test(crypto): Regresion test for #5613

Add a test to ensure that history-sharing still works when "exclude insecure
devices" is enabled.

Author: richvdh

crates/matrix-sdk/src/room/shared_room_history.rs

@@ -132,6 +132,9 @@ pub(crate) async fn maybe_accept_key_bundle(room: &Room, inviter: &UserId) -> Re
 
     // Ensure that we get a fresh list of devices for the inviter, in case we need
     // to recalculate the `SenderData`.
+    // XXX: is this necessary, given (with exclude-insecure-devices), we should have
+    // checked that the inviter device was cross-signed when we received the
+    // to-device message?
     let (req_id, request) =
         olm_machine.query_keys_for_users(iter::once(bundle_info.sender_user.as_ref()));
 

testing/matrix-sdk-integration-testing/src/helpers.rs

@@ -12,6 +12,7 @@ use assign::assign;
 use matrix_sdk::{
     Client, ClientBuilder, Room,
     config::{RequestConfig, SyncSettings},
+    crypto::{CollectStrategy, DecryptionSettings},
     encryption::EncryptionSettings,
     ruma::{
         RoomId,
@@ -22,6 +23,7 @@ use matrix_sdk::{
     sync::SyncResponse,
     timeout::ElapsedError,
 };
+use matrix_sdk_base::crypto::TrustRequirement;
 use once_cell::sync::Lazy;
 use rand::Rng as _;
 use tempfile::{TempDir, tempdir};
@@ -39,6 +41,8 @@ enum SqlitePath {
 pub struct TestClientBuilder {
     username: String,
     use_sqlite_dir: Option<SqlitePath>,
+    decryption_settings: Option<DecryptionSettings>,
+    room_key_recipient_strategy: CollectStrategy,
     encryption_settings: EncryptionSettings,
     enable_share_history_on_invite: bool,
     http_proxy: Option<String>,
@@ -56,7 +60,9 @@ impl TestClientBuilder {
         Self {
             username,
             use_sqlite_dir: None,
+            decryption_settings: None,
             encryption_settings: Default::default(),
+            room_key_recipient_strategy: Default::default(),
             enable_share_history_on_invite: false,
             http_proxy: None,
             cross_process_store_locks_holder_name: None,
@@ -87,6 +93,21 @@ impl TestClientBuilder {
         self
     }
 
+    /// Simulate the behaviour of the clients when the "exclude insecure
+    /// devices" (MSC4153) labs flag is enabled.
+    pub fn exclude_insecure_devices(mut self, exclude_insecure_devices: bool) -> Self {
+        let (sender_device_trust_requirement, room_key_recipient_strategy) =
+            if exclude_insecure_devices {
+                (TrustRequirement::CrossSignedOrLegacy, CollectStrategy::IdentityBasedStrategy)
+            } else {
+                (TrustRequirement::Untrusted, CollectStrategy::AllDevices)
+            };
+        self.decryption_settings = Some(DecryptionSettings { sender_device_trust_requirement });
+        self.room_key_recipient_strategy = room_key_recipient_strategy;
+
+        self
+    }
+
     pub fn http_proxy(mut self, url: String) -> Self {
         self.http_proxy = Some(url);
         self
@@ -106,9 +127,14 @@ impl TestClientBuilder {
             .homeserver_url(homeserver_url)
             .sliding_sync_version_builder(VersionBuilder::Native)
             .with_encryption_settings(self.encryption_settings)
+            .with_room_key_recipient_strategy(self.room_key_recipient_strategy.clone())
             .with_enable_share_history_on_invite(self.enable_share_history_on_invite)
             .request_config(RequestConfig::short_retry());
 
+        if let Some(decryption_settings) = &self.decryption_settings {
+            client_builder = client_builder.with_decryption_settings(decryption_settings.clone())
+        }
+
         if let Some(holder_name) = &self.cross_process_store_locks_holder_name {
             client_builder =
                 client_builder.cross_process_store_locks_holder_name(holder_name.clone());

testing/matrix-sdk-integration-testing/src/tests/e2ee/shared_history.rs

@@ -26,8 +26,26 @@ use crate::helpers::{SyncTokenAwareClient, TestClientBuilder, wait_for_room};
 
 /// When we invite another user to a room with "joined" history visibility, we
 /// share the encryption history.
+///
+/// Pre-"exclude insecure devices" test variant.
 #[tokio::test(flavor = "multi_thread", worker_threads = 4)]
 async fn test_history_share_on_invite() -> Result<()> {
+    test_history_share_on_invite_helper(false).await
+}
+
+/// When we invite another user to a room with "joined" history visibility, we
+/// share the encryption history, even when "exclude insecure devices" is
+/// enabled.
+///
+/// Regression test for https://github.com/matrix-org/matrix-rust-sdk/issues/5613
+#[tokio::test(flavor = "multi_thread", worker_threads = 4)]
+async fn test_history_share_on_invite_exclude_insecure_devices() -> Result<()> {
+    test_history_share_on_invite_helper(true).await
+}
+
+/// Common implementation for [`test_history_share_on_invite`] and
+/// [`test_history_share_on_invite_exclude_insecure_devices].
+async fn test_history_share_on_invite_helper(exclude_insecure_devices: bool) -> Result<()> {
     let alice_span = tracing::info_span!("alice");
     let bob_span = tracing::info_span!("bob");
 
@@ -38,6 +56,7 @@ async fn test_history_share_on_invite() -> Result<()> {
         .use_sqlite()
         .encryption_settings(encryption_settings)
         .enable_share_history_on_invite(true)
+        .exclude_insecure_devices(exclude_insecure_devices)
         .build()
         .await?;
 
@@ -55,6 +74,7 @@ async fn test_history_share_on_invite() -> Result<()> {
         TestClientBuilder::new("bob")
             .encryption_settings(encryption_settings)
             .enable_share_history_on_invite(true)
+            .exclude_insecure_devices(exclude_insecure_devices)
             .build()
             .await?,
     );
@@ -86,8 +106,18 @@ async fn test_history_share_on_invite() -> Result<()> {
     alice_room.invite_user_by_id(bob.user_id().unwrap()).await?;
 
     // Alice is done. Bob has been invited and the room key bundle should have been
-    // sent out. Let's stop syncing so the logs contain less noise.
+    // sent out. Let's log her out, so we know that this feature works even when the
+    // sender device has been deleted (and to reduce the amount of noise in the
+    // logs).
     alice_sync_service.stop().await;
+    alice.logout().instrument(alice_span.clone()).await?;
+
+    // Workaround for https://github.com/matrix-org/matrix-rust-sdk/issues/5770: Bob needs a copy of
+    // Alice's identity.
+    bob.encryption()
+        .request_user_identity(alice.user_id().unwrap())
+        .instrument(bob_span.clone())
+        .await?;
 
     let bob_response = bob.sync_once().instrument(bob_span.clone()).await?;