Update OIDC user matcher to work with .authStatus.serviceAccountNames

go.mod

@@ -22,7 +22,7 @@ require (
 	k8s.io/client-go v0.29.2
 	k8s.io/utils v0.0.0-20240102154912-e7106e64919e
 	knative.dev/hack v0.0.0-20240507013718-68e3bfb39d11
-	knative.dev/pkg v0.0.0-20240507013158-1d1616aa15db
+	knative.dev/pkg v0.0.0-20240507092124-360b72e4948e
 	sigs.k8s.io/yaml v1.4.0
 )
 

go.sum

@@ -725,8 +725,8 @@ k8s.io/utils v0.0.0-20240102154912-e7106e64919e h1:eQ/4ljkx21sObifjzXwlPKpdGLrCf
 k8s.io/utils v0.0.0-20240102154912-e7106e64919e/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
 knative.dev/hack v0.0.0-20240507013718-68e3bfb39d11 h1:CYoD72R8/R35REjeY2nnWfBak+Q3f+NxXwEfwcID1eU=
 knative.dev/hack v0.0.0-20240507013718-68e3bfb39d11/go.mod h1:yk2OjGDsbEnQjfxdm0/HJKS2WqTLEFg/N6nUs6Rqx3Q=
-knative.dev/pkg v0.0.0-20240507013158-1d1616aa15db h1:wc8y5CoKhGWsIUxdkTqILXr2i1rJUxtVKQRc3P0tEKI=
-knative.dev/pkg v0.0.0-20240507013158-1d1616aa15db/go.mod h1:PQiq+p9Gr++TnU+w5P+ZpFS5MOwcMF6Y2oWFU8Ou7bw=
+knative.dev/pkg v0.0.0-20240507092124-360b72e4948e h1:By0c/FKLZlisAerWiMj9crtaEhcl/sp8gN8Rp0s8fKM=
+knative.dev/pkg v0.0.0-20240507092124-360b72e4948e/go.mod h1:PQiq+p9Gr++TnU+w5P+ZpFS5MOwcMF6Y2oWFU8Ou7bw=
 rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
 rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
 rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=

pkg/eventshub/assert/event_info_matchers.go

@@ -162,16 +162,25 @@ func MatchOIDCUserFromResource(gvr schema.GroupVersionResource, resourceName str
 			return fmt.Errorf("error from DefaultUnstructured.Dynamiconverter: %w", err)
 		}
 
-		if obj.Status.Auth == nil || obj.Status.Auth.ServiceAccountName == nil {
+		if obj.Status.Auth == nil || (obj.Status.Auth.ServiceAccountName == nil && len(obj.Status.Auth.ServiceAccountNames) == 0) {
 			return fmt.Errorf("resource does not have an OIDC service account set")
 		}
 
-		objFullSAName := fmt.Sprintf("system:serviceaccount:%s:%s", obj.GetNamespace(), *obj.Status.Auth.ServiceAccountName)
-		if objFullSAName != info.OIDCUserInfo.Username {
-			return fmt.Errorf("OIDC identity in event does not match identity of resource. Event: %q, resource: %q", info.OIDCUserInfo.Username, objFullSAName)
+		objSAs := obj.Status.Auth.ServiceAccountNames
+		if obj.Status.Auth.ServiceAccountName != nil {
+			objSAs = append(objSAs, *obj.Status.Auth.ServiceAccountName)
 		}
 
-		return nil
+		for _, sa := range objSAs {
+			objFullSAName := fmt.Sprintf("system:serviceaccount:%s:%s", obj.GetNamespace(), sa)
+
+			if objFullSAName == info.OIDCUserInfo.Username {
+				// found
+				return nil
+			}
+		}
+
+		return fmt.Errorf("OIDC identity in event does not match identity/identities of resource. Event: %q, resource: %q", info.OIDCUserInfo.Username, strings.Join(objSAs, ", "))
 	}
 }
 

vendor/knative.dev/pkg/apis/duck/v1/auth_types.go

@@ -22,4 +22,9 @@ type AuthStatus struct {
 	// ServiceAccountName is the name of the generated service account
 	// used for this components OIDC authentication.
 	ServiceAccountName *string `json:"serviceAccountName,omitempty"`
+
+	// ServiceAccountNames is the list of names of the generated service accounts
+	// used for this components OIDC authentication. This list can have len() > 1,
+	// when the component uses multiple identities (e.g. in case of a Parallel).
+	ServiceAccountNames []string `json:"serviceAccountNames,omitempty"`
 }

vendor/modules.txt

@@ -843,7 +843,7 @@ k8s.io/utils/trace
 # knative.dev/hack v0.0.0-20240507013718-68e3bfb39d11
 ## explicit; go 1.18
 knative.dev/hack
-# knative.dev/pkg v0.0.0-20240507013158-1d1616aa15db
+# knative.dev/pkg v0.0.0-20240507092124-360b72e4948e
 ## explicit; go 1.21
 knative.dev/pkg/apis
 knative.dev/pkg/apis/duck