github.com/keybase/client/go@v0.0.0-20241007131713-f10651d043c8/teams/rotate_test.go (about) 1 package teams 2 3 import ( 4 "context" 5 "encoding/hex" 6 "strings" 7 "testing" 8 "time" 9 10 "github.com/keybase/client/go/kbtest" 11 "github.com/keybase/client/go/libkb" 12 "github.com/keybase/client/go/protocol/keybase1" 13 "github.com/stretchr/testify/require" 14 ) 15 16 func TestRotate(t *testing.T) { 17 tc, owner, other, _, name := memberSetupMultiple(t) 18 defer tc.Cleanup() 19 20 if err := SetRoleWriter(context.TODO(), tc.G, name, other.Username); err != nil { 21 t.Fatal(err) 22 } 23 24 team, err := GetForTestByStringName(context.TODO(), tc.G, name) 25 if err != nil { 26 t.Fatal(err) 27 } 28 if team.Generation() != 1 { 29 t.Fatalf("initial team generation: %d, expected 1", team.Generation()) 30 } 31 secretBefore := team.Data.PerTeamKeySeedsUnverified[team.Generation()].Seed.ToBytes() 32 keys1, err := team.AllApplicationKeys(context.TODO(), keybase1.TeamApplication_CHAT) 33 if err != nil { 34 t.Fatal(err) 35 } 36 require.Equal(t, len(keys1), 1) 37 require.Equal(t, keys1[0].KeyGeneration, keybase1.PerTeamKeyGeneration(1)) 38 39 if err := team.Rotate(context.TODO(), keybase1.RotationType_VISIBLE); err != nil { 40 t.Fatal(err) 41 } 42 43 after, err := GetForTestByStringName(context.TODO(), tc.G, name) 44 if err != nil { 45 t.Fatal(err) 46 } 47 if after.Generation() != 2 { 48 t.Fatalf("rotated team generation: %d, expected 2", after.Generation()) 49 } 50 secretAfter := after.Data.PerTeamKeySeedsUnverified[after.Generation()].Seed.ToBytes() 51 if libkb.SecureByteArrayEq(secretAfter, secretBefore) { 52 t.Fatal("TeamBox.Ctext did not change when rotated") 53 } 54 55 assertRole(tc, name, owner.Username, keybase1.TeamRole_OWNER) 56 assertRole(tc, name, other.Username, keybase1.TeamRole_WRITER) 57 58 keys2, err := after.AllApplicationKeys(context.TODO(), keybase1.TeamApplication_CHAT) 59 require.NoError(t, err) 60 require.Equal(t, len(keys2), 2) 61 require.Equal(t, keys2[0].KeyGeneration, keybase1.PerTeamKeyGeneration(1)) 62 require.Equal(t, keys1[0].Key, keys2[0].Key) 63 } 64 65 func TestRotateWithBots(t *testing.T) { 66 tc, owner, otherA, otherB, name := memberSetupMultiple(t) 67 defer tc.Cleanup() 68 69 err := SetRoleBot(context.TODO(), tc.G, name, otherA.Username) 70 require.NoError(t, err) 71 72 err = SetRoleRestrictedBot(context.TODO(), tc.G, name, otherB.Username, keybase1.TeamBotSettings{}) 73 require.NoError(t, err) 74 75 err = tc.Logout() 76 require.NoError(t, err) 77 require.NoError(t, otherA.Login(tc.G)) 78 team, err := GetForTestByStringName(context.TODO(), tc.G, name) 79 require.NoError(t, err) 80 require.EqualValues(t, 1, team.Generation()) 81 require.Len(t, team.Data.PerTeamKeySeedsUnverified, 1) 82 _, err = team.AllApplicationKeys(context.TODO(), keybase1.TeamApplication_CHAT) 83 require.NoError(t, err) 84 85 // Regular bots cannot rotate 86 err = team.Rotate(context.TODO(), keybase1.RotationType_VISIBLE) 87 require.Error(t, err) 88 89 err = tc.Logout() 90 require.NoError(t, err) 91 require.NoError(t, otherB.Login(tc.G)) 92 team, err = GetForTestByStringName(context.TODO(), tc.G, name) 93 require.NoError(t, err) 94 require.EqualValues(t, 1, team.Generation()) 95 require.Zero(t, len(team.Data.PerTeamKeySeedsUnverified)) 96 _, err = team.AllApplicationKeys(context.TODO(), keybase1.TeamApplication_CHAT) 97 require.Error(t, err) 98 require.IsType(t, libkb.NotFoundError{}, err) 99 100 // Restricted bots cannot rotate 101 err = team.Rotate(context.TODO(), keybase1.RotationType_VISIBLE) 102 require.IsType(t, libkb.NotFoundError{}, err) 103 104 err = tc.Logout() 105 require.NoError(t, err) 106 require.NoError(t, owner.Login(tc.G)) 107 team, err = GetForTestByStringName(context.TODO(), tc.G, name) 108 require.NoError(t, err) 109 err = team.Rotate(context.TODO(), keybase1.RotationType_VISIBLE) 110 require.NoError(t, err) 111 112 // otherA has 2 seeds 113 err = tc.Logout() 114 require.NoError(t, err) 115 require.NoError(t, otherA.Login(tc.G)) 116 after, err := GetForTestByStringName(context.TODO(), tc.G, name) 117 require.NoError(t, err) 118 require.EqualValues(t, 2, after.Generation()) 119 require.Len(t, after.Data.PerTeamKeySeedsUnverified, 2) 120 121 // otherB has none 122 err = tc.Logout() 123 require.NoError(t, err) 124 require.NoError(t, otherB.Login(tc.G)) 125 after, err = GetForTestByStringName(context.TODO(), tc.G, name) 126 require.NoError(t, err) 127 require.EqualValues(t, 2, after.Generation()) 128 require.Zero(t, len(after.Data.PerTeamKeySeedsUnverified)) 129 _, err = after.AllApplicationKeys(context.TODO(), keybase1.TeamApplication_CHAT) 130 require.Error(t, err) 131 require.IsType(t, libkb.NotFoundError{}, err) 132 133 assertRole(tc, name, owner.Username, keybase1.TeamRole_OWNER) 134 assertRole(tc, name, otherA.Username, keybase1.TeamRole_BOT) 135 assertRole(tc, name, otherB.Username, keybase1.TeamRole_RESTRICTEDBOT) 136 } 137 138 func setupRotateTest(t *testing.T, implicit bool, public bool) (tc libkb.TestContext, owner, other *kbtest.FakeUser, teamID keybase1.TeamID, teamName keybase1.TeamName) { 139 tc = SetupTest(t, "team", 1) 140 141 var usernames []string 142 143 other, err := kbtest.CreateAndSignupFakeUser("team", tc.G) 144 require.NoError(t, err) 145 usernames = append(usernames, other.Username) 146 err = tc.Logout() 147 require.NoError(t, err) 148 149 owner, err = kbtest.CreateAndSignupFakeUser("team", tc.G) 150 require.NoError(t, err) 151 usernames = append(usernames, owner.Username) 152 153 if implicit { 154 t.Logf("creating implicit team") 155 displayName := strings.Join(usernames, ",") 156 var team *Team 157 team, teamName, _, err = LookupOrCreateImplicitTeam(context.TODO(), tc.G, displayName, public) 158 require.NoError(t, err) 159 160 return tc, owner, other, team.ID, teamName 161 } 162 if public { 163 t.Fatalf("public teams not supported") 164 } 165 166 t.Logf("creating team") 167 teamName, teamID = createTeam2(tc) 168 169 t.Logf("adding writer") 170 err = SetRoleWriter(context.TODO(), tc.G, teamName.String(), other.Username) 171 require.NoError(t, err) 172 173 return tc, owner, other, teamID, teamName 174 } 175 176 func TestHandleRotateRequestOldGeneration(t *testing.T) { 177 runMany(t, func(implicit, public bool) { 178 tc, owner, other, teamID, _ := setupRotateTest(t, implicit, public) 179 defer tc.Cleanup() 180 181 team, err := GetForTestByID(context.TODO(), tc.G, teamID) 182 require.NoError(t, err) 183 184 // rotate to bump the generation 185 err = team.Rotate(context.TODO(), keybase1.RotationType_VISIBLE) 186 require.NoError(t, err) 187 188 team, err = GetForTestByID(context.TODO(), tc.G, teamID) 189 require.NoError(t, err) 190 if team.Generation() != 2 { 191 t.Fatalf("team generation: %d, expected 2", team.Generation()) 192 } 193 secretBefore := team.Data.PerTeamKeySeedsUnverified[team.Generation()].Seed.ToBytes() 194 195 // this shouldn't do anything 196 err = HandleRotateRequest(context.TODO(), tc.G, keybase1.TeamCLKRMsg{ 197 TeamID: team.ID, 198 Generation: 1, 199 ResetUsersUntrusted: nil, 200 }) 201 require.NoError(t, err) 202 203 after, err := GetForTestByID(context.TODO(), tc.G, teamID) 204 require.NoError(t, err) 205 if after.Generation() != 2 { 206 t.Fatalf("HandleRotateRequest with old generation changed team generation: %d, expected 2", after.Generation()) 207 } 208 secretAfter := after.Data.PerTeamKeySeedsUnverified[after.Generation()].Seed.ToBytes() 209 require.True(t, libkb.SecureByteArrayEq(secretAfter, secretBefore), "team secret changed after HandleRotateRequest with old generation") 210 211 if implicit { 212 assertRole2(tc, teamID, owner.Username, keybase1.TeamRole_OWNER) 213 assertRole2(tc, teamID, other.Username, keybase1.TeamRole_OWNER) 214 } else { 215 assertRole2(tc, teamID, owner.Username, keybase1.TeamRole_OWNER) 216 assertRole2(tc, teamID, other.Username, keybase1.TeamRole_WRITER) 217 } 218 }) 219 } 220 221 func TestHandleRotateRequest(t *testing.T) { 222 runMany(t, func(implicit, public bool) { 223 tc, owner, other, teamID, _ := setupRotateTest(t, implicit, public) 224 defer tc.Cleanup() 225 226 team, err := GetForTestByID(context.TODO(), tc.G, teamID) 227 require.NoError(t, err) 228 if team.Generation() != 1 { 229 t.Fatalf("initial team generation: %d, expected 1", team.Generation()) 230 } 231 secretBefore := team.Data.PerTeamKeySeedsUnverified[team.Generation()].Seed.ToBytes() 232 233 err = HandleRotateRequest(context.TODO(), tc.G, keybase1.TeamCLKRMsg{ 234 TeamID: team.ID, 235 Generation: team.Generation(), 236 ResetUsersUntrusted: nil, 237 }) 238 require.NoError(t, err) 239 240 after, err := GetForTestByID(context.TODO(), tc.G, teamID) 241 require.NoError(t, err) 242 if after.Generation() != 2 { 243 t.Fatalf("rotated team generation: %d, expected 2", after.Generation()) 244 } 245 secretAfter := after.Data.PerTeamKeySeedsUnverified[after.Generation()].Seed.ToBytes() 246 require.False(t, libkb.SecureByteArrayEq(secretAfter, secretBefore), "team secret should change when rotated") 247 248 if implicit { 249 assertRole2(tc, teamID, owner.Username, keybase1.TeamRole_OWNER) 250 assertRole2(tc, teamID, other.Username, keybase1.TeamRole_OWNER) 251 } else { 252 assertRole2(tc, teamID, owner.Username, keybase1.TeamRole_OWNER) 253 assertRole2(tc, teamID, other.Username, keybase1.TeamRole_WRITER) 254 } 255 }) 256 } 257 258 func TestImplicitAdminAfterRotateRequest(t *testing.T) { 259 tc, owner, otherA, otherB, root, sub := memberSetupSubteam(t) 260 defer tc.Cleanup() 261 262 team, err := GetForTestByStringName(context.TODO(), tc.G, sub) 263 require.NoError(t, err) 264 require.EqualValues(t, 1, team.Generation()) 265 secretBefore := team.Data.PerTeamKeySeedsUnverified[team.Generation()].Seed.ToBytes() 266 267 params := keybase1.TeamCLKRMsg{ 268 TeamID: team.ID, 269 Generation: team.Generation(), 270 ResetUsersUntrusted: nil, 271 } 272 require.NoError(t, HandleRotateRequest(context.TODO(), tc.G, params)) 273 274 after, err := GetForTestByStringName(context.TODO(), tc.G, sub) 275 require.NoError(t, err) 276 277 require.EqualValues(t, 2, after.Generation()) 278 secretAfter := after.Data.PerTeamKeySeedsUnverified[after.Generation()].Seed.ToBytes() 279 require.False(t, libkb.SecureByteArrayEq(secretAfter, secretBefore)) 280 281 // make sure the roles are ok after rotate 282 assertRole(tc, root, owner.Username, keybase1.TeamRole_OWNER) 283 assertRole(tc, root, otherA.Username, keybase1.TeamRole_ADMIN) 284 assertRole(tc, root, otherB.Username, keybase1.TeamRole_NONE) 285 assertRole(tc, sub, owner.Username, keybase1.TeamRole_NONE) 286 assertRole(tc, sub, otherA.Username, keybase1.TeamRole_NONE) 287 assertRole(tc, sub, otherB.Username, keybase1.TeamRole_NONE) 288 289 // otherA (an implicit admin of sub) should be able to add otherB to sub 290 // after the rotate 291 292 // switch to `otherA` user 293 err = tc.Logout() 294 require.NoError(t, err) 295 require.NoError(t, otherA.Login(tc.G)) 296 297 // otherA has the power to add otherB to the subteam 298 res, err := AddMember(context.TODO(), tc.G, sub, otherB.Username, keybase1.TeamRole_WRITER, nil) 299 require.NoError(t, err) 300 require.Equal(t, res.User.Username, otherB.Username) 301 // otherB should now be a writer 302 assertRole(tc, sub, otherB.Username, keybase1.TeamRole_WRITER) 303 304 // owner, otherA should still be non-members 305 assertRole(tc, sub, owner.Username, keybase1.TeamRole_NONE) 306 assertRole(tc, sub, otherA.Username, keybase1.TeamRole_NONE) 307 } 308 309 // Test multiple rotations racing to post chain links to the same team. 310 // The expected behavior is that they each either succeed or run out of attempts. 311 func TestRotateRace(t *testing.T) { 312 _, tcs, cleanup := setupNTests(t, 1) 313 defer cleanup() 314 315 t.Logf("U0 creates A") 316 _, rootID := createTeam2(*tcs[0]) 317 318 rotate := func(userIndexOperator int) <-chan error { 319 errCh := make(chan error) 320 go func() { 321 params := keybase1.TeamCLKRMsg{ 322 TeamID: rootID, 323 Generation: keybase1.PerTeamKeyGeneration(100), 324 ResetUsersUntrusted: nil, 325 } 326 err := HandleRotateRequest(context.TODO(), tcs[userIndexOperator].G, params) 327 errCh <- err 328 }() 329 return errCh 330 } 331 332 assertNoErr := func(errCh <-chan error, msgAndArgs ...interface{}) { 333 select { 334 case err := <-errCh: 335 require.NoError(t, err, msgAndArgs...) 336 case <-time.After(20 * time.Second): 337 require.FailNow(t, "timeout waiting for return channel") 338 } 339 } 340 341 for i := 0; i < 10; i++ { 342 t.Logf("round %v", i) 343 344 errCh1 := rotate(0) 345 errCh2 := rotate(0) 346 assertNoErr(errCh1, "round %v", i) 347 assertNoErr(errCh2, "round %v", i) 348 } 349 } 350 351 func testRotateTeamSweeping(t *testing.T, open bool) { 352 tc, owner, otherA, otherB, name := memberSetupMultiple(t) 353 defer tc.Cleanup() 354 355 otherC, err := kbtest.CreateAndSignupFakeUser("team", tc.G) 356 require.NoError(t, err) 357 err = tc.Logout() 358 require.NoError(t, err) 359 360 t.Logf("Created team %q", name) 361 require.NoError(t, owner.Login(tc.G)) 362 363 require.NoError(t, SetRoleWriter(context.Background(), tc.G, name, otherA.Username)) 364 require.NoError(t, SetRoleAdmin(context.Background(), tc.G, name, otherB.Username)) 365 require.NoError(t, SetRoleWriter(context.Background(), tc.G, name, otherC.Username)) 366 367 if open { 368 err = ChangeTeamSettings(context.Background(), tc.G, name, keybase1.TeamSettings{ 369 Open: true, 370 JoinAs: keybase1.TeamRole_READER, 371 }) 372 require.NoError(t, err) 373 } 374 375 team, err := GetForTestByStringName(context.Background(), tc.G, name) 376 require.NoError(t, err) 377 378 allMembers, err := team.UsersWithRoleOrAbove(keybase1.TeamRole_READER) 379 require.NoError(t, err) 380 require.Len(t, allMembers, 4) 381 382 // Rotate and reload team while members are not reset yet. Member 383 // set should not change. 384 err = HandleRotateRequest(context.Background(), tc.G, keybase1.TeamCLKRMsg{ 385 TeamID: team.ID, 386 Generation: team.Generation(), 387 ResetUsersUntrusted: nil, 388 }) 389 require.NoError(t, err) 390 team, err = GetForTestByStringName(context.Background(), tc.G, name) 391 require.NoError(t, err) 392 393 members, err := team.Members() 394 require.NoError(t, err) 395 require.Len(t, members.AllUIDs(), 4) 396 397 // Reset otherA (writer) and otherB (admin). otherA should be 398 // removed if the team is open. 399 for _, u := range []*kbtest.FakeUser{otherA, otherB} { 400 err := tc.Logout() 401 require.NoError(t, err) 402 require.NoError(t, u.Login(tc.G)) 403 404 kbtest.ResetAccount(tc, u) 405 } 406 407 err = tc.Logout() 408 require.NoError(t, err) 409 err = owner.Login(tc.G) 410 require.NoError(t, err) 411 412 // Rotate - should trigger sweeping path if the team is open. 413 params := keybase1.TeamCLKRMsg{ 414 TeamID: team.ID, 415 Generation: team.Generation(), 416 } 417 if open { 418 // If the team is not open, team_rekeyd will not tell us about 419 // reset people. 420 params.ResetUsersUntrusted = []keybase1.TeamCLKRResetUser{ 421 { 422 Uid: otherA.User.GetUID(), 423 UserEldestSeqno: keybase1.Seqno(0), 424 MemberEldestSeqno: keybase1.Seqno(1), 425 }} 426 } 427 err = HandleRotateRequest(context.Background(), tc.G, params) 428 require.NoError(t, err) 429 430 // Reload team and check results. 431 team, err = GetForTestByStringName(context.Background(), tc.G, name) 432 require.NoError(t, err) 433 434 members2, err := team.Members() 435 require.NoError(t, err) 436 if open { 437 allUids := members2.AllUIDs() 438 require.Len(t, allUids, 3) 439 440 require.Contains(t, allUids, owner.User.GetUID()) 441 require.Contains(t, allUids, otherB.User.GetUID()) 442 require.Contains(t, allUids, otherC.User.GetUID()) 443 444 require.NotContains(t, allUids, otherA.User.GetUID()) 445 } else { 446 require.ElementsMatch(t, members2.AllUserVersions(), members.AllUserVersions()) 447 } 448 449 require.Equal(t, keybase1.PerTeamKeyGeneration(3), team.Generation()) 450 } 451 452 func TestRotateTeamSweeping(t *testing.T) { 453 // Tests that when a key rotation is requested, reset members are 454 // removed from open team but not closed team. 455 testRotateTeamSweeping(t, false /* open */) 456 testRotateTeamSweeping(t, true /* open */) 457 } 458 459 func TestRotateWithBadUIDs(t *testing.T) { 460 // Try the rotate key + remove reset members machinery, but 461 // simulate server giving us one bad UID (for a person that has 462 // not reset at all), and UID of an admin, who has reset. Neither 463 // of the users should be removed from the team. 464 465 tc, owner, otherA, otherB, name := memberSetupMultiple(t) 466 defer tc.Cleanup() 467 468 t.Logf("Created team %q", name) 469 470 err := ChangeTeamSettings(context.Background(), tc.G, name, keybase1.TeamSettings{ 471 Open: true, 472 JoinAs: keybase1.TeamRole_WRITER, 473 }) 474 require.NoError(t, err) 475 476 require.NoError(t, SetRoleWriter(context.Background(), tc.G, name, otherA.Username)) 477 require.NoError(t, SetRoleAdmin(context.Background(), tc.G, name, otherB.Username)) 478 479 // Logout and reset (admin member). 480 err = tc.Logout() 481 require.NoError(t, err) 482 require.NoError(t, otherB.Login(tc.G)) 483 kbtest.ResetAccount(tc, otherB) 484 485 // Re-login as owner, simulate CLKR message. 486 err = tc.Logout() 487 require.NoError(t, err) 488 err = owner.Login(tc.G) 489 require.NoError(t, err) 490 491 team, err := GetForTestByStringName(context.Background(), tc.G, name) 492 require.NoError(t, err) 493 494 params := keybase1.TeamCLKRMsg{ 495 TeamID: team.ID, 496 Generation: team.Generation(), 497 } 498 for _, u := range []*kbtest.FakeUser{otherA, otherB} { 499 // otherA has not reset at all, but assume it ended up in the 500 // message. otherB has really reset, but is an admin. 501 params.ResetUsersUntrusted = append(params.ResetUsersUntrusted, 502 keybase1.TeamCLKRResetUser{ 503 Uid: u.User.GetUID(), 504 UserEldestSeqno: keybase1.Seqno(0), 505 MemberEldestSeqno: keybase1.Seqno(1), 506 }) 507 } 508 509 err = HandleRotateRequest(context.Background(), tc.G, params) 510 require.NoError(t, err) 511 512 // Check that no one has been removed, and team generation has 513 // changed. 514 team, err = GetForTestByStringName(context.Background(), tc.G, name) 515 require.NoError(t, err) 516 517 members, err := team.Members() 518 require.NoError(t, err) 519 require.Len(t, members.AllUserVersions(), 3) 520 allUids := members.AllUIDs() 521 require.Contains(t, allUids, owner.User.GetUID()) 522 require.Contains(t, allUids, otherA.User.GetUID()) 523 require.Contains(t, allUids, otherB.User.GetUID()) 524 525 require.Equal(t, keybase1.PerTeamKeyGeneration(2), team.Generation()) 526 } 527 528 func TestRotateResetMultipleUsers(t *testing.T) { 529 // Same reset test but with multiple users being removed at once. 530 tc, owner, otherA, otherB, name := memberSetupMultiple(t) 531 defer tc.Cleanup() 532 533 otherC, err := kbtest.CreateAndSignupFakeUser("team", tc.G) 534 require.NoError(t, err) 535 err = tc.Logout() 536 require.NoError(t, err) 537 require.NoError(t, owner.Login(tc.G)) 538 539 err = ChangeTeamSettings(context.Background(), tc.G, name, keybase1.TeamSettings{ 540 Open: true, 541 JoinAs: keybase1.TeamRole_WRITER, 542 }) 543 require.NoError(t, err) 544 545 require.NoError(t, SetRoleWriter(context.Background(), tc.G, name, otherA.Username)) 546 require.NoError(t, SetRoleWriter(context.Background(), tc.G, name, otherB.Username)) 547 require.NoError(t, SetRoleWriter(context.Background(), tc.G, name, otherC.Username)) 548 549 team, err := GetForTestByStringName(context.Background(), tc.G, name) 550 require.NoError(t, err) 551 552 params := keybase1.TeamCLKRMsg{ 553 TeamID: team.ID, 554 Generation: team.Generation(), 555 } 556 557 for _, u := range []*kbtest.FakeUser{otherA, otherB, otherC} { 558 err := tc.Logout() 559 require.NoError(t, err) 560 require.NoError(t, u.Login(tc.G)) 561 562 if u != otherC { 563 kbtest.ResetAccount(tc, u) 564 } else { 565 kbtest.DeleteAccount(tc, u) 566 } 567 568 params.ResetUsersUntrusted = append(params.ResetUsersUntrusted, 569 keybase1.TeamCLKRResetUser{ 570 Uid: u.User.GetUID(), 571 UserEldestSeqno: keybase1.Seqno(0), 572 MemberEldestSeqno: keybase1.Seqno(1), 573 }) 574 } 575 576 err = tc.Logout() 577 require.NoError(t, err) 578 err = owner.Login(tc.G) 579 require.NoError(t, err) 580 581 err = HandleRotateRequest(context.Background(), tc.G, params) 582 require.NoError(t, err) 583 584 // Check that everyone has been removed and team generation changed. 585 team, err = GetForTestByStringName(context.Background(), tc.G, name) 586 require.NoError(t, err) 587 588 members, err := team.Members() 589 require.NoError(t, err) 590 allUVs := members.AllUserVersions() 591 require.Len(t, allUVs, 1) 592 require.Contains(t, allUVs, keybase1.NewUserVersion(owner.User.GetUID(), owner.EldestSeqno)) 593 } 594 595 func TestRotateResetSweepWithWriter(t *testing.T) { 596 // Scenario where CLKR with ResetUsersUntrusted is sent to a 597 // writer. They can't remove reset people, but they should rotate 598 // anyway. 599 600 tc, _, otherA, otherB, name := memberSetupMultiple(t) 601 defer tc.Cleanup() 602 603 err := ChangeTeamSettings(context.Background(), tc.G, name, keybase1.TeamSettings{ 604 Open: true, 605 JoinAs: keybase1.TeamRole_WRITER, 606 }) 607 require.NoError(t, err) 608 609 require.NoError(t, SetRoleWriter(context.Background(), tc.G, name, otherA.Username)) 610 require.NoError(t, SetRoleWriter(context.Background(), tc.G, name, otherB.Username)) 611 612 // Login as otherB, reset account. 613 err = tc.Logout() 614 require.NoError(t, err) 615 require.NoError(t, otherB.Login(tc.G)) 616 kbtest.ResetAccount(tc, otherB) 617 618 // Login as otherA (writer), simulate CLKR with info about reset 619 // otherB. 620 err = tc.Logout() 621 require.NoError(t, err) 622 require.NoError(t, otherA.Login(tc.G)) 623 624 team, err := GetForTestByStringName(context.Background(), tc.G, name) 625 require.NoError(t, err) 626 627 params := keybase1.TeamCLKRMsg{ 628 TeamID: team.ID, 629 Generation: team.Generation(), 630 ResetUsersUntrusted: []keybase1.TeamCLKRResetUser{ 631 { 632 Uid: otherB.User.GetUID(), 633 UserEldestSeqno: keybase1.Seqno(0), 634 MemberEldestSeqno: keybase1.Seqno(1), 635 }}, 636 } 637 err = HandleRotateRequest(context.Background(), tc.G, params) 638 require.NoError(t, err) 639 640 team, err = GetForTestByStringName(context.Background(), tc.G, name) 641 require.NoError(t, err) 642 require.EqualValues(t, 2, team.Generation()) 643 } 644 645 func TestRemoveWithoutRotation(t *testing.T) { 646 tc, _, otherA, otherB, name := memberSetupMultiple(t) 647 defer tc.Cleanup() 648 649 require.NoError(t, SetRoleWriter(context.Background(), tc.G, name, otherA.Username)) 650 651 team, err := GetForTestByStringName(context.Background(), tc.G, name) 652 require.NoError(t, err) 653 654 req := keybase1.TeamChangeReq{ 655 Writers: []keybase1.UserVersion{ 656 keybase1.NewUserVersion(otherB.User.GetUID(), otherB.EldestSeqno), 657 }, 658 None: []keybase1.UserVersion{ 659 keybase1.NewUserVersion(otherA.User.GetUID(), otherA.EldestSeqno), 660 }, 661 } 662 663 opts := ChangeMembershipOptions{ 664 SkipKeyRotation: true, 665 } 666 err = team.ChangeMembershipWithOptions(context.Background(), req, opts) 667 require.NoError(t, err) 668 669 require.EqualValues(t, 1, team.Generation()) 670 671 team, err = GetForTestByStringName(context.Background(), tc.G, name) 672 require.NoError(t, err) 673 // Generation should still be one, ChangeMembership should not 674 // have posted new key. 675 require.EqualValues(t, 1, team.Generation()) 676 } 677 678 func TestRotateAsSubteamWriter(t *testing.T) { 679 // subteam has a single writer who is not part of the parent team. 680 // scenario manifested itself in CORE-8681 681 tc, _, _, otherB, _, sub := memberSetupSubteam(t) 682 defer tc.Cleanup() 683 684 team, err := GetForTestByStringName(context.TODO(), tc.G, sub) 685 require.NoError(t, err) 686 oldGeneration := team.Generation() 687 688 res, err := AddMember(context.TODO(), tc.G, sub, otherB.Username, keybase1.TeamRole_WRITER, nil) 689 require.NoError(t, err) 690 require.Equal(t, res.User.Username, otherB.Username) 691 // otherB should now be a writer 692 assertRole(tc, sub, otherB.Username, keybase1.TeamRole_WRITER) 693 694 err = tc.Logout() 695 require.NoError(t, err) 696 require.NoError(t, otherB.Login(tc.G)) 697 698 params := keybase1.TeamCLKRMsg{ 699 TeamID: team.ID, 700 Generation: oldGeneration, 701 ResetUsersUntrusted: nil, 702 } 703 err = HandleRotateRequest(context.Background(), tc.G, params) 704 require.NoError(t, err) 705 706 teamAfter, err := GetForTestByStringName(context.Background(), tc.G, sub) 707 require.NoError(t, err) 708 require.EqualValues(t, oldGeneration+1, teamAfter.Generation()) 709 } 710 711 func TestDowngradeImplicitAdminAfterReset(t *testing.T) { 712 tc, owner, otherA, otherB, root, sub := memberSetupSubteam(t) 713 defer tc.Cleanup() 714 715 _, err := AddMember(context.TODO(), tc.G, sub, otherA.Username, keybase1.TeamRole_ADMIN, nil) 716 require.NoError(t, err) 717 718 // Reset and reprovision implicit admin 719 err = tc.Logout() 720 require.NoError(t, err) 721 require.NoError(t, otherA.Login(tc.G)) 722 kbtest.ResetAccount(tc, otherA) 723 require.NoError(t, otherA.Login(tc.G)) 724 725 err = tc.Logout() 726 require.NoError(t, err) 727 require.NoError(t, owner.Login(tc.G)) 728 729 _, err = GetForTestByStringName(context.Background(), tc.G, root) 730 require.NoError(t, err) 731 732 _, err = AddMember(context.TODO(), tc.G, root, otherA.Username, keybase1.TeamRole_ADMIN, nil) 733 require.NoError(t, err) 734 735 err = EditMember(context.TODO(), tc.G, root, otherA.Username, keybase1.TeamRole_WRITER, nil) 736 require.NoError(t, err) 737 738 // This fails if a box incorrectly remains live for otherA after the downgrade due 739 // to bad team key coverage. 740 _, err = AddMember(context.TODO(), tc.G, sub, otherB.Username, keybase1.TeamRole_ADMIN, nil) 741 require.NoError(t, err) 742 } 743 744 func TestRotationWhenClosingOpenTeam(t *testing.T) { 745 tc := SetupTest(t, "team", 1) 746 defer tc.Cleanup() 747 748 _, err := kbtest.CreateAndSignupFakeUser("team", tc.G) 749 require.NoError(t, err) 750 751 tryCloseTeam := func(rotateWithSettings bool) { 752 t.Logf("tryCloseTeam(rotateWithSettings=%t)", rotateWithSettings) 753 754 b, err := libkb.RandBytes(4) 755 require.NoError(tc.T, err) 756 757 teamName := hex.EncodeToString(b) 758 _, err = CreateRootTeam(context.Background(), tc.G, teamName, keybase1.TeamSettings{ 759 Open: true, 760 JoinAs: keybase1.TeamRole_WRITER, 761 }) 762 require.NoError(tc.T, err) 763 764 teamObj, err := GetForTestByStringName(context.Background(), tc.G, teamName) 765 require.NoError(t, err) 766 767 currentGen := teamObj.Generation() 768 if rotateWithSettings { 769 err = ChangeTeamSettings(context.Background(), tc.G, teamName, keybase1.TeamSettings{ 770 Open: false, 771 }) 772 require.NoError(t, err) 773 } else { 774 err = teamObj.PostTeamSettings(context.Background(), keybase1.TeamSettings{ 775 Open: false, 776 }, false /* rotate */) 777 require.NoError(t, err) 778 err = RotateKey(context.Background(), tc.G, keybase1.TeamRotateKeyArg{ 779 TeamID: teamObj.ID, 780 Rt: keybase1.RotationType_VISIBLE, 781 }) 782 require.NoError(t, err) 783 } 784 785 teamObj, err = GetForTestByStringName(context.Background(), tc.G, teamName) 786 require.NoError(t, err) // ensures team settings link did not break loading 787 require.Equal(t, currentGen+1, teamObj.Generation()) // and we got new per team key 788 if rotateWithSettings { 789 // Make sure we only posted one link to close. 790 require.EqualValues(t, 2, teamObj.CurrentSeqno()) 791 } else { 792 // This one should have posted two links. 793 require.EqualValues(t, 3, teamObj.CurrentSeqno()) 794 } 795 } 796 797 // Close team using ChangeTeamSettings service_helper API, which is the 798 // default used by RPC handler, and closes team by using PostTeamSettings 799 // with rotate=true. This should close team and rotate in one sigchain 800 // link. 801 tryCloseTeam(true) 802 803 // Try to close team "manually" using PostTeamSettings(rotate=false) and 804 // then calling RotateKey. Team will be closed and rotated in two links. 805 // This is what clients used to do prior to 2019-10-02. 806 tryCloseTeam(false) 807 } 808 809 func TestRemoveFromOpenTeam(t *testing.T) { 810 // Removals from open teams should not cause rotation. 811 tc, _, otherA, _, name := memberSetupMultiple(t) 812 defer tc.Cleanup() 813 814 err := ChangeTeamSettings(context.Background(), tc.G, name, keybase1.TeamSettings{ 815 Open: true, 816 JoinAs: keybase1.TeamRole_WRITER, 817 }) 818 require.NoError(t, err) 819 820 teamObj, err := GetForTestByStringName(context.Background(), tc.G, name) 821 require.NoError(t, err) 822 823 currentGen := teamObj.Generation() 824 err = SetRoleWriter(context.Background(), tc.G, name, otherA.Username) 825 require.NoError(t, err) 826 827 err = RemoveMember(context.Background(), tc.G, name, otherA.Username) 828 require.NoError(t, err) 829 830 // Expecting generation to stay the same after removal. 831 teamObj, err = GetForTestByStringName(context.Background(), tc.G, name) 832 require.NoError(t, err) 833 require.Equal(t, currentGen, teamObj.Generation()) 834 } 835 836 func TestOpenSweepHandler(t *testing.T) { 837 tc, owner, otherA, otherB, name := memberSetupMultiple(t) 838 defer tc.Cleanup() 839 840 require.NoError(t, SetRoleWriter(context.Background(), tc.G, name, otherA.Username)) 841 require.NoError(t, SetRoleWriter(context.Background(), tc.G, name, otherB.Username)) 842 843 otherBUV := otherB.User.ToUserVersion() 844 845 // Login as otherB, reset account. 846 err := tc.Logout() 847 require.NoError(t, err) 848 require.NoError(t, otherB.Login(tc.G)) 849 kbtest.ResetAccount(tc, otherB) 850 851 // Login as owner, try to simulate OPENSWEEP, should fail because it's a 852 // closed team. 853 err = tc.Logout() 854 require.NoError(t, err) 855 require.NoError(t, owner.Login(tc.G)) 856 857 team, err := GetForTestByStringName(context.Background(), tc.G, name) 858 require.NoError(t, err) 859 860 // Make sure we have the right UV that we are going to check later if it's 861 // sweeped out. 862 require.True(t, team.IsMember(context.TODO(), otherBUV)) 863 864 params := keybase1.TeamOpenSweepMsg{ 865 TeamID: team.ID, 866 ResetUsersUntrusted: []keybase1.TeamCLKRResetUser{ 867 { 868 Uid: otherB.User.GetUID(), 869 UserEldestSeqno: keybase1.Seqno(0), 870 MemberEldestSeqno: otherBUV.EldestSeqno, 871 }}, 872 } 873 err = HandleOpenTeamSweepRequest(context.Background(), tc.G, params) 874 require.Error(t, err) 875 876 // Change settings to open team. 877 err = ChangeTeamSettings(context.Background(), tc.G, name, keybase1.TeamSettings{ 878 Open: true, 879 JoinAs: keybase1.TeamRole_WRITER, 880 }) 881 require.NoError(t, err) 882 883 // Login as otherA (writer), simulate OPENSWEEP, should fail 884 // because it only works with admins. 885 err = tc.Logout() 886 require.NoError(t, err) 887 require.NoError(t, otherA.Login(tc.G)) 888 889 err = HandleOpenTeamSweepRequest(context.Background(), tc.G, params) 890 require.Error(t, err) 891 892 // Back to owner, should work now. 893 err = tc.Logout() 894 require.NoError(t, err) 895 require.NoError(t, owner.Login(tc.G)) 896 897 err = HandleOpenTeamSweepRequest(context.Background(), tc.G, params) 898 require.NoError(t, err) 899 900 team, err = GetForTestByStringName(context.Background(), tc.G, name) 901 require.NoError(t, err) 902 // Generation should not have advanced after OPENSWEEP. 903 require.EqualValues(t, 1, team.Generation()) 904 // OtherB should not be a member anymore. 905 require.False(t, team.IsMember(context.TODO(), otherBUV)) 906 // This leaves two remaining members. 907 members, err := team.Members() 908 require.NoError(t, err) 909 require.Len(t, members.AllUserVersions(), 2) 910 911 curSeqno := team.CurrentSeqno() 912 913 // Repeating the same request should be a no-op, not post any links, etc. 914 err = HandleOpenTeamSweepRequest(context.Background(), tc.G, params) 915 require.NoError(t, err) 916 917 team, err = GetForTestByStringName(context.Background(), tc.G, name) 918 require.NoError(t, err) 919 require.Equal(t, curSeqno, team.CurrentSeqno()) 920 require.EqualValues(t, 1, team.Generation()) 921 } 922 923 func TestTeamSettings(t *testing.T) { 924 tc, _, _, _, name := memberSetupMultiple(t) 925 defer tc.Cleanup() 926 927 // Change settings to open team. 928 err := ChangeTeamSettings(context.Background(), tc.G, name, keybase1.TeamSettings{ 929 Open: true, 930 JoinAs: keybase1.TeamRole_WRITER, 931 }) 932 require.NoError(t, err) 933 934 team, err := GetForTestByStringName(context.Background(), tc.G, name) 935 require.NoError(t, err) 936 settings := team.Settings() 937 require.Equal(t, settings.Open, true) 938 require.Equal(t, settings.JoinAs, keybase1.TeamRole_WRITER) 939 }