From 6274697f1d8c6abcac67d1804d940a1f1e867ac2 Mon Sep 17 00:00:00 2001
From: joyxxi
Date: Wed, 17 Jul 2024 11:15:44 -0700
Subject: [PATCH] mt-broker ingress: Reject unauthorized requests

---
 pkg/broker/ingress/ingress_handler.go | 15 +++++----------
 1 file changed, 5 insertions(+), 10 deletions(-)

diff --git a/pkg/broker/ingress/ingress_handler.go b/pkg/broker/ingress/ingress_handler.go
index fc9bc0778a6..1cd2d755917 100644
--- a/pkg/broker/ingress/ingress_handler.go
+++ b/pkg/broker/ingress/ingress_handler.go
@@ -231,16 +231,11 @@ func (h *Handler) ServeHTTP(writer http.ResponseWriter, request *http.Request) {
 	}
 
 	features := feature.FromContext(ctx)
-	if features.IsOIDCAuthentication() {
-		h.Logger.Debug("OIDC authentication is enabled")
-
-		err = h.tokenVerifier.VerifyJWTFromRequest(ctx, request, broker.Status.Address.Audience, writer)
-		if err != nil {
-			h.Logger.Warn("Error when validating the JWT token in the request", zap.Error(err))
-			return
-		}
-
-		h.Logger.Debug("Request contained a valid JWT. Continuing...")
+	err = h.tokenVerifier.VerifyRequest(ctx, features, broker.Status.Address.Audience, brokerNamespace, broker.Status.Policies, request, writer)
+	if err != nil {
+		h.Logger.Warn("Failed to verify AuthN and AuthZ.", zap.Error(err))
+		writer.WriteHeader(http.StatusForbidden)
+		return
 	}
 
 	ctx, span := trace.StartSpan(ctx, tracing.BrokerMessagingDestination(brokerNamespacedName))
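Review bot: The new `if err != nil` branch answers every verification failure with `writer.WriteHeader(http.StatusForbidden)`, yet `VerifyRequest` is still handed `writer` (as `VerifyJWTFromRequest` was before), so if the verifier writes its own status — say 401 for a missing or invalid token — this becomes a second WriteHeader call that net/http ignores and logs as superfluous; either drop the `writer` argument so ServeHTTP is the sole owner of the response status, or have the verifier distinguish authentication from authorization failures so a missing/invalid token yields 401 and a policy denial yields 403. The removed `features.IsOIDCAuthentication()` gate also means verification now runs unconditionally, so a comment such as `// VerifyRequest is expected to be a no-op when OIDC authentication is disabled in features` would make the presumed contract explicit until confirmed against the verifier. The log message could drop its trailing period to match the other messages in the file. ServeHTTP starts and ends outside the hunk.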