feat(license): require licenseId + tenantId in validator

Spec §2.1 — both fields are required and the validator rejects a token whose tenantId does not match the server's configured tenant (CAMELEER_SERVER_TENANT_ID). Self-hosted customers cannot strip tenantId because the field is in the signed payload. LicenseBeanConfig and LicenseAdminController updated to pass the expected tenant to the validator constructor. The transient placeholder/TODO from Task 2 is removed. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-26 10:40:04 +02:00
parent 2ebe4989bb
commit cf84d80de7
4 changed files with 118 additions and 25 deletions
--- a/cameleer-server-app/src/main/java/com/cameleer/server/app/config/LicenseBeanConfig.java
+++ b/cameleer-server-app/src/main/java/com/cameleer/server/app/config/LicenseBeanConfig.java
@@ -26,6 +26,9 @@ public class LicenseBeanConfig {
    @Value("${cameleer.server.license.publickey:}")
    private String licensePublicKey;

+    @Value("${cameleer.server.tenant.id:default}")
+    private String tenantId;
+
    @Bean
    public LicenseGate licenseGate() {
        LicenseGate gate = new LicenseGate();
@@ -42,7 +45,7 @@ public class LicenseBeanConfig {
        }

        try {
-            LicenseValidator validator = new LicenseValidator(licensePublicKey);
+            LicenseValidator validator = new LicenseValidator(licensePublicKey, tenantId);
            LicenseInfo info = validator.validate(token);
            gate.load(info);
        } catch (Exception e) {
--- a/cameleer-server-app/src/main/java/com/cameleer/server/app/controller/LicenseAdminController.java
+++ b/cameleer-server-app/src/main/java/com/cameleer/server/app/controller/LicenseAdminController.java
@@ -20,11 +20,14 @@ public class LicenseAdminController {

    private final LicenseGate licenseGate;
    private final String licensePublicKey;
+    private final String tenantId;

    public LicenseAdminController(LicenseGate licenseGate,
-                                   @Value("${cameleer.server.license.publickey:}") String licensePublicKey) {
+                                   @Value("${cameleer.server.license.publickey:}") String licensePublicKey,
+                                   @Value("${cameleer.server.tenant.id:default}") String tenantId) {
        this.licenseGate = licenseGate;
        this.licensePublicKey = licensePublicKey;
+        this.tenantId = tenantId;
    }

    @GetMapping
@@ -42,7 +45,7 @@ public class LicenseAdminController {
            return ResponseEntity.badRequest().body(Map.of("error", "No license public key configured"));
        }
        try {
-            LicenseValidator validator = new LicenseValidator(licensePublicKey);
+            LicenseValidator validator = new LicenseValidator(licensePublicKey, tenantId);
            LicenseInfo info = validator.validate(request.token());
            licenseGate.load(info);
            return ResponseEntity.ok(info);
--- a/cameleer-server-app/src/test/java/com/cameleer/server/core/license/LicenseValidatorTest.java
+++ b/cameleer-server-app/src/test/java/com/cameleer/server/core/license/LicenseValidatorTest.java
@@ -2,11 +2,14 @@ package com.cameleer.server.core.license;

 import org.junit.jupiter.api.Test;

-import java.security.*;
-import java.security.spec.NamedParameterSpec;
+import java.security.KeyPair;
+import java.security.KeyPairGenerator;
+import java.security.PrivateKey;
+import java.security.Signature;
 import java.time.Instant;
 import java.time.temporal.ChronoUnit;
 import java.util.Base64;
+import java.util.UUID;

 import static org.assertj.core.api.Assertions.assertThat;
 import static org.assertj.core.api.Assertions.assertThatThrownBy;
@@ -29,12 +32,12 @@ class LicenseValidatorTest {
    void validate_validLicense_returnsLicenseInfo() throws Exception {
        KeyPair kp = generateKeyPair();
        String publicKeyBase64 = Base64.getEncoder().encodeToString(kp.getPublic().getEncoded());
-        LicenseValidator validator = new LicenseValidator(publicKeyBase64);
+        LicenseValidator validator = new LicenseValidator(publicKeyBase64, "acme");

        Instant expires = Instant.now().plus(365, ChronoUnit.DAYS);
        String payload = """
-                {"tier":"HIGH","limits":{"max_agents":50,"retention_days":90},"iat":%d,"exp":%d}
-                """.formatted(Instant.now().getEpochSecond(), expires.getEpochSecond()).trim();
+                {"licenseId":"%s","tenantId":"acme","label":"HIGH","tier":"HIGH","limits":{"max_agents":50,"retention_days":90},"iat":%d,"exp":%d,"gracePeriodDays":7}
+                """.formatted(UUID.randomUUID(), Instant.now().getEpochSecond(), expires.getEpochSecond()).trim();
        String signature = sign(kp.getPrivate(), payload);
        String token = Base64.getEncoder().encodeToString(payload.getBytes()) + "." + signature;

@@ -43,18 +46,20 @@ class LicenseValidatorTest {
        assertThat(info.label()).isEqualTo("HIGH");
        assertThat(info.getLimit("max_agents", 0)).isEqualTo(50);
        assertThat(info.isExpired()).isFalse();
+        assertThat(info.tenantId()).isEqualTo("acme");
+        assertThat(info.gracePeriodDays()).isEqualTo(7);
    }

    @Test
    void validate_expiredLicense_throwsException() throws Exception {
        KeyPair kp = generateKeyPair();
        String publicKeyBase64 = Base64.getEncoder().encodeToString(kp.getPublic().getEncoded());
-        LicenseValidator validator = new LicenseValidator(publicKeyBase64);
+        LicenseValidator validator = new LicenseValidator(publicKeyBase64, "acme");

        Instant past = Instant.now().minus(1, ChronoUnit.DAYS);
        String payload = """
-                {"tier":"LOW","limits":{},"iat":%d,"exp":%d}
-                """.formatted(past.minus(30, ChronoUnit.DAYS).getEpochSecond(), past.getEpochSecond()).trim();
+                {"licenseId":"%s","tenantId":"acme","tier":"LOW","limits":{},"iat":%d,"exp":%d}
+                """.formatted(UUID.randomUUID(), past.minus(30, ChronoUnit.DAYS).getEpochSecond(), past.getEpochSecond()).trim();
        String signature = sign(kp.getPrivate(), payload);
        String token = Base64.getEncoder().encodeToString(payload.getBytes()) + "." + signature;

@@ -67,11 +72,11 @@ class LicenseValidatorTest {
    void validate_tamperedPayload_throwsException() throws Exception {
        KeyPair kp = generateKeyPair();
        String publicKeyBase64 = Base64.getEncoder().encodeToString(kp.getPublic().getEncoded());
-        LicenseValidator validator = new LicenseValidator(publicKeyBase64);
+        LicenseValidator validator = new LicenseValidator(publicKeyBase64, "acme");

        String payload = """
-                {"tier":"LOW","limits":{},"iat":0,"exp":9999999999}
-                """.trim();
+                {"licenseId":"%s","tenantId":"acme","tier":"LOW","limits":{},"iat":0,"exp":9999999999}
+                """.formatted(UUID.randomUUID()).trim();
        String signature = sign(kp.getPrivate(), payload);

        // Tamper with payload
@@ -82,4 +87,55 @@ class LicenseValidatorTest {
                .isInstanceOf(SecurityException.class)
                .hasMessageContaining("signature");
    }
+
+    @Test
+    void validate_missingTenantId_throws() throws Exception {
+        KeyPair kp = generateKeyPair();
+        String publicKeyBase64 = Base64.getEncoder().encodeToString(kp.getPublic().getEncoded());
+        LicenseValidator validator = new LicenseValidator(publicKeyBase64, "acme");
+
+        Instant exp = Instant.now().plus(30, ChronoUnit.DAYS);
+        String payload = """
+                {"licenseId":"%s","tier":"X","limits":{},"iat":%d,"exp":%d}
+                """.formatted(UUID.randomUUID(), Instant.now().getEpochSecond(), exp.getEpochSecond()).trim();
+        String token = Base64.getEncoder().encodeToString(payload.getBytes()) + "." + sign(kp.getPrivate(), payload);
+
+        assertThatThrownBy(() -> validator.validate(token))
+                .isInstanceOf(IllegalArgumentException.class)
+                .hasMessageContaining("tenantId");
+    }
+
+    @Test
+    void validate_tenantIdMismatch_throws() throws Exception {
+        KeyPair kp = generateKeyPair();
+        String publicKeyBase64 = Base64.getEncoder().encodeToString(kp.getPublic().getEncoded());
+        LicenseValidator validator = new LicenseValidator(publicKeyBase64, "beta");
+
+        Instant exp = Instant.now().plus(30, ChronoUnit.DAYS);
+        String payload = """
+                {"licenseId":"%s","tenantId":"acme","tier":"X","limits":{},"iat":%d,"exp":%d}
+                """.formatted(UUID.randomUUID(), Instant.now().getEpochSecond(), exp.getEpochSecond()).trim();
+        String token = Base64.getEncoder().encodeToString(payload.getBytes()) + "." + sign(kp.getPrivate(), payload);
+
+        assertThatThrownBy(() -> validator.validate(token))
+                .isInstanceOf(IllegalArgumentException.class)
+                .hasMessageContaining("tenantId");
+    }
+
+    @Test
+    void validate_missingLicenseId_throws() throws Exception {
+        KeyPair kp = generateKeyPair();
+        String publicKeyBase64 = Base64.getEncoder().encodeToString(kp.getPublic().getEncoded());
+        LicenseValidator validator = new LicenseValidator(publicKeyBase64, "acme");
+
+        Instant exp = Instant.now().plus(30, ChronoUnit.DAYS);
+        String payload = """
+                {"tenantId":"acme","tier":"X","limits":{},"iat":%d,"exp":%d}
+                """.formatted(Instant.now().getEpochSecond(), exp.getEpochSecond()).trim();
+        String token = Base64.getEncoder().encodeToString(payload.getBytes()) + "." + sign(kp.getPrivate(), payload);
+
+        assertThatThrownBy(() -> validator.validate(token))
+                .isInstanceOf(IllegalArgumentException.class)
+                .hasMessageContaining("licenseId");
+    }
 }