Implement providers.aws.sign_req builtin#151
Conversation
…loses open-policy-agent#146) Signed-off-by: Muhammad Umer Hammad <umerhammad010@gmail.com>
sspaink
left a comment
There was a problem hiding this comment.
Verified against OPA's topdown/providers.go + internal/providers/aws/signing_v4.go, with the divergences below confirmed by running Go directly. The SigV4 chain, string-to-sign, credential scope, header precedence (including the subtle "existing x-amz-content-sha256 wins in the canonical request but computed hash wins in output"), raw_body precedence, and error-message wording all match, and the fixture-driven test is solid. Because signing is byte-exact, the findings all manifest as wrong signatures on inputs the 18 fixtures don't cover — so the suite passes while real requests would fail AWS verification. Findings 1 and 3 share a root cause: canonicalJson reimplements Go's encoding/json and misses two of its behaviors.
… formatting to match Go byte-exactly Signed-off-by: Muhammad Umer Hammad <umerhammad010@gmail.com>
| } | ||
|
|
||
| private static void writeJson(RegoValue value, StringBuilder sb) { | ||
| if (value == null || value instanceof RegoNull) { |
Summary
Implements providers.aws.sign_req (AWS SigV4 header-based request signing) as described in #146.
Changes
Testing
Closes #146.