@unwanted/matrix-sdk-mini 34.12.0-2 → 34.12.0-3

package/src/rust-crypto/CrossSigningIdentity.ts

@@ -1,183 +0,0 @@
-/*
-Copyright 2023 The Matrix.org Foundation C.I.C.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-import { OlmMachine, CrossSigningStatus, CrossSigningBootstrapRequests } from "@matrix-org/matrix-sdk-crypto-wasm";
-import * as RustSdkCryptoJs from "@matrix-org/matrix-sdk-crypto-wasm";
-
-import { BootstrapCrossSigningOpts } from "../crypto-api/index.ts";
-import { logger } from "../logger.ts";
-import { OutgoingRequestProcessor } from "./OutgoingRequestProcessor.ts";
-import { UIAuthCallback } from "../interactive-auth.ts";
-import { ServerSideSecretStorage } from "../secret-storage.ts";
-
-/** Manages the cross-signing keys for our own user.
- *
- * @internal
- */
-export class CrossSigningIdentity {
-    public constructor(
-        private readonly olmMachine: OlmMachine,
-        private readonly outgoingRequestProcessor: OutgoingRequestProcessor,
-        private readonly secretStorage: ServerSideSecretStorage,
-    ) {}
-
-    /**
-     * Initialise our cross-signing keys by creating new keys if they do not exist, and uploading to the server
-     */
-    public async bootstrapCrossSigning(opts: BootstrapCrossSigningOpts): Promise<void> {
-        if (opts.setupNewCrossSigning) {
-            await this.resetCrossSigning(opts.authUploadDeviceSigningKeys);
-            return;
-        }
-
-        const olmDeviceStatus: CrossSigningStatus = await this.olmMachine.crossSigningStatus();
-
-        // Try to fetch cross signing keys from the secret storage
-        const masterKeyFromSecretStorage = await this.secretStorage.get("m.cross_signing.master");
-        const selfSigningKeyFromSecretStorage = await this.secretStorage.get("m.cross_signing.self_signing");
-        const userSigningKeyFromSecretStorage = await this.secretStorage.get("m.cross_signing.user_signing");
-        const privateKeysInSecretStorage = Boolean(
-            masterKeyFromSecretStorage && selfSigningKeyFromSecretStorage && userSigningKeyFromSecretStorage,
-        );
-
-        const olmDeviceHasKeys =
-            olmDeviceStatus.hasMaster && olmDeviceStatus.hasUserSigning && olmDeviceStatus.hasSelfSigning;
-
-        // Log all relevant state for easier parsing of debug logs.
-        logger.log("bootstrapCrossSigning: starting", {
-            setupNewCrossSigning: opts.setupNewCrossSigning,
-            olmDeviceHasMaster: olmDeviceStatus.hasMaster,
-            olmDeviceHasUserSigning: olmDeviceStatus.hasUserSigning,
-            olmDeviceHasSelfSigning: olmDeviceStatus.hasSelfSigning,
-            privateKeysInSecretStorage,
-        });
-
-        if (olmDeviceHasKeys) {
-            if (!(await this.secretStorage.hasKey())) {
-                logger.warn(
-                    "bootstrapCrossSigning: Olm device has private keys, but secret storage is not yet set up; doing nothing for now.",
-                );
-                // the keys should get uploaded to 4S once that is set up.
-            } else if (!privateKeysInSecretStorage) {
-                // the device has the keys but they are not in 4S, so update it
-                logger.log("bootstrapCrossSigning: Olm device has private keys: exporting to secret storage");
-                await this.exportCrossSigningKeysToStorage();
-            } else {
-                logger.log(
-                    "bootstrapCrossSigning: Olm device has private keys and they are saved in secret storage; doing nothing",
-                );
-            }
-        } /* (!olmDeviceHasKeys) */ else {
-            if (privateKeysInSecretStorage) {
-                // they are in 4S, so import from there
-                logger.log(
-                    "bootstrapCrossSigning: Cross-signing private keys not found locally, but they are available " +
-                        "in secret storage, reading storage and caching locally",
-                );
-                await this.olmMachine.importCrossSigningKeys(
-                    masterKeyFromSecretStorage,
-                    selfSigningKeyFromSecretStorage,
-                    userSigningKeyFromSecretStorage,
-                );
-
-                // Get the current device
-                const device: RustSdkCryptoJs.Device = await this.olmMachine.getDevice(
-                    this.olmMachine.userId,
-                    this.olmMachine.deviceId,
-                );
-                try {
-                    // Sign the device with our cross-signing key and upload the signature
-                    const request: RustSdkCryptoJs.SignatureUploadRequest = await device.verify();
-                    await this.outgoingRequestProcessor.makeOutgoingRequest(request);
-                } finally {
-                    device.free();
-                }
-            } else {
-                logger.log(
-                    "bootstrapCrossSigning: Cross-signing private keys not found locally or in secret storage, creating new keys",
-                );
-                await this.resetCrossSigning(opts.authUploadDeviceSigningKeys);
-            }
-        }
-
-        // TODO: we might previously have bootstrapped cross-signing but not completed uploading the keys to the
-        //   server -- in which case we should call OlmDevice.bootstrap_cross_signing. How do we know?
-        logger.log("bootstrapCrossSigning: complete");
-    }
-
-    /** Reset our cross-signing keys
-     *
-     * This method will:
-     *   * Tell the OlmMachine to create new keys
-     *   * Upload the new public keys and the device signature to the server
-     *   * Upload the private keys to SSSS, if it is set up
-     */
-    private async resetCrossSigning(authUploadDeviceSigningKeys?: UIAuthCallback<void>): Promise<void> {
-        // XXX: We must find a way to make this atomic, currently if the user does not remember his account password
-        // or 4S passphrase/key the process will fail in a bad state, with keys rotated but not uploaded or saved in 4S.
-        const outgoingRequests: CrossSigningBootstrapRequests = await this.olmMachine.bootstrapCrossSigning(true);
-
-        // If 4S is configured we need to update it.
-        if (!(await this.secretStorage.hasKey())) {
-            logger.warn(
-                "resetCrossSigning: Secret storage is not yet set up; not exporting keys to secret storage yet.",
-            );
-            // the keys should get uploaded to 4S once that is set up.
-        } else {
-            // Update 4S before uploading cross-signing keys, to stay consistent with legacy that asks
-            // 4S passphrase before asking for account password.
-            // Ultimately should be made atomic and resistant to forgotten password/passphrase.
-            logger.log("resetCrossSigning: exporting private keys to secret storage");
-            await this.exportCrossSigningKeysToStorage();
-        }
-
-        logger.log("resetCrossSigning: publishing public keys to server");
-        for (const req of [
-            outgoingRequests.uploadKeysRequest,
-            outgoingRequests.uploadSigningKeysRequest,
-            outgoingRequests.uploadSignaturesRequest,
-        ]) {
-            if (req) {
-                await this.outgoingRequestProcessor.makeOutgoingRequest(req, authUploadDeviceSigningKeys);
-            }
-        }
-    }
-
-    /**
-     * Extract the cross-signing keys from the olm machine and save them to secret storage, if it is configured
-     *
-     * (If secret storage is *not* configured, we assume that the export will happen when it is set up)
-     */
-    private async exportCrossSigningKeysToStorage(): Promise<void> {
-        const exported: RustSdkCryptoJs.CrossSigningKeyExport | null = await this.olmMachine.exportCrossSigningKeys();
-        /* istanbul ignore else (this function is only called when we know the olm machine has keys) */
-        if (exported?.masterKey) {
-            await this.secretStorage.store("m.cross_signing.master", exported.masterKey);
-        } else {
-            logger.error(`Cannot export MSK to secret storage, private key unknown`);
-        }
-        if (exported?.self_signing_key) {
-            await this.secretStorage.store("m.cross_signing.self_signing", exported.self_signing_key);
-        } else {
-            logger.error(`Cannot export SSK to secret storage, private key unknown`);
-        }
-        if (exported?.userSigningKey) {
-            await this.secretStorage.store("m.cross_signing.user_signing", exported.userSigningKey);
-        } else {
-            logger.error(`Cannot export USK to secret storage, private key unknown`);
-        }
-    }
-}

package/src/rust-crypto/DehydratedDeviceManager.ts

@@ -1,306 +0,0 @@
-/*
-Copyright 2024 The Matrix.org Foundation C.I.C.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-import * as RustSdkCryptoJs from "@matrix-org/matrix-sdk-crypto-wasm";
-
-import { OutgoingRequestProcessor } from "./OutgoingRequestProcessor.ts";
-import { encodeUri } from "../utils.ts";
-import { IHttpOpts, MatrixError, MatrixHttpApi, Method } from "../http-api/index.ts";
-import { IToDeviceEvent } from "../sync-accumulator.ts";
-import { ServerSideSecretStorage } from "../secret-storage.ts";
-import { decodeBase64, encodeUnpaddedBase64 } from "../base64.ts";
-import { Logger } from "../logger.ts";
-
-/**
- * The response body of `GET /_matrix/client/unstable/org.matrix.msc3814.v1/dehydrated_device`.
- */
-interface DehydratedDeviceResp {
-    device_id: string;
-    device_data: {
-        algorithm: string;
-    };
-}
-/**
- * The response body of `POST /_matrix/client/unstable/org.matrix.msc3814.v1/dehydrated_device/events`.
- */
-interface DehydratedDeviceEventsResp {
-    events: IToDeviceEvent[];
-    next_batch: string;
-}
-
-/**
- * The unstable URL prefix for dehydrated device endpoints
- */
-export const UnstablePrefix = "/_matrix/client/unstable/org.matrix.msc3814.v1";
-/**
- * The name used for the dehydration key in Secret Storage
- */
-const SECRET_STORAGE_NAME = "org.matrix.msc3814";
-
-/**
- * The interval between creating dehydrated devices. (one week)
- */
-const DEHYDRATION_INTERVAL = 7 * 24 * 60 * 60 * 1000;
-
-/**
- * Manages dehydrated devices
- *
- * We have one of these per `RustCrypto`.  It's responsible for
- *
- * * determining server support for dehydrated devices
- * * creating new dehydrated devices when requested, including periodically
- *   replacing the dehydrated device with a new one
- * * rehydrating a device when requested, and when present
- *
- * @internal
- */
-export class DehydratedDeviceManager {
-    /** the secret key used for dehydrating and rehydrating */
-    private key?: Uint8Array;
-    /** the ID of the interval for periodically replacing the dehydrated device */
-    private intervalId?: ReturnType<typeof setInterval>;
-
-    public constructor(
-        private readonly logger: Logger,
-        private readonly olmMachine: RustSdkCryptoJs.OlmMachine,
-        private readonly http: MatrixHttpApi<IHttpOpts & { onlyData: true }>,
-        private readonly outgoingRequestProcessor: OutgoingRequestProcessor,
-        private readonly secretStorage: ServerSideSecretStorage,
-    ) {}
-
-    /**
-     * Return whether the server supports dehydrated devices.
-     */
-    public async isSupported(): Promise<boolean> {
-        // call the endpoint to get a dehydrated device.  If it returns an
-        // M_UNRECOGNIZED error, then dehydration is unsupported.  If it returns
-        // a successful response, or an M_NOT_FOUND, then dehydration is supported.
-        // Any other exceptions are passed through.
-        try {
-            await this.http.authedRequest<DehydratedDeviceResp>(
-                Method.Get,
-                "/dehydrated_device",
-                undefined,
-                undefined,
-                {
-                    prefix: UnstablePrefix,
-                },
-            );
-        } catch (error) {
-            const err = error as MatrixError;
-            if (err.errcode === "M_UNRECOGNIZED") {
-                return false;
-            } else if (err.errcode === "M_NOT_FOUND") {
-                return true;
-            }
-            throw error;
-        }
-        return true;
-    }
-
-    /**
-     * Start using device dehydration.
-     *
-     * - Rehydrates a dehydrated device, if one is available.
-     * - Creates a new dehydration key, if necessary, and stores it in Secret
-     *   Storage.
-     *   - If `createNewKey` is set to true, always creates a new key.
-     *   - If a dehydration key is not available, creates a new one.
-     * - Creates a new dehydrated device, and schedules periodically creating
-     *   new dehydrated devices.
-     *
-     * @param createNewKey - whether to force creation of a new dehydration key.
-     *   This can be used, for example, if Secret Storage is being reset.
-     */
-    public async start(createNewKey?: boolean): Promise<void> {
-        this.stop();
-        try {
-            await this.rehydrateDeviceIfAvailable();
-        } catch (e) {
-            // If rehydration fails, there isn't much we can do about it.  Log
-            // the error, and create a new device.
-            this.logger.info("dehydration: Error rehydrating device:", e);
-        }
-        if (createNewKey) {
-            await this.resetKey();
-        }
-        await this.scheduleDeviceDehydration();
-    }
-
-    /**
-     * Return whether the dehydration key is stored in Secret Storage.
-     */
-    public async isKeyStored(): Promise<boolean> {
-        return Boolean(await this.secretStorage.isStored(SECRET_STORAGE_NAME));
-    }
-
-    /**
-     * Reset the dehydration key.
-     *
-     * Creates a new key and stores it in secret storage.
-     */
-    public async resetKey(): Promise<void> {
-        const key = new Uint8Array(32);
-        globalThis.crypto.getRandomValues(key);
-        await this.secretStorage.store(SECRET_STORAGE_NAME, encodeUnpaddedBase64(key));
-        this.key = key;
-    }
-
-    /**
-     * Get and cache the encryption key from secret storage.
-     *
-     * If `create` is `true`, creates a new key if no existing key is present.
-     *
-     * @returns the key, if available, or `null` if no key is available
-     */
-    private async getKey(create: boolean): Promise<Uint8Array | null> {
-        if (this.key === undefined) {
-            const keyB64 = await this.secretStorage.get(SECRET_STORAGE_NAME);
-            if (keyB64 === undefined) {
-                if (!create) {
-                    return null;
-                }
-                await this.resetKey();
-            } else {
-                this.key = decodeBase64(keyB64);
-            }
-        }
-        return this.key!;
-    }
-
-    /**
-     * Rehydrate the dehydrated device stored on the server.
-     *
-     * Checks if there is a dehydrated device on the server.  If so, rehydrates
-     * the device and processes the to-device events.
-     *
-     * Returns whether or not a dehydrated device was found.
-     */
-    public async rehydrateDeviceIfAvailable(): Promise<boolean> {
-        const key = await this.getKey(false);
-        if (!key) {
-            return false;
-        }
-
-        let dehydratedDeviceResp;
-        try {
-            dehydratedDeviceResp = await this.http.authedRequest<DehydratedDeviceResp>(
-                Method.Get,
-                "/dehydrated_device",
-                undefined,
-                undefined,
-                {
-                    prefix: UnstablePrefix,
-                },
-            );
-        } catch (error) {
-            const err = error as MatrixError;
-            // We ignore M_NOT_FOUND (there is no dehydrated device, so nothing
-            // us to do) and M_UNRECOGNIZED (the server does not understand the
-            // endpoint).  We pass through any other errors.
-            if (err.errcode === "M_NOT_FOUND" || err.errcode === "M_UNRECOGNIZED") {
-                this.logger.info("dehydration: No dehydrated device");
-                return false;
-            }
-            throw err;
-        }
-
-        this.logger.info("dehydration: dehydrated device found");
-
-        const rehydratedDevice = await this.olmMachine
-            .dehydratedDevices()
-            .rehydrate(
-                key,
-                new RustSdkCryptoJs.DeviceId(dehydratedDeviceResp.device_id),
-                JSON.stringify(dehydratedDeviceResp.device_data),
-            );
-
-        this.logger.info("dehydration: device rehydrated");
-
-        let nextBatch: string | undefined = undefined;
-        let toDeviceCount = 0;
-        let roomKeyCount = 0;
-        const path = encodeUri("/dehydrated_device/$device_id/events", {
-            $device_id: dehydratedDeviceResp.device_id,
-        });
-        // eslint-disable-next-line no-constant-condition
-        while (true) {
-            const eventResp: DehydratedDeviceEventsResp = await this.http.authedRequest<DehydratedDeviceEventsResp>(
-                Method.Post,
-                path,
-                undefined,
-                nextBatch ? { next_batch: nextBatch } : {},
-                {
-                    prefix: UnstablePrefix,
-                },
-            );
-
-            if (eventResp.events.length === 0) {
-                break;
-            }
-            toDeviceCount += eventResp.events.length;
-            nextBatch = eventResp.next_batch;
-            const roomKeyInfos = await rehydratedDevice.receiveEvents(JSON.stringify(eventResp.events));
-            roomKeyCount += roomKeyInfos.length;
-        }
-        this.logger.info(`dehydration: received ${roomKeyCount} room keys from ${toDeviceCount} to-device events`);
-
-        return true;
-    }
-
-    /**
-     * Creates and uploads a new dehydrated device.
-     *
-     * Creates and stores a new key in secret storage if none is available.
-     */
-    public async createAndUploadDehydratedDevice(): Promise<void> {
-        const key = (await this.getKey(true))!;
-
-        const dehydratedDevice = await this.olmMachine.dehydratedDevices().create();
-        const request = await dehydratedDevice.keysForUpload("Dehydrated device", key);
-
-        await this.outgoingRequestProcessor.makeOutgoingRequest(request);
-
-        this.logger.info("dehydration: uploaded device");
-    }
-
-    /**
-     * Schedule periodic creation of dehydrated devices.
-     */
-    public async scheduleDeviceDehydration(): Promise<void> {
-        // cancel any previously-scheduled tasks
-        this.stop();
-
-        await this.createAndUploadDehydratedDevice();
-        this.intervalId = setInterval(() => {
-            this.createAndUploadDehydratedDevice().catch((error) => {
-                this.logger.error("Error creating dehydrated device:", error);
-            });
-        }, DEHYDRATION_INTERVAL);
-    }
-
-    /**
-     * Stop the dehydrated device manager.
-     *
-     * Cancels any scheduled dehydration tasks.
-     */
-    public stop(): void {
-        if (this.intervalId) {
-            clearInterval(this.intervalId);
-            this.intervalId = undefined;
-        }
-    }
-}

package/src/rust-crypto/KeyClaimManager.ts

@@ -1,86 +0,0 @@
-/*
-Copyright 2023 The Matrix.org Foundation C.I.C.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-import { OlmMachine, UserId } from "@matrix-org/matrix-sdk-crypto-wasm";
-
-import { OutgoingRequestProcessor } from "./OutgoingRequestProcessor.ts";
-import { LogSpan } from "../logger.ts";
-
-/**
- * KeyClaimManager: linearises calls to OlmMachine.getMissingSessions to avoid races
- *
- * We have one of these per `RustCrypto` (and hence per `MatrixClient`).
- *
- * @internal
- */
-export class KeyClaimManager {
-    private currentClaimPromise: Promise<void>;
-    private stopped = false;
-
-    public constructor(
-        private readonly olmMachine: OlmMachine,
-        private readonly outgoingRequestProcessor: OutgoingRequestProcessor,
-    ) {
-        this.currentClaimPromise = Promise.resolve();
-    }
-
-    /**
-     * Tell the KeyClaimManager to immediately stop processing requests.
-     *
-     * Any further calls, and any still in the queue, will fail with an error.
-     */
-    public stop(): void {
-        this.stopped = true;
-    }
-
-    /**
-     * Given a list of users, attempt to ensure that we have Olm Sessions active with each of their devices
-     *
-     * If we don't have an active olm session, we will claim a one-time key and start one.
-     * @param logger - logger to use
-     * @param userList - list of userIDs to claim
-     */
-    public ensureSessionsForUsers(logger: LogSpan, userList: Array<UserId>): Promise<void> {
-        // The Rust-SDK requires that we only have one getMissingSessions process in flight at once. This little dance
-        // ensures that, by only having one call to ensureSessionsForUsersInner active at once (and making them
-        // queue up in order).
-        const prom = this.currentClaimPromise
-            .catch(() => {
-                // any errors in the previous claim will have been reported already, so there is nothing to do here.
-                // we just throw away the error and start anew.
-            })
-            .then(() => this.ensureSessionsForUsersInner(logger, userList));
-        this.currentClaimPromise = prom;
-        return prom;
-    }
-
-    private async ensureSessionsForUsersInner(logger: LogSpan, userList: Array<UserId>): Promise<void> {
-        // bail out quickly if we've been stopped.
-        if (this.stopped) {
-            throw new Error(`Cannot ensure Olm sessions: shutting down`);
-        }
-        logger.info("Checking for missing Olm sessions");
-        // By passing the userId array to rust we transfer ownership of the items to rust, causing
-        // them to be invalidated on the JS side as soon as the method is called.
-        // As we haven't created the `userList` let's clone the users, to not break the caller from re-using it.
-        const claimRequest = await this.olmMachine.getMissingSessions(userList.map((u) => u.clone()));
-        if (claimRequest) {
-            logger.info("Making /keys/claim request");
-            await this.outgoingRequestProcessor.makeOutgoingRequest(claimRequest);
-        }
-        logger.info("Olm sessions prepared");
-    }
-}