[main] Upgrade to latest dependencies

go.mod

@@ -13,10 +13,10 @@ require (
 	k8s.io/api v0.29.2
 	k8s.io/apimachinery v0.29.2
 	k8s.io/client-go v0.29.2
-	knative.dev/eventing v0.41.1-0.20240613093107-ea8f0fda4c06
+	knative.dev/eventing v0.41.1-0.20240617131715-e298f32440e4
 	knative.dev/hack v0.0.0-20240607132042-09143140a254
-	knative.dev/pkg v0.0.0-20240610120318-15e6cdf2f386
-	knative.dev/serving v0.41.1-0.20240614080555-1f7cc4852a07
+	knative.dev/pkg v0.0.0-20240614135239-339c22b8218c
+	knative.dev/serving v0.41.1-0.20240617141500-f464e2df80bb
 )
 
 require (
@@ -102,7 +102,7 @@ require (
 	k8s.io/klog/v2 v2.120.1 // indirect
 	k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00 // indirect
 	k8s.io/utils v0.0.0-20240102154912-e7106e64919e // indirect
-	knative.dev/networking v0.0.0-20240607132834-85e269dff522 // indirect
+	knative.dev/networking v0.0.0-20240611072033-3b8764c0bb4c // indirect
 	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
 	sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect
 	sigs.k8s.io/yaml v1.4.0 // indirect

go.sum

@@ -789,16 +789,16 @@ k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00 h1:aVUu9fTY98ivBPKR9Y5w/A
 k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00/go.mod h1:AsvuZPBlUDVuCdzJ87iajxtXuR9oktsTctW/R9wwouA=
 k8s.io/utils v0.0.0-20240102154912-e7106e64919e h1:eQ/4ljkx21sObifjzXwlPKpdGLrCfRziVtos3ofG/sQ=
 k8s.io/utils v0.0.0-20240102154912-e7106e64919e/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
-knative.dev/eventing v0.41.1-0.20240613093107-ea8f0fda4c06 h1:GYVCeO9+udWWzNfyWlBrclwB07kxzIElbhCCtFrsIRo=
-knative.dev/eventing v0.41.1-0.20240613093107-ea8f0fda4c06/go.mod h1:PQpuuOYjAl6rW74U+1CgcKP9IyKhk7XhS8aAu9zWQG0=
+knative.dev/eventing v0.41.1-0.20240617131715-e298f32440e4 h1:YJfAOdkD0ENKcOCNLqDMR9sqsp7FzvGy81mJvDC7RI4=
+knative.dev/eventing v0.41.1-0.20240617131715-e298f32440e4/go.mod h1:Ja5ThoaajtwMAb7pHhG3t0WRul5oSZPalfP5R/0YP80=
 knative.dev/hack v0.0.0-20240607132042-09143140a254 h1:1YFnu3U6dWZg0oxm6GU8kEdA9A+BvSWKJO7sg3N0kq8=
 knative.dev/hack v0.0.0-20240607132042-09143140a254/go.mod h1:yk2OjGDsbEnQjfxdm0/HJKS2WqTLEFg/N6nUs6Rqx3Q=
-knative.dev/networking v0.0.0-20240607132834-85e269dff522 h1:zDtZStHJI3La7jSHUAjN4Jgv0/Yynl51kuchlVLHqzA=
-knative.dev/networking v0.0.0-20240607132834-85e269dff522/go.mod h1:WS5A291Vy2unZ1L54ZSKBkz/gVzVmIy15cCcdA6PRN4=
-knative.dev/pkg v0.0.0-20240610120318-15e6cdf2f386 h1:nxFTT6DrXr70Zi2BK8nc57ts0/smyavd/uBRBbtqg94=
-knative.dev/pkg v0.0.0-20240610120318-15e6cdf2f386/go.mod h1:l7R8/SteYph0mZDsVgq3fVs4mWp1DaYx9BJJX68U6ik=
-knative.dev/serving v0.41.1-0.20240614080555-1f7cc4852a07 h1:Qcf6ytf+Ug1Xu7NBn/kFH+qtzXQ8ASoGiEmtNx53UpU=
-knative.dev/serving v0.41.1-0.20240614080555-1f7cc4852a07/go.mod h1:Z58WxiVmEynF1kX8cK4fYmNprj8IkPLl2mEHdvuP6nc=
+knative.dev/networking v0.0.0-20240611072033-3b8764c0bb4c h1:Q+DdJYzvhwAVWMQtP6mbEr5dNxpr+K9HAF9RqJmZefY=
+knative.dev/networking v0.0.0-20240611072033-3b8764c0bb4c/go.mod h1:WhZLv94eOMDGHbdZiMrw6cnRfN3WEcFgpjUcV0A48pI=
+knative.dev/pkg v0.0.0-20240614135239-339c22b8218c h1:OaKrY7L6rzWTvs51JlieJajL40F6CpBbvO1aZspg2EA=
+knative.dev/pkg v0.0.0-20240614135239-339c22b8218c/go.mod h1:l7R8/SteYph0mZDsVgq3fVs4mWp1DaYx9BJJX68U6ik=
+knative.dev/serving v0.41.1-0.20240617141500-f464e2df80bb h1:UcrtFuB3wFqVTxSJoGn/iXyc11n13bJi6XMYP9f7y8k=
+knative.dev/serving v0.41.1-0.20240617141500-f464e2df80bb/go.mod h1:zvjO9iWedTW7/heF8A6rouZP47g4ZvmtDjUW2f88KQo=
 rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
 rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
 rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=

vendor/knative.dev/eventing/pkg/apis/eventing/v1alpha1/eventpolicy_validation.go

@@ -18,6 +18,7 @@ package v1alpha1
 
 import (
 	"context"
+	"strings"
 
 	"knative.dev/pkg/apis"
 )
@@ -36,6 +37,7 @@ func (ets *EventPolicySpec) Validate(ctx context.Context) *apis.FieldError {
 			err = err.Also(apis.ErrMultipleOneOf("ref", "sub").ViaFieldIndex("from", i))
 		}
 		err = err.Also(f.Ref.Validate().ViaField("ref").ViaFieldIndex("from", i))
+		err = err.Also(validateSub(f.Sub).ViaField("sub").ViaFieldIndex("from", i))
 	}
 
 	for i, t := range ets.To {
@@ -53,6 +55,20 @@ func (ets *EventPolicySpec) Validate(ctx context.Context) *apis.FieldError {
 	return err
 }
 
+func validateSub(sub *string) *apis.FieldError {
+	if sub == nil || len(*sub) <= 1 {
+		return nil
+	}
+
+	lastInvalidIdx := len(*sub) - 2
+	firstInvalidIdx := 0
+	if idx := strings.IndexRune(*sub, '*'); idx >= firstInvalidIdx && idx <= lastInvalidIdx {
+		return apis.ErrInvalidValue(*sub, "", "'*' is only allowed as suffix")
+	}
+
+	return nil
+}
+
 func (r *EventPolicyFromReference) Validate() *apis.FieldError {
 	if r == nil {
 		return nil

vendor/knative.dev/eventing/pkg/auth/event_policy.go

@@ -0,0 +1,147 @@
+/*
+Copyright 2024 The Knative Authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+	http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package auth
+
+import (
+	"fmt"
+	"strings"
+
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/labels"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"knative.dev/eventing/pkg/apis/eventing/v1alpha1"
+	listerseventingv1alpha1 "knative.dev/eventing/pkg/client/listers/eventing/v1alpha1"
+	"knative.dev/pkg/resolver"
+)
+
+// GetEventPoliciesForResource returns the applying EventPolicies for a given resource
+func GetEventPoliciesForResource(lister listerseventingv1alpha1.EventPolicyLister, resourceGVK schema.GroupVersionKind, resourceObjectMeta metav1.ObjectMeta) ([]*v1alpha1.EventPolicy, error) {
+	policies, err := lister.EventPolicies(resourceObjectMeta.GetNamespace()).List(labels.Everything())
+	if err != nil {
+		return nil, fmt.Errorf("failed to list eventpolicies: %w", err)
+	}
+
+	relevantPolicies := []*v1alpha1.EventPolicy{}
+
+	for _, policy := range policies {
+		if len(policy.Spec.To) == 0 {
+			// policy applies to all resources in namespace
+			relevantPolicies = append(relevantPolicies, policy)
+		}
+
+		for _, to := range policy.Spec.To {
+			if to.Ref != nil {
+				refGV, err := schema.ParseGroupVersion(to.Ref.APIVersion)
+				if err != nil {
+					return nil, fmt.Errorf("cannot split apiVersion into group and version: %s", to.Ref.APIVersion)
+				}
+
+				if strings.EqualFold(to.Ref.Name, resourceObjectMeta.GetName()) &&
+					strings.EqualFold(refGV.Group, resourceGVK.Group) &&
+					strings.EqualFold(to.Ref.Kind, resourceGVK.Kind) {
+
+					relevantPolicies = append(relevantPolicies, policy)
+					break // no need to check the other .spec.to's from this policy
+				}
+			}
+
+			if to.Selector != nil {
+				selectorGV, err := schema.ParseGroupVersion(to.Selector.APIVersion)
+				if err != nil {
+					return nil, fmt.Errorf("cannot split apiVersion into group and version: %s", to.Selector.APIVersion)
+				}
+
+				if strings.EqualFold(selectorGV.Group, resourceGVK.Group) &&
+					strings.EqualFold(to.Selector.Kind, resourceGVK.Kind) {
+
+					selector, err := metav1.LabelSelectorAsSelector(to.Selector.LabelSelector)
+					if err != nil {
+						return nil, fmt.Errorf("failed to parse selector: %w", err)
+					}
+
+					if selector.Matches(labels.Set(resourceObjectMeta.Labels)) {
+						relevantPolicies = append(relevantPolicies, policy)
+						break // no need to check the other .spec.to's from this policy
+					}
+				}
+			}
+		}
+	}
+
+	return relevantPolicies, nil
+}
+
+// ResolveSubjects returns the OIDC service accounts names for the objects referenced in the EventPolicySpecFrom.
+func ResolveSubjects(resolver *resolver.AuthenticatableResolver, eventPolicy *v1alpha1.EventPolicy) ([]string, error) {
+	allSAs := []string{}
+	for _, from := range eventPolicy.Spec.From {
+		if from.Ref != nil {
+			sas, err := resolveSubjectsFromReference(resolver, *from.Ref, eventPolicy)
+			if err != nil {
+				return nil, fmt.Errorf("could not resolve subjects from reference: %w", err)
+			}
+			allSAs = append(allSAs, sas...)
+		} else if from.Sub != nil {
+			allSAs = append(allSAs, *from.Sub)
+		}
+	}
+
+	return allSAs, nil
+}
+
+func resolveSubjectsFromReference(resolver *resolver.AuthenticatableResolver, reference v1alpha1.EventPolicyFromReference, trackingEventPolicy *v1alpha1.EventPolicy) ([]string, error) {
+	authStatus, err := resolver.AuthStatusFromObjectReference(&corev1.ObjectReference{
+		APIVersion: reference.APIVersion,
+		Kind:       reference.Kind,
+		Namespace:  reference.Namespace,
+		Name:       reference.Name,
+	}, trackingEventPolicy)
+
+	if err != nil {
+		return nil, fmt.Errorf("could not resolve auth status: %w", err)
+	}
+
+	objSAs := authStatus.ServiceAccountNames
+	if authStatus.ServiceAccountName != nil {
+		objSAs = append(objSAs, *authStatus.ServiceAccountName)
+	}
+
+	objFullSANames := make([]string, 0, len(objSAs))
+	for _, sa := range objSAs {
+		objFullSANames = append(objFullSANames, fmt.Sprintf("system:serviceaccount:%s:%s", reference.Namespace, sa))
+	}
+
+	return objFullSANames, nil
+}
+
+// SubjectContained checks if the given sub is contained in the list of allowedSubs
+// or if it matches a prefix pattern in subs (e.g. system:serviceaccounts:my-ns:*)
+func SubjectContained(sub string, allowedSubs []string) bool {
+	for _, s := range allowedSubs {
+		if strings.EqualFold(s, sub) {
+			return true
+		}
+
+		if strings.HasSuffix(s, "*") &&
+			strings.HasPrefix(sub, strings.TrimSuffix(s, "*")) {
+			return true
+		}
+	}
+
+	return false
+}