Add operator license key check (#4925)

Stops the operator on startup if the current operator license key is invalid.
elastic · Oct 11, 2021 · 138b0e1 · 138b0e1
1 parent 995403b
commit 138b0e1
Show file tree

Hide file tree

Showing 10 changed files with 200 additions and 98 deletions.
diff --git a/cmd/manager/main.go b/cmd/manager/main.go
@@ -35,6 +35,7 @@ import (
 	"github.com/elastic/cloud-on-k8s/pkg/controller/beat"
 	"github.com/elastic/cloud-on-k8s/pkg/controller/common/certificates"
 	"github.com/elastic/cloud-on-k8s/pkg/controller/common/container"
+	commonlicense "github.com/elastic/cloud-on-k8s/pkg/controller/common/license"
 	"github.com/elastic/cloud-on-k8s/pkg/controller/common/operator"
 	"github.com/elastic/cloud-on-k8s/pkg/controller/common/reconciler"
 	controllerscheme "github.com/elastic/cloud-on-k8s/pkg/controller/common/scheme"
@@ -580,12 +581,31 @@ func startOperator(ctx context.Context) error {
 		"build_hash", operatorInfo.BuildInfo.Hash, "build_date", operatorInfo.BuildInfo.Date,
 		"build_snapshot", operatorInfo.BuildInfo.Snapshot)
 
-	if err := mgr.Start(ctx); err != nil {
-		log.Error(err, "Failed to start the controller manager")
-		return err
-	}
+	exitOnErr := make(chan error)
 
-	return nil
+	// start the manager
+	go func() {
+		if err := mgr.Start(ctx); err != nil {
+			log.Error(err, "Failed to start the controller manager")
+			exitOnErr <- err
+		}
+	}()
+
+	// check operator license key
+	go func() {
+		mgr.GetCache().WaitForCacheSync(ctx)
+
+		lc := commonlicense.NewLicenseChecker(mgr.GetClient(), params.OperatorNamespace)
+		licenseType, err := lc.ValidOperatorLicenseKeyType()
+		if err != nil {
+			log.Error(err, "Failed to validate operator license key")
+			exitOnErr <- err
+		} else {
+			log.Info("Operator license key validated", "license_type", licenseType)
+		}
+	}()
+
+	return <-exitOnErr
 }
 
 // asyncTasks schedules some tasks to be started when this instance of the operator is elected

diff --git a/pkg/controller/autoscaling/elasticsearch/controller_test.go b/pkg/controller/autoscaling/elasticsearch/controller_test.go
@@ -94,7 +94,7 @@ func TestReconcile(t *testing.T) {
 			fields: fields{
 				EsClient:       newFakeEsClient(t).withCapacity("frozen-tier"),
 				recorder:       record.NewFakeRecorder(1000),
-				licenseChecker: &fakeLicenceChecker{},
+				licenseChecker: &license.MockLicenseChecker{EnterpriseEnabled: true},
 			},
 			args: args{
 				esManifest: "frozen-tier",
@@ -109,7 +109,7 @@ func TestReconcile(t *testing.T) {
 			fields: fields{
 				EsClient:       newFakeEsClient(t).withCapacity("ml"),
 				recorder:       record.NewFakeRecorder(1000),
-				licenseChecker: &fakeLicenceChecker{},
+				licenseChecker: &license.MockLicenseChecker{EnterpriseEnabled: true},
 			},
 			args: args{
 				esManifest: "ml",
@@ -124,7 +124,7 @@ func TestReconcile(t *testing.T) {
 			fields: fields{
 				EsClient:       newFakeEsClient(t).withErrorOnDeleteAutoscalingAutoscalingPolicies(),
 				recorder:       record.NewFakeRecorder(1000),
-				licenseChecker: &fakeLicenceChecker{},
+				licenseChecker: &license.MockLicenseChecker{EnterpriseEnabled: true},
 			},
 			args: args{
 				esManifest: "min-nodes-increased-by-user",
@@ -139,7 +139,7 @@ func TestReconcile(t *testing.T) {
 			fields: fields{
 				EsClient:       newFakeEsClient(t).withCapacity("empty-autoscaling-api-response"),
 				recorder:       record.NewFakeRecorder(1000),
-				licenseChecker: &fakeLicenceChecker{},
+				licenseChecker: &license.MockLicenseChecker{EnterpriseEnabled: true},
 			},
 			args: args{
 				esManifest: "empty-autoscaling-api-response",
@@ -152,7 +152,7 @@ func TestReconcile(t *testing.T) {
 			fields: fields{
 				EsClient:       newFakeEsClient(t),
 				recorder:       record.NewFakeRecorder(1000),
-				licenseChecker: &fakeLicenceChecker{},
+				licenseChecker: &license.MockLicenseChecker{EnterpriseEnabled: true},
 			},
 			args: args{
 				esManifest: "cluster-creation",
@@ -165,7 +165,7 @@ func TestReconcile(t *testing.T) {
 			fields: fields{
 				EsClient:       newFakeEsClient(t).withCapacity("max-storage-reached"),
 				recorder:       record.NewFakeRecorder(1000),
-				licenseChecker: &fakeLicenceChecker{},
+				licenseChecker: &license.MockLicenseChecker{EnterpriseEnabled: true},
 			},
 			args: args{
 				esManifest: "max-storage-reached",
@@ -182,7 +182,7 @@ func TestReconcile(t *testing.T) {
 			fields: fields{
 				EsClient:       newFakeEsClient(t).withCapacity("storage-scaled-horizontally"),
 				recorder:       record.NewFakeRecorder(1000),
-				licenseChecker: &fakeLicenceChecker{},
+				licenseChecker: &license.MockLicenseChecker{EnterpriseEnabled: true},
 			},
 			args: args{
 				esManifest: "storage-scaled-horizontally",
@@ -195,7 +195,7 @@ func TestReconcile(t *testing.T) {
 			fields: fields{
 				EsClient:       newFakeEsClient(t),
 				recorder:       record.NewFakeRecorder(1000),
-				licenseChecker: &fakeLicenceChecker{},
+				licenseChecker: &license.MockLicenseChecker{EnterpriseEnabled: true},
 			},
 			args: args{
 				esManifest: "",
@@ -374,19 +374,3 @@ func (f *fakeEsClient) GetAutoscalingCapacity(_ context.Context) (esclient.Autos
 func (f *fakeEsClient) UpdateMLNodesSettings(_ context.Context, maxLazyMLNodes int32, maxMemory string) error {
 	return nil
 }
-
-// - Fake licence checker
-
-type fakeLicenceChecker struct{}
-
-func (flc *fakeLicenceChecker) CurrentEnterpriseLicense() (*license.EnterpriseLicense, error) {
-	return nil, nil
-}
-
-func (flc *fakeLicenceChecker) EnterpriseFeaturesEnabled() (bool, error) {
-	return true, nil
-}
-
-func (flc *fakeLicenceChecker) Valid(l license.EnterpriseLicense) (bool, error) {
-	return true, nil
-}
diff --git a/pkg/controller/common/license/check.go b/pkg/controller/common/license/check.go
@@ -6,6 +6,7 @@ package license
 
 import (
 	"context"
+	"fmt"
 	"sort"
 	"time"
 
@@ -24,6 +25,7 @@ type Checker interface {
 	CurrentEnterpriseLicense() (*EnterpriseLicense, error)
 	EnterpriseFeaturesEnabled() (bool, error)
 	Valid(l EnterpriseLicense) (bool, error)
+	ValidOperatorLicenseKeyType() (OperatorLicenseType, error)
 }
 
 // checker contains parameters for license checks.
@@ -64,7 +66,7 @@ func (lc *checker) CurrentEnterpriseLicense() (*EnterpriseLicense, error) {
 	}
 
 	sort.Slice(licenses, func(i, j int) bool {
-		t1, t2 := EnterpriseLicenseTypeOrder[licenses[i].License.Type], EnterpriseLicenseTypeOrder[licenses[j].License.Type]
+		t1, t2 := OperatorLicenseTypeOrder[licenses[i].License.Type], OperatorLicenseTypeOrder[licenses[j].License.Type]
 		if t1 != t2 { // sort by type (first the most features)
 			return t1 > t2
 		}
@@ -115,20 +117,38 @@ func (lc *checker) Valid(l EnterpriseLicense) (bool, error) {
 	return false, nil
 }
 
-type MockChecker struct {
-	MissingLicense bool
+// ValidOperatorLicenseKeyType returns true if the current operator license key is valid
+func (lc checker) ValidOperatorLicenseKeyType() (OperatorLicenseType, error) {
+	lic, err := lc.CurrentEnterpriseLicense()
+	if err != nil {
+		log.V(-1).Info("Invalid Enterprise license, fallback to Basic: " + err.Error())
+	}
+
+	licType := lic.GetOperatorLicenseType()
+	if _, valid := OperatorLicenseTypeOrder[licType]; !valid {
+		return licType, fmt.Errorf("invalid license key: %s", licType)
+	}
+	return licType, nil
 }
 
-func (m MockChecker) CurrentEnterpriseLicense() (*EnterpriseLicense, error) {
+type MockLicenseChecker struct {
+	EnterpriseEnabled bool
+}
+
+func (m MockLicenseChecker) CurrentEnterpriseLicense() (*EnterpriseLicense, error) {
 	return &EnterpriseLicense{}, nil
 }
 
-func (m MockChecker) EnterpriseFeaturesEnabled() (bool, error) {
-	return !m.MissingLicense, nil
+func (m MockLicenseChecker) EnterpriseFeaturesEnabled() (bool, error) {
+	return m.EnterpriseEnabled, nil
+}
+
+func (m MockLicenseChecker) Valid(l EnterpriseLicense) (bool, error) {
+	return m.EnterpriseEnabled, nil
 }
 
-func (m MockChecker) Valid(l EnterpriseLicense) (bool, error) {
-	return !m.MissingLicense, nil
+func (m MockLicenseChecker) ValidOperatorLicenseKeyType() (OperatorLicenseType, error) {
+	return LicenseTypeEnterprise, nil
 }
 
-var _ Checker = &MockChecker{}
+var _ Checker = &MockLicenseChecker{}
diff --git a/pkg/controller/common/license/check_test.go b/pkg/controller/common/license/check_test.go
@@ -236,3 +236,102 @@ func Test_CurrentEnterpriseLicense(t *testing.T) {
 		})
 	}
 }
+
+func Test_ValidOperatorLicenseKey(t *testing.T) {
+	privKey, err := x509.ParsePKCS1PrivateKey(privateKeyFixture)
+	require.NoError(t, err)
+
+	validLicenseFixture := licenseFixtureV3
+	validLicenseFixture.License.ExpiryDateInMillis = chrono.ToMillis(time.Now().Add(1 * time.Hour))
+	signatureBytes, err := NewSigner(privKey).Sign(validLicenseFixture)
+	require.NoError(t, err)
+	validLicense := asRuntimeObjects(validLicenseFixture, signatureBytes)
+
+	trialState, err := NewTrialState()
+	require.NoError(t, err)
+	validTrialLicenseFixture := emptyTrialLicenseFixture
+	require.NoError(t, trialState.InitTrialLicense(&validTrialLicenseFixture))
+	validTrialLicense := asRuntimeObject(validTrialLicenseFixture)
+
+	statusSecret, err := ExpectedTrialStatus(testNS, types.NamespacedName{}, trialState)
+	require.NoError(t, err)
+
+	type fields struct {
+		initialObjects    []runtime.Object
+		operatorNamespace string
+		publicKey         []byte
+	}
+
+	tests := []struct {
+		name     string
+		fields   fields
+		wantErr  bool
+		wantType OperatorLicenseType
+	}{
+		{
+			name: "get valid basic license: OK",
+			fields: fields{
+				initialObjects:    []runtime.Object{},
+				operatorNamespace: "test-system",
+			},
+			wantType: LicenseTypeBasic,
+			wantErr:  false,
+		},
+		{
+			name: "get valid enterprise license: OK",
+			fields: fields{
+				initialObjects:    validLicense,
+				operatorNamespace: "test-system",
+				publicKey:         publicKeyBytesFixture(t),
+			},
+			wantType: LicenseTypeEnterprise,
+			wantErr:  false,
+		},
+		{
+			name: "get valid trial enterprise license: OK",
+			fields: fields{
+				initialObjects:    []runtime.Object{validTrialLicense, &statusSecret},
+				operatorNamespace: "test-system",
+				publicKey:         publicKeyBytesFixture(t),
+			},
+			wantType: LicenseTypeEnterpriseTrial,
+			wantErr:  false,
+		},
+		{
+			name: "get valid enterprise license among two licenses: OK",
+			fields: fields{
+				initialObjects:    append(validLicense, validTrialLicense),
+				operatorNamespace: "test-system",
+				publicKey:         publicKeyBytesFixture(t),
+			},
+			wantType: LicenseTypeEnterprise,
+			wantErr:  false,
+		},
+		{
+			name: "invalid public key: fallback to basic",
+			fields: fields{
+				initialObjects:    validLicense,
+				operatorNamespace: "test-system",
+				publicKey:         []byte("not a public key"),
+			},
+			wantType: LicenseTypeBasic,
+			wantErr:  false,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			lc := &checker{
+				k8sClient:         k8s.NewFakeClient(tt.fields.initialObjects...),
+				operatorNamespace: tt.fields.operatorNamespace,
+				publicKey:         tt.fields.publicKey,
+			}
+			licenseType, err := lc.ValidOperatorLicenseKeyType()
+			if (err != nil) != tt.wantErr {
+				t.Errorf("Checker.ValidOperatorLicenseKeyType() err = %v, wantErr %v", err, tt.wantErr)
+			}
+			if licenseType != tt.wantType {
+				t.Errorf("Checker.ValidOperatorLicenseKeyType() licenseType = %v, wantType %v", licenseType, tt.wantType)
+			}
+		})
+	}
+}
diff --git a/pkg/controller/common/license/model.go b/pkg/controller/common/license/model.go
@@ -15,6 +15,7 @@ import (
 type OperatorLicenseType string
 
 const (
+	LicenseTypeBasic           OperatorLicenseType = "basic"
 	LicenseTypeEnterprise      OperatorLicenseType = "enterprise"
 	LicenseTypeEnterpriseTrial OperatorLicenseType = "enterprise_trial"
 	// LicenseTypeLegacyTrial earlier versions of ECK used this as the trial identifier
@@ -47,8 +48,9 @@ type LicenseSpec struct {
 	Version            int                    // not marshalled but part of the signature
 }
 
-// EnterpriseLicenseTypeOrder license types mapped to ints in increasing order of feature sets for sorting purposes.
-var EnterpriseLicenseTypeOrder = map[OperatorLicenseType]int{
+// OperatorLicenseTypeOrder license types mapped to ints in increasing order of feature sets for sorting purposes.
+var OperatorLicenseTypeOrder = map[OperatorLicenseType]int{
+	LicenseTypeBasic:           -1,
 	LicenseTypeLegacyTrial:     0,
 	LicenseTypeEnterpriseTrial: 1,
 	LicenseTypeEnterprise:      2,
@@ -107,6 +109,13 @@ func (l EnterpriseLicense) IsMissingFields() error {
 	return nil
 }
 
+func (l *EnterpriseLicense) GetOperatorLicenseType() OperatorLicenseType {
+	if l == nil {
+		return LicenseTypeBasic
+	}
+	return l.License.Type
+}
+
 // LicenseStatus expresses the validity status of a license.
 type LicenseStatus string