Merge pull request #6 from IABTechLab/ysh-UID2-2123-load-azure-secret…

…-from-vault load azure secret key from vault
IABTechLab · Oct 27, 2023 · 2195ee8 · 2195ee8
2 parents 7522a25 + ee56b1c
commit 2195ee8
Show file tree

Hide file tree

Showing 2 changed files with 69 additions and 1 deletion.
diff --git a/pom.xml b/pom.xml
@@ -36,14 +36,39 @@
         <dependency>
             <groupId>com.uid2</groupId>
             <artifactId>uid2-attestation-api</artifactId>
-            <version>1.1.0</version>
+            <version>1.5.0-676519b018</version>
         </dependency>
         <dependency>
             <groupId>com.google.code.gson</groupId>
             <artifactId>gson</artifactId>
             <version>2.10</version>
             <scope>compile</scope>
         </dependency>
+        <dependency>
+            <groupId>com.google.guava</groupId>
+            <artifactId>guava</artifactId>
+            <version>32.1.2-jre</version>
+        </dependency>
+        <dependency>
+            <groupId>com.azure</groupId>
+            <artifactId>azure-security-keyvault-secrets</artifactId>
+            <version>4.7.0</version>
+        </dependency>
+        <dependency>
+            <groupId>com.azure</groupId>
+            <artifactId>azure-identity</artifactId>
+            <version>1.10.1</version>
+        </dependency>
+        <dependency>
+            <groupId>ch.qos.logback</groupId>
+            <artifactId>logback-core</artifactId>
+            <version>1.3.5</version>
+        </dependency>
+        <dependency>
+            <groupId>ch.qos.logback</groupId>
+            <artifactId>logback-classic</artifactId>
+            <version>1.3.5</version>
+        </dependency>
         <dependency>
             <groupId>junit</groupId>
             <artifactId>junit</artifactId>

diff --git a/src/main/java/com/uid2/attestation/azure/AzureVaultOperatorKeyRetriever.java b/src/main/java/com/uid2/attestation/azure/AzureVaultOperatorKeyRetriever.java
@@ -0,0 +1,43 @@
+package com.uid2.attestation.azure;
+
+import com.azure.identity.ManagedIdentityCredentialBuilder;
+import com.azure.security.keyvault.secrets.SecretClientBuilder;
+import com.google.common.base.Strings;
+import com.uid2.enclave.IOperatorKeyRetriever;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+public class AzureVaultOperatorKeyRetriever implements IOperatorKeyRetriever {
+    private static final Logger LOGGER = LoggerFactory.getLogger(AzureVaultOperatorKeyRetriever.class);
+
+    private final String vaultName;
+    private final String secretName;
+
+    public AzureVaultOperatorKeyRetriever(String vaultName, String secretName) {
+        if (Strings.isNullOrEmpty(vaultName)) {
+            throw new IllegalArgumentException("vaultName is null or empty");
+        }
+        if (Strings.isNullOrEmpty(secretName)) {
+            throw new IllegalArgumentException("secretName is null or empty");
+        }
+        this.vaultName = vaultName;
+        this.secretName = secretName;
+    }
+
+    // ManagedIdentityCredential is used here.
+    @Override
+    public String retrieve() {
+        String vaultUrl = "https://" + this.vaultName + ".vault.azure.net";
+        LOGGER.info(String.format("Load OperatorKey secret (%s) from %s", this.secretName, vaultUrl));
+        // Use default ExponentialBackoff retry policy
+        var secretClient = new SecretClientBuilder()
+                .vaultUrl(vaultUrl)
+                .credential(new ManagedIdentityCredentialBuilder().build())
+                .buildClient();
+
+        var retrievedSecret = secretClient.getSecret(secretName);
+
+        LOGGER.info("OperatorKey secret is loaded.");
+        return retrievedSecret.getValue();
+    }
+}