Upgrade dependent version: github.com/open-policy-agent/opa (#5315)

Upgrade dependent version: github.com/open-policy-agent/opa v0.18.0 -> v0.45.0

Signed-off-by: hongzhouzi <hongzhouzi@kubesphere.io>

Signed-off-by: hongzhouzi <hongzhouzi@kubesphere.io>

vendor/github.com/open-policy-agent/opa/internal/jwx/jws/verify/ecdsa.go

@@ -0,0 +1,67 @@
+package verify
+
+import (
+	"crypto"
+	"crypto/ecdsa"
+	"math/big"
+
+	"github.com/pkg/errors"
+
+	"github.com/open-policy-agent/opa/internal/jwx/jwa"
+)
+
+var ecdsaVerifyFuncs = map[jwa.SignatureAlgorithm]ecdsaVerifyFunc{}
+
+func init() {
+	algs := map[jwa.SignatureAlgorithm]crypto.Hash{
+		jwa.ES256: crypto.SHA256,
+		jwa.ES384: crypto.SHA384,
+		jwa.ES512: crypto.SHA512,
+	}
+
+	for alg, h := range algs {
+		ecdsaVerifyFuncs[alg] = makeECDSAVerifyFunc(h)
+	}
+}
+
+func makeECDSAVerifyFunc(hash crypto.Hash) ecdsaVerifyFunc {
+	return ecdsaVerifyFunc(func(payload []byte, signature []byte, key *ecdsa.PublicKey) error {
+
+		r, s := &big.Int{}, &big.Int{}
+		n := len(signature) / 2
+		r.SetBytes(signature[:n])
+		s.SetBytes(signature[n:])
+
+		h := hash.New()
+		h.Write(payload)
+
+		if !ecdsa.Verify(key, h.Sum(nil), r, s) {
+			return errors.New(`failed to verify signature using ecdsa`)
+		}
+		return nil
+	})
+}
+
+func newECDSA(alg jwa.SignatureAlgorithm) (*ECDSAVerifier, error) {
+	verifyfn, ok := ecdsaVerifyFuncs[alg]
+	if !ok {
+		return nil, errors.Errorf(`unsupported algorithm while trying to create ECDSA verifier: %s`, alg)
+	}
+
+	return &ECDSAVerifier{
+		verify: verifyfn,
+	}, nil
+}
+
+// Verify checks whether the signature for a given input and key is correct
+func (v ECDSAVerifier) Verify(payload []byte, signature []byte, key interface{}) error {
+	if key == nil {
+		return errors.New(`missing public key while verifying payload`)
+	}
+	ecdsakey, ok := key.(*ecdsa.PublicKey)
+	if !ok {
+		return errors.Errorf(`invalid key type %T. *ecdsa.PublicKey is required`, key)
+	}
+
+	return v.verify(payload, signature, ecdsakey)
+}

vendor/github.com/open-policy-agent/opa/internal/jwx/jws/verify/hmac.go

@@ -0,0 +1,33 @@
+package verify
+
+import (
+	"crypto/hmac"
+	"fmt"
+
+	"github.com/open-policy-agent/opa/internal/jwx/jwa"
+	"github.com/open-policy-agent/opa/internal/jwx/jws/sign"
+	"github.com/pkg/errors"
+)
+
+func newHMAC(alg jwa.SignatureAlgorithm) (*HMACVerifier, error) {
+
+	s, err := sign.New(alg)
+	if err != nil {
+		return nil, fmt.Errorf("failed to generate HMAC signer: %w", err)
+	}
+	return &HMACVerifier{signer: s}, nil
+}
+
+// Verify checks whether the signature for a given input and key is correct
+func (v HMACVerifier) Verify(signingInput, signature []byte, key interface{}) (err error) {
+
+	expected, err := v.signer.Sign(signingInput, key)
+	if err != nil {
+		return fmt.Errorf("failed to generated signature: %w", err)
+	}
+
+	if !hmac.Equal(signature, expected) {
+		return errors.New("failed to match hmac signature")
+	}
+	return nil
+}

vendor/github.com/open-policy-agent/opa/internal/jwx/jws/verify/interface.go

@@ -0,0 +1,39 @@
+package verify
+
+import (
+	"crypto/ecdsa"
+	"crypto/rsa"
+
+	"github.com/open-policy-agent/opa/internal/jwx/jws/sign"
+)
+
+// Verifier provides a common interface for supported alg verification methods
+type Verifier interface {
+	// Verify checks whether the payload and signature are valid for
+	// the given key.
+	// `key` is the key used for verifying the payload, and is usually
+	// the public key associated with the signature method. For example,
+	// for `jwa.RSXXX` and `jwa.PSXXX` types, you need to pass the
+	// `*"crypto/rsa".PublicKey` type.
+	// Check the documentation for each verifier for details
+	Verify(payload []byte, signature []byte, key interface{}) error
+}
+
+type rsaVerifyFunc func([]byte, []byte, *rsa.PublicKey) error
+
+// RSAVerifier implements the Verifier interface
+type RSAVerifier struct {
+	verify rsaVerifyFunc
+}
+
+type ecdsaVerifyFunc func([]byte, []byte, *ecdsa.PublicKey) error
+
+// ECDSAVerifier implements the Verifier interface
+type ECDSAVerifier struct {
+	verify ecdsaVerifyFunc
+}
+
+// HMACVerifier implements the Verifier interface
+type HMACVerifier struct {
+	signer sign.Signer
+}

vendor/github.com/open-policy-agent/opa/internal/jwx/jws/verify/rsa.go

@@ -0,0 +1,88 @@
+package verify
+
+import (
+	"crypto"
+	"crypto/rsa"
+
+	"github.com/open-policy-agent/opa/internal/jwx/jwa"
+
+	"github.com/pkg/errors"
+)
+
+var rsaVerifyFuncs = map[jwa.SignatureAlgorithm]rsaVerifyFunc{}
+
+func init() {
+	algs := map[jwa.SignatureAlgorithm]struct {
+		Hash       crypto.Hash
+		VerifyFunc func(crypto.Hash) rsaVerifyFunc
+	}{
+		jwa.RS256: {
+			Hash:       crypto.SHA256,
+			VerifyFunc: makeVerifyPKCS1v15,
+		},
+		jwa.RS384: {
+			Hash:       crypto.SHA384,
+			VerifyFunc: makeVerifyPKCS1v15,
+		},
+		jwa.RS512: {
+			Hash:       crypto.SHA512,
+			VerifyFunc: makeVerifyPKCS1v15,
+		},
+		jwa.PS256: {
+			Hash:       crypto.SHA256,
+			VerifyFunc: makeVerifyPSS,
+		},
+		jwa.PS384: {
+			Hash:       crypto.SHA384,
+			VerifyFunc: makeVerifyPSS,
+		},
+		jwa.PS512: {
+			Hash:       crypto.SHA512,
+			VerifyFunc: makeVerifyPSS,
+		},
+	}
+
+	for alg, item := range algs {
+		rsaVerifyFuncs[alg] = item.VerifyFunc(item.Hash)
+	}
+}
+
+func makeVerifyPKCS1v15(hash crypto.Hash) rsaVerifyFunc {
+	return rsaVerifyFunc(func(payload, signature []byte, key *rsa.PublicKey) error {
+		h := hash.New()
+		h.Write(payload)
+		return rsa.VerifyPKCS1v15(key, hash, h.Sum(nil), signature)
+	})
+}
+
+func makeVerifyPSS(hash crypto.Hash) rsaVerifyFunc {
+	return rsaVerifyFunc(func(payload, signature []byte, key *rsa.PublicKey) error {
+		h := hash.New()
+		h.Write(payload)
+		return rsa.VerifyPSS(key, hash, h.Sum(nil), signature, nil)
+	})
+}
+
+func newRSA(alg jwa.SignatureAlgorithm) (*RSAVerifier, error) {
+	verifyfn, ok := rsaVerifyFuncs[alg]
+	if !ok {
+		return nil, errors.Errorf(`unsupported algorithm while trying to create RSA verifier: %s`, alg)
+	}
+
+	return &RSAVerifier{
+		verify: verifyfn,
+	}, nil
+}
+
+// Verify checks if a JWS is valid.
+func (v RSAVerifier) Verify(payload, signature []byte, key interface{}) error {
+	if key == nil {
+		return errors.New(`missing public key while verifying payload`)
+	}
+	rsaKey, ok := key.(*rsa.PublicKey)
+	if !ok {
+		return errors.Errorf(`invalid key type %T. *rsa.PublicKey is required`, key)
+	}
+
+	return v.verify(payload, signature, rsaKey)
+}

vendor/github.com/open-policy-agent/opa/internal/jwx/jws/verify/verify.go

@@ -0,0 +1,57 @@
+package verify
+
+import (
+	"crypto/ecdsa"
+	"crypto/rsa"
+	"crypto/x509"
+	"encoding/pem"
+	"fmt"
+
+	"github.com/pkg/errors"
+
+	"github.com/open-policy-agent/opa/internal/jwx/jwa"
+)
+
+// New creates a new JWS verifier using the specified algorithm
+// and the public key
+func New(alg jwa.SignatureAlgorithm) (Verifier, error) {
+	switch alg {
+	case jwa.RS256, jwa.RS384, jwa.RS512, jwa.PS256, jwa.PS384, jwa.PS512:
+		return newRSA(alg)
+	case jwa.ES256, jwa.ES384, jwa.ES512:
+		return newECDSA(alg)
+	case jwa.HS256, jwa.HS384, jwa.HS512:
+		return newHMAC(alg)
+	default:
+		return nil, errors.Errorf(`unsupported signature algorithm: %s`, alg)
+	}
+}
+
+// GetSigningKey returns a *rsa.PublicKey or *ecdsa.PublicKey typically encoded in PEM blocks of type "PUBLIC KEY",
+// for RSA and ECDSA family of algorithms.
+// For HMAC family, it return a []byte value
+func GetSigningKey(key string, alg jwa.SignatureAlgorithm) (interface{}, error) {
+	switch alg {
+	case jwa.RS256, jwa.RS384, jwa.RS512, jwa.PS256, jwa.PS384, jwa.PS512, jwa.ES256, jwa.ES384, jwa.ES512:
+		block, _ := pem.Decode([]byte(key))
+		if block == nil {
+			return nil, fmt.Errorf("failed to parse PEM block containing the key")
+		}
+
+		pub, err := x509.ParsePKIXPublicKey(block.Bytes)
+		if err != nil {
+			return nil, err
+		}
+
+		switch pub := pub.(type) {
+		case *rsa.PublicKey, *ecdsa.PublicKey:
+			return pub, nil
+		default:
+			return nil, fmt.Errorf("invalid key type %T", pub)
+		}
+	case jwa.HS256, jwa.HS384, jwa.HS512:
+		return []byte(key), nil
+	default:
+		return nil, errors.Errorf("unsupported signature algorithm: %s", alg)
+	}
+}