Merge pull request cryptomator#318 from cryptomator/feature/non-null-licensekey

non-null license keys

Author: overheadhunter

backend/src/main/java/org/cryptomator/hub/Main.java

@@ -0,0 +1,30 @@
+package org.cryptomator.hub;
+
+import io.quarkus.runtime.Quarkus;
+import io.quarkus.runtime.QuarkusApplication;
+import io.quarkus.runtime.annotations.QuarkusMain;
+import jakarta.inject.Inject;
+import org.cryptomator.hub.license.LicenseHolder;
+import org.jboss.logging.Logger;
+
+@QuarkusMain
+public class Main implements QuarkusApplication {
+
+	private static final Logger LOG = Logger.getLogger(Main.class);
+
+	@Inject
+	LicenseHolder license;
+
+	@Override
+	public int run(String... args) throws Exception {
+		try {
+			license.ensureLicenseExists();
+		} catch (RuntimeException e) {
+			LOG.error("Failed to validate license, shutting down...", e);
+			return 1;
+		}
+		Quarkus.waitForExit();
+		return 0;
+	}
+
+}

backend/src/main/java/org/cryptomator/hub/api/AuditLogResource.java

@@ -68,14 +68,17 @@ public class AuditLogResource {
 	@APIResponse(responseCode = "402", description = "Community license used or license expired")
 	@APIResponse(responseCode = "403", description = "requesting user does not have admin role")
 	public List<AuditEventDto> getAllEvents(@QueryParam("startDate") Instant startDate, @QueryParam("endDate") Instant endDate, @QueryParam("type") List<String> type, @QueryParam("paginationId") Long paginationId, @QueryParam("order") @DefaultValue("desc") String order, @QueryParam("pageSize") @DefaultValue("20") int pageSize) {
-		if (!license.isSet() || license.isExpired()) {
+		if (license.getEntitlements().auditLogRetentionDays() == 0 || license.isExpired()) {
 			throw new PaymentRequiredException("Community license used or license expired");
 		}
+		Instant retentionThreshold = license.getEntitlements().auditLogRetentionThreshold();
 
 		if (startDate == null || endDate == null) {
 			throw new BadRequestException("startDate and endDate must be specified");
 		} else if (startDate.isAfter(endDate)) {
 			throw new BadRequestException("startDate must be before endDate");
+		} else if (endDate.isBefore(retentionThreshold)) {
+			throw new PaymentRequiredException("queried date range predates audit log retention period");
 		} else if (!(order.equals("desc") || order.equals("asc"))) {
 			throw new BadRequestException("order must be either 'asc' or 'desc'");
 		} else if (pageSize < 1 || pageSize > 100) {
@@ -92,6 +95,9 @@ public List<AuditEventDto> getAllEvents(@QueryParam("startDate") Instant startDa
 			}
 		}
 
+		// cut off startDate at retention threshold
+		startDate = startDate.isBefore(retentionThreshold) ? retentionThreshold : startDate;
+
 		return auditEventRepo.findAllInPeriod(startDate, endDate, type, paginationId, order.equals("asc"), pageSize).map(AuditEventDto::fromEntity).toList();
 	}
 

backend/src/main/java/org/cryptomator/hub/api/BillingResource.java

@@ -46,12 +46,8 @@ public class BillingResource {
 	public BillingDto get() {
 		int usedSeats = (int) effectiveVaultAccessRepo.countSeatOccupyingUsers();
 		boolean isManaged = licenseHolder.isManagedInstance();
-		return Optional.ofNullable(licenseHolder.get())
-				.map(jwt -> BillingDto.fromDecodedJwt(jwt, usedSeats, isManaged))
-				.orElseGet(() -> {
-					var hubId = settingsRepo.get().getHubId();
-					return BillingDto.create(hubId, (int) licenseHolder.getSeats(), usedSeats, isManaged);
-				});
+		var licenseToken = licenseHolder.get();
+		return BillingDto.fromDecodedJwt(licenseToken, usedSeats, isManaged);
 	}
 
 	@PUT
@@ -71,21 +67,17 @@ public Response setToken(@NotNull @ValidJWS String token) {
 		}
 	}
 
-	public record BillingDto(@JsonProperty("hubId") String hubId, @JsonProperty("hasLicense") Boolean hasLicense, @JsonProperty("email") String email,
+	public record BillingDto(@JsonProperty("hubId") String hubId, @JsonProperty("email") String email,
 							 @JsonProperty("licensedSeats") Integer licensedSeats, @JsonProperty("usedSeats") Integer usedSeats,
 							 @JsonProperty("issuedAt") Instant issuedAt, @JsonProperty("expiresAt") Instant expiresAt, @JsonProperty("managedInstance") Boolean managedInstance) {
 
-		public static BillingDto create(String hubId, int noLicenseSeatCount, int usedSeats, boolean isManaged) {
-			return new BillingDto(hubId, false, null, noLicenseSeatCount, usedSeats, null, null, isManaged);
-		}
-
 		public static BillingDto fromDecodedJwt(DecodedJWT jwt, int usedSeats, boolean isManaged) {
 			var id = jwt.getId();
 			var email = jwt.getSubject();
-			var licensedSeats = jwt.getClaim("seats").asInt();
+			var licensedSeats = jwt.getClaim("seats").asInt(); // TODO eventually replace with "org.cryptomator.hub.entitlements"."seats", see https://github.com/cryptomator/hub/issues/391
 			var issuedAt = jwt.getIssuedAt().toInstant();
 			var expiresAt = jwt.getExpiresAt().toInstant();
-			return new BillingDto(id, true, email, licensedSeats, usedSeats, issuedAt, expiresAt, isManaged);
+			return new BillingDto(id, email, licensedSeats, usedSeats, issuedAt, expiresAt, isManaged);
 		}
 
 	}

backend/src/main/java/org/cryptomator/hub/api/ConfigResource.java

@@ -8,6 +8,8 @@
 import jakarta.ws.rs.Path;
 import jakarta.ws.rs.Produces;
 import jakarta.ws.rs.core.MediaType;
+import org.cryptomator.hub.license.HubLicenseEntitlements;
+import org.cryptomator.hub.license.LicenseHolder;
 import org.eclipse.microprofile.config.inject.ConfigProperty;
 
 import java.time.Instant;
@@ -39,6 +41,8 @@ public class ConfigResource {
 	@Inject
 	OidcConfigurationMetadata oidcConfData;
 
+	@Inject
+	LicenseHolder license;
 
 	@PermitAll
 	@GET
@@ -49,7 +53,7 @@ public ConfigDto getConfig() {
 		var authUri = replacePrefix(oidcConfData.getAuthorizationUri(), trimTrailingSlash(internalRealmUrl), publicRealmUri);
 		var tokenUri = replacePrefix(oidcConfData.getTokenUri(), trimTrailingSlash(internalRealmUrl), publicRealmUri);
 
-		return new ConfigDto(keycloakPublicUrl, keycloakRealm, keycloakClientIdHub, keycloakClientIdCryptomator, authUri, tokenUri, Instant.now().truncatedTo(ChronoUnit.MILLIS), 4);
+		return new ConfigDto(keycloakPublicUrl, keycloakRealm, keycloakClientIdHub, keycloakClientIdCryptomator, authUri, tokenUri, Instant.now().truncatedTo(ChronoUnit.MILLIS), 4, license.getEntitlements());
 	}
 
 	//visible for testing
@@ -75,7 +79,8 @@ String trimTrailingSlash(String str) {
 	public record ConfigDto(@JsonProperty("keycloakUrl") String keycloakUrl, @JsonProperty("keycloakRealm") String keycloakRealm,
 							@JsonProperty("keycloakClientIdHub") String keycloakClientIdHub, @JsonProperty("keycloakClientIdCryptomator") String keycloakClientIdCryptomator,
 							@JsonProperty("keycloakAuthEndpoint") String authEndpoint, @JsonProperty("keycloakTokenEndpoint") String tokenEndpoint,
-							@JsonProperty("serverTime") Instant serverTime, @JsonProperty("apiLevel") Integer apiLevel) {
+							@JsonProperty("serverTime") Instant serverTime, @JsonProperty("apiLevel") Integer apiLevel,
+							@JsonProperty("entitlements") HubLicenseEntitlements entitlements) {
 	}
 
 }

backend/src/main/java/org/cryptomator/hub/api/LicenseResource.java

@@ -1,6 +1,5 @@
 package org.cryptomator.hub.api;
 
-import com.auth0.jwt.interfaces.DecodedJWT;
 import com.fasterxml.jackson.annotation.JsonProperty;
 import jakarta.annotation.security.RolesAllowed;
 import jakarta.inject.Inject;
@@ -14,7 +13,6 @@
 import org.eclipse.microprofile.openapi.annotations.responses.APIResponse;
 
 import java.time.Instant;
-import java.util.Optional;
 
 @Path("/license")
 public class LicenseResource {
@@ -41,8 +39,8 @@ public record LicenseUserInfoDto(@JsonProperty("licensedSeats") Integer licensed
 									 @JsonProperty("expiresAt") Instant expiresAt) {
 
 		public static LicenseUserInfoDto create(LicenseHolder licenseHolder, int usedSeats) {
-			var licensedSeats = (int) licenseHolder.getSeats();
-			var expiresAt = Optional.ofNullable(licenseHolder.get()).map(DecodedJWT::getExpiresAtAsInstant).orElse(null);
+			var licensedSeats = (int) licenseHolder.getEntitlements().seats();
+			var expiresAt = licenseHolder.get().getExpiresAtAsInstant();
 			return new LicenseUserInfoDto(licensedSeats, usedSeats, expiresAt);
 		}
 

backend/src/main/java/org/cryptomator/hub/api/VaultResource.java

@@ -179,7 +179,7 @@ public Response addUser(@PathParam("vaultId") UUID vaultId, @PathParam("userId")
 		var vault = vaultRepo.findById(vaultId); // should always be found, since @VaultRole filter would have triggered
 		var user = userRepo.findByIdOptional(userId).orElseThrow(NotFoundException::new);
 		var usedSeats = effectiveVaultAccessRepo.countSeatOccupyingUsers();
-		if (usedSeats < license.getSeats() // free seats available
+		if (usedSeats < license.getEntitlements().seats() // free seats available
 				|| effectiveVaultAccessRepo.isUserOccupyingSeat(userId)) { // or user already sitting
 			return addAuthority(vault, user, role);
 		} else {
@@ -206,7 +206,7 @@ public Response addGroup(@PathParam("vaultId") UUID vaultId, @PathParam("groupId
 		var group = groupRepo.findByIdOptional(groupId).orElseThrow(NotFoundException::new);
 
 		//usersInGroup - usersInGroupAndPartOfAtLeastOneVault + usersOfAtLeastOneVault
-		if (userRepo.countEffectiveGroupUsers(groupId) - effectiveVaultAccessRepo.countSeatOccupyingUsersOfGroup(groupId) + effectiveVaultAccessRepo.countSeatOccupyingUsers() > license.getSeats()) {
+		if (userRepo.countEffectiveGroupUsers(groupId) - effectiveVaultAccessRepo.countSeatOccupyingUsersOfGroup(groupId) + effectiveVaultAccessRepo.countSeatOccupyingUsers() > license.getEntitlements().seats()) {
 			throw new PaymentRequiredException("Adding this group would exceed available license seats.");
 		}
 
@@ -286,16 +286,24 @@ public Response legacyUnlock(@PathParam("vaultId") UUID vaultId, @PathParam("dev
 		}
 
 		var accessTokenSeats = effectiveVaultAccessRepo.countSeatOccupyingUsersWithAccessToken();
-		if (accessTokenSeats > license.getSeats()) {
+		if (accessTokenSeats > license.getEntitlements().seats()) {
 			throw new PaymentRequiredException("Number of effective vault users exceeds available license seats");
 		}
 		var ipAddress = request.remoteAddress().hostAddress();
 		try {
 			var access = legacyAccessTokenRepo.unlock(vaultId, deviceId, jwt.getSubject());
 			eventLogger.logVaultKeyRetrieved(jwt.getSubject(), vaultId, VaultKeyRetrievedEvent.Result.SUCCESS, ipAddress, deviceId);
-			var subscriptionStateHeaderName = "Hub-Subscription-State";
-			var subscriptionStateHeaderValue = license.isSet() ? "ACTIVE" : "INACTIVE"; // license expiration is not checked here, because it is checked in the ActiveLicense filter
-			return Response.ok(access.getJwe()).header(subscriptionStateHeaderName, subscriptionStateHeaderValue).build();
+			var response = Response.ok(access.getJwe());
+			var iosLicense = license.getEntitlements().iosLicense();
+			var androidLicense = license.getEntitlements().androidLicense();
+			if (iosLicense != null) {
+				response = response.header("Hub-Subscription-State", "ACTIVE"); // license expiration is not checked here, because it is checked in the ActiveLicense filter
+				response = response.header("Hub-iOS-License", iosLicense);
+			}
+			if (androidLicense != null) {
+				response = response.header("Hub-Android-License", androidLicense);
+			}
+			return response.build();
 		} catch (NoResultException e) {
 			eventLogger.logVaultKeyRetrieved(jwt.getSubject(), vaultId, VaultKeyRetrievedEvent.Result.UNAUTHORIZED, ipAddress, deviceId);
 			throw new ForbiddenException("Access to this device not granted.");
@@ -322,7 +330,7 @@ public Response unlock(@PathParam("vaultId") UUID vaultId, @QueryParam("evenIfAr
 		}
 
 		var accessTokenSeats = effectiveVaultAccessRepo.countSeatOccupyingUsersWithAccessToken();
-		if (accessTokenSeats > license.getSeats()) {
+		if (accessTokenSeats > license.getEntitlements().seats()) {
 			throw new PaymentRequiredException("Number of effective vault users exceeds available license seats");
 		}
 
@@ -335,9 +343,17 @@ public Response unlock(@PathParam("vaultId") UUID vaultId, @QueryParam("evenIfAr
 		var access = accessTokenRepo.unlock(vaultId, jwt.getSubject());
 		if (access != null) {
 			eventLogger.logVaultKeyRetrieved(jwt.getSubject(), vaultId, VaultKeyRetrievedEvent.Result.SUCCESS, ipAddress, deviceId);
-			var subscriptionStateHeaderName = "Hub-Subscription-State";
-			var subscriptionStateHeaderValue = license.isSet() ? "ACTIVE" : "INACTIVE"; // license expiration is not checked here, because it is checked in the ActiveLicense filter
-			return Response.ok(access.getVaultKey(), MediaType.TEXT_PLAIN_TYPE).header(subscriptionStateHeaderName, subscriptionStateHeaderValue).build();
+			var response = Response.ok(access.getVaultKey(), MediaType.TEXT_PLAIN_TYPE);
+			var iosLicense = license.getEntitlements().iosLicense();
+			var androidLicense = license.getEntitlements().androidLicense();
+			if (iosLicense != null) {
+				response = response.header("Hub-Subscription-State", "ACTIVE"); // license expiration is not checked here, because it is checked in the ActiveLicense filter
+				response = response.header("Hub-iOS-License", iosLicense);
+			}
+			if (androidLicense != null) {
+				response = response.header("Hub-Android-License", androidLicense);
+			}
+			return response.build();
 		} else if (vaultRepo.findById(vaultId) == null) {
 			throw new NotFoundException("No such vault.");
 		} else {
@@ -364,7 +380,7 @@ public Response grantAccess(@PathParam("vaultId") UUID vaultId, @NotEmpty Map<St
 		long occupiedSeats = effectiveVaultAccessRepo.countSeatOccupyingUsers();
 		long usersWithoutSeat = tokens.size() - effectiveVaultAccessRepo.countSeatsOccupiedByUsers(tokens.keySet().stream().toList());
 
-		if (occupiedSeats + usersWithoutSeat > license.getSeats()) {
+		if (occupiedSeats + usersWithoutSeat > license.getEntitlements().seats()) {
 			throw new PaymentRequiredException("Number of effective vault users greater than or equal to the available license seats");
 		}
 
@@ -419,7 +435,7 @@ public Response createOrUpdate(@PathParam("vaultId") UUID vaultId, @Valid @NotNu
 		} else {
 			//if license is exceeded block vault creation, independent if the user is already sitting
 			var usedSeats = effectiveVaultAccessRepo.countSeatOccupyingUsers();
-			if (usedSeats > license.getSeats()) {
+			if (usedSeats > license.getEntitlements().seats()) {
 				throw new PaymentRequiredException("Number of effective vault users exceeds available license seats");
 			}
 			// create new vault:

backend/src/main/java/org/cryptomator/hub/license/HubLicenseEntitlements.java

@@ -0,0 +1,56 @@
+package org.cryptomator.hub.license;
+
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import com.fasterxml.jackson.annotation.JsonProperty;
+import io.quarkus.runtime.annotations.RegisterForReflection;
+
+import java.time.Instant;
+import java.time.temporal.ChronoUnit;
+
+@RegisterForReflection
+@JsonIgnoreProperties(ignoreUnknown = true)
+public record HubLicenseEntitlements(@JsonProperty("seats") long seats,
+									 @JsonProperty("showTrialHint") boolean showTrialHint,
+									 @JsonProperty("auditLogRetentionDays") long auditLogRetentionDays,
+									 @JsonProperty("iosLicense") String iosLicense,
+									 @JsonProperty("androidLicense") String androidLicense) {
+	/**
+	 * Calculates the earliest point of time for audit log entries to still be retained.
+	 * @return {@link #auditLogRetentionDays} days in the past from now
+	 */
+	public Instant auditLogRetentionThreshold() {
+		try {
+			return Instant.now().minus(auditLogRetentionDays(), ChronoUnit.DAYS).truncatedTo(ChronoUnit.DAYS);
+		} catch (ArithmeticException e) {
+			return Instant.MIN;
+		}
+	}
+
+	// region Factory + Withers (should only be used in tests)
+
+	public static HubLicenseEntitlements create() {
+		return new HubLicenseEntitlements(0, false, 0, null, null);
+	}
+
+	public HubLicenseEntitlements withSeats(long seats) {
+		return new HubLicenseEntitlements(seats, this.showTrialHint, this.auditLogRetentionDays, this.iosLicense, this.androidLicense);
+	}
+
+	public HubLicenseEntitlements withShowTrialHint(boolean showTrialHint) {
+		return new HubLicenseEntitlements(this.seats, showTrialHint, this.auditLogRetentionDays, this.iosLicense, this.androidLicense);
+	}
+
+	public HubLicenseEntitlements withAuditLogRetentionDays(long auditLogRetentionDays) {
+		return new HubLicenseEntitlements(this.seats, this.showTrialHint, auditLogRetentionDays, this.iosLicense, this.androidLicense);
+	}
+
+	public HubLicenseEntitlements withIosLicense(String iosLicense) {
+		return new HubLicenseEntitlements(this.seats, this.showTrialHint, this.auditLogRetentionDays, iosLicense, this.androidLicense);
+	}
+
+	public HubLicenseEntitlements withAndroidLicense(String androidLicense) {
+		return new HubLicenseEntitlements(this.seats, this.showTrialHint, this.auditLogRetentionDays, this.iosLicense, androidLicense);
+	}
+
+	// endregion
+}

backend/src/main/java/org/cryptomator/hub/license/LicenseApi.java

@@ -0,0 +1,64 @@
+package org.cryptomator.hub.license;
+
+import com.fasterxml.jackson.annotation.JsonProperty;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import jakarta.ws.rs.Consumes;
+import jakarta.ws.rs.FormParam;
+import jakarta.ws.rs.GET;
+import jakarta.ws.rs.POST;
+import jakarta.ws.rs.Path;
+import jakarta.ws.rs.Produces;
+import jakarta.ws.rs.QueryParam;
+import jakarta.ws.rs.core.MediaType;
+import org.eclipse.microprofile.rest.client.inject.RegisterRestClient;
+
+import java.io.IOException;
+import java.io.UncheckedIOException;
+import java.util.Base64;
+
+@RegisterRestClient(configKey = "license-api")
+public interface LicenseApi {
+
+	@GET
+	@Path("/hub/challenge")
+	@Produces(MediaType.APPLICATION_JSON)
+	Challenge generateTrialChallenge();
+
+	@POST
+	@Path("/hub/trial")
+	@Consumes(MediaType.APPLICATION_FORM_URLENCODED)
+	@Produces(MediaType.APPLICATION_JSON)
+	TrialLicenseResponse generateTrialLicense(@FormParam("captcha") String captcha);
+
+	record Challenge(@JsonProperty("algorithm") String algorithm,
+							@JsonProperty("challenge") String challenge,
+							@JsonProperty("maxnumber") int maxnumber,
+							@JsonProperty("salt") String salt,
+							@JsonProperty("signature") String signature) {
+		public Solution solve(int number, long took) {
+			return new Solution(algorithm, challenge, number, salt, signature, took);
+		}
+	}
+
+	record Solution(@JsonProperty("algorithm") String algorithm,
+						   @JsonProperty("challenge") String challenge,
+						   @JsonProperty("number") int number,
+						   @JsonProperty("salt") String salt,
+						   @JsonProperty("signature") String signature,
+						   @JsonProperty("took") long took) {
+		private static final ObjectMapper OBJECT_MAPPER = new ObjectMapper();
+		public String toCaptcha() {
+			try {
+				var serialized = OBJECT_MAPPER.writer().writeValueAsBytes(this);
+				return Base64.getEncoder().encodeToString(serialized);
+			} catch (IOException e) {
+				throw new UncheckedIOException("Failed to encode captcha", e);
+			}
+		}
+	}
+
+	record TrialLicenseResponse(@JsonProperty("hubId") String hubId,
+								@JsonProperty("licenseKey") String licenseKey) {}
+
+
+}