Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

mt-broker-filter: Allow only requests from Triggers Subscriptions OIDC ID #8147

Conversation

creydr
Copy link
Member

@creydr creydr commented Aug 12, 2024

Fixes #7989

Proposed Changes

  • 🎁 Update mt-broker-filter to allow only requests from the triggers subscription OIDC id

Release Note

mt-broker-filter: Allow only requests from Triggers Subscriptions OIDC ID

@knative-prow knative-prow bot added the size/L Denotes a PR that changes 100-499 lines, ignoring generated files. label Aug 12, 2024
Copy link

knative-prow bot commented Aug 12, 2024

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: creydr

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@knative-prow knative-prow bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Aug 12, 2024
@knative-prow knative-prow bot requested review from aslom and matzew August 12, 2024 05:32
Copy link

codecov bot commented Aug 12, 2024

Codecov Report

Attention: Patch coverage is 46.80851% with 25 lines in your changes missing coverage. Please review.

Project coverage is 67.75%. Comparing base (ecb6c01) to head (897d9ee).
Report is 5 commits behind head on main.

Files Patch % Lines
pkg/auth/token_verifier.go 0.00% 10 Missing ⚠️
pkg/broker/filter/filter_handler.go 60.00% 9 Missing and 1 partial ⚠️
pkg/reconciler/broker/resources/subscription.go 63.63% 1 Missing and 3 partials ⚠️
cmd/broker/filter/main.go 0.00% 1 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main    #8147      +/-   ##
==========================================
- Coverage   67.89%   67.75%   -0.14%     
==========================================
  Files         368      370       +2     
  Lines       17571    17915     +344     
==========================================
+ Hits        11930    12139     +209     
- Misses       4893     5001     +108     
- Partials      748      775      +27     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@creydr creydr force-pushed the mt-broker-filter-allow-only-requests-from-subscription-oidc-id branch 4 times, most recently from 9a249dc to 5ba81fe Compare August 12, 2024 06:32
@creydr creydr force-pushed the mt-broker-filter-allow-only-requests-from-subscription-oidc-id branch from 5ba81fe to 897d9ee Compare August 12, 2024 06:52
@creydr
Copy link
Member Author

creydr commented Aug 12, 2024

Can't really do a unit test, as tokenVerifier can only run inside a cluster, and for an e2e test it is too implementation specific :/. So tested via the following:

  • created a broker, sink and trigger...
  • run the tests to try to send events directly to the mt-broker-filter

with a token from the "default" service account:

k run curl --image=curlimages/curl --rm=true --restart=Never -ti -- -k -X POST -v -H "content-type: application/json"  -H "ce-specversion: 1.0" -H "ce-source: my/curl/command" -H "ce-type: my.demo.event" -H "ce-id: 0816" -H "Authorization: Bearer $(k create token default --audience "mt-broker-filter")" -d '{"name":"Hello"}' https://broker-filter.knative-eventing.svc.cluster.local/triggers/default/my-trigger/5d8c93e2-2837-41c8-a8f4-8710f11b427a
...
< HTTP/2 403

and in the mt-broker-filter logs:

{"level":"warn","ts":"2024-08-12T07:49:55.514Z","logger":"mt_broker_filter","caller":"filter/filter_handler.go:230","msg":"Error when validating the JWT token in the request","commit":"897d9ee-dirty","error":"token is from subject \"system:serviceaccount:default:default\", but only \"system:serviceaccount:default:my-broker-my-trigger-5d8c93e2-2ff563f9f3e3f325c50751600735ac587\" is allowed"}

then with a token from the SA which is of the triggers subscription:

k run curl --image=curlimages/curl --rm=true --restart=Never -ti -- -k -X POST -v -H "content-type: application/json"  -H "ce-specversion: 1.0" -H "ce-source: my/curl/command" -H "ce-type: my.demo.event" -H "ce-id: 0816" -H "Authorization: Bearer $(k create token my-broker-my-trigger-5d8c93e2-2ff563f9f3e3f325c50751600735ac587 --audience "mt-broker-filter")" -d '{"name":"Hello"}' https://broker-filter.knative-eventing.svc.cluster.local/triggers/default/my-trigger/5d8c93e2-2837-41c8-a8f4-8710f11b427a
...
< HTTP/2 400 #<- 400 is because of the sent events structure

and in the mt-broker-filter logs:

{"level":"debug","ts":"2024-08-12T07:54:53.365Z","logger":"mt_broker_filter","caller":"filter/filter_handler.go:234","msg":"Request contained a valid JWT. Continuing...","commit":"897d9ee-dirty"}

@creydr
Copy link
Member Author

creydr commented Aug 12, 2024

/cc @rahulii @Leo6Leo

@knative-prow knative-prow bot requested a review from rahulii August 12, 2024 08:04
@Leo6Leo
Copy link
Member

Leo6Leo commented Aug 12, 2024

/lgtm
I don't see any issues, and following the tests procedures above with my local build, get the same result. Thanks @creydr !

@knative-prow knative-prow bot added the lgtm Indicates that a PR is ready to be merged. label Aug 12, 2024
@creydr
Copy link
Member Author

creydr commented Aug 12, 2024

/test conformance-tests

@knative-prow knative-prow bot merged commit f0ccedc into knative:main Aug 12, 2024
35 of 36 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. lgtm Indicates that a PR is ready to be merged. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

mt-broker-filter: Allow only requests from Subscriptions OIDC ID
2 participants