Crypto: Return an error when sharing a room key to a verified user, who has an unverified device (optional encryption setting)

[BillCarsonFr]

Fixes #3792

Suggest review commit-by-commit.

• Public API changes documented in changelogs (optional)

[codecov]

Codecov Report

Attention: Patch coverage is 86.84211% with 10 lines in your changes missing coverage. Please review.

Project coverage is 84.09%. Comparing base (4ece38a) to head (5f24f8e).
Report is 13 commits behind head on main.

Files	Patch %	Lines
...c/session_manager/group_sessions/share_strategy.rs	85.71%	9 Missing ⚠️
crates/matrix-sdk-crypto/src/identities/device.rs	83.33%	1 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #3810      +/-   ##
==========================================
+ Coverage   84.07%   84.09%   +0.01%     
==========================================
  Files         262      262              
  Lines       27544    27581      +37     
==========================================
+ Hits        23158    23193      +35     
- Misses       4386     4388       +2     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[BillCarsonFr]

The LocalTrust::Ignored actually is really Whitelist, as it says that the trust state should be ignored. Should it be renamed to Whitelisted? to be consistent with LocalTrust::BlackListed?

[richvdh]

yeahh, this feels pretty confusing to me, and could do with clean up.

That said: "whitelisted"/"blacklisted" are somewhat problematic terms, and we might take the opportunity to rename both.

[BillCarsonFr]

This if/else sequence is getting harder and harder to read with all the possible settings/outcome.
We might want to get rid of the partition/Either system.
Also the set of settings can create invalid configuration, like only_allow_trusted_devices + error_on_unsigned_device_of_verified_users doesn't really make sense.
Will get worse with more options

[richvdh]

Looks broadly good to me. Some initial thoughts, but nothing major -- except my question about checking own_identity.is_verified().

I'll take a closer look tomorrow.

[richvdh]

A few more, more nitpicky comments. I still need to take a closer look at the tests.

[richvdh]

is this persisted somewhere, that makes the default necessary?

[BillCarsonFr]

EncryptionSettings is persisted in the OutboundSession at least, and maybe some clients could persist the encryption settings? All the things we put as serializable could be persisted... (are we serializing things for other reasons? like for bindings to pass things back and forth?)
We really need to improve that part of the sdk, it's too easy to make a change that would break applications.
I thought about having tests with json exports of all the serializable things that are persisted, that just tries to load them back and see if it breaks. This would be minimum. Or we need to think about a specific trait for things that are expected to be serialized persisted, with a version of some form

[richvdh]

EncryptionSettings is persisted in the OutboundSession at least

Hrm... does that means that, once we enable the new behaviour, it won't work until megolm sessions are replaced?

[BillCarsonFr]

I don't think so. But there is something odd with the settings how they are now.

The settings persisted is used mainly (i think) in the code to detect if the session should be rotated.
I think that only part of the EncryptionSetting should be persisted (rotation_period, rotation_period_msgs, and history_visibility?).
The old only_allow_trusted_devices that was in the EncryptionSetting (replaced now by CollectStrategy) shouldn't be persisted. Because anyhow if a change on this setting change the set of devices that should receive it, then is_session_overshared_for_user will detect it and rotate the session.

history_visibility is different because you want to rotate if you decide that this session could be shared now as part of history sharing for example, event if it doesn't change right now who get the key

[richvdh]

I'm not really following all of this. It sounds like we shouldn't be persisting EncryptionSettings at all to me.

[BillCarsonFr]

If you change the rotation_period you would want the session to be rotated immediatly instead of having to wait for the old one to be rotated based on the old rotation period. Same for history_visibility, you want to make history sharable from the point you change to that setting and not make early history available?

[richvdh]

Both of those things sound like we should be taking notice of the current EncryptionSettings, not whatever was persisted to the store.

[richvdh]

yeahh, this feels pretty confusing to me, and could do with clean up.

That said: "whitelisted"/"blacklisted" are somewhat problematic terms, and we might take the opportunity to rename both.

[richvdh]

This is a slightly rubbish name; ultimately I want to use it for both unverified devices (#3792) and verified users that become unverified (#3793).

[bnjbvr]

On request, I've just skimmed the PR and looked at Rust idioms. I've got some small suggestions to improve readability of the code, which I think should be addressed; confusing a bool for another could be particularly bad in the context of crypto, IMO. LGTM otherwise!

[bnjbvr]

preexisting, and can be done in another PR: having is_device_signed return a Result when all the callers check for is_ok() makes me think it should just return a boolean instead of a Result 👀

[richvdh]

Agreed. Let's fix that in another PR.

[bnjbvr]

same here for is_identity_signed

[bnjbvr]

Super nice, thanks!