vendor: update buildkit to 2943a0838
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
29
vendor/k8s.io/client-go/plugin/pkg/client/auth/oidc/oidc.go
generated
vendored
29
vendor/k8s.io/client-go/plugin/pkg/client/auth/oidc/oidc.go
generated
vendored
@ -31,11 +31,11 @@ import (
|
||||
"golang.org/x/oauth2"
|
||||
"k8s.io/apimachinery/pkg/util/net"
|
||||
restclient "k8s.io/client-go/rest"
|
||||
"k8s.io/klog"
|
||||
"k8s.io/klog/v2"
|
||||
)
|
||||
|
||||
const (
|
||||
cfgIssuerUrl = "idp-issuer-url"
|
||||
cfgIssuerURL = "idp-issuer-url"
|
||||
cfgClientID = "client-id"
|
||||
cfgClientSecret = "client-secret"
|
||||
cfgCertificateAuthority = "idp-certificate-authority"
|
||||
@ -76,24 +76,25 @@ func newClientCache() *clientCache {
|
||||
}
|
||||
|
||||
type cacheKey struct {
|
||||
clusterAddress string
|
||||
// Canonical issuer URL string of the provider.
|
||||
issuerURL string
|
||||
clientID string
|
||||
}
|
||||
|
||||
func (c *clientCache) getClient(issuer, clientID string) (*oidcAuthProvider, bool) {
|
||||
func (c *clientCache) getClient(clusterAddress, issuer, clientID string) (*oidcAuthProvider, bool) {
|
||||
c.mu.RLock()
|
||||
defer c.mu.RUnlock()
|
||||
client, ok := c.cache[cacheKey{issuer, clientID}]
|
||||
client, ok := c.cache[cacheKey{clusterAddress: clusterAddress, issuerURL: issuer, clientID: clientID}]
|
||||
return client, ok
|
||||
}
|
||||
|
||||
// setClient attempts to put the client in the cache but may return any clients
|
||||
// with the same keys set before. This is so there's only ever one client for a provider.
|
||||
func (c *clientCache) setClient(issuer, clientID string, client *oidcAuthProvider) *oidcAuthProvider {
|
||||
func (c *clientCache) setClient(clusterAddress, issuer, clientID string, client *oidcAuthProvider) *oidcAuthProvider {
|
||||
c.mu.Lock()
|
||||
defer c.mu.Unlock()
|
||||
key := cacheKey{issuer, clientID}
|
||||
key := cacheKey{clusterAddress: clusterAddress, issuerURL: issuer, clientID: clientID}
|
||||
|
||||
// If another client has already initialized a client for the given provider we want
|
||||
// to use that client instead of the one we're trying to set. This is so all transports
|
||||
@ -107,10 +108,10 @@ func (c *clientCache) setClient(issuer, clientID string, client *oidcAuthProvide
|
||||
return client
|
||||
}
|
||||
|
||||
func newOIDCAuthProvider(_ string, cfg map[string]string, persister restclient.AuthProviderConfigPersister) (restclient.AuthProvider, error) {
|
||||
issuer := cfg[cfgIssuerUrl]
|
||||
func newOIDCAuthProvider(clusterAddress string, cfg map[string]string, persister restclient.AuthProviderConfigPersister) (restclient.AuthProvider, error) {
|
||||
issuer := cfg[cfgIssuerURL]
|
||||
if issuer == "" {
|
||||
return nil, fmt.Errorf("Must provide %s", cfgIssuerUrl)
|
||||
return nil, fmt.Errorf("Must provide %s", cfgIssuerURL)
|
||||
}
|
||||
|
||||
clientID := cfg[cfgClientID]
|
||||
@ -119,7 +120,7 @@ func newOIDCAuthProvider(_ string, cfg map[string]string, persister restclient.A
|
||||
}
|
||||
|
||||
// Check cache for existing provider.
|
||||
if provider, ok := cache.getClient(issuer, clientID); ok {
|
||||
if provider, ok := cache.getClient(clusterAddress, issuer, clientID); ok {
|
||||
return provider, nil
|
||||
}
|
||||
|
||||
@ -157,7 +158,7 @@ func newOIDCAuthProvider(_ string, cfg map[string]string, persister restclient.A
|
||||
persister: persister,
|
||||
}
|
||||
|
||||
return cache.setClient(issuer, clientID, provider), nil
|
||||
return cache.setClient(clusterAddress, issuer, clientID, provider), nil
|
||||
}
|
||||
|
||||
type oidcAuthProvider struct {
|
||||
@ -215,7 +216,7 @@ func (r *roundTripper) RoundTrip(req *http.Request) (*http.Response, error) {
|
||||
return r.wrapped.RoundTrip(r2)
|
||||
}
|
||||
|
||||
func (t *roundTripper) WrappedRoundTripper() http.RoundTripper { return t.wrapped }
|
||||
func (r *roundTripper) WrappedRoundTripper() http.RoundTripper { return r.wrapped }
|
||||
|
||||
func (p *oidcAuthProvider) idToken() (string, error) {
|
||||
p.mu.Lock()
|
||||
@ -239,7 +240,7 @@ func (p *oidcAuthProvider) idToken() (string, error) {
|
||||
}
|
||||
|
||||
// Determine provider's OAuth2 token endpoint.
|
||||
tokenURL, err := tokenEndpoint(p.client, p.cfg[cfgIssuerUrl])
|
||||
tokenURL, err := tokenEndpoint(p.client, p.cfg[cfgIssuerURL])
|
||||
if err != nil {
|
||||
return "", err
|
||||
}
|
||||
@ -262,7 +263,7 @@ func (p *oidcAuthProvider) idToken() (string, error) {
|
||||
// providers (Okta) don't return this value.
|
||||
//
|
||||
// See https://github.com/kubernetes/kubernetes/issues/36847
|
||||
return "", fmt.Errorf("token response did not contain an id_token, either the scope \"openid\" wasn't requested upon login, or the provider doesn't support id_tokens as part of the refresh response.")
|
||||
return "", fmt.Errorf("token response did not contain an id_token, either the scope \"openid\" wasn't requested upon login, or the provider doesn't support id_tokens as part of the refresh response")
|
||||
}
|
||||
|
||||
// Create a new config to persist.
|
||||
|