mt-broker ingress: Reject unauthorized requests

[joyxxi]

Fixes #7980

Proposed Changes

• Replace the logic of deprecated function VerifyJWTFromRequest with VerifyRequest in ingress_handler
• Handle both AuthN and AuthZ in the request
• Check broker.Status.Address.audience before proceeding verification

Pre-review Checklist

• At least 80% unit test coverage
• E2E tests for any new behavior
• Docs PR for any user-facing impact
• Spec PR for any new API feature
• Conformance test for any change to the spec

Release Note

Docs

[linux-foundation-easycla]

The committers listed above are authorized under a signed CLA.

• ✅ login: joyxxi / name: Zhixi Xu (6274697, a9a3cb8, 76eb3b0)

[knative-prow]

Welcome @joyxxi! It looks like this is your first PR to knative/eventing 🎉

[knative-prow]

Hi @joyxxi. Thanks for your PR.

I'm waiting for a knative member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[joyxxi]

@Cali0707 Hi Calum, the unit tests start to fail from “valid (happy path POST)“, and here is the error message:

=== RUN   TestHandler_ServeHTTP/valid_(happy_path_POST)
    /Users/nanwang/go/src/knative.dev/eventing/pkg/broker/ingress/logger.go:146: 2024-07-17T19:00:58.411-0700 ERRORauth/token_verifier.go:68       could not initialize provider. You can ignore this message, when the authentication-oidc feature is disabled{error 26 0  could not load Kubernetes OIDC discovery information: could not get response: Get "https://kubernetes.default.svc/.well-known/openid-configuration": EOF}        {"component": "oidc-token-handler"}
--- FAIL: TestHandler_ServeHTTP/valid_(happy_path_POST) (0.16s)
--- FAIL: TestHandler_ServeHTTP (1.08s)
panic: runtime error: invalid memory address or nil pointer dereference [recovered]
        panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x2 addr=0x18 pc=0x105ce8298]

goroutine 40 [running]:
testing.tRunner.func1.2({0x106217ae0, 0x10757ec50})
        /usr/local/go/src/testing/testing.go:1631 +0x1c4
testing.tRunner.func1()
        /usr/local/go/src/testing/testing.go:1634 +0x33c
panic({0x106217ae0?, 0x10757ec50?})
        /usr/local/go/src/runtime/panic.go:770 +0x124
knative.dev/eventing/pkg/broker/ingress.(*Handler).ServeHTTP(0x1400027ec80, {0x1065389f0, 0x1400068c600}, 0x14000682b40)
        /Users/nanwang/go/src/knative.dev/eventing/pkg/broker/ingress/ingress_handler.go:234 +0xa08
knative.dev/eventing/pkg/broker/ingress.TestHandler_ServeHTTP.func1(0x1400059e1a0)
        /Users/nanwang/go/src/knative.dev/eventing/pkg/broker/ingress/ingress_handler_test.go:309 +0x56c
testing.tRunner(0x1400059e1a0, 0x1400000ee88)
        /usr/local/go/src/testing/testing.go:1689 +0xec
created by testing.(*T).Run in goroutine 11
        /usr/local/go/src/testing/testing.go:1742 +0x318
FAIL    knative.dev/eventing/pkg/broker/ingress 1.704s

I tried to trace the error, and it occurrs when calling VerifyRequest -> NewOIDCTokenVerifier -> initOIDCProvider -> getKubernetesOIDCDiscovery. I get the CertificateVerificationError when getting the resp, with message: “could not get response: Get \“https://kubernetes.default.svc/.well-known/openid-configuration\“: tls: failed to verify certificate: x509: certificate is valid for *.nextplaysearch.com, nextplaysearch.com, not kubernetes.default.svc”.

In the previous setup, the logic bypassed the verification step because features.IsOIDCAuthentication() returned false, so it never triggered h.tokenVerifier.VerifyJWTFromRequest, allowing the test to pass. When I isolated that function to run the test independently, I encountered the same error related to being unable to initialize the provider and received an invalid memory address error.

I’m currently unsure whether this issue arises from my local environment settings, the configuration in the test file, or if there are other underlying problems. 🤔

[Leo6Leo]

/ok-to-test

[codecov]

Codecov Report

Attention: Patch coverage is 28.57143% with 5 lines in your changes missing coverage. Please review.

Project coverage is 67.88%. Comparing base (57b52ea) to head (a9a3cb8).
Report is 9 commits behind head on main.

Files	Patch %	Lines
pkg/broker/ingress/ingress_handler.go	28.57%	3 Missing and 2 partials ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #8105      +/-   ##
==========================================
+ Coverage   67.80%   67.88%   +0.08%     
==========================================
  Files         367      368       +1     
  Lines       17373    17554     +181     
==========================================
+ Hits        11779    11917     +138     
- Misses       4859     4891      +32     
- Partials      735      746      +11     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[pierDipi]

Thanks @joyxxi left a small comment

[joyxxi]

/retest

[pierDipi]

/test reconciler-tests

[pierDipi]

/lgtm
/approve

[knative-prow]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: joyxxi, pierDipi

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [pierDipi]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[dsimansk]

/easycla