diff --git a/go.mod b/go.mod
index 16625f0c..9ff13c11 100644
--- a/go.mod
+++ b/go.mod
@@ -13,10 +13,10 @@ require (
 k8s.io/api v0.30.3
 k8s.io/apimachinery v0.30.3
 k8s.io/client-go v0.30.3
- knative.dev/eventing v0.42.1-0.20240809140631-c521efb66dc2
+ knative.dev/eventing v0.42.1-0.20240812175435-7a90257edb04
 knative.dev/hack v0.0.0-20240808014239-452e340cbb4b
 knative.dev/pkg v0.0.0-20240812053209-cd3311cbab65
- knative.dev/serving v0.42.1-0.20240812073246-64ac199eccfa
+ knative.dev/serving v0.42.1-0.20240813122104-221b63235aa7
 )
 
 require (
diff --git a/go.sum b/go.sum
index 2f0e3c20..96ee6e3d 100644
--- a/go.sum
+++ b/go.sum
@@ -792,16 +792,16 @@ k8s.io/kube-openapi v0.0.0-20240808142205-8e686545bdb8 h1:1Wof1cGQgA5pqgo8MxKPtf
 k8s.io/kube-openapi v0.0.0-20240808142205-8e686545bdb8/go.mod h1:Os6V6dZwLNii3vxFpxcNaTmH8LJJBkOTg1N0tOA0fvA=
 k8s.io/utils v0.0.0-20240711033017-18e509b52bc8 h1:pUdcCO1Lk/tbT5ztQWOBi5HBgbBP1J8+AsQnQCKsi8A=
 k8s.io/utils v0.0.0-20240711033017-18e509b52bc8/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
-knative.dev/eventing v0.42.1-0.20240809140631-c521efb66dc2 h1:bDcuAW1YnJgF4R5UlfHga8Q+JbXTyjwcNsiZNErcROs=
-knative.dev/eventing v0.42.1-0.20240809140631-c521efb66dc2/go.mod h1:sW8btFd57JF2hS2T92Jh/k1PgSOVTQdPzZODXaQs54E=
+knative.dev/eventing v0.42.1-0.20240812175435-7a90257edb04 h1:OFdDY9UvmJvZMDPW1hbzHG8EL+4eIGaK2l8xRl35rxU=
+knative.dev/eventing v0.42.1-0.20240812175435-7a90257edb04/go.mod h1:ys++jt+DbovXKZ23cWDZRcaQM1KG9mfNnt+tBL9IQ3w=
 knative.dev/hack v0.0.0-20240808014239-452e340cbb4b h1:pDzlX6d8cCbp5PDU9BdEIPJVI/4HLTM4mV2gMN1bKlk=
 knative.dev/hack v0.0.0-20240808014239-452e340cbb4b/go.mod h1:R0ritgYtjLDO9527h5vb5X6gfvt5LCrJ55BNbVDsWiY=
 knative.dev/networking v0.0.0-20240802083044-f1702380495f h1:1mIVNRZELhQLuDDFti6R26ZQXqeL2UkS/K0cMqKzBxw=
 knative.dev/networking v0.0.0-20240802083044-f1702380495f/go.mod h1:FNWuEcSif270xzNwQx5xFvEsv7wKiKGPUKzpAXkajT8=
 knative.dev/pkg v0.0.0-20240812053209-cd3311cbab65 h1:9r795uNPp2f/dIUzHlJW4Prz3U+8+1ZpW4z6EBUxpwc=
 knative.dev/pkg v0.0.0-20240812053209-cd3311cbab65/go.mod h1:2kizutszzGp+EcVXivdigNd6dUM7O77QaLUTZeKaN5s=
-knative.dev/serving v0.42.1-0.20240812073246-64ac199eccfa h1:+423o+8FvoxywSS1EPIXZYDEqcY2VtJ79ORKtpUvgIU=
-knative.dev/serving v0.42.1-0.20240812073246-64ac199eccfa/go.mod h1:gHq0Gm9DC2Kx4HwXFZKH4IcC9sXgoVln9AP93OYFujQ=
+knative.dev/serving v0.42.1-0.20240813122104-221b63235aa7 h1:7b6oA6O17xrMLX4Yt0Fd3z3VewYaCk6nBK4o/w0IWpw=
+knative.dev/serving v0.42.1-0.20240813122104-221b63235aa7/go.mod h1:gHq0Gm9DC2Kx4HwXFZKH4IcC9sXgoVln9AP93OYFujQ=
 rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
 rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
 rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=
diff --git a/vendor/knative.dev/eventing/pkg/auth/token_verifier.go b/vendor/knative.dev/eventing/pkg/auth/token_verifier.go
index 0d87cf11..b3be913b 100644
--- a/vendor/knative.dev/eventing/pkg/auth/token_verifier.go
+++ b/vendor/knative.dev/eventing/pkg/auth/token_verifier.go
@@ -100,6 +100,29 @@ func (v *OIDCTokenVerifier) VerifyRequest(ctx context.Context, features feature.
 return nil
 }
 
+// VerifyRequestFromSubject verifies AuthN and AuthZ in the request.
+// In the AuthZ part it checks if the request comes from the given allowedSubject.
+// On verification errors, it sets the responses HTTP status and returns an error.
+// This method is similar to VerifyRequest() except that VerifyRequestFromSubject()
+// verifies in the AuthZ part that the request comes from a given subject.
+func (v *OIDCTokenVerifier) VerifyRequestFromSubject(ctx context.Context, features feature.Flags, requiredOIDCAudience *string, allowedSubject string, req *http.Request, resp http.ResponseWriter) error {
+ if !features.IsOIDCAuthentication() {
+ return nil
+ }
+
+ idToken, err := v.verifyAuthN(ctx, requiredOIDCAudience, req, resp)
+ if err != nil {
+ return fmt.Errorf("authentication of request could not be verified: %w", err)
+ }
+
+ if idToken.Subject != allowedSubject {
+ resp.WriteHeader(http.StatusForbidden)
+ return fmt.Errorf("token is from subject %q, but only %q is allowed", idToken.Subject, allowedSubject)
+ }
+
+ return nil
+}
+
 // verifyAuthN verifies if the incoming request contains a correct JWT token
 func (v *OIDCTokenVerifier) verifyAuthN(ctx context.Context, audience *string, req *http.Request, resp http.ResponseWriter) (*IDToken, error) {
 token := GetJWTFromHeader(req.Header)
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 6f1527cd..fa34313d 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -981,8 +981,8 @@ k8s.io/utils/pointer
 k8s.io/utils/ptr
 k8s.io/utils/strings/slices
 k8s.io/utils/trace
-# knative.dev/eventing v0.42.1-0.20240809140631-c521efb66dc2
-## explicit; go 1.22
+# knative.dev/eventing v0.42.1-0.20240812175435-7a90257edb04
+## explicit; go 1.22.0
 knative.dev/eventing/pkg/adapter/v2
 knative.dev/eventing/pkg/adapter/v2/util/crstatusevent
 knative.dev/eventing/pkg/apis
@@ -1131,7 +1131,7 @@ knative.dev/pkg/tracker
 knative.dev/pkg/version
 knative.dev/pkg/webhook
 knative.dev/pkg/webhook/certificates/resources
-# knative.dev/serving v0.42.1-0.20240812073246-64ac199eccfa
+# knative.dev/serving v0.42.1-0.20240813122104-221b63235aa7
 ## explicit; go 1.22
 knative.dev/serving/pkg/apis/autoscaling
 knative.dev/serving/pkg/apis/autoscaling/v1alpha1