feat(sdk): condition encryption on room settings

kaylendog · kaylendog · commit 42bada04e9dc · 2025-08-04T12:41:53.000+01:00
Signed-off-by: Skye Elliot &lt;actuallyori@gmail.com&gt;
diff --git a/crates/matrix-sdk-crypto/src/machine/mod.rs b/crates/matrix-sdk-crypto/src/machine/mod.rs
@@ -45,6 +45,7 @@ use ruma::{
     },
     assign,
     events::{
+        room::encrypted::unstable_state::StateRoomEncryptedEventContent,
         secret::request::SecretName, AnyMessageLikeEvent, AnyMessageLikeEventContent,
         AnyStateEventContent, AnyToDeviceEvent, MessageLikeEventContent, StateEventContent,
     },
@@ -1117,7 +1118,7 @@ impl OlmMachine {
         room_id: &RoomId,
         content: C,
         state_key: K,
-    ) -> MegolmResult<Raw<RoomEncryptedEventContent>>
+    ) -> MegolmResult<Raw<StateRoomEncryptedEventContent>>
     where
         C: StateEventContent,
         C::StateKey: Borrow<K>,
@@ -1149,7 +1150,7 @@ impl OlmMachine {
         event_type: &str,
         state_key: &str,
         content: &Raw<AnyStateEventContent>,
-    ) -> MegolmResult<Raw<RoomEncryptedEventContent>> {
+    ) -> MegolmResult<Raw<StateRoomEncryptedEventContent>> {
         self.inner
             .group_session_manager
             .encrypt_state(room_id, event_type, state_key, content)
diff --git a/crates/matrix-sdk-crypto/src/machine/tests/room_settings.rs b/crates/matrix-sdk-crypto/src/machine/tests/room_settings.rs
@@ -23,6 +23,7 @@ async fn test_stores_and_returns_room_settings() {
 
     let settings = RoomSettings {
         algorithm: EventEncryptionAlgorithm::MegolmV1AesSha2,
+        encrypt_state_events: false,
         only_allow_trusted_devices: true,
         session_rotation_period: Some(Duration::from_secs(10)),
         session_rotation_period_messages: Some(1234),
diff --git a/crates/matrix-sdk-crypto/src/olm/group_sessions/outbound.rs b/crates/matrix-sdk-crypto/src/olm/group_sessions/outbound.rs
@@ -27,7 +27,10 @@ use std::{
 use matrix_sdk_common::{deserialized_responses::WithheldCode, locks::RwLock as StdRwLock};
 use ruma::{
     events::{
-        room::{encryption::RoomEncryptionEventContent, history_visibility::HistoryVisibility},
+        room::{
+            encrypted::unstable_state::StateRoomEncryptedEventContent,
+            encryption::RoomEncryptionEventContent, history_visibility::HistoryVisibility,
+        },
         AnyMessageLikeEventContent, AnyStateEventContent,
     },
     serde::Raw,
@@ -543,7 +546,7 @@ impl OutboundGroupSession {
         event_type: &str,
         state_key: &str,
         content: &Raw<AnyStateEventContent>,
-    ) -> Raw<RoomEncryptedEventContent> {
+    ) -> Raw<StateRoomEncryptedEventContent> {
         #[derive(Serialize)]
         struct Payload<'a> {
             #[serde(rename = "type")]
@@ -557,10 +560,6 @@ impl OutboundGroupSession {
         let payload_json =
             serde_json::to_string(&payload).expect("payload serialization never fails");
 
-        let relates_to = content
-            .get_field::<serde_json::Value>("m.relates_to")
-            .expect("serde_json::Value deserialization with valid JSON input never fails");
-
         let ciphertext = self.encrypt_helper(payload_json).await;
         let scheme: RoomEventEncryptionScheme = match self.settings.algorithm {
             EventEncryptionAlgorithm::MegolmV1AesSha2 => MegolmV1AesSha2Content {
@@ -580,9 +579,12 @@ impl OutboundGroupSession {
             ),
         };
 
-        let content = RoomEncryptedEventContent { scheme, relates_to, other: Default::default() };
+        let content =
+            RoomEncryptedEventContent { scheme, relates_to: None, other: Default::default() };
 
-        Raw::new(&content).expect("m.room.encrypted event content can always be serialized")
+        Raw::new(&content)
+            .expect("m.room.encrypted event content can always be serialized")
+            .cast_unchecked()
     }
 
     fn elapsed(&self) -> bool {
diff --git a/crates/matrix-sdk-crypto/src/session_manager/group_sessions/mod.rs b/crates/matrix-sdk-crypto/src/session_manager/group_sessions/mod.rs
@@ -29,6 +29,7 @@ use matrix_sdk_common::{
 };
 use ruma::{
     events::{
+        room::encrypted::unstable_state::StateRoomEncryptedEventContent,
         AnyMessageLikeEventContent, AnyStateEventContent, AnyToDeviceEventContent,
         ToDeviceEventType,
     },
@@ -233,7 +234,7 @@ impl GroupSessionManager {
         event_type: &str,
         state_key: &str,
         content: &Raw<AnyStateEventContent>,
-    ) -> MegolmResult<Raw<RoomEncryptedEventContent>> {
+    ) -> MegolmResult<Raw<StateRoomEncryptedEventContent>> {
         let session =
             self.sessions.get_or_load(room_id).await.expect("Session wasn't created nor shared");
 
diff --git a/crates/matrix-sdk-crypto/src/store/integration_tests.rs b/crates/matrix-sdk-crypto/src/store/integration_tests.rs
@@ -1163,6 +1163,7 @@ macro_rules! cryptostore_integration_tests {
                 let room_1 = room_id!("!test_1:localhost");
                 let settings_1 = RoomSettings {
                     algorithm: EventEncryptionAlgorithm::MegolmV1AesSha2,
+                    encrypt_state_events: true,
                     only_allow_trusted_devices: true,
                     session_rotation_period: Some(Duration::from_secs(10)),
                     session_rotation_period_messages: Some(123),
diff --git a/crates/matrix-sdk-crypto/src/store/types.rs b/crates/matrix-sdk-crypto/src/store/types.rs
@@ -411,6 +411,9 @@ pub struct RoomSettings {
     /// The encryption algorithm that should be used in the room.
     pub algorithm: EventEncryptionAlgorithm,
 
+    /// Whether this room supports encrypted state events.
+    pub encrypt_state_events: bool,
+
     /// Should untrusted devices receive the room key, or should they be
     /// excluded from the conversation.
     pub only_allow_trusted_devices: bool,
@@ -428,6 +431,7 @@ impl Default for RoomSettings {
     fn default() -> Self {
         Self {
             algorithm: EventEncryptionAlgorithm::MegolmV1AesSha2,
+            encrypt_state_events: false,
             only_allow_trusted_devices: false,
             session_rotation_period: None,
             session_rotation_period_messages: None,
diff --git a/crates/matrix-sdk/src/room/futures.rs b/crates/matrix-sdk/src/room/futures.rs
@@ -405,6 +405,41 @@ impl<'a> SendStateEventRaw<'a> {
         self.request_config = Some(request_config);
         self
     }
+
+    /// Returns `true` if the inner event should be encrypted.
+    async fn should_encrypt(room: &Room, event_type: &str) -> bool {
+        let olm = room.client.olm_machine().await;
+        let olm = olm.as_ref().expect("Olm machine was not started.");
+
+        // Lookup room settings and check encryptiong state.
+        let Ok(Some(settings)) = olm.room_settings(room.room_id()).await else {
+            trace!("Sending plaintext event as the room is NOT encrypted.");
+            return false;
+        };
+        if !settings.encrypt_state_events {
+            trace!("Sending plaintext event as the room does NOT support encrypted state events.");
+            return false;
+        }
+
+        // Check the event is not critical.
+        if matches!(
+            event_type,
+            "m.room.create"
+                | "m.room.member"
+                | "m.room.join_rules"
+                | "m.room.power_levels"
+                | "m.room.third_party_invite"
+                | "m.room.history_visibility"
+                | "m.room.guest_access"
+                | "m.room.encryption"
+                | "m.space.child"
+                | "m.space.parent"
+        ) {
+            return false;
+        }
+
+        true
+    }
 }
 
 impl<'a> IntoFuture for SendStateEventRaw<'a> {
@@ -420,47 +455,32 @@ impl<'a> IntoFuture for SendStateEventRaw<'a> {
             let mut state_key = state_key.to_owned();
 
             #[cfg(feature = "e2e-encryption")]
-            if room.latest_encryption_state().await?.is_state_encrypted() {
-                if matches!(
-                    event_type,
-                    "m.room.create"
-                        | "m.room.member"
-                        | "m.room.join_rules"
-                        | "m.room.power_levels"
-                        | "m.room.third_party_invite"
-                        | "m.room.history_visibility"
-                        | "m.room.guest_access"
-                        | "m.room.encryption"
-                        | "m.space.child"
-                        | "m.space.parent"
-                ) {
-                    trace!("Sending plaintext event because of the event type.");
-                } else {
-                    trace!(
-                        room_id = ?room.room_id(),
-                        "Sending encrypted event because the room is encrypted.",
-                    );
+            if Self::should_encrypt(room, event_type).await {
+                Span::current().record("is_room_encrypted", true);
+                trace!(
+                    room_id = ?room.room_id(),
+                    "Sending encrypted event because the room is encrypted.",
+                );
 
-                    if !room.are_members_synced() {
-                        room.sync_members().await?;
-                    }
+                if !room.are_members_synced() {
+                    room.sync_members().await?;
+                }
 
-                    room.query_keys_for_untracked_or_dirty_users().await?;
-                    room.preshare_room_key().await?;
+                room.query_keys_for_untracked_or_dirty_users().await?;
+                room.preshare_room_key().await?;
 
-                    let olm = room.client.olm_machine().await;
-                    let olm = olm.as_ref().expect("Olm machine wasn't started");
+                let olm = room.client.olm_machine().await;
+                let olm = olm.as_ref().expect("Olm machine wasn't started");
 
-                    content = olm
-                        .encrypt_state_event_raw(room.room_id(), event_type, &state_key, &content)
-                        .await?
-                        .cast_unchecked();
-                    state_key = format!("{event_type}:{state_key}");
-                    event_type = "m.room.encrypted";
-                }
+                content = olm
+                    .encrypt_state_event_raw(room.room_id(), event_type, &state_key, &content)
+                    .await?
+                    .cast_unchecked();
+
+                state_key = format!("{event_type}:{state_key}");
+                event_type = "m.room.encrypted";
             } else {
                 Span::current().record("is_room_encrypted", false);
-                trace!("Sending plaintext event because the room is NOT encrypted.");
             }
 
             let request = send_state_event::v3::Request::new_raw(
