[Server v3] What to do when unsharing with a revoked user?

[vxgmichel]

There is no status RealmUnshareStoreBadOutcome.RECIPIENT_REVOKED, is that on purpose?

parsec-cloud/server/parsec/components/postgresql/realm.py

Lines 838 to 844 in f1ccaa5

	match await self.user._check_user(conn, organization_id, certif.user_id):
	case CheckUserBadOutcome.USER_NOT_FOUND:
	return RealmUnshareStoreBadOutcome.RECIPIENT_NOT_FOUND
	case CheckUserBadOutcome.USER_REVOKED:
	pass # TODO: Is that OK to pass here?
	case (UserProfile(), DateTime()):
	pass

The memory does not check for this case:

parsec-cloud/server/parsec/components/memory/realm.py

Lines 327 to 328 in f1ccaa5

	if certif.user_id not in org.users:
	return RealmUnshareStoreBadOutcome.RECIPIENT_NOT_FOUND

[touilleMan]

There is no status RealmUnshareStoreBadOutcome.RECIPIENT_REVOKED, is that on purpose?

No, we should add a RECIPIENT_REVOKED status, good catch 👍

Note the situation is different with unshare command, where the client is allowed to unshare with a revoked user

EDIT: I've misread, realm share is obviously not allowed with a revoked user, however realm unshare is allowed.
This way, the realm key rotation should only deal with realm unshare certificates (instead of ream unshare + user revoke)

So we have (considering Alice OWNER of wksp1):

• wksp1 unshared with Bob -> Alice does a key rotation of wksp1
• Bob revoked by Mallory -> ALice unshare wksp1 with Bob -> Alice does a key rotation wksp1