[cherry-pick] Update license verifier (#711) (#712)

/cherry-pick

Signed-off-by: Tamal Saha <tamal@appscode.com>
Co-authored-by: Tamal Saha <tamal@appscode.com>

Author: 1gtm

go.mod

@@ -4,7 +4,7 @@ go 1.18
 
 require (
 	github.com/spf13/cobra v1.7.0
-	go.bytebuilders.dev/license-verifier/kubernetes v0.12.0
+	go.bytebuilders.dev/license-verifier/kubernetes v0.13.2
 	gomodules.xyz/flags v0.1.3
 	gomodules.xyz/go-sh v0.1.0
 	gomodules.xyz/logs v0.0.6
@@ -18,6 +18,8 @@ require (
 	stash.appscode.dev/apimachinery v0.30.0
 )
 
+require github.com/cespare/xxhash/v2 v2.2.0 // indirect
+
 require (
 	cloud.google.com/go v0.97.0 // indirect
 	github.com/Azure/go-autorest v14.2.0+incompatible // indirect
@@ -60,7 +62,7 @@ require (
 	github.com/yudai/gojsondiff v1.0.0 // indirect
 	github.com/yudai/golcs v0.0.0-20170316035057-ecda9a501e82 // indirect
 	go.bytebuilders.dev/license-proxyserver v0.0.3 // indirect
-	go.bytebuilders.dev/license-verifier v0.13.0 // indirect
+	go.bytebuilders.dev/license-verifier v0.13.2 // indirect
 	golang.org/x/crypto v0.9.0 // indirect
 	golang.org/x/net v0.10.0 // indirect
 	golang.org/x/oauth2 v0.5.0 // indirect

go.sum

@@ -82,9 +82,9 @@ github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kBD4zp0CCIs=
 github.com/bketelsen/crypt v0.0.3-0.20200106085610-5cbc8cc4026c/go.mod h1:MKsuJmJgSg28kpZDP6UIiPt0e0Oz0kqKNGyRaWEPv84=
 github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
-github.com/cespare/xxhash v1.1.0 h1:a6HrQnmkObjyL+Gs60czilIUGqrzKutQD6XZog3p+ko=
 github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc=
-github.com/cespare/xxhash/v2 v2.1.2 h1:YRXhKfTDauu4ajMg1TPgFO5jnlC2HCbmLXMcTG5cbYE=
+github.com/cespare/xxhash/v2 v2.2.0 h1:DC2CZ1Ep5Y4k3ZQ899DldepgrayRUGE6BBZ/cd9Cj44=
+github.com/cespare/xxhash/v2 v2.2.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI=
 github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI=
 github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU=
@@ -401,10 +401,10 @@ github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9dec
 github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
 go.bytebuilders.dev/license-proxyserver v0.0.3 h1:vAFMBWfrlmFKNspjBm2KfPXnxYnC17xLwZiHmVzUmzs=
 go.bytebuilders.dev/license-proxyserver v0.0.3/go.mod h1:iMJbPzDf2R2EJOZwRi7ziEr5DBMfT9Cm75/XfPb/QnU=
-go.bytebuilders.dev/license-verifier v0.13.0 h1:VyI8XydrZbzClSk45rPcjz9dVhyL0EfpWW4T08SXMGo=
-go.bytebuilders.dev/license-verifier v0.13.0/go.mod h1:PTTlWgokzoisBezn2zt+JeGkhTJZ0flvLzdhHVBy86M=
-go.bytebuilders.dev/license-verifier/kubernetes v0.12.0 h1:YJ/JWjeJgDOHzgI/RYMn60x+R7KpZ+3Nu8BHJLghYc8=
-go.bytebuilders.dev/license-verifier/kubernetes v0.12.0/go.mod h1:XJUtMI5o0QQyaor1SAqL/2YTYU9LxYM6/Q8X8o/750w=
+go.bytebuilders.dev/license-verifier v0.13.2 h1:wV1ynl+GR+zKb3dh19WEzuC0uzTdiSGgVg9G78Nh4XU=
+go.bytebuilders.dev/license-verifier v0.13.2/go.mod h1:PTTlWgokzoisBezn2zt+JeGkhTJZ0flvLzdhHVBy86M=
+go.bytebuilders.dev/license-verifier/kubernetes v0.13.2 h1:ZIPTce9sAR9/GaPvQtkbOTXGE1Nyyv0GcMqnInUaqxM=
+go.bytebuilders.dev/license-verifier/kubernetes v0.13.2/go.mod h1:xiM7bX84LNWQPJRC/m9rQASuCclJSsDdf2qFdafrz1k=
 go.etcd.io/bbolt v1.3.2/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU=
 go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU=
 go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8=

vendor/go.bytebuilders.dev/license-verifier/Makefile

@@ -21,7 +21,7 @@ COMPRESS ?= no
 
 # Produce CRDs that work back to Kubernetes 1.11 (no version conversion)
 CRD_OPTIONS          ?= "crd:maxDescLen=0,generateEmbeddedObjectMeta=true,allowDangerousTypes=true"
-CODE_GENERATOR_IMAGE ?= appscode/gengo:release-1.25
+CODE_GENERATOR_IMAGE ?= ghcr.io/appscode/gengo:release-1.25
 API_GROUPS           ?= licenses:v1alpha1
 
 # Where to push the docker image.

vendor/go.bytebuilders.dev/license-verifier/info/lib.go

@@ -138,15 +138,14 @@ func HostedEndpoint(u string) (bool, error) {
 	if err != nil {
 		return false, err
 	}
-	host := u2.Hostname()
-	return host == prodDomain ||
-		host == qaDomain ||
-		strings.HasSuffix(host, "."+prodDomain) ||
-		strings.HasSuffix(host, "."+qaDomain), nil
+	return HostedDomain(u2.Hostname()), nil
 }
 
 func HostedDomain(d string) bool {
-	return d == prodDomain || d == qaDomain
+	return d == prodDomain ||
+		d == qaDomain ||
+		strings.HasSuffix(d, "."+prodDomain) ||
+		strings.HasSuffix(d, "."+qaDomain)
 }
 
 func LoadLicenseCA() ([]byte, error) {

vendor/go.bytebuilders.dev/license-verifier/kubernetes/Makefile

@@ -64,8 +64,8 @@ ARCH := $(if $(GOARCH),$(GOARCH),$(shell go env GOARCH))
 BASEIMAGE_PROD   ?= gcr.io/distroless/static
 BASEIMAGE_DBG    ?= debian:stretch
 
-GO_VERSION       ?= 1.19
-BUILD_IMAGE      ?= appscode/golang-dev:$(GO_VERSION)
+GO_VERSION       ?= 1.20
+BUILD_IMAGE      ?= ghcr.io/appscode/golang-dev:$(GO_VERSION)
 
 OUTBIN = bin/$(OS)_$(ARCH)/$(BIN)
 ifeq ($(OS),windows)

vendor/go.bytebuilders.dev/license-verifier/kubernetes/lib.go

@@ -20,7 +20,7 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
-	"io/ioutil"
+	"io"
 	"net/http"
 	"net/url"
 	"os"
@@ -62,17 +62,17 @@ const (
 )
 
 type LicenseEnforcer struct {
-	opts       verifier.VerifyOptions
-	config     *rest.Config
-	kc         kubernetes.Interface
-	getLicense func() ([]byte, error)
+	licenseFile string
+	opts        verifier.VerifyOptions
+	config      *rest.Config
+	kc          kubernetes.Interface
 }
 
 // NewLicenseEnforcer returns a newly created license enforcer
 func NewLicenseEnforcer(config *rest.Config, licenseFile string) (*LicenseEnforcer, error) {
 	le := LicenseEnforcer{
-		getLicense: getLicense(config, licenseFile),
-		config:     config,
+		config:      config,
+		licenseFile: licenseFile,
 		opts: verifier.VerifyOptions{
 			Features: info.ProductName,
 		},
@@ -97,30 +97,38 @@ func MustLicenseEnforcer(config *rest.Config, licenseFile string) *LicenseEnforc
 	return le
 }
 
-func getLicense(cfg *rest.Config, licenseFile string) func() ([]byte, error) {
-	return func() ([]byte, error) {
-		licenseBytes, err := ioutil.ReadFile(licenseFile)
-		if errors.Is(err, os.ErrNotExist) {
-			req := proxyserver.LicenseRequest{
-				TypeMeta: metav1.TypeMeta{},
-				Request: &proxyserver.LicenseRequestRequest{
-					Features: info.Features(),
-				},
-			}
-			pc, err := proxyclient.NewForConfig(cfg)
-			if err != nil {
-				return nil, errors.Wrap(err, "failed create client for license-proxyserver")
-			}
-			resp, err := pc.ProxyserverV1alpha1().LicenseRequests().Create(context.TODO(), &req, metav1.CreateOptions{})
-			if err != nil {
-				return nil, errors.Wrap(err, "failed to read license")
-			}
-			licenseBytes = []byte(resp.Response.License)
-		} else if err != nil {
+func (le *LicenseEnforcer) getLicense() ([]byte, error) {
+	licenseBytes, err := os.ReadFile(le.licenseFile)
+	if errors.Is(err, os.ErrNotExist) || (err == nil && le.invalidLicense(licenseBytes)) {
+		req := proxyserver.LicenseRequest{
+			TypeMeta: metav1.TypeMeta{},
+			Request: &proxyserver.LicenseRequestRequest{
+				Features: info.Features(),
+			},
+		}
+		pc, err := proxyclient.NewForConfig(le.config)
+		if err != nil {
+			return nil, errors.Wrap(err, "failed create client for license-proxyserver")
+		}
+		resp, err := pc.ProxyserverV1alpha1().LicenseRequests().Create(context.TODO(), &req, metav1.CreateOptions{})
+		if err != nil {
 			return nil, errors.Wrap(err, "failed to read license")
 		}
-		return licenseBytes, nil
+		licenseBytes = []byte(resp.Response.License)
+	} else if err != nil {
+		return nil, errors.Wrap(err, "failed to read license")
 	}
+	return licenseBytes, nil
+}
+
+func (le *LicenseEnforcer) invalidLicense(license []byte) bool {
+	le.opts.License = license
+	// We don't want to acquire license from license-proxyserver is the license file
+	// contains a valid license for a different product.
+	// We want to acquire license-proxyserver is a previously valid license has not expired.
+	// So, we don't check features in the license found is license file.
+	l, err := verifier.ParseLicense(le.opts.ParserOptions)
+	return sets.NewString(l.Features...).HasAny(info.ParseFeatures(le.opts.Features)...) && err != nil
 }
 
 func (le *LicenseEnforcer) createClients() (err error) {
@@ -136,22 +144,13 @@ func (le *LicenseEnforcer) acquireLicense() (err error) {
 }
 
 func (le *LicenseEnforcer) readClusterUID() (err error) {
+	if le.opts.ClusterUID != "" {
+		return
+	}
 	le.opts.ClusterUID, err = clusterid.ClusterUID(le.kc.CoreV1().Namespaces())
 	return err
 }
 
-func (le *LicenseEnforcer) podName() (string, error) {
-	if name, ok := os.LookupEnv("MY_POD_NAME"); ok {
-		return name, nil
-	}
-
-	if meta.PossiblyInCluster() {
-		// Read current pod name
-		return os.Hostname()
-	}
-	return "", errors.New("failed to detect pod name")
-}
-
 func (le *LicenseEnforcer) handleLicenseVerificationFailure(licenseErr error) error {
 	// Send interrupt so that all go-routines shut-down gracefully
 	// https://pracucci.com/graceful-shutdown-of-kubernetes-pods.html
@@ -170,10 +169,6 @@ func (le *LicenseEnforcer) handleLicenseVerificationFailure(licenseErr error) er
 	// Log licenseInfo verification failure
 	klog.Errorln("Failed to verify license. Reason: ", licenseErr.Error())
 
-	podName, err := le.podName()
-	if err != nil {
-		return err
-	}
 	// Read the namespace of current pod
 	namespace := meta.PodNamespace()
 
@@ -183,7 +178,7 @@ func (le *LicenseEnforcer) handleLicenseVerificationFailure(licenseErr error) er
 		le.config,
 		core.SchemeGroupVersion.WithResource(core.ResourcePods.String()),
 		namespace,
-		podName,
+		meta.PodName(),
 	)
 	if err != nil {
 		return err
@@ -297,9 +292,6 @@ func verifyLicensePeriodically(le *LicenseEnforcer, licenseFile string, stopCh <
 		return false, nil
 	}
 
-	if _, err := os.Stat(licenseFile); os.IsNotExist(err) {
-		return errors.New("license file is missing")
-	}
 	return wait.PollImmediateUntil(licenseCheckInterval, fn, stopCh)
 }
 
@@ -382,7 +374,7 @@ func CheckLicenseEndpoint(config *rest.Config, apiServiceName string, features [
 	}
 	defer resp.Body.Close()
 
-	data, err := ioutil.ReadAll(resp.Body)
+	data, err := io.ReadAll(resp.Body)
 	if err != nil {
 		return err
 	}

vendor/modules.txt

@@ -29,6 +29,8 @@ github.com/PuerkitoBio/purell
 # github.com/armon/circbuf v0.0.0-20190214190532-5111143e8da2
 ## explicit
 github.com/armon/circbuf
+# github.com/cespare/xxhash/v2 v2.2.0
+## explicit; go 1.11
 # github.com/codegangsta/inject v0.0.0-20150114235600-33e0aa1cb7c0
 ## explicit
 github.com/codegangsta/inject
@@ -148,13 +150,13 @@ go.bytebuilders.dev/license-proxyserver/apis/proxyserver/v1alpha1
 go.bytebuilders.dev/license-proxyserver/client/clientset/versioned
 go.bytebuilders.dev/license-proxyserver/client/clientset/versioned/scheme
 go.bytebuilders.dev/license-proxyserver/client/clientset/versioned/typed/proxyserver/v1alpha1
-# go.bytebuilders.dev/license-verifier v0.13.0
+# go.bytebuilders.dev/license-verifier v0.13.2
 ## explicit; go 1.18
 go.bytebuilders.dev/license-verifier
 go.bytebuilders.dev/license-verifier/apis/licenses
 go.bytebuilders.dev/license-verifier/apis/licenses/v1alpha1
 go.bytebuilders.dev/license-verifier/info
-# go.bytebuilders.dev/license-verifier/kubernetes v0.12.0
+# go.bytebuilders.dev/license-verifier/kubernetes v0.13.2
 ## explicit; go 1.18
 go.bytebuilders.dev/license-verifier/kubernetes
 # golang.org/x/crypto v0.9.0