test: clients triggering duplicate signature error when adding members

typfel · typfel · commit 528edabf3eaa · 2026-03-24T16:12:21.000+01:00
diff --git a/crypto/src/mls/conversation/commit.rs b/crypto/src/mls/conversation/commit.rs
@@ -110,6 +110,7 @@ mod tests {
         use std::sync::Arc;
 
         use super::*;
+        use crate::Credential;
 
         #[apply(all_cred_cipher)]
         async fn can_add_members_to_conversation(case: TestContext) {
@@ -158,6 +159,50 @@ mod tests {
             .await
         }
 
+        #[apply(all_cred_cipher)]
+        async fn should_fail_on_duplicate_signatures(case: TestContext) {
+            let [alice, bob, carol] = case.sessions().await;
+            Box::pin(async move {
+                let conversation = case.create_conversation([&alice]).await;
+                let id = conversation.id.clone();
+                let bob_keypackage = bob.new_keypackage(&case).await;
+                let signature_key_pair = bob
+                    .find_any_credential(case.ciphersuite(), case.credential_type)
+                    .await
+                    .signature_key_pair
+                    .clone();
+                let credential = Credential {
+                    ciphersuite: case.ciphersuite(),
+                    credential_type: CredentialType::Basic,
+                    mls_credential: openmls::credentials::Credential::new_basic(
+                        carol.get_client_id().await.into_inner(),
+                    ),
+                    signature_key_pair,
+                    earliest_validity: 0,
+                };
+                let cred_ref = carol.add_credential(credential).await.unwrap();
+                let carol_key_package = carol.new_keypackage_from_ref(cred_ref, None).await;
+                let _affected_clients = [(carol.get_client_id().await, bob.get_client_id().await)];
+
+                let error = alice
+                    .transaction
+                    .conversation(&id)
+                    .await
+                    .unwrap()
+                    .add_members(vec![bob_keypackage.clone().into(), carol_key_package.clone().into()])
+                    .await
+                    .unwrap_err();
+
+                assert!(matches!(
+                    error,
+                    Error::DuplicateSignature {
+                        affected_clients: _affected_clients
+                    }
+                ));
+            })
+            .await
+        }
+
         #[apply(all_cred_cipher)]
         async fn should_return_valid_welcome(case: TestContext) {
             let [alice, bob] = case.sessions().await;
diff --git a/crypto/src/test_utils/context.rs b/crypto/src/test_utils/context.rs
@@ -44,6 +44,17 @@ impl SessionContext {
             .unwrap()
     }
 
+    pub async fn new_keypackage_from_ref(
+        &self,
+        credential_ref: CredentialRef,
+        lifetime: Option<std::time::Duration>,
+    ) -> KeyPackage {
+        self.transaction
+            .generate_keypackage(&credential_ref, lifetime)
+            .await
+            .unwrap()
+    }
+
     pub async fn count_key_package(&self, cs: Ciphersuite, ct: Option<CredentialType>) -> usize {
         self.transaction
             .database()
@@ -125,6 +136,10 @@ impl SessionContext {
         self.session().await.find_credential_by_public_key(pk).await.ok()
     }
 
+    pub async fn add_credential(&self, credential: Credential) -> Option<CredentialRef> {
+        self.transaction.add_credential(credential).await.ok()
+    }
+
     pub async fn find_hpke_private_key_from_keystore(&self, skp: &HpkePublicKey) -> Option<StoredHpkePrivateKey> {
         self.transaction
             .database()
