Azure Confidential Container MAA token parse and policy validation logic

[yishi-ttd]

What does this MR do?

• Logic to parse MAA token, validate signature against MAA server, and check policy.
• Policy to check for MAA payload:
  • Is running in expected SKU (VM is AMD & Host Utility VM).
  • VM is not in debug mode.
  • Location is not China or EU.
  • PK matches in runtime info.

Test Plan

• UT to verify token parse and policy check logic
• E2E verified locally that the real token string can be parsed and validated by MAA

Where should the reviewer start

• src/main/java/com/uid2/shared/secure/azurecc/AzurePublicKeyProvider.java logic to provide Azure public key.
• src/main/java/com/uid2/shared/secure/azurecc/MaaTokenSignatureValidator.java logic to parse the token and validate signature against MAA
• src/main/java/com/uid2/shared/secure/azurecc/PolicyValidator.java logic to check policy against the parsed MAA payload.

Notes

• Why implements a new publickey provider？
  • MAA certs are stored as x5c(X.509 certificate chain), not supported by Google auth lib.
• How to generate x-ms-runtime field
  • When generate MAA token, we could pass a RunTime Info string to MAA sever. It's the base64 string of JSON payload: { "location": "East US", "publicKey": "abc" }

[lunwang-ttd]

LGTM