(core) add minimal support for activation keys

Summary: For grist-ee, expect an activation key in environment variable `GRIST_ACTIVATION` or in a file pointed to by `GRIST_ACTIVATION_FILE`. In absence of key, start a 30-day trial, during which a banner is shown. Once trial expires, installation goes into document-read-only mode.

Test Plan: added a test

Reviewers: dsagal

Reviewed By: dsagal

Subscribers: jarek

Differential Revision: https://phab.getgrist.com/D3426
This commit is contained in:
Paul Fitzpatrick 2022-05-11 15:05:35 -04:00
parent f48d579f64
commit e4d47a2f3c
12 changed files with 153 additions and 8 deletions

View File

@ -518,6 +518,23 @@ export interface GristLoadConfig {
// Google Tag Manager id. Currently only used to load tag manager for reporting new sign-ups.
tagManagerId?: string;
activation?: ActivationState;
}
/**
* For a packaged version of Grist that requires activation, this
* summarizes the current state. Not applicable to grist-core.
*/
export interface ActivationState {
trial?: { // Present when installation has not yet been activated.
days: number; // Max number of days allowed prior to activation.
daysLeft: number; // Number of days left until Grist will get cranky.
}
needKey?: boolean; // Set when Grist is cranky and demanding activation.
key?: { // Set when Grist is activated.
daysLeft?: number; // Number of days until Grist will need reactivation.
}
}
// Acceptable org subdomains are alphanumeric (hyphen also allowed) and of

View File

@ -0,0 +1,17 @@
import {BaseEntity, Column, Entity, PrimaryColumn} from "typeorm";
@Entity({name: 'activations'})
export class Activation extends BaseEntity {
@PrimaryColumn()
public id: string;
@Column({name: 'key', type: 'text', nullable: true})
public key: string|null;
@Column({name: 'created_at', default: () => "CURRENT_TIMESTAMP"})
public createdAt: Date;
@Column({name: 'updated_at', default: () => "CURRENT_TIMESTAMP"})
public updatedAt: Date;
}

View File

@ -0,0 +1,28 @@
import { makeId } from 'app/server/lib/idUtils';
import { Activation } from 'app/gen-server/entity/Activation';
import { HomeDBManager } from 'app/gen-server/lib/HomeDBManager';
/**
* Manage activations. Not much to do currently, there is at most one
* activation. The activation singleton establishes an id and creation
* time for the installation.
*/
export class Activations {
constructor(private _db: HomeDBManager) {
}
// Get the current activation row, creating one if necessary.
// It will be created with an empty key column, which will get
// filled in once an activation key is presented.
public current(): Promise<Activation> {
return this._db.connection.manager.transaction(async manager => {
let activation = await manager.findOne(Activation);
if (!activation) {
activation = manager.create(Activation);
activation.id = makeId();
await activation.save();
}
return activation;
});
}
}

View File

@ -253,6 +253,8 @@ export class HomeDBManager extends EventEmitter {
// deployments on same subdomain.
private _docAuthCache = new MapWithTTL<string, Promise<DocAuthResult>>(DOC_AUTH_CACHE_TTL);
// In restricted mode, documents should be read-only.
private _restrictedMode: boolean = false;
public emit(event: NotifierEvent, ...args: any[]): boolean {
return super.emit(event, ...args);
@ -338,6 +340,10 @@ export class HomeDBManager extends EventEmitter {
this._idPrefix = prefix;
}
public setRestrictedMode(restricted: boolean) {
this._restrictedMode = restricted;
}
public async connect(): Promise<void> {
try {
// If multiple servers are started within the same process, we
@ -1104,7 +1110,7 @@ export class HomeDBManager extends EventEmitter {
if (docs.length > 1) { throw new ApiError('ambiguous document request', 400); }
doc = docs[0];
const features = doc.workspace.org.billingAccount.product.features;
if (features.readOnlyDocs) {
if (features.readOnlyDocs || this._restrictedMode) {
// Don't allow any access to docs that is stronger than "viewers".
doc.access = roles.getWeakestRole('viewers', doc.access);
}

View File

@ -0,0 +1,39 @@
import {MigrationInterface, QueryRunner, Table} from 'typeorm';
export class Activations1652273656610 implements MigrationInterface {
public async up(queryRunner: QueryRunner): Promise<any> {
// created_at and updated_at code is based on *-Initial.ts
const sqlite = queryRunner.connection.driver.options.type === 'sqlite';
const datetime = sqlite ? "datetime" : "timestamp with time zone";
const now = "now()";
await queryRunner.createTable(new Table({
name: 'activations',
columns: [
{
name: "id",
type: "varchar",
isPrimary: true,
},
{
name: "key",
type: "varchar",
isNullable: true,
},
{
name: "created_at",
type: datetime,
default: now
},
{
name: "updated_at",
type: datetime,
default: now
},
]}));
}
public async down(queryRunner: QueryRunner): Promise<any> {
await queryRunner.dropTable('activations');
}
}

View File

@ -1,6 +1,7 @@
import {ApiError} from 'app/common/ApiError';
import {OpenDocMode} from 'app/common/DocListAPI';
import {ErrorWithCode} from 'app/common/ErrorWithCode';
import {ActivationState} from 'app/common/gristUrls';
import {FullUser, UserProfile} from 'app/common/LoginSessionAPI';
import {canEdit, canView, getWeakestRole, Role} from 'app/common/roles';
import {UserOptions} from 'app/common/UserAPI';
@ -34,6 +35,7 @@ export interface RequestWithLogin extends Request {
docAuth?: DocAuthResult; // For doc requests, the docId and the user's access level.
specialPermit?: Permit;
altSessionId?: string; // a session id for use in trigger formulas and granular access rules
activation?: ActivationState;
}
/**

View File

@ -12,6 +12,7 @@ import {ApiServer} from 'app/gen-server/ApiServer';
import {Document} from "app/gen-server/entity/Document";
import {Organization} from "app/gen-server/entity/Organization";
import {Workspace} from 'app/gen-server/entity/Workspace';
import {Activations} from 'app/gen-server/lib/Activations';
import {DocApiForwarder} from 'app/gen-server/lib/DocApiForwarder';
import {getDocWorkerMap} from 'app/gen-server/lib/DocWorkerMap';
import {HomeDBManager} from 'app/gen-server/lib/HomeDBManager';
@ -470,6 +471,9 @@ export class FlexServer implements GristServer {
await this._dbManager.initializeSpecialIds();
// Report which database we are using, without sensitive credentials.
this.info.push(['database', getDatabaseUrl(this._dbManager.connection.options, false)]);
// If the installation appears to be new, give it an id and a creation date.
const activations = new Activations(this._dbManager);
await activations.current();
}
public addDocWorkerMap() {
@ -566,6 +570,12 @@ export class FlexServer implements GristServer {
this._billing.addEventHandlers();
}
public async addBillingMiddleware() {
if (this._check('activation', 'homedb')) { return; }
this._getBilling();
await this._billing.addMiddleware?.(this.app);
}
/**
* Add a /api/log endpoint that simply outputs client errors to our
* logs. This is a minimal placeholder for a special-purpose

View File

@ -4,4 +4,5 @@ export interface IBilling {
addEndpoints(app: express.Express): void;
addEventHandlers(): void;
addWebhooks(app: express.Express): void;
addMiddleware?(app: express.Express): Promise<void>;
}

View File

@ -9,6 +9,7 @@ import {INotifier} from 'app/server/lib/INotifier';
import {ISandbox, ISandboxCreationOptions} from 'app/server/lib/ISandbox';
import {IShell} from 'app/server/lib/IShell';
import {createSandbox} from 'app/server/lib/NSandbox';
import * as express from 'express';
export interface ICreate {
@ -48,13 +49,18 @@ export interface ICreateStorageOptions {
export function makeSimpleCreator(opts: {
sessionSecret?: string,
storage?: ICreateStorageOptions[],
activationMiddleware?: (db: HomeDBManager, app: express.Express) => Promise<void>,
}): ICreate {
return {
Billing() {
Billing(db) {
return {
addEndpoints() { /* do nothing */ },
addEventHandlers() { /* do nothing */ },
addWebhooks() { /* do nothing */ }
addWebhooks() { /* do nothing */ },
async addMiddleware(app) {
// add activation middleware, if needed.
return opts?.activationMiddleware?.(db, app);
}
};
},
Notifier() {

View File

@ -1,6 +1,6 @@
import {GristLoadConfig} from 'app/common/gristUrls';
import {getTagManagerSnippet} from 'app/common/tagManager';
import {isAnonymousUser} from 'app/server/lib/Authorizer';
import {isAnonymousUser, RequestWithLogin} from 'app/server/lib/Authorizer';
import {RequestWithOrg} from 'app/server/lib/extractOrg';
import {GristServer} from 'app/server/lib/GristServer';
import {getSupportedEngineChoices} from 'app/server/lib/serverUtils';
@ -49,6 +49,7 @@ export function makeGristConfig(homeUrl: string|null, extra: Partial<GristLoadCo
enableWidgetRepository: Boolean(process.env.GRIST_WIDGET_LIST_URL),
survey: Boolean(process.env.DOC_ID_NEW_USER_INFO),
tagManagerId: process.env.GOOGLE_TAG_MANAGER_ID,
activation: (mreq as RequestWithLogin|undefined)?.activation,
...extra,
};
}
@ -91,7 +92,22 @@ export function makeSendAppPage(opts: {
const staticOrigin = process.env.APP_STATIC_URL || "";
const staticBaseUrl = `${staticOrigin}/v/${options.tag || tag}/`;
const customHeadHtmlSnippet = server?.create.getExtraHeadHtml?.() ?? "";
const warning = testLogin ? "<div class=\"dev_warning\">Authentication is not enforced</div>" : "";
// TODO: Temporary changes until there is a handy banner to put this in.
let warning = testLogin ? "<div class=\"dev_warning\">Authentication is not enforced</div>" : "";
const activation = config.activation;
if (!warning && activation) {
if (activation.trial) {
warning = `Trial: ${activation.trial.daysLeft} day(s) left`;
} else if (activation.needKey) {
warning = 'Activation key needed. Documents in read-only mode.';
} else if (activation.key?.daysLeft && activation.key.daysLeft < 30) {
warning = `Need reactivation in ${activation.key.daysLeft} day(s)`;
}
if (warning) {
warning = `<div class="dev_warning activation-msg">${warning}</div>`;
}
}
// Temporary changes end.
const content = fileContent
.replace("<!-- INSERT WARNING -->", warning)
.replace("<!-- INSERT BASE -->", `<base href="${staticBaseUrl}">` + tagManagerSnippet)

View File

@ -98,6 +98,7 @@ export async function main(port: number, serverTypes: ServerType[],
server.addAccessMiddleware();
server.addApiMiddleware();
await server.addBillingMiddleware();
await server.start();

View File

@ -59,12 +59,13 @@ export async function main() {
await fse.mkdirp(process.env.GRIST_DATA_DIR!);
// Make a blank db if needed.
await updateDb();
const db = new HomeDBManager();
await db.connect();
await db.initializeSpecialIds({skipWorkspaces: true});
// If a team/organization is specified, make sure it exists.
const org = process.env.GRIST_SINGLE_ORG;
if (org && org !== 'docs') {
const db = new HomeDBManager();
await db.connect();
await db.initializeSpecialIds({skipWorkspaces: true});
try {
db.unwrapQueryResult(await db.getOrg({
userId: db.getPreviewerUserId(),
@ -94,6 +95,7 @@ export async function main() {
});
}
}
// Launch single-port, self-contained version of Grist.
const server = await mergedServerMain(G.port, ["home", "docs", "static"]);
if (process.env.GRIST_TESTING_SOCKET) {