Skip to content

Refactor the code that rejects for wrong audience #7492

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
knative-prow merged 7 commits into from
Dec 14, 2023
Merged

Refactor the code that rejects for wrong audience #7492

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
f6ec974
Save Work progress
Leo6Leo Dec 6, 2023
2e2b2ff
Merge branch 'main' into Refactor-the-code-that-rejects-for-wrong-aud…
Leo6Leo Dec 11, 2023
2067497
Use the newly wrapped function
Leo6Leo Dec 12, 2023
e87690d
Pass the audience string pointer instead
Leo6Leo Dec 12, 2023
7ef6909
Remove the redundant return
Leo6Leo Dec 12, 2023
a12b869
Merge branch 'main' into Refactor-the-code-that-rejects-for-wrong-aud…
Leo6Leo Dec 14, 2023
f8cb477
Move the function under `OIDCTokenVerifier`
Leo6Leo Dec 14, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
21 changes: 21 additions & 0 deletions pkg/auth/token_verifier.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -151,6 +151,27 @@ func (c *OIDCTokenVerifier) getKubernetesOIDCDiscovery() (*openIDMetadata, error
return openIdConfig, nil
}

// VerifyJWTFromRequest will verify the incoming request contains the correct JWT token
func (tokenVerifier *OIDCTokenVerifier) VerifyJWTFromRequest(ctx context.Context, r *http.Request, audience *string, response http.ResponseWriter) error {
token := GetJWTFromHeader(r.Header)
if token == "" {
response.WriteHeader(http.StatusUnauthorized)
return fmt.Errorf("no JWT token found in request")
}

if audience == nil {
response.WriteHeader(http.StatusInternalServerError)
return fmt.Errorf("no audience is provided")
}

if _, err := tokenVerifier.VerifyJWT(ctx, token, *audience); err != nil {
response.WriteHeader(http.StatusUnauthorized)
return fmt.Errorf("failed to verify JWT: %w", err)
}

return nil
}

type openIDMetadata struct {
Issuer string `json:"issuer"`
JWKSURI string `json:"jwks_uri"`
Expand Down
14 changes: 5 additions & 9 deletions pkg/broker/filter/filter_handler.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -193,16 +193,12 @@ func (h *Handler) ServeHTTP(writer http.ResponseWriter, request *http.Request) {
features := feature.FromContext(ctx)
if features.IsOIDCAuthentication() {
h.logger.Debug("OIDC authentication is enabled")
token := auth.GetJWTFromHeader(request.Header)
if token == "" {
h.logger.Warn(fmt.Sprintf("No JWT in %s header provided while feature %s is enabled", auth.AuthHeaderKey, feature.OIDCAuthentication))
writer.WriteHeader(http.StatusUnauthorized)
return
}

if _, err := h.tokenVerifier.VerifyJWT(ctx, token, FilterAudience); err != nil {
h.logger.Warn("no valid JWT provided", zap.Error(err))
writer.WriteHeader(http.StatusUnauthorized)
audience := FilterAudience

err = h.tokenVerifier.VerifyJWTFromRequest(ctx, request, &audience, writer)
if err != nil {
h.logger.Warn("Error when validating the JWT token in the request", zap.Error(err))
return
}

Expand Down
19 changes: 3 additions & 16 deletions pkg/broker/ingress/ingress_handler.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -228,22 +228,9 @@ func (h *Handler) ServeHTTP(writer http.ResponseWriter, request *http.Request) {
if features.IsOIDCAuthentication() {
h.Logger.Debug("OIDC authentication is enabled")

if broker.Status.Address.Audience == nil {
h.Logger.Warn(fmt.Sprintf("Audience of broker %s/%s must not be nil, while feature %s is enabled", broker.Name, broker.Namespace, feature.OIDCAuthentication))
writer.WriteHeader(http.StatusInternalServerError)
return
}

token := auth.GetJWTFromHeader(request.Header)
if token == "" {
h.Logger.Warn(fmt.Sprintf("No JWT in %s header provided while feature %s is enabled", auth.AuthHeaderKey, feature.OIDCAuthentication))
writer.WriteHeader(http.StatusUnauthorized)
return
}

if _, err := h.tokenVerifier.VerifyJWT(ctx, token, *broker.Status.Address.Audience); err != nil {
h.Logger.Warn("no valid JWT provided", zap.Error(err))
writer.WriteHeader(http.StatusUnauthorized)
err = h.tokenVerifier.VerifyJWTFromRequest(ctx, request, broker.Status.Address.Audience, writer)
if err != nil {
h.Logger.Warn("Error when validating the JWT token in the request", zap.Error(err))
return
}

Expand Down
17 changes: 3 additions & 14 deletions pkg/channel/event_receiver.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -250,23 +250,12 @@ func (r *EventReceiver) ServeHTTP(response nethttp.ResponseWriter, request *neth
features := feature.FromContext(ctx)
if features.IsOIDCAuthentication() {
r.logger.Debug("OIDC authentication is enabled")

token := auth.GetJWTFromHeader(request.Header)
if token == "" {
r.logger.Warn(fmt.Sprintf("No JWT in %s header provided while feature %s is enabled", auth.AuthHeaderKey, feature.OIDCAuthentication))
response.WriteHeader(nethttp.StatusUnauthorized)
return
}

if _, err := r.tokenVerifier.VerifyJWT(ctx, token, r.audience); err != nil {
r.logger.Warn("no valid JWT provided", zap.Error(err))
response.WriteHeader(nethttp.StatusUnauthorized)
err = r.tokenVerifier.VerifyJWTFromRequest(ctx, request, &r.audience, response)
if err != nil {
r.logger.Warn("Error when validating the JWT token in the request", zap.Error(err))
return
}

r.logger.Debug("Request contained a valid JWT. Continuing...")
} else {
r.logger.Debug("OIDC authentication is disabled")
}

err = r.receiverFunc(request.Context(), channel, *event, utils.PassThroughHeaders(request.Header))
Expand Down