From 06e664c7830665590f0795f5a8f062bf8ff2daec Mon Sep 17 00:00:00 2001
From: Thomas Manson
Date: Mon, 17 Jun 2024 09:47:02 +1000
Subject: [PATCH 1/4] Prevent the adding of env variables to Azure operator
---
.../generate-deployment-artifacts.sh | 16 ++++++++++-----
scripts/azure-cc/deployment/generate.py | 20 +++++++++++++++++++
2 files changed, 31 insertions(+), 5 deletions(-)
create mode 100644 scripts/azure-cc/deployment/generate.py
diff --git a/scripts/azure-cc/deployment/generate-deployment-artifacts.sh b/scripts/azure-cc/deployment/generate-deployment-artifacts.sh
index 375511366..4e6cf97b8 100644
--- a/scripts/azure-cc/deployment/generate-deployment-artifacts.sh
+++ b/scripts/azure-cc/deployment/generate-deployment-artifacts.sh
@@ -76,9 +76,15 @@ if [[ $? -ne 0 ]]; then
 exit 1
 fi
 
+# Export the policy, update it to turn off allow_environment_variable_dropping, and then insert it into the template
+# note that the EnclaveId is generated by generate.py on the raw policy, not the base64 version
 POLICY_DIGEST_FILE=azure-cc-operator-digest-$VERSION_NUMBER.txt
-az confcom acipolicygen --approve-wildcards --template-file ${OUTPUT_DIR}/operator.json > ${MANIFEST_DIR}/${POLICY_DIGEST_FILE}
-if [[ $? -ne 0 ]]; then
- echo "Failed to generate operator template file"
- exit 1
-fi
+az confcom acipolicygen --approve-wildcards --template-file ${OUTPUT_DIR}/operator.json --print-policy > ${OUTPUT_DIR}/policy.base64
+base64 -di < ${OUTPUT_DIR}/policy.base64 > ${OUTPUT_DIR}/generated.rego
+sed -i "s#allow_environment_variable_dropping := true#allow_environment_variable_dropping := false#g" ${OUTPUT_DIR}/generated.rego
+base64 -w0 < ${OUTPUT_DIR}/generated.rego > ${OUTPUT_DIR}/generated.rego.base64
+python3 ${SCRIPT_DIR}/generate.py ${OUTPUT_DIR}/generated.rego > ${MANIFEST_DIR}/${POLICY_DIGEST_FILE}
+
+cp ${OUTPUT_DIR}/operator.json ${OUTPUT_DIR}/source.json
+jq --arg policy "$(cat ${OUTPUT_DIR}/generated.rego.base64)" '.resources[].properties.confidentialComputeProperties.ccePolicy = $policy' ${OUTPUT_DIR}/source.json > ${OUTPUT_DIR}/operator.json
+
diff --git a/scripts/azure-cc/deployment/generate.py b/scripts/azure-cc/deployment/generate.py
new file mode 100644
index 000000000..07845beac
--- /dev/null
+++ b/scripts/azure-cc/deployment/generate.py
@@ -0,0 +1,20 @@
+import sys
+from hashlib import sha256
+
+def str_to_sha256(x: str) -> str:
+ return sha256(x.encode('utf-8')).hexdigest()
+
+def print_data_sha256(data: str) -> str:
+ print(str_to_sha256(data))
+
+def print_data_sha256_stripped(data: str) -> str:
+ print(str_to_sha256(data.strip()))
+
+def main():
+ with open(sys.argv[1], 'r') as file:
+ data = file.read()
+
+ print_data_sha256(data)
+
+if __name__ == '__main__':
+ main()
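Review bot: The new `az confcom acipolicygen ... --print-policy` line drops the exit-status check the removed lines had, and none of the five commands after it (`base64 -di`, `sed`, `base64 -w0`, `generate.py`, `jq`) is checked either, so a failed or empty policy export silently yields an empty `generated.rego`, a digest of the empty string in `POLICY_DIGEST_FILE`, and an `operator.json` whose `ccePolicy` is empty — the artifact looks complete but ships without the hardened policy. The `sed` is likewise a silent no-op if a newer `acipolicygen` emits `allow_environment_variable_dropping` in a different textual form, which would quietly defeat the purpose of this commit. Unless the script enables `set -e` further up (not visible here; the old explicit `$?` checks suggest it does not), each step should fail the build and the effect of the `sed` should be asserted before the policy is embedded.
```shell
az confcom acipolicygen --approve-wildcards --template-file ${OUTPUT_DIR}/operator.json --print-policy > ${OUTPUT_DIR}/policy.base64 || { echo "Failed to export operator CCE policy"; exit 1; }
base64 -di < ${OUTPUT_DIR}/policy.base64 > ${OUTPUT_DIR}/generated.rego || { echo "Failed to decode operator CCE policy"; exit 1; }
sed -i "s#allow_environment_variable_dropping := true#allow_environment_variable_dropping := false#g" ${OUTPUT_DIR}/generated.rego
# Fail loudly rather than embed a policy that still lets the host drop env variables
if ! grep -q 'allow_environment_variable_dropping := false' ${OUTPUT_DIR}/generated.rego; then
  echo "Generated policy does not set allow_environment_variable_dropping := false"
  exit 1
fi
# … unchanged: base64 -w0 re-encoding …
python3 ${SCRIPT_DIR}/generate.py ${OUTPUT_DIR}/generated.rego > ${MANIFEST_DIR}/${POLICY_DIGEST_FILE} || { echo "Failed to compute policy digest"; exit 1; }
# … unchanged: cp and jq insertion of the base64 policy …
```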
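Review bot: `main` opens the rego in text mode (`open(sys.argv[1], 'r')`), so the digest is computed over content decoded with the platform default encoding, with universal-newline translation applied, and then re-encoded as UTF-8 in `str_to_sha256` — not over the bytes that `base64 -w0` actually embeds in the template. The shell comment says this digest is the EnclaveId derived from the raw policy; presumably the verifying side hashes the exact rego bytes, so CRLF or non-UTF-8 content would make the published digest disagree with the deployed policy — confirm against the consumer. Hashing bytes directly removes the question: `with open(sys.argv[1], 'rb') as file:` followed by `print(sha256(file.read()).hexdigest())`. Separately, `print_data_sha256` and `print_data_sha256_stripped` are annotated `-> str` but return `None`, and the `_stripped` variant is never called — drop it or annotate both `-> None`.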
From b2435284acd23a207dcf17c3fa3bb71afeeccc95 Mon Sep 17 00:00:00 2001
From: Release Workflow
Date: Sun, 16 Jun 2024 23:49:55 +0000
Subject: [PATCH 2/4] [CI Pipeline] Released Snapshot version: 5.37.16-alpha-109-SNAPSHOT
---
pom.xml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pom.xml b/pom.xml
index 0754e7e4b..afe4c3796 100644
--- a/pom.xml
+++ b/pom.xml
@@ -6,7 +6,7 @@ com.uid2 uid2-operator - 5.37.15 + 5.37.16-alpha-109-SNAPSHOT UTF-8
From 65c8d155525676d8676e630df4d92e98b67485d6 Mon Sep 17 00:00:00 2001
From: Thomas Manson
Date: Mon, 17 Jun 2024 10:19:48 +1000
Subject: [PATCH 3/4] Removed the temp files from the output
---
.../deployment/generate-deployment-artifacts.sh | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/scripts/azure-cc/deployment/generate-deployment-artifacts.sh b/scripts/azure-cc/deployment/generate-deployment-artifacts.sh
index 4e6cf97b8..4dd4252c6 100644
--- a/scripts/azure-cc/deployment/generate-deployment-artifacts.sh
+++ b/scripts/azure-cc/deployment/generate-deployment-artifacts.sh
@@ -79,12 +79,12 @@ fi
 # Export the policy, update it to turn off allow_environment_variable_dropping, and then insert it into the template
 # note that the EnclaveId is generated by generate.py on the raw policy, not the base64 version
 POLICY_DIGEST_FILE=azure-cc-operator-digest-$VERSION_NUMBER.txt
-az confcom acipolicygen --approve-wildcards --template-file ${OUTPUT_DIR}/operator.json --print-policy > ${OUTPUT_DIR}/policy.base64
-base64 -di < ${OUTPUT_DIR}/policy.base64 > ${OUTPUT_DIR}/generated.rego
-sed -i "s#allow_environment_variable_dropping := true#allow_environment_variable_dropping := false#g" ${OUTPUT_DIR}/generated.rego
-base64 -w0 < ${OUTPUT_DIR}/generated.rego > ${OUTPUT_DIR}/generated.rego.base64
-python3 ${SCRIPT_DIR}/generate.py ${OUTPUT_DIR}/generated.rego > ${MANIFEST_DIR}/${POLICY_DIGEST_FILE}
+az confcom acipolicygen --approve-wildcards --template-file ${OUTPUT_DIR}/operator.json --print-policy > ${INPUT_DIR}/policy.base64
+base64 -di < ${INPUT_DIR}/policy.base64 > ${INPUT_DIR}/generated.rego
+sed -i "s#allow_environment_variable_dropping := true#allow_environment_variable_dropping := false#g" ${INPUT_DIR}/generated.rego
+base64 -w0 < ${INPUT_DIR}/generated.rego > ${INPUT_DIR}/generated.rego.base64
+python3 ${SCRIPT_DIR}/generate.py ${INPUT_DIR}/generated.rego > ${MANIFEST_DIR}/${POLICY_DIGEST_FILE}
 
-cp ${OUTPUT_DIR}/operator.json ${OUTPUT_DIR}/source.json
-jq --arg policy "$(cat ${OUTPUT_DIR}/generated.rego.base64)" '.resources[].properties.confidentialComputeProperties.ccePolicy = $policy' ${OUTPUT_DIR}/source.json > ${OUTPUT_DIR}/operator.json
+cp ${OUTPUT_DIR}/operator.json ${INPUT_DIR}/source.json
+jq --arg policy "$(cat ${INPUT_DIR}/generated.rego.base64)" '.resources[].properties.confidentialComputeProperties.ccePolicy = $policy' ${INPUT_DIR}/source.json > ${OUTPUT_DIR}/operator.json
 
From a62593fa85a7149393838a2ac93c0a7a5d65818c Mon Sep 17 00:00:00 2001
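Review bot: The intermediate files (`policy.base64`, `generated.rego`, `generated.rego.base64`, `source.json`) are relocated into `${INPUT_DIR}` rather than removed, so the commit title overstates the change: they are still left behind, now next to the inputs, where a stale `generated.rego` from an earlier run can be picked up by `generate.py` or `jq` if a preceding step fails (none of these commands checks its exit status). A scratch directory cleaned up on exit is the usual shape here: `TMP_DIR=$(mktemp -d); trap 'rm -rf "$TMP_DIR"' EXIT` near the top of the script, with `${INPUT_DIR}` replaced by `${TMP_DIR}` on these seven lines. Where `INPUT_DIR` is defined and whether it is the source checkout is not visible in this hunk.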
From: Release Workflow
Date: Mon, 17 Jun 2024 00:22:59 +0000
Subject: [PATCH 4/4] [CI Pipeline] Released Snapshot version: 5.37.17-alpha-110-SNAPSHOT
---
pom.xml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pom.xml b/pom.xml
index afe4c3796..8366cc540 100644
--- a/pom.xml
+++ b/pom.xml
@@ -6,7 +6,7 @@ com.uid2 uid2-operator - 5.37.16-alpha-109-SNAPSHOT + 5.37.17-alpha-110-SNAPSHOT UTF-8