eventing icon indicating copy to clipboard operation
eventing copied to clipboard
verified publisher icon knative

mt-broker-filter: Allow only requests from Subscriptions OIDC ID

Open creydr opened this issue 1 year ago • 4 comments

We need to verify in the mt-broker-filter, that an request comes only from the Subscriptions OIDC is (.status.auth.serviceAccountName). Therefor we should do the following in the mt-broker-filter handler:

  • In case OIDC is enabled:
    • Get the OIDC identity of the sender
    • check, if the senders identity is the same as the according Subscriptions OIDC ID (in their .status.auth.serviceAccountName).
      • If it matches: continue with the request
      • If not: reject the request with a 403 status code
  • In OIDC is disabled:
    • no change in behaviour

Prerequisites:

  • #7985

Additional context:

Additional hints for new contributors before starting with this issue:

  1. When the issue has the Draft status, the issue is subject to change and thus should not be started to be worked on
  2. Make sure you've read and understood the CONTRIBUTING.md guidelines
  3. Make sure you're able to run Knative Eventing locally and run at least the unit tests.
  4. Feel free to raise any questions you have either directly here in the issue, in the #knative-eventing Slack channel or join the Eventing Workgroup Meeting
  5. When you feel comfortable with this issue, feel free to assign it to you (e.g. by commenting /assign). Please be aware that we might unassign you, if we don't see any progress from your side to give other contributors also a chance to work on this issue.

creydr avatar Jun 11 '24 11:06 creydr

I would like to work on this /assign

babugeet avatar Jun 13 '24 16:06 babugeet

/assign

ayushrakesh avatar Jun 27 '24 04:06 ayushrakesh

Hey @ayushrakesh, thanks for showing interest in this issue. But this issue is currently assigned to @babugeet. @babugeet are you still planing to work on this issue?

creydr avatar Jun 27 '24 06:06 creydr

@creydr : got caught up in some other work, let @ayushrakesh : proceed with the changes

babugeet avatar Jun 27 '24 13:06 babugeet

Hello @ayushrakesh, are there anything I can help you with regarding this issue?

Leo6Leo avatar Jul 09 '24 13:07 Leo6Leo

Hello @ayushrakesh are you still planning to work on the issue?

rahulii avatar Jul 13 '24 07:07 rahulii

I can work on this if @ayushrakesh is not working on this

EraKin575 avatar Jul 13 '24 09:07 EraKin575

@EraKin575 Sorry for delay, you can work on that.

ayushrakesh avatar Jul 13 '24 09:07 ayushrakesh

/assign

EraKin575 avatar Jul 15 '24 17:07 EraKin575

Are there anything I could help you with? @EraKin575

If you're still working on this issue, please let me know within the next 24 hours. We understand that plans and priorities can change, and if you're no longer able to continue with this task, that's completely okay! In case I don't hear back from you in the next 24 hours, I'll unassign the issue from you. Of course, if you'd like to continue working on it later, you can always reassign it to yourself if it is still available.

Leo6Leo avatar Jul 22 '24 12:07 Leo6Leo

Sorry,for the delay. I am still working on this issue and will raise a PR ASAP

EraKin575 avatar Jul 22 '24 16:07 EraKin575

sorry, this took a while

EraKin575 avatar Jul 27 '24 07:07 EraKin575