Upgrade dependent version: github.com/open-policy-agent/opa (#5315)

Upgrade dependent version: github.com/open-policy-agent/opa v0.18.0 -> v0.45.0

Signed-off-by: hongzhouzi <hongzhouzi@kubesphere.io>

Signed-off-by: hongzhouzi <hongzhouzi@kubesphere.io>

vendor/github.com/open-policy-agent/opa/internal/jwx/jws/sign/ecdsa.go

@@ -0,0 +1,90 @@
+package sign
+
+import (
+	"crypto"
+	"crypto/ecdsa"
+	"crypto/rand"
+	"errors"
+	"fmt"
+	"io"
+
+	"github.com/open-policy-agent/opa/internal/jwx/jwa"
+)
+
+var ecdsaSignFuncs = map[jwa.SignatureAlgorithm]ecdsaSignFunc{}
+
+func init() {
+	algs := map[jwa.SignatureAlgorithm]crypto.Hash{
+		jwa.ES256: crypto.SHA256,
+		jwa.ES384: crypto.SHA384,
+		jwa.ES512: crypto.SHA512,
+	}
+
+	for alg, h := range algs {
+		ecdsaSignFuncs[alg] = makeECDSASignFunc(h)
+	}
+}
+
+func makeECDSASignFunc(hash crypto.Hash) ecdsaSignFunc {
+	return ecdsaSignFunc(func(payload []byte, key *ecdsa.PrivateKey, rnd io.Reader) ([]byte, error) {
+		curveBits := key.Curve.Params().BitSize
+		keyBytes := curveBits / 8
+		// Curve bits do not need to be a multiple of 8.
+		if curveBits%8 > 0 {
+			keyBytes++
+		}
+		h := hash.New()
+		h.Write(payload)
+		r, s, err := ecdsa.Sign(rnd, key, h.Sum(nil))
+		if err != nil {
+			return nil, fmt.Errorf("failed to sign payload using ecdsa: %w", err)
+		}
+
+		rBytes := r.Bytes()
+		rBytesPadded := make([]byte, keyBytes)
+		copy(rBytesPadded[keyBytes-len(rBytes):], rBytes)
+
+		sBytes := s.Bytes()
+		sBytesPadded := make([]byte, keyBytes)
+		copy(sBytesPadded[keyBytes-len(sBytes):], sBytes)
+
+		out := append(rBytesPadded, sBytesPadded...)
+		return out, nil
+	})
+}
+
+func newECDSA(alg jwa.SignatureAlgorithm) (*ECDSASigner, error) {
+	signfn, ok := ecdsaSignFuncs[alg]
+	if !ok {
+		return nil, fmt.Errorf("unsupported algorithm while trying to create ECDSA signer: %s", alg)
+	}
+
+	return &ECDSASigner{
+		alg:  alg,
+		sign: signfn,
+	}, nil
+}
+
+// Algorithm returns the signer algorithm
+func (s ECDSASigner) Algorithm() jwa.SignatureAlgorithm {
+	return s.alg
+}
+
+// SignWithRand signs payload with a ECDSA private key and a provided randomness
+// source (such as `rand.Reader`).
+func (s ECDSASigner) SignWithRand(payload []byte, key interface{}, r io.Reader) ([]byte, error) {
+	if key == nil {
+		return nil, errors.New("missing private key while signing payload")
+	}
+
+	privateKey, ok := key.(*ecdsa.PrivateKey)
+	if !ok {
+		return nil, fmt.Errorf("invalid key type %T. *ecdsa.PrivateKey is required", key)
+	}
+	return s.sign(payload, privateKey, r)
+}
+
+// Sign signs payload with a ECDSA private key
+func (s ECDSASigner) Sign(payload []byte, key interface{}) ([]byte, error) {
+	return s.SignWithRand(payload, key, rand.Reader)
+}

vendor/github.com/open-policy-agent/opa/internal/jwx/jws/sign/hmac.go

@@ -0,0 +1,66 @@
+package sign
+
+import (
+	"crypto/hmac"
+	"crypto/sha256"
+	"crypto/sha512"
+	"hash"
+
+	"github.com/open-policy-agent/opa/internal/jwx/jwa"
+
+	"github.com/pkg/errors"
+)
+
+var hmacSignFuncs = map[jwa.SignatureAlgorithm]hmacSignFunc{}
+
+func init() {
+	algs := map[jwa.SignatureAlgorithm]func() hash.Hash{
+		jwa.HS256: sha256.New,
+		jwa.HS384: sha512.New384,
+		jwa.HS512: sha512.New,
+	}
+
+	for alg, h := range algs {
+		hmacSignFuncs[alg] = makeHMACSignFunc(h)
+
+	}
+}
+
+func newHMAC(alg jwa.SignatureAlgorithm) (*HMACSigner, error) {
+	signer, ok := hmacSignFuncs[alg]
+	if !ok {
+		return nil, errors.Errorf(`unsupported algorithm while trying to create HMAC signer: %s`, alg)
+	}
+
+	return &HMACSigner{
+		alg:  alg,
+		sign: signer,
+	}, nil
+}
+
+func makeHMACSignFunc(hfunc func() hash.Hash) hmacSignFunc {
+	return hmacSignFunc(func(payload []byte, key []byte) ([]byte, error) {
+		h := hmac.New(hfunc, key)
+		h.Write(payload)
+		return h.Sum(nil), nil
+	})
+}
+
+// Algorithm returns the signer algorithm
+func (s HMACSigner) Algorithm() jwa.SignatureAlgorithm {
+	return s.alg
+}
+
+// Sign signs payload with a Symmetric  key
+func (s HMACSigner) Sign(payload []byte, key interface{}) ([]byte, error) {
+	hmackey, ok := key.([]byte)
+	if !ok {
+		return nil, errors.Errorf(`invalid key type %T. []byte is required`, key)
+	}
+
+	if len(hmackey) == 0 {
+		return nil, errors.New(`missing key while signing payload`)
+	}
+
+	return s.sign(payload, hmackey)
+}

vendor/github.com/open-policy-agent/opa/internal/jwx/jws/sign/interface.go

@@ -0,0 +1,46 @@
+package sign
+
+import (
+	"crypto/ecdsa"
+	"crypto/rsa"
+	"io"
+
+	"github.com/open-policy-agent/opa/internal/jwx/jwa"
+)
+
+// Signer provides a common interface for supported alg signing methods
+type Signer interface {
+	// Sign creates a signature for the given `payload`.
+	// `key` is the key used for signing the payload, and is usually
+	// the private key type associated with the signature method. For example,
+	// for `jwa.RSXXX` and `jwa.PSXXX` types, you need to pass the
+	// `*"crypto/rsa".PrivateKey` type.
+	// Check the documentation for each signer for details
+	Sign(payload []byte, key interface{}) ([]byte, error)
+
+	Algorithm() jwa.SignatureAlgorithm
+}
+
+type rsaSignFunc func([]byte, *rsa.PrivateKey) ([]byte, error)
+
+// RSASigner uses crypto/rsa to sign the payloads.
+type RSASigner struct {
+	alg  jwa.SignatureAlgorithm
+	sign rsaSignFunc
+}
+
+type ecdsaSignFunc func([]byte, *ecdsa.PrivateKey, io.Reader) ([]byte, error)
+
+// ECDSASigner uses crypto/ecdsa to sign the payloads.
+type ECDSASigner struct {
+	alg  jwa.SignatureAlgorithm
+	sign ecdsaSignFunc
+}
+
+type hmacSignFunc func([]byte, []byte) ([]byte, error)
+
+// HMACSigner uses crypto/hmac to sign the payloads.
+type HMACSigner struct {
+	alg  jwa.SignatureAlgorithm
+	sign hmacSignFunc
+}

vendor/github.com/open-policy-agent/opa/internal/jwx/jws/sign/rsa.go

@@ -0,0 +1,97 @@
+package sign
+
+import (
+	"crypto"
+	"crypto/rand"
+	"crypto/rsa"
+
+	"github.com/open-policy-agent/opa/internal/jwx/jwa"
+
+	"github.com/pkg/errors"
+)
+
+var rsaSignFuncs = map[jwa.SignatureAlgorithm]rsaSignFunc{}
+
+func init() {
+	algs := map[jwa.SignatureAlgorithm]struct {
+		Hash     crypto.Hash
+		SignFunc func(crypto.Hash) rsaSignFunc
+	}{
+		jwa.RS256: {
+			Hash:     crypto.SHA256,
+			SignFunc: makeSignPKCS1v15,
+		},
+		jwa.RS384: {
+			Hash:     crypto.SHA384,
+			SignFunc: makeSignPKCS1v15,
+		},
+		jwa.RS512: {
+			Hash:     crypto.SHA512,
+			SignFunc: makeSignPKCS1v15,
+		},
+		jwa.PS256: {
+			Hash:     crypto.SHA256,
+			SignFunc: makeSignPSS,
+		},
+		jwa.PS384: {
+			Hash:     crypto.SHA384,
+			SignFunc: makeSignPSS,
+		},
+		jwa.PS512: {
+			Hash:     crypto.SHA512,
+			SignFunc: makeSignPSS,
+		},
+	}
+
+	for alg, item := range algs {
+		rsaSignFuncs[alg] = item.SignFunc(item.Hash)
+	}
+}
+
+func makeSignPKCS1v15(hash crypto.Hash) rsaSignFunc {
+	return rsaSignFunc(func(payload []byte, key *rsa.PrivateKey) ([]byte, error) {
+		h := hash.New()
+		h.Write(payload)
+		return rsa.SignPKCS1v15(rand.Reader, key, hash, h.Sum(nil))
+	})
+}
+
+func makeSignPSS(hash crypto.Hash) rsaSignFunc {
+	return rsaSignFunc(func(payload []byte, key *rsa.PrivateKey) ([]byte, error) {
+		h := hash.New()
+		h.Write(payload)
+		return rsa.SignPSS(rand.Reader, key, hash, h.Sum(nil), &rsa.PSSOptions{
+			SaltLength: rsa.PSSSaltLengthAuto,
+		})
+	})
+}
+
+func newRSA(alg jwa.SignatureAlgorithm) (*RSASigner, error) {
+	signfn, ok := rsaSignFuncs[alg]
+	if !ok {
+		return nil, errors.Errorf(`unsupported algorithm while trying to create RSA signer: %s`, alg)
+	}
+	return &RSASigner{
+		alg:  alg,
+		sign: signfn,
+	}, nil
+}
+
+// Algorithm returns the signer algorithm
+func (s RSASigner) Algorithm() jwa.SignatureAlgorithm {
+	return s.alg
+}
+
+// Sign creates a signature using crypto/rsa. key must be a non-nil instance of
+// `*"crypto/rsa".PrivateKey`.
+func (s RSASigner) Sign(payload []byte, key interface{}) ([]byte, error) {
+	if key == nil {
+		return nil, errors.New(`missing private key while signing payload`)
+	}
+	rsakey, ok := key.(*rsa.PrivateKey)
+	if !ok {
+		return nil, errors.Errorf(`invalid key type %T. *rsa.PrivateKey is required`, key)
+	}
+
+	return s.sign(payload, rsakey)
+}

vendor/github.com/open-policy-agent/opa/internal/jwx/jws/sign/sign.go

@@ -0,0 +1,67 @@
+package sign
+
+import (
+	"crypto/x509"
+	"encoding/pem"
+	"fmt"
+
+	"github.com/pkg/errors"
+
+	"github.com/open-policy-agent/opa/internal/jwx/jwa"
+)
+
+// New creates a signer that signs payloads using the given signature algorithm.
+func New(alg jwa.SignatureAlgorithm) (Signer, error) {
+	switch alg {
+	case jwa.RS256, jwa.RS384, jwa.RS512, jwa.PS256, jwa.PS384, jwa.PS512:
+		return newRSA(alg)
+	case jwa.ES256, jwa.ES384, jwa.ES512:
+		return newECDSA(alg)
+	case jwa.HS256, jwa.HS384, jwa.HS512:
+		return newHMAC(alg)
+	default:
+		return nil, errors.Errorf(`unsupported signature algorithm %s`, alg)
+	}
+}
+
+// GetSigningKey returns a *rsa.PrivateKey or *ecdsa.PrivateKey typically encoded in PEM blocks of type "RSA PRIVATE KEY"
+// or "EC PRIVATE KEY" for RSA and ECDSA family of algorithms.
+// For HMAC family, it return a []byte value
+func GetSigningKey(key string, alg jwa.SignatureAlgorithm) (interface{}, error) {
+	switch alg {
+	case jwa.RS256, jwa.RS384, jwa.RS512, jwa.PS256, jwa.PS384, jwa.PS512:
+		block, _ := pem.Decode([]byte(key))
+		if block == nil {
+			return nil, fmt.Errorf("failed to parse PEM block containing the key")
+		}
+
+		priv, err := x509.ParsePKCS1PrivateKey(block.Bytes)
+		if err != nil {
+			pkcs8priv, err2 := x509.ParsePKCS8PrivateKey(block.Bytes)
+			if err2 != nil {
+				return nil, fmt.Errorf("error parsing private key (%v), (%v)", err, err2)
+			}
+			return pkcs8priv, nil
+		}
+		return priv, nil
+	case jwa.ES256, jwa.ES384, jwa.ES512:
+		block, _ := pem.Decode([]byte(key))
+		if block == nil {
+			return nil, fmt.Errorf("failed to parse PEM block containing the key")
+		}
+
+		priv, err := x509.ParseECPrivateKey(block.Bytes)
+		if err != nil {
+			pkcs8priv, err2 := x509.ParsePKCS8PrivateKey(block.Bytes)
+			if err2 != nil {
+				return nil, fmt.Errorf("error parsing private key (%v), (%v)", err, err2)
+			}
+			return pkcs8priv, nil
+		}
+		return priv, nil
+	case jwa.HS256, jwa.HS384, jwa.HS512:
+		return []byte(key), nil
+	default:
+		return nil, errors.Errorf("unsupported signature algorithm: %s", alg)
+	}
+}