feat: require that the provided license matches the binary (#397)

* update ChannelRelease object to parse slug and channel

* check license upon initial install

* update test app release file

* do not provide license to host preflight tests

* do not provide license to unsupported override test

* add license+norelease and release+nolicense tests

Author: laverya

.github/workflows/pull-request.yaml

@@ -78,7 +78,6 @@ jobs:
       if: github.actor != 'dependabot[bot]'
       run: |
         export SHORT_SHA=$(git rev-parse --short=7 HEAD)
-        echo "# channel release object" > e2e/kots-release-install/release.yaml
         echo "versionLabel: \"${SHORT_SHA}\"" >> e2e/kots-release-install/release.yaml
         cat e2e/kots-release-install/release.yaml
         cp output/bin/embedded-cluster output/bin/embedded-cluster-original

.github/workflows/release-dev.yaml

@@ -59,7 +59,6 @@ jobs:
         if: github.actor != 'dependabot[bot]'
         run: |
           export SHORT_SHA=$(git rev-parse --short=7 HEAD)
-          echo "# channel release object" > e2e/kots-release-install/release.yaml
           echo "versionLabel: \"${SHORT_SHA}\"" >> e2e/kots-release-install/release.yaml
           cat e2e/kots-release-install/release.yaml
           cp output/bin/embedded-cluster output/bin/embedded-cluster-original

cmd/embedded-cluster/install.go

@@ -118,6 +118,47 @@ func isAlreadyInstalled() (bool, error) {
 	}
 }
 
+func checkLicenseMatches(c *cli.Context) error {
+	rel, err := release.GetChannelRelease()
+	if err != nil {
+		return fmt.Errorf("failed to get release from binary: %w", err) // this should only be if the release is malformed
+	}
+
+	// handle the three cases that do not require parsing the license file
+	// 1. no release and no license, which is OK
+	// 2. no license and a release, which is not OK
+	// 3. a license and no release, which is not OK
+	if rel == nil && c.String("license") == "" {
+		// no license and no release, this is OK
+		return nil
+	} else if rel == nil && c.String("license") != "" {
+		// license is present but no release, this means we would install without vendor charts and k0s overrides
+		return fmt.Errorf("a license was provided but no release was found in binary")
+	} else if rel != nil && c.String("license") == "" {
+		// release is present but no license, this is not OK
+		return fmt.Errorf("no license was provided for %s", rel.AppSlug)
+	}
+
+	license, err := helpers.ParseLicense(c.String("license"))
+	if err != nil {
+		return fmt.Errorf("unable to parse license: %w", err)
+	}
+
+	// Check if the license matches the application version data
+	if rel.AppSlug != license.Spec.AppSlug {
+		// if the app is different, we will not be able to provide the correct vendor supplied charts and k0s overrides
+		return fmt.Errorf("license app %s does not match binary app %s", license.Spec.AppSlug, rel.AppSlug)
+	}
+	if rel.ChannelID != license.Spec.ChannelID {
+		// if the channel is different, we will not be able to install the pinned vendor application version within kots
+		// this may result in an immediate k8s upgrade after installation, which is undesired
+		return fmt.Errorf("license channel %s (%s) does not match binary channel %s", license.Spec.ChannelID, license.Spec.ChannelName, rel.ChannelID)
+	}
+
+	return nil
+
+}
+
 // createK0sConfig creates a new k0s.yaml configuration file. The file is saved in the
 // global location (as returned by defaults.PathToK0sConfig()). If a file already sits
 // there, this function returns an error.
@@ -296,6 +337,12 @@ var installCommand = &cli.Command{
 			return ErrNothingElseToAdd
 		}
 		metrics.ReportApplyStarted(c)
+		logrus.Debugf("checking license matches")
+		if err := checkLicenseMatches(c); err != nil {
+			err := fmt.Errorf("unable to check license: %w", err)
+			metrics.ReportApplyFinished(c, err)
+			return err
+		}
 		logrus.Debugf("materializing binaries")
 		if err := goods.Materialize(); err != nil {
 			err := fmt.Errorf("unable to materialize binaries: %w", err)

e2e/install_test.go

@@ -342,6 +342,7 @@ func TestInstallWithoutEmbed(t *testing.T) {
 		T:                   t,
 		Nodes:               1,
 		Image:               "rockylinux/8",
+		LicensePath:         "license.yaml",
 		EmbeddedClusterPath: "../output/bin/embedded-cluster-original",
 	})
 	defer tc.Destroy()

e2e/kots-release-install/release.yaml

@@ -0,0 +1,3 @@
+# channel release object
+channelID: "2cHXb1RCttzpR0xvnNWyaZCgDBP"
+appSlug: "embedded-cluster-smoke-test-staging-app"

e2e/scripts/default-install.sh

@@ -56,6 +56,11 @@ check_openebs_storage_class() {
 }
 
 main() {
+    if embedded-cluster install --no-prompt --license /tmp/license.yaml 2>&1 | tee /tmp/log ; then
+        echo "Expected installation to fail with a license provided"
+        exit 1
+    fi
+
     if ! embedded-cluster install --no-prompt 2>&1 | tee /tmp/log ; then
         cat /etc/os-release
         echo "Failed to install embedded-cluster"

e2e/scripts/embedded-preflight.sh

@@ -151,7 +151,7 @@ wait_for_healthy_node() {
 main() {
     cp -Rfp /usr/local/bin/embedded-cluster /usr/local/bin/embedded-cluster-copy
     embed_preflight "$preflight_with_failure"
-    if embedded-cluster install --no-prompt --license /tmp/license.yaml 2>&1 | tee /tmp/log ; then
+    if embedded-cluster install --no-prompt 2>&1 | tee /tmp/log ; then
         cat /tmp/log
         echo "Expected installation to fail"
         exit 1
@@ -163,7 +163,7 @@ main() {
     fi
     mv /tmp/log /tmp/log-failure
     embed_preflight "$preflight_with_warning"
-    if ! embedded-cluster install --no-prompt --license /tmp/license.yaml 2>&1 | tee /tmp/log ; then
+    if ! embedded-cluster install --no-prompt 2>&1 | tee /tmp/log ; then
         cat /etc/os-release
         echo "Failed to install embedded-cluster"
         exit 1

e2e/scripts/single-node-install.sh

@@ -120,6 +120,11 @@ ensure_app_not_upgraded() {
 }
 
 main() {
+    if embedded-cluster install --no-prompt 2>&1 | tee /tmp/log ; then
+        echo "Expected installation to fail without a license provided"
+        exit 1
+    fi
+
     if ! embedded-cluster install --no-prompt --license /tmp/license.yaml 2>&1 | tee /tmp/log ; then
         cat /etc/os-release
         echo "Failed to install embedded-cluster"

e2e/scripts/unsupported-overrides.sh

@@ -127,7 +127,7 @@ wait_for_memcached_pods() {
 main() {
     cp -Rfp /usr/local/bin/embedded-cluster /usr/local/bin/embedded-cluster-copy
     embed_cluster_config "$embedded_cluster_config"
-    if ! embedded-cluster install --no-prompt --license /tmp/license.yaml 2>&1 | tee /tmp/log ; then
+    if ! embedded-cluster install --no-prompt 2>&1 | tee /tmp/log ; then
         echo "Failed to install embedded-cluster"
         cat /tmp/log
         exit 1

pkg/release/release.go

@@ -137,6 +137,8 @@ func (r *ReleaseData) GetEmbeddedClusterConfig() (*embeddedclusterv1beta1.Config
 // ChannelRelease contains information about a specific app release inside a channel.
 type ChannelRelease struct {
 	VersionLabel string `yaml:"versionLabel"`
+	ChannelID    string `yaml:"channelID"`
+	AppSlug      string `yaml:"appSlug"`
 }
 
 // GetChannelRelease reads the embedded channel release object. If no channel release