Update dependencies (#5518)

vendor/github.com/open-policy-agent/opa/internal/providers/aws/NOTICE.txt

@@ -0,0 +1,3 @@
+AWS SDK for Go
+Copyright 2015 Amazon.com, Inc. or its affiliates. All Rights Reserved. 
+Copyright 2014-2015 Stripe, Inc.

vendor/github.com/open-policy-agent/opa/internal/providers/aws/crypto/compare.go

@@ -0,0 +1,30 @@
+package crypto
+
+import "fmt"
+
+// ConstantTimeByteCompare is a constant-time byte comparison of x and y. This function performs an absolute comparison
+// if the two byte slices assuming they represent a big-endian number.
+//
+//		 error if len(x) != len(y)
+//	  -1 if x <  y
+//	   0 if x == y
+//	  +1 if x >  y
+func ConstantTimeByteCompare(x, y []byte) (int, error) {
+	if len(x) != len(y) {
+		return 0, fmt.Errorf("slice lengths do not match")
+	}
+
+	xLarger, yLarger := 0, 0
+
+	for i := 0; i < len(x); i++ {
+		xByte, yByte := int(x[i]), int(y[i])
+
+		x := ((yByte - xByte) >> 8) & 1
+		y := ((xByte - yByte) >> 8) & 1
+
+		xLarger |= x &^ yLarger
+		yLarger |= y &^ xLarger
+	}
+
+	return xLarger - yLarger, nil
+}

vendor/github.com/open-policy-agent/opa/internal/providers/aws/crypto/ecc.go

@@ -0,0 +1,113 @@
+package crypto
+
+import (
+	"bytes"
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/hmac"
+	"encoding/asn1"
+	"encoding/binary"
+	"fmt"
+	"hash"
+	"math"
+	"math/big"
+)
+
+type ecdsaSignature struct {
+	R, S *big.Int
+}
+
+// ECDSAKey takes the given elliptic curve, and private key (d) byte slice
+// and returns the private ECDSA key.
+func ECDSAKey(curve elliptic.Curve, d []byte) *ecdsa.PrivateKey {
+	return ECDSAKeyFromPoint(curve, (&big.Int{}).SetBytes(d))
+}
+
+// ECDSAKeyFromPoint takes the given elliptic curve and point and returns the
+// private and public keypair
+func ECDSAKeyFromPoint(curve elliptic.Curve, d *big.Int) *ecdsa.PrivateKey {
+	pX, pY := curve.ScalarBaseMult(d.Bytes())
+
+	privKey := &ecdsa.PrivateKey{
+		PublicKey: ecdsa.PublicKey{
+			Curve: curve,
+			X:     pX,
+			Y:     pY,
+		},
+		D: d,
+	}
+
+	return privKey
+}
+
+// ECDSAPublicKey takes the provide curve and (x, y) coordinates and returns
+// *ecdsa.PublicKey. Returns an error if the given points are not on the curve.
+func ECDSAPublicKey(curve elliptic.Curve, x, y []byte) (*ecdsa.PublicKey, error) {
+	xPoint := (&big.Int{}).SetBytes(x)
+	yPoint := (&big.Int{}).SetBytes(y)
+
+	if !curve.IsOnCurve(xPoint, yPoint) {
+		return nil, fmt.Errorf("point(%v, %v) is not on the given curve", xPoint.String(), yPoint.String())
+	}
+
+	return &ecdsa.PublicKey{
+		Curve: curve,
+		X:     xPoint,
+		Y:     yPoint,
+	}, nil
+}
+
+// VerifySignature takes the provided public key, hash, and asn1 encoded signature and returns
+// whether the given signature is valid.
+func VerifySignature(key *ecdsa.PublicKey, hash []byte, signature []byte) (bool, error) {
+	var ecdsaSignature ecdsaSignature
+
+	_, err := asn1.Unmarshal(signature, &ecdsaSignature)
+	if err != nil {
+		return false, err
+	}
+
+	return ecdsa.Verify(key, hash, ecdsaSignature.R, ecdsaSignature.S), nil
+}
+
+// HMACKeyDerivation provides an implementation of a NIST-800-108 of a KDF (Key Derivation Function) in Counter Mode.
+// For the purposes of this implantation HMAC is used as the PRF (Pseudorandom function), where the value of
+// `r` is defined as a 4 byte counter.
+func HMACKeyDerivation(hash func() hash.Hash, bitLen int, key []byte, label, context []byte) ([]byte, error) {
+	// verify that we won't overflow the counter
+	n := int64(math.Ceil((float64(bitLen) / 8) / float64(hash().Size())))
+	if n > 0x7FFFFFFF {
+		return nil, fmt.Errorf("unable to derive key of size %d using 32-bit counter", bitLen)
+	}
+
+	// verify the requested bit length is not larger then the length encoding size
+	if int64(bitLen) > 0x7FFFFFFF {
+		return nil, fmt.Errorf("bitLen is greater than 32-bits")
+	}
+
+	fixedInput := bytes.NewBuffer(nil)
+	fixedInput.Write(label)
+	fixedInput.WriteByte(0x00)
+	fixedInput.Write(context)
+	if err := binary.Write(fixedInput, binary.BigEndian, int32(bitLen)); err != nil {
+		return nil, fmt.Errorf("failed to write bit length to fixed input string: %v", err)
+	}
+
+	var output []byte
+
+	h := hmac.New(hash, key)
+
+	for i := int64(1); i <= n; i++ {
+		h.Reset()
+		if err := binary.Write(h, binary.BigEndian, int32(i)); err != nil {
+			return nil, err
+		}
+		_, err := h.Write(fixedInput.Bytes())
+		if err != nil {
+			return nil, err
+		}
+		output = append(output, h.Sum(nil)...)
+	}
+
+	return output[:bitLen/8], nil
+}

vendor/github.com/open-policy-agent/opa/internal/providers/aws/signing_v4.go

@@ -0,0 +1,164 @@
+// Copyright 2022 The OPA Authors.  All rights reserved.
+// Use of this source code is governed by an Apache2
+// license that can be found in the LICENSE file.
+
+package aws
+
+import (
+	"crypto/hmac"
+	"crypto/sha256"
+	"fmt"
+	"net/url"
+	"sort"
+	"strings"
+	"time"
+
+	"github.com/open-policy-agent/opa/ast"
+)
+
+func stringFromTerm(t *ast.Term) string {
+	if v, ok := t.Value.(ast.String); ok {
+		return string(v)
+	}
+	return ""
+}
+
+// Headers that may be mutated before reaching an aws service (eg by a proxy) should be added here to omit them from
+// the sigv4 canonical request
+// ref. https://github.com/aws/aws-sdk-go/blob/master/aws/signer/v4/v4.go#L92
+var awsSigv4IgnoredHeaders = map[string]struct{}{
+	"authorization":   {},
+	"user-agent":      {},
+	"x-amzn-trace-id": {},
+}
+
+type Credentials struct {
+	AccessKey    string
+	SecretKey    string
+	RegionName   string
+	SessionToken string
+}
+
+func CredentialsFromObject(v ast.Object) Credentials {
+	var creds Credentials
+	awsAccessKey := v.Get(ast.StringTerm("aws_access_key"))
+	awsSecretKey := v.Get(ast.StringTerm("aws_secret_access_key"))
+	awsRegion := v.Get(ast.StringTerm("aws_region"))
+	awsSessionToken := v.Get(ast.StringTerm("aws_session_token"))
+
+	creds.AccessKey = stringFromTerm(awsAccessKey)
+	creds.SecretKey = stringFromTerm(awsSecretKey)
+	creds.RegionName = stringFromTerm(awsRegion)
+	if awsSessionToken != nil {
+		creds.SessionToken = stringFromTerm(awsSessionToken)
+	}
+	return creds
+}
+
+func sha256MAC(message string, key []byte) []byte {
+	mac := hmac.New(sha256.New, key)
+	mac.Write([]byte(message))
+	return mac.Sum(nil)
+}
+
+func sortKeys(strMap map[string][]string) []string {
+	keys := make([]string, len(strMap))
+
+	i := 0
+	for k := range strMap {
+		keys[i] = k
+		i++
+	}
+	sort.Strings(keys)
+
+	return keys
+}
+
+// SignV4 modifies a map[string][]string of headers to generate an AWS V4 signature + headers based on the config/credentials provided.
+func SignV4(headers map[string][]string, method string, theURL *url.URL, body []byte, service string, awsCreds Credentials, theTime time.Time) (string, map[string]string) {
+	// General ref. https://docs.aws.amazon.com/general/latest/gr/sigv4_signing.html
+	// S3 ref. https://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-auth-using-authorization-header.html
+	// APIGateway ref. https://docs.aws.amazon.com/apigateway/api-reference/signing-requests/
+	bodyHexHash := fmt.Sprintf("%x", sha256.Sum256(body))
+
+	now := theTime.UTC()
+
+	// V4 signing has specific ideas of how it wants to see dates/times encoded
+	dateNow := now.Format("20060102")
+	iso8601Now := now.Format("20060102T150405Z")
+
+	awsHeaders := map[string]string{
+		"host":       theURL.Host,
+		"x-amz-date": iso8601Now,
+	}
+
+	// s3 and glacier require the extra x-amz-content-sha256 header. other services do not.
+	if service == "s3" || service == "glacier" {
+		awsHeaders["x-amz-content-sha256"] = bodyHexHash
+	}
+
+	// the security token header is necessary for ephemeral credentials, e.g. from
+	// the EC2 metadata service
+	if awsCreds.SessionToken != "" {
+		awsHeaders["x-amz-security-token"] = awsCreds.SessionToken
+	}
+
+	headersToSign := map[string][]string{}
+	// sign all of the aws headers.
+	for k, v := range awsHeaders {
+		headersToSign[k] = []string{v}
+	}
+
+	// sign all of the request's headers, except for those in the ignore list
+	for k, v := range headers {
+		lowercaseHeader := strings.ToLower(k)
+		if _, ok := awsSigv4IgnoredHeaders[lowercaseHeader]; !ok {
+			headersToSign[lowercaseHeader] = v
+		}
+	}
+
+	// the "canonical request" is the normalized version of the AWS service access
+	// that we're attempting to perform; in this case, a GET from an S3 bucket
+	canonicalReq := method + "\n"               // HTTP method
+	canonicalReq += theURL.EscapedPath() + "\n" // URI-escaped path
+	canonicalReq += theURL.RawQuery + "\n"      // RAW Query String
+
+	// include the values for the signed headers
+	orderedKeys := sortKeys(headersToSign)
+	for _, k := range orderedKeys {
+		canonicalReq += k + ":" + strings.Join(headersToSign[k], ",") + "\n"
+	}
+	canonicalReq += "\n" // linefeed to terminate headers
+
+	// include the list of the signed headers
+	headerList := strings.Join(orderedKeys, ";")
+	canonicalReq += headerList + "\n"
+	canonicalReq += bodyHexHash
+
+	// the "string to sign" is a time-bounded, scoped request token which
+	// is linked to the "canonical request" by inclusion of its SHA-256 hash
+	strToSign := "AWS4-HMAC-SHA256\n"                                                    // V4 signing with SHA-256 HMAC
+	strToSign += iso8601Now + "\n"                                                       // ISO 8601 time
+	strToSign += dateNow + "/" + awsCreds.RegionName + "/" + service + "/aws4_request\n" // scoping for signature
+	strToSign += fmt.Sprintf("%x", sha256.Sum256([]byte(canonicalReq)))                  // SHA-256 of canonical request
+
+	// the "signing key" is generated by repeated HMAC-SHA256 based on the same
+	// scoping that's included in the "string to sign"; but including the secret key
+	// to allow AWS to validate it
+	signingKey := sha256MAC(dateNow, []byte("AWS4"+awsCreds.SecretKey))
+	signingKey = sha256MAC(awsCreds.RegionName, signingKey)
+	signingKey = sha256MAC(service, signingKey)
+	signingKey = sha256MAC("aws4_request", signingKey)
+
+	// the "signature" is finally the "string to sign" signed by the "signing key"
+	signature := sha256MAC(strToSign, signingKey)
+
+	// required format of Authorization header; n.b. the access key corresponding to
+	// the secret key is included here
+	authHeader := "AWS4-HMAC-SHA256 Credential=" + awsCreds.AccessKey + "/" + dateNow
+	authHeader += "/" + awsCreds.RegionName + "/" + service + "/aws4_request,"
+	authHeader += "SignedHeaders=" + headerList + ","
+	authHeader += "Signature=" + fmt.Sprintf("%x", signature)
+
+	return authHeader, awsHeaders
+}

vendor/github.com/open-policy-agent/opa/internal/providers/aws/signing_v4a.go

@@ -0,0 +1,410 @@
+// modified from github.com/aws/aws-sdk-go-v2/internal/v4a@7a32d707af
+package aws
+
+import (
+	"bytes"
+	"crypto"
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/rand"
+	"crypto/sha256"
+	"encoding/hex"
+	"fmt"
+	"hash"
+	"io"
+	"math/big"
+	"net/http"
+	"net/url"
+	"sort"
+	"strconv"
+	"strings"
+	"sync"
+	"sync/atomic"
+	"time"
+
+	signerCrypto "github.com/open-policy-agent/opa/internal/providers/aws/crypto"
+	v4Internal "github.com/open-policy-agent/opa/internal/providers/aws/v4"
+)
+
+const (
+	// AmzRegionSetKey represents the region set header used for sigv4a
+	AmzRegionSetKey     = "X-Amz-Region-Set"
+	amzSecurityTokenKey = v4Internal.AmzSecurityTokenKey
+	amzDateKey          = v4Internal.AmzDateKey
+	authorizationHeader = "Authorization"
+
+	signingAlgorithm = "AWS4-ECDSA-P256-SHA256"
+
+	timeFormat      = "20060102T150405Z"
+	shortTimeFormat = "20060102"
+)
+
+var (
+	p256          elliptic.Curve
+	nMinusTwoP256 *big.Int
+
+	one = new(big.Int).SetInt64(1)
+
+	cache = credsCache{}
+
+	randomSource = rand.Reader
+)
+
+func init() {
+	// Ensure the elliptic curve parameters are initialized on package import rather then on first usage
+	p256 = elliptic.P256()
+
+	nMinusTwoP256 = new(big.Int).SetBytes(p256.Params().N.Bytes())
+	nMinusTwoP256 = nMinusTwoP256.Sub(nMinusTwoP256, new(big.Int).SetInt64(2))
+}
+
+type credsCache struct {
+	asymmetric atomic.Value
+	m          sync.Mutex
+}
+
+// SetRandomSource used for testing to override rand so tests can expect stable output
+func SetRandomSource(reader io.Reader) {
+	randomSource = reader
+}
+
+// deriveKeyFromAccessKeyPair derives a NIST P-256 PrivateKey from the given
+// IAM AccessKey and SecretKey pair.
+//
+// Based on FIPS.186-4 Appendix B.4.2
+func deriveKeyFromAccessKeyPair(accessKey, secretKey string) (*ecdsa.PrivateKey, error) {
+	params := p256.Params()
+	bitLen := params.BitSize // Testing random candidates does not require an additional 64 bits
+	counter := 0x01
+
+	buffer := make([]byte, 1+len(accessKey)) // 1 byte counter + len(accessKey)
+	kdfContext := bytes.NewBuffer(buffer)
+
+	inputKey := append([]byte("AWS4A"), []byte(secretKey)...)
+
+	d := new(big.Int)
+	for {
+		kdfContext.Reset()
+		kdfContext.WriteString(accessKey)
+		kdfContext.WriteByte(byte(counter))
+
+		key, err := signerCrypto.HMACKeyDerivation(sha256.New, bitLen, inputKey, []byte(signingAlgorithm), kdfContext.Bytes())
+		if err != nil {
+			return nil, err
+		}
+
+		// Check key first before calling SetBytes if key is in fact a valid candidate.
+		// This ensures the byte slice is the correct length (32-bytes) to compare in constant-time
+		cmp, err := signerCrypto.ConstantTimeByteCompare(key, nMinusTwoP256.Bytes())
+		if err != nil {
+			return nil, err
+		}
+		if cmp == -1 {
+			d.SetBytes(key)
+			break
+		}
+
+		counter++
+		if counter > 0xFF {
+			return nil, fmt.Errorf("exhausted single byte external counter")
+		}
+	}
+	d = d.Add(d, one)
+
+	priv := new(ecdsa.PrivateKey)
+	priv.PublicKey.Curve = p256
+	priv.D = d
+	priv.PublicKey.X, priv.PublicKey.Y = p256.ScalarBaseMult(d.Bytes())
+
+	return priv, nil
+}
+
+// v4aCredentials is Context, ECDSA, and Optional Session Token that can be used
+// to sign requests using SigV4a
+type v4aCredentials struct {
+	Context      string
+	PrivateKey   *ecdsa.PrivateKey
+	SessionToken string
+}
+
+// retrievePrivateKey returns credentials suitable for SigV4a signing
+func retrievePrivateKey(symmetric Credentials) (v4aCredentials, error) {
+	cache.m.Lock()
+	defer cache.m.Unlock()
+
+	// try to get creds from cache
+	v := cache.asymmetric.Load()
+	if v != nil {
+		c := v.(*v4aCredentials)
+		// if the cached Context matches the symmetric AccessKey ID, then use cached value. Otherwise, creds have
+		// changed and we need to derive new asymmetric creds
+		if c != nil && c.Context == symmetric.AccessKey {
+			return *c, nil
+		}
+	}
+
+	privateKey, err := deriveKeyFromAccessKeyPair(symmetric.AccessKey, symmetric.SecretKey)
+	if err != nil {
+		return v4aCredentials{}, fmt.Errorf("failed to derive asymmetric key from credentials")
+	}
+
+	creds := v4aCredentials{
+		Context:      symmetric.AccessKey,
+		PrivateKey:   privateKey,
+		SessionToken: symmetric.SessionToken,
+	}
+
+	// cache derived asymmetric creds so we don't derive new ones until symmetric creds change
+	cache.asymmetric.Store(&creds)
+
+	return creds, nil
+}
+
+type httpSigner struct {
+	Request     *http.Request
+	ServiceName string
+	RegionSet   []string
+	Time        time.Time
+	Credentials v4aCredentials
+
+	// PayloadHash is the hex encoded SHA-256 hash of the request payload
+	// If len(PayloadHash) == 0 the signer will attempt to send the request
+	// as an unsigned payload. Note: Unsigned payloads only work for a subset of services.
+	PayloadHash string
+}
+
+func (s *httpSigner) setRequiredSigningFields(headers http.Header, query url.Values) {
+	amzDate := s.Time.Format(timeFormat)
+
+	headers.Set(AmzRegionSetKey, strings.Join(s.RegionSet, ","))
+	headers.Set(amzDateKey, amzDate)
+	if len(s.Credentials.SessionToken) > 0 {
+		headers.Set(amzSecurityTokenKey, s.Credentials.SessionToken)
+	}
+}
+
+// Build modifies the Request attribute of the httpSigner, adding an Authorization header
+func (s *httpSigner) Build() (signedRequest, error) {
+	req := s.Request
+
+	query := req.URL.Query()
+	headers := req.Header
+
+	// seemingly required by S3/MRAP -- 403 Forbidden otherwise
+	headers.Set("host", req.URL.Host)
+	headers.Set("x-amz-content-sha256", s.PayloadHash)
+
+	s.setRequiredSigningFields(headers, query)
+
+	// Sort Each Query Key's Values
+	for key := range query {
+		sort.Strings(query[key])
+	}
+
+	v4Internal.SanitizeHostForHeader(req)
+
+	credentialScope := s.buildCredentialScope()
+	credentialStr := s.Credentials.Context + "/" + credentialScope
+
+	unsignedHeaders := headers
+
+	host := req.URL.Host
+	if len(req.Host) > 0 {
+		host = req.Host
+	}
+
+	signedHeaders, signedHeadersStr, canonicalHeaderStr := s.buildCanonicalHeaders(host, v4Internal.IgnoredHeaders, unsignedHeaders, s.Request.ContentLength)
+
+	rawQuery := strings.Replace(query.Encode(), "+", "%20", -1)
+
+	canonicalURI := v4Internal.GetURIPath(req.URL)
+
+	canonicalString := s.buildCanonicalString(
+		req.Method,
+		canonicalURI,
+		rawQuery,
+		signedHeadersStr,
+		canonicalHeaderStr,
+	)
+
+	strToSign := s.buildStringToSign(credentialScope, canonicalString)
+	signingSignature, err := s.buildSignature(strToSign)
+	if err != nil {
+		return signedRequest{}, err
+	}
+
+	headers[authorizationHeader] = append(headers[authorizationHeader][:0], buildAuthorizationHeader(credentialStr, signedHeadersStr, signingSignature))
+
+	req.URL.RawQuery = rawQuery
+
+	return signedRequest{
+		Request:         req,
+		SignedHeaders:   signedHeaders,
+		CanonicalString: canonicalString,
+		StringToSign:    strToSign,
+	}, nil
+}
+
+func (s *httpSigner) buildCredentialScope() string {
+	return strings.Join([]string{
+		s.Time.Format(shortTimeFormat),
+		s.ServiceName,
+		"aws4_request",
+	}, "/")
+
+}
+
+func buildAuthorizationHeader(credentialStr, signedHeadersStr, signingSignature string) string {
+	const credential = "Credential="
+	const signedHeaders = "SignedHeaders="
+	const signature = "Signature="
+	const commaSpace = ", "
+
+	var parts strings.Builder
+	parts.Grow(len(signingAlgorithm) + 1 +
+		len(credential) + len(credentialStr) + len(commaSpace) +
+		len(signedHeaders) + len(signedHeadersStr) + len(commaSpace) +
+		len(signature) + len(signingSignature),
+	)
+	parts.WriteString(signingAlgorithm)
+	parts.WriteRune(' ')
+	parts.WriteString(credential)
+	parts.WriteString(credentialStr)
+	parts.WriteString(commaSpace)
+	parts.WriteString(signedHeaders)
+	parts.WriteString(signedHeadersStr)
+	parts.WriteString(commaSpace)
+	parts.WriteString(signature)
+	parts.WriteString(signingSignature)
+	return parts.String()
+}
+
+func (s *httpSigner) buildCanonicalHeaders(host string, rule v4Internal.Rule, header http.Header, length int64) (signed http.Header, signedHeaders, canonicalHeadersStr string) {
+	signed = make(http.Header)
+
+	const hostHeader = "host"
+	headers := make([]string, 0)
+
+	if length > 0 {
+		const contentLengthHeader = "content-length"
+		headers = append(headers, contentLengthHeader)
+		signed[contentLengthHeader] = append(signed[contentLengthHeader], strconv.FormatInt(length, 10))
+	}
+
+	for k, v := range header {
+		if !rule.IsValid(k) {
+			continue // ignored header
+		}
+
+		lowerCaseKey := strings.ToLower(k)
+		if _, ok := signed[lowerCaseKey]; ok {
+			// include additional values
+			signed[lowerCaseKey] = append(signed[lowerCaseKey], v...)
+			continue
+		}
+
+		headers = append(headers, lowerCaseKey)
+		signed[lowerCaseKey] = v
+	}
+	sort.Strings(headers)
+
+	signedHeaders = strings.Join(headers, ";")
+
+	var canonicalHeaders strings.Builder
+	n := len(headers)
+	const colon = ':'
+	for i := 0; i < n; i++ {
+		if headers[i] == hostHeader {
+			canonicalHeaders.WriteString(hostHeader)
+			canonicalHeaders.WriteRune(colon)
+			canonicalHeaders.WriteString(v4Internal.StripExcessSpaces(host))
+		} else {
+			canonicalHeaders.WriteString(headers[i])
+			canonicalHeaders.WriteRune(colon)
+			// Trim out leading, trailing, and dedup inner spaces from signed header values.
+			values := signed[headers[i]]
+			for j, v := range values {
+				cleanedValue := strings.TrimSpace(v4Internal.StripExcessSpaces(v))
+				canonicalHeaders.WriteString(cleanedValue)
+				if j < len(values)-1 {
+					canonicalHeaders.WriteRune(',')
+				}
+			}
+		}
+		canonicalHeaders.WriteRune('\n')
+	}
+	canonicalHeadersStr = canonicalHeaders.String()
+
+	return signed, signedHeaders, canonicalHeadersStr
+}
+
+func (s *httpSigner) buildCanonicalString(method, uri, query, signedHeaders, canonicalHeaders string) string {
+	return strings.Join([]string{
+		method,
+		uri,
+		query,
+		canonicalHeaders,
+		signedHeaders,
+		s.PayloadHash,
+	}, "\n")
+}
+
+func (s *httpSigner) buildStringToSign(credentialScope, canonicalRequestString string) string {
+	return strings.Join([]string{
+		signingAlgorithm,
+		s.Time.Format(timeFormat),
+		credentialScope,
+		hex.EncodeToString(makeHash(sha256.New(), []byte(canonicalRequestString))),
+	}, "\n")
+}
+
+func makeHash(hash hash.Hash, b []byte) []byte {
+	hash.Reset()
+	hash.Write(b)
+	return hash.Sum(nil)
+}
+
+func (s *httpSigner) buildSignature(strToSign string) (string, error) {
+	sig, err := s.Credentials.PrivateKey.Sign(randomSource, makeHash(sha256.New(), []byte(strToSign)), crypto.SHA256)
+	if err != nil {
+		return "", err
+	}
+	return hex.EncodeToString(sig), nil
+}
+
+type signedRequest struct {
+	Request         *http.Request
+	SignedHeaders   http.Header
+	CanonicalString string
+	StringToSign    string
+}
+
+// SignV4a returns a map[string][]string of headers, including an added AWS V4a signature based on the config/credentials provided.
+func SignV4a(headers map[string][]string, method string, theURL *url.URL, body []byte, service string, awsCreds Credentials, theTime time.Time) map[string][]string {
+	bodyHexHash := fmt.Sprintf("%x", sha256.Sum256(body))
+
+	key, err := retrievePrivateKey(awsCreds)
+	if err != nil {
+		return map[string][]string{}
+	}
+
+	bodyReader := bytes.NewReader(body)
+	req, _ := http.NewRequest(method, theURL.String(), bodyReader)
+	req.Header = headers
+
+	signer := &httpSigner{
+		Request:     req,
+		PayloadHash: bodyHexHash,
+		ServiceName: service,
+		RegionSet:   []string{"*"},
+		Credentials: key,
+		Time:        theTime,
+	}
+
+	_, err = signer.Build()
+	if err != nil {
+		return map[string][]string{}
+	}
+
+	return req.Header
+}

vendor/github.com/open-policy-agent/opa/internal/providers/aws/v4/const.go

@@ -0,0 +1,36 @@
+package v4
+
+const (
+	// EmptyStringSHA256 is the hex encoded sha256 value of an empty string
+	EmptyStringSHA256 = `e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
+
+	// UnsignedPayload indicates that the request payload body is unsigned
+	UnsignedPayload = "UNSIGNED-PAYLOAD"
+
+	// AmzAlgorithmKey indicates the signing algorithm
+	AmzAlgorithmKey = "X-Amz-Algorithm"
+
+	// AmzSecurityTokenKey indicates the security token to be used with temporary credentials
+	AmzSecurityTokenKey = "X-Amz-Security-Token"
+
+	// AmzDateKey is the UTC timestamp for the request in the format YYYYMMDD'T'HHMMSS'Z'
+	AmzDateKey = "X-Amz-Date"
+
+	// AmzCredentialKey is the access key ID and credential scope
+	AmzCredentialKey = "X-Amz-Credential"
+
+	// AmzSignedHeadersKey is the set of headers signed for the request
+	AmzSignedHeadersKey = "X-Amz-SignedHeaders"
+
+	// AmzSignatureKey is the query parameter to store the SigV4 signature
+	AmzSignatureKey = "X-Amz-Signature"
+
+	// TimeFormat is the time format to be used in the X-Amz-Date header or query parameter
+	TimeFormat = "20060102T150405Z"
+
+	// ShortTimeFormat is the shorten time format used in the credential scope
+	ShortTimeFormat = "20060102"
+
+	// ContentSHAKey is the SHA256 of request body
+	ContentSHAKey = "X-Amz-Content-Sha256"
+)

vendor/github.com/open-policy-agent/opa/internal/providers/aws/v4/header_rules.go

@@ -0,0 +1,87 @@
+package v4
+
+import (
+	"strings"
+)
+
+// Rules houses a set of Rule needed for validation of a
+// string value
+type Rules []Rule
+
+// Rule interface allows for more flexible rules and just simply
+// checks whether or not a value adheres to that Rule
+type Rule interface {
+	IsValid(value string) bool
+}
+
+// IsValid will iterate through all rules and see if any rules
+// apply to the value and supports nested rules
+func (r Rules) IsValid(value string) bool {
+	for _, rule := range r {
+		if rule.IsValid(value) {
+			return true
+		}
+	}
+	return false
+}
+
+// MapRule generic Rule for maps
+type MapRule map[string]struct{}
+
+// IsValid for the map Rule satisfies whether it exists in the map
+func (m MapRule) IsValid(value string) bool {
+	_, ok := m[value]
+	return ok
+}
+
+// AllowList is a generic Rule for whitelisting
+type AllowList struct {
+	Rule
+}
+
+// IsValid for AllowList checks if the value is within the AllowList
+func (w AllowList) IsValid(value string) bool {
+	return w.Rule.IsValid(value)
+}
+
+// DenyList is a generic Rule for blacklisting
+type DenyList struct {
+	Rule
+}
+
+// IsValid for AllowList checks if the value is within the AllowList
+func (b DenyList) IsValid(value string) bool {
+	return !b.Rule.IsValid(value)
+}
+
+// Patterns is a list of strings to match against
+type Patterns []string
+
+// FORK: copied from aws-sdk-go-v2/internal/strings
+func hasPrefixFold(s, prefix string) bool {
+	return len(s) >= len(prefix) && strings.EqualFold(s[0:len(prefix)], prefix)
+}
+
+// IsValid for Patterns checks each pattern and returns if a match has
+// been found
+func (p Patterns) IsValid(value string) bool {
+	for _, pattern := range p {
+		if hasPrefixFold(value, pattern) {
+			return true
+		}
+	}
+	return false
+}
+
+// InclusiveRules rules allow for rules to depend on one another
+type InclusiveRules []Rule
+
+// IsValid will return true if all rules are true
+func (r InclusiveRules) IsValid(value string) bool {
+	for _, rule := range r {
+		if !rule.IsValid(value) {
+			return false
+		}
+	}
+	return true
+}

vendor/github.com/open-policy-agent/opa/internal/providers/aws/v4/headers.go

@@ -0,0 +1,67 @@
+package v4
+
+// IgnoredHeaders is a list of headers that are ignored during signing
+var IgnoredHeaders = Rules{
+	DenyList{
+		MapRule{
+			"Authorization":   struct{}{},
+			"User-Agent":      struct{}{},
+			"X-Amzn-Trace-Id": struct{}{},
+		},
+	},
+}
+
+// RequiredSignedHeaders is a whitelist for Build canonical headers.
+var RequiredSignedHeaders = Rules{
+	AllowList{
+		MapRule{
+			"Cache-Control":                         struct{}{},
+			"Content-Disposition":                   struct{}{},
+			"Content-Encoding":                      struct{}{},
+			"Content-Language":                      struct{}{},
+			"Content-Md5":                           struct{}{},
+			"Content-Type":                          struct{}{},
+			"Expires":                               struct{}{},
+			"If-Match":                              struct{}{},
+			"If-Modified-Since":                     struct{}{},
+			"If-None-Match":                         struct{}{},
+			"If-Unmodified-Since":                   struct{}{},
+			"Range":                                 struct{}{},
+			"X-Amz-Acl":                             struct{}{},
+			"X-Amz-Copy-Source":                     struct{}{},
+			"X-Amz-Copy-Source-If-Match":            struct{}{},
+			"X-Amz-Copy-Source-If-Modified-Since":   struct{}{},
+			"X-Amz-Copy-Source-If-None-Match":       struct{}{},
+			"X-Amz-Copy-Source-If-Unmodified-Since": struct{}{},
+			"X-Amz-Copy-Source-Range":               struct{}{},
+			"X-Amz-Copy-Source-Server-Side-Encryption-Customer-Algorithm": struct{}{},
+			"X-Amz-Copy-Source-Server-Side-Encryption-Customer-Key":       struct{}{},
+			"X-Amz-Copy-Source-Server-Side-Encryption-Customer-Key-Md5":   struct{}{},
+			"X-Amz-Grant-Full-control":                                    struct{}{},
+			"X-Amz-Grant-Read":                                            struct{}{},
+			"X-Amz-Grant-Read-Acp":                                        struct{}{},
+			"X-Amz-Grant-Write":                                           struct{}{},
+			"X-Amz-Grant-Write-Acp":                                       struct{}{},
+			"X-Amz-Metadata-Directive":                                    struct{}{},
+			"X-Amz-Mfa":                                                   struct{}{},
+			"X-Amz-Request-Payer":                                         struct{}{},
+			"X-Amz-Server-Side-Encryption":                                struct{}{},
+			"X-Amz-Server-Side-Encryption-Aws-Kms-Key-Id":                 struct{}{},
+			"X-Amz-Server-Side-Encryption-Customer-Algorithm":             struct{}{},
+			"X-Amz-Server-Side-Encryption-Customer-Key":                   struct{}{},
+			"X-Amz-Server-Side-Encryption-Customer-Key-Md5":               struct{}{},
+			"X-Amz-Storage-Class":                                         struct{}{},
+			"X-Amz-Website-Redirect-Location":                             struct{}{},
+			"X-Amz-Content-Sha256":                                        struct{}{},
+			"X-Amz-Tagging":                                               struct{}{},
+		},
+	},
+	Patterns{"X-Amz-Meta-"},
+}
+
+// AllowedQueryHoisting is a whitelist for Build query headers. The boolean value
+// represents whether or not it is a pattern.
+var AllowedQueryHoisting = InclusiveRules{
+	DenyList{RequiredSignedHeaders},
+	Patterns{"X-Amz-"},
+}

vendor/github.com/open-policy-agent/opa/internal/providers/aws/v4/host.go

@@ -0,0 +1,75 @@
+package v4
+
+import (
+	"net/http"
+	"strings"
+)
+
+// SanitizeHostForHeader removes default port from host and updates request.Host
+func SanitizeHostForHeader(r *http.Request) {
+	host := getHost(r)
+	port := portOnly(host)
+	if port != "" && isDefaultPort(r.URL.Scheme, port) {
+		r.Host = stripPort(host)
+	}
+}
+
+// Returns host from request
+func getHost(r *http.Request) string {
+	if r.Host != "" {
+		return r.Host
+	}
+
+	return r.URL.Host
+}
+
+// Hostname returns u.Host, without any port number.
+//
+// If Host is an IPv6 literal with a port number, Hostname returns the
+// IPv6 literal without the square brackets. IPv6 literals may include
+// a zone identifier.
+//
+// Copied from the Go 1.8 standard library (net/url)
+func stripPort(hostport string) string {
+	colon := strings.IndexByte(hostport, ':')
+	if colon == -1 {
+		return hostport
+	}
+	if i := strings.IndexByte(hostport, ']'); i != -1 {
+		return strings.TrimPrefix(hostport[:i], "[")
+	}
+	return hostport[:colon]
+}
+
+// Port returns the port part of u.Host, without the leading colon.
+// If u.Host doesn't contain a port, Port returns an empty string.
+//
+// Copied from the Go 1.8 standard library (net/url)
+func portOnly(hostport string) string {
+	colon := strings.IndexByte(hostport, ':')
+	if colon == -1 {
+		return ""
+	}
+	if i := strings.Index(hostport, "]:"); i != -1 {
+		return hostport[i+len("]:"):]
+	}
+	if strings.Contains(hostport, "]") {
+		return ""
+	}
+	return hostport[colon+len(":"):]
+}
+
+// Returns true if the specified URI is using the standard port
+// (i.e. port 80 for HTTP URIs or 443 for HTTPS URIs)
+func isDefaultPort(scheme, port string) bool {
+	if port == "" {
+		return true
+	}
+
+	lowerCaseScheme := strings.ToLower(scheme)
+	if (lowerCaseScheme == "http" && port == "80") || (lowerCaseScheme == "https" && port == "443") {
+		return true
+	}
+
+	return false
+}

vendor/github.com/open-policy-agent/opa/internal/providers/aws/v4/util.go

@@ -0,0 +1,64 @@
+package v4
+
+import (
+	"net/url"
+	"strings"
+)
+
+const doubleSpace = "  "
+
+// StripExcessSpaces will rewrite the passed in slice's string values to not
+// contain multiple side-by-side spaces.
+func StripExcessSpaces(str string) string {
+	var j, k, l, m, spaces int
+	// Trim trailing spaces
+	for j = len(str) - 1; j >= 0 && str[j] == ' '; j-- {
+	}
+
+	// Trim leading spaces
+	for k = 0; k < j && str[k] == ' '; k++ {
+	}
+	str = str[k : j+1]
+
+	// Strip multiple spaces.
+	j = strings.Index(str, doubleSpace)
+	if j < 0 {
+		return str
+	}
+
+	buf := []byte(str)
+	for k, m, l = j, j, len(buf); k < l; k++ {
+		if buf[k] == ' ' {
+			if spaces == 0 {
+				// First space.
+				buf[m] = buf[k]
+				m++
+			}
+			spaces++
+		} else {
+			// End of multiple spaces.
+			spaces = 0
+			buf[m] = buf[k]
+			m++
+		}
+	}
+
+	return string(buf[:m])
+}
+
+// GetURIPath returns the escaped URI component from the provided URL
+func GetURIPath(u *url.URL) string {
+	var uri string
+
+	if len(u.Opaque) > 0 {
+		uri = "/" + strings.Join(strings.Split(u.Opaque, "/")[3:], "/")
+	} else {
+		uri = u.EscapedPath()
+	}
+
+	if len(uri) == 0 {
+		uri = "/"
+	}
+
+	return uri
+}