update dependencies (#6267)
Signed-off-by: hongming <coder.scala@gmail.com>
This commit is contained in:
hongming
115
vendor/github.com/open-policy-agent/opa/plugins/rest/auth.go
generated
vendored
115
vendor/github.com/open-policy-agent/opa/plugins/rest/auth.go
generated
vendored
@@ -40,6 +40,8 @@ import (
|
||||
const (
|
||||
// Default to s3 when the service for sigv4 signing is not specified for backwards compatibility
|
||||
awsSigv4SigningDefaultService = "s3"
|
||||
// Default to urn:ietf:params:oauth:client-assertion-type:jwt-bearer for ClientAssertionType when not specified
|
||||
defaultClientAssertionType = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
|
||||
)
|
||||
|
||||
// DefaultTLSConfig defines standard TLS configurations based on the Config
|
||||
@@ -281,6 +283,9 @@ type oauth2ClientCredentialsAuthPlugin struct {
|
||||
AdditionalParameters map[string]string `json:"additional_parameters,omitempty"`
|
||||
AWSKmsKey *awsKmsKeyConfig `json:"aws_kms,omitempty"`
|
||||
AWSSigningPlugin *awsSigningAuthPlugin `json:"aws_signing,omitempty"`
|
||||
ClientAssertionType string `json:"client_assertion_type"`
|
||||
ClientAssertion string `json:"client_assertion"`
|
||||
ClientAssertionPath string `json:"client_assertion_path"`
|
||||
|
||||
signingKey *keys.Config
|
||||
signingKeyParsed interface{}
|
||||
@@ -294,16 +299,13 @@ type oauth2Token struct {
|
||||
ExpiresAt time.Time
|
||||
}
|
||||
|
||||
func (ap *oauth2ClientCredentialsAuthPlugin) createAuthJWT(ctx context.Context, claims map[string]interface{}, signingKey interface{}) (*string, error) {
|
||||
func (ap *oauth2ClientCredentialsAuthPlugin) createAuthJWT(ctx context.Context, extClaims map[string]interface{}, signingKey interface{}) (*string, error) {
|
||||
now := time.Now()
|
||||
baseClaims := map[string]interface{}{
|
||||
claims := map[string]interface{}{
|
||||
"iat": now.Unix(),
|
||||
"exp": now.Add(10 * time.Minute).Unix(),
|
||||
}
|
||||
if claims == nil {
|
||||
claims = make(map[string]interface{})
|
||||
}
|
||||
for k, v := range baseClaims {
|
||||
for k, v := range extClaims {
|
||||
claims[k] = v
|
||||
}
|
||||
|
||||
@@ -462,14 +464,30 @@ func (ap *oauth2ClientCredentialsAuthPlugin) NewClient(c Config) (*http.Client,
|
||||
return nil, errors.New("token_url required to use https scheme")
|
||||
}
|
||||
if ap.GrantType == grantTypeClientCredentials {
|
||||
if ap.AWSKmsKey != nil && (ap.ClientSecret != "" || ap.SigningKeyID != "") ||
|
||||
(ap.ClientSecret != "" && ap.SigningKeyID != "") {
|
||||
return nil, errors.New("can only use one of client_secret, signing_key or signing_kms_key for client_credentials")
|
||||
clientCredentialExists := make(map[string]bool)
|
||||
clientCredentialExists["client_secret"] = ap.ClientSecret != ""
|
||||
clientCredentialExists["signing_key"] = ap.SigningKeyID != ""
|
||||
clientCredentialExists["aws_kms"] = ap.AWSKmsKey != nil
|
||||
clientCredentialExists["client_assertion"] = ap.ClientAssertion != ""
|
||||
clientCredentialExists["client_assertion_path"] = ap.ClientAssertionPath != ""
|
||||
|
||||
var notEmptyVarCount int
|
||||
|
||||
for _, credentialSet := range clientCredentialExists {
|
||||
if credentialSet {
|
||||
notEmptyVarCount++
|
||||
}
|
||||
}
|
||||
if ap.SigningKeyID == "" && ap.AWSKmsKey == nil && (ap.ClientID == "" || ap.ClientSecret == "") {
|
||||
return nil, errors.New("client_id and client_secret required")
|
||||
|
||||
if notEmptyVarCount == 0 {
|
||||
return nil, errors.New("please provide one of client_secret, signing_key, aws_kms, client_assertion, or client_assertion_path required")
|
||||
}
|
||||
if ap.AWSKmsKey != nil {
|
||||
|
||||
if notEmptyVarCount > 1 {
|
||||
return nil, errors.New("can only use one of client_secret, signing_key, aws_kms, client_assertion, or client_assertion_path")
|
||||
}
|
||||
|
||||
if clientCredentialExists["aws_kms"] {
|
||||
if ap.AWSSigningPlugin == nil {
|
||||
return nil, errors.New("aws_kms and aws_signing required")
|
||||
}
|
||||
@@ -478,6 +496,24 @@ func (ap *oauth2ClientCredentialsAuthPlugin) NewClient(c Config) (*http.Client,
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
} else if clientCredentialExists["client_assertion"] {
|
||||
if ap.ClientAssertionType == "" {
|
||||
ap.ClientAssertionType = defaultClientAssertionType
|
||||
}
|
||||
if ap.ClientID == "" {
|
||||
return nil, errors.New("client_id and client_assertion required")
|
||||
}
|
||||
} else if clientCredentialExists["client_assertion_path"] {
|
||||
if ap.ClientAssertionType == "" {
|
||||
ap.ClientAssertionType = defaultClientAssertionType
|
||||
}
|
||||
if ap.ClientID == "" {
|
||||
return nil, errors.New("client_id and client_assertion_path required")
|
||||
}
|
||||
} else if clientCredentialExists["client_secret"] {
|
||||
if ap.ClientID == "" {
|
||||
return nil, errors.New("client_id and client_secret required")
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@@ -505,12 +541,34 @@ func (ap *oauth2ClientCredentialsAuthPlugin) requestToken(ctx context.Context) (
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
body.Add("client_assertion_type", "urn:ietf:params:oauth:client-assertion-type:jwt-bearer")
|
||||
body.Add("client_assertion_type", defaultClientAssertionType)
|
||||
body.Add("client_assertion", *authJwt)
|
||||
|
||||
if ap.ClientID != "" {
|
||||
body.Add("client_id", ap.ClientID)
|
||||
}
|
||||
} else if ap.ClientAssertion != "" {
|
||||
if ap.ClientAssertionType == "" {
|
||||
ap.ClientAssertionType = defaultClientAssertionType
|
||||
}
|
||||
if ap.ClientID != "" {
|
||||
body.Add("client_id", ap.ClientID)
|
||||
}
|
||||
body.Add("client_assertion_type", ap.ClientAssertionType)
|
||||
body.Add("client_assertion", ap.ClientAssertion)
|
||||
} else if ap.ClientAssertionPath != "" {
|
||||
if ap.ClientAssertionType == "" {
|
||||
ap.ClientAssertionType = defaultClientAssertionType
|
||||
}
|
||||
bytes, err := os.ReadFile(ap.ClientAssertionPath)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
if ap.ClientID != "" {
|
||||
body.Add("client_id", ap.ClientID)
|
||||
}
|
||||
body.Add("client_assertion_type", ap.ClientAssertionType)
|
||||
body.Add("client_assertion", strings.TrimSpace(string(bytes)))
|
||||
}
|
||||
}
|
||||
|
||||
@@ -541,6 +599,7 @@ func (ap *oauth2ClientCredentialsAuthPlugin) requestToken(ctx context.Context) (
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
defer response.Body.Close()
|
||||
|
||||
bodyRaw, err := io.ReadAll(response.Body)
|
||||
if err != nil {
|
||||
@@ -692,7 +751,7 @@ func (ap *clientTLSAuthPlugin) NewClient(c Config) (*http.Client, error) {
|
||||
return client, nil
|
||||
}
|
||||
|
||||
func (ap *clientTLSAuthPlugin) Prepare(req *http.Request) error {
|
||||
func (ap *clientTLSAuthPlugin) Prepare(_ *http.Request) error {
|
||||
return nil
|
||||
}
|
||||
|
||||
@@ -700,12 +759,14 @@ func (ap *clientTLSAuthPlugin) Prepare(req *http.Request) error {
|
||||
type awsSigningAuthPlugin struct {
|
||||
AWSEnvironmentCredentials *awsEnvironmentCredentialService `json:"environment_credentials,omitempty"`
|
||||
AWSMetadataCredentials *awsMetadataCredentialService `json:"metadata_credentials,omitempty"`
|
||||
AWSAssumeRoleCredentials *awsAssumeRoleCredentialService `json:"assume_role_credentials,omitempty"`
|
||||
AWSWebIdentityCredentials *awsWebIdentityCredentialService `json:"web_identity_credentials,omitempty"`
|
||||
AWSProfileCredentials *awsProfileCredentialService `json:"profile_credentials,omitempty"`
|
||||
|
||||
AWSService string `json:"service,omitempty"`
|
||||
AWSSignatureVersion string `json:"signature_version,omitempty"`
|
||||
|
||||
host string
|
||||
ecrAuthPlugin *ecrAuthPlugin
|
||||
kmsSignPlugin *awsKMSSignPlugin
|
||||
|
||||
@@ -796,6 +857,11 @@ func (ap *awsSigningAuthPlugin) awsCredentialService() awsCredentialService {
|
||||
chain.addService(ap.AWSEnvironmentCredentials)
|
||||
}
|
||||
|
||||
if ap.AWSAssumeRoleCredentials != nil {
|
||||
ap.AWSAssumeRoleCredentials.logger = ap.logger
|
||||
chain.addService(ap.AWSAssumeRoleCredentials)
|
||||
}
|
||||
|
||||
if ap.AWSWebIdentityCredentials != nil {
|
||||
ap.AWSWebIdentityCredentials.logger = ap.logger
|
||||
chain.addService(ap.AWSWebIdentityCredentials)
|
||||
@@ -820,6 +886,13 @@ func (ap *awsSigningAuthPlugin) NewClient(c Config) (*http.Client, error) {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
url, err := url.Parse(c.URL)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
ap.host = url.Host
|
||||
|
||||
if ap.logger == nil {
|
||||
ap.logger = c.logger
|
||||
}
|
||||
@@ -832,6 +905,13 @@ func (ap *awsSigningAuthPlugin) NewClient(c Config) (*http.Client, error) {
|
||||
}
|
||||
|
||||
func (ap *awsSigningAuthPlugin) Prepare(req *http.Request) error {
|
||||
if ap.host != req.URL.Host {
|
||||
// Return early if the host does not match.
|
||||
// This can happen when the OCI registry responded with a redirect to another host.
|
||||
// For instance, ECR redirects to S3 and the ECR auth header should not be included in the S3 request.
|
||||
return nil
|
||||
}
|
||||
|
||||
switch ap.AWSService {
|
||||
case "ecr":
|
||||
return ap.ecrAuthPlugin.Prepare(req)
|
||||
@@ -851,6 +931,7 @@ func (ap *awsSigningAuthPlugin) validateAndSetDefaults(serviceType string) error
|
||||
cfgs := map[bool]int{}
|
||||
cfgs[ap.AWSEnvironmentCredentials != nil]++
|
||||
cfgs[ap.AWSMetadataCredentials != nil]++
|
||||
cfgs[ap.AWSAssumeRoleCredentials != nil]++
|
||||
cfgs[ap.AWSWebIdentityCredentials != nil]++
|
||||
cfgs[ap.AWSProfileCredentials != nil]++
|
||||
|
||||
@@ -864,6 +945,12 @@ func (ap *awsSigningAuthPlugin) validateAndSetDefaults(serviceType string) error
|
||||
}
|
||||
}
|
||||
|
||||
if ap.AWSAssumeRoleCredentials != nil {
|
||||
if err := ap.AWSAssumeRoleCredentials.populateFromEnv(); err != nil {
|
||||
return err
|
||||
}
|
||||
}
|
||||
|
||||
if ap.AWSWebIdentityCredentials != nil {
|
||||
if err := ap.AWSWebIdentityCredentials.populateFromEnv(); err != nil {
|
||||
return err
|
||||
|
||||
Reference in New Issue
Block a user