Merge remote-tracking branch 'origin/main' into syw-UID2-4159-token-gen-code-refactoring-UserIdentity

Author: sunnywu

.github/actions/build_ami/action.yaml

@@ -87,6 +87,11 @@ runs:
         FILE=$(echo $ARTIFACTS | jq -r '.[0].name')
         unzip -o -d ./scripts/aws/uid2-operator-ami/artifacts $FILE.zip
         rm $FILE.zip
+        cd "./scripts/aws/uid2-operator-ami/artifacts/"
+        zip "uid2operatoreif.zip" "uid2operator.eif"
+        cd -
+        rm ./scripts/aws/uid2-operator-ami/artifacts/uid2operator.eif
+        ls ./scripts/aws/uid2-operator-ami/artifacts/ -al
 
     - name: Configure UID2 AWS credentials
       uses: aws-actions/configure-aws-credentials@v4

.github/actions/build_aws_eif/action.yaml

@@ -117,10 +117,22 @@ runs:
         docker cp amazonlinux:/sockd                                    ${ARTIFACTS_OUTPUT_DIR}/
         docker cp amazonlinux:/vsockpx                                  ${ARTIFACTS_OUTPUT_DIR}/
         docker cp amazonlinux:/${{ inputs.identity_scope }}operator.eif ${ARTIFACTS_OUTPUT_DIR}/uid2operator.eif
+        
+        eifsize=$(wc -c < "${ARTIFACTS_OUTPUT_DIR}/uid2operator.eif")
+        if [ $eifsize -le 1 ]; then
+          echo "The eif was less then 1 byte. This indicates a build failure"
+          exit 1
+        fi
 
         docker cp amazonlinux:/pcr0.txt                                 ${{ steps.buildFolder.outputs.BUILD_FOLDER }}
         docker cp amazonlinux:/pcr0.txt                                 ${ARTIFACTS_OUTPUT_DIR}/
         echo "enclave_id=$(cat ${{ steps.buildFolder.outputs.BUILD_FOLDER}}/pcr0.txt)" >> $GITHUB_OUTPUT
+        
+        pcrsize=$(wc -c < "${{ steps.buildFolder.outputs.BUILD_FOLDER}}/pcr0.txt")
+        if [ $pcrsize -le 1 ]; then
+          echo "The pcr0.txt file was less then 1 byte. This indicates a build failure"
+          exit 1
+        fi
 
     - name: Cleanup
       shell: bash

.github/actions/update_operator_version/action.yaml

@@ -34,7 +34,7 @@ runs:
   steps:
     - name: Check branch and release type
       id: checkRelease
-      uses: IABTechLab/uid2-shared-actions/actions/check_branch_and_release_type@v2
+      uses: IABTechLab/uid2-shared-actions/actions/check_branch_and_release_type@v3
       with:
         release_type: ${{ inputs.release_type }}
 
@@ -81,7 +81,7 @@ runs:
 
     - name: Set version number
       id: version
-      uses: IABTechLab/uid2-shared-actions/actions/version_number@v2
+      uses: IABTechLab/uid2-shared-actions/actions/version_number@v3
       with:
         type: ${{ inputs.release_type }}
         version_number: ${{ inputs.version_number_input }}

.github/workflows/publish-all-operators.yaml

@@ -59,7 +59,7 @@ jobs:
             GITHUB_CONTEXT: ${{ toJson(github) }}
 
       - name: Check branch and release type
-        uses: IABTechLab/uid2-shared-actions/actions/check_branch_and_release_type@v2
+        uses: IABTechLab/uid2-shared-actions/actions/check_branch_and_release_type@v3
         with:
           release_type: ${{ inputs.release_type }}
 
@@ -69,14 +69,15 @@ jobs:
           fetch-depth: 0
 
       - name: Scan vulnerabilities
-        uses: IABTechLab/uid2-shared-actions/actions/vulnerability_scan_filesystem@v3
+        uses: IABTechLab/uid2-shared-actions/actions/vulnerability_scan@v3
         with:
           scan_severity: HIGH,CRITICAL
           failure_severity: CRITICAL
+          scan_type: 'fs'
 
       - name: Set version number
         id: version
-        uses: IABTechLab/uid2-shared-actions/actions/version_number@v2
+        uses: IABTechLab/uid2-shared-actions/actions/version_number@v3
         with:
           type: ${{ env.RELEASE_TYPE }}
           branch_name: ${{ github.ref }}

.trivyignore

@@ -5,8 +5,5 @@
 # https://thetradedesk.atlassian.net/browse/UID2-4460
 CVE-2024-47535
 
-# https://thetradedesk.atlassian.net/browse/UID2-4874
-CVE-2025-24970 exp:2025-04-03
-
 # https://thetradedesk.atlassian.net/browse/UID2-5186
-CVE-2024-8176 exp:2025-04-03
+CVE-2024-8176 exp:2025-06-03

Dockerfile

@@ -1,5 +1,5 @@
-# sha from https://hub.docker.com/layers/amd64/eclipse-temurin/21.0.6_7-jre-alpine/images/sha256-f184bb601f9e6068dd0a92738764d1ff447ab68c15ddbf8c303c5c29de9a1df8
-FROM eclipse-temurin@sha256:f184bb601f9e6068dd0a92738764d1ff447ab68c15ddbf8c303c5c29de9a1df8
+# sha from https://hub.docker.com/layers/amd64/eclipse-temurin/21.0.7_6-jre-alpine-3.21/images/sha256-62fa775039897e4420368514ba6c167741f6d45a0de9ff9125bee57e5aca8b75
+FROM eclipse-temurin@sha256:62fa775039897e4420368514ba6c167741f6d45a0de9ff9125bee57e5aca8b75
 
 WORKDIR /app
 EXPOSE 8080
@@ -17,11 +17,10 @@ COPY ./target/${JAR_NAME}-${JAR_VERSION}-sources.jar /app
 COPY ./target/${JAR_NAME}-${JAR_VERSION}-static.tar.gz /app/static.tar.gz
 COPY ./conf/default-config.json /app/conf/
 COPY ./conf/*.xml /app/conf/
-COPY ./conf/runtime-config-defaults.json /app/conf/
 
 RUN tar xzvf /app/static.tar.gz --no-same-owner --no-same-permissions && rm -f /app/static.tar.gz
 
-RUN adduser -D uid2-operator && mkdir -p /opt/uid2 && chmod 777 -R /opt/uid2 && mkdir -p /app && chmod 705 -R /app && mkdir -p /app/file-uploads && chmod 777 -R /app/file-uploads
+RUN adduser -D uid2-operator && mkdir -p /opt/uid2 && chmod 777 -R /opt/uid2 && mkdir -p /app && chmod 705 -R /app && mkdir -p /app/file-uploads && chmod 777 -R /app/file-uploads && mkdir -p /app/pod_terminating && chmod 777 -R /app/pod_terminating
 USER uid2-operator
 
 CMD java \

conf/default-config.json

@@ -32,12 +32,12 @@
   "service_links_metadata_path": "service_links/metadata.json",
   "cloud_encryption_keys_metadata_path": "cloud_encryption_keys/metadata.json",
   "encrypted_files": false,
-  "cloud_encryption_keys_refresh_ms": 300000,
   "optout_metadata_path": null,
   "optout_inmem_cache": false,
   "enclave_platform": null,
   "failure_shutdown_wait_hours": 120,
   "sharing_token_expiry_seconds": 2592000,
   "operator_type": "public",
-  "enable_remote_config": false
+  "enable_remote_config": false,
+  "uid_instance_id_prefix": "local-operator"
 }

conf/docker-config.json

@@ -32,22 +32,16 @@
   "services_metadata_path": "/com.uid2.core/test/services/metadata.json",
   "service_links_metadata_path": "/com.uid2.core/test/service_links/metadata.json",
   "cloud_encryption_keys_metadata_path": "/com.uid2.core/test/cloud_encryption_keys/metadata.json",
-  "encrypted_files": true,
+  "runtime_config_metadata_path": "/com.uid2.core/test/runtime_config/metadata.json",
+  "encrypted_files": false,
   "identity_token_expires_after_seconds": 3600,
   "optout_metadata_path": null,
   "optout_inmem_cache": false,
   "enclave_platform": null,
   "failure_shutdown_wait_hours": 120,
   "salts_expired_shutdown_hours": 12,
   "operator_type": "public",
-  "runtime_config_store": {
-    "type": "file",
-    "config" : {
-      "path": "conf/runtime-config-defaults.json",
-      "format": "json"
-    },
-    "config_scan_period_ms": 5000
-  },
-  "disable_optout_token": false,
-  "enable_remote_config": false
+  "disable_optout_token": true,
+  "enable_remote_config": false,
+  "uid_instance_id_prefix": "local-operator"
 }

conf/integ-config.json

@@ -14,15 +14,10 @@
   "optout_api_token": "test-operator-key",
   "optout_api_uri": "http://localhost:8081/optout/replicate",
   "cloud_encryption_keys_metadata_path": "http://localhost:8088/cloud_encryption_keys/retrieve",
+  "runtime_config_metadata_path": "http://localhost:8088/operator/config",
   "salts_expired_shutdown_hours": 12,
   "operator_type": "public",
-  "runtime_config_store": {
-    "type": "http",
-    "config" : {
-      "url": "http://localhost:8088/operator/config"
-    },
-    "config_scan_period_ms": 300000
-  },
-  "disable_optout_token": false,
-  "enable_remote_config": false
+  "disable_optout_token": true,
+  "enable_remote_config": false,
+  "uid_instance_id_prefix": "local-operator"
 }

conf/local-config.json

@@ -10,6 +10,7 @@
   "services_metadata_path": "/com.uid2.core/test/services/metadata.json",
   "service_links_metadata_path": "/com.uid2.core/test/service_links/metadata.json",
   "cloud_encryption_keys_metadata_path": "/com.uid2.core/test/cloud_encryption_keys/metadata.json",
+  "runtime_config_metadata_path": "/com.uid2.core/test/runtime_config/metadata.json",
   "identity_token_expires_after_seconds": 3600,
   "refresh_token_expires_after_seconds": 86400,
   "refresh_identity_token_after_seconds": 900,
@@ -38,15 +39,8 @@
   "client_side_token_generate_log_invalid_http_origins": true,
   "salts_expired_shutdown_hours": 12,
   "operator_type": "public",
-  "encrypted_files": true,
-  "runtime_config_store": {
-    "type": "file",
-    "config" : {
-      "path": "conf/runtime-config-defaults.json",
-      "format": "json"
-    },
-    "config_scan_period_ms": 5000
-  },
-  "disable_optout_token": false,
-  "enable_remote_config": false
+  "encrypted_files": false,
+  "disable_optout_token": true,
+  "enable_remote_config": false,
+  "uid_instance_id_prefix": "local-operator"
 }