github.com/keybase/client/go@v0.0.0-20241007131713-f10651d043c8/systests/team_implicit_reset_test.go (about)

     1  package systests
     2  
     3  import (
     4  	"strings"
     5  	"testing"
     6  
     7  	"golang.org/x/net/context"
     8  
     9  	libkb "github.com/keybase/client/go/libkb"
    10  	keybase1 "github.com/keybase/client/go/protocol/keybase1"
    11  	teams "github.com/keybase/client/go/teams"
    12  	"github.com/stretchr/testify/require"
    13  )
    14  
    15  // bob resets, implicit team lookup should still work for ann
    16  func TestImplicitTeamReset(t *testing.T) {
    17  	tt := newTeamTester(t)
    18  	defer tt.cleanup()
    19  
    20  	ann := tt.addUser("ann")
    21  	t.Logf("Signed up ann (%s)", ann.username)
    22  
    23  	bob := tt.addUser("bob")
    24  	t.Logf("Signed up bob (%s)", bob.username)
    25  
    26  	displayName := strings.Join([]string{ann.username, bob.username}, ",")
    27  	iteam, err := ann.lookupImplicitTeam(true /*create*/, displayName, false /*isPublic*/)
    28  	require.NoError(t, err)
    29  	t.Logf("team created (%s)", iteam)
    30  
    31  	iteam2, err := ann.lookupImplicitTeam(false /*create*/, displayName, false /*isPublic*/)
    32  	require.NoError(t, err)
    33  	require.Equal(t, iteam, iteam2, "second lookup should return same team")
    34  	t.Logf("team looked up before reset")
    35  
    36  	bob.reset()
    37  	t.Logf("Reset bob (%s)", bob.username)
    38  
    39  	iteam3, err := ann.lookupImplicitTeam(false /*create*/, displayName, false /*isPublic*/)
    40  	require.NoError(t, err)
    41  	require.Equal(t, iteam, iteam3, "lookup after reset should return same team")
    42  	t.Logf("team looked up before reset")
    43  }
    44  
    45  func TestImplicitTeamUserReset(t *testing.T) {
    46  	ctx := newSMUContext(t)
    47  	defer ctx.cleanup()
    48  
    49  	// Sign up two users, bob and alice.
    50  	alice := ctx.installKeybaseForUser("alice", 10)
    51  	alice.signup()
    52  	divDebug(ctx, "Signed up alice (%s)", alice.username)
    53  	bob := ctx.installKeybaseForUser("bob", 10)
    54  	bob.signup()
    55  	divDebug(ctx, "Signed up bob (%s)", bob.username)
    56  
    57  	displayName := strings.Join([]string{alice.username, bob.username}, ",")
    58  	team := alice.lookupImplicitTeam(true /*create*/, displayName, false /*isPublic*/)
    59  
    60  	divDebug(ctx, "Created implicit team %s\n", team.ID)
    61  
    62  	// Reset bob and reprovision.
    63  	bob.reset()
    64  	divDebug(ctx, "Reset bob (%s)", bob.username)
    65  
    66  	bob.loginAfterReset(10)
    67  	divDebug(ctx, "Bob logged in after reset")
    68  
    69  	// Setup team loader on alice
    70  	G := alice.getPrimaryGlobalContext()
    71  	teams.NewTeamLoaderAndInstall(G)
    72  
    73  	tryLoad := func(teamID keybase1.TeamID) (res *teams.Team) {
    74  		res, err := teams.Load(context.TODO(), G, keybase1.LoadTeamArg{
    75  			ID:          teamID,
    76  			Public:      teamID.IsPublic(),
    77  			ForceRepoll: true,
    78  		})
    79  		require.NoError(t, err)
    80  		return res
    81  	}
    82  
    83  	tryLoad(team.ID)
    84  
    85  	getRole := func(username string) keybase1.TeamRole {
    86  		g := G
    87  		loadUserArg := libkb.NewLoadUserArg(g).
    88  			WithNetContext(context.TODO()).
    89  			WithName(username).
    90  			WithPublicKeyOptional().
    91  			WithForcePoll(true)
    92  		upak, _, err := g.GetUPAKLoader().LoadV2(loadUserArg)
    93  		require.NoError(t, err)
    94  
    95  		team, err := teams.GetForTeamManagementByTeamID(context.TODO(), g, team.ID, false)
    96  		require.NoError(t, err)
    97  		role, err := team.MemberRole(context.TODO(), upak.Current.ToUserVersion())
    98  		require.NoError(t, err)
    99  		return role
   100  	}
   101  
   102  	// Bob's role should be NONE since he's still reset.
   103  	role := getRole(bob.username)
   104  	require.Equal(t, role, keybase1.TeamRole_NONE)
   105  
   106  	// Alice re-adds bob.
   107  	alice.reAddUserAfterReset(team, bob)
   108  	divDebug(ctx, "Re-Added bob as an owner")
   109  
   110  	// Check if sigchain still plays back correctly
   111  	tryLoad(team.ID)
   112  
   113  	// Check if bob is back as OWNER.
   114  	role = getRole(bob.username)
   115  	require.Equal(t, role, keybase1.TeamRole_OWNER)
   116  
   117  	// Reset and re-provision bob again.
   118  	bob.reset()
   119  	divDebug(ctx, "Reset bob again (%s) (poor bob)", bob.username)
   120  
   121  	bob.loginAfterReset(10)
   122  	divDebug(ctx, "Bob logged in after reset")
   123  
   124  	// Check if sigchain plays correctly, check if role is NONE.
   125  	tryLoad(team.ID)
   126  
   127  	role = getRole(bob.username)
   128  	require.Equal(t, role, keybase1.TeamRole_NONE)
   129  
   130  	// Alice re-adds bob, again.
   131  	alice.reAddUserAfterReset(team, bob)
   132  	divDebug(ctx, "Re-Added bob as an owner again")
   133  
   134  	// Check if sigchain plays correctly, at this point there are two
   135  	// sigs similar to:
   136  	//   "change_membership: { owner: ['xxxx%6'], none: ['xxxx%3'] }"
   137  	// with uids and eldest from before and after reset.
   138  	tryLoad(team.ID)
   139  
   140  	role = getRole(bob.username)
   141  	require.Equal(t, role, keybase1.TeamRole_OWNER)
   142  }
   143  
   144  // ann and bob both reset
   145  func TestImplicitTeamResetAll(t *testing.T) {
   146  	ctx := newSMUContext(t)
   147  	defer ctx.cleanup()
   148  
   149  	ann := ctx.installKeybaseForUser("ann", 10)
   150  	ann.signup()
   151  	ann.registerForNotifications()
   152  	divDebug(ctx, "Signed up ann (%s)", ann.username)
   153  
   154  	bob := ctx.installKeybaseForUser("bob", 10)
   155  	bob.signup()
   156  	bob.registerForNotifications()
   157  	divDebug(ctx, "Signed up bob (%s)", bob.username)
   158  
   159  	displayName := strings.Join([]string{ann.username, bob.username}, ",")
   160  	iteam := ann.lookupImplicitTeam(true /*create*/, displayName, false /*isPublic*/)
   161  	divDebug(ctx, "team created (%s)", iteam.ID)
   162  
   163  	iteam2 := ann.lookupImplicitTeam(false /*create*/, displayName, false /*isPublic*/)
   164  	require.Equal(t, iteam.ID, iteam2.ID, "second lookup should return same team")
   165  	divDebug(ctx, "team looked up before reset")
   166  
   167  	bob.reset()
   168  	divDebug(ctx, "Reset bob (%s)", bob.username)
   169  
   170  	ann.reset()
   171  	divDebug(ctx, "Reset ann (%s)", ann.username)
   172  
   173  	ann.loginAfterReset(10)
   174  	divDebug(ctx, "Ann logged in after reset")
   175  
   176  	ann.waitForTeamAbandoned(iteam.ID)
   177  
   178  	iteam3 := ann.lookupImplicitTeam(true /*create*/, displayName, false /*isPublic*/)
   179  	require.NotEqual(t, iteam.ID, iteam3.ID, "lookup after resets should return different team")
   180  	divDebug(ctx, "team looked up after resets")
   181  }
   182  
   183  func TestImplicitTeamResetAndSBSBringback(t *testing.T) {
   184  	// 1. ann and bob (both PUKful) make imp team
   185  	// 2. bob resets
   186  	// 3. bob doesn't get a PUK
   187  	// 4. ann re-adds bob (this just adds invite link, doesn't remove old PUKful bob)
   188  	// 5. bob gets a PUK
   189  	// 6. he should be automatically brought back as crypto member by alice
   190  	tt := newTeamTester(t)
   191  	defer tt.cleanup()
   192  
   193  	ann := tt.addUser("ann")
   194  	t.Logf("Signed up ann (%s)", ann.username)
   195  
   196  	bob := tt.addUser("bob")
   197  	t.Logf("Signed up bob (%s)", bob.username)
   198  
   199  	// (1)
   200  	displayName := strings.Join([]string{ann.username, bob.username}, ",")
   201  	iteam, err := ann.lookupImplicitTeam(true /* create */, displayName, false /* isPublic */)
   202  	require.NoError(t, err)
   203  	t.Logf("impteam created for %q (id: %s)", displayName, iteam)
   204  
   205  	bob.kickTeamRekeyd()
   206  	bob.reset()                  // (2)
   207  	bob.loginAfterResetPukless() // (3)
   208  
   209  	ann.reAddUserAfterReset(iteam, bob) // (4)
   210  
   211  	teamObj := ann.loadTeamByID(iteam, true)
   212  	nextSeqno := teamObj.NextSeqno()
   213  
   214  	bob.perUserKeyUpgrade() // (5)
   215  
   216  	t.Logf("Bob upgraded puk, polling for seqno %d", nextSeqno)
   217  	ann.pollForTeamSeqnoLinkWithLoadArgs(keybase1.LoadTeamArg{ID: iteam}, nextSeqno) // (6)
   218  
   219  	pollForTrue(t, ann.tc.G, func(i int) bool {
   220  		teamObj = ann.loadTeamByID(iteam, true)
   221  		role, err := teamObj.MemberRole(context.Background(), bob.userVersion())
   222  		require.NoError(t, err)
   223  		return role == keybase1.TeamRole_OWNER
   224  	})
   225  
   226  	invites := teamObj.GetActiveAndObsoleteInvites()
   227  	require.Equal(t, 0, len(invites), "leftover invite")
   228  }
   229  
   230  func testImplicitResetParameterized(t *testing.T, startPUK, getPUKAfter bool) {
   231  	tt := newTeamTester(t)
   232  	defer tt.cleanup()
   233  
   234  	ann := tt.addUser("ann")
   235  	t.Logf("Signed up ann (%s)", ann.username)
   236  
   237  	var bob *userPlusDevice
   238  	if startPUK {
   239  		bob = tt.addUser("bob")
   240  		t.Logf("Signed up bob (%s)", bob.username)
   241  	} else {
   242  		bob = tt.addPuklessUser("bob")
   243  		t.Logf("Signed up PUKless bob (%s)", bob.username)
   244  	}
   245  
   246  	displayName := strings.Join([]string{ann.username, bob.username}, ",")
   247  	iteam, err := ann.lookupImplicitTeam(true /* create */, displayName, false /* isPublic */)
   248  	require.NoError(t, err)
   249  	t.Logf("impteam created for %q (id: %s)", displayName, iteam)
   250  
   251  	ann.kickTeamRekeyd()
   252  	bob.reset()
   253  	if getPUKAfter {
   254  		// Bob resets and gets a PUK afterwards
   255  		bob.loginAfterReset()
   256  	} else {
   257  		// Bob resets and does not get a PUK.
   258  		bob.loginAfterResetPukless()
   259  	}
   260  
   261  	iteam2, err := ann.lookupImplicitTeam(false /* create */, displayName, false /* isPublic */)
   262  	require.NoError(t, err)
   263  	require.Equal(t, iteam, iteam2)
   264  
   265  	if startPUK {
   266  		// Wait for rotation after bob resets.
   267  		ann.waitForAnyRotateByID(iteam2, keybase1.Seqno(1), keybase1.Seqno(1))
   268  	}
   269  	ann.reAddUserAfterReset(iteam, bob)
   270  
   271  	if !getPUKAfter {
   272  		teamObj := ann.loadTeamByID(iteam, true)
   273  
   274  		// Bob is not a crypto member so no "real" role
   275  		role, err := teamObj.MemberRole(context.Background(), bob.userVersion())
   276  		require.NoError(t, err)
   277  		require.Equal(t, keybase1.TeamRole_NONE, role)
   278  
   279  		// but should have active invite
   280  		invite, uv, found := teamObj.FindActiveKeybaseInvite(bob.uid)
   281  		require.True(t, found)
   282  		require.EqualValues(t, bob.userVersion(), uv)
   283  		require.Equal(t, keybase1.TeamRole_OWNER, invite.Role)
   284  
   285  		// bob upgrades PUK
   286  		bob.kickTeamRekeyd()
   287  		bob.perUserKeyUpgrade()
   288  
   289  		// Wait for SBS
   290  		expectedSeqno := keybase1.Seqno(3)
   291  		ann.pollForTeamSeqnoLinkWithLoadArgs(keybase1.LoadTeamArg{ID: iteam}, expectedSeqno)
   292  	}
   293  
   294  	teamObj := ann.loadTeamByID(iteam, true)
   295  
   296  	// Bob is now a real crypto member!
   297  	role, err := teamObj.MemberRole(context.Background(), bob.userVersion())
   298  	require.NoError(t, err)
   299  	require.Equal(t, keybase1.TeamRole_OWNER, role)
   300  
   301  	// Make sure we are still getting the same team.
   302  	iteam3, err := ann.lookupImplicitTeam(false /* create */, displayName, false /* isPublic */)
   303  	require.Equal(t, iteam, iteam3)
   304  	require.NoError(t, err)
   305  }
   306  
   307  func TestImplicitTeamResetNoPUKtoNoPUK(t *testing.T) {
   308  	testImplicitResetParameterized(t, false /* startPUK */, false /* getPUKAfter */)
   309  }
   310  
   311  func TestImplicitTeamResetNoPUKtoPUK(t *testing.T) {
   312  	testImplicitResetParameterized(t, false /* startPUK */, true /* getPUKAfter */)
   313  }
   314  
   315  func TestImplicitTeamResetPUKtoNoPUK(t *testing.T) {
   316  	// We are lucky this case even works, it breaks the rules a little
   317  	// bit: there is no way to post removeMember+addInvite in one
   318  	// link, so when PUKful bob resets and ann re-adds him as PUKless,
   319  	// only invite link is posted. So technically there are 3 active
   320  	// people in the team at the time:
   321  	//   ann, PUKful bob, PUKless (invited) bob.
   322  
   323  	testImplicitResetParameterized(t, true /* startPUK */, false /* getPUKAfter */)
   324  }
   325  
   326  func TestImplicitTeamResetNoPukEncore(t *testing.T) {
   327  	// 1. ann and bob (both PUKful) make imp team
   328  	// 2. bob resets
   329  	// 3. bob doesn't get a PUK
   330  	// 4. ann re-adds bob (this just adds invite link, doesn't remove old PUKful bob)
   331  	// (up to this point, this case is tested in
   332  	// TestImplicitResetPUKtoNoPUK and TestChatSrvUserReset)
   333  	// 5. now bob resets again, but this time gets a PUK
   334  	// 6. when they are re-added, old PUKful bob is removed to make
   335  	//    room for new PUK-ful bob, and old invite is also sweeped
   336  	//    (completed).
   337  	tt := newTeamTester(t)
   338  	defer tt.cleanup()
   339  
   340  	ann := tt.addUser("ann")
   341  	t.Logf("Signed up ann (%s)", ann.username)
   342  
   343  	bob := tt.addUser("bob")
   344  	t.Logf("Signed up bob (%s)", bob.username)
   345  
   346  	// (1)
   347  	displayName := strings.Join([]string{ann.username, bob.username}, ",")
   348  	iteam, err := ann.lookupImplicitTeam(true /* create */, displayName, false /* isPublic */)
   349  	require.NoError(t, err)
   350  	t.Logf("impteam created for %q (id: %s)", displayName, iteam)
   351  
   352  	bob.reset()                  // (2)
   353  	bob.loginAfterResetPukless() // (3)
   354  
   355  	ann.reAddUserAfterReset(iteam, bob) // (4)
   356  
   357  	bob.reset() // (5)
   358  	bob.loginAfterReset()
   359  
   360  	ann.reAddUserAfterReset(iteam, bob) // (6)
   361  
   362  	teamObj := ann.loadTeamByID(iteam, true)
   363  	role, err := teamObj.MemberRole(context.Background(), bob.userVersion())
   364  	require.NoError(t, err)
   365  	require.Equal(t, keybase1.TeamRole_OWNER, role)
   366  
   367  	invites := teamObj.GetActiveAndObsoleteInvites()
   368  	require.Equal(t, 0, len(invites), "leftover invite")
   369  }
   370  
   371  func TestImplicitTeamResetBadReadds(t *testing.T) {
   372  	// Check if we can't ruin implicit team state by bad re-adds.
   373  	tt := newTeamTester(t)
   374  	defer tt.cleanup()
   375  
   376  	ann := tt.addUser("ann")
   377  	bob := tt.addUser("bob")
   378  	pam := tt.addPuklessUser("pam")
   379  
   380  	displayName := strings.Join([]string{ann.username, bob.username, pam.username}, ",")
   381  	iteam, err := ann.lookupImplicitTeam(true /* create */, displayName, false /* isPublic */)
   382  	require.NoError(t, err)
   383  	t.Logf("impteam created for %q (id: %s)", displayName, iteam)
   384  
   385  	bob.reset()
   386  	bob.loginAfterResetPukless()
   387  	t.Logf("%s reset and is now PUKless", bob.username)
   388  
   389  	teamObj := ann.loadTeamByID(iteam, true /* admin */)
   390  	_, err = teamObj.InviteMember(context.Background(), bob.username, keybase1.TeamRole_READER, libkb.NewNormalizedUsername(bob.username), bob.userVersion())
   391  	require.Error(t, err)
   392  	t.Logf("Error of InviteMember(bob, READER) is: %v", err)
   393  
   394  	pam.reset()
   395  	pam.loginAfterResetPukless()
   396  	t.Logf("%s reset and is now PUKless again", pam.username)
   397  
   398  	_, err = teamObj.InviteMember(context.Background(), pam.username, keybase1.TeamRole_READER, libkb.NewNormalizedUsername(pam.username), pam.userVersion())
   399  	require.Error(t, err)
   400  	t.Logf("Error of InviteMember(pam, READER) is: %v", err)
   401  }