcN5x89dAvm0v6RHg2NMy+XKw +Rj+YRuudFdxfg39J/V/Md9qsvjW+4FthD8GhgPs22dksV+7j6ApWkYTmIKG4rmh3 +RhHOr6uLg9BeShnlvMMaMJKf2eA7SaVtmuS6uBGgEUNaa3qEBq0R+Q== +-----END RSA PRIVATE KEY----- diff --git a/staging/src/k8s.io/apiserver/plugin/pkg/authenticator/token/oidc/testdata/rsa_2.pem b/staging/src/k8s.io/apiserver/plugin/pkg/authenticator/token/oidc/testdata/rsa_2.pem new file mode 100644 index 00000000000..e89fdb86878 --- /dev/null +++ b/staging/src/k8s.io/apiserver/plugin/pkg/authenticator/token/oidc/testdata/rsa_2.pem @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEAxmLv1fqjacxZu5jyfQzytwjdt9/BBDzPM6G+R92YvsB7o2FH +ISiySbT8pyj7wGUgDvBdc9+GT3thf2pKGl/THaYJCLbh90GXVMTTak8Najqp2Qod +kxIpjSOBgukmd0LUtUVGKJg7YTEqsxAUmn9mfFiUZ6ixHr0U2NAXu7TF4dw7C9bt +ORi9DKDfUhEiV3Vcyrc5d/9VdmWG6fs/kq0B/6AboiSIIGAKSugNi4BgV7rNZYwZ +37UT72CW28TQQuuAtmTgXWMkfeWZiQKD1P8Nl1byORpgivp2A+2pMNlcLuogVhGY +TIZstbeMqoPyLW57GitWDg1tbakwJdCR23gCKQIDAQABAoIBACZmDf//1FNtD01F +TGIx+GS/HZMyhvyX/I8E1ny4gpEhVo0IDil35BJqKqD8SMYzjKH3mk8MS8Xknrl3 +zEIQnB9X/NWn+FLQakcpFba0+GbAVhHBaHoIAOzlm3LIR/67e8peTzcaSBwG1Tn1 +eddxo1ecGZV6zFWjyX4xwPY/BjIyA/b1LewqIK6W/I4u3RwtEzqANV9ddVbFH53e +Y+i2X1HVuLm0LETsX4jB/G/ZDP6Y101gOwPFddm+h1ixZ2jrAkyTbvYL5ukIsU8Z +okIEZsd6nv08YN+LOXOPh0CxvgHI347RDzgfbDmHGqq8gh20+wLP/MV+dOiBBAJT +RfnoFcUCgYEA8SpMW64CNhRkH3Nv5A5ffSOa7NqiN7OdNEswgcgkAbjR5YsTATPg +p9iWqGcEodX1FWjnL2NLMdMvYxh4MwMCACIa8FQ2/RDEwViaVjxcOK64MIvyvnNq +NObx8pMClUBXWF/llxxTR+/CJWRdCABBm56lQPuuX/qEi/xqybHPcAcCgYEA0pb9 +FGmGhDXl3bG3zNNIim+FuqG0xQoIjVPwdvkMI30h/ii6qs3jxwHlw6KBf8AI9wI+ +bWbzhwcYVkS6It0Yj4q/mqOVHi89frrAQygsJkMQkdl8WiWwPeiiIdsHYTUcBv5+ +i6YLs8ycnzMeFAxg8kuxrq6mm3yW6u5CuInsEE8CgYAWXqUMj/x2hbevzyZe0hJ7 +ahURyUnovsljM2JBd44XdsxJbXgK0YQSLZ3z6vJcDJuaK8vd8mjkK0GnAHsNyEak +OoWjKzyahrapdI2EWD75pwNAxYpzrgL4+z8QECDaNUik0uhZ9u+mqY+ppkCW4Gc1 +hyau+2l2T6eB0J0bLloeewKBgQC+fZn8JuBpI6AEg8ew3cYWg37CLZgpTEQkIzO3 +StyyFXT0RL9l1cwerha6ensNphX16e+yYpgTIlXfY1fERZ776RQcu7Adl7nWsvNL +TEFzcuLAK60SlljwB0jxuwDX64SoxviNNewL/iAG2eRxWikvw0y8qHtI1tBlPpTX +/NqufQKBgD1jAPRgu+IN9IDXoqnMiXbSfrVsJ1ndyPCRBq4dfvawcbEDTZfkiid0 +aNrdRoOETfLCynAcG6o6uS3+2sumzXLrMNr8MDF8NEa2Rh8nN3IjZqESV4CNgaV6 +JhAlWFp+AvYv6N1iHK52nNAFiX/cfaMpWTUKqk2Z4VZCr5qhLUVs +-----END RSA PRIVATE KEY----- diff --git a/staging/src/k8s.io/apiserver/plugin/pkg/authenticator/token/oidc/testdata/rsa_3.pem b/staging/src/k8s.io/apiserver/plugin/pkg/authenticator/token/oidc/testdata/rsa_3.pem new file mode 100644 index 00000000000..3c660ed197b --- /dev/null +++ b/staging/src/k8s.io/apiserver/plugin/pkg/authenticator/token/oidc/testdata/rsa_3.pem @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpgIBAAKCAQEA1uO3LV0wHadHjQb8U8KGUpzlZTyBHlinL7lF5yKk2hXOyssT +Z0UVF6ofPq/L+ZN5VkTb1FJWMEBiX1BgXlboDdYKAYTl1QaeEQrfrAM4gp2FdWS4 +fMUuagFdVXs8T2J4GGPEE83ybwz/YEM3p83Qojifvx/IjVtuHCMkUpcj92scjsCY +EeSKRjJicVBmJ1RK0ShEorHhnYmokKYsPl41mV5VdmWZOtmPK4jV05cBfg7eC7yI +cwwYhowLkYvd9d9H74otK5tD7KTxFG6JJ0N5zwf6XBRcXBWKstfOOZ5Qgo9z0Tkm +n3Klp9vwun25aaA1MlSSByByiCb7qvS8jhqMkQIDAQABAoIBAQCjN58AU9GiFFai +ZXXuYMgJo6YRON2RoSCLfRv9LTEtfHbvTUPVooEc0lidEoXJcRwuTGr0X/2a9KxD +XRd1UGk9aR98e+bd4QLaSvoM+v1HKEIgInqGOnbAiXzM2qe6XD5/t/dMW5cShjrK +cQOq7wbS0FN1pbx8sb92m7KREL9+wnXuOCHYtublRf7arsMkaZcpSBBaI+raMaZR +dUC+LmalIvR8+dNegducwWsdE8/Vh+xq97ZbNFlyut3JOvfuHmaAOvUsX/4touj2 +dDkJmvzvmpTBG888t+6hv9eKWaacsTAKuPLThRBD53coTEvHK8iic9fOok65y5Bn +nFP/irUpAoGBAPUsPoAPwcNajZX/E4XeG/2eV+IHMxYR9gJwBzpoUfwHr5mR54HK +POia/z7/M2KVV9kMWBlbTumIHSEylEEDCCKNNIe1gHBxQ7uGuaf+vVXpVgjBigUz +7oiCjb5RdjevfiyudX/z0B9IQSI9djCXebifEHKpUxAOmU3oP0SEMULLAoGBAOBh +G+fDouMU7QN93NG0hssu44yc7xQhb7VLB+isrEQASVG2xWkd3iDrdRxwHAHZqxFd +4DRzDTFC7yeR+FEbVVkWQRaeDwFJM1zmRTXsYjBkK49GNzB4QEtHvPouuxMAQ4UD +zJ9a3LEDSs867R7XEbNF8j9NC9z0vk7w9bHTA1aTAoGBAODUUQBY8sQ1zy8lOf8B +/sMmKMti9Mshb2su1sIOFli7p6F5tkZEcnSQZs+bccDO2T92XXfrTsNDigr+egvg +Pt6IhQqKPB1hEM7wLmLLbU9Sag4fhXVd+TmAF4HW7EUGjvtkhOXwbQOy2+ANYswO +rJXMcGXltwE7kgRqnVI0s4PfAoGBALUrM5Dq0bZwyv6qvYVFMiEUdv6uKAwlA0Fq +l7Qy19UANjMYVEUPrK7/7stLahHEYu/e0I0I6HoCBX/5yHoUi9Emut88N/ld1W8J +LpDfkFhqSRGiLCWisqcWAWwwFzS8XcgkzS9N+iui8OBqP9NK7CvIKlUaLJ33r0Gm +JXuzWVqpAoGBAIQ8+YuvFfyhwXuWwQbzxVpWRURH0FRu8KfFIkFFbdyht6leYXuj +uxcrcHWzkEPSLO22BoJX8ECHq4LadAIjkkpr5GCikKCF+r/bq50RnECqvfoJ629J +gA87C8cLU3dXmSYd+vSg6icZyncTmXyyEV0dqoUGJ2M33kE6hYAbc/ic +-----END RSA PRIVATE KEY----- diff --git a/staging/src/k8s.io/apiserver/plugin/pkg/authenticator/token/oidc/testing/BUILD b/staging/src/k8s.io/apiserver/plugin/pkg/authenticator/token/oidc/testing/BUILD deleted file mode 100644 index 6dcb14f70b1..00000000000 --- a/staging/src/k8s.io/apiserver/plugin/pkg/authenticator/token/oidc/testing/BUILD +++ /dev/null @@ -1,30 +0,0 @@ -package(default_visibility = ["//visibility:public"]) - -load( - "@io_bazel_rules_go//go:def.bzl", - "go_library", -) - -go_library( - name = "go_default_library", - srcs = ["provider.go"], - importpath = "k8s.io/apiserver/plugin/pkg/authenticator/token/oidc/testing", - deps = [ - "//vendor/github.com/coreos/go-oidc/jose:go_default_library", - "//vendor/github.com/coreos/go-oidc/key:go_default_library", - "//vendor/github.com/coreos/go-oidc/oidc:go_default_library", - ], -) - -filegroup( - name = "package-srcs", - srcs = glob(["**"]), - tags = ["automanaged"], - visibility = ["//visibility:private"], -) - -filegroup( - name = "all-srcs", - srcs = [":package-srcs"], - tags = ["automanaged"], -) diff --git a/staging/src/k8s.io/apiserver/plugin/pkg/authenticator/token/oidc/testing/provider.go b/staging/src/k8s.io/apiserver/plugin/pkg/authenticator/token/oidc/testing/provider.go deleted file mode 100644 index ae7353ff276..00000000000 --- a/staging/src/k8s.io/apiserver/plugin/pkg/authenticator/token/oidc/testing/provider.go +++ /dev/null @@ -1,200 +0,0 @@ -/* -Copyright 2016 The Kubernetes Authors. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -package testing - -import ( - "bytes" - "crypto/rand" - "crypto/rsa" - "crypto/tls" - "crypto/x509" - "crypto/x509/pkix" - "encoding/json" - "encoding/pem" - "fmt" - "io/ioutil" - "math/big" - "net" - "net/http" - "net/http/httptest" - "net/url" - "os" - "path" - "path/filepath" - "testing" - "time" - - "github.com/coreos/go-oidc/jose" - "github.com/coreos/go-oidc/key" - "github.com/coreos/go-oidc/oidc" -) - -// NewOIDCProvider provides a bare minimum OIDC IdP Server useful for testing. -func NewOIDCProvider(t *testing.T, issuerPath string) *OIDCProvider { - privKey, err := key.GeneratePrivateKey() - if err != nil { - t.Fatalf("Cannot create OIDC Provider: %v", err) - return nil - } - - op := &OIDCProvider{ - Mux: http.NewServeMux(), - PrivKey: privKey, - issuerPath: issuerPath, - } - - op.Mux.HandleFunc(path.Join(issuerPath, "/.well-known/openid-configuration"), op.handleConfig) - op.Mux.HandleFunc(path.Join(issuerPath, "/keys"), op.handleKeys) - - return op -} - -type OIDCProvider struct { - Mux *http.ServeMux - PCFG oidc.ProviderConfig - PrivKey *key.PrivateKey - issuerPath string -} - -func (op *OIDCProvider) ServeTLSWithKeyPair(cert, key string) (*httptest.Server, error) { - srv := httptest.NewUnstartedServer(op.Mux) - - srv.TLS = &tls.Config{Certificates: make([]tls.Certificate, 1)} - var err error - srv.TLS.Certificates[0], err = tls.LoadX509KeyPair(cert, key) - if err != nil { - return nil, fmt.Errorf("Cannot load cert/key pair: %v", err) - } - srv.StartTLS() - - // The issuer's URL is extended by an optional path. This ensures that the plugin can - // handle issuers that use a non-root path for discovery (see kubernetes/kubernetes#29749). - srv.URL = srv.URL + op.issuerPath - - u, err := url.Parse(srv.URL) - if err != nil { - return nil, err - } - pathFor := func(p string) *url.URL { - u2 := *u // Shallow copy. - u2.Path = path.Join(u2.Path, p) - return &u2 - } - - op.PCFG = oidc.ProviderConfig{ - Issuer: u, - AuthEndpoint: pathFor("/auth"), - TokenEndpoint: pathFor("/token"), - KeysEndpoint: pathFor("/keys"), - ResponseTypesSupported: []string{"code"}, - SubjectTypesSupported: []string{"public"}, - IDTokenSigningAlgValues: []string{"RS256"}, - } - return srv, nil -} - -func (op *OIDCProvider) handleConfig(w http.ResponseWriter, req *http.Request) { - b, err := json.Marshal(&op.PCFG) - if err != nil { - http.Error(w, err.Error(), http.StatusInternalServerError) - return - } - w.Header().Set("Content-Type", "application/json") - w.Write(b) -} - -func (op *OIDCProvider) handleKeys(w http.ResponseWriter, req *http.Request) { - keys := struct { - Keys []jose.JWK `json:"keys"` - }{ - Keys: []jose.JWK{op.PrivKey.JWK()}, - } - - b, err := json.Marshal(keys) - if err != nil { - http.Error(w, err.Error(), http.StatusInternalServerError) - return - } - - w.Header().Set("Cache-Control", fmt.Sprintf("public, max-age=%d", int(time.Hour.Seconds()))) - w.Header().Set("Expires", time.Now().Add(time.Hour).Format(time.RFC1123)) - w.Header().Set("Content-Type", "application/json") - w.Write(b) -} - -// generateSelfSignedCert generates a self-signed cert/key pairs and writes to the certPath/keyPath. -// This method is mostly identical to crypto.GenerateSelfSignedCert except for the 'IsCA' and 'KeyUsage' -// in the certificate template. (Maybe we can merge these two methods). -func GenerateSelfSignedCert(t *testing.T, host, certPath, keyPath string) { - priv, err := rsa.GenerateKey(rand.Reader, 2048) - if err != nil { - t.Fatal(err) - } - - template := x509.Certificate{ - SerialNumber: big.NewInt(1), - Subject: pkix.Name{ - CommonName: fmt.Sprintf("%s@%d", host, time.Now().Unix()), - }, - NotBefore: time.Now(), - NotAfter: time.Now().Add(time.Hour * 24 * 365), - - KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, - ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, - BasicConstraintsValid: true, - IsCA: true, - } - - if ip := net.ParseIP(host); ip != nil { - template.IPAddresses = append(template.IPAddresses, ip) - } else { - template.DNSNames = append(template.DNSNames, host) - } - - derBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, &priv.PublicKey, priv) - if err != nil { - t.Fatal(err) - } - - // Generate cert - certBuffer := bytes.Buffer{} - if err := pem.Encode(&certBuffer, &pem.Block{Type: "CERTIFICATE", Bytes: derBytes}); err != nil { - t.Fatal(err) - } - - // Generate key - keyBuffer := bytes.Buffer{} - if err := pem.Encode(&keyBuffer, &pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(priv)}); err != nil { - t.Fatal(err) - } - - // Write cert - if err := os.MkdirAll(filepath.Dir(certPath), os.FileMode(0755)); err != nil { - t.Fatal(err) - } - if err := ioutil.WriteFile(certPath, certBuffer.Bytes(), os.FileMode(0644)); err != nil { - t.Fatal(err) - } - - // Write key - if err := os.MkdirAll(filepath.Dir(keyPath), os.FileMode(0755)); err != nil { - t.Fatal(err) - } - if err := ioutil.WriteFile(keyPath, keyBuffer.Bytes(), os.FileMode(0600)); err != nil { - t.Fatal(err) - } -} diff --git a/staging/src/k8s.io/client-go/Godeps/Godeps.json b/staging/src/k8s.io/client-go/Godeps/Godeps.json index dd3576ac61d..836724fc347 100644 --- a/staging/src/k8s.io/client-go/Godeps/Godeps.json +++ b/staging/src/k8s.io/client-go/Godeps/Godeps.json @@ -30,38 +30,6 @@ "ImportPath": "github.com/Azure/go-autorest/autorest/date", "Rev": "d4e6b95c12a08b4de2d48b45d5b4d594e5d32fab" }, - { - "ImportPath": "github.com/coreos/go-oidc/http", - "Rev": "a4973d9a4225417aecf5d450a9522f00c1f7130f" - }, - { - "ImportPath": "github.com/coreos/go-oidc/jose", - "Rev": "a4973d9a4225417aecf5d450a9522f00c1f7130f" - }, - { - "ImportPath": "github.com/coreos/go-oidc/key", - "Rev": "a4973d9a4225417aecf5d450a9522f00c1f7130f" - }, - { - "ImportPath": "github.com/coreos/go-oidc/oauth2", - "Rev": "a4973d9a4225417aecf5d450a9522f00c1f7130f" - }, - { - "ImportPath": "github.com/coreos/go-oidc/oidc", - "Rev": "a4973d9a4225417aecf5d450a9522f00c1f7130f" - }, - { - "ImportPath": "github.com/coreos/pkg/health", - "Rev": "fa29b1d70f0beaddd4c7021607cc3c3be8ce94b8" - }, - { - "ImportPath": "github.com/coreos/pkg/httputil", - "Rev": "fa29b1d70f0beaddd4c7021607cc3c3be8ce94b8" - }, - { - "ImportPath": "github.com/coreos/pkg/timeutil", - "Rev": "fa29b1d70f0beaddd4c7021607cc3c3be8ce94b8" - }, { "ImportPath": "github.com/davecgh/go-spew/spew", "Rev": "782f4967f2dc4564575ca782fe2d04090b5faca8" @@ -178,10 +146,6 @@ "ImportPath": "github.com/imdario/mergo", "Rev": "6633656539c1639d9d78127b7d47c622b5d7b6dc" }, - { - "ImportPath": "github.com/jonboulle/clockwork", - "Rev": "72f9bd7c4e0c2a40055ab3d0f09654f730cce982" - }, { "ImportPath": "github.com/json-iterator/go", "Rev": "13f86432b882000a51c6e610c620974462691a97" diff --git a/staging/src/k8s.io/client-go/plugin/pkg/auth/authenticator/token/oidc/testing/BUILD b/staging/src/k8s.io/client-go/plugin/pkg/auth/authenticator/token/oidc/testing/BUILD deleted file mode 100644 index 4100f394eeb..00000000000 --- a/staging/src/k8s.io/client-go/plugin/pkg/auth/authenticator/token/oidc/testing/BUILD +++ /dev/null @@ -1,30 +0,0 @@ -package(default_visibility = ["//visibility:public"]) - -load( - "@io_bazel_rules_go//go:def.bzl", - "go_library", -) - -go_library( - name = "go_default_library", - srcs = ["provider.go"], - importpath = "k8s.io/client-go/plugin/pkg/auth/authenticator/token/oidc/testing", - deps = [ - "//vendor/github.com/coreos/go-oidc/jose:go_default_library", - "//vendor/github.com/coreos/go-oidc/key:go_default_library", - "//vendor/github.com/coreos/go-oidc/oidc:go_default_library", - ], -) - -filegroup( - name = "package-srcs", - srcs = glob(["**"]), - tags = ["automanaged"], - visibility = ["//visibility:private"], -) - -filegroup( - name = "all-srcs", - srcs = [":package-srcs"], - tags = ["automanaged"], -) diff --git a/staging/src/k8s.io/client-go/plugin/pkg/auth/authenticator/token/oidc/testing/provider.go b/staging/src/k8s.io/client-go/plugin/pkg/auth/authenticator/token/oidc/testing/provider.go deleted file mode 100644 index ae7353ff276..00000000000 --- a/staging/src/k8s.io/client-go/plugin/pkg/auth/authenticator/token/oidc/testing/provider.go +++ /dev/null @@ -1,200 +0,0 @@ -/* -Copyright 2016 The Kubernetes Authors. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -package testing - -import ( - "bytes" - "crypto/rand" - "crypto/rsa" - "crypto/tls" - "crypto/x509" - "crypto/x509/pkix" - "encoding/json" - "encoding/pem" - "fmt" - "io/ioutil" - "math/big" - "net" - "net/http" - "net/http/httptest" - "net/url" - "os" - "path" - "path/filepath" - "testing" - "time" - - "github.com/coreos/go-oidc/jose" - "github.com/coreos/go-oidc/key" - "github.com/coreos/go-oidc/oidc" -) - -// NewOIDCProvider provides a bare minimum OIDC IdP Server useful for testing. -func NewOIDCProvider(t *testing.T, issuerPath string) *OIDCProvider { - privKey, err := key.GeneratePrivateKey() - if err != nil { - t.Fatalf("Cannot create OIDC Provider: %v", err) - return nil - } - - op := &OIDCProvider{ - Mux: http.NewServeMux(), - PrivKey: privKey, - issuerPath: issuerPath, - } - - op.Mux.HandleFunc(path.Join(issuerPath, "/.well-known/openid-configuration"), op.handleConfig) - op.Mux.HandleFunc(path.Join(issuerPath, "/keys"), op.handleKeys) - - return op -} - -type OIDCProvider struct { - Mux *http.ServeMux - PCFG oidc.ProviderConfig - PrivKey *key.PrivateKey - issuerPath string -} - -func (op *OIDCProvider) ServeTLSWithKeyPair(cert, key string) (*httptest.Server, error) { - srv := httptest.NewUnstartedServer(op.Mux) - - srv.TLS = &tls.Config{Certificates: make([]tls.Certificate, 1)} - var err error - srv.TLS.Certificates[0], err = tls.LoadX509KeyPair(cert, key) - if err != nil { - return nil, fmt.Errorf("Cannot load cert/key pair: %v", err) - } - srv.StartTLS() - - // The issuer's URL is extended by an optional path. This ensures that the plugin can - // handle issuers that use a non-root path for discovery (see kubernetes/kubernetes#29749). - srv.URL = srv.URL + op.issuerPath - - u, err := url.Parse(srv.URL) - if err != nil { - return nil, err - } - pathFor := func(p string) *url.URL { - u2 := *u // Shallow copy. - u2.Path = path.Join(u2.Path, p) - return &u2 - } - - op.PCFG = oidc.ProviderConfig{ - Issuer: u, - AuthEndpoint: pathFor("/auth"), - TokenEndpoint: pathFor("/token"), - KeysEndpoint: pathFor("/keys"), - ResponseTypesSupported: []string{"code"}, - SubjectTypesSupported: []string{"public"}, - IDTokenSigningAlgValues: []string{"RS256"}, - } - return srv, nil -} - -func (op *OIDCProvider) handleConfig(w http.ResponseWriter, req *http.Request) { - b, err := json.Marshal(&op.PCFG) - if err != nil { - http.Error(w, err.Error(), http.StatusInternalServerError) - return - } - w.Header().Set("Content-Type", "application/json") - w.Write(b) -} - -func (op *OIDCProvider) handleKeys(w http.ResponseWriter, req *http.Request) { - keys := struct { - Keys []jose.JWK `json:"keys"` - }{ - Keys: []jose.JWK{op.PrivKey.JWK()}, - } - - b, err := json.Marshal(keys) - if err != nil { - http.Error(w, err.Error(), http.StatusInternalServerError) - return - } - - w.Header().Set("Cache-Control", fmt.Sprintf("public, max-age=%d", int(time.Hour.Seconds()))) - w.Header().Set("Expires", time.Now().Add(time.Hour).Format(time.RFC1123)) - w.Header().Set("Content-Type", "application/json") - w.Write(b) -} - -// generateSelfSignedCert generates a self-signed cert/key pairs and writes to the certPath/keyPath. -// This method is mostly identical to crypto.GenerateSelfSignedCert except for the 'IsCA' and 'KeyUsage' -// in the certificate template. (Maybe we can merge these two methods). -func GenerateSelfSignedCert(t *testing.T, host, certPath, keyPath string) { - priv, err := rsa.GenerateKey(rand.Reader, 2048) - if err != nil { - t.Fatal(err) - } - - template := x509.Certificate{ - SerialNumber: big.NewInt(1), - Subject: pkix.Name{ - CommonName: fmt.Sprintf("%s@%d", host, time.Now().Unix()), - }, - NotBefore: time.Now(), - NotAfter: time.Now().Add(time.Hour * 24 * 365), - - KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, - ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, - BasicConstraintsValid: true, - IsCA: true, - } - - if ip := net.ParseIP(host); ip != nil { - template.IPAddresses = append(template.IPAddresses, ip) - } else { - template.DNSNames = append(template.DNSNames, host) - } - - derBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, &priv.PublicKey, priv) - if err != nil { - t.Fatal(err) - } - - // Generate cert - certBuffer := bytes.Buffer{} - if err := pem.Encode(&certBuffer, &pem.Block{Type: "CERTIFICATE", Bytes: derBytes}); err != nil { - t.Fatal(err) - } - - // Generate key - keyBuffer := bytes.Buffer{} - if err := pem.Encode(&keyBuffer, &pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(priv)}); err != nil { - t.Fatal(err) - } - - // Write cert - if err := os.MkdirAll(filepath.Dir(certPath), os.FileMode(0755)); err != nil { - t.Fatal(err) - } - if err := ioutil.WriteFile(certPath, certBuffer.Bytes(), os.FileMode(0644)); err != nil { - t.Fatal(err) - } - - // Write key - if err := os.MkdirAll(filepath.Dir(keyPath), os.FileMode(0755)); err != nil { - t.Fatal(err) - } - if err := ioutil.WriteFile(keyPath, keyBuffer.Bytes(), os.FileMode(0600)); err != nil { - t.Fatal(err) - } -} diff --git a/vendor/BUILD b/vendor/BUILD index 5efe0326d3d..53a87f89e25 100644 --- a/vendor/BUILD +++ b/vendor/BUILD @@ -119,11 +119,7 @@ filegroup( "//vendor/github.com/coreos/etcd/store:all-srcs", "//vendor/github.com/coreos/etcd/version:all-srcs", "//vendor/github.com/coreos/etcd/wal:all-srcs", - "//vendor/github.com/coreos/go-oidc/http:all-srcs", - "//vendor/github.com/coreos/go-oidc/jose:all-srcs", - "//vendor/github.com/coreos/go-oidc/key:all-srcs", - "//vendor/github.com/coreos/go-oidc/oauth2:all-srcs", - "//vendor/github.com/coreos/go-oidc/oidc:all-srcs", + "//vendor/github.com/coreos/go-oidc:all-srcs", "//vendor/github.com/coreos/go-semver/semver:all-srcs", "//vendor/github.com/coreos/go-systemd/daemon:all-srcs", "//vendor/github.com/coreos/go-systemd/dbus:all-srcs", @@ -132,9 +128,6 @@ filegroup( "//vendor/github.com/coreos/go-systemd/util:all-srcs", "//vendor/github.com/coreos/pkg/capnslog:all-srcs", "//vendor/github.com/coreos/pkg/dlopen:all-srcs", - "//vendor/github.com/coreos/pkg/health:all-srcs", - "//vendor/github.com/coreos/pkg/httputil:all-srcs", - "//vendor/github.com/coreos/pkg/timeutil:all-srcs", "//vendor/github.com/coreos/rkt/api/v1alpha:all-srcs", "//vendor/github.com/cpuguy83/go-md2man/md2man:all-srcs", "//vendor/github.com/cyphar/filepath-securejoin:all-srcs", @@ -314,6 +307,7 @@ filegroup( "//vendor/github.com/pkg/errors:all-srcs", "//vendor/github.com/pkg/sftp:all-srcs", "//vendor/github.com/pmezard/go-difflib/difflib:all-srcs", + "//vendor/github.com/pquerna/cachecontrol:all-srcs", "//vendor/github.com/prometheus/client_golang/prometheus:all-srcs", "//vendor/github.com/prometheus/client_model/go:all-srcs", "//vendor/github.com/prometheus/common/expfmt:all-srcs", diff --git a/vendor/github.com/coreos/go-oidc/.gitignore b/vendor/github.com/coreos/go-oidc/.gitignore new file mode 100644 index 00000000000..c96f2f47bc6 --- /dev/null +++ b/vendor/github.com/coreos/go-oidc/.gitignore @@ -0,0 +1,2 @@ +/bin +/gopath diff --git a/vendor/github.com/coreos/go-oidc/.travis.yml b/vendor/github.com/coreos/go-oidc/.travis.yml new file mode 100644 index 00000000000..f2f3c9c81ff --- /dev/null +++ b/vendor/github.com/coreos/go-oidc/.travis.yml @@ -0,0 +1,16 @@ +language: go + +go: + - 1.7.5 + - 1.8 + +install: + - go get -v -t github.com/coreos/go-oidc/... + - go get golang.org/x/tools/cmd/cover + - go get github.com/golang/lint/golint + +script: + - ./test + +notifications: + email: false diff --git a/vendor/github.com/coreos/go-oidc/jose/BUILD b/vendor/github.com/coreos/go-oidc/BUILD similarity index 58% rename from vendor/github.com/coreos/go-oidc/jose/BUILD rename to vendor/github.com/coreos/go-oidc/BUILD index 82f18a17fbb..6caa4780d01 100644 --- a/vendor/github.com/coreos/go-oidc/jose/BUILD +++ b/vendor/github.com/coreos/go-oidc/BUILD @@ -3,17 +3,18 @@ load("@io_bazel_rules_go//go:def.bzl", "go_library") go_library( name = "go_default_library", srcs = [ - "claims.go", - "doc.go", "jose.go", - "jwk.go", - "jws.go", - "jwt.go", - "sig.go", - "sig_rsa.go", + "jwks.go", + "oidc.go", + "verify.go", ], - importpath = "github.com/coreos/go-oidc/jose", + importpath = "github.com/coreos/go-oidc", visibility = ["//visibility:public"], + deps = [ + "//vendor/github.com/pquerna/cachecontrol:go_default_library", + "//vendor/golang.org/x/oauth2:go_default_library", + "//vendor/gopkg.in/square/go-jose.v2:go_default_library", + ], ) filegroup( diff --git a/vendor/github.com/coreos/go-oidc/CONTRIBUTING.md b/vendor/github.com/coreos/go-oidc/CONTRIBUTING.md new file mode 100644 index 00000000000..6662073a848 --- /dev/null +++ b/vendor/github.com/coreos/go-oidc/CONTRIBUTING.md @@ -0,0 +1,71 @@ +# How to Contribute + +CoreOS projects are [Apache 2.0 licensed](LICENSE) and accept contributions via +GitHub pull requests. This document outlines some of the conventions on +development workflow, commit message formatting, contact points and other +resources to make it easier to get your contribution accepted. + +# Certificate of Origin + +By contributing to this project you agree to the Developer Certificate of +Origin (DCO). This document was created by the Linux Kernel community and is a +simple statement that you, as a contributor, have the legal right to make the +contribution. See the [DCO](DCO) file for details. + +# Email and Chat + +The project currently uses the general CoreOS email list and IRC channel: +- Email: [coreos-dev](https://groups.google.com/forum/#!forum/coreos-dev) +- IRC: #[coreos](irc://irc.freenode.org:6667/#coreos) IRC channel on freenode.org + +Please avoid emailing maintainers found in the MAINTAINERS file directly. They +are very busy and read the mailing lists. + +## Getting Started + +- Fork the repository on GitHub +- Read the [README](README.md) for build and test instructions +- Play with the project, submit bugs, submit patches! + +## Contribution Flow + +This is a rough outline of what a contributor's workflow looks like: + +- Create a topic branch from where you want to base your work (usually master). +- Make commits of logical units. +- Make sure your commit messages are in the proper format (see below). +- Push your changes to a topic branch in your fork of the repository. +- Make sure the tests pass, and add any new tests as appropriate. +- Submit a pull request to the original repository. + +Thanks for your contributions! + +### Format of the Commit Message + +We follow a rough convention for commit messages that is designed to answer two +questions: what changed and why. The subject line should feature the what and +the body of the commit should describe the why. + +``` +scripts: add the test-cluster command + +this uses tmux to setup a test cluster that you can easily kill and +start for debugging. + +Fixes #38 +``` + +The format can be described more formally as follows: + +``` +: + + + +