crypto: Add configuration flag to enable invisible crypto (#3247)

2025-03-10 21:39:12 +00:00 · 2024-09-18 17:30:45 +02:00 · 2024-09-18 17:30:45 +02:00 · f7d878bac6
commit f7d878bac6
parent 5acfb5dd87
10 changed files with 44 additions and 27 deletions
--- a/ElementX.xcodeproj/project.pbxproj
+++ b/ElementX.xcodeproj/project.pbxproj
@ -473,7 +473,6 @@
 		6A54F52443EC52AC5CD772C0 /* JoinRoomScreen.swift in Sources */ = {isa = PBXBuildFile; fileRef = 869A8A4632E511351BFE2EC4 /* JoinRoomScreen.swift */; };
 		6AD722DD92E465E56D2885AB /* BugReportScreen.swift in Sources */ = {isa = PBXBuildFile; fileRef = BA919F521E9F0EE3638AFC85 /* BugReportScreen.swift */; };
 		6AEB650311F694A5702255C9 /* UserProfileScreenCoordinator.swift in Sources */ = {isa = PBXBuildFile; fileRef = D5B4932E4EFBC8FAC10972CD /* UserProfileScreenCoordinator.swift */; };
-		6AECC84BE14A13440120FED8 /* NSESettingsProtocol.swift in Sources */ = {isa = PBXBuildFile; fileRef = 9FB4F169D653296023ED65E6 /* NSESettingsProtocol.swift */; };
 		6B31508C6334C617360C2EAB /* RoomMemberDetailsViewModelTests.swift in Sources */ = {isa = PBXBuildFile; fileRef = EC589E641AE46EFB2962534D /* RoomMemberDetailsViewModelTests.swift */; };
 		6BAD956B909A6E29F6CC6E7C /* ButtonStyle.swift in Sources */ = {isa = PBXBuildFile; fileRef = 8CC23C63849452BC86EA2852 /* ButtonStyle.swift */; };
 		6BB6944443C421C722ED1E7D /* portrait_test_video.mp4 in Resources */ = {isa = PBXBuildFile; fileRef = F2D513D2477B57F90E98EEC0 /* portrait_test_video.mp4 */; };
@ -1874,7 +1873,6 @@
 		9F1DF3FFFE5ED2B8133F43A7 /* MessageComposer.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = MessageComposer.swift; sourceTree = "<group>"; };
 		9F40FB0A43DAECEC27C73722 /* bg */ = {isa = PBXFileReference; lastKnownFileType = text.plist.strings; name = bg; path = bg.lproj/SAS.strings; sourceTree = "<group>"; };
 		9F85164F9475FF2867F71AAA /* RoomTimelineController.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = RoomTimelineController.swift; sourceTree = "<group>"; };
-		9FB4F169D653296023ED65E6 /* NSESettingsProtocol.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = NSESettingsProtocol.swift; sourceTree = "<group>"; };
 		A00C7A331B72C0F05C00392F /* RoomScreenViewModelProtocol.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = RoomScreenViewModelProtocol.swift; sourceTree = "<group>"; };
 		A010B8EAD1A9F6B4686DF2F4 /* BlockedUsersScreenViewModel.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = BlockedUsersScreenViewModel.swift; sourceTree = "<group>"; };
 		A019A12C866D64CF072024B9 /* AppLockSetupPINScreenViewModel.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = AppLockSetupPINScreenViewModel.swift; sourceTree = "<group>"; };
@ -3467,7 +3465,6 @@
 			children = (
 				4959CECEC984B3995616F427 /* DataProtectionManager.swift */,
 				D3D455BC2423D911A62ACFB2 /* NSELogger.swift */,
-				9FB4F169D653296023ED65E6 /* NSESettingsProtocol.swift */,
 				EEAA2832D93EC7D2608703FB /* NSEUserSession.swift */,
 				49E751D7EDB6043238111D90 /* UNNotificationRequest.swift */,
 			);
@ -6021,7 +6018,6 @@
 				E2DB696117BAEABAD5718023 /* MediaSourceProxy.swift in Sources */,
 				4FC085B1E5D1EB804495E2F4 /* MockMediaProvider.swift in Sources */,
 				5455147CAC63F71E48F7D699 /* NSELogger.swift in Sources */,
-				6AECC84BE14A13440120FED8 /* NSESettingsProtocol.swift in Sources */,
 				30CC4F796B27BE8B1DFDBF5A /* NSEUserSession.swift in Sources */,
 				1D5DC685CED904386C89B7DA /* NSRegularExpresion.swift in Sources */,
 				94F0B78928E952689ACDB271 /* NetworkMonitor.swift in Sources */,
--- a/ElementX/Sources/Application/AppSettings.swift
+++ b/ElementX/Sources/Application/AppSettings.swift
@ -8,6 +8,12 @@
 import Foundation
 import SwiftUI

+// Common settings between app and NSE
+protocol CommonSettingsProtocol {
+    var logLevel: TracingConfiguration.LogLevel { get }
+    var invisibleCryptoEnabled: Bool { get }
+}
+
 /// Store Element specific app settings.
 final class AppSettings {
    private enum UserDefaultsKeys: String {
@ -37,6 +43,7 @@ final class AppSettings {
        case publicSearchEnabled
        case fuzzyRoomListSearchEnabled
        case pinningEnabled
+        case invisibleCryptoEnabled
    }
    
    private static var suiteName: String = InfoPlistReader.main.appGroupIdentifier
@ -277,4 +284,10 @@ final class AppSettings {
        
    @UserPreference(key: UserDefaultsKeys.logLevel, defaultValue: TracingConfiguration.LogLevel.info, storageType: .userDefaults(store))
    var logLevel
+    
+    /// Configuration to enable invisible crypto. In this mode only devices signed by their owner will be considered in e2ee rooms.
+    @UserPreference(key: UserDefaultsKeys.invisibleCryptoEnabled, defaultValue: false, storageType: .userDefaults(store))
+    var invisibleCryptoEnabled
 }
+
+extension AppSettings: CommonSettingsProtocol { }
--- a/ElementX/Sources/Other/Extensions/ClientBuilder.swift
+++ b/ElementX/Sources/Other/Extensions/ClientBuilder.swift
@ -14,12 +14,12 @@ extension ClientBuilder {
                            httpProxy: String? = nil,
                            slidingSync: ClientBuilderSlidingSync,
                            sessionDelegate: ClientSessionDelegate,
-                            appHooks: AppHooks) -> ClientBuilder {
+                            appHooks: AppHooks,
+                            invisibleCryptoEnabled: Bool) -> ClientBuilder {
        var builder = ClientBuilder()
            .enableCrossProcessRefreshLock(processId: InfoPlistReader.main.bundleIdentifier, sessionDelegate: sessionDelegate)
            .userAgent(userAgent: UserAgentBuilder.makeASCIIUserAgent())
            .requestConfig(config: .init(retryLimit: 0, timeout: 30000, maxConcurrentRequests: nil, retryTimeout: nil))
-            .roomKeyRecipientStrategy(strategy: .deviceBasedStrategy(onlyAllowTrustedDevices: false, errorOnVerifiedUserProblem: true))
        
        builder = switch slidingSync {
        case .restored: builder
@ -33,6 +33,12 @@ extension ClientBuilder {
                .autoEnableCrossSigning(autoEnableCrossSigning: true)
                .backupDownloadStrategy(backupDownloadStrategy: .afterDecryptionFailure)
                .autoEnableBackups(autoEnableBackups: true)
+                
+            if invisibleCryptoEnabled {
+                builder = builder.roomKeyRecipientStrategy(strategy: CollectStrategy.identityBasedStrategy)
+            } else {
+                builder = builder.roomKeyRecipientStrategy(strategy: .deviceBasedStrategy(onlyAllowTrustedDevices: false, errorOnVerifiedUserProblem: true))
+            }
        }
        
        if let httpProxy {
--- a/ElementX/Sources/Screens/Settings/DeveloperOptionsScreen/DeveloperOptionsScreenModels.swift
+++ b/ElementX/Sources/Screens/Settings/DeveloperOptionsScreen/DeveloperOptionsScreenModels.swift
@ -47,6 +47,7 @@ protocol DeveloperOptionsProtocol: AnyObject {
    var elementCallBaseURLOverride: URL? { get set }
    var fuzzyRoomListSearchEnabled: Bool { get set }
    var pinningEnabled: Bool { get set }
+    var invisibleCryptoEnabled: Bool { get set }
 }

 extension AppSettings: DeveloperOptionsProtocol { }
--- a/ElementX/Sources/Screens/Settings/DeveloperOptionsScreen/View/DeveloperOptionsScreen.swift
+++ b/ElementX/Sources/Screens/Settings/DeveloperOptionsScreen/View/DeveloperOptionsScreen.swift
@ -52,6 +52,17 @@ struct DeveloperOptionsScreen: View {
                }
            }
            
+            Section {
+                Toggle(isOn: $context.invisibleCryptoEnabled) {
+                    Text("Enabled Invisible Crypto")
+                    Text("Requires app reboot")
+                }
+            } header: {
+                Text("Trust and Decoration")
+            } footer: {
+                Text("This setting controls how end-to-end encryption (E2EE) keys are shared. Enabling it will prevent the inclusion of devices that have not been explicitly verified by their owners.")
+            }
+
            Section {
                TextField(context.viewState.elementCallBaseURL.absoluteString, text: $elementCallURLOverrideString)
                    .autocorrectionDisabled(true)
--- a/ElementX/Sources/Services/Authentication/AuthenticationClientBuilder.swift
+++ b/ElementX/Sources/Services/Authentication/AuthenticationClientBuilder.swift
@ -69,7 +69,8 @@ struct AuthenticationClientBuilder {
            .baseBuilder(httpProxy: appSettings.websiteURL.globalProxy,
                         slidingSync: slidingSync,
                         sessionDelegate: clientSessionDelegate,
-                         appHooks: appHooks)
+                         appHooks: appHooks,
+                         invisibleCryptoEnabled: appSettings.invisibleCryptoEnabled)
            .sessionPaths(dataPath: sessionDirectories.dataPath,
                          cachePath: sessionDirectories.cachePath)
            .passphrase(passphrase: passphrase)
--- a/ElementX/Sources/Services/UserSession/UserSessionStore.swift
+++ b/ElementX/Sources/Services/UserSession/UserSessionStore.swift
@ -124,7 +124,8 @@ class UserSessionStore: UserSessionStoreProtocol {
            .baseBuilder(httpProxy: URL(string: homeserverURL)?.globalProxy,
                         slidingSync: .restored,
                         sessionDelegate: keychainController,
-                         appHooks: appHooks)
+                         appHooks: appHooks,
+                         invisibleCryptoEnabled: appSettings.enableNotifications)
            .sessionPaths(dataPath: credentials.restorationToken.sessionDirectories.dataPath,
                          cachePath: credentials.restorationToken.sessionDirectories.cachePath)
            .username(username: credentials.userID)
--- a/NSE/Sources/NotificationServiceExtension.swift
+++ b/NSE/Sources/NotificationServiceExtension.swift
@ -32,7 +32,7 @@ import UserNotifications
 // We keep a global `environment` singleton to ensure that our app context,
 // database, logging, etc. are only ever setup once per *process*

-private let settings: NSESettingsProtocol = AppSettings()
+private let settings: CommonSettingsProtocol = AppSettings()
 private let notificationContentBuilder = NotificationContentBuilder(messageEventStringBuilder: RoomMessageEventStringBuilder(attributedStringBuilder: AttributedStringBuilder(mentionBuilder: PlainMentionBuilder()), prefix: .none))
 private let keychainController = KeychainController(service: .sessions,
                                                    accessGroup: InfoPlistReader.main.keychainAccessGroupIdentifier)
@ -81,7 +81,8 @@ class NotificationServiceExtension: UNNotificationServiceExtension {
                    do {
                        Self.userSession = try await NSEUserSession(credentials: credentials,
                                                                    clientSessionDelegate: keychainController,
-                                                                    appHooks: appHooks)
+                                                                    appHooks: appHooks,
+                                                                    appSettings: settings)
                    } catch {
                        MXLog.error("Failed creating user session with error: \(error)")
                    }
--- a/NSE/Sources/Other/NSESettingsProtocol.swift
+++ b/NSE/Sources/Other/NSESettingsProtocol.swift
@ -1,14 +0,0 @@
-//
-// Copyright 2023, 2024 New Vector Ltd.
-//
-// SPDX-License-Identifier: AGPL-3.0-only
-// Please see LICENSE in the repository root for full details.
-//
-
-import Foundation
-
-protocol NSESettingsProtocol {
-    var logLevel: TracingConfiguration.LogLevel { get }
-}
-
-extension AppSettings: NSESettingsProtocol { }
--- a/NSE/Sources/Other/NSEUserSession.swift
+++ b/NSE/Sources/Other/NSEUserSession.swift
@ -19,7 +19,7 @@ final class NSEUserSession {
                                                                               networkMonitor: nil)
    private let delegateHandle: TaskHandle?

-    init(credentials: KeychainCredentials, clientSessionDelegate: ClientSessionDelegate, appHooks: AppHooks) async throws {
+    init(credentials: KeychainCredentials, clientSessionDelegate: ClientSessionDelegate, appHooks: AppHooks, appSettings: CommonSettingsProtocol) async throws {
        sessionDirectories = credentials.restorationToken.sessionDirectories
        
        userID = credentials.userID
@ -33,7 +33,8 @@ final class NSEUserSession {
                         httpProxy: URL(string: homeserverURL)?.globalProxy,
                         slidingSync: .restored,
                         sessionDelegate: clientSessionDelegate,
-                         appHooks: appHooks)
+                         appHooks: appHooks,
+                         invisibleCryptoEnabled: appSettings.invisibleCryptoEnabled)
            .sessionPaths(dataPath: credentials.restorationToken.sessionDirectories.dataPath,
                          cachePath: credentials.restorationToken.sessionDirectories.cachePath)
            .username(username: credentials.userID)