github.com/keybase/client/go@v0.0.0-20241007131713-f10651d043c8/libkb/logout.go (about)

     1  package libkb
     2  
     3  import (
     4  	"fmt"
     5  	"time"
     6  
     7  	"github.com/keybase/client/go/protocol/keybase1"
     8  )
     9  
    10  func (mctx MetaContext) LogoutKillSecrets() (err error) {
    11  	return mctx.LogoutWithOptions(LogoutOptions{KeepSecrets: false})
    12  }
    13  
    14  func (mctx MetaContext) LogoutKeepSecrets() (err error) {
    15  	return mctx.LogoutWithOptions(LogoutOptions{KeepSecrets: true})
    16  }
    17  
    18  type LogoutOptions struct {
    19  	KeepSecrets bool
    20  	Force       bool
    21  }
    22  
    23  func (mctx MetaContext) LogoutWithOptions(options LogoutOptions) (err error) {
    24  	username := mctx.ActiveDevice().Username(mctx)
    25  	return mctx.LogoutUsernameWithOptions(username, options)
    26  }
    27  
    28  func (mctx MetaContext) LogoutUsernameWithOptions(username NormalizedUsername, options LogoutOptions) (err error) {
    29  	mctx = mctx.WithLogTag("LOGOUT")
    30  	defer mctx.Trace(fmt.Sprintf("MetaContext#LogoutWithOptions(%#v)", options), &err)()
    31  
    32  	g := mctx.G()
    33  	defer g.switchUserMu.Acquire(mctx, "Logout")()
    34  
    35  	mctx.Debug("MetaContext#logoutWithSecretKill: after switchUserMu acquisition (username: %s, options: %#v)",
    36  		username, options)
    37  
    38  	if !options.Force && !options.KeepSecrets {
    39  		mctx.Debug("force=%t; keepSecrets=%t, so check if we're allowed to log out", options.Force, options.KeepSecrets)
    40  		mctx.Debug("MetaContext#logoutWithSecretKill: checking if CanLogout")
    41  		canLogoutRes := CanLogout(mctx)
    42  		mctx.Debug("MetaContext#logoutWithSecretKill: CanLogout res: %#v", canLogoutRes)
    43  		if !canLogoutRes.CanLogout {
    44  			return fmt.Errorf("Cannot log out: %s", canLogoutRes.Reason)
    45  		}
    46  	} else {
    47  		mctx.Debug("not checking if we are allowed to logout (force=%t, keepSecrets=%t)",
    48  			options.Force, options.KeepSecrets)
    49  	}
    50  
    51  	var keychainMode KeychainMode
    52  	keychainMode, err = g.ActiveDevice.ClearGetKeychainMode()
    53  	if err != nil {
    54  		return err
    55  	}
    56  
    57  	g.LocalSigchainGuard().Clear(mctx.Ctx(), "Logout")
    58  
    59  	mctx.Debug("+ MetaContext#logoutWithSecretKill: calling logout hooks")
    60  	g.CallLogoutHooks(mctx)
    61  	mctx.Debug("- MetaContext#logoutWithSecretKill: called logout hooks")
    62  
    63  	g.ClearPerUserKeyring()
    64  
    65  	// NB: This will acquire and release the cacheMu lock, so we have to make
    66  	// sure nothing holding a cacheMu ever looks for the switchUserMu lock.
    67  	g.FlushCaches()
    68  
    69  	if keychainMode == KeychainModeOS {
    70  		mctx.logoutSecretStore(username, options.KeepSecrets)
    71  	} else {
    72  		mctx.Debug("Not clearing secret store in mode %d", keychainMode)
    73  	}
    74  
    75  	// reload config to clear anything in memory
    76  	if err := g.ConfigReload(); err != nil {
    77  		mctx.Debug("Logout ConfigReload error: %s", err)
    78  	}
    79  
    80  	// send logout notification
    81  	g.NotifyRouter.HandleLogout(mctx.Ctx())
    82  
    83  	g.FeatureFlags.Clear()
    84  
    85  	g.IdentifyDispatch.OnLogout()
    86  
    87  	g.Identify3State.OnLogout()
    88  
    89  	err = g.GetUPAKLoader().OnLogout()
    90  	if err != nil {
    91  		return err
    92  	}
    93  
    94  	g.Pegboard.OnLogout(mctx)
    95  
    96  	return nil
    97  }
    98  
    99  func (mctx MetaContext) logoutSecretStore(username NormalizedUsername, keepSecrets bool) {
   100  
   101  	g := mctx.G()
   102  	g.secretStoreMu.Lock()
   103  	defer g.secretStoreMu.Unlock()
   104  
   105  	if g.secretStore == nil || username.IsNil() {
   106  		return
   107  	}
   108  
   109  	if keepSecrets {
   110  		g.switchedUsers[username] = true
   111  		return
   112  	}
   113  
   114  	if err := g.secretStore.ClearSecret(mctx, username); err != nil {
   115  		mctx.Debug("clear stored secret error: %s", err)
   116  		return
   117  	}
   118  
   119  	// If this user had previously switched into his account and wound up in the
   120  	// g.switchedUsers map (see just above), then now it's fine to delete them,
   121  	// since they are deleted from the secret store successfully.
   122  	delete(g.switchedUsers, username)
   123  }
   124  
   125  // LogoutSelfCheck checks with the API server to see if this uid+device pair should
   126  // logout.
   127  func (mctx MetaContext) LogoutSelfCheck() error {
   128  	g := mctx.G()
   129  	uid := g.ActiveDevice.UID()
   130  	if uid.IsNil() {
   131  		mctx.Debug("LogoutSelfCheck: no uid")
   132  		return nil
   133  	}
   134  	deviceID := g.ActiveDevice.DeviceID()
   135  	if deviceID.IsNil() {
   136  		mctx.Debug("LogoutSelfCheck: no device id")
   137  		return nil
   138  	}
   139  
   140  	arg := APIArg{
   141  		Endpoint: "selfcheck",
   142  		Args: HTTPArgs{
   143  			"uid":       S{Val: uid.String()},
   144  			"device_id": S{Val: deviceID.String()},
   145  		},
   146  		SessionType: APISessionTypeREQUIRED,
   147  	}
   148  	res, err := g.API.Post(mctx, arg)
   149  	if err != nil {
   150  		return err
   151  	}
   152  
   153  	logout, err := res.Body.AtKey("logout").GetBool()
   154  	if err != nil {
   155  		return err
   156  	}
   157  
   158  	mctx.Debug("LogoutSelfCheck: should log out? %v", logout)
   159  	if logout {
   160  		mctx.Debug("LogoutSelfCheck: logging out...")
   161  		return mctx.LogoutKillSecrets()
   162  	}
   163  
   164  	return nil
   165  }
   166  
   167  func CanLogout(mctx MetaContext) (res keybase1.CanLogoutRes) {
   168  	if !mctx.G().ActiveDevice.Valid() {
   169  		mctx.Debug("CanLogout: looks like user is not logged in")
   170  		res.CanLogout = true
   171  		return res
   172  	}
   173  
   174  	if mctx.G().ActiveDevice.KeychainMode() == KeychainModeNone {
   175  		mctx.Debug("CanLogout: ok to logout since the key used doesn't user the keychain")
   176  		res.CanLogout = true
   177  		return res
   178  	}
   179  
   180  	mctx, cancel := mctx.WithTimeout(5 * time.Second)
   181  	defer cancel()
   182  	if err := CheckCurrentUIDDeviceID(mctx); err != nil {
   183  		switch err.(type) {
   184  		case DeviceNotFoundError, UserNotFoundError,
   185  			KeyRevokedError, NoDeviceError, NoUIDError:
   186  			mctx.Debug("CanLogout: allowing logout because of CheckCurrentUIDDeviceID returning: %s", err.Error())
   187  			return keybase1.CanLogoutRes{CanLogout: true}
   188  		default:
   189  			// Unexpected error like network connectivity issue, fall through.
   190  			// Even if we are offline here, we may be able to get cached value
   191  			// `keybase1.PassphraseState_KNOWN` from LoadPassphraseState and be allowed to log out.
   192  			mctx.Debug("CanLogout: CheckCurrentUIDDeviceID returned: %q, falling through", err.Error())
   193  		}
   194  	}
   195  
   196  	passphraseState, err := LoadPassphraseStateWithForceRepoll(mctx)
   197  
   198  	if err != nil {
   199  		return keybase1.CanLogoutRes{
   200  			CanLogout: false,
   201  			Reason:    fmt.Sprintf("We couldn't ensure that your account has a passphrase: %s", err.Error()),
   202  		}
   203  	}
   204  
   205  	if passphraseState == keybase1.PassphraseState_RANDOM {
   206  		return keybase1.CanLogoutRes{
   207  			CanLogout: false,
   208  			Reason:    "You signed up without a password and need to set a password first",
   209  		}
   210  	}
   211  
   212  	res.CanLogout = true
   213  	return res
   214  }