
Refactor the code that rejects for wrong audience #7487

Closed
Leo6Leo opened this issue Dec 4, 2023 · 2 comments · Fixed by #7492
Labels:
- good first issue (Denotes an issue ready for a new contributor, according to the "help wanted" guidelines.)
- help wanted (Denotes an issue that needs help from a contributor. Must meet "help wanted" guidelines.)
- kind/good-first-issue (Denotes an issue ready for a new contributor.)
- triage/accepted (Issues which should be fixed (post-triage).)

Comments

@Leo6Leo
Member

Leo6Leo commented Dec 4, 2023

Currently we have multiple places which validate the OIDC audience of an incoming request. E.g.:

```go
// Here we do the OIDC audience verification
features := feature.FromContext(ctx)
if features.IsOIDCAuthentication() {
	r.logger.Debug("OIDC authentication is enabled")
	token := auth.GetJWTFromHeader(request.Header)
	if token == "" {
		r.logger.Warn(fmt.Sprintf("No JWT in %s header provided while feature %s is enabled", auth.AuthHeaderKey, feature.OIDCAuthentication))
		response.WriteHeader(nethttp.StatusUnauthorized)
		return
	}
	if _, err := r.tokenVerifier.VerifyJWT(ctx, token, r.audience); err != nil {
		r.logger.Warn("no valid JWT provided", zap.Error(err))
		response.WriteHeader(nethttp.StatusUnauthorized)
		return
	}
	r.logger.Debug("Request contained a valid JWT. Continuing...")
} else {
	r.logger.Debug("OIDC authentication is disabled")
}
```

```go
features := feature.FromContext(ctx)
if features.IsOIDCAuthentication() {
	h.Logger.Debug("OIDC authentication is enabled")
	if broker.Status.Address.Audience == nil {
		h.Logger.Warn(fmt.Sprintf("Audience of broker %s/%s must not be nil, while feature %s is enabled", broker.Name, broker.Namespace, feature.OIDCAuthentication))
		writer.WriteHeader(http.StatusInternalServerError)
		return
	}
	token := auth.GetJWTFromHeader(request.Header)
	if token == "" {
		h.Logger.Warn(fmt.Sprintf("No JWT in %s header provided while feature %s is enabled", auth.AuthHeaderKey, feature.OIDCAuthentication))
		writer.WriteHeader(http.StatusUnauthorized)
		return
	}
	if _, err := h.tokenVerifier.VerifyJWT(ctx, token, *broker.Status.Address.Audience); err != nil {
		h.Logger.Warn("no valid JWT provided", zap.Error(err))
		writer.WriteHeader(http.StatusUnauthorized)
		return
	}
	h.Logger.Debug("Request contained a valid JWT. Continuing...")
}
```

or

```go
features := feature.FromContext(ctx)
if features.IsOIDCAuthentication() {
	h.logger.Debug("OIDC authentication is enabled")
	token := auth.GetJWTFromHeader(request.Header)
	if token == "" {
		h.logger.Warn(fmt.Sprintf("No JWT in %s header provided while feature %s is enabled", auth.AuthHeaderKey, feature.OIDCAuthentication))
		writer.WriteHeader(http.StatusUnauthorized)
		return
	}
	if _, err := h.tokenVerifier.VerifyJWT(ctx, token, FilterAudience); err != nil {
		h.logger.Warn("no valid JWT provided", zap.Error(err))
		writer.WriteHeader(http.StatusUnauthorized)
		return
	}
	h.logger.Debug("Request contained a valid JWT. Continuing...")
}
```

(and maybe others).

As they all have a similar logic, this could be refactored into a common method and reused.

Originally posted by @Cali0707 in #7449 (comment)
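A shared helper of the kind the issue asks for, as an added example; it is neither the project's code nor the fix that landed in #7492. The `Authorization` header name, the simplified `VerifyJWT` signature and the stand-in `GetJWTFromHeader` are assumptions; the helper returns the status the handler should write so each caller keeps its own logger but drops its private copy of the decision rules:

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net/http"
	"strings"
)

// AuthHeaderKey stands in for auth.AuthHeaderKey (header name assumed).
const AuthHeaderKey = "Authorization"

// TokenVerifier is the minimal shape the handlers rely on; the signature is
// assumed (the real VerifyJWT also returns claims, which the handlers discard).
type TokenVerifier interface {
	VerifyJWT(ctx context.Context, token, audience string) error
}

// VerifierFunc adapts a plain function to TokenVerifier (useful in tests).
type VerifierFunc func(ctx context.Context, token, audience string) error

func (f VerifierFunc) VerifyJWT(ctx context.Context, t, a string) error { return f(ctx, t, a) }

// GetJWTFromHeader stands in for auth.GetJWTFromHeader: the bearer token, or "".
func GetJWTFromHeader(h http.Header) string {
	v := h.Get(AuthHeaderKey)
	if !strings.HasPrefix(v, "Bearer ") {
		return ""
	}
	return strings.TrimPrefix(v, "Bearer ")
}

// CheckRequestAuth is the one decision the three handlers above would share.
// It returns the status to write (0 when the request may proceed) and the reason.
// A nil audience is a server misconfiguration (500); a missing or rejected JWT is 401.
func CheckRequestAuth(ctx context.Context, v TokenVerifier, audience *string, h http.Header) (int, error) {
	if audience == nil {
		return http.StatusInternalServerError, errors.New("audience must not be nil while OIDC authentication is enabled")
	}
	token := GetJWTFromHeader(h)
	if token == "" {
		return http.StatusUnauthorized, fmt.Errorf("no JWT in %s header provided while OIDC authentication is enabled", AuthHeaderKey)
	}
	if err := v.VerifyJWT(ctx, token, *audience); err != nil {
		return http.StatusUnauthorized, fmt.Errorf("no valid JWT provided: %w", err)
	}
	return 0, nil
}
```

The nil-audience case covers the broker handler, while the receiver and filter handlers simply pass the address of their string audience.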

@Leo6Leo Leo6Leo changed the title Could we refactor this into a method in the auth package? I.e. something similar to https://github.com/knative/eventing/issues/7377? Refactor the code that rejects for wrong audience Dec 4, 2023
@Leo6Leo
Member Author

Leo6Leo commented Dec 4, 2023

/assign

@creydr creydr added help wanted Denotes an issue that needs help from a contributor. Must meet "help wanted" guidelines. kind/good-first-issue Denotes an issue ready for a new contributor. good first issue Denotes an issue ready for a new contributor, according to the "help wanted" guidelines. labels Dec 4, 2023
@Leo6Leo Leo6Leo moved this to 🏗 In progress in Eventing Sender Identity Dec 5, 2023
@Cali0707
Member

Cali0707 commented Dec 5, 2023

/triage accepted

@knative-prow knative-prow bot added the triage/accepted Issues which should be fixed (post-triage) label Dec 5, 2023
@github-project-automation github-project-automation bot moved this from 🏗 In progress to ✅ Done in Eventing Sender Identity Dec 14, 2023