Add Azure support#1
Conversation
|
Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). View this failed invocation of the CLA check for more information. For the most up to date status, view the checks section at the bottom of the pull request. |
| "//:azure_platform": [ | ||
| "//scp/cc/cpio/client_providers/auth_token_provider/src/gcp:gcp_auth_token_provider_lib", | ||
| ], |
There was a problem hiding this comment.
We are not doing anything here, because auth_token_provider is not implemented yet.
| return SuccessExecutionResult(); | ||
| } | ||
|
|
||
| ExecutionResult AzurePrivateKeyFetcherProvider::SignHttpRequest( |
There was a problem hiding this comment.
We are not doing anything here, because auth_token_provider is not implemented yet.
| http_context.callback = bind(&AzureKmsClientProvider::OnDecryptCallback, | ||
| this, decrypt_context, _1); | ||
|
|
||
| auto execution_result = http_client_->PerformRequest(http_context); |
There was a problem hiding this comment.
We will use auth_token_provider for authentication once it's implemented.
There was a problem hiding this comment.
This class currently returns fake values or FailureExecutionResult(SC_UNKNOWN). We will implement them in a future PR.
| "//:azure_platform": [ | ||
| "//scp/cc/cpio/client_providers/role_credentials_provider/src/gcp:gcp_role_credentials_provider_lib", | ||
| ], |
There was a problem hiding this comment.
This is because we haven't implemented our version. We will Azure our version in a future PR.
|
|
||
| namespace google::scp::cpio::client_providers { | ||
|
|
||
| void AzurePrivateKeyFetchingClientUtils::CreateHttpRequest( |
There was a problem hiding this comment.
We have TODOs for future PRs in this function:
- Handle
private_key_cache_ttl_secondsoption. - Allow to specify
key_idfor private key API
| # We should split implementation here. Currently it uses fake attestation silently when it's outside TEE. | ||
| "//scp/cc/public/cpio/interface:azure_cpio_lib_inside_tee": [ | ||
| "//scp/cc/cpio/client_providers/kms_client_provider/src/azure:azure_kms_client_provider_lib", | ||
| ], | ||
| "//scp/cc/public/cpio/interface:azure_cpio_lib_outside_tee": [ | ||
| "//scp/cc/cpio/client_providers/kms_client_provider/src/azure:azure_kms_client_provider_lib", | ||
| ], |
There was a problem hiding this comment.
We will separate these two properly in a future PR. Current azure_cpio_lib_inside_tee uses fake attestation report silently when it's outside TEE.
There was a problem hiding this comment.
aci_attestation_lib has the following TODOs for future PRs:
- Add tests. We test them regularly with our internal CI, but we haven't written tests in a similar way as the existing code base.
- Follow the coding convention
- Attest to an ephemeral wrapping key as a runtime claim in
report_dataas a proof-of-possession of a private key that can unwrap the private HPKE key
| "//:azure_platform": [ | ||
| "//scp/cc/cpio/client_providers/blob_storage_client_provider/src/gcp:gcp_blob_storage_client_provider_lib", | ||
| ], |
There was a problem hiding this comment.
We defined azure_platform for blob_storage_client_provider_select_lib using the GCP implementation under /src/gcp. We think it's not used in B&A services at this moment, but we added it just to avoid build errors when we run build_and_test_all_in_docker. We will find a better solution for that problem in a future PR.
| @@ -0,0 +1,42 @@ | |||
| # Portions Copyright (c) Microsoft Corporation | |||
There was a problem hiding this comment.
We copied the gcp implementation, but accidentally added the Microsoft copyright. We made this PR without the fix because testing is expensive with our infrastructure at this moment. We'll fix them within this PR if there is other change that needs to be made before merging.
| @@ -0,0 +1,46 @@ | |||
| /* | |||
| * Portions Copyright (c) Microsoft Corporation | |||
There was a problem hiding this comment.
We copied the gcp implementation, but accidentally added the Microsoft copyright. We made this PR without the fix because testing is expensive with our infrastructure at this moment. We'll fix them within this PR if there is other change that needs to be made before merging.
| @@ -0,0 +1,40 @@ | |||
| /* | |||
| * Portions Copyright (c) Microsoft Corporation | |||
There was a problem hiding this comment.
We copied the gcp implementation, but accidentally added the Microsoft copyright. We made this PR without the fix because testing is expensive with our infrastructure at this moment. We'll fix them within this PR if there is other change that needs to be made before merging.
b2c825f to
bf865c7
Compare
Co-authored-by: Dominic Ayre <dominicayre@microsoft.com> Co-authored-by: Joe Powell <joepowell@microsoft.com> Co-authored-by: Kapil Vaswani <kapilv@microsoft.com> Co-authored-by: Ken Gordon <Ken.Gordon@microsoft.com> Co-authored-by: Mahati Chamarthy <mahati.chamarthy@microsoft.com> Co-authored-by: Ronny Bjones <ronny.bjones@microsoft.com>
10d0c87 to
46b4a32
Compare
|
Thanks for the PR. This pull request is being marked closed given we are actively working on this feature. Interested stakeholders can contribute to the discussion on the change in WICG here. |
Adding Azure support
This PR is adding support for deployment of Google's Bidding and Auction Services on Azure.
Azure Privacy Sandbox architecture: https://1drv.ms/w/s!AmI-86sms1pYqJ5Uqgo5Qv2Ynmrcmw?e=BDC8BH
(We'll make a PR for the document in https://github.com/privacysandbox/protected-auction-services-docs/tree/main in future)
Now B&A services can fetch private and public HPKE keys from an Azure KMS, specifically designed to support the B&A services, and handle test requests.
To try this changes locally, please visit here.
The PR for bidding-auction-servers repository: privacysandbox/bidding-auction-servers#9
Changes
Add Azure support
--platform=azure(for Bazel),kAzure(C++ enum value).cpio/client_providers/Add
aci_attestation_liblibrary to fetch attestation in Azure Confidential ACI. We implemented the core functionality of:kms_client_providerparameter_client_providerprivate_key_fetcher_providerprivate_key_fetcher_provider.On the other hand, we haven't started implementing the following interfaces:
auth_token_providerrole_credentials_providerAlso we return dummy values for
instance_client_providerfor now. Please see "TODOs for future PRs" section for the details.TODOs for future PRs
auth_token_provideris not implemented yet. Soprivate_key_fetcher_providerandkms_client_providerare not using authentication token when accessing Azure KMS. It will be implemented using Azure Active Directory (Azure AD).instance_client_providercurrently returns dummy values. It will be implemented properly after Azure auth_token_provider is ready.kKMSUnwrapPath. We will either put the URL inKeyData::key_encryption_key_urior use an environment variableinit_azurerole_credentials_providerprivate_key_cache_ttl_secondsoption.key_idfor private key APIPrivateKeyFetchingRequest.azure_cpio_lib_inside_teeandazure_cpio_lib_outside_teeimplementation. Current azure_cpio_lib_inside_tee uses fake attestation report silently when it's outside TEE.aci_attestation_liblibraryreport_dataas a proof-of-possession of a private key that can unwrap the private HPKE keyblob_storage_client_provider. We definedazure_platformforblob_storage_client_provider_select_libusing the GCP implementation under/src/gcp. We think it's not used in B&A services, but we added it just to avoid build errors when we runbuild_and_test_all_in_docker.azure_platformfortest_lib_cpio_providercloud_initializer/src/azure/directory. We copied the gcp implementation, but accidentally added the Microsoft copyright. We made this PR without the fix because testing is expensive with our internal test infrastructure at this moment. We'll fix them within this PR if there is other change that needs to be made before merging.