refactor: remove Idetities::ensure_distinct()

SimonThormeyer · SimonThormeyer · commit d5d6bab96bf6 · 2025-12-15T09:41:32.000+01:00
Because credentials are now always distinct.
diff --git a/crypto/src/mls/session/credential.rs b/crypto/src/mls/session/credential.rs
@@ -60,38 +60,12 @@ impl Session {
         &self,
         mut credential: Credential,
     ) -> Result<Arc<Credential>> {
-        let credential_ref = credential
+        let _credential_ref = credential
             .save(&self.crypto_provider.keystore())
             .await
             .map_err(RecursiveError::mls_credential("saving credential"))?;
 
         let guard = self.inner.upgradable_read().await;
-        let inner = guard.as_ref().ok_or(Error::MlsNotInitialized)?;
-
-        // failfast before loading the cache if we know already that this credential ref can't be added to the identity
-        // set
-        let distinct_result = inner.identities.ensure_distinct(
-            credential_ref.signature_scheme(),
-            credential_ref.r#type(),
-            credential_ref.earliest_validity(),
-        );
-        if let Err(err) = distinct_result {
-            // first clean up by removing the credential we just saved
-            // otherwise, we'll have nondeterministic results when we load
-            //
-            // TODO this depends for correctness that no two added credentials have the same keypair;
-            // if this happens for a keypair which was removed, we'll remove the (old, used) keypair
-            // and forever after be unable to mls_init on that DB due to a missing keypair for the given credential
-            // this is pointlessly difficult to check right now, but we should do a uniqueness check
-            // after WPB-20844
-            credential
-                .delete(&self.crypto_provider.keystore())
-                .await
-                .map_err(RecursiveError::mls_credential(
-                    "deleting nondistinct credential from keystore",
-                ))?;
-            return Err(err);
-        }
 
         // only upgrade to a write guard here in order to minimize the amount of time the unique lock is held
         let mut guard = async_lock::RwLockUpgradableReadGuard::upgrade(guard).await;
diff --git a/crypto/src/mls/session/identities.rs b/crypto/src/mls/session/identities.rs
@@ -94,39 +94,6 @@ impl Identities {
         self.index(signature_scheme, credential_type)?.last().cloned()
     }
 
-    /// Raise an error if the database cannot handle adding a credential with these details.
-    pub(crate) fn ensure_distinct(
-        &self,
-        signature_scheme: SignatureScheme,
-        credential_type: CredentialType,
-        earliest_validity: u64,
-    ) -> Result<()> {
-        let Some(credentials) = self.index(signature_scheme, credential_type) else {
-            return Ok(());
-        };
-
-        debug_assert!(
-            credentials.is_sorted_by_key(|credential| credential.earliest_validity),
-            "can't binary search if credentials are not sorted by validity"
-        );
-        debug_assert_eq!(
-            credentials
-                .iter()
-                .map(|credential| credential.earliest_validity)
-                .collect::<std::collections::HashSet<_>>()
-                .len(),
-            credentials.len(),
-            "credentials must be distinct by earliest validity"
-        );
-
-        match credentials.binary_search_by_key(&earliest_validity, |credential| credential.earliest_validity) {
-            // found a matching key i.e. not distinct
-            Ok(_) => Err(Error::CredentialConflict),
-            // no match i.e. distinct
-            Err(_) => Ok(()),
-        }
-    }
-
     /// Add this credential to the identities.
     ///
     /// If there already exists a credential whose signature scheme, credential type, and timestamp of creation
