InMemoryChannel ingress: Reject unauthorized requests

[creydr]

We need to verify in the channel receiver, that an request is authorized. Therefor we should do the following in the event receiver handler:

• Get the OIDC identity of the sender
• In case the InMemoryChannels .status.policies is set:
  • check, if the senders identity is subject of any of the linked EventPolicies (in their .status.from[]).
  • If it is present: continue with the request
  • If not: reject the request with a 403 status code
• In case the InMemoryChannels .status.policies is empty:
  • Check the default-authorization-mode and do the following depending on its value:
  • allow-all: Continue with the request
  • deny-all: reject the request with a 403 status code
  • allow-same-namespace: check, if the senders identity is from the same namespace, as the Broker. If so, continue with the request, otherwise reject with a 403

We should also add an e2e test for the above scenarios

Prerequisites:

• 7985

• 7974

• 7977

• 8009

Additional context:

• Feature track document

Additional hints for new contributors before starting with this issue:

1. When the issue has the Draft status, the issue is subject to change and thus should not be started to be worked on
2. Make sure you've read and understood the CONTRIBUTING.md guidelines
3. Make sure you're able to run Knative Eventing locally and run at least the unit tests.
4. Feel free to raise any questions you have either directly here in the issue, in the #knative-eventing Slack channel or join the Eventing Workgroup Meeting
5. When you feel comfortable with this issue, feel free to assign it to you (e.g. by commenting /assign). Please be aware that we might unassign you, if we don't see any progress from your side to give other contributors also a chance to work on this issue.

[pratikkumar-mohite]

I would like to work on it, @creydr could you please assign it to me?

[7h3-3mp7y-m4n]

/assign