github.com/keybase/client/go@v0.0.0-20241007131713-f10651d043c8/teams/teams.go (about) 1 package teams 2 3 import ( 4 "crypto/rand" 5 "crypto/sha256" 6 "encoding/base64" 7 "encoding/json" 8 "errors" 9 "fmt" 10 "sort" 11 "time" 12 13 "github.com/keybase/go-codec/codec" 14 15 "golang.org/x/crypto/nacl/secretbox" 16 "golang.org/x/net/context" 17 18 "github.com/keybase/client/go/libkb" 19 "github.com/keybase/client/go/protocol/gregor1" 20 "github.com/keybase/client/go/protocol/keybase1" 21 "github.com/keybase/client/go/sig3" 22 hidden "github.com/keybase/client/go/teams/hidden" 23 jsonw "github.com/keybase/go-jsonw" 24 ) 25 26 // Teamer is an interface that can fit a materialized Team (just below) or intermediary temporary products 27 // that are available during the team load process. It has access to both the main and hidden chain data 28 // so that we can ask questions like "what is the maximal on-chain PTK generation." 29 type Teamer interface { 30 MainChain() *keybase1.TeamData 31 HiddenChain() *keybase1.HiddenTeamChain 32 } 33 34 // A snapshot of a team's state. 35 // Not threadsafe. 36 type Team struct { 37 libkb.Contextified 38 39 ID keybase1.TeamID 40 Data *keybase1.TeamData 41 Hidden *keybase1.HiddenTeamChain 42 43 keyManager *TeamKeyManager 44 45 // rotated is set by rotateBoxes after rotating team key. 46 rotated bool 47 } 48 49 // Used to order multiple signatures to post 50 type teamSectionWithLinkType struct { 51 linkType libkb.LinkType 52 section SCTeamSection 53 } 54 55 func (t *Team) MainChain() *keybase1.TeamData { return t.Data } 56 func (t *Team) HiddenChain() *keybase1.HiddenTeamChain { return t.Hidden } 57 58 var _ Teamer = (*Team)(nil) 59 60 func NewTeam(ctx context.Context, g *libkb.GlobalContext, teamData *keybase1.TeamData, hidden *keybase1.HiddenTeamChain) *Team { 61 return &Team{ 62 Contextified: libkb.NewContextified(g), 63 64 ID: teamData.ID(), 65 Data: teamData, 66 Hidden: hidden, 67 } 68 } 69 70 func (t *Team) CanSkipKeyRotation() bool { 71 // Only applies for >=200 member teams. 72 const MinTeamSize = 200 73 // Aim for one rotation every 24h. 74 const KeyRotateInterval = time.Duration(24) * time.Hour 75 76 if t.IsImplicit() { 77 // Do not do this optimization for implicit teams. 78 return false 79 } 80 81 if t.IsOpen() { 82 // Skip all rotations in open teams. 83 return true 84 } 85 86 // If cannot decide because of an error, return default false. 87 members, err := t.UsersWithRoleOrAbove(keybase1.TeamRole_BOT) 88 if err != nil { 89 return false 90 } 91 if len(members) < MinTeamSize { 92 // Not a big team 93 return false 94 } 95 96 now := t.G().Clock().Now() 97 duration := now.Sub(time.Unix(int64(t.chain().GetLatestPerTeamKeyCTime()), 0)) 98 if duration > KeyRotateInterval { //nolint 99 // Last key rotation was more than predefined interval. 100 return false 101 } 102 // Team is big and key was rotated recently - can skip rotation. 103 return true 104 } 105 106 func (t *Team) calculateAndCacheMemberCount(ctx context.Context) (int, error) { 107 m := libkb.NewMetaContext(ctx, t.G()) 108 members, err := t.Members() 109 if err != nil { 110 m.Debug("| Failed to get Members() for team %q: %v", t.ID, err) 111 return 0, err 112 } 113 114 memberUIDs := make(map[keybase1.UID]bool) 115 for _, uv := range members.AllUserVersions() { 116 memberUIDs[uv.Uid] = true 117 } 118 119 inviteMDs := t.chain().ActiveInvites() 120 for _, inviteMD := range inviteMDs { 121 invite := inviteMD.Invite 122 invID := invite.Id 123 category, err := invite.Type.C() 124 if err != nil { 125 m.Debug("| Failed parsing invite %q in team %q: %v", invID, t.ID, err) 126 return 0, err 127 } 128 129 if category == keybase1.TeamInviteCategory_KEYBASE { 130 uv, err := invite.KeybaseUserVersion() 131 if err != nil { 132 m.Debug("| Failed parsing invite %q in team %q: %v", invID, t.ID, err) 133 return 0, err 134 } 135 136 memberUIDs[uv.Uid] = true 137 } 138 139 } 140 count := len(memberUIDs) - len(members.Bots) - len(members.RestrictedBots) 141 t.G().TeamMemberCountCache.Set(t.ID, count) 142 return count, nil 143 } 144 145 func (t *Team) chain() *TeamSigChainState { 146 return &TeamSigChainState{inner: t.Data.Chain, hidden: t.Hidden} 147 } 148 149 func (t *Team) Name() keybase1.TeamName { 150 return t.Data.Name 151 } 152 153 func (t *Team) Generation() keybase1.PerTeamKeyGeneration { 154 return t.chain().GetLatestGeneration() 155 } 156 157 func (t *Team) IsPublic() bool { 158 return t.chain().IsPublic() 159 } 160 161 func (t *Team) IsImplicit() bool { 162 return t.chain().IsImplicit() 163 } 164 165 func (t *Team) IsSubteam() bool { 166 return t.chain().IsSubteam() 167 } 168 169 func (t *Team) IsOpen() bool { 170 return t.chain().IsOpen() 171 } 172 173 func (t *Team) OpenTeamJoinAs() keybase1.TeamRole { 174 return t.chain().inner.OpenTeamJoinAs 175 } 176 177 func (t *Team) KBFSTLFIDs() []keybase1.TLFID { 178 return t.chain().inner.TlfIDs 179 } 180 181 func (t *Team) LatestKBFSTLFID() (res keybase1.TLFID) { 182 ids := t.KBFSTLFIDs() 183 if len(ids) > 0 { 184 res = ids[len(ids)-1] 185 } 186 return res 187 } 188 189 func (t *Team) KBFSCryptKeys(ctx context.Context, appType keybase1.TeamApplication) []keybase1.CryptKey { 190 return t.Data.TlfCryptKeys[appType] 191 } 192 193 func (t *Team) getKeyManager(ctx context.Context) (km *TeamKeyManager, err error) { 194 if t.keyManager == nil { 195 gen := t.chain().GetLatestGeneration() 196 item, err := GetAndVerifyPerTeamKey(t.MetaContext(ctx), t, gen) 197 if err != nil { 198 return nil, err 199 } 200 t.keyManager, err = NewTeamKeyManagerWithSeedItem(t.ID, item) 201 if err != nil { 202 return nil, err 203 } 204 } 205 return t.keyManager, nil 206 } 207 208 func (t *Team) SharedSecret(ctx context.Context) (ret keybase1.PerTeamKeySeed, err error) { 209 defer t.G().CTrace(ctx, "Team#SharedSecret", &err)() 210 km, err := t.getKeyManager(ctx) 211 if err != nil { 212 return ret, err 213 } 214 return km.SharedSecret(), nil 215 } 216 217 func (t *Team) KBFSKey(ctx context.Context) (keybase1.TeamApplicationKey, error) { 218 return t.ApplicationKey(ctx, keybase1.TeamApplication_KBFS) 219 } 220 221 func (t *Team) ChatKey(ctx context.Context) (keybase1.TeamApplicationKey, error) { 222 return t.ApplicationKey(ctx, keybase1.TeamApplication_CHAT) 223 } 224 225 func (t *Team) GitMetadataKey(ctx context.Context) (keybase1.TeamApplicationKey, error) { 226 return t.ApplicationKey(ctx, keybase1.TeamApplication_GIT_METADATA) 227 } 228 229 func (t *Team) SeitanInviteTokenKeyLatest(ctx context.Context) (keybase1.TeamApplicationKey, error) { 230 return t.ApplicationKey(ctx, keybase1.TeamApplication_SEITAN_INVITE_TOKEN) 231 } 232 233 func (t *Team) SaltpackEncryptionKeyLatest(ctx context.Context) (keybase1.TeamApplicationKey, error) { 234 return t.ApplicationKey(ctx, keybase1.TeamApplication_SALTPACK) 235 } 236 237 func (t *Team) ChatKeyAtGeneration(ctx context.Context, generation keybase1.PerTeamKeyGeneration) (keybase1.TeamApplicationKey, error) { 238 return t.ApplicationKeyAtGeneration(ctx, keybase1.TeamApplication_CHAT, generation) 239 } 240 241 func (t *Team) SaltpackEncryptionKeyAtGeneration(ctx context.Context, generation keybase1.PerTeamKeyGeneration) (keybase1.TeamApplicationKey, error) { 242 return t.ApplicationKeyAtGeneration(ctx, keybase1.TeamApplication_SALTPACK, generation) 243 } 244 245 func (t *Team) SeitanInviteTokenKeyAtGeneration(ctx context.Context, generation keybase1.PerTeamKeyGeneration) (keybase1.TeamApplicationKey, error) { 246 return t.ApplicationKeyAtGeneration(ctx, keybase1.TeamApplication_SEITAN_INVITE_TOKEN, generation) 247 } 248 249 func (t *Team) SigningKID(ctx context.Context) (kid keybase1.KID, err error) { 250 gen := t.chain().GetLatestGeneration() 251 chainKey, err := newTeamSigChainState(t).GetPerTeamKeyAtGeneration(gen) 252 if err != nil { 253 return kid, err 254 } 255 return chainKey.SigKID, nil 256 } 257 258 func (t *Team) SigningKey(ctx context.Context) (key libkb.NaclSigningKeyPair, err error) { 259 km, err := t.getKeyManager(ctx) 260 if err != nil { 261 return key, err 262 } 263 return km.SigningKey() 264 } 265 266 func (t *Team) EncryptionKey(ctx context.Context) (key libkb.NaclDHKeyPair, err error) { 267 km, err := t.getKeyManager(ctx) 268 if err != nil { 269 return key, err 270 } 271 return km.EncryptionKey() 272 } 273 274 func (t *Team) encryptionKeyAtGen(ctx context.Context, gen keybase1.PerTeamKeyGeneration) (key libkb.NaclDHKeyPair, err error) { 275 item, err := GetAndVerifyPerTeamKey(libkb.NewMetaContext(ctx, t.G()), t, gen) 276 if err != nil { 277 return key, err 278 } 279 keyManager, err := NewTeamKeyManagerWithSeedItem(t.ID, item) 280 if err != nil { 281 return key, err 282 } 283 return keyManager.EncryptionKey() 284 } 285 286 func (t *Team) IsMember(ctx context.Context, uv keybase1.UserVersion) bool { 287 role, err := t.MemberRole(ctx, uv) 288 if err != nil { 289 t.G().Log.CDebugf(ctx, "error getting user role: %s", err) 290 return false 291 } 292 return role != keybase1.TeamRole_NONE 293 } 294 295 func (t *Team) MemberCtime(ctx context.Context, uv keybase1.UserVersion) *keybase1.Time { 296 return t.chain().MemberCtime(uv) 297 } 298 299 func (t *Team) MemberRole(ctx context.Context, uv keybase1.UserVersion) (keybase1.TeamRole, error) { 300 return t.chain().GetUserRole(uv) 301 } 302 303 func (t *Team) WasMostRecentlyAddedByInvitelink(uv keybase1.UserVersion) bool { 304 chain := t.chain().inner 305 logPoints, ok := chain.UserLog[uv] 306 if !ok { 307 return false 308 } 309 latestLogPointAddedAtIdx := len(logPoints) - 1 310 for _, inviteMD := range chain.InviteMetadatas { 311 for _, usedInvite := range inviteMD.UsedInvites { 312 if usedInvite.Uv == uv { 313 invitelinkLogPointAddedAtIdx := usedInvite.LogPoint 314 if invitelinkLogPointAddedAtIdx == latestLogPointAddedAtIdx { 315 return true 316 } 317 // don't exit early otherwise, since there might be a newer invite 318 } 319 } 320 } 321 return false 322 } 323 324 func (t *Team) myRole(ctx context.Context) (keybase1.TeamRole, error) { 325 uv, err := t.currentUserUV(ctx) 326 if err != nil { 327 return keybase1.TeamRole_NONE, err 328 } 329 role, err := t.MemberRole(ctx, uv) 330 return role, err 331 } 332 333 func (t *Team) UserVersionByUID(ctx context.Context, uid keybase1.UID) (keybase1.UserVersion, error) { 334 return t.chain().GetLatestUVWithUID(uid) 335 } 336 337 func (t *Team) AllUserVersionsByUID(ctx context.Context, uid keybase1.UID) []keybase1.UserVersion { 338 return t.chain().GetAllUVsWithUID(uid) 339 } 340 341 func (t *Team) AllUserVersions(ctx context.Context) []keybase1.UserVersion { 342 return t.chain().GetAllUVs() 343 } 344 345 func (t *Team) UsersWithRole(role keybase1.TeamRole) ([]keybase1.UserVersion, error) { 346 return t.chain().GetUsersWithRole(role) 347 } 348 349 func (t *Team) UsersWithRoleOrAbove(role keybase1.TeamRole) ([]keybase1.UserVersion, error) { 350 return t.chain().GetUsersWithRoleOrAbove(role) 351 } 352 353 func (t *Team) UserLastJoinTime(u keybase1.UserVersion) (time keybase1.Time, err error) { 354 return t.chain().GetUserLastJoinTime(u) 355 } 356 357 // UserLastRoleChangeTime returns the time of the last role change for user 358 // in team. If the user left the team as a last change, the time of such leave 359 // event is returned. If the user was never in the team, then this function 360 // returns time=0 and wasMember=false. 361 func (t *Team) UserLastRoleChangeTime(u keybase1.UserVersion) (time keybase1.Time, wasMember bool) { 362 return t.chain().GetUserLastRoleChangeTime(u) 363 } 364 365 func (t *Team) Settings() keybase1.TeamSettings { 366 return keybase1.TeamSettings{ 367 Open: t.IsOpen(), 368 JoinAs: t.chain().inner.OpenTeamJoinAs, 369 } 370 } 371 372 func (t *Team) Members() (keybase1.TeamMembers, error) { 373 var members keybase1.TeamMembers 374 375 x, err := t.UsersWithRole(keybase1.TeamRole_OWNER) 376 if err != nil { 377 return keybase1.TeamMembers{}, err 378 } 379 members.Owners = x 380 381 x, err = t.UsersWithRole(keybase1.TeamRole_ADMIN) 382 if err != nil { 383 return keybase1.TeamMembers{}, err 384 } 385 members.Admins = x 386 387 x, err = t.UsersWithRole(keybase1.TeamRole_WRITER) 388 if err != nil { 389 return keybase1.TeamMembers{}, err 390 } 391 members.Writers = x 392 393 x, err = t.UsersWithRole(keybase1.TeamRole_READER) 394 if err != nil { 395 return keybase1.TeamMembers{}, err 396 } 397 members.Readers = x 398 399 x, err = t.UsersWithRole(keybase1.TeamRole_BOT) 400 if err != nil { 401 return keybase1.TeamMembers{}, err 402 } 403 members.Bots = x 404 405 x, err = t.UsersWithRole(keybase1.TeamRole_RESTRICTEDBOT) 406 if err != nil { 407 return keybase1.TeamMembers{}, err 408 } 409 members.RestrictedBots = x 410 411 return members, nil 412 } 413 414 func (t *Team) ImplicitTeamDisplayName(ctx context.Context) (res keybase1.ImplicitTeamDisplayName, err error) { 415 return t.implicitTeamDisplayName(ctx, false) 416 } 417 418 func (t *Team) ImplicitTeamDisplayNameNoConflicts(ctx context.Context) (res keybase1.ImplicitTeamDisplayName, err error) { 419 return t.implicitTeamDisplayName(ctx, true) 420 } 421 422 func (t *Team) implicitTeamDisplayName(ctx context.Context, skipConflicts bool) (res keybase1.ImplicitTeamDisplayName, err error) { 423 defer t.G().CTrace(ctx, "Team.ImplicitTeamDisplayName", &err)() 424 425 impName := keybase1.ImplicitTeamDisplayName{ 426 IsPublic: t.IsPublic(), 427 ConflictInfo: nil, // TODO should we know this here? 428 } 429 430 seenKBUsers := make(map[string]bool) 431 members, err := t.Members() 432 if err != nil { 433 return res, err 434 } 435 // Add the keybase owners 436 for _, member := range members.Owners { 437 name, err := t.G().GetUPAKLoader().LookupUsername(ctx, member.Uid) 438 if err != nil { 439 return res, err 440 } 441 impName.Writers.KeybaseUsers = append(impName.Writers.KeybaseUsers, name.String()) 442 } 443 // Add the keybase readers 444 for _, member := range members.Readers { 445 name, err := t.G().GetUPAKLoader().LookupUsername(ctx, member.Uid) 446 if err != nil { 447 return res, err 448 } 449 impName.Readers.KeybaseUsers = append(impName.Readers.KeybaseUsers, name.String()) 450 } 451 // Mark all the usernames we know about 452 for _, name := range append(impName.Writers.KeybaseUsers, impName.Readers.KeybaseUsers...) { 453 seenKBUsers[name] = true 454 } 455 456 // Add the invites 457 isFullyResolved := true 458 459 inviteMDs := t.chain().ActiveInvites() 460 for _, inviteMD := range inviteMDs { 461 invite := inviteMD.Invite 462 invtyp, err := invite.Type.C() 463 if err != nil { 464 t.G().Log.CDebugf(ctx, "ImplicitTeamDisplayName: failed to compute type of invite: %s", err.Error()) 465 continue 466 } 467 switch invtyp { 468 case keybase1.TeamInviteCategory_SBS: 469 sa := keybase1.SocialAssertion{ 470 User: string(invite.Name), 471 Service: keybase1.SocialAssertionService(string(invite.Type.Sbs())), 472 } 473 switch invite.Role { 474 case keybase1.TeamRole_OWNER: 475 impName.Writers.UnresolvedUsers = append(impName.Writers.UnresolvedUsers, sa) 476 case keybase1.TeamRole_READER: 477 impName.Readers.UnresolvedUsers = append(impName.Readers.UnresolvedUsers, sa) 478 default: 479 return res, fmt.Errorf("implicit team contains invite to role: %v (%v)", invite.Role, invite.Id) 480 } 481 isFullyResolved = false 482 case keybase1.TeamInviteCategory_KEYBASE: 483 // Check to make sure we don't already have the user in the name 484 uv, err := invite.KeybaseUserVersion() 485 if err != nil { 486 return res, err 487 } 488 normalizedUsername, err := t.G().GetUPAKLoader().LookupUsername(ctx, uv.Uid) 489 if err != nil { 490 return res, err 491 } 492 username := normalizedUsername.String() 493 494 if seenKBUsers[username] { 495 continue 496 } 497 seenKBUsers[username] = true 498 switch invite.Role { 499 case keybase1.TeamRole_OWNER: 500 impName.Writers.KeybaseUsers = append(impName.Writers.KeybaseUsers, username) 501 case keybase1.TeamRole_READER: 502 impName.Readers.KeybaseUsers = append(impName.Readers.KeybaseUsers, username) 503 default: 504 return res, fmt.Errorf("implicit team contains invite to role: %v (%v)", invite.Role, 505 invite.Id) 506 } 507 case keybase1.TeamInviteCategory_PHONE, keybase1.TeamInviteCategory_EMAIL: 508 typ, err := invite.Type.String() 509 if err != nil { 510 return res, fmt.Errorf("Failed to handle invite type %v: %s", invtyp, err) 511 } 512 sa := keybase1.SocialAssertion{ 513 User: string(invite.Name), 514 Service: keybase1.SocialAssertionService(typ), 515 } 516 switch invite.Role { 517 case keybase1.TeamRole_OWNER: 518 impName.Writers.UnresolvedUsers = append(impName.Writers.UnresolvedUsers, sa) 519 case keybase1.TeamRole_READER: 520 impName.Readers.UnresolvedUsers = append(impName.Readers.UnresolvedUsers, sa) 521 default: 522 return res, fmt.Errorf("implicit team contains invite to role: %v (%v)", invite.Role, invite.Id) 523 } 524 isFullyResolved = false 525 case keybase1.TeamInviteCategory_UNKNOWN: 526 return res, fmt.Errorf("unknown invite type in implicit team: %q", invite.Type.Unknown()) 527 default: 528 return res, fmt.Errorf("unrecognized invite type in implicit team: %v", invtyp) 529 } 530 } 531 if !skipConflicts { 532 impName, err = GetConflictInfo(ctx, t.G(), t.ID, isFullyResolved, impName) 533 if err != nil { 534 return res, err 535 } 536 } 537 return impName, nil 538 } 539 540 func (t *Team) ImplicitTeamDisplayNameString(ctx context.Context) (string, error) { 541 impName, err := t.ImplicitTeamDisplayName(ctx) 542 if err != nil { 543 return "", err 544 } 545 return FormatImplicitTeamDisplayName(ctx, t.G(), impName) 546 } 547 548 func (t *Team) NextSeqno() keybase1.Seqno { 549 return t.CurrentSeqno() + 1 550 } 551 552 func (t *Team) CurrentSeqno() keybase1.Seqno { 553 return t.chain().GetLatestSeqno() 554 } 555 556 func (t *Team) AllApplicationKeys(ctx context.Context, application keybase1.TeamApplication) (res []keybase1.TeamApplicationKey, err error) { 557 return AllApplicationKeys(t.MetaContext(ctx), t, application, t.chain().GetLatestGeneration()) 558 } 559 560 func (t *Team) AllApplicationKeysWithKBFS(ctx context.Context, application keybase1.TeamApplication) (res []keybase1.TeamApplicationKey, err error) { 561 return AllApplicationKeysWithKBFS(t.MetaContext(ctx), t, application, 562 t.chain().GetLatestGeneration()) 563 } 564 565 // ApplicationKey returns the most recent key for an application. 566 func (t *Team) ApplicationKey(ctx context.Context, application keybase1.TeamApplication) (keybase1.TeamApplicationKey, error) { 567 latestGen := t.chain().GetLatestGeneration() 568 return t.ApplicationKeyAtGeneration(ctx, application, latestGen) 569 } 570 571 func (t *Team) ApplicationKeyAtGeneration(ctx context.Context, 572 application keybase1.TeamApplication, generation keybase1.PerTeamKeyGeneration) (res keybase1.TeamApplicationKey, err error) { 573 return ApplicationKeyAtGeneration(t.MetaContext(ctx), t, application, generation) 574 } 575 576 func (t *Team) ApplicationKeyAtGenerationWithKBFS(ctx context.Context, 577 application keybase1.TeamApplication, generation keybase1.PerTeamKeyGeneration) (res keybase1.TeamApplicationKey, err error) { 578 return ApplicationKeyAtGenerationWithKBFS(t.MetaContext(ctx), t, application, generation) 579 } 580 581 func (t *Team) TeamBotSettings() (map[keybase1.UserVersion]keybase1.TeamBotSettings, error) { 582 botSettings := t.chain().TeamBotSettings() 583 // It's possible that we added a RESTRICTEDBOT member without posting any 584 // settings for them. Fill in default values (no access) for those members 585 restrictedBots, err := t.UsersWithRole(keybase1.TeamRole_RESTRICTEDBOT) 586 if err != nil { 587 return nil, err 588 } 589 for _, uv := range restrictedBots { 590 if _, ok := botSettings[uv]; !ok { 591 botSettings[uv] = keybase1.TeamBotSettings{} 592 } 593 } 594 return botSettings, nil 595 } 596 597 func addSummaryHash(section *SCTeamSection, boxes *PerTeamSharedSecretBoxes) error { 598 if boxes == nil { 599 return nil 600 } 601 bps := boxes.boxPublicSummary 602 if bps == nil || bps.IsEmpty() { 603 return nil 604 } 605 bsh := SCTeamBoxSummaryHash(bps.HashHexEncoded()) 606 section.BoxSummaryHash = &bsh 607 return nil 608 } 609 610 func (t *Team) Rotate(ctx context.Context, rt keybase1.RotationType) (err error) { 611 return t.rotate(ctx, rt) 612 } 613 614 func (t *Team) rotate(ctx context.Context, rt keybase1.RotationType) (err error) { 615 mctx := t.MetaContext(ctx).WithLogTag("ROT") 616 defer mctx.Trace(fmt.Sprintf("Team#rotate(%s,%s)", t.ID, rt), &err)() 617 618 rt, err = hidden.CheckFeatureGateForSupportWithRotationType(mctx, t.ID, rt) 619 if err != nil { 620 return err 621 } 622 623 // initialize key manager 624 if _, err := t.SharedSecret(mctx.Ctx()); err != nil { 625 return err 626 } 627 628 mr, err := t.G().MerkleClient.FetchRootFromServer(mctx, libkb.TeamMerkleFreshnessForAdmin) 629 if err != nil { 630 return err 631 } 632 633 // load an empty member set (no membership changes) 634 memSet := newMemberSet() 635 636 // Try to get the admin perms if they are available, if not, proceed anyway 637 var admin *SCTeamAdmin 638 admin, err = t.getAdminPermission(mctx.Ctx()) 639 if err != nil { 640 mctx.Debug("Rotate: unable to get admin permission: %v, attempting without admin section", err) 641 admin = nil 642 } 643 644 if err := t.ForceMerkleRootUpdate(mctx.Ctx()); err != nil { 645 return err 646 } 647 648 section := SCTeamSection{ 649 ID: SCTeamID(t.ID), 650 Admin: admin, 651 Implicit: t.IsImplicit(), 652 Public: t.IsPublic(), 653 } 654 655 // create the team section of the signature 656 section.Members, err = memSet.Section() 657 if err != nil { 658 return err 659 } 660 661 // rotate the team key for all current members 662 secretBoxes, perTeamKeySection, teamEKPayload, err := t.rotateBoxes(mctx.Ctx(), memSet) 663 if err != nil { 664 return err 665 } 666 section.PerTeamKey = perTeamKeySection 667 668 err = addSummaryHash(§ion, secretBoxes) 669 if err != nil { 670 return err 671 } 672 673 // post the change to the server 674 payloadArgs := sigPayloadArgs{ 675 secretBoxes: secretBoxes, 676 teamEKPayload: teamEKPayload, 677 } 678 679 if rt == keybase1.RotationType_VISIBLE { 680 err = t.rotatePostVisible(mctx.Ctx(), section, mr, payloadArgs) 681 } else { 682 err = t.rotatePostHidden(mctx.Ctx(), section, mr, payloadArgs) 683 } 684 if err != nil { 685 return err 686 } 687 688 t.storeTeamEKPayload(mctx.Ctx(), teamEKPayload) 689 createTeambotKeys(t.G(), t.ID, memSet.restrictedBotRecipientUids()) 690 691 return nil 692 } 693 694 func (t *Team) rotatePostVisible(ctx context.Context, section SCTeamSection, mr *libkb.MerkleRoot, payloadArgs sigPayloadArgs) error { 695 ratchet, err := t.makeRatchet(ctx) 696 if err != nil { 697 return err 698 } 699 section.Ratchets = ratchet.ToTeamSection() 700 payloadArgs.ratchetBlindingKeys = ratchet.ToSigPayload() 701 702 latestSeqno, err := t.postChangeItem(ctx, section, libkb.LinkTypeRotateKey, mr, payloadArgs) 703 if err != nil { 704 return err 705 } 706 return t.notify(ctx, keybase1.TeamChangeSet{KeyRotated: true}, latestSeqno) 707 } 708 709 func (t *Team) rotatePostHidden(ctx context.Context, section SCTeamSection, mr *libkb.MerkleRoot, payloadArgs sigPayloadArgs) error { 710 mctx := libkb.NewMetaContext(ctx, t.G()) 711 712 // Generate a "sig multi item" that we POST up to the API endpoint 713 smi, ratchet, err := t.rotateHiddenGenerateSigMultiItem(mctx, section, mr) 714 if err != nil { 715 return err 716 } 717 718 links := []libkb.SigMultiItem{*smi} 719 720 err = t.precheckLinksToPost(ctx, links) 721 if err != nil { 722 return err 723 } 724 725 // Combine the "sig multi item" above with the various off-chain items, like boxes. 726 payload := t.sigPayload(links, payloadArgs) 727 728 // Post the changes up to the server 729 err = t.postMulti(mctx, payload) 730 if err != nil { 731 return err 732 } 733 734 // Inform local caching that we've ratcheted forward the hidden chain with a change 735 // that we made. 736 tmp := mctx.G().GetHiddenTeamChainManager().Ratchet(mctx, t.ID, *ratchet) 737 if tmp != nil { 738 mctx.Warning("Failed to ratchet forward team chain: %s", tmp.Error()) 739 } 740 741 // We rotated the key but didn't change the visibile chain. 742 // TODO: We should be able to send a local notification here with 743 // new hidden chain seqno. 744 return t.notifyNoChainChange(ctx, keybase1.TeamChangeSet{KeyRotated: true}) 745 } 746 747 func teamAdminToSig3ChainLocation(admin *SCTeamAdmin) (*sig3.ChainLocation, error) { 748 if admin == nil { 749 return nil, nil 750 } 751 id, err := admin.TeamID.ToTeamID() 752 if err != nil { 753 return nil, err 754 } 755 s3id, err := sig3.ImportTeamID(id) 756 if err != nil { 757 return nil, err 758 } 759 return &sig3.ChainLocation{ 760 TeamID: *s3id, 761 Seqno: admin.Seqno, 762 ChainType: admin.SeqType, 763 }, nil 764 765 } 766 767 func (t *Team) rotateHiddenGenerateSigMultiItem(mctx libkb.MetaContext, section SCTeamSection, mr *libkb.MerkleRoot) (ret *libkb.SigMultiItem, ratchets *keybase1.HiddenTeamChainRatchetSet, err error) { 768 769 currentSeqno := t.CurrentSeqno() 770 lastLinkID := t.chain().GetLatestLinkID() 771 772 mainChainPrev := keybase1.LinkTriple{ 773 Seqno: currentSeqno, 774 SeqType: keybase1.SeqType_SEMIPRIVATE, 775 LinkID: lastLinkID, 776 } 777 778 me, err := loadMeForSignatures(mctx.Ctx(), mctx.G()) 779 if err != nil { 780 return nil, nil, err 781 } 782 deviceSigningKey, err := t.G().ActiveDevice.SigningKey() 783 if err != nil { 784 return nil, nil, err 785 } 786 hiddenPrev, err := t.G().GetHiddenTeamChainManager().Tail(mctx, t.ID) 787 if err != nil { 788 return nil, nil, err 789 } 790 791 sk, err := t.keyManager.SigningKey() 792 if err != nil { 793 return nil, nil, err 794 } 795 796 ek, err := t.keyManager.EncryptionKey() 797 if err != nil { 798 return nil, nil, err 799 } 800 801 admin, err := teamAdminToSig3ChainLocation(section.Admin) 802 if err != nil { 803 return nil, nil, err 804 } 805 806 ret, ratchets, err = hidden.GenerateKeyRotation(mctx, hidden.GenerateKeyRotationParams{ 807 TeamID: t.ID, 808 IsPublic: t.IsPublic(), 809 IsImplicit: t.IsImplicit(), 810 MerkleRoot: mr, 811 Me: me, 812 SigningKey: deviceSigningKey, 813 MainPrev: mainChainPrev, 814 HiddenPrev: hiddenPrev, 815 Gen: t.keyManager.Generation(), 816 NewSigningKey: sk, 817 NewEncryptionKey: ek, 818 Check: t.keyManager.Check(), 819 Admin: admin, 820 }) 821 822 return ret, ratchets, err 823 } 824 825 func (t *Team) isAdminOrOwner(m keybase1.UserVersion) (res bool, err error) { 826 role, err := t.chain().GetUserRole(m) 827 if err != nil { 828 return false, err 829 } 830 if role.IsAdminOrAbove() { 831 res = true 832 } 833 return res, nil 834 } 835 836 func (t *Team) getDowngradedUsers(ctx context.Context, ms *memberSet) (uids []keybase1.UID, err error) { 837 838 for _, member := range ms.None { 839 // Load member first to check if their eldest_seqno has not changed. 840 // If it did, the member was nuked and we do not need to lease. 841 _, err := loadMember(ctx, t.G(), member.version, true) 842 switch err.(type) { 843 case nil: 844 case libkb.AccountResetError: 845 continue 846 default: 847 return nil, err 848 } 849 850 uids = append(uids, member.version.Uid) 851 } 852 853 for _, member := range ms.nonAdmins() { 854 admin, err := t.isAdminOrOwner(member.version) 855 if err != nil { 856 return nil, err 857 } 858 if admin { 859 uids = append(uids, member.version.Uid) 860 } 861 } 862 863 return uids, nil 864 } 865 866 type ChangeMembershipOptions struct { 867 // Pass "permanent" flag, user will not be able to request access 868 // to the team again, admin will have to add them back. 869 Permanent bool 870 871 // Do not rotate team key, even on member removals. Server will 872 // queue CLKR if client sends removals without rotation. 873 SkipKeyRotation bool 874 } 875 876 func (t *Team) ChangeMembershipWithOptions(ctx context.Context, req keybase1.TeamChangeReq, opts ChangeMembershipOptions) (err error) { 877 defer t.G().CTrace(ctx, "Team.ChangeMembershipWithOptions", &err)() 878 879 if t.IsSubteam() && len(req.Owners) > 0 { 880 return NewSubteamOwnersError() 881 } 882 883 // create the change membership section + secretBoxes 884 section, secretBoxes, implicitAdminBoxes, teamEKPayload, memberSet, ratchet, err := t.changeMembershipSection(ctx, req, opts.SkipKeyRotation) 885 if err != nil { 886 return err 887 } 888 889 if err := t.ForceMerkleRootUpdate(ctx); err != nil { 890 return err 891 } 892 893 var merkleRoot *libkb.MerkleRoot 894 var lease *libkb.Lease 895 896 downgrades, err := t.getDowngradedUsers(ctx, memberSet) 897 if err != nil { 898 return err 899 } 900 901 if len(downgrades) != 0 { 902 lease, merkleRoot, err = libkb.RequestDowngradeLeaseByTeam(ctx, t.G(), t.ID, downgrades) 903 if err != nil { 904 return err 905 } 906 defer func() { 907 // We must cancel in the case of an error in postMulti, but it's safe to cancel 908 // if everything worked. So we always cancel the lease on the way out of this function. 909 // See CORE-6473 for a case in which this was needed. And also the test 910 // `TestOnlyOwnerLeaveThenUpgradeFriend`. 911 err := libkb.CancelDowngradeLease(ctx, t.G(), lease.LeaseID) 912 if err != nil { 913 t.G().Log.CWarningf(ctx, "Failed to cancel downgrade lease: %s", err.Error()) 914 } 915 }() 916 } 917 // post the change to the server 918 sigPayloadArgs := sigPayloadArgs{ 919 secretBoxes: secretBoxes, 920 implicitAdminBoxes: implicitAdminBoxes, 921 lease: lease, 922 teamEKPayload: teamEKPayload, 923 ratchetBlindingKeys: ratchet.ToSigPayload(), 924 } 925 926 if opts.Permanent { 927 sigPayloadArgs.prePayload = libkb.JSONPayload{"permanent": true} 928 } 929 930 // Add a ChangeMembership section and possibly a BotSettings section. 931 sections := []teamSectionWithLinkType{ 932 { 933 linkType: libkb.LinkTypeChangeMembership, 934 section: section, 935 }, 936 } 937 938 // If we are adding any restricted bots add a bot_settings link 939 if len(req.RestrictedBots) > 0 { 940 section, _, err := t.botSettingsSection(ctx, req.RestrictedBots, ratchet, merkleRoot) 941 if err != nil { 942 return err 943 } 944 sections = append(sections, teamSectionWithLinkType{ 945 linkType: libkb.LinkTypeTeamBotSettings, 946 section: section, 947 }) 948 } 949 950 payload, latestSeqno, err := t.changeItemsPayload(ctx, sections, merkleRoot, sigPayloadArgs) 951 if err != nil { 952 return err 953 } 954 955 var recipients, botRecipients []keybase1.UserVersion 956 for uv := range memberSet.recipients { 957 recipients = append(recipients, uv) 958 } 959 for uv := range memberSet.restrictedBotRecipients { 960 botRecipients = append(botRecipients, uv) 961 } 962 newMemSet := newMemberSet() 963 _, err = newMemSet.loadGroup(ctx, t.G(), recipients, storeMemberKindRecipient, true) 964 if err != nil { 965 return err 966 } 967 _, err = newMemSet.loadGroup(ctx, t.G(), botRecipients, storeMemberKindRestrictedBotRecipient, true) 968 if err != nil { 969 return err 970 } 971 if !memberSet.recipients.Eq(newMemSet.recipients) { 972 return BoxRaceError{inner: fmt.Errorf("team box summary changed during sig creation; retry required")} 973 } 974 975 err = t.postMulti(libkb.NewMetaContext(ctx, t.G()), payload) 976 if err != nil { 977 return err 978 } 979 980 err = t.notify(ctx, keybase1.TeamChangeSet{MembershipChanged: true}, latestSeqno) 981 if err != nil { 982 return err 983 } 984 t.storeTeamEKPayload(ctx, teamEKPayload) 985 createTeambotKeys(t.G(), t.ID, memberSet.restrictedBotRecipientUids()) 986 987 return nil 988 } 989 990 func (t *Team) ChangeMembership(ctx context.Context, req keybase1.TeamChangeReq) error { 991 return t.ChangeMembershipWithOptions(ctx, req, ChangeMembershipOptions{}) 992 } 993 994 func (t *Team) downgradeIfOwnerOrAdmin(ctx context.Context) (needsReload bool, err error) { 995 defer t.G().CTrace(ctx, "Team#downgradeIfOwnerOrAdmin", &err)() 996 997 uv, err := t.currentUserUV(ctx) 998 if err != nil { 999 return false, err 1000 } 1001 1002 role, err := t.MemberRole(ctx, uv) 1003 if err != nil { 1004 return false, err 1005 } 1006 1007 if role.IsAdminOrAbove() { 1008 reqs := keybase1.TeamChangeReq{Writers: []keybase1.UserVersion{uv}} 1009 if err := t.ChangeMembership(ctx, reqs); err != nil { 1010 return false, err 1011 } 1012 1013 return true, nil 1014 } 1015 1016 return false, nil 1017 } 1018 1019 func (t *Team) makeRatchet(ctx context.Context) (ret *hidden.Ratchet, err error) { 1020 return t.chain().makeHiddenRatchet(libkb.NewMetaContext(ctx, t.G())) 1021 } 1022 1023 func (t *Team) Leave(ctx context.Context, permanent bool) error { 1024 // If we are owner or admin, we have to downgrade ourselves first. 1025 needsReload, err := t.downgradeIfOwnerOrAdmin(ctx) 1026 if err != nil { 1027 return err 1028 } 1029 if needsReload { 1030 t, err = Load(ctx, t.G(), keybase1.LoadTeamArg{ 1031 ID: t.ID, 1032 Public: t.IsPublic(), 1033 ForceRepoll: true, 1034 }) 1035 if err != nil { 1036 return err 1037 } 1038 } 1039 1040 // Check if we are an implicit admin with no explicit membership 1041 // in order to give a nice error. 1042 role, err := t.myRole(ctx) 1043 if err != nil { 1044 role = keybase1.TeamRole_NONE 1045 } 1046 if role == keybase1.TeamRole_NONE { 1047 _, err := t.getAdminPermission(ctx) 1048 switch err.(type) { 1049 case nil, *AdminPermissionRequiredError: 1050 return NewImplicitAdminCannotLeaveError() 1051 } 1052 } 1053 1054 ratchet, err := t.makeRatchet(ctx) 1055 if err != nil { 1056 return err 1057 } 1058 1059 section := SCTeamSection{ 1060 ID: SCTeamID(t.ID), 1061 Implicit: t.IsImplicit(), 1062 Public: t.IsPublic(), 1063 Ratchets: ratchet.ToTeamSection(), 1064 } 1065 1066 sigPayloadArgs := sigPayloadArgs{ 1067 prePayload: libkb.JSONPayload{"permanent": permanent}, 1068 ratchetBlindingKeys: ratchet.ToSigPayload(), 1069 } 1070 latestSeqno, err := t.postChangeItem(ctx, section, libkb.LinkTypeLeave, nil, sigPayloadArgs) 1071 if err != nil { 1072 return err 1073 } 1074 1075 return t.notify(ctx, keybase1.TeamChangeSet{MembershipChanged: true}, latestSeqno) 1076 } 1077 1078 func (t *Team) deleteRoot(ctx context.Context) error { 1079 m := t.MetaContext(ctx) 1080 uv, err := t.currentUserUV(ctx) 1081 if err != nil { 1082 return err 1083 } 1084 1085 role, err := t.MemberRole(ctx, uv) 1086 if err != nil { 1087 return err 1088 } 1089 1090 if role != keybase1.TeamRole_OWNER { 1091 return libkb.AppStatusError{ 1092 Code: int(keybase1.StatusCode_SCTeamSelfNotOwner), 1093 Name: "SELF_NOT_OWNER", 1094 Desc: "You must be an owner to delete a team", 1095 } 1096 } 1097 1098 ratchet, err := t.makeRatchet(ctx) 1099 if err != nil { 1100 return err 1101 } 1102 1103 teamSection := SCTeamSection{ 1104 ID: SCTeamID(t.ID), 1105 Implicit: t.IsImplicit(), 1106 Public: t.IsPublic(), 1107 Ratchets: ratchet.ToTeamSection(), 1108 } 1109 1110 mr, err := t.G().MerkleClient.FetchRootFromServer(t.MetaContext(ctx), libkb.TeamMerkleFreshnessForAdmin) 1111 if err != nil { 1112 return err 1113 } 1114 if mr == nil { 1115 return errors.New("No merkle root available for team delete root") 1116 } 1117 1118 sigMultiItem, latestSeqno, err := t.sigTeamItem(ctx, teamSection, libkb.LinkTypeDeleteRoot, mr) 1119 if err != nil { 1120 return err 1121 } 1122 1123 sigPayloadArgs := sigPayloadArgs{ 1124 ratchetBlindingKeys: ratchet.ToSigPayload(), 1125 } 1126 payload := t.sigPayload([]libkb.SigMultiItem{sigMultiItem}, sigPayloadArgs) 1127 err = t.postMulti(m, payload) 1128 if err != nil { 1129 return err 1130 } 1131 return t.HintLatestSeqno(m, latestSeqno) 1132 } 1133 1134 func (t *Team) deleteSubteam(ctx context.Context) error { 1135 m := t.MetaContext(ctx) 1136 1137 // subteam delete consists of two links: 1138 // 1. delete_subteam in parent chain 1139 // 2. delete_up_pointer in subteam chain 1140 1141 if t.IsImplicit() { 1142 return fmt.Errorf("unsupported delete of implicit subteam") 1143 } 1144 1145 parentID := t.chain().GetParentID() 1146 parentTeam, err := Load(ctx, t.G(), keybase1.LoadTeamArg{ 1147 ID: *parentID, 1148 Public: t.IsPublic(), 1149 ForceRepoll: true, 1150 }) 1151 switch { 1152 case err == nil: 1153 case IsTeamReadError(err): 1154 return fmt.Errorf("failed to load parent team; you must be an admin of a parent team to delete a subteam: %w", err) 1155 default: 1156 return fmt.Errorf("failed to load parent team: %w", err) 1157 } 1158 1159 admin, err := parentTeam.getAdminPermission(ctx) 1160 switch err.(type) { 1161 case nil: 1162 case *AdminPermissionRequiredError: 1163 return fmt.Errorf("failed to get admin permission from parent team; you must be an admin of a parent team to delete a subteam: %w", err) 1164 default: 1165 return fmt.Errorf("failed to get admin permission from parent team: %w", err) 1166 } 1167 1168 subteamName := SCTeamName(t.Data.Name.String()) 1169 1170 entropy, err := makeSCTeamEntropy() 1171 if err != nil { 1172 return err 1173 } 1174 parentRatchet, err := parentTeam.makeRatchet(ctx) 1175 if err != nil { 1176 return err 1177 } 1178 parentSection := SCTeamSection{ 1179 ID: SCTeamID(parentTeam.ID), 1180 Subteam: &SCSubteam{ 1181 ID: SCTeamID(t.ID), 1182 Name: subteamName, // weird this is required 1183 }, 1184 Admin: admin, 1185 Public: t.IsPublic(), 1186 Entropy: entropy, 1187 Ratchets: parentRatchet.ToTeamSection(), 1188 } 1189 1190 mr, err := t.G().MerkleClient.FetchRootFromServer(t.MetaContext(ctx), libkb.TeamMerkleFreshnessForAdmin) 1191 if err != nil { 1192 return err 1193 } 1194 if mr == nil { 1195 return errors.New("No merkle root available for team delete subteam") 1196 } 1197 1198 sigParent, _, err := parentTeam.sigTeamItem(ctx, parentSection, libkb.LinkTypeDeleteSubteam, mr) 1199 if err != nil { 1200 return err 1201 } 1202 1203 subRatchet, err := t.makeRatchet(ctx) 1204 if err != nil { 1205 return err 1206 } 1207 subSection := SCTeamSection{ 1208 ID: SCTeamID(t.ID), 1209 Name: &subteamName, // weird this is required 1210 Parent: &SCTeamParent{ 1211 ID: SCTeamID(parentTeam.ID), 1212 Seqno: parentTeam.chain().GetLatestSeqno() + 1, // the seqno of the *new* parent link 1213 SeqType: seqTypeForTeamPublicness(parentTeam.IsPublic()), 1214 }, 1215 Public: t.IsPublic(), 1216 Admin: admin, 1217 Ratchets: subRatchet.ToTeamSection(), 1218 } 1219 sigSub, latestSeqno, err := t.sigTeamItem(ctx, subSection, libkb.LinkTypeDeleteUpPointer, mr) 1220 if err != nil { 1221 return err 1222 } 1223 1224 payload := make(libkb.JSONPayload) 1225 payload["sigs"] = []interface{}{sigParent, sigSub} 1226 1227 var ratchetSet hidden.RatchetBlindingKeySet 1228 if parentRatchet != nil { 1229 ratchetSet.Add(*parentRatchet) 1230 } 1231 if subRatchet != nil { 1232 ratchetSet.Add(*subRatchet) 1233 } 1234 err = ratchetSet.AddToJSONPayload(payload) 1235 if err != nil { 1236 return err 1237 } 1238 1239 err = t.postMulti(m, payload) 1240 if err != nil { 1241 return err 1242 } 1243 return t.HintLatestSeqno(m, latestSeqno) 1244 } 1245 1246 func (t *Team) NumActiveInvites() int { 1247 return t.chain().NumActiveInvites() 1248 } 1249 1250 func (t *Team) HasActiveInvite(mctx libkb.MetaContext, name keybase1.TeamInviteName, typ string) (bool, error) { 1251 it, err := TeamInviteTypeFromString(mctx, typ) 1252 if err != nil { 1253 return false, err 1254 } 1255 return t.chain().HasActiveInvite(name, it) 1256 } 1257 1258 func (t *Team) FindActiveKeybaseInvite(uid keybase1.UID) (keybase1.TeamInvite, keybase1.UserVersion, bool) { 1259 return t.chain().FindActiveKeybaseInvite(uid) 1260 } 1261 1262 func (t *Team) GetActiveAndObsoleteInvites() (ret map[keybase1.TeamInviteID]keybase1.TeamInvite) { 1263 ret = make(map[keybase1.TeamInviteID]keybase1.TeamInvite) 1264 for inviteID, inviteMD := range t.chain().inner.InviteMetadatas { 1265 code, err := inviteMD.Status.Code() 1266 if err != nil { 1267 continue 1268 } 1269 switch code { 1270 case keybase1.TeamInviteMetadataStatusCode_ACTIVE, keybase1.TeamInviteMetadataStatusCode_OBSOLETE: 1271 ret[inviteID] = inviteMD.Invite 1272 } 1273 } 1274 return ret 1275 } 1276 1277 // If uv.Uid is set, then username is ignored. 1278 // Otherwise resolvedUsername and uv are ignored. 1279 func (t *Team) InviteMember(ctx context.Context, username string, role keybase1.TeamRole, resolvedUsername libkb.NormalizedUsername, uv keybase1.UserVersion) (keybase1.TeamAddMemberResult, error) { 1280 // if a user version was previously loaded, then there is a keybase user for username, but 1281 // without a PUK or without any keys. 1282 if uv.Uid.Exists() { 1283 return t.inviteKeybaseMember(libkb.NewMetaContext(ctx, t.G()), uv, role, resolvedUsername) 1284 } 1285 1286 // If a social, or email, or other type of invite, assert it's not an owner. 1287 if role.IsOrAbove(keybase1.TeamRole_OWNER) { 1288 return keybase1.TeamAddMemberResult{}, errors.New("You cannot invite an owner to a team.") 1289 } 1290 1291 return t.inviteSBSMember(ctx, username, role) 1292 } 1293 1294 func (t *Team) InviteEmailPhoneMember(ctx context.Context, name string, role keybase1.TeamRole, typ string) error { 1295 t.G().Log.CDebugf(ctx, "team %s invite %s member %s", t.Name(), typ, name) 1296 1297 if role == keybase1.TeamRole_OWNER { 1298 return errors.New("You cannot invite an owner to a team over email.") 1299 } 1300 1301 invite := SCTeamInvite{ 1302 Type: typ, 1303 Name: keybase1.TeamInviteName(name), 1304 ID: NewInviteID(), 1305 } 1306 return t.postInvite(ctx, invite, role) 1307 } 1308 1309 func (t *Team) inviteKeybaseMember(mctx libkb.MetaContext, uv keybase1.UserVersion, role keybase1.TeamRole, resolvedUsername libkb.NormalizedUsername) (res keybase1.TeamAddMemberResult, err error) { 1310 mctx.Debug("team %s invite keybase member %s", t.Name(), uv) 1311 1312 invite := SCTeamInvite{ 1313 Type: "keybase", 1314 Name: uv.TeamInviteName(), 1315 ID: NewInviteID(), 1316 } 1317 1318 existing, err := t.HasActiveInvite(mctx, invite.Name, invite.Type) 1319 if err != nil { 1320 return res, err 1321 } 1322 1323 if existing { 1324 return res, libkb.ExistsError{Msg: "An invite for this user already exists."} 1325 } 1326 1327 if t.IsSubteam() && role == keybase1.TeamRole_OWNER { 1328 return res, NewSubteamOwnersError() 1329 } 1330 1331 invList := []SCTeamInvite{invite} 1332 cancelList := []SCTeamInviteID{} 1333 1334 var invites SCTeamInvites 1335 switch role { 1336 case keybase1.TeamRole_ADMIN: 1337 invites.Admins = &invList 1338 case keybase1.TeamRole_WRITER: 1339 invites.Writers = &invList 1340 case keybase1.TeamRole_READER: 1341 invites.Readers = &invList 1342 case keybase1.TeamRole_OWNER: 1343 invites.Owners = &invList 1344 } 1345 1346 // Inviting keybase PUKless member has to remove old invites for that 1347 // uid first, or it will bounce off the server with an error. There is 1348 // no hard limit in team player to disallow multiple keybase invites 1349 // for the same UID, but there is a soft serverside check when 1350 // signature is posted. 1351 for inviteID, existingInvite := range t.GetActiveAndObsoleteInvites() { 1352 // KeybaseUserVersion checks if invite is KEYBASE and errors 1353 // if not, we can blindly call it for all invites, and continue 1354 // to next one if we get an error. 1355 existingUV, err := existingInvite.KeybaseUserVersion() 1356 if err != nil { 1357 continue 1358 } 1359 1360 if existingUV.Uid != uv.Uid { 1361 continue 1362 } 1363 1364 if uv.EldestSeqno != 0 && existingUV.EldestSeqno > uv.EldestSeqno { 1365 // We probably know invitee by their outdated EldestSeqno. There 1366 // is also a server check for this case. 1367 return res, libkb.ExistsError{ 1368 Msg: fmt.Sprintf("An invite for this user already exists, with higher EldestSeqno (%d > %d)", existingUV.EldestSeqno, uv.EldestSeqno), 1369 } 1370 } 1371 1372 mctx.Debug("Canceling old Keybase invite: %+v", existingInvite) 1373 cancelList = append(cancelList, SCTeamInviteID(inviteID)) 1374 } 1375 1376 if len(cancelList) != 0 { 1377 mctx.Debug("Total %d old invites will be canceled.", len(cancelList)) 1378 invites.Cancel = &cancelList 1379 } 1380 1381 mctx.Debug("Adding invite: %+v", invite) 1382 if err := t.postTeamInvites(mctx.Ctx(), invites); err != nil { 1383 return res, err 1384 } 1385 return keybase1.TeamAddMemberResult{Invited: true, User: &keybase1.User{Uid: uv.Uid, Username: resolvedUsername.String()}}, nil 1386 } 1387 1388 func (t *Team) inviteSBSMember(ctx context.Context, username string, role keybase1.TeamRole) (keybase1.TeamAddMemberResult, error) { 1389 // parse username to get social 1390 typ, name, err := parseSocialAssertion(libkb.NewMetaContext(ctx, t.G()), username) 1391 if err != nil { 1392 return keybase1.TeamAddMemberResult{}, err 1393 } 1394 t.G().Log.CDebugf(ctx, "team %s invite sbs member %s/%s", t.Name(), typ, name) 1395 1396 invite := SCTeamInvite{ 1397 Type: typ, 1398 Name: keybase1.TeamInviteName(name), 1399 ID: NewInviteID(), 1400 } 1401 1402 if err := t.postInvite(ctx, invite, role); err != nil { 1403 return keybase1.TeamAddMemberResult{}, err 1404 } 1405 1406 return keybase1.TeamAddMemberResult{Invited: true}, nil 1407 } 1408 1409 func (t *Team) InviteSeitan(ctx context.Context, role keybase1.TeamRole, label keybase1.SeitanKeyLabel) (ikey SeitanIKey, err error) { 1410 defer t.G().CTrace(ctx, fmt.Sprintf("InviteSeitan: team: %v, role: %v", t.Name(), role), &err)() 1411 1412 ikey, err = GenerateIKey() 1413 if err != nil { 1414 return ikey, err 1415 } 1416 1417 sikey, err := ikey.GenerateSIKey() 1418 if err != nil { 1419 return ikey, err 1420 } 1421 1422 inviteID, err := sikey.GenerateTeamInviteID() 1423 if err != nil { 1424 return ikey, err 1425 } 1426 1427 _, encoded, err := ikey.GeneratePackedEncryptedKey(ctx, t, label) 1428 if err != nil { 1429 return ikey, err 1430 } 1431 1432 invite := SCTeamInvite{ 1433 Type: "seitan_invite_token", 1434 Name: keybase1.TeamInviteName(encoded), 1435 ID: inviteID, 1436 } 1437 1438 if err := t.postInvite(ctx, invite, role); err != nil { 1439 return ikey, err 1440 } 1441 1442 return ikey, err 1443 } 1444 1445 func (t *Team) InviteSeitanV2(ctx context.Context, role keybase1.TeamRole, label keybase1.SeitanKeyLabel) (ikey SeitanIKeyV2, err error) { 1446 defer t.G().CTrace(ctx, fmt.Sprintf("InviteSeitanV2: team: %v, role: %v", t.Name(), role), &err)() 1447 1448 ikey, err = GenerateIKeyV2() 1449 if err != nil { 1450 return ikey, err 1451 } 1452 1453 sikey, err := ikey.GenerateSIKey() 1454 if err != nil { 1455 return ikey, err 1456 } 1457 1458 inviteID, err := sikey.GenerateTeamInviteID() 1459 if err != nil { 1460 return ikey, err 1461 } 1462 1463 _, encoded, err := sikey.GeneratePackedEncryptedKey(ctx, t, label) 1464 if err != nil { 1465 return ikey, err 1466 } 1467 1468 invite := SCTeamInvite{ 1469 Type: "seitan_invite_token", 1470 Name: keybase1.TeamInviteName(encoded), 1471 ID: inviteID, 1472 } 1473 1474 if err := t.postInvite(ctx, invite, role); err != nil { 1475 return ikey, err 1476 } 1477 1478 return ikey, err 1479 } 1480 1481 func (t *Team) InviteInvitelink( 1482 ctx context.Context, 1483 role keybase1.TeamRole, 1484 maxUses keybase1.TeamInviteMaxUses, 1485 etime *keybase1.UnixTime, 1486 ) (ikey keybase1.SeitanIKeyInvitelink, inviteID SCTeamInviteID, err error) { 1487 defer t.G().CTrace(ctx, fmt.Sprintf("InviteInviteLink: team: %v, role: %v, etime: %v, maxUses: %v", t.Name(), role, etime, maxUses), &err)() 1488 1489 if role.IsAdminOrAbove() { 1490 return ikey, inviteID, fmt.Errorf("cannot create invitelink to add as %v", role) 1491 } 1492 1493 ikey, err = GenerateSeitanIKeyInvitelink() 1494 if err != nil { 1495 return ikey, inviteID, err 1496 } 1497 1498 sikey, err := GenerateSIKeyInvitelink(ikey) 1499 if err != nil { 1500 return ikey, inviteID, err 1501 } 1502 1503 inviteID, err = sikey.GenerateTeamInviteID() 1504 if err != nil { 1505 return ikey, inviteID, err 1506 } 1507 1508 // label is hardcoded for now, but could change in the future 1509 label := keybase1.NewSeitanKeyLabelWithGeneric(keybase1.SeitanKeyLabelGeneric{L: "link"}) 1510 1511 _, encoded, err := GeneratePackedEncryptedKeyInvitelink(ctx, ikey, t, label) 1512 if err != nil { 1513 return ikey, inviteID, err 1514 } 1515 1516 invite := SCTeamInvite{ 1517 Type: "invitelink", 1518 Name: keybase1.TeamInviteName(encoded), 1519 ID: inviteID, 1520 Etime: etime, 1521 MaxUses: &maxUses, 1522 } 1523 1524 if err := t.postInvite(ctx, invite, role); err != nil { 1525 return ikey, inviteID, err 1526 } 1527 1528 return ikey, inviteID, err 1529 } 1530 1531 func (t *Team) postInvite(ctx context.Context, invite SCTeamInvite, role keybase1.TeamRole) error { 1532 existing, err := t.HasActiveInvite(t.MetaContext(ctx), invite.Name, invite.Type) 1533 if err != nil { 1534 return err 1535 } 1536 if existing { 1537 return libkb.ExistsError{Msg: "An invite for this user already exists."} 1538 } 1539 1540 if t.IsSubteam() && role == keybase1.TeamRole_OWNER { 1541 return NewSubteamOwnersError() 1542 } 1543 1544 invList := []SCTeamInvite{invite} 1545 var invites SCTeamInvites 1546 switch role { 1547 case keybase1.TeamRole_RESTRICTEDBOT, keybase1.TeamRole_BOT: 1548 return fmt.Errorf("bot roles disallowed for invites") 1549 case keybase1.TeamRole_READER: 1550 invites.Readers = &invList 1551 case keybase1.TeamRole_WRITER: 1552 invites.Writers = &invList 1553 case keybase1.TeamRole_ADMIN: 1554 invites.Admins = &invList 1555 case keybase1.TeamRole_OWNER: 1556 invites.Owners = &invList 1557 } 1558 if invites.Len() == 0 { 1559 return fmt.Errorf("invalid invite, 0 members invited") 1560 } 1561 1562 return t.postTeamInvites(ctx, invites) 1563 } 1564 1565 func (t *Team) postTeamInvites(ctx context.Context, invites SCTeamInvites) error { 1566 m := t.MetaContext(ctx) 1567 1568 admin, err := t.getAdminPermission(ctx) 1569 if err != nil { 1570 return err 1571 } 1572 1573 if t.IsSubteam() && invites.Owners != nil && len(*invites.Owners) > 0 { 1574 return NewSubteamOwnersError() 1575 } 1576 1577 entropy, err := makeSCTeamEntropy() 1578 if err != nil { 1579 return err 1580 } 1581 1582 ratchet, err := t.makeRatchet(ctx) 1583 if err != nil { 1584 return err 1585 } 1586 1587 teamSection := SCTeamSection{ 1588 ID: SCTeamID(t.ID), 1589 Admin: admin, 1590 Invites: &invites, 1591 Implicit: t.IsImplicit(), 1592 Public: t.IsPublic(), 1593 Entropy: entropy, 1594 Ratchets: ratchet.ToTeamSection(), 1595 } 1596 1597 mr, err := t.G().MerkleClient.FetchRootFromServer(t.MetaContext(ctx), libkb.TeamMerkleFreshnessForAdmin) 1598 if err != nil { 1599 return err 1600 } 1601 if mr == nil { 1602 return errors.New("No merkle root available for team invite") 1603 } 1604 1605 sigMultiItem, latestSeqno, err := t.sigTeamItem(ctx, teamSection, libkb.LinkTypeInvite, mr) 1606 if err != nil { 1607 return err 1608 } 1609 1610 sigMulti := []libkb.SigMultiItem{sigMultiItem} 1611 err = t.precheckLinksToPost(ctx, sigMulti) 1612 if err != nil { 1613 return err 1614 } 1615 1616 sigPayloadArgs := sigPayloadArgs{ 1617 ratchetBlindingKeys: ratchet.ToSigPayload(), 1618 } 1619 1620 payload := t.sigPayload(sigMulti, sigPayloadArgs) 1621 err = t.postMulti(m, payload) 1622 if err != nil { 1623 return err 1624 } 1625 1626 return t.notify(ctx, keybase1.TeamChangeSet{MembershipChanged: true}, latestSeqno) 1627 } 1628 1629 // NOTE since this function uses `Load` and not `load2`, readSubteamID cannot 1630 // be passed through, this call will fail if a user is not a member of the 1631 // parent team (or child of the parent team) for which the validator validates 1632 func (t *Team) traverseUpUntil(ctx context.Context, validator func(t *Team) bool) (targetTeam *Team, err error) { 1633 targetTeam = t 1634 for { 1635 if validator(targetTeam) { 1636 return targetTeam, nil 1637 } 1638 parentID := targetTeam.chain().GetParentID() 1639 if parentID == nil { 1640 return nil, nil 1641 } 1642 targetTeam, err = Load(ctx, t.G(), keybase1.LoadTeamArg{ 1643 ID: *parentID, 1644 Public: parentID.IsPublic(), 1645 // This is in a cold path anyway, so might as well trade reliability 1646 // at the expense of speed. 1647 ForceRepoll: true, 1648 }) 1649 if err != nil { 1650 return nil, err 1651 } 1652 } 1653 } 1654 1655 func (t *Team) getAdminPermission(ctx context.Context) (admin *SCTeamAdmin, err error) { 1656 uv, err := t.currentUserUV(ctx) 1657 if err != nil { 1658 return nil, err 1659 } 1660 1661 targetTeam, err := t.traverseUpUntil(ctx, func(s *Team) bool { 1662 return s.chain().GetAdminUserLogPoint(uv) != nil 1663 }) 1664 if err != nil { 1665 return nil, err 1666 } 1667 if targetTeam == nil { 1668 return nil, NewAdminPermissionRequiredError() 1669 } 1670 1671 logPoint := targetTeam.chain().GetAdminUserLogPoint(uv) 1672 ret := SCTeamAdmin{ 1673 TeamID: SCTeamID(targetTeam.ID), 1674 Seqno: logPoint.SigMeta.SigChainLocation.Seqno, 1675 SeqType: logPoint.SigMeta.SigChainLocation.SeqType, 1676 } 1677 return &ret, nil 1678 } 1679 1680 func (t *Team) changeMembershipSection(ctx context.Context, req keybase1.TeamChangeReq, skipKeyRotation bool) (SCTeamSection, *PerTeamSharedSecretBoxes, map[keybase1.TeamID]*PerTeamSharedSecretBoxes, *teamEKPayload, *memberSet, *hidden.Ratchet, error) { 1681 // initialize key manager 1682 if _, err := t.SharedSecret(ctx); err != nil { 1683 return SCTeamSection{}, nil, nil, nil, nil, nil, err 1684 } 1685 1686 admin, err := t.getAdminPermission(ctx) 1687 if err != nil { 1688 return SCTeamSection{}, nil, nil, nil, nil, nil, err 1689 } 1690 1691 if t.IsSubteam() && len(req.Owners) > 0 { 1692 return SCTeamSection{}, nil, nil, nil, nil, nil, NewSubteamOwnersError() 1693 } 1694 1695 // load the member set specified in req 1696 memSet, err := newMemberSetChange(ctx, t.G(), req) 1697 if err != nil { 1698 return SCTeamSection{}, nil, nil, nil, nil, nil, err 1699 } 1700 1701 ratchet, err := t.makeRatchet(ctx) 1702 if err != nil { 1703 return SCTeamSection{}, nil, nil, nil, nil, nil, err 1704 } 1705 1706 section := SCTeamSection{ 1707 ID: SCTeamID(t.ID), 1708 Admin: admin, 1709 Implicit: t.IsImplicit(), 1710 Public: t.IsPublic(), 1711 Ratchets: ratchet.ToTeamSection(), 1712 } 1713 1714 section.Members, err = memSet.Section() 1715 if err != nil { 1716 return SCTeamSection{}, nil, nil, nil, nil, nil, err 1717 } 1718 1719 // create secret boxes for recipients, possibly rotating the key 1720 secretBoxes, implicitAdminBoxes, perTeamKeySection, teamEKPayload, err := t.recipientBoxes(ctx, memSet, skipKeyRotation) 1721 if err != nil { 1722 return SCTeamSection{}, nil, nil, nil, nil, nil, err 1723 } 1724 1725 section.PerTeamKey = perTeamKeySection 1726 1727 err = addSummaryHash(§ion, secretBoxes) 1728 if err != nil { 1729 return SCTeamSection{}, nil, nil, nil, nil, nil, err 1730 } 1731 1732 section.CompletedInvites = req.CompletedInvites 1733 section.UsedInvites = makeSCMapInviteIDUVMap(req.UsedInvites) 1734 1735 section.Implicit = t.IsImplicit() 1736 section.Public = t.IsPublic() 1737 1738 if len(section.CompletedInvites) > 0 && section.Members == nil { 1739 // Just mooted invites is fine - if TeamChangeReq is empty, 1740 // changeMembershipSection returned nil members. But we need 1741 // empty Members in order to have a valid link. 1742 section.Members = &SCTeamMembers{} 1743 } 1744 1745 return section, secretBoxes, implicitAdminBoxes, teamEKPayload, memSet, ratchet, nil 1746 } 1747 1748 func (t *Team) changeItemsPayload(ctx context.Context, sections []teamSectionWithLinkType, 1749 merkleRoot *libkb.MerkleRoot, sigPayloadArgs sigPayloadArgs) (libkb.JSONPayload, keybase1.Seqno, error) { 1750 1751 var readySigs []libkb.SigMultiItem 1752 nextSeqno := t.NextSeqno() 1753 latestLinkID := t.chain().GetLatestLinkID() 1754 1755 for _, section := range sections { 1756 sigMultiItem, linkID, err := t.sigTeamItemRaw(ctx, section.section, 1757 section.linkType, nextSeqno, latestLinkID, merkleRoot) 1758 if err != nil { 1759 return nil, keybase1.Seqno(0), err 1760 } 1761 nextSeqno++ 1762 latestLinkID = linkID 1763 readySigs = append(readySigs, sigMultiItem) 1764 } 1765 1766 if err := t.precheckLinksToPost(ctx, readySigs); err != nil { 1767 return nil, keybase1.Seqno(0), err 1768 } 1769 1770 payload := t.sigPayload(readySigs, sigPayloadArgs) 1771 return payload, nextSeqno - 1, nil 1772 } 1773 1774 func (t *Team) changeItemPayload(ctx context.Context, section SCTeamSection, linkType libkb.LinkType, 1775 merkleRoot *libkb.MerkleRoot, sigPayloadArgs sigPayloadArgs) (libkb.JSONPayload, keybase1.Seqno, error) { 1776 // create the change item 1777 sigMultiItem, latestSeqno, err := t.sigTeamItem(ctx, section, linkType, merkleRoot) 1778 if err != nil { 1779 return nil, keybase1.Seqno(0), err 1780 } 1781 1782 sigMulti := []libkb.SigMultiItem{sigMultiItem} 1783 err = t.precheckLinksToPost(ctx, sigMulti) 1784 if err != nil { 1785 return nil, keybase1.Seqno(0), err 1786 } 1787 1788 // make the payload 1789 payload := t.sigPayload(sigMulti, sigPayloadArgs) 1790 return payload, latestSeqno, nil 1791 } 1792 1793 func (t *Team) postChangeItem(ctx context.Context, section SCTeamSection, linkType libkb.LinkType, merkleRoot *libkb.MerkleRoot, sigPayloadArgs sigPayloadArgs) (keybase1.Seqno, error) { 1794 payload, latestSeqno, err := t.changeItemPayload(ctx, section, linkType, merkleRoot, sigPayloadArgs) 1795 if err != nil { 1796 return keybase1.Seqno(0), err 1797 } 1798 // send it to the server 1799 err = t.postMulti(libkb.NewMetaContext(ctx, t.G()), payload) 1800 if err != nil { 1801 return keybase1.Seqno(0), err 1802 } 1803 return latestSeqno, nil 1804 } 1805 1806 func (t *Team) currentUserUV(ctx context.Context) (keybase1.UserVersion, error) { 1807 return t.G().GetMeUV(ctx) 1808 } 1809 1810 func loadMeForSignatures(ctx context.Context, g *libkb.GlobalContext) (libkb.UserForSignatures, error) { 1811 return libkb.LoadSelfForTeamSignatures(ctx, g) 1812 } 1813 1814 func usesPerTeamKeys(linkType libkb.LinkType) bool { 1815 switch linkType { 1816 case libkb.LinkTypeLeave: 1817 return false 1818 case libkb.LinkTypeInvite: 1819 return false 1820 case libkb.LinkTypeDeleteRoot: 1821 return false 1822 case libkb.LinkTypeDeleteSubteam: 1823 return false 1824 case libkb.LinkTypeDeleteUpPointer: 1825 return false 1826 case libkb.LinkTypeKBFSSettings: 1827 return false 1828 } 1829 1830 return true 1831 } 1832 1833 func (t *Team) sigTeamItem(ctx context.Context, section SCTeamSection, linkType libkb.LinkType, merkleRoot *libkb.MerkleRoot) (libkb.SigMultiItem, keybase1.Seqno, error) { 1834 nextSeqno := t.NextSeqno() 1835 lastLinkID := t.chain().GetLatestLinkID() 1836 1837 sig, _, err := t.sigTeamItemRaw(ctx, section, linkType, nextSeqno, lastLinkID, merkleRoot) 1838 return sig, nextSeqno, err 1839 } 1840 1841 func (t *Team) sigTeamItemRaw(ctx context.Context, section SCTeamSection, linkType libkb.LinkType, nextSeqno keybase1.Seqno, lastLinkID keybase1.LinkID, merkleRoot *libkb.MerkleRoot) (libkb.SigMultiItem, keybase1.LinkID, error) { 1842 me, err := loadMeForSignatures(ctx, t.G()) 1843 if err != nil { 1844 return libkb.SigMultiItem{}, "", err 1845 } 1846 deviceSigningKey, err := t.G().ActiveDevice.SigningKey() 1847 if err != nil { 1848 return libkb.SigMultiItem{}, "", err 1849 } 1850 latestLinkID, err := libkb.ImportLinkID(lastLinkID) 1851 if err != nil { 1852 return libkb.SigMultiItem{}, "", err 1853 } 1854 1855 sig, err := ChangeSig(t.G(), me, latestLinkID, nextSeqno, deviceSigningKey, section, linkType, merkleRoot) 1856 if err != nil { 1857 return libkb.SigMultiItem{}, "", err 1858 } 1859 1860 var signingKey libkb.NaclSigningKeyPair 1861 var encryptionKey libkb.NaclDHKeyPair 1862 if usesPerTeamKeys(linkType) { 1863 signingKey, err = t.keyManager.SigningKey() 1864 if err != nil { 1865 return libkb.SigMultiItem{}, "", err 1866 } 1867 encryptionKey, err = t.keyManager.EncryptionKey() 1868 if err != nil { 1869 return libkb.SigMultiItem{}, "", err 1870 } 1871 if section.PerTeamKey != nil { 1872 // need a reverse sig 1873 1874 // set a nil value (not empty) for reverse_sig (fails without this) 1875 err := sig.SetValueAtPath("body.team.per_team_key.reverse_sig", jsonw.NewNil()) 1876 if err != nil { 1877 return libkb.SigMultiItem{}, "", err 1878 } 1879 reverseSig, _, _, err := libkb.SignJSON(sig, signingKey) 1880 if err != nil { 1881 return libkb.SigMultiItem{}, "", err 1882 } 1883 err = sig.SetValueAtPath("body.team.per_team_key.reverse_sig", jsonw.NewString(reverseSig)) 1884 if err != nil { 1885 return libkb.SigMultiItem{}, "", err 1886 } 1887 } 1888 } 1889 1890 seqType := seqTypeForTeamPublicness(t.IsPublic()) 1891 1892 sigJSON, err := sig.Marshal() 1893 if err != nil { 1894 return libkb.SigMultiItem{}, "", err 1895 } 1896 v2Sig, _, newLinkID, err := libkb.MakeSigchainV2OuterSig( 1897 t.MetaContext(ctx), 1898 deviceSigningKey, 1899 linkType, 1900 nextSeqno, 1901 sigJSON, 1902 latestLinkID, 1903 libkb.SigHasRevokes(false), 1904 seqType, 1905 libkb.SigIgnoreIfUnsupported(false), 1906 nil, 1907 ) 1908 if err != nil { 1909 return libkb.SigMultiItem{}, "", err 1910 } 1911 1912 sigMultiItem := libkb.SigMultiItem{ 1913 Sig: v2Sig, 1914 SigningKID: deviceSigningKey.GetKID(), 1915 Type: string(linkType), 1916 SeqType: seqType, 1917 SigInner: string(sigJSON), 1918 TeamID: t.ID, 1919 } 1920 if usesPerTeamKeys(linkType) { 1921 sigMultiItem.PublicKeys = &libkb.SigMultiItemPublicKeys{ 1922 Encryption: encryptionKey.GetKID(), 1923 Signing: signingKey.GetKID(), 1924 } 1925 } 1926 1927 return sigMultiItem, keybase1.LinkID(newLinkID.String()), nil 1928 } 1929 1930 func (t *Team) recipientBoxes(ctx context.Context, memSet *memberSet, skipKeyRotation bool) ( 1931 *PerTeamSharedSecretBoxes, map[keybase1.TeamID]*PerTeamSharedSecretBoxes, 1932 *SCPerTeamKey, *teamEKPayload, error) { 1933 1934 // get device key 1935 deviceEncryptionKey, err := t.G().ActiveDevice.EncryptionKey() 1936 if err != nil { 1937 return nil, nil, nil, nil, err 1938 } 1939 1940 // First create all the subteam per-team-key boxes for new implicit admins. 1941 // We'll return these whether or not we're doing a rotation below. 1942 // TODO: Should we no-op this if the admins+owners aren't actually new? 1943 var implicitAdminBoxes map[keybase1.TeamID]*PerTeamSharedSecretBoxes 1944 adminAndOwnerRecipients := memSet.adminAndOwnerRecipients() 1945 if len(adminAndOwnerRecipients) > 0 { 1946 implicitAdminBoxes = map[keybase1.TeamID]*PerTeamSharedSecretBoxes{} 1947 subteams, err := t.loadAllTransitiveSubteams(ctx, true /*forceRepoll*/) 1948 if err != nil { 1949 return nil, nil, nil, nil, err 1950 } 1951 for _, subteam := range subteams { 1952 subteamBoxes, err := subteam.keyManager.SharedSecretBoxes(t.MetaContext(ctx), deviceEncryptionKey, adminAndOwnerRecipients) 1953 if err != nil { 1954 return nil, nil, nil, nil, err 1955 } 1956 implicitAdminBoxes[subteam.ID] = subteamBoxes 1957 } 1958 } 1959 1960 // if there are any removals happening, need to rotate the 1961 // team key, and recipients will be all the users in the team 1962 // after the removal. 1963 if memSet.HasRemoval() { 1964 if !skipKeyRotation { 1965 // key is rotating, so recipients needs to be all the remaining members 1966 // of the team after the removal (and including any new members in this 1967 // change) 1968 t.G().Log.CDebugf(ctx, "recipientBoxes: Team change request contains removal, rotating team key") 1969 boxes, perTeamKey, teamEKPayload, err := t.rotateBoxes(ctx, memSet) 1970 return boxes, implicitAdminBoxes, perTeamKey, teamEKPayload, err 1971 } 1972 1973 // If we don't rotate key, continue with the usual boxing. 1974 t.G().Log.CDebugf(ctx, "recipientBoxes: Skipping key rotation") 1975 } 1976 1977 // don't need keys for existing or restricted bot members, so remove them from the set 1978 memSet.removeExistingMembers(ctx, t) 1979 t.G().Log.CDebugf(ctx, "team change request: %d new members", len(memSet.recipients)) 1980 if len(memSet.recipients) == 0 { 1981 return nil, implicitAdminBoxes, nil, nil, nil 1982 } 1983 1984 boxes, err := t.keyManager.SharedSecretBoxes(t.MetaContext(ctx), deviceEncryptionKey, memSet.recipients) 1985 if err != nil { 1986 return nil, nil, nil, nil, err 1987 } 1988 // No SCPerTeamKey section or teamEKPayload when the key isn't rotated 1989 return boxes, implicitAdminBoxes, nil, nil, err 1990 } 1991 1992 func (t *Team) rotateBoxes(ctx context.Context, memSet *memberSet) (*PerTeamSharedSecretBoxes, *SCPerTeamKey, *teamEKPayload, error) { 1993 // get device key 1994 deviceEncryptionKey, err := t.G().ActiveDevice.EncryptionKey() 1995 if err != nil { 1996 return nil, nil, nil, err 1997 } 1998 1999 // rotate the team key for all current members except restricted bots. 2000 existing, err := t.Members() 2001 if err != nil { 2002 return nil, nil, nil, err 2003 } 2004 if err := memSet.AddRemainingRecipients(ctx, t.G(), existing); err != nil { 2005 return nil, nil, nil, err 2006 } 2007 2008 // Without adding extra admins, get get the recipients for the new teamEK 2009 recipients := memSet.recipientUids() 2010 2011 if t.IsSubteam() { 2012 // rotate needs to be keyed for all admins above it 2013 allParentAdmins, err := t.G().GetTeamLoader().ImplicitAdmins(ctx, t.ID) 2014 if err != nil { 2015 return nil, nil, nil, err 2016 } 2017 _, err = memSet.loadGroup(ctx, t.G(), allParentAdmins, storeMemberKindRecipient, true) 2018 if err != nil { 2019 return nil, nil, nil, err 2020 } 2021 } 2022 2023 t.rotated = true 2024 2025 boxes, key, err := t.keyManager.RotateSharedSecretBoxes(t.MetaContext(ctx), deviceEncryptionKey, memSet.recipients) 2026 if err != nil { 2027 return nil, nil, nil, err 2028 } 2029 2030 // Once we have the new PTK, let's make the new teamEK 2031 teamEKPayload, err := t.teamEKPayload(ctx, recipients) 2032 return boxes, key, teamEKPayload, err 2033 } 2034 2035 type teamEKPayload struct { 2036 sig string 2037 boxes *[]keybase1.TeamEkBoxMetadata 2038 metadata keybase1.TeamEkMetadata 2039 box *keybase1.TeamEkBoxed 2040 } 2041 2042 func (t *Team) teamEKPayload(ctx context.Context, recipients []keybase1.UID) (*teamEKPayload, error) { 2043 ekLib := t.G().GetEKLib() 2044 if ekLib == nil || len(recipients) == 0 { 2045 return nil, nil 2046 } 2047 2048 sigKey, err := t.SigningKey(ctx) 2049 if err != nil { 2050 return nil, err 2051 } 2052 mctx := libkb.NewMetaContext(ctx, t.G()) 2053 sig, boxes, metadata, box, err := ekLib.PrepareNewTeamEK(mctx, t.ID, sigKey, recipients) 2054 if err != nil { 2055 return nil, err 2056 } 2057 2058 return &teamEKPayload{ 2059 sig: sig, 2060 boxes: boxes, 2061 metadata: metadata, 2062 box: box, 2063 }, nil 2064 } 2065 2066 func (t *Team) storeTeamEKPayload(ctx context.Context, teamEKPayload *teamEKPayload) { 2067 // Add the new teamEK box to local storage, if it was created above. 2068 if teamEKPayload != nil && teamEKPayload.box != nil { 2069 mctx := libkb.NewMetaContext(ctx, t.G()) 2070 boxed := keybase1.NewTeamEphemeralKeyBoxedWithTeam(*teamEKPayload.box) 2071 if err := t.G().GetTeamEKBoxStorage().Put(mctx, t.ID, teamEKPayload.metadata.Generation, boxed); err != nil { 2072 t.G().Log.CErrorf(ctx, "error while saving teamEK box: %s", err) 2073 } 2074 } 2075 } 2076 2077 // createTeambotKeys generates teambotKeys and teambotEKs for the given bot 2078 // member list. Runs in the background on member addition or team rotation. 2079 func createTeambotKeys(g *libkb.GlobalContext, teamID keybase1.TeamID, bots []keybase1.UID) { 2080 mctx := libkb.NewMetaContextBackground(g) 2081 go func() { 2082 var err error 2083 defer mctx.Trace(fmt.Sprintf("createTeambotKeys: %d bot members", len(bots)), &err)() 2084 if len(bots) == 0 { 2085 return 2086 } 2087 2088 // Load the team in case we need to grab the latest PTK generation after a rotation. 2089 team, err := Load(mctx.Ctx(), g, keybase1.LoadTeamArg{ 2090 ID: teamID, 2091 }) 2092 if err != nil { 2093 return 2094 } 2095 2096 ekLib := mctx.G().GetEKLib() 2097 keyer := mctx.G().GetTeambotMemberKeyer() 2098 makeChatKey, makeKVStoreKey := true, true 2099 chatKey, err := team.ChatKey(mctx.Ctx()) 2100 if err != nil { 2101 mctx.Debug("unable to get teamApplication key %v, aborting TeambotKey appkey creation", err) 2102 makeChatKey = false 2103 } 2104 kvStoreKey, err := team.ApplicationKey(mctx.Ctx(), keybase1.TeamApplication_KVSTORE) 2105 if err != nil { 2106 mctx.Debug("unable to get teamApplication key %v, aborting TeambotKey creation", err) 2107 makeKVStoreKey = false 2108 } 2109 2110 for _, uid := range bots { 2111 guid := gregor1.UID(uid.ToBytes()) 2112 if ekLib != nil { 2113 if teambotEK, created, err := ekLib.GetOrCreateLatestTeambotEK(mctx, teamID, guid); err != nil { 2114 mctx.Debug("unable to GetOrCreateLatestTeambotEK for %v, %v", guid, err) 2115 } else { 2116 mctx.Debug("published TeambotEK generation %d for %v, newly created: %v", teambotEK.Generation(), uid, created) 2117 } 2118 } 2119 if keyer != nil { 2120 if makeChatKey { 2121 if teambotKey, created, err := keyer.GetOrCreateTeambotKey(mctx, teamID, guid, chatKey); err != nil { 2122 mctx.Debug("unable to GetOrCreateTeambotKey application %v, uid: %v, %v", 2123 keybase1.TeamApplication_CHAT, guid, err) 2124 } else { 2125 mctx.Debug("published TeambotKey app: %v generation %d for %v, newly created: %v", 2126 keybase1.TeamApplication_CHAT, teambotKey.Generation(), uid, created) 2127 } 2128 } 2129 if makeKVStoreKey { 2130 if teambotKey, created, err := keyer.GetOrCreateTeambotKey(mctx, teamID, guid, kvStoreKey); err != nil { 2131 mctx.Debug("unable to GetOrCreateTeambotKey application %v, uid: %v, %v", 2132 keybase1.TeamApplication_KVSTORE, guid, err) 2133 } else { 2134 mctx.Debug("published TeambotKey app: %v generation %d for %v, newly created: %v", 2135 keybase1.TeamApplication_KVSTORE, teambotKey.Generation(), uid, created) 2136 } 2137 } 2138 } 2139 } 2140 }() 2141 } 2142 2143 type sigPayloadArgs struct { 2144 secretBoxes *PerTeamSharedSecretBoxes 2145 implicitAdminBoxes map[keybase1.TeamID]*PerTeamSharedSecretBoxes 2146 lease *libkb.Lease 2147 prePayload libkb.JSONPayload 2148 legacyTLFUpgrade *keybase1.TeamGetLegacyTLFUpgrade 2149 teamEKBoxes *[]keybase1.TeamEkBoxMetadata 2150 teamEKPayload *teamEKPayload 2151 ratchetBlindingKeys hidden.EncodedRatchetBlindingKeySet 2152 } 2153 2154 func (t *Team) sigPayload(sigMulti []libkb.SigMultiItem, args sigPayloadArgs) libkb.JSONPayload { 2155 payload := libkb.JSONPayload{} 2156 // copy the prepayload so we don't mutate it 2157 for k, v := range args.prePayload { 2158 payload[k] = v 2159 } 2160 payload["sigs"] = sigMulti 2161 if args.secretBoxes != nil { 2162 payload["per_team_key"] = args.secretBoxes 2163 } 2164 if args.implicitAdminBoxes != nil { 2165 payload["implicit_team_keys"] = args.implicitAdminBoxes 2166 } 2167 if args.lease != nil { 2168 payload["downgrade_lease_id"] = args.lease.LeaseID 2169 } 2170 if args.legacyTLFUpgrade != nil { 2171 payload["legacy_tlf_upgrade"] = args.legacyTLFUpgrade 2172 } 2173 args.ratchetBlindingKeys.AddToJSONPayload(payload) 2174 if args.teamEKBoxes != nil && len(*args.teamEKBoxes) > 0 { 2175 payload["team_ek_rebox"] = libkb.JSONPayload{ 2176 "boxes": args.teamEKBoxes, 2177 "team_id": t.ID, 2178 } 2179 } else if args.teamEKPayload != nil { 2180 if args.teamEKPayload.boxes != nil && len(*args.teamEKPayload.boxes) > 0 { 2181 payload["team_ek"] = libkb.JSONPayload{ 2182 "sig": args.teamEKPayload.sig, 2183 "boxes": args.teamEKPayload.boxes, 2184 "team_id": t.ID, 2185 } 2186 } 2187 } 2188 2189 if t.G().VDL.DumpPayload() { 2190 pretty, err := json.MarshalIndent(payload, "", "\t") 2191 if err != nil { 2192 t.G().Log.Info("json marshal error: %s", err) 2193 } else { 2194 t.G().Log.Info("payload: %s", pretty) 2195 } 2196 } 2197 2198 return payload 2199 } 2200 2201 func (t *Team) postMulti(mctx libkb.MetaContext, payload libkb.JSONPayload) error { 2202 _, err := t.G().API.PostJSON(mctx, libkb.APIArg{ 2203 Endpoint: "sig/multi", 2204 SessionType: libkb.APISessionTypeREQUIRED, 2205 JSONPayload: payload, 2206 }) 2207 return err 2208 } 2209 2210 // ForceMerkleRootUpdate will call LookupTeam on MerkleClient to 2211 // update cached merkle root to include latest team sigs. Needed if 2212 // client wants to create a signature that refers to an adminship, 2213 // signature's merkle_root has to be more fresh than adminship's. 2214 func (t *Team) ForceMerkleRootUpdate(ctx context.Context) error { 2215 return ForceMerkleRootUpdateByTeamID(t.MetaContext(ctx), t.ID) 2216 } 2217 2218 func ForceMerkleRootUpdateByTeamID(mctx libkb.MetaContext, teamID keybase1.TeamID) error { 2219 _, err := mctx.G().GetMerkleClient().LookupTeam(mctx, teamID) 2220 return err 2221 } 2222 2223 // All admins, owners, and implicit admins of this team. 2224 func (t *Team) AllAdmins(ctx context.Context) ([]keybase1.UserVersion, error) { 2225 set := make(map[keybase1.UserVersion]bool) 2226 2227 owners, err := t.UsersWithRole(keybase1.TeamRole_OWNER) 2228 if err != nil { 2229 return nil, err 2230 } 2231 for _, m := range owners { 2232 set[m] = true 2233 } 2234 2235 admins, err := t.UsersWithRole(keybase1.TeamRole_ADMIN) 2236 if err != nil { 2237 return nil, err 2238 } 2239 for _, m := range admins { 2240 set[m] = true 2241 } 2242 2243 if t.IsSubteam() { 2244 imp, err := t.G().GetTeamLoader().ImplicitAdmins(ctx, t.ID) 2245 if err != nil { 2246 return nil, err 2247 } 2248 for _, m := range imp { 2249 set[m] = true 2250 } 2251 } 2252 2253 var all []keybase1.UserVersion 2254 for uv := range set { 2255 all = append(all, uv) 2256 } 2257 return all, nil 2258 } 2259 2260 // Restriction inherited from ListSubteams: 2261 // Only call this on a Team that has been loaded with NeedAdmin. 2262 // Otherwise, you might get incoherent answers due to links that 2263 // were stubbed over the life of the cached object. 2264 func (t *Team) loadAllTransitiveSubteams(ctx context.Context, forceRepoll bool) ([]*Team, error) { 2265 subteams := []*Team{} 2266 for _, idAndName := range t.chain().ListSubteams() { 2267 // Load each subteam... 2268 subteam, err := Load(ctx, t.G(), keybase1.LoadTeamArg{ 2269 ID: idAndName.Id, 2270 Public: t.IsPublic(), 2271 NeedAdmin: true, 2272 ForceRepoll: true, 2273 }) 2274 if err != nil { 2275 return nil, err 2276 } 2277 2278 // Force loading the key manager. 2279 // TODO: Should this be the default, so that we don't need to do it here? 2280 _, err = subteam.SharedSecret(ctx) 2281 if err != nil { 2282 return nil, err 2283 } 2284 2285 subteams = append(subteams, subteam) 2286 2287 // ...and then recursively load each subteam's children. 2288 recursiveSubteams, err := subteam.loadAllTransitiveSubteams(ctx, forceRepoll) 2289 if err != nil { 2290 return nil, err 2291 } 2292 subteams = append(subteams, recursiveSubteams...) 2293 } 2294 return subteams, nil 2295 } 2296 2297 func (t *Team) PostTeamSettings(ctx context.Context, settings keybase1.TeamSettings, rotate bool) error { 2298 if _, err := t.SharedSecret(ctx); err != nil { 2299 return err 2300 } 2301 2302 admin, err := t.getAdminPermission(ctx) 2303 if err != nil { 2304 return err 2305 } 2306 2307 mr, err := t.G().MerkleClient.FetchRootFromServer(t.MetaContext(ctx), libkb.TeamMerkleFreshnessForAdmin) 2308 if err != nil { 2309 return err 2310 } 2311 2312 scSettings, err := CreateTeamSettings(settings.Open, settings.JoinAs) 2313 if err != nil { 2314 return err 2315 } 2316 2317 ratchet, err := t.makeRatchet(ctx) 2318 if err != nil { 2319 return err 2320 } 2321 2322 section := SCTeamSection{ 2323 ID: SCTeamID(t.ID), 2324 Admin: admin, 2325 Settings: &scSettings, 2326 Implicit: t.IsImplicit(), 2327 Public: t.IsPublic(), 2328 Ratchets: ratchet.ToTeamSection(), 2329 } 2330 2331 payloadArgs := sigPayloadArgs{ 2332 ratchetBlindingKeys: ratchet.ToSigPayload(), 2333 } 2334 var maybeEKPayload *teamEKPayload 2335 var botMembers []keybase1.UID 2336 if rotate { 2337 // Create empty Members section. We are not changing memberships, but 2338 // it's needed for key rotation. 2339 memSet := newMemberSet() 2340 section.Members, err = memSet.Section() 2341 if err != nil { 2342 return err 2343 } 2344 secretBoxes, perTeamKeySection, teamEKPayload, err := t.rotateBoxes(ctx, memSet) 2345 if err != nil { 2346 return err 2347 } 2348 section.PerTeamKey = perTeamKeySection 2349 payloadArgs.secretBoxes = secretBoxes 2350 payloadArgs.teamEKPayload = teamEKPayload 2351 maybeEKPayload = teamEKPayload // for storeTeamEKPayload, after post succeeds 2352 botMembers = memSet.restrictedBotRecipientUids() 2353 } 2354 latestSeqno, err := t.postChangeItem(ctx, section, libkb.LinkTypeSettings, mr, payloadArgs) 2355 if err != nil { 2356 return err 2357 } 2358 2359 if rotate { 2360 err := t.notify(ctx, keybase1.TeamChangeSet{KeyRotated: true, Misc: true}, latestSeqno) 2361 if err != nil { 2362 return err 2363 } 2364 t.storeTeamEKPayload(ctx, maybeEKPayload) 2365 createTeambotKeys(t.G(), t.ID, botMembers) 2366 } else { 2367 err := t.notify(ctx, keybase1.TeamChangeSet{Misc: true}, latestSeqno) 2368 if err != nil { 2369 return err 2370 } 2371 } 2372 return nil 2373 } 2374 2375 func (t *Team) botSettingsSection(ctx context.Context, bots map[keybase1.UserVersion]keybase1.TeamBotSettings, 2376 ratchet *hidden.Ratchet, merkleRoot *libkb.MerkleRoot) (SCTeamSection, *hidden.Ratchet, error) { 2377 if _, err := t.SharedSecret(ctx); err != nil { 2378 return SCTeamSection{}, nil, err 2379 } 2380 2381 admin, err := t.getAdminPermission(ctx) 2382 if err != nil { 2383 return SCTeamSection{}, nil, err 2384 } 2385 2386 scBotSettings, err := CreateTeamBotSettings(bots) 2387 if err != nil { 2388 return SCTeamSection{}, nil, err 2389 } 2390 if ratchet == nil { 2391 ratchet, err = t.makeRatchet(ctx) 2392 if err != nil { 2393 return SCTeamSection{}, nil, err 2394 } 2395 } 2396 2397 section := SCTeamSection{ 2398 ID: SCTeamID(t.ID), 2399 Implicit: t.IsImplicit(), 2400 Public: t.IsPublic(), 2401 Admin: admin, 2402 BotSettings: &scBotSettings, 2403 Ratchets: ratchet.ToTeamSection(), 2404 } 2405 return section, ratchet, nil 2406 } 2407 2408 func (t *Team) PostTeamBotSettings(ctx context.Context, bots map[keybase1.UserVersion]keybase1.TeamBotSettings) error { 2409 2410 mr, err := t.G().MerkleClient.FetchRootFromServer(t.MetaContext(ctx), libkb.TeamMerkleFreshnessForAdmin) 2411 if err != nil { 2412 return err 2413 } 2414 2415 section, ratchet, err := t.botSettingsSection(ctx, bots, nil, mr) 2416 if err != nil { 2417 return err 2418 } 2419 2420 payloadArgs := sigPayloadArgs{ 2421 ratchetBlindingKeys: ratchet.ToSigPayload(), 2422 } 2423 _, err = t.postChangeItem(ctx, section, libkb.LinkTypeTeamBotSettings, mr, payloadArgs) 2424 return err 2425 } 2426 2427 func (t *Team) precheckLinksToPost(ctx context.Context, sigMultiItems []libkb.SigMultiItem) (err error) { 2428 uv, err := t.currentUserUV(ctx) 2429 if err != nil { 2430 return err 2431 } 2432 return precheckLinksToPost(ctx, t.G(), sigMultiItems, t.chain(), uv) 2433 } 2434 2435 // Try to run `post` (expected to post new team sigchain links). 2436 // Retry it several times if it fails due to being behind the latest team sigchain state or due to other retryable errors. 2437 // Passes the attempt number (initially 0) to `post`. 2438 func RetryIfPossible(ctx context.Context, g *libkb.GlobalContext, post func(ctx context.Context, attempt int) error) (err error) { 2439 mctx := libkb.NewMetaContext(ctx, g) 2440 defer mctx.Trace("RetryIfPossible", &err)() 2441 const nRetries = 3 2442 for i := 0; i < nRetries; i++ { 2443 mctx.Debug("| RetryIfPossible(%v)", i) 2444 err = post(mctx.Ctx(), i) 2445 switch { 2446 case isSigOldSeqnoError(err): 2447 mctx.Debug("| retrying due to SigOldSeqnoError %d", i) 2448 case isStaleBoxError(err): 2449 mctx.Debug("| retrying due to StaleBoxError %d", i) 2450 case isTeamBadGenerationError(err): 2451 mctx.Debug("| retrying due to Bad Generation Error (%s) %d", err, i) 2452 case isSigBadTotalOrder(err): 2453 mctx.Debug("| retrying since update would violate total ordering for team %d", i) 2454 case isSigMissingRatchet(err): 2455 mctx.Debug("| retrying since the server wanted a ratchet and we didn't provide one %d", i) 2456 case isHiddenAppendPrecheckError(err): 2457 mctx.Debug("| retrying since we hit a hidden append precheck error") 2458 case libkb.IsEphemeralRetryableError(err): 2459 mctx.Debug("| retrying since we hit a retryable ephemeral error %v, attempt %d", err, i) 2460 default: 2461 return err 2462 } 2463 } 2464 mctx.Debug("| RetryIfPossible exhausted attempts") 2465 if err == nil { 2466 // Should never happen 2467 return fmt.Errorf("failed retryable team operation") 2468 } 2469 // Return the error from the final round 2470 return err 2471 } 2472 2473 func isHiddenAppendPrecheckError(err error) bool { 2474 perr, ok := err.(PrecheckAppendError) 2475 if !ok { 2476 return false 2477 } 2478 _, ok = perr.Inner.(hidden.LoaderError) 2479 return ok 2480 } 2481 2482 func isSigOldSeqnoError(err error) bool { 2483 return libkb.IsAppStatusCode(err, keybase1.StatusCode_SCSigOldSeqno) 2484 } 2485 2486 func isSigBadTotalOrder(err error) bool { 2487 return libkb.IsAppStatusCode(err, keybase1.StatusCode_SCSigBadTotalOrder) 2488 } 2489 2490 func isSigMissingRatchet(err error) bool { 2491 return libkb.IsAppStatusCode(err, keybase1.StatusCode_SCSigMissingRatchet) 2492 } 2493 2494 func isTeamBadGenerationError(err error) bool { 2495 return libkb.IsAppStatusCode(err, keybase1.StatusCode_SCTeamBadGeneration) 2496 } 2497 2498 func (t *Team) marshal(incoming interface{}) ([]byte, error) { 2499 var data []byte 2500 mh := codec.MsgpackHandle{WriteExt: true} 2501 enc := codec.NewEncoderBytes(&data, &mh) 2502 if err := enc.Encode(incoming); err != nil { 2503 return nil, err 2504 } 2505 return data, nil 2506 } 2507 2508 func (t *Team) boxKBFSCryptKeys(ctx context.Context, key keybase1.TeamApplicationKey, 2509 kbfsKeys []keybase1.CryptKey) (string, keybase1.TeamEncryptedKBFSKeysetHash, error) { 2510 2511 marshaledKeys, err := t.marshal(kbfsKeys) 2512 if err != nil { 2513 return "", "", err 2514 } 2515 2516 var nonce [libkb.NaclDHNonceSize]byte 2517 if _, err := rand.Read(nonce[:]); err != nil { 2518 return "", "", err 2519 } 2520 2521 var encKey [libkb.NaclSecretBoxKeySize]byte = key.Material() 2522 sealed := secretbox.Seal(nil, marshaledKeys, &nonce, &encKey) 2523 dat := keybase1.TeamEncryptedKBFSKeyset{ 2524 V: 1, 2525 N: nonce[:], 2526 E: sealed, 2527 } 2528 2529 marshaledSealedDat, err := t.marshal(dat) 2530 if err != nil { 2531 return "", "", err 2532 } 2533 2534 encStr := base64.StdEncoding.EncodeToString(marshaledSealedDat) 2535 sbytes := sha256.Sum256([]byte(encStr)) 2536 return encStr, keybase1.TeamEncryptedKBFSKeysetHashFromBytes(sbytes[:]), nil 2537 } 2538 2539 func (t *Team) AssociateWithTLFKeyset(ctx context.Context, tlfID keybase1.TLFID, 2540 cryptKeys []keybase1.CryptKey, appType keybase1.TeamApplication) (err error) { 2541 m := t.MetaContext(ctx) 2542 defer m.Trace("Team.AssociateWithTLFKeyset", &err)() 2543 2544 // If we get no crypt keys, just associate TLF ID and bail 2545 if len(cryptKeys) == 0 { 2546 m.Debug("AssociateWithTLFKeyset: no crypt keys given, aborting") 2547 return nil 2548 } 2549 2550 // Sort crypt keys by generation (just in case they aren't naturally) 2551 sort.Slice(cryptKeys, func(i, j int) bool { 2552 return cryptKeys[i].KeyGeneration < cryptKeys[j].KeyGeneration 2553 }) 2554 2555 latestKey, err := t.ApplicationKey(ctx, appType) 2556 if err != nil { 2557 return err 2558 } 2559 encStr, hash, err := t.boxKBFSCryptKeys(ctx, latestKey, cryptKeys) 2560 if err != nil { 2561 return err 2562 } 2563 2564 ratchet, err := t.makeRatchet(ctx) 2565 if err != nil { 2566 return err 2567 } 2568 2569 upgrade := SCTeamKBFSLegacyUpgrade{ 2570 AppType: appType, 2571 KeysetHash: hash, 2572 LegacyGeneration: cryptKeys[len(cryptKeys)-1].Generation(), 2573 TeamGeneration: latestKey.KeyGeneration, 2574 } 2575 teamSection := SCTeamSection{ 2576 ID: SCTeamID(t.ID), 2577 Implicit: t.IsImplicit(), 2578 Public: t.IsPublic(), 2579 KBFS: &SCTeamKBFS{ 2580 Keyset: &upgrade, 2581 }, 2582 Ratchets: ratchet.ToTeamSection(), 2583 } 2584 2585 mr, err := m.G().MerkleClient.FetchRootFromServer(m, libkb.TeamMerkleFreshnessForAdmin) 2586 if err != nil { 2587 return err 2588 } 2589 if mr == nil { 2590 return errors.New("No merkle root available for KBFS settings update") 2591 } 2592 2593 sigMultiItem, latestSeqno, err := t.sigTeamItem(ctx, teamSection, libkb.LinkTypeKBFSSettings, mr) 2594 if err != nil { 2595 return err 2596 } 2597 2598 payload := t.sigPayload([]libkb.SigMultiItem{sigMultiItem}, sigPayloadArgs{ 2599 legacyTLFUpgrade: &keybase1.TeamGetLegacyTLFUpgrade{ 2600 EncryptedKeyset: encStr, 2601 LegacyGeneration: cryptKeys[len(cryptKeys)-1].Generation(), 2602 TeamGeneration: latestKey.KeyGeneration, 2603 AppType: appType, 2604 }, 2605 ratchetBlindingKeys: ratchet.ToSigPayload(), 2606 }) 2607 2608 err = t.postMulti(m, payload) 2609 if err != nil { 2610 return err 2611 } 2612 2613 return t.HintLatestSeqno(m, latestSeqno) 2614 } 2615 2616 func (t *Team) AssociateWithTLFID(ctx context.Context, tlfID keybase1.TLFID) (err error) { 2617 m := t.MetaContext(ctx) 2618 defer m.Trace("Team.AssociateWithTLFID", &err)() 2619 2620 if tlfID.Eq(t.LatestKBFSTLFID()) { 2621 m.Debug("No updated needed, TLFID already set to %s", tlfID) 2622 return nil 2623 } 2624 2625 ratchet, err := t.makeRatchet(ctx) 2626 if err != nil { 2627 return err 2628 } 2629 2630 teamSection := SCTeamSection{ 2631 ID: SCTeamID(t.ID), 2632 Implicit: t.IsImplicit(), 2633 Public: t.IsPublic(), 2634 KBFS: &SCTeamKBFS{ 2635 TLF: &SCTeamKBFSTLF{ 2636 ID: tlfID, 2637 }, 2638 }, 2639 Ratchets: ratchet.ToTeamSection(), 2640 } 2641 2642 mr, err := m.G().MerkleClient.FetchRootFromServer(m, libkb.TeamMerkleFreshnessForAdmin) 2643 if err != nil { 2644 return err 2645 } 2646 if mr == nil { 2647 return errors.New("No merkle root available for KBFS settings update") 2648 } 2649 2650 sigMultiItem, latestSeqno, err := t.sigTeamItem(ctx, teamSection, libkb.LinkTypeKBFSSettings, mr) 2651 if err != nil { 2652 return err 2653 } 2654 2655 sigPayloadArgs := sigPayloadArgs{ 2656 ratchetBlindingKeys: ratchet.ToSigPayload(), 2657 } 2658 payload := t.sigPayload([]libkb.SigMultiItem{sigMultiItem}, sigPayloadArgs) 2659 err = t.postMulti(libkb.NewMetaContext(ctx, t.G()), payload) 2660 if err != nil { 2661 return err 2662 } 2663 return t.HintLatestSeqno(m, latestSeqno) 2664 } 2665 2666 func (t *Team) notifyNoChainChange(ctx context.Context, changes keybase1.TeamChangeSet) error { 2667 return t.notify(ctx, changes, t.CurrentSeqno()) 2668 } 2669 2670 // Send notifyrouter messages. 2671 // Modifies `changes` 2672 // Update to the latest seqno that we're passing though, don't make any assumptions about number of sigs. 2673 // Note that we're probably going to be getting this same notification a second time, since it will 2674 // bounce off a gregor and back to us. But they are idempotent, so it should be fine to be double-notified. 2675 func (t *Team) notify(ctx context.Context, changes keybase1.TeamChangeSet, latestSeqno keybase1.Seqno) error { 2676 changes.KeyRotated = changes.KeyRotated || t.rotated 2677 m := libkb.NewMetaContext(ctx, t.G()) 2678 var err error 2679 if latestSeqno > 0 { 2680 err = HintLatestSeqno(m, t.ID, latestSeqno) 2681 } 2682 t.G().NotifyRouter.HandleTeamChangedByBothKeys(ctx, t.ID, t.Name().String(), latestSeqno, t.IsImplicit(), 2683 changes, keybase1.Seqno(0) /* hiddenSeqno */, keybase1.Seqno(0) /* offchainSeqno */, keybase1.TeamChangedSource_LOCAL) 2684 return err 2685 } 2686 2687 func (t *Team) HintLatestSeqno(m libkb.MetaContext, n keybase1.Seqno) error { 2688 return HintLatestSeqno(m, t.ID, n) 2689 } 2690 2691 func HintLatestSeqno(m libkb.MetaContext, id keybase1.TeamID, n keybase1.Seqno) error { 2692 err := m.G().GetTeamLoader().HintLatestSeqno(m.Ctx(), id, n) 2693 if err != nil { 2694 m.Warning("error in TeamLoader#HintLatestSeqno: %v", err) 2695 } 2696 e2 := m.G().GetFastTeamLoader().HintLatestSeqno(m, id, n) 2697 if e2 != nil { 2698 m.Warning("error in FastTeamLoader#HintLatestSeqno: %v", err) 2699 } 2700 if err != nil { 2701 return err 2702 } 2703 return e2 2704 } 2705 2706 func HintLatestHiddenSeqno(m libkb.MetaContext, id keybase1.TeamID, n keybase1.Seqno) error { 2707 err := m.G().GetHiddenTeamChainManager().HintLatestSeqno(m, id, n) 2708 if err != nil { 2709 m.Warning("error in HintLatestHiddenSeqno: %v", err) 2710 } 2711 return err 2712 } 2713 2714 func (t *Team) refreshUIDMapper(ctx context.Context, g *libkb.GlobalContext) { 2715 for uv := range t.chain().inner.UserLog { 2716 _, err := g.UIDMapper.InformOfEldestSeqno(ctx, g, uv) 2717 if err != nil { 2718 g.Log.CDebugf(ctx, "Error informing eldest seqno: %+v", err.Error()) 2719 } 2720 } 2721 for _, inviteMD := range t.chain().ActiveInvites() { 2722 invite := inviteMD.Invite 2723 invtype, err := invite.Type.C() 2724 if err != nil { 2725 g.Log.CDebugf(ctx, "Error in invite %s: %s", invite.Id, err.Error()) 2726 continue 2727 } 2728 if invtype == keybase1.TeamInviteCategory_KEYBASE { 2729 uv, err := invite.KeybaseUserVersion() 2730 if err != nil { 2731 g.Log.CDebugf(ctx, "Error in parsing invite %s: %s", invite.Id, err.Error()) 2732 } 2733 _, err = g.UIDMapper.InformOfEldestSeqno(ctx, g, uv) 2734 if err != nil { 2735 g.Log.CDebugf(ctx, "Error informing eldest seqno: %+v", err.Error()) 2736 } 2737 } 2738 } 2739 } 2740 2741 func UpgradeTLFIDToImpteam(ctx context.Context, g *libkb.GlobalContext, tlfName string, tlfID keybase1.TLFID, 2742 public bool, appType keybase1.TeamApplication, cryptKeys []keybase1.CryptKey) (err error) { 2743 defer g.CTrace(ctx, fmt.Sprintf("UpgradeTLFIDToImpteam(%s)", tlfID), &err)() 2744 2745 var team *Team 2746 if team, _, _, err = LookupOrCreateImplicitTeam(ctx, g, tlfName, public); err != nil { 2747 return err 2748 } 2749 2750 // Associate the imp team with the TLF ID 2751 if team.LatestKBFSTLFID().IsNil() { 2752 if err = team.AssociateWithTLFID(ctx, tlfID); err != nil { 2753 return err 2754 } 2755 } else { 2756 if team.LatestKBFSTLFID().String() != tlfID.String() { 2757 return fmt.Errorf("implicit team already associated with different TLF ID: teamID: %s tlfID: %s", 2758 team.ID, tlfID) 2759 } 2760 } 2761 2762 // Reload the team 2763 if team, err = Load(ctx, g, keybase1.LoadTeamArg{ 2764 ID: team.ID, 2765 Public: public, 2766 ForceRepoll: true, 2767 }); err != nil { 2768 return err 2769 } 2770 2771 // Post the crypt keys 2772 return team.AssociateWithTLFKeyset(ctx, tlfID, cryptKeys, appType) 2773 } 2774 2775 func TeamInviteTypeFromString(mctx libkb.MetaContext, inviteTypeStr string) (keybase1.TeamInviteType, error) { 2776 switch inviteTypeStr { 2777 case "keybase": 2778 return keybase1.NewTeamInviteTypeDefault(keybase1.TeamInviteCategory_KEYBASE), nil 2779 case "email": 2780 return keybase1.NewTeamInviteTypeDefault(keybase1.TeamInviteCategory_EMAIL), nil 2781 case "seitan_invite_token": 2782 return keybase1.NewTeamInviteTypeDefault(keybase1.TeamInviteCategory_SEITAN), nil 2783 case "phone": 2784 return keybase1.NewTeamInviteTypeDefault(keybase1.TeamInviteCategory_PHONE), nil 2785 case "invitelink": 2786 return keybase1.NewTeamInviteTypeDefault(keybase1.TeamInviteCategory_INVITELINK), nil 2787 case "twitter", "github", "facebook", "reddit", "hackernews", "pgp", "http", "https", "dns": 2788 return keybase1.NewTeamInviteTypeWithSbs(keybase1.TeamInviteSocialNetwork(inviteTypeStr)), nil 2789 default: 2790 if mctx.G().GetProofServices().GetServiceType(mctx.Ctx(), inviteTypeStr) != nil { 2791 return keybase1.NewTeamInviteTypeWithSbs(keybase1.TeamInviteSocialNetwork(inviteTypeStr)), nil 2792 } 2793 2794 isDev := mctx.G().Env.GetRunMode() == libkb.DevelRunMode 2795 if isDev && inviteTypeStr == "rooter" { 2796 return keybase1.NewTeamInviteTypeWithSbs(keybase1.TeamInviteSocialNetwork(inviteTypeStr)), nil 2797 } 2798 // Don't want to break existing clients if we see an unknown invite type. 2799 return keybase1.NewTeamInviteTypeWithUnknown(inviteTypeStr), nil 2800 } 2801 } 2802 2803 func FreezeTeam(mctx libkb.MetaContext, teamID keybase1.TeamID) error { 2804 err3 := mctx.G().GetHiddenTeamChainManager().Freeze(mctx, teamID) 2805 if err3 != nil { 2806 mctx.Debug("error freezing in hidden team chain manager: %v", err3) 2807 } 2808 err1 := mctx.G().GetTeamLoader().Freeze(mctx.Ctx(), teamID) 2809 if err1 != nil { 2810 mctx.Debug("error freezing in team cache: %v", err1) 2811 } 2812 err2 := mctx.G().GetFastTeamLoader().Freeze(mctx, teamID) 2813 if err2 != nil { 2814 mctx.Debug("error freezing in fast team cache: %v", err2) 2815 } 2816 return libkb.CombineErrors(err1, err2, err3) 2817 } 2818 2819 func TombstoneTeam(mctx libkb.MetaContext, teamID keybase1.TeamID) error { 2820 err3 := mctx.G().GetHiddenTeamChainManager().Tombstone(mctx, teamID) 2821 if err3 != nil { 2822 mctx.Debug("error tombstoning in hidden team chain manager: %v", err3) 2823 if _, ok := err3.(hidden.TombstonedError); ok { 2824 err3 = nil 2825 } 2826 } 2827 err1 := mctx.G().GetTeamLoader().Tombstone(mctx.Ctx(), teamID) 2828 if err1 != nil { 2829 mctx.Debug("error tombstoning in team cache: %v", err1) 2830 if _, ok := err1.(TeamTombstonedError); ok { 2831 err1 = nil 2832 } 2833 } 2834 err2 := mctx.G().GetFastTeamLoader().Tombstone(mctx, teamID) 2835 if err2 != nil { 2836 mctx.Debug("error tombstoning in fast team cache: %v", err2) 2837 if _, ok := err2.(TeamTombstonedError); ok { 2838 err2 = nil 2839 } 2840 } 2841 return libkb.CombineErrors(err1, err2, err3) 2842 } 2843 2844 type TeamShim struct { 2845 Data *keybase1.TeamData 2846 Hidden *keybase1.HiddenTeamChain 2847 } 2848 2849 func (t *TeamShim) MainChain() *keybase1.TeamData { return t.Data } 2850 func (t *TeamShim) HiddenChain() *keybase1.HiddenTeamChain { return t.Hidden } 2851 2852 var _ Teamer = (*TeamShim)(nil) 2853 2854 func KeySummary(t Teamer) string { 2855 if t == nil { 2856 return "Ø" 2857 } 2858 return fmt.Sprintf("{main:%s, hidden:%s}", t.MainChain().KeySummary(), t.HiddenChain().KeySummary()) 2859 } 2860 2861 type TeamInfo struct { 2862 libkb.AppStatusEmbed 2863 Name string 2864 InTeam bool `json:"in_team"` 2865 Open bool 2866 Description string 2867 PublicAdmins []string `json:"public_admins"` 2868 NumMembers int `json:"num_members"` 2869 PublicMembers []struct { 2870 Role keybase1.TeamRole 2871 UID keybase1.UID 2872 Username string 2873 FullName string `json:"full_name"` 2874 } `json:"public_members"` 2875 } 2876 2877 func GetUntrustedTeamInfo(mctx libkb.MetaContext, name keybase1.TeamName) (info keybase1.UntrustedTeamInfo, err error) { 2878 arg := libkb.APIArg{ 2879 Endpoint: "team/mentiondesc", 2880 SessionType: libkb.APISessionTypeREQUIRED, 2881 Args: libkb.HTTPArgs{ 2882 "name": libkb.S{Val: name.String()}, 2883 "include_all_members": libkb.B{Val: true}, // refers to members who showcased the team on their profile only 2884 }, 2885 } 2886 2887 var resp TeamInfo 2888 if err = mctx.G().API.GetDecode(mctx, arg, &resp); err != nil { 2889 mctx.Debug("GetUntrustedTeamInfo: failed to get team info: %s", err) 2890 } 2891 if err != nil { 2892 return info, err 2893 } 2894 2895 teamName, err := keybase1.TeamNameFromString(resp.Name) 2896 if err != nil { 2897 return info, err 2898 } 2899 2900 teamInfo := keybase1.UntrustedTeamInfo{ 2901 Name: teamName, 2902 Description: resp.Description, 2903 InTeam: resp.InTeam, 2904 NumMembers: resp.NumMembers, 2905 Open: resp.Open, 2906 PublicAdmins: resp.PublicAdmins, 2907 } 2908 2909 for _, mem := range resp.PublicMembers { 2910 teamInfo.PublicMembers = append(teamInfo.PublicMembers, keybase1.TeamMemberRole{ 2911 Uid: mem.UID, 2912 FullName: keybase1.FullName(mem.FullName), 2913 Role: mem.Role, 2914 Username: mem.Username, 2915 }) 2916 } 2917 2918 return teamInfo, nil 2919 } 2920 2921 func GetUntrustedTeamExists(mctx libkb.MetaContext, name keybase1.TeamName) (teamExistsResult keybase1.UntrustedTeamExistsResult, err error) { 2922 type resType struct { 2923 libkb.AppStatusEmbed 2924 Exists bool `json:"exists"` 2925 Sc keybase1.StatusCode `json:"sc"` 2926 } 2927 var res resType 2928 err = mctx.G().API.GetDecode(mctx, libkb.APIArg{ 2929 Endpoint: "team/exists", 2930 SessionType: libkb.APISessionTypeREQUIRED, 2931 Args: libkb.HTTPArgs{ 2932 "teamName": libkb.S{Val: name.String()}, 2933 }, 2934 }, &res) 2935 if err != nil { 2936 mctx.Debug("GetUntrustedTeamInfo: failed to get team info: %s", err) 2937 return teamExistsResult, err 2938 } 2939 2940 return keybase1.UntrustedTeamExistsResult{ 2941 Exists: res.Exists, 2942 Status: res.Sc, 2943 }, nil 2944 }