Load azure secret from vault in JAVA code

.github/workflows/publish-azure-cc-enclave-docker.yaml

@@ -134,6 +134,7 @@ jobs:
 
       - name: Test with Trivy vulnerability scanner
         uses: aquasecurity/trivy-action@master
+        if: inputs.publish_vulnerabilities == 'true'
         with:
           image-ref: ${{ steps.meta.outputs.tags }}
           format: 'table'

pom.xml

@@ -6,8 +6,7 @@
 
     <groupId>com.uid2</groupId>
     <artifactId>uid2-operator</artifactId>
-    <version>5.18.56-213c024b90</version>
-
+    <version>5.18.68-SNAPSHOT</version>
     <properties>
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
         <vertx.version>4.3.8</vertx.version>
@@ -18,14 +17,28 @@
         <vertx.verticle>com.uid2.operator.vertx.UIDOperatorVerticle</vertx.verticle>
         <!-- check micrometer.version vertx-micrometer-metrics consumes before bumping up -->
         <micrometer.version>1.1.0</micrometer.version>
-        <enclave-api.version>1.4.0-e5df2e10aa</enclave-api.version>
+        <enclave-api.version>1.5.0-676519b018</enclave-api.version>
         <enclave-aws.version>1.1.0</enclave-aws.version>
-        <enclave-azure.version>1.3.0-1246054713</enclave-azure.version>
+        <enclave-azure.version>1.3.2-SNAPSHOT</enclave-azure.version>
         <enclave-gcp.version>1.3.4-649b0b4f7f</enclave-gcp.version>
-        <uid2-shared.version>5.13.0-a714a3ef26</uid2-shared.version>
+        <uid2-shared.version>5.13.2-SNAPSHOT</uid2-shared.version>
         <image.version>${project.version}</image.version>
     </properties>
 
+
+    <repositories>
+        <repository>
+            <id>snapshots-repo</id>
+            <url>https://s01.oss.sonatype.org/content/repositories/snapshots</url>
+            <releases>
+                <enabled>false</enabled>
+            </releases>
+            <snapshots>
+                <enabled>true</enabled>
+            </snapshots>
+        </repository>
+    </repositories>
+
     <dependencies>
         <dependency>
             <groupId>com.google.guava</groupId>

scripts/azure-cc/entrypoint.sh

@@ -2,7 +2,6 @@
 #
 # This script must be compatible with Ash (provided in eclipse-temurin Docker image) and Bash
 
-# -- set API tokens
 if [ -z "${VAULT_NAME}" ]; then
   echo "VAULT_NAME cannot be empty"
   exit 1
@@ -13,20 +12,8 @@ if [ -z "${OPERATOR_KEY_SECRET_NAME}" ]; then
   exit 1
 fi
 
-ACCESS_TOKEN=$(wget "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fvault.azure.net" -q --header "Metadata: true" -O -| jq -e -r ".access_token")
-if [ $? -ne 0 -o -z "${ACCESS_TOKEN}" ]; then
-  echo "Failed to get access token"
-  exit 1
-fi
-
-OPERATOR_KEY=$(wget "https://${VAULT_NAME}.vault.azure.net/secrets/${OPERATOR_KEY_SECRET_NAME}/?api-version=7.4" -q --header "authorization: Bearer ${ACCESS_TOKEN}" --header "content-type: application/json" -O - | jq -e -r ".value")
-if [ $? -ne 0 -o -z "${OPERATOR_KEY}" ]; then
-  echo "Failed to get operator key"
-  exit 1
-fi
-
-export core_api_token="${OPERATOR_KEY}"
-export optout_api_token="${OPERATOR_KEY}"
+export azure_vault_name="${VAULT_NAME}"
+export azure_secret_name="${OPERATOR_KEY_SECRET_NAME}"
 
 # -- locate config file
 if [ -z "${DEPLOYMENT_ENVIRONMENT}" ]; then

src/main/java/com/uid2/operator/Const.java

@@ -16,5 +16,9 @@ public class Config extends com.uid2.shared.Const.Config {
         public static final String SharingTokenExpiryProp = "sharing_token_expiry_seconds";
         public static final String EnableClientSideTokenGenerate = "client_side_token_generate";
         public static final String ValidateServiceLinks = "validate_service_links";
+
+        public static final String AzureVaultNameProp = "azure_vault_name";
+        public static final String AzureSecretNameProp = "azure_secret_name";
+
     }
 }

src/main/java/com/uid2/operator/Main.java

@@ -1,12 +1,14 @@
 package com.uid2.operator;
 
 import ch.qos.logback.classic.LoggerContext;
+import com.uid2.enclave.IOperatorKeyRetriever;
 import com.uid2.operator.model.KeyManager;
 import com.uid2.operator.monitoring.IStatsCollectorQueue;
 import com.uid2.operator.monitoring.OperatorMetrics;
 import com.uid2.operator.monitoring.StatsCollectorVerticle;
 import com.uid2.operator.service.SecureLinkValidatorService;
-import com.uid2.operator.store.*;
+import com.uid2.operator.store.CloudSyncOptOutStore;
+import com.uid2.operator.store.OptOutCloudStorage;
 import com.uid2.operator.vertx.OperatorDisableHandler;
 import com.uid2.operator.vertx.UIDOperatorVerticle;
 import com.uid2.shared.ApplicationVersion;
@@ -92,13 +94,16 @@ public Main(Vertx vertx, JsonObject config) throws Exception {
         this.validateServiceLinks = config.getBoolean(Const.Config.ValidateServiceLinks, false);
 
         String coreAttestUrl = this.config.getString(Const.Config.CoreAttestUrlProp);
+
+        var operatorKeyRetriever = createOperatorKeyRetriever();
+        var operatorKey = operatorKeyRetriever.retrieve();
+
         DownloadCloudStorage fsStores;
         if (coreAttestUrl != null) {
-            String coreApiToken = this.config.getString(Const.Config.CoreApiTokenProp);
             Duration disableWaitTime = Duration.ofHours(this.config.getInteger(Const.Config.FailureShutdownWaitHoursProp, 120));
             this.disableHandler = new OperatorDisableHandler(disableWaitTime, Clock.systemUTC());
 
-            var clients = createUidClients(this.vertx, coreAttestUrl, coreApiToken, this.disableHandler::handleResponseStatus);
+            var clients = createUidClients(this.vertx, coreAttestUrl, operatorKey, this.disableHandler::handleResponseStatus);
             UidCoreClient coreClient = clients.getKey();
             UidOptOutClient optOutClient = clients.getValue();
             fsStores = coreClient;
@@ -133,7 +138,7 @@ public Main(Vertx vertx, JsonObject config) throws Exception {
         this.keysetProvider = new RotatingKeysetProvider(fsStores, new GlobalScope(new CloudPath(keysetMdPath)));
         String saltsMdPath = this.config.getString(Const.Config.SaltsMetadataPathProp);
         this.saltProvider = new RotatingSaltProvider(fsStores, saltsMdPath);
-        this.optOutStore = new CloudSyncOptOutStore(vertx, fsLocal, this.config);
+        this.optOutStore = new CloudSyncOptOutStore(vertx, fsLocal, this.config, operatorKey);
 
         if (this.validateServiceLinks) {
             String serviceMdPath = this.config.getString(Const.Config.ServiceMetadataPathProp);
@@ -484,4 +489,19 @@ private Map.Entry<UidCoreClient, UidOptOutClient> createUidClients(Vertx vertx,
         UidOptOutClient optOutClient = new UidOptOutClient(clientApiToken, CloudUtils.defaultProxy, enforceHttps, attestationTokenRetriever);
         return new AbstractMap.SimpleEntry<>(coreClient, optOutClient);
     }
+
+    private IOperatorKeyRetriever createOperatorKeyRetriever() throws Exception {
+        var enclavePlatform = this.config.getString("enclave_platform", "");
+        switch (enclavePlatform) {
+            case "azure-cc": {
+                var vaultName = this.config.getString(Const.Config.AzureVaultNameProp);
+                var secretName = this.config.getString(Const.Config.AzureSecretNameProp);
+                return OperatorKeyRetrieverFactory.getAzureOperatorKeyRetriever(vaultName, secretName);
+            }
+            default: {
+                // default to load from config
+                return () -> this.config.getString(Const.Config.CoreApiTokenProp);
+            }
+        }
+    }
 }

src/main/java/com/uid2/operator/store/CloudSyncOptOutStore.java

@@ -19,11 +19,11 @@
 import io.vertx.core.Handler;
 import io.vertx.core.Vertx;
 import io.vertx.core.json.JsonObject;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
 import io.vertx.ext.web.client.HttpResponse;
 import io.vertx.ext.web.client.WebClient;
 import io.vertx.ext.web.codec.BodyCodec;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 
 import java.io.IOException;
 import java.io.InputStream;
@@ -48,7 +48,7 @@ public class CloudSyncOptOutStore implements IOptOutStore {
     private final String remoteApiPath;
     private final String remoteApiBearerToken;
 
-    public CloudSyncOptOutStore(Vertx vertx, ICloudStorage fsLocal, JsonObject jsonConfig) throws MalformedURLException {
+    public CloudSyncOptOutStore(Vertx vertx, ICloudStorage fsLocal, JsonObject jsonConfig, String operatorKey) throws MalformedURLException {
         this.fsLocal = fsLocal;
         this.webClient = WebClient.create(vertx);
 
@@ -58,7 +58,7 @@ public CloudSyncOptOutStore(Vertx vertx, ICloudStorage fsLocal, JsonObject jsonC
             this.remoteApiPort = -1 == url.getPort() ? 80 : url.getPort();
             this.remoteApiHost = url.getHost();
             this.remoteApiPath = url.getPath();
-            this.remoteApiBearerToken = "Bearer " + jsonConfig.getString(Const.Config.OptOutApiTokenProp);
+            this.remoteApiBearerToken = "Bearer " + operatorKey;
         } else {
             this.remoteApiPort = -1;
             this.remoteApiHost = null;