Cbc UI d2 4454 cloud encryption operator #1175

Open: wants to merge 42 commits into base: main

Changes from 27 commits

Commits (42)
0a1154c
configs+initiate s3 key provider
lizk886 Jul 26, 2024
582ea54
small changes
lizk886 Jul 30, 2024
590b67e
update client
lizk886 Jul 30, 2024
e06509a
update shared repo
lizk886 Jul 30, 2024
275e5cb
keep original constructor
lizk886 Jul 30, 2024
4ef6e87
fix https
lizk886 Jul 30, 2024
7c25f1c
working
lizk886 Jul 31, 2024
12131f9
clean up
lizk886 Jul 31, 2024
1d85892
clean up
lizk886 Jul 31, 2024
08bf71a
clean up
lizk886 Jul 31, 2024
4c10d2d
clean up
lizk886 Jul 31, 2024
d106180
clean up
lizk886 Jul 31, 2024
195ec0d
push pom
lizk886 Aug 2, 2024
8700b1f
update configs to extreme big number
lizk886 Aug 2, 2024
20481ef
refactor
lizk886 Aug 2, 2024
88f2716
refactor
lizk886 Aug 2, 2024
8975886
update shared
lizk886 Aug 2, 2024
fc96012
only be able to decrypt keyset and keyset_keys, needs to figure out w…
lizk886 Aug 3, 2024
1083e59
update
lizk886 Aug 6, 2024
18ccab1
update with unit tests
lizk886 Aug 7, 2024
578992c
update site
lizk886 Aug 7, 2024
264eefe
Merging up to main
cody-constine-ttd Nov 12, 2024
3343974
Merge branch 'wzh-uid2-3573-call-endpoint-for-s3encyrptionkeys-list' …
cody-constine-ttd Nov 19, 2024
a0a099c
Merging
cody-constine-ttd Nov 20, 2024
07f4da8
Catching up to rename changes
cody-constine-ttd Nov 20, 2024
eb0fd11
Renaming + adding get version for api key class
cody-constine-ttd Nov 22, 2024
aad4592
Renaming and adding small fixes
cody-constine-ttd Nov 25, 2024
bc2d667
Catching up to main
cody-constine-ttd Dec 2, 2024
5922a29
Updated the API reader to make simpler
cody-constine-ttd Dec 6, 2024
5383c0b
Adding new readers for salts and client side keypairs
cody-constine-ttd Dec 12, 2024
bfe7849
Finishing salts and clientside keys
cody-constine-ttd Dec 13, 2024
9c9b1b9
Adding new constructor to rotatingCloudEncryptionProvider
cody-constine-ttd Dec 13, 2024
3452457
Updating shared
cody-constine-ttd Dec 13, 2024
fd2c0c5
[CI Pipeline] Released Snapshot version: 5.42.1-alpha-144-SNAPSHOT
Dec 13, 2024
d075362
Adding new operator version
cody-constine-ttd Dec 15, 2024
1a8635f
[CI Pipeline] Released Snapshot version: 5.42.1-alpha-145-SNAPSHOT
Dec 15, 2024
0740739
Merging up to main
cody-constine-ttd Dec 15, 2024
d2e25af
[CI Pipeline] Released Snapshot version: 5.43.5-alpha-146-SNAPSHOT
Dec 15, 2024
bdcaf8b
[CI Pipeline] Released Snapshot version: 5.43.6-alpha-147-SNAPSHOT
Dec 16, 2024
33763cc
Adding all the configs for private operators
cody-constine-ttd Dec 16, 2024
e63d5e2
Merge branch 'cbc-UID2-4454-cloud-encryption-operator' of github.com:…
cody-constine-ttd Dec 16, 2024
5163db8
Upping the default cloud encryption rotation interval
cody-constine-ttd Dec 16, 2024
1 change: 1 addition & 0 deletions conf/default-config.json
Original file line number Diff line number Diff line change
@@ -30,6 +30,7 @@
"salts_metadata_path": "salts/metadata.json",
"services_metadata_path": "services/metadata.json",
"service_links_metadata_path": "service_links/metadata.json",
"cloud_encryption_keys_metadata_path": "cloud_encryption_keys/metadata.json",
"optout_metadata_path": null,
"optout_inmem_cache": false,
"enclave_platform": null,
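Review bot: the default value added here is a file-shaped path (`cloud_encryption_keys/metadata.json`, like the neighbouring `*_metadata_path` entries), whereas every integ and e2e config in this PR points the same key at core's `/cloud_encryption_keys/retrieve` endpoint, and the consumer wired in Main.java is RotatingCloudEncryptionKeyApiProvider, whose loadContent reads a `cloudEncryptionKeys` JSON array rather than a `location` pointer. Please confirm that a file-backed default actually loads, or change the default to the endpoint so an operator that inherits this default does not fail at startup.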
1 change: 1 addition & 0 deletions conf/docker-config.json
Original file line number Diff line number Diff line change
@@ -32,6 +32,7 @@
"salts_metadata_path": "/com.uid2.core/test/salts/metadata.json",
"services_metadata_path": "/com.uid2.core/test/services/metadata.json",
"service_links_metadata_path": "/com.uid2.core/test/service_links/metadata.json",
"cloud_encryption_keys_metadata_path": "/com.uid2.core/test/cloud_encryption_keys/metadata.json",
"identity_token_expires_after_seconds": 3600,
"optout_metadata_path": null,
"optout_inmem_cache": false,
2 changes: 1 addition & 1 deletion conf/integ-config.json
Original file line number Diff line number Diff line change
@@ -14,6 +14,6 @@
"optout_api_token": "test-operator-key",
"optout_api_uri": "http://localhost:8081/optout/replicate",
"salts_expired_shutdown_hours": 12,
"cloud_encryption_keys_metadata_path": "http://localhost:8088/cloud_encryption_keys/retrieve",
"operator_type": "public"

}
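Review bot: the file header counts one deletion and the hunk keeps a six-line span (`-14,6 +14,6`), but the rendered view shows only the added `cloud_encryption_keys_metadata_path` line; please confirm which line was removed so the object still parses (a trailing-comma slip on `"operator_type": "public"` is the usual casualty of inserting a key above the last entry). The endpoint is plain `http://localhost:8088`, consistent with `optout_api_uri` above it; that is acceptable for a loopback integ run only, because this endpoint returns key secrets, not just metadata.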
1 change: 1 addition & 0 deletions conf/local-config.json
Original file line number Diff line number Diff line change
@@ -9,6 +9,7 @@
"salts_metadata_path": "/com.uid2.core/test/salts/metadata.json",
"services_metadata_path": "/com.uid2.core/test/services/metadata.json",
"service_links_metadata_path": "/com.uid2.core/test/service_links/metadata.json",
"cloud_encryption_keys_metadata_path":"/com.uid2.core/test/cloud_encryption_keys/metadata.json",
"identity_token_expires_after_seconds": 3600,
"refresh_token_expires_after_seconds": 86400,
"refresh_identity_token_after_seconds": 900,
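Review bot: style nit on the added line: there is no space after the colon in `"cloud_encryption_keys_metadata_path":"/com.uid2.core/test/...`, while every other key in this file is written `"key": value`. Harmless to the parser, but it breaks the file's formatting and will show up in every future diff of this block.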
1 change: 1 addition & 0 deletions conf/local-e2e-docker-private-config.json
Original file line number Diff line number Diff line change
@@ -11,6 +11,7 @@
"keysets_metadata_path": "http://core:8088/key/keyset/refresh",
"keyset_keys_metadata_path": "http://core:8088/key/keyset-keys/refresh",
"salts_metadata_path": "http://core:8088/salt/refresh",
"cloud_encryption_keys_metadata_path": "http://core:8088/cloud_encryption_keys/retrieve",
"identity_token_expires_after_seconds": 3600,
"refresh_token_expires_after_seconds": 86400,
"refresh_identity_token_after_seconds": 900,
1 change: 1 addition & 0 deletions conf/local-e2e-docker-public-config.json
Original file line number Diff line number Diff line change
@@ -13,6 +13,7 @@
"salts_metadata_path": "http://core:8088/salt/refresh",
"services_metadata_path": "http://core:8088/services/refresh",
"service_links_metadata_path": "http://core:8088/service_links/refresh",
"cloud_encryption_keys_metadata_path": "http://core:8088/cloud_encryption_keys/retrieve",
"identity_token_expires_after_seconds": 3600,
"refresh_token_expires_after_seconds": 86400,
"refresh_identity_token_after_seconds": 900,
1 change: 1 addition & 0 deletions conf/local-e2e-private-config.json
Original file line number Diff line number Diff line change
@@ -13,6 +13,7 @@
"salts_metadata_path": "http://localhost:8088/salt/refresh",
"services_metadata_path": "http://localhost:8088/services/refresh",
"service_links_metadata_path": "http://localhost:8088/service_links/refresh",
"cloud_encryption_keys_metadata_path": "http://core:8088/cloud_encryption_keys/retrieve",
"identity_token_expires_after_seconds": 3600,
"refresh_token_expires_after_seconds": 86400,
"refresh_identity_token_after_seconds": 900,
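Review bot: host mismatch on the added line: it points at `http://core:8088/cloud_encryption_keys/retrieve`, while every other endpoint in this file (`salts_metadata_path`, `services_metadata_path`, `service_links_metadata_path`) uses `http://localhost:8088/...`. `core` is the compose service name used by the `-docker-` variants of these configs; in this non-docker config the first cloud encryption key refresh will fail to resolve it. Suggest `"cloud_encryption_keys_metadata_path": "http://localhost:8088/cloud_encryption_keys/retrieve"`.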
1 change: 1 addition & 0 deletions conf/local-e2e-public-config.json
Original file line number Diff line number Diff line change
@@ -13,6 +13,7 @@
"salts_metadata_path": "http://localhost:8088/salt/refresh",
"services_metadata_path": "http://localhost:8088/services/refresh",
"service_links_metadata_path": "http://localhost:8088/service_links/refresh",
"cloud_encryption_keys_metadata_path": "http://core:8088/cloud_encryption_keys/retrieve",
"identity_token_expires_after_seconds": 3600,
"refresh_token_expires_after_seconds": 86400,
"refresh_identity_token_after_seconds": 900,
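Review bot: same host mismatch as in the private variant of this config: the added line targets `http://core:8088/...` while the three neighbouring endpoints in this file are `http://localhost:8088/...`. This is the non-docker public config, so `core` will not resolve and the cloud encryption key store will never load. Use `http://localhost:8088/cloud_encryption_keys/retrieve` here.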
1 change: 1 addition & 0 deletions conf/validator-latest-e2e-docker-public-config.json
Original file line number Diff line number Diff line change
@@ -14,6 +14,7 @@
"salts_metadata_path": "http://core:8088/salt/refresh",
"services_metadata_path": "http://core:8088/services/refresh",
"service_links_metadata_path": "http://core:8088/service_links/refresh",
"cloud_encryption_keys_metadata_path": "https://core:8088/cloud_encryption_keys/retrieve",
"identity_token_expires_after_seconds": 3600,
"refresh_token_expires_after_seconds": 86400,
"refresh_identity_token_after_seconds": 900,
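Review bot: scheme mismatch: the added line is `https://core:8088/cloud_encryption_keys/retrieve`, while the three neighbouring endpoints use `http://core:8088/...`. Unless core terminates TLS on 8088 in the validator compose setup, this fetch will fail at the TLS handshake and the key store never loads. Match the scheme of the other entries, or, if TLS is the intent for key material, switch the salt/service endpoints in this file as well rather than leaving one outlier.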
4 changes: 2 additions & 2 deletions pom.xml
Original file line number Diff line number Diff line change
@@ -6,7 +6,7 @@

<groupId>com.uid2</groupId>
<artifactId>uid2-operator</artifactId>
<version>5.42.6</version>
<version>6.0.0</version>

<properties>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
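Review bot: this takes the operator from 5.42.6 straight to 6.0.0, but the commit list shows CI snapshots 5.43.5-alpha-146 and 5.43.6-alpha-147 cut from this same branch, so main has already moved past 5.42.6 and this line will conflict on the next merge-up. If 6.0.0 is the intended release number, state the breaking change it signals (every deployment now needs `cloud_encryption_keys_metadata_path`, and the store constructors gain a parameter) in the PR description.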
@@ -22,7 +22,7 @@
<enclave-aws.version>2.1.0</enclave-aws.version>
<enclave-azure.version>2.1.0</enclave-azure.version>
<enclave-gcp.version>2.1.0</enclave-gcp.version>
<uid2-shared.version>7.20.4</uid2-shared.version>
<uid2-shared.version>8.0.0</uid2-shared.version>
<image.version>${project.version}</image.version>
<maven.compiler.source>21</maven.compiler.source>
<maven.compiler.target>21</maven.compiler.target>
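Review bot: uid2-shared 7.20.4 to 8.0.0 is a major bump; please confirm 8.0.0 is a published release, not a local snapshot, and that it contains everything the new code imports and calls: `RotatingCloudEncryptionKeyProvider`, `CloudEncryptionKeyParser` and `CloudEncryptionKey` from the reader classes, plus the three-argument constructors of RotatingClientKeyProvider, RotatingKeysetProvider, RotatingKeysetKeyStore and RotatingSiteStore that Main.java now calls with the cloud encryption key provider.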
16 changes: 12 additions & 4 deletions src/main/java/com/uid2/operator/Main.java
Original file line number Diff line number Diff line change
@@ -8,6 +8,7 @@
import com.uid2.operator.monitoring.IStatsCollectorQueue;
import com.uid2.operator.monitoring.OperatorMetrics;
import com.uid2.operator.monitoring.StatsCollectorVerticle;
import com.uid2.operator.reader.RotatingCloudEncryptionKeyApiProvider;
import com.uid2.operator.service.SecureLinkValidatorService;
import com.uid2.operator.service.ShutdownService;
import com.uid2.operator.vertx.Endpoints;
@@ -81,6 +82,7 @@ public class Main {
private IStatsCollectorQueue _statsCollectorQueue;
private RotatingServiceStore serviceProvider;
private RotatingServiceLinkStore serviceLinkProvider;
private RotatingCloudEncryptionKeyApiProvider cloudEncryptionKeyProvider;

public Main(Vertx vertx, JsonObject config) throws Exception {
this.vertx = vertx;
@@ -132,15 +134,17 @@ public Main(Vertx vertx, JsonObject config) throws Exception {
this.fsOptOut = configureCloudOptOutStore();
}

String cloudEncryptionKeyMdPath = this.config.getString(Const.Config.CloudEncryptionKeysMetadataPathProp);
this.cloudEncryptionKeyProvider = new RotatingCloudEncryptionKeyApiProvider(fsStores, new GlobalScope(new CloudPath(cloudEncryptionKeyMdPath)));
String sitesMdPath = this.config.getString(Const.Config.SitesMetadataPathProp);
String keypairMdPath = this.config.getString(Const.Config.ClientSideKeypairsMetadataPathProp);
this.clientSideKeypairProvider = new RotatingClientSideKeypairStore(fsStores, new GlobalScope(new CloudPath(keypairMdPath)));
String clientsMdPath = this.config.getString(Const.Config.ClientsMetadataPathProp);
this.clientKeyProvider = new RotatingClientKeyProvider(fsStores, new GlobalScope(new CloudPath(clientsMdPath)));
this.clientKeyProvider = new RotatingClientKeyProvider(fsStores, new GlobalScope(new CloudPath(clientsMdPath)), cloudEncryptionKeyProvider);
String keysetKeysMdPath = this.config.getString(Const.Config.KeysetKeysMetadataPathProp);
this.keysetKeyStore = new RotatingKeysetKeyStore(fsStores, new GlobalScope(new CloudPath(keysetKeysMdPath)));
this.keysetKeyStore = new RotatingKeysetKeyStore(fsStores, new GlobalScope(new CloudPath(keysetKeysMdPath)), cloudEncryptionKeyProvider);
String keysetMdPath = this.config.getString(Const.Config.KeysetsMetadataPathProp);
this.keysetProvider = new RotatingKeysetProvider(fsStores, new GlobalScope(new CloudPath(keysetMdPath)));
this.keysetProvider = new RotatingKeysetProvider(fsStores, new GlobalScope(new CloudPath(keysetMdPath)), cloudEncryptionKeyProvider);
String saltsMdPath = this.config.getString(Const.Config.SaltsMetadataPathProp);
this.saltProvider = new RotatingSaltProvider(fsStores, saltsMdPath);
this.optOutStore = new CloudSyncOptOutStore(vertx, fsLocal, this.config, operatorKey, Clock.systemUTC());
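Review bot: `cloudEncryptionKeyMdPath` is read with `getString` and handed to `new CloudPath(...)` with no null check, so an operator whose config predates this PR and lacks `cloud_encryption_keys_metadata_path` fails here (or on the first refresh) with a null path instead of a clear configuration error; validate the property explicitly and name it in the message. Separately, the provider is passed to `clientKeyProvider`, `keysetKeyStore` and `keysetProvider` but not to `RotatingSaltProvider` or `RotatingClientSideKeypairStore` on the lines right next to them, although commits 5383c0b and bfe7849 in this PR are titled as adding readers for salts and client side keypairs; confirm those two stores are meant to stay unencrypted, or wire them up the same way.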
@@ -152,7 +156,7 @@ public Main(Vertx vertx, JsonObject config) throws Exception {
this.serviceLinkProvider = new RotatingServiceLinkStore(fsStores, new GlobalScope(new CloudPath(serviceLinkMdPath)));
}

this.siteProvider = clientSideTokenGenerate ? new RotatingSiteStore(fsStores, new GlobalScope(new CloudPath(sitesMdPath))) : null;
this.siteProvider = clientSideTokenGenerate ? new RotatingSiteStore(fsStores, new GlobalScope(new CloudPath(sitesMdPath)), cloudEncryptionKeyProvider) : null;

if (useStorageMock && coreAttestUrl == null) {
if (clientSideTokenGenerate) {
@@ -163,6 +167,7 @@ public Main(Vertx vertx, JsonObject config) throws Exception {
this.saltProvider.loadContent();
this.keysetProvider.loadContent();
this.keysetKeyStore.loadContent();
this.cloudEncryptionKeyProvider.loadContent();

if (this.validateServiceLinks) {
this.serviceProvider.loadContent();
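Review bot: load order in the storage-mock branch: `cloudEncryptionKeyProvider.loadContent()` runs after `keysetProvider.loadContent()` and `keysetKeyStore.loadContent()`, yet both of those stores were constructed with `cloudEncryptionKeyProvider` in the hunk above, presumably so they can decrypt what they load. Move the cloud key load to the top of this block, ahead of `saltProvider.loadContent()`, so the first decryption does not run against an empty key map.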
@@ -302,6 +307,8 @@ private void run() throws Exception {

private Future<Void> createStoreVerticles() throws Exception {
// load metadatas for the first time
cloudEncryptionKeyProvider.loadContent();

if (clientSideTokenGenerate) {
siteProvider.getMetadata();
clientSideKeypairProvider.getMetadata();
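Review bot: this `loadContent()` is synchronous and throws on any failure to fetch or parse the metadata path, which aborts startup, whereas the stores that follow only call `getMetadata()` at this point. Failing fast on the key store that the other stores decrypt with is defensible, but say so in a comment (the existing `// load metadatas for the first time` no longer describes what this line does), and note that on the storage-mock path this is a second full load after the one in the constructor.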
@@ -330,6 +337,7 @@ private Future<Void> createStoreVerticles() throws Exception {
fs.add(createAndDeployRotatingStoreVerticle("auth", clientKeyProvider, "auth_refresh_ms"));
fs.add(createAndDeployRotatingStoreVerticle("keyset", keysetProvider, "keyset_refresh_ms"));
fs.add(createAndDeployRotatingStoreVerticle("keysetkey", keysetKeyStore, "keysetkey_refresh_ms"));
fs.add(createAndDeployRotatingStoreVerticle("cloud_encryption_keys", cloudEncryptionKeyProvider, "cloud_encryption_keys_refresh_ms"));
fs.add(createAndDeployRotatingStoreVerticle("salt", saltProvider, "salt_refresh_ms"));
fs.add(createAndDeployCloudSyncStoreVerticle("optout", fsOptOut, optOutCloudSync));
CompositeFuture.all(fs).onComplete(ar -> {
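Review bot: the new verticle reads `cloud_encryption_keys_refresh_ms`, but none of the config files changed in this PR add that key, so check that `createAndDeployRotatingStoreVerticle` tolerates a missing value rather than failing the deploy. Also, because `RotatingCloudEncryptionKeyApiProvider.getVersion()` returns the current epoch second, every tick of this verticle reloads the full key list from core; the interval is therefore the polling rate against core and should be set deliberately in each config rather than inherited from whatever the other stores use.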
51 changes: 51 additions & 0 deletions src/main/java/com/uid2/operator/reader/ApiStoreReader.java
Original file line number Diff line number Diff line change
@@ -0,0 +1,51 @@
package com.uid2.operator.reader;

import com.uid2.shared.cloud.DownloadCloudStorage;
import com.uid2.shared.store.ScopedStoreReader;
import com.uid2.shared.store.parser.Parser;
import com.uid2.shared.store.parser.ParsingResult;
import com.uid2.shared.store.scope.StoreScope;
import io.vertx.core.json.JsonArray;
import io.vertx.core.json.JsonObject;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;

public class ApiStoreReader<T> extends ScopedStoreReader<T> {
private static final Logger LOGGER = LoggerFactory.getLogger(ApiStoreReader.class);

public ApiStoreReader(DownloadCloudStorage fileStreamProvider, StoreScope scope, Parser<T> parser, String dataTypeName) {
super(fileStreamProvider, scope, parser, dataTypeName);
}

@Override
public long loadContent(JsonObject contents, String dataType) throws Exception {
if (contents == null) {
throw new IllegalArgumentException(String.format("No contents provided for loading data type %s, cannot load content", dataType));
}

try {
JsonArray dataArray = contents.getJsonArray(dataType);
if (dataArray == null) {
throw new IllegalArgumentException("No array found in the contents");
Contributor: Would it be useful to include the dataType in the error message?
}

String jsonString = dataArray.toString();
InputStream inputStream = new ByteArrayInputStream(jsonString.getBytes(StandardCharsets.UTF_8));

ParsingResult<T> parsed = parser.deserialize(inputStream);
latestSnapshot.set(parsed.getData());

final int count = parsed.getCount();
latestEntryCount.set(count);
LOGGER.info(String.format("Loaded %d %s", count, dataTypeName));
return count;
} catch (Exception e) {
LOGGER.error(String.format("Unable to load %s", dataTypeName));
throw e;
}
}
}
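Review bot: the catch block logs `LOGGER.error(String.format("Unable to load %s", dataTypeName))` without the exception and then rethrows, so the log line carries no cause and no stack trace; pass `e` as the last argument (`LOGGER.error("Unable to load {}", dataTypeName, e)`). On the same path, `contents.getJsonArray(dataType)` throws ClassCastException when the key holds a non-array value, which surfaces through that catch with no hint of which data type was being loaded, and the `"No array found in the contents"` message omits it too (as already raised inline); include `dataType` in both. Finally, the JsonArray is round-tripped through `toString()` into a `ByteArrayInputStream` purely to reuse `Parser.deserialize(InputStream)`; a one-line comment saying so will save the next reader a puzzle.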
Original file line number Diff line number Diff line change
@@ -0,0 +1,56 @@
package com.uid2.operator.reader;

import com.uid2.shared.cloud.DownloadCloudStorage;
import com.uid2.shared.model.CloudEncryptionKey;
import com.uid2.shared.store.CloudPath;
import com.uid2.shared.store.parser.CloudEncryptionKeyParser;
import com.uid2.shared.store.reader.RotatingCloudEncryptionKeyProvider;
import com.uid2.shared.store.scope.StoreScope;
import io.vertx.core.json.JsonObject;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import java.time.Instant;
import java.util.*;

public class RotatingCloudEncryptionKeyApiProvider extends RotatingCloudEncryptionKeyProvider {
private static final Logger LOGGER = LoggerFactory.getLogger(RotatingCloudEncryptionKeyApiProvider.class);

public ApiStoreReader<Map<Integer, CloudEncryptionKey>> apiStoreReader;
Contributor: does this need to be public?

public RotatingCloudEncryptionKeyApiProvider(DownloadCloudStorage fileStreamProvider, StoreScope scope) {
super(fileStreamProvider, scope);
this.apiStoreReader = new ApiStoreReader<>(fileStreamProvider, scope, new CloudEncryptionKeyParser(), "cloud_encryption_keys");
}

@Override
public JsonObject getMetadata() throws Exception {
return apiStoreReader.getMetadata();
}

@Override
public CloudPath getMetadataPath() {
return apiStoreReader.getMetadataPath();
}

@Override
public long loadContent(JsonObject metadata) throws Exception {
return apiStoreReader.loadContent(metadata, "cloudEncryptionKeys");
}

@Override
public long getVersion(JsonObject metadata) {
return Instant.now().getEpochSecond();
Contributor: why isn't it metadata.getLong("version") ?

Contributor Author: Because this is using an API to get the data, not a file, so there is no metadata to look the version up in. So I just used the time here to force a refresh every time.

Contributor: This probably needs a comment explaining why you are doing this, as I feel we will forget.
}

@Override
public Map<Integer, CloudEncryptionKey> getAll() {
Map<Integer, CloudEncryptionKey> keys = apiStoreReader.getSnapshot();
return keys != null ? keys : new HashMap<>();
}

@Override
public void loadContent() throws Exception {
this.loadContent(this.getMetadata());
}
}
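Review bot: `super(fileStreamProvider, scope)` still builds the parent class's own reader, and every method overridden here (`getMetadata`, `getMetadataPath`, `loadContent`, `getAll`) redirects to `apiStoreReader` instead, so the object carries two readers and any parent accessor that is not overridden, now or later, silently answers from the empty parent snapshot. Either add a parent constructor that takes the reader, or override every public accessor and state in a class comment that the parent reader is unused. `getVersion()` returning `Instant.now().getEpochSecond()` needs the code comment asked for above, and it should say plainly that this forces a full reload on every refresh tick. `apiStoreReader` should be private (also raised above), and `import java.util.*` can be narrowed to `Map` and `HashMap`.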
Original file line number Diff line number Diff line change
@@ -0,0 +1,73 @@
[ {
"id" : 1,
"siteId" : 999,
"activates" : 1720641670,
"created" : 1720641670,
"secret" : "mydrCudb2PZOm01Qn0SpthltmexHUAA11Hy1m+uxjVw="
}, {
"id" : 2,
"siteId" : 999,
"activates" : 1720728070,
"created" : 1720641670,
"secret" : "FtdslrFSsvVXOuhOWGwEI+0QTkCvM8SGZAP3k2u3PgY="
}, {
"id" : 3,
"siteId" : 999,
"activates" : 1720814470,
"created" : 1720641670,
"secret" : "/7zO6QbKrhZKIV36G+cU9UR4hZUVg5bD+KjbczICjHw="
}, {
"id" : 4,
"siteId" : 123,
"activates" : 1720641671,
"created" : 1720641671,
"secret" : "XjiqRlWQQJGLr7xfV1qbueKwyzt881GVohuUkQt/ht4="
}, {
"id" : 5,
"siteId" : 123,
"activates" : 1720728071,
"created" : 1720641671,
"secret" : "QmpIf5NzO+UROjl5XjB/BmF6paefM8n6ub9B2plC9aI="
}, {
"id" : 6,
"siteId" : 123,
"activates" : 1720814471,
"created" : 1720641671,
"secret" : "40w9UMSYxGm+KldOWOXhBGI8QgjvUUQjivtkP4VpKV8="
}, {
"id" : 7,
"siteId" : 124,
"activates" : 1720641671,
"created" : 1720641671,
"secret" : "QdwD0kQV1BwmLRD0PH1YpqgaOrgpVTfu08o98mSZ6uE="
}, {
"id" : 8,
"siteId" : 124,
"activates" : 1720728071,
"created" : 1720641671,
"secret" : "yCVCM/HLf9/6k+aUNrx7w17VbyfSzI8JykLQLSR+CW0="
}, {
"id" : 9,
"siteId" : 124,
"activates" : 1720814471,
"created" : 1720641671,
"secret" : "JqHl8BrTyx9XpR2lYj/5xvUpzgnibGeomETTwF4rn1U="
}, {
"id" : 10,
"siteId" : 127,
"activates" : 1720641671,
"created" : 1720641671,
"secret" : "JqiG1b34AvrdO3Aj6cCcjOBJMijrDzTmrR+p9ZtP2es="
}, {
"id" : 11,
"siteId" : 127,
"activates" : 1720728072,
"created" : 1720641672,
"secret" : "lp1CyHdfc7K0aO5JGpA+Ve5Z/V5LImtGEQwCg/YB0kY="
}, {
"id" : 12,
"siteId" : 127,
"activates" : 1720814472,
"created" : 1720641672,
"secret" : "G99rFYJF+dnSlk/xG6fuC3WNqQxTLJbDIdVyPMbGQ6s="
} ]
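Review bot: the file header for this fixture is not rendered in this view, so its location cannot be checked here; please make sure it lives under test resources and is not packaged into the operator image, because each entry carries a 44-character base64 `secret` (32 bytes, the shape of a real cloud encryption key) and a plausible `siteId`. The data itself is consistent: three keys per site with `activates` values 86400 s apart and a shared `created`, which is enough to exercise activation ordering and rotation in the provider under test.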
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
{
"version": 1,
"generated": 1620253519,
"cloud_encryption_keys": {
"location": "/com.uid2.core/test/cloud_encryption_keys/cloud_encryption_keys.json"
}
}
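Review bot: this metadata has the file-store shape (`"cloud_encryption_keys": { "location": ... }`), but `RotatingCloudEncryptionKeyApiProvider.loadContent(metadata)` calls `apiStoreReader.loadContent(metadata, "cloudEncryptionKeys")`, which does `contents.getJsonArray("cloudEncryptionKeys")` and throws `"No array found in the contents"` when that key is absent. Unless `getMetadata()` already follows `location` and returns the array under that name, the local and docker configs that point at this file cannot load. Either teach the reader to follow `location` for file-backed paths, or rename the key and inline the array so this fixture matches what the `/cloud_encryption_keys/retrieve` endpoint returns.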