github.com/keybase/client/go@v0.0.0-20241007131713-f10651d043c8/teams/create.go (about) 1 package teams 2 3 import ( 4 "errors" 5 "fmt" 6 7 "golang.org/x/net/context" 8 9 "github.com/keybase/client/go/engine" 10 "github.com/keybase/client/go/libkb" 11 "github.com/keybase/client/go/protocol/keybase1" 12 "github.com/keybase/client/go/teams/hidden" 13 jsonw "github.com/keybase/go-jsonw" 14 ) 15 16 func CreateImplicitTeam(ctx context.Context, g *libkb.GlobalContext, impTeam keybase1.ImplicitTeamDisplayName) (res keybase1.TeamID, teamName keybase1.TeamName, err error) { 17 defer g.CTrace(ctx, "CreateImplicitTeam", &err)() 18 19 teamName, err = NewImplicitTeamName() 20 if err != nil { 21 return res, teamName, err 22 } 23 teamID := teamName.ToTeamID(impTeam.IsPublic) 24 25 merkleRoot, err := g.MerkleClient.FetchRootFromServer(libkb.NewMetaContext(ctx, g), libkb.TeamMerkleFreshnessForAdmin) 26 if err != nil { 27 return res, teamName, err 28 } 29 30 perUserKeyUpgradeSoft(ctx, g, "create-implicit-team") 31 32 me, err := loadMeForSignatures(ctx, g) 33 if err != nil { 34 return res, teamName, err 35 } 36 37 // Load all the Keybase users 38 loadUsernameList := func(usernames []string) (res []*keybase1.UserPlusKeysV2, err error) { 39 for _, username := range usernames { 40 arg := libkb.NewLoadUserArg(g).WithName(username).WithNetContext(ctx).WithPublicKeyOptional() 41 upak, _, err := g.GetUPAKLoader().LoadV2(arg) 42 if err != nil { 43 g.Log.CDebugf(ctx, "CreateImplicitTeam: failed to load user: %s msg: %s", username, err) 44 return res, err 45 } 46 res = append(res, &upak.Current) 47 } 48 return res, nil 49 } 50 51 ownerUPAKs, err := loadUsernameList(impTeam.Writers.KeybaseUsers) 52 if err != nil { 53 return res, teamName, err 54 } 55 readerUPAKs, err := loadUsernameList(impTeam.Readers.KeybaseUsers) 56 if err != nil { 57 return res, teamName, err 58 } 59 60 var owners []SCTeamMember 61 var readers []SCTeamMember 62 var ownerInvites []SCTeamInvite 63 var readerInvites []SCTeamInvite 64 65 // Form secret boxes and make invites for KB users with no PUKs 66 secretboxRecipients := make(map[keybase1.UserVersion]keybase1.PerUserKey) 67 68 // Form secret boxes for KB users with PUKs, and invites for those without 69 for _, upak := range ownerUPAKs { 70 uv := upak.ToUserVersion() 71 puk := upak.GetLatestPerUserKey() 72 if puk == nil { 73 // Add this person as an invite if they do not have a puk 74 ownerInvites = append(ownerInvites, SCTeamInvite{ 75 Type: "keybase", 76 Name: uv.TeamInviteName(), 77 ID: NewInviteID(), 78 }) 79 } else { 80 secretboxRecipients[uv] = *puk 81 owners = append(owners, SCTeamMember(uv)) 82 } 83 } 84 for _, upak := range readerUPAKs { 85 uv := upak.ToUserVersion() 86 puk := upak.GetLatestPerUserKey() 87 if puk == nil { 88 // Add this person as an invite if they do not have a puk 89 readerInvites = append(readerInvites, SCTeamInvite{ 90 Type: "keybase", 91 Name: uv.TeamInviteName(), 92 ID: NewInviteID(), 93 }) 94 } else { 95 secretboxRecipients[uv] = *puk 96 readers = append(readers, SCTeamMember(uv)) 97 } 98 } 99 100 members := SCTeamMembers{ 101 Owners: &[]SCTeamMember{}, 102 Admins: &[]SCTeamMember{}, 103 Writers: &[]SCTeamMember{}, 104 Readers: &[]SCTeamMember{}, 105 Bots: &[]SCTeamMember{}, 106 RestrictedBots: &[]SCTeamMember{}, 107 } 108 if len(owners) > 0 { 109 members.Owners = &owners 110 } 111 if len(readers) > 0 { 112 members.Readers = &readers 113 } 114 115 // Add invites for assertions 116 for _, assertion := range impTeam.Writers.UnresolvedUsers { 117 ownerInvites = append(ownerInvites, SCTeamInvite{ 118 Type: assertion.TeamInviteType(), 119 Name: assertion.TeamInviteName(), 120 ID: NewInviteID(), 121 }) 122 } 123 124 for _, assertion := range impTeam.Readers.UnresolvedUsers { 125 readerInvites = append(readerInvites, SCTeamInvite{ 126 Type: assertion.TeamInviteType(), 127 Name: assertion.TeamInviteName(), 128 ID: NewInviteID(), 129 }) 130 } 131 132 invites := &SCTeamInvites{ 133 Owners: nil, 134 Admins: nil, 135 Writers: nil, 136 Readers: nil, 137 } 138 if len(ownerInvites) > 0 { 139 invites.Owners = &ownerInvites 140 } 141 if len(readerInvites) > 0 { 142 invites.Readers = &readerInvites 143 } 144 145 // Post the team 146 return teamID, teamName, 147 makeSigAndPostRootTeam(ctx, g, me, members, invites, secretboxRecipients, teamName.String(), 148 teamID, impTeam.IsPublic, true, nil, *merkleRoot) 149 } 150 151 func makeSigAndPostRootTeam(ctx context.Context, g *libkb.GlobalContext, me libkb.UserForSignatures, members SCTeamMembers, 152 invites *SCTeamInvites, secretboxRecipients map[keybase1.UserVersion]keybase1.PerUserKey, name string, 153 teamID keybase1.TeamID, public, implicit bool, settings *SCTeamSettings, merkleRoot libkb.MerkleRoot) (err error) { 154 mctx := libkb.NewMetaContext(ctx, g) 155 defer g.Trace("makeSigAndPostRootTeam", &err)() 156 mctx.Debug("makeSigAndPostRootTeam get device keys") 157 deviceSigningKey, err := mctx.G().ActiveDevice.SigningKey() 158 if err != nil { 159 return err 160 } 161 deviceEncryptionKey, err := mctx.G().ActiveDevice.EncryptionKey() 162 if err != nil { 163 return err 164 } 165 166 // These boxes will get posted along with the sig below. 167 m, err := NewTeamKeyManager(mctx.G(), teamID) 168 if err != nil { 169 return err 170 } 171 secretboxes, err := m.SharedSecretBoxes(mctx, deviceEncryptionKey, secretboxRecipients) 172 if err != nil { 173 return err 174 } 175 176 perTeamSigningKey, err := m.SigningKey() 177 if err != nil { 178 return err 179 } 180 perTeamEncryptionKey, err := m.EncryptionKey() 181 if err != nil { 182 return err 183 } 184 185 mctx.Debug("makeSigAndPostRootTeam make sigs") 186 teamSection, err := makeRootTeamSection(name, teamID, members, invites, perTeamSigningKey.GetKID(), 187 perTeamEncryptionKey.GetKID(), public, implicit, settings) 188 if err != nil { 189 return err 190 } 191 192 err = addSummaryHash(&teamSection, secretboxes) 193 if err != nil { 194 return err 195 } 196 197 // At this point the team section has every field filled out except the 198 // reverse sig. Now we'll wrap it into a full sig, marshal it to JSON, and 199 // sign it, *twice*. The first time with the per-team signing key, to 200 // produce the reverse sig, and the second time with the device signing 201 // key, after the reverse sig has been written in. 202 sigBodyBeforeReverse, err := TeamRootSig(g, me, deviceSigningKey, teamSection, merkleRoot) 203 if err != nil { 204 return err 205 } 206 207 // Note that this (sigchain-v1-style) reverse sig is made with the derived *per-team* signing key. 208 reverseSig, _, _, err := libkb.SignJSON(sigBodyBeforeReverse, perTeamSigningKey) 209 if err != nil { 210 return err 211 } 212 213 // Update the team section to include the reverse sig, sign it again, and 214 // make a sigchain-v2-style sig out of it. Doing it this way, instead of 215 // generating it twice with different parameters, makes it less likely to 216 // accidentally capture different global state (like ctime and merkle 217 // seqno). 218 sigBodyAfterReverse := sigBodyBeforeReverse 219 err = sigBodyAfterReverse.SetValueAtPath("body.team.per_team_key.reverse_sig", jsonw.NewString(reverseSig)) 220 if err != nil { 221 return err 222 } 223 224 sigJSONAfterReverse, err := sigBodyAfterReverse.Marshal() 225 if err != nil { 226 return err 227 } 228 seqType := seqTypeForTeamPublicness(public) 229 v2Sig, _, _, err := libkb.MakeSigchainV2OuterSig( 230 mctx, 231 deviceSigningKey, 232 libkb.LinkTypeTeamRoot, 233 1, /* seqno */ 234 sigJSONAfterReverse, 235 nil, /* prevLinkID */ 236 libkb.SigHasRevokes(false), 237 seqType, 238 libkb.SigIgnoreIfUnsupported(false), 239 nil, 240 ) 241 if err != nil { 242 return err 243 } 244 245 sigMultiItem := libkb.SigMultiItem{ 246 Sig: v2Sig, 247 SigningKID: deviceSigningKey.GetKID(), 248 Type: string(libkb.LinkTypeTeamRoot), 249 SeqType: seqType, 250 SigInner: string(sigJSONAfterReverse), 251 TeamID: teamID, 252 PublicKeys: &libkb.SigMultiItemPublicKeys{ 253 Encryption: perTeamEncryptionKey.GetKID(), 254 Signing: perTeamSigningKey.GetKID(), 255 }, 256 Version: libkb.KeybaseSignatureV2, 257 } 258 259 err = precheckLinkToPost(ctx, g, sigMultiItem, nil, me.ToUserVersion()) 260 if err != nil { 261 mctx.Debug("cannot post link (precheck): %v", err) 262 return err 263 } 264 265 mctx.Debug("makeSigAndPostRootTeam post sigs") 266 payload := make(libkb.JSONPayload) 267 payload["sigs"] = []interface{}{sigMultiItem} 268 payload["per_team_key"] = secretboxes 269 270 _, err = mctx.G().API.PostJSON(mctx, libkb.APIArg{ 271 Endpoint: "sig/multi", 272 SessionType: libkb.APISessionTypeREQUIRED, 273 JSONPayload: payload, 274 }) 275 if err != nil { 276 return err 277 } 278 mctx.Debug("makeSigAndPostRootTeam created team: %v", teamID) 279 return nil 280 } 281 282 func CreateRootTeam(ctx context.Context, g *libkb.GlobalContext, nameString string, settings keybase1.TeamSettings) (res *keybase1.TeamID, err error) { 283 defer g.CTrace(ctx, "CreateRootTeam", &err)() 284 285 perUserKeyUpgradeSoft(ctx, g, "create-root-team") 286 287 name, err := keybase1.TeamNameFromString(nameString) 288 if err != nil { 289 return nil, err 290 } 291 if !name.IsRootTeam() { 292 return nil, fmt.Errorf("cannot create root team with subteam name: %v", nameString) 293 } 294 295 merkleRoot, err := g.MerkleClient.FetchRootFromServer(libkb.NewMetaContext(ctx, g), libkb.TeamMerkleFreshnessForAdmin) 296 if err != nil { 297 return nil, err 298 } 299 300 g.Log.CDebugf(ctx, "CreateRootTeam load me") 301 me, err := loadMeForSignatures(ctx, g) 302 if err != nil { 303 return nil, err 304 } 305 306 ownerLatest := me.GetLatestPerUserKey() 307 if ownerLatest == nil { 308 return nil, errors.New("can't create a new team without having provisioned a per-user key") 309 } 310 secretboxRecipients := map[keybase1.UserVersion]keybase1.PerUserKey{ 311 me.ToUserVersion(): *ownerLatest, 312 } 313 314 members := SCTeamMembers{ 315 Owners: &[]SCTeamMember{SCTeamMember(me.ToUserVersion())}, 316 Admins: &[]SCTeamMember{}, 317 Writers: &[]SCTeamMember{}, 318 Readers: &[]SCTeamMember{}, 319 Bots: &[]SCTeamMember{}, 320 RestrictedBots: &[]SCTeamMember{}, 321 } 322 323 var scSettings *SCTeamSettings 324 if settings.Open { 325 settingsTemp, err := CreateTeamSettings(settings.Open, settings.JoinAs) 326 if err != nil { 327 return nil, err 328 } 329 scSettings = &settingsTemp 330 } 331 332 teamID := name.ToPrivateTeamID() 333 334 err = makeSigAndPostRootTeam(ctx, g, me, members, nil, 335 secretboxRecipients, name.String(), teamID, false, false, scSettings, *merkleRoot) 336 return &teamID, err 337 } 338 339 func CreateSubteam(ctx context.Context, g *libkb.GlobalContext, subteamBasename string, 340 parentName keybase1.TeamName, addSelfAs keybase1.TeamRole) (ret *keybase1.TeamID, err error) { 341 defer g.CTrace(ctx, "CreateSubteam", &err)() 342 mctx := libkb.NewMetaContext(ctx, g) 343 344 subteamName, err := parentName.Append(subteamBasename) 345 if err != nil { 346 return nil, err 347 } 348 349 // Assume private 350 public := false 351 subteamID := NewSubteamID(public) 352 353 err = ForceMerkleRootUpdateByTeamID(mctx, parentName.ToPrivateTeamID()) 354 if err != nil { 355 return nil, err 356 } 357 merkleRoot, err := g.MerkleClient.FetchRootFromServer(libkb.NewMetaContext(ctx, g), libkb.TeamMerkleFreshnessForAdmin) 358 if err != nil { 359 return nil, err 360 } 361 362 perUserKeyUpgradeSoft(ctx, mctx.G(), "create-subteam") 363 364 me, err := loadMeForSignatures(ctx, mctx.G()) 365 if err != nil { 366 return nil, err 367 } 368 369 deviceSigningKey, err := mctx.G().ActiveDevice.SigningKey() 370 if err != nil { 371 return nil, err 372 } 373 374 parentTeam, err := GetForTeamManagementByStringName(ctx, g, parentName.String(), true) 375 if err != nil { 376 return nil, err 377 } 378 379 admin, err := parentTeam.getAdminPermission(ctx) 380 if err != nil { 381 return nil, err 382 } 383 384 if err := parentTeam.ForceMerkleRootUpdate(ctx); err != nil { 385 return nil, err 386 } 387 388 // Subteam creation involves two links, one in the parent team's chain, and 389 // one to start the new subteam chain. The start of the new subteam chain 390 // (type "team.subteam_head") is very similar to the "team.root" sig that 391 // starts a root team, and so making that link is very similar to what the 392 // CreateTeamEngine does. 393 394 newSubteamSig, ratchet, err := generateNewSubteamSigForParentChain(mctx, me, deviceSigningKey, parentTeam.chain(), subteamName, subteamID, admin) 395 if err != nil { 396 return nil, err 397 } 398 399 // subteam needs to be keyed for all admins above it 400 allParentAdmins, err := parentTeam.AllAdmins(ctx) 401 if err != nil { 402 return nil, err 403 } 404 405 subteamHeadSig, secretboxes, err := generateHeadSigForSubteamChain(ctx, g, me, 406 deviceSigningKey, parentTeam.chain(), subteamName, subteamID, admin, 407 allParentAdmins, addSelfAs, *merkleRoot) 408 if err != nil { 409 return nil, err 410 } 411 412 err = precheckLinkToPost(ctx, g, *newSubteamSig, parentTeam.chain(), me.ToUserVersion()) 413 if err != nil { 414 return nil, fmt.Errorf("cannot post link (precheck new subteam): %v", err) 415 } 416 417 err = precheckLinkToPost(ctx, g, *subteamHeadSig, nil, me.ToUserVersion()) 418 if err != nil { 419 return nil, fmt.Errorf("cannot post link (precheck subteam head): %v", err) 420 } 421 422 payload := make(libkb.JSONPayload) 423 payload["sigs"] = []interface{}{newSubteamSig, subteamHeadSig} 424 payload["per_team_key"] = secretboxes 425 ratchet.AddToJSONPayload(payload) 426 427 _, err = g.API.PostJSON(mctx, libkb.APIArg{ 428 Endpoint: "sig/multi", 429 SessionType: libkb.APISessionTypeREQUIRED, 430 JSONPayload: payload, 431 }) 432 if err != nil { 433 return nil, err 434 } 435 436 return &subteamID, nil 437 } 438 439 func makeRootTeamSection(teamName string, teamID keybase1.TeamID, members SCTeamMembers, invites *SCTeamInvites, 440 perTeamSigningKID keybase1.KID, perTeamEncryptionKID keybase1.KID, public bool, implicit bool, settings *SCTeamSettings) (SCTeamSection, error) { 441 teamSection := SCTeamSection{ 442 Name: (*SCTeamName)(&teamName), 443 ID: (SCTeamID)(teamID), 444 Public: public, 445 Implicit: implicit, 446 PerTeamKey: &SCPerTeamKey{ 447 Generation: 1, 448 SigKID: perTeamSigningKID, 449 EncKID: perTeamEncryptionKID, 450 }, 451 Members: &members, 452 Invites: invites, 453 } 454 455 teamSection.Settings = settings 456 457 // At this point the team section has every field filled out except the 458 // reverse sig. Now we'll wrap it into a full sig, marshal it to JSON, and 459 // sign it, *twice*. The first time with the per-team signing key, to 460 // produce the reverse sig, and the second time with the device signing 461 // key, after the reverse sig has been written in. 462 463 return teamSection, nil 464 } 465 466 func generateNewSubteamSigForParentChain(m libkb.MetaContext, me libkb.UserForSignatures, signingKey libkb.GenericKey, parentTeam *TeamSigChainState, subteamName keybase1.TeamName, subteamID keybase1.TeamID, admin *SCTeamAdmin) (item *libkb.SigMultiItem, r *hidden.Ratchet, err error) { 467 newSubteamSigBody, ratchet, err := NewSubteamSig(m, me, signingKey, parentTeam, subteamName, subteamID, admin) 468 if err != nil { 469 return nil, nil, err 470 } 471 newSubteamSigJSON, err := newSubteamSigBody.Marshal() 472 if err != nil { 473 return nil, nil, err 474 } 475 476 prevLinkID, err := libkb.ImportLinkID(parentTeam.GetLatestLinkID()) 477 if err != nil { 478 return nil, nil, err 479 } 480 seqType := seqTypeForTeamPublicness(parentTeam.IsPublic()) 481 482 v2Sig, _, _, err := libkb.MakeSigchainV2OuterSig( 483 m, 484 signingKey, 485 libkb.LinkTypeNewSubteam, 486 parentTeam.GetLatestSeqno()+1, 487 newSubteamSigJSON, 488 prevLinkID, 489 libkb.SigHasRevokes(false), 490 seqType, 491 libkb.SigIgnoreIfUnsupported(false), 492 nil, 493 ) 494 if err != nil { 495 return nil, nil, err 496 } 497 498 item = &libkb.SigMultiItem{ 499 Sig: v2Sig, 500 SigningKID: signingKey.GetKID(), 501 Type: string(libkb.LinkTypeNewSubteam), 502 SeqType: seqType, 503 SigInner: string(newSubteamSigJSON), 504 TeamID: parentTeam.GetID(), 505 Version: libkb.KeybaseSignatureV2, 506 } 507 return item, ratchet, nil 508 } 509 510 func generateHeadSigForSubteamChain(ctx context.Context, g *libkb.GlobalContext, me libkb.UserForSignatures, 511 signingKey libkb.GenericKey, parentTeam *TeamSigChainState, subteamName keybase1.TeamName, 512 subteamID keybase1.TeamID, admin *SCTeamAdmin, allParentAdmins []keybase1.UserVersion, 513 addSelfAs keybase1.TeamRole, merkleRoot libkb.MerkleRoot) (item *libkb.SigMultiItem, boxes *PerTeamSharedSecretBoxes, err error) { 514 deviceEncryptionKey, err := g.ActiveDevice.EncryptionKey() 515 if err != nil { 516 return 517 } 518 519 members := SCTeamMembers{ 520 Owners: &[]SCTeamMember{}, 521 Admins: &[]SCTeamMember{}, 522 Writers: &[]SCTeamMember{}, 523 Readers: &[]SCTeamMember{}, 524 Bots: &[]SCTeamMember{}, 525 RestrictedBots: &[]SCTeamMember{}, 526 } 527 528 memSet := newMemberSet() 529 _, err = memSet.loadGroup(ctx, g, allParentAdmins, storeMemberKindRecipient, true /* force poll */) 530 if err != nil { 531 return nil, nil, err 532 } 533 534 if addSelfAs != keybase1.TeamRole_NONE { 535 meUV := me.ToUserVersion() 536 memList := []SCTeamMember{SCTeamMember(meUV)} 537 switch addSelfAs { 538 case keybase1.TeamRole_BOT: 539 members.Bots = &memList 540 case keybase1.TeamRole_READER: 541 members.Readers = &memList 542 case keybase1.TeamRole_WRITER: 543 members.Writers = &memList 544 case keybase1.TeamRole_ADMIN: 545 members.Admins = &memList 546 case keybase1.TeamRole_OWNER: 547 return nil, nil, errors.New("Cannot add self as owner to a subteam") 548 case keybase1.TeamRole_RESTRICTEDBOT: 549 return nil, nil, errors.New("Cannot add self as restricted bot to a subteam") 550 } 551 _, err := memSet.addMember(ctx, g, meUV, storeMemberKindRecipient, false /* force poll */) 552 if err != nil { 553 return nil, nil, err 554 } 555 } 556 557 // These boxes will get posted along with the sig below. 558 m, err := NewTeamKeyManager(g, subteamID) 559 if err != nil { 560 return nil, nil, err 561 } 562 boxes, err = m.SharedSecretBoxes(libkb.NewMetaContext(ctx, g), deviceEncryptionKey, memSet.recipients) 563 if err != nil { 564 return nil, nil, err 565 } 566 567 perTeamSigningKey, err := m.SigningKey() 568 if err != nil { 569 return nil, nil, err 570 } 571 perTeamEncryptionKey, err := m.EncryptionKey() 572 if err != nil { 573 return nil, nil, err 574 } 575 576 // The "team" section of a subchain head link is similar to that of a 577 // "team.root" link, with the addition of the "parent" subsection. 578 teamSection, err := makeSubteamTeamSection(subteamName, subteamID, parentTeam, members, perTeamSigningKey.GetKID(), perTeamEncryptionKey.GetKID(), admin) 579 if err != nil { 580 return 581 } 582 583 err = addSummaryHash(&teamSection, boxes) 584 if err != nil { 585 return nil, nil, err 586 } 587 588 subteamHeadSigBodyBeforeReverse, err := SubteamHeadSig(g, me, signingKey, teamSection, merkleRoot) 589 if err != nil { 590 return 591 } 592 593 // Now generate the reverse sig and edit it into the JSON. Note that this 594 // (sigchain-v1-style) reverse sig is made with the derived *per-team* 595 // signing key. 596 reverseSig, _, _, err := libkb.SignJSON(subteamHeadSigBodyBeforeReverse, perTeamSigningKey) 597 if err != nil { 598 return 599 } 600 601 // Update the team section to include the reverse sig, sign it again, and 602 // make a sigchain-v2-style sig out of it. Doing it this way, instead of 603 // generating it twice with different parameters, makes it less likely to 604 // accidentally capture different global state (like ctime and merkle 605 // seqno). 606 subteamHeadSigBodyAfterReverse := subteamHeadSigBodyBeforeReverse 607 err = subteamHeadSigBodyAfterReverse.SetValueAtPath("body.team.per_team_key.reverse_sig", jsonw.NewString(reverseSig)) 608 if err != nil { 609 return nil, nil, err 610 } 611 612 subteamHeadSigJSON, err := subteamHeadSigBodyAfterReverse.Marshal() 613 if err != nil { 614 return 615 } 616 617 seqType := seqTypeForTeamPublicness(parentTeam.IsPublic()) 618 v2Sig, _, _, err := libkb.MakeSigchainV2OuterSig( 619 libkb.NewMetaContext(ctx, g), 620 signingKey, 621 libkb.LinkTypeSubteamHead, 622 1, /* seqno */ 623 subteamHeadSigJSON, 624 nil, /* prevLinkID */ 625 libkb.SigHasRevokes(false), 626 seqType, 627 libkb.SigIgnoreIfUnsupported(false), 628 nil, 629 ) 630 if err != nil { 631 return 632 } 633 634 item = &libkb.SigMultiItem{ 635 Sig: v2Sig, 636 SigningKID: signingKey.GetKID(), 637 Type: string(libkb.LinkTypeSubteamHead), 638 SeqType: seqType, 639 SigInner: string(subteamHeadSigJSON), 640 TeamID: subteamID, 641 PublicKeys: &libkb.SigMultiItemPublicKeys{ 642 Encryption: perTeamEncryptionKey.GetKID(), 643 Signing: perTeamSigningKey.GetKID(), 644 }, 645 } 646 return 647 } 648 649 func makeSubteamTeamSection(subteamName keybase1.TeamName, subteamID keybase1.TeamID, 650 parentTeam *TeamSigChainState, members SCTeamMembers, perTeamSigningKID keybase1.KID, 651 perTeamEncryptionKID keybase1.KID, admin *SCTeamAdmin) (SCTeamSection, error) { 652 653 subteamName2 := subteamName.String() 654 teamSection := SCTeamSection{ 655 Name: (*SCTeamName)(&subteamName2), 656 ID: (SCTeamID)(subteamID), 657 Parent: &SCTeamParent{ 658 ID: SCTeamID(parentTeam.GetID()), 659 Seqno: parentTeam.GetLatestSeqno() + 1, // the seqno of the *new* parent link 660 SeqType: seqTypeForTeamPublicness(parentTeam.IsPublic()), 661 }, 662 PerTeamKey: &SCPerTeamKey{ 663 Generation: 1, 664 SigKID: perTeamSigningKID, 665 EncKID: perTeamEncryptionKID, 666 }, 667 Members: &members, 668 Admin: admin, 669 } 670 671 // At this point the team section has every field filled out except the 672 // reverse sig. Next we'll wrap it into a full sig body, marshal it to 673 // JSON, and sign it, *twice*. The first time with the per-team signing 674 // key, to produce the reverse sig, and the second time with the device 675 // signing key, after the reverse sig has been written in. 676 677 return teamSection, nil 678 } 679 680 // Get a per-user key. 681 // Wait for attempt but only warn on error. 682 func perUserKeyUpgradeSoft(ctx context.Context, g *libkb.GlobalContext, reason string) { 683 m := libkb.NewMetaContext(ctx, g) 684 arg := &engine.PerUserKeyUpgradeArgs{} 685 eng := engine.NewPerUserKeyUpgrade(g, arg) 686 err := engine.RunEngine2(m, eng) 687 if err != nil { 688 m.Debug("PerUserKeyUpgrade failed (%s): %v", reason, err) 689 } 690 }