Merge pull request #132 from IABTechLab/wzh-uid2-3572-s3encryption-keys-distribution-endpoint

Wzh uid2 3572 s3encryption keys distribution endpoint

Author: lizk886

pom.xml

@@ -6,7 +6,7 @@
 
   <groupId>com.uid2</groupId>
   <artifactId>uid2-core</artifactId>
-  <version>2.16.0</version>
+  <version>2.16.2-alpha-33-SNAPSHOT</version>
 
   <properties>
     <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
@@ -24,7 +24,7 @@
     <vertx.verticle>com.uid2.core.vertx.CoreVerticle</vertx.verticle>
     <launcher.class>io.vertx.core.Launcher</launcher.class>
 
-    <uid2-shared.version>7.16.0</uid2-shared.version>
+    <uid2-shared.version>7.17.0</uid2-shared.version>
     <image.version>${project.version}</image.version>
   </properties>
 

src/main/java/com/uid2/core/Main.java

@@ -157,7 +157,7 @@ public static void main(String[] args) {
 
                 JwtService jwtService = new JwtService(config);
 
-                coreVerticle = new CoreVerticle(cloudStorage, operatorKeyProvider, attestationService, attestationTokenService, enclaveIdProvider, operatorJWTTokenProvider, jwtService);
+                coreVerticle = new CoreVerticle(cloudStorage, operatorKeyProvider, attestationService, attestationTokenService, enclaveIdProvider, operatorJWTTokenProvider, jwtService, s3KeyProvider);
             } catch (Exception e) {
                 System.out.println("failed to initialize core verticle: " + e.getMessage());
                 System.exit(-1);

src/main/java/com/uid2/core/vertx/CoreVerticle.java

@@ -50,6 +50,8 @@
 import java.security.spec.X509EncodedKeySpec;
 import java.time.Instant;
 import java.util.*;
+import com.uid2.shared.store.reader.RotatingS3KeyProvider;
+import com.uid2.shared.model.S3Key;
 
 import static com.uid2.shared.Const.Config.EnforceJwtProp;
 
@@ -78,14 +80,16 @@ public class CoreVerticle extends AbstractVerticle {
     private final IPartnerMetadataProvider partnerMetadataProvider;
     private final OperatorJWTTokenProvider operatorJWTTokenProvider;
     private final JwtService jwtService;
+    private final RotatingS3KeyProvider s3KeyProvider;
 
     public CoreVerticle(ICloudStorage cloudStorage,
                         IAuthorizableProvider authProvider,
                         AttestationService attestationService,
                         IAttestationTokenService attestationTokenService,
                         IEnclaveIdentifierProvider enclaveIdentifierProvider,
                         OperatorJWTTokenProvider operatorJWTTokenProvider,
-                        JwtService jwtService) throws Exception {
+                        JwtService jwtService,
+                        RotatingS3KeyProvider s3KeyProvider) throws Exception {
         this.operatorJWTTokenProvider = operatorJWTTokenProvider;
         this.healthComponent.setHealthStatus(false, "not started");
 
@@ -96,6 +100,7 @@ public CoreVerticle(ICloudStorage cloudStorage,
         this.jwtService = jwtService;
         this.enclaveIdentifierProvider = enclaveIdentifierProvider;
         this.enclaveIdentifierProvider.addListener(this.attestationService);
+        this.s3KeyProvider = s3KeyProvider;
 
         final String jwtAudience = ConfigStore.Global.get(Const.Config.CorePublicUrlProp);
         final String jwtIssuer = ConfigStore.Global.get(Const.Config.CorePublicUrlProp);
@@ -122,6 +127,16 @@ public CoreVerticle(ICloudStorage cloudStorage,
         this.serviceLinkMetadataProvider = new ServiceLinkMetadataProvider(cloudStorage);
     }
 
+    public CoreVerticle(ICloudStorage cloudStorage,
+                        IAuthorizableProvider authorizableProvider,
+                        AttestationService attestationService,
+                        IAttestationTokenService attestationTokenService,
+                        IEnclaveIdentifierProvider enclaveIdentifierProvider,
+                        OperatorJWTTokenProvider jwtTokenProvider,
+                        JwtService jwtService) throws Exception {
+        this(cloudStorage, authorizableProvider, attestationService, attestationTokenService, enclaveIdentifierProvider, jwtTokenProvider, jwtService, null);
+    }
+
     @Override
     public void start(Promise<Void> startPromise) {
         this.healthComponent.setHealthStatus(false, "still starting");
@@ -165,6 +180,7 @@ private Router createRoutesSetup() {
         router.post("/attest")
                 .handler(new AttestationFailureHandler())
                 .handler(auth.handle(this::handleAttestAsync, Role.OPERATOR, Role.OPTOUT_SERVICE));
+        router.get("/s3encryption_keys/retrieve").handler(auth.handle(attestationMiddleware.handle(this::handleS3EncryptionKeysRetrieval), Role.OPERATOR));
         router.get("/sites/refresh").handler(auth.handle(attestationMiddleware.handle(this::handleSiteRefresh), Role.OPERATOR));
         router.get("/key/refresh").handler(auth.handle(attestationMiddleware.handle(this::handleKeyRefresh), Role.OPERATOR));
         router.get("/key/acl/refresh").handler(auth.handle(attestationMiddleware.handle(this::handleKeyAclRefresh), Role.OPERATOR));
@@ -565,6 +581,28 @@ private void handleEnclaveUnregister(RoutingContext rc) {
         handleEnclaveChange(rc, true);
     }
 
+    void handleS3EncryptionKeysRetrieval(RoutingContext rc) {
+        try {
+            OperatorInfo info = OperatorInfo.getOperatorInfo(rc);
+            int siteId = info.getSiteId();
+            List<S3Key> s3Keys = s3KeyProvider.getKeys(siteId);
+
+            if (s3Keys == null || s3Keys.isEmpty()) {
+                Error("No S3 keys found", 500, rc, "No S3 keys found for siteId: " + siteId);
+                return;
+            }
+
+            JsonObject response = new JsonObject()
+                    .put("s3Keys", new JsonArray(s3Keys));
+
+            rc.response().putHeader(HttpHeaders.CONTENT_TYPE, "application/json")
+                    .end(response.encode());
+        } catch (Exception e) {
+            logger.error("Error in handleRefreshS3Keys: ", e);
+            Error("error", 500, rc, "error generating attestation token");
+        }
+    }
+
     //region test endpoints
     private void handleTestGetAttestationToken(RoutingContext rc) {
         HttpMethod method = rc.request().method();

src/test/java/com/uid2/core/vertx/TestCoreVerticle.java

@@ -14,8 +14,10 @@
 import com.uid2.shared.secure.AttestationFailure;
 import com.uid2.shared.secure.AttestationResult;
 import com.uid2.shared.secure.ICoreAttestationService;
+import com.uid2.shared.store.reader.RotatingS3KeyProvider;
 import io.vertx.core.*;
 import io.vertx.core.buffer.Buffer;
+import io.vertx.core.json.JsonArray;
 import io.vertx.core.json.JsonObject;
 import io.vertx.ext.web.client.HttpResponse;
 import io.vertx.ext.web.client.WebClient;
@@ -25,7 +27,9 @@
 import static org.junit.jupiter.api.Assertions.*;
 
 import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Tag;
 import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.TestInfo;
 import org.junit.jupiter.api.extension.ExtendWith;
 import org.mockito.Mock;
 import org.mockito.MockitoAnnotations;
@@ -38,6 +42,9 @@
 import java.util.*;
 import java.util.concurrent.Callable;
 
+import com.uid2.shared.model.S3Key;
+import java.util.Arrays;
+
 import static org.mockito.Mockito.*;
 
 @ExtendWith(VertxExtension.class)
@@ -56,23 +63,31 @@ public class TestCoreVerticle {
     private OperatorJWTTokenProvider operatorJWTTokenProvider;
     @Mock
     private JwtService jwtService;
+    @Mock
+    private RotatingS3KeyProvider s3KeyProvider;
 
     private AttestationService attestationService;
 
     private static final String attestationProtocol = "test-attestation-protocol";
+    private static final String attestationProtocolPublic = "trusted";
 
     @BeforeEach
-    void deployVerticle(Vertx vertx, VertxTestContext testContext) throws Throwable {
+    void deployVerticle(TestInfo info, Vertx vertx, VertxTestContext testContext) throws Throwable {
         JsonObject config = new JsonObject();
         config.put(Const.Config.OptOutUrlProp, "test_optout_url");
         config.put(Const.Config.CorePublicUrlProp, "test_core_url");
         config.put(Const.Config.AwsKmsJwtSigningKeyIdProp, "test_aws_kms_keyId");
-        config.put(Const.Config.EnforceJwtProp, true);
+        if (info.getTags().contains("dontForceJwt")) {
+            config.put(Const.Config.EnforceJwtProp, false);
+        } else {
+            config.put(Const.Config.EnforceJwtProp, true);
+        }
         ConfigStore.Global.load(config);
 
         attestationService = new AttestationService();
         MockitoAnnotations.initMocks(this);
-        CoreVerticle verticle = new CoreVerticle(cloudStorage, authProvider, attestationService, attestationTokenService, enclaveIdentifierProvider, operatorJWTTokenProvider, jwtService);
+
+        CoreVerticle verticle = new CoreVerticle(cloudStorage, authProvider, attestationService, attestationTokenService, enclaveIdentifierProvider, operatorJWTTokenProvider, jwtService, s3KeyProvider);
         vertx.deployVerticle(verticle, testContext.succeeding(id -> testContext.completeNow()));
     }
 
@@ -81,6 +96,10 @@ private String getUrlForEndpoint(String endpoint) {
     }
 
     private void fakeAuth(Role... roles) {
+        this.fakeAuth(attestationProtocol, roles);
+    }
+
+    private void fakeAuth(String attestationProtocol, Role... roles) {
         OperatorKey operatorKey = new OperatorKey("test-key-hash", "test-key-salt", "test-name", "test-contact", attestationProtocol, 0, false, 88, new HashSet<>(Arrays.asList(roles)), OperatorType.PRIVATE,  "test-key-id");
         when(authProvider.get(any())).thenReturn(operatorKey);
     }
@@ -108,6 +127,11 @@ private void get(Vertx vertx, String endpoint, MultiMap form, Handler<AsyncResul
         client.getAbs(getUrlForEndpoint(endpoint)).putHeader("content-type", "multipart/form-data").sendForm(form, handler);
     }
 
+    private void get(Vertx vertx, String endpoint, Handler<AsyncResult<HttpResponse<Buffer>>> handler) {
+        WebClient client = WebClient.create(vertx);
+        client.getAbs(getUrlForEndpoint(endpoint)).send(handler);
+    }
+
     private void addAttestationProvider(String protocol) {
         attestationService.with(protocol, attestationProvider);
     }
@@ -450,4 +474,146 @@ void wrongMethodForEndpoint(Vertx vertx, VertxTestContext testContext) {
             testContext.completeNow();
         });
     }
+
+    @Test
+    void wrongMethodForEndpointS3(Vertx vertx, VertxTestContext testContext) {
+        post(vertx, "/s3encryption_keys/retrieve", makeAttestationRequestJson(null, null), ar -> {
+            HttpResponse response = ar.result();
+            assertEquals(405, response.statusCode());
+            assertEquals("Method Not Allowed", response.statusMessage());
+            testContext.completeNow();
+        });
+    }
+
+    @Tag("dontForceJwt")
+    @Test
+    void s3encryptionKeyRetrieveSuccess(Vertx vertx, VertxTestContext testContext) {
+        fakeAuth(attestationProtocolPublic, Role.OPERATOR);
+        addAttestationProvider(attestationProtocolPublic);
+        onHandleAttestationRequest(() -> {
+            byte[] resultPublicKey = null;
+            return Future.succeededFuture(new AttestationResult(resultPublicKey, "test"));
+        });
+
+        S3Key key = new S3Key(1, 88, 1687635529, 1687808329, "newSecret");
+
+        List<S3Key> keys = Arrays.asList(key);
+        when(s3KeyProvider.getKeys(88)).thenReturn(keys);
+
+        get(vertx, "s3encryption_keys/retrieve", ar -> {
+            if (ar.succeeded()) {
+                HttpResponse<Buffer> response = ar.result();
+                assertEquals(200, response.statusCode());
+
+                JsonObject json = response.bodyAsJsonObject();
+                JsonArray s3KeysArray = json.getJsonArray("s3Keys");
+
+                assertNotNull(s3KeysArray);
+                assertEquals(1, s3KeysArray.size());
+
+                JsonObject s3KeyJson = s3KeysArray.getJsonObject(0);
+                assertEquals(1, s3KeyJson.getInteger("id"));
+                assertEquals(88, s3KeyJson.getInteger("siteId"));
+                assertEquals(1687635529, s3KeyJson.getLong("activates"));
+                assertEquals(1687808329, s3KeyJson.getLong("created"));
+                assertEquals("newSecret", s3KeyJson.getString("secret"));
+
+                testContext.completeNow();
+            } else {
+                testContext.failNow(ar.cause());
+            }
+        });
+    }
+
+
+    @Tag("dontForceJwt")
+    @Test
+    void s3encryptionKeyRetrieveSuccessWithThreeKeys(Vertx vertx, VertxTestContext testContext) {
+        fakeAuth(attestationProtocolPublic, Role.OPERATOR);
+        addAttestationProvider(attestationProtocolPublic);
+        onHandleAttestationRequest(() -> {
+            byte[] resultPublicKey = null;
+            return Future.succeededFuture(new AttestationResult(resultPublicKey, "test"));
+        });
+
+        // Create 3 S3Key objects
+        S3Key key1 = new S3Key(1, 88, 1687635529, 1687808329, "secret1");
+        S3Key key2 = new S3Key(2, 88, 1687635530, 1687808330, "secret2");
+        S3Key key3 = new S3Key(3, 88, 1687635531, 1687808331, "secret3");
+
+        List<S3Key> keys = Arrays.asList(key1, key2, key3);
+        when(s3KeyProvider.getKeys(88)).thenReturn(keys);
+
+        get(vertx, "s3encryption_keys/retrieve", ar -> {
+            if (ar.succeeded()) {
+                HttpResponse<Buffer> response = ar.result();
+                assertEquals(200, response.statusCode());
+
+                JsonObject json = response.bodyAsJsonObject();
+                JsonArray s3KeysArray = json.getJsonArray("s3Keys");
+
+                assertNotNull(s3KeysArray);
+                assertEquals(3, s3KeysArray.size());
+
+                for (int i = 0; i < 3; i++) {
+                    JsonObject s3KeyJson = s3KeysArray.getJsonObject(i);
+                    assertEquals(i + 1, s3KeyJson.getInteger("id"));
+                    assertEquals(88, s3KeyJson.getInteger("siteId"));
+                    assertEquals(1687635529 + i, s3KeyJson.getLong("activates"));
+                    assertEquals(1687808329 + i, s3KeyJson.getLong("created"));
+                    assertEquals("secret" + (i + 1), s3KeyJson.getString("secret"));
+                }
+
+                testContext.completeNow();
+            } else {
+                testContext.failNow(ar.cause());
+            }
+        });
+    }
+
+    @Tag("dontForceJwt")
+    @Test
+    void s3encryptionKeyRetrieveNoKeysOrError(Vertx vertx, VertxTestContext testContext) {
+        fakeAuth(attestationProtocolPublic, Role.OPERATOR);
+        addAttestationProvider(attestationProtocolPublic);
+        onHandleAttestationRequest(() -> {
+            byte[] resultPublicKey = null;
+            return Future.succeededFuture(new AttestationResult(resultPublicKey, "test"));
+        });
+
+        // Test case 1: No keys found
+        when(s3KeyProvider.getKeys(anyInt())).thenReturn(Collections.emptyList());
+
+        get(vertx, "s3encryption_keys/retrieve", ar -> {
+            if (ar.succeeded()) {
+                HttpResponse<Buffer> response = ar.result();
+                assertEquals(500, response.statusCode());
+
+                JsonObject json = response.bodyAsJsonObject();
+                assertEquals("No S3 keys found", json.getString("status"));
+                assertTrue(json.getString("message").contains("No S3 keys found for siteId:"));
+
+                // Test case 2: Exception thrown
+                when(s3KeyProvider.getKeys(anyInt())).thenThrow(new RuntimeException("Test exception"));
+
+                get(vertx, "s3encryption_keys/retrieve", ar2 -> {
+                    if (ar2.succeeded()) {
+                        HttpResponse<Buffer> response2 = ar2.result();
+                        assertEquals(500, response2.statusCode());
+
+                        JsonObject json2 = response2.bodyAsJsonObject();
+                        System.out.println(json2);
+                        assertEquals("error", json2.getString("status"));
+                        assertEquals("error generating attestation token", json2.getString("message"));
+
+                        testContext.completeNow();
+                    } else {
+                        testContext.failNow(ar2.cause());
+                    }
+                });
+            } else {
+                testContext.failNow(ar.cause());
+            }
+        });
+    }
 }

src/test/resources/com.uid2.core/model/test-config.json

@@ -22,5 +22,6 @@
     "att_token_enc_key": "<key-for-attestation-token>",
     "att_token_enc_salt": "<salt-for-attestation-token>",
     "att_token_lifetime_seconds": 120,
-    "provide_private_site_data": true
+    "provide_private_site_data": true,
+    "s3_keys_metadata_path": "s3encryption_keys/metadata.json"
 }