Merge branch 'master' of https://github.com/opencart/opencart

upload/admin/controller/error/permission.php

@@ -28,6 +28,8 @@ public function index(): void {
 			'href' => $this->url->link($this->request->get['route'], 'user_token=' . $this->session->data['user_token'])
 		];
 
+		$this->response->addheader($this->request->server['SERVER_PROTOCOL'] . ' 401 Unauthorized');
+
 		$data['header'] = $this->load->controller('common/header');
 		$data['column_left'] = $this->load->controller('common/column_left');
 		$data['footer'] = $this->load->controller('common/footer');

upload/system/storage/vendor/aws/aws-sdk-php/src/Auth/AuthSchemeResolver.php

@@ -0,0 +1,169 @@
+<?php
+
+namespace Aws\Auth;
+
+use Aws\Auth\Exception\UnresolvedAuthSchemeException;
+use Aws\Identity\AwsCredentialIdentity;
+use Aws\Identity\BearerTokenIdentity;
+use GuzzleHttp\Promise\PromiseInterface;
+
+/**
+ * Houses logic for selecting an auth scheme modeled in a service's `auth` trait.
+ * The `auth` trait can be modeled either in a service's metadata, or at the operation level.
+ */
+class AuthSchemeResolver implements AuthSchemeResolverInterface
+{
+    const UNSIGNED_BODY = '-unsigned-body';
+
+    /**
+     * @var string[] Default mapping of modeled auth trait auth schemes
+     *               to the SDK's supported signature versions.
+     */
+    private static $defaultAuthSchemeMap = [
+        'aws.auth#sigv4' => 'v4',
+        'aws.auth#sigv4a' => 'v4a',
+        'smithy.api#httpBearerAuth' => 'bearer',
+        'smithy.auth#noAuth' => 'anonymous'
+    ];
+
+    /**
+     * @var array Mapping of auth schemes to signature versions used in
+     *            resolving a signature version.
+     */
+    private $authSchemeMap;
+    private $tokenProvider;
+    private $credentialProvider;
+
+
+    public function __construct(
+        callable $credentialProvider,
+        callable $tokenProvider = null,
+        array $authSchemeMap = []
+    ){
+        $this->credentialProvider = $credentialProvider;
+        $this->tokenProvider = $tokenProvider;
+        $this->authSchemeMap = empty($authSchemeMap)
+            ? self::$defaultAuthSchemeMap
+            : $authSchemeMap;
+    }
+
+    /**
+     * Accepts a priority-ordered list of auth schemes and an Identity
+     * and selects the first compatible auth schemes, returning a normalized
+     * signature version.  For example, based on the default auth scheme mapping,
+     * if `aws.auth#sigv4` is selected, `v4` will be returned.
+     *
+     * @param array $authSchemes
+     * @param $identity
+     *
+     * @return string
+     * @throws UnresolvedAuthSchemeException
+     */
+    public function selectAuthScheme(
+        array $authSchemes,
+        array $args = []
+    ): string
+    {
+        $failureReasons = [];
+
+        foreach($authSchemes as $authScheme) {
+            $normalizedAuthScheme = $this->authSchemeMap[$authScheme] ?? $authScheme;
+
+            if ($this->isCompatibleAuthScheme($normalizedAuthScheme)) {
+                if ($normalizedAuthScheme === 'v4' && !empty($args['unsigned_payload'])) {
+                    return $normalizedAuthScheme . self::UNSIGNED_BODY;
+                }
+
+                return $normalizedAuthScheme;
+            } else {
+                $failureReasons[] = $this->getIncompatibilityMessage($normalizedAuthScheme);
+            }
+        }
+
+        throw new UnresolvedAuthSchemeException(
+            'Could not resolve an authentication scheme: '
+            . implode('; ', $failureReasons)
+        );
+    }
+
+    /**
+     * Determines compatibility based on either Identity or the availability
+     * of the CRT extension.
+     *
+     * @param $authScheme
+     *
+     * @return bool
+     */
+    private function isCompatibleAuthScheme($authScheme): bool
+    {
+        switch ($authScheme) {
+            case 'v4':
+            case 'anonymous':
+                return $this->hasAwsCredentialIdentity();
+            case 'v4a':
+                return extension_loaded('awscrt') && $this->hasAwsCredentialIdentity();
+            case 'bearer':
+                return $this->hasBearerTokenIdentity();
+            default:
+                return false;
+        }
+    }
+
+    /**
+     * Provides incompatibility messages in the event an incompatible auth scheme
+     * is encountered.
+     *
+     * @param $authScheme
+     *
+     * @return string
+     */
+    private function getIncompatibilityMessage($authScheme): string
+    {
+        switch ($authScheme) {
+            case 'v4':
+                return 'Signature V4 requires AWS credentials for request signing';
+            case 'anonymous':
+                return 'Anonymous signatures require AWS credentials for request signing';
+            case 'v4a':
+                return 'The aws-crt-php extension and AWS credentials are required to use Signature V4A';
+            case 'bearer':
+                return 'Bearer token credentials must be provided to use Bearer authentication';
+            default:
+                return "The service does not support `{$authScheme}` authentication.";
+        }
+    }
+
+    /**
+     * @return bool
+     */
+    private function hasAwsCredentialIdentity(): bool
+    {
+        $fn = $this->credentialProvider;
+        $result = $fn();
+
+        if ($result instanceof PromiseInterface) {
+            return $result->wait() instanceof AwsCredentialIdentity;
+        }
+
+        return $result instanceof AwsCredentialIdentity;
+    }
+
+    /**
+     * @return bool
+     */
+    private function hasBearerTokenIdentity(): bool
+    {
+        if ($this->tokenProvider) {
+            $fn = $this->tokenProvider;
+            $result = $fn();
+
+            if ($result instanceof PromiseInterface) {
+                return $result->wait() instanceof BearerTokenIdentity;
+            }
+
+            return $result instanceof BearerTokenIdentity;
+        }
+
+        return false;
+    }
+}

upload/system/storage/vendor/aws/aws-sdk-php/src/Auth/AuthSchemeResolverInterface.php

@@ -0,0 +1,24 @@
+<?php
+
+namespace Aws\Auth;
+
+use Aws\Identity\IdentityInterface;
+
+/**
+ * An AuthSchemeResolver object determines which auth scheme will be used for request signing.
+ */
+interface AuthSchemeResolverInterface
+{
+    /**
+     * Selects an auth scheme for request signing.
+     *
+     * @param array $authSchemes a priority-ordered list of authentication schemes.
+     * @param IdentityInterface $identity Credentials to be used in request signing.
+     *
+     * @return string
+     */
+    public function selectAuthScheme(
+        array $authSchemes,
+        array $args
+    ): ?string;
+}

upload/system/storage/vendor/aws/aws-sdk-php/src/Auth/AuthSelectionMiddleware.php

@@ -0,0 +1,99 @@
+<?php
+namespace Aws\Auth;
+
+use Aws\Api\Service;
+use Aws\CommandInterface;
+use Closure;
+use GuzzleHttp\Promise\Promise;
+
+/**
+ * Handles auth scheme resolution. If a service models and auth scheme using
+ * the `auth` trait and the operation or metadata levels, this middleware will
+ * attempt to select the first compatible auth scheme it encounters and apply its
+ * signature version to the command's `@context` property bag.
+ *
+ * IMPORTANT: this middleware must be added to the "build" step.
+ *
+ * @internal
+ */
+class AuthSelectionMiddleware
+{
+    /** @var callable */
+    private $nextHandler;
+
+    /** @var AuthSchemeResolverInterface */
+    private $authResolver;
+
+    /** @var Service */
+    private $api;
+
+    /**
+     * Create a middleware wrapper function
+     *
+     * @param AuthSchemeResolverInterface $authResolver
+     * @param Service $api
+     * @return Closure
+     */
+    public static function wrap(
+        AuthSchemeResolverInterface $authResolver,
+        Service $api
+    ): Closure
+    {
+        return function (callable $handler) use ($authResolver, $api) {
+            return new self($handler, $authResolver, $api);
+        };
+    }
+
+    /**
+     * @param callable $nextHandler
+     * @param $authResolver
+     * @param callable $identityProvider
+     * @param Service $api
+     */
+    public function __construct(
+        callable $nextHandler,
+        AuthSchemeResolverInterface $authResolver,
+        Service $api
+    )
+    {
+        $this->nextHandler = $nextHandler;
+        $this->authResolver = $authResolver;
+        $this->api = $api;
+    }
+
+    /**
+     * @param CommandInterface $command
+     *
+     * @return Promise
+     */
+    public function __invoke(CommandInterface $command)
+    {
+        $nextHandler = $this->nextHandler;
+        $serviceAuth = $this->api->getMetadata('auth') ?: [];
+        $operation = $this->api->getOperation($command->getName());
+        $operationAuth = $operation['auth'] ?? [];
+        $unsignedPayload = $operation['unsignedpayload'] ?? false;
+        $resolvableAuth = $operationAuth ?: $serviceAuth;
+
+        if (!empty($resolvableAuth)) {
+            if (isset($command['@context']['auth_scheme_resolver'])
+                && $command['@context']['auth_scheme_resolver'] instanceof AuthSchemeResolverInterface
+            ){
+                $resolver = $command['@context']['auth_scheme_resolver'];
+            } else {
+                $resolver = $this->authResolver;
+            }
+
+            $selectedAuthScheme = $resolver->selectAuthScheme(
+                $resolvableAuth,
+                ['unsigned_payload' => $unsignedPayload]
+            );
+
+            if (!empty($selectedAuthScheme)) {
+                $command['@context']['signature_version'] = $selectedAuthScheme;
+            }
+        }
+
+        return $nextHandler($command);
+    }
+}