upgrade to latest dependencies (#607)

bumping knative.dev/eventing c521efb...7a90257: > 7a90257 [main] Upgrade to latest dependencies (# 8126) > f0ccedc mt-broker-filter: Allow only requests from Triggers Subscriptions OIDC ID (# 8147) > 941a9e1 fix: tracker can track resources in different ns (# 8110) > a4e5a0e added event format to dispatcher (# 8096) bumping knative.dev/serving 64ac199...221b632: > 221b632 Update net-gateway-api nightly (# 15464) Signed-off-by: Knative Automation <[email protected]>
knative-extensions · Aug 13, 2024 · b1e89ac · b1e89ac
1 parent 89a6db3
commit b1e89ac
Show file tree

Hide file tree

Showing 4 changed files with 32 additions and 9 deletions.
diff --git a/go.mod b/go.mod
@@ -13,10 +13,10 @@ require (
 	k8s.io/api v0.30.3
 	k8s.io/apimachinery v0.30.3
 	k8s.io/client-go v0.30.3
-	knative.dev/eventing v0.42.1-0.20240809140631-c521efb66dc2
+	knative.dev/eventing v0.42.1-0.20240812175435-7a90257edb04
 	knative.dev/hack v0.0.0-20240808014239-452e340cbb4b
 	knative.dev/pkg v0.0.0-20240812053209-cd3311cbab65
-	knative.dev/serving v0.42.1-0.20240812073246-64ac199eccfa
+	knative.dev/serving v0.42.1-0.20240813122104-221b63235aa7
 )
 
 require (

diff --git a/go.sum b/go.sum
@@ -792,16 +792,16 @@ k8s.io/kube-openapi v0.0.0-20240808142205-8e686545bdb8 h1:1Wof1cGQgA5pqgo8MxKPtf
 k8s.io/kube-openapi v0.0.0-20240808142205-8e686545bdb8/go.mod h1:Os6V6dZwLNii3vxFpxcNaTmH8LJJBkOTg1N0tOA0fvA=
 k8s.io/utils v0.0.0-20240711033017-18e509b52bc8 h1:pUdcCO1Lk/tbT5ztQWOBi5HBgbBP1J8+AsQnQCKsi8A=
 k8s.io/utils v0.0.0-20240711033017-18e509b52bc8/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
-knative.dev/eventing v0.42.1-0.20240809140631-c521efb66dc2 h1:bDcuAW1YnJgF4R5UlfHga8Q+JbXTyjwcNsiZNErcROs=
-knative.dev/eventing v0.42.1-0.20240809140631-c521efb66dc2/go.mod h1:sW8btFd57JF2hS2T92Jh/k1PgSOVTQdPzZODXaQs54E=
+knative.dev/eventing v0.42.1-0.20240812175435-7a90257edb04 h1:OFdDY9UvmJvZMDPW1hbzHG8EL+4eIGaK2l8xRl35rxU=
+knative.dev/eventing v0.42.1-0.20240812175435-7a90257edb04/go.mod h1:ys++jt+DbovXKZ23cWDZRcaQM1KG9mfNnt+tBL9IQ3w=
 knative.dev/hack v0.0.0-20240808014239-452e340cbb4b h1:pDzlX6d8cCbp5PDU9BdEIPJVI/4HLTM4mV2gMN1bKlk=
 knative.dev/hack v0.0.0-20240808014239-452e340cbb4b/go.mod h1:R0ritgYtjLDO9527h5vb5X6gfvt5LCrJ55BNbVDsWiY=
 knative.dev/networking v0.0.0-20240802083044-f1702380495f h1:1mIVNRZELhQLuDDFti6R26ZQXqeL2UkS/K0cMqKzBxw=
 knative.dev/networking v0.0.0-20240802083044-f1702380495f/go.mod h1:FNWuEcSif270xzNwQx5xFvEsv7wKiKGPUKzpAXkajT8=
 knative.dev/pkg v0.0.0-20240812053209-cd3311cbab65 h1:9r795uNPp2f/dIUzHlJW4Prz3U+8+1ZpW4z6EBUxpwc=
 knative.dev/pkg v0.0.0-20240812053209-cd3311cbab65/go.mod h1:2kizutszzGp+EcVXivdigNd6dUM7O77QaLUTZeKaN5s=
-knative.dev/serving v0.42.1-0.20240812073246-64ac199eccfa h1:+423o+8FvoxywSS1EPIXZYDEqcY2VtJ79ORKtpUvgIU=
-knative.dev/serving v0.42.1-0.20240812073246-64ac199eccfa/go.mod h1:gHq0Gm9DC2Kx4HwXFZKH4IcC9sXgoVln9AP93OYFujQ=
+knative.dev/serving v0.42.1-0.20240813122104-221b63235aa7 h1:7b6oA6O17xrMLX4Yt0Fd3z3VewYaCk6nBK4o/w0IWpw=
+knative.dev/serving v0.42.1-0.20240813122104-221b63235aa7/go.mod h1:gHq0Gm9DC2Kx4HwXFZKH4IcC9sXgoVln9AP93OYFujQ=
 rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
 rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
 rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=

diff --git a/vendor/knative.dev/eventing/pkg/auth/token_verifier.go b/vendor/knative.dev/eventing/pkg/auth/token_verifier.go
@@ -100,6 +100,29 @@ func (v *OIDCTokenVerifier) VerifyRequest(ctx context.Context, features feature.
 	return nil
 }
 
+// VerifyRequestFromSubject verifies AuthN and AuthZ in the request.
+// In the AuthZ part it checks if the request comes from the given allowedSubject.
+// On verification errors, it sets the responses HTTP status and returns an error.
+// This method is similar to VerifyRequest() except that VerifyRequestFromSubject()
+// verifies in the AuthZ part that the request comes from a given subject.
+func (v *OIDCTokenVerifier) VerifyRequestFromSubject(ctx context.Context, features feature.Flags, requiredOIDCAudience *string, allowedSubject string, req *http.Request, resp http.ResponseWriter) error {
+	if !features.IsOIDCAuthentication() {
+		return nil
+	}
+
+	idToken, err := v.verifyAuthN(ctx, requiredOIDCAudience, req, resp)
+	if err != nil {
+		return fmt.Errorf("authentication of request could not be verified: %w", err)
+	}
+
+	if idToken.Subject != allowedSubject {
+		resp.WriteHeader(http.StatusForbidden)
+		return fmt.Errorf("token is from subject %q, but only %q is allowed", idToken.Subject, allowedSubject)
+	}
+
+	return nil
+}
+
 // verifyAuthN verifies if the incoming request contains a correct JWT token
 func (v *OIDCTokenVerifier) verifyAuthN(ctx context.Context, audience *string, req *http.Request, resp http.ResponseWriter) (*IDToken, error) {
 	token := GetJWTFromHeader(req.Header)

diff --git a/vendor/modules.txt b/vendor/modules.txt
@@ -981,8 +981,8 @@ k8s.io/utils/pointer
 k8s.io/utils/ptr
 k8s.io/utils/strings/slices
 k8s.io/utils/trace
-# knative.dev/eventing v0.42.1-0.20240809140631-c521efb66dc2
-## explicit; go 1.22
+# knative.dev/eventing v0.42.1-0.20240812175435-7a90257edb04
+## explicit; go 1.22.0
 knative.dev/eventing/pkg/adapter/v2
 knative.dev/eventing/pkg/adapter/v2/util/crstatusevent
 knative.dev/eventing/pkg/apis
@@ -1131,7 +1131,7 @@ knative.dev/pkg/tracker
 knative.dev/pkg/version
 knative.dev/pkg/webhook
 knative.dev/pkg/webhook/certificates/resources
-# knative.dev/serving v0.42.1-0.20240812073246-64ac199eccfa
+# knative.dev/serving v0.42.1-0.20240813122104-221b63235aa7
 ## explicit; go 1.22
 knative.dev/serving/pkg/apis/autoscaling
 knative.dev/serving/pkg/apis/autoscaling/v1alpha1