Cbc UI d2 4454 cloud encryption operator

conf/default-config.json

@@ -30,6 +30,7 @@
   "salts_metadata_path": "salts/metadata.json",
   "services_metadata_path": "services/metadata.json",
   "service_links_metadata_path": "service_links/metadata.json",
+  "cloud_encryption_keys_metadata_path": "cloud_encryption_keys/metadata.json",
   "optout_metadata_path": null,
   "optout_inmem_cache": false,
   "enclave_platform": null,

conf/docker-config.json

@@ -32,6 +32,7 @@
   "salts_metadata_path": "/com.uid2.core/test/salts/metadata.json",
   "services_metadata_path": "/com.uid2.core/test/services/metadata.json",
   "service_links_metadata_path": "/com.uid2.core/test/service_links/metadata.json",
+  "cloud_encryption_keys_metadata_path": "/com.uid2.core/test/cloud_encryption_keys/metadata.json",
   "identity_token_expires_after_seconds": 3600,
   "optout_metadata_path": null,
   "optout_inmem_cache": false,

conf/integ-config.json

@@ -14,6 +14,6 @@
   "optout_api_token": "test-operator-key",
   "optout_api_uri": "http://localhost:8081/optout/replicate",
   "salts_expired_shutdown_hours": 12,
+  "cloud_encryption_keys_metadata_path": "http://localhost:8088/cloud_encryption_keys/retrieve",
   "operator_type": "public"
-
 }

conf/local-config.json

@@ -9,6 +9,7 @@
   "salts_metadata_path": "/com.uid2.core/test/salts/metadata.json",
   "services_metadata_path": "/com.uid2.core/test/services/metadata.json",
   "service_links_metadata_path": "/com.uid2.core/test/service_links/metadata.json",
+  "cloud_encryption_keys_metadata_path":"/com.uid2.core/test/cloud_encryption_keys/metadata.json",
   "identity_token_expires_after_seconds": 3600,
   "refresh_token_expires_after_seconds": 86400,
   "refresh_identity_token_after_seconds": 900,

conf/local-e2e-docker-private-config.json

@@ -11,6 +11,7 @@
   "keysets_metadata_path": "http://core:8088/key/keyset/refresh",
   "keyset_keys_metadata_path": "http://core:8088/key/keyset-keys/refresh",
   "salts_metadata_path": "http://core:8088/salt/refresh",
+  "cloud_encryption_keys_metadata_path": "http://core:8088/cloud_encryption_keys/retrieve",
   "identity_token_expires_after_seconds": 3600,
   "refresh_token_expires_after_seconds": 86400,
   "refresh_identity_token_after_seconds": 900,

conf/local-e2e-docker-public-config.json

@@ -13,6 +13,7 @@
   "salts_metadata_path": "http://core:8088/salt/refresh",
   "services_metadata_path": "http://core:8088/services/refresh",
   "service_links_metadata_path": "http://core:8088/service_links/refresh",
+  "cloud_encryption_keys_metadata_path": "http://core:8088/cloud_encryption_keys/retrieve",
   "identity_token_expires_after_seconds": 3600,
   "refresh_token_expires_after_seconds": 86400,
   "refresh_identity_token_after_seconds": 900,

conf/local-e2e-private-config.json

@@ -13,6 +13,7 @@
   "salts_metadata_path": "http://localhost:8088/salt/refresh",
   "services_metadata_path": "http://localhost:8088/services/refresh",
   "service_links_metadata_path": "http://localhost:8088/service_links/refresh",
+  "cloud_encryption_keys_metadata_path": "http://core:8088/cloud_encryption_keys/retrieve",
   "identity_token_expires_after_seconds": 3600,
   "refresh_token_expires_after_seconds": 86400,
   "refresh_identity_token_after_seconds": 900,

conf/local-e2e-public-config.json

@@ -13,6 +13,7 @@
   "salts_metadata_path": "http://localhost:8088/salt/refresh",
   "services_metadata_path": "http://localhost:8088/services/refresh",
   "service_links_metadata_path": "http://localhost:8088/service_links/refresh",
+  "cloud_encryption_keys_metadata_path": "http://core:8088/cloud_encryption_keys/retrieve",
   "identity_token_expires_after_seconds": 3600,
   "refresh_token_expires_after_seconds": 86400,
   "refresh_identity_token_after_seconds": 900,

conf/validator-latest-e2e-docker-public-config.json

@@ -14,6 +14,7 @@
   "salts_metadata_path": "http://core:8088/salt/refresh",
   "services_metadata_path": "http://core:8088/services/refresh",
   "service_links_metadata_path": "http://core:8088/service_links/refresh",
+  "cloud_encryption_keys_metadata_path": "https://core:8088/cloud_encryption_keys/retrieve",
   "identity_token_expires_after_seconds": 3600,
   "refresh_token_expires_after_seconds": 86400,
   "refresh_identity_token_after_seconds": 900,

pom.xml

@@ -6,7 +6,7 @@
 
     <groupId>com.uid2</groupId>
     <artifactId>uid2-operator</artifactId>
-    <version>5.42.7-alpha-139-SNAPSHOT</version>
+    <version>5.42.1-alpha-144-SNAPSHOT</version>
 
     <properties>
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
@@ -22,7 +22,7 @@
         <enclave-aws.version>2.1.0</enclave-aws.version>
         <enclave-azure.version>2.1.0</enclave-azure.version>
         <enclave-gcp.version>2.1.0</enclave-gcp.version>
-        <uid2-shared.version>8.0.6</uid2-shared.version>
+        <uid2-shared.version>8.0.15-alpha-177-SNAPSHOT</uid2-shared.version>
         <image.version>${project.version}</image.version>
         <maven.compiler.source>21</maven.compiler.source>
         <maven.compiler.target>21</maven.compiler.target>

src/main/java/com/uid2/operator/Main.java

@@ -8,6 +8,7 @@
 import com.uid2.operator.monitoring.IStatsCollectorQueue;
 import com.uid2.operator.monitoring.OperatorMetrics;
 import com.uid2.operator.monitoring.StatsCollectorVerticle;
+import com.uid2.operator.reader.RotatingCloudEncryptionKeyApiProvider;
 import com.uid2.operator.service.SecureLinkValidatorService;
 import com.uid2.operator.service.ShutdownService;
 import com.uid2.operator.vertx.Endpoints;
@@ -22,6 +23,7 @@
 import com.uid2.shared.jmx.AdminApi;
 import com.uid2.shared.optout.OptOutCloudSync;
 import com.uid2.shared.store.CloudPath;
+import com.uid2.shared.store.EncryptedRotatingSaltProvider;
 import com.uid2.shared.store.RotatingSaltProvider;
 import com.uid2.shared.store.reader.*;
 import com.uid2.shared.store.scope.GlobalScope;
@@ -81,6 +83,7 @@ public class Main {
     private IStatsCollectorQueue _statsCollectorQueue;
     private RotatingServiceStore serviceProvider;
     private RotatingServiceLinkStore serviceLinkProvider;
+    private RotatingCloudEncryptionKeyApiProvider cloudEncryptionKeyProvider;
 
     public Main(Vertx vertx, JsonObject config) throws Exception {
         this.vertx = vertx;
@@ -132,17 +135,19 @@ public Main(Vertx vertx, JsonObject config) throws Exception {
             this.fsOptOut = configureCloudOptOutStore();
         }
 
+        String cloudEncryptionKeyMdPath = this.config.getString(Const.Config.CloudEncryptionKeysMetadataPathProp);
+        this.cloudEncryptionKeyProvider = new RotatingCloudEncryptionKeyApiProvider(fsStores, new GlobalScope(new CloudPath(cloudEncryptionKeyMdPath)));
         String sitesMdPath = this.config.getString(Const.Config.SitesMetadataPathProp);
         String keypairMdPath = this.config.getString(Const.Config.ClientSideKeypairsMetadataPathProp);
-        this.clientSideKeypairProvider = new RotatingClientSideKeypairStore(fsStores, new GlobalScope(new CloudPath(keypairMdPath)));
+        this.clientSideKeypairProvider = new RotatingClientSideKeypairStore(fsStores, new GlobalScope(new CloudPath(keypairMdPath)), cloudEncryptionKeyProvider);
         String clientsMdPath = this.config.getString(Const.Config.ClientsMetadataPathProp);
-        this.clientKeyProvider = new RotatingClientKeyProvider(fsStores, new GlobalScope(new CloudPath(clientsMdPath)));
+        this.clientKeyProvider = new RotatingClientKeyProvider(fsStores, new GlobalScope(new CloudPath(clientsMdPath)), cloudEncryptionKeyProvider);
         String keysetKeysMdPath = this.config.getString(Const.Config.KeysetKeysMetadataPathProp);
-        this.keysetKeyStore = new RotatingKeysetKeyStore(fsStores, new GlobalScope(new CloudPath(keysetKeysMdPath)));
+        this.keysetKeyStore = new RotatingKeysetKeyStore(fsStores, new GlobalScope(new CloudPath(keysetKeysMdPath)), cloudEncryptionKeyProvider);
         String keysetMdPath = this.config.getString(Const.Config.KeysetsMetadataPathProp);
-        this.keysetProvider = new RotatingKeysetProvider(fsStores, new GlobalScope(new CloudPath(keysetMdPath)));
+        this.keysetProvider = new RotatingKeysetProvider(fsStores, new GlobalScope(new CloudPath(keysetMdPath)), cloudEncryptionKeyProvider);
         String saltsMdPath = this.config.getString(Const.Config.SaltsMetadataPathProp);
-        this.saltProvider = new RotatingSaltProvider(fsStores, saltsMdPath);
+        this.saltProvider = new EncryptedRotatingSaltProvider(fsStores, cloudEncryptionKeyProvider, new GlobalScope(new CloudPath(saltsMdPath)));
         this.optOutStore = new CloudSyncOptOutStore(vertx, fsLocal, this.config, operatorKey, Clock.systemUTC());
 
         if (this.validateServiceLinks) {
@@ -152,7 +157,7 @@ public Main(Vertx vertx, JsonObject config) throws Exception {
             this.serviceLinkProvider = new RotatingServiceLinkStore(fsStores, new GlobalScope(new CloudPath(serviceLinkMdPath)));
         }
 
-        this.siteProvider = clientSideTokenGenerate ? new RotatingSiteStore(fsStores, new GlobalScope(new CloudPath(sitesMdPath))) : null;
+        this.siteProvider = clientSideTokenGenerate ? new RotatingSiteStore(fsStores, new GlobalScope(new CloudPath(sitesMdPath)), cloudEncryptionKeyProvider) : null;
 
         if (useStorageMock && coreAttestUrl == null) {
             if (clientSideTokenGenerate) {
@@ -163,6 +168,7 @@ public Main(Vertx vertx, JsonObject config) throws Exception {
             this.saltProvider.loadContent();
             this.keysetProvider.loadContent();
             this.keysetKeyStore.loadContent();
+            this.cloudEncryptionKeyProvider.loadContent();
 
             if (this.validateServiceLinks) {
                 this.serviceProvider.loadContent();
@@ -302,6 +308,8 @@ private void run() throws Exception {
 
     private Future<Void> createStoreVerticles() throws Exception {
         // load metadatas for the first time
+        cloudEncryptionKeyProvider.loadContent();
+
         if (clientSideTokenGenerate) {
             siteProvider.getMetadata();
             clientSideKeypairProvider.getMetadata();
@@ -330,6 +338,7 @@ private Future<Void> createStoreVerticles() throws Exception {
         fs.add(createAndDeployRotatingStoreVerticle("auth", clientKeyProvider, "auth_refresh_ms"));
         fs.add(createAndDeployRotatingStoreVerticle("keyset", keysetProvider, "keyset_refresh_ms"));
         fs.add(createAndDeployRotatingStoreVerticle("keysetkey", keysetKeyStore, "keysetkey_refresh_ms"));
+        fs.add(createAndDeployRotatingStoreVerticle("cloud_encryption_keys", cloudEncryptionKeyProvider, "cloud_encryption_keys_refresh_ms"));
         fs.add(createAndDeployRotatingStoreVerticle("salt", saltProvider, "salt_refresh_ms"));
         fs.add(createAndDeployCloudSyncStoreVerticle("optout", fsOptOut, optOutCloudSync));
         CompositeFuture.all(fs).onComplete(ar -> {

src/main/java/com/uid2/operator/reader/ApiStoreReader.java

@@ -0,0 +1,57 @@
+package com.uid2.operator.reader;
+
+import com.uid2.shared.cloud.DownloadCloudStorage;
+import com.uid2.shared.store.ScopedStoreReader;
+import com.uid2.shared.store.parser.Parser;
+import com.uid2.shared.store.parser.ParsingResult;
+import com.uid2.shared.store.scope.StoreScope;
+import io.vertx.core.json.JsonArray;
+import io.vertx.core.json.JsonObject;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.nio.charset.StandardCharsets;
+
+public class ApiStoreReader<T> extends ScopedStoreReader<T> {
+    private static final Logger LOGGER = LoggerFactory.getLogger(ApiStoreReader.class);
+
+    public ApiStoreReader(DownloadCloudStorage fileStreamProvider, StoreScope scope, Parser<T> parser, String dataTypeName) {
+        super(fileStreamProvider, scope, parser, dataTypeName);
+    }
+
+
+    public long loadContent(JsonObject contents) throws Exception {
+        return loadContent(contents, dataTypeName);
+    }
+
+    @Override
+    public long loadContent(JsonObject contents, String dataType) throws IOException {
+        if (contents == null) {
+            throw new IllegalArgumentException(String.format("No contents provided for loading data type %s, cannot load content", dataType));
+        }
+
+        try {
+            JsonArray dataArray = contents.getJsonArray(dataType);
+            if (dataArray == null) {
+                throw new IllegalArgumentException("No array found in the contents");
+            }
+
+            String jsonString = dataArray.toString();
+            InputStream inputStream = new ByteArrayInputStream(jsonString.getBytes(StandardCharsets.UTF_8));
+
+            ParsingResult<T> parsed = parser.deserialize(inputStream);
+            latestSnapshot.set(parsed.getData());
+
+            final int count = parsed.getCount();
+            latestEntryCount.set(count);
+            LOGGER.info(String.format("Loaded %d %s", count, dataType));
+            return count;
+        } catch (Exception e) {
+            LOGGER.error(String.format("Unable to load %s", dataType));
+            throw e;
+        }
+    }
+}

src/main/java/com/uid2/operator/reader/RotatingCloudEncryptionKeyApiProvider.java

@@ -0,0 +1,32 @@
+package com.uid2.operator.reader;
+
+import com.uid2.shared.cloud.DownloadCloudStorage;
+import com.uid2.shared.model.CloudEncryptionKey;
+import com.uid2.shared.store.CloudPath;
+import com.uid2.shared.store.parser.CloudEncryptionKeyParser;
+import com.uid2.shared.store.reader.RotatingCloudEncryptionKeyProvider;
+import com.uid2.shared.store.scope.StoreScope;
+import io.vertx.core.json.JsonObject;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.time.Instant;
+import java.util.*;
+
+public class RotatingCloudEncryptionKeyApiProvider extends RotatingCloudEncryptionKeyProvider {
+    private static final Logger LOGGER = LoggerFactory.getLogger(RotatingCloudEncryptionKeyApiProvider.class);
+
+    public RotatingCloudEncryptionKeyApiProvider(DownloadCloudStorage fileStreamProvider, StoreScope scope) {
+        super(fileStreamProvider, scope, new ApiStoreReader<>(fileStreamProvider, scope, new CloudEncryptionKeyParser(), "cloud_encryption_keys"));
+    }
+
+    public RotatingCloudEncryptionKeyApiProvider(DownloadCloudStorage fileStreamProvider, StoreScope scope, ApiStoreReader<Map<Integer, CloudEncryptionKey>> reader) {
+        super(fileStreamProvider, scope, reader);
+    }
+
+
+    @Override
+    public long getVersion(JsonObject metadata) {
+        return Instant.now().getEpochSecond();
+    }
+}

src/main/resources/com.uid2.core/test/cloud_encryption_keys/cloud_encryption_keys.json

@@ -0,0 +1,73 @@
+[ {
+  "id" : 1,
+  "siteId" : 999,
+  "activates" : 1720641670,
+  "created" : 1720641670,
+  "secret" : "mydrCudb2PZOm01Qn0SpthltmexHUAA11Hy1m+uxjVw="
+}, {
+  "id" : 2,
+  "siteId" : 999,
+  "activates" : 1720728070,
+  "created" : 1720641670,
+  "secret" : "FtdslrFSsvVXOuhOWGwEI+0QTkCvM8SGZAP3k2u3PgY="
+}, {
+  "id" : 3,
+  "siteId" : 999,
+  "activates" : 1720814470,
+  "created" : 1720641670,
+  "secret" : "/7zO6QbKrhZKIV36G+cU9UR4hZUVg5bD+KjbczICjHw="
+}, {
+  "id" : 4,
+  "siteId" : 123,
+  "activates" : 1720641671,
+  "created" : 1720641671,
+  "secret" : "XjiqRlWQQJGLr7xfV1qbueKwyzt881GVohuUkQt/ht4="
+}, {
+  "id" : 5,
+  "siteId" : 123,
+  "activates" : 1720728071,
+  "created" : 1720641671,
+  "secret" : "QmpIf5NzO+UROjl5XjB/BmF6paefM8n6ub9B2plC9aI="
+}, {
+  "id" : 6,
+  "siteId" : 123,
+  "activates" : 1720814471,
+  "created" : 1720641671,
+  "secret" : "40w9UMSYxGm+KldOWOXhBGI8QgjvUUQjivtkP4VpKV8="
+}, {
+  "id" : 7,
+  "siteId" : 124,
+  "activates" : 1720641671,
+  "created" : 1720641671,
+  "secret" : "QdwD0kQV1BwmLRD0PH1YpqgaOrgpVTfu08o98mSZ6uE="
+}, {
+  "id" : 8,
+  "siteId" : 124,
+  "activates" : 1720728071,
+  "created" : 1720641671,
+  "secret" : "yCVCM/HLf9/6k+aUNrx7w17VbyfSzI8JykLQLSR+CW0="
+}, {
+  "id" : 9,
+  "siteId" : 124,
+  "activates" : 1720814471,
+  "created" : 1720641671,
+  "secret" : "JqHl8BrTyx9XpR2lYj/5xvUpzgnibGeomETTwF4rn1U="
+}, {
+  "id" : 10,
+  "siteId" : 127,
+  "activates" : 1720641671,
+  "created" : 1720641671,
+  "secret" : "JqiG1b34AvrdO3Aj6cCcjOBJMijrDzTmrR+p9ZtP2es="
+}, {
+  "id" : 11,
+  "siteId" : 127,
+  "activates" : 1720728072,
+  "created" : 1720641672,
+  "secret" : "lp1CyHdfc7K0aO5JGpA+Ve5Z/V5LImtGEQwCg/YB0kY="
+}, {
+  "id" : 12,
+  "siteId" : 127,
+  "activates" : 1720814472,
+  "created" : 1720641672,
+  "secret" : "G99rFYJF+dnSlk/xG6fuC3WNqQxTLJbDIdVyPMbGQ6s="
+} ]

src/main/resources/com.uid2.core/test/cloud_encryption_keys/metadata.json

@@ -0,0 +1,7 @@
+{
+  "version": 1,
+  "generated": 1620253519,
+  "cloud_encryption_keys": {
+    "location": "/com.uid2.core/test/cloud_encryption_keys/cloud_encryption_keys.json"
+  }
+}