
JobSink: Reject unauthorized requests #8166

Closed
creydr opened this issue Aug 19, 2024 · 0 comments · Fixed by #8169
creydr commented Aug 19, 2024

We need to verify in the job-sink that a request is authorized. Therefore we should do the following in the job sink handler:

  • Get the OIDC identity of the sender
  • In case the JobSink's .status.policies is set:
    • check if the sender's identity is a subject of any of the linked EventPolicies (in their .status.from[]).
      • If it is present: continue with the request
      • If not: reject the request with a 403 status code
  • In case the JobSink's .status.policies is empty:
    • Check the default-authorization-mode and do the following depending on its value:
      • allow-all: Continue with the request
      • deny-all: reject the request with a 403 status code
      • allow-same-namespace: check if the sender's identity is from the same namespace as the Broker. If so, continue with the request, otherwise reject with a 403

For this we can reuse the existing VerifyRequest method from the TokenVerifier and switch from VerifyJWTFromRequest to VerifyRequest (similar to what was done in #8105).

We should also add an e2e test for the above scenarios.

Prerequisites:

Additional context:

Additional hints for new contributors before starting with this issue:

  1. When the issue has the Draft status, the issue is subject to change and thus should not be worked on yet
  2. Make sure you've read and understood the CONTRIBUTING.md guidelines
  3. Make sure you're able to run Knative Eventing locally and run at least the unit tests.
  4. Feel free to raise any questions you have either directly here in the issue, in the #knative-eventing Slack channel, or by joining the Eventing Workgroup Meeting
  5. When you feel comfortable with this issue, feel free to assign it to yourself (e.g. by commenting /assign). Please be aware that we might unassign you if we don't see any progress from your side, to also give other contributors a chance to work on this issue.
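The decision tree described in the issue (linked EventPolicies first, default-authorization-mode as the fallback, 403 on rejection), written out as an added Go example. This is illustrative code, not code from Knative Eventing or from the linked PR; all type and function names (`EventPolicyStatus`, `Authorize`, `WithAuthorization`, `getIdentity`) are hypothetical. It assumes the sender identity is a Kubernetes service-account subject of the form `system:serviceaccount:<namespace>:<name>`, that a subject in `.status.from[]` ending in `*` matches any identity with that prefix, that a request with no verified OIDC identity gets 401, and that the "same namespace" comparison is made against the namespace of the receiving resource.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// AuthMode mirrors the three default-authorization-mode values named in the issue.
type AuthMode string

const (
	AllowAll           AuthMode = "allow-all"
	DenyAll            AuthMode = "deny-all"
	AllowSameNamespace AuthMode = "allow-same-namespace"
)

// EventPolicyStatus stands in for the resolved subjects of one linked
// EventPolicy (.status.from[]). Type name and shape are assumptions.
type EventPolicyStatus struct {
	Name string
	From []string // e.g. "system:serviceaccount:ns:sa" or "system:serviceaccount:ns:*"
}

// Decision is the outcome: Allowed, plus the HTTP status to send when rejecting.
type Decision struct {
	Allowed bool
	Status  int
	Reason  string
}

// identityNamespace extracts the namespace from a service-account subject of the
// form system:serviceaccount:<namespace>:<name>; returns "" for anything else.
func identityNamespace(identity string) string {
	parts := strings.Split(identity, ":")
	if len(parts) != 4 || parts[0] != "system" || parts[1] != "serviceaccount" {
		return ""
	}
	return parts[2]
}

// subjectMatches compares one policy subject against the sender identity.
// Assumption: a subject ending in "*" matches any identity with that prefix.
func subjectMatches(subject, identity string) bool {
	if strings.HasSuffix(subject, "*") {
		return strings.HasPrefix(identity, strings.TrimSuffix(subject, "*"))
	}
	return subject == identity
}

// Authorize implements the decision tree from the issue:
//   - policies linked (non-empty): allow only if some policy lists the identity
//   - no policies: fall back to the default-authorization-mode
func Authorize(identity string, policies []EventPolicyStatus, mode AuthMode, sinkNamespace string) Decision {
	if identity == "" {
		// No verified OIDC identity at all: treated as unauthenticated (assumed status).
		return Decision{Allowed: false, Status: http.StatusUnauthorized, Reason: "no OIDC identity"}
	}
	if len(policies) > 0 {
		for _, p := range policies {
			for _, s := range p.From {
				if subjectMatches(s, identity) {
					return Decision{Allowed: true, Status: http.StatusOK, Reason: "allowed by EventPolicy " + p.Name}
				}
			}
		}
		return Decision{Allowed: false, Status: http.StatusForbidden, Reason: "identity not in any linked EventPolicy"}
	}
	switch mode {
	case AllowAll:
		return Decision{Allowed: true, Status: http.StatusOK, Reason: "default mode allow-all"}
	case AllowSameNamespace:
		if identityNamespace(identity) == sinkNamespace {
			return Decision{Allowed: true, Status: http.StatusOK, Reason: "same namespace"}
		}
		return Decision{Allowed: false, Status: http.StatusForbidden, Reason: "different namespace"}
	default:
		// deny-all, and any unrecognised mode value, fails closed.
		return Decision{Allowed: false, Status: http.StatusForbidden, Reason: "default mode " + string(mode)}
	}
}

// WithAuthorization wraps the sink handler. getIdentity stands in for the token
// verifier that yields the sender's OIDC subject ("" when none was verified).
func WithAuthorization(next http.Handler, getIdentity func(*http.Request) string,
	policies []EventPolicyStatus, mode AuthMode, sinkNamespace string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		d := Authorize(getIdentity(r), policies, mode, sinkNamespace)
		if !d.Allowed {
			http.Error(w, d.Reason, d.Status)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	// Constructed sample: one linked policy that admits a single producer.
	policies := []EventPolicyStatus{{Name: "allow-producer", From: []string{"system:serviceaccount:apps:producer"}}}
	for _, id := range []string{"system:serviceaccount:apps:producer", "system:serviceaccount:other:sa"} {
		d := Authorize(id, policies, DenyAll, "apps")
		fmt.Printf("%-40s allowed=%v status=%d (%s)\n", id, d.Allowed, d.Status, d.Reason)
	}
}
```

Note that once a policy is linked the default mode is never consulted: a sender outside every policy is rejected even under allow-all, which is the behaviour the issue's first branch asks for. Unknown mode values fall through to the deny branch so a misconfiguration fails closed rather than open.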
@creydr creydr self-assigned this Aug 20, 2024
@creydr creydr added the triage/accepted Issues which should be fixed (post-triage) label Aug 20, 2024
This issue was closed.