[identity] Forbid RestoreUser RPC for authoritative keyserver owner
ClosedPublic
Actions

Authored by bartek on Feb 14 2025, 3:20 PM.

Details

Reviewers

kamil
tomek

Commits

rCOMMa00551671a8f: [identity] Forbid RestoreUser RPC for authoritative keyserver owner

Summary

Something mentioned in this comment.
Authoritative keyserver owner shouldn't call this RPC. Otherwise, the primary-device-issued device list will be a singleton that doesn't contain the keyserver.

Test Plan

Mocked my user ID to be authoritative keyserver owner. Confirmed that the RPC fails.

Diff Detail

Repository

rCOMM Comm

Lint

No Lint Coverage

Unit

No Test Coverage

Event Timeline

bartek created this revision.Feb 14 2025, 3:20 PM

bartek held this revision as a draft.

Herald added a subscriber: ashoat. · View Herald TranscriptFeb 14 2025, 3:20 PM

bartek published this revision for review.Feb 14 2025, 3:36 PM

Harbormaster completed remote builds in B33518: Diff 47108.Feb 14 2025, 3:56 PM

What RPC should the authoritative keyserver owner's primary device call instead? I suppose we should be calling a "v1" RPC instead of a v2 one, and the fact that the wrong one was called is a client issue?

In D14367#399274, @ashoat wrote:

What RPC should the authoritative keyserver owner's primary device call instead? I suppose we should be calling a "v1" RPC instead of a v2 one, and the fact that the wrong one was called is a client issue?

It's 3. from this Linear comment. For authoritative keyserver owner, v1 fallback should be triggered.

Ashoat tries restore flow. Backup exists, so it doesn't fall back to v1. RestoreUser RPC is called, which likely fails with use_v1_flow due to unsigned device list. The "Unknown error" is displayed.

Thankfully it failed, otherwise primary-device-issued device list update would be a singleton without authoritative keyserver device present. I'm going to handle this case separately to prevent it from happening.

kamil mentioned this in D14369: [identity] Improve logging verbosity for login/logout RPCs.Feb 17 2025, 11:31 AM

Worth adding that this is a temporary improvement for now to allow @ashoat to log out safely without affecting the prod keyserver. In a long-term solution, where the device list is not a singleton but a tuple [primaryDeviceID, keyserverID] this code should removed. I made a comment in ENG-10009.

This revision is now accepted and ready to land.Feb 17 2025, 11:47 AM

bartek added a child revision: D14369: [identity] Improve logging verbosity for login/logout RPCs.Feb 17 2025, 1:13 PM

Closed by commit rCOMMa00551671a8f: [identity] Forbid RestoreUser RPC for authoritative keyserver owner. · Explain WhyFeb 17 2025, 1:57 PM

This revision was automatically updated to reflect the committed changes.

bartek added a commit: rCOMMa00551671a8f: [identity] Forbid RestoreUser RPC for authoritative keyserver owner.