From ed7af4fc8253be7af251f3faa32fb982b5e16010 Mon Sep 17 00:00:00 2001 From: Evan Carlin Date: Wed, 8 Jan 2025 17:53:29 +0000 Subject: [PATCH 1/9] Fix #7424: make all of Sirepo moderated A trial is now required to access all of Sirepo. Every new user is moderated. All existing users will be give 30 days access. After that a paid plan will be required. 30 days after this is deployed (after all non-paid users are expired) we can remove moderating for Jupyterhub. Just the moderation for Sirepo will be enough. --- etc/run.sh | 1 - sirepo/api_auth.py | 5 +- sirepo/api_perm.py | 4 +- sirepo/auth/__init__.py | 25 ++++++--- sirepo/auth_db/user.py | 38 ++++++++----- sirepo/auth_role.py | 8 ++- sirepo/auth_role_moderation.py | 56 +++++++++++++++---- sirepo/db_upgrade.py | 22 ++++++++ sirepo/feature_config.py | 1 + sirepo/job_api.py | 24 ++++---- .../auth_role_moderation/approve_email.jinja | 3 +- .../auth_role_moderation/clarify_email.jinja | 1 - .../moderation_email.jinja | 1 + .../static/html/http-plan-required.html | 8 +++ .../static/js/sirepo-components.js | 21 +++++-- sirepo/package_data/static/js/sirepo.js | 7 +-- .../static/json/schema-common.json | 12 ++++ sirepo/pkcli/roles.py | 41 ++++++++++++-- sirepo/reply.py | 9 ++- sirepo/server.py | 43 ++++++++------ sirepo/sim_api/jupyterhublogin.py | 4 +- sirepo/sim_data/__init__.py | 2 +- sirepo/sim_oauth/flash.py | 2 +- sirepo/uri_router.py | 7 +-- sirepo/util.py | 6 ++ tests/plan_trial_test.py | 49 ++++++++++++++++ 26 files changed, 303 insertions(+), 97 deletions(-) create mode 100644 sirepo/package_data/static/html/http-plan-required.html create mode 100644 tests/plan_trial_test.py diff --git a/etc/run.sh b/etc/run.sh index bf2bb67d48..bfb1e8940a 100644 --- a/etc/run.sh +++ b/etc/run.sh @@ -26,7 +26,6 @@ _env_mail_smtp() { _env_moderate() { declare sim_type=$1 export SIREPO_FEATURE_CONFIG_MODERATED_SIM_TYPES=$sim_type - export SIREPO_AUTH_ROLE_MODERATION_MODERATOR_EMAIL=$USER+moderator@localhost.localdomain _msg "Moderated sim_type=$sim_type" _setup_smtp _env_common diff --git a/sirepo/api_auth.py b/sirepo/api_auth.py index ab484d77d9..d8f83f8dbf 100644 --- a/sirepo/api_auth.py +++ b/sirepo/api_auth.py @@ -32,12 +32,15 @@ def check_api_call(qcall, func): a.ALLOW_SIM_TYPELESS_REQUIRE_EMAIL_USER, a.REQUIRE_COOKIE_SENTINEL, a.REQUIRE_USER, + a.REQUIRE_PLAN, a.REQUIRE_ADM, a.REQUIRE_PREMIUM, ): if not qcall.cookie.has_sentinel(): raise sirepo.util.SRException("missingCookies", None) - if expect == a.REQUIRE_USER: + if expect == a.REQUIRE_PLAN: + qcall.auth.require_plan() + elif expect == a.REQUIRE_USER: qcall.auth.require_user() elif expect == a.ALLOW_SIM_TYPELESS_REQUIRE_EMAIL_USER: qcall.auth.require_email_user() diff --git a/sirepo/api_perm.py b/sirepo/api_perm.py index 1c28eb750b..9a932a6c59 100644 --- a/sirepo/api_perm.py +++ b/sirepo/api_perm.py @@ -32,7 +32,9 @@ class APIPerm(aenum.Flag): REQUIRE_USER = aenum.auto() #: only usable on internal test systems INTERNAL_TEST = aenum.auto() - #: a user with a a premium subscription is required + #: a user with an active plan (any type) is required + REQUIRE_PLAN = aenum.auto() + #: a user with a a premium plan is required REQUIRE_PREMIUM = aenum.auto() diff --git a/sirepo/auth/__init__.py b/sirepo/auth/__init__.py index ffb7877963..dffeb6dc78 100644 --- a/sirepo/auth/__init__.py +++ b/sirepo/auth/__init__.py @@ -172,11 +172,9 @@ def check_sim_type_role(self, sim_type, force_sim_type_required_for_api=False): return u = self.logged_in_user() r = sirepo.auth_role.for_sim_type(t) - if self.qcall.auth_db.model("UserRole").has_role( - role=r - ) and not self.qcall.auth_db.model("UserRole").is_expired(role=r): + if self.qcall.auth_db.model("UserRole").has_active_role(role=r): return - elif r in sirepo.auth_role.for_proprietary_oauth_sim_types(): + if r in sirepo.auth_role.for_proprietary_oauth_sim_types(): oauth.raise_authorize_redirect(self.qcall, sirepo.auth_role.sim_type(r)) if r in sirepo.auth_role.for_moderated_sim_types(): auth_role_moderation.raise_control_for_user(self.qcall, u, r) @@ -184,7 +182,7 @@ def check_sim_type_role(self, sim_type, force_sim_type_required_for_api=False): def _assert_role_user(self): u = self.logged_in_user() - if not self.qcall.auth_db.model("UserRole").has_role( + if not self.qcall.auth_db.model("UserRole").has_active_role( role=sirepo.auth_role.ROLE_USER, ): raise sirepo.util.Forbidden( @@ -274,7 +272,7 @@ def is_logged_in(self, state=None): return s in (_STATE_COMPLETE_REGISTRATION, _STATE_LOGGED_IN) def is_premium_user(self): - return self.qcall.auth_db.model("UserRole").has_role( + return self.qcall.auth_db.model("UserRole").has_active_role( role=sirepo.auth_role.ROLE_PAYMENT_PLAN_PREMIUM, ) @@ -493,7 +491,7 @@ def parse_display_name(self, value): def require_adm(self): u = self.require_user() - if not self.qcall.auth_db.model("UserRole").has_role( + if not self.qcall.auth_db.model("UserRole").has_active_role( role=sirepo.auth_role.ROLE_ADM, ): raise sirepo.util.Forbidden( @@ -515,9 +513,20 @@ def require_email_user(self): if m != METHOD_EMAIL: raise sirepo.util.Forbidden(f"method={m} is not email for uid={i}") + def require_plan(self): + from sirepo import auth_role_moderation + + u = self.require_user() + for r in sirepo.auth_role.for_plans(): + if self.qcall.auth_db.model("UserRole").has_active_role(r): + return + auth_role_moderation.raise_control_for_user( + self.qcall, u, sirepo.auth_role.ROLE_TRIAL + ) + def require_premium(self): if not self.is_premium_user(): - raise sirepo.util.Forbidden(f"not premium user") + raise sirepo.util.Forbidden("not premium user") def require_user(self): """Asserts whether user is logged in diff --git a/sirepo/auth_db/user.py b/sirepo/auth_db/user.py index 15c16b357c..d5347c38dd 100644 --- a/sirepo/auth_db/user.py +++ b/sirepo/auth_db/user.py @@ -36,9 +36,9 @@ def add_roles(self, roles, expiration=None): u = self.logged_in_user() for r in roles: try: - # Check here, because sqlite doesn't through IntegrityErrors + # Check here, because sqlite doesn't throw IntegrityErrors # at the point of the new() operation. - if not self.has_role(r, uid=u): + if not self._has_role(r, uid=u): self.new(uid=u, role=r, expiration=expiration).save() except sqlalchemy.exc.IntegrityError: # role already exists @@ -46,7 +46,7 @@ def add_roles(self, roles, expiration=None): sim_data.audit_proprietary_lib_files(qcall=self.auth_db.qcall) def add_role_or_update_expiration(self, role, expiration): - if not self.has_role(role): + if not self._has_role(role): self.add_roles(roles=[role], expiration=expiration) return r = self.search_by(uid=self.logged_in_user(), role=role) @@ -71,19 +71,19 @@ def delete_roles(self, roles, uid=None): def get_roles(self): return self.search_all_for_column("role", uid=self.logged_in_user()) - def has_role(self, role, uid=None): - return bool( - self.unchecked_search_by(uid=uid or self.logged_in_user(), role=role) - ) + def get_roles_and_expiration(self): + return [ + PKDict(role=r.role, expiration=r.expiration) + for r in self.query().filter_by(uid=self.logged_in_user()) + ] - def is_expired(self, role): - u = self.logged_in_user() - assert self.has_role(role=role), f"No role for uid={u} and role={role}" - r = self.search_by(uid=u, role=role) - if not r.expiration: - # Roles with no expiration can't expire - return False - return r.expiration < sirepo.srtime.utc_now() + def has_active_role(self, role, uid=None): + r = self._has_role(role, uid=uid) + return r and not self._is_expired_role(r) + + def has_expired_role(self, role): + r = self._has_role(role) + return r and self._is_expired_role(r) def uids_of_paid_users(self): return self.uids_with_roles(sirepo.auth_role.PAID_USER_ROLES) @@ -103,6 +103,14 @@ def uids_with_roles(self, roles): .all() ] + def _has_role(self, role, uid=None): + return self.unchecked_search_by(uid=uid or self.logged_in_user(), role=role) + + def _is_expired_role(self, role_record): + return ( + role_record.expiration and role_record.expiration < sirepo.srtime.utc_now() + ) + class UserRoleModeration(sirepo.auth_db.UserDbBase): __tablename__ = "user_role_moderation_t" diff --git a/sirepo/auth_role.py b/sirepo/auth_role.py index 5750e2f7d3..deca602980 100644 --- a/sirepo/auth_role.py +++ b/sirepo/auth_role.py @@ -10,8 +10,9 @@ import sirepo.feature_config ROLE_ADM = "adm" -ROLE_USER = "user" ROLE_PAYMENT_PLAN_PREMIUM = "premium" +ROLE_TRIAL = "trial" +ROLE_USER = "user" PAID_USER_ROLES = (ROLE_PAYMENT_PLAN_PREMIUM,) _SIM_TYPE_ROLE_PREFIX = "sim_type_" @@ -49,6 +50,10 @@ def for_proprietary_oauth_sim_types(): ] +def for_plans(): + return {ROLE_TRIAL, *PAID_USER_ROLES} + + def for_sim_type(sim_type): return _SIM_TYPE_ROLE_PREFIX + sim_type @@ -59,6 +64,7 @@ def get_all(): ] + [ ROLE_ADM, ROLE_PAYMENT_PLAN_PREMIUM, + ROLE_TRIAL, ROLE_USER, ] diff --git a/sirepo/auth_role_moderation.py b/sirepo/auth_role_moderation.py index f10399dfdd..0845380c56 100644 --- a/sirepo/auth_role_moderation.py +++ b/sirepo/auth_role_moderation.py @@ -5,18 +5,20 @@ :license: http://www.apache.org/licenses/LICENSE-2.0.html """ from pykern import pkconfig -from pykern.pkdebug import pkdexc, pkdp, pkdlog -from pykern.pkcollections import PKDict from pykern import pkjinja +from pykern.pkcollections import PKDict +from pykern.pkdebug import pkdexc, pkdp, pkdlog import datetime -import sirepo.quest +import getpass import sirepo.auth_role import sirepo.feature_config +import sirepo.quest import sirepo.simulation_db import sirepo.smtp import sirepo.uri import sirepo.uri_router import sqlalchemy +import sqlalchemy.exc _STATUS_TO_SUBJECT = PKDict( approve="Access Request Approved", @@ -45,11 +47,13 @@ async def api_admModerate(self): def _send_moderation_status_email(info): sirepo.smtp.send( recipient=info.user_name, - subject=f"Sirepo {info.app_name}: {_STATUS_TO_SUBJECT[info.status]}", + subject=f"Sirepo {info.role_friendly_name}: {_STATUS_TO_SUBJECT[info.status]}", body=pkjinja.render_resource( f"auth_role_moderation/{info.status}_email", PKDict( + additional_text=info.get("additional_text"), app_name=info.app_name, + role_friendly_name=info.role_friendly_name, display_name=info.display_name, link=self.absolute_uri( self.uri_for_app_root( @@ -62,7 +66,9 @@ def _send_moderation_status_email(info): def _set_moderation_status(info): if info.status == "approve": - self.auth_db.model("UserRole").add_roles(roles=[info.role]) + self.auth_db.model("UserRole").add_roles( + roles=[info.role], expiration=info.get("expiration") + ) self.auth_db.model("UserRoleModeration").set_status( role=info.role, status=info.status, @@ -88,9 +94,20 @@ def _set_moderation_status(info): req.req_data.role, ) p = PKDict( - app_name=sirepo.simulation_db.SCHEMA_COMMON.appInfo[ + role_friendly_name="Trial", + app_name="Sirepo", + expiration=datetime.datetime.now() + + datetime.timedelta( + days=sirepo.feature_config.cfg().trial_expiration_days + ), + additional_text=f"Your trial is active for {sirepo.feature_config.cfg().trial_expiration_days} days.", + ) + if not i.role == sirepo.auth_role.ROLE_TRIAL: + a = sirepo.simulation_db.SCHEMA_COMMON.appInfo[ sirepo.auth_role.sim_type(i.role) - ].longName, + ].longName + p = PKDict(role_friendly_name=a, app_name=a) + p.pkupdate( role=i.role, status=req.req_data.status, moderator_uid=self.auth.logged_in_user(), @@ -153,9 +170,18 @@ def _send_request_email(info): req = self.parse_post() u = self.auth.logged_in_user() - r = sirepo.auth_role.for_sim_type(req.type) - if self.auth_db.model("UserRole").has_role(role=r): + r = sirepo.auth_role.ROLE_TRIAL + # SECURITY: type has been validated to be a known sim type. If it is + # not in moderated_sim_types then we know the user is just requesting + # access to start using Sirepo (ROLE_TRIAL). + if req.type in sirepo.feature_config.cfg().moderated_sim_types: + r = sirepo.auth_role.for_sim_type(req.type) + if self.auth_db.model("UserRole").has_active_role(role=r): raise sirepo.util.Redirect(sirepo.uri.local_route(req.type)) + if self.auth_db.model("UserRole").has_expired_role(role=r): + raise AssertionError( + f"uid={u} trying to request moderation for expired role={r}" + ) try: self.auth_db.model( "UserRoleModeration", @@ -183,7 +209,7 @@ def _send_request_email(info): email_addr=self.auth.logged_in_user_name(), link=l, reason=req.req_data.reason, - role=sirepo.auth_role.for_sim_type(req.type), + role=r, sim_type=req.type, uid=u, ).pkupdate(self.user_agent_headers()) @@ -200,6 +226,10 @@ def _datetime_to_str(rows): def raise_control_for_user(qcall, uid, role): + if qcall.auth_db.model("UserRole").has_expired_role(role): + if role == sirepo.auth_role.ROLE_TRIAL: + raise sirepo.util.PlanRequired(f"uid={uid} role={role} expired") + raise sirepo.util.Forbidden(f"uid={uid} role={role} expired") s = qcall.auth_db.model("UserRoleModeration").get_status(uid=uid, role=role) if s in _ACTIVE: raise sirepo.util.SRException("moderationPending", None) @@ -214,8 +244,10 @@ def init_apis(*args, **kwargs): global _cfg _cfg = pkconfig.init( - moderator_email=pkconfig.Required( - str, "The email address to send moderation emails to" + moderator_email=pkconfig.RequiredUnlessDev( + f"{getpass.getuser()}+moderator@localhost.localdomain", + str, + "The email address to send moderation emails to", ), ) x = frozenset(_STATUS_TO_SUBJECT.keys()) diff --git a/sirepo/db_upgrade.py b/sirepo/db_upgrade.py index a7e3917b00..275a2b51ad 100644 --- a/sirepo/db_upgrade.py +++ b/sirepo/db_upgrade.py @@ -8,9 +8,11 @@ from pykern.pkcollections import PKDict from pykern.pkdebug import pkdp, pkdlog, pkdexc import contextlib +import datetime import shutil import sirepo.auth_db import sirepo.auth_role +import sirepo.feature_config import sirepo.file_lock import sirepo.job import sirepo.quest @@ -102,6 +104,26 @@ def _20240524_add_role_user(qcall): ) +def _20250114_add_role_trial(qcall): + """Give all existing users a trial with expiration""" + import sirepo.pkcli.roles + import sirepo.auth_role + + for u in qcall.auth_db.all_uids(): + sirepo.pkcli.roles.add( + u, + sirepo.auth_role.ROLE_TRIAL, + expiration=int( + ( + datetime.datetime.now() + + datetime.timedelta( + days=sirepo.feature_config.cfg().trial_expiration_days + ) + ).timestamp() + ), + ) + + @contextlib.contextmanager def _backup_db_and_prevent_upgrade_on_error(): b = sirepo.auth_db.db_filename() + ".bak" diff --git a/sirepo/feature_config.py b/sirepo/feature_config.py index 8d1bd4f9f6..e7f38230f7 100644 --- a/sirepo/feature_config.py +++ b/sirepo/feature_config.py @@ -216,6 +216,7 @@ def _test(msg): show_open_shadow=_test('Show "Open as a New Shadow Simulation" menu item'), show_rsopt_ml=_test('Show "Export ML Script" menu item'), ), + trial_expiration_days=(30, int, "number of days a sirepo trial is active"), trust_sh_env=( False, bool, diff --git a/sirepo/job_api.py b/sirepo/job_api.py index f103f3441e..e163176b60 100644 --- a/sirepo/job_api.py +++ b/sirepo/job_api.py @@ -54,12 +54,12 @@ async def api_admJobs(self): _request_content=self._parse_post_just_data(), ) - @sirepo.quest.Spec("require_user") + @sirepo.quest.Spec("require_plan") async def api_analysisJob(self): # TODO(robnagler): computeJobHash has to be checked return await self._request_api() - @sirepo.quest.Spec("require_user") + @sirepo.quest.Spec("require_plan") async def api_beginSession(self): """Starts beginSession request asynchronously @@ -72,7 +72,7 @@ async def api_beginSession(self): ) @sirepo.quest.Spec( - "require_user", + "require_plan", sid="SimId", model="AnalysisModel", frame="DataFileIndex", @@ -87,7 +87,7 @@ async def api_downloadDataFile( ) @sirepo.quest.Spec( - "require_user", + "require_plan", sid="SimId", model="AnalysisModel", frame="DataFileIndex", @@ -148,7 +148,7 @@ def _content_too_large(req): f"frame={frame} not found sid={req.id} sim_type={req.type}", ) - @sirepo.quest.Spec("require_user") + @sirepo.quest.Spec("require_plan") async def api_globalResources(self): assert ( sirepo.feature_config.cfg().enable_global_resources @@ -184,13 +184,13 @@ async def api_jobSupervisorPing(self): e = "unexpected exception" return PKDict(state="error", error=e) - @sirepo.quest.Spec("require_user") + @sirepo.quest.Spec("require_plan") async def api_ownJobs(self): return await self._request_api( _request_content=self._parse_post_just_data(), ) - @sirepo.quest.Spec("require_user") + @sirepo.quest.Spec("require_plan") async def api_runCancel(self): try: return await self._request_api() @@ -199,14 +199,14 @@ async def api_runCancel(self): # Always true from the client's perspective return self.reply_dict({"state": "canceled"}) - @sirepo.quest.Spec("require_user") + @sirepo.quest.Spec("require_plan") async def api_runSimulation(self): r = self._request_content(PKDict()) if r.isParallel: r.isPremiumUser = self.auth.is_premium_user() return await self._request_api(_request_content=r) - @sirepo.quest.Spec("require_user") + @sirepo.quest.Spec("require_plan") async def api_runStatus(self): # runStatus receives models when an animation status if first queried return await self._request_api(_request_content=self._request_content(PKDict())) @@ -229,7 +229,7 @@ async def api_sbatchLoginStatus(self): ) ) - @sirepo.quest.Spec("require_user", frame_id="SimFrameId") + @sirepo.quest.Spec("require_plan", frame_id="SimFrameId") async def api_simulationFrame(self, frame_id): return await template_common.sim_frame( frame_id, @@ -243,11 +243,11 @@ async def api_simulationFrame(self, frame_id): self, ) - @sirepo.quest.Spec("require_user") + @sirepo.quest.Spec("require_plan") async def api_statefulCompute(self): return await self._request_compute(op_key="stful") - @sirepo.quest.Spec("require_user") + @sirepo.quest.Spec("require_plan") async def api_statelessCompute(self): return await self._request_compute(op_key="stlss") diff --git a/sirepo/package_data/auth_role_moderation/approve_email.jinja b/sirepo/package_data/auth_role_moderation/approve_email.jinja index b993859404..216ceb21c9 100644 --- a/sirepo/package_data/auth_role_moderation/approve_email.jinja +++ b/sirepo/package_data/auth_role_moderation/approve_email.jinja @@ -1,3 +1,4 @@ -Your request for {{ app_name }} access has been approved. +Your request for Sirepo {{ role_friendly_name }} access has been approved. {{ link }} +{{ additional_text }} diff --git a/sirepo/package_data/auth_role_moderation/clarify_email.jinja b/sirepo/package_data/auth_role_moderation/clarify_email.jinja index 65d7f66ec2..6033ac4ae2 100644 --- a/sirepo/package_data/auth_role_moderation/clarify_email.jinja +++ b/sirepo/package_data/auth_role_moderation/clarify_email.jinja @@ -13,4 +13,3 @@ Thank you for your understanding. Sincerely, Sirepo Support - diff --git a/sirepo/package_data/auth_role_moderation/moderation_email.jinja b/sirepo/package_data/auth_role_moderation/moderation_email.jinja index 8c8a579cb4..39fa75fbea 100644 --- a/sirepo/package_data/auth_role_moderation/moderation_email.jinja +++ b/sirepo/package_data/auth_role_moderation/moderation_email.jinja @@ -1,5 +1,6 @@ Name: {{ display_name }} Simulation Type: {{ sim_type }} +Role: {{ role }} Reason: {{ reason }} Email: {{ email_addr }} DNS: {{ domain_name }} diff --git a/sirepo/package_data/static/html/http-plan-required.html b/sirepo/package_data/static/html/http-plan-required.html new file mode 100644 index 0000000000..c93086ff2a --- /dev/null +++ b/sirepo/package_data/static/html/http-plan-required.html @@ -0,0 +1,8 @@ +
+
+
+

Plan Required

+

An is required to use Sirepo.

+
+
+
diff --git a/sirepo/package_data/static/js/sirepo-components.js b/sirepo/package_data/static/js/sirepo-components.js index 34886dfbf2..450289d1a7 100644 --- a/sirepo/package_data/static/js/sirepo-components.js +++ b/sirepo/package_data/static/js/sirepo-components.js @@ -398,11 +398,11 @@ SIREPO.app.directive('canceledDueToTimeoutAlert', function(authState) { template: ` `, controller: function($scope, appState) { - $scope.authState = authState; + $scope.upgradeToLink = `please upgrade to a ${authState.upgradeToPlan} plan`; $scope.getTime = function() { return appState.formatTime($scope.simState.getCanceledAfterSecs()); @@ -1792,6 +1792,20 @@ SIREPO.app.directive('pendingLinkToSimulations', function() { }; }); + +SIREPO.app.directive('plansLink', function() { + return { + restrict: 'A', + scope: { + linkText: '@', + }, + template: '{{ linkText }}', + controller: function($scope) { + $scope.plansUrl = SIREPO.APP_SCHEMA.constants.plansUrl; + }, + }; +}); + SIREPO.app.directive('safePath', function() { // keep in sync with sirepo.srschem.py _NAME_ILLEGALS @@ -4765,7 +4779,7 @@ SIREPO.app.directive('sbatchLoginModal', function() {
{{ warning }}
@@ -4803,7 +4817,6 @@ SIREPO.app.directive('sbatchLoginModal', function() { _resetLoginFormText(); $scope.authState = authState; - $scope.plansUrl = SIREPO.APP_SCHEMA.constants.plansUrl; $scope.sbatchLoginService = sbatchLoginService; $scope.cancel = () => { diff --git a/sirepo/package_data/static/js/sirepo.js b/sirepo/package_data/static/js/sirepo.js index 522682401e..604f9a7d24 100644 --- a/sirepo/package_data/static/js/sirepo.js +++ b/sirepo/package_data/static/js/sirepo.js @@ -2,6 +2,7 @@ // needs to be here so test.sh doesn't see it SIREPO.srlog = (...args) => {console.log( (new Date().toISOString()).substring(11, 19), + (new Error()).stack.split("\n")[2].match(/\(([^)]+)\)/)?.[1] || "unknown location", ...args, );}; SIREPO.srdbg = SIREPO.srlog; @@ -323,12 +324,6 @@ SIREPO.app.factory('authState', function(appDataService, appState, errorService, self.sbatchHostIsNersc = self.sbatchHostDisplayName ? self.sbatchHostDisplayName.toLowerCase().indexOf('nersc') >= 0 : false; - self.upgradePlanLink = function() { - return '' + - SIREPO.APP_SCHEMA.constants.paymentPlans[self.upgradeToPlan] + ''; - }; - return self; }); diff --git a/sirepo/package_data/static/json/schema-common.json b/sirepo/package_data/static/json/schema-common.json index 0849c6298c..8211642f6a 100644 --- a/sirepo/package_data/static/json/schema-common.json +++ b/sirepo/package_data/static/json/schema-common.json @@ -160,6 +160,7 @@ "listSimulations": "/simulation-list", "newSimulation": "/new-simulation", "ownJobs": "/own-jobs", + "planRequired": "/plan-required", "proxyError": "/proxy-error", "pythonSource": "/python-source///?/?", "redirectJupyterHub": "/redirect-jupyterhub", @@ -453,6 +454,12 @@ "templateUrl": "/static/html/copy-session.html" } }, + "planRequired": { + "route": "/plan-required", + "config": { + "templateUrl": "/static/html/http-plan-required.html" + } + }, "proxyError": { "route": "/proxy-error", "config": { @@ -557,6 +564,11 @@ } }, "customErrors": { + "402": { + "url": "http-plan-required.html", + "msg": "Plan Required", + "route": "planRequired" + }, "403": { "url": "http-forbidden.html", "msg": "Forbidden", diff --git a/sirepo/pkcli/roles.py b/sirepo/pkcli/roles.py index 839c25c697..0da98d8421 100644 --- a/sirepo/pkcli/roles.py +++ b/sirepo/pkcli/roles.py @@ -8,20 +8,37 @@ from pykern.pkdebug import pkdc, pkdexc, pkdlog, pkdp from sirepo.pkcli import admin import contextlib +import datetime import pykern.pkcli import sirepo.auth_role import sirepo.quest -def add(uid_or_email, *roles): - """Assign roles to a user +def add(uid_or_email, *roles, expiration=None): + """Assign roles to a user. Args: uid_or_email (str): Uid or email of the user - *roles: The roles to assign to the user + *roles (str): The roles to assign to the user + expiration (None|POSIX Timestamp): The expiration date for the roles """ + with _parse_args(uid_or_email, roles) as qcall: + qcall.auth_db.model("UserRole").add_roles( + roles, expiration=_parse_expiration(expiration) + ) + +def add_or_update(uid_or_email, *roles, expiration=None): + """Add roles or update expirations to existing roles for user. + Args: + uid_or_email (str): Uid or email of the user + *roles (str): The roles to assign to the user + expiration (None|POSIX Timestamp): The expiration date for the roles + """ with _parse_args(uid_or_email, roles) as qcall: - qcall.auth_db.model("UserRole").add_roles(roles) + for r in roles: + qcall.auth_db.model("UserRole").add_role_or_update_expiration( + r, _parse_expiration(expiration) + ) def add_roles(*args): @@ -72,6 +89,16 @@ def list(uid_or_email): return qcall.auth_db.model("UserRole").get_roles() +def list_with_expiration(uid_or_email): + """List all roles assigned to a user with their expiration. + Args: + uid_or_email (str): Uid or email of the user + """ + + with _parse_args(uid_or_email) as qcall: + return qcall.auth_db.model("UserRole").get_roles_and_expiration() + + def list_roles(*args): """DEPRECATED: Use list""" return list(*args) @@ -102,3 +129,9 @@ def _parse_args(uid_or_email, roles=None): ), "roles={} not a subset of all_roles={}".format(roles, a) with qcall.auth.logged_in_user_set(u): yield qcall + + +def _parse_expiration(expiration): + return ( + None if expiration is None else datetime.datetime.fromtimestamp(int(expiration)) + ) diff --git a/sirepo/reply.py b/sirepo/reply.py index 98ce953109..36aa44a1cc 100644 --- a/sirepo/reply.py +++ b/sirepo/reply.py @@ -569,12 +569,12 @@ def _gen_exception_reply_ContentTooLarge(self, args): def _gen_exception_reply_Error(self, args): return self.from_kwargs(content=_Error(args)) - def _gen_exception_reply_Forbidden(self, args): - return self._gen_http_exception(403) - def _gen_exception_reply_NotFound(self, args): return self._gen_http_exception(404) + def _gen_exception_reply_PlanRequired(self, args): + return self._gen_http_exception(402) + def _gen_exception_reply_Redirect(self, args): return self.gen_redirect(args.uri) @@ -597,6 +597,9 @@ def _gen_exception_reply_SRException(self, args): args.pksetdefault(sim_type=lambda: self.qcall.sim_type_uget()) return self.from_kwargs(content=_SRException(args)) + def _gen_exception_reply_Forbidden(self, args): + return self._gen_http_exception(403) + def _gen_exception_reply_Unauthorized(self, args): return self._gen_http_exception(401) diff --git a/sirepo/server.py b/sirepo/server.py index b5b09510d0..132f3eaf3f 100644 --- a/sirepo/server.py +++ b/sirepo/server.py @@ -40,7 +40,7 @@ class API(sirepo.quest.API): - @sirepo.quest.Spec("require_user", sid="SimId") + @sirepo.quest.Spec("require_plan", sid="SimId") async def api_copyNonSessionSimulation(self): req = self.parse_post(id=True, template=True) src = pkio.py_path( @@ -70,7 +70,10 @@ async def api_copyNonSessionSimulation(self): return self._save_with_related(req, data) @sirepo.quest.Spec( - "require_user", sid="SimId", folder="SimFolderName", name="SimName" + "require_plan", + sid="SimId", + folder="SimFolderName", + name="SimName", ) async def api_copySimulation(self): """Takes the specified simulation and returns a newly named copy with the suffix ( X)""" @@ -84,12 +87,12 @@ async def api_copySimulation(self): ) return self._save_new_and_reply(req, d) - @sirepo.quest.Spec("require_user", filename="SimFileName", file_type="SimFileType") + @sirepo.quest.Spec("require_plan", filename="SimFileName", file_type="SimFileType") async def api_deleteFile(self): """Deprecated - use `api_deleteLibFile`""" return await self.api_deleteLibFile() - @sirepo.quest.Spec("require_user", filename="SimFileName", file_type="SimFileType") + @sirepo.quest.Spec("require_plan", filename="SimFileName", file_type="SimFileType") async def api_deleteLibFile(self): req = self.parse_post(filename=True, file_type=True) e = _simulations_using_file(req) @@ -107,18 +110,18 @@ async def api_deleteLibFile(self): pkio.unchecked_remove(_lib_file_write_path(req)) return self.reply_ok() - @sirepo.quest.Spec("require_user", sid="SimId") + @sirepo.quest.Spec("require_plan", sid="SimId") async def api_deleteSimulation(self): req = self.parse_post(id=True) simulation_db.delete_simulation(req.type, req.id, qcall=self) return self.reply_ok() - @sirepo.quest.Spec("require_user", filename="SimFileName") + @sirepo.quest.Spec("require_plan", filename="SimFileName") async def api_downloadFile(self, simulation_type, simulation_id, filename): """Deprecated - use `api_downloadLibFile`""" return await self.api_downloadLibFile(simulation_type, filename) - @sirepo.quest.Spec("require_user", filename="SimFileName") + @sirepo.quest.Spec("require_plan", filename="SimFileName") async def api_downloadLibFile(self, simulation_type, filename): req = self.parse_params(type=simulation_type, filename=filename) return self.reply_attachment( @@ -174,7 +177,7 @@ async def api_forbidden(self): raise sirepo.util.Forbidden("app forced forbidden") @sirepo.quest.Spec( - "require_user", + "require_plan", file_type="LibFileType", ) async def api_listFiles(self): @@ -198,7 +201,9 @@ async def api_findByName(self, simulation_type, application_mode, simulation_nam ) @sirepo.quest.Spec( - "require_user", application_mode="AppMode", simulation_name="SimName" + "require_plan", + application_mode="AppMode", + simulation_name="SimName", ) async def api_findByNameWithAuth( self, simulation_type, application_mode, simulation_name @@ -249,7 +254,7 @@ async def api_findByNameWithAuth( ) @sirepo.quest.Spec( - "require_user", + "require_plan", file="ImportFile", folder="SimFolderPath", sid="SimId", @@ -349,7 +354,7 @@ async def api_homePage(self, path_info=None): "staticFile", kwargs=PKDict(path_info="en/" + (path_info or "landing.html")) ) - @sirepo.quest.Spec("require_user", folder="FolderName", name="SimName") + @sirepo.quest.Spec("require_plan", folder="FolderName", name="SimName") async def api_newSimulation(self): req = self.parse_post(template=True, folder=True, name=True) d = simulation_db.default_data(req.type) @@ -422,7 +427,7 @@ async def api_root(self, path_info=None): return self.reply_redirect(u) raise sirepo.util.NotFound(f"unknown path={path_info}") - @sirepo.quest.Spec("require_user", sid="SimId", data="SimData all_input") + @sirepo.quest.Spec("require_plan", sid="SimId", data="SimData all_input") async def api_saveSimulationData(self): # do not fixup_old_data yet req = self.parse_post(id=True, template=True) @@ -449,7 +454,10 @@ async def api_securityTxt(self): ) @sirepo.quest.Spec( - "require_user", simulation_id="SimId", pretty="Bool optional", section="Section" + "require_plan", + simulation_id="SimId", + pretty="Bool optional", + section="Section", ) async def api_simulationData( self, simulation_type, simulation_id, pretty=False, section=None @@ -505,7 +513,7 @@ async def api_listSimulations(self): ) ) - @sirepo.quest.Spec("require_user") + @sirepo.quest.Spec("require_plan") async def api_simulationRedirect(self, simulation_type, local_route, simulation_id): return self.reply_redirect_for_local_route( sim_type=simulation_type, @@ -544,7 +552,7 @@ async def api_staticFile(self, path_info=None): return self.reply_html(p) return self.reply_file(p) - @sirepo.quest.Spec("require_user", oldName="SimFolderPath", newName="SimFolderPath") + @sirepo.quest.Spec("require_plan", oldName="SimFolderPath", newName="SimFolderPath") async def api_updateFolder(self): # TODO(robnagler) Folder should have a serial, or should it be on data req = self.parse_post() @@ -569,7 +577,6 @@ async def api_updateFolder(self): qcall=self, ): f = r.models.simulation.folder - l = o.lower() if f.lower() == o.lower(): r.models.simulation.folder = n elif f.lower().startswith(o.lower() + "/"): @@ -580,7 +587,7 @@ async def api_updateFolder(self): return self.reply_ok() @sirepo.quest.Spec( - "require_user", + "require_plan", file="LibFile", file_type="LibFileType", simulation_id="SimId", @@ -591,7 +598,7 @@ async def api_uploadFile(self, simulation_type, simulation_id, file_type): return await self.api_uploadLibFile(simulation_type, simulation_id, file_type) @sirepo.quest.Spec( - "require_user", + "require_plan", file="LibFile", file_type="LibFileType", simulation_id="SimId", diff --git a/sirepo/sim_api/jupyterhublogin.py b/sirepo/sim_api/jupyterhublogin.py index c16a2e4458..6f28981be8 100644 --- a/sirepo/sim_api/jupyterhublogin.py +++ b/sirepo/sim_api/jupyterhublogin.py @@ -31,7 +31,7 @@ class API(sirepo.quest.API): - @sirepo.quest.Spec("require_user", sim_type=f"SimType const={_SIM_TYPE}") + @sirepo.quest.Spec("require_plan", sim_type=f"SimType const={_SIM_TYPE}") async def api_checkAuthJupyterHub(self): # TODO(rorour) do this role check at a higher level # (see https://github.com/radiasoft/sirepo/issues/7026) @@ -44,7 +44,7 @@ async def api_checkAuthJupyterHub(self): u = create_user(self) return self.reply_ok(PKDict(username=u)) - @sirepo.quest.Spec("require_user", sim_type=f"SimType const={_SIM_TYPE}") + @sirepo.quest.Spec("require_plan", sim_type=f"SimType const={_SIM_TYPE}") async def api_redirectJupyterHub(self): # TODO(rorour) do this role check at a higher level # (see https://github.com/radiasoft/sirepo/issues/7026) diff --git a/sirepo/sim_data/__init__.py b/sirepo/sim_data/__init__.py index 154bf86edf..89b7329fe5 100644 --- a/sirepo/sim_data/__init__.py +++ b/sirepo/sim_data/__init__.py @@ -105,7 +105,7 @@ def _add(proprietary_code_dir, sim_type, cls): assert d.exists(), f"{d} proprietary_code_dir must exist" + ( "; run: sirepo setup_dev" if pkconfig.in_dev_mode() else "" ) - r = qcall.auth_db.model("UserRole").has_role( + r = qcall.auth_db.model("UserRole").has_active_role( role=sirepo.auth_role.for_sim_type(t), ) if r: diff --git a/sirepo/sim_oauth/flash.py b/sirepo/sim_oauth/flash.py index f7085bf419..9ab456eda2 100644 --- a/sirepo/sim_oauth/flash.py +++ b/sirepo/sim_oauth/flash.py @@ -20,7 +20,7 @@ class API(sirepo.quest.API): - @sirepo.quest.Spec("require_user") + @sirepo.quest.Spec("require_plan") async def api_simOauthFlashAuthorized(self): o, _ = sirepo.oauth.check_authorized_callback(self) i = PKDict(o.get(cfg.info_url).json()) diff --git a/sirepo/uri_router.py b/sirepo/uri_router.py index 7d90090b50..aa5410e3e9 100644 --- a/sirepo/uri_router.py +++ b/sirepo/uri_router.py @@ -27,7 +27,7 @@ _FUNC_PREFIX = "api_" #: modules that must be initialized -_REQUIRED_MODULES = ("auth_api", "job_api", "server", "srtime") +_REQUIRED_MODULES = ("auth_api", "job_api", "server", "srtime", "auth_role_moderation") #: uri for default dispatches _ROUTE_URI_DEFAULT = "" @@ -83,13 +83,10 @@ def init_module(want_apis, **imports): global _uri_to_route def _api_modules(): - m = ( + return ( *_REQUIRED_MODULES, *sorted(sirepo.feature_config.cfg().api_modules), ) - if sirepo.feature_config.cfg().moderated_sim_types: - return m + ("auth_role_moderation",) - return m if _uri_to_route is not None: return diff --git a/sirepo/util.py b/sirepo/util.py index da24d8e619..50fbe05af4 100644 --- a/sirepo/util.py +++ b/sirepo/util.py @@ -113,6 +113,12 @@ class NotFound(ReplyExc): pass +class PlanRequired(ReplyExc): + """API requires and active plan""" + + pass + + class Redirect(OKReplyExc): """Raised to redirect diff --git a/tests/plan_trial_test.py b/tests/plan_trial_test.py new file mode 100644 index 0000000000..2bc4dbb93b --- /dev/null +++ b/tests/plan_trial_test.py @@ -0,0 +1,49 @@ +"""test Sirepo Trial plan + +:copyright: Copyright (c) 2025 RadiaSoft LLC. All Rights Reserved. +:license: http://www.apache.org/licenses/LICENSE-2.0.html +""" + +_EXPIRATION_DAYS = 2 + + +def test_guest_trial_no_expiration(auth_fc): + from pykern import pkunit + from sirepo.pkcli import roles + + u = auth_fc.sr_login_as_guest() + l = roles.list_with_expiration(u) + for r in l: + if r.role == "trial" and r.expiration is None: + return + pkunit.pkfail(f"no trial with no expiration in roles={l}") + + +def test_expired_trial_no_run_sim(auth_fc): + from pykern.pkcollections import PKDict + from sirepo.pkcli import roles + import datetime + + u = auth_fc.sr_email_login("e@e.e") + roles.add_or_update( + u, + "trial", + expiration=int( + ( + datetime.datetime.now() + datetime.timedelta(days=_EXPIRATION_DAYS) + ).timestamp() + ), + ) + d = auth_fc.sr_sim_data() + auth_fc.sr_run_sim(d, "heightWeightReport") + with auth_fc.sr_adjust_time(_EXPIRATION_DAYS + 1): + auth_fc.sr_post( + "runSimulation", + PKDict( + models=d.models, + report="heightWeightReport", + simulationId=d.models.simulation.simulationId, + simulationType=d.simulationType, + ), + raw_response=True, + ).assert_http_status(402) From baf2334b55ca2d85f7230c4d518e62e8b640148c Mon Sep 17 00:00:00 2001 From: Evan Carlin <evan@carlin.com> Date: Mon, 20 Jan 2025 16:38:35 +0000 Subject: [PATCH 2/9] fix tests --- sirepo/db_upgrade.py | 22 +++++---------------- sirepo/srunit.py | 6 ++++++ tests/adm_and_own_jobs_test.py | 5 +++++ tests/auth_role_moderation_test.py | 29 ++++++++++++++++++---------- tests/db_upgrade_data/auth.txt | 1 + tests/parse_error_log_test.py | 7 +++++-- tests/pkcli/admin_data/db/auth.db | Bin 114688 -> 114688 bytes tests/proprietary_sim_types_test.py | 1 + 8 files changed, 42 insertions(+), 29 deletions(-) diff --git a/sirepo/db_upgrade.py b/sirepo/db_upgrade.py index 275a2b51ad..8638a458f7 100644 --- a/sirepo/db_upgrade.py +++ b/sirepo/db_upgrade.py @@ -99,29 +99,17 @@ def _20240524_add_role_user(qcall): ) qcall.auth_db.drop_table("user_role_invite_t") qcall.auth_db.execute_sql( - f"INSERT INTO user_role_t (uid, role, expiration)" + "INSERT INTO user_role_t (uid, role, expiration)" + f'SELECT uid, "{sirepo.auth_role.ROLE_USER}", NULL from user_registration_t' ) def _20250114_add_role_trial(qcall): """Give all existing users a trial with expiration""" - import sirepo.pkcli.roles - import sirepo.auth_role - - for u in qcall.auth_db.all_uids(): - sirepo.pkcli.roles.add( - u, - sirepo.auth_role.ROLE_TRIAL, - expiration=int( - ( - datetime.datetime.now() - + datetime.timedelta( - days=sirepo.feature_config.cfg().trial_expiration_days - ) - ).timestamp() - ), - ) + qcall.auth_db.execute_sql( + "INSERT INTO user_role_t (uid, role, expiration)" + + f'SELECT uid, "{sirepo.auth_role.ROLE_TRIAL}", NULL from user_registration_t' + ) @contextlib.contextmanager diff --git a/sirepo/srunit.py b/sirepo/srunit.py index b835748329..3618c08309 100644 --- a/sirepo/srunit.py +++ b/sirepo/srunit.py @@ -153,6 +153,12 @@ def __init__(self, env, job_run_mode, port): if feature_config.cfg().ui_websocket: self._websocket = _WebSocket(self) + def add_plan_trial_role(self): + from sirepo.pkcli import roles + from sirepo import auth_role + + roles.add(self.sr_uid, auth_role.ROLE_TRIAL) + def assert_post_will_redirect(self, expect_re, *args, **kwargs): rv = self.sr_post(*args, **kwargs) rv.assert_http_redirect(expect_re) diff --git a/tests/adm_and_own_jobs_test.py b/tests/adm_and_own_jobs_test.py index 603785cd1b..b757b14f35 100644 --- a/tests/adm_and_own_jobs_test.py +++ b/tests/adm_and_own_jobs_test.py @@ -125,11 +125,16 @@ def _make_user_adm(uid): pkunit.pkeq(r[0], uid, "Expected same uid as user") def _register_both_users(): + from sirepo.pkcli import roles + import sirepo.auth_role + fc.sr_email_login(adm_user, sim_type=t) + roles.add(adm_user, auth_role.ROLE_TRIAL) u = fc.sr_uid fc.sr_logout() _make_user_adm(u) fc.sr_email_login(non_adm_user, sim_type=t) + roles.add(non_adm_user, auth_role.ROLE_TRIAL) fc = auth_fc t = "srw" diff --git a/tests/auth_role_moderation_test.py b/tests/auth_role_moderation_test.py index 80e207c4ab..9a20a8ae69 100644 --- a/tests/auth_role_moderation_test.py +++ b/tests/auth_role_moderation_test.py @@ -7,6 +7,7 @@ from pykern.pkcollections import PKDict _MODERATED_SIM_TYPE = "myapp" +_NON_MODERATED_SIM_TYPE = "elegant" def setup_module(module): @@ -45,7 +46,14 @@ def test_moderation(auth_fc): "saveModerationReason", PKDict( simulationType=auth_fc.sr_sim_type, - reason="reason for needing moderation", + reason="moderation for moderated sim type", + ), + ) + auth_fc.sr_post( + "saveModerationReason", + PKDict( + simulationType=_NON_MODERATED_SIM_TYPE, + reason="moderation for sirepo trial access", ), ) r = auth_fc.sr_post( @@ -60,15 +68,16 @@ def test_moderation(auth_fc): r = auth_fc.sr_get("admModerateRedirect") r.assert_http_status(200) r = auth_fc.sr_post("getModerationRequestRows", PKDict()) - pkunit.pkeq(len(r.rows), 1) - auth_fc.sr_post( - "admModerate", - PKDict( - uid=r.rows[0].uid, - role=r.rows[0].role, - status="approve", - ), - ) + pkunit.pkeq(len(r.rows), 2) + for r in r.rows: + auth_fc.sr_post( + "admModerate", + PKDict( + uid=r.uid, + role=r.role, + status="approve", + ), + ) auth_fc.sr_logout() auth_fc.sr_email_login(a, sim_type=_MODERATED_SIM_TYPE) r = auth_fc.sr_sim_data() diff --git a/tests/db_upgrade_data/auth.txt b/tests/db_upgrade_data/auth.txt index ac8fdfb7d3..021e6ce510 100644 --- a/tests/db_upgrade_data/auth.txt +++ b/tests/db_upgrade_data/auth.txt @@ -10,6 +10,7 @@ INSERT INTO db_upgrade_t VALUES('_20231120_deploy_flash_update',''); INSERT INTO db_upgrade_t VALUES('_20240322_remove_github_auth',''); INSERT INTO db_upgrade_t VALUES('_20240507_cloudmc_to_openmc',''); INSERT INTO db_upgrade_t VALUES('_20240524_add_role_user',''); +INSERT INTO db_upgrade_t VALUES('_20250114_add_role_trial',''); CREATE TABLE auth_email_user_t ( unverified_email VARCHAR(255) NOT NULL, uid VARCHAR(8), diff --git a/tests/parse_error_log_test.py b/tests/parse_error_log_test.py index fc79ccf990..2d4600de4f 100644 --- a/tests/parse_error_log_test.py +++ b/tests/parse_error_log_test.py @@ -4,6 +4,7 @@ :license: http://www.apache.org/licenses/LICENSE-2.0.html """ +import getpass import os @@ -14,6 +15,8 @@ def setup_module(module): # Need to set these manually when in non-dev-mode SIREPO_COOKIE_IS_SECURE="0", SIREPO_COOKIE_PRIVATE_KEY="MTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTI=", + SIREPO_AUTH_ROLE_MODERATION_MODERATOR_EMAIL=getpass.getuser() + + "@localhost.localdomain", # Avoids srw/predefined.json check SIREPO_FEATURE_CONFIG_SIM_TYPES="myapp", SIREPO_SMTP_PASSWORD="dev", @@ -47,6 +50,7 @@ def test_runError(fc): from pykern.pkdebug import pkdc, pkdp, pkdlog import time + fc.add_plan_trial_role() # Need to add explicitly when not in dev d = fc.sr_sim_data() d.models.simulation.name = "srunit_error_run" d = fc.sr_post( @@ -65,5 +69,4 @@ def test_runError(fc): return time.sleep(1) d = fc.sr_post("runStatus", d.nextRequest) - else: - pkunit.pkfail("Error never returned d={}", d) + pkunit.pkfail("Error never returned d={}", d) diff --git a/tests/pkcli/admin_data/db/auth.db b/tests/pkcli/admin_data/db/auth.db index 6743ee6d5308ee8ecae97579dd6896fab7d6e581..07fc3000100569676460d4d0f8106ab4f9b119b6 100644 GIT binary patch delta 290 zcmZo@U~gz(pCB!$%)r1P1H=+Q%nZcB6LpNalo|Ab6L^^d86+lVstYlDvZ*kNvR-Fe zz?8|l1q3G-vJ`I?Wwc>rVMzw6aTH-Pm7Sc(rZM>d8xOZ=qnZr6xUw>1lkntdCTV#Q z=O9<d5Lbl|M<*Xw1*OvB)S~#J{G8PI5+yDTuF}c#m?fEk{K>LBQj<S0iAXDO1q6Be zItE25c)La_Xq0BA=qP~HYjSCB_GFf3WR7Pn*{mo~z&QCjYX=K&IO9<u?;vBd3deR8 z4#qp`T)aSUF!JAG;J>w5(BT3<(D5v?whWse#48AFXEb1B6WA_b!1$eiVgMH>6Huu* X5Q~8%KJZW4z_OX8;E(*W1&j&+qE<%E delta 368 zcmZo@U~gz(pCBzL&%nSS1H__0%ml;&6LpNa<QepW6L^`;7$hfVstYj%vQ1-)XZB=M zVH9P(4uX>lS&BD{GTJb5H71F&iz_QLHgiv2#U#xrHaU<{oU?>WgG&JjN+-`_7N0zs zQI)kMKRY#VG9$BuWNJl0W>I2EW`3T6i(`muh^Mcs4p{MI17>ke2s6~rGceRuK?AHy zlS`8&nL!xnG-R;ZlUbUP`7C3}=0dgt#>v-NJD5zxCucKh@EesDrxwK*<>#cvmq?h3 z0mV#M#d*US!#5YQ1T!|PaBNrMV7#NgoiTusU4WGlXs8H?{e^$h1~!&s4E)D73mWX< zXR}~rk+n6Q{2*RIMAyjN!ob|f%*4#lz{1GL#LURlU{Qj=qy#pW7YzI_HVZo3<ChR; PHs!>sus~ti0!9S@$AMM- diff --git a/tests/proprietary_sim_types_test.py b/tests/proprietary_sim_types_test.py index 308ee2292f..0b6686966d 100644 --- a/tests/proprietary_sim_types_test.py +++ b/tests/proprietary_sim_types_test.py @@ -32,6 +32,7 @@ def test_myapp(auth_fc): fc.sr_sim_data() fc.sr_logout() fc.sr_email_login("a@b.c") + fc.add_plan_trial_role() r = fc.sr_post( "listSimulations", {"simulationType": fc.sr_sim_type}, raw_response=True ) From cc6924d61ef35d98962ca7671c3ea6ecf4f5e673 Mon Sep 17 00:00:00 2001 From: Evan Carlin <evan@carlin.com> Date: Mon, 20 Jan 2025 20:17:33 +0000 Subject: [PATCH 3/9] more test fixes --- tests/supervisor_purge_free_sims_test.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tests/supervisor_purge_free_sims_test.py b/tests/supervisor_purge_free_sims_test.py index abba3d1323..e76106f8a9 100644 --- a/tests/supervisor_purge_free_sims_test.py +++ b/tests/supervisor_purge_free_sims_test.py @@ -70,6 +70,7 @@ def _run_sim(data): user_free = "free@b.c" user_premium = "premium@x.y" fc.sr_email_login(user_free) + fc.add_plan_trial_role() fc.sr_email_login(user_premium) _make_user_premium(fc.sr_uid) _make_invalid_job() @@ -95,6 +96,7 @@ def test_elegant_no_frame_after_purge(auth_fc): fc = auth_fc user_free = "free@b.c" fc.sr_email_login(user_free) + fc.add_plan_trial_role() d = fc.sr_sim_data(sim_name="Compact Storage Ring", sim_type="elegant") r = fc.sr_run_sim(d, "animation") with fc.sr_adjust_time(_PURGE_FREE_AFTER_DAYS + 1): From b1f5dad21faa815c4bd620ea8d2d2e46821f6842 Mon Sep 17 00:00:00 2001 From: Evan Carlin <evan@carlin.com> Date: Wed, 22 Jan 2025 17:47:53 +0000 Subject: [PATCH 4/9] pr comments --- sirepo/api_perm.py | 2 +- sirepo/auth/__init__.py | 10 +++--- sirepo/auth_db/__init__.py | 7 ++-- sirepo/auth_db/user.py | 2 +- sirepo/auth_role.py | 15 ++++----- sirepo/auth_role_moderation.py | 58 ++++++++++++++++++---------------- sirepo/const.py | 2 ++ sirepo/db_upgrade.py | 15 ++++++--- sirepo/feature_config.py | 6 +++- sirepo/job_driver/docker.py | 4 +-- sirepo/reply.py | 2 +- sirepo/srunit.py | 2 +- sirepo/util.py | 2 +- 13 files changed, 72 insertions(+), 55 deletions(-) diff --git a/sirepo/api_perm.py b/sirepo/api_perm.py index 9a932a6c59..36f6f3af96 100644 --- a/sirepo/api_perm.py +++ b/sirepo/api_perm.py @@ -34,7 +34,7 @@ class APIPerm(aenum.Flag): INTERNAL_TEST = aenum.auto() #: a user with an active plan (any type) is required REQUIRE_PLAN = aenum.auto() - #: a user with a a premium plan is required + #: a user with a premium plan is required REQUIRE_PREMIUM = aenum.auto() diff --git a/sirepo/auth/__init__.py b/sirepo/auth/__init__.py index dffeb6dc78..dbbbb810b6 100644 --- a/sirepo/auth/__init__.py +++ b/sirepo/auth/__init__.py @@ -48,7 +48,7 @@ _GUEST_USER_DISPLAY_NAME = "Guest User" _PAYMENT_PLAN_BASIC = "basic" -_PAYMENT_PLAN_PREMIUM = sirepo.auth_role.ROLE_PAYMENT_PLAN_PREMIUM +_PAYMENT_PLAN_PREMIUM = sirepo.auth_role.ROLE_PLAN_PREMIUM _ALL_PAYMENT_PLANS = ( _PAYMENT_PLAN_BASIC, _PAYMENT_PLAN_PREMIUM, @@ -273,7 +273,7 @@ def is_logged_in(self, state=None): def is_premium_user(self): return self.qcall.auth_db.model("UserRole").has_active_role( - role=sirepo.auth_role.ROLE_PAYMENT_PLAN_PREMIUM, + role=sirepo.auth_role.ROLE_PLAN_PREMIUM, ) def logged_in_user(self, check_path=True): @@ -517,11 +517,11 @@ def require_plan(self): from sirepo import auth_role_moderation u = self.require_user() - for r in sirepo.auth_role.for_plans(): + for r in sirepo.auth_role.PLAN_ROLES: if self.qcall.auth_db.model("UserRole").has_active_role(r): return auth_role_moderation.raise_control_for_user( - self.qcall, u, sirepo.auth_role.ROLE_TRIAL + self.qcall, u, sirepo.auth_role.ROLE_PLAN_TRIAL ) def require_premium(self): @@ -772,7 +772,7 @@ def _method_user_model(self, module, uid): def _plan(self, data): r = data.roles - if sirepo.auth_role.ROLE_PAYMENT_PLAN_PREMIUM in r: + if sirepo.auth_role.ROLE_PLAN_PREMIUM in r: data.paymentPlan = _PAYMENT_PLAN_PREMIUM data.upgradeToPlan = None else: diff --git a/sirepo/auth_db/__init__.py b/sirepo/auth_db/__init__.py index 85ad2dec52..1547573755 100644 --- a/sirepo/auth_db/__init__.py +++ b/sirepo/auth_db/__init__.py @@ -188,8 +188,11 @@ def execute(self, statement): statement.execution_options(synchronize_session="fetch") ) - def execute_sql(self, text): - return self.execute(sqlalchemy.text(text + ";")) + def execute_sql(self, text, params=None): + q = sqlalchemy.text(text + ";") + if params: + q = q.bindparams(**params) + return self.execute(q) def metadata(self): return UserDbBase.metadata diff --git a/sirepo/auth_db/user.py b/sirepo/auth_db/user.py index d5347c38dd..f67fd7d328 100644 --- a/sirepo/auth_db/user.py +++ b/sirepo/auth_db/user.py @@ -86,7 +86,7 @@ def has_expired_role(self, role): return r and self._is_expired_role(r) def uids_of_paid_users(self): - return self.uids_with_roles(sirepo.auth_role.PAID_USER_ROLES) + return self.uids_with_roles(sirepo.auth_role.PLAN_ROLES_PAID) def uids_with_roles(self, roles): a = sirepo.auth_role.get_all() diff --git a/sirepo/auth_role.py b/sirepo/auth_role.py index deca602980..a3166a9746 100644 --- a/sirepo/auth_role.py +++ b/sirepo/auth_role.py @@ -10,10 +10,11 @@ import sirepo.feature_config ROLE_ADM = "adm" -ROLE_PAYMENT_PLAN_PREMIUM = "premium" -ROLE_TRIAL = "trial" +ROLE_PLAN_PREMIUM = "premium" +ROLE_PLAN_TRIAL = "trial" ROLE_USER = "user" -PAID_USER_ROLES = (ROLE_PAYMENT_PLAN_PREMIUM,) +PLAN_ROLES_PAID = frozenset((ROLE_PLAN_PREMIUM,)) +PLAN_ROLES = PLAN_ROLES_PAID.union((ROLE_PLAN_TRIAL,)) _SIM_TYPE_ROLE_PREFIX = "sim_type_" @@ -50,10 +51,6 @@ def for_proprietary_oauth_sim_types(): ] -def for_plans(): - return {ROLE_TRIAL, *PAID_USER_ROLES} - - def for_sim_type(sim_type): return _SIM_TYPE_ROLE_PREFIX + sim_type @@ -63,8 +60,8 @@ def get_all(): for_sim_type(t) for t in sirepo.feature_config.auth_controlled_sim_types() ] + [ ROLE_ADM, - ROLE_PAYMENT_PLAN_PREMIUM, - ROLE_TRIAL, + ROLE_PLAN_PREMIUM, + ROLE_PLAN_TRIAL, ROLE_USER, ] diff --git a/sirepo/auth_role_moderation.py b/sirepo/auth_role_moderation.py index 0845380c56..1f61724fc3 100644 --- a/sirepo/auth_role_moderation.py +++ b/sirepo/auth_role_moderation.py @@ -1,9 +1,9 @@ -# -*- coding: utf-8 -*- """Moderate user roles :copyright: Copyright (c) 2022 RadiaSoft LLC. All Rights Reserved. :license: http://www.apache.org/licenses/LICENSE-2.0.html """ + from pykern import pkconfig from pykern import pkjinja from pykern.pkcollections import PKDict @@ -11,6 +11,7 @@ import datetime import getpass import sirepo.auth_role +import sirepo.const import sirepo.feature_config import sirepo.quest import sirepo.simulation_db @@ -44,16 +45,37 @@ class API(sirepo.quest.API): "require_adm", uid="Str", role="Str", status="AuthModerationStatus" ) async def api_admModerate(self): + def _role_info(role, status): + res = PKDict( + role=role, + status=status, + moderator_uid=self.auth.logged_in_user(), + ) + if role == sirepo.auth_role.ROLE_PLAN_TRIAL: + return res.pkupdate( + role_display_name="Trial", + app_name="Sirepo", + expiration=datetime.datetime.now() + + datetime.timedelta( + days=sirepo.feature_config.cfg().trial_expiration_days + ), + additional_text=f"Your trial is active for {sirepo.feature_config.cfg().trial_expiration_days} days.", + ) + a = sirepo.simulation_db.SCHEMA_COMMON.appInfo[ + sirepo.auth_role.sim_type(role) + ].longName + return res.pkupdate(role_display_name=a, app_name=a) + def _send_moderation_status_email(info): sirepo.smtp.send( recipient=info.user_name, - subject=f"Sirepo {info.role_friendly_name}: {_STATUS_TO_SUBJECT[info.status]}", + subject=f"Sirepo {info.role_display_name}: {_STATUS_TO_SUBJECT[info.status]}", body=pkjinja.render_resource( f"auth_role_moderation/{info.status}_email", PKDict( additional_text=info.get("additional_text"), app_name=info.app_name, - role_friendly_name=info.role_friendly_name, + role_display_name=info.role_display_name, display_name=info.display_name, link=self.absolute_uri( self.uri_for_app_root( @@ -93,25 +115,7 @@ def _set_moderation_status(info): req.req_data.uid, req.req_data.role, ) - p = PKDict( - role_friendly_name="Trial", - app_name="Sirepo", - expiration=datetime.datetime.now() - + datetime.timedelta( - days=sirepo.feature_config.cfg().trial_expiration_days - ), - additional_text=f"Your trial is active for {sirepo.feature_config.cfg().trial_expiration_days} days.", - ) - if not i.role == sirepo.auth_role.ROLE_TRIAL: - a = sirepo.simulation_db.SCHEMA_COMMON.appInfo[ - sirepo.auth_role.sim_type(i.role) - ].longName - p = PKDict(role_friendly_name=a, app_name=a) - p.pkupdate( - role=i.role, - status=req.req_data.status, - moderator_uid=self.auth.logged_in_user(), - ) + p = _role_info(i.role, req.req_data.status) pkdlog("status={} uid={} role={}", p.status, i.uid, i.role) # Force METHOD_EMAIL. We are sending them an email so we will # need an email for them. We only have emails for METHOD_EMAIL @@ -170,10 +174,10 @@ def _send_request_email(info): req = self.parse_post() u = self.auth.logged_in_user() - r = sirepo.auth_role.ROLE_TRIAL + r = sirepo.auth_role.ROLE_PLAN_TRIAL # SECURITY: type has been validated to be a known sim type. If it is # not in moderated_sim_types then we know the user is just requesting - # access to start using Sirepo (ROLE_TRIAL). + # access to start using Sirepo (ROLE_PLAN_TRIAL). if req.type in sirepo.feature_config.cfg().moderated_sim_types: r = sirepo.auth_role.for_sim_type(req.type) if self.auth_db.model("UserRole").has_active_role(role=r): @@ -227,8 +231,8 @@ def _datetime_to_str(rows): def raise_control_for_user(qcall, uid, role): if qcall.auth_db.model("UserRole").has_expired_role(role): - if role == sirepo.auth_role.ROLE_TRIAL: - raise sirepo.util.PlanRequired(f"uid={uid} role={role} expired") + if role == sirepo.auth_role.ROLE_PLAN_TRIAL: + raise sirepo.util.PlanExpired(f"uid={uid} role={role} expired") raise sirepo.util.Forbidden(f"uid={uid} role={role} expired") s = qcall.auth_db.model("UserRoleModeration").get_status(uid=uid, role=role) if s in _ACTIVE: @@ -245,7 +249,7 @@ def init_apis(*args, **kwargs): _cfg = pkconfig.init( moderator_email=pkconfig.RequiredUnlessDev( - f"{getpass.getuser()}+moderator@localhost.localdomain", + f"{getpass.getuser()}+moderator@{sirepo.const.LOCALHOST_FQDN}", str, "The email address to send moderation emails to", ), diff --git a/sirepo/const.py b/sirepo/const.py index 54c362dc4d..afde1f433b 100644 --- a/sirepo/const.py +++ b/sirepo/const.py @@ -16,6 +16,8 @@ #: where template resources and template non-sim user files live LIB_DIR = "lib" +LOCALHOST_FQDN = "localhost.localdomain" + # matches requirements for uid and isn't actually put in the db MOCK_UID = "someuser" diff --git a/sirepo/db_upgrade.py b/sirepo/db_upgrade.py index 8638a458f7..2fac23b6e9 100644 --- a/sirepo/db_upgrade.py +++ b/sirepo/db_upgrade.py @@ -104,11 +104,18 @@ def _20240524_add_role_user(qcall): ) -def _20250114_add_role_trial(qcall): - """Give all existing users a trial with expiration""" +def _20250114_add_role_plan_trial(qcall): + """Give all existing users a trial plan with expiration""" qcall.auth_db.execute_sql( - "INSERT INTO user_role_t (uid, role, expiration)" - + f'SELECT uid, "{sirepo.auth_role.ROLE_TRIAL}", NULL from user_registration_t' + """INSERT INTO user_role_t (uid, role, expiration) + SELECT uid, :role, :expiration FROM user_registration_t""", + PKDict( + role=sirepo.auth_role.ROLE_PLAN_TRIAL, + expiration=datetime.datetime.utcnow() + + datetime.timedelta( + days=sirepo.feature_config.cfg().trial_expiration_days + ), + ), ) diff --git a/sirepo/feature_config.py b/sirepo/feature_config.py index e7f38230f7..7c064d84e7 100644 --- a/sirepo/feature_config.py +++ b/sirepo/feature_config.py @@ -216,7 +216,11 @@ def _test(msg): show_open_shadow=_test('Show "Open as a New Shadow Simulation" menu item'), show_rsopt_ml=_test('Show "Export ML Script" menu item'), ), - trial_expiration_days=(30, int, "number of days a sirepo trial is active"), + trial_expiration_days=( + 30, + pkconfig.parse_positive_int, + "number of days a sirepo trial is active", + ), trust_sh_env=( False, bool, diff --git a/sirepo/job_driver/docker.py b/sirepo/job_driver/docker.py index 08c302d88c..15281f2690 100644 --- a/sirepo/job_driver/docker.py +++ b/sirepo/job_driver/docker.py @@ -4,7 +4,6 @@ :license: http://www.apache.org/licenses/LICENSE-2.0.html """ -from __future__ import absolute_import, division, print_function from pykern import pkconfig, pkio from pykern.pkcollections import PKDict from pykern.pkdebug import pkdp, pkdlog, pkdexc, pkdc @@ -13,6 +12,7 @@ import io import os import re +import sirepo.const import sirepo.util import subprocess import tornado.ioloop @@ -246,7 +246,7 @@ def _init_dev_hosts(cls): ), "neither cfg.tls_dir and cfg.hosts nor must be set to get auto-config" # dev mode only; see _cfg_tls_dir and _cfg_hosts cls.cfg.tls_dir = srdb.root().join("docker_tls") - cls.cfg.hosts = ("localhost.localdomain",) + cls.cfg.hosts = (sirepo.const.LOCALHOST_FQDN,) d = cls.cfg.tls_dir.join(cls.cfg.hosts[0]) if d.check(dir=True): return diff --git a/sirepo/reply.py b/sirepo/reply.py index 36aa44a1cc..58ce086802 100644 --- a/sirepo/reply.py +++ b/sirepo/reply.py @@ -572,7 +572,7 @@ def _gen_exception_reply_Error(self, args): def _gen_exception_reply_NotFound(self, args): return self._gen_http_exception(404) - def _gen_exception_reply_PlanRequired(self, args): + def _gen_exception_reply_PlanExpired(self, args): return self._gen_http_exception(402) def _gen_exception_reply_Redirect(self, args): diff --git a/sirepo/srunit.py b/sirepo/srunit.py index 3618c08309..a0198658f0 100644 --- a/sirepo/srunit.py +++ b/sirepo/srunit.py @@ -157,7 +157,7 @@ def add_plan_trial_role(self): from sirepo.pkcli import roles from sirepo import auth_role - roles.add(self.sr_uid, auth_role.ROLE_TRIAL) + roles.add(self.sr_uid, auth_role.ROLE_PLAN_TRIAL) def assert_post_will_redirect(self, expect_re, *args, **kwargs): rv = self.sr_post(*args, **kwargs) diff --git a/sirepo/util.py b/sirepo/util.py index 50fbe05af4..83ac34b865 100644 --- a/sirepo/util.py +++ b/sirepo/util.py @@ -113,7 +113,7 @@ class NotFound(ReplyExc): pass -class PlanRequired(ReplyExc): +class PlanExpired(ReplyExc): """API requires and active plan""" pass From 16a70f3859c65dbe7c12fbb9ac0863a5044dd6f9 Mon Sep 17 00:00:00 2001 From: Evan Carlin <evan@carlin.com> Date: Wed, 22 Jan 2025 21:55:56 +0000 Subject: [PATCH 5/9] better name --- sirepo/auth_role_moderation.py | 6 +++--- .../package_data/auth_role_moderation/clarify_email.jinja | 6 +++--- sirepo/package_data/auth_role_moderation/deny_email.jinja | 2 +- 3 files changed, 7 insertions(+), 7 deletions(-) diff --git a/sirepo/auth_role_moderation.py b/sirepo/auth_role_moderation.py index 1f61724fc3..9d3befa8b8 100644 --- a/sirepo/auth_role_moderation.py +++ b/sirepo/auth_role_moderation.py @@ -54,7 +54,7 @@ def _role_info(role, status): if role == sirepo.auth_role.ROLE_PLAN_TRIAL: return res.pkupdate( role_display_name="Trial", - app_name="Sirepo", + product_name="Sirepo", expiration=datetime.datetime.now() + datetime.timedelta( days=sirepo.feature_config.cfg().trial_expiration_days @@ -64,7 +64,7 @@ def _role_info(role, status): a = sirepo.simulation_db.SCHEMA_COMMON.appInfo[ sirepo.auth_role.sim_type(role) ].longName - return res.pkupdate(role_display_name=a, app_name=a) + return res.pkupdate(role_display_name=a, product_name=a) def _send_moderation_status_email(info): sirepo.smtp.send( @@ -74,7 +74,7 @@ def _send_moderation_status_email(info): f"auth_role_moderation/{info.status}_email", PKDict( additional_text=info.get("additional_text"), - app_name=info.app_name, + product_name=info.product_name, role_display_name=info.role_display_name, display_name=info.display_name, link=self.absolute_uri( diff --git a/sirepo/package_data/auth_role_moderation/clarify_email.jinja b/sirepo/package_data/auth_role_moderation/clarify_email.jinja index 6033ac4ae2..4ca448a9f1 100644 --- a/sirepo/package_data/auth_role_moderation/clarify_email.jinja +++ b/sirepo/package_data/auth_role_moderation/clarify_email.jinja @@ -1,10 +1,10 @@ Dear {{ display_name }}, -You recently tried to login to {{ app_name }}. We need some more information in order to process your login request. +You recently tried to login to {{ product_name }}. We need some more information in order to process your login request. -Would you please let us know how you heard about {{ app_name }}? +Would you please let us know how you heard about {{ product_name }}? -How do you intend to use {{ app_name }}? +How do you intend to use {{ product_name }}? We need this information to prevent abuse of our servers. diff --git a/sirepo/package_data/auth_role_moderation/deny_email.jinja b/sirepo/package_data/auth_role_moderation/deny_email.jinja index 7fddfe0a60..a967d1fa88 100644 --- a/sirepo/package_data/auth_role_moderation/deny_email.jinja +++ b/sirepo/package_data/auth_role_moderation/deny_email.jinja @@ -1 +1 @@ -Your request for {{ app_name }} access has been denied. Community access requires an email address associated with a university, company or research institution. Access is not allowed from countries of particular concern, as designated by the U.S. Department of State, https://www.state.gov/countries-of-particular-concern-special-watch-list-countries-entities-of-particular-concern/ +Your request for {{ product_name }} access has been denied. Community access requires an email address associated with a university, company or research institution. Access is not allowed from countries of particular concern, as designated by the U.S. Department of State, https://www.state.gov/countries-of-particular-concern-special-watch-list-countries-entities-of-particular-concern/ From c8372f3e92452ad5f3377b5f4ca6566406d2bd1f Mon Sep 17 00:00:00 2001 From: Evan Carlin <evan@carlin.com> Date: Wed, 22 Jan 2025 22:04:39 +0000 Subject: [PATCH 6/9] fix test --- tests/adm_and_own_jobs_test.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/adm_and_own_jobs_test.py b/tests/adm_and_own_jobs_test.py index b757b14f35..d09c12d4dd 100644 --- a/tests/adm_and_own_jobs_test.py +++ b/tests/adm_and_own_jobs_test.py @@ -129,12 +129,12 @@ def _register_both_users(): import sirepo.auth_role fc.sr_email_login(adm_user, sim_type=t) - roles.add(adm_user, auth_role.ROLE_TRIAL) + fc.add_plan_trial_role() u = fc.sr_uid fc.sr_logout() _make_user_adm(u) fc.sr_email_login(non_adm_user, sim_type=t) - roles.add(non_adm_user, auth_role.ROLE_TRIAL) + fc.add_plan_trial_role() fc = auth_fc t = "srw" From 1c6bf58103c28d669eb91be7cf90699ffcb50535 Mon Sep 17 00:00:00 2001 From: Evan Carlin <evan@carlin.com> Date: Wed, 22 Jan 2025 23:02:25 +0000 Subject: [PATCH 7/9] more test fixes --- tests/db_upgrade_data/auth.txt | 2 +- tests/supervisor_purge_free_sims_test.py | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/tests/db_upgrade_data/auth.txt b/tests/db_upgrade_data/auth.txt index 021e6ce510..a854741b68 100644 --- a/tests/db_upgrade_data/auth.txt +++ b/tests/db_upgrade_data/auth.txt @@ -10,7 +10,7 @@ INSERT INTO db_upgrade_t VALUES('_20231120_deploy_flash_update',''); INSERT INTO db_upgrade_t VALUES('_20240322_remove_github_auth',''); INSERT INTO db_upgrade_t VALUES('_20240507_cloudmc_to_openmc',''); INSERT INTO db_upgrade_t VALUES('_20240524_add_role_user',''); -INSERT INTO db_upgrade_t VALUES('_20250114_add_role_trial',''); +INSERT INTO db_upgrade_t VALUES('_20250114_add_role_plan_trial',''); CREATE TABLE auth_email_user_t ( unverified_email VARCHAR(255) NOT NULL, uid VARCHAR(8), diff --git a/tests/supervisor_purge_free_sims_test.py b/tests/supervisor_purge_free_sims_test.py index e76106f8a9..c74c7d456a 100644 --- a/tests/supervisor_purge_free_sims_test.py +++ b/tests/supervisor_purge_free_sims_test.py @@ -51,11 +51,11 @@ def _make_user_premium(uid): roles.add( uid, - auth_role.ROLE_PAYMENT_PLAN_PREMIUM, + auth_role.ROLE_PLAN_PREMIUM, ) with srunit.quest_start() as qcall: r = qcall.auth_db.model("UserRole").search_all_for_column( - "uid", role=auth_role.ROLE_PAYMENT_PLAN_PREMIUM + "uid", role=auth_role.ROLE_PLAN_PREMIUM ) pkunit.pkeq([uid], r, "expecting one premium user with same id") From 9cc17bb41f3e6b7193909f04689bdedd1176aed4 Mon Sep 17 00:00:00 2001 From: Evan Carlin <evan@carlin.com> Date: Tue, 28 Jan 2025 01:30:45 +0000 Subject: [PATCH 8/9] pr comments --- sirepo/auth_role_moderation.py | 4 ++-- sirepo/db_upgrade.py | 4 ++-- sirepo/job_api.py | 4 ++-- sirepo/package_data/static/js/sirepo-components.js | 14 +++++++------- sirepo/package_data/static/js/sirepo.js | 8 ++------ sirepo/package_data/static/json/schema-common.json | 2 +- sirepo/pkcli/roles.py | 8 +++++--- tests/plan_trial_test.py | 10 +--------- 8 files changed, 22 insertions(+), 32 deletions(-) diff --git a/sirepo/auth_role_moderation.py b/sirepo/auth_role_moderation.py index 9d3befa8b8..3462ffea3c 100644 --- a/sirepo/auth_role_moderation.py +++ b/sirepo/auth_role_moderation.py @@ -55,7 +55,7 @@ def _role_info(role, status): return res.pkupdate( role_display_name="Trial", product_name="Sirepo", - expiration=datetime.datetime.now() + expiration=datetime.datetime.utcnow() + datetime.timedelta( days=sirepo.feature_config.cfg().trial_expiration_days ), @@ -241,7 +241,7 @@ def raise_control_for_user(qcall, uid, role): raise sirepo.util.Forbidden(f"uid={uid} role={role} already denied") assert s is None, f"Unexpected status={s} for uid={uid} and role={role}" qcall.auth.require_email_user() - raise sirepo.util.SRException("moderationRequest", None) + raise sirepo.util.SRException("moderationRequest", PKDict(role=role)) def init_apis(*args, **kwargs): diff --git a/sirepo/db_upgrade.py b/sirepo/db_upgrade.py index 2fac23b6e9..8d1fbae76d 100644 --- a/sirepo/db_upgrade.py +++ b/sirepo/db_upgrade.py @@ -99,8 +99,8 @@ def _20240524_add_role_user(qcall): ) qcall.auth_db.drop_table("user_role_invite_t") qcall.auth_db.execute_sql( - "INSERT INTO user_role_t (uid, role, expiration)" - + f'SELECT uid, "{sirepo.auth_role.ROLE_USER}", NULL from user_registration_t' + f"""INSERT INTO user_role_t (uid, role, expiration) + SELECT uid, '{sirepo.auth_role.ROLE_USER}', NULL from user_registration_t""" ) diff --git a/sirepo/job_api.py b/sirepo/job_api.py index e163176b60..4728438901 100644 --- a/sirepo/job_api.py +++ b/sirepo/job_api.py @@ -211,7 +211,7 @@ async def api_runStatus(self): # runStatus receives models when an animation status if first queried return await self._request_api(_request_content=self._request_content(PKDict())) - @sirepo.quest.Spec("require_premium") + @sirepo.quest.Spec("require_plan") async def api_sbatchLogin(self): r = self._request_content( PKDict(computeJobHash="unused", jobRunMode=sirepo.job.SBATCH), @@ -221,7 +221,7 @@ async def api_sbatchLogin(self): r.pkdel("data") return await self._request_api(_request_content=r) - @sirepo.quest.Spec("require_premium") + @sirepo.quest.Spec("require_plan") async def api_sbatchLoginStatus(self): return await self._request_api( _request_content=self._request_content( diff --git a/sirepo/package_data/static/js/sirepo-components.js b/sirepo/package_data/static/js/sirepo-components.js index 450289d1a7..c798e1fcef 100644 --- a/sirepo/package_data/static/js/sirepo-components.js +++ b/sirepo/package_data/static/js/sirepo-components.js @@ -3591,6 +3591,7 @@ SIREPO.app.directive('emailLogin', function(requestSender, errorService) { <div data-disable-after-click=""> <button data-ng-click="login()" class="btn btn-primary">Continue</button> </div> + <p class="help-block">Your email address must be associated with a university, company, or research institution.</p> <p class="help-block">By signing up for Sirepo you agree to Sirepo's <a href="en/privacy.html">privacy policy</a> and <a href="en/terms.html">terms and conditions</a>, and to receive informational and marketing communications from RadiaSoft. You may unsubscribe at any time.</p> </div> </div> @@ -4361,17 +4362,20 @@ SIREPO.app.directive('moderationRequest', function(appState, errorService, panel template: ` <form> <div class="form-group"> - <label for="requestAccessExplanation">Please describe your reason for requesting access:</label> + <label for="requestAccessExplanation">{{ moderationRequestReason }}:</label> <textarea data-ng-show="!submitted" data-ng-model="data.reason" id="requestAccessExplanation" class="form-control" rows="4" cols="50" required></textarea> </div> <button data-ng-disabled="disableSubmit" data-ng-show="!submitted" type="submit" class="btn btn-primary" data-ng-click="submitRequest()">Submit</button> </form> <div data-ng-show="submitted">Response submitted.</div> `, - controller: function(requestSender, $scope) { + controller: function(requestSender, $route, $scope) { $scope.data = {}; $scope.submitted = false; $scope.disableSubmit = true; + $scope.moderationRequestReason = { + trial: `To prevent abuse of our systems all new users must supply a reason for requesting access to ${SIREPO.APP_SCHEMA.productInfo.shortName}. In a few sentences please describe how you plan to use ${SIREPO.APP_SCHEMA.productInfo.shortName}` + }[$route.current.params.role] ?? 'Please describe your reason for requesting access'; $scope.submitRequest = function () { const handleResponse = (data) => { if (data.state === 'error') { @@ -4777,11 +4781,7 @@ SIREPO.app.directive('sbatchLoginModal', function() { <button data-ng-click="cancel()" type="button" class="close" data-ng-disabled="! sbatchLoginService.query('showLogin')"><span>×</span></button> </div> <div class="modal-body"> - <div data-ng-show="! authState.isPremiumUser()" class="alert alert-warning" role="alert"> - <h4 class="alert-heading"><b>Please upgrade</b></h4> - <p>Supercomputer and HPC services are only available with <span data-plans-link="" link-text="one of our paid plans"></span>.</p> - </div> - <form name="sbatchLoginModalForm" data-ng-show="authState.isPremiumUser()"> + <form name="sbatchLoginModalForm"> <div class="sr-input-warning">{{ warning }}</div> <div class="form-group"> <input type="text" class="form-control" name="username" placeholder="username" autocomplete="username" data-ng-model="username" /> diff --git a/sirepo/package_data/static/js/sirepo.js b/sirepo/package_data/static/js/sirepo.js index 604f9a7d24..8741619e8d 100644 --- a/sirepo/package_data/static/js/sirepo.js +++ b/sirepo/package_data/static/js/sirepo.js @@ -2,7 +2,7 @@ // needs to be here so test.sh doesn't see it SIREPO.srlog = (...args) => {console.log( (new Date().toISOString()).substring(11, 19), - (new Error()).stack.split("\n")[2].match(/\(([^)]+)\)/)?.[1] || "unknown location", + (new Error()).stack.split("\n")[2].match(/\(([^)]+)\)/)?.[1] || "[unknown line number]", ...args, );}; SIREPO.srdbg = SIREPO.srlog; @@ -311,11 +311,6 @@ SIREPO.app.factory('authState', function(appDataService, appState, errorService, `; }; - self.isPremiumUser = function() { - // positive test (vs just testing 'basic') - return self.paymentPlan == 'premium'; - }; - self.paymentPlanName = function() { return SIREPO.APP_SCHEMA.constants.paymentPlans[self.paymentPlan]; }; @@ -4615,6 +4610,7 @@ SIREPO.app.controller('LoginWithController', function (authState, errorService, } }); + SIREPO.app.controller('LoginConfirmController', function (authState, requestSender, $route) { var self = this; var p = $route.current.params; diff --git a/sirepo/package_data/static/json/schema-common.json b/sirepo/package_data/static/json/schema-common.json index 8211642f6a..1d612a484a 100644 --- a/sirepo/package_data/static/json/schema-common.json +++ b/sirepo/package_data/static/json/schema-common.json @@ -428,7 +428,7 @@ } }, "moderationRequest": { - "route": "/moderation-request", + "route": "/moderation-request/:role", "config": { "sirepoNoLoginRedirect": true, "templateUrl": "/static/html/moderation-request.html" diff --git a/sirepo/pkcli/roles.py b/sirepo/pkcli/roles.py index 0da98d8421..b3c2f74dfc 100644 --- a/sirepo/pkcli/roles.py +++ b/sirepo/pkcli/roles.py @@ -19,7 +19,7 @@ def add(uid_or_email, *roles, expiration=None): Args: uid_or_email (str): Uid or email of the user *roles (str): The roles to assign to the user - expiration (None|POSIX Timestamp): The expiration date for the roles + expiration (int): Days until expiration """ with _parse_args(uid_or_email, roles) as qcall: qcall.auth_db.model("UserRole").add_roles( @@ -32,7 +32,7 @@ def add_or_update(uid_or_email, *roles, expiration=None): Args: uid_or_email (str): Uid or email of the user *roles (str): The roles to assign to the user - expiration (None|POSIX Timestamp): The expiration date for the roles + expiration (int): Days until expiration """ with _parse_args(uid_or_email, roles) as qcall: for r in roles: @@ -133,5 +133,7 @@ def _parse_args(uid_or_email, roles=None): def _parse_expiration(expiration): return ( - None if expiration is None else datetime.datetime.fromtimestamp(int(expiration)) + None + if expiration is None + else (datetime.datetime.utcnow() + datetime.timedelta(days=int(expiration))) ) diff --git a/tests/plan_trial_test.py b/tests/plan_trial_test.py index 2bc4dbb93b..a65cc4d95f 100644 --- a/tests/plan_trial_test.py +++ b/tests/plan_trial_test.py @@ -25,15 +25,7 @@ def test_expired_trial_no_run_sim(auth_fc): import datetime u = auth_fc.sr_email_login("e@e.e") - roles.add_or_update( - u, - "trial", - expiration=int( - ( - datetime.datetime.now() + datetime.timedelta(days=_EXPIRATION_DAYS) - ).timestamp() - ), - ) + roles.add_or_update(u, "trial", expiration=_EXPIRATION_DAYS) d = auth_fc.sr_sim_data() auth_fc.sr_run_sim(d, "heightWeightReport") with auth_fc.sr_adjust_time(_EXPIRATION_DAYS + 1): From 06d6d7a6b98a7185d7bec18c1d0f40e4ab5847b9 Mon Sep 17 00:00:00 2001 From: Evan Carlin <evan@carlin.com> Date: Tue, 28 Jan 2025 17:00:30 +0000 Subject: [PATCH 9/9] pr comments --- sirepo/auth_role_moderation.py | 11 ++++++----- .../auth_role_moderation/approve_email.jinja | 2 +- .../auth_role_moderation/deny_email.jinja | 2 +- 3 files changed, 8 insertions(+), 7 deletions(-) diff --git a/sirepo/auth_role_moderation.py b/sirepo/auth_role_moderation.py index 3462ffea3c..77e0447ab6 100644 --- a/sirepo/auth_role_moderation.py +++ b/sirepo/auth_role_moderation.py @@ -50,21 +50,22 @@ def _role_info(role, status): role=role, status=status, moderator_uid=self.auth.logged_in_user(), + product_name=sirepo.simulation_db.SCHEMA_COMMON.productInfo.shortName, ) if role == sirepo.auth_role.ROLE_PLAN_TRIAL: return res.pkupdate( role_display_name="Trial", - product_name="Sirepo", expiration=datetime.datetime.utcnow() + datetime.timedelta( days=sirepo.feature_config.cfg().trial_expiration_days ), additional_text=f"Your trial is active for {sirepo.feature_config.cfg().trial_expiration_days} days.", ) - a = sirepo.simulation_db.SCHEMA_COMMON.appInfo[ - sirepo.auth_role.sim_type(role) - ].longName - return res.pkupdate(role_display_name=a, product_name=a) + return res.pkupdate( + role_display_name=sirepo.simulation_db.SCHEMA_COMMON.appInfo[ + sirepo.auth_role.sim_type(role) + ].longName + ) def _send_moderation_status_email(info): sirepo.smtp.send( diff --git a/sirepo/package_data/auth_role_moderation/approve_email.jinja b/sirepo/package_data/auth_role_moderation/approve_email.jinja index 216ceb21c9..09b52945f5 100644 --- a/sirepo/package_data/auth_role_moderation/approve_email.jinja +++ b/sirepo/package_data/auth_role_moderation/approve_email.jinja @@ -1,4 +1,4 @@ -Your request for Sirepo {{ role_friendly_name }} access has been approved. +Your request for Sirepo {{ role_display_name }} access has been approved. {{ link }} {{ additional_text }} diff --git a/sirepo/package_data/auth_role_moderation/deny_email.jinja b/sirepo/package_data/auth_role_moderation/deny_email.jinja index a967d1fa88..f8a44b90ec 100644 --- a/sirepo/package_data/auth_role_moderation/deny_email.jinja +++ b/sirepo/package_data/auth_role_moderation/deny_email.jinja @@ -1 +1 @@ -Your request for {{ product_name }} access has been denied. Community access requires an email address associated with a university, company or research institution. Access is not allowed from countries of particular concern, as designated by the U.S. Department of State, https://www.state.gov/countries-of-particular-concern-special-watch-list-countries-entities-of-particular-concern/ +Your request for {{ product_name }} {{ role_display_name }} access has been denied. Community access requires an email address associated with a university, company or research institution. Access is not allowed from countries of particular concern, as designated by the U.S. Department of State, https://www.state.gov/countries-of-particular-concern-special-watch-list-countries-entities-of-particular-concern/