diff --git a/cmd/broker/filter/main.go b/cmd/broker/filter/main.go index 8d7d9612745..51814b35496 100644 --- a/cmd/broker/filter/main.go +++ b/cmd/broker/filter/main.go @@ -24,6 +24,7 @@ import ( "github.com/google/uuid" "github.com/kelseyhightower/envconfig" "go.uber.org/zap" + eventpolicyinformer "knative.dev/eventing/pkg/client/injection/informers/eventing/v1alpha1/eventpolicy" kubeclient "knative.dev/pkg/client/injection/kube/client" configmapinformer "knative.dev/pkg/client/injection/kube/informers/core/v1/configmap/filtered" filteredFactory "knative.dev/pkg/client/injection/kube/informers/factory/filtered" @@ -151,7 +152,7 @@ func main() { oidcTokenProvider := auth.NewOIDCTokenProvider(ctx) // We are running both the receiver (takes messages in from the Broker) and the dispatcher (send // the messages to the triggers' subscribers) in this binary. - oidcTokenVerifier := auth.NewOIDCTokenVerifier(ctx) + oidcTokenVerifier := auth.NewOIDCTokenVerifier(ctx, eventpolicyinformer.Get(ctx).Lister()) trustBundleConfigMapInformer := configmapinformer.Get(ctx, eventingtls.TrustBundleLabelSelector).Lister().ConfigMaps(system.Namespace()) handler, err = filter.NewHandler(logger, oidcTokenVerifier, oidcTokenProvider, triggerinformer.Get(ctx), brokerinformer.Get(ctx), reporter, trustBundleConfigMapInformer, ctxFunc) if err != nil { diff --git a/cmd/broker/ingress/main.go b/cmd/broker/ingress/main.go index 456154e7508..12d7158f0e6 100644 --- a/cmd/broker/ingress/main.go +++ b/cmd/broker/ingress/main.go @@ -27,6 +27,7 @@ import ( "github.com/google/uuid" "github.com/kelseyhightower/envconfig" "go.uber.org/zap" + eventpolicyinformer "knative.dev/eventing/pkg/client/injection/informers/eventing/v1alpha1/eventpolicy" configmapinformer "knative.dev/pkg/client/injection/kube/informers/core/v1/configmap/filtered" kubeclient "knative.dev/pkg/client/injection/kube/client" @@ -167,7 +168,7 @@ func main() { reporter := ingress.NewStatsReporter(env.ContainerName, kmeta.ChildName(env.PodName, uuid.New().String())) oidcTokenProvider := auth.NewOIDCTokenProvider(ctx) - oidcTokenVerifier := auth.NewOIDCTokenVerifier(ctx) + oidcTokenVerifier := auth.NewOIDCTokenVerifier(ctx, eventpolicyinformer.Get(ctx).Lister()) trustBundleConfigMapInformer := configmapinformer.Get(ctx, eventingtls.TrustBundleLabelSelector).Lister().ConfigMaps(system.Namespace()) handler, err = ingress.NewHandler(logger, reporter, broker.TTLDefaulter(logger, int32(env.MaxTTL)), brokerInformer, oidcTokenVerifier, oidcTokenProvider, trustBundleConfigMapInformer, ctxFunc) if err != nil { diff --git a/cmd/jobsink/main.go b/cmd/jobsink/main.go index dab0fb8bb4e..70c83f66ce8 100644 --- a/cmd/jobsink/main.go +++ b/cmd/jobsink/main.go @@ -35,6 +35,7 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/types" "k8s.io/client-go/kubernetes" + eventpolicyinformer "knative.dev/eventing/pkg/client/injection/informers/eventing/v1alpha1/eventpolicy" kubeclient "knative.dev/pkg/client/injection/kube/client" configmap "knative.dev/pkg/configmap/informer" "knative.dev/pkg/controller" @@ -118,7 +119,7 @@ func main() { k8s: kubeclient.Get(ctx), lister: jobsink.Get(ctx).Lister(), withContext: ctxFunc, - oidcTokenVerifier: auth.NewOIDCTokenVerifier(ctx), + oidcTokenVerifier: auth.NewOIDCTokenVerifier(ctx, eventpolicyinformer.Get(ctx).Lister()), } tlsConfig, err := getServerTLSConfig(ctx) diff --git a/pkg/auth/token_verifier.go b/pkg/auth/token_verifier.go index 0d87cf11f69..29acd7ba5e7 100644 --- a/pkg/auth/token_verifier.go +++ b/pkg/auth/token_verifier.go @@ -26,13 +26,13 @@ import ( "time" duckv1 "knative.dev/eventing/pkg/apis/duck/v1" - eventpolicyinformer "knative.dev/eventing/pkg/client/injection/informers/eventing/v1alpha1/eventpolicy" "knative.dev/eventing/pkg/client/listers/eventing/v1alpha1" "github.com/coreos/go-oidc/v3/oidc" "go.uber.org/zap" "k8s.io/client-go/rest" "knative.dev/eventing/pkg/apis/feature" + listerseventingv1alpha1 "knative.dev/eventing/pkg/client/listers/eventing/v1alpha1" "knative.dev/pkg/injection" "knative.dev/pkg/logging" ) @@ -57,11 +57,11 @@ type IDToken struct { AccessTokenHash string } -func NewOIDCTokenVerifier(ctx context.Context) *OIDCTokenVerifier { +func NewOIDCTokenVerifier(ctx context.Context, eventPolicyLister listerseventingv1alpha1.EventPolicyLister) *OIDCTokenVerifier { tokenHandler := &OIDCTokenVerifier{ logger: logging.FromContext(ctx).With("component", "oidc-token-handler"), restConfig: injection.GetConfig(ctx), - eventPolicyLister: eventpolicyinformer.Get(ctx).Lister(), + eventPolicyLister: eventPolicyLister, } if err := tokenHandler.initOIDCProvider(ctx); err != nil { diff --git a/pkg/broker/filter/filter_handler_test.go b/pkg/broker/filter/filter_handler_test.go index e220e401774..0b879cda29b 100644 --- a/pkg/broker/filter/filter_handler_test.go +++ b/pkg/broker/filter/filter_handler_test.go @@ -51,9 +51,9 @@ import ( brokerinformerfake "knative.dev/eventing/pkg/client/injection/informers/eventing/v1/broker/fake" triggerinformerfake "knative.dev/eventing/pkg/client/injection/informers/eventing/v1/trigger/fake" + eventpolicyinformerfake "knative.dev/eventing/pkg/client/injection/informers/eventing/v1alpha1/eventpolicy/fake" // Fake injection client - _ "knative.dev/eventing/pkg/client/injection/informers/eventing/v1alpha1/eventpolicy/fake" _ "knative.dev/pkg/client/injection/kube/client/fake" ) @@ -439,7 +439,7 @@ func TestReceiver(t *testing.T) { logger := zaptest.NewLogger(t, zaptest.WrapOptions(zap.AddCaller())) oidcTokenProvider := auth.NewOIDCTokenProvider(ctx) - oidcTokenVerifier := auth.NewOIDCTokenVerifier(ctx) + oidcTokenVerifier := auth.NewOIDCTokenVerifier(ctx, eventpolicyinformerfake.Get(ctx).Lister()) for _, trig := range tc.triggers { // Replace the SubscriberURI to point at our fake server. @@ -638,7 +638,7 @@ func TestReceiver_WithSubscriptionsAPI(t *testing.T) { logger := zaptest.NewLogger(t, zaptest.WrapOptions(zap.AddCaller())) oidcTokenProvider := auth.NewOIDCTokenProvider(ctx) - oidcTokenVerifier := auth.NewOIDCTokenVerifier(ctx) + oidcTokenVerifier := auth.NewOIDCTokenVerifier(ctx, eventpolicyinformerfake.Get(ctx).Lister()) // Replace the SubscriberURI to point at our fake server. for _, trig := range tc.triggers { diff --git a/pkg/broker/ingress/ingress_handler_test.go b/pkg/broker/ingress/ingress_handler_test.go index db6a18dda4c..1938292d1f7 100644 --- a/pkg/broker/ingress/ingress_handler_test.go +++ b/pkg/broker/ingress/ingress_handler_test.go @@ -44,6 +44,7 @@ import ( "knative.dev/eventing/pkg/broker" brokerinformerfake "knative.dev/eventing/pkg/client/injection/informers/eventing/v1/broker/fake" + eventpolicyinformerfake "knative.dev/eventing/pkg/client/injection/informers/eventing/v1alpha1/eventpolicy/fake" // Fake injection client _ "knative.dev/eventing/pkg/client/injection/informers/eventing/v1alpha1/eventpolicy/fake" @@ -290,7 +291,7 @@ func TestHandler_ServeHTTP(t *testing.T) { } tokenProvider := auth.NewOIDCTokenProvider(ctx) - tokenVerifier := auth.NewOIDCTokenVerifier(ctx) + tokenVerifier := auth.NewOIDCTokenVerifier(ctx, eventpolicyinformerfake.Get(ctx).Lister()) h, err := NewHandler(logger, &mockReporter{}, diff --git a/pkg/reconciler/inmemorychannel/dispatcher/controller.go b/pkg/reconciler/inmemorychannel/dispatcher/controller.go index fbe1cd4fde3..729f64d3da8 100644 --- a/pkg/reconciler/inmemorychannel/dispatcher/controller.go +++ b/pkg/reconciler/inmemorychannel/dispatcher/controller.go @@ -20,6 +20,7 @@ import ( "context" "time" + eventpolicyinformer "knative.dev/eventing/pkg/client/injection/informers/eventing/v1alpha1/eventpolicy" "knative.dev/pkg/injection" "knative.dev/pkg/system" @@ -136,7 +137,7 @@ func NewController( eventingClient: eventingclient.Get(ctx).EventingV1beta2(), eventTypeLister: eventtypeinformer.Get(ctx).Lister(), eventDispatcher: kncloudevents.NewDispatcher(clientConfig, oidcTokenProvider), - tokenVerifier: auth.NewOIDCTokenVerifier(ctx), + tokenVerifier: auth.NewOIDCTokenVerifier(ctx, eventpolicyinformer.Get(ctx).Lister()), clientConfig: clientConfig, }