Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

mt-broker-ingress check audience of received token #7336

Merged
merged 4 commits into from
Oct 19, 2023
Merged

mt-broker-ingress check audience of received token #7336

merged 4 commits into from
Oct 19, 2023

Conversation

creydr
Copy link
Member

@creydr creydr commented Oct 6, 2023
edited
Loading

Fixes #7290

Proposed Changes

  • 🎁 If OIDC authentication is enabled, mt-broker-ingress will check if the audience of the received token matches the audience of the broker. If not it will respond with a 401

/hold
until we have knative-extensions/reconciler-test#595 for the tests

mt-broker-ingress: verify the audience of the received JWT if OIDC authentication is enabled

@knative-prow knative-prow bot added do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. approved Indicates a PR has been approved by an approver from all required OWNERS files. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. area/test-and-release Test infrastructure, tests or release labels Oct 6, 2023
@creydr creydr force-pushed the mt-broker-ingress-reject-request-for-wrong-audience branch 3 times, most recently from 1081cf6 to d948abb Compare October 12, 2023 12:02
@codecov
Copy link

codecov bot commented Oct 12, 2023
edited
Loading

Codecov Report

Attention: 34 lines in your changes are missing coverage. Please review.

Comparison is base (f9314d8) 76.87% compared to head (39ed673) 76.70%.
Report is 2 commits behind head on main.

Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #7336      +/-   ##
==========================================
- Coverage   76.87%   76.70%   -0.17%     
==========================================
  Files         252      253       +1     
  Lines       13822    13851      +29     
==========================================
  Hits        10625    10625              
- Misses       2667     2694      +27     
- Partials      530      532       +2
Files Coverage Δ
pkg/auth/utils.go 0.00% <0.00%> (ø)
pkg/broker/ingress/ingress_handler.go 52.77% <29.72%> (-4.15%) ⬇️

... and 1 file with indirect coverage changes

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@creydr
Copy link
Member Author

creydr commented Oct 13, 2023

/cc @pierDipi

I added some "conformance" tests for addressables in this PR too, to check, if they handle requests with OIDC tokens correctly.

@knative-prow knative-prow bot requested a review from pierDipi October 13, 2023 10:03
@creydr creydr force-pushed the mt-broker-ingress-reject-request-for-wrong-audience branch from e8af194 to 1d0de43 Compare October 16, 2023 06:42
@creydr creydr force-pushed the mt-broker-ingress-reject-request-for-wrong-audience branch from 1d0de43 to f3a17f3 Compare October 17, 2023 09:11
@creydr
Copy link
Member Author

creydr commented Oct 17, 2023

/cc @pierDipi

@creydr
Copy link
Member Author

creydr commented Oct 17, 2023

/unhold
as knative-extensions/reconciler-test#595 merged

@knative-prow knative-prow bot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Oct 17, 2023
@creydr
Copy link
Member Author

creydr commented Oct 18, 2023

Hi @pierDipi,
could you check on this?
We could also think about merging this after the release cut...

@pierDipi
Copy link
Member

I'm looking

pierDipi
pierDipi reviewed Oct 18, 2023
View reviewed changes
Copy link
Member

@pierDipi pierDipi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It looks good, just one edge case handling

@creydr creydr requested a review from pierDipi October 19, 2023 07:18
pierDipi
pierDipi reviewed Oct 19, 2023
View reviewed changes
test/auth/features/oidc/addressable_oidc_conformance.go
Comment on lines +50 to +53
AddressableRejectInvalidAudience(gvr, kind, name),
AddressableRejectCorruptedSignature(gvr, kind, name),
AddressableRejectExpiredToken(gvr, kind, name),
AddressableAllowsValidRequest(gvr, kind, name),
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If these functions are only used internally, can we make them package private?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same for the top level one, I believe only AddressableOIDCConformance should be public

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I agree. Currently we have only the problem, that some addressables have the audience feature implemented, but not the token validation (and vice versa). So they fail on AddressableOIDCConformance yet - only either AddressableOIDCTokenConformance or AddressableHasAudiencePopulated.
But IMO no issue with making AddressableReject* and AddressableAllowsValidRequest private.

pierDipi
pierDipi approved these changes Oct 19, 2023
View reviewed changes
Copy link
Member

@pierDipi pierDipi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm
/approve

Non blocking comment

@knative-prow knative-prow bot added the lgtm Indicates that a PR is ready to be merged. label Oct 19, 2023
@knative-prow
Copy link

knative-prow bot commented Oct 19, 2023

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: creydr, pierDipi

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@creydr
Copy link
Member Author

creydr commented Oct 19, 2023

/retest

@knative-prow knative-prow bot merged commit 16d75a9 into knative:main Oct 19, 2023
38 of 41 checks passed
@creydr creydr mentioned this pull request Oct 19, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@pierDipi pierDipi pierDipi approved these changes

@evankanderson evankanderson Awaiting requested review from evankanderson

@lberk lberk Awaiting requested review from lberk

Assignees

@pierDipi pierDipi

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. area/test-and-release Test infrastructure, tests or release lgtm Indicates that a PR is ready to be merged. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

mt-broker-ingress: reject request for wrong audience
2 participants
@creydr @pierDipi