Rename TokenVerifier into Verifier

knative · Sep 17, 2024 · d1439f6 · d1439f6
1 parent 1cdf022
commit d1439f6
Show file tree

Hide file tree

Showing 11 changed files with 42 additions and 42 deletions.
diff --git a/cmd/broker/filter/main.go b/cmd/broker/filter/main.go
@@ -153,9 +153,9 @@ func main() {
  oidcTokenProvider := auth.NewOIDCTokenProvider(ctx)
  // We are running both the receiver (takes messages in from the Broker) and the dispatcher (send
  // the messages to the triggers' subscribers) in this binary.
- oidcTokenVerifier := auth.NewOIDCTokenVerifier(ctx, eventpolicyinformer.Get(ctx).Lister())
+ authVerifier := auth.NewVerifier(ctx, eventpolicyinformer.Get(ctx).Lister())
  trustBundleConfigMapInformer := configmapinformer.Get(ctx, eventingtls.TrustBundleLabelSelector).Lister().ConfigMaps(system.Namespace())
- handler, err = filter.NewHandler(logger, oidcTokenVerifier, oidcTokenProvider, triggerinformer.Get(ctx), brokerinformer.Get(ctx), subscriptioninformer.Get(ctx), reporter, trustBundleConfigMapInformer, ctxFunc)
+ handler, err = filter.NewHandler(logger, authVerifier, oidcTokenProvider, triggerinformer.Get(ctx), brokerinformer.Get(ctx), subscriptioninformer.Get(ctx), reporter, trustBundleConfigMapInformer, ctxFunc)
  if err != nil {
  logger.Fatal("Error creating Handler", zap.Error(err))
  }

diff --git a/cmd/broker/ingress/main.go b/cmd/broker/ingress/main.go
@@ -168,9 +168,9 @@ func main() {
  reporter := ingress.NewStatsReporter(env.ContainerName, kmeta.ChildName(env.PodName, uuid.New().String()))
 
  oidcTokenProvider := auth.NewOIDCTokenProvider(ctx)
- oidcTokenVerifier := auth.NewOIDCTokenVerifier(ctx, eventpolicyinformer.Get(ctx).Lister())
+ authVerifier := auth.NewVerifier(ctx, eventpolicyinformer.Get(ctx).Lister())
  trustBundleConfigMapInformer := configmapinformer.Get(ctx, eventingtls.TrustBundleLabelSelector).Lister().ConfigMaps(system.Namespace())
- handler, err = ingress.NewHandler(logger, reporter, broker.TTLDefaulter(logger, int32(env.MaxTTL)), brokerInformer, oidcTokenVerifier, oidcTokenProvider, trustBundleConfigMapInformer, ctxFunc)
+ handler, err = ingress.NewHandler(logger, reporter, broker.TTLDefaulter(logger, int32(env.MaxTTL)), brokerInformer, authVerifier, oidcTokenProvider, trustBundleConfigMapInformer, ctxFunc)
  if err != nil {
  logger.Fatal("Error creating Handler", zap.Error(err))
  }

diff --git a/cmd/jobsink/main.go b/cmd/jobsink/main.go
@@ -115,10 +115,10 @@ func main() {
  }
 
  h := &Handler{
- k8s:  kubeclient.Get(ctx),
- lister:  jobsink.Get(ctx).Lister(),
- withContext:  ctxFunc,
- oidcTokenVerifier: auth.NewOIDCTokenVerifier(ctx, eventpolicyinformer.Get(ctx).Lister()),
+ k8s: kubeclient.Get(ctx),
+ lister: jobsink.Get(ctx).Lister(),
+ withContext: ctxFunc,
+ authVerifier: auth.NewVerifier(ctx, eventpolicyinformer.Get(ctx).Lister()),
  }
 
  tlsConfig, err := getServerTLSConfig(ctx)
@@ -159,10 +159,10 @@ func main() {
 }
 
 type Handler struct {
- k8s  kubernetes.Interface
- lister  sinkslister.JobSinkLister
- withContext  func(ctx context.Context) context.Context
- oidcTokenVerifier *auth.OIDCTokenVerifier
+ k8s kubernetes.Interface
+ lister sinkslister.JobSinkLister
+ withContext func(ctx context.Context) context.Context
+ authVerifier *auth.Verifier
 }
 
 func (h *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
@@ -201,7 +201,7 @@ func (h *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 
  logger.Debug("Handling POST request", zap.String("URI", r.RequestURI))
 
- err = h.oidcTokenVerifier.VerifyRequest(ctx, feature.FromContext(ctx), js.Status.Address.Audience, js.Namespace, js.Status.Policies, r, w)
+ err = h.authVerifier.VerifyRequest(ctx, feature.FromContext(ctx), js.Status.Address.Audience, js.Namespace, js.Status.Policies, r, w)
  if err != nil {
  logger.Warn("Failed to verify AuthN and AuthZ.", zap.Error(err))
  return
@@ -374,7 +374,7 @@ func (h *Handler) handleGet(ctx context.Context, w http.ResponseWriter, r *http.
 
  logger.Debug("Handling GET request", zap.String("URI", r.RequestURI))
 
- err = h.oidcTokenVerifier.VerifyRequest(ctx, feature.FromContext(ctx), js.Status.Address.Audience, js.Namespace, js.Status.Policies, r, w)
+ err = h.authVerifier.VerifyRequest(ctx, feature.FromContext(ctx), js.Status.Address.Audience, js.Namespace, js.Status.Policies, r, w)
  if err != nil {
  logger.Warn("Failed to verify AuthN and AuthZ.", zap.Error(err))
  return

diff --git a/pkg/auth/token_verifier.go → pkg/auth/verifier.go b/pkg/auth/token_verifier.go → pkg/auth/verifier.go
@@ -45,7 +45,7 @@ const (
  kubernetesOIDCDiscoveryBaseURL = "https://kubernetes.default.svc"
 )
 
-type OIDCTokenVerifier struct {
+type Verifier struct {
  logger *zap.SugaredLogger
  restConfig *rest.Config
  provider *oidc.Provider
@@ -61,8 +61,8 @@ type IDToken struct {
  AccessTokenHash string
 }
 
-func NewOIDCTokenVerifier(ctx context.Context, eventPolicyLister listerseventingv1alpha1.EventPolicyLister) *OIDCTokenVerifier {
- tokenHandler := &OIDCTokenVerifier{
+func NewVerifier(ctx context.Context, eventPolicyLister listerseventingv1alpha1.EventPolicyLister) *Verifier {
+ tokenHandler := &Verifier{
  logger: logging.FromContext(ctx).With("component", "oidc-token-handler"),
  restConfig: injection.GetConfig(ctx),
  eventPolicyLister: eventPolicyLister,
@@ -77,7 +77,7 @@ func NewOIDCTokenVerifier(ctx context.Context, eventPolicyLister listerseventing
 
 // VerifyRequest verifies AuthN and AuthZ in the request. On verification errors, it sets the
 // responses HTTP status and returns an error
-func (v *OIDCTokenVerifier) VerifyRequest(ctx context.Context, features feature.Flags, requiredOIDCAudience *string, resourceNamespace string, policyRefs []duckv1.AppliedEventPolicyRef, req *http.Request, resp http.ResponseWriter) error {
+func (v *Verifier) VerifyRequest(ctx context.Context, features feature.Flags, requiredOIDCAudience *string, resourceNamespace string, policyRefs []duckv1.AppliedEventPolicyRef, req *http.Request, resp http.ResponseWriter) error {
  if !features.IsOIDCAuthentication() {
  return nil
  }
@@ -100,7 +100,7 @@ func (v *OIDCTokenVerifier) VerifyRequest(ctx context.Context, features feature.
 // On verification errors, it sets the responses HTTP status and returns an error.
 // This method is similar to VerifyRequest() except that VerifyRequestFromSubject()
 // verifies in the AuthZ part that the request comes from a given subject.
-func (v *OIDCTokenVerifier) VerifyRequestFromSubject(ctx context.Context, features feature.Flags, requiredOIDCAudience *string, allowedSubject string, req *http.Request, resp http.ResponseWriter) error {
+func (v *Verifier) VerifyRequestFromSubject(ctx context.Context, features feature.Flags, requiredOIDCAudience *string, allowedSubject string, req *http.Request, resp http.ResponseWriter) error {
  if !features.IsOIDCAuthentication() {
  return nil
  }
@@ -119,7 +119,7 @@ func (v *OIDCTokenVerifier) VerifyRequestFromSubject(ctx context.Context, featur
 }
 
 // verifyAuthN verifies if the incoming request contains a correct JWT token
-func (v *OIDCTokenVerifier) verifyAuthN(ctx context.Context, audience *string, req *http.Request, resp http.ResponseWriter) (*IDToken, error) {
+func (v *Verifier) verifyAuthN(ctx context.Context, audience *string, req *http.Request, resp http.ResponseWriter) (*IDToken, error) {
  token := GetJWTFromHeader(req.Header)
  if token == "" {
  resp.WriteHeader(http.StatusUnauthorized)
@@ -141,7 +141,7 @@ func (v *OIDCTokenVerifier) verifyAuthN(ctx context.Context, audience *string, r
 }
 
 // verifyAuthZ verifies if the given idToken is allowed by the resources eventPolicyStatus
-func (v *OIDCTokenVerifier) verifyAuthZ(ctx context.Context, features feature.Flags, idToken *IDToken, resourceNamespace string, policyRefs []duckv1.AppliedEventPolicyRef, req *http.Request, resp http.ResponseWriter) error {
+func (v *Verifier) verifyAuthZ(ctx context.Context, features feature.Flags, idToken *IDToken, resourceNamespace string, policyRefs []duckv1.AppliedEventPolicyRef, req *http.Request, resp http.ResponseWriter) error {
  if len(policyRefs) > 0 {
  req, err := copyRequest(req)
  if err != nil {
@@ -195,7 +195,7 @@ func (v *OIDCTokenVerifier) verifyAuthZ(ctx context.Context, features feature.Fl
 }
 
 // verifyJWT verifies the given JWT for the expected audience and returns the parsed ID token.
-func (v *OIDCTokenVerifier) verifyJWT(ctx context.Context, jwt, audience string) (*IDToken, error) {
+func (v *Verifier) verifyJWT(ctx context.Context, jwt, audience string) (*IDToken, error) {
  if v.provider == nil {
  return nil, fmt.Errorf("provider is nil. Is the OIDC provider config correct?")
  }
@@ -219,7 +219,7 @@ func (v *OIDCTokenVerifier) verifyJWT(ctx context.Context, jwt, audience string)
  }, nil
 }
 
-func (v *OIDCTokenVerifier) initOIDCProvider(ctx context.Context) error {
+func (v *Verifier) initOIDCProvider(ctx context.Context) error {
  discovery, err := v.getKubernetesOIDCDiscovery()
  if err != nil {
  return fmt.Errorf("could not load Kubernetes OIDC discovery information: %w", err)
@@ -247,7 +247,7 @@ func (v *OIDCTokenVerifier) initOIDCProvider(ctx context.Context) error {
  return nil
 }
 
-func (v *OIDCTokenVerifier) getHTTPClientForKubeAPIServer() (*http.Client, error) {
+func (v *Verifier) getHTTPClientForKubeAPIServer() (*http.Client, error) {
  client, err := rest.HTTPClientFor(v.restConfig)
  if err != nil {
  return nil, fmt.Errorf("could not create HTTP client from rest config: %w", err)
@@ -256,7 +256,7 @@ func (v *OIDCTokenVerifier) getHTTPClientForKubeAPIServer() (*http.Client, error
  return client, nil
 }
 
-func (v *OIDCTokenVerifier) getKubernetesOIDCDiscovery() (*openIDMetadata, error) {
+func (v *Verifier) getKubernetesOIDCDiscovery() (*openIDMetadata, error) {
  client, err := v.getHTTPClientForKubeAPIServer()
  if err != nil {
  return nil, fmt.Errorf("could not get HTTP client for API server: %w", err)

diff --git a/pkg/broker/filter/filter_handler.go b/pkg/broker/filter/filter_handler.go
@@ -90,12 +90,12 @@ type Handler struct {
  logger *zap.Logger
  withContext func(ctx context.Context) context.Context
  filtersMap *subscriptionsapi.FiltersMap
- tokenVerifier *auth.OIDCTokenVerifier
+ tokenVerifier *auth.Verifier
  EventTypeCreator *eventtype.EventTypeAutoHandler
 }
 
 // NewHandler creates a new Handler and its associated EventReceiver.
-func NewHandler(logger *zap.Logger, tokenVerifier *auth.OIDCTokenVerifier, oidcTokenProvider *auth.OIDCTokenProvider, triggerInformer v1.TriggerInformer, brokerInformer v1.BrokerInformer, subscriptionInformer messaginginformers.SubscriptionInformer, reporter StatsReporter, trustBundleConfigMapLister corev1listers.ConfigMapNamespaceLister, wc func(ctx context.Context) context.Context) (*Handler, error) {
+func NewHandler(logger *zap.Logger, tokenVerifier *auth.Verifier, oidcTokenProvider *auth.OIDCTokenProvider, triggerInformer v1.TriggerInformer, brokerInformer v1.BrokerInformer, subscriptionInformer messaginginformers.SubscriptionInformer, reporter StatsReporter, trustBundleConfigMapLister corev1listers.ConfigMapNamespaceLister, wc func(ctx context.Context) context.Context) (*Handler, error) {
  kncloudevents.ConfigureConnectionArgs(&kncloudevents.ConnectionArgs{
  MaxIdleConns: defaultMaxIdleConnections,
  MaxIdleConnsPerHost: defaultMaxIdleConnectionsPerHost,

diff --git a/pkg/broker/filter/filter_handler_test.go b/pkg/broker/filter/filter_handler_test.go
@@ -444,7 +444,7 @@ func TestReceiver(t *testing.T) {
 
  logger := zaptest.NewLogger(t, zaptest.WrapOptions(zap.AddCaller()))
  oidcTokenProvider := auth.NewOIDCTokenProvider(ctx)
- oidcTokenVerifier := auth.NewOIDCTokenVerifier(ctx, eventpolicyinformerfake.Get(ctx).Lister())
+ authVerifier := auth.NewVerifier(ctx, eventpolicyinformerfake.Get(ctx).Lister())
 
  for _, trig := range tc.triggers {
  // Replace the SubscriberURI to point at our fake server.
@@ -480,7 +480,7 @@ func TestReceiver(t *testing.T) {
  reporter := &mockReporter{}
  r, err := NewHandler(
  logger,
- oidcTokenVerifier,
+ authVerifier,
  oidcTokenProvider,
  triggerinformerfake.Get(ctx),
  brokerinformerfake.Get(ctx),
@@ -653,7 +653,7 @@ func TestReceiver_WithSubscriptionsAPI(t *testing.T) {
 
  logger := zaptest.NewLogger(t, zaptest.WrapOptions(zap.AddCaller()))
  oidcTokenProvider := auth.NewOIDCTokenProvider(ctx)
- oidcTokenVerifier := auth.NewOIDCTokenVerifier(ctx, eventpolicyinformerfake.Get(ctx).Lister())
+ authVerifier := auth.NewVerifier(ctx, eventpolicyinformerfake.Get(ctx).Lister())
 
  // Replace the SubscriberURI to point at our fake server.
  for _, trig := range tc.triggers {
@@ -689,7 +689,7 @@ func TestReceiver_WithSubscriptionsAPI(t *testing.T) {
  reporter := &mockReporter{}
  r, err := NewHandler(
  logger,
- oidcTokenVerifier,
+ authVerifier,
  oidcTokenProvider,
  triggerinformerfake.Get(ctx),
  brokerinformerfake.Get(ctx),

diff --git a/pkg/broker/ingress/ingress_handler.go b/pkg/broker/ingress/ingress_handler.go
@@ -73,12 +73,12 @@ type Handler struct {
 
  eventDispatcher *kncloudevents.Dispatcher
 
- tokenVerifier *auth.OIDCTokenVerifier
+ tokenVerifier *auth.Verifier
 
  withContext func(ctx context.Context) context.Context
 }
 
-func NewHandler(logger *zap.Logger, reporter StatsReporter, defaulter client.EventDefaulter, brokerInformer v1.BrokerInformer, tokenVerifier *auth.OIDCTokenVerifier, oidcTokenProvider *auth.OIDCTokenProvider, trustBundleConfigMapLister corev1listers.ConfigMapNamespaceLister, withContext func(ctx context.Context) context.Context) (*Handler, error) {
+func NewHandler(logger *zap.Logger, reporter StatsReporter, defaulter client.EventDefaulter, brokerInformer v1.BrokerInformer, tokenVerifier *auth.Verifier, oidcTokenProvider *auth.OIDCTokenProvider, trustBundleConfigMapLister corev1listers.ConfigMapNamespaceLister, withContext func(ctx context.Context) context.Context) (*Handler, error) {
  connectionArgs := kncloudevents.ConnectionArgs{
  MaxIdleConns: defaultMaxIdleConnections,
  MaxIdleConnsPerHost: defaultMaxIdleConnectionsPerHost,

diff --git a/pkg/broker/ingress/ingress_handler_test.go b/pkg/broker/ingress/ingress_handler_test.go
@@ -291,13 +291,13 @@ func TestHandler_ServeHTTP(t *testing.T) {
  }
 
  tokenProvider := auth.NewOIDCTokenProvider(ctx)
- tokenVerifier := auth.NewOIDCTokenVerifier(ctx, eventpolicyinformerfake.Get(ctx).Lister())
+ authVerifier := auth.NewVerifier(ctx, eventpolicyinformerfake.Get(ctx).Lister())
 
  h, err := NewHandler(logger,
  &mockReporter{},
  tc.defaulter,
  brokerinformerfake.Get(ctx),
- tokenVerifier,
+ authVerifier,
  tokenProvider,
  configmapinformer.Get(ctx).Lister().ConfigMaps("ns"),
  func(ctx context.Context) context.Context {

diff --git a/pkg/channel/event_receiver.go b/pkg/channel/event_receiver.go
@@ -71,7 +71,7 @@ type EventReceiver struct {
  hostToChannelFunc ResolveChannelFromHostFunc
  pathToChannelFunc ResolveChannelFromPathFunc
  reporter StatsReporter
- tokenVerifier *auth.OIDCTokenVerifier
+ tokenVerifier *auth.Verifier
  audience string
  getPoliciesForFunc GetPoliciesForFunc
  withContext func(context.Context) context.Context
@@ -120,7 +120,7 @@ func ReceiverWithGetPoliciesForFunc(fn GetPoliciesForFunc) EventReceiverOptions
  }
 }
 
-func OIDCTokenVerification(tokenVerifier *auth.OIDCTokenVerifier, audience string) EventReceiverOptions {
+func OIDCTokenVerification(tokenVerifier *auth.Verifier, audience string) EventReceiverOptions {
  return func(r *EventReceiver) error {
  r.tokenVerifier = tokenVerifier
  r.audience = audience

diff --git a/pkg/reconciler/inmemorychannel/dispatcher/controller.go b/pkg/reconciler/inmemorychannel/dispatcher/controller.go
@@ -137,7 +137,7 @@ func NewController(
  eventingClient: eventingclient.Get(ctx).EventingV1beta2(),
  eventTypeLister: eventtypeinformer.Get(ctx).Lister(),
  eventDispatcher: kncloudevents.NewDispatcher(clientConfig, oidcTokenProvider),
- tokenVerifier: auth.NewOIDCTokenVerifier(ctx, eventpolicyinformer.Get(ctx).Lister()),
+ authVerifier:  auth.NewVerifier(ctx, eventpolicyinformer.Get(ctx).Lister()),
  clientConfig: clientConfig,
  inMemoryChannelLister: inmemorychannelInformer.Lister(),
  }

diff --git a/pkg/reconciler/inmemorychannel/dispatcher/inmemorychannel.go b/pkg/reconciler/inmemorychannel/dispatcher/inmemorychannel.go
@@ -62,8 +62,8 @@ type Reconciler struct {
  featureStore *feature.Store
  eventDispatcher *kncloudevents.Dispatcher
 
- tokenVerifier *auth.OIDCTokenVerifier
- clientConfig  eventingtls.ClientConfig
+ authVerifier *auth.Verifier
+ clientConfig eventingtls.ClientConfig
 }
 
 // Check the interfaces Reconciler should implement
@@ -134,7 +134,7 @@ func (r *Reconciler) reconcile(ctx context.Context, imc *v1.InMemoryChannel) rec
  channelRef,
  UID,
  r.eventDispatcher,
- channel.OIDCTokenVerification(r.tokenVerifier, audience(imc)),
+ channel.OIDCTokenVerification(r.authVerifier, audience(imc)),
  channel.ReceiverWithContextFunc(wc),
  channel.ReceiverWithGetPoliciesForFunc(r.getAppliedEventPolicyRef),
  )
@@ -167,7 +167,7 @@ func (r *Reconciler) reconcile(ctx context.Context, imc *v1.InMemoryChannel) rec
  UID,
  r.eventDispatcher,
  channel.ResolveChannelFromPath(channel.ParseChannelFromPath),
- channel.OIDCTokenVerification(r.tokenVerifier, audience(imc)),
+ channel.OIDCTokenVerification(r.authVerifier, audience(imc)),
  channel.ReceiverWithContextFunc(wc),
  channel.ReceiverWithGetPoliciesForFunc(r.getAppliedEventPolicyRef),
  )