cameleer/cameleer-saas
2
0
Fork 0
Code Issues 23 Pull Requests Actions Packages Projects Releases Wiki Activity

feat: add license service with Ed25519 JWT signing and verification

Browse Source 
Generates tier-aware license tokens with features/limits per tier.
Verifies signature and expiry. Audit logged.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
hsiegeln
2026-04-04 14:58:56 +02:00
parent a74894e0f1
commit d987969e05
3 changed files with 307 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

44
src/main/java/net/siegeln/cameleer/saas/license/LicenseDefaults.java Normal file
View File

@@ -0,0 +1,44 @@
package net.siegeln.cameleer.saas.license;
import net.siegeln.cameleer.saas.tenant.Tier;
import java.util.Map;
public final class LicenseDefaults {
private LicenseDefaults() {}
public static Map<String, Object> featuresForTier(Tier tier) {
return switch (tier) {
case LOW -> Map.of(
"topology", true, "lineage", false,
"correlation", false, "debugger", false, "replay", false);
case MID -> Map.of(
"topology", true, "lineage", true,
"correlation", true, "debugger", false, "replay", false);
case HIGH -> Map.of(
"topology", true, "lineage", true,
"correlation", true, "debugger", true, "replay", true);
case BUSINESS -> Map.of(
"topology", true, "lineage", true,
"correlation", true, "debugger", true, "replay", true);
};
}
public static Map<String, Object> limitsForTier(Tier tier) {
return switch (tier) {
case LOW -> Map.of(
"max_agents", 3, "retention_days", 7,
"max_environments", 1);
case MID -> Map.of(
"max_agents", 10, "retention_days", 30,
"max_environments", 2);
case HIGH -> Map.of(
"max_agents", 50, "retention_days", 90,
"max_environments", -1);
case BUSINESS -> Map.of(
"max_agents", -1, "retention_days", 365,
"max_environments", -1);
};
}
}

121
src/main/java/net/siegeln/cameleer/saas/license/LicenseService.java Normal file
View File

@@ -0,0 +1,121 @@
package net.siegeln.cameleer.saas.license;
import com.fasterxml.jackson.core.type.TypeReference;
import com.fasterxml.jackson.databind.ObjectMapper;
import net.siegeln.cameleer.saas.audit.AuditAction;
import net.siegeln.cameleer.saas.audit.AuditService;
import net.siegeln.cameleer.saas.config.JwtConfig;
import net.siegeln.cameleer.saas.tenant.TenantEntity;
import org.springframework.stereotype.Service;
import java.security.Signature;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Optional;
import java.util.UUID;
@Service
public class LicenseService {
private final LicenseRepository licenseRepository;
private final JwtConfig jwtConfig;
private final AuditService auditService;
private final ObjectMapper objectMapper = new ObjectMapper();
public LicenseService(LicenseRepository licenseRepository, JwtConfig jwtConfig, AuditService auditService) {
this.licenseRepository = licenseRepository;
this.jwtConfig = jwtConfig;
this.auditService = auditService;
}
public LicenseEntity generateLicense(TenantEntity tenant, Duration validity, UUID actorId) {
var features = LicenseDefaults.featuresForTier(tenant.getTier());
var limits = LicenseDefaults.limitsForTier(tenant.getTier());
Instant now = Instant.now();
Instant expiresAt = now.plus(validity);
String token = signLicenseJwt(tenant.getId(), tenant.getTier().name(), features, limits, now, expiresAt);
var entity = new LicenseEntity();
entity.setTenantId(tenant.getId());
entity.setTier(tenant.getTier().name());
entity.setFeatures(features);
entity.setLimits(limits);
entity.setIssuedAt(now);
entity.setExpiresAt(expiresAt);
entity.setToken(token);
var saved = licenseRepository.save(entity);
auditService.log(actorId, null, tenant.getId(),
AuditAction.LICENSE_GENERATE, saved.getId().toString(),
null, null, "SUCCESS", null);
return saved;
}
public Optional<LicenseEntity> getActiveLicense(UUID tenantId) {
return licenseRepository.findFirstByTenantIdAndRevokedAtIsNullOrderByCreatedAtDesc(tenantId);
}
public Optional<Map<String, Object>> verifyLicenseToken(String token) {
try {
String[] parts = token.split("\\.");
if (parts.length != 3) return Optional.empty();
String signingInput = parts[0] + "." + parts[1];
byte[] signatureBytes = Base64.getUrlDecoder().decode(parts[2]);
Signature sig = Signature.getInstance("Ed25519");
sig.initVerify(jwtConfig.getPublicKey());
sig.update(signingInput.getBytes(java.nio.charset.StandardCharsets.UTF_8));
if (!sig.verify(signatureBytes)) return Optional.empty();
byte[] payloadBytes = Base64.getUrlDecoder().decode(parts[1]);
Map<String, Object> payload = objectMapper.readValue(payloadBytes, new TypeReference<>() {});
long exp = ((Number) payload.get("exp")).longValue();
if (Instant.now().getEpochSecond() >= exp) return Optional.empty();
return Optional.of(payload);
} catch (Exception e) {
return Optional.empty();
}
}
private String signLicenseJwt(UUID tenantId, String tier, Map<String, Object> features,
Map<String, Object> limits, Instant issuedAt, Instant expiresAt) {
try {
String header = base64UrlEncode(objectMapper.writeValueAsBytes(
Map.of("alg", "EdDSA", "typ", "JWT", "kid", "license")));
Map<String, Object> payload = new LinkedHashMap<>();
payload.put("tenant_id", tenantId.toString());
payload.put("tier", tier);
payload.put("features", features);
payload.put("limits", limits);
payload.put("iat", issuedAt.getEpochSecond());
payload.put("exp", expiresAt.getEpochSecond());
String payloadEncoded = base64UrlEncode(objectMapper.writeValueAsBytes(payload));
String signingInput = header + "." + payloadEncoded;
Signature sig = Signature.getInstance("Ed25519");
sig.initSign(jwtConfig.getPrivateKey());
sig.update(signingInput.getBytes(java.nio.charset.StandardCharsets.UTF_8));
String signature = base64UrlEncode(sig.sign());
return signingInput + "." + signature;
} catch (Exception e) {
throw new RuntimeException("Failed to sign license JWT", e);
}
}
private String base64UrlEncode(byte[] data) {
return Base64.getUrlEncoder().withoutPadding().encodeToString(data);
}
}