Merge pull request #30 from solid-wang/master

feature: support license

Author: myf5

Makefile

@@ -5,7 +5,7 @@ GITHUBACTIONTRIGGERNUMBER = 12
 
 REGISTRY = f5devcentral
 NAME = ces-controller
-RELEASE_TAG = 0.6.0
+RELEASE_TAG = 0.6.1
 COMMIT = git-$(shell git rev-parse --short HEAD)
 DATE = $(shell date +"%Y-%m-%d_%H:%M:%S")
 GOLDFLAGS = "-w -s -X github.com/kubeovn/$(NAME)/versions.COMMIT=$(COMMIT) -X github.com/kubeovn/$(NAME)/versions.VERSION=$(RELEASE_TAG) -X github.com/kubeovn/$(NAME)/versions.BUILDDATE=$(DATE)"

cmd/ces/main.go

@@ -46,6 +46,9 @@ var (
 	bigipPassword string
 	bigipCredsDir string
 	bigipConfDir  string
+
+	license    string
+	licenseKey string
 )
 
 func main() {
@@ -56,6 +59,8 @@ func main() {
 	if bigipCredsDir != "" {
 		usernameFile := filepath.Join(bigipCredsDir, "username")
 		passwordFile := filepath.Join(bigipCredsDir, "password")
+		licenseFIle := filepath.Join(bigipCredsDir, "license")
+		licenseKeyFile := filepath.Join(bigipCredsDir, "licensekey")
 
 		setField := func(field *string, filename, fieldType string) error {
 			fileBytes, readErr := ioutil.ReadFile(filename)
@@ -77,6 +82,12 @@ func main() {
 		if err := setField(&bigipPassword, passwordFile, "password"); err != nil {
 			panic(err)
 		}
+		if err := setField(&license, licenseFIle, "license"); err != nil {
+			panic(err)
+		}
+		if err := setField(&licenseKey, licenseKeyFile, "license key"); err != nil {
+			panic(err)
+		}
 	}
 
 	if bigipUsername == "" || bigipPassword == "" {
@@ -111,6 +122,11 @@ func main() {
 		klog.Fatal("env CES_NAMESPACE can't be empty ")
 	}
 	bigIpClient := as3.NewClient(bigipURL, bigipUsername, bigipPassword, bigipInsecure)
+
+	if err := bigIpClient.VerifyLicense(license, licenseKey); err != nil {
+		klog.Fatalf("failed to verify license: %v", err)
+		return
+	}
 	err = as3.InitAs3Tenant(bigIpClient, bigipConfDir, controllerNamespace)
 	if err != nil {
 		klog.Fatalf("failed to initialize AS3 declaration: %v", err)
@@ -154,6 +170,8 @@ func init() {
 	flag.BoolVar(&bigipInsecure, "bigip-insecure", false, "Optional, when set to true, enable insecure SSL communication to BigIP.")
 	flag.StringVar(&bigipUsername, "bigip-username", "", "User name for the Big-IP user account.")
 	flag.StringVar(&bigipPassword, "bigip-password", "", "Password for the Big-IP user account.")
+	flag.StringVar(&license, "license", "", "license to be used.")
+	flag.StringVar(&licenseKey, "license-key", "", "license key to be used for ces license.")
 	flag.StringVar(&bigipCredsDir, "bigip-creds-dir", "", "Directory that contains the BIG-IP username and password. To be used instead of username and password.")
 	flag.StringVar(&bigipConfDir, "bigip-conf-dir", "", "Directory that ces-conf.yaml file.")
 }

dist/install.sh

@@ -1,6 +1,9 @@
 #!/usr/bin/env bash
 set -euo pipefail
 
+LICENSE=${LICENSE:-}
+LICENSEKEY=${LICENSEKEY:-}
+
 BIGIP_URL=${BIGIP_URL:-}               # IP address of Big-IP server
 BIGIP_USERNAME=${BIGIP_USERNAME:-}     # BigIP username
 BIGIP_PASSWORD=${BIGIP_PASSWORD:-}     # BigIP password
@@ -10,7 +13,7 @@ CES_NAMESPACE=${CES_NAMESPACE:-kube-system} # namespace in which the controller
 CES_DEPLOMENT_NAME=${CES_DEPLOMENT_NAME:-ces-controller}
 
 echo "[Step 1] Create Secret"
-kubectl -n $CES_NAMESPACE create secret generic --from-literal "username=$BIGIP_USERNAME" --from-literal "password=$BIGIP_PASSWORD" bigip-creds
+kubectl -n $CES_NAMESPACE create secret generic --from-literal "license=$LICENSE" --from-literal "licensekey=$LICENSEKEY" --from-literal "username=$BIGIP_USERNAME" --from-literal "password=$BIGIP_PASSWORD" bigip-creds
 echo "-------------------------------"
 echo ""
 
@@ -532,7 +535,7 @@ spec:
       serviceAccountName: ces-controller
       containers:
         - name: ces-controller
-          image: f5devcentral/ces-controller:0.6.0
+          image: f5devcentral/ces-controller:0.6.1
           env:
             - name: CES_NAMESPACE
               value: $CES_NAMESPACE

pkg/as3/client.go

@@ -18,7 +18,10 @@ package as3
 
 import (
 	"bytes"
+	"crypto/aes"
+	"crypto/cipher"
 	"crypto/tls"
+	"encoding/base64"
 	"encoding/json"
 	"fmt"
 	"io/ioutil"
@@ -117,11 +120,11 @@ func (c *Client) Get(partition string) (string, error) {
 		return "", err
 	}
 	//Common tenant isn't exist, body is "" == (as3 do not set)
-	if err == nil && resp.StatusCode > 199 && resp.StatusCode <299 && string(respBody) == ""{
+	if err == nil && resp.StatusCode > 199 && resp.StatusCode < 299 && string(respBody) == "" {
 		return "{}", nil
 	}
 	//specified Tenant(s) not found in declaration
-	if resp.StatusCode == 404{
+	if resp.StatusCode == 404 {
 		return "{}", nil
 	}
 	var response map[string]interface{}
@@ -370,3 +373,107 @@ func (c *Client) storeDisk() error {
 	}
 	return handleResponse(resp.StatusCode, response)
 }
+
+// get f5 license key
+func (c *Client) getF5LicenseKey() (string, error) {
+	url := c.host + "/mgmt/tm/sys/license"
+	req, err := http.NewRequest(http.MethodGet, url, nil)
+	if err != nil {
+		klog.Errorf("Failed to get bigdata license: %v", err)
+		return "", err
+	}
+	req.SetBasicAuth(c.username, c.password)
+
+	resp, err := c.Do(req)
+	if err != nil {
+		klog.Errorf("Failed to call bigdata API: %v", err)
+		return "", err
+	}
+	defer resp.Body.Close()
+
+	respBody, err := ioutil.ReadAll(resp.Body)
+	if err != nil {
+		klog.Errorf("Failed to read response body: %v", err)
+		return "", err
+	}
+
+	if resp.StatusCode != 200 && string(respBody) == "" {
+		return "", fmt.Errorf("Failed to get license key")
+	}
+
+	type RegistrationKey struct {
+		Description string `json:"description"`
+	}
+
+	type License struct {
+		RegistrationKey RegistrationKey `json:"registrationKey"`
+	}
+
+	type NestedStatsEntries struct {
+		Entries License `json:"entries"`
+	}
+
+	type LicentseNestedStats struct {
+		NestedStats NestedStatsEntries `json:"nestedStats"`
+	}
+
+	type LicentseZero struct {
+		Zero LicentseNestedStats `json:"https://localhost/mgmt/tm/sys/license/0"`
+	}
+
+	type BigDataLicense struct {
+		Entries LicentseZero `json:"entries"`
+	}
+
+	var license BigDataLicense
+	if err = json.Unmarshal(respBody, &license); err != nil {
+		klog.Errorf("Failed to unmarshal license body: %v", err)
+		return "", err
+	}
+	return license.Entries.Zero.NestedStats.Entries.RegistrationKey.Description, nil
+}
+
+// verify license, If err is nil, the verification passes.
+func (c *Client) VerifyLicense(license string, key string) error {
+	bigDataLicense, err := c.getF5LicenseKey()
+	if err != nil {
+		return err
+	}
+
+	bytesPass, err := base64.StdEncoding.DecodeString(license)
+	if err != nil {
+		return err
+	}
+
+	tpass, err := AesDecrypt(bytesPass, []byte(key))
+	if err != nil {
+		return err
+	}
+
+	if bigDataLicense != string(tpass) {
+		return fmt.Errorf("license is not ok")
+	}
+
+	return nil
+}
+
+func PKCS5UnPadding(origData []byte) []byte {
+	length := len(origData)
+	unpadding := int(origData[length-1])
+	return origData[:(length - unpadding)]
+}
+
+func AesDecrypt(crypted, key []byte) ([]byte, error) {
+	block, err := aes.NewCipher(key)
+	if err != nil {
+		return nil, err
+	}
+
+	//AES分组长度为128位，所以blockSize=16，单位字节
+	blockSize := block.BlockSize()
+	blockMode := cipher.NewCBCDecrypter(block, key[:blockSize]) //初始向量的长度必须等于块block的长度16字节
+	origData := make([]byte, len(crypted))
+	blockMode.CryptBlocks(origData, crypted)
+	origData = PKCS5UnPadding(origData)
+	return origData, nil
+}