Fix JobSink to support AuthZ on GET too (#8196)

* Fix JobSink to support AuthZ on GET too * Remove deprecated auth.VerifyJWTFromRequest() method.
knative · Sep 16, 2024 · ae6ed99 · ae6ed99
1 parent 608e76c
commit ae6ed99
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 21 deletions.
diff --git a/cmd/jobsink/main.go b/cmd/jobsink/main.go
@@ -364,20 +364,19 @@ func (h *Handler) handleGet(ctx context.Context, w http.ResponseWriter, r *http.
 		Name:      parts[4],
 	}
 
-	logger.Debug("Handling GET request", zap.String("URI", r.RequestURI))
-
-	features := feature.FromContext(ctx)
-	if features.IsOIDCAuthentication() {
-		logger.Debug("OIDC authentication is enabled")
+	js, err := h.lister.JobSinks(ref.Namespace).Get(ref.Name)
+	if err != nil {
+		logger.Warn("Failed to retrieve jobsink", zap.String("ref", ref.String()), zap.Error(err))
+		w.WriteHeader(http.StatusBadRequest)
+		return
+	}
 
-		audience := auth.GetAudienceDirect(sinksv.SchemeGroupVersion.WithKind("JobSink"), ref.Namespace, ref.Name)
+	logger.Debug("Handling GET request", zap.String("URI", r.RequestURI))
 
-		err := h.oidcTokenVerifier.VerifyJWTFromRequest(ctx, r, &audience, w)
-		if err != nil {
-			logger.Warn("Error when validating the JWT token in the request", zap.Error(err))
-			return
-		}
-		logger.Debug("Request contained a valid JWT. Continuing...")
+	err = h.oidcTokenVerifier.VerifyRequest(ctx, feature.FromContext(ctx), js.Status.Address.Audience, js.Namespace, js.Status.Policies, r, w)
+	if err != nil {
+		logger.Warn("Failed to verify AuthN and AuthZ.", zap.Error(err))
+		return
 	}
 
 	eventSource := parts[6]

diff --git a/pkg/auth/token_verifier.go b/pkg/auth/token_verifier.go
@@ -75,15 +75,6 @@ func NewOIDCTokenVerifier(ctx context.Context) *OIDCTokenVerifier {
 	return tokenHandler
 }
 
-// VerifyJWTFromRequest verifies if the incoming request contains a correct JWT token
-//
-// Deprecated: use OIDCTokenVerifier.Verify() instead to bundle AuthN and AuthZ verification
-func (v *OIDCTokenVerifier) VerifyJWTFromRequest(ctx context.Context, r *http.Request, audience *string, response http.ResponseWriter) error {
-	_, err := v.verifyAuthN(ctx, audience, r, response)
-
-	return err
-}
-
 // VerifyRequest verifies AuthN and AuthZ in the request. On verification errors, it sets the
 // responses HTTP status and returns an error
 func (v *OIDCTokenVerifier) VerifyRequest(ctx context.Context, features feature.Flags, requiredOIDCAudience *string, resourceNamespace string, policyRefs []duckv1.AppliedEventPolicyRef, req *http.Request, resp http.ResponseWriter) error {