From 36cf0b4cc0fc8c6c11f8abd807c83dc4ddfaf51f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christoph=20St=C3=A4bler?= Date: Fri, 20 Oct 2023 00:33:05 +0200 Subject: [PATCH] Update dependencies (#3412) * Update dependencies * Fix build issue --- go.mod | 4 +- go.sum | 8 +-- test/rekt/resources/kafkasink/kafkasink.go | 2 +- .../eventing/pkg/auth/token_provider.go | 4 +- vendor/knative.dev/eventing/pkg/auth/utils.go | 42 ++++++++++++ .../rekt/resources/addressable/addressable.go | 17 ++++- .../test/rekt/resources/broker/broker.go | 14 +--- .../resources/channel_impl/channel_impl.go | 14 +--- .../pkg/environment/namespace.go | 20 +++++- .../reconciler-test/pkg/eventshub/options.go | 10 +++ .../pkg/eventshub/rbac/100-sa.yaml | 6 ++ .../pkg/eventshub/rbac/101-rbac.yaml | 17 +++++ .../pkg/eventshub/rbac/rbac.go | 27 +++++++- .../pkg/eventshub/receiver/receiver.go | 67 ++++++++++++++++++- .../reconciler-test/pkg/eventshub/utils.go | 1 + .../reconciler-test/pkg/feature/feature.go | 4 ++ .../reconciler-test/pkg/feature/logging.go | 18 ++++- vendor/modules.txt | 4 +- 18 files changed, 235 insertions(+), 44 deletions(-) create mode 100644 vendor/knative.dev/eventing/pkg/auth/utils.go diff --git a/go.mod b/go.mod index 873ca9a3a2..912c627be0 100644 --- a/go.mod +++ b/go.mod @@ -35,10 +35,10 @@ require ( k8s.io/apiserver v0.27.6 k8s.io/client-go v0.27.6 k8s.io/utils v0.0.0-20230209194617-a36077c30491 - knative.dev/eventing v0.38.1-0.20231017050713-f9314d883fc0 + knative.dev/eventing v0.38.1-0.20231019094926-16d75a980703 knative.dev/hack v0.0.0-20231016131700-2c938d4918da knative.dev/pkg v0.0.0-20231017113806-d6ab72900ea5 - knative.dev/reconciler-test v0.0.0-20231017131250-999d077826b7 + knative.dev/reconciler-test v0.0.0-20231019092754-317033b0f02e sigs.k8s.io/controller-runtime v0.12.3 sigs.k8s.io/yaml v1.3.0 ) diff --git a/go.sum b/go.sum index c2c714fcd8..4168b4428d 100644 --- a/go.sum +++ b/go.sum 
@@ -1251,14 +1251,14 @@ k8s.io/utils v0.0.0-20200912215256-4140de9c8800/go.mod h1:jPW/WVKK9YHAvNhRxK0md/ k8s.io/utils v0.0.0-20210819203725-bdf08cb9a70a/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= k8s.io/utils v0.0.0-20230209194617-a36077c30491 h1:r0BAOLElQnnFhE/ApUsg3iHdVYYPBjNSSOMowRZxxsY= k8s.io/utils v0.0.0-20230209194617-a36077c30491/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= -knative.dev/eventing v0.38.1-0.20231017050713-f9314d883fc0 h1:CKeg+12rcm3FhN/MYcbe/EDVScgXjhWObnGxrjeOOVw= -knative.dev/eventing v0.38.1-0.20231017050713-f9314d883fc0/go.mod h1:Ug/SwaXMZVkP17peh2SvKA6I3FSjd8RrXdJuJNyBS2Y= +knative.dev/eventing v0.38.1-0.20231019094926-16d75a980703 h1:JvAE5DCPfOD8Wa8IhrNNOQ0eaSWfQb5Rv+UZ6G8+MLg= +knative.dev/eventing v0.38.1-0.20231019094926-16d75a980703/go.mod h1:swWS48qpCQbBkj+2iS0rVa7PbQBWLD9YAy3CSHfevaU= knative.dev/hack v0.0.0-20231016131700-2c938d4918da h1:xy+fvuz2LDOMsZ5UwXRaMF70NYUs9fsG+EF5/ierYBg= knative.dev/hack v0.0.0-20231016131700-2c938d4918da/go.mod h1:yk2OjGDsbEnQjfxdm0/HJKS2WqTLEFg/N6nUs6Rqx3Q= knative.dev/pkg v0.0.0-20231017113806-d6ab72900ea5 h1:9AvFZdEtuwKWDcTV1VSwmrgrRR9f38wbIAm+sNwLivQ= knative.dev/pkg v0.0.0-20231017113806-d6ab72900ea5/go.mod h1:HHRXEd7ZlFpthgE+rwAZ6MUVnuJOAeolnaFSthXloUQ= -knative.dev/reconciler-test v0.0.0-20231017131250-999d077826b7 h1:zcFdS5167SauAvKmmPPUmXJtUxlBdKUWmO/a+F67+IM= -knative.dev/reconciler-test v0.0.0-20231017131250-999d077826b7/go.mod h1:0jsKqMXLCIQNdceLuL2SL1LaAZSFtqUY7cLyHt0V2xY= +knative.dev/reconciler-test v0.0.0-20231019092754-317033b0f02e h1:lNnU34Bh3xXekvIcpt7fb2GM9XZI1ihoxVHMv4YTuag= +knative.dev/reconciler-test v0.0.0-20231019092754-317033b0f02e/go.mod h1:0jsKqMXLCIQNdceLuL2SL1LaAZSFtqUY7cLyHt0V2xY= pgregory.net/rapid v1.1.0 h1:CMa0sjHSru3puNx+J0MIAuiiEV4N0qj8/cMWGBBCsjw= rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8= rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0= 
diff --git a/test/rekt/resources/kafkasink/kafkasink.go b/test/rekt/resources/kafkasink/kafkasink.go index 67341f1c64..158eeae2e1 100644 --- a/test/rekt/resources/kafkasink/kafkasink.go +++ b/test/rekt/resources/kafkasink/kafkasink.go @@ -103,7 +103,7 @@ func Address(ctx context.Context, name string, timings ...time.Duration) (*duckv } // ValidateAddress validates the address retured by Address -func ValidateAddress(name string, validate addressable.ValidateAddress, timings ...time.Duration) feature.StepFn { +func ValidateAddress(name string, validate addressable.ValidateAddressFn, timings ...time.Duration) feature.StepFn { return func(ctx context.Context, t feature.T) { addr, err := Address(ctx, name, timings...) if err != nil { diff --git a/vendor/knative.dev/eventing/pkg/auth/token_provider.go b/vendor/knative.dev/eventing/pkg/auth/token_provider.go index dcff66eb42..d35a6e29f7 100644 --- a/vendor/knative.dev/eventing/pkg/auth/token_provider.go +++ b/vendor/knative.dev/eventing/pkg/auth/token_provider.go @@ -32,7 +32,7 @@ import ( ) const ( - expirationBufferTime = time.Second * 30 + expirationBufferTime = 5 * time.Minute ) type OIDCTokenProvider struct { @@ -73,7 +73,7 @@ func (c *OIDCTokenProvider) GetJWT(serviceAccount types.NamespacedName, audience return "", fmt.Errorf("could not request a token for %s: %w", serviceAccount, err) } - // we need a duration until this token expires, use the expiry time - (now + 30s) + // we need a duration until this token expires, use the expiry time - (now + 5min) // this gives us a buffer so that it doesn't expire between when we retrieve it and when we use it expiryTtl := tokenRequestResponse.Status.ExpirationTimestamp.Time.Sub(time.Now().Add(expirationBufferTime)) diff --git a/vendor/knative.dev/eventing/pkg/auth/utils.go b/vendor/knative.dev/eventing/pkg/auth/utils.go new file mode 100644 index 0000000000..0f52c34364 --- /dev/null +++ b/vendor/knative.dev/eventing/pkg/auth/utils.go 
@@ -0,0 +1,42 @@
+/*
+Copyright 2023 The Knative Authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package auth
+
+import (
+ "fmt"
+ "net/http"
+ "strings"
+)
+
+const (
+ AuthHeaderKey = "Authorization"
+)
+
+// GetJWTFromHeader Returns the JWT from the Authorization header
+func GetJWTFromHeader(header http.Header) string {
+ authHeader := header.Get(AuthHeaderKey)
+ if authHeader == "" {
+ return ""
+ }
+
+ return strings.TrimPrefix(authHeader, "Bearer ")
+}
+
+// SetAuthHeader sets Authorization header with the given JWT
+func SetAuthHeader(jwt string, header http.Header) {
+ header.Set(AuthHeaderKey, fmt.Sprintf("Bearer %s", jwt))
+}
diff --git a/vendor/knative.dev/eventing/test/rekt/resources/addressable/addressable.go b/vendor/knative.dev/eventing/test/rekt/resources/addressable/addressable.go
index 0c2877b596..0212822644 100644
--- a/vendor/knative.dev/eventing/test/rekt/resources/addressable/addressable.go
+++ b/vendor/knative.dev/eventing/test/rekt/resources/addressable/addressable.go
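Review bot: `GetJWTFromHeader` returns the whole header value when the scheme is not `Bearer`, because `strings.TrimPrefix` is a no-op in that case, so a caller cannot distinguish a malformed or differently-schemed credential from a token; add `if !strings.HasPrefix(authHeader, "Bearer ") { return "" }` before the trim, or document that the value is then returned untouched. The doc comment also reads "GetJWTFromHeader Returns", which is not Go doc style; `// GetJWTFromHeader returns the JWT carried in the Authorization header, or "" when the header is absent.` would be conventional. This is a vendored copy of knative.dev/eventing, so the change belongs upstream.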
@@ -25,10 +25,11 @@ import ( "k8s.io/apimachinery/pkg/runtime/schema" "k8s.io/apimachinery/pkg/util/wait" duckv1 "knative.dev/pkg/apis/duck/v1" + "knative.dev/reconciler-test/pkg/feature" "knative.dev/reconciler-test/pkg/k8s" ) -type ValidateAddress func(addressable *duckv1.Addressable) error +type ValidateAddressFn func(addressable *duckv1.Addressable) error // Address returns a broker's address. func Address(ctx context.Context, gvr schema.GroupVersionResource, name string, timings ...time.Duration) (*duckv1.Addressable, error) { @@ -55,6 +56,20 @@ func Address(ctx context.Context, gvr schema.GroupVersionResource, name string, return addr, err } +func ValidateAddress(gvr schema.GroupVersionResource, name string, validate ValidateAddressFn, timings ...time.Duration) feature.StepFn { + return func(ctx context.Context, t feature.T) { + addr, err := Address(ctx, gvr, name, timings...) + if err != nil { + t.Error(err) + return + } + if err := validate(addr); err != nil { + t.Error(err) + return + } + } +} + func AssertHTTPSAddress(addr *duckv1.Addressable) error { if addr.URL.Scheme != "https" { return fmt.Errorf("address is not HTTPS: %#v", addr) diff --git a/vendor/knative.dev/eventing/test/rekt/resources/broker/broker.go b/vendor/knative.dev/eventing/test/rekt/resources/broker/broker.go index 06dd93eb8f..4607847a75 100644 --- a/vendor/knative.dev/eventing/test/rekt/resources/broker/broker.go +++ b/vendor/knative.dev/eventing/test/rekt/resources/broker/broker.go 
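Review bot: The new exported `ValidateAddress` in addressable.go has no doc comment, while `AssertHTTPSAddress` below it and the broker/channel_impl wrappers that now delegate to it do; add `// ValidateAddress returns a StepFn that resolves the address of the gvr/name resource via Address and fails the step with any error returned by validate.` above the func. Since the func type was renamed to `ValidateAddressFn` in the same change, the comment should make clear that `ValidateAddress` (the step) and `ValidateAddressFn` (the callback) are distinct. This is a vendored copy of knative.dev/eventing, so the wording belongs upstream.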
@@ -160,18 +160,8 @@ func IsAddressable(name string, timings ...time.Duration) feature.StepFn { } // ValidateAddress validates the address retured by Address -func ValidateAddress(name string, validate addressable.ValidateAddress, timings ...time.Duration) feature.StepFn { - return func(ctx context.Context, t feature.T) { - addr, err := Address(ctx, name, timings...) - if err != nil { - t.Error(err) - return - } - if err := validate(addr); err != nil { - t.Error(err) - return - } - } +func ValidateAddress(name string, validate addressable.ValidateAddressFn, timings ...time.Duration) feature.StepFn { + return addressable.ValidateAddress(GVR(), name, validate, timings...) } // Address returns a broker's address. diff --git a/vendor/knative.dev/eventing/test/rekt/resources/channel_impl/channel_impl.go b/vendor/knative.dev/eventing/test/rekt/resources/channel_impl/channel_impl.go index b7a08d2b9b..9f5ce5df9d 100644 --- a/vendor/knative.dev/eventing/test/rekt/resources/channel_impl/channel_impl.go +++ b/vendor/knative.dev/eventing/test/rekt/resources/channel_impl/channel_impl.go @@ -174,16 +174,6 @@ func AsDestinationRef(name string) *duckv1.Destination { var WithDeadLetterSink = delivery.WithDeadLetterSink // ValidateAddress validates the address retured by Address -func ValidateAddress(name string, validate addressable.ValidateAddress, timings ...time.Duration) feature.StepFn { - return func(ctx context.Context, t feature.T) { - addr, err := Address(ctx, name, timings...) - if err != nil { - t.Error(err) - return - } - if err := validate(addr); err != nil { - t.Error(err) - return - } - } +func ValidateAddress(name string, validate addressable.ValidateAddressFn, timings ...time.Duration) feature.StepFn { + return addressable.ValidateAddress(GVR(), name, validate, timings...) } diff --git a/vendor/knative.dev/reconciler-test/pkg/environment/namespace.go b/vendor/knative.dev/reconciler-test/pkg/environment/namespace.go index 18c73c8e10..939f382eec 100644 
--- a/vendor/knative.dev/reconciler-test/pkg/environment/namespace.go +++ b/vendor/knative.dev/reconciler-test/pkg/environment/namespace.go @@ -122,12 +122,26 @@ func (mr *MagicEnvironment) CreateNamespaceIfNeeded() error { return fmt.Errorf("error copying the image pull Secret: %s", err) } - _, err = c.CoreV1().ServiceAccounts(mr.namespace).Patch(context.Background(), sa.Name, types.StrategicMergePatchType, - []byte(`{"imagePullSecrets":[{"name":"`+mr.imagePullSecretName+`"}]}`), metav1.PatchOptions{}) + for _, secret := range sa.ImagePullSecrets { + if secret.Name == mr.imagePullSecretName { + return nil + } + } + + // Prevent overwriting existing imagePullSecrets + patch := `[{"op":"add","path":"/imagePullSecrets/-","value":{"name":"` + mr.imagePullSecretName + `"}}]` + if len(sa.ImagePullSecrets) == 0 { + patch = `[{"op":"add","path":"/imagePullSecrets","value":[{"name":"` + mr.imagePullSecretName + `"}]}]` + } + + _, err = c.CoreV1().ServiceAccounts(mr.namespace).Patch(context.Background(), sa.Name, types.JSONPatchType, + []byte(patch), metav1.PatchOptions{}) if err != nil { - return fmt.Errorf("patch failed on NS/SA (%s/%s): %s", mr.namespace, sa.Name, err) + return fmt.Errorf("patch failed on NS/SA (%s/%s): %w", + mr.namespace, sa.Name, err) } } + return nil } diff --git a/vendor/knative.dev/reconciler-test/pkg/eventshub/options.go b/vendor/knative.dev/reconciler-test/pkg/eventshub/options.go index 0abedbc7f0..b967941edc 100644 --- a/vendor/knative.dev/reconciler-test/pkg/eventshub/options.go +++ b/vendor/knative.dev/reconciler-test/pkg/eventshub/options.go 
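Review bot: The JSON patch is assembled by string concatenation around `mr.imagePullSecretName`, so a name containing `"` or `\` yields an invalid document and the Patch call fails with an opaque apiserver error; marshalling the operations with `encoding/json` removes that failure mode and the two hand-written literals. The early `return nil` for a secret that is already attached and the switch to `%w` are both improvements. This is a vendored copy of knative.dev/reconciler-test, so the change belongs upstream, and an `encoding/json` import is needed if the file does not already have one; CreateNamespaceIfNeeded starts outside the hunk.
```go
// … unchanged: lookup of the ServiceAccount, copy of the pull Secret, already-attached check …
ref := map[string]string{"name": mr.imagePullSecretName}
op := map[string]interface{}{"op": "add", "path": "/imagePullSecrets/-", "value": ref}
if len(sa.ImagePullSecrets) == 0 {
	op = map[string]interface{}{"op": "add", "path": "/imagePullSecrets", "value": []map[string]string{ref}}
}
patch, err := json.Marshal([]map[string]interface{}{op})
if err != nil {
	return fmt.Errorf("encoding imagePullSecrets patch for NS/SA (%s/%s): %w", mr.namespace, sa.Name, err)
}
_, err = c.CoreV1().ServiceAccounts(mr.namespace).Patch(context.Background(), sa.Name, types.JSONPatchType,
	patch, metav1.PatchOptions{})
// … unchanged: error handling and return nil …
```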
@@ -202,6 +202,11 @@ func DropEventsResponseHeaders(headers map[string]string) EventsHubOption { ) } +// OIDCReceiverAudience sets the expected audience for received OIDC tokens on the receiver side +func OIDCReceiverAudience(aud string) EventsHubOption { + return compose(envOption(OIDCReceiverAudienceEnv, aud), envOIDCEnabled()) +} + // --- Sender options // InitialSenderDelay defines how much the sender has to wait (in millisecond), when started, before start sending events. @@ -283,6 +288,11 @@ func OIDCInvalidAudience() EventsHubOption { return compose(envOption(OIDCGenerateInvalidAudienceTokenEnv, "true"), envOIDCEnabled()) } +// OIDCSinkAudience sets the Audience of the Sink +func OIDCSinkAudience(aud string) EventsHubOption { + return oidcSinkAudience(&aud) +} + func oidcSinkAudience(aud *string) EventsHubOption { if aud != nil && *aud != "" { // if the sink has an audience set, we enable OIDC to get a token added diff --git a/vendor/knative.dev/reconciler-test/pkg/eventshub/rbac/100-sa.yaml b/vendor/knative.dev/reconciler-test/pkg/eventshub/rbac/100-sa.yaml index f86b523942..2cafc9ab1b 100644 --- a/vendor/knative.dev/reconciler-test/pkg/eventshub/rbac/100-sa.yaml +++ b/vendor/knative.dev/reconciler-test/pkg/eventshub/rbac/100-sa.yaml @@ -17,3 +17,9 @@ kind: ServiceAccount metadata: name: {{ .name }} namespace: {{ .namespace }} +{{ if .withPullSecrets }} +imagePullSecrets: + {{ range $_, $value := .withPullSecrets.secrets }} + - name: {{ $value }} + {{ end }} +{{ end }} diff --git a/vendor/knative.dev/reconciler-test/pkg/eventshub/rbac/101-rbac.yaml b/vendor/knative.dev/reconciler-test/pkg/eventshub/rbac/101-rbac.yaml index dffe43896d..4da74ec900 100644 --- a/vendor/knative.dev/reconciler-test/pkg/eventshub/rbac/101-rbac.yaml +++ b/vendor/knative.dev/reconciler-test/pkg/eventshub/rbac/101-rbac.yaml 
@@ -45,3 +45,20 @@ subjects: - kind: ServiceAccount name: {{ .name }} namespace: {{ .namespace }} + +{{ if and .withOIDCAuth .isReceiver }} + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ .name }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: system:auth-delegator # e.g. to do a token review +subjects: + - kind: ServiceAccount + name: {{ .name }} + namespace: {{ .namespace }} +{{ end }} diff --git a/vendor/knative.dev/reconciler-test/pkg/eventshub/rbac/rbac.go b/vendor/knative.dev/reconciler-test/pkg/eventshub/rbac/rbac.go index de8a2cfbde..5c7494231a 100644 --- a/vendor/knative.dev/reconciler-test/pkg/eventshub/rbac/rbac.go +++ b/vendor/knative.dev/reconciler-test/pkg/eventshub/rbac/rbac.go @@ -21,6 +21,9 @@ import ( "embed" apierrors "k8s.io/apimachinery/pkg/api/errors" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + kubeclient "knative.dev/pkg/client/injection/kube/client" + "knative.dev/reconciler-test/pkg/environment" "knative.dev/reconciler-test/pkg/feature" "knative.dev/reconciler-test/pkg/manifest" 
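Review bot: The ClusterRoleBinding added for OIDC receivers is cluster-scoped but named only `{{ .name }}`, so two test namespaces that install a receiver under the same name collide; because Install treats AlreadyExists as success, the second receiver's ServiceAccount silently ends up without the binding and its TokenReview calls fail with a permission error. Qualify the name with the namespace, e.g. `name: {{ .name }}-{{ .namespace }}`. Unlike the namespaced objects above it, this binding is not removed with the test namespace, so the environment's cleanup needs to delete it explicitly or `system:auth-delegator` grants accumulate across runs; gating it on `and .withOIDCAuth .isReceiver` is the right scope.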
@@ -30,11 +33,33 @@ import (
 var templates embed.FS
 
 // Install creates the necessary ServiceAccount, Role, RoleBinding for the eventshub.
-// The resources are named according to the current namespace defined in the environment.
 func Install(cfg map[string]interface{}) feature.StepFn {
 return func(ctx context.Context, t feature.T) {
+ WithPullSecrets(ctx, t)(cfg)
 if _, err := manifest.InstallYamlFS(ctx, templates, cfg); err != nil && !apierrors.IsAlreadyExists(err) {
 t.Fatal(err)
 }
 }
 }
+
+func WithPullSecrets(ctx context.Context, t feature.T) manifest.CfgFn {
+ namespace := environment.FromContext(ctx).Namespace()
+ serviceAccount, err := kubeclient.Get(ctx).CoreV1().ServiceAccounts(namespace).Get(ctx, "default", metav1.GetOptions{})
+ if err != nil {
+ t.Fatalf("Failed to read default SA in %s namespace: %v", namespace, err)
+ }
+
+ return func(cfg map[string]interface{}) {
+ if len(serviceAccount.ImagePullSecrets) == 0 {
+ return
+ }
+ if _, set := cfg["withPullSecrets"]; !set {
+ cfg["withPullSecrets"] = map[string]interface{}{}
+ }
+ withPullSecrets := cfg["withPullSecrets"].(map[string]interface{})
+ withPullSecrets["secrets"] = []string{}
+ for _, secret := range serviceAccount.ImagePullSecrets {
+ withPullSecrets["secrets"] = append(withPullSecrets["secrets"].([]string), secret.Name)
+ }
+ }
+}
diff --git a/vendor/knative.dev/reconciler-test/pkg/eventshub/receiver/receiver.go b/vendor/knative.dev/reconciler-test/pkg/eventshub/receiver/receiver.go
index 5cff1cfd7c..35aeb73dc9 100644
--- a/vendor/knative.dev/reconciler-test/pkg/eventshub/receiver/receiver.go
+++ b/vendor/knative.dev/reconciler-test/pkg/eventshub/receiver/receiver.go
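Review bot: `cfg["withPullSecrets"].(map[string]interface{})` in WithPullSecrets is an unchecked assertion that panics if a caller stored a value of another type under that key, and the loop re-asserts and re-stores the `[]string` on every secret; build the slice once and use a two-value assertion. The exported `WithPullSecrets` has no doc comment and `t.Fatalf`s when the `default` ServiceAccount cannot be read at construction time rather than when the returned CfgFn runs, which a caller other than Install would not expect; a comment stating both would help. The line "The resources are named according to the current namespace defined in the environment" was dropped from Install's doc without a replacement, although the namespace still comes from the environment. This is a vendored copy of knative.dev/reconciler-test, so the fix belongs upstream.
```go
func WithPullSecrets(ctx context.Context, t feature.T) manifest.CfgFn {
	// … unchanged: lookup of the default ServiceAccount in the environment namespace …

	return func(cfg map[string]interface{}) {
		if len(serviceAccount.ImagePullSecrets) == 0 {
			return
		}
		secrets := make([]string, 0, len(serviceAccount.ImagePullSecrets))
		for _, secret := range serviceAccount.ImagePullSecrets {
			secrets = append(secrets, secret.Name)
		}
		withPullSecrets, ok := cfg["withPullSecrets"].(map[string]interface{})
		if !ok {
			withPullSecrets = map[string]interface{}{}
			cfg["withPullSecrets"] = withPullSecrets
		}
		withPullSecrets["secrets"] = secrets
	}
}
```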
@@ -29,10 +29,14 @@ import ( cloudeventshttp "github.com/cloudevents/sdk-go/v2/protocol/http" "github.com/kelseyhightower/envconfig" "go.uber.org/zap" + authv1 "k8s.io/api/authentication/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/client-go/kubernetes" "knative.dev/pkg/logging" "knative.dev/reconciler-test/pkg/eventshub" + kubeclient "knative.dev/pkg/client/injection/kube/client" "knative.dev/reconciler-test/pkg/eventshub/dropevents" ) @@ -53,6 +57,9 @@ type Receiver struct { skipResponseHeaders map[string]string skipResponseBody string EnforceTLS bool + oidcAudience string + + kubeclient kubernetes.Interface } type envConfig struct { @@ -62,6 +69,9 @@ type envConfig struct { // EnforceTLS is used to enforce TLS. EnforceTLS bool `envconfig:"ENFORCE_TLS" default:"false"` + // OIDCAudience is the audience required for OIDC tokens reaching the receiver + OIDCAudience string `envconfig:"OIDC_AUDIENCE" default:""` + // ResponseWaitTime is the seconds to wait for the eventshub to write any response ResponseWaitTime int `envconfig:"RESPONSE_WAIT_TIME" default:"0" required:"false"` @@ -143,6 +153,8 @@ func NewFromEnv(ctx context.Context, eventLogs *eventshub.EventLogs) *Receiver { skipResponseCode: env.SkipResponseCode, skipResponseBody: env.SkipResponseBody, skipResponseHeaders: env.SkipResponseHeaders, + oidcAudience: env.OIDCAudience, + kubeclient: kubeclient.Get(ctx), } } @@ -206,9 +218,18 @@ func (o *Receiver) ServeHTTP(writer http.ResponseWriter, request *http.Request) return } + var statusCode int var rejectErr error if o.EnforceTLS && !isTLS(request) { rejectErr = fmt.Errorf("failed to enforce TLS connection for request %s", request.URL.String()) + statusCode = http.StatusBadRequest + } + + if o.oidcAudience != "" { + if err := o.validateJWT(request); err != nil { + rejectErr = err + statusCode = http.StatusUnauthorized + } } m := cloudeventshttp.NewMessageFromHttpRequest(request) 
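Review bot: When `EnforceTLS` has already rejected the request, the OIDC branch still runs and overwrites both `rejectErr` and `statusCode`, so a plaintext request is reported as 401 instead of 400 and a token received over an unverified connection is still forwarded to the API server for review; guard the second check with `if o.oidcAudience != "" && rejectErr == nil {`. The `kubeclient` field is only populated by `NewFromEnv`, so a `Receiver` built any other way would nil-dereference in `validateJWT` once an audience is set; if other constructors exist, the field needs a doc comment saying it is required. ServeHTTP continues past this hunk.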
@@ -244,6 +265,10 @@ func (o *Receiver) ServeHTTP(writer http.ResponseWriter, request *http.Request) s = atomic.AddUint64(&o.seq, 1) } + if shouldSkip { + statusCode = o.skipResponseCode + } + eventInfo := eventshub.EventInfo{ Error: errString, Event: event, @@ -254,6 +279,7 @@ func (o *Receiver) ServeHTTP(writer http.ResponseWriter, request *http.Request) Sequence: s, Kind: kind, Connection: eventshub.TLSConnectionStateToConnection(request.TLS), + StatusCode: statusCode, } if err := o.EventLogs.Vent(eventInfo); err != nil { 
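Review bot: `statusCode` stays 0 on the path that is neither rejected nor skipped, so the `StatusCode` now recorded in `EventInfo` is 0 for every successfully replied event even though `o.replyFunc` writes a real status; either populate it from the reply (presumably via a recording ResponseWriter, since replyFunc is outside this hunk) or comment the field as `// StatusCode is only set for rejected and skipped requests` so consumers of the event log do not treat 0 as a real response. ServeHTTP starts and ends outside this hunk.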
@@ -269,19 +295,56 @@ func (o *Receiver) ServeHTTP(writer http.ResponseWriter, request *http.Request)
 for headerKey, headerValue := range o.skipResponseHeaders {
 writer.Header().Set(headerKey, headerValue)
 }
- writer.WriteHeader(http.StatusBadRequest)
+
+ writer.WriteHeader(statusCode)
 } else if shouldSkip {
 // Trigger a redelivery
 for headerKey, headerValue := range o.skipResponseHeaders {
 writer.Header().Set(headerKey, headerValue)
 }
- writer.WriteHeader(o.skipResponseCode)
+
+ writer.WriteHeader(statusCode)
 _, _ = writer.Write([]byte(o.skipResponseBody))
 } else {
 o.replyFunc(o.ctx, writer, eventInfo)
 }
 }
 
+func (o *Receiver) validateJWT(request *http.Request) error {
+ authHeader := request.Header.Get("Authorization")
+ if authHeader == "" {
+ return fmt.Errorf("could not get Authorization header")
+ }
+
+ token := strings.TrimPrefix(authHeader, "Bearer ")
+ if len(token) == len(authHeader) {
+ return fmt.Errorf("could not get Bearer token from header")
+ }
+
+ tokenReview, err := o.kubeclient.AuthenticationV1().TokenReviews().Create(o.ctx, &authv1.TokenReview{
+ Spec: authv1.TokenReviewSpec{
+ Token: token,
+ Audiences: []string{
+ o.oidcAudience,
+ },
+ },
+ }, metav1.CreateOptions{})
+
+ if err != nil {
+ return fmt.Errorf("could not get token review: %w", err)
+ }
+
+ if err := tokenReview.Status.Error; err != "" {
+ return fmt.Errorf(err)
+ }
+
+ if !tokenReview.Status.Authenticated {
+ return fmt.Errorf("user not authenticated")
+ }
+
+ return nil
+}
+
 func isTLS(request *http.Request) bool {
 return request.TLS != nil && request.TLS.HandshakeComplete && !eventshub.IsInsecureCipherSuite(request.TLS)
 }
diff --git a/vendor/knative.dev/reconciler-test/pkg/eventshub/utils.go b/vendor/knative.dev/reconciler-test/pkg/eventshub/utils.go
index 4de5e1bc6d..b136c0f6c4 100644
--- a/vendor/knative.dev/reconciler-test/pkg/eventshub/utils.go
+++ b/vendor/knative.dev/reconciler-test/pkg/eventshub/utils.go
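Review bot: `return fmt.Errorf(err)` in validateJWT uses the TokenReview status message as the format string, so a `%` in the API server's text is misinterpreted and go vet's printf check flags the line; write `return fmt.Errorf("token review failed: %s", err)` (renaming the shadowing string to e.g. `msg` keeps the outer `err` readable). Since only `Status.Authenticated` is checked, any token the cluster accepts for `o.oidcAudience` is admitted regardless of its subject, which is presumably intended for a test receiver but deserves a one-line comment so the function is not copied as-is into a production handler. The `Bearer ` prefix comparison is case-sensitive; if senders other than eventshub are expected, compare the scheme case-insensitively. The bearer token itself is never logged, which is right.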
@@ -43,6 +43,7 @@ const ( OIDCGenerateInvalidAudienceTokenEnv = "OIDC_GENERATE_INVALID_AUDIENCE_TOKEN" OIDCGenerateCorruptedSignatureTokenEnv = "OIDC_GENERATE_CORRUPTED_SIG_TOKEN" OIDCSinkAudienceEnv = "OIDC_SINK_AUDIENCE" + OIDCReceiverAudienceEnv = "OIDC_AUDIENCE" OIDCTokenEnv = "OIDC_TOKEN" EnforceTLS = "ENFORCE_TLS" diff --git a/vendor/knative.dev/reconciler-test/pkg/feature/feature.go b/vendor/knative.dev/reconciler-test/pkg/feature/feature.go index 1c4aef8738..4113bc3d0d 100644 --- a/vendor/knative.dev/reconciler-test/pkg/feature/feature.go +++ b/vendor/knative.dev/reconciler-test/pkg/feature/feature.go @@ -227,6 +227,8 @@ func DeleteResources(ctx context.Context, t T, refs []corev1.ObjectReference) er } } + var lastResource corev1.ObjectReference // One still present resource + err := wait.Poll(time.Second, 4*time.Minute, func() (bool, error) { for _, ref := range refs { gv, err := schema.ParseGroupVersion(ref.APIVersion) @@ -248,6 +250,7 @@ func DeleteResources(ctx context.Context, t T, refs []corev1.ObjectReference) er return false, fmt.Errorf("failed to get resource %+v %s/%s: %w", resource, ref.Namespace, ref.Name, err) } + lastResource = ref t.Logf("Resource %+v %s/%s still present", resource, ref.Namespace, ref.Name) return false, nil } @@ -255,6 +258,7 @@ func DeleteResources(ctx context.Context, t T, refs []corev1.ObjectReference) er return true, nil }) if err != nil { + LogReferences(lastResource)(ctx, t) return fmt.Errorf("failed to wait for resources to be deleted: %v", err) } diff --git a/vendor/knative.dev/reconciler-test/pkg/feature/logging.go b/vendor/knative.dev/reconciler-test/pkg/feature/logging.go index cbbc572e06..2261e30886 100644 --- a/vendor/knative.dev/reconciler-test/pkg/feature/logging.go +++ b/vendor/knative.dev/reconciler-test/pkg/feature/logging.go 
@@ -26,6 +26,7 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/runtime/schema" "knative.dev/pkg/apis" + kubeclient "knative.dev/pkg/client/injection/kube/client" "knative.dev/pkg/injection/clients/dynamicclient" ) @@ -62,13 +63,26 @@ func logReference(ref corev1.ObjectReference) StepFn { return } - b, err := json.MarshalIndent(r, "", " ") + b, err := json.MarshalIndent(r, "", " ") if err != nil { t.Logf("Failed to marshal %s: %v\n", resourceStr, err) return } - t.Logf("%s\n%s", resourceStr, string(b)) + // Get events for the given resource + events, _ := kubeclient.Get(ctx).EventsV1(). + Events(ref.Namespace). + List(ctx, metav1.ListOptions{ + TypeMeta: metav1.TypeMeta{ + Kind: ref.Kind, + APIVersion: ref.APIVersion, + }, + FieldSelector: fmt.Sprintf("involvedObject.name=%s", ref.Name), + Limit: 50, + }) + eBytes, _ := json.MarshalIndent(events, "", " ") + + t.Logf("%s\n%s\nEvents:\n%s\n", resourceStr, string(b), string(eBytes)) // Recursively log owners for _, or := range r.GetOwnerReferences() { diff --git a/vendor/modules.txt b/vendor/modules.txt index 5ff7d7be6f..86118fec42 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -1302,7 +1302,7 @@ k8s.io/utils/net k8s.io/utils/pointer k8s.io/utils/strings/slices k8s.io/utils/trace -# knative.dev/eventing v0.38.1-0.20231017050713-f9314d883fc0 +# knative.dev/eventing v0.38.1-0.20231019094926-16d75a980703 ## explicit; go 1.19 knative.dev/eventing/cmd/event_display knative.dev/eventing/cmd/heartbeats @@ -1581,7 +1581,7 @@ knative.dev/pkg/webhook/json knative.dev/pkg/webhook/resourcesemantics knative.dev/pkg/webhook/resourcesemantics/defaulting knative.dev/pkg/webhook/resourcesemantics/validation -# knative.dev/reconciler-test v0.0.0-20231017131250-999d077826b7 +# knative.dev/reconciler-test v0.0.0-20231019092754-317033b0f02e ## explicit; go 1.20 knative.dev/reconciler-test/cmd/eventshub knative.dev/reconciler-test/pkg/environment
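Review bot: Both errors on the new event lookup in logReference are discarded with `_`, and `metav1.ListOptions.TypeMeta` does not filter the listed events by the referenced object's kind (it describes the options object itself), so the `involvedObject.name` selector alone can also return events of a differently-kinded object with the same name. Put the kind in the selector, `FieldSelector: fmt.Sprintf("involvedObject.kind=%s,involvedObject.name=%s", ref.Kind, ref.Name)`, and `t.Logf` the List error instead of dropping it, since a silently empty event list is exactly what makes a stuck-deletion diagnosis harder; whether the events.k8s.io/v1 endpoint of the cluster in use accepts that selector should be confirmed. The added `kubeclient` import sits between the k8s and dynamicclient groups rather than in sorted order. logReference starts outside the hunk.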