-
Notifications
You must be signed in to change notification settings - Fork 68
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Loading status checks…
upgrade to latest dependencies
bumping golang.org/x/sync 14be23e...411f99e: > 411f99e LICENSE: update per Google Legal bumping knative.dev/pkg 433889b...0991b2f: > 0991b2f Update community files (# 3083) > c88d5da Bump github.com/tsenart/vegeta/v12 from 12.11.3 to 12.12.0 (# 3082) > cb30d00 Bump golang.org/x/sync from 0.7.0 to 0.8.0 (# 3081) bumping knative.dev/reconciler-test dd2ded3...0ff820e: > 0ff820e Update community files (# 747) > a2d1677 upgrade to latest dependencies (# 746) bumping knative.dev/eventing ff37e4e...c521efb: > c521efb Add EventPolicy reconciliation for Parallel (# 8112) > d69b8b4 Improve scheduler memory usage (# 8144) > 5c81d76 Add EventPolicy reconciliation for Sequence (# 8106) > ecb6c01 Set UID in Brokers backing channels EventPolicies OwnerReference (# 8143) > b58b30d Add e2e test for Broker authorization (# 8132) > 20a64a1 [main] Update community files (# 8134) > 7237233 Default EventPolicy `.spec.from[].namespace` to EventPolicies namespace (# 8133) > 32f8491 update trust-manager to version 0.12.0 (# 8130) bumping knative.dev/hack 441a19f...452e340: > 452e340 Update community files (# 392) Signed-off-by: Knative Automation <automation@knative.team>
1 parent
108d111
commit b9b457c
Showing
9 changed files
with
428 additions
and
22 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
157 changes: 157 additions & 0 deletions
157
vendor/knative.dev/eventing/test/rekt/features/broker/authz_feature.go
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,157 @@ | ||
/* | ||
Copyright 2024 The Knative Authors | ||
Licensed under the Apache License, Version 2.0 (the "License"); | ||
you may not use this file except in compliance with the License. | ||
You may obtain a copy of the License at | ||
http://www.apache.org/licenses/LICENSE-2.0 | ||
Unless required by applicable law or agreed to in writing, software | ||
distributed under the License is distributed on an "AS IS" BASIS, | ||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
See the License for the specific language governing permissions and | ||
limitations under the License. | ||
*/ | ||
|
||
package broker | ||
|
||
import ( | ||
"context" | ||
|
||
"github.com/cloudevents/sdk-go/v2/test" | ||
sourcesv1 "knative.dev/eventing/pkg/apis/sources/v1" | ||
"knative.dev/eventing/test/rekt/features/featureflags" | ||
"knative.dev/eventing/test/rekt/resources/broker" | ||
"knative.dev/eventing/test/rekt/resources/eventpolicy" | ||
"knative.dev/eventing/test/rekt/resources/pingsource" | ||
"knative.dev/eventing/test/rekt/resources/trigger" | ||
duckv1 "knative.dev/pkg/apis/duck/v1" | ||
"knative.dev/reconciler-test/pkg/eventshub" | ||
"knative.dev/reconciler-test/pkg/eventshub/assert" | ||
"knative.dev/reconciler-test/pkg/feature" | ||
"knative.dev/reconciler-test/pkg/resources/service" | ||
) | ||
|
||
func BrokerSupportsAuthZ() *feature.FeatureSet { | ||
return &feature.FeatureSet{ | ||
Name: "Broker supports authorization", | ||
Features: []*feature.Feature{ | ||
BrokerAcceptsEventsFromAuthorizedSender(), | ||
BrokerRejectsEventsFromUnauthorizedSender(), | ||
}, | ||
} | ||
} | ||
|
||
func BrokerAcceptsEventsFromAuthorizedSender() *feature.Feature { | ||
f := feature.NewFeatureNamed("Broker accepts events from a authorized sender") | ||
|
||
f.Prerequisite("OIDC Authentication is enabled", featureflags.AuthenticationOIDCEnabled()) | ||
f.Prerequisite("transport encryption is strict", featureflags.TransportEncryptionStrict()) | ||
f.Prerequisite("should not run when Istio is enabled", featureflags.IstioDisabled()) | ||
|
||
source := feature.MakeRandomK8sName("source") | ||
brokerName := feature.MakeRandomK8sName("broker") | ||
sink := feature.MakeRandomK8sName("sink") | ||
triggerName := feature.MakeRandomK8sName("trigger") | ||
eventPolicyName := feature.MakeRandomK8sName("eventpolicy") | ||
|
||
// Install the broker | ||
f.Setup("Install Broker", broker.Install(brokerName, broker.WithEnvConfig()...)) | ||
f.Setup("Broker is ready", broker.IsReady(brokerName)) | ||
f.Setup("Broker is addressable", broker.IsAddressable(brokerName)) | ||
|
||
// Install the sink | ||
f.Setup("Install Sink", eventshub.Install( | ||
sink, | ||
eventshub.StartReceiver, | ||
)) | ||
|
||
f.Setup("Install the Trigger", trigger.Install(triggerName, | ||
trigger.WithBrokerName(brokerName), | ||
trigger.WithSubscriber(service.AsKReference(sink), ""))) | ||
|
||
f.Setup("Install the EventPolicy", eventpolicy.Install( | ||
eventPolicyName, | ||
eventpolicy.WithToRef( | ||
broker.GVR().GroupVersion().WithKind("Broker"), | ||
brokerName), | ||
eventpolicy.WithFromRef( | ||
pingsource.Gvr().GroupVersion().WithKind("PingSource"), | ||
source, | ||
""), | ||
)) | ||
|
||
// Install source | ||
f.Requirement("Install Pingsource", func(ctx context.Context, t feature.T) { | ||
brokeruri, err := broker.Address(ctx, brokerName) | ||
if err != nil { | ||
t.Error("failed to get address of broker", err) | ||
} | ||
|
||
pingsource.Install(source, | ||
pingsource.WithSink(&duckv1.Destination{URI: brokeruri.URL, CACerts: brokeruri.CACerts, Audience: brokeruri.Audience}), | ||
pingsource.WithData("text/plain", "hello, world!"))(ctx, t) | ||
}) | ||
f.Requirement("PingSource goes ready", pingsource.IsReady(source)) | ||
|
||
f.Alpha("Broker"). | ||
Must("accepts event from valid sender", assert.OnStore(sink).MatchEvent( | ||
test.HasType(sourcesv1.PingSourceEventType)).AtLeast(1)) | ||
|
||
return f | ||
} | ||
|
||
func BrokerRejectsEventsFromUnauthorizedSender() *feature.Feature { | ||
f := feature.NewFeatureNamed("Broker rejects events from an unauthorized sender") | ||
|
||
f.Prerequisite("OIDC Authentication is enabled", featureflags.AuthenticationOIDCEnabled()) | ||
f.Prerequisite("transport encryption is strict", featureflags.TransportEncryptionStrict()) | ||
f.Prerequisite("should not run when Istio is enabled", featureflags.IstioDisabled()) | ||
|
||
source := feature.MakeRandomK8sName("source") | ||
brokerName := feature.MakeRandomK8sName("broker") | ||
sink := feature.MakeRandomK8sName("sink") | ||
triggerName := feature.MakeRandomK8sName("trigger") | ||
eventPolicyName := feature.MakeRandomK8sName("eventpolicy") | ||
|
||
event := test.FullEvent() | ||
|
||
// Install the broker | ||
f.Setup("Install Broker", broker.Install(brokerName, broker.WithEnvConfig()...)) | ||
f.Setup("Broker is ready", broker.IsReady(brokerName)) | ||
f.Setup("Broker is addressable", broker.IsAddressable(brokerName)) | ||
|
||
// Install the sink | ||
f.Setup("Install Sink", eventshub.Install( | ||
sink, | ||
eventshub.StartReceiver, | ||
)) | ||
|
||
f.Setup("Install the Trigger", trigger.Install(triggerName, | ||
trigger.WithBrokerName(brokerName), | ||
trigger.WithSubscriber(service.AsKReference(sink), ""))) | ||
f.Setup("Trigger goes ready", trigger.IsReady(triggerName)) | ||
|
||
// Install an event policy for Broker allowing from a sample subject, to not fall back to the default-auth-mode | ||
f.Setup("Install an EventPolicy", eventpolicy.Install( | ||
eventPolicyName, | ||
eventpolicy.WithToRef( | ||
broker.GVR().GroupVersion().WithKind("Broker"), | ||
brokerName), | ||
eventpolicy.WithFromSubject("sample-sub"))) | ||
|
||
// Send event | ||
f.Requirement("Install Source", eventshub.Install( | ||
source, | ||
eventshub.StartSenderToResourceTLS(broker.GVR(), brokerName, nil), | ||
eventshub.InputEvent(event), | ||
)) | ||
|
||
f.Alpha("Broker"). | ||
Must("event is sent", assert.OnStore(source).MatchSentEvent( | ||
test.HasId(event.ID())).Exact(1)). | ||
Must("broker rejects event with a 403 response", assert.OnStore(source).Match(assert.MatchStatusCode(403)).Exact(1)) | ||
|
||
return f | ||
} |
163 changes: 163 additions & 0 deletions
163
vendor/knative.dev/eventing/test/rekt/resources/eventpolicy/eventpolicy.go
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,163 @@ | ||
/* | ||
Copyright 2024 The Knative Authors | ||
Licensed under the Apache License, Version 2.0 (the "License"); | ||
you may not use this file except in compliance with the License. | ||
You may obtain a copy of the License at | ||
http://www.apache.org/licenses/LICENSE-2.0 | ||
Unless required by applicable law or agreed to in writing, software | ||
distributed under the License is distributed on an "AS IS" BASIS, | ||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
See the License for the specific language governing permissions and | ||
limitations under the License. | ||
*/ | ||
|
||
package eventpolicy | ||
|
||
import ( | ||
"context" | ||
"embed" | ||
"time" | ||
|
||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" | ||
"k8s.io/apimachinery/pkg/runtime/schema" | ||
"knative.dev/reconciler-test/pkg/feature" | ||
"knative.dev/reconciler-test/pkg/k8s" | ||
"knative.dev/reconciler-test/pkg/manifest" | ||
) | ||
|
||
//go:embed *.yaml | ||
var yaml embed.FS | ||
|
||
func GVR() schema.GroupVersionResource { | ||
return schema.GroupVersionResource{Group: "eventing.knative.dev", Version: "v1alpha1", Resource: "eventpolicies"} | ||
} | ||
|
||
// Install will create an EventPolicy resource, augmented with the config fn options. | ||
func Install(name string, opts ...manifest.CfgFn) feature.StepFn { | ||
cfg := map[string]interface{}{ | ||
"name": name, | ||
} | ||
for _, fn := range opts { | ||
fn(cfg) | ||
} | ||
return func(ctx context.Context, t feature.T) { | ||
if _, err := manifest.InstallYamlFS(ctx, yaml, cfg); err != nil { | ||
t.Fatal(err) | ||
} | ||
} | ||
} | ||
|
||
func WithToRef(gvk schema.GroupVersionKind, name string) manifest.CfgFn { | ||
return func(cfg map[string]interface{}) { | ||
if _, set := cfg["to"]; !set { | ||
cfg["to"] = []map[string]interface{}{} | ||
} | ||
|
||
res := cfg["to"].([]map[string]interface{}) | ||
|
||
to := map[string]interface{}{ | ||
"ref": map[string]interface{}{ | ||
"apiVersion": gvk.GroupVersion().String(), | ||
"kind": gvk.Kind, | ||
"name": name, | ||
}} | ||
|
||
res = append(res, to) | ||
|
||
cfg["to"] = res | ||
} | ||
} | ||
|
||
func WithToSelector(gvk schema.GroupVersionKind, labelSelector *metav1.LabelSelector) manifest.CfgFn { | ||
return func(cfg map[string]interface{}) { | ||
if _, set := cfg["to"]; !set { | ||
cfg["to"] = []map[string]interface{}{} | ||
} | ||
|
||
res := cfg["to"].([]map[string]interface{}) | ||
|
||
selector := labelSelectorToStringMap(labelSelector) | ||
selector["apiVersion"] = gvk.GroupVersion().String() | ||
selector["kind"] = gvk.Kind | ||
|
||
to := map[string]interface{}{ | ||
"selector": selector, | ||
} | ||
|
||
res = append(res, to) | ||
|
||
cfg["to"] = res | ||
} | ||
} | ||
|
||
func WithFromRef(gvk schema.GroupVersionKind, name, namespace string) manifest.CfgFn { | ||
return func(cfg map[string]interface{}) { | ||
if _, set := cfg["from"]; !set { | ||
cfg["from"] = []map[string]interface{}{} | ||
} | ||
|
||
res := cfg["from"].([]map[string]interface{}) | ||
|
||
from := map[string]interface{}{ | ||
"ref": map[string]interface{}{ | ||
"apiVersion": gvk.GroupVersion().String(), | ||
"kind": gvk.Kind, | ||
"name": name, | ||
"namespace": namespace, | ||
}} | ||
|
||
res = append(res, from) | ||
|
||
cfg["from"] = res | ||
} | ||
} | ||
|
||
func WithFromSubject(subject string) manifest.CfgFn { | ||
return func(cfg map[string]interface{}) { | ||
if _, set := cfg["from"]; !set { | ||
cfg["from"] = []map[string]interface{}{} | ||
} | ||
|
||
res := cfg["from"].([]map[string]interface{}) | ||
|
||
from := map[string]interface{}{ | ||
"sub": subject, | ||
} | ||
|
||
res = append(res, from) | ||
|
||
cfg["from"] = res | ||
} | ||
} | ||
|
||
// IsReady tests to see if an EventPolicy becomes ready within the time given. | ||
func IsReady(name string, timing ...time.Duration) feature.StepFn { | ||
return k8s.IsReady(GVR(), name, timing...) | ||
} | ||
|
||
func labelSelectorToStringMap(selector *metav1.LabelSelector) map[string]interface{} { | ||
if selector == nil { | ||
return map[string]interface{}{} | ||
} | ||
|
||
r := map[string]interface{}{} | ||
|
||
r["matchLabels"] = selector.MatchLabels | ||
|
||
if selector.MatchExpressions != nil { | ||
me := []map[string]interface{}{} | ||
for _, ml := range selector.MatchExpressions { | ||
me = append(me, map[string]interface{}{ | ||
"key": ml.Key, | ||
"operator": ml.Operator, | ||
"values": ml.Values, | ||
}) | ||
} | ||
r["matchExpressions"] = me | ||
} | ||
|
||
return r | ||
} |
69 changes: 69 additions & 0 deletions
69
vendor/knative.dev/eventing/test/rekt/resources/eventpolicy/eventpolicy.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,69 @@ | ||
# Copyright 2020 The Knative Authors | ||
# | ||
# Licensed under the Apache License, Version 2.0 (the "License"); | ||
# you may not use this file except in compliance with the License. | ||
# You may obtain a copy of the License at | ||
# | ||
# http://www.apache.org/licenses/LICENSE-2.0 | ||
# | ||
# Unless required by applicable law or agreed to in writing, software | ||
# distributed under the License is distributed on an "AS IS" BASIS, | ||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
# See the License for the specific language governing permissions and | ||
# limitations under the License. | ||
|
||
apiVersion: eventing.knative.dev/v1alpha1 | ||
kind: EventPolicy | ||
metadata: | ||
name: {{ .name }} | ||
namespace: {{ .namespace }} | ||
spec: | ||
{{ if .to }} | ||
to: | ||
{{ range $to := .to }} | ||
{{ if $to.ref }} | ||
- ref: | ||
apiVersion: {{ $to.ref.apiVersion }} | ||
kind: {{ $to.ref.kind }} | ||
name: {{ $to.ref.name }} | ||
{{ end }} #end if $to.ref | ||
|
||
{{ if $to.selector }} | ||
- selector: | ||
apiVersion: {{ $to.selector.apiVersion }} | ||
kind: {{ $to.selector.kind }} | ||
{{ if $to.selector.matchLabels }} | ||
matchLabels: | ||
{{ range $key, $value := $to.selector.matchLabels }} | ||
{{ $key }}: {{ $value }} | ||
{{ end }} | ||
{{ end }} #end if to.matchLabels | ||
|
||
{{ if $to.selector.matchExpressions }} | ||
matchExpressions: | ||
{{ range $expr := $to.selector.matchExpressions }} | ||
- key: {{ $expr.key }} | ||
operator: {{ $expr.operator }} | ||
values: | ||
{{ range $exprValue := $expr.values }} | ||
- {{ $exprValue }} | ||
{{ end }} | ||
{{ end }} #end matchExpressions range | ||
{{ end }} # end if matchExpressions | ||
{{ end }} #end if $to.selector | ||
{{ end }} #end "range $to" | ||
{{ end }} #end "if .to" | ||
|
||
from: | ||
{{ range $from := .from }} | ||
{{ if $from.ref }} | ||
- ref: | ||
apiVersion: {{ $from.ref.apiVersion }} | ||
kind: {{ $from.ref.kind }} | ||
name: {{ $from.ref.name }} | ||
namespace: {{ $from.ref.namespace }} | ||
{{ end }} | ||
{{ if $from.sub }} | ||
- sub: {{ $from.sub }} | ||
{{ end }} | ||
{{ end }} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters