
Refactor the code that rejects for wrong audience #7487

@Leo6Leo

Description

@Leo6Leo

Currently there are several places that each independently validate the OIDC token (and its audience) of an incoming request, with near-identical copy-pasted logic. For example:

/// Here we do the OIDC audience verification
// The check is gated on the OIDC feature flag: when the flag is off the
// request proceeds with no token check at all (see the else branch below).
features := feature.FromContext(ctx)
if features.IsOIDCAuthentication() {
r.logger.Debug("OIDC authentication is enabled")
token := auth.GetJWTFromHeader(request.Header)
if token == "" {
// Missing credential -> 401. The log line names the header and the feature
// flag only; the token value itself is never logged.
r.logger.Warn(fmt.Sprintf("No JWT in %s header provided while feature %s is enabled", auth.AuthHeaderKey, feature.OIDCAuthentication))
response.WriteHeader(nethttp.StatusUnauthorized)
return
}
// r.audience is the audience this receiver accepts; VerifyJWT is expected
// to reject tokens minted for any other audience (not visible here -- see
// the verifier implementation). The verified claims are discarded; only
// the error is consulted.
if _, err := r.tokenVerifier.VerifyJWT(ctx, token, r.audience); err != nil {
// The verification failure reason stays in the log; the client only sees 401.
r.logger.Warn("no valid JWT provided", zap.Error(err))
response.WriteHeader(nethttp.StatusUnauthorized)
return
}
r.logger.Debug("Request contained a valid JWT. Continuing...")
} else {
r.logger.Debug("OIDC authentication is disabled")
}

// Same gate as the other call sites: no OIDC feature flag, no token check.
features := feature.FromContext(ctx)
if features.IsOIDCAuthentication() {
h.Logger.Debug("OIDC authentication is enabled")
// The expected audience is per-broker and comes from the broker's status.
// A nil audience with the feature enabled is a server-side misconfiguration,
// so this fails closed with 500 rather than 401 -- the request is never let
// through without an audience to verify against.
if broker.Status.Address.Audience == nil {
// NOTE(review): the "%s/%s" arguments are (Name, Namespace); the usual
// Kubernetes convention is namespace/name -- worth checking when this
// code is consolidated.
h.Logger.Warn(fmt.Sprintf("Audience of broker %s/%s must not be nil, while feature %s is enabled", broker.Name, broker.Namespace, feature.OIDCAuthentication))
writer.WriteHeader(http.StatusInternalServerError)
return
}
token := auth.GetJWTFromHeader(request.Header)
if token == "" {
// Missing credential -> 401; the token value is never logged.
h.Logger.Warn(fmt.Sprintf("No JWT in %s header provided while feature %s is enabled", auth.AuthHeaderKey, feature.OIDCAuthentication))
writer.WriteHeader(http.StatusUnauthorized)
return
}
// Verify the token against this broker's audience; claims are discarded,
// only the error decides. Failure detail stays in the log, client gets 401.
if _, err := h.tokenVerifier.VerifyJWT(ctx, token, *broker.Status.Address.Audience); err != nil {
h.Logger.Warn("no valid JWT provided", zap.Error(err))
writer.WriteHeader(http.StatusUnauthorized)
return
}
h.Logger.Debug("Request contained a valid JWT. Continuing...")
}

or

// Same gate as the other call sites: no OIDC feature flag, no token check.
features := feature.FromContext(ctx)
if features.IsOIDCAuthentication() {
h.logger.Debug("OIDC authentication is enabled")
token := auth.GetJWTFromHeader(request.Header)
if token == "" {
// Missing credential -> 401; the token value is never logged.
h.logger.Warn(fmt.Sprintf("No JWT in %s header provided while feature %s is enabled", auth.AuthHeaderKey, feature.OIDCAuthentication))
writer.WriteHeader(http.StatusUnauthorized)
return
}
// FilterAudience is presumably the fixed audience for this filter endpoint
// (defined elsewhere in the package -- confirm). Tokens for other
// audiences are expected to fail VerifyJWT; only the error is consulted and
// the failure reason stays in the log while the client sees 401.
if _, err := h.tokenVerifier.VerifyJWT(ctx, token, FilterAudience); err != nil {
h.logger.Warn("no valid JWT provided", zap.Error(err))
writer.WriteHeader(http.StatusUnauthorized)
return
}
h.logger.Debug("Request contained a valid JWT. Continuing...")
}

(and maybe others).

Since they all share the same logic (feature-flag gate, missing token → 401, invalid token or wrong audience → 401), this could be refactored into a single shared helper that takes the expected audience as a parameter and is reused by every call site. Besides removing duplication, a single helper keeps the authentication checks consistent: a new entry point cannot accidentally drop the audience check or return a different status for the same failure.

Originally posted by @Cali0707 in #7449 (comment)
