mirror of
https://github.com/OpenMaxIO/openmaxio-object-browser
synced 2026-07-01 07:41:18 -07:00
Product license verification in Console (#518)
Operator UI - Provide and store License key - New License section in Operator UI will allow user to provide the license key via input form - New License section in Operator UI will allow the user to fetch the license key using subnet credentials - Console backend has to verify provided license is valid - https://godoc.org/github.com/minio/minio/pkg/licverifier#example-package - Console backend has to store the license key in k8s secrets Operator UI - Set license to tenant during provisioning - Check if license key exists in k8s secret during tenant creation - If License is present attach the license-key jwt to the new console tenant via an environment variable Operator UI - Set license for an existing tenant - Tenant view will display information about the current status of the Tenant License - If Tenant doesn't have a License then Operator-UI will allow to attach new license by clicking the Add License button - Console backend will extract the license from the k8s secret and save the license-key jwt in the tenant console environment variable and redeploy
This commit is contained in:
173
pkg/subnet/subnet.go
Normal file
173
pkg/subnet/subnet.go
Normal file
@@ -0,0 +1,173 @@
|
||||
// This file is part of MinIO Console Server
|
||||
// Copyright (c) 2020 MinIO, Inc.
|
||||
//
|
||||
// This program is free software: you can redistribute it and/or modify
|
||||
// it under the terms of the GNU Affero General Public License as published by
|
||||
// the Free Software Foundation, either version 3 of the License, or
|
||||
// (at your option) any later version.
|
||||
//
|
||||
// This program is distributed in the hope that it will be useful,
|
||||
// but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
// GNU Affero General Public License for more details.
|
||||
//
|
||||
// You should have received a copy of the GNU Affero General Public License
|
||||
// along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
//
|
||||
|
||||
package subnet
|
||||
|
||||
import (
|
||||
"bytes"
|
||||
"encoding/json"
|
||||
"errors"
|
||||
"fmt"
|
||||
"io/ioutil"
|
||||
"log"
|
||||
"net/http"
|
||||
|
||||
"github.com/minio/console/cluster"
|
||||
"github.com/minio/minio/pkg/licverifier"
|
||||
)
|
||||
|
||||
// subnetLoginRequest body request for subnet login
|
||||
type subnetLoginRequest struct {
|
||||
Username string `json:"username"`
|
||||
Password string `json:"password"`
|
||||
}
|
||||
|
||||
// tokenInfo
|
||||
type tokenInfo struct {
|
||||
AccessToken string `json:"access_token"`
|
||||
ExpiresIn float64 `json:"expires_in"`
|
||||
TokenType string `json:"token_type"`
|
||||
}
|
||||
|
||||
// subnetLoginResponse body resonse from subnet after login
|
||||
type subnetLoginResponse struct {
|
||||
HasMembership bool `json:"has_memberships"`
|
||||
TokenInfo tokenInfo `json:"token_info"`
|
||||
}
|
||||
|
||||
// LicenseMetadata claims in subnet license
|
||||
type LicenseMetadata struct {
|
||||
Email string `json:"email"`
|
||||
Issuer string `json:"issuer"`
|
||||
TeamName string `json:"teamName"`
|
||||
ServiceType string `json:"serviceType"`
|
||||
RequestedAt string `json:"requestedAt"`
|
||||
ExpiresAt string `json:"expiresAt"`
|
||||
AccountID int64 `json:"accountId"`
|
||||
Capacity int64 `json:"capacity"`
|
||||
}
|
||||
|
||||
// subnetLicenseResponse body response returned by subnet license endpoint
|
||||
type subnetLicenseResponse struct {
|
||||
License string `json:"license"`
|
||||
Metadata LicenseMetadata `json:"metadata"`
|
||||
}
|
||||
|
||||
// getLicenseFromCredentials will perform authentication against subnet using
|
||||
// user provided credentials and return the current subnet license key
|
||||
func getLicenseFromCredentials(client cluster.HTTPClientI, username, password string) (string, error) {
|
||||
request := subnetLoginRequest{
|
||||
Username: username,
|
||||
Password: password,
|
||||
}
|
||||
// http body for login request
|
||||
payloadBytes, err := json.Marshal(request)
|
||||
if err != nil {
|
||||
return "", err
|
||||
}
|
||||
subnetURL := GetSubnetURL()
|
||||
url := fmt.Sprintf("%s%s", subnetURL, loginEndpoint)
|
||||
// Authenticate against subnet using email/password provided by user
|
||||
resp, err := client.Post(url, "application/json", bytes.NewReader(payloadBytes))
|
||||
if err != nil {
|
||||
return "", err
|
||||
}
|
||||
defer resp.Body.Close()
|
||||
bodyBytes, err := ioutil.ReadAll(resp.Body)
|
||||
if err != nil {
|
||||
return "", err
|
||||
}
|
||||
subnetSession := &subnetLoginResponse{}
|
||||
// Parse subnet login response
|
||||
err = json.Unmarshal(bodyBytes, subnetSession)
|
||||
if err != nil {
|
||||
return "", err
|
||||
}
|
||||
|
||||
// Get license key using session token
|
||||
token := subnetSession.TokenInfo.AccessToken
|
||||
url = fmt.Sprintf("%s%s", subnetURL, licenseKeyEndpoint)
|
||||
req, err := http.NewRequest("POST", url, nil)
|
||||
if err != nil {
|
||||
return "", err
|
||||
}
|
||||
req.Header.Add("Authorization", fmt.Sprintf("Bearer %s", token))
|
||||
resp, err = client.Do(req)
|
||||
if err != nil {
|
||||
return "", err
|
||||
}
|
||||
defer resp.Body.Close()
|
||||
bodyBytes, err = ioutil.ReadAll(resp.Body)
|
||||
if err != nil {
|
||||
return "", err
|
||||
}
|
||||
userLicense := &subnetLicenseResponse{}
|
||||
// Parse subnet license response
|
||||
err = json.Unmarshal(bodyBytes, userLicense)
|
||||
if err != nil {
|
||||
return "", err
|
||||
}
|
||||
return userLicense.License, nil
|
||||
}
|
||||
|
||||
// downloadSubnetPublicKey will download the current subnet public key.
|
||||
func downloadSubnetPublicKey(client cluster.HTTPClientI) (string, error) {
|
||||
// Get the public key directly from Subnet
|
||||
url := fmt.Sprintf("%s%s", GetSubnetURL(), publicKey)
|
||||
resp, err := client.Get(url)
|
||||
if err != nil {
|
||||
return "", err
|
||||
}
|
||||
defer resp.Body.Close()
|
||||
buf := new(bytes.Buffer)
|
||||
_, err = buf.ReadFrom(resp.Body)
|
||||
if err != nil {
|
||||
return "", err
|
||||
}
|
||||
return buf.String(), err
|
||||
}
|
||||
|
||||
// ValidateLicense will download the current subnet public key, if the public key its not available for license
|
||||
// verification then console will fall back to verification with hardcoded public keys
|
||||
func ValidateLicense(client cluster.HTTPClientI, licenseKey, email, password string) (licInfo *licverifier.LicenseInfo, license string, err error) {
|
||||
var publicKeys []string
|
||||
if email != "" && password != "" {
|
||||
// fetch subnet license key using user credentials
|
||||
license, err = getLicenseFromCredentials(client, email, password)
|
||||
if err != nil {
|
||||
return nil, "", err
|
||||
}
|
||||
} else if licenseKey != "" {
|
||||
license = licenseKey
|
||||
} else {
|
||||
return nil, "", errors.New("invalid license")
|
||||
}
|
||||
subnetPubKey, err := downloadSubnetPublicKey(client)
|
||||
if err != nil {
|
||||
log.Print(err)
|
||||
// there was an issue getting the subnet public key
|
||||
// use hardcoded public keys instead
|
||||
publicKeys = OfflinePublicKeys
|
||||
} else {
|
||||
publicKeys = append(publicKeys, subnetPubKey)
|
||||
}
|
||||
licInfo, err = GetLicenseInfoFromJWT(license, publicKeys)
|
||||
if err != nil {
|
||||
return nil, "", err
|
||||
}
|
||||
return licInfo, license, nil
|
||||
}
|
||||
Reference in New Issue
Block a user