-
Notifications
You must be signed in to change notification settings - Fork 22
/
offline.go
160 lines (136 loc) · 3.61 KB
/
offline.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
package premium
import (
"crypto/ed25519"
_ "embed"
"encoding/hex"
"encoding/json"
"errors"
"os"
"path/filepath"
"slices"
"strings"
"time"
"github.com/cloudquery/plugin-sdk/v4/plugin"
"github.com/rs/zerolog"
)
type License struct {
LicensedTo string `json:"licensed_to"` // Customers name, e.g. "Acme Inc"
Plugins []string `json:"plugins,omitempty"` // List of plugins, each in the format <org>/<kind>/<name>, e.g. "cloudquery/source/aws". Optional, if empty all plugins are allowed.
IssuedAt time.Time `json:"issued_at"`
ValidFrom time.Time `json:"valid_from"`
ExpiresAt time.Time `json:"expires_at"`
}
type LicenseWrapper struct {
LicenseBytes []byte `json:"license"`
Signature string `json:"signature"` // crypto
}
var (
ErrInvalidLicenseSignature = errors.New("invalid license signature")
ErrLicenseNotValidYet = errors.New("license not valid yet")
ErrLicenseExpired = errors.New("license expired")
ErrLicenseNotApplicable = errors.New("license not applicable to this plugin")
)
//go:embed offline.key
var publicKey string
var timeFunc = time.Now
func ValidateLicense(logger zerolog.Logger, meta plugin.Meta, licenseFileOrDirectory string) error {
fi, err := os.Stat(licenseFileOrDirectory)
if err != nil {
return err
}
if !fi.IsDir() {
return validateLicenseFile(logger, meta, licenseFileOrDirectory)
}
found := false
var lastError error
err = filepath.WalkDir(licenseFileOrDirectory, func(path string, d os.DirEntry, err error) error {
if d.IsDir() {
if path == licenseFileOrDirectory {
return nil
}
return filepath.SkipDir
}
if err != nil {
return err
}
if filepath.Ext(path) != ".cqlicense" {
return nil
}
logger.Debug().Str("path", path).Msg("considering license file")
lastError = validateLicenseFile(logger, meta, path)
switch lastError {
case nil:
found = true
return filepath.SkipAll
case ErrLicenseNotApplicable:
return nil
default:
return lastError
}
})
if err != nil {
return err
}
if found {
return nil
}
if lastError != nil {
return lastError
}
return errors.New("failed to validate license directory")
}
func validateLicenseFile(logger zerolog.Logger, meta plugin.Meta, licenseFile string) error {
licenseContents, err := os.ReadFile(licenseFile)
if err != nil {
return err
}
l, err := UnpackLicense(licenseContents)
if err != nil {
return err
}
if len(l.Plugins) > 0 {
ref := strings.Join([]string{meta.Team, string(meta.Kind), meta.Name}, "/")
teamRef := meta.Team + "/*"
if !slices.Contains(l.Plugins, ref) && !slices.Contains(l.Plugins, teamRef) {
return ErrLicenseNotApplicable
}
}
return l.IsValid(logger)
}
func UnpackLicense(lic []byte) (*License, error) {
publicKeyBytes, err := hex.DecodeString(publicKey)
if err != nil {
return nil, err
}
var lw LicenseWrapper
if err := json.Unmarshal(lic, &lw); err != nil {
return nil, err
}
signatureBytes, err := hex.DecodeString(lw.Signature)
if err != nil {
return nil, err
}
if !ed25519.Verify(publicKeyBytes, lw.LicenseBytes, signatureBytes) {
return nil, ErrInvalidLicenseSignature
}
var l License
if err := json.Unmarshal(lw.LicenseBytes, &l); err != nil {
return nil, err
}
return &l, nil
}
func (l *License) IsValid(logger zerolog.Logger) error {
now := timeFunc().UTC()
if now.Before(l.ValidFrom) {
return ErrLicenseNotValidYet
}
if now.After(l.ExpiresAt) {
return ErrLicenseExpired
}
msg := logger.Info()
if now.Add(15 * 24 * time.Hour).After(l.ExpiresAt) {
msg = logger.Warn()
}
msg.Time("expires_at", l.ExpiresAt).Msgf("Offline license for %s loaded.", l.LicensedTo)
return nil
}