github.com/keybase/client/go@v0.0.0-20241007131713-f10651d043c8/engine/signup_test.go (about) 1 // Copyright 2015 Keybase, Inc. All rights reserved. Use of 2 // this source code is governed by the included BSD license. 3 4 package engine 5 6 import ( 7 "fmt" 8 "os" 9 "path/filepath" 10 "runtime" 11 "testing" 12 13 "encoding/base64" 14 "github.com/keybase/client/go/bot" 15 "github.com/keybase/client/go/libkb" 16 keybase1 "github.com/keybase/client/go/protocol/keybase1" 17 "github.com/stretchr/testify/require" 18 ) 19 20 func AssertDeviceID(g *libkb.GlobalContext) (err error) { 21 if g.Env.GetDeviceID().IsNil() { 22 err = fmt.Errorf("Device ID should not have been reset!") 23 } 24 return 25 } 26 27 func TestSignupEngine(t *testing.T) { 28 subTestSignupEngine(t, false) 29 } 30 31 func subTestSignupEngine(t *testing.T, upgradePerUserKey bool) { 32 tc := SetupEngineTest(t, "signup") 33 defer tc.Cleanup() 34 var err error 35 36 tc.Tp.DisableUpgradePerUserKey = !upgradePerUserKey 37 38 fu := CreateAndSignupFakeUser(tc, "se") 39 40 if err = AssertLoggedIn(tc); err != nil { 41 t.Fatal(err) 42 } 43 44 if err = AssertDeviceID(tc.G); err != nil { 45 t.Fatal(err) 46 } 47 48 me, err := libkb.LoadMe(libkb.NewLoadUserArg(tc.G)) 49 if err != nil { 50 t.Fatal(err) 51 } 52 if me.GetEldestKID().IsNil() { 53 t.Fatal("after signup, eldest kid is nil") 54 } 55 56 // Now try to logout and log back in 57 Logout(tc) 58 59 if err = AssertDeviceID(tc.G); err != nil { 60 t.Fatal(err) 61 } 62 63 if err := AssertLoggedOut(tc); err != nil { 64 t.Fatal(err) 65 } 66 67 fu.LoginOrBust(tc) 68 69 if err = AssertDeviceID(tc.G); err != nil { 70 t.Fatal(err) 71 } 72 73 if err = AssertLoggedIn(tc); err != nil { 74 t.Fatal(err) 75 } 76 77 if err = AssertDeviceID(tc.G); err != nil { 78 t.Fatal(err) 79 } 80 81 // Now try to logout and log back in 82 Logout(tc) 83 84 if err := AssertLoggedOut(tc); err != nil { 85 t.Fatal(err) 86 } 87 88 secretUI := fu.NewSecretUI() 89 err = fu.LoginWithSecretUI(secretUI, tc.G) 90 if err != nil { 91 t.Fatal(err) 92 } 93 94 if !secretUI.CalledGetPassphrase { 95 t.Errorf("secretUI.GetKeybasePassphrase() not called") 96 } 97 98 if err = AssertDeviceID(tc.G); err != nil { 99 t.Fatal(err) 100 } 101 102 if err = AssertLoggedIn(tc); err != nil { 103 t.Fatal(err) 104 } 105 106 // Now try to logout to make sure we logged out OK 107 Logout(tc) 108 109 if err = AssertDeviceID(tc.G); err != nil { 110 t.Fatal(err) 111 } 112 113 if err = AssertLoggedOut(tc); err != nil { 114 t.Fatal(err) 115 } 116 } 117 118 // Test that after signing up the used User object has their first per-user-key 119 // locall delegated. 120 func TestSignupLocalDelegatePerUserKey(t *testing.T) { 121 tc := SetupEngineTest(t, "signup") 122 defer tc.Cleanup() 123 124 _, signupEngine := CreateAndSignupFakeUser2(tc, "se") 125 126 u := signupEngine.GetMe() 127 require.NotNil(t, u, "no user from signup engine") 128 puk := u.GetComputedKeyFamily().GetLatestPerUserKey() 129 require.NotNil(t, puk, "no local per-user-key") 130 require.Equal(t, 1, puk.Gen) 131 } 132 133 func TestSignupWithGPG(t *testing.T) { 134 tc := SetupEngineTest(t, "signupWithGPG") 135 defer tc.Cleanup() 136 137 fu := NewFakeUserOrBust(t, "se") 138 if err := tc.GenerateGPGKeyring(fu.Email); err != nil { 139 t.Fatal(err) 140 } 141 arg := MakeTestSignupEngineRunArg(fu) 142 arg.SkipGPG = false 143 s := NewSignupEngine(tc.G, &arg) 144 uis := libkb.UIs{ 145 LogUI: tc.G.UI.GetLogUI(), 146 GPGUI: &gpgtestui{}, 147 SecretUI: fu.NewSecretUI(), 148 LoginUI: &libkb.TestLoginUI{Username: fu.Username}, 149 } 150 if err := RunEngine2(NewMetaContextForTest(tc).WithUIs(uis), s); err != nil { 151 t.Fatal(err) 152 } 153 } 154 155 func TestLocalKeySecurity(t *testing.T) { 156 tc := SetupEngineTest(t, "signup") 157 defer tc.Cleanup() 158 fu := NewFakeUserOrBust(t, "se") 159 arg := MakeTestSignupEngineRunArg(fu) 160 s := NewSignupEngine(tc.G, &arg) 161 uis := libkb.UIs{ 162 LogUI: tc.G.UI.GetLogUI(), 163 GPGUI: &gpgtestui{}, 164 SecretUI: fu.NewSecretUI(), 165 LoginUI: &libkb.TestLoginUI{Username: fu.Username}, 166 } 167 if err := RunEngine2(NewMetaContextForTest(tc).WithUIs(uis), s); err != nil { 168 t.Fatal(err) 169 } 170 171 m := NewMetaContextForTest(tc) 172 lks := libkb.NewLKSec(s.ppStream, s.uid) 173 if err := lks.Load(m); err != nil { 174 t.Fatal(err) 175 } 176 177 text := "the people on the bus go up and down, up and down, up and down" 178 enc, err := lks.Encrypt(m, []byte(text)) 179 if err != nil { 180 t.Fatal(err) 181 } 182 183 dec, _, _, err := lks.Decrypt(m, enc) 184 if err != nil { 185 t.Fatal(err) 186 } 187 if string(dec) != text { 188 t.Errorf("decrypt: %q, expected %q", string(dec), text) 189 } 190 } 191 192 // Test that the signup engine stores the secret correctly when 193 // StoreSecret is set. 194 func TestLocalKeySecurityStoreSecret(t *testing.T) { 195 tc := SetupEngineTest(t, "signup") 196 defer tc.Cleanup() 197 fu := NewFakeUserOrBust(t, "se") 198 mctx := tc.MetaContext() 199 200 secretStore := libkb.NewSecretStore(mctx, fu.NormalizedUsername()) 201 if secretStore == nil { 202 t.Skip("No SecretStore on this platform") 203 } 204 205 _, err := secretStore.RetrieveSecret(NewMetaContextForTest(tc)) 206 if err == nil { 207 t.Fatal("User unexpectedly has secret") 208 } 209 210 arg := MakeTestSignupEngineRunArg(fu) 211 arg.StoreSecret = true 212 s := SignupFakeUserWithArg(tc, fu, arg) 213 214 secret, err := s.lks.GetSecret(mctx) 215 if err != nil { 216 t.Fatal(err) 217 } 218 219 storedSecret, err := secretStore.RetrieveSecret(NewMetaContextForTest(tc)) 220 if err != nil { 221 t.Error(err) 222 } 223 224 if !secret.Equal(storedSecret) { 225 t.Errorf("Expected %v, got %v", secret, storedSecret) 226 } 227 228 err = tc.G.SecretStore().ClearSecret(NewMetaContextForTest(tc), fu.NormalizedUsername()) 229 if err != nil { 230 t.Error(err) 231 } 232 } 233 234 func TestIssue280(t *testing.T) { 235 tc := SetupEngineTest(t, "login") 236 defer tc.Cleanup() 237 238 // Initialize state with user U1 239 u1 := CreateAndSignupFakeUser(tc, "login") 240 Logout(tc) 241 u1.LoginOrBust(tc) 242 Logout(tc) 243 244 // Now try to sign in as user U2, and do something 245 // that needs access to a locked local secret key. 246 // Delegating to a new PGP key seems good enough. 247 u2 := CreateAndSignupFakeUser(tc, "login") 248 249 secui := u2.NewSecretUI() 250 arg := PGPKeyImportEngineArg{ 251 Gen: &libkb.PGPGenArg{ 252 PrimaryBits: 768, 253 SubkeyBits: 768, 254 }, 255 } 256 err := arg.Gen.MakeAllIds(tc.G) 257 require.NoError(t, err) 258 uis := libkb.UIs{ 259 LogUI: tc.G.UI.GetLogUI(), 260 SecretUI: secui, 261 } 262 eng := NewPGPKeyImportEngine(tc.G, arg) 263 m := NewMetaContextForTest(tc).WithUIs(uis) 264 err = RunEngine2(m, eng) 265 if err != nil { 266 t.Fatal(err) 267 } 268 } 269 270 func TestSignupGeneratesPaperKey(t *testing.T) { 271 tc := SetupEngineTest(t, "signup") 272 defer tc.Cleanup() 273 274 fu := CreateAndSignupFakeUserPaper(tc, "se") 275 hasOnePaperDev(tc, fu) 276 } 277 278 func TestSignupPassphrases(t *testing.T) { 279 tc := SetupEngineTest(t, "signup") 280 defer tc.Cleanup() 281 CreateAndSignupFakeUserWithPassphrase(tc, "pass", "123456789012") 282 CreateAndSignupFakeUserWithPassphrase(tc, "pass", "12345678") 283 } 284 285 func TestSignupShortPassphrase(t *testing.T) { 286 tc := SetupEngineTest(t, "signup") 287 defer tc.Cleanup() 288 289 fu := NewFakeUserOrBust(t, "sup") 290 fu.Passphrase = "1234567" 291 uis := libkb.UIs{ 292 LogUI: tc.G.UI.GetLogUI(), 293 GPGUI: &gpgtestui{}, 294 SecretUI: fu.NewSecretUI(), 295 LoginUI: &libkb.TestLoginUI{Username: fu.Username}, 296 } 297 arg := MakeTestSignupEngineRunArg(fu) 298 t.Logf("signup arg: %+v", arg) 299 s := NewSignupEngine(tc.G, &arg) 300 err := RunEngine2(NewMetaContextForTest(tc).WithUIs(uis), s) 301 if err == nil { 302 t.Fatal("signup worked with short passphrase") 303 } 304 if _, ok := err.(libkb.PassphraseError); !ok { 305 t.Fatalf("error type: %T, expected libkb.PassphraseError", err) 306 } 307 } 308 309 func TestSignupNonAsciiDeviceName(t *testing.T) { 310 tc := SetupEngineTest(t, "signup") 311 defer tc.Cleanup() 312 313 testValues := []struct { 314 deviceName string 315 err error 316 }{ 317 {"perfectly-reasonable", nil}, 318 {"definitely🙃not🐉ascii", libkb.DeviceBadNameError{}}, 319 } 320 321 for _, testVal := range testValues { 322 fu, _ := NewFakeUser("sup") 323 arg := MakeTestSignupEngineRunArg(fu) 324 arg.DeviceName = testVal.deviceName 325 _, err := CreateAndSignupFakeUserSafeWithArg(tc.G, fu, arg) 326 require.IsType(t, err, testVal.err) 327 } 328 } 329 330 func TestSignupNOPWBadParams(t *testing.T) { 331 tc := SetupEngineTest(t, "signup_nopw") 332 defer tc.Cleanup() 333 334 fu, _ := NewFakeUser("sup") 335 arg := MakeTestSignupEngineRunArg(fu) 336 arg.StoreSecret = false 337 arg.GenerateRandomPassphrase = true 338 arg.Passphrase = "" 339 _, err := CreateAndSignupFakeUserSafeWithArg(tc.G, fu, arg) 340 require.Error(t, err) 341 342 // Make sure user has not signed up - the engine should fail before running 343 // signup_join. 344 loadArg := libkb.NewLoadUserByNameArg(tc.G, fu.Username).WithPublicKeyOptional() 345 _, err = libkb.LoadUser(loadArg) 346 require.Error(t, err) 347 require.IsType(t, libkb.NotFoundError{}, err) 348 } 349 350 func TestSignupWithoutSecretStore(t *testing.T) { 351 tc := SetupEngineTest(t, "signup_nopw") 352 defer tc.Cleanup() 353 354 // Setup memory-only secret store. 355 libkb.ReplaceSecretStoreForTests(tc, "" /* dataDir */) 356 357 fu, _ := NewFakeUser("sup") 358 arg := MakeTestSignupEngineRunArg(fu) 359 arg.StoreSecret = true 360 arg.GenerateRandomPassphrase = true 361 arg.Passphrase = "" 362 _, err := CreateAndSignupFakeUserSafeWithArg(tc.G, fu, arg) 363 require.Error(t, err) 364 require.Contains(t, err.Error(), "persistent secret store is required") 365 366 // Make sure user has not signed up - the engine should fail before running 367 // signup_join. 368 loadArg := libkb.NewLoadUserByNameArg(tc.G, fu.Username).WithPublicKeyOptional() 369 _, err = libkb.LoadUser(loadArg) 370 require.Error(t, err) 371 require.IsType(t, libkb.NotFoundError{}, err) 372 } 373 374 func TestSignupWithBadSecretStore(t *testing.T) { 375 if runtime.GOOS == "windows" { 376 t.Skip("this test uses chmod, skipping on Windows") 377 } 378 379 tc := SetupEngineTest(t, "signup_nopw") 380 defer tc.Cleanup() 381 tc.G.Env.Test.SecretStorePrimingDisabled = false 382 383 // Create a secret store that's read only - even though 384 // secret store exists, secrets cannot be stored. 385 td, cleanup := libkb.CreateReadOnlySecretStoreDir(tc) 386 defer cleanup() 387 libkb.ReplaceSecretStoreForTests(tc, td) 388 389 fu, _ := NewFakeUser("sup") 390 arg := MakeTestSignupEngineRunArg(fu) 391 arg.StoreSecret = true 392 arg.GenerateRandomPassphrase = true 393 arg.Passphrase = "" 394 _, err := CreateAndSignupFakeUserSafeWithArg(tc.G, fu, arg) 395 require.Error(t, err) 396 require.IsType(t, SecretStoreNotFunctionalError{}, err) 397 require.Contains(t, err.Error(), "permission denied") 398 399 // Make sure user has not signed up - the engine should fail before running 400 // signup_join. 401 loadArg := libkb.NewLoadUserByNameArg(tc.G, fu.Username).WithPublicKeyOptional() 402 _, err = libkb.LoadUser(loadArg) 403 require.Error(t, err) 404 require.IsType(t, libkb.NotFoundError{}, err) 405 } 406 407 func assertNoFiles(t *testing.T, dir string, files []string) { 408 err := filepath.Walk(dir, 409 func(path string, info os.FileInfo, err error) error { 410 if err != nil { 411 return err 412 } 413 for _, f := range files { 414 require.NotEqual(t, f, filepath.Base(path)) 415 416 } 417 return nil 418 }, 419 ) 420 require.NoError(t, err) 421 } 422 423 func TestBotSignup(t *testing.T) { 424 tc := SetupEngineTest(t, "signup_bot") 425 defer tc.Cleanup() 426 _ = CreateAndSignupFakeUser(tc, "own") 427 428 mctx := NewMetaContextForTest(tc) 429 botToken, err := bot.CreateToken(mctx) 430 require.NoError(t, err) 431 432 fuBot, err := NewFakeUser("bot") 433 require.NoError(t, err) 434 botName := fuBot.Username 435 436 // Signup tc2 in Bot mode 437 tc2 := SetupEngineTest(t, "signup_bot") 438 defer tc2.Cleanup() 439 440 twiddle := func(tok keybase1.BotToken) keybase1.BotToken { 441 b, err := base64.URLEncoding.DecodeString(string(tok)) 442 require.NoError(t, err) 443 b[0] ^= 0x1 444 return keybase1.BotToken(base64.URLEncoding.EncodeToString(b)) 445 } 446 447 arg := SignupEngineRunArg{ 448 Username: botName, 449 InviteCode: libkb.TestInvitationCode, 450 StoreSecret: false, 451 GenerateRandomPassphrase: true, 452 SkipGPG: true, 453 SkipMail: true, 454 SkipPaper: true, 455 BotToken: twiddle(botToken), 456 } 457 458 uis := libkb.UIs{ 459 LogUI: tc.G.UI.GetLogUI(), 460 } 461 462 // First fail the signup since we put up a bad bot Token 463 signupEng := NewSignupEngine(tc2.G, &arg) 464 m := NewMetaContextForTest(tc2).WithUIs(uis) 465 err = RunEngine2(m, signupEng) 466 require.Error(t, err) 467 appErr, ok := err.(SignupJoinEngineRunRes).Err.(libkb.AppStatusError) 468 require.True(t, ok) 469 require.Equal(t, appErr.Code, int(keybase1.StatusCode_SCBotSignupTokenNotFound)) 470 471 // Next success since we have a good bot token 472 arg.BotToken = botToken 473 signupEng = NewSignupEngine(tc2.G, &arg) 474 err = RunEngine2(m, signupEng) 475 require.NoError(tc2.T, err) 476 pk := signupEng.PaperKey() 477 478 // Check that it worked to sign in 479 testSign(t, tc2) 480 trackAlice(tc2, fuBot, 2) 481 err = m.LogoutAndDeprovisionIfRevoked() 482 require.NoError(t, err) 483 484 // Check that we didn't write a config.json or anything 485 assertNoDurableFiles := func() { 486 assertNoFiles(t, tc2.G.Env.GetConfigDir(), 487 []string{ 488 "config.json", 489 filepath.Base(tc2.G.SKBFilenameForUser(libkb.NewNormalizedUsername(botName))), 490 }) 491 } 492 assertNoDurableFiles() 493 494 Logout(tc2) 495 496 // Now check that we can log back in via oneshot 497 oneshotEng := NewLoginOneshot(tc2.G, keybase1.LoginOneshotArg{ 498 Username: botName, 499 PaperKey: pk.String(), 500 }) 501 m = NewMetaContextForTest(tc2) 502 err = RunEngine2(m, oneshotEng) 503 require.NoError(t, err) 504 err = AssertProvisioned(tc2) 505 require.NoError(t, err) 506 testSign(t, tc2) 507 untrackAlice(tc2, fuBot, 2) 508 err = m.LogoutAndDeprovisionIfRevoked() 509 require.NoError(t, err) 510 assertNoDurableFiles() 511 }