From 967e626d80049b3412addc2dfff5de9dfb08a7ae Mon Sep 17 00:00:00 2001 From: Stan Hu <stanhu@gmail.com> Date: Wed, 7 Jun 2023 12:28:27 -0700 Subject: [PATCH] Support multiple license keys in development or test https://gitlab.com/gitlab-org/gitlab-development-kit/-/merge_requests/3170 was merged recently to set `GITLAB_LICENSE_MODE` to `test` by default in the GitLab Development. GitLab IT has been moving towards generating licenses from the staging customer portal for development (https://gitlab.com/gitlab-org/gitlab-development-kit/-/issues/1824). However, developers who had licenses generated with the production portal had to configure `GITLAB_LICENSE_MODE` correctly with `prod` or EE features would quietly stop working. To avoid this, we take advantage of a new feature in gitlab-license to support multiple decryption keys. We always load the production key as the main key, but if we're in a non-production environment or if `GITLAB_LICENSE_MODE` is set to `test`, use the test decryption key as a fallback. Relates to https://gitlab.com/gitlab-org/gitlab/-/issues/414723 Changelog: added --- Gemfile | 2 +- Gemfile.checksum | 2 +- Gemfile.lock | 4 ++-- config/initializers/0_license.rb | 23 +++++++++++++++++------ 4 files changed, 21 insertions(+), 10 deletions(-) diff --git a/Gemfile b/Gemfile index e04a506a2cc8c..b6297d42a81b2 100644 --- a/Gemfile +++ b/Gemfile @@ -322,7 +322,7 @@ gem 'gon', '~> 6.4.0' gem 'request_store', '~> 1.5.1' gem 'base32', '~> 0.3.0' -gem 'gitlab-license', '~> 2.2.1' +gem 'gitlab-license', '~> 2.3' # Protect against bruteforcing gem 'rack-attack', '~> 6.6.1' diff --git a/Gemfile.checksum b/Gemfile.checksum index fb11e5ca0d925..1f50f662d619b 100644 --- a/Gemfile.checksum +++ b/Gemfile.checksum 
@@ -214,7 +214,7 @@ {"name":"gitlab-experiment","version":"0.7.1","platform":"ruby","checksum":"166dddb3aa83428bcaa93c35684ed01dc4d61f321fd2ae40b020806dc54a7824"}, {"name":"gitlab-fog-azure-rm","version":"1.7.0","platform":"ruby","checksum":"969c67943c54ad4c259a6acd040493f13922fbdf2211bb4eca00e71505263dc2"}, {"name":"gitlab-labkit","version":"0.33.0","platform":"ruby","checksum":"d1fba8d30fde314a3f5dee1921ac31860bed4fecd8aa98ac6671f2627479e05b"}, -{"name":"gitlab-license","version":"2.2.2","platform":"ruby","checksum":"2ccbc763828d013524b0b3b9ee671e58d5277693e5ffb2e5463cbac87e8aed1e"}, +{"name":"gitlab-license","version":"2.3.0","platform":"ruby","checksum":"60cae3871c46607dde58994faf761c6755adc61133a92e5ab59ab26a8b9b4157"}, {"name":"gitlab-mail_room","version":"0.0.23","platform":"ruby","checksum":"23564fa4dab24ec5011d4c64a801fc0228301d5b0f046a26a1d8e96e36c19997"}, {"name":"gitlab-markup","version":"1.9.0","platform":"ruby","checksum":"7eda045a08ec2d110084252fa13a8c9eac8bdac0e302035ca7db4b82bcbd7ed4"}, {"name":"gitlab-net-dns","version":"0.9.2","platform":"ruby","checksum":"f726d978479d43810819f12a45c0906d775a07e34df111bbe693fffbbef3059d"}, diff --git a/Gemfile.lock b/Gemfile.lock index c060d1739beff..42466e18f00a5 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -610,7 +610,7 @@ GEM opentracing (~> 0.4) pg_query (~> 4.2.1) redis (> 3.0.0, < 6.0.0) - gitlab-license (2.2.2) + gitlab-license (2.3.0) gitlab-mail_room (0.0.23) jwt (>= 2.0) net-imap (>= 0.2.1) @@ -1748,7 +1748,7 @@ DEPENDENCIES gitlab-experiment (~> 0.7.1) gitlab-fog-azure-rm (~> 1.7.0) gitlab-labkit (~> 0.33.0) - gitlab-license (~> 2.2.1) + gitlab-license (~> 2.3) gitlab-mail_room (~> 0.0.23) gitlab-markup (~> 1.9.0) gitlab-net-dns (~> 0.9.2) diff --git a/config/initializers/0_license.rb b/config/initializers/0_license.rb index c1a2048b28dc7..c6a09a2f76977 100644 --- a/config/initializers/0_license.rb +++ b/config/initializers/0_license.rb 
@@ -1,12 +1,23 @@
 # frozen_string_literal: true
 load_license = lambda do |dir:, license_name:|
- prefix = ENV['GITLAB_LICENSE_MODE'] == 'test' ? 'test_' : ''
- public_key_file = File.read(Rails.root.join(dir, ".#{prefix}license_encryption_key.pub"))
- public_key = OpenSSL::PKey::RSA.new(public_key_file)
- Gitlab::License.encryption_key = public_key
-rescue StandardError
- warn "WARNING: No valid #{license_name} encryption key provided."
+ begin
+ public_key_file = File.read(Rails.root.join(dir, ".license_encryption_key.pub"))
+ public_key = OpenSSL::PKey::RSA.new(public_key_file)
+ Gitlab::License.encryption_key = public_key
+ rescue StandardError
+ warn "WARNING: No valid #{license_name} encryption key provided."
+ end
+
+ begin
+ if Rails.env.development? || Rails.env.test? || ENV['GITLAB_LICENSE_MODE'] == 'test'
+ fallback_key_file = File.read(Rails.root.join(dir, ".test_license_encryption_key.pub"))
+ fallback_key = OpenSSL::PKey::RSA.new(fallback_key_file)
+ Gitlab::License.fallback_decryption_keys = [fallback_key]
+ end
+ rescue StandardError
+ warn "WARNING: No fallback #{license_name} decryption key provided."
+ end
 end
 Gitlab.ee do
-- 
GitLab
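Review bot: The condition in the second `begin` block is also true on a production `Rails.env` whenever `GITLAB_LICENSE_MODE` is `test`, so such an instance would presumably accept licenses that decrypt with the test key alongside production ones, and nothing in the startup output records that the fallback was enabled. If that is intended, state it in a comment above the `if`, e.g. `# GITLAB_LICENSE_MODE=test enables the test key in any environment, production included`. Consider also making it visible to operators with `warn "WARNING: test #{license_name} decryption key enabled by GITLAB_LICENSE_MODE." if Rails.env.production?` after the assignment. Both `rescue StandardError` clauses discard the exception, so a missing key file and a malformed key produce the same warning; `rescue StandardError => e` with `e.message` appended to the warning would let the log distinguish them.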