Merge branch '1.3' into 1.3.1

docs/orchestrating-elastic-stack-applications/beat.asciidoc

@@ -188,7 +188,7 @@ stringData:
       hosts: ["quickstart-es-http.default.svc:9200"]
 ----
 
-For more details, see the link:https://https://www.elastic.co/guide/en/beats/libbeat/current/config-file-format.html[Beats configuration] section.
+For more details, see the link:https://www.elastic.co/guide/en/beats/libbeat/current/config-file-format.html[Beats configuration] section.
 
 [id="{p}-beat-deploy-elastic-beat"]
 === Deploy a Beat

pkg/controller/common/license/testdata/externally-generated-lic.json

@@ -0,0 +1 @@
+{"license":{"uid":"F983C1D2-1676-4427-8B6A-EF954AEEC174","type":"enterprise","issue_date_in_millis":1606262400000,"start_date_in_millis":1606262400000,"expiry_date_in_millis":1640995199999,"max_resource_units":100,"issued_to":"ECK Unit & test <>","issuer":"ECK Unit tests","signature":"AAAABAAAAA2BVF3v7DTBA3aIN5VKAAABmC9ZN0hjZDBGYnVyRXpCOW5Bb3FjZDAxOWpSbTVoMVZwUzRxVk1PSmkxakxlZzM5QU1HeFFJV3Jic1lDa1c0SU4wWHlKTHVGY1lNNm1GWCszenRqckZkSmVwcTRERjdnZk8yUlhtczJ4QS9pYUEwOFo3TUdVYVhpTEN6bkgwQ0FWV1luQ0dWeVRGSXVFZTAzQXJXc2N3YXBpaTgxMC81R0FYR0FLYkJZZ2Y5LzA4NktBSWtxS3RHSFJTdkNFbFl0VTZlSTlmMVYxQWVXeXIzWXg4cHM2TW9OdDNnSzVNV2NUeWE3cTVSTitWSlorMjJ4ZjFxRHJVNG1UdHN5MXN5a3l1TjZLM2RsSWNqL0FRakY4SFdSdVk3MkR3ZUdXdXpRcG5PMmRnYmI2UUNxanU5NHQ0WC9Ud2poTTE3V1JVMTdYVzNVeTUrbUpwZCtrYWRDcDVmTHo1Q2pwVkw3ZVRaYXZWRUxkRk04VDdmK0ExS044NXBOeFRVZ0tTa3JJcXFZUDlpeVhLaGgyUmxhOWJTdy82eTVBV2c9PQAAAQBfAHdLIIy8BuD0eWZVh2lO4WG7Ck3LaN1Trid8Z0ZhdhN2AQY7TuTCe6VGQA7SfjtJ5RHZvQ223CZicoplCc8mSqblV1ZhbmqfFMvHqmuTJxjMW4abINcVSExBLWe4R/8nx6vKNdslt7qJuwO9KBc3Aqcv3V5UJRS59rXao4c/N5BwxhweCy0uQbLlnvTIbjjERgFC7L+k7TC55atdjUkYlV9yIik3w7mBvcQzNYoeTcYom/TyGQe8maYOYLbojyZ2B8NLKgxGCIzoVxEB9vxcz9wtNDiBpU7M8Ep6282COy0qHstJrmOult0rGZbGIdhk4GDVtCEPbi+S0jfvCM0n"}}

pkg/controller/common/license/verifier.go

@@ -216,7 +216,7 @@ type licenseSpec struct {
 }
 
 func (l EnterpriseLicense) SignableContentBytes() ([]byte, error) {
-	return json.Marshal(licenseSpec{
+	return unescapedJSONMarshal(licenseSpec{
 		UID:                l.License.UID,
 		LicenseType:        string(l.License.Type),
 		IssueDateInMillis:  l.License.IssueDateInMillis,
@@ -229,6 +229,22 @@ func (l EnterpriseLicense) SignableContentBytes() ([]byte, error) {
 	})
 }
 
+// unescapedJSONMarshal is a custom JSON encoder that turns off Go json's default behaviour of escaping > < and &
+// which is problematic and would lead to failed signature checks as our license signing does not escape those characters.
+func unescapedJSONMarshal(t interface{}) ([]byte, error) {
+	buffer := &bytes.Buffer{}
+	encoder := json.NewEncoder(buffer)
+	encoder.SetEscapeHTML(false)
+	err := encoder.Encode(t)
+	if err != nil {
+		return nil, err
+	}
+	marshaledBytes := buffer.Bytes()
+	// json.Encoder adds an additional newline between objects which we do not want here
+	// as it is not part of the signature. That's we we are trimming it here.
+	return bytes.TrimRight(marshaledBytes, "\n"), err
+}
+
 func (l EnterpriseLicense) Version() int {
 	return l.License.Version
 }

pkg/controller/common/license/verifier_test.go

@@ -9,6 +9,8 @@ import (
 	"crypto/rsa"
 	"crypto/x509"
 	"encoding/base64"
+	"encoding/json"
+	"io/ioutil"
 	"reflect"
 	"testing"
 	"time"
@@ -145,6 +147,19 @@ func TestNewLicenseVerifier(t *testing.T) {
 				require.NoError(t, v.ValidSignature(withSignature(licenseFixtureV3, bytes)))
 			},
 		},
+		{
+			name: "Can verify license signed by external tooling",
+			want: func(v *Verifier) {
+				// license attributes contain <> and & which json.Marshal escapes by default leading to a signature
+				// mismatch unless handled explicitly
+				bytes, err := ioutil.ReadFile("testdata/externally-generated-lic.json")
+				require.NoError(t, err)
+				var lic EnterpriseLicense
+				err = json.Unmarshal(bytes, &lic)
+				require.NoError(t, err)
+				require.NoError(t, v.ValidSignature(lic))
+			},
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {