Add SigV4 and SigV4A migration diff validation

Overview

~~Dependent on #2250, which is the first commit of this PR~~

These changes add SigV4 (aws.auth#sigv4, sigv4) and SigV4A (aws.auth#sigv4a, sigv4a) migration diff validation.

This is important since not all SigV4 credentials work with SigV4A, so migration from SigV4 to SigV4A is not backward compatible.

At the time of writing, it is uncertain whether migrating from SigV4A to SigV4 is backward compatible.

Simplified, the SigV4 migration validation events are emitted when:

aws.auth#sigv4 is replaced by aws.auth#sigv4a, or vice versa
the order of aws.auth#sigv4 and aws.auth#sigv4a is changed in the effective auth schemes
aws.auth#sigv4a is added before an existing aws.auth#sigv4, or vice versa

Validation Tables

Keywords:

sigv4 = aws.auth#sigv4
sigv4a = aws.auth#sigv4a
+ = set addition
, = list addition (order matters)
... = set, e.g. any, no sigv4, with sigv4

For both @auth and @smithy.rules#endpointRuleSet auth schemes, these are the following validations:

SigV4Migration checks for service and operation @auth diffs.
EndpointSigV4Migration checks for service @auth and @smithy.rules#endpointRuleSet diffs.
- At the time of writing, sigv4 also includes sigv4- sub-schemes except sigv4-s3express.
- At the time of writing, sigv4a also includes sigv4-s3express.
- beta auth schemes are not considered during SigV4 migration, and will have to manually be added.

Old Model Auth	New Model Auth	Expectation
[`no sigv4` + `no sigv4a`]	[`any`]	Skips validation since no migration
[`with sigv4` + `no sigv4a`]	[`no sigv4a`]	Skips validation since no migration
[`with sigv4a` + `no sigv4`]	[`no sigv4`]	Skips validation since no migration
[`with sigv4`, `with sigv4a`]	[`with sigv4`, `with sigv4a`]	Skips validation since no migration
[`with sigv4` + `no sigv4a`]	[`with sigv4a` + `no sigv4`]	Danger: `sigv4a` replaced `sigv4`, but not all `sigv4` credentials are compatible with `sigv4a`
[`with sigv4a` + `no sigv4`]	[`with sigv4` + `no sigv4a`]	Danger: `sigv4` replaced `sigv4a`, but signing scope could be narrowed (typically from `*`)
[`with sigv4` + `no sigv4a`]	[`with sigv4`, `with sigv4a`]	Backward compatible: `sigv4` will still resolve before `sigv4a`
[`with sigv4a` + `no sigv4`]	[`with sigv4a`, `with sigv4`]	Backward compatible: `sigv4a` will still resolve before `sigv4`
[`with sigv4` + `no sigv4a`]	[`with sigv4a`, `with sigv4`]	Danger: `sigv4a` will resolve before `sigv4`, but not all `sigv4` credentials are compatible with `sigv4a`
[`with sigv4a` + `no sigv4`]	[`with sigv4`, `with sigv4a`]	Danger: `sigv4` will resolve before `sigv4a`, but signing scope could be narrowed (typically from `*`)
[`with sigv4`, `with sigv4a`]	[`with sigv4a`, `with sigv4`]	Danger: `sigv4` and `sigv4a` order is changed, but not all `sigv4` credentials are compatible with `sigv4a`
[`with sigv4a`, `with sigv4`]	[`with sigv4`, `with sigv4a`]	Danger: `sigv4` and `sigv4a` order is changed, but signing scope could be narrowed (typically from `*`)

Testing

[x] Added diff tests according to the validation table
[x] CI passes

AWS Authentication Traits: https://smithy.io/2.0/aws/aws-auth.html
Endpoint authSchemes list property: https://smithy.io/2.0/additional-specs/rules-engine/specification.html#endpoint-authschemes-list-property

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

smithy-lang / smithy