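// Source: github.com/keybase/client/go@v0.0.0-20241007131713-f10651d043c8/systests/team_tx_test.go

package systests

import (
	"fmt"
	"testing"

	"github.com/stretchr/testify/require"
	"golang.org/x/net/context"

	"github.com/keybase/client/go/libkb"
	keybase1 "github.com/keybase/client/go/protocol/keybase1"
	"github.com/keybase/client/go/teams"
)

// testTeamTx1 runs two consecutive AddMemberTx transactions as team owner ann
// and checks the resulting roster and invite list after each one.
//
// Transaction 1 adds PUK-less bob (expected to land as a keybase-type invite
// rather than a member), tracy as a reader, and two bot users. Transaction 2
// runs after bob upgrades to a per-user key and must make him a real writer
// while leaving no invite behind.
//
// byUV selects AddMemberByUV instead of AddMemberByUsername for transaction 1
// only; transaction 2 always adds bob by username.
func testTeamTx1(t *testing.T, byUV bool) {
	tt := newTeamTester(t)
	defer tt.cleanup()

	ann := makeUserStandalone(t, tt, "ann", standaloneUserArgs{
		disableGregor:            true,
		suppressTeamChatAnnounce: true,
	})
	t.Logf("Signed up ann (%s)", ann.username)

	bob := tt.addPuklessUser("bob")
	t.Logf("Signed up PUK-less user bob (%s)", bob.username)

	tracy := tt.addUser("trc")
	t.Logf("Signed up PUK-ful user trc (%s)", tracy.username)

	// The two bot sign-ups log their own usernames. Logging tracy's here would
	// make a failing run point at the wrong account.
	botua := tt.addUser("ua")
	t.Logf("Signed up user ua (%s) to be a bot", botua.username)

	restrictedBotua := tt.addUser("r_ua")
	t.Logf("Signed up user ua (%s) to be a restricted bot", restrictedBotua.username)

	team := ann.createTeam()
	t.Logf("Team created (%s)", team)

	// TRANSACTION 1 - add bob (keybase-type invite) and tracy (crypto member)

	teamObj := ann.loadTeam(team, true /* admin */)

	var err error
	tx := teams.CreateAddMemberTx(teamObj)
	// bob has no per-user key yet, so the transaction must be told to accept
	// PUK-less users. NOTE(review): presumably adding bob fails without this
	// flag - confirm against AddMemberTx.
	tx.AllowPUKless = true
	if byUV {
		err = tx.AddMemberByUV(context.Background(), bob.userVersion(), keybase1.TeamRole_WRITER, nil)
		require.NoError(t, err)
		err = tx.AddMemberByUV(context.Background(), tracy.userVersion(), keybase1.TeamRole_READER, nil)
		require.NoError(t, err)
		err = tx.AddMemberByUV(context.Background(), botua.userVersion(), keybase1.TeamRole_BOT, nil)
		require.NoError(t, err)
		err = tx.AddMemberByUV(context.Background(), restrictedBotua.userVersion(), keybase1.TeamRole_RESTRICTEDBOT, &keybase1.TeamBotSettings{})
		require.NoError(t, err)
	} else {
		err = tx.AddMemberByUsername(context.Background(), bob.username, keybase1.TeamRole_WRITER, nil)
		require.NoError(t, err)
		err = tx.AddMemberByUsername(context.Background(), tracy.username, keybase1.TeamRole_READER, nil)
		require.NoError(t, err)
		err = tx.AddMemberByUsername(context.Background(), botua.username, keybase1.TeamRole_BOT, nil)
		require.NoError(t, err)
		err = tx.AddMemberByUsername(context.Background(), restrictedBotua.username, keybase1.TeamRole_RESTRICTEDBOT, &keybase1.TeamBotSettings{})
		require.NoError(t, err)
	}

	err = tx.Post(libkb.NewMetaContextForTest(*ann.tc))
	require.NoError(t, err)

	// bob must show up only as an invite: exactly one invite, bound to his
	// current user version, and no writer in the roster.
	teamObj = ann.loadTeam(team, true /* admin */)
	require.Equal(t, 1, teamObj.NumActiveInvites())
	invites := teamObj.GetActiveAndObsoleteInvites()
	require.Equal(t, 1, len(invites))
	for _, invite := range invites {
		uv, err := invite.KeybaseUserVersion()
		require.NoError(t, err)
		require.EqualValues(t, bob.userVersion(), uv)
	}

	members, err := teamObj.Members()
	require.NoError(t, err)
	require.Equal(t, 1, len(members.Owners))
	require.Equal(t, 0, len(members.Admins))
	require.Equal(t, 0, len(members.Writers))
	require.Equal(t, 1, len(members.Readers))
	require.EqualValues(t, tracy.userVersion(), members.Readers[0])
	require.Equal(t, 1, len(members.Bots))
	require.EqualValues(t, botua.userVersion(), members.Bots[0])
	require.Equal(t, 1, len(members.RestrictedBots))
	require.EqualValues(t, restrictedBotua.userVersion(), members.RestrictedBots[0])

	// TRANSACTION 2 - bob gets puk, add bob but not through SBS - we
	// expect the invite to be swept away by this transaction.

	bob.perUserKeyUpgrade()

	teamObj = ann.loadTeam(team, true /* admin */)
	tx = teams.CreateAddMemberTx(teamObj)
	err = tx.AddMemberByUsername(context.Background(), bob.username, keybase1.TeamRole_WRITER, nil)
	require.NoError(t, err)

	err = tx.Post(libkb.NewMetaContextForTest(*ann.tc))
	require.NoError(t, err)

	// bob is now a writer and the invite list is empty; every other role is
	// unchanged from transaction 1.
	teamObj = ann.loadTeam(team, true /* admin */)
	members, err = teamObj.Members()
	require.NoError(t, err)
	require.Equal(t, 1, len(members.Owners))
	require.Equal(t, 0, len(members.Admins))
	require.Equal(t, 1, len(members.Writers))
	require.EqualValues(t, bob.userVersion(), members.Writers[0])
	require.Equal(t, 0, len(teamObj.GetActiveAndObsoleteInvites()))
	require.Equal(t, 1, len(members.Readers))
	require.EqualValues(t, tracy.userVersion(), members.Readers[0])
	require.Equal(t, 1, len(members.Bots))
	require.EqualValues(t, botua.userVersion(), members.Bots[0])
	require.Equal(t, 1, len(members.RestrictedBots))
	require.EqualValues(t, restrictedBotua.userVersion(), members.RestrictedBots[0])
}

// TestTeamTxAddByUsername runs the shared two-transaction scenario with the
// first transaction adding members by username.
func TestTeamTxAddByUsername(t *testing.T) {
	testTeamTx1(t, false /* byUV */)
}

// TestTeamTxAddByUV runs the shared two-transaction scenario with the first
// transaction adding members by user version.
func TestTeamTxAddByUV(t *testing.T) {
	testTeamTx1(t, true /* byUV */)
}

// TestTeamTxDependency checks that a single transaction splits into several
// payloads when one of its operations depends on another, in both directions:
// sweeping a PUK-less invite before adding the same user as a crypto member,
// and sweeping a crypto member before inviting the same user as PUK-less.
func TestTeamTxDependency(t *testing.T) {
	tt := newTeamTester(t)
	defer tt.cleanup()

	ann := makeUserStandalone(t, tt, "ann", standaloneUserArgs{
		disableGregor:            true,
		suppressTeamChatAnnounce: true,
	})
	t.Logf("Signed up ann (%s)", ann.username)

	bob := tt.addPuklessUser("bob")
	t.Logf("Signed up PUK-less user bob (%s)", bob.username)

	tracy := tt.addUser("trc")
	t.Logf("Signed up PUK-ful user trc (%s)", tracy.username)

	team := ann.createTeam()
	t.Logf("Team created (%s)", team)

	ann.addTeamMember(team, bob.username, keybase1.TeamRole_WRITER)

	// PUK-less bob is held as an invite only: ann is the sole member.
	teamObj := ann.loadTeam(team, true /* admin */)
	members, err := teamObj.Members()
	require.NoError(t, err)
	require.Equal(t, 1, len(members.Owners))
	require.Equal(t, 0, len(members.Admins)+len(members.Writers)+len(members.Readers)+len(members.Bots)+len(members.RestrictedBots))
	require.EqualValues(t, ann.userVersion(), members.Owners[0])
	require.Equal(t, 1, teamObj.NumActiveInvites())

	bob.perUserKeyUpgrade()

	// Transaction time!

	// The transaction will try to achieve the following:
	// 1) Add Tracy as crypto member,
	// 2) sweep old bob@keybase invite (pukless member),
	// 3) add bob as crypto member.

	// The catch is that (3) depends on (2), so the signature that does
	// (3) has to happen after (2). Signatures in flight after (2) are
	// as follows:
	// 1. change_membership (adds: trc)
	// 2. invite (cancel: bob@keybase)

	// Adding bob as a crypto member should not mutate change_membership 1.,
	// but instead create a new change_membership.

	teamObj = ann.loadTeam(team, true /* admin */)

	tx := teams.CreateAddMemberTx(teamObj)
	err = tx.AddMemberByUsername(context.Background(), tracy.username, keybase1.TeamRole_READER, nil)
	require.NoError(t, err)
	err = tx.AddMemberByUsername(context.Background(), bob.username, keybase1.TeamRole_WRITER, nil)
	require.NoError(t, err)

	// Three payloads: the two listed above plus the new change_membership
	// that adds bob.
	payloads := tx.DebugPayloads()
	require.Equal(t, 3, len(payloads))

	err = tx.Post(libkb.NewMetaContextForTest(*ann.tc))
	require.NoError(t, err)

	// State is still fine even without ordering, because neither the
	// server nor the team player cares about that.

	teamObj = ann.loadTeam(team, true /* admin */)
	members, err = teamObj.Members()
	require.NoError(t, err)
	require.Equal(t, 1, len(members.Owners))
	require.EqualValues(t, ann.userVersion(), members.Owners[0])
	require.Equal(t, 0, len(members.Admins))
	require.Equal(t, 1, len(members.Writers))
	require.EqualValues(t, bob.userVersion(), members.Writers[0])
	require.Equal(t, 1, len(members.Readers))
	require.EqualValues(t, tracy.userVersion(), members.Readers[0])
	require.Equal(t, 0, teamObj.NumActiveInvites())
	require.Equal(t, 0, len(teamObj.GetActiveAndObsoleteInvites()))
	require.Equal(t, 0, len(members.Bots))
	require.Equal(t, 0, len(members.RestrictedBots))

	// Try the opposite logic: reset bob, and try to re-add them as
	// pukless. The `invite` link should happen after crypto member
	// sweeping `change_membership`.
	bob.reset()
	bob.loginAfterResetPukless()

	// NOTE(review): teamObj is the snapshot loaded before bob's reset; it is
	// not reloaded here. Confirm that building the transaction on the
	// pre-reset state is intended.
	tx = teams.CreateAddMemberTx(teamObj)
	tx.AllowPUKless = true
	_, _, _, err = tx.AddOrInviteMemberByAssertion(context.Background(), fmt.Sprintf("%s@rooter", tracy.username), keybase1.TeamRole_WRITER, nil)
	require.NoError(t, err)
	err = tx.AddMemberByUsername(context.Background(), bob.username, keybase1.TeamRole_WRITER, nil)
	require.NoError(t, err)

	payloads = tx.DebugPayloads()
	require.Equal(t, 3, len(payloads))

	// NOTE(review): only the payload count and a successful Post are checked
	// for this direction; the resulting roster and invites are not asserted.
	err = tx.Post(libkb.NewMetaContextForTest(*ann.tc))
	require.NoError(t, err)
}

// TestTeamTxSweepMembers checks that re-adding a user who reset their account
// replaces the old membership: bob joins as writer, resets and reprovisions,
// and is then added as reader. The final roster must hold bob only as a
// reader under his post-reset user version, with no writers and no invites.
func TestTeamTxSweepMembers(t *testing.T) {
	tt := newTeamTester(t)
	defer tt.cleanup()

	ann := tt.addUser("ann")
	t.Logf("Signed up user ann (%s)", ann.username)

	bob := tt.addUser("bob")
	t.Logf("Signed up user bob (%s)", bob.username)

	pat := tt.addPuklessUser("pat")
	t.Logf("Signed up PUKless user pat (%s)", pat.username)

	team := ann.createTeam()
	t.Logf("Team created (%s)", team)

	ann.addTeamMember(team, bob.username, keybase1.TeamRole_WRITER)

	bob.reset()
	bob.loginAfterReset()

	t.Logf("Bob (%s) resets and reprovisions, he is now: %v", bob.username, bob.userVersion())

	// Wait for CLKR and RotateKey link.
	teamID := ann.loadTeam(team, false /* admin */).ID
	ann.waitForAnyRotateByID(teamID, keybase1.Seqno(2) /* toSeqno */, keybase1.Seqno(1) /* toHiddenSeqno */)

	teamObj := ann.loadTeam(team, true /* admin */)
	tx := teams.CreateAddMemberTx(teamObj)
	err := tx.AddMemberByUsername(context.Background(), bob.username, keybase1.TeamRole_READER, nil)
	require.NoError(t, err)
	err = tx.Post(libkb.NewMetaContextForTest(*ann.tc))
	require.NoError(t, err)

	// The pre-reset writer entry must be gone; bob.userVersion() here is the
	// value after the reset.
	teamObj = ann.loadTeam(team, true /* admin */)
	members, err := teamObj.Members()
	require.NoError(t, err)
	require.Equal(t, 1, len(members.Owners))
	require.Equal(t, 1, len(members.Readers))
	require.Equal(t, 0, len(members.Admins)+len(members.Writers)+len(members.Bots)+len(members.RestrictedBots))
	require.EqualValues(t, ann.userVersion(), members.Owners[0])
	require.EqualValues(t, bob.userVersion(), members.Readers[0])
	require.Equal(t, 0, len(teamObj.GetActiveAndObsoleteInvites()))
}

// TestTeamTxMultipleMembers adds three regular and three PUK-less users in one
// transaction, resets two of the PUK-less users, re-adds them in a second
// transaction, and expects five writers plus a single remaining invite for
// the PUK-less user that was never reset.
func TestTeamTxMultipleMembers(t *testing.T) {
	tt := newTeamTester(t)
	defer tt.cleanup()

	ann := tt.addUser("ann")
	t.Logf("Signed up user ann (%s)", ann.username)

	// user 0 - ann, team owner
	// user 1,2,3 - zzz, normal user
	// user 4,5,6 - yyy, pukless user

	for i := 0; i < 3; i++ {
		user := tt.addUser("zzz")
		t.Logf("Signed up normal user %d (%s, %v)", i, user.username, user.userVersion())
	}

	for i := 0; i < 3; i++ {
		user := tt.addPuklessUser("yyy")
		t.Logf("Signed up pukless user %d (%s, %v)", i, user.username, user.userVersion())
	}

	team := ann.createTeam()
	t.Logf("Team created (%s)", team)

	teamObj := ann.loadTeam(team, true /* admin */)
	tx := teams.CreateAddMemberTx(teamObj)
	tx.AllowPUKless = true
	for i := 1; i < 7; i++ {
		err := tx.AddMemberByUsername(context.Background(), tt.users[i].username, keybase1.TeamRole_WRITER, nil)
		require.NoError(t, err)
	}
	err := tx.Post(libkb.NewMetaContextForTest(*ann.tc))
	require.NoError(t, err)

	// Users 4 and 5 reset and log back in with loginAfterReset.
	// NOTE(review): presumably this leaves them with a per-user key, which is
	// why they count as writers below - confirm against loginAfterReset.
	for i := 4; i <= 5; i++ {
		user := tt.users[i]
		user.reset()
		user.loginAfterReset()
		t.Logf("Reset pukless user %d (%s, %v)", i, user.username, user.userVersion())
	}

	// The second transaction does not set AllowPUKless.
	teamObj = ann.loadTeam(team, true /* admin */)
	tx = teams.CreateAddMemberTx(teamObj)
	for i := 4; i <= 5; i++ {
		err := tx.AddMemberByUsername(context.Background(), tt.users[i].username, keybase1.TeamRole_WRITER, nil)
		require.NoError(t, err)
	}
	err = tx.Post(libkb.NewMetaContextForTest(*ann.tc))
	require.NoError(t, err)

	teamObj = ann.loadTeam(team, true /* admin */)
	members, err := teamObj.Members()
	require.NoError(t, err)
	require.Equal(t, 1, len(members.Owners))
	require.Equal(t, 5, len(members.Writers))
	require.Equal(t, 0, len(members.Readers)+len(members.Admins)+len(members.Bots)+len(members.RestrictedBots))

	// Only user 6 is still represented by an invite.
	invites := teamObj.GetActiveAndObsoleteInvites()
	require.Equal(t, 1, len(invites))
	for _, invite := range invites {
		uv, err := invite.KeybaseUserVersion()
		require.NoError(t, err)
		require.Equal(t, tt.users[6].userVersion(), uv)
	}
}

// TestTeamTxSubteamAdmins adds bob as admin of a team that already has two
// subteams and checks that the transaction posts without error.
func TestTeamTxSubteamAdmins(t *testing.T) {
	// Test if AddMemberTx properly keys implicit admins to teams
	// through the use of 'implicit_team_keys'.

	tt := newTeamTester(t)
	defer tt.cleanup()

	ann := tt.addUser("ann")
	t.Logf("Signed up user ann (%s)", ann.username)

	bob := tt.addUser("bob")
	t.Logf("Signed up user bob (%s)", bob.username)

	team := ann.createTeam()
	t.Logf("Team created (%s)", team)

	teamName, err := keybase1.TeamNameFromString(team)
	require.NoError(t, err)
	_, err = teams.CreateSubteam(context.Background(), ann.tc.G, "golfers", teamName, keybase1.TeamRole_NONE /* addSelfAs */)
	require.NoError(t, err)
	_, err = teams.CreateSubteam(context.Background(), ann.tc.G, "pokerpals", teamName, keybase1.TeamRole_NONE /* addSelfAs */)
	require.NoError(t, err)

	teamObj := ann.loadTeam(team, true /* admin */)
	tx := teams.CreateAddMemberTx(teamObj)
	err = tx.AddMemberByUsername(context.Background(), bob.username, keybase1.TeamRole_ADMIN, nil)
	require.NoError(t, err)
	// NOTE(review): a successful Post is the only assertion. Neither bob's
	// admin role nor his access to the two subteams is verified afterwards.
	err = tx.Post(libkb.NewMetaContextForTest(*ann.tc))
	require.NoError(t, err)
}

// TestTeamTxBadAdds checks that AddMemberByUV refuses identities that are no
// longer valid - a user version captured before a reset, and a deleted user -
// and that each refusal leaves the transaction empty, so nothing is queued
// for a stale or deleted identity.
func TestTeamTxBadAdds(t *testing.T) {
	tt := newTeamTester(t)
	defer tt.cleanup()

	ann := tt.addUser("ann")
	t.Logf("Signed up user ann (%s)", ann.username)

	bob := tt.addUser("bob")
	t.Logf("Signed up user bob (%s)", bob.username)

	// Capture bob's user version, then reset him so the captured value is stale.
	bobUV := bob.userVersion()
	bob.reset()

	team := ann.createTeam()
	t.Logf("Team created (%s)", team)

	teamObj := ann.loadTeam(team, true /* admin */)
	tx := teams.CreateAddMemberTx(teamObj)

	// Trying to add bob using old UV (from before reset).
	// NOTE(review): only "some error" is asserted here; the error type is not
	// pinned the way it is for the deleted-user case below.
	err := tx.AddMemberByUV(context.Background(), bobUV, keybase1.TeamRole_WRITER, nil)
	require.Error(t, err)
	require.True(t, tx.IsEmpty())

	bob.loginAfterReset()
	bobUV = bob.userVersion()

	bob.delete()

	// Trying to add deleted bob.
	err = tx.AddMemberByUV(context.Background(), bobUV, keybase1.TeamRole_WRITER, nil)
	require.Error(t, err)
	require.IsType(t, libkb.UserDeletedError{}, err)
	require.True(t, tx.IsEmpty())
}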