github.com/keybase/client/go@v0.0.0-20240309051027-028f7c731f8b/systests/team_invite_test.go (about) 1 package systests 2 3 import ( 4 "fmt" 5 "strings" 6 "testing" 7 "time" 8 9 "golang.org/x/net/context" 10 11 "github.com/keybase/client/go/engine" 12 "github.com/keybase/client/go/jsonhelpers" 13 libkb "github.com/keybase/client/go/libkb" 14 keybase1 "github.com/keybase/client/go/protocol/keybase1" 15 "github.com/keybase/client/go/teams" 16 "github.com/stretchr/testify/assert" 17 "github.com/stretchr/testify/require" 18 ) 19 20 func TestTeamInviteRooter(t *testing.T) { 21 tt := newTeamTester(t) 22 defer tt.cleanup() 23 24 tt.addUser("own") 25 tt.addUser("roo") 26 27 // user 0 creates a team 28 teamID, teamName := tt.users[0].createTeam2() 29 30 // user 0 adds a rooter assertion before the rooter user has proved their 31 // keybase account 32 rooterUser := tt.users[1].username + "@rooter" 33 tt.users[0].addTeamMember(teamName.String(), rooterUser, keybase1.TeamRole_WRITER) 34 35 // user 1 proves rooter, kicking rekeyd so it notices the proof 36 // beforehand so user 0 can notice proof faster. 37 tt.users[1].kickTeamRekeyd() 38 tt.users[1].proveRooter() 39 40 // user 0 should get gregor notification that the team changed 41 tt.users[0].waitForTeamChangedGregor(teamID, keybase1.Seqno(3)) 42 43 // user 1 should also get gregor notification that the team changed 44 tt.users[1].waitForTeamChangedGregor(teamID, keybase1.Seqno(3)) 45 46 // the team should have user 1 in it now as a writer 47 t0, err := teams.GetTeamByNameForTest(context.TODO(), tt.users[0].tc.G, teamName.String(), false, true) 48 if err != nil { 49 t.Fatal(err) 50 } 51 writers, err := t0.UsersWithRole(keybase1.TeamRole_WRITER) 52 if err != nil { 53 t.Fatal(err) 54 } 55 if len(writers) != 1 { 56 t.Fatalf("num writers: %d, expected 1", len(writers)) 57 } 58 if !writers[0].Uid.Equal(tt.users[1].uid) { 59 t.Errorf("writer uid: %s, expected %s", writers[0].Uid, tt.users[1].uid) 60 } 61 62 // the invite should not be in the active invite map 63 exists, err := t0.HasActiveInvite(tt.users[0].tc.MetaContext(), keybase1.TeamInviteName(tt.users[1].username), "rooter") 64 require.NoError(t, err) 65 require.False(t, exists) 66 require.Equal(t, 0, t0.NumActiveInvites()) 67 require.Equal(t, 0, len(t0.GetActiveAndObsoleteInvites())) 68 } 69 70 func TestTeamInviteGenericSocial(t *testing.T) { 71 tt := newTeamTester(t) 72 defer tt.cleanup() 73 74 tt.addUser("own") 75 tt.addUser("roo") 76 77 // user 0 creates a team 78 teamID, teamName := tt.users[0].createTeam2() 79 80 // user 0 adds an unresolved assertion to the team 81 assertion := tt.users[1].username + "@gubble.social" 82 tt.users[0].addTeamMember(teamName.String(), assertion, keybase1.TeamRole_WRITER) 83 84 // user 1 proves the assertion, kicking rekeyd so it notices the proof 85 // beforehand so user 0 can notice proof faster. 86 tt.users[1].kickTeamRekeyd() 87 tt.users[1].proveGubbleSocial() 88 89 // user 0 should get gregor notification that the team changed 90 tt.users[0].waitForTeamChangedGregor(teamID, keybase1.Seqno(3)) 91 92 // user 1 should also get gregor notification that the team changed 93 tt.users[1].waitForTeamChangedGregor(teamID, keybase1.Seqno(3)) 94 95 // the team should have user 1 in it now as a writer 96 t0, err := teams.GetTeamByNameForTest(context.TODO(), tt.users[0].tc.G, teamName.String(), false, true) 97 if err != nil { 98 t.Fatal(err) 99 } 100 writers, err := t0.UsersWithRole(keybase1.TeamRole_WRITER) 101 if err != nil { 102 t.Fatal(err) 103 } 104 if len(writers) != 1 { 105 t.Fatalf("num writers: %d, expected 1", len(writers)) 106 } 107 if !writers[0].Uid.Equal(tt.users[1].uid) { 108 t.Errorf("writer uid: %s, expected %s", writers[0].Uid, tt.users[1].uid) 109 } 110 111 // the invite should not be in the active invite map 112 exists, err := t0.HasActiveInvite(tt.users[0].tc.MetaContext(), keybase1.TeamInviteName(tt.users[1].username), "gubble.social") 113 require.NoError(t, err) 114 require.False(t, exists) 115 require.Equal(t, 0, t0.NumActiveInvites()) 116 require.Equal(t, 0, len(t0.GetActiveAndObsoleteInvites())) 117 } 118 119 func TestTeamInviteEmail(t *testing.T) { 120 tt := newTeamTester(t) 121 defer tt.cleanup() 122 123 tt.addUser("own") 124 tt.addUser("eml") 125 126 // user 0 creates a team 127 teamID, teamName := tt.users[0].createTeam2() 128 129 // user 0 adds a user by email 130 email := tt.users[1].username + "@keybase.io" 131 tt.users[0].addTeamMemberEmail(teamName.String(), email, keybase1.TeamRole_WRITER) 132 133 // user 1 gets the email 134 tokens := tt.users[1].readInviteEmails(email) 135 136 // user 1 accepts all invitations 137 tt.users[1].kickTeamRekeyd() 138 for _, token := range tokens { 139 tt.users[1].acceptEmailInvite(token) 140 } 141 142 // user 0 should get gregor notification that the team changed 143 tt.users[0].waitForTeamChangedGregor(teamID, keybase1.Seqno(3)) 144 145 // user 1 should also get gregor notification that the team changed 146 tt.users[1].waitForTeamChangedGregor(teamID, keybase1.Seqno(3)) 147 148 // the team should have user 1 in it now as a writer 149 t0, err := teams.GetTeamByNameForTest(context.TODO(), tt.users[0].tc.G, teamName.String(), false, true) 150 if err != nil { 151 t.Fatal(err) 152 } 153 writers, err := t0.UsersWithRole(keybase1.TeamRole_WRITER) 154 if err != nil { 155 t.Fatal(err) 156 } 157 if len(writers) != 1 { 158 t.Fatalf("num writers: %d, expected 1", len(writers)) 159 } 160 if !writers[0].Uid.Equal(tt.users[1].uid) { 161 t.Errorf("writer uid: %s, expected %s", writers[0].Uid, tt.users[1].uid) 162 } 163 164 // the invite should not be in the active invite map 165 exists, err := t0.HasActiveInvite(tt.users[0].tc.MetaContext(), keybase1.TeamInviteName(email), "email") 166 if err != nil { 167 t.Fatal(err) 168 } 169 if exists { 170 t.Error("after accepting invite, active invite still exists") 171 } 172 } 173 174 func TestTeamInviteAcceptOrRequest(t *testing.T) { 175 tt := newTeamTester(t) 176 defer tt.cleanup() 177 178 tt.addUser("own") 179 tt.addUser("eml") 180 181 // user 0 creates a team 182 teamID, teamName := tt.users[0].createTeam2() 183 184 // user 1 requests access 185 ret := tt.users[1].acceptInviteOrRequestAccess(teamName.String()) 186 require.EqualValues(t, ret, keybase1.TeamAcceptOrRequestResult{WasTeamName: true}) 187 188 // user 0 adds a user by email 189 email := tt.users[1].username + "@keybase.io" 190 tt.users[0].addTeamMemberEmail(teamName.String(), email, keybase1.TeamRole_WRITER) 191 192 // user 1 gets the email 193 tokens := tt.users[1].readInviteEmails(email) 194 require.Len(t, tokens, 1) 195 196 // user 1 accepts the invitation 197 tt.users[1].kickTeamRekeyd() 198 ret = tt.users[1].acceptInviteOrRequestAccess(tokens[0]) 199 require.EqualValues(t, ret, keybase1.TeamAcceptOrRequestResult{WasToken: true}) 200 201 // user 0 should get gregor notification that the team changed 202 tt.users[0].waitForTeamChangedGregor(teamID, keybase1.Seqno(3)) 203 204 // user 1 should also get gregor notification that the team changed 205 tt.users[1].waitForTeamChangedGregor(teamID, keybase1.Seqno(3)) 206 207 // the team should have user 1 in it now as a writer 208 t0, err := teams.GetTeamByNameForTest(context.TODO(), tt.users[0].tc.G, teamName.String(), false, true) 209 require.NoError(t, err) 210 writers, err := t0.UsersWithRole(keybase1.TeamRole_WRITER) 211 require.NoError(t, err) 212 require.Len(t, writers, 1) 213 if !writers[0].Uid.Equal(tt.users[1].uid) { 214 t.Errorf("writer uid: %s, expected %s", writers[0].Uid, tt.users[1].uid) 215 } 216 } 217 218 // bob resets and added to team with no keys, logs in and invite should 219 // be processed. 220 func TestTeamInviteResetNoKeys(t *testing.T) { 221 ctx := newSMUContext(t) 222 defer ctx.cleanup() 223 tt := newTeamTester(t) 224 defer tt.cleanup() 225 226 tt.addUser("own") 227 228 // user 0 creates a team 229 teamID, teamName := tt.users[0].createTeam2() 230 231 // user 0 should get gregor notification that the team changed and rotated key 232 tt.users[0].waitForTeamChangedAndRotated(teamID, keybase1.Seqno(1)) 233 234 bob := ctx.installKeybaseForUser("bob", 10) 235 bob.signup() 236 divDebug(ctx, "Signed up bob (%s)", bob.username) 237 bob.reset() 238 divDebug(ctx, "Reset bob (%s)", bob.username) 239 240 tt.users[0].addTeamMember(teamName.String(), bob.username, keybase1.TeamRole_WRITER) 241 divDebug(ctx, "Added bob as a writer") 242 243 // user 0 kicks rekeyd so it notices the puk 244 tt.users[0].kickTeamRekeyd() 245 246 bob.loginAfterReset(10) 247 divDebug(ctx, "Bob logged in after reset") 248 249 // user 0 should get gregor notification that the team changed 250 tt.users[0].waitForTeamChangedGregor(teamID, keybase1.Seqno(3)) 251 } 252 253 // See if we can re-invite user after they reset and thus make their 254 // first invitation obsolete. 255 func TestTeamReInviteAfterReset(t *testing.T) { 256 ctx := newSMUContext(t) 257 defer ctx.cleanup() 258 tt := newTeamTester(t) 259 defer tt.cleanup() 260 261 ann := tt.addUser("ann") 262 263 // Ann creates a team. 264 teamID, teamName := ann.createTeam2() 265 t.Logf("Created team %q", teamName.String()) 266 267 bob := ctx.installKeybaseForUserNoPUK("bob", 10) 268 bob.signupNoPUK() 269 divDebug(ctx, "Signed up bob (%s)", bob.username) 270 271 // Try to add bob to team, should add an invitation because bob is PUK-less. 272 ann.addTeamMember(teamName.String(), bob.username, keybase1.TeamRole_WRITER) // Invitation 1 273 274 // Reset, invalidates invitation 1. 275 bob.reset() 276 bob.loginAfterResetNoPUK(10) 277 278 // Try to add again (bob still doesn't have a PUK). Adding this 279 // invitation should automatically cancel first invitation. 280 ann.addTeamMember(teamName.String(), bob.username, keybase1.TeamRole_ADMIN) // Invitation 2 281 282 // Load team, see if we really have just one invite. 283 teamObj := ann.loadTeamByID(teamID, true /* admin */) 284 invites := teamObj.GetActiveAndObsoleteInvites() 285 require.Len(t, invites, 1) 286 for _, invite := range invites { 287 require.Equal(t, keybase1.TeamRole_ADMIN, invite.Role) 288 require.EqualValues(t, bob.userVersion().PercentForm(), invite.Name) 289 typ, err := invite.Type.C() 290 require.NoError(t, err) 291 require.Equal(t, keybase1.TeamInviteCategory_KEYBASE, typ) 292 break // check the first (and only) invite 293 } 294 295 t.Logf("Trying to get a PUK") 296 297 bob.primaryDevice().tctx.Tp.DisableUpgradePerUserKey = false 298 299 ann.kickTeamRekeyd() 300 err := bob.perUserKeyUpgrade() 301 require.NoError(t, err) 302 303 t.Logf("Bob got a PUK, now let's see if Ann's client adds him to team") 304 305 ann.waitForTeamChangedGregor(teamID, keybase1.Seqno(4)) 306 307 details, err := ann.teamsClient.TeamGet(context.TODO(), keybase1.TeamGetArg{Name: teamName.String()}) 308 require.NoError(t, err) 309 310 // Bob should have become an admin, because the second invitations 311 // should have been used, not the first one. 312 require.Equal(t, len(details.Members.Admins), 1) 313 require.Equal(t, details.Members.Admins[0].Username, bob.username) 314 } 315 316 func testImpTeamWithRooterParameterized(t *testing.T, public bool) { 317 t.Logf("testImpTeamWithRooterParameterized(public=%t)", public) 318 319 tt := newTeamTester(t) 320 defer tt.cleanup() 321 322 alice := tt.addUser("alice") 323 bob := tt.addUser("bob") 324 tt.logUserNames() 325 326 rooterUser := bob.username + "@rooter" 327 displayName := strings.Join([]string{alice.username, rooterUser}, ",") 328 329 team, err := alice.lookupImplicitTeam(true /*create*/, displayName, public) 330 require.NoError(t, err) 331 332 t.Logf("Created implicit team %v\n", team) 333 334 // TODO: Test chats, but it might be hard since implicit team tlf 335 // name resolution for chat commands needs KBFS running. 336 bob.kickTeamRekeyd() 337 bob.proveRooter() 338 339 alice.waitForTeamChangedGregor(team, keybase1.Seqno(2)) 340 341 // Poll for new team name, without the "@rooter" 342 newDisplayName := strings.Join([]string{alice.username, bob.username}, ",") 343 344 lookupAs := func(u *userPlusDevice) { 345 team2, err := u.lookupImplicitTeam(false /*create*/, newDisplayName, public) 346 require.NoError(t, err) 347 require.Equal(t, team, team2) 348 349 // Lookup by old name should get the same result 350 team2, err = u.lookupImplicitTeam(false /*create*/, displayName, public) 351 require.NoError(t, err) 352 require.Equal(t, team, team2) 353 354 // Test resolver 355 _, err = teams.ResolveIDToName(context.Background(), u.tc.G, team) 356 require.NoError(t, err) 357 } 358 359 lookupAs(alice) 360 lookupAs(bob) 361 362 if public { 363 doug := tt.addUser("doug") 364 t.Logf("Signed up %s (%s) to test public access", doug.username, doug.uid) 365 366 lookupAs(doug) 367 } 368 } 369 370 func TestImpTeamWithRooter(t *testing.T) { 371 testImpTeamWithRooterParameterized(t, false /* public */) 372 testImpTeamWithRooterParameterized(t, true /* public */) 373 } 374 375 func TestImpTeamWithRooterConflict(t *testing.T) { 376 tt := newTeamTester(t) 377 defer tt.cleanup() 378 379 alice := tt.addUser("alice") 380 bob := tt.addUser("bob") 381 382 displayNameRooter := strings.Join([]string{alice.username, bob.username + "@rooter"}, ",") 383 384 team, err := alice.lookupImplicitTeam(true /*create*/, displayNameRooter, false /*isPublic*/) 385 require.NoError(t, err) 386 387 t.Logf("Created implicit team %q -> %s\n", displayNameRooter, team) 388 389 // Bob has not proven rooter yet, so this will create a new, separate team. 390 displayNameKeybase := strings.Join([]string{alice.username, bob.username}, ",") 391 team2, err := alice.lookupImplicitTeam(true /*create*/, displayNameKeybase, false /*isPublic*/) 392 require.NoError(t, err) 393 require.NotEqual(t, team, team2) 394 395 t.Logf("Created implicit team %q -> %s\n", displayNameKeybase, team2) 396 397 bob.kickTeamRekeyd() 398 bob.proveRooter() 399 400 alice.waitForTeamChangedGregor(team, keybase1.Seqno(2)) 401 402 // Display name with rooter name now points to the conflict winner. 403 team3, err := alice.lookupImplicitTeam(false /*create*/, displayNameRooter, false /*isPublic*/) 404 require.NoError(t, err) 405 require.Equal(t, team2, team3) 406 407 // "LookupOrCreate" rooter name should work as well. 408 team3, err = alice.lookupImplicitTeam(true /*create*/, displayNameRooter, false /*isPublic*/) 409 require.NoError(t, err) 410 require.Equal(t, team2, team3) 411 412 // The original name works as well. 413 _, err = alice.lookupImplicitTeam(false /*create*/, displayNameKeybase, false /*isPublic*/) 414 require.NoError(t, err) 415 } 416 417 func TestImpTeamWithMultipleRooters(t *testing.T) { 418 tt := newTeamTester(t) 419 defer tt.cleanup() 420 421 alice := tt.addUser("ali") 422 bob := tt.addUser("bob") 423 charlie := tt.addUser("cha") 424 425 // Both teams include social assertions, so there is no definitive conflict winner. 426 displayNameRooter1 := strings.Join([]string{alice.username, bob.username, charlie.username + "@rooter"}, ",") 427 displayNameRooter2 := strings.Join([]string{alice.username, bob.username + "@rooter", charlie.username}, ",") 428 429 team1, err := alice.lookupImplicitTeam(true /*create*/, displayNameRooter1, false /*isPublic*/) 430 require.NoError(t, err) 431 432 team2, err := alice.lookupImplicitTeam(true /*create*/, displayNameRooter2, false /*isPublic*/) 433 require.NoError(t, err) 434 435 require.NotEqual(t, team1, team2) 436 437 alice.kickTeamRekeyd() 438 bob.proveRooter() 439 charlie.proveRooter() 440 441 toSeqno := keybase1.Seqno(2) 442 var found bool 443 for i := 0; (i < 10) && !found; i++ { 444 select { 445 case arg := <-alice.notifications.changeCh: 446 t.Logf("membership change received: %+v", arg) 447 if (arg.TeamID.Eq(team1) || arg.TeamID.Eq(team2)) && arg.Changes.MembershipChanged && !arg.Changes.KeyRotated && !arg.Changes.Renamed && arg.LatestSeqno == toSeqno { 448 t.Logf("change matched with %q", arg.TeamID) 449 found = true 450 } 451 case <-time.After(1 * time.Second): 452 } 453 } 454 455 require.True(t, found) // Expect "winning team" to be found. 456 457 displayName := strings.Join([]string{alice.username, bob.username, charlie.username}, ",") 458 teamFinal, err := alice.lookupImplicitTeam(false /*create*/, displayName, false /*isPublic*/) 459 require.NoError(t, err) 460 require.True(t, teamFinal == team1 || teamFinal == team2) 461 462 tid, err := alice.lookupImplicitTeam(false /*create*/, displayNameRooter1, false /*isPublic*/) 463 t.Logf("looking up team %s gives %v %v", displayNameRooter1, tid, err) 464 require.NoError(t, err) 465 require.Equal(t, teamFinal, tid) 466 467 tid, err = alice.lookupImplicitTeam(false /*create*/, displayNameRooter2, false /*isPublic*/) 468 require.NoError(t, err) 469 require.Equal(t, teamFinal, tid) 470 t.Logf("looking up team %s gives %v %v", displayNameRooter2, tid, err) 471 } 472 473 func TestClearSocialInvitesOnAdd(t *testing.T) { 474 tt := newTeamTester(t) 475 defer tt.cleanup() 476 477 // Disable gregor in this test so Ann does not immediately add Bob 478 // through SBS handler when bob proves Rooter. 479 ann := makeUserStandalone(t, tt, "ann", standaloneUserArgs{ 480 disableGregor: true, 481 suppressTeamChatAnnounce: true, 482 }) 483 484 tracer := ann.tc.G.CTimeTracer(context.Background(), "test-tracer", true) 485 defer tracer.Finish() 486 487 tracer.Stage("bob") 488 bob := tt.addUser("bob") 489 490 tracer.Stage("team") 491 team := ann.createTeam() 492 493 t.Logf("Ann created team %q", team) 494 495 bobBadRooter := "other" + bob.username 496 497 tracer.Stage("add 1") 498 ann.addTeamMember(team, bob.username+"@rooter", keybase1.TeamRole_WRITER) 499 tracer.Stage("add 2") 500 ann.addTeamMember(team, bobBadRooter+"@rooter", keybase1.TeamRole_WRITER) 501 502 tracer.Stage("prove rooter") 503 bob.proveRooter() 504 505 // Because bob@rooter is now proven by bob, this will add bob as a 506 // member instead of making an invitation. 507 tracer.Stage("add 3") 508 ann.addTeamMember(team, bob.username+"@rooter", keybase1.TeamRole_WRITER) 509 510 tracer.Stage("get team") 511 t0, err := teams.GetTeamByNameForTest(context.TODO(), ann.tc.G, team, false, true) 512 require.NoError(t, err) 513 514 tracer.Stage("assertions") 515 writers, err := t0.UsersWithRole(keybase1.TeamRole_WRITER) 516 require.NoError(t, err) 517 require.Equal(t, len(writers), 1) 518 require.True(t, writers[0].Uid.Equal(bob.uid)) 519 520 hasInv, err := t0.HasActiveInvite(ann.tc.MetaContext(), keybase1.TeamInviteName(bob.username), "rooter") 521 require.NoError(t, err) 522 require.False(t, hasInv, "Adding should have cleared bob...@rooter") 523 524 hasInv, err = t0.HasActiveInvite(ann.tc.MetaContext(), keybase1.TeamInviteName(bobBadRooter), "rooter") 525 require.NoError(t, err) 526 require.True(t, hasInv, "But should not have cleared otherbob...@rooter") 527 } 528 529 func TestSweepObsoleteKeybaseInvites(t *testing.T) { 530 tt := newTeamTester(t) 531 defer tt.cleanup() 532 533 // Disable gregor in this test so Ann does not immediately add Bob 534 // through SBS handler when bob gets PUK. 535 ann := makeUserStandalone(t, tt, "ann", standaloneUserArgs{ 536 disableGregor: true, 537 suppressTeamChatAnnounce: true, 538 }) 539 540 // Get UIDMapper caching out of the equation - assume in real 541 // life, tested actions are spread out in time and caching is not 542 // an issue. 543 ann.tc.G.UIDMapper.SetTestingNoCachingMode(true) 544 545 bob := tt.addPuklessUser("bob") 546 t.Logf("Signed up PUK-less user bob (%s)", bob.username) 547 548 team := ann.createTeam() 549 t.Logf("Team created (%s)", team) 550 551 ann.addTeamMember(team, bob.username, keybase1.TeamRole_WRITER) 552 553 bob.perUserKeyUpgrade() 554 t.Logf("Bob (%s) gets PUK", bob.username) 555 556 teamObj, err := teams.Load(context.Background(), ann.tc.G, keybase1.LoadTeamArg{ 557 Name: team, 558 ForceRepoll: true, 559 NeedAdmin: true, 560 }) 561 require.NoError(t, err) 562 563 // Use ChangeMembership to add bob without sweeping his keybase 564 // invite. 565 err = teamObj.ChangeMembership(context.Background(), keybase1.TeamChangeReq{ 566 Writers: []keybase1.UserVersion{bob.userVersion()}, 567 }) 568 require.NoError(t, err) 569 570 // Bob then leaves team. 571 bob.leave(team) 572 573 teamObj, err = teams.Load(context.Background(), ann.tc.G, keybase1.LoadTeamArg{ 574 Name: team, 575 ForceRepoll: true, 576 }) 577 require.NoError(t, err) 578 579 // Invite should be obsolete, so there are 0 active invites... 580 require.Equal(t, 0, teamObj.NumActiveInvites()) 581 582 // ...but one in "all invites". 583 allInvites := teamObj.GetActiveAndObsoleteInvites() 584 require.Equal(t, 1, len(allInvites)) 585 586 var invite keybase1.TeamInvite 587 for _, invite = range allInvites { 588 break // get the only invite returned 589 } 590 require.Equal(t, bob.userVersion().TeamInviteName(), invite.Name) 591 592 // Simulate SBS message to Ann trying to re-add Bob. 593 sbsMsg := keybase1.TeamSBSMsg{ 594 TeamID: teamObj.ID, 595 Score: 0, 596 Invitees: []keybase1.TeamInvitee{ 597 { 598 InviteID: invite.Id, 599 Uid: bob.uid, 600 EldestSeqno: 1, 601 Role: keybase1.TeamRole_WRITER, 602 }, 603 }, 604 } 605 606 err = teams.HandleSBSRequest(context.Background(), ann.tc.G, sbsMsg) 607 require.Error(t, err) 608 require.IsType(t, libkb.NotFoundError{}, err) 609 610 teamObj, err = teams.Load(context.Background(), ann.tc.G, keybase1.LoadTeamArg{ 611 Name: team, 612 ForceRepoll: true, 613 }) 614 require.NoError(t, err) 615 616 // Bob should still be out of the team. 617 role, err := teamObj.MemberRole(context.Background(), bob.userVersion()) 618 require.NoError(t, err) 619 require.Equal(t, keybase1.TeamRole_NONE, role) 620 } 621 622 func teamInviteRemoveIfHigherRole(t *testing.T, waitForRekeyd bool) { 623 t.Logf("teamInviteRemoveIfHigherRole(waitForRekeyd=%t)", waitForRekeyd) 624 625 tt := newTeamTester(t) 626 defer tt.cleanup() 627 628 userParams := standaloneUserArgs{ 629 disableGregor: true, 630 suppressTeamChatAnnounce: true, 631 } 632 633 var own *userPlusDevice 634 if waitForRekeyd { 635 own = tt.addUser("own") 636 } else { 637 own = makeUserStandalone(t, tt, "own", userParams) 638 } 639 roo := makeUserStandalone(t, tt, "roo", userParams) 640 tt.logUserNames() 641 642 teamID, teamName := own.createTeam2() 643 own.addTeamMember(teamName.String(), roo.username, keybase1.TeamRole_ADMIN) 644 own.addTeamMember(teamName.String(), roo.username+"@rooter", keybase1.TeamRole_WRITER) 645 646 t.Logf("Created team %s", teamName.String()) 647 648 if waitForRekeyd { 649 own.kickTeamRekeyd() 650 } 651 roo.proveRooter() 652 653 if waitForRekeyd { 654 // 3 links at this point: root, change_membership (add "roo"), 655 // invite (add "roo@rooter"). Waiting for 4th link: invite 656 // (cancel "roo@rooter"). 657 own.pollForTeamSeqnoLink(teamName.String(), keybase1.Seqno(4)) 658 } else { 659 teamObj := own.loadTeamByID(teamID, true /* admin */) 660 var invite keybase1.TeamInvite 661 invites := teamObj.GetActiveAndObsoleteInvites() 662 require.Len(t, invites, 1) 663 for _, invite = range invites { 664 // Get the (only) invite from the map to local variable 665 } 666 667 rooUv := roo.userVersion() 668 669 err := teams.HandleSBSRequest(context.Background(), own.tc.G, keybase1.TeamSBSMsg{ 670 TeamID: teamID, 671 Score: 0, 672 Invitees: []keybase1.TeamInvitee{ 673 { 674 InviteID: invite.Id, 675 Uid: rooUv.Uid, 676 EldestSeqno: rooUv.EldestSeqno, 677 }, 678 }, 679 }) 680 require.NoError(t, err) 681 } 682 683 // SBS handler should have canceled the invite after discovering roo is 684 // already a member with higher role. 685 teamObj := own.loadTeamByID(teamID, true /* admin */) 686 require.Len(t, teamObj.GetActiveAndObsoleteInvites(), 0) 687 role, err := teamObj.MemberRole(context.Background(), roo.userVersion()) 688 require.NoError(t, err) 689 require.Equal(t, keybase1.TeamRole_ADMIN, role) 690 } 691 692 func TestTeamInviteRemoveIfHigherRole(t *testing.T) { 693 // This test is parameterized. waitForRekeyd=true will wait for 694 // real rekeyd notification, waitForRekeyd=false will call SBS 695 // handler manually. 696 teamInviteRemoveIfHigherRole(t, true /* waitForRekeyd */) 697 teamInviteRemoveIfHigherRole(t, false /* waitForRekeyd */) 698 } 699 700 func testTeamInviteSweepOldMembers(t *testing.T, startPUKless bool) { 701 t.Logf(":: testTeamInviteSweepOldMembers(startPUKless: %t)", startPUKless) 702 703 tt := newTeamTester(t) 704 defer tt.cleanup() 705 706 own := tt.addUser("own") 707 var roo *userPlusDevice 708 if startPUKless { 709 roo = tt.addPuklessUser("roo") 710 } else { 711 roo = tt.addUser("roo") 712 } 713 tt.logUserNames() 714 715 teamID, teamName := own.createTeam2() 716 own.addTeamMember(teamName.String(), roo.username, keybase1.TeamRole_WRITER) 717 own.addTeamMember(teamName.String(), roo.username+"@rooter", keybase1.TeamRole_ADMIN) 718 719 t.Logf("Created team %s", teamName.String()) 720 721 roo.kickTeamRekeyd() 722 roo.reset() 723 roo.loginAfterReset() 724 725 roo.proveRooter() 726 727 // 3 links to created team, add roo, and add roo@rooter. 728 // + 1 links (rotate, change_membership) to add roo in startPUKless=false case; 729 // or +2 links (change_membersip, cancel invite) to add roo in startPUKless=true case. 730 n := keybase1.Seqno(4) 731 if startPUKless { 732 n = keybase1.Seqno(5) 733 } 734 own.pollForTeamSeqnoLink(teamName.String(), n) 735 736 teamObj := own.loadTeamByID(teamID, true /* admin */) 737 // 0 total invites: rooter invite was completed, and keybase invite was sweeped 738 require.Len(t, teamObj.GetActiveAndObsoleteInvites(), 0) 739 role, err := teamObj.MemberRole(context.Background(), roo.userVersion()) 740 require.NoError(t, err) 741 require.Equal(t, keybase1.TeamRole_ADMIN, role) 742 743 members, err := teamObj.Members() 744 require.NoError(t, err) 745 require.Len(t, members.Owners, 1) 746 require.Len(t, members.Admins, 1) 747 } 748 749 func TestTeamInviteSweepOldMembers(t *testing.T) { 750 testTeamInviteSweepOldMembers(t, false /* startPUKless */) 751 testTeamInviteSweepOldMembers(t, true /* startPUKless */) 752 } 753 754 func TestSBSInviteReuse(t *testing.T) { 755 // Test if server can reuse TOFU invites. 756 tt := newTeamTester(t) 757 defer tt.cleanup() 758 759 makeUser := func(name string) *userPlusDevice { 760 user := makeUserStandalone(t, tt, name, standaloneUserArgs{ 761 disableGregor: true, 762 suppressTeamChatAnnounce: true, 763 }) 764 return user 765 } 766 767 ann := makeUser("ann") 768 bob := makeUser("bob") 769 joe := makeUser("joe") 770 771 teamID, teamName := ann.createTeam2() 772 t.Logf("Team created (%s)", teamID) 773 774 // Use sbs_test.go code to verify email. 775 sbsEmail := &userSBSEmail{} 776 sbsEmail.SetUser(bob) 777 778 email := bob.userInfo.email 779 ann.addTeamMemberEmail(teamName.String(), email, keybase1.TeamRole_WRITER) 780 781 sbsEmail.Verify() 782 783 // Get first invite ID, will be the one we've just added. 784 teamObj := ann.loadTeamByID(teamID, true /* admin */) 785 allInvites := teamObj.GetActiveAndObsoleteInvites() 786 require.Len(t, allInvites, 1) 787 var inviteID keybase1.TeamInviteID 788 for _, invite := range allInvites { 789 inviteID = invite.Id 790 require.True(t, invite.Type.Eq(keybase1.NewTeamInviteTypeDefault(keybase1.TeamInviteCategory_EMAIL))) 791 } 792 793 // Create a SBS message payload that we will be using to give directly to 794 // the SBS handler function for given user. So it will appear as if it 795 // comes from gregor. 796 sbsMsg := keybase1.TeamSBSMsg{ 797 TeamID: teamID, 798 Invitees: []keybase1.TeamInvitee{ 799 { 800 InviteID: inviteID, 801 Uid: bob.uid, 802 EldestSeqno: 1, 803 // Role can be whatever - client should not trust it. 804 Role: keybase1.TeamRole_ADMIN, 805 }, 806 }, 807 } 808 809 err := teams.HandleSBSRequest(context.Background(), ann.tc.G, sbsMsg) 810 require.NoError(t, err) 811 812 // Invite should have been completed. 813 teamObj = ann.loadTeamByID(teamID, true /* admin */) 814 require.Len(t, teamObj.GetActiveAndObsoleteInvites(), 0) 815 816 // Try to send the same message but with different UID. 817 sbsMsg.Invitees[0].Uid = joe.uid 818 err = teams.HandleSBSRequest(context.Background(), ann.tc.G, sbsMsg) 819 require.Error(t, err) 820 require.IsType(t, libkb.NotFoundError{}, err) 821 require.Contains(t, err.Error(), "Invite not found") 822 } 823 824 func proveGubbleUniverse(tc *libkb.TestContext, serviceName, endpoint string, username string, secretUI libkb.SecretUI) keybase1.SigID { 825 tc.T.Logf("proof for %s", serviceName) 826 g := tc.G 827 proofService := g.GetProofServices().GetServiceType(context.Background(), serviceName) 828 require.NotNil(tc.T, proofService) 829 830 // Post a proof to the testing generic social service 831 arg := keybase1.StartProofArg{ 832 Service: proofService.GetTypeName(), 833 Username: username, 834 Force: false, 835 PromptPosted: true, 836 } 837 eng := engine.NewProve(g, &arg) 838 839 // Post the proof to the gubble network and verify the sig hash 840 outputInstructionsHook := func(ctx context.Context, _ keybase1.OutputInstructionsArg) error { 841 sigID := eng.SigID() 842 require.False(tc.T, sigID.IsNil()) 843 mctx := libkb.NewMetaContext(ctx, g) 844 845 apiArg := libkb.APIArg{ 846 Endpoint: fmt.Sprintf("gubble_universe/%s", endpoint), 847 SessionType: libkb.APISessionTypeREQUIRED, 848 Args: libkb.HTTPArgs{ 849 "sig_hash": libkb.S{Val: sigID.String()}, 850 "username": libkb.S{Val: username}, 851 "kb_username": libkb.S{Val: username}, 852 "kb_ua": libkb.S{Val: libkb.UserAgent}, 853 "json_redirect": libkb.B{Val: true}, 854 }, 855 } 856 _, err := g.API.Post(libkb.NewMetaContext(ctx, g), apiArg) 857 require.NoError(tc.T, err) 858 859 apiArg = libkb.APIArg{ 860 Endpoint: fmt.Sprintf("gubble_universe/%s/%s/proofs", endpoint, username), 861 SessionType: libkb.APISessionTypeNONE, 862 } 863 res, err := g.GetAPI().Get(mctx, apiArg) 864 require.NoError(tc.T, err) 865 objects, err := jsonhelpers.AtSelectorPath(res.Body, []keybase1.SelectorEntry{ 866 { 867 IsKey: true, 868 Key: "res", 869 }, 870 { 871 IsKey: true, 872 Key: "keybase_proofs", 873 }, 874 }, tc.T.Logf, libkb.NewInvalidPVLSelectorError) 875 require.NoError(tc.T, err) 876 require.Len(tc.T, objects, 1) 877 878 var proofs []keybase1.ParamProofJSON 879 err = objects[0].UnmarshalAgain(&proofs) 880 require.NoError(tc.T, err) 881 require.True(tc.T, len(proofs) >= 1) 882 for _, proof := range proofs { 883 if proof.KbUsername == username && sigID.Eq(proof.SigHash) { 884 return nil 885 } 886 } 887 assert.Fail(tc.T, "proof not found") 888 return nil 889 } 890 891 proveUI := &ProveUIMock{outputInstructionsHook: outputInstructionsHook} 892 uis := libkb.UIs{ 893 LogUI: g.Log, 894 SecretUI: secretUI, 895 ProveUI: proveUI, 896 } 897 m := libkb.NewMetaContextTODO(g).WithUIs(uis) 898 err := engine.RunEngine2(m, eng) 899 checkFailed(tc.T.(testing.TB)) 900 require.NoError(tc.T, err) 901 require.False(tc.T, proveUI.overwrite) 902 require.False(tc.T, proveUI.warning) 903 require.False(tc.T, proveUI.recheck) 904 require.True(tc.T, proveUI.checked) 905 return eng.SigID() 906 } 907 908 type ProveUIMock struct { 909 username, recheck, overwrite, warning, checked bool 910 postID string 911 outputInstructionsHook func(context.Context, keybase1.OutputInstructionsArg) error 912 okToCheckHook func(context.Context, keybase1.OkToCheckArg) (bool, string, error) 913 checkingHook func(context.Context, keybase1.CheckingArg) error 914 } 915 916 func (p *ProveUIMock) PromptOverwrite(_ context.Context, arg keybase1.PromptOverwriteArg) (bool, error) { 917 p.overwrite = true 918 return true, nil 919 } 920 921 func (p *ProveUIMock) PromptUsername(_ context.Context, arg keybase1.PromptUsernameArg) (string, error) { 922 p.username = true 923 return "", nil 924 } 925 926 func (p *ProveUIMock) OutputPrechecks(_ context.Context, arg keybase1.OutputPrechecksArg) error { 927 return nil 928 } 929 930 func (p *ProveUIMock) PreProofWarning(_ context.Context, arg keybase1.PreProofWarningArg) (bool, error) { 931 p.warning = true 932 return true, nil 933 } 934 935 func (p *ProveUIMock) OutputInstructions(ctx context.Context, arg keybase1.OutputInstructionsArg) error { 936 if p.outputInstructionsHook != nil { 937 return p.outputInstructionsHook(ctx, arg) 938 } 939 return nil 940 } 941 942 func (p *ProveUIMock) OkToCheck(ctx context.Context, arg keybase1.OkToCheckArg) (bool, error) { 943 if !p.checked { 944 p.checked = true 945 ok, postID, err := p.okToCheckHook(ctx, arg) 946 p.postID = postID 947 return ok, err 948 } 949 return false, fmt.Errorf("Check should have worked the first time!") 950 } 951 952 func (p *ProveUIMock) Checking(ctx context.Context, arg keybase1.CheckingArg) (err error) { 953 if p.checkingHook != nil { 954 err = p.checkingHook(ctx, arg) 955 } 956 p.checked = true 957 return err 958 } 959 960 func (p *ProveUIMock) ContinueChecking(ctx context.Context, _ int) (bool, error) { 961 return true, nil 962 } 963 964 func (p *ProveUIMock) DisplayRecheckWarning(_ context.Context, arg keybase1.DisplayRecheckWarningArg) error { 965 p.recheck = true 966 return nil 967 } 968 969 func checkFailed(t testing.TB) { 970 if t.Failed() { 971 // The test failed. Possibly in anothe goroutine. Look earlier in the logs for the real failure. 972 require.FailNow(t, "test already failed") 973 } 974 }