Reject unauthorized requests in JobSink
creydr committed Aug 20, 2024
1 parent bf945f9 commit 9c763ec
Showing 1 changed file with 11 additions and 21 deletions.
32 changes: 11 additions & 21 deletions cmd/jobsink/main.go
@@ -191,22 +191,19 @@ func (h *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
Name: parts[2],
}

logger.Debug("Handling POST request", zap.String("URI", r.RequestURI))

features := feature.FromContext(ctx)
logger.Debug("features", zap.Any("features", features))

if features.IsOIDCAuthentication() {
logger.Debug("OIDC authentication is enabled")
js, err := h.lister.JobSinks(ref.Namespace).Get(ref.Name)
if err != nil {
logger.Warn("Failed to retrieve jobsink", zap.String("ref", ref.String()), zap.Error(err))
w.WriteHeader(http.StatusBadRequest)
return
}

audience := auth.GetAudienceDirect(sinksv.SchemeGroupVersion.WithKind("JobSink"), ref.Namespace, ref.Name)
logger.Debug("Handling POST request", zap.String("URI", r.RequestURI))

err := h.oidcTokenVerifier.VerifyJWTFromRequest(ctx, r, &audience, w)
if err != nil {
logger.Warn("Error when validating the JWT token in the request", zap.Error(err))
return
}
logger.Debug("Request contained a valid JWT. Continuing...")
err = h.oidcTokenVerifier.VerifyRequest(ctx, feature.FromContext(ctx), js.Status.Address.Audience, js.Namespace, js.Status.Policies, r, w)
if err != nil {
logger.Warn("Failed to verify AuthN and AuthZ.", zap.Error(err))
return
}

message := cehttp.NewMessageFromHttpRequest(r)
@@ -225,13 +222,6 @@ func (h *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
return
}

js, err := h.lister.JobSinks(ref.Namespace).Get(ref.Name)
if err != nil {
logger.Warn("Failed to retrieve jobsink", zap.String("ref", ref.String()), zap.Error(err))
w.WriteHeader(http.StatusBadRequest)
return
}

id := toIdHashLabelValue(event.Source(), event.ID())
logger.Debug("Getting job for event", zap.String("URI", r.RequestURI), zap.String("id", id))

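Review bot: `js.Status.Address.Audience` in the new `VerifyRequest` call is dereferenced on every POST without checking that the JobSink's status address has been populated. If `Status.Address` is a pointer, as it is in Knative's addressable status types (the type is not visible in this hunk, so please confirm), a request that arrives before the JobSink is reconciled would panic the handler before any authentication or authorization decision is made. A guard such as `if js.Status.Address == nil` that logs, writes an error status and returns ahead of the call would make that failure explicit. Separately, the lister lookup now runs before verification and answers every lookup failure with 400, so an unauthenticated caller gets a different response for a missing JobSink than for an existing one; it is worth deciding whether that difference is acceptable. ServeHTTP starts and ends outside the hunks shown.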
