Refactoring UserIdentity logics

.github/workflows/build-and-test.yaml

@@ -3,7 +3,7 @@ on: [pull_request, push, workflow_dispatch]
 
 jobs:
   build:
-    uses: IABTechLab/uid2-shared-actions/.github/workflows/shared-build-and-test.yaml@v2
+    uses: IABTechLab/uid2-shared-actions/.github/workflows/shared-build-and-test.yaml@v3
     with:
       java_version: 21
     secrets: inherit

.github/workflows/publish-all-operators.yaml

@@ -55,7 +55,7 @@ jobs:
           fetch-depth: 0
 
       - name: Scan vulnerabilities
-        uses: IABTechLab/uid2-shared-actions/actions/vulnerability_scan_filesystem@v2
+        uses: IABTechLab/uid2-shared-actions/actions/vulnerability_scan_filesystem@v3
         with:
           scan_severity: HIGH,CRITICAL
           failure_severity: CRITICAL

.github/workflows/validate-image.yaml

@@ -19,15 +19,15 @@ on:
 
 jobs:
   build-publish-docker-default:
-    uses: IABTechLab/uid2-shared-actions/.github/workflows/shared-validate-image.yaml@v2
+    uses: IABTechLab/uid2-shared-actions/.github/workflows/shared-validate-image.yaml@v3
     with: 
       failure_severity: ${{ inputs.failure_severity || 'CRITICAL,HIGH' }}
       fail_on_error: ${{ inputs.fail_on_error || true }}
       cloud_provider: 'default'
       java_version: 21
     secrets: inherit
   build-publish-docker-aws:
-    uses: IABTechLab/uid2-shared-actions/.github/workflows/shared-validate-image.yaml@v2
+    uses: IABTechLab/uid2-shared-actions/.github/workflows/shared-validate-image.yaml@v3
     with: 
       failure_severity: ${{ inputs.failure_severity || 'CRITICAL,HIGH' }}
       fail_on_error: ${{ inputs.fail_on_error || true }}
@@ -36,7 +36,7 @@ jobs:
     secrets: inherit
     needs: [build-publish-docker-default]
   build-publish-docker-gcp:
-    uses: IABTechLab/uid2-shared-actions/.github/workflows/shared-validate-image.yaml@v2
+    uses: IABTechLab/uid2-shared-actions/.github/workflows/shared-validate-image.yaml@v3
     with: 
       failure_severity: ${{ inputs.failure_severity || 'CRITICAL,HIGH' }}
       fail_on_error: ${{ inputs.fail_on_error || true }}
@@ -45,7 +45,7 @@ jobs:
     secrets: inherit
     needs: [build-publish-docker-aws]
   build-publish-docker-azure:
-    uses: IABTechLab/uid2-shared-actions/.github/workflows/shared-validate-image.yaml@v2
+    uses: IABTechLab/uid2-shared-actions/.github/workflows/shared-validate-image.yaml@v3
     with: 
       failure_severity: ${{ inputs.failure_severity || 'CRITICAL,HIGH' }}
       fail_on_error: ${{ inputs.fail_on_error || true }}

.trivyignore

@@ -2,4 +2,6 @@
 # See https://aquasecurity.github.io/trivy/v0.35/docs/vulnerability/examples/filter/ 
 # for more details
 # e.g. 
-# CVE-2022-3996
+
+# https://thetradedesk.atlassian.net/browse/UID2-4460
+CVE-2024-47535

Makefile.eif

@@ -14,11 +14,11 @@ all: build_eif
 build_eif: uid2operator.eif euidoperator.eif
 
 uid2operator.eif: build_artifacts build_configs build/proxies.nitro.yaml build/syslog-ng-client.conf build/syslog-ng-core_4.6.0-1_amd64.deb build/syslog-ng-ose-pub.asc build/entrypoint.sh build/vsockpx build/Dockerfile build/load_config.py build/make_config.py
-	cd build; docker build -t uid2operator . --build-arg JAR_VERSION=`cat package.version` --build-arg IMAGE_VERSION=`cat package.version`-`git show --format="%h" --no-patch`; docker save -o ./uid2operator.tar uid2operator; docker cp ./uid2operator.tar amazonlinux:/uid2operator.tar
+	cd build; docker build -t uid2operator . --build-arg JAR_VERSION=`cat package.version` --build-arg IMAGE_VERSION=`cat package.version`-`git show --format="%h" --no-patch`; docker save -o ./uid2operator.tar uid2operator; docker cp ./uid2operator.tar amazonlinux:/uid2operator.tar; rm -f ./uid2operator.tar
 	docker exec amazonlinux bash aws_nitro_eif.sh uid2operator
 
 euidoperator.eif: build_artifacts build_configs build/proxies.nitro.yaml build/syslog-ng-client.conf build/syslog-ng-core_4.6.0-1_amd64.deb build/syslog-ng-ose-pub.asc build/entrypoint.sh build/vsockpx build/Dockerfile build/load_config.py build/make_config.py
-	cd build; docker build -t euidoperator . --build-arg IDENTITY_SCOPE='EUID' --build-arg JAR_VERSION=`cat package.version` --build-arg IMAGE_VERSION=`cat package.version`-`git show --format="%h" --no-patch`; docker save -o ./euidoperator.tar euidoperator; docker cp ./euidoperator.tar amazonlinux:/euidoperator.tar
+	cd build; docker build -t euidoperator . --build-arg IDENTITY_SCOPE='EUID' --build-arg JAR_VERSION=`cat package.version` --build-arg IMAGE_VERSION=`cat package.version`-`git show --format="%h" --no-patch`; docker save -o ./euidoperator.tar euidoperator; docker cp ./euidoperator.tar amazonlinux:/euidoperator.tar; rm -f ./euidoperator.tar
 	docker exec amazonlinux bash aws_nitro_eif.sh euidoperator
 
 ##################################################################################################################################################################
@@ -37,7 +37,7 @@ build/make_config.py: ./scripts/aws/make_config.py
 
 .PHONY: build_configs
 
-build_configs: build/conf/default-config.json build/conf/prod-uid2-config.json build/conf/integ-uid2-config.json build/conf/prod-euid-config.json build/conf/integ-euid-config.json build/conf/logback.xml
+build_configs: build/conf/default-config.json build/conf/prod-uid2-config.json build/conf/integ-uid2-config.json build/conf/prod-euid-config.json build/conf/integ-euid-config.json build/conf/logback.xml build/conf/logback-debug.xml
 
 build/conf/default-config.json: build_artifacts ./scripts/aws/conf/default-config.json
 	cp ./scripts/aws/conf/default-config.json ./build/conf/
@@ -57,6 +57,9 @@ build/conf/integ-euid-config.json: build_artifacts ./scripts/aws/conf/integ-euid
 build/conf/logback.xml: build_artifacts ./scripts/aws/conf/logback.xml
 	cp ./scripts/aws/conf/logback.xml ./build/conf/
 
+build/conf/logback-debug.xml: build_artifacts ./scripts/aws/conf/logback-debug.xml
+	cp ./scripts/aws/conf/logback-debug.xml ./build/conf/
+
 build/Dockerfile: build_artifacts ./scripts/aws/Dockerfile
 	cp ./scripts/aws/Dockerfile ./build/
 

conf/docker-config.json

@@ -4,7 +4,6 @@
   "storage_mock": true,
   "refresh_token_expires_after_seconds": 86400,
   "refresh_identity_token_after_seconds": 900,
-  "advertising_token_v3": false,
   "refresh_token_v3": false,
   "identity_v3": false,
   "identity_scope": "uid2",

conf/local-config.json

@@ -12,9 +12,6 @@
   "identity_token_expires_after_seconds": 3600,
   "refresh_token_expires_after_seconds": 86400,
   "refresh_identity_token_after_seconds": 900,
-  "advertising_token_v3": false,
-  "advertising_token_v4_percentage": 0,
-  "site_ids_using_v4_tokens": "",
   "refresh_token_v3": false,
   "identity_v3": false,
   "identity_scope": "uid2",

conf/local-e2e-docker-private-config.json

@@ -14,7 +14,6 @@
   "identity_token_expires_after_seconds": 3600,
   "refresh_token_expires_after_seconds": 86400,
   "refresh_identity_token_after_seconds": 900,
-  "advertising_token_v3": false,
   "refresh_token_v3": true,
   "identity_v3": false,
   "identity_scope": "uid2",

conf/local-e2e-docker-public-config.json

@@ -16,7 +16,6 @@
   "identity_token_expires_after_seconds": 3600,
   "refresh_token_expires_after_seconds": 86400,
   "refresh_identity_token_after_seconds": 900,
-  "advertising_token_v3": false,
   "refresh_token_v3": true,
   "identity_v3": false,
   "identity_scope": "uid2",

conf/local-e2e-private-config.json

@@ -16,7 +16,6 @@
   "identity_token_expires_after_seconds": 3600,
   "refresh_token_expires_after_seconds": 86400,
   "refresh_identity_token_after_seconds": 900,
-  "advertising_token_v3": false,
   "refresh_token_v3": true,
   "identity_v3": false,
   "identity_scope": "uid2",

conf/local-e2e-public-config.json

@@ -16,7 +16,6 @@
   "identity_token_expires_after_seconds": 3600,
   "refresh_token_expires_after_seconds": 86400,
   "refresh_identity_token_after_seconds": 900,
-  "advertising_token_v3": false,
   "refresh_token_v3": true,
   "identity_v3": false,
   "identity_scope": "uid2",

conf/validator-latest-e2e-docker-public-config.json

@@ -17,7 +17,6 @@
   "identity_token_expires_after_seconds": 3600,
   "refresh_token_expires_after_seconds": 86400,
   "refresh_identity_token_after_seconds": 900,
-  "advertising_token_v3": false,
   "refresh_token_v3": true,
   "identity_v3": false,
   "identity_scope": "uid2",

pom.xml

@@ -6,11 +6,11 @@
 
     <groupId>com.uid2</groupId>
     <artifactId>uid2-operator</artifactId>
-    <version>5.40.86</version>
+    <version>5.43.4</version>
 
     <properties>
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
-        <vertx.version>4.5.3</vertx.version>
+        <vertx.version>4.5.11</vertx.version>
         <vertx-maven-plugin.version>1.0.22</vertx-maven-plugin.version>
         <junit-jupiter.version>5.11.2</junit-jupiter.version>
         <junit-vintage.version>5.11.2</junit-vintage.version>
@@ -22,7 +22,7 @@
         <enclave-aws.version>2.1.0</enclave-aws.version>
         <enclave-azure.version>2.1.0</enclave-azure.version>
         <enclave-gcp.version>2.1.0</enclave-gcp.version>
-        <uid2-shared.version>7.19.0</uid2-shared.version>
+        <uid2-shared.version>8.0.9</uid2-shared.version>
         <image.version>${project.version}</image.version>
         <maven.compiler.source>21</maven.compiler.source>
         <maven.compiler.target>21</maven.compiler.target>

scripts/aws/conf/default-config.json

@@ -34,7 +34,5 @@
   "failure_shutdown_wait_hours": 120,
   "sharing_token_expiry_seconds": 2592000,
   "validate_service_links": false,
-  "advertising_token_v4_percentage": 100,
-  "site_ids_using_v4_tokens": "",
   "operator_type": "private"
 }

scripts/aws/conf/logback-debug.xml

@@ -0,0 +1,15 @@
+<configuration>
+    <statusListener class="ch.qos.logback.core.status.OnConsoleStatusListener" />
+
+    <appender name="STDOUT" class="ch.qos.logback.core.ConsoleAppender">
+        <encoder class="net.logstash.logback.encoder.LogstashEncoder">
+            <jsonGeneratorDecorator class="net.logstash.logback.mask.MaskingJsonGeneratorDecorator">
+                <defaultMask>REDACTED - S3</defaultMask>
+                <value>\S+s3\.amazonaws\.com\/\S*X-Amz-Security-Token=\S+</value>
+            </jsonGeneratorDecorator>
+        </encoder>
+    </appender>
+    <root level="INFO">
+        <appender-ref ref="STDOUT" />
+    </root>
+</configuration>

scripts/aws/conf/prod-euid-config.json

@@ -24,9 +24,8 @@
   "refresh_identity_token_after_seconds": 3600,
   "allow_legacy_api": false,
   "identity_scope": "euid",
-  "advertising_token_v3": true,
   "refresh_token_v3": true,
-  "enable_phone_support": false,
+  "enable_phone_support": true,
   "enable_v1_phone_support": false,
   "enable_v2_encryption": true
 }

scripts/aws/eks-pod/entrypoint.sh

@@ -3,6 +3,7 @@ CID=42
 EIF_PATH=/home/uid2operator.eif
 MEMORY_MB=24576
 CPU_COUNT=6
+DEBUG_MODE="false"
 
 set -x
 
@@ -26,7 +27,7 @@ function setup_vsockproxy() {
     echo "setup_vsockproxy"
     VSOCK_PROXY=${VSOCK_PROXY:-/home/vsockpx}
     VSOCK_CONFIG=${VSOCK_CONFIG:-/home/proxies.host.yaml}
-    VSOCK_THREADS=${VSOCK_THREADS:-$(( $(nproc) * 2 )) }
+    VSOCK_THREADS=${VSOCK_THREADS:-$(( ( $(nproc) + 1 ) / 2 )) }
     VSOCK_LOG_LEVEL=${VSOCK_LOG_LEVEL:-3}
     echo "starting vsock proxy at $VSOCK_PROXY with $VSOCK_THREADS worker threads..."
     $VSOCK_PROXY -c $VSOCK_CONFIG --workers $VSOCK_THREADS --log-level $VSOCK_LOG_LEVEL --daemon
@@ -87,12 +88,20 @@ function update_config() {
         { set +x; } 2>/dev/null; { CPU_COUNT=$(echo $IDENTITY_SERVICE_CONFIG | jq -r '.enclave_cpu_count'); set -x; }
         { set +x; } 2>/dev/null; { MEMORY_MB=$(echo $IDENTITY_SERVICE_CONFIG | jq -r '.enclave_memory_mb'); set -x; }
     fi
+
+    { set +x; } 2>/dev/null; { DEBUG_MODE=$(echo $IDENTITY_SERVICE_CONFIG | jq -r '.debug_mode'); set -x; }
+
     shopt -u nocasematch
 }
 
 function run_enclave() {
-    echo "starting enclave... --cpu-count $CPU_COUNT --memory $MEMORY_MB --eif-path $EIF_PATH --enclave-cid $CID"
-    nitro-cli run-enclave --cpu-count $CPU_COUNT --memory $MEMORY_MB --eif-path $EIF_PATH --enclave-cid $CID --enclave-name uid2-operator
+    if [ "$DEBUG_MODE" == "true" ]; then
+      echo "starting enclave... --cpu-count $CPU_COUNT --memory $MEMORY_MB --eif-path $EIF_PATH --enclave-cid $CID --debug-mode --attach-console"
+      nitro-cli run-enclave --cpu-count $CPU_COUNT --memory $MEMORY_MB --eif-path $EIF_PATH --enclave-cid $CID --enclave-name uid2-operator --debug-mode --attach-console
+    else
+      echo "starting enclave... --cpu-count $CPU_COUNT --memory $MEMORY_MB --eif-path $EIF_PATH --enclave-cid $CID"
+      nitro-cli run-enclave --cpu-count $CPU_COUNT --memory $MEMORY_MB --eif-path $EIF_PATH --enclave-cid $CID --enclave-name uid2-operator
+    fi
 }
 
 echo "starting ..."

scripts/aws/entrypoint.sh

@@ -5,8 +5,7 @@
 LOG_FILE="/home/start.txt"
 
 set -x
-exec > $LOG_FILE
-exec 2>&1
+exec &> >(tee -a "$LOG_FILE")
 
 set -o pipefail
 ulimit -n 65536
@@ -17,11 +16,7 @@ ifconfig lo 127.0.0.1
 
 # -- start vsock proxy
 echo "Starting vsock proxy..."
-/app/vsockpx --config /app/proxies.nitro.yaml --daemon --workers $(( $(nproc) * 2 )) --log-level 3
-
-# -- setup syslog-ng
-echo "Starting syslog-ng..."
-/usr/sbin/syslog-ng --verbose
+/app/vsockpx --config /app/proxies.nitro.yaml --daemon --workers $(( ( $(nproc) + 3 ) / 4 )) --log-level 3
 
 # -- load config from identity service
 echo "Loading config from identity service via proxy..."
@@ -42,6 +37,17 @@ do
   sleep 2
 done
 
+DEBUG_MODE=$(jq -r ".debug_mode" < "${OVERRIDES_CONFIG}")
+
+if [[ "$DEBUG_MODE" == "true" ]]; then
+  LOGBACK_CONF="./conf/logback-debug.xml"
+else
+  LOGBACK_CONF="./conf/logback.xml"
+  # -- setup syslog-ng
+  echo "Starting syslog-ng..."
+  /usr/sbin/syslog-ng --verbose
+fi
+
 # check the config is valid. Querying for a known missing element (empty) makes jq parse the file, but does not echo the results
 if jq empty "${OVERRIDES_CONFIG}"; then
     echo "Identity service returned valid config"
@@ -101,6 +107,6 @@ java \
   -Djava.library.path=/app/lib \
   -Dvertx-config-path="${FINAL_CONFIG}" \
   -Dvertx.logger-delegate-factory-class-name=io.vertx.core.logging.SLF4JLogDelegateFactory \
-  -Dlogback.configurationFile=./conf/logback.xml \
+  -Dlogback.configurationFile=${LOGBACK_CONF} \
   -Dhttp_proxy=socks5://127.0.0.1:3305 \
   -jar /app/"${JAR_NAME}"-"${JAR_VERSION}".jar

scripts/aws/make_config.py

@@ -26,7 +26,7 @@ def apply_override(config, overrides, key, type):
 config['optout_api_token'] = overrides['api_token']
 
 # number of threads
-config['service_instances'] = thread_count
+config['service_instances'] = int((thread_count + 1) * 2 / 3)
 
 # environment
 if overrides.get('environment') == 'integ':

scripts/aws/pipeline/amazonlinux2023.Dockerfile

@@ -4,8 +4,9 @@ FROM amazonlinux:2023
 RUN dnf update -y
     # systemd is not a hard requirement for Amazon ECS Anywhere, but the installation script currently only supports systemd to run.
     # Amazon ECS Anywhere can be used without systemd, if you set up your nodes and register them into your ECS cluster **without** the installation script.
-RUN dnf -y groupinstall "Development Tools"
-RUN dnf -y install systemd vim-common wget git tar libstdc++-static.x86_64 cmake cmake3 aws-nitro-enclaves-cli aws-nitro-enclaves-cli-devel
+RUN dnf -y groupinstall "Development Tools" \
+    && dnf -y install systemd vim-common wget git tar libstdc++-static.x86_64 cmake cmake3 aws-nitro-enclaves-cli aws-nitro-enclaves-cli-devel \
+    && dnf clean all
 
 RUN systemctl enable docker
 
@@ -14,12 +15,14 @@ RUN wget https://www.inet.no/dante/files/dante-1.4.3.tar.gz \
     && sha256sum --check dante_checksum \
     && tar -xf dante-1.4.3.tar.gz \
     && cd dante-1.4.3; ./configure; make; cd .. \
-    && cp dante-1.4.3/sockd/sockd ./
+    && cp dante-1.4.3/sockd/sockd ./ \
+    && rm -rf dante-1.4.3 dante-1.4.3.tar.gz
 
 RUN git clone https://github.com/IABTechLab/uid2-aws-enclave-vsockproxy.git \
     && mkdir uid2-aws-enclave-vsockproxy/build \
     && cd uid2-aws-enclave-vsockproxy/build; cmake .. -DCMAKE_BUILD_TYPE=RelWithDebInfo; make; cd ../.. \
-    && cp uid2-aws-enclave-vsockproxy/build/vsock-bridge/src/vsock-bridge ./vsockpx
+    && cp uid2-aws-enclave-vsockproxy/build/vsock-bridge/src/vsock-bridge ./vsockpx \
+    && rm -rf uid2-aws-enclave-vsockproxy
 
 COPY ./scripts/aws/pipeline/aws_nitro_eif.sh /aws_nitro_eif.sh
 

scripts/aws/pipeline/aws_nitro_eif.sh

@@ -10,5 +10,6 @@ while (! docker stats --no-stream >/dev/null 2>&1); do
     sleep 1
 done
 docker load -i $1.tar
+rm -f $1.tar
 nitro-cli build-enclave --docker-uri $1 --output-file $1.eif
 nitro-cli describe-eif --eif-path $1.eif | jq -r '.Measurements.PCR0' | xxd -r -p | base64 > pcr0.txt

scripts/aws/start.sh

@@ -81,7 +81,7 @@ function update_allocation() {
 function setup_vsockproxy() {
     VSOCK_PROXY=${VSOCK_PROXY:-/usr/bin/vsockpx}
     VSOCK_CONFIG=${VSOCK_CONFIG:-/etc/uid2operator/proxy.yaml}
-    VSOCK_THREADS=${VSOCK_THREADS:-$(( $(nproc) * 2 )) }
+    VSOCK_THREADS=${VSOCK_THREADS:-$(( ( $(nproc) + 1 ) / 2 )) }
     VSOCK_LOG_LEVEL=${VSOCK_LOG_LEVEL:-3}
     echo "starting vsock proxy at $VSOCK_PROXY with $VSOCK_THREADS worker threads..."
     $VSOCK_PROXY -c $VSOCK_CONFIG --workers $VSOCK_THREADS --log-level $VSOCK_LOG_LEVEL --daemon

scripts/azure-cc/conf/default-config.json

@@ -38,7 +38,5 @@
   "failure_shutdown_wait_hours": 120,
   "sharing_token_expiry_seconds": 2592000,
   "validate_service_links": false,
-  "advertising_token_v4_percentage": 100,
-  "site_ids_using_v4_tokens": "",
   "operator_type": "private"
 }

scripts/gcp-oidc/conf/default-config.json

@@ -38,7 +38,5 @@
   "failure_shutdown_wait_hours": 120,
   "sharing_token_expiry_seconds": 2592000,
   "validate_service_links": false,
-  "advertising_token_v4_percentage": 100,
-  "site_ids_using_v4_tokens": "",
   "operator_type": "private"
 }

src/main/java/com/uid2/operator/Main.java

@@ -414,7 +414,7 @@ private static Vertx createVertx() {
     }
 
     private static void setupMetrics(MicrometerMetricsOptions metricOptions) {
-        BackendRegistries.setupBackend(metricOptions);
+        BackendRegistries.setupBackend(metricOptions, null);
 
         MeterRegistry backendRegistry = BackendRegistries.getDefaultNow();
         if (backendRegistry instanceof PrometheusMeterRegistry) {
@@ -467,14 +467,14 @@ public DistributionStatisticConfig configure(Meter.Id id, DistributionStatisticC
                 .register(globalRegistry);
     }
 
-    private Map.Entry<UidCoreClient, UidOptOutClient> createUidClients(Vertx vertx, String attestationUrl, String clientApiToken, Handler<Pair<Integer, String>> responseWatcher) throws Exception {
+    private Map.Entry<UidCoreClient, UidOptOutClient> createUidClients(Vertx vertx, String attestationUrl, String clientApiToken, Handler<Pair<AttestationResponseCode, String>> responseWatcher) throws Exception {
         AttestationResponseHandler attestationResponseHandler = getAttestationTokenRetriever(vertx, attestationUrl, clientApiToken, responseWatcher);
         UidCoreClient coreClient = new UidCoreClient(clientApiToken, CloudUtils.defaultProxy, attestationResponseHandler);
         UidOptOutClient optOutClient = new UidOptOutClient(clientApiToken, CloudUtils.defaultProxy, attestationResponseHandler);
         return new AbstractMap.SimpleEntry<>(coreClient, optOutClient);
     }
 
-    private AttestationResponseHandler getAttestationTokenRetriever(Vertx vertx, String attestationUrl, String clientApiToken, Handler<Pair<Integer, String>> responseWatcher) throws Exception {
+    private AttestationResponseHandler getAttestationTokenRetriever(Vertx vertx, String attestationUrl, String clientApiToken, Handler<Pair<AttestationResponseCode, String>> responseWatcher) throws Exception {
         String enclavePlatform = this.config.getString(Const.Config.EnclavePlatformProp);
         String operatorType = this.config.getString(Const.Config.OperatorTypeProp, "");