fix: use GAF network stack for license downloads with retry and caching

Author: danskmt

.circleci/config.yml

@@ -186,7 +186,8 @@ commands:
                 command: |
                   # load Windows $Env:Path values of tools necessary to execute the build (like Go)
                   if [ -f "/c/tools-cache/<< pipeline.parameters.windows_bash_env_script >>" ]; then source "/c/tools-cache/<< pipeline.parameters.windows_bash_env_script >>"; fi
-                  make << parameters.make_target >> GOOS=<< parameters.go_target_os >> GOARCH=<< parameters.go_arch >> STATIC_NODE_BINARY=true CGO_ENABLED=0
+                  LICENSE_CACHE_DIR="" && [ -d "cliv2/internal/embedded/_data/licenses" ] && LICENSE_CACHE_DIR="$(pwd)/cliv2/internal/embedded/_data/licenses"
+                  make << parameters.make_target >> GOOS=<< parameters.go_target_os >> GOARCH=<< parameters.go_arch >> STATIC_NODE_BINARY=true CGO_ENABLED=0 LICENSE_CACHE_DIR="$LICENSE_CACHE_DIR"
       - unless:
           condition: << parameters.static >>
           steps:
@@ -199,7 +200,8 @@ commands:
                 command: |
                   # load Windows $Env:Path values of tools necessary to execute the build (like Go)
                   if [ -f "/c/tools-cache/<< pipeline.parameters.windows_bash_env_script >>" ]; then source "/c/tools-cache/<< pipeline.parameters.windows_bash_env_script >>"; fi
-                  make << parameters.make_target >> GOOS=<< parameters.go_target_os >> GOARCH=<< parameters.go_arch >> STATIC_NODE_BINARY=false CGO_ENABLED=1
+                  LICENSE_CACHE_DIR="" && [ -d "cliv2/internal/embedded/_data/licenses" ] && LICENSE_CACHE_DIR="$(pwd)/cliv2/internal/embedded/_data/licenses"
+                  make << parameters.make_target >> GOOS=<< parameters.go_target_os >> GOARCH=<< parameters.go_arch >> STATIC_NODE_BINARY=false CGO_ENABLED=1 LICENSE_CACHE_DIR="$LICENSE_CACHE_DIR"
   install-go:
     parameters:
       go_os:
@@ -603,6 +605,12 @@ workflows:
           requires:
             - prepare-build
 
+      - prepare-licenses:
+          name: prepare-licenses
+          context: devex_cli_docker_hub
+          requires:
+            - prepare-build
+
       - build-artifact:
           name: build linux amd64
           context:
@@ -615,7 +623,7 @@ workflows:
           go_download_base_url: << pipeline.parameters.go_download_base_url >>
           executor: docker-amd64-xl
           requires:
-            - prepare-build
+            - prepare-licenses
 
       - build-artifact:
           name: build linux static amd64
@@ -630,7 +638,7 @@ workflows:
           make_target: build-experimental
           executor: docker-amd64-xl
           requires:
-            - prepare-build
+            - prepare-licenses
 
       - build-artifact:
           name: build linux fips amd64
@@ -644,7 +652,7 @@ workflows:
           make_target: build-fips
           executor: docker-amd64-xl
           requires:
-            - prepare-build
+            - prepare-licenses
 
       - build-artifact:
           name: build linux arm64
@@ -658,7 +666,7 @@ workflows:
           go_download_base_url: << pipeline.parameters.go_download_base_url >>
           executor: docker-arm64-xl
           requires:
-            - prepare-build
+            - prepare-licenses
 
       - build-artifact:
           name: build linux static arm64
@@ -673,7 +681,7 @@ workflows:
           make_target: build-experimental
           executor: docker-arm64-xl
           requires:
-            - prepare-build
+            - prepare-licenses
 
       - build-artifact:
           name: build linux fips arm64
@@ -687,7 +695,7 @@ workflows:
           make_target: build-fips
           executor: docker-arm64-xl
           requires:
-            - prepare-build
+            - prepare-licenses
 
       - build-artifact:
           name: build alpine amd64
@@ -701,7 +709,7 @@ workflows:
           executor: docker-amd64-xl
           c_compiler: /usr/bin/musl-gcc
           requires:
-            - prepare-build
+            - prepare-licenses
 
       - build-artifact:
           name: build alpine arm64
@@ -715,7 +723,7 @@ workflows:
           executor: docker-arm64-xl
           c_compiler: /usr/bin/musl-gcc
           requires:
-            - prepare-build
+            - prepare-licenses
 
       - build-artifact:
           name: build macOS amd64
@@ -729,7 +737,7 @@ workflows:
             - snyk-macos-signing
             - iac-cli
           requires:
-            - prepare-build
+            - prepare-licenses
 
       - build-artifact:
           name: build macOS arm64
@@ -743,7 +751,7 @@ workflows:
             - snyk-macos-signing
             - iac-cli
           requires:
-            - prepare-build
+            - prepare-licenses
 
       - build-artifact:
           name: build windows amd64
@@ -759,7 +767,7 @@ workflows:
             - snyk-windows-signing
             - iac-cli
           requires:
-            - prepare-build
+            - prepare-licenses
 
       - acceptance-tests:
           name: acceptance-tests linux static arm64
@@ -1487,6 +1495,35 @@ jobs:
             - binary-releases/snyk-fix.tgz
             - binary-releases/snyk-protect.tgz
 
+  prepare-licenses:
+    executor: docker-amd64
+    steps:
+      - prepare-workspace
+      - install-go:
+          go_os: linux
+          go_target_os: linux
+          go_arch: amd64
+          base_url: << pipeline.parameters.go_download_base_url >>
+          extraction_path: '.'
+      - restore_cache:
+          name: Restoring license cache
+          keys:
+            - license-cache-v1-{{ checksum "cliv2/go.sum" }}
+      - run:
+          name: Prepare 3rd party licenses
+          working_directory: ./cliv2
+          command: |
+            GOOS=linux GOARCH=amd64 go run scripts/prepare_licenses.go
+      - save_cache:
+          name: Saving license cache
+          key: license-cache-v1-{{ checksum "cliv2/go.sum" }}
+          paths:
+            - cliv2/internal/embedded/_data/licenses
+      - persist_to_workspace:
+          root: .
+          paths:
+            - cliv2/internal/embedded/_data/licenses
+
   build-artifact:
     parameters:
       go_os:

cliv2/Makefile

@@ -34,6 +34,7 @@ bindir = $(exec_prefix)/bin
 WORKING_DIR = $(CURDIR)
 BUILD_DIR = $(WORKING_DIR)/_bin
 CACHE_DIR = $(WORKING_DIR)/_cache
+LICENSE_CACHE_DIR ?=
 SRCS = $(shell find $(WORKING_DIR) -type f -name '*.go')
 
 # load cached variables if available
@@ -198,7 +199,7 @@ $(WORKING_DIR)/internal/httpauth/generated/spnego_generated_mock.go:
 
 $(CACHE_DIR)/prepare-3rd-party-licenses:
 	@echo "$(LOG_PREFIX) Preparing 3rd Party Licenses"
-	@GOOS=$(GOHOSTOS) GOARCH=$(GOHOSTARCH) $(GOCMD) run scripts/prepare_licenses.go > $(CACHE_DIR)/prepare-3rd-party-licenses 2> $(CACHE_DIR)/prepare-3rd-party-licenses.log \
+	@GOOS=$(GOHOSTOS) GOARCH=$(GOHOSTARCH) LICENSE_CACHE_DIR=$(LICENSE_CACHE_DIR) $(GOCMD) run scripts/prepare_licenses.go > $(CACHE_DIR)/prepare-3rd-party-licenses 2> $(CACHE_DIR)/prepare-3rd-party-licenses.log \
 		|| (cat $(CACHE_DIR)/prepare-3rd-party-licenses.log && exit 1)
 	@echo "$(LOG_PREFIX) 3rd party licenses: ok"
 

cliv2/scripts/prepare_licenses.go

@@ -8,19 +8,47 @@ import (
 	"os/exec"
 	"path/filepath"
 	"strings"
-	"time"
+
+	"github.com/snyk/go-application-framework/pkg/configuration"
+	"github.com/snyk/go-application-framework/pkg/networking"
+	"github.com/snyk/go-application-framework/pkg/networking/middleware"
 )
 
 // licensesEmbeddedDir is the cliv2-relative tree where go-licenses and manual downloads write.
 var licensesEmbeddedDir = filepath.Join(".", "internal", "embedded", "_data", "licenses")
 
+const maxDownloadAttempts = 5
+
 func log(msg string) {
 	fmt.Fprintln(os.Stderr, msg)
 }
 
+var newHTTPClient = func() *http.Client {
+	cfg := configuration.NewWithOpts(configuration.WithAutomaticEnv())
+	cfg.Set(middleware.ConfigurationKeyRequestAttempts, maxDownloadAttempts)
+
+	na := networking.NewNetworkAccess(cfg)
+	na.AddHeaderField("User-Agent", "Snyk-CLI-Build/1.0")
+
+	if token := os.Getenv("GITHUB_TOKEN"); token != "" {
+		na.AddHeaderField("Authorization", "Bearer "+token)
+	}
+
+	return na.GetUnauthorizedHttpClient()
+}
+
 func main() {
 	log("Preparing 3rd party licenses...")
 
+	if src := os.Getenv("LICENSE_CACHE_DIR"); src != "" {
+		if err := copyLicenseCache(src, licensesEmbeddedDir); err != nil {
+			log(fmt.Sprintf("Error restoring cached licenses: %v", err))
+			os.Exit(1)
+		}
+		log("Restored licenses from cache, skipping downloads.")
+		return
+	}
+
 	goBinPath := filepath.Join(mustGetwd(), "_cache")
 	if err := os.Setenv("GOBIN", goBinPath); err != nil {
 		log(fmt.Sprintf("Error setting GOBIN: %v", err))
@@ -50,6 +78,8 @@ func main() {
 		os.Exit(1)
 	}
 
+	client := newHTTPClient()
+
 	log("Downloading manual licenses...")
 	manualLicenses := []struct{ url, pkg string }{
 		{"https://raw.githubusercontent.com/davecgh/go-spew/master/LICENSE", "github.com/davecgh/go-spew"},
@@ -58,7 +88,7 @@ func main() {
 		{"https://go.dev/LICENSE?m=text", "go.dev"},
 	}
 	for _, lic := range manualLicenses {
-		if err := manualLicenseDownload(lic.url, lic.pkg); err != nil {
+		if err := manualLicenseDownload(client, lic.url, lic.pkg); err != nil {
 			log(fmt.Sprintf("Error downloading license: %v", err))
 			os.Exit(1)
 		}
@@ -72,7 +102,28 @@ func main() {
 	log("Done preparing 3rd party licenses.")
 }
 
-func manualLicenseDownload(url, packageName string) error {
+func copyLicenseCache(src, dst string) error {
+	return filepath.Walk(src, func(path string, info os.FileInfo, err error) error {
+		if err != nil {
+			return err
+		}
+		rel, err := filepath.Rel(src, path)
+		if err != nil {
+			return err
+		}
+		target := filepath.Join(dst, rel)
+		if info.IsDir() {
+			return os.MkdirAll(target, 0o755)
+		}
+		data, err := os.ReadFile(path)
+		if err != nil {
+			return err
+		}
+		return os.WriteFile(target, data, info.Mode())
+	})
+}
+
+func manualLicenseDownload(client *http.Client, url, packageName string) error {
 	folderPath := filepath.Join(licensesEmbeddedDir, packageName)
 	licenseFile := filepath.Join(folderPath, "LICENSE")
 
@@ -86,14 +137,7 @@ func manualLicenseDownload(url, packageName string) error {
 		return fmt.Errorf("creating directory for %s: %w", packageName, err)
 	}
 
-	req, err := http.NewRequest(http.MethodGet, url, nil)
-	if err != nil {
-		return fmt.Errorf("creating request for %s: %w", packageName, err)
-	}
-	req.Header.Set("User-Agent", "Snyk-CLI-Build/1.0")
-
-	client := &http.Client{Timeout: 30 * time.Second}
-	resp, err := client.Do(req)
+	resp, err := client.Get(url)
 	if err != nil {
 		return fmt.Errorf("downloading license for %s: %w", packageName, err)
 	}