refactor(usage): move license selection logic into tallymansdk.New

deansheather · deansheather · commit 196c18836d7c · 2025-12-11T16:35:09.000Z
- Move getBestLicenseJWT logic from publisher.go to tallymansdk.New()
- Add NewOptions struct for tallymansdk client creation
- Export ErrNoLicenseSupportsPublishing for reuse in other contexts
- Simplify publisher.publishOnce by delegating license selection to SDK
diff --git a/enterprise/coderd/usage/publisher.go b/enterprise/coderd/usage/publisher.go
@@ -19,7 +19,6 @@ import (
 	"github.com/coder/coder/v2/coderd/pproflabel"
 	"github.com/coder/coder/v2/coderd/usage/usagetypes"
 	"github.com/coder/coder/v2/cryptorand"
-	"github.com/coder/coder/v2/enterprise/coderd/license"
 	"github.com/coder/coder/v2/enterprise/coderd/usage/tallymansdk"
 	"github.com/coder/quartz"
 )
@@ -33,8 +32,6 @@ const (
 	tallymanPublishBatchSize = 100
 )
 
-var errUsagePublishingDisabled = xerrors.New("usage publishing is not enabled by any license")
-
 // Publisher publishes usage events ***somewhere***.
 type Publisher interface {
 	// Close closes the publisher and waits for it to finish.
@@ -203,11 +200,17 @@ func (p *tallymanPublisher) publish(ctx context.Context, deploymentID uuid.UUID)
 // publishOnce publishes up to tallymanPublishBatchSize usage events to
 // tallyman. It returns the number of successfully published events.
 func (p *tallymanPublisher) publishOnce(ctx context.Context, deploymentID uuid.UUID) (int, error) {
-	licenseJwt, err := p.getBestLicenseJWT(ctx)
-	if xerrors.Is(err, errUsagePublishingDisabled) {
+	sdkClient, err := tallymansdk.New(ctx, tallymansdk.NewOptions{
+		DB:           p.db,
+		DeploymentID: deploymentID,
+		LicenseKeys:  p.licenseKeys,
+		BaseURL:      p.baseURL,
+		HTTPClient:   p.httpClient,
+	})
+	if xerrors.Is(err, tallymansdk.ErrNoLicenseSupportsPublishing) {
 		return 0, nil
 	} else if err != nil {
-		return 0, xerrors.Errorf("find usage publishing license: %w", err)
+		return 0, xerrors.Errorf("create tallyman client: %w", err)
 	}
 
 	events, err := p.db.SelectUsageEventsForPublishing(ctx, dbtime.Time(p.clock.Now()))
@@ -246,7 +249,7 @@ func (p *tallymanPublisher) publishOnce(ctx context.Context, deploymentID uuid.U
 		return 0, xerrors.Errorf("duplicate event IDs found in events for publishing")
 	}
 
-	resp, err := p.sendPublishRequest(ctx, deploymentID, licenseJwt, tallymanReq)
+	resp, err := p.sendPublishRequest(ctx, sdkClient, tallymanReq)
 	allFailed := err != nil
 	if err != nil {
 		p.log.Warn(ctx, "failed to send publish request to tallyman", slog.F("count", len(events)), slog.Error(err))
@@ -336,72 +339,7 @@ func (p *tallymanPublisher) publishOnce(ctx context.Context, deploymentID uuid.U
 	return len(resp.AcceptedEvents), returnErr
 }
 
-// getBestLicenseJWT returns the best license JWT to use for the request. The
-// criteria is as follows:
-// - The license must be valid and active (after nbf, before exp)
-// - The license must have usage publishing enabled
-// The most recently issued (iat) license is chosen.
-//
-// If no licenses are found or none have usage publishing enabled,
-// errUsagePublishingDisabled is returned.
-func (p *tallymanPublisher) getBestLicenseJWT(ctx context.Context) (string, error) {
-	licenses, err := p.db.GetUnexpiredLicenses(ctx)
-	if err != nil {
-		return "", xerrors.Errorf("get unexpired licenses: %w", err)
-	}
-	if len(licenses) == 0 {
-		return "", errUsagePublishingDisabled
-	}
-
-	type licenseJWTWithClaims struct {
-		Claims *license.Claims
-		Raw    string
-	}
-
-	var bestLicense licenseJWTWithClaims
-	for _, dbLicense := range licenses {
-		claims, err := license.ParseClaims(dbLicense.JWT, p.licenseKeys)
-		if err != nil {
-			p.log.Warn(ctx, "failed to parse license claims", slog.F("license_id", dbLicense.ID), slog.Error(err))
-			continue
-		}
-		if claims.AccountType != license.AccountTypeSalesforce {
-			// Non-Salesforce accounts cannot be tracked as they do not have a
-			// trusted Salesforce opportunity ID encoded in the license.
-			continue
-		}
-		if !claims.PublishUsageData {
-			// Publishing is disabled.
-			continue
-		}
-
-		// Otherwise, if it's issued more recently, it's the best license.
-		// IssuedAt is verified to be non-nil in license.ParseClaims.
-		if bestLicense.Claims == nil || claims.IssuedAt.Time.After(bestLicense.Claims.IssuedAt.Time) {
-			bestLicense = licenseJWTWithClaims{
-				Claims: claims,
-				Raw:    dbLicense.JWT,
-			}
-		}
-	}
-
-	if bestLicense.Raw == "" {
-		return "", errUsagePublishingDisabled
-	}
-
-	return bestLicense.Raw, nil
-}
-
-func (p *tallymanPublisher) sendPublishRequest(ctx context.Context, deploymentID uuid.UUID, licenseJwt string, req usagetypes.TallymanV1IngestRequest) (usagetypes.TallymanV1IngestResponse, error) {
-	// Create a new SDK client for this request.
-	// We create it per-request since the license key may change.
-	sdkClient := tallymansdk.New(
-		p.baseURL,
-		licenseJwt,
-		deploymentID,
-		tallymansdk.WithHTTPClient(p.httpClient),
-	)
-
+func (*tallymanPublisher) sendPublishRequest(ctx context.Context, sdkClient *tallymansdk.Client, req usagetypes.TallymanV1IngestRequest) (usagetypes.TallymanV1IngestResponse, error) {
 	return sdkClient.PublishUsageEvents(ctx, req)
 }
 
diff --git a/enterprise/coderd/usage/tallymansdk/client.go b/enterprise/coderd/usage/tallymansdk/client.go
@@ -3,6 +3,7 @@ package tallymansdk
 import (
 	"bytes"
 	"context"
+	"crypto/ed25519"
 	"encoding/json"
 	"io"
 	"net/http"
@@ -12,14 +13,32 @@ import (
 	"golang.org/x/xerrors"
 
 	"github.com/coder/coder/v2/buildinfo"
+	"github.com/coder/coder/v2/coderd/database"
 	"github.com/coder/coder/v2/coderd/usage/usagetypes"
+	"github.com/coder/coder/v2/enterprise/coderd/license"
 )
 
 const (
 	// DefaultURL is the default URL for the Tallyman API.
 	DefaultURL = "https://tallyman-prod.coder.com"
 )
 
+var ErrNoLicenseSupportsPublishing = xerrors.New("usage publishing is not enabled by any license")
+
+// NewOptions contains options for creating a new Tallyman client.
+type NewOptions struct {
+	// DB is the database store for querying licenses and deployment ID.
+	DB database.Store
+	// DeploymentID is the deployment ID. If uuid.Nil, it will be fetched from the database.
+	DeploymentID uuid.UUID
+	// LicenseKeys is a map of license keys for verifying license JWTs.
+	LicenseKeys map[string]ed25519.PublicKey
+	// BaseURL is the base URL for the Tallyman API. If nil, DefaultURL is used.
+	BaseURL *url.URL
+	// HTTPClient is the HTTP client to use for requests. If nil, http.DefaultClient is used.
+	HTTPClient *http.Client
+}
+
 // Client is a client for the Tallyman API.
 type Client struct {
 	// URL is the base URL for the Tallyman API.
@@ -35,8 +54,8 @@ type Client struct {
 // ClientOption is a functional option for configuring the Client.
 type ClientOption func(*Client)
 
-// New creates a new Tallyman API client.
-func New(baseURL *url.URL, licenseKey string, deploymentID uuid.UUID, opts ...ClientOption) *Client {
+// NewWithAuth creates a new Tallyman API client with explicit authentication.
+func NewWithAuth(baseURL *url.URL, licenseKey string, deploymentID uuid.UUID, opts ...ClientOption) *Client {
 	if baseURL == nil {
 		baseURL, _ = url.Parse(DefaultURL)
 	}
@@ -64,6 +83,80 @@ func WithHTTPClient(httpClient *http.Client) ClientOption {
 	}
 }
 
+// New creates a new Tallyman API client by looking up the best license from the database.
+// It selects the most recently issued license that:
+// - Is unexpired
+// - Has AccountType == AccountTypeSalesforce
+// - Has PublishUsageData enabled
+//
+// If opts.DeploymentID is uuid.Nil, it will be fetched from the database.
+// If no suitable license is found, it returns ErrNoLicenseSupportsPublishing.
+func New(ctx context.Context, opts NewOptions) (*Client, error) {
+	// Fetch deployment ID if not provided
+	deploymentID := opts.DeploymentID
+	if deploymentID == uuid.Nil {
+		deploymentIDStr, err := opts.DB.GetDeploymentID(ctx)
+		if err != nil {
+			return nil, xerrors.Errorf("get deployment ID: %w", err)
+		}
+		deploymentID, err = uuid.Parse(deploymentIDStr)
+		if err != nil {
+			return nil, xerrors.Errorf("parse deployment ID %q: %w", deploymentIDStr, err)
+		}
+	}
+
+	licenses, err := opts.DB.GetUnexpiredLicenses(ctx)
+	if err != nil {
+		return nil, xerrors.Errorf("get unexpired licenses: %w", err)
+	}
+	if len(licenses) == 0 {
+		return nil, ErrNoLicenseSupportsPublishing
+	}
+
+	type licenseJWTWithClaims struct {
+		Claims *license.Claims
+		Raw    string
+	}
+
+	var bestLicense licenseJWTWithClaims
+	for _, dbLicense := range licenses {
+		claims, err := license.ParseClaims(dbLicense.JWT, opts.LicenseKeys)
+		if err != nil {
+			// Skip licenses that can't be parsed
+			continue
+		}
+		if claims.AccountType != license.AccountTypeSalesforce {
+			// Non-Salesforce accounts cannot be tracked
+			continue
+		}
+		if !claims.PublishUsageData {
+			// Publishing is disabled
+			continue
+		}
+
+		// Select the most recently issued license
+		// IssuedAt is verified to be non-nil in license.ParseClaims
+		if bestLicense.Claims == nil || claims.IssuedAt.Time.After(bestLicense.Claims.IssuedAt.Time) {
+			bestLicense = licenseJWTWithClaims{
+				Claims: claims,
+				Raw:    dbLicense.JWT,
+			}
+		}
+	}
+
+	if bestLicense.Raw == "" {
+		return nil, ErrNoLicenseSupportsPublishing
+	}
+
+	// Set default HTTP client if not provided
+	httpClient := opts.HTTPClient
+	if httpClient == nil {
+		httpClient = http.DefaultClient
+	}
+
+	return NewWithAuth(opts.BaseURL, bestLicense.Raw, deploymentID, WithHTTPClient(httpClient)), nil
+}
+
 // Request makes an HTTP request to the Tallyman API.
 // It sets the authentication headers and User-Agent automatically.
 func (c *Client) Request(ctx context.Context, method, path string, body interface{}) (*http.Response, error) {
