Moving KMS to github to prepare open sourcing

.devcontainer/Dockerfile.devcontainer

@@ -0,0 +1,58 @@
+# Base container image which is built nightly
+# Used as a starting point to make building other containers fast
+
+ARG BASE_CCF_IMAGE=5.0.0-dev10-virtual
+ARG ENVIRONMENT=devcontainer
+
+# ignore this hadolint error as BASE_IMAGE contains an image tag
+# hadolint ignore=DL3006
+FROM mcr.microsoft.com/ccf/app/dev:${BASE_CCF_IMAGE} as base
+
+# Custom Deps
+RUN apt-get update && apt-get install -y \
+    python3-pip \
+    openssh-client \
+    make \
+    libuv1 \
+    jq \
+    lsof \
+    sudo \
+    tar \
+    default-jre
+
+# Install Node.js
+RUN curl -fsSL https://deb.nodesource.com/setup_current.x | bash -
+RUN apt-get install -y nodejs
+RUN pip install --upgrade pip setuptools
+
+
+RUN apt-get -y autoremove \
+    && apt-get -y clean
+
+# Install NPM
+ENV NVM_DIR /root/.nvm
+RUN curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.38.0/install.sh | bash \
+    && . $NVM_DIR/nvm.sh \
+    && nvm install node \
+    && nvm use node
+RUN . $NVM_DIR/nvm.sh \
+    && npm install -g npm@latest
+
+# Setup tinkey
+ENV TINKEY_VERSION=tinkey-1.10.1
+RUN curl -O https://storage.googleapis.com/tinkey/$TINKEY_VERSION.tar.gz
+RUN tar -xzvf $TINKEY_VERSION.tar.gz
+RUN cp tinkey /usr/bin/
+RUN cp tinkey_deploy.jar /usr/bin/
+RUN rm tinkey tinkey_deploy.jar tinkey.bat $TINKEY_VERSION.tar.gz
+
+# Define ci
+#FROM base as ci
+#RUN pip install -U -r ./requirements.txt
+
+
+# Define a devcontainer stage that includes the dist directory
+#FROM base as devcontainer
+#COPY ./dist ./dist
+#COPY requirements.txt .
+#RUN pip install -U -r ./requirements.txt

.devcontainer/devcontainer.json

@@ -0,0 +1,31 @@
+{
+  "name": "KMS Dev",
+  "build": {
+    "dockerfile": "Dockerfile.devcontainer",
+    "context": "..",
+  },
+  "postCreateCommand": "cd /workspaces/azure-privacy-sandbox-kms && npm i && make build",
+  "features": {
+    "ghcr.io/devcontainers/features/docker-in-docker:2": {
+      "version": "latest",
+      "enableNonRootDocker": "true",
+      "moby": "true",
+    },
+    "ghcr.io/devcontainers/features/common-utils:2": {},
+    "ghcr.io/devcontainers/features/node:1": {},
+  },
+  "customizations": {
+    "vscode": {
+      "extensions": [
+        "eamodio.gitlens",
+        "GitHub.copilot",
+        "ms-python.black-formatter",
+        "ms-python.python",
+        "ms-vscode.cpptools-extension-pack",
+      ],
+    },
+    "settings": {
+      "editor.defaultFormatter": "ms-python.black-formatter",
+    },
+  },
+}

.github/Dockerfile.ci

@@ -0,0 +1,37 @@
+# Base container image which is built nightly
+# Used as a starting point to make building other containers fast
+
+ARG BASE_CCF_IMAGE=5.0.0-dev10-virtual
+ARG ENVIRONMENT=ci
+
+# ignore this hadolint error as BASE_IMAGE contains an image tag
+# hadolint ignore=DL3006
+FROM mcr.microsoft.com/ccf/app/dev:${BASE_CCF_IMAGE} as base
+
+# Custom Deps
+RUN apt-get update && apt-get install -y \
+    python3-pip \
+    openssh-client \
+    make \
+    libuv1 \
+    jq \
+    lsof \
+    sudo \
+    tar \
+    default-jre
+
+# Install Node.js
+RUN curl -fsSL https://deb.nodesource.com/setup_current.x | bash -
+RUN apt-get install -y nodejs
+RUN pip install --upgrade pip setuptools
+
+RUN apt-get -y autoremove \
+ && apt-get -y clean
+
+# Setup tinkey
+ENV TINKEY_VERSION=tinkey-1.10.1
+RUN curl -O https://storage.googleapis.com/tinkey/$TINKEY_VERSION.tar.gz
+RUN tar -xzvf $TINKEY_VERSION.tar.gz
+RUN cp tinkey /usr/bin/
+RUN cp tinkey_deploy.jar /usr/bin/
+RUN rm tinkey tinkey_deploy.jar tinkey.bat $TINKEY_VERSION.tar.gz

.github/devcontainer.json

@@ -0,0 +1,16 @@
+{
+  "name": "KMS Dev",
+  "build": {
+    "dockerfile": "Dockerfile.ci",
+    "context": "..",
+  },
+  "postCreateCommand": "cd /workspaces/azure-privacy-sandbox-kms && npm i && make build",
+  "features": {
+    "ghcr.io/devcontainers/features/docker-in-docker:2": {
+      "version": "latest",
+      "enableNonRootDocker": "true",
+      "moby": "true",
+    },
+    "ghcr.io/devcontainers/features/common-utils:2": {},
+  },
+}

.github/workflows/ci.yml

@@ -0,0 +1,27 @@
+name: "KMS CI"
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  workflow_dispatch:
+
+jobs:
+  kms:
+    name: kms
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+          persist-credentials: false
+
+      - name: Build DevContainer
+        uses: devcontainers/ci@v0.3
+        with:
+          push: never
+          configFile: .github/devcontainer.json
+          runCmd: |
+            make demo

.gitignore

@@ -0,0 +1,9 @@
+dist
+node_modules
+package-lock.json
+vol
+.venv_ccf_sandbox
+workspace
+.env
+hello/
+ccf-app/

CONTRIBUTING.md

@@ -0,0 +1,7 @@
+Contributing
+
+Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit https://cla.opensource.microsoft.com.
+
+When you submit a pull request, a CLA bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., status check, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repos using our CLA.
+
+This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact opencode@microsoft.com with any additional questions or comments.

Makefile

@@ -0,0 +1,64 @@
+SHELL := /bin/bash
+CCF_NAME := "acceu-bingads-500dev10"
+PYTHON_VENV := .venv_ccf_sandbox
+CCF_WORKSPACE ?= .
+WORKSPACE ?= ${CCF_WORKSPACE}/workspace
+KMS_URL ?= https://127.0.0.1:8000
+KEYS_DIR ?= ${CCF_WORKSPACE}/workspace/sandbox_common
+
+ifeq ($(INSTALL),local)
+    CCFSB=../../CCF/tests/sandbox
+else
+    CCFSB=/opt/ccf_virtual/bin
+endif
+
+.PHONY: help
+.DEFAULT_GOAL := help
+
+help: ## 💬 This help message :)
+	@grep -E '[a-zA-Z_-]+:.*?## .*$$' $(firstword $(MAKEFILE_LIST)) | awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-22s\033[0m %s\n", $$1, $$2}'
+
+build: ## 🔨 Build the Application
+	@echo -e "\e[34m$@\e[0m" || true; 
+	./scripts/set_python_env.sh
+	npm run build
+
+# Start hosting the application using `sandbox.sh` and enable custom JWT authentication
+start-host: build  ## 🏃 Start the CCF network using Sandbox.sh
+	@echo -e "\e[34m$@\e[0m" || true
+	$(CCFSB)/sandbox.sh --js-app-bundle ./dist/ --initial-member-count 3 --initial-user-count 1 --constitution ./governance/constitution/kms_actions.js -v
+
+setup: ## Setup policies and generate a key
+	@echo -e "\e[34m$@\e[0m" || true
+	WORKSPACE=${CCF_WORKSPACE}/workspace; \
+	export WORKSPACE; \
+	./scripts/kms_create_key.sh --network-url "${KMS_URL}"  --certificate_dir "${KEYS_DIR}"
+
+demo: build ## 🎬 Demo the KMS Application in the Sandbox
+	@echo -e "\e[34m$@\e[0m" || true
+	@. ./scripts/test_sandbox.sh --nodeAddress 127.0.0.1:8000 --certificate_dir ${CCF_WORKSPACE}/workspace/sandbox_common --constitution ./governance/constitution/kms_actions.js
+
+# Propose a new key release policy
+propose-add-key-release-policy: ## 🚀 Deploy the add claim key release policy to the sandbox or mCCF
+	@echo -e "\e[34m$@\e[0m" || true
+	@. ./scripts/submit_proposal.sh --network-url "${KMS_URL}" --proposal-file ./governance/policies/key-release-policy-add.json --certificate_dir "${KEYS_DIR}" --member-count 2
+
+propose-rm-key-release-policy: ## 🚀 Deploy the remove claim key release policy to the sandbox or mCCF
+	@echo -e "\e[34m$@\e[0m" || true
+	$(call check_defined, KMS_URL)
+	@./scripts/submit_proposal.sh --network-url "${KMS_URL}" --proposal-file ./governance/policies/key-release-policy-remove.json --certificate_dir "${KEYS_DIR}"
+
+# The following are here in case you forget to change directory!
+deploy: build ## 🚀 Deploy Managed CCF or local
+	@echo -e "\e[34m$@\e[0m" || true
+	@./scripts/deploy.sh --network-url "${KMS_URL}"  --certificate_dir "${KEYS_DIR}"
+
+lint: ## 🔍 Lint the code base (but don't fix)
+	@echo -e "\e[34m$@\e[0m" || true
+	@./scripts/lint.sh
+
+# Keep this at the bottom.
+clean: ## 🧹 Clean the working folders created during build/demo
+	@rm -rf ${CCF_WORKSPACE}/.venv_ccf_sandbox
+	@rm -rf ${CCF_WORKSPACE}/workspace
+	@rm -rf dist

NOTICE

@@ -0,0 +1 @@
+There is third party code under `src/endpoints/proto` which is from Google, the files are unchanged including their license.