upgrade to latest dependencies (#3933)

bumping knative.dev/pkg 15e6cdf...339c22b:
  > 339c22b Add AuthenticatableType duck type (# 3056)
bumping knative.dev/eventing ea8f0fd...18dfe3c:
  > 18dfe3c JobSink: Test OIDC support (# 8000)
  > e298f32 Add authz library (# 8002)
  > 1a21fee Add all JobSink symlinks in config/ (# 8007)
  > 2157639 Add validation for EventPolicy sub suffix matching (# 8008)
  > 0eee301 Propagate read error correctly in event-dispatcher (# 8005)
  > 43cf75a [main] Upgrade to latest dependencies (# 8004)
bumping knative.dev/reconciler-test 199a526...5bf0b86:
  > 5bf0b86 upgrade to latest dependencies (# 738)

Signed-off-by: Knative Automation <automation@knative.team>

go.mod

@@ -35,10 +35,10 @@ require (
 	k8s.io/apiserver v0.29.2
 	k8s.io/client-go v0.29.2
 	k8s.io/utils v0.0.0-20240102154912-e7106e64919e
-	knative.dev/eventing v0.41.1-0.20240613093107-ea8f0fda4c06
+	knative.dev/eventing v0.41.1-0.20240620085917-18dfe3c0ac90
 	knative.dev/hack v0.0.0-20240607132042-09143140a254
-	knative.dev/pkg v0.0.0-20240610120318-15e6cdf2f386
-	knative.dev/reconciler-test v0.0.0-20240611155001-199a5264927d
+	knative.dev/pkg v0.0.0-20240614135239-339c22b8218c
+	knative.dev/reconciler-test v0.0.0-20240618170853-5bf0b86114f8
 	sigs.k8s.io/controller-runtime v0.12.3
 	sigs.k8s.io/yaml v1.4.0
 )

go.sum

@@ -1275,14 +1275,14 @@ k8s.io/utils v0.0.0-20200912215256-4140de9c8800/go.mod h1:jPW/WVKK9YHAvNhRxK0md/
 k8s.io/utils v0.0.0-20210819203725-bdf08cb9a70a/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA=
 k8s.io/utils v0.0.0-20240102154912-e7106e64919e h1:eQ/4ljkx21sObifjzXwlPKpdGLrCfRziVtos3ofG/sQ=
 k8s.io/utils v0.0.0-20240102154912-e7106e64919e/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
-knative.dev/eventing v0.41.1-0.20240613093107-ea8f0fda4c06 h1:GYVCeO9+udWWzNfyWlBrclwB07kxzIElbhCCtFrsIRo=
-knative.dev/eventing v0.41.1-0.20240613093107-ea8f0fda4c06/go.mod h1:PQpuuOYjAl6rW74U+1CgcKP9IyKhk7XhS8aAu9zWQG0=
+knative.dev/eventing v0.41.1-0.20240620085917-18dfe3c0ac90 h1:rieOHfbsEveC/30tfSCf3g7Ocu9mJ+w4Dv22FBMC5lY=
+knative.dev/eventing v0.41.1-0.20240620085917-18dfe3c0ac90/go.mod h1:Ja5ThoaajtwMAb7pHhG3t0WRul5oSZPalfP5R/0YP80=
 knative.dev/hack v0.0.0-20240607132042-09143140a254 h1:1YFnu3U6dWZg0oxm6GU8kEdA9A+BvSWKJO7sg3N0kq8=
 knative.dev/hack v0.0.0-20240607132042-09143140a254/go.mod h1:yk2OjGDsbEnQjfxdm0/HJKS2WqTLEFg/N6nUs6Rqx3Q=
-knative.dev/pkg v0.0.0-20240610120318-15e6cdf2f386 h1:nxFTT6DrXr70Zi2BK8nc57ts0/smyavd/uBRBbtqg94=
-knative.dev/pkg v0.0.0-20240610120318-15e6cdf2f386/go.mod h1:l7R8/SteYph0mZDsVgq3fVs4mWp1DaYx9BJJX68U6ik=
-knative.dev/reconciler-test v0.0.0-20240611155001-199a5264927d h1:FBpgtMooLXWfl8QjGNVEosw9QGPhJzkPip+x5jBVrT8=
-knative.dev/reconciler-test v0.0.0-20240611155001-199a5264927d/go.mod h1:iKOTdGVwm+SmVA/blgirYTdYU/Kw3Znj2arDYLlhoXw=
+knative.dev/pkg v0.0.0-20240614135239-339c22b8218c h1:OaKrY7L6rzWTvs51JlieJajL40F6CpBbvO1aZspg2EA=
+knative.dev/pkg v0.0.0-20240614135239-339c22b8218c/go.mod h1:l7R8/SteYph0mZDsVgq3fVs4mWp1DaYx9BJJX68U6ik=
+knative.dev/reconciler-test v0.0.0-20240618170853-5bf0b86114f8 h1:A+rsitEiTX3GudM51g7zUMza+Ripj+boncmlJ2jZp50=
+knative.dev/reconciler-test v0.0.0-20240618170853-5bf0b86114f8/go.mod h1:2uUx3U6kdIzgJgMGgrGmdDdcFrFiex/DjuI2gM7Tte8=
 pgregory.net/rapid v1.1.0 h1:CMa0sjHSru3puNx+J0MIAuiiEV4N0qj8/cMWGBBCsjw=
 pgregory.net/rapid v1.1.0/go.mod h1:PY5XlDGj0+V1FCq0o192FdRhpKHGTRIWBgqjDBTrq04=
 rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=

vendor/knative.dev/eventing/pkg/apis/eventing/v1alpha1/eventpolicy_validation.go

@@ -18,6 +18,7 @@ package v1alpha1
 
 import (
 	"context"
+	"strings"
 
 	"knative.dev/pkg/apis"
 )
@@ -36,6 +37,7 @@ func (ets *EventPolicySpec) Validate(ctx context.Context) *apis.FieldError {
 			err = err.Also(apis.ErrMultipleOneOf("ref", "sub").ViaFieldIndex("from", i))
 		}
 		err = err.Also(f.Ref.Validate().ViaField("ref").ViaFieldIndex("from", i))
+		err = err.Also(validateSub(f.Sub).ViaField("sub").ViaFieldIndex("from", i))
 	}
 
 	for i, t := range ets.To {
@@ -53,6 +55,20 @@ func (ets *EventPolicySpec) Validate(ctx context.Context) *apis.FieldError {
 	return err
 }
 
+func validateSub(sub *string) *apis.FieldError {
+	if sub == nil || len(*sub) <= 1 {
+		return nil
+	}
+
+	lastInvalidIdx := len(*sub) - 2
+	firstInvalidIdx := 0
+	if idx := strings.IndexRune(*sub, '*'); idx >= firstInvalidIdx && idx <= lastInvalidIdx {
+		return apis.ErrInvalidValue(*sub, "", "'*' is only allowed as suffix")
+	}
+
+	return nil
+}
+
 func (r *EventPolicyFromReference) Validate() *apis.FieldError {
 	if r == nil {
 		return nil

vendor/knative.dev/eventing/pkg/apis/feature/store.go

@@ -40,12 +40,12 @@ func FromContext(ctx context.Context) Flags {
 }
 
 // FromContextOrDefaults is like FromContext, but when no Flags is attached it
-// returns an empty Flags.
+// returns default Flags.
 func FromContextOrDefaults(ctx context.Context) Flags {
 	if cfg := FromContext(ctx); cfg != nil {
 		return cfg
 	}
-	return Flags{}
+	return newDefaults()
 }
 
 // ToContext attaches the provided Flags to the provided context, returning the

vendor/knative.dev/eventing/pkg/auth/event_policy.go

@@ -0,0 +1,147 @@
+/*
+Copyright 2024 The Knative Authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+	http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package auth
+
+import (
+	"fmt"
+	"strings"
+
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/labels"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"knative.dev/eventing/pkg/apis/eventing/v1alpha1"
+	listerseventingv1alpha1 "knative.dev/eventing/pkg/client/listers/eventing/v1alpha1"
+	"knative.dev/pkg/resolver"
+)
+
+// GetEventPoliciesForResource returns the applying EventPolicies for a given resource
+func GetEventPoliciesForResource(lister listerseventingv1alpha1.EventPolicyLister, resourceGVK schema.GroupVersionKind, resourceObjectMeta metav1.ObjectMeta) ([]*v1alpha1.EventPolicy, error) {
+	policies, err := lister.EventPolicies(resourceObjectMeta.GetNamespace()).List(labels.Everything())
+	if err != nil {
+		return nil, fmt.Errorf("failed to list eventpolicies: %w", err)
+	}
+
+	relevantPolicies := []*v1alpha1.EventPolicy{}
+
+	for _, policy := range policies {
+		if len(policy.Spec.To) == 0 {
+			// policy applies to all resources in namespace
+			relevantPolicies = append(relevantPolicies, policy)
+		}
+
+		for _, to := range policy.Spec.To {
+			if to.Ref != nil {
+				refGV, err := schema.ParseGroupVersion(to.Ref.APIVersion)
+				if err != nil {
+					return nil, fmt.Errorf("cannot split apiVersion into group and version: %s", to.Ref.APIVersion)
+				}
+
+				if strings.EqualFold(to.Ref.Name, resourceObjectMeta.GetName()) &&
+					strings.EqualFold(refGV.Group, resourceGVK.Group) &&
+					strings.EqualFold(to.Ref.Kind, resourceGVK.Kind) {
+
+					relevantPolicies = append(relevantPolicies, policy)
+					break // no need to check the other .spec.to's from this policy
+				}
+			}
+
+			if to.Selector != nil {
+				selectorGV, err := schema.ParseGroupVersion(to.Selector.APIVersion)
+				if err != nil {
+					return nil, fmt.Errorf("cannot split apiVersion into group and version: %s", to.Selector.APIVersion)
+				}
+
+				if strings.EqualFold(selectorGV.Group, resourceGVK.Group) &&
+					strings.EqualFold(to.Selector.Kind, resourceGVK.Kind) {
+
+					selector, err := metav1.LabelSelectorAsSelector(to.Selector.LabelSelector)
+					if err != nil {
+						return nil, fmt.Errorf("failed to parse selector: %w", err)
+					}
+
+					if selector.Matches(labels.Set(resourceObjectMeta.Labels)) {
+						relevantPolicies = append(relevantPolicies, policy)
+						break // no need to check the other .spec.to's from this policy
+					}
+				}
+			}
+		}
+	}
+
+	return relevantPolicies, nil
+}
+
+// ResolveSubjects returns the OIDC service accounts names for the objects referenced in the EventPolicySpecFrom.
+func ResolveSubjects(resolver *resolver.AuthenticatableResolver, eventPolicy *v1alpha1.EventPolicy) ([]string, error) {
+	allSAs := []string{}
+	for _, from := range eventPolicy.Spec.From {
+		if from.Ref != nil {
+			sas, err := resolveSubjectsFromReference(resolver, *from.Ref, eventPolicy)
+			if err != nil {
+				return nil, fmt.Errorf("could not resolve subjects from reference: %w", err)
+			}
+			allSAs = append(allSAs, sas...)
+		} else if from.Sub != nil {
+			allSAs = append(allSAs, *from.Sub)
+		}
+	}
+
+	return allSAs, nil
+}
+
+func resolveSubjectsFromReference(resolver *resolver.AuthenticatableResolver, reference v1alpha1.EventPolicyFromReference, trackingEventPolicy *v1alpha1.EventPolicy) ([]string, error) {
+	authStatus, err := resolver.AuthStatusFromObjectReference(&corev1.ObjectReference{
+		APIVersion: reference.APIVersion,
+		Kind:       reference.Kind,
+		Namespace:  reference.Namespace,
+		Name:       reference.Name,
+	}, trackingEventPolicy)
+
+	if err != nil {
+		return nil, fmt.Errorf("could not resolve auth status: %w", err)
+	}
+
+	objSAs := authStatus.ServiceAccountNames
+	if authStatus.ServiceAccountName != nil {
+		objSAs = append(objSAs, *authStatus.ServiceAccountName)
+	}
+
+	objFullSANames := make([]string, 0, len(objSAs))
+	for _, sa := range objSAs {
+		objFullSANames = append(objFullSANames, fmt.Sprintf("system:serviceaccount:%s:%s", reference.Namespace, sa))
+	}
+
+	return objFullSANames, nil
+}
+
+// SubjectContained checks if the given sub is contained in the list of allowedSubs
+// or if it matches a prefix pattern in subs (e.g. system:serviceaccounts:my-ns:*)
+func SubjectContained(sub string, allowedSubs []string) bool {
+	for _, s := range allowedSubs {
+		if strings.EqualFold(s, sub) {
+			return true
+		}
+
+		if strings.HasSuffix(s, "*") &&
+			strings.HasPrefix(sub, strings.TrimSuffix(s, "*")) {
+			return true
+		}
+	}
+
+	return false
+}

vendor/knative.dev/eventing/pkg/kncloudevents/event_dispatcher.go

@@ -352,6 +352,7 @@ func (d *Dispatcher) executeRequest(ctx context.Context, target duckv1.Addressab
 	var responseMessageBody []byte
 	if err != nil && err != io.EOF {
 		responseMessageBody = []byte(fmt.Sprintf("Failed to read response body: %s", err.Error()))
+		dispatchInfo.ResponseCode = http.StatusInternalServerError
 	} else {
 		responseMessageBody = body.Bytes()
 		dispatchInfo.ResponseBody = responseMessageBody

vendor/knative.dev/pkg/apis/duck/v1/auth_types.go

@@ -16,6 +16,21 @@ limitations under the License.
 
 package v1
 
+import (
+	"context"
+	"fmt"
+
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"knative.dev/pkg/apis"
+	"knative.dev/pkg/apis/duck/ducktypes"
+	"knative.dev/pkg/kmeta"
+	"knative.dev/pkg/ptr"
+)
+
+// +genduck
+
 // AuthStatus is meant to provide the generated service account name
 // in the resource status.
 type AuthStatus struct {
@@ -28,3 +43,81 @@ type AuthStatus struct {
 	// when the component uses multiple identities (e.g. in case of a Parallel).
 	ServiceAccountNames []string `json:"serviceAccountNames,omitempty"`
 }
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// AuthenticatableType is a skeleton type wrapping AuthStatus in the manner we expect
+// resource writers defining compatible resources to embed it.  We will
+// typically use this type to deserialize AuthenticatableType ObjectReferences and
+// access the AuthenticatableType data.  This is not a real resource.
+type AuthenticatableType struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Status AuthenticatableStatus `json:"status"`
+}
+
+type AuthenticatableStatus struct {
+	// Auth contains the service account name for the subscription
+	// +optional
+	Auth *AuthStatus `json:"auth,omitempty"`
+}
+
+var (
+	// AuthStatus is a Convertible type.
+	_ apis.Convertible = (*AuthStatus)(nil)
+
+	// Verify AuthenticatableType resources meet duck contracts.
+	_ apis.Listable         = (*AuthenticatableType)(nil)
+	_ ducktypes.Populatable = (*AuthenticatableType)(nil)
+	_ kmeta.OwnerRefable    = (*AuthenticatableType)(nil)
+)
+
+// GetFullType implements duck.Implementable
+func (*AuthStatus) GetFullType() ducktypes.Populatable {
+	return &AuthenticatableType{}
+}
+
+// ConvertTo implements apis.Convertible
+func (a *AuthStatus) ConvertTo(_ context.Context, to apis.Convertible) error {
+	return fmt.Errorf("v1 is the highest known version, got: %T", to)
+}
+
+// ConvertFrom implements apis.Convertible
+func (a *AuthStatus) ConvertFrom(_ context.Context, from apis.Convertible) error {
+	return fmt.Errorf("v1 is the highest known version, got: %T", from)
+}
+
+// Populate implements duck.Populatable
+func (t *AuthenticatableType) Populate() {
+	t.Status = AuthenticatableStatus{
+		Auth: &AuthStatus{
+			// Populate ALL fields
+			ServiceAccountName: ptr.String("foo"),
+			ServiceAccountNames: []string{
+				"bar",
+				"baz",
+			},
+		},
+	}
+}
+
+// GetGroupVersionKind implements kmeta.OwnerRefable
+func (t *AuthenticatableType) GetGroupVersionKind() schema.GroupVersionKind {
+	return t.GroupVersionKind()
+}
+
+// GetListType implements apis.Listable
+func (*AuthenticatableType) GetListType() runtime.Object {
+	return &AuthenticatableTypeList{}
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// AuthenticatableTypeList is a list of AuthenticatableType resources
+type AuthenticatableTypeList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata"`
+
+	Items []AuthenticatableType `json:"items"`
+}