mirrors/SchildiChat-android
1
0
Fork 0
mirror of https://github.com/SchildiChat/SchildiChat-android.git synced 2024-11-21 08:55:42 +03:00
Code Issues Projects Releases Packages Wiki Activity

Merge pull request #8933 from element-hq/feature/bca/fix_previously_verified_users

Browse source 
feat(crypto): Add support for verification violation warnings
This commit is contained in:
Benoit Marty 2024-11-12 16:39:24 +01:00 committed by GitHub
commit 7051c0c46e
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
11 changed files with 287 additions and 16 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
.github/workflows/post-pr.yml vendored
View file

@ -54,7 +54,7 @@ jobs:
with: with:
cache-read-only: ${{ github.ref != 'refs/heads/develop' }} cache-read-only: ${{ github.ref != 'refs/heads/develop' }}
- name: Start synapse server - name: Start synapse server
uses: michaelkaye/setup-matrix-synapse@v1.0.4 uses: michaelkaye/setup-matrix-synapse@v1.0.5
with: with:
uploadLogs: true uploadLogs: true
httpPort: 8080 httpPort: 8080

2
.github/workflows/tests.yml vendored
View file

@ -55,7 +55,7 @@ jobs:
- uses: actions/setup-python@v4 - uses: actions/setup-python@v4
with: with:
python-version: 3.8 python-version: 3.8
- uses: michaelkaye/setup-matrix-synapse@v1.0.4 - uses: michaelkaye/setup-matrix-synapse@v1.0.5
with: with:
uploadLogs: true uploadLogs: true
httpPort: 8080 httpPort: 8080

1
changelog.d/8933.bugfix Normal file
View file

@ -0,0 +1 @@
Show a notice when a previously verified user is not anymore

2
matrix-sdk-android/build.gradle
View file

@ -221,7 +221,7 @@ dependencies {
implementation libs.google.phonenumber implementation libs.google.phonenumber
implementation("org.matrix.rustcomponents:crypto-android:0.4.3") implementation("org.matrix.rustcomponents:crypto-android:0.5.0")
// api project(":library:rustCrypto") // api project(":library:rustCrypto")
testImplementation libs.tests.junit testImplementation libs.tests.junit

262
matrix-sdk-android/src/androidTest/java/org/matrix/android/sdk/internal/crypto/ComputeShieldForGroupUseCaseTest.kt Normal file
View file

@ -0,0 +1,262 @@
/*
* Copyright 2024 The Matrix.org Foundation C.I.C.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.matrix.android.sdk.internal.crypto
import io.mockk.coEvery
import io.mockk.every
import io.mockk.mockk
import kotlinx.coroutines.test.runTest
import org.amshove.kluent.shouldBeEqualTo
import org.junit.Test
import org.matrix.android.sdk.api.session.crypto.crosssigning.DeviceTrustLevel
import org.matrix.android.sdk.api.session.crypto.crosssigning.MXCrossSigningInfo
import org.matrix.android.sdk.api.session.crypto.model.CryptoDeviceInfo
import org.matrix.android.sdk.api.session.crypto.model.RoomEncryptionTrustLevel
class ComputeShieldForGroupUseCaseTest {
@Test
fun shouldReturnDefaultShieldWhenNoOneIsVerified() = runTest {
val mockMachine = mockk<OlmMachine> {
coEvery {
getIdentity("@me:localhost")
} returns mockk<UserIdentities>(relaxed = true)
coEvery {
getIdentity("@alice:localhost")
} returns fakeIdentity(isVerified = false, hasVerificationViolation = false)
coEvery {
getUserDevices("@alice:localhost")
} returns listOf(fakeDevice("@alice:localhost", "A0", false))
coEvery {
getIdentity("@bob:localhost")
} returns fakeIdentity(isVerified = false, hasVerificationViolation = false)
coEvery {
getUserDevices("@bob:localhost")
} returns listOf(fakeDevice("@bob:localhost", "B0", false))
coEvery {
getIdentity("@charly:localhost")
} returns fakeIdentity(isVerified = false, hasVerificationViolation = false)
coEvery {
getUserDevices("@charly:localhost")
} returns listOf(fakeDevice("@charly:localhost", "C0", false))
}
val computeShieldOp = ComputeShieldForGroupUseCase("@me:localhost")
val shield = computeShieldOp.invoke(mockMachine, listOf("@alice:localhost", "@bob:localhost", "@charly:localhost"))
shield shouldBeEqualTo RoomEncryptionTrustLevel.Default
}
@Test
fun shouldReturnDefaultShieldWhenVerifiedUsersHaveSecureDevices() = runTest {
val mockMachine = mockk<OlmMachine> {
coEvery {
getIdentity("@me:localhost")
} returns mockk<UserIdentities>(relaxed = true)
// Alice is verified
coEvery {
getIdentity("@alice:localhost")
} returns fakeIdentity(isVerified = true, hasVerificationViolation = false)
coEvery {
getUserDevices("@alice:localhost")
} returns listOf(
fakeDevice("@alice:localhost", "A0", true),
fakeDevice("@alice:localhost", "A1", true)
)
coEvery {
getIdentity("@bob:localhost")
} returns fakeIdentity(isVerified = false, hasVerificationViolation = false)
coEvery {
getUserDevices("@bob:localhost")
} returns listOf(fakeDevice("@bob:localhost", "B0", false))
coEvery {
getIdentity("@charly:localhost")
} returns fakeIdentity(isVerified = false, hasVerificationViolation = false)
coEvery {
getUserDevices("@charly:localhost")
} returns listOf(fakeDevice("@charly:localhost", "C0", false))
}
val computeShieldOp = ComputeShieldForGroupUseCase("@me:localhost")
val shield = computeShieldOp.invoke(mockMachine, listOf("@alice:localhost", "@bob:localhost", "@charly:localhost"))
shield shouldBeEqualTo RoomEncryptionTrustLevel.Default
}
@Test
fun shouldReturnWarningShieldWhenPreviouslyVerifiedUsersHaveInSecureDevices() = runTest {
val mockMachine = mockk<OlmMachine> {
coEvery {
getIdentity("@me:localhost")
} returns mockk<UserIdentities>(relaxed = true)
// Alice is verified
coEvery {
getIdentity("@alice:localhost")
} returns fakeIdentity(isVerified = false, hasVerificationViolation = true)
coEvery {
getUserDevices("@alice:localhost")
} returns listOf(
fakeDevice("@alice:localhost", "A0", false),
fakeDevice("@alice:localhost", "A1", false)
)
coEvery {
getIdentity("@bob:localhost")
} returns fakeIdentity(isVerified = false, hasVerificationViolation = false)
coEvery {
getUserDevices("@bob:localhost")
} returns listOf(fakeDevice("@bob:localhost", "B0", false))
coEvery {
getIdentity("@charly:localhost")
} returns fakeIdentity(isVerified = false, hasVerificationViolation = false)
coEvery {
getUserDevices("@charly:localhost")
} returns listOf(fakeDevice("@charly:localhost", "C0", false))
}
val computeShieldOp = ComputeShieldForGroupUseCase("@me:localhost")
val shield = computeShieldOp.invoke(mockMachine, listOf("@alice:localhost", "@bob:localhost", "@charly:localhost"))
shield shouldBeEqualTo RoomEncryptionTrustLevel.Warning
}
@Test
fun shouldReturnRedShieldWhenVerifiedUserHaveInsecureDevices() = runTest {
val mockMachine = mockk<OlmMachine> {
coEvery {
getIdentity("@me:localhost")
} returns mockk<UserIdentities>(relaxed = true)
// Alice is verified
coEvery {
getIdentity("@alice:localhost")
} returns fakeIdentity(isVerified = true, hasVerificationViolation = false)
// And has an insecure device
coEvery {
getUserDevices("@alice:localhost")
} returns listOf(
fakeDevice("@alice:localhost", "A0", true),
fakeDevice("@alice:localhost", "A1", false)
)
coEvery {
getIdentity("@bob:localhost")
} returns fakeIdentity(isVerified = false, hasVerificationViolation = false)
coEvery {
getUserDevices("@bob:localhost")
} returns listOf(fakeDevice("@bob:localhost", "B0", false))
coEvery {
getIdentity("@charly:localhost")
} returns fakeIdentity(isVerified = false, hasVerificationViolation = false)
coEvery {
getUserDevices("@charly:localhost")
} returns listOf(fakeDevice("@charly:localhost", "C0", false))
}
val computeShieldOp = ComputeShieldForGroupUseCase("@me:localhost")
val shield = computeShieldOp.invoke(mockMachine, listOf("@alice:localhost", "@bob:localhost", "@charly:localhost"))
shield shouldBeEqualTo RoomEncryptionTrustLevel.Warning
}
@Test
fun shouldReturnGreenShieldWhenAllUsersAreVerifiedAndHaveSecuredDevices() = runTest {
val mockMachine = mockk<OlmMachine> {
coEvery {
getIdentity("@me:localhost")
} returns mockk<UserIdentities>(relaxed = true)
// Alice is verified
coEvery {
getIdentity("@alice:localhost")
} returns fakeIdentity(isVerified = true, hasVerificationViolation = false)
coEvery {
getUserDevices("@alice:localhost")
} returns listOf(
fakeDevice("@alice:localhost", "A0", true),
fakeDevice("@alice:localhost", "A1", false)
)
coEvery {
getIdentity("@bob:localhost")
} returns fakeIdentity(isVerified = true, hasVerificationViolation = false)
coEvery {
getUserDevices("@bob:localhost")
} returns listOf(fakeDevice("@bob:localhost", "B0", true))
coEvery {
getIdentity("@charly:localhost")
} returns fakeIdentity(isVerified = true, hasVerificationViolation = false)
coEvery {
getUserDevices("@charly:localhost")
} returns listOf(fakeDevice("@charly:localhost", "C0", true))
}
val computeShieldOp = ComputeShieldForGroupUseCase("@me:localhost")
val shield = computeShieldOp.invoke(mockMachine, listOf("@alice:localhost", "@bob:localhost", "@charly:localhost"))
shield shouldBeEqualTo RoomEncryptionTrustLevel.Warning
}
companion object {
internal fun fakeDevice(userId: String, deviceId: String, isSecure: Boolean) = mockk<Device>(relaxed = true) {
every { toCryptoDeviceInfo() } returns CryptoDeviceInfo(
deviceId = deviceId,
userId = userId,
trustLevel = DeviceTrustLevel(
crossSigningVerified = isSecure, locallyVerified = null
)
)
}
internal fun fakeIdentity(isVerified: Boolean, hasVerificationViolation: Boolean) = mockk<UserIdentities>(relaxed = true) {
coEvery { toMxCrossSigningInfo() } returns mockk<MXCrossSigningInfo> {
every { wasTrustedOnce } returns hasVerificationViolation
every { isTrusted() } returns isVerified
}
}
}
}

4
matrix-sdk-android/src/androidTest/java/org/matrix/android/sdk/internal/crypto/crosssigning/XSigningTest.kt
View file

@ -24,7 +24,6 @@ import org.junit.Assert.assertNotNull
import org.junit.Assert.assertNull import org.junit.Assert.assertNull
import org.junit.Assert.assertTrue import org.junit.Assert.assertTrue
import org.junit.Assert.fail import org.junit.Assert.fail
import org.junit.Assume
import org.junit.FixMethodOrder import org.junit.FixMethodOrder
import org.junit.Test import org.junit.Test
import org.junit.runner.RunWith import org.junit.runner.RunWith
@ -202,9 +201,6 @@ class XSigningTest : InstrumentedTest {
val aliceSession = cryptoTestData.firstSession val aliceSession = cryptoTestData.firstSession
val bobSession = cryptoTestData.secondSession val bobSession = cryptoTestData.secondSession
// Remove when https://github.com/matrix-org/matrix-rust-sdk/issues/1129
Assume.assumeTrue("Not yet supported by rust", aliceSession.cryptoService().name() != "rust-sdk")
val aliceAuthParams = UserPasswordAuth( val aliceAuthParams = UserPasswordAuth(
user = aliceSession.myUserId, user = aliceSession.myUserId,
password = TestConstants.PASSWORD password = TestConstants.PASSWORD

5
matrix-sdk-android/src/main/java/org/matrix/android/sdk/internal/crypto/ComputeShieldForGroupUseCase.kt
View file

@ -29,7 +29,10 @@ internal class ComputeShieldForGroupUseCase @Inject constructor(
val myIdentity = olmMachine.getIdentity(myUserId) val myIdentity = olmMachine.getIdentity(myUserId)
val allTrustedUserIds = userIds val allTrustedUserIds = userIds
.filter { userId -> .filter { userId ->
olmMachine.getIdentity(userId)?.verified() == true val identity = olmMachine.getIdentity(userId)?.toMxCrossSigningInfo()
identity?.isTrusted() == true ||
// Always take into account users that was previously verified but are not anymore
identity?.wasTrustedOnce == true
} }
return if (allTrustedUserIds.isEmpty()) { return if (allTrustedUserIds.isEmpty()) {

6
matrix-sdk-android/src/main/java/org/matrix/android/sdk/internal/crypto/GetUserIdentityUseCase.kt
View file

@ -66,7 +66,8 @@ internal class GetUserIdentityUseCase @Inject constructor(
innerMachine = innerMachine, innerMachine = innerMachine,
requestSender = requestSender, requestSender = requestSender,
coroutineDispatchers = coroutineDispatchers, coroutineDispatchers = coroutineDispatchers,
verificationRequestFactory = verificationRequestFactory verificationRequestFactory = verificationRequestFactory,
hasVerificationViolation = identity.hasVerificationViolation
) )
} }
is InnerUserIdentity.Own -> { is InnerUserIdentity.Own -> {
@ -89,7 +90,8 @@ internal class GetUserIdentityUseCase @Inject constructor(
innerMachine = innerMachine, innerMachine = innerMachine,
requestSender = requestSender, requestSender = requestSender,
coroutineDispatchers = coroutineDispatchers, coroutineDispatchers = coroutineDispatchers,
verificationRequestFactory = verificationRequestFactory verificationRequestFactory = verificationRequestFactory,
hasVerificationViolation = identity.hasVerificationViolation
) )
} }
null -> null null -> null

9
matrix-sdk-android/src/main/java/org/matrix/android/sdk/internal/crypto/OlmMachine.kt
View file

@ -84,7 +84,9 @@ import org.matrix.rustcomponents.sdk.crypto.ShieldState
import org.matrix.rustcomponents.sdk.crypto.SignatureVerification import org.matrix.rustcomponents.sdk.crypto.SignatureVerification
import org.matrix.rustcomponents.sdk.crypto.setLogger import org.matrix.rustcomponents.sdk.crypto.setLogger
import timber.log.Timber import timber.log.Timber
import uniffi.matrix_sdk_crypto.DecryptionSettings
import uniffi.matrix_sdk_crypto.LocalTrust import uniffi.matrix_sdk_crypto.LocalTrust
import uniffi.matrix_sdk_crypto.TrustRequirement
import java.io.File import java.io.File
import java.nio.charset.Charset import java.nio.charset.Charset
import javax.inject.Inject import javax.inject.Inject
@ -450,7 +452,12 @@ internal class OlmMachine @Inject constructor(
} }
val serializedEvent = adapter.toJson(event) val serializedEvent = adapter.toJson(event)
val decrypted = inner.decryptRoomEvent(serializedEvent, event.roomId, false, false) val decrypted = inner.decryptRoomEvent(
serializedEvent, event.roomId,
handleVerificationEvents = false,
strictShields = false,
decryptionSettings = DecryptionSettings(TrustRequirement.UNTRUSTED)
)
val deserializationAdapter = val deserializationAdapter =
moshi.adapter<JsonDict>(Map::class.java) moshi.adapter<JsonDict>(Map::class.java)

2
matrix-sdk-android/src/main/java/org/matrix/android/sdk/internal/crypto/RustCrossSigningService.kt
View file

@ -58,7 +58,7 @@ internal class RustCrossSigningService @Inject constructor(
* Checks that my trusted user key has signed the other user UserKey * Checks that my trusted user key has signed the other user UserKey
*/ */
override suspend fun checkUserTrust(otherUserId: String): UserTrustResult { override suspend fun checkUserTrust(otherUserId: String): UserTrustResult {
val identity = olmMachine.getIdentity(olmMachine.userId()) val identity = olmMachine.getIdentity(otherUserId)
// While UserTrustResult has many different states, they are by the callers // While UserTrustResult has many different states, they are by the callers
// converted to a boolean value immediately, thus we don't need to support // converted to a boolean value immediately, thus we don't need to support

8
matrix-sdk-android/src/main/java/org/matrix/android/sdk/internal/crypto/UserIdentities.kt
View file

@ -85,6 +85,7 @@ internal class OwnUserIdentity(
private val requestSender: RequestSender, private val requestSender: RequestSender,
private val coroutineDispatchers: MatrixCoroutineDispatchers, private val coroutineDispatchers: MatrixCoroutineDispatchers,
private val verificationRequestFactory: VerificationRequest.Factory, private val verificationRequestFactory: VerificationRequest.Factory,
private val hasVerificationViolation: Boolean
) : UserIdentities() { ) : UserIdentities() {
/** /**
* Our own user id. * Our own user id.
@ -157,8 +158,7 @@ internal class OwnUserIdentity(
userSigningKey.trustLevel = trustLevel userSigningKey.trustLevel = trustLevel
val crossSigningKeys = listOf(masterKey, selfSigningKey, userSigningKey) val crossSigningKeys = listOf(masterKey, selfSigningKey, userSigningKey)
// TODO https://github.com/matrix-org/matrix-rust-sdk/issues/1129 return MXCrossSigningInfo(userId, crossSigningKeys, hasVerificationViolation)
return MXCrossSigningInfo(userId, crossSigningKeys, false)
} }
} }
@ -175,6 +175,7 @@ internal class UserIdentity(
private val requestSender: RequestSender, private val requestSender: RequestSender,
private val coroutineDispatchers: MatrixCoroutineDispatchers, private val coroutineDispatchers: MatrixCoroutineDispatchers,
private val verificationRequestFactory: VerificationRequest.Factory, private val verificationRequestFactory: VerificationRequest.Factory,
private val hasVerificationViolation: Boolean
) : UserIdentities() { ) : UserIdentities() {
/** /**
* The unique ID of the user that this identity belongs to. * The unique ID of the user that this identity belongs to.
@ -256,8 +257,7 @@ internal class UserIdentity(
masterKey.also { it.trustLevel = trustLevel }, masterKey.also { it.trustLevel = trustLevel },
selfSigningKey.also { it.trustLevel = trustLevel }, selfSigningKey.also { it.trustLevel = trustLevel },
), ),
// TODO https://github.com/matrix-org/matrix-rust-sdk/issues/1129 wasTrustedOnce = hasVerificationViolation
wasTrustedOnce = false
) )
} }
} }