Skip to content

Commit

Permalink
Rename TokenVerifier into Verifier
Browse files Browse the repository at this point in the history
  • Loading branch information
creydr committed Sep 16, 2024
1 parent 26da730 commit 830605a
Show file tree
Hide file tree
Showing 11 changed files with 44 additions and 44 deletions.
4 changes: 2 additions & 2 deletions cmd/broker/filter/main.go
Original file line number Diff line number Diff line change
Expand Up @@ -153,9 +153,9 @@ func main() {
oidcTokenProvider := auth.NewOIDCTokenProvider(ctx)
// We are running both the receiver (takes messages in from the Broker) and the dispatcher (send
// the messages to the triggers' subscribers) in this binary.
oidcTokenVerifier := auth.NewOIDCTokenVerifier(ctx, eventpolicyinformer.Get(ctx).Lister())
authVerifier := auth.NewVerifier(ctx, eventpolicyinformer.Get(ctx).Lister())
trustBundleConfigMapInformer := configmapinformer.Get(ctx, eventingtls.TrustBundleLabelSelector).Lister().ConfigMaps(system.Namespace())
handler, err = filter.NewHandler(logger, oidcTokenVerifier, oidcTokenProvider, triggerinformer.Get(ctx), brokerinformer.Get(ctx), subscriptioninformer.Get(ctx), reporter, trustBundleConfigMapInformer, ctxFunc)
handler, err = filter.NewHandler(logger, authVerifier, oidcTokenProvider, triggerinformer.Get(ctx), brokerinformer.Get(ctx), subscriptioninformer.Get(ctx), reporter, trustBundleConfigMapInformer, ctxFunc)
if err != nil {
logger.Fatal("Error creating Handler", zap.Error(err))
}
Expand Down
4 changes: 2 additions & 2 deletions cmd/broker/ingress/main.go
Original file line number Diff line number Diff line change
Expand Up @@ -168,9 +168,9 @@ func main() {
reporter := ingress.NewStatsReporter(env.ContainerName, kmeta.ChildName(env.PodName, uuid.New().String()))

oidcTokenProvider := auth.NewOIDCTokenProvider(ctx)
oidcTokenVerifier := auth.NewOIDCTokenVerifier(ctx, eventpolicyinformer.Get(ctx).Lister())
authVerifier := auth.NewVerifier(ctx, eventpolicyinformer.Get(ctx).Lister())
trustBundleConfigMapInformer := configmapinformer.Get(ctx, eventingtls.TrustBundleLabelSelector).Lister().ConfigMaps(system.Namespace())
handler, err = ingress.NewHandler(logger, reporter, broker.TTLDefaulter(logger, int32(env.MaxTTL)), brokerInformer, oidcTokenVerifier, oidcTokenProvider, trustBundleConfigMapInformer, ctxFunc)
handler, err = ingress.NewHandler(logger, reporter, broker.TTLDefaulter(logger, int32(env.MaxTTL)), brokerInformer, authVerifier, oidcTokenProvider, trustBundleConfigMapInformer, ctxFunc)
if err != nil {
logger.Fatal("Error creating Handler", zap.Error(err))
}
Expand Down
20 changes: 10 additions & 10 deletions cmd/jobsink/main.go
Original file line number Diff line number Diff line change
Expand Up @@ -115,10 +115,10 @@ func main() {
}

h := &Handler{
k8s: kubeclient.Get(ctx),
lister: jobsink.Get(ctx).Lister(),
withContext: ctxFunc,
oidcTokenVerifier: auth.NewOIDCTokenVerifier(ctx, eventpolicyinformer.Get(ctx).Lister()),
k8s: kubeclient.Get(ctx),
lister: jobsink.Get(ctx).Lister(),
withContext: ctxFunc,
authVerifier: auth.NewVerifier(ctx, eventpolicyinformer.Get(ctx).Lister()),
}

tlsConfig, err := getServerTLSConfig(ctx)
Expand Down Expand Up @@ -159,10 +159,10 @@ func main() {
}

type Handler struct {
k8s kubernetes.Interface
lister sinkslister.JobSinkLister
withContext func(ctx context.Context) context.Context
oidcTokenVerifier *auth.OIDCTokenVerifier
k8s kubernetes.Interface
lister sinkslister.JobSinkLister
withContext func(ctx context.Context) context.Context
authVerifier *auth.Verifier
}

func (h *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
Expand Down Expand Up @@ -201,7 +201,7 @@ func (h *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {

logger.Debug("Handling POST request", zap.String("URI", r.RequestURI))

err = h.oidcTokenVerifier.VerifyRequest(ctx, feature.FromContext(ctx), js.Status.Address.Audience, js.Namespace, js.Status.Policies, r, w)
err = h.authVerifier.VerifyRequest(ctx, feature.FromContext(ctx), js.Status.Address.Audience, js.Namespace, js.Status.Policies, r, w)
if err != nil {
logger.Warn("Failed to verify AuthN and AuthZ.", zap.Error(err))
return
Expand Down Expand Up @@ -373,7 +373,7 @@ func (h *Handler) handleGet(ctx context.Context, w http.ResponseWriter, r *http.

audience := auth.GetAudienceDirect(sinksv.SchemeGroupVersion.WithKind("JobSink"), ref.Namespace, ref.Name)

err := h.oidcTokenVerifier.VerifyJWTFromRequest(ctx, r, &audience, w)
err := h.authVerifier.VerifyJWTFromRequest(ctx, r, &audience, w)

Check failure on line 376 in cmd/jobsink/main.go

View workflow job for this annotation

GitHub Actions / style / Golang / Lint

SA1019: h.authVerifier.VerifyJWTFromRequest is deprecated: use Verifier.Verify() instead to bundle AuthN and AuthZ verification (staticcheck)
if err != nil {
logger.Warn("Error when validating the JWT token in the request", zap.Error(err))
return
Expand Down
26 changes: 13 additions & 13 deletions pkg/auth/token_verifier.go
Original file line number Diff line number Diff line change
Expand Up @@ -45,7 +45,7 @@ const (
kubernetesOIDCDiscoveryBaseURL = "https://kubernetes.default.svc"
)

type OIDCTokenVerifier struct {
type Verifier struct {
logger *zap.SugaredLogger
restConfig *rest.Config
provider *oidc.Provider
Expand All @@ -61,8 +61,8 @@ type IDToken struct {
AccessTokenHash string
}

func NewOIDCTokenVerifier(ctx context.Context, eventPolicyLister listerseventingv1alpha1.EventPolicyLister) *OIDCTokenVerifier {
tokenHandler := &OIDCTokenVerifier{
func NewVerifier(ctx context.Context, eventPolicyLister listerseventingv1alpha1.EventPolicyLister) *Verifier {
tokenHandler := &Verifier{
logger: logging.FromContext(ctx).With("component", "oidc-token-handler"),
restConfig: injection.GetConfig(ctx),
eventPolicyLister: eventPolicyLister,
Expand All @@ -77,16 +77,16 @@ func NewOIDCTokenVerifier(ctx context.Context, eventPolicyLister listerseventing

// VerifyJWTFromRequest verifies if the incoming request contains a correct JWT token
//
// Deprecated: use OIDCTokenVerifier.Verify() instead to bundle AuthN and AuthZ verification
func (v *OIDCTokenVerifier) VerifyJWTFromRequest(ctx context.Context, r *http.Request, audience *string, response http.ResponseWriter) error {
// Deprecated: use Verifier.Verify() instead to bundle AuthN and AuthZ verification
func (v *Verifier) VerifyJWTFromRequest(ctx context.Context, r *http.Request, audience *string, response http.ResponseWriter) error {
_, err := v.verifyAuthN(ctx, audience, r, response)

return err
}

// VerifyRequest verifies AuthN and AuthZ in the request. On verification errors, it sets the
// responses HTTP status and returns an error
func (v *OIDCTokenVerifier) VerifyRequest(ctx context.Context, features feature.Flags, requiredOIDCAudience *string, resourceNamespace string, policyRefs []duckv1.AppliedEventPolicyRef, req *http.Request, resp http.ResponseWriter) error {
func (v *Verifier) VerifyRequest(ctx context.Context, features feature.Flags, requiredOIDCAudience *string, resourceNamespace string, policyRefs []duckv1.AppliedEventPolicyRef, req *http.Request, resp http.ResponseWriter) error {
if !features.IsOIDCAuthentication() {
return nil
}
Expand All @@ -109,7 +109,7 @@ func (v *OIDCTokenVerifier) VerifyRequest(ctx context.Context, features feature.
// On verification errors, it sets the responses HTTP status and returns an error.
// This method is similar to VerifyRequest() except that VerifyRequestFromSubject()
// verifies in the AuthZ part that the request comes from a given subject.
func (v *OIDCTokenVerifier) VerifyRequestFromSubject(ctx context.Context, features feature.Flags, requiredOIDCAudience *string, allowedSubject string, req *http.Request, resp http.ResponseWriter) error {
func (v *Verifier) VerifyRequestFromSubject(ctx context.Context, features feature.Flags, requiredOIDCAudience *string, allowedSubject string, req *http.Request, resp http.ResponseWriter) error {
if !features.IsOIDCAuthentication() {
return nil
}
Expand All @@ -128,7 +128,7 @@ func (v *OIDCTokenVerifier) VerifyRequestFromSubject(ctx context.Context, featur
}

// verifyAuthN verifies if the incoming request contains a correct JWT token
func (v *OIDCTokenVerifier) verifyAuthN(ctx context.Context, audience *string, req *http.Request, resp http.ResponseWriter) (*IDToken, error) {
func (v *Verifier) verifyAuthN(ctx context.Context, audience *string, req *http.Request, resp http.ResponseWriter) (*IDToken, error) {
token := GetJWTFromHeader(req.Header)
if token == "" {
resp.WriteHeader(http.StatusUnauthorized)
Expand All @@ -150,7 +150,7 @@ func (v *OIDCTokenVerifier) verifyAuthN(ctx context.Context, audience *string, r
}

// verifyAuthZ verifies if the given idToken is allowed by the resources eventPolicyStatus
func (v *OIDCTokenVerifier) verifyAuthZ(ctx context.Context, features feature.Flags, idToken *IDToken, resourceNamespace string, policyRefs []duckv1.AppliedEventPolicyRef, req *http.Request, resp http.ResponseWriter) error {
func (v *Verifier) verifyAuthZ(ctx context.Context, features feature.Flags, idToken *IDToken, resourceNamespace string, policyRefs []duckv1.AppliedEventPolicyRef, req *http.Request, resp http.ResponseWriter) error {
if len(policyRefs) > 0 {
req, err := copyRequest(req)
if err != nil {
Expand Down Expand Up @@ -204,7 +204,7 @@ func (v *OIDCTokenVerifier) verifyAuthZ(ctx context.Context, features feature.Fl
}

// verifyJWT verifies the given JWT for the expected audience and returns the parsed ID token.
func (v *OIDCTokenVerifier) verifyJWT(ctx context.Context, jwt, audience string) (*IDToken, error) {
func (v *Verifier) verifyJWT(ctx context.Context, jwt, audience string) (*IDToken, error) {
if v.provider == nil {
return nil, fmt.Errorf("provider is nil. Is the OIDC provider config correct?")
}
Expand All @@ -228,7 +228,7 @@ func (v *OIDCTokenVerifier) verifyJWT(ctx context.Context, jwt, audience string)
}, nil
}

func (v *OIDCTokenVerifier) initOIDCProvider(ctx context.Context) error {
func (v *Verifier) initOIDCProvider(ctx context.Context) error {
discovery, err := v.getKubernetesOIDCDiscovery()
if err != nil {
return fmt.Errorf("could not load Kubernetes OIDC discovery information: %w", err)
Expand Down Expand Up @@ -256,7 +256,7 @@ func (v *OIDCTokenVerifier) initOIDCProvider(ctx context.Context) error {
return nil
}

func (v *OIDCTokenVerifier) getHTTPClientForKubeAPIServer() (*http.Client, error) {
func (v *Verifier) getHTTPClientForKubeAPIServer() (*http.Client, error) {
client, err := rest.HTTPClientFor(v.restConfig)
if err != nil {
return nil, fmt.Errorf("could not create HTTP client from rest config: %w", err)
Expand All @@ -265,7 +265,7 @@ func (v *OIDCTokenVerifier) getHTTPClientForKubeAPIServer() (*http.Client, error
return client, nil
}

func (v *OIDCTokenVerifier) getKubernetesOIDCDiscovery() (*openIDMetadata, error) {
func (v *Verifier) getKubernetesOIDCDiscovery() (*openIDMetadata, error) {
client, err := v.getHTTPClientForKubeAPIServer()
if err != nil {
return nil, fmt.Errorf("could not get HTTP client for API server: %w", err)
Expand Down
4 changes: 2 additions & 2 deletions pkg/broker/filter/filter_handler.go
Original file line number Diff line number Diff line change
Expand Up @@ -90,12 +90,12 @@ type Handler struct {
logger *zap.Logger
withContext func(ctx context.Context) context.Context
filtersMap *subscriptionsapi.FiltersMap
tokenVerifier *auth.OIDCTokenVerifier
tokenVerifier *auth.Verifier
EventTypeCreator *eventtype.EventTypeAutoHandler
}

// NewHandler creates a new Handler and its associated EventReceiver.
func NewHandler(logger *zap.Logger, tokenVerifier *auth.OIDCTokenVerifier, oidcTokenProvider *auth.OIDCTokenProvider, triggerInformer v1.TriggerInformer, brokerInformer v1.BrokerInformer, subscriptionInformer messaginginformers.SubscriptionInformer, reporter StatsReporter, trustBundleConfigMapLister corev1listers.ConfigMapNamespaceLister, wc func(ctx context.Context) context.Context) (*Handler, error) {
func NewHandler(logger *zap.Logger, tokenVerifier *auth.Verifier, oidcTokenProvider *auth.OIDCTokenProvider, triggerInformer v1.TriggerInformer, brokerInformer v1.BrokerInformer, subscriptionInformer messaginginformers.SubscriptionInformer, reporter StatsReporter, trustBundleConfigMapLister corev1listers.ConfigMapNamespaceLister, wc func(ctx context.Context) context.Context) (*Handler, error) {
kncloudevents.ConfigureConnectionArgs(&kncloudevents.ConnectionArgs{
MaxIdleConns: defaultMaxIdleConnections,
MaxIdleConnsPerHost: defaultMaxIdleConnectionsPerHost,
Expand Down
8 changes: 4 additions & 4 deletions pkg/broker/filter/filter_handler_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -444,7 +444,7 @@ func TestReceiver(t *testing.T) {

logger := zaptest.NewLogger(t, zaptest.WrapOptions(zap.AddCaller()))
oidcTokenProvider := auth.NewOIDCTokenProvider(ctx)
oidcTokenVerifier := auth.NewOIDCTokenVerifier(ctx, eventpolicyinformerfake.Get(ctx).Lister())
authVerifier := auth.NewVerifier(ctx, eventpolicyinformerfake.Get(ctx).Lister())

for _, trig := range tc.triggers {
// Replace the SubscriberURI to point at our fake server.
Expand Down Expand Up @@ -480,7 +480,7 @@ func TestReceiver(t *testing.T) {
reporter := &mockReporter{}
r, err := NewHandler(
logger,
oidcTokenVerifier,
authVerifier,
oidcTokenProvider,
triggerinformerfake.Get(ctx),
brokerinformerfake.Get(ctx),
Expand Down Expand Up @@ -653,7 +653,7 @@ func TestReceiver_WithSubscriptionsAPI(t *testing.T) {

logger := zaptest.NewLogger(t, zaptest.WrapOptions(zap.AddCaller()))
oidcTokenProvider := auth.NewOIDCTokenProvider(ctx)
oidcTokenVerifier := auth.NewOIDCTokenVerifier(ctx, eventpolicyinformerfake.Get(ctx).Lister())
authVerifier := auth.NewVerifier(ctx, eventpolicyinformerfake.Get(ctx).Lister())

// Replace the SubscriberURI to point at our fake server.
for _, trig := range tc.triggers {
Expand Down Expand Up @@ -689,7 +689,7 @@ func TestReceiver_WithSubscriptionsAPI(t *testing.T) {
reporter := &mockReporter{}
r, err := NewHandler(
logger,
oidcTokenVerifier,
authVerifier,
oidcTokenProvider,
triggerinformerfake.Get(ctx),
brokerinformerfake.Get(ctx),
Expand Down
4 changes: 2 additions & 2 deletions pkg/broker/ingress/ingress_handler.go
Original file line number Diff line number Diff line change
Expand Up @@ -73,12 +73,12 @@ type Handler struct {

eventDispatcher *kncloudevents.Dispatcher

tokenVerifier *auth.OIDCTokenVerifier
tokenVerifier *auth.Verifier

withContext func(ctx context.Context) context.Context
}

func NewHandler(logger *zap.Logger, reporter StatsReporter, defaulter client.EventDefaulter, brokerInformer v1.BrokerInformer, tokenVerifier *auth.OIDCTokenVerifier, oidcTokenProvider *auth.OIDCTokenProvider, trustBundleConfigMapLister corev1listers.ConfigMapNamespaceLister, withContext func(ctx context.Context) context.Context) (*Handler, error) {
func NewHandler(logger *zap.Logger, reporter StatsReporter, defaulter client.EventDefaulter, brokerInformer v1.BrokerInformer, tokenVerifier *auth.Verifier, oidcTokenProvider *auth.OIDCTokenProvider, trustBundleConfigMapLister corev1listers.ConfigMapNamespaceLister, withContext func(ctx context.Context) context.Context) (*Handler, error) {
connectionArgs := kncloudevents.ConnectionArgs{
MaxIdleConns: defaultMaxIdleConnections,
MaxIdleConnsPerHost: defaultMaxIdleConnectionsPerHost,
Expand Down
4 changes: 2 additions & 2 deletions pkg/broker/ingress/ingress_handler_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -291,13 +291,13 @@ func TestHandler_ServeHTTP(t *testing.T) {
}

tokenProvider := auth.NewOIDCTokenProvider(ctx)
tokenVerifier := auth.NewOIDCTokenVerifier(ctx, eventpolicyinformerfake.Get(ctx).Lister())
authVerifier := auth.NewVerifier(ctx, eventpolicyinformerfake.Get(ctx).Lister())

h, err := NewHandler(logger,
&mockReporter{},
tc.defaulter,
brokerinformerfake.Get(ctx),
tokenVerifier,
authVerifier,
tokenProvider,
configmapinformer.Get(ctx).Lister().ConfigMaps("ns"),
func(ctx context.Context) context.Context {
Expand Down
4 changes: 2 additions & 2 deletions pkg/channel/event_receiver.go
Original file line number Diff line number Diff line change
Expand Up @@ -71,7 +71,7 @@ type EventReceiver struct {
hostToChannelFunc ResolveChannelFromHostFunc
pathToChannelFunc ResolveChannelFromPathFunc
reporter StatsReporter
tokenVerifier *auth.OIDCTokenVerifier
tokenVerifier *auth.Verifier
audience string
getPoliciesForFunc GetPoliciesForFunc
withContext func(context.Context) context.Context
Expand Down Expand Up @@ -120,7 +120,7 @@ func ReceiverWithGetPoliciesForFunc(fn GetPoliciesForFunc) EventReceiverOptions
}
}

func OIDCTokenVerification(tokenVerifier *auth.OIDCTokenVerifier, audience string) EventReceiverOptions {
func OIDCTokenVerification(tokenVerifier *auth.Verifier, audience string) EventReceiverOptions {
return func(r *EventReceiver) error {
r.tokenVerifier = tokenVerifier
r.audience = audience
Expand Down
2 changes: 1 addition & 1 deletion pkg/reconciler/inmemorychannel/dispatcher/controller.go
Original file line number Diff line number Diff line change
Expand Up @@ -137,7 +137,7 @@ func NewController(
eventingClient: eventingclient.Get(ctx).EventingV1beta2(),
eventTypeLister: eventtypeinformer.Get(ctx).Lister(),
eventDispatcher: kncloudevents.NewDispatcher(clientConfig, oidcTokenProvider),
tokenVerifier: auth.NewOIDCTokenVerifier(ctx, eventpolicyinformer.Get(ctx).Lister()),
authVerifier: auth.NewVerifier(ctx, eventpolicyinformer.Get(ctx).Lister()),
clientConfig: clientConfig,
inMemoryChannelLister: inmemorychannelInformer.Lister(),
}
Expand Down
8 changes: 4 additions & 4 deletions pkg/reconciler/inmemorychannel/dispatcher/inmemorychannel.go
Original file line number Diff line number Diff line change
Expand Up @@ -62,8 +62,8 @@ type Reconciler struct {
featureStore *feature.Store
eventDispatcher *kncloudevents.Dispatcher

tokenVerifier *auth.OIDCTokenVerifier
clientConfig eventingtls.ClientConfig
authVerifier *auth.Verifier
clientConfig eventingtls.ClientConfig
}

// Check the interfaces Reconciler should implement
Expand Down Expand Up @@ -134,7 +134,7 @@ func (r *Reconciler) reconcile(ctx context.Context, imc *v1.InMemoryChannel) rec
channelRef,
UID,
r.eventDispatcher,
channel.OIDCTokenVerification(r.tokenVerifier, audience(imc)),
channel.OIDCTokenVerification(r.authVerifier, audience(imc)),
channel.ReceiverWithContextFunc(wc),
channel.ReceiverWithGetPoliciesForFunc(r.getAppliedEventPolicyRef),
)
Expand Down Expand Up @@ -167,7 +167,7 @@ func (r *Reconciler) reconcile(ctx context.Context, imc *v1.InMemoryChannel) rec
UID,
r.eventDispatcher,
channel.ResolveChannelFromPath(channel.ParseChannelFromPath),
channel.OIDCTokenVerification(r.tokenVerifier, audience(imc)),
channel.OIDCTokenVerification(r.authVerifier, audience(imc)),
channel.ReceiverWithContextFunc(wc),
channel.ReceiverWithGetPoliciesForFunc(r.getAppliedEventPolicyRef),
)
Expand Down

0 comments on commit 830605a

Please sign in to comment.