mirror of
https://github.com/bitwarden/server.git
synced 2025-07-03 00:52:49 -05:00
user premium validation job
This commit is contained in:
Kyle Spearrin
228
src/Core/Services/Implementations/LicensingService.cs
Normal file
228
src/Core/Services/Implementations/LicensingService.cs
Normal file
@ -0,0 +1,228 @@
|
||||
using Bit.Core.Models.Business;
|
||||
using Bit.Core.Models.Table;
|
||||
using Bit.Core.Repositories;
|
||||
using Bit.Core.Utilities;
|
||||
using Microsoft.AspNetCore.Hosting;
|
||||
using Microsoft.Extensions.Logging;
|
||||
using Newtonsoft.Json;
|
||||
using System;
|
||||
using System.Collections.Generic;
|
||||
using System.IO;
|
||||
using System.Linq;
|
||||
using System.Security.Cryptography.X509Certificates;
|
||||
using System.Text;
|
||||
using System.Threading.Tasks;
|
||||
|
||||
namespace Bit.Core.Services
|
||||
{
|
||||
public class LicensingService : ILicensingService
|
||||
{
|
||||
private readonly X509Certificate2 _certificate;
|
||||
private readonly GlobalSettings _globalSettings;
|
||||
private readonly IUserRepository _userRepository;
|
||||
private readonly IOrganizationRepository _organizationRepository;
|
||||
private readonly IOrganizationUserRepository _organizationUserRepository;
|
||||
private readonly ILogger<LicensingService> _logger;
|
||||
|
||||
private IDictionary<Guid, DateTime> _userCheckCache = new Dictionary<Guid, DateTime>();
|
||||
|
||||
public LicensingService(
|
||||
IUserRepository userRepository,
|
||||
IOrganizationRepository organizationRepository,
|
||||
IOrganizationUserRepository organizationUserRepository,
|
||||
IHostingEnvironment environment,
|
||||
ILogger<LicensingService> logger,
|
||||
GlobalSettings globalSettings)
|
||||
{
|
||||
_userRepository = userRepository;
|
||||
_organizationRepository = organizationRepository;
|
||||
_organizationUserRepository = organizationUserRepository;
|
||||
_logger = logger;
|
||||
|
||||
var certThumbprint = "207e64a231e8aa32aaf68a61037c075ebebd553f";
|
||||
_globalSettings = globalSettings;
|
||||
_certificate = !_globalSettings.SelfHosted ? CoreHelpers.GetCertificate(certThumbprint)
|
||||
: CoreHelpers.GetEmbeddedCertificate("licensing.cer", null);
|
||||
if(_certificate == null || !_certificate.Thumbprint.Equals(CoreHelpers.CleanCertificateThumbprint(certThumbprint),
|
||||
StringComparison.InvariantCultureIgnoreCase))
|
||||
{
|
||||
throw new Exception("Invalid licensing certificate.");
|
||||
}
|
||||
|
||||
if(!CoreHelpers.SettingHasValue(_globalSettings.LicenseDirectory))
|
||||
{
|
||||
throw new InvalidOperationException("No license directory.");
|
||||
}
|
||||
}
|
||||
|
||||
public async Task ValidateOrganizationsAsync()
|
||||
{
|
||||
if(!_globalSettings.SelfHosted)
|
||||
{
|
||||
return;
|
||||
}
|
||||
|
||||
var orgs = await _organizationRepository.GetManyByEnabledAsync();
|
||||
_logger.LogInformation("Validating licenses for {0} organizations.", orgs.Count);
|
||||
|
||||
foreach(var org in orgs)
|
||||
{
|
||||
var license = ReadOrganiztionLicense(org);
|
||||
if(license == null || !license.VerifyData(org, _globalSettings) || !license.VerifySignature(_certificate))
|
||||
{
|
||||
_logger.LogInformation("Organization {0}({1}) has an invalid license and is being disabled.",
|
||||
org.Id, org.Name);
|
||||
|
||||
org.Enabled = false;
|
||||
org.ExpirationDate = license.Expires;
|
||||
org.RevisionDate = DateTime.UtcNow;
|
||||
await _organizationRepository.ReplaceAsync(org);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
public async Task ValidateUsersAsync()
|
||||
{
|
||||
if(!_globalSettings.SelfHosted)
|
||||
{
|
||||
return;
|
||||
}
|
||||
|
||||
var premiumUsers = await _userRepository.GetManyByPremiumAsync(true);
|
||||
_logger.LogInformation("Validating premium for {0} users.", premiumUsers.Count);
|
||||
|
||||
foreach(var user in premiumUsers)
|
||||
{
|
||||
await ProcessUserValidationAsync(user);
|
||||
}
|
||||
|
||||
var nonPremiumUsers = await _userRepository.GetManyByPremiumAsync(false);
|
||||
_logger.LogInformation("Checking to restore premium for {0} users.", nonPremiumUsers.Count);
|
||||
|
||||
foreach(var user in nonPremiumUsers)
|
||||
{
|
||||
var details = await _organizationUserRepository.GetManyDetailsByUserAsync(user.Id);
|
||||
if(details.Any(d => d.Enabled))
|
||||
{
|
||||
_logger.LogInformation("Granting premium to user {0}({1}) because they are in an active organization.",
|
||||
user.Id, user.Email);
|
||||
|
||||
user.Premium = true;
|
||||
user.MaxStorageGb = 10240; // 10 TB
|
||||
user.RevisionDate = DateTime.UtcNow;
|
||||
user.PremiumExpirationDate = null;
|
||||
user.LicenseKey = null;
|
||||
await _userRepository.ReplaceAsync(user);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
public async Task<bool> ValidateUserPremiumAsync(User user)
|
||||
{
|
||||
if(!_globalSettings.SelfHosted)
|
||||
{
|
||||
return user.Premium;
|
||||
}
|
||||
|
||||
if(!user.Premium)
|
||||
{
|
||||
return false;
|
||||
}
|
||||
|
||||
// Only check once per day
|
||||
var now = DateTime.UtcNow;
|
||||
if(_userCheckCache.ContainsKey(user.Id))
|
||||
{
|
||||
var lastCheck = _userCheckCache[user.Id];
|
||||
if(lastCheck < now && now - lastCheck < TimeSpan.FromDays(1))
|
||||
{
|
||||
return user.Premium;
|
||||
}
|
||||
else
|
||||
{
|
||||
_userCheckCache[user.Id] = now;
|
||||
}
|
||||
}
|
||||
else
|
||||
{
|
||||
_userCheckCache.Add(user.Id, now);
|
||||
}
|
||||
|
||||
_logger.LogInformation("Validating premium license for user {0}({1}).", user.Id, user.Email);
|
||||
return await ProcessUserValidationAsync(user);
|
||||
}
|
||||
|
||||
private async Task<bool> ProcessUserValidationAsync(User user)
|
||||
{
|
||||
var license = ReadUserLicense(user);
|
||||
var valid = license != null && license.VerifyData(user) && license.VerifySignature(_certificate);
|
||||
|
||||
if(!valid)
|
||||
{
|
||||
var details = await _organizationUserRepository.GetManyDetailsByUserAsync(user.Id);
|
||||
valid = details.Any(d => d.Enabled);
|
||||
|
||||
if(valid && (!string.IsNullOrWhiteSpace(user.LicenseKey) || user.PremiumExpirationDate.HasValue))
|
||||
{
|
||||
// user used to be on a license but is now part of a organization that gives them premium.
|
||||
// update the record.
|
||||
user.PremiumExpirationDate = null;
|
||||
user.LicenseKey = null;
|
||||
await _userRepository.ReplaceAsync(user);
|
||||
}
|
||||
}
|
||||
|
||||
if(!valid)
|
||||
{
|
||||
_logger.LogInformation("User {0}({1}) has an invalid license and premium is being disabled.",
|
||||
user.Id, user.Email);
|
||||
|
||||
user.Premium = false;
|
||||
user.PremiumExpirationDate = license.Expires;
|
||||
user.RevisionDate = DateTime.UtcNow;
|
||||
await _userRepository.ReplaceAsync(user);
|
||||
}
|
||||
|
||||
return valid;
|
||||
}
|
||||
|
||||
public bool VerifyLicense(ILicense license)
|
||||
{
|
||||
return license.VerifySignature(_certificate);
|
||||
}
|
||||
|
||||
public byte[] SignLicense(ILicense license)
|
||||
{
|
||||
if(_globalSettings.SelfHosted || !_certificate.HasPrivateKey)
|
||||
{
|
||||
throw new InvalidOperationException("Cannot sign licenses.");
|
||||
}
|
||||
|
||||
return license.Sign(_certificate);
|
||||
}
|
||||
|
||||
private UserLicense ReadUserLicense(User user)
|
||||
{
|
||||
var filePath = $"{_globalSettings.LicenseDirectory}/user/{user.Id}.json";
|
||||
if(!File.Exists(filePath))
|
||||
{
|
||||
return null;
|
||||
}
|
||||
|
||||
var data = File.ReadAllText(filePath, Encoding.UTF8);
|
||||
return JsonConvert.DeserializeObject<UserLicense>(data);
|
||||
}
|
||||
|
||||
private OrganizationLicense ReadOrganiztionLicense(Organization organization)
|
||||
{
|
||||
var filePath = $"{_globalSettings.LicenseDirectory}/organization/{organization.Id}.json";
|
||||
if(!File.Exists(filePath))
|
||||
{
|
||||
return null;
|
||||
}
|
||||
|
||||
var data = File.ReadAllText(filePath, Encoding.UTF8);
|
||||
return JsonConvert.DeserializeObject<OrganizationLicense>(data);
|
||||
}
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user