licenz-core 0.2.0

Offline software license verification with RSA signatures, hardware binding, and anti-tamper detection
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347

//! Container and cloud-aware licensing
//!
//! This module provides licensing modes that work in containerized
//! and cloud environments where traditional hardware binding fails.

use crate::error::{LicenseError, Result};
use serde::{Deserialize, Serialize};
use std::path::PathBuf;
#[cfg(feature = "cloud-metadata")]
use std::time::Duration;

/// Detected runtime environment
#[derive(Debug, Clone, Copy, PartialEq, Eq, Serialize, Deserialize)]
pub enum RuntimeEnvironment {
    /// Traditional bare-metal or VM with stable hardware
    Standalone,
    /// Docker container
    Docker,
    /// Kubernetes pod
    Kubernetes,
    /// AWS EC2 instance
    AwsEc2,
    /// Google Cloud Compute Engine
    GcpCompute,
    /// Microsoft Azure VM
    AzureVm,
    /// Generic cloud/container (unknown provider)
    GenericCloud,
}

impl RuntimeEnvironment {
    /// Detect the current runtime environment
    pub fn detect() -> Self {
        // Check for Kubernetes
        if std::env::var("KUBERNETES_SERVICE_HOST").is_ok() {
            return Self::Kubernetes;
        }

        // Check for Docker
        if std::path::Path::new("/.dockerenv").exists() {
            return Self::Docker;
        }

        // Check cgroup for container indicators
        if let Ok(cgroup) = std::fs::read_to_string("/proc/self/cgroup") {
            if cgroup.contains("docker")
                || cgroup.contains("kubepods")
                || cgroup.contains("containerd")
            {
                return Self::Docker;
            }
        }

        // Cloud provider detection would require network calls
        // For now, check environment variables that cloud providers set
        if std::env::var("AWS_EXECUTION_ENV").is_ok() || std::env::var("AWS_REGION").is_ok() {
            return Self::AwsEc2;
        }

        if std::env::var("GOOGLE_CLOUD_PROJECT").is_ok() || std::env::var("GCP_PROJECT").is_ok() {
            return Self::GcpCompute;
        }

        if std::env::var("AZURE_CLIENT_ID").is_ok() || std::env::var("WEBSITE_SITE_NAME").is_ok() {
            return Self::AzureVm;
        }

        Self::Standalone
    }

    /// Check if this environment has stable hardware identifiers
    pub fn has_stable_hardware(&self) -> bool {
        matches!(
            self,
            Self::Standalone | Self::AwsEc2 | Self::GcpCompute | Self::AzureVm
        )
    }

    /// Get the recommended instance ID source for this environment
    pub fn recommended_id_source(&self) -> Option<InstanceIdSource> {
        match self {
            Self::Standalone => None, // Use hardware binding
            Self::Docker => Some(InstanceIdSource::DockerContainerId),
            Self::Kubernetes => Some(InstanceIdSource::KubernetesPodUid),
            Self::AwsEc2 => Some(InstanceIdSource::AwsInstanceId),
            Self::GcpCompute => Some(InstanceIdSource::GcpInstanceId),
            Self::AzureVm => Some(InstanceIdSource::AzureInstanceId),
            Self::GenericCloud => Some(InstanceIdSource::CustomEnvVar("INSTANCE_ID".to_string())),
        }
    }
}

/// Source for obtaining a stable instance identifier in cloud/container environments
#[derive(Debug, Clone, Serialize, Deserialize)]
pub enum InstanceIdSource {
    /// AWS EC2 instance ID from IMDS
    AwsInstanceId,
    /// GCP instance ID from metadata server
    GcpInstanceId,
    /// Azure instance ID from IMDS
    AzureInstanceId,
    /// Kubernetes pod UID from downward API
    KubernetesPodUid,
    /// Docker container ID from cgroup
    DockerContainerId,
    /// Read from a file (e.g., mounted secret or config)
    CustomFile(PathBuf),
    /// Read from an environment variable
    CustomEnvVar(String),
}

impl InstanceIdSource {
    /// Get the instance ID from this source
    pub fn get_id(&self) -> Option<String> {
        match self {
            Self::AwsInstanceId => get_aws_instance_id(),
            Self::GcpInstanceId => get_gcp_instance_id(),
            Self::AzureInstanceId => get_azure_instance_id(),
            Self::KubernetesPodUid => get_kubernetes_pod_uid(),
            Self::DockerContainerId => get_docker_container_id(),
            Self::CustomFile(path) => std::fs::read_to_string(path)
                .ok()
                .map(|s| s.trim().to_string())
                .filter(|s| !s.is_empty()),
            Self::CustomEnvVar(var) => std::env::var(var).ok().filter(|s| !s.is_empty()),
        }
    }
}

/// Get AWS EC2 instance ID from Instance Metadata Service
fn get_aws_instance_id() -> Option<String> {
    // IMDSv2 with token
    let token = ureq_get_with_header(
        "http://169.254.169.254/latest/api/token",
        "X-aws-ec2-metadata-token-ttl-seconds",
        "21600",
    )
    .ok()?;

    ureq_get_with_header(
        "http://169.254.169.254/latest/meta-data/instance-id",
        "X-aws-ec2-metadata-token",
        &token,
    )
    .ok()
}

/// Get GCP instance ID from metadata server
fn get_gcp_instance_id() -> Option<String> {
    ureq_get_with_header(
        "http://metadata.google.internal/computeMetadata/v1/instance/id",
        "Metadata-Flavor",
        "Google",
    )
    .ok()
}

/// Get Azure instance ID from IMDS
fn get_azure_instance_id() -> Option<String> {
    ureq_get_with_header(
        "http://169.254.169.254/metadata/instance/compute/vmId?api-version=2021-02-01&format=text",
        "Metadata",
        "true",
    )
    .ok()
}

/// Get Kubernetes pod UID from downward API
fn get_kubernetes_pod_uid() -> Option<String> {
    // Standard location when using downward API
    let paths = ["/etc/podinfo/uid", "/var/run/secrets/kubernetes.io/poduid"];

    for path in paths {
        if let Ok(uid) = std::fs::read_to_string(path) {
            let uid = uid.trim().to_string();
            if !uid.is_empty() {
                return Some(uid);
            }
        }
    }

    // Fallback: try environment variable
    std::env::var("POD_UID").ok()
}

/// Get Docker container ID from cgroup
fn get_docker_container_id() -> Option<String> {
    // Read cgroup file
    let cgroup = std::fs::read_to_string("/proc/self/cgroup").ok()?;

    for line in cgroup.lines() {
        // Look for docker or containerd paths
        if let Some(pos) = line.rfind('/') {
            let id = &line[pos + 1..];
            // Container IDs are typically 64 hex characters
            if id.len() >= 12 && id.chars().all(|c| c.is_ascii_hexdigit()) {
                return Some(id[..12].to_string()); // Short form
            }
        }
    }

    // Fallback: check hostname (often set to container ID in Docker)
    std::env::var("HOSTNAME")
        .ok()
        .filter(|h| h.len() == 12 && h.chars().all(|c| c.is_ascii_hexdigit()))
}

/// Helper function for HTTP GET with a custom header
#[allow(unused_variables)]
fn ureq_get_with_header(url: &str, header_name: &str, header_value: &str) -> Result<String> {
    // Use a simple blocking HTTP client
    // In production, you'd want proper async with timeouts

    #[cfg(feature = "cloud-metadata")]
    {
        use std::io::Read;
        use std::io::Write;
        use std::net::TcpStream;

        let url = url::Url::parse(url).map_err(|e| {
            LicenseError::IoError(std::io::Error::new(std::io::ErrorKind::InvalidInput, e))
        })?;

        let host = url.host_str().ok_or_else(|| {
            LicenseError::IoError(std::io::Error::new(
                std::io::ErrorKind::InvalidInput,
                "No host",
            ))
        })?;
        let port = url.port().unwrap_or(80);

        let mut stream = TcpStream::connect_timeout(
            &format!("{}:{}", host, port).parse().unwrap(),
            Duration::from_secs(2),
        )?;
        stream.set_read_timeout(Some(Duration::from_secs(2)))?;

        let request = format!(
            "GET {} HTTP/1.1\r\nHost: {}\r\n{}: {}\r\nConnection: close\r\n\r\n",
            url.path(),
            host,
            header_name,
            header_value
        );

        stream.write_all(request.as_bytes())?;

        let mut response = String::new();
        stream.read_to_string(&mut response)?;

        // Parse HTTP response (very basic)
        if let Some(body_start) = response.find("\r\n\r\n") {
            return Ok(response[body_start + 4..].trim().to_string());
        }
    }

    Err(LicenseError::IoError(std::io::Error::other(
        "Cloud metadata feature not enabled",
    )))
}

/// Container-aware license binding
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct ContainerBinding {
    /// The detected environment
    pub environment: RuntimeEnvironment,
    /// The instance ID source used
    pub id_source: Option<InstanceIdSource>,
    /// The bound instance ID (hashed)
    pub instance_id_hash: Option<String>,
}

impl ContainerBinding {
    /// Create a new container binding for the current environment
    pub fn detect() -> Self {
        let environment = RuntimeEnvironment::detect();
        let id_source = environment.recommended_id_source();

        let instance_id_hash = id_source
            .as_ref()
            .and_then(|src| src.get_id())
            .map(|id| sha256_short(&id));

        Self {
            environment,
            id_source,
            instance_id_hash,
        }
    }

    /// Check if the current environment matches this binding
    pub fn matches_current(&self) -> bool {
        if self.instance_id_hash.is_none() {
            // No binding set
            return true;
        }

        let current = Self::detect();
        self.instance_id_hash == current.instance_id_hash
    }

    /// Check if hardware binding should be used instead
    pub fn should_use_hardware_binding(&self) -> bool {
        self.environment.has_stable_hardware() && self.instance_id_hash.is_none()
    }
}

fn sha256_short(input: &str) -> String {
    use sha2::{Digest, Sha256};
    let mut hasher = Sha256::new();
    hasher.update(input.as_bytes());
    hex::encode(&hasher.finalize()[..16])
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn test_environment_detection() {
        let env = RuntimeEnvironment::detect();
        // In a test environment, should be Standalone or Docker depending on CI
        println!("Detected environment: {:?}", env);
    }

    #[test]
    fn test_custom_env_var_source() {
        std::env::set_var("TEST_INSTANCE_ID", "test-id-12345");

        let source = InstanceIdSource::CustomEnvVar("TEST_INSTANCE_ID".to_string());
        let id = source.get_id();

        assert_eq!(id, Some("test-id-12345".to_string()));

        std::env::remove_var("TEST_INSTANCE_ID");
    }

    #[test]
    fn test_container_binding() {
        let binding = ContainerBinding::detect();

        // Should match itself
        assert!(binding.matches_current());

        println!("Container binding: {:?}", binding);
    }
}