feat[backend](billing): license authority with edition/MSSP feature gating and datasource usage

Author: Kbayero

.github/workflows/reusable-golang.yml

@@ -22,6 +22,10 @@ on:
         type: string
         default: ""
         description: "Path to the Dockerfile (defaults to ./<image_name>/Dockerfile)"
+    secrets:
+      API_SECRET:
+        required: false
+        description: "Token to fetch private github.com/utmstack Go modules. Optional; when unset, only public modules are fetchable (backwards-compatible)."
 jobs:
   build:
     name: Build
@@ -36,6 +40,15 @@ jobs:
           go-version: ^1.20
         id: go
 
+      - name: Configure git for private modules
+        run: |
+          if [ -n "${{ secrets.API_SECRET }}" ]; then
+            git config --global url."https://${{ secrets.API_SECRET }}:x-oauth-basic@github.com/".insteadOf "https://github.com/"
+            echo "GOPRIVATE=github.com/utmstack" >> $GITHUB_ENV
+            echo "GONOPROXY=github.com/utmstack" >> $GITHUB_ENV
+            echo "GONOSUMDB=github.com/utmstack" >> $GITHUB_ENV
+          fi
+
       - name: Running Tests
         working-directory: ./${{inputs.image_name}}
         run: go test -v ./...

.github/workflows/v11-deployment-pipeline.yml

@@ -450,6 +450,11 @@ jobs:
       tag: ${{ needs.setup_deployment.outputs.tag }}
       build_context: "."
       dockerfile: "./backend/Dockerfile"
+      flags: >-
+        -X 'github.com/utmstack/utmstack/backend/modules/billing.PublicKey=${{ secrets.CM_SIGN_PUBLIC_KEY }}'
+        -X 'github.com/utmstack/utmstack/backend/modules/billing.EncryptSalt=${{ secrets.CM_ENCRYPT_SALT }}'
+    secrets:
+      API_SECRET: ${{ secrets.API_SECRET }}
   build_frontend:
     name: Build Frontend Microservice
     needs: [validations, setup_deployment]

backend/main.go

@@ -43,10 +43,11 @@ func main() {
 		panic(err)
 	}
 
-	modules.alerts.Start(appCtx)
+	modules.billing.Start(appCtx)
 	modules.eventProcessing.Start(appCtx)
 	modules.compliance.Start(appCtx)
 	modules.integrations.Start(appCtx)
+	modules.datasources.Start(appCtx)
 	if err := modules.soar.Start(appCtx); err != nil {
 		_ = catcher.Error("soar flow bootstrap failed", err, nil)
 	}

backend/modules.go

@@ -12,6 +12,7 @@ import (
 	"github.com/utmstack/utmstack/backend/modules/alerts"
 	"github.com/utmstack/utmstack/backend/modules/appconfig"
 	"github.com/utmstack/utmstack/backend/modules/audit"
+	"github.com/utmstack/utmstack/backend/modules/billing"
 	"github.com/utmstack/utmstack/backend/modules/compliance"
 	"github.com/utmstack/utmstack/backend/modules/dashboards"
 	"github.com/utmstack/utmstack/backend/modules/datasources"
@@ -52,6 +53,7 @@ type modules struct {
 	iam               *iam.Module
 	audit             *audit.Module
 	appconfig         *appconfig.Module
+	billing           *billing.Module
 	mail              *mail.Module
 	compliance        *compliance.Module
 	dashboards        *dashboards.Module
@@ -89,6 +91,7 @@ func initModules(db *gorm.DB, cfg *config) *modules {
 	limiter := ratelimit.NewLoginLimiter(loginMaxFailures, loginBlockTTL, loginWindowTTL)
 
 	auditMod := audit.NewModule(db)
+	billingMod := billing.NewModule(env.String("UPDATES_DIR", "/updates", false), 25)
 	configMod := appconfig.NewModule(db, cipher)
 	mailMod := mail.NewModule(configMod.Store())
 	configMod.SetMailer(mailMod.Service())
@@ -121,7 +124,7 @@ func initModules(db *gorm.DB, cfg *config) *modules {
 		_ = catcher.Error("opensearch SDK connect failed", err, nil)
 	}
 
-	alertsMod := alerts.NewModule(db, env.Bool("ALERTS_SCHEDULER_ENABLED", false))
+	alertsMod := alerts.NewModule(db)
 
 	agentClient, agentErr := agentmanager.NewClient()
 	if agentErr != nil {
@@ -132,17 +135,20 @@ func initModules(db *gorm.DB, cfg *config) *modules {
 	soarMod := soar.NewModule(db, agentClient, signer, cipher)
 	eventProcessingMod := eventprocessing.NewModule(db, auditMod.Logger())
 
-	integrationsMod := integrations.NewModule(db, cipher,
-		env.String("INTEGRATIONS_TENANT_DIR", "/workdir/pipeline", false),
-	)
-
-	// datasources: registered log sources (agents, collectors, pullers, direct inputs)
-	// and their groups. Registration + liveness arrive via the ping endpoint.
 	dsRepo := ns_repository.NewDatasourceRepository(db)
 	dsGroupRepo := ns_repository.NewAssetGroupRepository(db)
 	dsUC := ns_usecase.NewDatasourceUsecase(dsRepo)
 	dsGroupUC := ns_usecase.NewAssetGroupUsecase(dsGroupRepo)
-	datasourcesMod := datasources.NewModule(dsUC, dsGroupUC)
+	var dsReconciler *ns_usecase.StatsReconciler
+	if cfg.esHost != "" {
+		dsReconciler = ns_usecase.NewStatsReconciler(dsRepo, ns_repository.NewStatsReader())
+	}
+	datasourcesMod := datasources.NewModule(dsUC, dsGroupUC, dsReconciler, billingMod.License())
+
+	integrationsMod := integrations.NewModule(db, cipher,
+		env.String("INTEGRATIONS_TENANT_DIR", "/workdir/pipeline", false),
+		dsUC,
+	)
 
 	opensearchMod := opensearchgw.NewModule(db, cfg.esHost != "")
 	notificationsMod := notifications.NewModule(db, auditMod.Logger())
@@ -165,6 +171,7 @@ func initModules(db *gorm.DB, cfg *config) *modules {
 		iam:               iam.NewModule(authUsecase, userUsecase, roleUsecase, tfaUsecase, apiKeyUsecase, idpUsecase, samlUsecase, cfg.uploadDir),
 		audit:             auditMod,
 		appconfig:         configMod,
+		billing:           billingMod,
 		mail:              mailMod,
 		compliance:        complianceMod,
 		dashboards:        dashboardsMod,

backend/modules/appconfig/routes.go

@@ -5,7 +5,7 @@ import (
 	"github.com/utmstack/utmstack/backend/pkg/http/middleware"
 )
 
-func RegisterRoutes(api *gin.RouterGroup, m *Module, userAuth gin.HandlerFunc) {
+func RegisterRoutes(api *gin.RouterGroup, m *Module, userAuth gin.HandlerFunc, mssp gin.HandlerFunc) {
 	g := api.Group("/config", userAuth)
 	g.GET("", middleware.RequirePermission("config.read"), m.Handler().List)
 	g.GET("/:key", middleware.RequirePermission("config.read"), m.Handler().Get)
@@ -14,6 +14,6 @@ func RegisterRoutes(api *gin.RouterGroup, m *Module, userAuth gin.HandlerFunc) {
 
 	b := api.Group("/branding")
 	b.GET("", userAuth, middleware.RequirePermission("config.read"), m.BrandingHandler().Get)
-	b.PUT("", userAuth, middleware.RequirePermission("config.write"), m.BrandingHandler().Update)
+	b.PUT("", userAuth, mssp, middleware.RequirePermission("config.write"), m.BrandingHandler().Update)
 	b.GET("/public", m.BrandingHandler().Public)
 }

backend/modules/billing/domain/license.go

@@ -0,0 +1,24 @@
+package domain
+
+import "time"
+
+type Edition string
+
+const (
+	EditionCommunity  Edition = "community"
+	EditionEnterprise Edition = "enterprise"
+)
+
+type License struct {
+	Edition     Edition   `json:"edition"`
+	MSSP        bool      `json:"mssp"`
+	Datasources int64     `json:"datasources"` // cap; 0 = unlimited
+	Type        string    `json:"type"`        // online | offline ("" when community)
+	ExpiresAt   time.Time `json:"expiresAt,omitempty"`
+}
+
+func Community() License { return License{Edition: EditionCommunity} }
+
+func (l License) IsEnterprise() bool { return l.Edition == EditionEnterprise }
+func (l License) IsMSSP() bool       { return l.MSSP }
+func (l License) Unlimited() bool    { return l.Datasources == 0 }

backend/modules/billing/dto/version.go

@@ -0,0 +1,9 @@
+package dto
+
+type VersionInfo struct {
+	Version    string `json:"version"`
+	Edition    string `json:"edition"`
+	Changelog  string `json:"changelog,omitempty"`
+	Server     string `json:"server,omitempty"`
+	InstanceID string `json:"instanceId,omitempty"`
+}

backend/modules/billing/handler/license.go

@@ -0,0 +1,34 @@
+package handler
+
+import (
+	"net/http"
+
+	"github.com/gin-gonic/gin"
+	"github.com/utmstack/utmstack/backend/modules/billing/domain"
+)
+
+type licenseProvider interface {
+	Current() domain.License
+}
+
+type LicenseHandler struct {
+	license licenseProvider
+}
+
+func NewLicenseHandler(license licenseProvider) *LicenseHandler {
+	return &LicenseHandler{license: license}
+}
+
+// Get godoc
+//
+//	@Summary     Get the evaluated license / edition
+//	@Description Authoritative edition (community|enterprise) and capabilities,
+//	@Description derived from the signed LICENSE envelope.
+//	@Tags        Billing
+//	@Security    BearerAuth
+//	@Produce     json
+//	@Success     200 {object} domain.License
+//	@Router      /billing/license [get]
+func (h *LicenseHandler) Get(c *gin.Context) {
+	c.JSON(http.StatusOK, h.license.Current())
+}

backend/modules/billing/handler/version.go

@@ -0,0 +1,47 @@
+package handler
+
+import (
+	"net/http"
+
+	"github.com/gin-gonic/gin"
+	"github.com/utmstack/utmstack/backend/modules/billing/domain"
+	"github.com/utmstack/utmstack/backend/modules/billing/dto"
+)
+
+type versionProvider interface {
+	Info() (dto.VersionInfo, error)
+}
+
+type editionProvider interface {
+	Current() domain.License
+}
+
+type VersionHandler struct {
+	usecase versionProvider
+	license editionProvider
+}
+
+func NewVersionHandler(uc versionProvider, license editionProvider) *VersionHandler {
+	return &VersionHandler{usecase: uc, license: license}
+}
+
+// Get godoc
+//
+//	@Summary     Get deployment version and instance info
+//	@Description Reads version.json and instance-config.yml from the updates folder.
+//	@Tags        Billing
+//	@Security    BearerAuth
+//	@Produce     json
+//	@Success     200 {object} dto.VersionInfo
+//	@Failure     500 {object} map[string]string
+//	@Router      /billing/version [get]
+func (h *VersionHandler) Get(c *gin.Context) {
+	info, err := h.usecase.Info()
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
+		return
+	}
+	// Edition is authoritative from the license, not version.json.
+	info.Edition = string(h.license.Current().Edition)
+	c.JSON(http.StatusOK, info)
+}

backend/modules/billing/module.go

@@ -0,0 +1,32 @@
+package billing
+
+import (
+	"context"
+
+	"github.com/utmstack/utmstack/backend/modules/billing/usecase"
+)
+
+var (
+	PublicKey   string
+	EncryptSalt string
+)
+
+type Module struct {
+	version *usecase.VersionUsecase
+	license *usecase.LicenseService
+}
+
+func NewModule(updatesDir string, communityDatasourceCap int64) *Module {
+	return &Module{
+		version: usecase.NewVersionUsecase(updatesDir),
+		license: usecase.NewLicenseService(updatesDir, PublicKey, EncryptSalt, communityDatasourceCap),
+	}
+}
+
+func (m *Module) Start(ctx context.Context) {
+	m.license.Start(ctx)
+}
+
+func (m *Module) Version() *usecase.VersionUsecase { return m.version }
+
+func (m *Module) License() *usecase.LicenseService { return m.license }