Refactoring UserIdentity logics

.github/actions/build_ami/action.yaml

@@ -59,7 +59,7 @@ runs:
       uses: actions/checkout@v4
 
     - name: Get EIF for Release ${{ inputs.operator_release }}
-      uses: IABTechLab/uid2-operator/.github/actions/download_release_artifact@main
+      uses: ./.github/actions/download_release_artifact
       if: ${{ inputs.operator_release != '' }}
       with:
         github_token: ${{ inputs.github_token }}
@@ -87,6 +87,11 @@ runs:
         FILE=$(echo $ARTIFACTS | jq -r '.[0].name')
         unzip -o -d ./scripts/aws/uid2-operator-ami/artifacts $FILE.zip
         rm $FILE.zip
+        cd "./scripts/aws/uid2-operator-ami/artifacts/"
+        zip "uid2operatoreif.zip" "uid2operator.eif"
+        cd -
+        rm ./scripts/aws/uid2-operator-ami/artifacts/uid2operator.eif
+        ls ./scripts/aws/uid2-operator-ami/artifacts/ -al
 
     - name: Configure UID2 AWS credentials
       uses: aws-actions/configure-aws-credentials@v4

.github/actions/build_aws_eif/action.yaml

@@ -96,8 +96,9 @@ runs:
 
         cp ${{ steps.buildFolder.outputs.BUILD_FOLDER }}/identity_scope.txt                                       ${ARTIFACTS_OUTPUT_DIR}/
         cp ${{ steps.buildFolder.outputs.BUILD_FOLDER }}/version_number.txt                                       ${ARTIFACTS_OUTPUT_DIR}/
-        cp ./scripts/aws/start.sh                                                                                 ${ARTIFACTS_OUTPUT_DIR}/
-        cp ./scripts/aws/stop.sh                                                                                  ${ARTIFACTS_OUTPUT_DIR}/
+        cp ./scripts/aws/ec2.py                                                                                   ${ARTIFACTS_OUTPUT_DIR}/
+        cp ./scripts/confidential_compute.py                                                                      ${ARTIFACTS_OUTPUT_DIR}/
+        cp ./scripts/aws/requirements.txt                                                                         ${ARTIFACTS_OUTPUT_DIR}/
         cp ./scripts/aws/proxies.host.yaml                                                                        ${ARTIFACTS_OUTPUT_DIR}/
         cp ./scripts/aws/sockd.conf                                                                               ${ARTIFACTS_OUTPUT_DIR}/
         cp ./scripts/aws/uid2operator.service                                                                     ${ARTIFACTS_OUTPUT_DIR}/
@@ -116,10 +117,22 @@ runs:
         docker cp amazonlinux:/sockd                                    ${ARTIFACTS_OUTPUT_DIR}/
         docker cp amazonlinux:/vsockpx                                  ${ARTIFACTS_OUTPUT_DIR}/
         docker cp amazonlinux:/${{ inputs.identity_scope }}operator.eif ${ARTIFACTS_OUTPUT_DIR}/uid2operator.eif
+
+        eifsize=$(wc -c < "${ARTIFACTS_OUTPUT_DIR}/uid2operator.eif")
+        if [ $eifsize -le 1 ]; then
+          echo "The eif was less then 1 byte. This indicates a build failure"
+          exit 1
+        fi
 
         docker cp amazonlinux:/pcr0.txt                                 ${{ steps.buildFolder.outputs.BUILD_FOLDER }}
         docker cp amazonlinux:/pcr0.txt                                 ${ARTIFACTS_OUTPUT_DIR}/
         echo "enclave_id=$(cat ${{ steps.buildFolder.outputs.BUILD_FOLDER}}/pcr0.txt)" >> $GITHUB_OUTPUT
+
+        pcrsize=$(wc -c < "${{ steps.buildFolder.outputs.BUILD_FOLDER}}/pcr0.txt")
+        if [ $pcrsize -le 1 ]; then
+          echo "The pcr0.txt file was less then 1 byte. This indicates a build failure"
+          exit 1
+        fi
 
     - name: Cleanup
       shell: bash

.github/actions/build_eks_docker_image/action.yaml

@@ -47,7 +47,7 @@ runs:
         mkdir ${{ inputs.artifacts_output_dir }} -p
 
     - name: Get EIF for Release ${{ inputs.operator_release }}
-      uses: IABTechLab/uid2-operator/.github/actions/download_release_artifact@main
+      uses: ./.github/actions/download_release_artifact
       if: ${{ inputs.operator_release != '' }}
       with:
         github_token: ${{ inputs.github_token }}

.github/actions/install_az_cli/action.yaml

@@ -0,0 +1,36 @@
+name: 'Install Azure CLI'
+description: 'Install Azure CLI'
+runs:
+  using: 'composite'
+  steps:
+    - name: uninstall azure-cli
+      shell: bash
+      run: |
+        sudo apt-get remove -y azure-cli
+
+    - name: install azure-cli 2.61.0
+      shell: bash
+      run: |
+        sudo apt-get update
+        sudo apt-get install apt-transport-https ca-certificates curl gnupg lsb-release
+        sudo mkdir -p /etc/apt/keyrings
+        curl -sLS https://packages.microsoft.com/keys/microsoft.asc |
+          gpg --dearmor | sudo tee /etc/apt/keyrings/microsoft.gpg > /dev/null
+        sudo chmod go+r /etc/apt/keyrings/microsoft.gpg
+        AZ_DIST=$(lsb_release -cs)
+        echo "Types: deb
+        URIs: https://packages.microsoft.com/repos/azure-cli/
+        Suites: ${AZ_DIST}
+        Components: main
+        Architectures: $(dpkg --print-architecture)
+        Signed-by: /etc/apt/keyrings/microsoft.gpg" | sudo tee /etc/apt/sources.list.d/azure-cli.sources
+        sudo apt-get update
+        sudo apt-get install azure-cli
+
+        apt-cache policy azure-cli
+        # Obtain the currently installed distribution
+        AZ_DIST=$(lsb_release -cs)
+        # Store an Azure CLI version of choice
+        AZ_VER=2.61.0
+        # Install a specific version
+        sudo apt-get install azure-cli=${AZ_VER}-1~${AZ_DIST} --allow-downgrades

.github/actions/update_operator_version/action.yaml

@@ -34,7 +34,7 @@ runs:
   steps:
     - name: Check branch and release type
       id: checkRelease
-      uses: IABTechLab/uid2-shared-actions/actions/check_branch_and_release_type@v2
+      uses: IABTechLab/uid2-shared-actions/actions/check_branch_and_release_type@v3
       with:
         release_type: ${{ inputs.release_type }}
 
@@ -43,7 +43,7 @@ runs:
       uses: trstringer/manual-approval@v1
       with:
         secret: ${{ github.token }}
-        approvers: thomasm-ttd,atarassov-ttd,cody-constine-ttd
+        approvers: atarassov-ttd,vishalegbert-ttd,sunnywu,cody-constine-ttd
         minimum-approvals: 1
         issue-title: Creating Major version of UID2-Operator
 
@@ -81,7 +81,7 @@ runs:
 
     - name: Set version number
       id: version
-      uses: IABTechLab/uid2-shared-actions/actions/version_number@v2
+      uses: IABTechLab/uid2-shared-actions/actions/version_number@v3
       with:
         type: ${{ inputs.release_type }}
         version_number: ${{ inputs.version_number_input }}

.github/workflows/build-and-test.yaml

@@ -3,7 +3,7 @@ on: [pull_request, push, workflow_dispatch]
 
 jobs:
   build:
-    uses: IABTechLab/uid2-shared-actions/.github/workflows/shared-build-and-test.yaml@v2
+    uses: IABTechLab/uid2-shared-actions/.github/workflows/shared-build-and-test.yaml@v3
     with:
       java_version: 21
     secrets: inherit

.github/workflows/build-uid2-ami.yaml

@@ -42,7 +42,7 @@ jobs:
 
       - name: Build UID2 Operator AMI
         id: buildAMI
-        uses: IABTechLab/uid2-operator/.github/actions/build_ami@main
+        uses: ./.github/actions/build_ami
         with:
           identity_scope: uid2
           eif_repo_owner: ${{ env.REPO_OWNER }}
@@ -92,7 +92,7 @@ jobs:
 
         - name: Build EUID Operator AMI
           id: buildAMI
-          uses: IABTechLab/uid2-operator/.github/actions/build_ami@main
+          uses: ./.github/actions/build_ami
           with:
             identity_scope: euid
             eif_repo_owner: ${{ env.REPO_OWNER }}

.github/workflows/publish-all-operators.yaml

@@ -1,5 +1,5 @@
 name: Publish All Operators
-run-name: ${{ format('Publish All Operators - {0} Release', inputs.release_type) }}
+run-name: ${{ format('Publish All Operators - {0} Release', github.event.inputs.release_type || 'scheduled') }}
 on:
   workflow_dispatch:
     inputs:
@@ -18,6 +18,8 @@ on:
         - CRITICAL,HIGH
         - CRITICAL,HIGH,MEDIUM
         - CRITICAL (DO NOT use if JIRA ticket not raised)
+  schedule:
+    - cron: "0 0 * * *"
 
 jobs:
   start:
@@ -26,13 +28,25 @@ jobs:
     outputs:
         new_version: ${{ steps.version.outputs.new_version }}
         commit_sha: ${{ steps.commit-and-tag.outputs.commit_sha }}
+        release_type: ${{ steps.set-env.outputs.release_type }}
+        vulnerability_severity: ${{ steps.set-env.outputs.vulnerability_severity }}
+    env:
+        RELEASE_TYPE: ${{ inputs.release_type || (github.event_name == 'schedule' && 'patch') }}
+        VULNERABILITY_SEVERITY: ${{ inputs.vulnerability_severity || (github.event_name == 'schedule' && 'CRITICAL,HIGH') }}
     steps:
+      - name: Set Environment Variables
+        id: set-env
+        run: |
+          echo "release_type=${{ inputs.release_type || (github.event_name == 'schedule' && 'patch') }}" >> $GITHUB_ENV
+          echo "vulnerability_severity=${{ inputs.vulnerability_severity || (github.event_name == 'schedule' && 'CRITICAL,HIGH') }}" >> $GITHUB_ENV
+          echo "release_type=${RELEASE_TYPE}" >> $GITHUB_OUTPUT
+          echo "vulnerability_severity=${VULNERABILITY_SEVERITY}" >> $GITHUB_OUTPUT
       - name: Approve Major release
-        if: inputs.release_type == 'Major'
+        if: env.RELEASE_TYPE == 'Major'
         uses: trstringer/manual-approval@v1
         with:
           secret: ${{ github.token }}
-          approvers: thomasm-ttd,atarassov-ttd,cody-constine-ttd
+          approvers: atarassov-ttd,vishalegbert-ttd,sunnywu,cody-constine-ttd
           minimum-approvals: 1
           issue-title: Creating Major version of UID2-Operator
 
@@ -45,7 +59,7 @@ jobs:
             GITHUB_CONTEXT: ${{ toJson(github) }}
 
       - name: Check branch and release type
-        uses: IABTechLab/uid2-shared-actions/actions/check_branch_and_release_type@v2
+        uses: IABTechLab/uid2-shared-actions/actions/check_branch_and_release_type@v3
         with:
           release_type: ${{ inputs.release_type }}
 
@@ -55,16 +69,17 @@ jobs:
           fetch-depth: 0
 
       - name: Scan vulnerabilities
-        uses: IABTechLab/uid2-shared-actions/actions/vulnerability_scan_filesystem@v2
+        uses: IABTechLab/uid2-shared-actions/actions/vulnerability_scan@v3
         with:
           scan_severity: HIGH,CRITICAL
           failure_severity: CRITICAL
+          scan_type: 'fs'
 
       - name: Set version number
         id: version
-        uses: IABTechLab/uid2-shared-actions/actions/version_number@v2
+        uses: IABTechLab/uid2-shared-actions/actions/version_number@v3
         with:
-          type: ${{ inputs.release_type }}
+          type: ${{ env.RELEASE_TYPE }}
           branch_name: ${{ github.ref }}
 
       - name: Update pom.xml
@@ -79,47 +94,47 @@ jobs:
         uses: IABTechLab/uid2-shared-actions/actions/commit_pr_and_merge@v3
         with:
           add: 'pom.xml version.json'
-          message: 'Released ${{ inputs.release_type }} version: ${{ steps.version.outputs.new_version }}'
+          message: 'Released ${{ env.RELEASE_TYPE }} version: ${{ steps.version.outputs.new_version }}'
           tag: v${{ steps.version.outputs.new_version }} 
 
   buildPublic:
     name: Public Operator
     needs: start
     uses: ./.github/workflows/publish-public-operator-docker-image.yaml
     with:
-      release_type: ${{ inputs.release_type }}
+      release_type: ${{ needs.start.outputs.release_type }}
       version_number_input: ${{ needs.start.outputs.new_version }}
-      vulnerability_severity: ${{ inputs.vulnerability_severity }}
+      vulnerability_severity: ${{ needs.start.outputs.vulnerability_severity }}
     secrets: inherit
 
   buildGCP:
     name: GCP Private Operator
     needs: start
     uses: ./.github/workflows/publish-gcp-oidc-enclave-docker.yaml
     with:
-      release_type: ${{ inputs.release_type }}
+      release_type: ${{ needs.start.outputs.release_type }}
       version_number_input: ${{ needs.start.outputs.new_version }}
       commit_sha: ${{ needs.start.outputs.commit_sha }}
-      vulnerability_severity: ${{ inputs.vulnerability_severity }}
+      vulnerability_severity: ${{ needs.start.outputs.vulnerability_severity }}
     secrets: inherit
 
   buildAzure:
     name: Azure Private Operator
     needs: start
     uses: ./.github/workflows/publish-azure-cc-enclave-docker.yaml
     with:
-      release_type: ${{ inputs.release_type }}
+      release_type: ${{ needs.start.outputs.release_type }}
       version_number_input: ${{ needs.start.outputs.new_version }}
       commit_sha: ${{ needs.start.outputs.commit_sha }}
-      vulnerability_severity: ${{ inputs.vulnerability_severity }}
+      vulnerability_severity: ${{ needs.start.outputs.vulnerability_severity }}
     secrets: inherit
 
   buildAWS:
     name: AWS Private Operator EIF
     needs: start
     uses: ./.github/workflows/publish-aws-nitro-eif.yaml
     with:
-      release_type: ${{ inputs.release_type }}
+      release_type: ${{ needs.start.outputs.release_type }}
       version_number_input: ${{ needs.start.outputs.new_version }}
       commit_sha: ${{ needs.start.outputs.commit_sha }}
     secrets: inherit
@@ -132,18 +147,11 @@ jobs:
       operator_run_number: ${{ github.run_id }}
     secrets: inherit
 
-  buildEKS:
-    name: Build AWS EKS Docker
-    needs: [start, buildAWS]
-    uses: ./.github/workflows/publish-aws-eks-nitro-enclave-docker.yaml
-    with:
-      operator_run_number: ${{ github.run_id }}
-    secrets: inherit
-
   createRelease:
     name: Create Release
     runs-on: ubuntu-latest
-    needs: [start, buildPublic, buildGCP, buildAzure, buildAWS, buildAMI, buildEKS]
+    if: github.event_name == 'workflow_dispatch'
+    needs: [start, buildPublic, buildGCP, buildAzure, buildAWS, buildAMI]
     steps:
       - name: Checkout repo
         uses: actions/checkout@v4
@@ -162,12 +170,18 @@ jobs:
           pattern: gcp-oidc-enclave-ids-*
           path: ./manifests/gcp_oidc_operator
 
-      - name: Download Azure manifest
+      - name: Download Azure CC manifest
         uses: actions/download-artifact@v4
         with:
           pattern: azure-cc-enclave-id-*
           path: ./manifests/azure_cc_operator
 
+      - name: Download Azure AKS manifest
+        uses: actions/download-artifact@v4
+        with:
+          pattern: azure-aks-enclave-id-*
+          path: ./manifests/azure_aks_operator
+
       - name: Download EIF manifest
         uses: actions/download-artifact@v4
         with:
@@ -180,12 +194,6 @@ jobs:
           pattern: 'aws-ami-ids-*'
           path: ./manifests/aws_ami
 
-      - name: Download AWS EKS manifest
-        uses: actions/download-artifact@v4
-        with:
-          pattern: 'aws-eks-enclave-ids-*'
-          path: ./manifests/aws_eks
-
       - name: Download Deployment Files
         uses: actions/download-artifact@v4
         with:
@@ -216,6 +224,7 @@ jobs:
           (cd ./deployment/aws-euid-deployment-files-${{ needs.start.outputs.new_version }} && zip -r ../../aws-euid-deployment-files-${{ needs.start.outputs.new_version }}.zip . )
           (cd ./deployment/aws-uid2-deployment-files-${{ needs.start.outputs.new_version }} && zip -r ../../aws-uid2-deployment-files-${{ needs.start.outputs.new_version }}.zip . )
           (cd ./deployment/azure-cc-deployment-files-${{ needs.start.outputs.new_version }} && zip -r ../../azure-cc-deployment-files-${{ needs.start.outputs.new_version }}.zip . )
+          (cd ./deployment/azure-aks-deployment-files-${{ needs.start.outputs.new_version }} && zip -r ../../azure-aks-deployment-files-${{ needs.start.outputs.new_version }}.zip . )
           (cd ./deployment/gcp-oidc-deployment-files-${{ needs.start.outputs.new_version }} && zip -r ../../gcp-oidc-deployment-files-${{ needs.start.outputs.new_version }}.zip . )
           (cd manifests && zip -r ../uid2-operator-release-manifests-${{ needs.start.outputs.new_version }}.zip .)
 
@@ -229,5 +238,19 @@ jobs:
               ./aws-euid-deployment-files-${{ needs.start.outputs.new_version }}.zip
               ./aws-uid2-deployment-files-${{ needs.start.outputs.new_version }}.zip
               ./azure-cc-deployment-files-${{ needs.start.outputs.new_version }}.zip
+              ./azure-aks-deployment-files-${{ needs.start.outputs.new_version }}.zip
               ./gcp-oidc-deployment-files-${{ needs.start.outputs.new_version }}.zip
               ./uid2-operator-release-manifests-${{ needs.start.outputs.new_version }}.zip
+  notifyFailure:
+      name: Notify Slack on Failure
+      runs-on: ubuntu-latest
+      if: failure() && github.ref == 'refs/heads/main'
+      needs: [start, buildPublic, buildGCP, buildAzure, buildAWS, buildAMI]
+      steps:
+        - name: Send Slack Alert
+          env:
+            SLACK_COLOR: danger
+            SLACK_MESSAGE: ':x: Operator Pipeline failed'
+            SLACK_TITLE: Pipeline Failed in ${{ github.workflow }}
+            SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
+          uses: rtCamp/action-slack-notify@v2