From 3e339de5fbfa5ed42beeb0418d2fdfe695a9674f Mon Sep 17 00:00:00 2001
From: lgtm <1gtm@users.noreply.github.com>
Date: Mon, 5 Jun 2023 08:34:24 -0700
Subject: [PATCH] [cherry-pick] Update license verifier (#19) (#20)
/cherry-pick
Signed-off-by: Tamal Saha
Co-authored-by: Tamal Saha
---
 go.mod | 6 +-
 go.sum | 12 +--
 .../license-verifier/Makefile | 2 +-
 .../license-verifier/info/lib.go | 11 ++-
 .../license-verifier/kubernetes/Makefile | 4 +-
 .../license-verifier/kubernetes/lib.go | 90 +++++++++----------
 vendor/modules.txt | 6 +-
 7 files changed, 63 insertions(+), 68 deletions(-)
diff --git a/go.mod b/go.mod
index d4ad9c987..d63fd15da 100644
--- a/go.mod
+++ b/go.mod
@@ -10,7 +10,7 @@ require (
 github.com/aws/aws-sdk-go v1.44.100
 github.com/hashicorp/vault/api v1.8.2
 github.com/spf13/cobra v1.7.0
- go.bytebuilders.dev/license-verifier/kubernetes v0.12.0
+ go.bytebuilders.dev/license-verifier/kubernetes v0.13.2
 gomodules.xyz/flags v0.1.3
 gomodules.xyz/go-sh v0.1.0
 gomodules.xyz/logs v0.0.6
@@ -30,6 +30,8 @@ require (
 stash.appscode.dev/apimachinery v0.30.0
 )
+require github.com/cespare/xxhash/v2 v2.2.0 // indirect
+
 require (
 cloud.google.com/go v0.105.0 // indirect
 cloud.google.com/go/compute v1.13.0 // indirect
@@ -119,7 +121,7 @@ require (
 github.com/yudai/gojsondiff v1.0.0 // indirect
 github.com/yudai/golcs v0.0.0-20170316035057-ecda9a501e82 // indirect
 go.bytebuilders.dev/license-proxyserver v0.0.3 // indirect
- go.bytebuilders.dev/license-verifier v0.13.0 // indirect
+ go.bytebuilders.dev/license-verifier v0.13.2 // indirect
 go.opencensus.io v0.24.0 // indirect
 go.uber.org/atomic v1.9.0 // indirect
 golang.org/x/crypto v0.9.0 // indirect
diff --git a/go.sum b/go.sum
index bd5337bbb..f0f68f12c 100644
--- a/go.sum
+++ b/go.sum
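Review bot: The second go.mod hunk adds `require github.com/cespare/xxhash/v2 v2.2.0 // indirect` as a stand-alone one-line block instead of inside the indirect `require ( … )` block that follows it. The vendor/modules.txt change in this same commit lists that module as `## explicit; go 1.11` with no package paths under it, so nothing from it is vendored, which suggests the requirement was added by the upgrade command rather than by an import. I would check it with `go mod why -m github.com/cespare/xxhash/v2` and re-run `go mod tidy` and `go mod vendor`, so the requirement is either dropped or folded into the indirect block and go.mod, go.sum and vendor/ stay in step.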
@@ -86,10 +86,10 @@ github.com/buger/jsonparser v1.1.1/go.mod h1:6RYKKt7H4d4+iWqouImQ9R2FZql3VbhNgx2 github.com/cenkalti/backoff/v3 v3.0.0 h1:ske+9nBpD9qZsTBoF41nW5L+AIuFBKMeze18XQ3eG1c= github.com/cenkalti/backoff/v3 v3.0.0/go.mod h1:cIeZDE3IrqwwJl6VUwCN6trj1oXrTS4rc0ij+ULvLYs= github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= -github.com/cespare/xxhash v1.1.0 h1:a6HrQnmkObjyL+Gs60czilIUGqrzKutQD6XZog3p+ko= github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc= github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= -github.com/cespare/xxhash/v2 v2.1.2 h1:YRXhKfTDauu4ajMg1TPgFO5jnlC2HCbmLXMcTG5cbYE= +github.com/cespare/xxhash/v2 v2.2.0 h1:DC2CZ1Ep5Y4k3ZQ899DldepgrayRUGE6BBZ/cd9Cj44= +github.com/cespare/xxhash/v2 v2.2.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= github.com/circonus-labs/circonus-gometrics v2.3.1+incompatible/go.mod h1:nmEj6Dob7S7YxXgwXpfOuvO54S+tGdZdw9fuRZt25Ag= github.com/circonus-labs/circonusllhist v0.1.3/go.mod h1:kMXHVDlOchFAehlya5ePtbp5jckzBHf4XRpQvBOLI+I= github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw= 
@@ -473,10 +473,10 @@ github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9de github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= go.bytebuilders.dev/license-proxyserver v0.0.3 h1:vAFMBWfrlmFKNspjBm2KfPXnxYnC17xLwZiHmVzUmzs= go.bytebuilders.dev/license-proxyserver v0.0.3/go.mod h1:iMJbPzDf2R2EJOZwRi7ziEr5DBMfT9Cm75/XfPb/QnU= -go.bytebuilders.dev/license-verifier v0.13.0 h1:VyI8XydrZbzClSk45rPcjz9dVhyL0EfpWW4T08SXMGo= -go.bytebuilders.dev/license-verifier v0.13.0/go.mod h1:PTTlWgokzoisBezn2zt+JeGkhTJZ0flvLzdhHVBy86M= -go.bytebuilders.dev/license-verifier/kubernetes v0.12.0 h1:YJ/JWjeJgDOHzgI/RYMn60x+R7KpZ+3Nu8BHJLghYc8= -go.bytebuilders.dev/license-verifier/kubernetes v0.12.0/go.mod h1:XJUtMI5o0QQyaor1SAqL/2YTYU9LxYM6/Q8X8o/750w= +go.bytebuilders.dev/license-verifier v0.13.2 h1:wV1ynl+GR+zKb3dh19WEzuC0uzTdiSGgVg9G78Nh4XU= +go.bytebuilders.dev/license-verifier v0.13.2/go.mod h1:PTTlWgokzoisBezn2zt+JeGkhTJZ0flvLzdhHVBy86M= +go.bytebuilders.dev/license-verifier/kubernetes v0.13.2 h1:ZIPTce9sAR9/GaPvQtkbOTXGE1Nyyv0GcMqnInUaqxM= +go.bytebuilders.dev/license-verifier/kubernetes v0.13.2/go.mod h1:xiM7bX84LNWQPJRC/m9rQASuCclJSsDdf2qFdafrz1k= go.etcd.io/bbolt v1.3.2/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU= go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU= go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8= diff --git a/vendor/go.bytebuilders.dev/license-verifier/Makefile b/vendor/go.bytebuilders.dev/license-verifier/Makefile index abdf90d50..ac51f2717 100644 --- a/vendor/go.bytebuilders.dev/license-verifier/Makefile +++ b/vendor/go.bytebuilders.dev/license-verifier/Makefile 
@@ -21,7 +21,7 @@ COMPRESS ?= no
 # Produce CRDs that work back to Kubernetes 1.11 (no version conversion)
 CRD_OPTIONS ?= "crd:maxDescLen=0,generateEmbeddedObjectMeta=true,allowDangerousTypes=true"
-CODE_GENERATOR_IMAGE ?= appscode/gengo:release-1.25
+CODE_GENERATOR_IMAGE ?= ghcr.io/appscode/gengo:release-1.25
 API_GROUPS ?= licenses:v1alpha1
 # Where to push the docker image.
diff --git a/vendor/go.bytebuilders.dev/license-verifier/info/lib.go b/vendor/go.bytebuilders.dev/license-verifier/info/lib.go
index db1601342..12b50db86 100644
--- a/vendor/go.bytebuilders.dev/license-verifier/info/lib.go
+++ b/vendor/go.bytebuilders.dev/license-verifier/info/lib.go
@@ -138,15 +138,14 @@ func HostedEndpoint(u string) (bool, error) {
 if err != nil {
 return false, err
 }
- host := u2.Hostname()
- return host == prodDomain ||
- host == qaDomain ||
- strings.HasSuffix(host, "."+prodDomain) ||
- strings.HasSuffix(host, "."+qaDomain), nil
+ return HostedDomain(u2.Hostname()), nil
 }
 func HostedDomain(d string) bool {
- return d == prodDomain || d == qaDomain
+ return d == prodDomain ||
+ d == qaDomain ||
+ strings.HasSuffix(d, "."+prodDomain) ||
+ strings.HasSuffix(d, "."+qaDomain)
 }
 func LoadLicenseCA() ([]byte, error) {
diff --git a/vendor/go.bytebuilders.dev/license-verifier/kubernetes/Makefile b/vendor/go.bytebuilders.dev/license-verifier/kubernetes/Makefile
index 5cd4a0b45..10b65999d 100644
--- a/vendor/go.bytebuilders.dev/license-verifier/kubernetes/Makefile
+++ b/vendor/go.bytebuilders.dev/license-verifier/kubernetes/Makefile
@@ -64,8 +64,8 @@ ARCH := $(if $(GOARCH),$(GOARCH),$(shell go env GOARCH))
 BASEIMAGE_PROD ?= gcr.io/distroless/static
 BASEIMAGE_DBG ?= debian:stretch
-GO_VERSION ?= 1.19
-BUILD_IMAGE ?= appscode/golang-dev:$(GO_VERSION)
+GO_VERSION ?= 1.20
+BUILD_IMAGE ?= ghcr.io/appscode/golang-dev:$(GO_VERSION)
 OUTBIN = bin/$(OS)_$(ARCH)/$(BIN)
 ifeq ($(OS),windows)
diff --git a/vendor/go.bytebuilders.dev/license-verifier/kubernetes/lib.go b/vendor/go.bytebuilders.dev/license-verifier/kubernetes/lib.go
index 04735ad6d..3430a33d1 100644
--- a/vendor/go.bytebuilders.dev/license-verifier/kubernetes/lib.go
+++ b/vendor/go.bytebuilders.dev/license-verifier/kubernetes/lib.go
@@ -20,7 +20,7 @@ import (
 "context"
 "encoding/json"
 "fmt"
- "io/ioutil"
+ "io"
 "net/http"
 "net/url"
 "os"
@@ -62,17 +62,17 @@ const (
 )
 type LicenseEnforcer struct {
- opts verifier.VerifyOptions
- config *rest.Config
- kc kubernetes.Interface
- getLicense func() ([]byte, error)
+ licenseFile string
+ opts verifier.VerifyOptions
+ config *rest.Config
+ kc kubernetes.Interface
 }
 // NewLicenseEnforcer returns a newly created license enforcer
 func NewLicenseEnforcer(config *rest.Config, licenseFile string) (*LicenseEnforcer, error) {
 le := LicenseEnforcer{
- getLicense: getLicense(config, licenseFile),
- config: config,
+ config: config,
+ licenseFile: licenseFile,
 opts: verifier.VerifyOptions{
 Features: info.ProductName,
 },
@@ -97,30 +97,38 @@ func MustLicenseEnforcer(config *rest.Config, licenseFile string) *LicenseEnforc
 return le
 }
-func getLicense(cfg *rest.Config, licenseFile string) func() ([]byte, error) {
- return func() ([]byte, error) {
- licenseBytes, err := ioutil.ReadFile(licenseFile)
- if errors.Is(err, os.ErrNotExist) {
- req := proxyserver.LicenseRequest{
- TypeMeta: metav1.TypeMeta{},
- Request: &proxyserver.LicenseRequestRequest{
- Features: info.Features(),
- },
- }
- pc, err := proxyclient.NewForConfig(cfg)
- if err != nil {
- return nil, errors.Wrap(err, "failed create client for license-proxyserver")
- }
- resp, err := pc.ProxyserverV1alpha1().LicenseRequests().Create(context.TODO(), &req, metav1.CreateOptions{})
- if err != nil {
- return nil, errors.Wrap(err, "failed to read license")
- }
- licenseBytes = []byte(resp.Response.License)
- } else if err != nil {
+func (le *LicenseEnforcer) getLicense() ([]byte, error) {
+ licenseBytes, err := os.ReadFile(le.licenseFile)
+ if errors.Is(err, os.ErrNotExist) || (err == nil && le.invalidLicense(licenseBytes)) {
+ req := proxyserver.LicenseRequest{
+ TypeMeta: metav1.TypeMeta{},
+ Request: &proxyserver.LicenseRequestRequest{
+ Features: info.Features(),
+ },
+ }
+ pc, err := proxyclient.NewForConfig(le.config)
+ if err != nil {
+ return nil, errors.Wrap(err, "failed create client for license-proxyserver")
+ }
+ resp, err := pc.ProxyserverV1alpha1().LicenseRequests().Create(context.TODO(), &req, metav1.CreateOptions{})
+ if err != nil {
 return nil, errors.Wrap(err, "failed to read license")
 }
- return licenseBytes, nil
+ licenseBytes = []byte(resp.Response.License)
+ } else if err != nil {
+ return nil, errors.Wrap(err, "failed to read license")
 }
+ return licenseBytes, nil
+}
+
+func (le *LicenseEnforcer) invalidLicense(license []byte) bool {
+ le.opts.License = license
+ // We don't want to acquire license from license-proxyserver is the license file
+ // contains a valid license for a different product.
+ // We want to acquire license-proxyserver is a previously valid license has not expired.
+ // So, we don't check features in the license found is license file.
+ l, err := verifier.ParseLicense(le.opts.ParserOptions)
+ return sets.NewString(l.Features...).HasAny(info.ParseFeatures(le.opts.Features)...) && err != nil
 }
 func (le *LicenseEnforcer) createClients() (err error) {
@@ -136,22 +144,13 @@ func (le *LicenseEnforcer) acquireLicense() (err error) {
 }
 func (le *LicenseEnforcer) readClusterUID() (err error) {
+ if le.opts.ClusterUID != "" {
+ return
+ }
 le.opts.ClusterUID, err = clusterid.ClusterUID(le.kc.CoreV1().Namespaces())
 return err
 }
-func (le *LicenseEnforcer) podName() (string, error) {
- if name, ok := os.LookupEnv("MY_POD_NAME"); ok {
- return name, nil
- }
-
- if meta.PossiblyInCluster() {
- // Read current pod name
- return os.Hostname()
- }
- return "", errors.New("failed to detect pod name")
-}
-
 func (le *LicenseEnforcer) handleLicenseVerificationFailure(licenseErr error) error {
 // Send interrupt so that all go-routines shut-down gracefully
 // https://pracucci.com/graceful-shutdown-of-kubernetes-pods.html
@@ -170,10 +169,6 @@ func (le *LicenseEnforcer) handleLicenseVerificationFailure(licenseErr error) er
 // Log licenseInfo verification failure
 klog.Errorln("Failed to verify license. Reason: ", licenseErr.Error())
- podName, err := le.podName()
- if err != nil {
- return err
- }
 // Read the namespace of current pod
 namespace := meta.PodNamespace()
@@ -183,7 +178,7 @@ func (le *LicenseEnforcer) handleLicenseVerificationFailure(licenseErr error) er
 le.config,
 core.SchemeGroupVersion.WithResource(core.ResourcePods.String()),
 namespace,
- podName,
+ meta.PodName(),
 )
 if err != nil {
 return err
@@ -297,9 +292,6 @@ func verifyLicensePeriodically(le *LicenseEnforcer, licenseFile string, stopCh <
 return false, nil
 }
- if _, err := os.Stat(licenseFile); os.IsNotExist(err) {
- return errors.New("license file is missing")
- }
 return wait.PollImmediateUntil(licenseCheckInterval, fn, stopCh)
 }
@@ -382,7 +374,7 @@ func CheckLicenseEndpoint(config *rest.Config, apiServiceName string, features [
 }
 defer resp.Body.Close()
- data, err := ioutil.ReadAll(resp.Body)
+ data, err := io.ReadAll(resp.Body)
 if err != nil {
 return err
 }
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 651fb7c03..e6de4c318 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -159,6 +159,8 @@ github.com/aws/aws-sdk-go/service/sts/stsiface # github.com/cenkalti/backoff/v3 v3.0.0 ## explicit; go 1.12 github.com/cenkalti/backoff/v3 +# github.com/cespare/xxhash/v2 v2.2.0 +## explicit; go 1.11 # github.com/codegangsta/inject v0.0.0-20150114235600-33e0aa1cb7c0 ## explicit github.com/codegangsta/inject
@@ -427,13 +429,13 @@ go.bytebuilders.dev/license-proxyserver/apis/proxyserver/v1alpha1 go.bytebuilders.dev/license-proxyserver/client/clientset/versioned go.bytebuilders.dev/license-proxyserver/client/clientset/versioned/scheme go.bytebuilders.dev/license-proxyserver/client/clientset/versioned/typed/proxyserver/v1alpha1 -# go.bytebuilders.dev/license-verifier v0.13.0 +# go.bytebuilders.dev/license-verifier v0.13.2 ## explicit; go 1.18 go.bytebuilders.dev/license-verifier go.bytebuilders.dev/license-verifier/apis/licenses go.bytebuilders.dev/license-verifier/apis/licenses/v1alpha1 go.bytebuilders.dev/license-verifier/info -# go.bytebuilders.dev/license-verifier/kubernetes v0.12.0 +# go.bytebuilders.dev/license-verifier/kubernetes v0.13.2 ## explicit; go 1.18 go.bytebuilders.dev/license-verifier/kubernetes # go.opencensus.io v0.24.0