Add Azure support

[takuro-sato]

Adding Azure support

This PR is adding support for deployment of Google's Bidding and Auction Services on Azure.

Azure Privacy Sandbox architecture: https://1drv.ms/w/s!AmI-86sms1pYqJ5Uqgo5Qv2Ynmrcmw?e=BDC8BH (We'll make a PR for the document in https://github.com/privacysandbox/protected-auction-services-docs/tree/main in future)

Now B&A services can fetch private and public HPKE keys from an Azure KMS, specifically designed to support the B&A services, and handle test requests. To try this changes locally, please visit here.

The PR for bidding-auction-servers repository: https://github.com/privacysandbox/bidding-auction-servers/pull/9

Changes

• Add Azure support
  • Add Azure configurations. e.g. --platform=azure (for Bazel), kAzure (C++ enum value).
  • Add Azure implementation for selected interfaces under cpio/client_providers/

• Add aci_attestation_lib library to fetch attestation in Azure Confidential ACI. We implemented the core functionality of:

  • kms_client_provider
  • parameter_client_provider
  • private_key_fetcher_provider
  • private_key_fetcher_provider.

  On the other hand, we haven't started implementing the following interfaces:

  • auth_token_provider
  • role_credentials_provider

  Also we return dummy values for instance_client_provider for now. Please see "TODOs for future PRs" section for the details.

TODOs for future PRs

• auth_token_provider is not implemented yet. So private_key_fetcher_provider and kms_client_provider are not using authentication token when accessing Azure KMS. It will be implemented using Azure Active Directory (Azure AD).
• instance_client_provider currently returns dummy values. It will be implemented properly after Azure auth_token_provider is ready.
• URL to decrypt the wrapped HPKE key is hard coded as kKMSUnwrapPath. We will either put the URL in KeyData::key_encryption_key_uri or use an environment variable
• Implement telemetry's init_azure
• Implement role_credentials_provider
• Handle private_key_cache_ttl_seconds option.
• Allow to specify key_id for private key API PrivateKeyFetchingRequest.
• Separate azure_cpio_lib_inside_tee and azure_cpio_lib_outside_tee implementation. Current azure_cpio_lib_inside_tee uses fake attestation report silently when it's outside TEE.
• Improve aci_attestation_lib library
  • Add tests. We test them regularly with our internal CI, but we haven't written tests in a similar way as the existing code base.
  • Follow the coding convention
  • Attest to an ephemeral wrapping key as a runtime claim in report_data as a proof-of-possession of a private key that can unwrap the private HPKE key
• Improve definition for Azure blob_storage_client_provider. We defined azure_platform for blob_storage_client_provider_select_lib using the GCP implementation under /src/gcp. We think it's not used in B&A services, but we added it just to avoid build errors when we run build_and_test_all_in_docker.
• Add azure_platform for test_lib_cpio_provider
• Fix license under cloud_initializer/src/azure/ directory. We copied the gcp implementation, but accidentally added the Microsoft copyright. We made this PR without the fix because testing is expensive with our internal test infrastructure at this moment. We'll fix them within this PR if there is other change that needs to be made before merging.

[google-cla[bot]]

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.