Feature/#21232 Refactor license system NG (#42) (#43)

* fix logrus import path in glide.lock and main.go

* enable network access for RPM build process

* update redborder-dswatcher.spec to disable debug package creation and enhance service restart on upgrade

* fix %postun condition to ensure ldconfig runs only on package removal

* add ensureBlockedField method to manage 'blocked' attribute in nodes

* add RPM build workflow and version file for automated packaging

* refactor AllowLicense method to simplify license check and improve readability

* If the license/s are empty or expired execute BlockOrganization

Co-authored-by: Rafa Gómez <rgomez@redborder.com>

Author: manegron

.github/workflows/rpm.yml

@@ -0,0 +1,84 @@
+name: RPM Build and Upload
+
+on:
+  push:
+    branches:
+      - 'master'
+      - 'main'
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    env:
+      TAG: $(cat ./VERSION)
+      ACTIONS_ALLOW_UNSECURE_COMMANDS: true
+
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@v2
+        with:
+          fetch-depth: 0
+
+      - name: Create tag based on metadata.rb
+        id: create_tag
+        run: |
+          TAG=$(cat ./VERSION)
+          echo "TAG=$TAG" >> $GITHUB_ENV
+        shell: bash
+
+      - name: Check if Tag Exists
+        id: check_tag
+        run: |
+          if git rev-parse "refs/tags/${{ env.TAG }}" >/dev/null 2>&1; then
+            echo "Tag ${{ env.TAG }} already exists, exiting."
+            exit 1
+          fi
+        shell: bash
+
+      - name: Set Version
+        if: success()
+        run: echo "VERSION=${{ env.TAG }}" >> $GITHUB_ENV
+
+      - name: Run Docker Container
+        if: success()
+        run: docker run --privileged -d --name builder --network host rockylinux:9 /bin/sleep infinity
+
+      - name: Install build tools RPM
+        if: success()
+        run: |
+          docker cp ./ builder:/build
+          docker exec builder bash -c "yum install -y epel-release && yum install -y make git mock"
+          docker exec builder bash -c "rm -rf /etc/mock/default.cfg"
+
+      - name: Setup SDK
+        if: success()
+        run: |
+          docker exec builder bash -c "curl https://raw.githubusercontent.com/redBorder/repoinit/master/sdk9.cfg > /build/sdk9.cfg"
+          docker exec builder bash -c "echo \"config_opts['use_host_resolv'] = True\" >> /build/sdk9.cfg"
+          docker exec builder bash -c "ln -s /build/sdk9.cfg /etc/mock/default.cfg"
+
+      - name: Build RPM using mock
+        if: success()
+        run: |
+          docker exec builder bash -c "git config --global --add safe.directory /build"
+          docker exec builder bash -c "cd /build/ && VERSION=${{ env.TAG }} make rpm"
+
+      - name: Copy RPMS
+        if: success()
+        run: |
+          docker cp builder:/build/packaging/rpm/pkgs/. ./rpms
+
+      - name: Delete non-.rpm files
+        if: success()
+        run: |
+          find ./rpms -type f -not -name '*.rpm' -exec rm {} \;
+
+      - name: Release
+        if: success()
+        uses: softprops/action-gh-release@v1
+        with:
+          files: ./rpms/*
+          tag_name: ${{ env.TAG }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

VERSION

@@ -0,0 +1 @@
+3.0.0

cmd/main.go

@@ -26,10 +26,10 @@ import (
 	"sync"
 	"time"
 
-	"github.com/Sirupsen/logrus"
 	"github.com/redBorder/dswatcher/internal/consumer"
 	"github.com/redBorder/dswatcher/internal/decoder"
 	"github.com/redBorder/dswatcher/internal/updater"
+	"github.com/sirupsen/logrus"
 	prefixed "github.com/x-cray/logrus-prefixed-formatter"
 )
 
@@ -120,7 +120,7 @@ func main() {
 		LicenseUUIDPath:      config.Updater.LicenseUUIDPath,
 		DataBagName:          config.Updater.DataBagName,
 		DataBagItem:          config.Updater.DataBagItem,
-		SkipSSL:              config.Updater.SkipSSL, 
+		SkipSSL:              config.Updater.SkipSSL,
 	})
 	if err != nil {
 		log.Fatal("Error creating Chef API client: " + err.Error())

glide.lock

@@ -128,9 +128,9 @@ func (kc *KafkaConsumer) ConsumeNetflow() (chan FlowData, chan string) {
 // "messages" channel receives actual messages and "info" channel receives
 // notifications from the Kafka broker.
 //
-// - "limit_reached": All sensors belonging to an organization are blocked.
-// - "allowed_licenses": All sensors are blocked and the only the sensors
-// 	 with a valid license are allowed.
+//   - "limit_reached": All sensors belonging to an organization are blocked.
+//   - "allowed_licenses": All sensors are blocked and the only the sensors
+//     with a valid license are allowed.
 func (kc *KafkaConsumer) ConsumeLimits() (chan Message, chan string) {
 	messages := make(chan Message)
 	inputMessages, info := receiveLoop(kc.LimitsConsumer, kc.terminate)
@@ -150,6 +150,10 @@ func (kc *KafkaConsumer) ConsumeLimits() (chan Message, chan string) {
 			case "limit_reached":
 				messages <- BlockOrganization(data.UUID)
 
+			// If the license/s are empty or expired
+			case "unknown_uuid":
+				messages <- BlockOrganization(data.UUID)
+
 			case "allowed_licenses":
 				messages <- ResetSensors{}
 				for _, license := range data.Licenses {

internal/consumer/kafka_consumer.go

@@ -19,11 +19,17 @@ package updater
 
 import (
 	"errors"
+	"fmt"
 	"net"
 	"strconv"
 	"strings"
 
 	"github.com/go-chef/chef"
+	"github.com/sirupsen/logrus"
+)
+
+var (
+	log = logrus.New()
 )
 
 ///////////////
@@ -131,12 +137,17 @@ func (cu *ChefUpdater) FetchNodes() error {
 			return errors.New("Error getting node info: " + err.Error())
 		}
 
-		attributes, err := getParent(node.NormalAttributes, cu.SerialNumberPath)
+		// Ensure redborder.blocked exists
+		cu.ensureBlockedField(n, &node)
+
+		// Get parent of sensor UUID path
+		parentAttrs, err := getParent(node.NormalAttributes, cu.SensorUUIDPath)
 		if err != nil {
-			return errors.New("Error getting node info: " + err.Error())
+			return fmt.Errorf("Failed to get parent attributes for node %s: %v", n, err)
 		}
 
-		sensorUUID, ok := attributes[getKeyFromPath(cu.SensorUUIDPath)].(string)
+		sensorKey := getKeyFromPath(cu.SensorUUIDPath)
+		sensorUUID, ok := parentAttrs[sensorKey].(string)
 		if !ok {
 			continue
 		}
@@ -223,6 +234,8 @@ func (cu *ChefUpdater) BlockOrganization(organization string, productType uint32
 	pType := getKeyFromPath(cu.ProductTypePath)
 
 	for _, node := range cu.nodes {
+		log.Infof("Blocking node: %s", node.Name)
+
 		attributes, err := getParent(node.NormalAttributes, cu.BlockedStatusPath)
 		if err != nil {
 			errs = append(errs, err)
@@ -238,20 +251,22 @@ func (cu *ChefUpdater) BlockOrganization(organization string, productType uint32
 			nodeProductType, err := strconv.ParseUint(nodeProductTypeStr, 10, 32)
 			if err != nil || uint32(nodeProductType) == productType {
 				if err != nil {
-					errs = append(errs, errors.New(
-						"Blocking sensor with unknown product type"),
-					)
+					errs = append(errs, errors.New("Blocking sensor with unknown product type"))
 				}
 
 				attributes[blocked] = true
 
 				if cu.client != nil {
-					cu.client.Nodes.Put(*node)
+					_, err := cu.client.Nodes.Put(*node)
+					if err != nil {
+						errs = append(errs, err)
+					} else {
+						log.Infof("Successfully blocked and updated node %s", node.Name)
+					}
 				}
 			}
 		}
 	}
-
 	return errs
 }
 
@@ -260,7 +275,6 @@ func (cu *ChefUpdater) BlockOrganization(organization string, productType uint32
 func (cu *ChefUpdater) AllowLicense(license string) []error {
 	var errs []error
 	blocked := getKeyFromPath(cu.BlockedStatusPath)
-	lic := getKeyFromPath(cu.LicenseUUIDPath)
 
 	for _, node := range cu.nodes {
 		attributes, err := getParent(node.NormalAttributes, cu.BlockedStatusPath)
@@ -269,12 +283,10 @@ func (cu *ChefUpdater) AllowLicense(license string) []error {
 			continue
 		}
 
-		if attributes[lic] == license {
-			attributes[blocked] = false
+		attributes[blocked] = false
 
-			if cu.client != nil {
-				cu.client.Nodes.Put(*node)
-			}
+		if cu.client != nil {
+			cu.client.Nodes.Put(*node)
 		}
 	}
 
@@ -306,18 +318,27 @@ func (cu *ChefUpdater) ResetAllSensors() error {
 // node and returns the inner object given a path
 func getParent(root map[string]interface{}, path string) (map[string]interface{}, error) {
 	keys := strings.Split(path, "/")
-	var ok bool
+	if len(keys) == 0 {
+		return nil, fmt.Errorf("invalid path: %q", path)
+	}
 
-	attrs := root
-	for i, key := range keys {
-		if i < len(keys)-1 {
-			if attrs, ok = attrs[key].(map[string]interface{}); !ok || attrs == nil {
-				return nil, errors.New("Cannot find key: " + path)
-			}
+	current := root
+
+	for _, key := range keys[:len(keys)-1] {
+		next, ok := current[key]
+		if !ok {
+			return nil, fmt.Errorf("key %q not found in path %q", key, path)
+		}
+
+		nextMap, ok := next.(map[string]interface{})
+		if !ok {
+			return nil, fmt.Errorf("expected map[string]interface{} at key %q but got %T", key, next)
 		}
+
+		current = nextMap
 	}
 
-	return attrs, nil
+	return current, nil
 }
 
 func findNode(keyPath string, value string, nodes map[string]*chef.Node,
@@ -342,3 +363,21 @@ func getKeyFromPath(path string) string {
 	keys := strings.Split(path, "/")
 	return keys[len(keys)-1]
 }
+
+// Create blocked (redborder -> blocked) field if it doesn't exist in the passed node as parameter
+func (cu *ChefUpdater) ensureBlockedField(n string, node *chef.Node) {
+	redborderAttrs, ok := node.NormalAttributes["redborder"].(map[string]interface{})
+	if !ok || redborderAttrs == nil {
+		redborderAttrs = make(map[string]interface{})
+		node.NormalAttributes["redborder"] = redborderAttrs
+	}
+
+	if _, exists := redborderAttrs["blocked"]; !exists {
+		log.Infof("Adding missing 'blocked: false' field to node %s", n)
+		redborderAttrs["blocked"] = false
+
+		if _, err := cu.client.Nodes.Put(*node); err != nil {
+			log.Errorf("Failed to update node %s: %v", n, err)
+		}
+	}
+}

internal/updater/chef_updater.go

@@ -40,6 +40,7 @@ srpm: build_prepare
 rpm: srpm
 	/usr/bin/mock \
 		-r $(MOCK_CONFIG) \
+		--enable-network \
 		--define "__version $(VERSION)"\
 		--define "__release $(BUILD_NUMBER)"\
 		--resultdir=$(RESULT_DIR) \

packaging/rpm/Makefile

@@ -12,6 +12,8 @@ Requires: librd0 librdkafka
 Summary: Dynamic Sensors Watcher
 Group:   Development/Libraries/Go
 
+%global debug_package %{nil}
+
 %description
 %{summary}
 
@@ -53,9 +55,24 @@ getent passwd redborder-dswatcher >/dev/null || \
     -c "User of redborder-dswatcher service" redborder-dswatcher
 exit 0
 
-%post -p /sbin/ldconfig
-%postun -p /sbin/ldconfig
+%post
+/sbin/ldconfig
 systemctl daemon-reload
+case "$1" in
+  1)
+    # Initial install
+    :
+  ;;
+  2)
+    # Upgrade: Try to restart only if it was running to apply new config
+    systemctl try-restart redborder-dswatcher.service >/dev/null 2>&1 || :
+  ;;
+esac
+
+%postun
+if [ "$1" -eq 0 ]; then
+  /sbin/ldconfig
+fi
 
 %files
 %defattr(755,root,root)
@@ -65,6 +82,8 @@ systemctl daemon-reload
 /usr/lib/systemd/system/redborder-dswatcher.service
 
 %changelog
+* Tue May 20 2025 Rafael Gómez <rgomez@redborder.com> - 3.0.0-1
+- Disable debug package creation and restarting redborder-dswatcher.service when upgrading to apply new config.
 * Wed Oct 04 2023 David Vanhoucke <dvanhoucke@redborder.com> - 2.0.0-1
 - adapt for go mod
 * Mon Oct 04 2021 Miguel Negrón <manegron@redborder.com> & David Vanhoucke <dvanhoucke@redborder.com> - 1.0.0-1