update dependencies (#6267)

Signed-off-by: hongming <coder.scala@gmail.com>
2024-11-06 10:27:06 +08:00
parent faf255a084
commit cfebd96a1f
4263 changed files with 341374 additions and 132036 deletions
--- a/vendor/github.com/open-policy-agent/opa/internal/providers/aws/signing_v4.go
+++ b/vendor/github.com/open-policy-agent/opa/internal/providers/aws/signing_v4.go
@@ -17,6 +17,8 @@ import (
 	"strings"
 	"time"

+	v4 "github.com/open-policy-agent/opa/internal/providers/aws/v4"
+
 	"github.com/open-policy-agent/opa/ast"
 )

@@ -104,7 +106,7 @@ func SignRequest(req *http.Request, service string, creds Credentials, theTime t
 		signedHeaders := SignV4a(req.Header, req.Method, req.URL, body, service, creds, now)
 		req.Header = signedHeaders
 	} else {
-		authHeader, awsHeaders := SignV4(req.Header, req.Method, req.URL, body, service, creds, now)
+		authHeader, awsHeaders := SignV4(req.Header, req.Method, req.URL, body, service, creds, now, false)
 		req.Header.Set("Authorization", authHeader)
 		for k, v := range awsHeaders {
 			req.Header.Add(k, v)
@@ -115,14 +117,16 @@ func SignRequest(req *http.Request, service string, creds Credentials, theTime t
 }

 // SignV4 modifies a map[string][]string of headers to generate an AWS V4 signature + headers based on the config/credentials provided.
-func SignV4(headers map[string][]string, method string, theURL *url.URL, body []byte, service string, awsCreds Credentials, theTime time.Time) (string, map[string]string) {
+func SignV4(headers map[string][]string, method string, theURL *url.URL, body []byte, service string,
+	awsCreds Credentials, theTime time.Time, disablePayloadSigning bool) (string, map[string]string) {
 	// General ref. https://docs.aws.amazon.com/general/latest/gr/sigv4_signing.html
 	// S3 ref. https://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-auth-using-authorization-header.html
 	// APIGateway ref. https://docs.aws.amazon.com/apigateway/api-reference/signing-requests/
-	bodyHexHash := fmt.Sprintf("%x", sha256.Sum256(body))

 	now := theTime.UTC()

+	contentSha256 := getContentHash(disablePayloadSigning, body)
+
 	// V4 signing has specific ideas of how it wants to see dates/times encoded
 	dateNow := now.Format("20060102")
 	iso8601Now := now.Format("20060102T150405Z")
@@ -134,7 +138,7 @@ func SignV4(headers map[string][]string, method string, theURL *url.URL, body []

 	// s3 and glacier require the extra x-amz-content-sha256 header. other services do not.
 	if service == "s3" || service == "glacier" {
-		awsHeaders["x-amz-content-sha256"] = bodyHexHash
+		awsHeaders[amzContentSha256Key] = contentSha256
 	}

 	// the security token header is necessary for ephemeral credentials, e.g. from
@@ -173,7 +177,7 @@ func SignV4(headers map[string][]string, method string, theURL *url.URL, body []
 	// include the list of the signed headers
 	headerList := strings.Join(orderedKeys, ";")
 	canonicalReq += headerList + "\n"
-	canonicalReq += bodyHexHash
+	canonicalReq += contentSha256

 	// the "string to sign" is a time-bounded, scoped request token which
 	// is linked to the "canonical request" by inclusion of its SHA-256 hash
@@ -202,3 +206,11 @@ func SignV4(headers map[string][]string, method string, theURL *url.URL, body []

 	return authHeader, awsHeaders
 }
+
+// getContentHash returns UNSIGNED-PAYLOAD if payload signing is disabled else will compute sha256 from body
+func getContentHash(disablePayloadSigning bool, body []byte) string {
+	if disablePayloadSigning {
+		return v4.UnsignedPayload
+	}
+	return fmt.Sprintf("%x", sha256.Sum256(body))
+}
--- a/vendor/github.com/open-policy-agent/opa/internal/providers/aws/signing_v4a.go
+++ b/vendor/github.com/open-policy-agent/opa/internal/providers/aws/signing_v4a.go
@@ -32,6 +32,7 @@ const (
 	amzSecurityTokenKey = v4Internal.AmzSecurityTokenKey
 	amzDateKey          = v4Internal.AmzDateKey
 	authorizationHeader = "Authorization"
+	amzContentSha256Key = "x-amz-content-sha256"

 	signingAlgorithm = "AWS4-ECDSA-P256-SHA256"

@@ -173,7 +174,7 @@ type httpSigner struct {
 	PayloadHash string
 }

-func (s *httpSigner) setRequiredSigningFields(headers http.Header, query url.Values) {
+func (s *httpSigner) setRequiredSigningFields(headers http.Header, _ url.Values) {
 	amzDate := s.Time.Format(timeFormat)

 	headers.Set(AmzRegionSetKey, strings.Join(s.RegionSet, ","))
@@ -192,7 +193,7 @@ func (s *httpSigner) Build() (signedRequest, error) {

 	// seemingly required by S3/MRAP -- 403 Forbidden otherwise
 	headers.Set("host", req.URL.Host)
-	headers.Set("x-amz-content-sha256", s.PayloadHash)
+	headers.Set(amzContentSha256Key, s.PayloadHash)

 	s.setRequiredSigningFields(headers, query)

@@ -381,8 +382,7 @@ type signedRequest struct {

 // SignV4a returns a map[string][]string of headers, including an added AWS V4a signature based on the config/credentials provided.
 func SignV4a(headers map[string][]string, method string, theURL *url.URL, body []byte, service string, awsCreds Credentials, theTime time.Time) map[string][]string {
-	bodyHexHash := fmt.Sprintf("%x", sha256.Sum256(body))
-
+	contentSha256 := getContentHash(false, body)
 	key, err := retrievePrivateKey(awsCreds)
 	if err != nil {
 		return map[string][]string{}
@@ -394,7 +394,7 @@ func SignV4a(headers map[string][]string, method string, theURL *url.URL, body [

 	signer := &httpSigner{
 		Request:     req,
-		PayloadHash: bodyHexHash,
+		PayloadHash: contentSha256,
 		ServiceName: service,
 		RegionSet:   []string{"*"},
 		Credentials: key,
--- a/vendor/github.com/open-policy-agent/opa/internal/providers/aws/util.go
+++ b/vendor/github.com/open-policy-agent/opa/internal/providers/aws/util.go
@@ -8,7 +8,7 @@ import (
 	"github.com/open-policy-agent/opa/logging"
 )

-// DoRequestWithClient is a convenience function to get the body of an http response with
+// DoRequestWithClient is a convenience function to get the body of an HTTP response with
 // appropriate error-handling boilerplate and logging.
 func DoRequestWithClient(req *http.Request, client *http.Client, desc string, logger logging.Logger) ([]byte, error) {
 	resp, err := client.Do(req)
@@ -24,22 +24,16 @@ func DoRequestWithClient(req *http.Request, client *http.Client, desc string, lo
 		"headers": resp.Header,
 	}).Debug("Received response from " + desc + " service.")

-	if resp.StatusCode != 200 {
-		if logger.GetLevel() == logging.Debug {
-			body, err := io.ReadAll(resp.Body)
-			if err == nil {
-				logger.Debug("Error response with response body: %s", body)
-			}
-		}
-		// could be 404 for role that's not available, but cover all the bases
-		return nil, errors.New(desc + " HTTP request returned unexpected status: " + resp.Status)
-	}
-
 	body, err := io.ReadAll(resp.Body)
 	if err != nil {
 		// deal with problems reading the body, whatever those might be
 		return nil, errors.New(desc + " HTTP response body could not be read: " + err.Error())
 	}

+	if resp.StatusCode != 200 {
+		logger.Debug("Error response with response body: %s", body)
+		// could be 404 for role that's not available, but cover all the bases
+		return nil, errors.New(desc + " HTTP request returned unexpected status: " + resp.Status)
+	}
 	return body, nil
 }
--- a/vendor/github.com/open-policy-agent/opa/internal/providers/aws/v4/util.go
+++ b/vendor/github.com/open-policy-agent/opa/internal/providers/aws/v4/util.go
@@ -11,14 +11,9 @@ const doubleSpace = "  "
 // contain multiple side-by-side spaces.
 func StripExcessSpaces(str string) string {
 	var j, k, l, m, spaces int
-	// Trim trailing spaces
-	for j = len(str) - 1; j >= 0 && str[j] == ' '; j-- {
-	}

-	// Trim leading spaces
-	for k = 0; k < j && str[k] == ' '; k++ {
-	}
-	str = str[k : j+1]
+	// Trim leading and trailing spaces
+	str = strings.Trim(str, " ")

 	// Strip multiple spaces.
 	j = strings.Index(str, doubleSpace)