Support session-based license refresh, revert #/?

Author: overheadhunter

backend/src/main/java/org/cryptomator/hub/api/LicenseResource.java

@@ -3,6 +3,8 @@
 import com.fasterxml.jackson.annotation.JsonProperty;
 import jakarta.annotation.security.RolesAllowed;
 import jakarta.inject.Inject;
+import jakarta.ws.rs.Consumes;
+import jakarta.ws.rs.FormParam;
 import jakarta.ws.rs.GET;
 import jakarta.ws.rs.InternalServerErrorException;
 import jakarta.ws.rs.POST;
@@ -14,9 +16,10 @@
 import org.cryptomator.hub.license.LicenseHolder;
 import org.eclipse.microprofile.openapi.annotations.Operation;
 import org.eclipse.microprofile.openapi.annotations.responses.APIResponse;
+import org.jspecify.annotations.Nullable;
 
-import java.io.IOException;
 import java.time.Instant;
+import java.util.UUID;
 
 @Path("/license")
 public class LicenseResource {
@@ -55,18 +58,23 @@ public static LicenseUserInfoDto create(LicenseHolder licenseHolder, int usedSea
 
 	@POST
 	@Path("/refresh")
+	@Consumes(MediaType.APPLICATION_FORM_URLENCODED)
 	@RolesAllowed("admin")
 	@Operation(summary = "Refresh license information", description = "Refreshes the license information from the license server.")
 	@APIResponse(responseCode = "204", description = "License information refreshed")
+	@APIResponse(responseCode = "404", description = "Session not found")
 	@APIResponse(responseCode = "500", description = "License refresh failed")
-	public Response refresh() {
+	public Response refresh(@FormParam("session") @Nullable UUID session) {
 		try {
-			licenseHolder.refreshLicense();
-		} catch (IOException e) {
+			if (session == null) {
+				licenseHolder.refreshLicense();
+			} else {
+				licenseHolder.refreshLicense(session);
+			}
+		} catch (LicenseHolder.LicenseRefreshFailedException e) {
 			throw new InternalServerErrorException("License refresh failed", e);
 		}
 		return Response.noContent().build();
 	}
 
-
 }

backend/src/main/java/org/cryptomator/hub/license/ExceptionMapper.java

@@ -0,0 +1,21 @@
+package org.cryptomator.hub.license;
+
+import jakarta.ws.rs.NotFoundException;
+import jakarta.ws.rs.ServerErrorException;
+import jakarta.ws.rs.WebApplicationException;
+import jakarta.ws.rs.core.Response;
+import org.eclipse.microprofile.rest.client.ext.ResponseExceptionMapper;
+
+/**
+ * Translates certain http status codes to specific exception types.
+ */
+public class ExceptionMapper implements ResponseExceptionMapper<WebApplicationException> {
+
+	@Override
+	public WebApplicationException toThrowable(Response response) {
+		return switch (response.getStatus()) {
+			case 404 -> new NotFoundException();
+			default -> new ServerErrorException("Received unexpected http status code: " + response.getStatus(), Response.Status.BAD_GATEWAY);
+		};
+	}
+}

backend/src/main/java/org/cryptomator/hub/license/LicenseApi.java

@@ -9,14 +9,18 @@
 import jakarta.ws.rs.POST;
 import jakarta.ws.rs.Path;
 import jakarta.ws.rs.Produces;
+import jakarta.ws.rs.QueryParam;
 import jakarta.ws.rs.core.MediaType;
+import org.eclipse.microprofile.rest.client.annotation.RegisterProvider;
 import org.eclipse.microprofile.rest.client.inject.RegisterRestClient;
 
 import java.io.IOException;
 import java.io.UncheckedIOException;
 import java.util.Base64;
+import java.util.UUID;
 
 @RegisterRestClient(configKey = "license-api")
+@RegisterProvider(ExceptionMapper.class)
 public interface LicenseApi {
 
 	@GET
@@ -41,6 +45,11 @@ public interface LicenseApi {
 	@Produces(MediaType.TEXT_PLAIN)
 	String refreshLicense(@FormParam("token") String licenseKey, @FormParam("captcha") String captcha);
 
+	@GET
+	@Path("/hub")
+	@Produces(MediaType.TEXT_PLAIN)
+	String getLicense(@QueryParam("session") UUID sessionId);
+
 	record Challenge(@JsonProperty("algorithm") String algorithm,
 					 @JsonProperty("challenge") String challenge,
 					 @JsonProperty("maxnumber") int maxnumber,

backend/src/main/java/org/cryptomator/hub/license/LicenseHolder.java

@@ -33,6 +33,7 @@
 import java.util.Base64;
 import java.util.HexFormat;
 import java.util.Optional;
+import java.util.UUID;
 
 @ApplicationScoped
 public class LicenseHolder {
@@ -83,7 +84,7 @@ void init() {
 			LOG.debug("License was issued more than 5 minutes ago. Attempting a refresh to ensure we have the latest license information from the license server.");
 			try {
 				refreshLicense();
-			} catch (IOException e) {
+			} catch (LicenseRefreshFailedException e) {
 				LOG.error("Failed to refresh license during startup.", e);
 			}
 		}
@@ -210,31 +211,31 @@ void scheduleLicenseRefresh() {
 		try {
 			randomSleeper.sleep(0, 59, ChronoUnit.MINUTES); // add random sleep to reduce infrastructure load
 			refreshLicense();
-		} catch (IOException e) {
+		} catch (LicenseRefreshFailedException e) {
 			LOG.error("Scheduled license refresh failed.", e);
 		} catch (InterruptedException e) {
 			Thread.currentThread().interrupt();
 			LOG.warn("Scheduled license refresh was interrupted.", e);
 		}
 	}
 
-	public void refreshLicense() throws IOException {
+	public void refreshLicense(UUID session) throws LicenseRefreshFailedException, WebApplicationException {
+		var refreshedLicense = licenseApi.getLicense(session);
+		validateAndSet(refreshedLicense);
+	}
+
+	public void refreshLicense() throws LicenseRefreshFailedException {
 		var refreshUrl = getLicenseRefreshUri();
-		final String refreshedLicense;
-		try {
-			refreshedLicense = requestLicenseRefresh(refreshUrl, get().getToken());
-		} catch (LicenseRefreshFailedException e) {
-			LOG.errorv("Failed to refresh license token. Request to {0} was answered with response code {1,number,integer}", refreshUrl, e.statusCode);
-			throw new IOException("Failed to refresh license token.", e);
-		} catch (InterruptedException _) {
-			Thread.currentThread().interrupt();
-			throw new InterruptedIOException("License refresh was interrupted");
-		}
+		var refreshedLicense = requestLicenseRefresh(refreshUrl, get().getToken());
+		validateAndSet(refreshedLicense);
+	}
+
+	private void validateAndSet(String refreshedLicense) throws LicenseRefreshFailedException {
 		try {
 			set(refreshedLicense);
 		} catch (JWTVerificationException e) {
 			LOG.errorv(e, "Failed to refresh license token. Refreshed token is invalid: {0}", refreshedLicense);
-			throw new IOException("Invalid new license token.", e);
+			throw new LicenseRefreshFailedException("Invalid new license token.", e);
 		}
 	}
 
@@ -251,8 +252,14 @@ private URI getLicenseRefreshUri() {
 	}
 
 	//visible for testing
-	String requestLicenseRefresh(URI refreshUrl, String licenseToken) throws InterruptedException, IOException, LicenseRefreshFailedException {
+	String requestLicenseRefresh(URI refreshUrl, String licenseToken) throws LicenseRefreshFailedException {
 		var solution = solveChallenge();
+		// TODO: do we eventually want to migrate away from refreshUrl and use hard-coded api? using it in other places already anyway.
+//		try {
+//			return licenseApi.refreshLicense(licenseToken, solution.toCaptcha());
+//		} catch (WebApplicationException e) {
+//			throw new LicenseRefreshFailedException(e.getResponse().getStatus());
+//		}
 		try (var client = HttpClient.newBuilder().followRedirects(HttpClient.Redirect.NORMAL).build()) {
 			var body = "token=" + URLEncoder.encode(licenseToken, StandardCharsets.UTF_8)
 					+ "&captcha=" + URLEncoder.encode(solution.toCaptcha(), StandardCharsets.UTF_8);
@@ -266,8 +273,13 @@ String requestLicenseRefresh(URI refreshUrl, String licenseToken) throws Interru
 			if (response.statusCode() == 200 && !response.body().isEmpty()) {
 				return response.body();
 			} else {
-				throw new LicenseRefreshFailedException(response.statusCode(), body);
+				throw new LicenseRefreshFailedException("License endpoint responded with status code " + response.statusCode());
 			}
+		} catch (IOException e) {
+			throw new LicenseRefreshFailedException("I/O error", e);
+		} catch (InterruptedException e) {
+			Thread.currentThread().interrupt();
+			throw new LicenseRefreshFailedException("License refresh was interrupted", e);
 		}
 	}
 
@@ -306,13 +318,18 @@ public boolean isManagedInstance() {
 		return managedInstance;
 	}
 
-	static class LicenseRefreshFailedException extends RuntimeException {
-		final int statusCode;
-		final String body;
+	public static class LicenseRefreshFailedException extends Exception {
+
+		LicenseRefreshFailedException(String message, Throwable cause) {
+			super(message, cause);
+		}
+
+		LicenseRefreshFailedException(String message) {
+			super(message);
+		}
 
-		LicenseRefreshFailedException(int statusCode, String body) {
-			this.statusCode = statusCode;
-			this.body = body;
+		LicenseRefreshFailedException(Throwable cause) {
+			super(cause);
 		}
 	}
 

backend/src/test/java/org/cryptomator/hub/api/LicenseResourceTest.java

@@ -0,0 +1,134 @@
+package org.cryptomator.hub.api;
+
+import io.quarkus.test.InjectMock;
+import io.quarkus.test.junit.QuarkusTest;
+import io.quarkus.test.security.TestSecurity;
+import io.quarkus.test.security.oidc.Claim;
+import io.quarkus.test.security.oidc.OidcSecurity;
+import io.restassured.RestAssured;
+import io.restassured.http.ContentType;
+import org.cryptomator.hub.entities.EffectiveVaultAccess;
+import org.cryptomator.hub.license.LicenseHolder;
+import org.junit.jupiter.api.BeforeAll;
+import org.junit.jupiter.api.DisplayName;
+import org.junit.jupiter.api.Nested;
+import org.junit.jupiter.api.Test;
+import org.mockito.Mockito;
+
+import java.util.UUID;
+
+import static io.restassured.RestAssured.given;
+import static io.restassured.RestAssured.when;
+
+@QuarkusTest
+@DisplayName("Resource /license")
+class LicenseResourceTest {
+
+	private static final UUID SESSION = UUID.fromString("11111111-2222-3333-4444-555555555555");
+
+	@InjectMock
+	LicenseHolder licenseHolder;
+
+	@InjectMock
+	EffectiveVaultAccess.Repository effectiveVaultAccessRepo;
+
+	@BeforeAll
+	static void beforeAll() {
+		RestAssured.enableLoggingOfRequestAndResponseIfValidationFails();
+	}
+
+	@Nested
+	@DisplayName("As admin")
+	@TestSecurity(user = "Admin", roles = {"admin"})
+	@OidcSecurity(claims = {
+			@Claim(key = "sub", value = "admin")
+	})
+	class AsAdmin {
+
+		@Test
+		@DisplayName("POST /license/refresh returns 204 and refreshes from the refreshUrl")
+		void testRefresh() throws LicenseHolder.LicenseRefreshFailedException {
+			when().post("/license/refresh")
+					.then().statusCode(204);
+
+			Mockito.verify(licenseHolder).refreshLicense();
+		}
+
+		@Test
+		@DisplayName("POST /license/refresh returns 500 if the refresh fails")
+		void testRefreshFailure() throws LicenseHolder.LicenseRefreshFailedException {
+			Mockito.doThrow(LicenseHolder.LicenseRefreshFailedException.class).when(licenseHolder).refreshLicense();
+
+			when().post("/license/refresh")
+					.then().statusCode(500);
+		}
+
+		@Test
+		@DisplayName("POST /license/refresh with session returns 204 and refreshes for that session")
+		void testRefreshSession() throws LicenseHolder.LicenseRefreshFailedException {
+			given().contentType(ContentType.URLENC).formParam("session", SESSION.toString())
+					.when().post("/license/refresh")
+					.then().statusCode(204);
+
+			Mockito.verify(licenseHolder).refreshLicense(SESSION);
+		}
+
+		@Test
+		@DisplayName("POST /license/refresh with session returns 500 if the refresh fails")
+		void testRefreshSessionFailure() throws LicenseHolder.LicenseRefreshFailedException {
+			Mockito.doThrow(LicenseHolder.LicenseRefreshFailedException.class).when(licenseHolder).refreshLicense(SESSION);
+
+			given().contentType(ContentType.URLENC).formParam("session", SESSION.toString())
+					.when().post("/license/refresh")
+					.then().statusCode(500);
+		}
+
+	}
+
+	@Nested
+	@DisplayName("As any other role")
+	@TestSecurity(user = "User Name 1", roles = {"user"})
+	@OidcSecurity(claims = {
+			@Claim(key = "sub", value = "user1")
+	})
+	class AsAnyOtherRole {
+
+		@Test
+		@DisplayName("POST /license/refresh returns 403 Forbidden")
+		void testRefresh() {
+			when().post("/license/refresh")
+					.then().statusCode(403);
+		}
+
+		@Test
+		@DisplayName("POST /license/refresh with session returns 403 Forbidden")
+		void testRefreshSession() {
+			given().contentType(ContentType.URLENC).formParam("session", SESSION.toString())
+					.when().post("/license/refresh")
+					.then().statusCode(403);
+		}
+
+	}
+
+	@Nested
+	@DisplayName("As unauthenticated user")
+	class AsAnonymous {
+
+		@Test
+		@DisplayName("POST /license/refresh returns 401 Unauthorized")
+		void testRefresh() {
+			when().post("/license/refresh")
+					.then().statusCode(401);
+		}
+
+		@Test
+		@DisplayName("POST /license/refresh with session returns 401 Unauthorized")
+		void testRefreshSession() {
+			given().contentType(ContentType.URLENC).formParam("session", SESSION.toString())
+					.when().post("/license/refresh")
+					.then().statusCode(401);
+		}
+
+	}
+
+}