InMemoryChannel ingress: Reject unauthorized requests

[creydr]

We need to verify in the channel receiver, that an request is authorized. Therefor we should do the following in the event receiver handler:

• Get the OIDC identity of the sender
• In case the InMemoryChannels .status.policies is set:
  • check, if the senders identity is subject of any of the linked EventPolicies (in their .status.from[]).
    • If it is present: continue with the request
    • If not: reject the request with a 403 status code
• In case the InMemoryChannels .status.policies is empty:
  • Check the default-authorization-mode and do the following depending on its value:
    • allow-all: Continue with the request
    • deny-all: reject the request with a 403 status code
    • allow-same-namespace: check, if the senders identity is from the same namespace, as the Broker. If so, continue with the request, otherwise reject with a 403

We should also add an e2e test for the above scenarios

Prerequisites:

• Add Library to support on AuthZ #7985
• Add default-authorization-mode feature flag #7974
• List applying policies in InMemoryChannel .status.policies #7977
• Add rekt test resource for EventPolicy #8009

Additional context:

• Feature track document
• Update TokenVerifier to verify AuthZ too #8063 should help by providing the "verify methods"

Additional hints for new contributors before starting with this issue:

1. When the issue has the Draft status, the issue is subject to change and thus should not be started to be worked on
2. Make sure you've read and understood the CONTRIBUTING.md guidelines
3. Make sure you're able to run Knative Eventing locally and run at least the unit tests.
4. Feel free to raise any questions you have either directly here in the issue, in the #knative-eventing Slack channel or join the Eventing Workgroup Meeting
5. When you feel comfortable with this issue, feel free to assign it to you (e.g. by commenting /assign). Please be aware that we might unassign you, if we don't see any progress from your side to give other contributors also a chance to work on this issue.

[pratikkumar-mohite]

I would like to work on it, @creydr could you please assign it to me?

[7h3-3mp7y-m4n]

/assign

[Leo6Leo]

Hello @7h3-3mp7y-m4n , are there anything I can help you with regarding this issue?

[rahulii]

hey @7h3-3mp7y-m4n , are you still planning to work on it ?

[Leo6Leo]

@7h3-3mp7y-m4n Thanks for picking up the issue. If you're still working on this issue, please let me know within the next 24 hours. We understand that plans and priorities can change, and if you're no longer able to continue with this task, that's completely okay!

In case I don't hear back from you in the next 24 hours, I'll reassign the issue to @rahulii to ensure our workflow continues smoothly.

[7h3-3mp7y-m4n]

hey @Leo6Leo I'm sorry for creating a mess, I was caught up in my exams, but yeah I'll definitely work on this and get in touch on Slack. Sorry for not responding

[rahulii]

Since there are no updates regarding this and we are really close to the deadline, I can take this up.
/Cc: @Leo6Leo

[Leo6Leo]

@rahulii: As we didn't see any progress on this, I think you can take this over if you want!
/unassign @7h3-3mp7y-m4n
/assign @rahulii

[7h3-3mp7y-m4n]

I was learning about code base and trying to implement the function as it was said, but it's okay if you don't find me a perfect fit to fix this
Thanks for giving me this opportunity and I'm sorry that I failed you ...
All the best @rahulii

[rahulii]

@7h3-3mp7y-m4n it's not about being the perfect fit, you can open a draft PR and can ask for review. if you still feel you can pull this off abiding the timelines, please LMK, I will assign it to you.
Thanks!

[Leo6Leo]

Thanks for the PR @7h3-3mp7y-m4n , and @rahulii feel free to review the PR! Ping me if any of you have any questions.

[Leo6Leo]

/assign @7h3-3mp7y-m4n