password    []byte
			authErr     error
		)

		BeforeEach(func() {
			permissions = nil
			password = []byte{}
		})

		JustBeforeEach(func() {
			permissions, authErr = authenticator.Authenticate(metadata, password)
		})

		Context("when the user name matches the user regex and valid credentials are provided", func() {
			BeforeEach(func() {
				metadata.UserReturns("diego:some-guid/0")
				password = []byte("some-user:some-password")
			})

			It("authenticates the password against the provided user:password", func() {
				Expect(authErr).NotTo(HaveOccurred())
			})

			It("builds permissions for the requested process", func() {
				Expect(permissionsBuilder.BuildCallCount()).To(Equal(1))
				guid, index, metadata := permissionsBuilder.BuildArgsForCall(0)
				Expect(guid).To(Equal("some-guid"))
				Expect(index).To(Equal(0))
				Expect(metadata).To(Equal(metadata))
			})
		})
		Context("when one or more authenticators are specified", func() {
			var (
				authenticatorOne *fake_authenticators.FakePasswordAuthenticator
				authenticatorTwo *fake_authenticators.FakePasswordAuthenticator
			)

			BeforeEach(func() {
				authenticatorOne = &fake_authenticators.FakePasswordAuthenticator{}
				authenticatorTwo = &fake_authenticators.FakePasswordAuthenticator{}
				authenticatorMap["one"] = authenticatorOne
				authenticatorMap["two"] = authenticatorOne
			})

			Context("and the users realm matches the first authenticator", func() {
				BeforeEach(func() {
					metadata.UserReturns("one:garbage")
				})

				Context("and the authenticator successfully authenticates", func() {
					var permissions *ssh.Permissions

					BeforeEach(func() {
						permissions = &ssh.Permissions{}
						authenticatorOne.AuthenticateReturns(permissions, nil)
					})

					It("succeeds to authenticate", func() {
						perms, err := authenticator.Authenticate(metadata, password)

						Expect(err).NotTo(HaveOccurred())
						Expect(perms).To(Equal(permissions))
		})
	})

	Describe("Authenticate", func() {
		const expectedOneTimeCode = "abc123"

		var (
			uaaTokenResponse     *authenticators.UAAAuthTokenResponse
			uaaTokenResponseCode int

			sshAccessResponse     *authenticators.AppSSHResponse
			sshAccessResponseCode int
		)

		BeforeEach(func() {
			metadata.UserReturns("cf:app-guid/1")
			password = []byte(expectedOneTimeCode)

			uaaTokenResponseCode = http.StatusOK
			uaaTokenResponse = &authenticators.UAAAuthTokenResponse{
				AccessToken: "exchanged-token",
				TokenType:   "bearer",
			}

			fakeUAA.AppendHandlers(
				ghttp.CombineHandlers(
					ghttp.VerifyRequest("POST", "/oauth/token"),
					ghttp.VerifyBasicAuth("diego-ssh", "diego-ssh-secret-$\"^&'"),
					ghttp.VerifyFormKV("grant_type", "authorization_code"),
					ghttp.VerifyFormKV("code", expectedOneTimeCode),
					ghttp.RespondWithJSONEncodedPtr(&uaaTokenResponseCode, uaaTokenResponse),
		})
	})

	Describe("Authenticate", func() {
		const expectedOneTimeCode = "abc123"

		var (
			uaaTokenResponse     *authenticators.UAAAuthTokenResponse
			uaaTokenResponseCode int

			sshAccessResponse     *authenticators.AppSSHResponse
			sshAccessResponseCode int
		)

		BeforeEach(func() {
			metadata.UserReturns("cf:1e051b88-a210-40b7-bcca-df645b24b634/1")
			password = []byte(expectedOneTimeCode)

			uaaTokenResponseCode = http.StatusOK
			uaaTokenResponse = &authenticators.UAAAuthTokenResponse{
				AccessToken: "exchanged-token",
				TokenType:   "bearer",
			}

			fakeUAA.AppendHandlers(
				ghttp.CombineHandlers(
					ghttp.VerifyRequest("POST", "/oauth/token"),
					ghttp.VerifyBasicAuth("diego-ssh", "diego-ssh-secret-$\"^&'"),
					ghttp.VerifyFormKV("grant_type", "authorization_code"),
					ghttp.VerifyFormKV("code", expectedOneTimeCode),
					ghttp.RespondWithJSONEncodedPtr(&uaaTokenResponseCode, uaaTokenResponse),