We need to verify in the channel receiver, that an request is authorized. Therefor we should do the following in the event receiver handler:
Get the OIDC identity of the sender
In case the InMemoryChannels .status.policies is set:
check, if the senders identity is subject of any of the linked EventPolicies (in their .status.from[]).
If it is present: continue with the request
If not: reject the request with a 403 status code
In case the InMemoryChannels .status.policies is empty:
Check the default-authorization-mode and do the following depending on its value:
allow-all: Continue with the request
deny-all: reject the request with a 403 status code
allow-same-namespace: check, if the senders identity is from the same namespace, as the Broker. If so, continue with the request, otherwise reject with a 403
We should also add an e2e test for the above scenarios
When you feel comfortable with this issue, feel free to assign it to you (e.g. by commenting /assign). Please be aware that we might unassign you, if we don't see any progress from your side to give other contributors also a chance to work on this issue.
We need to verify in the channel receiver, that an request is authorized. Therefor we should do the following in the event receiver handler:
.status.policies
is set:EventPolicies
(in their.status.from[]
).403
status code.status.policies
is empty:default-authorization-mode
and do the following depending on its value:allow-all
: Continue with the requestdeny-all
: reject the request with a403
status codeallow-same-namespace
: check, if the senders identity is from the same namespace, as the Broker. If so, continue with the request, otherwise reject with a403
We should also add an e2e test for the above scenarios
Prerequisites:
7985
7974
7977
8009
Additional context:
Additional hints for new contributors before starting with this issue:
Draft
status, the issue is subject to change and thus should not be started to be worked on/assign
). Please be aware that we might unassign you, if we don't see any progress from your side to give other contributors also a chance to work on this issue.