Reset cross-signing before backup when resetting both (#28402)

* reset cross-signing before backup when resetting both * add test for AccessSecretStorageDialog * fix unit test
2024-11-18 22:17:24 -05:00 · 2024-11-18 22:17:24 -05:00 · 0ae74a9e1f
commit 0ae74a9e1f
parent ed9795137b
10 changed files with 127 additions and 84 deletions
--- a/src/SecurityManager.ts
+++ b/src/SecurityManager.ts
@ -186,6 +186,15 @@ export async function withSecretStorageKeyCache<T>(func: () => Promise<T>): Prom
    }
 }

+export interface AccessSecretStorageOpts {
+    /** Reset secret storage even if it's already set up. */
+    forceReset?: boolean;
+    /** Create new cross-signing keys. Only applicable if `forceReset` is `true`. */
+    resetCrossSigning?: boolean;
+    /** The cached account password, if available. */
+    accountPassword?: string;
+}
+
 /**
 * This helper should be used whenever you need to access secret storage. It
 * ensures that secret storage (and also cross-signing since they each depend on
@ -205,14 +214,17 @@ export async function withSecretStorageKeyCache<T>(func: () => Promise<T>): Prom
 *
 * @param {Function} [func] An operation to perform once secret storage has been
 * bootstrapped. Optional.
- * @param {bool} [forceReset] Reset secret storage even if it's already set up
+ * @param [opts] The options to use when accessing secret storage.
 */
-export async function accessSecretStorage(func = async (): Promise<void> => {}, forceReset = false): Promise<void> {
-    await withSecretStorageKeyCache(() => doAccessSecretStorage(func, forceReset));
+export async function accessSecretStorage(
+    func = async (): Promise<void> => {},
+    opts: AccessSecretStorageOpts = {},
+): Promise<void> {
+    await withSecretStorageKeyCache(() => doAccessSecretStorage(func, opts));
 }

 /** Helper for {@link #accessSecretStorage} */
-async function doAccessSecretStorage(func: () => Promise<void>, forceReset: boolean): Promise<void> {
+async function doAccessSecretStorage(func: () => Promise<void>, opts: AccessSecretStorageOpts): Promise<void> {
    try {
        const cli = MatrixClientPeg.safeGet();
        const crypto = cli.getCrypto();
@ -221,7 +233,7 @@ async function doAccessSecretStorage(func: () => Promise<void>, forceReset: bool
        }

        let createNew = false;
-        if (forceReset) {
+        if (opts.forceReset) {
            logger.debug("accessSecretStorage: resetting 4S");
            createNew = true;
        } else if (!(await cli.secretStorage.hasKey())) {
@ -234,9 +246,7 @@ async function doAccessSecretStorage(func: () => Promise<void>, forceReset: bool
            // passphrase creation.
            const { finished } = Modal.createDialog(
                lazy(() => import("./async-components/views/dialogs/security/CreateSecretStorageDialog")),
-                {
-                    forceReset,
-                },
+                opts,
                undefined,
                /* priority = */ false,
                /* static = */ true,
--- a/src/async-components/views/dialogs/security/CreateSecretStorageDialog.tsx
+++ b/src/async-components/views/dialogs/security/CreateSecretStorageDialog.tsx
@ -58,6 +58,7 @@ interface IProps {
    hasCancel?: boolean;
    accountPassword?: string;
    forceReset?: boolean;
+    resetCrossSigning?: boolean;
    onFinished(ok?: boolean): void;
 }

@ -91,6 +92,7 @@ export default class CreateSecretStorageDialog extends React.PureComponent<IProp
    public static defaultProps: Partial<IProps> = {
        hasCancel: true,
        forceReset: false,
+        resetCrossSigning: false,
    };
    private recoveryKey?: GeneratedSecretStorageKey;
    private recoveryKeyNode = createRef<HTMLElement>();
@ -270,7 +272,7 @@ export default class CreateSecretStorageDialog extends React.PureComponent<IProp
    private bootstrapSecretStorage = async (): Promise<void> => {
        const cli = MatrixClientPeg.safeGet();
        const crypto = cli.getCrypto()!;
-        const { forceReset } = this.props;
+        const { forceReset, resetCrossSigning } = this.props;

        let backupInfo;
        // First, unless we know we want to do a reset, we see if there is an existing key backup
@ -292,12 +294,28 @@ export default class CreateSecretStorageDialog extends React.PureComponent<IProp

        try {
            if (forceReset) {
+                /* Resetting cross-signing requires secret storage to be reset
+                 * (otherwise it will try to store the cross-signing keys in the
+                 * old secret storage, and may prompt for the old key, which is
+                 * probably not available), and resetting key backup requires
+                 * cross-signing to be reset (so that the new backup can be
+                 * signed by the new cross-signing key).  So we reset secret
+                 * storage first, then cross-signing, then key backup.
+                 */
                logger.log("Forcing secret storage reset");
                await crypto.bootstrapSecretStorage({
                    createSecretStorageKey: async () => this.recoveryKey!,
-                    setupNewKeyBackup: true,
                    setupNewSecretStorage: true,
                });
+                if (resetCrossSigning) {
+                    logger.log("Resetting cross signing");
+                    await crypto.bootstrapCrossSigning({
+                        authUploadDeviceSigningKeys: this.doBootstrapUIAuth,
+                        setupNewCrossSigning: true,
+                    });
+                }
+                logger.log("Resetting key backup");
+                await crypto.resetKeyBackup();
            } else {
                // For password authentication users after 2020-09, this cross-signing
                // step will be a no-op since it is now setup during registration or login
--- a/src/components/views/dialogs/security/AccessSecretStorageDialog.tsx
+++ b/src/components/views/dialogs/security/AccessSecretStorageDialog.tsx
@ -19,7 +19,6 @@ import AccessibleButton, { ButtonEvent } from "../../elements/AccessibleButton";
 import { _t } from "../../../../languageHandler";
 import { accessSecretStorage } from "../../../../SecurityManager";
 import Modal from "../../../../Modal";
-import InteractiveAuthDialog from "../InteractiveAuthDialog";
 import DialogButtons from "../../elements/DialogButtons";
 import BaseDialog from "../BaseDialog";
 import { chromeFileInputFix } from "../../../../utils/BrowserWorkarounds";
@ -226,28 +225,14 @@ export default class AccessSecretStorageDialog extends React.PureComponent<IProp

        try {
            // Force reset secret storage (which resets the key backup)
-            await accessSecretStorage(async (): Promise<void> => {
-                // Now reset cross-signing so everything Just Works™ again.
-                const cli = MatrixClientPeg.safeGet();
-                await cli.getCrypto()?.bootstrapCrossSigning({
-                    authUploadDeviceSigningKeys: async (makeRequest): Promise<void> => {
-                        const { finished } = Modal.createDialog(InteractiveAuthDialog, {
-                            title: _t("encryption|bootstrap_title"),
-                            matrixClient: cli,
-                            makeRequest,
-                        });
-                        const [confirmed] = await finished;
-                        if (!confirmed) {
-                            throw new Error("Cross-signing key upload auth canceled");
-                        }
-                    },
-                    setupNewCrossSigning: true,
-                });
-
-                // Now we can indicate that the user is done pressing buttons, finally.
-                // Upstream flows will detect the new secret storage, key backup, etc and use it.
-                this.props.onFinished({});
-            }, true);
+            await accessSecretStorage(
+                async (): Promise<void> => {
+                    // Now we can indicate that the user is done pressing buttons, finally.
+                    // Upstream flows will detect the new secret storage, key backup, etc and use it.
+                    this.props.onFinished({});
+                },
+                { forceReset: true, resetCrossSigning: true },
+            );
        } catch (e) {
            logger.error(e);
            this.props.onFinished(false);
--- a/src/components/views/dialogs/security/RestoreKeyBackupDialog.tsx
+++ b/src/components/views/dialogs/security/RestoreKeyBackupDialog.tsx
@ -109,7 +109,7 @@ export default class RestoreKeyBackupDialog extends React.PureComponent<IProps,

    private onResetRecoveryClick = (): void => {
        this.props.onFinished(false);
-        accessSecretStorage(async (): Promise<void> => {}, /* forceReset = */ true);
+        accessSecretStorage(async (): Promise<void> => {}, { forceReset: true });
    };

    /**
--- a/src/components/views/settings/SecureBackupPanel.tsx
+++ b/src/components/views/settings/SecureBackupPanel.tsx
@ -209,7 +209,7 @@ export default class SecureBackupPanel extends React.PureComponent<{}, IState> {
    private resetSecretStorage = async (): Promise<void> => {
        this.setState({ error: false });
        try {
-            await accessSecretStorage(async (): Promise<void> => {}, /* forceReset = */ true);
+            await accessSecretStorage(async (): Promise<void> => {}, { forceReset: true });
        } catch (e) {
            logger.error("Error resetting secret storage", e);
            if (this.unmounted) return;
--- a/src/stores/SetupEncryptionStore.ts
+++ b/src/stores/SetupEncryptionStore.ts
@ -19,9 +19,6 @@ import { Device, SecretStorage } from "matrix-js-sdk/src/matrix";

 import { MatrixClientPeg } from "../MatrixClientPeg";
 import { AccessCancelledError, accessSecretStorage } from "../SecurityManager";
-import Modal from "../Modal";
-import InteractiveAuthDialog from "../components/views/dialogs/InteractiveAuthDialog";
-import { _t } from "../languageHandler";
 import { SdkContextClass } from "../contexts/SDKContext";
 import { asyncSome } from "../utils/arrays";
 import { initialiseDehydration } from "../utils/device/dehydration";
@ -230,42 +227,16 @@ export class SetupEncryptionStore extends EventEmitter {
            // secret storage key if they had one. Start by resetting
            // secret storage and setting up a new recovery key, then
            // create new cross-signing keys once that succeeds.
-            await accessSecretStorage(async (): Promise<void> => {
-                const cli = MatrixClientPeg.safeGet();
-                await cli.getCrypto()?.bootstrapCrossSigning({
-                    authUploadDeviceSigningKeys: async (makeRequest): Promise<void> => {
-                        const cachedPassword = SdkContextClass.instance.accountPasswordStore.getPassword();
-
-                        if (cachedPassword) {
-                            await makeRequest({
-                                type: "m.login.password",
-                                identifier: {
-                                    type: "m.id.user",
-                                    user: cli.getSafeUserId(),
-                                },
-                                user: cli.getSafeUserId(),
-                                password: cachedPassword,
-                            });
-                            return;
-                        }
-
-                        const { finished } = Modal.createDialog(InteractiveAuthDialog, {
-                            title: _t("encryption|bootstrap_title"),
-                            matrixClient: cli,
-                            makeRequest,
-                        });
-                        const [confirmed] = await finished;
-                        if (!confirmed) {
-                            throw new Error("Cross-signing key upload auth canceled");
-                        }
-                    },
-                    setupNewCrossSigning: true,
-                });
-
-                await initialiseDehydration(true);
-
-                this.phase = Phase.Finished;
-            }, true);
+            await accessSecretStorage(
+                async (): Promise<void> => {
+                    this.phase = Phase.Finished;
+                },
+                {
+                    forceReset: true,
+                    resetCrossSigning: true,
+                    accountPassword: SdkContextClass.instance.accountPasswordStore.getPassword(),
+                },
+            );
        } catch (e) {
            logger.error("Error resetting cross-signing", e);
            this.phase = Phase.Intro;