crypto(feat): Key distribution errors for pin violations

[BillCarsonFr]

Part of invisible crypto, follow up of #3639

Fixes #3565

Following support for key pinning, we have now to manage pinning violation when encrypting olm messages (room key distribution).

The new encryption errors:

/// Depending on the sharing strategy for room keys, the distribution of the
/// room key could fail.
#[derive(Error, Debug)]
pub enum RoomKeyDistributionError {
    /// When encrypting using the IdentityBased strategy.
    /// Will be thrown when sharing room keys when there is a new identity for a
    /// user that has not been confirmed by the user.
    /// Application should display identity changes to the user as soon as
    /// possible to avoid hitting this case. If it happens the app might
    /// just retry automatically after the identity change has been
    /// notified, or offer option to cancel.
    #[error("Encryption failed because there are key pinning violation, please re-pin or verify the problematic users")]
    KeyPinningViolation(Vec<OwnedUserId>),

    /// Cross-signing is required for encryption with invisible crypto
    #[error("Encryption failed: Setup cross-signing on your account")]
    CrossSigningNotSetup,
    /// The current device needs to be verified when encrypting using the
    /// IdentityBased strategy. Apps should prevent sending in the UI to
    /// avoid hitting this case.
    #[error("Encryption failed: Verify your device to send encrypted messages")]
    SendingFromUnverifiedDevice,
}

• Public API changes documented in changelogs (optional)

Signed-off-by:

[codecov]

Codecov Report

Attention: Patch coverage is 91.93548% with 5 lines in your changes missing coverage. Please review.

Project coverage is 84.18%. Comparing base (70f46d4) to head (afda06a).
Report is 2 commits behind head on main.

Files	Patch %	Lines
...c/session_manager/group_sessions/share_strategy.rs	91.93%	5 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #3662      +/-   ##
==========================================
+ Coverage   84.12%   84.18%   +0.05%     
==========================================
  Files         263      263              
  Lines       27584    27621      +37     
==========================================
+ Hits        23205    23252      +47     
+ Misses       4379     4369      -10     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[jmartinesp]

I can't say much about the crypto logic, but the code LGTM and the docs and comments made it a bit easier to understand, thanks. I have a couple of comments, but feel free to ignore them.

[jmartinesp]

Do we need to collect it twice?

[richvdh]

+1. I fixed another copy of this code recently in 1e58c03

[richvdh]

Per #3565 (comment): this needs an update so that an error is not thrown if a TOFU-trusted user has rotated their identity.

[richvdh]

A few comments. Also, needs a changelog entry.

[richvdh]

#3810 added a "SessionRecipientCollectionError" which I think we should be using here, rather than adding a new error type.

[richvdh]

no need to .clone() here. Could just inline strategy

[richvdh]

#3823 removed response_from_file

[richvdh]

could you give all these methods a doc-comment explaining what they mean?

[richvdh]

it would be good to add a doc-comment for each of these tests explaining what they are testing.

[richvdh]

this is normally spelt .unwrap()

[richvdh]

dead code?

[richvdh]

as well as a all the cleanups suggested for the other test, this test could do with some comments to explain what's going on.

[richvdh]

not sure that moving this declaration is helpful?

[richvdh]

This feels like a big refactor, combined with behavioural changes. Please could we have the refactor and the behavioral change as separate commits?

[richvdh]

I think some of these .other().unwrap() calls become unnecessary with #3847

[uhoreg]

I "merged" main into here (by which, I mean that I rewrote the changes on top of current main, plus #3884), and tried to use the new has_identity_verification_violation function that was introduced to make it error when we had a previously-verified user under the device-based strategy. But I noticed that that function doesn't take identity pinning into account, which I guess is fine for the device-based strategy. But with the fact that we are no longer erroring on TOFU user rotations, I'm wondering if we even need pinning any more.

[richvdh]

@uhoreg what is the state of this PR? Can it be closed, in favour of #3896?

[uhoreg]

Obsoleted by #3896