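// Source: github.com/keybase/client/go@v0.0.0-20240309051027-028f7c731f8b/ephemeral/teambot_ek_test.go

package ephemeral

import (
	"context"
	"testing"

	"github.com/keybase/client/go/kbtest"
	"github.com/keybase/client/go/libkb"
	"github.com/keybase/client/go/protocol/keybase1"
	"github.com/keybase/client/go/teams"
	"github.com/stretchr/testify/require"
)

// TestNewTeambotEK checks the key-separation properties of teambot ephemeral
// keys (EKs) from the point of view of two parties: a team member (tc/mctx)
// and a bot user added with the RESTRICTEDBOT role (tc2/mctx2).
//
// The test asserts that:
//   - the team member can create the latest teambot EK for the bot, and the
//     bot can fetch matching metadata for it;
//   - the bot can fetch and unbox its teambot EK;
//   - the bot gets an error when asking for the team EK, both the latest one
//     and the specific generation its teambot EK belongs to;
//   - the teambot EK seed equals deriveTeambotEKFromTeamEK applied to the team
//     EK of the same generation and the bot's UID, and differs from the value
//     derived with an empty UID.
func TestNewTeambotEK(t *testing.T) {
	// Team member side: test context plus meta context from the shared helper.
	tc, mctx, _ := ephemeralKeyTestSetup(t)
	defer tc.Cleanup()

	// Bot side: a separate test context with its own ephemeral storage and
	// team service, so the bot's view of the keys is independent of the
	// member's.
	tc2 := libkb.SetupTest(t, "NewTeambotEK", 2)
	defer tc2.Cleanup()
	mctx2 := libkb.NewMetaContextForTest(tc2)
	NewEphemeralStorageAndInstall(mctx2)
	teams.ServiceInit(mctx2.G())

	teamID := createTeam(tc)
	botua, err := kbtest.CreateAndSignupFakeUser("t", tc2.G)
	require.NoError(t, err)
	botuaUID := botua.GetUID()

	// Add the bot to the team as a RESTRICTEDBOT; the rest of the test relies
	// on this role to exercise the restricted key access path.
	team, err := teams.Load(mctx.Ctx(), mctx.G(), keybase1.LoadTeamArg{
		ID:          teamID,
		ForceRepoll: true,
	})
	require.NoError(t, err)
	res, err := teams.AddMember(context.TODO(), mctx.G(), team.Name().String(),
		botua.Username, keybase1.TeamRole_RESTRICTEDBOT, &keybase1.TeamBotSettings{})
	require.NoError(t, err)
	require.Equal(t, botua.Username, res.User.Username)

	// The team member creates (or fetches) the latest teambot EK for the bot.
	ek, _, err := mctx.G().GetEKLib().GetOrCreateLatestTeambotEK(mctx, teamID, botuaUID.ToBytes())
	require.NoError(t, err)
	typ, err := ek.KeyType()
	require.NoError(t, err)
	require.True(t, typ.IsTeambot())

	// From the bot's context, the latest teambot EK metadata must match what
	// the member just produced.
	metaPtr, wrongKID, err := fetchLatestTeambotEK(mctx2, teamID)
	require.NoError(t, err)
	require.NotNil(t, metaPtr)
	require.False(t, wrongKID)
	metadata := *metaPtr
	require.Equal(t, ek.Teambot().Metadata, metadata)

	// Positive control: the team member can obtain the team EK.
	ek, _, err = mctx.G().GetEKLib().GetOrCreateLatestTeamEK(mctx, teamID)
	require.NoError(t, err)
	typ, err = ek.KeyType()
	require.NoError(t, err)
	require.True(t, typ.IsTeam())

	// bot users don't have access to team secrets so they can't get the teamEK
	//
	// NOTE(review): require.Error is satisfied by any failure, including one
	// unrelated to access control (for example a setup or transport error).
	// Asserting the specific error the library returns for a denied request
	// would make this negative check prove the intended property.
	_, _, err = mctx2.G().GetEKLib().GetOrCreateLatestTeamEK(mctx2, teamID)
	require.Error(t, err)

	// The bot fetches the boxed teambot EK for the generation it saw above.
	keyer := NewTeambotEphemeralKeyer()
	teambotEKBoxed, err := keyer.Fetch(mctx2, teamID, metadata.Generation, nil)
	require.NoError(t, err)
	typ, err = teambotEKBoxed.KeyType()
	require.NoError(t, err)
	require.True(t, typ.IsTeambot())
	require.Equal(t, metadata, teambotEKBoxed.Teambot().Metadata)

	// The bot can unbox its own teambot EK.
	teambotEK, err := keyer.Unbox(mctx2, teambotEKBoxed, nil)
	require.NoError(t, err)
	typ, err = teambotEK.KeyType()
	require.NoError(t, err)
	require.True(t, typ.IsTeambot())

	// this fails for the bot user
	//
	// NOTE(review): same caveat as the earlier negative check: only the
	// presence of an error is asserted, not its kind.
	_, err = mctx2.G().GetEKLib().GetTeamEK(mctx2, teamID, teambotEK.Generation(), nil)
	require.Error(t, err)

	// The team member fetches the team EK of the same generation so the
	// expected teambot seed can be recomputed independently.
	ek, err = mctx.G().GetEKLib().GetTeamEK(mctx, teamID, teambotEK.Generation(), nil)
	require.NoError(t, err)
	typ, err = ek.KeyType()
	require.NoError(t, err)
	require.True(t, typ.IsTeam())
	teamEK := ek.Team()

	// The unboxed teambot seed must equal the value derived from the team EK
	// and the bot's UID.
	expectedSeed := deriveTeambotEKFromTeamEK(mctx, teamEK, botuaUID)
	require.Equal(t, keybase1.Bytes32(expectedSeed), teambotEK.Teambot().Seed)

	// Deriving with an empty UID must give a different seed, i.e. the UID is
	// an input to the derivation.
	badSeed := deriveTeambotEKFromTeamEK(mctx, teamEK, "")
	require.NotEqual(t, keybase1.Bytes32(badSeed), teambotEK.Teambot().Seed)
}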