# See the OWNERS docs at https://go.k8s.io/owners

approvers:
  - sig-auth-authenticators-approvers
reviewers:
  - sig-auth-authenticators-reviewers
labels:

func New(
	ca CertificateAuthority,
	ttl time.Duration,
	authenticators []security.Authenticator,
	controller multicluster.ComponentBuilder,
) (*Server, error) {
	certBundle := ca.GetCAKeyCertBundle()
	if len(certBundle.GetRootCertPem()) != 0 {
		recordCertsExpiry(certBundle)
	}

	server := &Server{
		Authenticators: authenticators,
		serverCertTTL:  ttl,
		ca:             ca,

// authenticate authenticates the ADS request using the configured authenticators.
// Returns the validated principals or an error.
// If no authenticators are configured, or if the request is on a non-secure
// stream ( 15010 ) - returns an empty list of principals and no errors.
func (s *DiscoveryServer) authenticate(ctx context.Context) ([]string, error) {
	c, err := security.Authenticate(ctx, s.Authenticators)
	if c != nil {
		return c.Identities, nil
	}

		response := &pb.IstioCertificateResponse{
			CertChain: []string{},
		}
		return response, nil
	}
	id := []string{"client-identity"}
	if len(s.Authenticators) > 0 {
		caller, err := security.Authenticate(ctx, s.Authenticators)
		if caller == nil || err != nil {
			return nil, status.Error(codes.Unauthenticated, "request authenticate failure")
		}
		id = caller.Identities
	}

		ca := fuzz.Struct[mockca.FakeCA](fg)
		ca.SignErr = caerror.NewError(caerror.CSRError, fmt.Errorf("cannot sign"))
		server := &Server{
			ca:             &ca,
			Authenticators: []security.Authenticator{&mockAuthenticator{}},
			monitoring:     newMonitoringMetrics(),
		}
		_, _ = server.CreateCertificate(context.Background(), &csr)
	})

import (
	"net/http"

	utilerrors "k8s.io/apimachinery/pkg/util/errors"
	"k8s.io/apiserver/pkg/authentication/authenticator"
)

// unionAuthRequestHandler authenticates requests using a chain of authenticator.Requests
type unionAuthRequestHandler struct {
	// Handlers is a chain of request authenticators to delegate to
	Handlers []authenticator.Request
	// FailOnError determines whether an error returns short-circuits the chain
	FailOnError bool
}

	}
	if len(features.TrustedGatewayCIDR) > 0 {
		authenticators = append(authenticators, &authenticate.XfccAuthenticator{})
	}
	if features.XDSAuth {
		s.XDSServer.Authenticators = authenticators
	}
	caOpts.Authenticators = authenticators

	// Start CA or RA server. This should be called after CA and Istiod certs have been created.
	s.startCA(caOpts)

// The first error short-circuits the chain.
func NewFailOnError(authTokenHandlers ...authenticator.Token) authenticator.Token {
	if len(authTokenHandlers) == 1 {
		return authTokenHandlers[0]
	}
	return &unionAuthTokenHandler{Handlers: authTokenHandlers, FailOnError: true}
}

// AuthenticateToken authenticates the token using a chain of authenticator.Token objects.

	// other authenticators may run before or after the JWT authenticators.
	// The specific position of JWT authenticators in relation to other
	// authenticators is neither defined nor stable across releases.  Since
	// each JWT authenticator must have a unique issuer URL, at most one
	// JWT authenticator will attempt to cryptographically validate the token.
	//

	// other authenticators may run before or after the JWT authenticators.
	// The specific position of JWT authenticators in relation to other
	// authenticators is neither defined nor stable across releases.  Since
	// each JWT authenticator must have a unique issuer URL, at most one
	// JWT authenticator will attempt to cryptographically validate the token.
	//