InMemoryChannel ingress: Reject unauthorized requests #7981
Comments
I would like to work on it, @creydr could you please assign it to me?

/assign

Hello @7h3-3mp7y-m4n, is there anything I can help you with regarding this issue?

Hey @7h3-3mp7y-m4n, are you still planning to work on it?

@7h3-3mp7y-m4n Thanks for picking up the issue. If you're still working on this issue, please let me know within the next 24 hours. We understand that plans and priorities can change, and if you're no longer able to continue with this task, that's completely okay! In case I don't hear back from you in the next 24 hours, I'll reassign the issue to @rahulii to ensure our workflow continues smoothly.

Hey @Leo6Leo, I'm sorry for creating a mess, I was caught up in my exams, but yeah I'll definitely work on this and get in touch on Slack. Sorry for not responding.

Since there are no updates regarding this and we are really close to the deadline, I can take this up.

@rahulii: As we didn't see any progress on this, I think you can take this over if you want!

I was learning about the code base and trying to implement the function as it was said, but it's okay if you don't find me a perfect fit to fix this.

@7h3-3mp7y-m4n it's not about being the perfect fit, you can open a draft PR and ask for review. If you still feel you can pull this off abiding by the timelines, please LMK, I will assign it to you.

Thanks for the PR @7h3-3mp7y-m4n, and @rahulii feel free to review the PR! Ping me if any of you have any questions.

/assign @7h3-3mp7y-m4n
We need to verify in the channel receiver that a request is authorized. Therefore we should do the following in the event receiver handler:

- If `.status.policies` is set: the request is authorized only if the sender's identity is listed in one of the referenced `EventPolicies` (in their `.status.from[]`); otherwise reject it with a `403` status code.
- If `.status.policies` is empty: check the `default-authorization-mode` feature flag and do the following depending on its value:
  - `allow-all`: continue with the request
  - `deny-all`: reject the request with a `403` status code
  - `allow-same-namespace`: check if the sender's identity is from the same namespace as the Broker. If so, continue with the request, otherwise reject with a `403`

We should also add an e2e test for the above scenarios.
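The decision logic above as a single fail-closed function, written here as an added example (not knative's code): the `Subject` and `EventPolicy` types, and the fact that the sender identity has already been derived from a validated request token, are assumptions.

```go
package main

import (
	"fmt"
	"net/http"
)

// Subject is the sender identity the receiver has derived from the
// validated token on the request (assumed representation).
type Subject struct {
	Namespace      string
	ServiceAccount string
}

// EventPolicy mirrors only the part of a referenced policy that matters
// here: its resolved .status.from[] list of allowed senders (assumption).
type EventPolicy struct {
	From []Subject
}

// Authorize returns the HTTP status the receiver should answer with before
// accepting the event: 200 to continue, 403 to reject. When policies are
// referenced they alone decide; otherwise default-authorization-mode does.
func Authorize(sender Subject, receiverNamespace string, policies []EventPolicy, defaultMode string) int {
	if len(policies) > 0 {
		for _, p := range policies {
			for _, allowed := range p.From {
				if allowed == sender {
					return http.StatusOK
				}
			}
		}
		return http.StatusForbidden // referenced policies, none lists the sender
	}
	switch defaultMode {
	case "allow-all":
		return http.StatusOK
	case "deny-all":
		return http.StatusForbidden
	case "allow-same-namespace":
		if sender.Namespace == receiverNamespace {
			return http.StatusOK
		}
		return http.StatusForbidden
	default:
		return http.StatusForbidden // unknown flag value: fail closed
	}
}

func main() {
	s := Subject{Namespace: "sender-ns", ServiceAccount: "producer"} // constructed
	fmt.Println(Authorize(s, "chan-ns", nil, "allow-same-namespace"))  // 403
	fmt.Println(Authorize(s, "sender-ns", nil, "allow-same-namespace")) // 200
}
```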
Prerequisites:

- `default-authorization-mode` feature flag #7974
- `.status.policies` #7977

Additional context:
Additional hints for new contributors before starting with this issue:

- `Draft` status: the issue is subject to change and thus should not be started to be worked on.
- Assign yourself with `/assign`. Please be aware that we might unassign you if we don't see any progress from your side, to give other contributors also a chance to work on this issue.