upgrade to latest dependencies

bumping knative.dev/eventing ff37e4e...b58b30d: > b58b30d Add e2e test for Broker authorization (# 8132) > 20a64a1 [main] Update community files (# 8134) > 7237233 Default EventPolicy `.spec.from[].namespace` to EventPolicies namespace (# 8133) > 32f8491 update trust-manager to version 0.12.0 (# 8130) bumping golang.org/x/sync 14be23e...411f99e: > 411f99e LICENSE: update per Google Legal bumping knative.dev/pkg 433889b...0991b2f: > 0991b2f Update community files (# 3083) > c88d5da Bump github.com/tsenart/vegeta/v12 from 12.11.3 to 12.12.0 (# 3082) > cb30d00 Bump golang.org/x/sync from 0.7.0 to 0.8.0 (# 3081) bumping knative.dev/hack 441a19f...452e340: > 452e340 Update community files (# 392) bumping knative.dev/reconciler-test dd2ded3...0ff820e: > 0ff820e Update community files (# 747) > a2d1677 upgrade to latest dependencies (# 746) Signed-off-by: Knative Automation <automation@knative.team>
knative-extensions · Aug 9, 2024 · b6d9677 · b6d9677
1 parent 6025c96
commit b6d9677
Show file tree

Hide file tree

Showing 8 changed files with 422 additions and 22 deletions.
diff --git a/go.mod b/go.mod
@@ -20,10 +20,10 @@ require (
 	k8s.io/client-go v0.29.2
 	k8s.io/code-generator v0.29.2
 	k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00
-	knative.dev/eventing v0.42.1-0.20240801183138-ff37e4e2fc0f
-	knative.dev/hack v0.0.0-20240801232131-441a19fc9ead
-	knative.dev/pkg v0.0.0-20240802082807-433889b44ec7
-	knative.dev/reconciler-test v0.0.0-20240730134611-dd2ded3ede25
+	knative.dev/eventing v0.42.1-0.20240808211956-b58b30d96a50
+	knative.dev/hack v0.0.0-20240808014239-452e340cbb4b
+	knative.dev/pkg v0.0.0-20240808013630-0991b2f920f4
+	knative.dev/reconciler-test v0.0.0-20240808014154-0ff820e7a190
 	sigs.k8s.io/controller-runtime v0.15.2
 )
 
@@ -95,7 +95,7 @@ require (
 	golang.org/x/mod v0.19.0 // indirect
 	golang.org/x/net v0.27.0 // indirect
 	golang.org/x/oauth2 v0.21.0 // indirect
-	golang.org/x/sync v0.7.0 // indirect
+	golang.org/x/sync v0.8.0 // indirect
 	golang.org/x/sys v0.22.0 // indirect
 	golang.org/x/term v0.22.0 // indirect
 	golang.org/x/text v0.16.0 // indirect

diff --git a/go.sum b/go.sum
@@ -545,8 +545,8 @@ golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20220601150217-0de741cfad7f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.7.0 h1:YsImfSBoP9QPYL0xyKJPq0gcaJdG3rInoqxTWbfQu9M=
-golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sync v0.8.0 h1:3NFvSEYkUoMifnESzZl15y791HH1qU2xm6eCJU5ZPXQ=
+golang.org/x/sync v0.8.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -821,14 +821,14 @@ k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00 h1:aVUu9fTY98ivBPKR9Y5w/A
 k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00/go.mod h1:AsvuZPBlUDVuCdzJ87iajxtXuR9oktsTctW/R9wwouA=
 k8s.io/utils v0.0.0-20240102154912-e7106e64919e h1:eQ/4ljkx21sObifjzXwlPKpdGLrCfRziVtos3ofG/sQ=
 k8s.io/utils v0.0.0-20240102154912-e7106e64919e/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
-knative.dev/eventing v0.42.1-0.20240801183138-ff37e4e2fc0f h1:nxcX0qPKzBc/n+gFEhT2sWTnT5xbRdx1QH8TPsXMxqM=
-knative.dev/eventing v0.42.1-0.20240801183138-ff37e4e2fc0f/go.mod h1:sW8btFd57JF2hS2T92Jh/k1PgSOVTQdPzZODXaQs54E=
-knative.dev/hack v0.0.0-20240801232131-441a19fc9ead h1:ViH1OEO0LViKa6W61YKUpLzOp7CJCFL9yLyIojHIuQ8=
-knative.dev/hack v0.0.0-20240801232131-441a19fc9ead/go.mod h1:R0ritgYtjLDO9527h5vb5X6gfvt5LCrJ55BNbVDsWiY=
-knative.dev/pkg v0.0.0-20240802082807-433889b44ec7 h1:s64T+IESVOqH/2aE4XmNjKvWVCwMVs9xoCAN+y/MICo=
-knative.dev/pkg v0.0.0-20240802082807-433889b44ec7/go.mod h1:AjUNSfsVtV6jCU0rQkZGguiC0tzmIQM4YS6RTdtfJBQ=
-knative.dev/reconciler-test v0.0.0-20240730134611-dd2ded3ede25 h1:xN3rE1pYf0GKhLNzsSa8heHxd4yn1Mb0m8Qwv6FCr4w=
-knative.dev/reconciler-test v0.0.0-20240730134611-dd2ded3ede25/go.mod h1:2MK5Kr6hEzlqbkdWup+GqVrRVs3f0YR2UVnS+XyRabg=
+knative.dev/eventing v0.42.1-0.20240808211956-b58b30d96a50 h1:H+F/bX5nBigiJnfhydlt2NBB+sf6eIt2YZ9fGPJKW1s=
+knative.dev/eventing v0.42.1-0.20240808211956-b58b30d96a50/go.mod h1:sW8btFd57JF2hS2T92Jh/k1PgSOVTQdPzZODXaQs54E=
+knative.dev/hack v0.0.0-20240808014239-452e340cbb4b h1:pDzlX6d8cCbp5PDU9BdEIPJVI/4HLTM4mV2gMN1bKlk=
+knative.dev/hack v0.0.0-20240808014239-452e340cbb4b/go.mod h1:R0ritgYtjLDO9527h5vb5X6gfvt5LCrJ55BNbVDsWiY=
+knative.dev/pkg v0.0.0-20240808013630-0991b2f920f4 h1:ao+O7yRAMHJmW9f/1YaCv+YTg8WlCRUwo08B9QQGvqw=
+knative.dev/pkg v0.0.0-20240808013630-0991b2f920f4/go.mod h1:H+5rS2GEWpAZzrmQoXOEVq/1M77LLMhR7+4jZBMOQ24=
+knative.dev/reconciler-test v0.0.0-20240808014154-0ff820e7a190 h1:/wTrKcivj6TDqkADt2pQXNdtCsUH68sUKEmvYYHoZMc=
+knative.dev/reconciler-test v0.0.0-20240808014154-0ff820e7a190/go.mod h1:c7sotScqKgjO5QibmIG77za1uJbnFWrFsVHLhu6kJGA=
 rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
 rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
 rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=

diff --git a/vendor/golang.org/x/sync/LICENSE b/vendor/golang.org/x/sync/LICENSE
diff --git a/vendor/knative.dev/eventing/pkg/apis/eventing/v1alpha1/eventpolicy_defaults.go b/vendor/knative.dev/eventing/pkg/apis/eventing/v1alpha1/eventpolicy_defaults.go
@@ -28,4 +28,14 @@ func (ep *EventPolicy) SetDefaults(ctx context.Context) {
 }
 
 func (ets *EventPolicySpec) SetDefaults(ctx context.Context) {
+	for i := range ets.From {
+		ets.From[i].SetDefaults(ctx)
+	}
+}
+
+func (from *EventPolicySpecFrom) SetDefaults(ctx context.Context) {
+	if from.Ref != nil && from.Ref.Namespace == "" {
+		// default to event policies namespace
+		from.Ref.Namespace = apis.ParentMeta(ctx).Namespace
+	}
 }
diff --git a/vendor/knative.dev/eventing/test/rekt/features/broker/authz_feature.go b/vendor/knative.dev/eventing/test/rekt/features/broker/authz_feature.go
@@ -0,0 +1,157 @@
+/*
+Copyright 2024 The Knative Authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+	http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package broker
+
+import (
+	"context"
+
+	"github.com/cloudevents/sdk-go/v2/test"
+	sourcesv1 "knative.dev/eventing/pkg/apis/sources/v1"
+	"knative.dev/eventing/test/rekt/features/featureflags"
+	"knative.dev/eventing/test/rekt/resources/broker"
+	"knative.dev/eventing/test/rekt/resources/eventpolicy"
+	"knative.dev/eventing/test/rekt/resources/pingsource"
+	"knative.dev/eventing/test/rekt/resources/trigger"
+	duckv1 "knative.dev/pkg/apis/duck/v1"
+	"knative.dev/reconciler-test/pkg/eventshub"
+	"knative.dev/reconciler-test/pkg/eventshub/assert"
+	"knative.dev/reconciler-test/pkg/feature"
+	"knative.dev/reconciler-test/pkg/resources/service"
+)
+
+func BrokerSupportsAuthZ() *feature.FeatureSet {
+	return &feature.FeatureSet{
+		Name: "Broker supports authorization",
+		Features: []*feature.Feature{
+			BrokerAcceptsEventsFromAuthorizedSender(),
+			BrokerRejectsEventsFromUnauthorizedSender(),
+		},
+	}
+}
+
+func BrokerAcceptsEventsFromAuthorizedSender() *feature.Feature {
+	f := feature.NewFeatureNamed("Broker accepts events from a authorized sender")
+
+	f.Prerequisite("OIDC Authentication is enabled", featureflags.AuthenticationOIDCEnabled())
+	f.Prerequisite("transport encryption is strict", featureflags.TransportEncryptionStrict())
+	f.Prerequisite("should not run when Istio is enabled", featureflags.IstioDisabled())
+
+	source := feature.MakeRandomK8sName("source")
+	brokerName := feature.MakeRandomK8sName("broker")
+	sink := feature.MakeRandomK8sName("sink")
+	triggerName := feature.MakeRandomK8sName("trigger")
+	eventPolicyName := feature.MakeRandomK8sName("eventpolicy")
+
+	// Install the broker
+	f.Setup("Install Broker", broker.Install(brokerName, broker.WithEnvConfig()...))
+	f.Setup("Broker is ready", broker.IsReady(brokerName))
+	f.Setup("Broker is addressable", broker.IsAddressable(brokerName))
+
+	// Install the sink
+	f.Setup("Install Sink", eventshub.Install(
+		sink,
+		eventshub.StartReceiver,
+	))
+
+	f.Setup("Install the Trigger", trigger.Install(triggerName,
+		trigger.WithBrokerName(brokerName),
+		trigger.WithSubscriber(service.AsKReference(sink), "")))
+
+	f.Setup("Install the EventPolicy", eventpolicy.Install(
+		eventPolicyName,
+		eventpolicy.WithToRef(
+			broker.GVR().GroupVersion().WithKind("Broker"),
+			brokerName),
+		eventpolicy.WithFromRef(
+			pingsource.Gvr().GroupVersion().WithKind("PingSource"),
+			source,
+			""),
+	))
+
+	// Install source
+	f.Requirement("Install Pingsource", func(ctx context.Context, t feature.T) {
+		brokeruri, err := broker.Address(ctx, brokerName)
+		if err != nil {
+			t.Error("failed to get address of broker", err)
+		}
+
+		pingsource.Install(source,
+			pingsource.WithSink(&duckv1.Destination{URI: brokeruri.URL, CACerts: brokeruri.CACerts, Audience: brokeruri.Audience}),
+			pingsource.WithData("text/plain", "hello, world!"))(ctx, t)
+	})
+	f.Requirement("PingSource goes ready", pingsource.IsReady(source))
+
+	f.Alpha("Broker").
+		Must("accepts event from valid sender", assert.OnStore(sink).MatchEvent(
+			test.HasType(sourcesv1.PingSourceEventType)).AtLeast(1))
+
+	return f
+}
+
+func BrokerRejectsEventsFromUnauthorizedSender() *feature.Feature {
+	f := feature.NewFeatureNamed("Broker rejects events from an unauthorized sender")
+
+	f.Prerequisite("OIDC Authentication is enabled", featureflags.AuthenticationOIDCEnabled())
+	f.Prerequisite("transport encryption is strict", featureflags.TransportEncryptionStrict())
+	f.Prerequisite("should not run when Istio is enabled", featureflags.IstioDisabled())
+
+	source := feature.MakeRandomK8sName("source")
+	brokerName := feature.MakeRandomK8sName("broker")
+	sink := feature.MakeRandomK8sName("sink")
+	triggerName := feature.MakeRandomK8sName("trigger")
+	eventPolicyName := feature.MakeRandomK8sName("eventpolicy")
+
+	event := test.FullEvent()
+
+	// Install the broker
+	f.Setup("Install Broker", broker.Install(brokerName, broker.WithEnvConfig()...))
+	f.Setup("Broker is ready", broker.IsReady(brokerName))
+	f.Setup("Broker is addressable", broker.IsAddressable(brokerName))
+
+	// Install the sink
+	f.Setup("Install Sink", eventshub.Install(
+		sink,
+		eventshub.StartReceiver,
+	))
+
+	f.Setup("Install the Trigger", trigger.Install(triggerName,
+		trigger.WithBrokerName(brokerName),
+		trigger.WithSubscriber(service.AsKReference(sink), "")))
+	f.Setup("Trigger goes ready", trigger.IsReady(triggerName))
+
+	// Install an event policy for Broker allowing from a sample subject, to not fall back to the default-auth-mode
+	f.Setup("Install an EventPolicy", eventpolicy.Install(
+		eventPolicyName,
+		eventpolicy.WithToRef(
+			broker.GVR().GroupVersion().WithKind("Broker"),
+			brokerName),
+		eventpolicy.WithFromSubject("sample-sub")))
+
+	// Send event
+	f.Requirement("Install Source", eventshub.Install(
+		source,
+		eventshub.StartSenderToResourceTLS(broker.GVR(), brokerName, nil),
+		eventshub.InputEvent(event),
+	))
+
+	f.Alpha("Broker").
+		Must("event is sent", assert.OnStore(source).MatchSentEvent(
+			test.HasId(event.ID())).Exact(1)).
+		Must("broker rejects event with a 403 response", assert.OnStore(source).Match(assert.MatchStatusCode(403)).Exact(1))
+
+	return f
+}