search

WebOfTrust / keria

KERI Agent in the cloud
https://keria.readthedocs.io/en/latest/
Apache License 2.0
18 stars 29 forks source link

Incorrect members returned by multisig AID members endpoint when more than one group in an agent #189

Closed lenkan closed 7 months ago

lenkan commented 7 months ago

See reproduction script here: https://github.com/lenkan/signify-ts/commit/7261f972112a2159f4db0589068687eaa5212615

Steps to reproduce:

  1. Create two signify clients with AID member1 and member2, respectively.
  2. Create a multisig group multisig1 with participating members member1 and member2.
  3. Call GET /identifiers/multisig1/members
  4. Verify that the number and ids of the returned signing and rotating members are correct.
  5. Create another multisig group multisig2 with same participating members member1 and member2, add a witness or change the signing thresholds so a new prefix is generated.
  6. Call GET /identifiers/multisig2/members

Expected result

The signing and rotating members should only contain member1 and member2:

    {
      signing: [
        {
          aid: 'member1',
          ends: [Object]
        },
        {
          aid: 'member2'
          ends: [Object]
        },
      ],
      rotation: [
        {
          aid: 'member1',
          ends: [Object]
        },
        {
          aid: 'member2'
          ends: [Object]
        },
      ]
    }

Actual result

The signing and rotating members of group multisig2 contains member1, member2 AND two entries of the group multisig1: (Note: multisig1, not multisig2). Like this:

    {
      signing: [
        {
          aid: 'member1',
          ends: [Object]
        },
        {
          aid: 'multisig1',
          ends: [Object]
        },
        {
          aid: 'member2'
          ends: [Object]
        },
        {
          aid: 'multisig1'
          ends: [Object]
        }
      ],
      rotation: [
        {
          aid: 'member1',
          ends: [Object]
        },
        {
          aid: 'multisig1',
          ends: [Object]
        },
        {
          aid: 'member2'
          ends: [Object]
        },
        {
          aid: 'multisig1'
          ends: [Object]
        }
      ]
    }
psteniusubi commented 7 months ago

I believe support for this is not currently implemented. See here https://github.com/WebOfTrust/keria/issues/165

lenkan commented 7 months ago

I believe support for this is not currently implemented. See here #165

I believe that is a different issue. That one describes the issue of creating a multisig AID with two members from the same agent. Notice in the repro that we create one client, i.e. keria agent, for each of the participants.

psteniusubi commented 7 months ago

Yes you're right. It looks like it's problematic if you have local or remote multisig identifiers with overlapping public key members.

lenkan commented 7 months ago

@pfeairheller I did some digging today and found that this is originating from keripy basing. I tried to create a reproduction unit test for it here: https://github.com/WebOfTrust/keripy/commit/62348bdc2e7df267518d452f1642994224122c43.

I.e, creating multiple groups in the same hab yields unexpected results.

pfeairheller commented 7 months ago

Sorry, @lenkan I already know the cause and we are working on a much more comprehensive solution inside of KERIpy.

pfeairheller commented 7 months ago

Actually, closing this because it is not a KERIA issue. you can track progress here:

https://github.com/WebOfTrust/keripy/issues/694