diff --git a/cmd/broker/filter/main.go b/cmd/broker/filter/main.go index 237d8fa097c..f5b9dce7737 100644 --- a/cmd/broker/filter/main.go +++ b/cmd/broker/filter/main.go @@ -153,9 +153,9 @@ func main() { oidcTokenProvider := auth.NewOIDCTokenProvider(ctx) // We are running both the receiver (takes messages in from the Broker) and the dispatcher (send // the messages to the triggers' subscribers) in this binary. - oidcTokenVerifier := auth.NewOIDCTokenVerifier(ctx, eventpolicyinformer.Get(ctx).Lister()) + authVerifier := auth.NewVerifier(ctx, eventpolicyinformer.Get(ctx).Lister()) trustBundleConfigMapInformer := configmapinformer.Get(ctx, eventingtls.TrustBundleLabelSelector).Lister().ConfigMaps(system.Namespace()) - handler, err = filter.NewHandler(logger, oidcTokenVerifier, oidcTokenProvider, triggerinformer.Get(ctx), brokerinformer.Get(ctx), subscriptioninformer.Get(ctx), reporter, trustBundleConfigMapInformer, ctxFunc) + handler, err = filter.NewHandler(logger, authVerifier, oidcTokenProvider, triggerinformer.Get(ctx), brokerinformer.Get(ctx), subscriptioninformer.Get(ctx), reporter, trustBundleConfigMapInformer, ctxFunc) if err != nil { logger.Fatal("Error creating Handler", zap.Error(err)) } diff --git a/cmd/broker/ingress/main.go b/cmd/broker/ingress/main.go index 082091d424e..1b1b5c852b9 100644 --- a/cmd/broker/ingress/main.go +++ b/cmd/broker/ingress/main.go @@ -168,9 +168,9 @@ func main() { reporter := ingress.NewStatsReporter(env.ContainerName, kmeta.ChildName(env.PodName, uuid.New().String())) oidcTokenProvider := auth.NewOIDCTokenProvider(ctx) - oidcTokenVerifier := auth.NewOIDCTokenVerifier(ctx, eventpolicyinformer.Get(ctx).Lister()) + authVerifier := auth.NewVerifier(ctx, eventpolicyinformer.Get(ctx).Lister()) trustBundleConfigMapInformer := configmapinformer.Get(ctx, eventingtls.TrustBundleLabelSelector).Lister().ConfigMaps(system.Namespace()) - handler, err = ingress.NewHandler(logger, reporter, broker.TTLDefaulter(logger, int32(env.MaxTTL)), brokerInformer, oidcTokenVerifier, oidcTokenProvider, trustBundleConfigMapInformer, ctxFunc) + handler, err = ingress.NewHandler(logger, reporter, broker.TTLDefaulter(logger, int32(env.MaxTTL)), brokerInformer, authVerifier, oidcTokenProvider, trustBundleConfigMapInformer, ctxFunc) if err != nil { logger.Fatal("Error creating Handler", zap.Error(err)) } diff --git a/cmd/jobsink/main.go b/cmd/jobsink/main.go index dc403996195..d06dafdfd84 100644 --- a/cmd/jobsink/main.go +++ b/cmd/jobsink/main.go @@ -115,10 +115,10 @@ func main() { } h := &Handler{ - k8s: kubeclient.Get(ctx), - lister: jobsink.Get(ctx).Lister(), - withContext: ctxFunc, - oidcTokenVerifier: auth.NewOIDCTokenVerifier(ctx, eventpolicyinformer.Get(ctx).Lister()), + k8s: kubeclient.Get(ctx), + lister: jobsink.Get(ctx).Lister(), + withContext: ctxFunc, + authVerifier: auth.NewVerifier(ctx, eventpolicyinformer.Get(ctx).Lister()), } tlsConfig, err := getServerTLSConfig(ctx) @@ -159,10 +159,10 @@ func main() { } type Handler struct { - k8s kubernetes.Interface - lister sinkslister.JobSinkLister - withContext func(ctx context.Context) context.Context - oidcTokenVerifier *auth.OIDCTokenVerifier + k8s kubernetes.Interface + lister sinkslister.JobSinkLister + withContext func(ctx context.Context) context.Context + authVerifier *auth.Verifier } func (h *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) { @@ -201,7 +201,7 @@ func (h *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) { logger.Debug("Handling POST request", zap.String("URI", r.RequestURI)) - err = h.oidcTokenVerifier.VerifyRequest(ctx, feature.FromContext(ctx), js.Status.Address.Audience, js.Namespace, js.Status.Policies, r, w) + err = h.authVerifier.VerifyRequest(ctx, feature.FromContext(ctx), js.Status.Address.Audience, js.Namespace, js.Status.Policies, r, w) if err != nil { logger.Warn("Failed to verify AuthN and AuthZ.", zap.Error(err)) return @@ -374,7 +374,7 @@ func (h *Handler) handleGet(ctx context.Context, w http.ResponseWriter, r *http. logger.Debug("Handling GET request", zap.String("URI", r.RequestURI)) - err = h.oidcTokenVerifier.VerifyRequest(ctx, feature.FromContext(ctx), js.Status.Address.Audience, js.Namespace, js.Status.Policies, r, w) + err = h.authVerifier.VerifyRequest(ctx, feature.FromContext(ctx), js.Status.Address.Audience, js.Namespace, js.Status.Policies, r, w) if err != nil { logger.Warn("Failed to verify AuthN and AuthZ.", zap.Error(err)) return diff --git a/pkg/auth/token_verifier.go b/pkg/auth/verifier.go similarity index 88% rename from pkg/auth/token_verifier.go rename to pkg/auth/verifier.go index 899239bfc1d..3cf9c436bc8 100644 --- a/pkg/auth/token_verifier.go +++ b/pkg/auth/verifier.go @@ -45,7 +45,7 @@ const ( kubernetesOIDCDiscoveryBaseURL = "https://kubernetes.default.svc" ) -type OIDCTokenVerifier struct { +type Verifier struct { logger *zap.SugaredLogger restConfig *rest.Config provider *oidc.Provider @@ -61,8 +61,8 @@ type IDToken struct { AccessTokenHash string } -func NewOIDCTokenVerifier(ctx context.Context, eventPolicyLister listerseventingv1alpha1.EventPolicyLister) *OIDCTokenVerifier { - tokenHandler := &OIDCTokenVerifier{ +func NewVerifier(ctx context.Context, eventPolicyLister listerseventingv1alpha1.EventPolicyLister) *Verifier { + tokenHandler := &Verifier{ logger: logging.FromContext(ctx).With("component", "oidc-token-handler"), restConfig: injection.GetConfig(ctx), eventPolicyLister: eventPolicyLister, @@ -77,7 +77,7 @@ func NewOIDCTokenVerifier(ctx context.Context, eventPolicyLister listerseventing // VerifyRequest verifies AuthN and AuthZ in the request. On verification errors, it sets the // responses HTTP status and returns an error -func (v *OIDCTokenVerifier) VerifyRequest(ctx context.Context, features feature.Flags, requiredOIDCAudience *string, resourceNamespace string, policyRefs []duckv1.AppliedEventPolicyRef, req *http.Request, resp http.ResponseWriter) error { +func (v *Verifier) VerifyRequest(ctx context.Context, features feature.Flags, requiredOIDCAudience *string, resourceNamespace string, policyRefs []duckv1.AppliedEventPolicyRef, req *http.Request, resp http.ResponseWriter) error { if !features.IsOIDCAuthentication() { return nil } @@ -100,7 +100,7 @@ func (v *OIDCTokenVerifier) VerifyRequest(ctx context.Context, features feature. // On verification errors, it sets the responses HTTP status and returns an error. // This method is similar to VerifyRequest() except that VerifyRequestFromSubject() // verifies in the AuthZ part that the request comes from a given subject. -func (v *OIDCTokenVerifier) VerifyRequestFromSubject(ctx context.Context, features feature.Flags, requiredOIDCAudience *string, allowedSubject string, req *http.Request, resp http.ResponseWriter) error { +func (v *Verifier) VerifyRequestFromSubject(ctx context.Context, features feature.Flags, requiredOIDCAudience *string, allowedSubject string, req *http.Request, resp http.ResponseWriter) error { if !features.IsOIDCAuthentication() { return nil } @@ -119,7 +119,7 @@ func (v *OIDCTokenVerifier) VerifyRequestFromSubject(ctx context.Context, featur } // verifyAuthN verifies if the incoming request contains a correct JWT token -func (v *OIDCTokenVerifier) verifyAuthN(ctx context.Context, audience *string, req *http.Request, resp http.ResponseWriter) (*IDToken, error) { +func (v *Verifier) verifyAuthN(ctx context.Context, audience *string, req *http.Request, resp http.ResponseWriter) (*IDToken, error) { token := GetJWTFromHeader(req.Header) if token == "" { resp.WriteHeader(http.StatusUnauthorized) @@ -141,7 +141,7 @@ func (v *OIDCTokenVerifier) verifyAuthN(ctx context.Context, audience *string, r } // verifyAuthZ verifies if the given idToken is allowed by the resources eventPolicyStatus -func (v *OIDCTokenVerifier) verifyAuthZ(ctx context.Context, features feature.Flags, idToken *IDToken, resourceNamespace string, policyRefs []duckv1.AppliedEventPolicyRef, req *http.Request, resp http.ResponseWriter) error { +func (v *Verifier) verifyAuthZ(ctx context.Context, features feature.Flags, idToken *IDToken, resourceNamespace string, policyRefs []duckv1.AppliedEventPolicyRef, req *http.Request, resp http.ResponseWriter) error { if len(policyRefs) > 0 { req, err := copyRequest(req) if err != nil { @@ -195,7 +195,7 @@ func (v *OIDCTokenVerifier) verifyAuthZ(ctx context.Context, features feature.Fl } // verifyJWT verifies the given JWT for the expected audience and returns the parsed ID token. -func (v *OIDCTokenVerifier) verifyJWT(ctx context.Context, jwt, audience string) (*IDToken, error) { +func (v *Verifier) verifyJWT(ctx context.Context, jwt, audience string) (*IDToken, error) { if v.provider == nil { return nil, fmt.Errorf("provider is nil. Is the OIDC provider config correct?") } @@ -219,7 +219,7 @@ func (v *OIDCTokenVerifier) verifyJWT(ctx context.Context, jwt, audience string) }, nil } -func (v *OIDCTokenVerifier) initOIDCProvider(ctx context.Context) error { +func (v *Verifier) initOIDCProvider(ctx context.Context) error { discovery, err := v.getKubernetesOIDCDiscovery() if err != nil { return fmt.Errorf("could not load Kubernetes OIDC discovery information: %w", err) @@ -247,7 +247,7 @@ func (v *OIDCTokenVerifier) initOIDCProvider(ctx context.Context) error { return nil } -func (v *OIDCTokenVerifier) getHTTPClientForKubeAPIServer() (*http.Client, error) { +func (v *Verifier) getHTTPClientForKubeAPIServer() (*http.Client, error) { client, err := rest.HTTPClientFor(v.restConfig) if err != nil { return nil, fmt.Errorf("could not create HTTP client from rest config: %w", err) @@ -256,7 +256,7 @@ func (v *OIDCTokenVerifier) getHTTPClientForKubeAPIServer() (*http.Client, error return client, nil } -func (v *OIDCTokenVerifier) getKubernetesOIDCDiscovery() (*openIDMetadata, error) { +func (v *Verifier) getKubernetesOIDCDiscovery() (*openIDMetadata, error) { client, err := v.getHTTPClientForKubeAPIServer() if err != nil { return nil, fmt.Errorf("could not get HTTP client for API server: %w", err) diff --git a/pkg/broker/filter/filter_handler.go b/pkg/broker/filter/filter_handler.go index ef2dfd49da7..08ddf1c1a4f 100644 --- a/pkg/broker/filter/filter_handler.go +++ b/pkg/broker/filter/filter_handler.go @@ -90,12 +90,12 @@ type Handler struct { logger *zap.Logger withContext func(ctx context.Context) context.Context filtersMap *subscriptionsapi.FiltersMap - tokenVerifier *auth.OIDCTokenVerifier + tokenVerifier *auth.Verifier EventTypeCreator *eventtype.EventTypeAutoHandler } // NewHandler creates a new Handler and its associated EventReceiver. -func NewHandler(logger *zap.Logger, tokenVerifier *auth.OIDCTokenVerifier, oidcTokenProvider *auth.OIDCTokenProvider, triggerInformer v1.TriggerInformer, brokerInformer v1.BrokerInformer, subscriptionInformer messaginginformers.SubscriptionInformer, reporter StatsReporter, trustBundleConfigMapLister corev1listers.ConfigMapNamespaceLister, wc func(ctx context.Context) context.Context) (*Handler, error) { +func NewHandler(logger *zap.Logger, tokenVerifier *auth.Verifier, oidcTokenProvider *auth.OIDCTokenProvider, triggerInformer v1.TriggerInformer, brokerInformer v1.BrokerInformer, subscriptionInformer messaginginformers.SubscriptionInformer, reporter StatsReporter, trustBundleConfigMapLister corev1listers.ConfigMapNamespaceLister, wc func(ctx context.Context) context.Context) (*Handler, error) { kncloudevents.ConfigureConnectionArgs(&kncloudevents.ConnectionArgs{ MaxIdleConns: defaultMaxIdleConnections, MaxIdleConnsPerHost: defaultMaxIdleConnectionsPerHost, diff --git a/pkg/broker/filter/filter_handler_test.go b/pkg/broker/filter/filter_handler_test.go index 6fe22c7973a..6f020d8870d 100644 --- a/pkg/broker/filter/filter_handler_test.go +++ b/pkg/broker/filter/filter_handler_test.go @@ -444,7 +444,7 @@ func TestReceiver(t *testing.T) { logger := zaptest.NewLogger(t, zaptest.WrapOptions(zap.AddCaller())) oidcTokenProvider := auth.NewOIDCTokenProvider(ctx) - oidcTokenVerifier := auth.NewOIDCTokenVerifier(ctx, eventpolicyinformerfake.Get(ctx).Lister()) + authVerifier := auth.NewVerifier(ctx, eventpolicyinformerfake.Get(ctx).Lister()) for _, trig := range tc.triggers { // Replace the SubscriberURI to point at our fake server. @@ -480,7 +480,7 @@ func TestReceiver(t *testing.T) { reporter := &mockReporter{} r, err := NewHandler( logger, - oidcTokenVerifier, + authVerifier, oidcTokenProvider, triggerinformerfake.Get(ctx), brokerinformerfake.Get(ctx), @@ -653,7 +653,7 @@ func TestReceiver_WithSubscriptionsAPI(t *testing.T) { logger := zaptest.NewLogger(t, zaptest.WrapOptions(zap.AddCaller())) oidcTokenProvider := auth.NewOIDCTokenProvider(ctx) - oidcTokenVerifier := auth.NewOIDCTokenVerifier(ctx, eventpolicyinformerfake.Get(ctx).Lister()) + authVerifier := auth.NewVerifier(ctx, eventpolicyinformerfake.Get(ctx).Lister()) // Replace the SubscriberURI to point at our fake server. for _, trig := range tc.triggers { @@ -689,7 +689,7 @@ func TestReceiver_WithSubscriptionsAPI(t *testing.T) { reporter := &mockReporter{} r, err := NewHandler( logger, - oidcTokenVerifier, + authVerifier, oidcTokenProvider, triggerinformerfake.Get(ctx), brokerinformerfake.Get(ctx), diff --git a/pkg/broker/ingress/ingress_handler.go b/pkg/broker/ingress/ingress_handler.go index 36f514c0cc6..bdb817e6796 100644 --- a/pkg/broker/ingress/ingress_handler.go +++ b/pkg/broker/ingress/ingress_handler.go @@ -73,12 +73,12 @@ type Handler struct { eventDispatcher *kncloudevents.Dispatcher - tokenVerifier *auth.OIDCTokenVerifier + tokenVerifier *auth.Verifier withContext func(ctx context.Context) context.Context } -func NewHandler(logger *zap.Logger, reporter StatsReporter, defaulter client.EventDefaulter, brokerInformer v1.BrokerInformer, tokenVerifier *auth.OIDCTokenVerifier, oidcTokenProvider *auth.OIDCTokenProvider, trustBundleConfigMapLister corev1listers.ConfigMapNamespaceLister, withContext func(ctx context.Context) context.Context) (*Handler, error) { +func NewHandler(logger *zap.Logger, reporter StatsReporter, defaulter client.EventDefaulter, brokerInformer v1.BrokerInformer, tokenVerifier *auth.Verifier, oidcTokenProvider *auth.OIDCTokenProvider, trustBundleConfigMapLister corev1listers.ConfigMapNamespaceLister, withContext func(ctx context.Context) context.Context) (*Handler, error) { connectionArgs := kncloudevents.ConnectionArgs{ MaxIdleConns: defaultMaxIdleConnections, MaxIdleConnsPerHost: defaultMaxIdleConnectionsPerHost, diff --git a/pkg/broker/ingress/ingress_handler_test.go b/pkg/broker/ingress/ingress_handler_test.go index 1938292d1f7..37982bd27ac 100644 --- a/pkg/broker/ingress/ingress_handler_test.go +++ b/pkg/broker/ingress/ingress_handler_test.go @@ -291,13 +291,13 @@ func TestHandler_ServeHTTP(t *testing.T) { } tokenProvider := auth.NewOIDCTokenProvider(ctx) - tokenVerifier := auth.NewOIDCTokenVerifier(ctx, eventpolicyinformerfake.Get(ctx).Lister()) + authVerifier := auth.NewVerifier(ctx, eventpolicyinformerfake.Get(ctx).Lister()) h, err := NewHandler(logger, &mockReporter{}, tc.defaulter, brokerinformerfake.Get(ctx), - tokenVerifier, + authVerifier, tokenProvider, configmapinformer.Get(ctx).Lister().ConfigMaps("ns"), func(ctx context.Context) context.Context { diff --git a/pkg/channel/event_receiver.go b/pkg/channel/event_receiver.go index 37e56f8b4c3..674b4da7c40 100644 --- a/pkg/channel/event_receiver.go +++ b/pkg/channel/event_receiver.go @@ -71,7 +71,7 @@ type EventReceiver struct { hostToChannelFunc ResolveChannelFromHostFunc pathToChannelFunc ResolveChannelFromPathFunc reporter StatsReporter - tokenVerifier *auth.OIDCTokenVerifier + tokenVerifier *auth.Verifier audience string getPoliciesForFunc GetPoliciesForFunc withContext func(context.Context) context.Context @@ -120,7 +120,7 @@ func ReceiverWithGetPoliciesForFunc(fn GetPoliciesForFunc) EventReceiverOptions } } -func OIDCTokenVerification(tokenVerifier *auth.OIDCTokenVerifier, audience string) EventReceiverOptions { +func OIDCTokenVerification(tokenVerifier *auth.Verifier, audience string) EventReceiverOptions { return func(r *EventReceiver) error { r.tokenVerifier = tokenVerifier r.audience = audience diff --git a/pkg/reconciler/inmemorychannel/dispatcher/controller.go b/pkg/reconciler/inmemorychannel/dispatcher/controller.go index 8bbbd7be222..a919ef7a2d7 100644 --- a/pkg/reconciler/inmemorychannel/dispatcher/controller.go +++ b/pkg/reconciler/inmemorychannel/dispatcher/controller.go @@ -137,7 +137,7 @@ func NewController( eventingClient: eventingclient.Get(ctx).EventingV1beta2(), eventTypeLister: eventtypeinformer.Get(ctx).Lister(), eventDispatcher: kncloudevents.NewDispatcher(clientConfig, oidcTokenProvider), - tokenVerifier: auth.NewOIDCTokenVerifier(ctx, eventpolicyinformer.Get(ctx).Lister()), + authVerifier: auth.NewVerifier(ctx, eventpolicyinformer.Get(ctx).Lister()), clientConfig: clientConfig, inMemoryChannelLister: inmemorychannelInformer.Lister(), } diff --git a/pkg/reconciler/inmemorychannel/dispatcher/inmemorychannel.go b/pkg/reconciler/inmemorychannel/dispatcher/inmemorychannel.go index 22654823a7d..5949f5b1382 100644 --- a/pkg/reconciler/inmemorychannel/dispatcher/inmemorychannel.go +++ b/pkg/reconciler/inmemorychannel/dispatcher/inmemorychannel.go @@ -62,8 +62,8 @@ type Reconciler struct { featureStore *feature.Store eventDispatcher *kncloudevents.Dispatcher - tokenVerifier *auth.OIDCTokenVerifier - clientConfig eventingtls.ClientConfig + authVerifier *auth.Verifier + clientConfig eventingtls.ClientConfig } // Check the interfaces Reconciler should implement @@ -134,7 +134,7 @@ func (r *Reconciler) reconcile(ctx context.Context, imc *v1.InMemoryChannel) rec channelRef, UID, r.eventDispatcher, - channel.OIDCTokenVerification(r.tokenVerifier, audience(imc)), + channel.OIDCTokenVerification(r.authVerifier, audience(imc)), channel.ReceiverWithContextFunc(wc), channel.ReceiverWithGetPoliciesForFunc(r.getAppliedEventPolicyRef), ) @@ -167,7 +167,7 @@ func (r *Reconciler) reconcile(ctx context.Context, imc *v1.InMemoryChannel) rec UID, r.eventDispatcher, channel.ResolveChannelFromPath(channel.ParseChannelFromPath), - channel.OIDCTokenVerification(r.tokenVerifier, audience(imc)), + channel.OIDCTokenVerification(r.authVerifier, audience(imc)), channel.ReceiverWithContextFunc(wc), channel.ReceiverWithGetPoliciesForFunc(r.getAppliedEventPolicyRef), )