Skip to content

Commit

Permalink
upgrade to latest dependencies (#3933)
Browse files Browse the repository at this point in the history
bumping knative.dev/pkg 15e6cdf...339c22b:
  > 339c22b Add AuthenticatableType duck type (# 3056)
bumping knative.dev/eventing ea8f0fd...18dfe3c:
  > 18dfe3c JobSink: Test OIDC support (# 8000)
  > e298f32 Add authz library (# 8002)
  > 1a21fee Add all JobSink symlinks in config/ (# 8007)
  > 2157639 Add validation for EventPolicy sub suffix matching (# 8008)
  > 0eee301 Propagate read error correctly in event-dispatcher (# 8005)
  > 43cf75a [main] Upgrade to latest dependencies (# 8004)
bumping knative.dev/reconciler-test 199a526...5bf0b86:
  > 5bf0b86 upgrade to latest dependencies (# 738)

Signed-off-by: Knative Automation <automation@knative.team>
  • Loading branch information
knative-automation authored Jun 20, 2024
1 parent 83728d2 commit 046eb4b
Show file tree
Hide file tree
Showing 11 changed files with 530 additions and 14 deletions.
6 changes: 3 additions & 3 deletions go.mod
Original file line number Diff line number Diff line change
Expand Up @@ -35,10 +35,10 @@ require (
k8s.io/apiserver v0.29.2
k8s.io/client-go v0.29.2
k8s.io/utils v0.0.0-20240102154912-e7106e64919e
knative.dev/eventing v0.41.1-0.20240613093107-ea8f0fda4c06
knative.dev/eventing v0.41.1-0.20240620085917-18dfe3c0ac90
knative.dev/hack v0.0.0-20240607132042-09143140a254
knative.dev/pkg v0.0.0-20240610120318-15e6cdf2f386
knative.dev/reconciler-test v0.0.0-20240611155001-199a5264927d
knative.dev/pkg v0.0.0-20240614135239-339c22b8218c
knative.dev/reconciler-test v0.0.0-20240618170853-5bf0b86114f8
sigs.k8s.io/controller-runtime v0.12.3
sigs.k8s.io/yaml v1.4.0
)
Expand Down
12 changes: 6 additions & 6 deletions go.sum
Original file line number Diff line number Diff line change
Expand Up @@ -1275,14 +1275,14 @@ k8s.io/utils v0.0.0-20200912215256-4140de9c8800/go.mod h1:jPW/WVKK9YHAvNhRxK0md/
k8s.io/utils v0.0.0-20210819203725-bdf08cb9a70a/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA=
k8s.io/utils v0.0.0-20240102154912-e7106e64919e h1:eQ/4ljkx21sObifjzXwlPKpdGLrCfRziVtos3ofG/sQ=
k8s.io/utils v0.0.0-20240102154912-e7106e64919e/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
knative.dev/eventing v0.41.1-0.20240613093107-ea8f0fda4c06 h1:GYVCeO9+udWWzNfyWlBrclwB07kxzIElbhCCtFrsIRo=
knative.dev/eventing v0.41.1-0.20240613093107-ea8f0fda4c06/go.mod h1:PQpuuOYjAl6rW74U+1CgcKP9IyKhk7XhS8aAu9zWQG0=
knative.dev/eventing v0.41.1-0.20240620085917-18dfe3c0ac90 h1:rieOHfbsEveC/30tfSCf3g7Ocu9mJ+w4Dv22FBMC5lY=
knative.dev/eventing v0.41.1-0.20240620085917-18dfe3c0ac90/go.mod h1:Ja5ThoaajtwMAb7pHhG3t0WRul5oSZPalfP5R/0YP80=
knative.dev/hack v0.0.0-20240607132042-09143140a254 h1:1YFnu3U6dWZg0oxm6GU8kEdA9A+BvSWKJO7sg3N0kq8=
knative.dev/hack v0.0.0-20240607132042-09143140a254/go.mod h1:yk2OjGDsbEnQjfxdm0/HJKS2WqTLEFg/N6nUs6Rqx3Q=
knative.dev/pkg v0.0.0-20240610120318-15e6cdf2f386 h1:nxFTT6DrXr70Zi2BK8nc57ts0/smyavd/uBRBbtqg94=
knative.dev/pkg v0.0.0-20240610120318-15e6cdf2f386/go.mod h1:l7R8/SteYph0mZDsVgq3fVs4mWp1DaYx9BJJX68U6ik=
knative.dev/reconciler-test v0.0.0-20240611155001-199a5264927d h1:FBpgtMooLXWfl8QjGNVEosw9QGPhJzkPip+x5jBVrT8=
knative.dev/reconciler-test v0.0.0-20240611155001-199a5264927d/go.mod h1:iKOTdGVwm+SmVA/blgirYTdYU/Kw3Znj2arDYLlhoXw=
knative.dev/pkg v0.0.0-20240614135239-339c22b8218c h1:OaKrY7L6rzWTvs51JlieJajL40F6CpBbvO1aZspg2EA=
knative.dev/pkg v0.0.0-20240614135239-339c22b8218c/go.mod h1:l7R8/SteYph0mZDsVgq3fVs4mWp1DaYx9BJJX68U6ik=
knative.dev/reconciler-test v0.0.0-20240618170853-5bf0b86114f8 h1:A+rsitEiTX3GudM51g7zUMza+Ripj+boncmlJ2jZp50=
knative.dev/reconciler-test v0.0.0-20240618170853-5bf0b86114f8/go.mod h1:2uUx3U6kdIzgJgMGgrGmdDdcFrFiex/DjuI2gM7Tte8=
pgregory.net/rapid v1.1.0 h1:CMa0sjHSru3puNx+J0MIAuiiEV4N0qj8/cMWGBBCsjw=
pgregory.net/rapid v1.1.0/go.mod h1:PY5XlDGj0+V1FCq0o192FdRhpKHGTRIWBgqjDBTrq04=
rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,7 @@ package v1alpha1

import (
"context"
"strings"

"knative.dev/pkg/apis"
)
Expand All @@ -36,6 +37,7 @@ func (ets *EventPolicySpec) Validate(ctx context.Context) *apis.FieldError {
err = err.Also(apis.ErrMultipleOneOf("ref", "sub").ViaFieldIndex("from", i))
}
err = err.Also(f.Ref.Validate().ViaField("ref").ViaFieldIndex("from", i))
err = err.Also(validateSub(f.Sub).ViaField("sub").ViaFieldIndex("from", i))
}

for i, t := range ets.To {
Expand All @@ -53,6 +55,20 @@ func (ets *EventPolicySpec) Validate(ctx context.Context) *apis.FieldError {
return err
}

func validateSub(sub *string) *apis.FieldError {
if sub == nil || len(*sub) <= 1 {
return nil
}

lastInvalidIdx := len(*sub) - 2
firstInvalidIdx := 0
if idx := strings.IndexRune(*sub, '*'); idx >= firstInvalidIdx && idx <= lastInvalidIdx {
return apis.ErrInvalidValue(*sub, "", "'*' is only allowed as suffix")
}

return nil
}

func (r *EventPolicyFromReference) Validate() *apis.FieldError {
if r == nil {
return nil
Expand Down
4 changes: 2 additions & 2 deletions vendor/knative.dev/eventing/pkg/apis/feature/store.go
Original file line number Diff line number Diff line change
Expand Up @@ -40,12 +40,12 @@ func FromContext(ctx context.Context) Flags {
}

// FromContextOrDefaults is like FromContext, but when no Flags is attached it
// returns an empty Flags.
// returns default Flags.
func FromContextOrDefaults(ctx context.Context) Flags {
if cfg := FromContext(ctx); cfg != nil {
return cfg
}
return Flags{}
return newDefaults()
}

// ToContext attaches the provided Flags to the provided context, returning the
Expand Down
147 changes: 147 additions & 0 deletions vendor/knative.dev/eventing/pkg/auth/event_policy.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,147 @@
/*
Copyright 2024 The Knative Authors
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package auth

import (
"fmt"
"strings"

corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/labels"
"k8s.io/apimachinery/pkg/runtime/schema"
"knative.dev/eventing/pkg/apis/eventing/v1alpha1"
listerseventingv1alpha1 "knative.dev/eventing/pkg/client/listers/eventing/v1alpha1"
"knative.dev/pkg/resolver"
)

// GetEventPoliciesForResource returns the applying EventPolicies for a given resource
func GetEventPoliciesForResource(lister listerseventingv1alpha1.EventPolicyLister, resourceGVK schema.GroupVersionKind, resourceObjectMeta metav1.ObjectMeta) ([]*v1alpha1.EventPolicy, error) {
policies, err := lister.EventPolicies(resourceObjectMeta.GetNamespace()).List(labels.Everything())
if err != nil {
return nil, fmt.Errorf("failed to list eventpolicies: %w", err)
}

relevantPolicies := []*v1alpha1.EventPolicy{}

for _, policy := range policies {
if len(policy.Spec.To) == 0 {
// policy applies to all resources in namespace
relevantPolicies = append(relevantPolicies, policy)
}

for _, to := range policy.Spec.To {
if to.Ref != nil {
refGV, err := schema.ParseGroupVersion(to.Ref.APIVersion)
if err != nil {
return nil, fmt.Errorf("cannot split apiVersion into group and version: %s", to.Ref.APIVersion)
}

if strings.EqualFold(to.Ref.Name, resourceObjectMeta.GetName()) &&
strings.EqualFold(refGV.Group, resourceGVK.Group) &&
strings.EqualFold(to.Ref.Kind, resourceGVK.Kind) {

relevantPolicies = append(relevantPolicies, policy)
break // no need to check the other .spec.to's from this policy
}
}

if to.Selector != nil {
selectorGV, err := schema.ParseGroupVersion(to.Selector.APIVersion)
if err != nil {
return nil, fmt.Errorf("cannot split apiVersion into group and version: %s", to.Selector.APIVersion)
}

if strings.EqualFold(selectorGV.Group, resourceGVK.Group) &&
strings.EqualFold(to.Selector.Kind, resourceGVK.Kind) {

selector, err := metav1.LabelSelectorAsSelector(to.Selector.LabelSelector)
if err != nil {
return nil, fmt.Errorf("failed to parse selector: %w", err)
}

if selector.Matches(labels.Set(resourceObjectMeta.Labels)) {
relevantPolicies = append(relevantPolicies, policy)
break // no need to check the other .spec.to's from this policy
}
}
}
}
}

return relevantPolicies, nil
}

// ResolveSubjects returns the OIDC service accounts names for the objects referenced in the EventPolicySpecFrom.
func ResolveSubjects(resolver *resolver.AuthenticatableResolver, eventPolicy *v1alpha1.EventPolicy) ([]string, error) {
allSAs := []string{}
for _, from := range eventPolicy.Spec.From {
if from.Ref != nil {
sas, err := resolveSubjectsFromReference(resolver, *from.Ref, eventPolicy)
if err != nil {
return nil, fmt.Errorf("could not resolve subjects from reference: %w", err)
}
allSAs = append(allSAs, sas...)
} else if from.Sub != nil {
allSAs = append(allSAs, *from.Sub)
}
}

return allSAs, nil
}

func resolveSubjectsFromReference(resolver *resolver.AuthenticatableResolver, reference v1alpha1.EventPolicyFromReference, trackingEventPolicy *v1alpha1.EventPolicy) ([]string, error) {
authStatus, err := resolver.AuthStatusFromObjectReference(&corev1.ObjectReference{
APIVersion: reference.APIVersion,
Kind: reference.Kind,
Namespace: reference.Namespace,
Name: reference.Name,
}, trackingEventPolicy)

if err != nil {
return nil, fmt.Errorf("could not resolve auth status: %w", err)
}

objSAs := authStatus.ServiceAccountNames
if authStatus.ServiceAccountName != nil {
objSAs = append(objSAs, *authStatus.ServiceAccountName)
}

objFullSANames := make([]string, 0, len(objSAs))
for _, sa := range objSAs {
objFullSANames = append(objFullSANames, fmt.Sprintf("system:serviceaccount:%s:%s", reference.Namespace, sa))
}

return objFullSANames, nil
}

// SubjectContained checks if the given sub is contained in the list of allowedSubs
// or if it matches a prefix pattern in subs (e.g. system:serviceaccounts:my-ns:*)
func SubjectContained(sub string, allowedSubs []string) bool {
for _, s := range allowedSubs {
if strings.EqualFold(s, sub) {
return true
}

if strings.HasSuffix(s, "*") &&
strings.HasPrefix(sub, strings.TrimSuffix(s, "*")) {
return true
}
}

return false
}
Original file line number Diff line number Diff line change
Expand Up @@ -352,6 +352,7 @@ func (d *Dispatcher) executeRequest(ctx context.Context, target duckv1.Addressab
var responseMessageBody []byte
if err != nil && err != io.EOF {
responseMessageBody = []byte(fmt.Sprintf("Failed to read response body: %s", err.Error()))
dispatchInfo.ResponseCode = http.StatusInternalServerError
} else {
responseMessageBody = body.Bytes()
dispatchInfo.ResponseBody = responseMessageBody
Expand Down
93 changes: 93 additions & 0 deletions vendor/knative.dev/pkg/apis/duck/v1/auth_types.go
Original file line number Diff line number Diff line change
Expand Up @@ -16,6 +16,21 @@ limitations under the License.

package v1

import (
"context"
"fmt"

metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/apimachinery/pkg/runtime/schema"
"knative.dev/pkg/apis"
"knative.dev/pkg/apis/duck/ducktypes"
"knative.dev/pkg/kmeta"
"knative.dev/pkg/ptr"
)

// +genduck

// AuthStatus is meant to provide the generated service account name
// in the resource status.
type AuthStatus struct {
Expand All @@ -28,3 +43,81 @@ type AuthStatus struct {
// when the component uses multiple identities (e.g. in case of a Parallel).
ServiceAccountNames []string `json:"serviceAccountNames,omitempty"`
}

// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// AuthenticatableType is a skeleton type wrapping AuthStatus in the manner we expect
// resource writers defining compatible resources to embed it. We will
// typically use this type to deserialize AuthenticatableType ObjectReferences and
// access the AuthenticatableType data. This is not a real resource.
type AuthenticatableType struct {
metav1.TypeMeta `json:",inline"`
metav1.ObjectMeta `json:"metadata,omitempty"`

Status AuthenticatableStatus `json:"status"`
}

type AuthenticatableStatus struct {
// Auth contains the service account name for the subscription
// +optional
Auth *AuthStatus `json:"auth,omitempty"`
}

var (
// AuthStatus is a Convertible type.
_ apis.Convertible = (*AuthStatus)(nil)

// Verify AuthenticatableType resources meet duck contracts.
_ apis.Listable = (*AuthenticatableType)(nil)
_ ducktypes.Populatable = (*AuthenticatableType)(nil)
_ kmeta.OwnerRefable = (*AuthenticatableType)(nil)
)

// GetFullType implements duck.Implementable
func (*AuthStatus) GetFullType() ducktypes.Populatable {
return &AuthenticatableType{}
}

// ConvertTo implements apis.Convertible
func (a *AuthStatus) ConvertTo(_ context.Context, to apis.Convertible) error {
return fmt.Errorf("v1 is the highest known version, got: %T", to)
}

// ConvertFrom implements apis.Convertible
func (a *AuthStatus) ConvertFrom(_ context.Context, from apis.Convertible) error {
return fmt.Errorf("v1 is the highest known version, got: %T", from)
}

// Populate implements duck.Populatable
func (t *AuthenticatableType) Populate() {
t.Status = AuthenticatableStatus{
Auth: &AuthStatus{
// Populate ALL fields
ServiceAccountName: ptr.String("foo"),
ServiceAccountNames: []string{
"bar",
"baz",
},
},
}
}

// GetGroupVersionKind implements kmeta.OwnerRefable
func (t *AuthenticatableType) GetGroupVersionKind() schema.GroupVersionKind {
return t.GroupVersionKind()
}

// GetListType implements apis.Listable
func (*AuthenticatableType) GetListType() runtime.Object {
return &AuthenticatableTypeList{}
}

// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// AuthenticatableTypeList is a list of AuthenticatableType resources
type AuthenticatableTypeList struct {
metav1.TypeMeta `json:",inline"`
metav1.ListMeta `json:"metadata"`

Items []AuthenticatableType `json:"items"`
}
Loading

0 comments on commit 046eb4b

Please sign in to comment.