Merge pull request #636 from IABTechLab/tjm-UID2-3194-azure-env-varia…

…bles Prevent the addition of environment variables for Azure
IABTechLab · Jun 17, 2024 · cb7703c · cb7703c
2 parents 9cf89bb + a62593f
commit cb7703c
Show file tree

Hide file tree

Showing 3 changed files with 32 additions and 6 deletions.
diff --git a/pom.xml b/pom.xml
@@ -6,7 +6,7 @@
 
     <groupId>com.uid2</groupId>
     <artifactId>uid2-operator</artifactId>
-    <version>5.37.15</version>
+    <version>5.37.17-alpha-110-SNAPSHOT</version>
 
     <properties>
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>

diff --git a/scripts/azure-cc/deployment/generate-deployment-artifacts.sh b/scripts/azure-cc/deployment/generate-deployment-artifacts.sh
@@ -76,9 +76,15 @@ if [[ $? -ne 0 ]]; then
   exit 1
 fi
 
+# Export the policy, update it to turn off allow_environment_variable_dropping, and then insert it into the template
+# note that the EnclaveId is generated by generate.py on the raw policy, not the base64 version
 POLICY_DIGEST_FILE=azure-cc-operator-digest-$VERSION_NUMBER.txt
-az confcom acipolicygen --approve-wildcards --template-file ${OUTPUT_DIR}/operator.json > ${MANIFEST_DIR}/${POLICY_DIGEST_FILE}
-if [[ $? -ne 0 ]]; then
-  echo "Failed to generate operator template file"
-  exit 1
-fi
+az confcom acipolicygen --approve-wildcards --template-file ${OUTPUT_DIR}/operator.json --print-policy > ${INPUT_DIR}/policy.base64
+base64 -di < ${INPUT_DIR}/policy.base64 > ${INPUT_DIR}/generated.rego
+sed -i "s#allow_environment_variable_dropping := true#allow_environment_variable_dropping := false#g" ${INPUT_DIR}/generated.rego
+base64 -w0 < ${INPUT_DIR}/generated.rego > ${INPUT_DIR}/generated.rego.base64
+python3 ${SCRIPT_DIR}/generate.py ${INPUT_DIR}/generated.rego > ${MANIFEST_DIR}/${POLICY_DIGEST_FILE}
+
+cp ${OUTPUT_DIR}/operator.json ${INPUT_DIR}/source.json
+jq --arg policy "$(cat ${INPUT_DIR}/generated.rego.base64)" '.resources[].properties.confidentialComputeProperties.ccePolicy = $policy' ${INPUT_DIR}/source.json > ${OUTPUT_DIR}/operator.json
+
diff --git a/scripts/azure-cc/deployment/generate.py b/scripts/azure-cc/deployment/generate.py
@@ -0,0 +1,20 @@
+import sys
+from hashlib import sha256
+
+def str_to_sha256(x: str) -> str:
+    return sha256(x.encode('utf-8')).hexdigest()
+
+def print_data_sha256(data: str) -> str:
+    print(str_to_sha256(data))
+
+def print_data_sha256_stripped(data: str) -> str:
+    print(str_to_sha256(data.strip()))
+
+def main():
+    with open(sys.argv[1], 'r') as file:
+        data = file.read()
+
+    print_data_sha256(data)
+
+if __name__ == '__main__':
+    main()