mt-broker-filter: reject request for wrong audience

[xiangpingjiang]

Fixes #7291

Proposed Changes

• 🎁 If OIDC authentication is enabled, mt-broker-filter will check if the audience of the received token matches the audience of the Triggers Subscription. If not it will respond with a 401

Pre-review Checklist

• At least 80% unit test coverage
• E2E tests for any new behavior
• Docs PR for any user-facing impact
• Spec PR for any new API feature
• Conformance test for any change to the spec

Release Note

Docs

[knative-prow]

Hi @xiangpingjiang. Thanks for your PR.

I'm waiting for a knative member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[codecov]

Codecov Report

Attention: 14 lines in your changes are missing coverage. Please review.

Comparison is base (3fcc78a) 76.70% compared to head (7ec92be) 76.63%.

Files	Patch %	Lines
pkg/broker/filter/filter_handler.go	17.64%	13 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #7427      +/-   ##
==========================================
- Coverage   76.70%   76.63%   -0.08%     
==========================================
  Files         259      259              
  Lines       14254    14270      +16     
==========================================
+ Hits        10934    10936       +2     
- Misses       2765     2778      +13     
- Partials      555      556       +1     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[creydr]

Hello @xiangpingjiang,
thanks for working on this. Do you have an ETA, when this PR is ready for review?

[xiangpingjiang]

Hello @xiangpingjiang, thanks for working on this. Do you have an ETA, when this PR is ready for review?

hello, @creydr
I will try to finish it in the next two weeks.

[creydr]

Hello @xiangpingjiang,
thanks for your work on this PR so far. Is there anything we can help you to finish this?

[xiangpingjiang]

Hello @xiangpingjiang, thanks for your work on this PR so far. Is there anything we can help you to finish this?

hello， @creydr
I saw there was a auth e2e test failed. I tried to run it locally to find the reason. But blocked by ko and Local Registry in kind or minikube.

Is there a way to build the image by docker not by ko ?

[creydr]

hello， @creydr I saw there was a auth e2e test failed. I tried to run it locally to find the reason. But blocked by ko and Local Registry in kind or minikube.

Is there a way to build the image by docker not by ko ?

Hello @xiangpingjiang,
AFAIK there is no direct way without ko (you would need to create a Dockerfile, ...). What are the issues you face? For another repo, we have a kind setup script, which adds a local registry (then available at localhost:5001): https://github.com/knative-extensions/eventing-kafka-broker/blob/main/hack/create-kind-cluster.sh

then you could apply via KO_DOCKER_REPO=localhost:5001 ko apply ...

Edit: you need to update line 51 to:

        "service-account-issuer": "https://kubernetes.default.svc"

[xiangpingjiang]

hello， @creydr I saw there was a auth e2e test failed. I tried to run it locally to find the reason. But blocked by ko and Local Registry in kind or minikube.
Is there a way to build the image by docker not by ko ?

Hello @xiangpingjiang, AFAIK there is no direct way without ko (you would need to create a Dockerfile, ...). What are the issues you face? For another repo, we have a kind setup script, which adds a local registry (then available at localhost:5001): https://github.com/knative-extensions/eventing-kafka-broker/blob/main/hack/create-kind-cluster.sh

then you could apply via KO_DOCKER_REPO=localhost:5001 ko apply ...

Edit: you need to update line 51 to:

        "service-account-issuer": "https://kubernetes.default.svc"

Thanks， I will try that

[creydr]

Hey @xiangpingjiang,
I just went over your PR and saw something, what probably makes the implementation easier.

[creydr]

/ok-to-test

[creydr]

It seems your PR could need a rebase to get the latest changes & fixes from main to have some e2e tests passing here too.

[creydr]

@xiangpingjiang thanks for the update. Can you mark the PR "ready for review", when it's done from your side?

[creydr]

/retest

[creydr]

Thanks a lot @xiangpingjiang for your contribution on this and solving this issue!
👍

/lgtm

[knative-prow]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: creydr, xiangpingjiang

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [creydr]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment