
InMemoryChannel: reject request for wrong audience #7449

Merged
merged 12 commits into from
Dec 5, 2023

Conversation

Leo6Leo
Member

@Leo6Leo Leo6Leo commented Nov 14, 2023

Fixes #7289

Proposed Changes

  • If OIDC authentication is enabled, imc will check if the audience of the received token matches the audience of the broker. If not, it will respond with a 401.

Pre-review Checklist

  • At least 80% unit test coverage
  • E2E tests for any new behavior
  • Docs PR for any user-facing impact
  • Spec PR for any new API feature
  • Conformance test for any change to the spec

Backporting

  • [] Upstream
  • [] Midstream

Release Note


Docs
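The receiver-side behaviour the PR describes, as an added example that is not code from this PR or from the Knative repository: when OIDC is enabled, a request to the channel must carry a bearer token whose `aud` claim contains the channel's expected audience, and anything else (no token, a token that fails verification, or a token minted for a different audience) is answered with 401. The `TokenVerifier` interface, the `staticVerifier` stand-in, the audience string and the token values are all constructed for the example; a real verifier would validate the signature, issuer and expiry against the cluster's OIDC discovery document before the audience check runs.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Claims holds the subset of verified OIDC claims the receiver acts on.
type Claims struct {
	Subject  string
	Audience []string
}

// TokenVerifier checks a token's signature, issuer and expiry and returns its
// claims. This interface is an assumption made for the example so the audience
// check can be shown in isolation; it is not Knative's pkg/auth API.
type TokenVerifier interface {
	Verify(rawToken string) (*Claims, error)
}

// staticVerifier is a constructed stand-in for a real verifier: it maps
// already-verified token strings to their claims.
type staticVerifier map[string]*Claims

func (s staticVerifier) Verify(rawToken string) (*Claims, error) {
	if c, ok := s[rawToken]; ok {
		return c, nil
	}
	return nil, errors.New("token signature or issuer invalid")
}

// hasAudience reports whether the aud claim names the expected audience.
// aud is a set in OIDC, so one matching entry is enough.
func hasAudience(aud []string, expected string) bool {
	for _, a := range aud {
		if a == expected {
			return true
		}
	}
	return false
}

// requireAudience gates the receiver: with OIDC enabled, every request needs a
// verifiable bearer token whose audience matches the channel's own audience,
// otherwise the request is rejected with 401 before the event is fanned out.
func requireAudience(oidcEnabled bool, verifier TokenVerifier, channelAudience string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !oidcEnabled {
			next.ServeHTTP(w, r)
			return
		}
		authz := r.Header.Get("Authorization")
		if !strings.HasPrefix(authz, "Bearer ") {
			http.Error(w, "missing bearer token", http.StatusUnauthorized)
			return
		}
		claims, err := verifier.Verify(strings.TrimPrefix(authz, "Bearer "))
		if err != nil {
			http.Error(w, "invalid token", http.StatusUnauthorized)
			return
		}
		if !hasAudience(claims.Audience, channelAudience) {
			http.Error(w, "token audience does not match channel audience", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// channelAudience and the verifier contents are constructed sample values.
const channelAudience = "imc-receiver.example-ns.svc"

var sampleVerifier = staticVerifier{
	"token-for-this-channel":  {Subject: "system:serviceaccount:ns:broker", Audience: []string{channelAudience}},
	"token-for-other-channel": {Subject: "system:serviceaccount:ns:broker", Audience: []string{"other-channel.example-ns.svc"}},
}

// deliver sends one event to the guarded receiver and returns the HTTP status
// the sender would see, so the behaviour is observable without a live server.
func deliver(oidcEnabled bool, authorization string) int {
	accept := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusAccepted)
	})
	h := requireAudience(oidcEnabled, sampleVerifier, channelAudience, accept)
	req := httptest.NewRequest(http.MethodPost, "/", nil)
	if authorization != "" {
		req.Header.Set("Authorization", authorization)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	fmt.Println("oidc off, no token: ", deliver(false, ""))
	fmt.Println("matching audience:  ", deliver(true, "Bearer token-for-this-channel"))
	fmt.Println("wrong audience:     ", deliver(true, "Bearer token-for-other-channel"))
	fmt.Println("no token:           ", deliver(true, ""))
}
```

The audience check is deliberately separate from signature verification: a token that is perfectly valid for another channel in the same cluster still verifies, so only the `aud` comparison stops it from being replayed against this receiver. Rejecting before fan-out also means a mis-addressed token never reaches any subscriber.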


knative-prow bot commented Nov 14, 2023

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@knative-prow knative-prow bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Nov 14, 2023
@knative-prow knative-prow bot requested review from aslom and Cali0707 November 14, 2023 14:26
@knative-prow knative-prow bot added the size/M Denotes a PR that changes 30-99 lines, ignoring generated files. label Nov 14, 2023

codecov bot commented Nov 23, 2023

Codecov Report

Attention: 34 lines in your changes are missing coverage. Please review.

Comparison is base (3fcc78a) 76.70% compared to head (c01f073) 76.48%.
Report is 2 commits behind head on main.

❗ Current head c01f073 differs from pull request most recent head 27f4517. Consider uploading reports for the commit 27f4517 to get more accurate results

Files                                                   Patch %   Lines
pkg/channel/event_receiver.go                           17.14%    27 Missing and 2 partials
...iler/inmemorychannel/dispatcher/inmemorychannel.go   66.66%    2 Missing and 1 partial
pkg/channel/fanout/fanout_event_handler.go              80.00%    2 Missing
Additional details and impacted files
@@            Coverage Diff             @@
##             main    #7449      +/-   ##
==========================================
- Coverage   76.70%   76.48%   -0.23%     
==========================================
  Files         259      259              
  Lines       14254    14315      +61     
==========================================
+ Hits        10934    10949      +15     
- Misses       2765     2807      +42     
- Partials      555      559       +4     


Co-authored-by: Christoph Stäbler <cstabler@redhat.com>
@knative-prow knative-prow bot added the area/test-and-release Test infrastructure, tests or release label Nov 23, 2023
@Leo6Leo Leo6Leo marked this pull request as ready for review November 24, 2023 06:10
@creydr
Member

creydr commented Nov 24, 2023

@Cali0707 as I worked together with @Leo6Leo on this, my review is probably a bit "biased" 😁 and should be done by someone else.
Could you review this PR?

Regarding the failing TestBrokerSupportsOIDC auth test: this is because the broker ingress does not yet authenticate the requests to the underlying channel, while with this PR, the channel requires a valid token if oidc is enabled. #7473 should fix it.

Review threads (all resolved) on:
  • pkg/channel/event_receiver.go
  • pkg/channel/fanout/fanout_event_handler.go (outdated)
  • test/auth/oidc_test.go
  • pkg/auth/token_verifier.go (two threads, outdated)
@knative-prow knative-prow bot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Dec 4, 2023
@Leo6Leo Leo6Leo changed the title [WIP] InMemoryChannel: reject request for wrong audience InMemoryChannel: reject request for wrong audience Dec 4, 2023
@knative-prow knative-prow bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Dec 4, 2023
@Leo6Leo
Member Author

Leo6Leo commented Dec 4, 2023

/cc @Cali0707 @pierDipi

Ready for review

Member

@Cali0707 Cali0707 left a comment


Just one small nit @Leo6Leo

Review thread (resolved, outdated) on pkg/channel/event_receiver.go
Signed-off-by: Leo Li <leoli@redhat.com>
Member

@Cali0707 Cali0707 left a comment


/lgtm
/approve

Thanks @Leo6Leo !!

@knative-prow knative-prow bot added the lgtm Indicates that a PR is ready to be merged. label Dec 4, 2023

knative-prow bot commented Dec 4, 2023

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Cali0707, Leo6Leo

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@knative-prow knative-prow bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Dec 4, 2023
@Cali0707
Member

Cali0707 commented Dec 4, 2023

/hold

In case you have any final opinions @creydr, I noticed you still have 1 change requested in the GitHub UI

@knative-prow knative-prow bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Dec 4, 2023
@creydr
Member

creydr commented Dec 5, 2023

Thanks @Cali0707 for checking this. My review points were addressed 👍

/unhold

@knative-prow knative-prow bot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Dec 5, 2023
@knative-prow knative-prow bot merged commit 83125a9 into knative:main Dec 5, 2023
32 of 33 checks passed