github.com/keybase/client/go@v0.0.0-20241007131713-f10651d043c8/kbfs/libkbfs/kbpki_client.go (about) 1 // Copyright 2016 Keybase Inc. All rights reserved. 2 // Use of this source code is governed by a BSD 3 // license that can be found in the LICENSE file. 4 5 package libkbfs 6 7 import ( 8 "context" 9 "fmt" 10 "time" 11 12 lru "github.com/hashicorp/golang-lru" 13 "github.com/keybase/client/go/kbfs/idutil" 14 "github.com/keybase/client/go/kbfs/kbfscrypto" 15 "github.com/keybase/client/go/kbfs/kbfsmd" 16 "github.com/keybase/client/go/kbfs/tlf" 17 kbname "github.com/keybase/client/go/kbun" 18 "github.com/keybase/client/go/libkb" 19 "github.com/keybase/client/go/logger" 20 "github.com/keybase/client/go/protocol/keybase1" 21 ) 22 23 const ( 24 idToUserCacheSize = 50 25 ) 26 27 // keybaseServiceOwner is a wrapper around a KeybaseService, to allow 28 // switching the underlying service at runtime. It is usually 29 // implemented by Config. 30 type keybaseServiceOwner interface { 31 KeybaseService() KeybaseService 32 } 33 34 // KBPKIClient uses a KeybaseService. 35 type KBPKIClient struct { 36 serviceOwner keybaseServiceOwner 37 log logger.Logger 38 idToUserCache *lru.Cache 39 } 40 41 var _ KBPKI = (*KBPKIClient)(nil) 42 43 // NewKBPKIClient returns a new KBPKIClient with the given service. 44 func NewKBPKIClient( 45 serviceOwner keybaseServiceOwner, log logger.Logger) *KBPKIClient { 46 cache, err := lru.New(idToUserCacheSize) 47 if err != nil { 48 cache = nil 49 log.CDebugf(context.TODO(), "Error creating LRU cache: %+v", err) 50 } 51 52 return &KBPKIClient{serviceOwner, log, cache} 53 } 54 55 // GetCurrentSession implements the KBPKI interface for KBPKIClient. 56 func (k *KBPKIClient) GetCurrentSession(ctx context.Context) ( 57 idutil.SessionInfo, error) { 58 const sessionID = 0 59 return k.serviceOwner.KeybaseService().CurrentSession(ctx, sessionID) 60 } 61 62 // Resolve implements the KBPKI interface for KBPKIClient. 63 func (k *KBPKIClient) Resolve( 64 ctx context.Context, assertion string, 65 offline keybase1.OfflineAvailability) ( 66 kbname.NormalizedUsername, keybase1.UserOrTeamID, error) { 67 return k.serviceOwner.KeybaseService().Resolve(ctx, assertion, offline) 68 } 69 70 // Identify implements the KBPKI interface for KBPKIClient. 71 func (k *KBPKIClient) Identify( 72 ctx context.Context, assertion, reason string, 73 offline keybase1.OfflineAvailability) ( 74 kbname.NormalizedUsername, keybase1.UserOrTeamID, error) { 75 return k.serviceOwner.KeybaseService().Identify( 76 ctx, assertion, reason, offline) 77 } 78 79 // NormalizeSocialAssertion implements the KBPKI interface for KBPKIClient. 80 func (k *KBPKIClient) NormalizeSocialAssertion( 81 ctx context.Context, assertion string) (keybase1.SocialAssertion, error) { 82 return k.serviceOwner.KeybaseService().NormalizeSocialAssertion(ctx, assertion) 83 } 84 85 // ResolveImplicitTeam implements the KBPKI interface for KBPKIClient. 86 func (k *KBPKIClient) ResolveImplicitTeam( 87 ctx context.Context, assertions, suffix string, tlfType tlf.Type, 88 offline keybase1.OfflineAvailability) ( 89 idutil.ImplicitTeamInfo, error) { 90 return k.serviceOwner.KeybaseService().ResolveIdentifyImplicitTeam( 91 ctx, assertions, suffix, tlfType, false, "", offline) 92 } 93 94 // ResolveImplicitTeamByID implements the KBPKI interface for KBPKIClient. 95 func (k *KBPKIClient) ResolveImplicitTeamByID( 96 ctx context.Context, teamID keybase1.TeamID, tlfType tlf.Type, 97 offline keybase1.OfflineAvailability) ( 98 idutil.ImplicitTeamInfo, error) { 99 name, err := k.serviceOwner.KeybaseService().ResolveImplicitTeamByID( 100 ctx, teamID) 101 if err != nil { 102 return idutil.ImplicitTeamInfo{}, err 103 } 104 105 assertions, suffix, err := tlf.SplitExtension(name) 106 if err != nil { 107 return idutil.ImplicitTeamInfo{}, err 108 } 109 110 return k.serviceOwner.KeybaseService().ResolveIdentifyImplicitTeam( 111 ctx, assertions, suffix, tlfType, false, "", offline) 112 } 113 114 // ResolveTeamTLFID implements the KBPKI interface for KBPKIClient. 115 func (k *KBPKIClient) ResolveTeamTLFID( 116 ctx context.Context, teamID keybase1.TeamID, 117 offline keybase1.OfflineAvailability) (tlf.ID, error) { 118 settings, err := k.serviceOwner.KeybaseService().GetTeamSettings( 119 ctx, teamID, offline) 120 if err != nil { 121 return tlf.NullID, err 122 } 123 if settings.TlfID.IsNil() { 124 return tlf.NullID, err 125 } 126 tlfID, err := tlf.ParseID(settings.TlfID.String()) 127 if err != nil { 128 return tlf.NullID, err 129 } 130 return tlfID, nil 131 } 132 133 // IdentifyImplicitTeam identifies (and creates if necessary) the 134 // given implicit team. 135 func (k *KBPKIClient) IdentifyImplicitTeam( 136 ctx context.Context, assertions, suffix string, tlfType tlf.Type, 137 reason string, offline keybase1.OfflineAvailability) ( 138 idutil.ImplicitTeamInfo, error) { 139 return k.serviceOwner.KeybaseService().ResolveIdentifyImplicitTeam( 140 ctx, assertions, suffix, tlfType, true, reason, offline) 141 } 142 143 // GetNormalizedUsername implements the KBPKI interface for 144 // KBPKIClient. 145 func (k *KBPKIClient) GetNormalizedUsername( 146 ctx context.Context, id keybase1.UserOrTeamID, 147 offline keybase1.OfflineAvailability) ( 148 username kbname.NormalizedUsername, err error) { 149 if k.idToUserCache != nil { 150 tmp, ok := k.idToUserCache.Get(id) 151 if ok { 152 username, ok = tmp.(kbname.NormalizedUsername) 153 if ok { 154 return username, nil 155 } 156 } 157 } 158 159 var assertion string 160 if id.IsUser() { 161 assertion = fmt.Sprintf("uid:%s", id) 162 } else { 163 assertion = fmt.Sprintf("tid:%s", id) 164 } 165 username, _, err = k.Resolve(ctx, assertion, offline) 166 if err != nil { 167 return kbname.NormalizedUsername(""), err 168 } 169 k.idToUserCache.Add(id, username) 170 return username, nil 171 } 172 173 func (k *KBPKIClient) hasVerifyingKey( 174 ctx context.Context, uid keybase1.UID, verifyingKey kbfscrypto.VerifyingKey, 175 atServerTime time.Time, offline keybase1.OfflineAvailability) ( 176 bool, error) { 177 userInfo, err := k.loadUserPlusKeys(ctx, uid, verifyingKey.KID(), offline) 178 if err != nil { 179 return false, err 180 } 181 182 for _, key := range userInfo.VerifyingKeys { 183 if verifyingKey.KID().Equal(key.KID()) { 184 return true, nil 185 } 186 } 187 188 info, ok := userInfo.RevokedVerifyingKeys[verifyingKey] 189 if !ok { 190 return false, nil 191 } 192 193 // We add some slack to the revoke time, because the MD server 194 // won't instanteneously find out about the revoke -- it might 195 // keep accepting writes from the revoked device for a short 196 // period of time until it learns about the revoke. 197 const revokeSlack = 1 * time.Minute 198 revokedTime := keybase1.FromTime(info.Time) 199 // Check the server times -- if the key was valid at the given 200 // time, the caller can proceed with their merkle checking if 201 // desired. 202 if atServerTime.Before(revokedTime.Add(revokeSlack)) { 203 k.log.CDebugf(ctx, "Revoked verifying key %s for user %s passes time "+ 204 "check (revoked time: %v vs. server time %v, slack=%s)", 205 verifyingKey.KID(), uid, revokedTime, atServerTime, revokeSlack) 206 return false, RevokedDeviceVerificationError{info} 207 } 208 k.log.CDebugf(ctx, "Not trusting revoked verifying key %s for "+ 209 "user %s (revoked time: %v vs. server time %v, slack=%s)", 210 verifyingKey.KID(), uid, revokedTime, atServerTime, revokeSlack) 211 return false, nil 212 } 213 214 // HasVerifyingKey implements the KBPKI interface for KBPKIClient. 215 func (k *KBPKIClient) HasVerifyingKey( 216 ctx context.Context, uid keybase1.UID, verifyingKey kbfscrypto.VerifyingKey, 217 atServerTime time.Time, offline keybase1.OfflineAvailability) error { 218 ok, err := k.hasVerifyingKey(ctx, uid, verifyingKey, atServerTime, offline) 219 if err != nil { 220 return err 221 } 222 if ok { 223 return nil 224 } 225 226 // If the first attempt couldn't find the key, try again after 227 // clearing our local cache. We might have stale info if the 228 // service hasn't learned of the users' new key yet. 229 k.serviceOwner.KeybaseService().FlushUserFromLocalCache(ctx, uid) 230 231 ok, err = k.hasVerifyingKey(ctx, uid, verifyingKey, atServerTime, offline) 232 if err != nil { 233 return err 234 } 235 if !ok { 236 return VerifyingKeyNotFoundError{verifyingKey} 237 } 238 return nil 239 } 240 241 func (k *KBPKIClient) loadUserPlusKeys(ctx context.Context, 242 uid keybase1.UID, pollForKID keybase1.KID, 243 offline keybase1.OfflineAvailability) (idutil.UserInfo, error) { 244 return k.serviceOwner.KeybaseService().LoadUserPlusKeys( 245 ctx, uid, pollForKID, offline) 246 } 247 248 // GetCryptPublicKeys implements the KBPKI interface for KBPKIClient. 249 func (k *KBPKIClient) GetCryptPublicKeys( 250 ctx context.Context, uid keybase1.UID, 251 offline keybase1.OfflineAvailability) ( 252 keys []kbfscrypto.CryptPublicKey, err error) { 253 userInfo, err := k.loadUserPlusKeys(ctx, uid, "", offline) 254 if err != nil { 255 return nil, err 256 } 257 return userInfo.CryptPublicKeys, nil 258 } 259 260 // GetTeamTLFCryptKeys implements the KBPKI interface for KBPKIClient. 261 func (k *KBPKIClient) GetTeamTLFCryptKeys( 262 ctx context.Context, tid keybase1.TeamID, desiredKeyGen kbfsmd.KeyGen, 263 offline keybase1.OfflineAvailability) ( 264 map[kbfsmd.KeyGen]kbfscrypto.TLFCryptKey, kbfsmd.KeyGen, error) { 265 teamInfo, err := k.serviceOwner.KeybaseService().LoadTeamPlusKeys( 266 ctx, tid, tlf.Unknown, desiredKeyGen, keybase1.UserVersion{}, 267 kbfscrypto.VerifyingKey{}, keybase1.TeamRole_NONE, offline) 268 if err != nil { 269 return nil, 0, err 270 } 271 return teamInfo.CryptKeys, teamInfo.LatestKeyGen, nil 272 } 273 274 // GetCurrentMerkleRoot implements the KBPKI interface for KBPKIClient. 275 func (k *KBPKIClient) GetCurrentMerkleRoot(ctx context.Context) ( 276 keybase1.MerkleRootV2, time.Time, error) { 277 return k.serviceOwner.KeybaseService().GetCurrentMerkleRoot(ctx) 278 } 279 280 // VerifyMerkleRoot implements the KBPKI interface for KBPKIClient. 281 func (k *KBPKIClient) VerifyMerkleRoot( 282 ctx context.Context, root keybase1.MerkleRootV2, 283 kbfsRoot keybase1.KBFSRoot) error { 284 return k.serviceOwner.KeybaseService().VerifyMerkleRoot( 285 ctx, root, kbfsRoot) 286 } 287 288 // IsTeamWriter implements the KBPKI interface for KBPKIClient. 289 func (k *KBPKIClient) IsTeamWriter( 290 ctx context.Context, tid keybase1.TeamID, uid keybase1.UID, 291 verifyingKey kbfscrypto.VerifyingKey, 292 offline keybase1.OfflineAvailability) (bool, error) { 293 if uid.IsNil() || verifyingKey.IsNil() { 294 // A sessionless user can never be a writer. 295 return false, nil 296 } 297 298 // Use the verifying key to find out the eldest seqno of the user. 299 userInfo, err := k.loadUserPlusKeys(ctx, uid, verifyingKey.KID(), offline) 300 if err != nil { 301 return false, err 302 } 303 304 found := false 305 for _, key := range userInfo.VerifyingKeys { 306 if verifyingKey.KID().Equal(key.KID()) { 307 found = true 308 break 309 } 310 } 311 if !found { 312 // For the purposes of finding the eldest seqno, we need to 313 // check the verified key against the list of revoked keys as 314 // well. (The caller should use `HasVerifyingKey` later to 315 // check whether the revoked key was valid at the time of the 316 // update or not.) 317 _, found = userInfo.RevokedVerifyingKeys[verifyingKey] 318 } 319 if !found { 320 // The user doesn't currently have this KID, therefore they 321 // shouldn't be treated as a writer. The caller should check 322 // historical device records and team membership. 323 k.log.CDebugf(ctx, "User %s doesn't currently have verifying key %s", 324 uid, verifyingKey.KID()) 325 return false, nil 326 } 327 328 desiredUser := keybase1.UserVersion{ 329 Uid: uid, 330 EldestSeqno: userInfo.EldestSeqno, 331 } 332 teamInfo, err := k.serviceOwner.KeybaseService().LoadTeamPlusKeys( 333 ctx, tid, tlf.Unknown, kbfsmd.UnspecifiedKeyGen, desiredUser, 334 kbfscrypto.VerifyingKey{}, keybase1.TeamRole_WRITER, offline) 335 if err != nil { 336 if tid.IsPublic() { 337 if _, notFound := err.(libkb.NotFoundError); notFound { 338 // We are probably just not a writer of this public team. 339 k.log.CDebugf(ctx, 340 "Ignoring not found error for public team: %+v", err) 341 return false, nil 342 } 343 } 344 return false, err 345 } 346 return teamInfo.Writers[uid], nil 347 } 348 349 // NoLongerTeamWriter implements the KBPKI interface for KBPKIClient. 350 func (k *KBPKIClient) NoLongerTeamWriter( 351 ctx context.Context, tid keybase1.TeamID, tlfType tlf.Type, 352 uid keybase1.UID, verifyingKey kbfscrypto.VerifyingKey, 353 offline keybase1.OfflineAvailability) (keybase1.MerkleRootV2, error) { 354 if uid.IsNil() || verifyingKey.IsNil() { 355 // A sessionless user can never be a writer. 356 return keybase1.MerkleRootV2{}, nil 357 } 358 359 // We don't need the eldest seqno when we look up an older writer, 360 // the service takes care of that for us. 361 desiredUser := keybase1.UserVersion{ 362 Uid: uid, 363 } 364 365 teamInfo, err := k.serviceOwner.KeybaseService().LoadTeamPlusKeys( 366 ctx, tid, tlfType, kbfsmd.UnspecifiedKeyGen, desiredUser, 367 verifyingKey, keybase1.TeamRole_WRITER, offline) 368 if err != nil { 369 return keybase1.MerkleRootV2{}, err 370 } 371 return teamInfo.LastWriters[verifyingKey], nil 372 } 373 374 // IsTeamReader implements the KBPKI interface for KBPKIClient. 375 func (k *KBPKIClient) IsTeamReader( 376 ctx context.Context, tid keybase1.TeamID, uid keybase1.UID, 377 offline keybase1.OfflineAvailability) (bool, error) { 378 desiredUser := keybase1.UserVersion{Uid: uid} 379 teamInfo, err := k.serviceOwner.KeybaseService().LoadTeamPlusKeys( 380 ctx, tid, tlf.Unknown, kbfsmd.UnspecifiedKeyGen, desiredUser, 381 kbfscrypto.VerifyingKey{}, keybase1.TeamRole_READER, offline) 382 if err != nil { 383 return false, err 384 } 385 return tid.IsPublic() || teamInfo.Writers[uid] || teamInfo.Readers[uid], nil 386 } 387 388 // GetTeamRootID implements the KBPKI interface for KBPKIClient. 389 func (k *KBPKIClient) GetTeamRootID( 390 ctx context.Context, tid keybase1.TeamID, 391 offline keybase1.OfflineAvailability) (keybase1.TeamID, error) { 392 if !tid.IsSubTeam() { 393 return tid, nil 394 } 395 396 teamInfo, err := k.serviceOwner.KeybaseService().LoadTeamPlusKeys( 397 ctx, tid, tlf.Unknown, kbfsmd.UnspecifiedKeyGen, keybase1.UserVersion{}, 398 kbfscrypto.VerifyingKey{}, keybase1.TeamRole_NONE, offline) 399 if err != nil { 400 return keybase1.TeamID(""), err 401 } 402 return teamInfo.RootID, nil 403 } 404 405 // CreateTeamTLF implements the KBPKI interface for KBPKIClient. 406 func (k *KBPKIClient) CreateTeamTLF( 407 ctx context.Context, teamID keybase1.TeamID, tlfID tlf.ID) error { 408 return k.serviceOwner.KeybaseService().CreateTeamTLF(ctx, teamID, tlfID) 409 } 410 411 // FavoriteAdd implements the KBPKI interface for KBPKIClient. 412 func (k *KBPKIClient) FavoriteAdd(ctx context.Context, folder keybase1.FolderHandle) error { 413 return k.serviceOwner.KeybaseService().FavoriteAdd(ctx, folder) 414 } 415 416 // FavoriteDelete implements the KBPKI interface for KBPKIClient. 417 func (k *KBPKIClient) FavoriteDelete(ctx context.Context, folder keybase1.FolderHandle) error { 418 return k.serviceOwner.KeybaseService().FavoriteDelete(ctx, folder) 419 } 420 421 // FavoriteList implements the KBPKI interface for KBPKIClient. 422 func (k *KBPKIClient) FavoriteList(ctx context.Context) ( 423 keybase1.FavoritesResult, error) { 424 const sessionID = 0 425 return k.serviceOwner.KeybaseService().FavoriteList(ctx, sessionID) 426 } 427 428 // Notify implements the KBPKI interface for KBPKIClient. 429 func (k *KBPKIClient) Notify(ctx context.Context, notification *keybase1.FSNotification) error { 430 return k.serviceOwner.KeybaseService().Notify(ctx, notification) 431 } 432 433 // NotifyPathUpdated implements the KBPKI interface for KBPKIClient. 434 func (k *KBPKIClient) NotifyPathUpdated( 435 ctx context.Context, path string) error { 436 return k.serviceOwner.KeybaseService().NotifyPathUpdated(ctx, path) 437 } 438 439 // PutGitMetadata implements the KBPKI interface for KBPKIClient. 440 func (k *KBPKIClient) PutGitMetadata( 441 ctx context.Context, folder keybase1.FolderHandle, repoID keybase1.RepoID, 442 metadata keybase1.GitLocalMetadata) error { 443 return k.serviceOwner.KeybaseService().PutGitMetadata( 444 ctx, folder, repoID, metadata) 445 } 446 447 // InvalidateTeamCacheForID implements the KBPKI interface for KBPKIClient. 448 func (k *KBPKIClient) InvalidateTeamCacheForID(tid keybase1.TeamID) { 449 k.idToUserCache.Remove(tid.AsUserOrTeam()) 450 }