make team links look like per_user_key links (#66)

* make team links look like per_user_key links - have encryption and signing kids in the per_team_key section - no more boxes - reverse sigs: yes! - checks and tests for those checks * fix broken test
keybase · May 9, 2017 · 138d6c9 · 138d6c9
1 parent dbb2010
commit 138d6c9
Show file tree

Hide file tree

Showing 5 changed files with 263 additions and 18 deletions.
diff --git a/lib/subkey.js b/lib/subkey.js
diff --git a/lib/team.js b/lib/team.js
diff --git a/src/subkey.iced b/src/subkey.iced
@@ -83,7 +83,7 @@ exports.SubkeyBase = class SubkeyBase extends Base
         err = new Error "Sibkey KID mismatch: #{a} != #{b}"
       else
         @reverse_sig_kid = rsk
-    else if @need_reverse_sig()
+    else if @need_reverse_sig json
       err = new Error "Need a reverse sig, but didn't find one"
     cb err
 

diff --git a/src/team.iced b/src/team.iced
@@ -4,17 +4,62 @@
 {make_esc} = require 'iced-error'
 pgp_utils = require('pgp-utils')
 {json_stringify_sorted,unix_time,streq_secure} = pgp_utils.util
+{SubkeyBase} = require './subkey'
+{EncKeyManager,KeyManager} = require('kbpgp').kb
 
 #==========================================================================
 
-class TeamBase extends Base
+class TeamBase extends SubkeyBase
 
   constructor : (obj) ->
     @team = obj.team
+    @kms = obj.kms
     super obj
 
   _required_sections : () -> super().concat [ "team" ]
-  _v_customize_json : (ret) -> ret.body.team = @team
+  _v_customize_json : (ret) ->
+    ret.body.team = @team
+    if @per_team_key?
+      ret.body.team.per_team_key = @per_team_key
+
+  _v_generate : (opts, cb) ->
+    err = null
+    if @kms?
+      await super opts, defer err
+    cb err
+
+  get_field : () -> "per_team_key"
+  get_new_key_section : () -> @per_team_key
+  set_new_key_section : (m) ->
+    m.generation = @kms.generation
+    m.encryption_kid = @kms.encryption.get_ekid().toString('hex')
+    @per_team_key = m
+  get_new_km : () -> @kms?.signing # use the signing KM
+  sibkid_slot : () -> "signing_kid"
+  need_reverse_sig : (json) -> json?.body?.per_team_key?
+
+  _v_include_pgp_details : () -> false
+
+  _find_fields : ({json}) ->
+    if (typeof(v = json?.generation) isnt 'number') or (parseInt(v) <= 0)
+      new Error "Need per_team_key.generation to be an integer > 0 (got #{v})"
+    else if not json?.signing_kid?
+      new Error "need a signing kid"
+    else if not json?.encryption_kid?
+      new Error "need an encryption kid"
+    else null
+
+  _v_check : ({json}, cb) ->
+    esc = make_esc cb, "_v_check"
+    err = null
+    if (o = json?.body?.team?.per_team_key)?
+      err = @_find_fields { json : o}
+      if not err?
+        await KeyManager.import_public { hex : o.signing_kid }, esc defer()
+        await EncKeyManager.import_public { hex : o.encryption_kid }, esc defer()
+    unless err?
+      await super { json }, esc defer()
+    cb err
 
 #--------------
 

diff --git a/test/files/team.iced b/test/files/team.iced
@@ -1,22 +1,52 @@
 {alloc,team} = require '../../'
-{KeyManager} = require('kbpgp').kb
+{EncKeyManager,KeyManager} = require('kbpgp').kb
 {make_esc} = require 'iced-error'
 {new_sig_arg} = require './util'
 
+test_klass = ({T,arg, klass, keys}, cb) ->
+  esc = make_esc cb, "test_klass"
+  delete arg.kms
+  delete arg.team.per_team_key
+  if keys
+    arg.kms = {}
+    await EncKeyManager.generate {}, esc defer arg.kms.encryption
+    await KeyManager.generate {}, esc defer arg.kms.signing
+    arg.kms.generation = 10
+  obj = new klass arg
+  await obj.generate_v2 esc defer out
+  typ = out.inner.obj.body.type
+  obj2 = alloc typ, arg
+  varg = { armored : out.armored, skip_ids : true, make_ids : true, inner : out.inner.str }
+  await obj2.verify_v2 varg, esc defer()
+  T.waypoint "checked #{typ} #{if keys then 'with' else 'without'} keys"
+  cb null
+
 exports.test_all_classes = (T,cb) ->
   esc = make_esc cb, "test_all_classes"
   klasses = [team.Index, team.Root, team.ChangeMembership, team.RotateKey, team.NewSubteam, team.Leave, team.SubteamHead, team.RenameSubteam ]
   await KeyManager.generate {}, esc defer km
   arg = new_sig_arg { km }
-  arg.team = "test"
-
+  arg.team = { members : { admin : ["a"] } }
   for klass in klasses
-    obj = new klass arg
-    await obj.generate_v2 esc defer out
-    typ = out.inner.obj.body.type
-    obj2 = alloc typ, arg
-    varg = { armored : out.armored, skip_ids : true, make_ids : true, inner : out.inner.str }
-    await obj2.verify_v2 varg, esc defer()
-    T.waypoint "checked #{typ}"
-
+    await test_klass { T, arg, klass, keys : true }, esc defer()
+    await test_klass { T, arg, klass, keys : false }, esc defer()
   cb()
+
+exports.test_bad_key_section = (T,cb) ->
+  esc = make_esc cb, "test_bad_key_section"
+  await KeyManager.generate {}, esc defer km
+  arg = new_sig_arg { km }
+  arg.team = { members : { admin : ["a"] } }
+  arg.kms = {}
+  await EncKeyManager.generate {}, esc defer arg.kms.encryption
+  await KeyManager.generate {}, esc defer arg.kms.signing
+  obj = new team.RotateKey arg
+  await obj.generate_v2 esc defer out
+  typ = out.inner.obj.body.type
+  obj2 = alloc typ, arg
+  varg = { armored : out.armored, skip_ids : true, make_ids : true, inner : out.inner.str }
+  await obj2.verify_v2 varg, defer err
+  T.assert err?, "we got an error back"
+  T.equal err.message, "Need per_team_key.generation to be an integer > 0 (got undefined)", "right message"
+  cb null
+