From 3b46f04e2bc1b065d5aa52e8e24ffb21bd9785cb Mon Sep 17 00:00:00 2001
From: Knative Automation
Date: Thu, 14 Dec 2023 13:29:03 +0000
Subject: [PATCH] upgrade to latest dependencies

bumping knative.dev/eventing 0b45ad8...c38f800:
> c38f800 Refactor the code that rejects for wrong audience (# 7492)
> c24dab5 Eventing TLS: Add E2E TLS test for Parallel (# 7395)
> 1f38c2e Move containersource OIDC feature to test/auth (# 7506)

Signed-off-by: Knative Automation
---
 go.mod | 2 +-
 go.sum | 4 ++--
 .../eventing/pkg/auth/token_verifier.go | 21 +++++++++++++++++++
 vendor/modules.txt | 2 +-
 4 files changed, 25 insertions(+), 4 deletions(-)

diff --git a/go.mod b/go.mod
index 4da18da60d..de1e5691bf 100644
--- a/go.mod
+++ b/go.mod
@@ -25,7 +25,7 @@ require (
 k8s.io/apimachinery v0.27.6
 k8s.io/client-go v0.27.6
 k8s.io/utils v0.0.0-20230209194617-a36077c30491
- knative.dev/eventing v0.39.1-0.20231212143445-0b45ad82cfd5
+ knative.dev/eventing v0.39.1-0.20231214122719-c38f800db203
 knative.dev/hack v0.0.0-20231201014241-7030d5bf584d
 knative.dev/pkg v0.0.0-20231211072236-4914c472e81a
 knative.dev/reconciler-test v0.0.0-20231205070418-c92305962aa8
diff --git a/go.sum b/go.sum
index 7df1436f5a..6e2ad328c1 100644
--- a/go.sum
+++ b/go.sum
@@ -935,8 +935,8 @@ k8s.io/kube-openapi v0.0.0-20230501164219-8b0f38b5fd1f h1:2kWPakN3i/k81b0gvD5C5F
 k8s.io/kube-openapi v0.0.0-20230501164219-8b0f38b5fd1f/go.mod h1:byini6yhqGC14c3ebc/QwanvYwhuMWF6yz2F8uwW8eg=
 k8s.io/utils v0.0.0-20230209194617-a36077c30491 h1:r0BAOLElQnnFhE/ApUsg3iHdVYYPBjNSSOMowRZxxsY=
 k8s.io/utils v0.0.0-20230209194617-a36077c30491/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
-knative.dev/eventing v0.39.1-0.20231212143445-0b45ad82cfd5 h1:gsbWF0/itl6yfamq6NYCy6hXLdDrP3UlSL0w1lSHRuk=
-knative.dev/eventing v0.39.1-0.20231212143445-0b45ad82cfd5/go.mod h1:1KXqyrFfvj1ZTStoDOzIl7mnag+hMY/NxWnl0IJ5adU=
+knative.dev/eventing v0.39.1-0.20231214122719-c38f800db203 h1:gY+CIATxCZhkqPN1OGBn7QAmu0jOYM3eHwEHuntKu2E=
+knative.dev/eventing v0.39.1-0.20231214122719-c38f800db203/go.mod h1:1KXqyrFfvj1ZTStoDOzIl7mnag+hMY/NxWnl0IJ5adU=
 knative.dev/hack v0.0.0-20231201014241-7030d5bf584d h1:IqXY770znXS9tLJDEh+OUcLMgtIFslSxqao3uplpUlY=
 knative.dev/hack v0.0.0-20231201014241-7030d5bf584d/go.mod h1:yk2OjGDsbEnQjfxdm0/HJKS2WqTLEFg/N6nUs6Rqx3Q=
 knative.dev/pkg v0.0.0-20231211072236-4914c472e81a h1:rvQ83jR984Ow/O6Kjo2svp1G09bSfjn+fCvo/rKiEp4=
diff --git a/vendor/knative.dev/eventing/pkg/auth/token_verifier.go b/vendor/knative.dev/eventing/pkg/auth/token_verifier.go
index a37f806001..5571b67f2b 100644
--- a/vendor/knative.dev/eventing/pkg/auth/token_verifier.go
+++ b/vendor/knative.dev/eventing/pkg/auth/token_verifier.go
@@ -151,6 +151,27 @@ func (c *OIDCTokenVerifier) getKubernetesOIDCDiscovery() (*openIDMetadata, error
 return openIdConfig, nil
 }
 
+// VerifyJWTFromRequest will verify the incoming request contains the correct JWT token
+func (tokenVerifier *OIDCTokenVerifier) VerifyJWTFromRequest(ctx context.Context, r *http.Request, audience *string, response http.ResponseWriter) error {
+ token := GetJWTFromHeader(r.Header)
+ if token == "" {
+ response.WriteHeader(http.StatusUnauthorized)
+ return fmt.Errorf("no JWT token found in request")
+ }
+
+ if audience == nil {
+ response.WriteHeader(http.StatusInternalServerError)
+ return fmt.Errorf("no audience is provided")
+ }
+
+ if _, err := tokenVerifier.VerifyJWT(ctx, token, *audience); err != nil {
+ response.WriteHeader(http.StatusUnauthorized)
+ return fmt.Errorf("failed to verify JWT: %w", err)
+ }
+
+ return nil
+}
+
 type openIDMetadata struct {
 Issuer string `json:"issuer"`
 JWKSURI string `json:"jwks_uri"`
diff --git a/vendor/modules.txt b/vendor/modules.txt
index c2973e4af2..458d4a725b 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -1283,7 +1283,7 @@ k8s.io/utils/net
 k8s.io/utils/pointer
 k8s.io/utils/strings/slices
 k8s.io/utils/trace
-# knative.dev/eventing v0.39.1-0.20231212143445-0b45ad82cfd5
+# knative.dev/eventing v0.39.1-0.20231214122719-c38f800db203
 ## explicit; go 1.19
 knative.dev/eventing/cmd/heartbeats
 knative.dev/eventing/pkg/adapter/v2