From c1da70151ca37fed0bae7f5d01935810b193baef Mon Sep 17 00:00:00 2001
From: lgtm <1gtm@users.noreply.github.com>
Date: Mon, 5 Jun 2023 23:56:11 -0700
Subject: [PATCH] [cherry-pick] Update license verifier (#1401) (#1410)
Signed-off-by: Tamal Saha
---
 go.mod | 6 +-
 go.sum | 12 +--
 .../license-verifier/Makefile | 2 +-
 .../license-verifier/info/lib.go | 11 ++-
 .../license-verifier/kubernetes/Makefile | 4 +-
 .../license-verifier/kubernetes/lib.go | 90 +++++++++----------
 vendor/modules.txt | 6 +-
 7 files changed, 63 insertions(+), 68 deletions(-)
diff --git a/go.mod b/go.mod
index 00b1ca23a..f00d64089 100644
--- a/go.mod
+++ b/go.mod
@@ -4,7 +4,7 @@ go 1.18
 require (
 github.com/spf13/cobra v1.7.0
- go.bytebuilders.dev/license-verifier/kubernetes v0.12.0
+ go.bytebuilders.dev/license-verifier/kubernetes v0.13.2
 gomodules.xyz/flags v0.1.3
 gomodules.xyz/go-sh v0.1.0
 gomodules.xyz/logs v0.0.6
@@ -19,6 +19,8 @@ require (
 stash.appscode.dev/apimachinery v0.30.0
 )
+require github.com/cespare/xxhash/v2 v2.2.0 // indirect
+
 require (
 cloud.google.com/go v0.97.0 // indirect
 github.com/Azure/go-autorest v14.2.0+incompatible // indirect
@@ -61,7 +63,7 @@ require (
 github.com/yudai/gojsondiff v1.0.0 // indirect
 github.com/yudai/golcs v0.0.0-20170316035057-ecda9a501e82 // indirect
 go.bytebuilders.dev/license-proxyserver v0.0.3 // indirect
- go.bytebuilders.dev/license-verifier v0.13.0 // indirect
+ go.bytebuilders.dev/license-verifier v0.13.2 // indirect
 golang.org/x/crypto v0.9.0 // indirect
 golang.org/x/net v0.10.0 // indirect
 golang.org/x/oauth2 v0.5.0 // indirect
diff --git a/go.sum b/go.sum
index 7a9e8324a..33e33b3b1 100644
--- a/go.sum
+++ b/go.sum
@@ -82,9 +82,9 @@ github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kBD4zp0CCIs= github.com/bketelsen/crypt v0.0.3-0.20200106085610-5cbc8cc4026c/go.mod h1:MKsuJmJgSg28kpZDP6UIiPt0e0Oz0kqKNGyRaWEPv84= github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= -github.com/cespare/xxhash v1.1.0 h1:a6HrQnmkObjyL+Gs60czilIUGqrzKutQD6XZog3p+ko= github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc= -github.com/cespare/xxhash/v2 v2.1.2 h1:YRXhKfTDauu4ajMg1TPgFO5jnlC2HCbmLXMcTG5cbYE= +github.com/cespare/xxhash/v2 v2.2.0 h1:DC2CZ1Ep5Y4k3ZQ899DldepgrayRUGE6BBZ/cd9Cj44= +github.com/cespare/xxhash/v2 v2.2.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI= github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI= github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU= 
@@ -401,10 +401,10 @@ github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9dec github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k= go.bytebuilders.dev/license-proxyserver v0.0.3 h1:vAFMBWfrlmFKNspjBm2KfPXnxYnC17xLwZiHmVzUmzs= go.bytebuilders.dev/license-proxyserver v0.0.3/go.mod h1:iMJbPzDf2R2EJOZwRi7ziEr5DBMfT9Cm75/XfPb/QnU= -go.bytebuilders.dev/license-verifier v0.13.0 h1:VyI8XydrZbzClSk45rPcjz9dVhyL0EfpWW4T08SXMGo= -go.bytebuilders.dev/license-verifier v0.13.0/go.mod h1:PTTlWgokzoisBezn2zt+JeGkhTJZ0flvLzdhHVBy86M= -go.bytebuilders.dev/license-verifier/kubernetes v0.12.0 h1:YJ/JWjeJgDOHzgI/RYMn60x+R7KpZ+3Nu8BHJLghYc8= -go.bytebuilders.dev/license-verifier/kubernetes v0.12.0/go.mod h1:XJUtMI5o0QQyaor1SAqL/2YTYU9LxYM6/Q8X8o/750w= +go.bytebuilders.dev/license-verifier v0.13.2 h1:wV1ynl+GR+zKb3dh19WEzuC0uzTdiSGgVg9G78Nh4XU= +go.bytebuilders.dev/license-verifier v0.13.2/go.mod h1:PTTlWgokzoisBezn2zt+JeGkhTJZ0flvLzdhHVBy86M= +go.bytebuilders.dev/license-verifier/kubernetes v0.13.2 h1:ZIPTce9sAR9/GaPvQtkbOTXGE1Nyyv0GcMqnInUaqxM= +go.bytebuilders.dev/license-verifier/kubernetes v0.13.2/go.mod h1:xiM7bX84LNWQPJRC/m9rQASuCclJSsDdf2qFdafrz1k= go.etcd.io/bbolt v1.3.2/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU= go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU= go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8=
diff --git a/vendor/go.bytebuilders.dev/license-verifier/Makefile b/vendor/go.bytebuilders.dev/license-verifier/Makefile
index abdf90d50..ac51f2717 100644
--- a/vendor/go.bytebuilders.dev/license-verifier/Makefile
+++ b/vendor/go.bytebuilders.dev/license-verifier/Makefile
@@ -21,7 +21,7 @@ COMPRESS ?= no
 # Produce CRDs that work back to Kubernetes 1.11 (no version conversion)
 CRD_OPTIONS ?= "crd:maxDescLen=0,generateEmbeddedObjectMeta=true,allowDangerousTypes=true"
-CODE_GENERATOR_IMAGE ?= appscode/gengo:release-1.25
+CODE_GENERATOR_IMAGE ?= ghcr.io/appscode/gengo:release-1.25
 API_GROUPS ?= licenses:v1alpha1
 # Where to push the docker image.
diff --git a/vendor/go.bytebuilders.dev/license-verifier/info/lib.go b/vendor/go.bytebuilders.dev/license-verifier/info/lib.go
index db1601342..12b50db86 100644
--- a/vendor/go.bytebuilders.dev/license-verifier/info/lib.go
+++ b/vendor/go.bytebuilders.dev/license-verifier/info/lib.go
@@ -138,15 +138,14 @@ func HostedEndpoint(u string) (bool, error) {
 if err != nil {
 return false, err
 }
- host := u2.Hostname()
- return host == prodDomain ||
- host == qaDomain ||
- strings.HasSuffix(host, "."+prodDomain) ||
- strings.HasSuffix(host, "."+qaDomain), nil
+ return HostedDomain(u2.Hostname()), nil
 }
 func HostedDomain(d string) bool {
- return d == prodDomain || d == qaDomain
+ return d == prodDomain ||
+ d == qaDomain ||
+ strings.HasSuffix(d, "."+prodDomain) ||
+ strings.HasSuffix(d, "."+qaDomain)
 }
 func LoadLicenseCA() ([]byte, error) {
diff --git a/vendor/go.bytebuilders.dev/license-verifier/kubernetes/Makefile b/vendor/go.bytebuilders.dev/license-verifier/kubernetes/Makefile
index 5cd4a0b45..10b65999d 100644
--- a/vendor/go.bytebuilders.dev/license-verifier/kubernetes/Makefile
+++ b/vendor/go.bytebuilders.dev/license-verifier/kubernetes/Makefile
@@ -64,8 +64,8 @@ ARCH := $(if $(GOARCH),$(GOARCH),$(shell go env GOARCH))
 BASEIMAGE_PROD ?= gcr.io/distroless/static
 BASEIMAGE_DBG ?= debian:stretch
-GO_VERSION ?= 1.19
-BUILD_IMAGE ?= appscode/golang-dev:$(GO_VERSION)
+GO_VERSION ?= 1.20
+BUILD_IMAGE ?= ghcr.io/appscode/golang-dev:$(GO_VERSION)
 OUTBIN = bin/$(OS)_$(ARCH)/$(BIN)
 ifeq ($(OS),windows)
diff --git a/vendor/go.bytebuilders.dev/license-verifier/kubernetes/lib.go b/vendor/go.bytebuilders.dev/license-verifier/kubernetes/lib.go
index 04735ad6d..3430a33d1 100644
--- a/vendor/go.bytebuilders.dev/license-verifier/kubernetes/lib.go
+++ b/vendor/go.bytebuilders.dev/license-verifier/kubernetes/lib.go
@@ -20,7 +20,7 @@ import (
 "context"
 "encoding/json"
 "fmt"
- "io/ioutil"
+ "io"
 "net/http"
 "net/url"
 "os"
@@ -62,17 +62,17 @@ const (
 )
 type LicenseEnforcer struct {
- opts verifier.VerifyOptions
- config *rest.Config
- kc kubernetes.Interface
- getLicense func() ([]byte, error)
+ licenseFile string
+ opts verifier.VerifyOptions
+ config *rest.Config
+ kc kubernetes.Interface
 }
 // NewLicenseEnforcer returns a newly created license enforcer
 func NewLicenseEnforcer(config *rest.Config, licenseFile string) (*LicenseEnforcer, error) {
 le := LicenseEnforcer{
- getLicense: getLicense(config, licenseFile),
- config: config,
+ config: config,
+ licenseFile: licenseFile,
 opts: verifier.VerifyOptions{
 Features: info.ProductName,
 },
@@ -97,30 +97,38 @@ func MustLicenseEnforcer(config *rest.Config, licenseFile string) *LicenseEnforc
 return le
 }
-func getLicense(cfg *rest.Config, licenseFile string) func() ([]byte, error) {
- return func() ([]byte, error) {
- licenseBytes, err := ioutil.ReadFile(licenseFile)
- if errors.Is(err, os.ErrNotExist) {
- req := proxyserver.LicenseRequest{
- TypeMeta: metav1.TypeMeta{},
- Request: &proxyserver.LicenseRequestRequest{
- Features: info.Features(),
- },
- }
- pc, err := proxyclient.NewForConfig(cfg)
- if err != nil {
- return nil, errors.Wrap(err, "failed create client for license-proxyserver")
- }
- resp, err := pc.ProxyserverV1alpha1().LicenseRequests().Create(context.TODO(), &req, metav1.CreateOptions{})
- if err != nil {
- return nil, errors.Wrap(err, "failed to read license")
- }
- licenseBytes = []byte(resp.Response.License)
- } else if err != nil {
+func (le *LicenseEnforcer) getLicense() ([]byte, error) {
+ licenseBytes, err := os.ReadFile(le.licenseFile)
+ if errors.Is(err, os.ErrNotExist) || (err == nil && le.invalidLicense(licenseBytes)) {
+ req := proxyserver.LicenseRequest{
+ TypeMeta: metav1.TypeMeta{},
+ Request: &proxyserver.LicenseRequestRequest{
+ Features: info.Features(),
+ },
+ }
+ pc, err := proxyclient.NewForConfig(le.config)
+ if err != nil {
+ return nil, errors.Wrap(err, "failed create client for license-proxyserver")
+ }
+ resp, err := pc.ProxyserverV1alpha1().LicenseRequests().Create(context.TODO(), &req, metav1.CreateOptions{})
+ if err != nil {
 return nil, errors.Wrap(err, "failed to read license")
 }
- return licenseBytes, nil
+ licenseBytes = []byte(resp.Response.License)
+ } else if err != nil {
+ return nil, errors.Wrap(err, "failed to read license")
 }
+ return licenseBytes, nil
+}
+
+func (le *LicenseEnforcer) invalidLicense(license []byte) bool {
+ le.opts.License = license
+ // We don't want to acquire license from license-proxyserver is the license file
+ // contains a valid license for a different product.
+ // We want to acquire license-proxyserver is a previously valid license has not expired.
+ // So, we don't check features in the license found is license file.
+ l, err := verifier.ParseLicense(le.opts.ParserOptions)
+ return sets.NewString(l.Features...).HasAny(info.ParseFeatures(le.opts.Features)...) && err != nil
 }
 func (le *LicenseEnforcer) createClients() (err error) {
@@ -136,22 +144,13 @@ func (le *LicenseEnforcer) acquireLicense() (err error) {
 }
 func (le *LicenseEnforcer) readClusterUID() (err error) {
+ if le.opts.ClusterUID != "" {
+ return
+ }
 le.opts.ClusterUID, err = clusterid.ClusterUID(le.kc.CoreV1().Namespaces())
 return err
 }
-func (le *LicenseEnforcer) podName() (string, error) {
- if name, ok := os.LookupEnv("MY_POD_NAME"); ok {
- return name, nil
- }
-
- if meta.PossiblyInCluster() {
- // Read current pod name
- return os.Hostname()
- }
- return "", errors.New("failed to detect pod name")
-}
-
 func (le *LicenseEnforcer) handleLicenseVerificationFailure(licenseErr error) error {
 // Send interrupt so that all go-routines shut-down gracefully
 // https://pracucci.com/graceful-shutdown-of-kubernetes-pods.html
@@ -170,10 +169,6 @@ func (le *LicenseEnforcer) handleLicenseVerificationFailure(licenseErr error) er
 // Log licenseInfo verification failure
 klog.Errorln("Failed to verify license. Reason: ", licenseErr.Error())
- podName, err := le.podName()
- if err != nil {
- return err
- }
 // Read the namespace of current pod
 namespace := meta.PodNamespace()
@@ -183,7 +178,7 @@ func (le *LicenseEnforcer) handleLicenseVerificationFailure(licenseErr error) er
 le.config,
 core.SchemeGroupVersion.WithResource(core.ResourcePods.String()),
 namespace,
- podName,
+ meta.PodName(),
 )
 if err != nil {
 return err
@@ -297,9 +292,6 @@ func verifyLicensePeriodically(le *LicenseEnforcer, licenseFile string, stopCh <
 return false, nil
 }
- if _, err := os.Stat(licenseFile); os.IsNotExist(err) {
- return errors.New("license file is missing")
- }
 return wait.PollImmediateUntil(licenseCheckInterval, fn, stopCh)
 }
@@ -382,7 +374,7 @@ func CheckLicenseEndpoint(config *rest.Config, apiServiceName string, features [
 }
 defer resp.Body.Close()
- data, err := ioutil.ReadAll(resp.Body)
+ data, err := io.ReadAll(resp.Body)
 if err != nil {
 return err
 }
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 56b9775ff..250e69157 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -29,6 +29,8 @@ github.com/PuerkitoBio/purell # github.com/armon/circbuf v0.0.0-20190214190532-5111143e8da2 ## explicit github.com/armon/circbuf +# github.com/cespare/xxhash/v2 v2.2.0 +## explicit; go 1.11 # github.com/codegangsta/inject v0.0.0-20150114235600-33e0aa1cb7c0 ## explicit github.com/codegangsta/inject
@@ -148,13 +150,13 @@ go.bytebuilders.dev/license-proxyserver/apis/proxyserver/v1alpha1 go.bytebuilders.dev/license-proxyserver/client/clientset/versioned go.bytebuilders.dev/license-proxyserver/client/clientset/versioned/scheme go.bytebuilders.dev/license-proxyserver/client/clientset/versioned/typed/proxyserver/v1alpha1 -# go.bytebuilders.dev/license-verifier v0.13.0 +# go.bytebuilders.dev/license-verifier v0.13.2 ## explicit; go 1.18 go.bytebuilders.dev/license-verifier go.bytebuilders.dev/license-verifier/apis/licenses go.bytebuilders.dev/license-verifier/apis/licenses/v1alpha1 go.bytebuilders.dev/license-verifier/info -# go.bytebuilders.dev/license-verifier/kubernetes v0.12.0 +# go.bytebuilders.dev/license-verifier/kubernetes v0.13.2 ## explicit; go 1.18 go.bytebuilders.dev/license-verifier/kubernetes # golang.org/x/crypto v0.9.0