implement default-off local license check

This is controlled by a build-time compilation macro, OC_LICENSE_PATH
By default, this will have a value of 'cli', which will preserve the
existing license check behavior of using the automate cli when present.

If the macro is set to a file path (this can be done by setting the
environment variable OC_LICENSE_PATH to the target location, prior to
build) then at run-time, erchef will expect to find a license file in
this location.

If the specified the license file is missing or invalid, it is treated as
a 90 day trial license from time of upgrade to the version that
implements this change.

When the file is present, the expiration is pulled from the file, based
on the entitlement end time furthest in the future. This was chosen
because the license content does not directly contain expiration date.

Author: marcparadise

src/oc_erchef/apps/chef_license/src/chef_license_worker.erl

@@ -19,6 +19,7 @@
     terminate/2
 ]).
 
+
 -record(state, {
     scanned_time,
     license_type,
@@ -27,16 +28,23 @@
     expiration_date,
     message,
     customer_name,
-    license_id
+    license_id,
+    install_time
 }).
 
 -define(DEFAULT_LICENSE_SCAN_INTERVAL, 30000). %milli seconds
-
 -define(DEFAULT_FILE_PATH, "/tmp/lic").
-
 -define(LICENSE_SCAN_CMD, "chef-automate license status --result-json ").
 
 
+%% Valid options: cli, or a path to a file
+%% Note that this is defaulted to cli in erl_opts in rebar.config.script but can be overridden
+%% with the path at build time by setting OC_LICENSE_PATH=<path> in the environment.
+%% (In that case, path should be something like /var/opt/opscode/license.lic)
+-ifndef(OC_LICENSE_PATH).
+-define(OC_LICENSE_PATH, cli).
+-endif.
+
 %%% ======================================
 %%% Exported
 %%% ======================================
@@ -51,7 +59,7 @@ get_license() ->
 %%% Gen Server callbacks
 %%% ======================================
 init(_Config) ->
-    State = check_license(#state{}),
+    State = check_license(#state{install_time = install_time()}, ?OC_LICENSE_PATH),
     erlang:send_after(?DEFAULT_LICENSE_SCAN_INTERVAL, self(), check_license),
     {ok, State}.
 
@@ -66,7 +74,7 @@ handle_cast(_Message, State) ->
     {noreply, State}.
 
 handle_info(check_license, State) ->
-    State1 = check_license(State),
+    State1 = check_license(State, ?OC_LICENSE_PATH),
     erlang:send_after(?DEFAULT_LICENSE_SCAN_INTERVAL, self(), check_license),
     {noreply, State1};
 
@@ -79,35 +87,147 @@ code_change(_OldVsn, State) ->
 terminate(_Reason, _State) ->
     ok.
 
+%%%
+%%% Internal Implementation
+%%%
+
+%% Return an approximate installation time based on the unix timestamp found kvpairs
+install_time() ->
+  DefaultTime = os:system_time(second),
+  case chef_sql:select_rows({value_for_key, [<<"itime">>]}) of
+    [[{<<"value">>, Itime}]]->
+      try
+        binary_to_integer(Itime)
+      catch error:badarg ->
+        DefaultTime
+      end;
+    not_found -> {ok, 0};
+    {error, Reason} -> {error, Reason}
+  end.
+
+% This will continue to be the default behavior - license will only be checked
+% as part of an automate install, when the automate CLI is present.
+get_license_info(_InstallTime, cli) ->
+  os:cmd(?LICENSE_SCAN_CMD ++ ?DEFAULT_FILE_PATH),
+  {ok, Bin} = file:read_file(?DEFAULT_FILE_PATH),
+  {Json} = jiffy:decode(Bin),
+  Json;
+% This is for the file-based license mode, where we read the license directly from a file path.
+get_license_info(InstallTime, Path) ->
+  case load_local_license(InstallTime, Path) of
+    {ok, Json} ->
+      io:format("Data: ~p~n", Json),
+      Json;
+    {error, Reason} ->
+      io:format("Failed to load local license going with default: ~p~n", [Reason]),
+      make_license_payload(InstallTime, #{})
+  end.
+
+load_local_license(InstallTime, Loader) when is_function(Loader) ->
+  case Loader() of
+    {ok, Bin} ->
+      %% Input format is the dotted three-part JWT style base64url encoded string, so
+      %% we start by splitting on dot and ensuring we get the expected three parts
+      case binary:split(Bin, [<<".">>], [trim_all, global]) of
+        %% NOTE: This implementation does not verify signature. To implement signature verification,
+        %%       we will need to have the license service public key available to the license worker
+        %%       at a known path.
+        [_Header, Payload, _Signature] ->
+          try base64:decode(Payload, #{ padding => false, mode => urlsafe } ) of
+            Decoded ->
+              try jiffy:decode(Decoded, [return_maps]) of
+                J -> {ok, make_license_payload(InstallTime, J)}
+              catch _:Reason ->
+                { error , {invalid_json, Reason } } % %, Decoded } }
+              end
+          catch _:Reason ->
+            { error, { invalid_base64, Reason } } %, Payload } }
+          end;
+        _ ->
+          { error, { invalid_license_format } }
+      end;
+    {error, Reason} ->
+      { error, { load_failed, Reason } }
+  end;
+load_local_license(InstallTime, Path) ->
+  load_local_license( InstallTime, fun() -> file:read_file(Path) end ).
+
+
+%% Generates a license payload using a parsed license.  The generated license is 's compatiable with the
+%% automate-ctl license status json output object, so that we can use the same processing function for both
+%% the CLI and file-based license modes.
+%% In some cases, we don't have all the data that the license service would provide, so we'll make substitutes.
+make_license_payload(_InstallTime, #{ <<"id">> := LicenseId,
+                                      <<"customer">> := CustomerName,
+                                      <<"entitlements">> := Entitlements,
+                                      <<"type">> := LicenseType
+                                    }) ->
+
+  %% The license server itself would give us actual expiration date. We have to
+  %% approximate as best we can based the latest end date of available entitilements.
+  ExpireInSeconds = case Entitlements of
+                      [] ->  0;  % No entitlements, treat as expired or invalid license
+                      _ -> lists:max([Ent || #{ <<"end">> := #{<<"seconds">> := Ent}} <- Entitlements])
+                    end,
+
+  [ {<<"result">>, {[
+                    {<<"license_id">>, LicenseId},
+                    {<<"customer_name">>, CustomerName},
+                    {<<"expiration_date">>, {[{<<"seconds">>, ExpireInSeconds}]}},
+                    {<<"license_type">>, LicenseType},
+                    {<<"grace_period">>, false}
+                   ]}}
+    ];
+make_license_payload(InstallTime, _Other) ->
+  %% If we don't have the expected fields, we don't have a valid license - so let's make something that looks like one,
+  %% but is valid from the install date + 90 days.
+  ExpirationTime = InstallTime + (60 * 60 * 24 * 90), % 90 days from install time
+  lager:warning("License payload is missing expected fields, treating as valid license with expiration : ~p", [ExpirationTime]),
+  [ {<<"result">>, {[
+                    {<<"license_id">>, <<>>},
+                    {<<"customer_name">>, <<>>},
+                    {<<"expiration_date">>, {[{<<"seconds">>, ExpirationTime}]}},
+                    {<<"license_type">>, <<"commercial">>},
+                    {<<"grace_period">>, false}
+                   ]}}
+  ].
+
+
+
+%%%
 %%% =====================
 %%% Internal functions
 %%% =====================
-check_license(State) ->
-    JsonStr =
-        case catch get_license_info() of
-            Result when is_list(Result) -> Result;
-            {'EXIT', _} -> <<"">>
-        end,
-    case process_license(JsonStr) of
-        {ok, valid_license, ExpDate, CustomerName, LicenseId} ->
-            State#state{license_cache=valid_license, grace_period=undefined, scanned_time = erlang:timestamp(), expiration_date=ExpDate, customer_name=CustomerName, license_id = LicenseId};
-        {ok, commercial_expired, ExpDate, Msg, CustomerName, LicenseId} ->
-            State#state{license_cache=commercial_expired, license_type = <<"commercial">>, grace_period=undefined, scanned_time = erlang:timestamp(), expiration_date=ExpDate, message=Msg, customer_name=CustomerName, license_id = LicenseId};
-        {ok, commercial_grace_period, ExpDate, Msg, CustomerName, LicenseId} ->
-            State#state{license_cache=commercial_grace_period, grace_period=true, scanned_time = erlang:timestamp(), expiration_date=ExpDate, message=Msg, customer_name=CustomerName, license_id = LicenseId};
-        {ok, trial_expired, ExpDate, Msg, CustomerName, LicenseId} ->
-            State#state{license_cache=trial_expired_expired, license_type = <<"trial">>, grace_period=undefined, scanned_time = erlang:timestamp(), expiration_date=ExpDate, message=Msg, customer_name=CustomerName, license_id = LicenseId};
-        {error, no_license} ->
-            State#state{license_cache=trial_expired_expired, license_type = <<"trial">>, grace_period=undefined, scanned_time = erlang:timestamp(), expiration_date="", message=get_alert_message(trial_expired, "")};
-        {error, _} -> State
-    end.
+check_license(#state{install_time = InstallTime} = State,  ModeOrPath) ->
+  JsonStr = case catch get_license_info(InstallTime, ModeOrPath) of
+              Result when is_list(Result) -> Result;
+              {'EXIT', N} ->
+                io:format("Oopsie, exited license check ~p~n", [N]),
+                <<"">>
+            end,
+  R2 = process_license(JsonStr),
 
-get_license_info() ->
-    os:cmd(?LICENSE_SCAN_CMD ++ ?DEFAULT_FILE_PATH),
-    {ok, Bin} = file:read_file(?DEFAULT_FILE_PATH),
-    {JsonStr} = jiffy:decode(Bin),
-    JsonStr.
+  io:format("process_license result: ~p ~p~n", [JsonStr, R2]),
+  case process_license(JsonStr) of
+    {ok, valid_license, ExpDate, CustomerName, LicenseId} ->
+      State#state{license_cache=valid_license, grace_period=undefined, scanned_time = erlang:timestamp(), expiration_date=ExpDate, customer_name=CustomerName, license_id = LicenseId};
+    {ok, commercial_expired, ExpDate, Msg, CustomerName, LicenseId} ->
+      State#state{license_cache=commercial_expired, license_type = <<"commercial">>, grace_period=undefined, scanned_time = erlang:timestamp(), expiration_date=ExpDate, message=Msg, customer_name=CustomerName, license_id = LicenseId};
+    {ok, commercial_grace_period, ExpDate, Msg, CustomerName, LicenseId} ->
+      State#state{license_cache=commercial_grace_period, grace_period=true, scanned_time = erlang:timestamp(), expiration_date=ExpDate, message=Msg, customer_name=CustomerName, license_id = LicenseId};
+    {ok, trial_expired, ExpDate, Msg, CustomerName, LicenseId} ->
+      State#state{license_cache=trial_expired_expired, license_type = <<"trial">>, grace_period=undefined, scanned_time = erlang:timestamp(), expiration_date=ExpDate, message=Msg, customer_name=CustomerName, license_id = LicenseId};
+    {error, no_license} ->
+      State#state{license_cache=trial_expired_expired, license_type = <<"trial">>, grace_period=undefined, scanned_time = erlang:timestamp(), expiration_date="", message=get_alert_message(trial_expired, "")};
+    {error, _} -> State
+  end.
 
+
+% missing license: gets treated as a trial that expires at TRACK_INSTALL_DATE + 90 days (configurable at build)
+% a present license that is not valid gets treated as an expired license.
+% a valid unexpired license gets treated as valid
+% a valid expired license gets treated as expired. license gets treated as valid, and we don not
+%
 process_license(<<"">>) ->
     {error, invalid_json};
 process_license(LicJson) ->
@@ -125,10 +245,9 @@ process_license(LicJson) ->
                                 <<"commercial">> ->
                                     case ej:get({<<"grace_period">>}, LicDetails) of
                                         true ->
-                                            {ok, commercial_grace_period, ExpDate,
-                                                get_alert_message(commercial_grace_period, ExpDate), CustomerName, LicenseId};
+                                            {ok, commercial_grace_period, ExpDate, get_alert_message(commercial_grace_period, ExpDate), CustomerName, LicenseId};
                                         _ ->
-                                            { ok, commercial_expired, ExpDate, get_alert_message(commercial_expired, ExpDate), CustomerName, LicenseId}
+                                            {ok, commercial_expired, ExpDate, get_alert_message(commercial_expired, ExpDate), CustomerName, LicenseId}
                                     end;
                                 _ ->
                                     {ok, trial_expired, ExpDate, get_alert_message(trial_expired, ExpDate), CustomerName, LicenseId}
@@ -148,6 +267,7 @@ process_license(LicJson) ->
             {error, invalid_response}
     end.
 
+
 get_alert_message(Type, ExpDate) ->
     case Type of
         trial_expired ->

src/oc_erchef/apps/chef_license/test/chef_license_worker_test.erl

@@ -31,14 +31,14 @@ license_test()->
     {Result, _, _, _, _,_,_} = chef_license_worker:get_license(),
     ?assertEqual(valid_license, Result),
     os:cmd("rm -rf " ++ ?DEFAULT_FILE_PATH),
-    
+
     file:write_file(?DEFAULT_FILE_PATH,get_commercial_license_expired()),
     refresh_license(),
     timer:sleep(100),
     {Result1, _, _, _, _,_,_} = chef_license_worker:get_license(),
     ?assertEqual(commercial_expired, Result1),
     os:cmd("rm -rf " ++ ?DEFAULT_FILE_PATH),
-    
+
     file:write_file(?DEFAULT_FILE_PATH,get_commercial_grace_license()),
     refresh_license(),
     timer:sleep(100),
@@ -61,4 +61,5 @@ license_test()->
     os:cmd("rm -rf " ++ ?DEFAULT_FILE_PATH).
 
 refresh_license()->
-    erlang:send(chef_license_worker, check_license).
+    erlang:send(chef_license_worker, check_license).
+

src/oc_erchef/rebar.config

@@ -26,8 +26,6 @@
         {git, "https://github.com/chef/ej",                         {branch, "master"}}},
     {envy, ".*",
         {git, "https://github.com/markan/envy",                     {branch, "master"}}},
-%    {eper, ".*",
-%        {git, "https://github.com/massemanet/eper",                 {branch, "master"}}},
     {erlcloud, ".*",
         {git, "https://github.com/chef/erlcloud",                   {branch, "CHEF-11677/CHEF-12498/lbaker"}}},
     {erlware_commons, ".*",
@@ -78,6 +76,8 @@
             {d, 'OC_CHEF'},
             {d, 'CHEF_DB_DARKLAUNCH', xdarklaunch_req},
             {d, 'CHEF_WM_DARKLAUNCH', xdarklaunch_req},
+            % Note: OC_LICENSE_PATH value is set dynamically in rebar.config.script
+            % {d, OC_LICENSE_PATH, cli|"path/to/license/file"}
             {parse_transform, lager_transform},
                 warnings_as_errors,
                 debug_info,
@@ -114,7 +114,7 @@
 {profiles, [
     {test, [
         {deps, [
-            {meck, 
+            {meck,
                 {git,"https://github.com/eproxus/meck", {ref,"e48641a20a605174e640ac91a528d443be11c9b9"}}},
             {automeck,
                 {git, "https://github.com/chef/automeck", {branch, "otp_24"}}},

src/oc_erchef/rebar.config.script

@@ -0,0 +1,12 @@
+%% -*- mode: erlang -*-
+%% ex: ts=4 sw=4 ft=erlang
+
+%% Include erl_opts {d, OC_LICENSE_PATH, X} where X is determined based on the OC_LICENSE_PATH environment variable for compile-time resolution of the path.
+%% Special value 'cli' means to use the automate CLI
+%% to obtain license information intead.  This is the default.
+LicensePath = os:getenv("OC_LICENSE_PATH", cli),
+ErlOpts = proplists:get_value(erl_opts, CONFIG, []),
+UpdatedErlOpts = lists:keystore(d, 99, ErlOpts,
+    {d, 'OC_LICENSE_PATH', LicensePath}),
+Config1 = lists:keydelete(erl_opts, 1, CONFIG),
+[{erl_opts, UpdatedErlOpts} | Config1].

src/oc_erchef/rebar.lock

@@ -52,7 +52,7 @@
   1},
  {<<"erlcloud">>,
   {git,"https://github.com/chef/erlcloud",
-       {branch,"CHEF-11677/CHEF-12498/lbaker"}},
+       {ref,"398d67ecfe6d398a444d42ab9e94e8b1df0171a5"}},
   0},
  {<<"erlware_commons">>,
   {git,"https://github.com/chef/erlware_commons",
@@ -100,7 +100,7 @@
   1},
  {<<"mini_s3">>,
   {git,"https://github.com/chef/mini_s3",
-       {branch,"CHEF-11677/CHEF-12498/lbaker"}},
+       {ref,"aa206d4d5a8380aff68629b46c15b87931e5c801"}},
   0},
  {<<"mixer">>,
   {git,"https://github.com/inaka/mixer",