From d7b8613488e1162aeae4d958af82a732ff0f28b6 Mon Sep 17 00:00:00 2001
From: Martin Proffitt
Date: Mon, 19 Feb 2024 23:22:23 +0100
Subject: [PATCH 1/2] Disable license entitlement
---
 cmd/clusters-service/app/server.go | 9 ----
 common/entitlement/entitlement.go | 41 +++++++--------
 common/entitlement/entitlement_test.go | 45 ++--------------
 go.mod | 1 -
 go.sum | 2 -
 pkg/bootstrap/bootstrap.go | 1 -
 pkg/bootstrap/bootstrap_auth.go | 1 -
 pkg/bootstrap/steps/entitlement.go | 68 -------------------------
 pkg/bootstrap/steps/entitlement_test.go | 68 -------------------------
 9 files changed, 21 insertions(+), 215 deletions(-)
 delete mode 100644 pkg/bootstrap/steps/entitlement_test.go
diff --git a/cmd/clusters-service/app/server.go b/cmd/clusters-service/app/server.go
index 281a4c5b3e..6dd4483627 100644
--- a/cmd/clusters-service/app/server.go
+++ b/cmd/clusters-service/app/server.go
@@ -45,7 +45,6 @@ import (
 capiv1 "github.com/weaveworks/templates-controller/apis/capi/v1alpha2"
 gapiv1 "github.com/weaveworks/templates-controller/apis/gitops/v1alpha2"
 tfctrl "github.com/weaveworks/tf-controller/api/v1alpha1"
- ent "github.com/weaveworks/weave-gitops-enterprise-credentials/pkg/entitlement"
 csgit "github.com/weaveworks/weave-gitops-enterprise/cmd/clusters-service/pkg/git"
 "github.com/weaveworks/weave-gitops-enterprise/cmd/clusters-service/pkg/mgmtfetcher"
 capi_proto "github.com/weaveworks/weave-gitops-enterprise/cmd/clusters-service/pkg/protos"
@@ -121,8 +120,6 @@ func EnterprisePublicRoutes() []string {
 // Options contains all the options for the `ui run` command.
 type Params struct {
- EntitlementSecretName string `mapstructure:"entitlement-secret-name"`
- EntitlementSecretNamespace string `mapstructure:"entitlement-secret-namespace"`
 HelmRepoNamespace string `mapstructure:"helm-repo-namespace"`
 HelmRepoName string `mapstructure:"helm-repo-name"`
 ProfileCacheLocation string `mapstructure:"profile-cache-location"`
@@ -214,8 +211,6 @@ func NewAPIServerCommand() *cobra.Command {
 // Have to declare a flag for viper to correctly read and then bind environment variables too
 // FIXME: why? We don't actually use the flags in helm templates etc.
 //
- cmdFlags.String("entitlement-secret-name", ent.DefaultSecretName, "The name of the entitlement secret")
- cmdFlags.String("entitlement-secret-namespace", "flux-system", "The namespace of the entitlement secret")
 cmdFlags.String("helm-repo-namespace", os.Getenv("RUNTIME_NAMESPACE"), "the namespace of the Helm Repository resource to scan for profiles")
 cmdFlags.String("helm-repo-name", "weaveworks-charts", "the name of the Helm Repository resource to scan for profiles")
 cmdFlags.String("profile-cache-location", "/tmp/helm-cache", "the location where the cache Profile data lives")
@@ -556,10 +551,6 @@ func StartServer(ctx context.Context, p Params, logOptions flux_logger.Options)
 return RunInProcessGateway(ctx, "0.0.0.0:8000",
 WithLog(log),
 WithProfileHelmRepository(types.NamespacedName{Name: p.HelmRepoName, Namespace: p.HelmRepoNamespace}),
- WithEntitlementSecretKey(client.ObjectKey{
- Name: p.EntitlementSecretName,
- Namespace: p.EntitlementSecretNamespace,
- }),
 WithKubernetesClient(kubeClient),
 WithDiscoveryClient(discoveryClient),
 WithGitProvider(csgit.NewGitProviderService(log)),
diff --git a/common/entitlement/entitlement.go b/common/entitlement/entitlement.go
index 5408fde06a..5af080413b 100644
--- a/common/entitlement/entitlement.go
+++ b/common/entitlement/entitlement.go
@@ -6,17 +6,19 @@ import (
 "encoding/json"
 "net/http"
 "net/url"
- "strings"
 "time"
 
 "github.com/go-logr/logr"
- "github.com/weaveworks/weave-gitops-enterprise-credentials/pkg/entitlement"
- v1 "k8s.io/api/core/v1"
+
 "sigs.k8s.io/controller-runtime/pkg/client"
 )
 
 type contextKey string
 
+type entitlement struct {
+ LicencedUntil time.Time `json:"licencedUntil"`
+}
+
 func (c contextKey) String() string {
 return "entitlement context key " + string(c)
 }
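Review bot: Removing the `entitlement-secret-name` and `entitlement-secret-namespace` declarations in the NewAPIServerCommand hunk turns any existing invocation that still passes those flags into a startup failure, since cobra rejects unknown flags, and the comment directly above says the flags must be declared for viper's environment binding to work. If deployments or charts outside this diff still set them, keeping the two declarations and calling `cmdFlags.MarkDeprecated("entitlement-secret-name", "entitlement checking is disabled")` (and the same for the namespace flag) would let them roll over without breaking. The StartServer hunk drops the `WithEntitlementSecretKey` option call, but nothing in the diff removes the option itself or the `key client.ObjectKey` parameter it used to feed, so those look like dead code now and are worth confirming and pruning. NewAPIServerCommand and StartServer both continue outside their hunks.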
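Review bot: The new `entitlement` struct in the entitlement.go import hunk has no doc comment and carries the same name as its package, which reads oddly at the `*entitlement` sites later in the file; a line such as `// entitlement is the licence state placed in the request context; it is no longer loaded from a secret.` would make the replacement for the removed dependency's type explicit. The `json:"licencedUntil"` tag is retained although nothing in this diff marshals or unmarshals the type, so it may simply have been carried over from the removed package and could be dropped if no caller depends on it.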
@@ -28,8 +30,6 @@ const (
 )
 
 var (
- //go:embed public.pem
- public string
 contextKeyEntitlement = contextKey("entitlement")
 )
 
@@ -41,16 +41,8 @@ type response struct {
 // LoadEntitlementIntoContextHandler retrieves the entitlement from Kubernetes
 // and adds it to the request context.
 func EntitlementHandler(ctx context.Context, log logr.Logger, c client.Client, key client.ObjectKey, next http.Handler) http.Handler {
- var sec v1.Secret
- if err := c.Get(ctx, key, &sec); err != nil {
- log.Error(err, "Entitlement cannot be retrieved")
- return next
- }
-
- ent, err := entitlement.VerifyEntitlement(strings.NewReader(public), string(sec.Data["entitlement"]))
- if err != nil {
- log.Error(err, "Entitlement was not verified successfully")
- return next
+ var ent *entitlement = &entitlement{
+ LicencedUntil: time.Now().AddDate(1, 0, 0),
 }
 
 return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
@@ -68,7 +60,7 @@ func CheckEntitlementHandler(log logr.Logger, next http.Handler, publicRoutes []
 return
 }
 ent, ok := entitlementFromContext(r.Context())
- if ent == nil {
+ if !ok {
 log.Info("Entitlement was not found.")
 w.WriteHeader(http.StatusInternalServerError)
 response, err := json.Marshal(
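Review bot: In the EntitlementHandler hunk the handler now fabricates an entitlement unconditionally, yet it still takes `ctx`, `c` and `key` and keeps the doc comment saying it retrieves the entitlement from Kubernetes, so anyone reading the signature would assume the secret is still consulted; the comment should state the new behaviour, e.g. `// EntitlementHandler stores a synthetic entitlement, valid one year from the time the handler is built, in the request context; ctx, c and key are retained for compatibility and are not used.`. `var ent *entitlement = &entitlement{` is the non-idiomatic spelling of `ent := &entitlement{`. Because `time.Now().AddDate(1, 0, 0)` is evaluated once when the handler is constructed rather than per request, a process that stays up for more than a year will start attaching the expired-licence header through CheckEntitlementHandler's `time.Now().After(ent.LicencedUntil)` check; if the intent is "never expires", compute the value inside the HandlerFunc or have CheckEntitlementHandler skip the comparison. The function body continues past the end of the hunk.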
@@ -79,21 +71,22 @@ func CheckEntitlementHandler(log logr.Logger, next http.Handler, publicRoutes []
 if err != nil {
 log.Error(err, "unexpected error while handling entitlement not found response")
 }
- w.Write(response)
+ if _, err := w.Write(response); err != nil {
+ log.Error(err, "unexpected error while writing entitlement not found response")
+ }
 return
 }
- if ok {
- if time.Now().After(ent.LicencedUntil) {
- log.Info("Entitlement expired.", "licencedUntil", ent.LicencedUntil.Format("Mon 02 January, 2006"))
- w.Header().Add(entitlementExpiredMessageHeader, expiredMessage)
- }
+
+ if time.Now().After(ent.LicencedUntil) {
+ log.Info("Entitlement expired.", "licencedUntil", ent.LicencedUntil.Format("Mon 02 January, 2006"))
+ w.Header().Add(entitlementExpiredMessageHeader, expiredMessage)
 }
 next.ServeHTTP(w, r)
 })
 }
 
-func entitlementFromContext(ctx context.Context) (*entitlement.Entitlement, bool) {
- ent, ok := ctx.Value(contextKeyEntitlement).(*entitlement.Entitlement)
+func entitlementFromContext(ctx context.Context) (*entitlement, bool) {
+ ent, ok := ctx.Value(contextKeyEntitlement).(*entitlement)
 return ent, ok
 }
diff --git a/common/entitlement/entitlement_test.go b/common/entitlement/entitlement_test.go
index ea82cc33ef..33fd2666bd 100644
--- a/common/entitlement/entitlement_test.go
+++ b/common/entitlement/entitlement_test.go
@@ -2,7 +2,6 @@ package entitlement
 
 import (
 "context"
- "fmt"
 "io"
 "net/http"
 "net/http/httptest"
@@ -11,7 +10,7 @@ import (
 
 "github.com/go-logr/logr"
 "github.com/golang-jwt/jwt/v4"
- "github.com/weaveworks/weave-gitops-enterprise-credentials/pkg/entitlement"
+
 corev1 "k8s.io/api/core/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/runtime"
@@ -23,10 +22,6 @@ var (
 // This entitlement has been generated with the right private key for 1 day
 validEntitlement = `eyJhbGciOiJFZERTQSIsInR5cCI6IkpXVCJ9.eyJsaWNlbmNlZFVudGlsIjoxNjMxMzYxMjg2LCJpYXQiOjE2MzEyNzQ4ODYsImlzcyI6InNhbGVzQHdlYXZlLndvcmtzIiwibmJmIjoxNjMxMjc0ODg2LCJzdWIiOiJ0ZXN0QHdlYXZlLndvcmtzIn0.EKGp89DFcRKZ_kGmC8FuLVPB0wiab2KddkQKAmVNC9UH459v63tCP13eFybx9dAmMuaC77SA8rp7ukN1qZM7DA`
 validTimestamp = time.Unix(1631274886, 0)
-
- // This entitlement has been generated with a different private key
- invalidEntitlement = `eyJhbGciOiJFZERTQSIsInR5cCI6IkpXVCJ9.eyJsaWNlbmNlZFVudGlsIjoxNjMxMzYxNDkwLCJpYXQiOjE2MzEyNzUwOTAsImlzcyI6InNhbGVzQHdlYXZlLndvcmtzIiwibmJmIjoxNjMxMjc1MDkwLCJzdWIiOiJ0ZXN0QHdlYXZlLndvcmtzIn0.E3Kfg4YzDOYJsTN9lD6B4uoW29tE0IB9X7lOpirSTwcZ7vVHk5PUXznYdiPIi9aSgLGAPIQL3YkAM4lyft3BDg`
- invalidTimestamp = time.Unix(1631275090, 0)
 )
 
 func TestEntitlementHandler(t *testing.T) {
@@ -36,23 +31,6 @@ func TestEntitlementHandler(t *testing.T) {
 verified time.Time
 exists bool
 }{
- {
- name: "secret does not exist",
- state: []runtime.Object{},
- exists: false,
- },
- {
- name: "invalid entitlement",
- state: []runtime.Object{createSecret(invalidEntitlement)},
- verified: invalidTimestamp,
- exists: false,
- },
- {
- name: "expired entitlement",
- state: []runtime.Object{createSecret(validEntitlement)},
- verified: validTimestamp.AddDate(0, 0, 2),
- exists: true,
- },
 {
 name: "valid entitlement",
 state: []runtime.Object{createSecret(validEntitlement)},
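Review bot: The surviving "valid entitlement" case in the TestEntitlementHandler hunk still seeds the fake client with `createSecret(validEntitlement)`, but after this change EntitlementHandler never reads the client, so the fixture no longer influences the result and the test would pass for any cluster state. A case with an empty `state` and `exists: true` (the shape of the removed "secret does not exist" case, inverted) would document that the handler now succeeds regardless of the secret. If the `verified` field is compared against `ent.LicencedUntil` in the loop body below the hunk, that comparison will also need revisiting, because the value is now derived from `time.Now()` rather than from the token. The table and the loop that consumes it continue outside the hunk.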
@@ -98,25 +76,10 @@ func TestCheckEntitlementHandler(t *testing.T) {
 response string
 headerValue string
 }{
- {
- name: "no entitlement",
- status: http.StatusInternalServerError,
- header: false,
- response: fmt.Sprintf(`{"message":"%s"}`, errorMessage),
- },
- {
- name: "expired entitlement",
- ctxValue: &entitlement.Entitlement{
- LicencedUntil: time.Now().Add(-1 * time.Minute),
- },
- status: http.StatusOK,
- header: true,
- headerValue: expiredMessage,
- },
 {
 name: "valid entitlement",
- ctxValue: &entitlement.Entitlement{
- LicencedUntil: time.Now().Add(time.Minute),
+ ctxValue: &entitlement{
+ LicencedUntil: time.Now().AddDate(1, 0, 0),
 },
 status: http.StatusOK,
 header: false,
@@ -172,7 +135,7 @@ func createFakeClient(clusterState []runtime.Object) client.Client {
 schemeBuilder := runtime.SchemeBuilder{
 corev1.AddToScheme,
 }
- schemeBuilder.AddToScheme(scheme)
+ _ = schemeBuilder.AddToScheme(scheme)
 
 c := fake.NewClientBuilder().
 WithScheme(scheme).
diff --git a/go.mod b/go.mod
index ddd36a9e0f..585cb2cc02 100644
--- a/go.mod
+++ b/go.mod
@@ -16,7 +16,6 @@ require (
 github.com/spf13/cobra v1.7.0
 github.com/stretchr/testify v1.8.4
 github.com/weaveworks/weave-gitops v0.38.1-0.20231228113211-a38fbeca6a75
- github.com/weaveworks/weave-gitops-enterprise-credentials v0.0.2
 github.com/weaveworks/weave-gitops-enterprise/common v0.0.0
 gopkg.in/yaml.v3 v3.0.1 // indirect
 k8s.io/api v0.27.7
diff --git a/go.sum b/go.sum
index ef614fffa1..f04bf5f3f6 100644
--- a/go.sum
+++ b/go.sum
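Review bot: The "no entitlement" and "expired entitlement" cases removed in the TestCheckEntitlementHandler hunk cover branches the commit leaves in place and even touches — the `if !ok` path that returns 500 and the expired-licence header in CheckEntitlementHandler — so those two branches are now untested right after they were edited. Both cases only needed the type swap the remaining case already received, e.g. `ctxValue: &entitlement{LicencedUntil: time.Now().Add(-1 * time.Minute)},`, and keeping them would also have kept the `fmt` import in use. In the createFakeClient hunk `_ = schemeBuilder.AddToScheme(scheme)` is acceptable since the helper takes no `testing.T`, though a `panic(err)` would surface a broken test scheme sooner than an opaque lookup failure later. Both functions continue outside their hunks.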
@@ -1228,8 +1228,6 @@ github.com/weaveworks/tf-controller/api v0.0.0-20231101110059-994a65055198 h1:lx
 github.com/weaveworks/tf-controller/api v0.0.0-20231101110059-994a65055198/go.mod h1:201u5xXY+YI7+ggWljE0VvqMxa+zP1Y1lyRXc1RlXBc=
 github.com/weaveworks/weave-gitops v0.38.1-0.20231228113211-a38fbeca6a75 h1:+udUl2vbhDBaRUhnpJd+hukDUv+iDCkBrk7hFWJwhpw=
 github.com/weaveworks/weave-gitops v0.38.1-0.20231228113211-a38fbeca6a75/go.mod h1:rJL3PRaPIaWY4Nduss4Ws6H2zTNWw15sd1z8OSCqYBs=
-github.com/weaveworks/weave-gitops-enterprise-credentials v0.0.2 h1:7jeiQehqmI4ds6YIq8TW1Vqhlb6V7G2BVRJ8VM3r99I=
-github.com/weaveworks/weave-gitops-enterprise-credentials v0.0.2/go.mod h1:6PMYg+VtSNePnP7EXyNG+/hNRNZ3r0mQtolIZU4s/J0=
 github.com/xanzy/go-gitlab v0.90.0 h1:j8ZUHfLfXdnC+B8njeNaW/kM44c1zw8fiuNj7D+qQN8=
 github.com/xanzy/go-gitlab v0.90.0/go.mod h1:5ryv+MnpZStBH8I/77HuQBsMbBGANtVpLWC15qOjWAw=
 github.com/xanzy/ssh-agent v0.3.3 h1:+/15pJfg/RsTxqYcX6fHqOXZwwMP+2VyYWJeWM2qQFM=
diff --git a/pkg/bootstrap/bootstrap.go b/pkg/bootstrap/bootstrap.go
index 853a59e4d7..10a8cf3e48 100644
--- a/pkg/bootstrap/bootstrap.go
+++ b/pkg/bootstrap/bootstrap.go
@@ -33,7 +33,6 @@ func Bootstrap(config steps.Config) error {
 steps.NewAskBootstrapFluxStep(config),
 repositoryConfig,
 steps.NewBootstrapFlux(config),
- steps.CheckEntitlementSecret,
 adminCredentials,
 installWge,
 steps.NewInstallOIDCStep(config),
diff --git a/pkg/bootstrap/bootstrap_auth.go b/pkg/bootstrap/bootstrap_auth.go
index ea401170b7..5e65a92e52 100644
--- a/pkg/bootstrap/bootstrap_auth.go
+++ b/pkg/bootstrap/bootstrap_auth.go
@@ -26,7 +26,6 @@ func bootstrapOIDC(config steps.Config) error {
 var steps = []steps.BootstrapStep{
 // FIXE: remove this steps after checking for WGE as it is our only dependency
 steps.VerifyFluxInstallation,
- steps.CheckEntitlementSecret,
 steps.NewBootstrapFlux(config),
 steps.NewInstallOIDCStep(config),
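Review bot: Dropping `steps.CheckEntitlementSecret` from the step lists in both Bootstrap and bootstrapOIDC also drops the only pre-flight validation of the `weave-gitops-enterprise-credentials` secret's `username` and `password` against the chart repository, which the removed verifyEntitlementSecret performed through `doBasicAuthGetRequest`; a missing or wrong credentials secret will now surface only when `installWge` runs, as a chart pull failure rather than an early, explicit message. If the credential check is still wanted without the licence check, a slimmer step that keeps only the secret-presence test and the basic-auth request would preserve that behaviour. Both step lists continue outside their hunks.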
diff --git a/pkg/bootstrap/steps/entitlement.go b/pkg/bootstrap/steps/entitlement.go
index 0151162fb5..4cf0127646 100644
--- a/pkg/bootstrap/steps/entitlement.go
+++ b/pkg/bootstrap/steps/entitlement.go
@@ -2,77 +2,9 @@ package steps
 
 import (
 _ "embed"
- "errors"
- "fmt"
- "strings"
- "time"
-
- "github.com/weaveworks/weave-gitops-enterprise-credentials/pkg/entitlement"
- "github.com/weaveworks/weave-gitops-enterprise/pkg/bootstrap/utils"
- k8s_client "sigs.k8s.io/controller-runtime/pkg/client"
-)
-
-// user messages
-const (
- entitlementCheckConfirmMsg = "entitlement file exists and is valid"
- nonExistingEntitlementSecretMsg = "entitlement file is not found, To get Weave GitOps Entitelment secret, please contact *sales@weave.works* and add it to your cluster"
- invalidEntitlementSecretMsg = "entitlement file is invalid, please verify the secret content. If you still facing issues, please contact *sales@weave.works*"
- expiredEntitlementSecretMsg = "entitlement file is expired at: %s, please contact *sales@weave.works*"
- entitlementCheckMsg = "verifying Weave GitOps Entitlement File"
 )
 
 // wge consts
 const (
 entitlementSecretName = "weave-gitops-enterprise-credentials"
 )
-
-var (
- //go:embed public.pem
- publicKey string
-)
-
-var CheckEntitlementSecret = BootstrapStep{
- Name: "checking entitlement",
- Step: checkEntitlementSecret,
-}
-
-func checkEntitlementSecret(input []StepInput, c *Config) ([]StepOutput, error) {
- c.Logger.Actionf(entitlementCheckMsg)
- err := verifyEntitlementSecret(c.KubernetesClient)
- if err != nil {
- return []StepOutput{}, err
- }
- c.Logger.Successf(entitlementCheckConfirmMsg)
-
- return []StepOutput{}, nil
-}
-
-// verifyEntitlementSecret ensures the entitlement is valid and not expired also verifying username & password
-// verifing entitlement by the public key (private key is used for encrypting and public is for verification)
-// and making sure it's not expired
-// verifying username and password by making http request for downloading charts and ensuring it's authenticated
-func verifyEntitlementSecret(client k8s_client.Client) error {
- secret, err := utils.GetSecret(client, entitlementSecretName, WGEDefaultNamespace)
- if err != nil {
- return fmt.Errorf("%s: %v", nonExistingEntitlementSecretMsg, err)
- }
-
- if secret.Data["entitlement"] == nil || secret.Data["username"] == nil || secret.Data["password"] == nil {
- return errors.New(invalidEntitlementSecretMsg)
- }
-
- ent, err := entitlement.VerifyEntitlement(strings.NewReader(string(publicKey)), string(secret.Data["entitlement"]))
- if err != nil {
- return fmt.Errorf("%s: %v", invalidEntitlementSecretMsg, err)
- }
- if time.Now().Compare(ent.LicencedUntil) >= 0 {
- return fmt.Errorf(expiredEntitlementSecretMsg, ent.LicencedUntil)
- }
-
- body, err := doBasicAuthGetRequest(wgeChartUrl, string(secret.Data["username"]), string(secret.Data["password"]))
- if err != nil || body == nil {
- return fmt.Errorf("%s: %v", invalidEntitlementSecretMsg, err)
- }
-
- return nil
-}
diff --git a/pkg/bootstrap/steps/entitlement_test.go b/pkg/bootstrap/steps/entitlement_test.go
deleted file mode 100644
index ee37f80ae3..0000000000
--- a/pkg/bootstrap/steps/entitlement_test.go
+++ /dev/null
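Review bot: The new side of the steps/entitlement.go hunk keeps `_ "embed"` in the import block although the only `//go:embed` directive in the file (the removed `publicKey` var) is gone, so the blank import is now dead; `goimports` will not remove a side-effect import, so drop the line by hand. Removing verifyEntitlementSecret also removes the only callers of `doBasicAuthGetRequest` and `wgeChartUrl` that appear in this diff; if they are unexported and unused elsewhere, staticcheck will report them, so check whether they should be deleted with it. The surviving `entitlementSecretName` constant is presumably still used by other steps, which is worth confirming since nothing in the hunk references it any more.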
@@ -1,68 +0,0 @@
-package steps
-
-import (
- "testing"
-
- v1 "k8s.io/api/core/v1"
- metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-)
-
-// CheckEntitlementFile test CheckEntitlementFile
-func TestCheckEntitlementFile(t *testing.T) {
- var (
- expiredEntitlement = `eyJhbGciOiJFZERTQSIsInR5cCI6IkpXVCJ9.eyJsaWNlbmNlZFVudGlsIjoxNjMxMzYxMjg2LCJpYXQiOjE2MzEyNzQ4ODYsImlzcyI6InNhbGVzQHdlYXZlLndvcmtzIiwibmJmIjoxNjMxMjc0ODg2LCJzdWIiOiJ0ZXN0QHdlYXZlLndvcmtzIn0.EKGp89DFcRKZ_kGmC8FuLVPB0wiab2KddkQKAmVNC9UH459v63tCP13eFybx9dAmMuaC77SA8rp7ukN1qZM7DA`
- invalidEntitlement = `eyJhbGciOiJFZERTQSIsInR5cCI6IkpXVCJ9.eyJsaWNlbmNlZFVudGlsIjoxNjMxMzYxNDkwLCJpYXQiOjE2MzEyNzUwOTAsImlzcyI6InNhbGVzQHdlYXZlLndvcmtzIiwibmJmIjoxNjMxMjc1MDkwLCJzdWIiOiJ0ZXN0QHdlYXZlLndvcmtzIn0.E3Kfg4YzDOYJsTN9lD6B4uoW29tE0IB9X7lOpirSTwcZ7vVHk5PUXznYdiPIi9aSgLGAPIQL3YkAM4lyft3BDg`
- )
-
- tests := []struct {
- name string
- secret *v1.Secret
- err bool
- }{
- {
- name: "secret does not exist",
- secret: &v1.Secret{},
- err: true,
- },
- {
- name: "invalid entitlement",
- secret: &v1.Secret{
- ObjectMeta: metav1.ObjectMeta{Name: entitlementSecretName, Namespace: WGEDefaultNamespace},
- Type: "Opaque",
- Data: map[string][]byte{
- "entitlement": []byte(invalidEntitlement),
- "username": []byte("test-username"),
- "password": []byte("test-password"),
- },
- },
- err: true,
- },
- {
- name: "expired entitlement",
- secret: &v1.Secret{
- ObjectMeta: metav1.ObjectMeta{Name: entitlementSecretName, Namespace: WGEDefaultNamespace},
- Type: "Opaque",
- Data: map[string][]byte{
- "entitlement": []byte(expiredEntitlement),
- "username": []byte("test-username"),
- "password": []byte("test-password"),
- },
- },
- err: true,
- },
- }
-
- for _, tt := range tests {
- t.Run(tt.name, func(t *testing.T) {
- config := MakeTestConfig(t, Config{}, tt.secret)
- _, err := checkEntitlementSecret([]StepInput{}, &config)
- if err != nil {
- if tt.err {
- return
- }
- t.Fatalf("error validating entitlement: %v", err)
- }
- })
- }
-
-}
From 0850f40041eb32b8170505c47cdf2fba281d0563 Mon Sep 17 00:00:00 2001
From: Martin Proffitt
Date: Tue, 20 Feb 2024 19:12:09 +0100
Subject: [PATCH 2/2] Delete public key from entitlement and update common/go.mod
---
 common/entitlement/public.pem | 3 ---
 common/go.mod | 1 -
 common/go.sum | 2 -
 3 files changed, 6 deletions(-)
 delete mode 100644 common/entitlement/public.pem
diff --git a/common/entitlement/public.pem b/common/entitlement/public.pem
deleted file mode 100644
index fd210c6913..0000000000
--- a/common/entitlement/public.pem
+++ /dev/null
@@ -1,3 +0,0 @@
------BEGIN PUBLIC KEY-----
-MCowBQYDK2VwAyEA140z8yf4+R9MQwwS6yTrWIl/1IBOjLVvh9x87Wd84TU=
------END PUBLIC KEY-----
diff --git a/common/go.mod b/common/go.mod
index 63d1f13d78..7625cf8c57 100644
--- a/common/go.mod
+++ b/common/go.mod
@@ -5,7 +5,6 @@ go 1.20
 require (
 github.com/go-logr/logr v1.2.3
 github.com/golang-jwt/jwt/v4 v4.0.0
- github.com/weaveworks/weave-gitops-enterprise-credentials v0.0.2
 k8s.io/api v0.26.2
 k8s.io/apimachinery v0.26.2
 sigs.k8s.io/controller-runtime v0.14.5
diff --git a/common/go.sum b/common/go.sum
index af90e7f6fb..8385b8aba0 100644
--- a/common/go.sum
+++ b/common/go.sum
@@ -186,8 +186,6 @@ github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81P
 github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
 github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.0 h1:pSgiaMZlXftHpm5L7V1+rVB+AZJydKsMxsQBIJw4PKk=
-github.com/weaveworks/weave-gitops-enterprise-credentials v0.0.2 h1:7jeiQehqmI4ds6YIq8TW1Vqhlb6V7G2BVRJ8VM3r99I=
-github.com/weaveworks/weave-gitops-enterprise-credentials v0.0.2/go.mod h1:6PMYg+VtSNePnP7EXyNG+/hNRNZ3r0mQtolIZU4s/J0=
 github.com/yuin/goldmark v1.1.25/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.1.32/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=