Page MenuHomePhabricator

Significant refactor of notification encryption code
ClosedPublic

Authored by marcin on Aug 1 2023, 6:52 AM.
Tags
None
Referenced Files
Unknown Object (File)
Wed, Jan 1, 9:10 AM
Unknown Object (File)
Wed, Jan 1, 9:10 AM
Unknown Object (File)
Wed, Jan 1, 9:10 AM
Unknown Object (File)
Wed, Jan 1, 9:10 AM
Unknown Object (File)
Wed, Jan 1, 9:10 AM
Unknown Object (File)
Wed, Jan 1, 9:10 AM
Unknown Object (File)
Wed, Jan 1, 9:10 AM
Unknown Object (File)
Wed, Jan 1, 9:06 AM
Subscribers

Details

Summary

This differential does two important things:

  1. Changes notification encryption API so that we must pass device tokens along with cookieIDs and encrypted notifications carry thos device token and cookieIDs. This enables us to use thos methods with ease without need to handle independent arrays

ordering which is a brittle design.

  1. It uses the ability to conditionally skip olm session database update. Previously we used to encrypt two notifications: with and without messageInfos. Then we decided which one is going to be delivered. As a result the client hand to keep skipped olm

key for the notif that wasn't delivered. Now it is ensured it is not happening.

Test Plan
  1. Test that encrypted notifications/ rescinds and badge-only notifications work correctly.
  2. Ensure that each notification advances keyserver olm session version by one. It can be done by executing select * from olm_sessions;. This means that only one encryption is persisted to the db and it is the one that encrypts notification delivered to

the client.

Diff Detail

Repository
rCOMM Comm
Branch
marcin/significant-notif-crypto-refactor
Lint
No Lint Coverage
Unit
No Test Coverage

Event Timeline

Rebase to update commit message

marcin requested review of this revision.Aug 1 2023, 8:23 AM

(Preemptively adding @ashoat as reviewer)

Don't have a ton of context here

Not sure I need to be added here... maybe somebody else can give it a first stab, and add me if they feel it's necessary? The last several of @marcin's notifs diffs have been reviewed by @tomek / @bartek and I think things have generally gone well (outside of a few strange issues, but we haven't really identified any code / code review problems as causing those)

keyserver/src/push/crypto.js
19 ↗(On Diff #29436)

Are you going to replace the violated with exceeded later in the stack?

143 ↗(On Diff #29436)

Shouldn't we check resultPayload?

keyserver/src/push/rescind.js
244–247 ↗(On Diff #29436)

Shouldn't we map to an object that contains cookieID?

keyserver/src/push/send.js
671 ↗(On Diff #29436)

Are you sure that we should use this version?

keyserver/src/push/crypto.js
19 ↗(On Diff #29436)

It will be replaced - I just wanted to done refactoring is smaller parts.

143 ↗(On Diff #29436)

We should. We might run into a case when notification size exceeds limits exactly after encryptionFailed: 1 field is added.

keyserver/src/push/rescind.js
244–247 ↗(On Diff #29436)

Once we return from this function rescinds are directly passed to apnPush/fcmPush where cookieID is not necessary. There is not code that would make use of this field.

keyserver/src/push/send.js
671 ↗(On Diff #29436)

Encrypted notifications were introduced since codeVersion 223. This differential does not introduce changes that break this functionality.

  1. Pass resultPayload to pauloadSizeValidator instead of unencryptedPayload.
  2. Rename payloadSizeViolated to payloadSizeExceeded and devicesWithSizeViolation to devicesWithExcessiveSize
tomek added inline comments.
keyserver/src/push/crypto.js
97 ↗(On Diff #29482)

Does it need to be optional?

107–109 ↗(On Diff #29482)

You can consider using a shorthand

19 ↗(On Diff #29436)

Thanks for replacing it! But there are still some usages of violated in this diff.

keyserver/src/push/send.js
735–737 ↗(On Diff #29482)

Do we need to map?

This revision is now accepted and ready to land.Aug 4 2023, 4:47 AM
keyserver/src/push/crypto.js
97 ↗(On Diff #29482)

The encryptAndroidNotificationPayload function is used for visible notifs, badge only notifs and rescinds. Only visible notifs may exceed push services limits so we don't want to bother including this parameter when encryption rescinds and badge only notifs.

19 ↗(On Diff #29436)

Those usages are dbPersistConditionViolated variables which are fields of the object returned from encryptAndUpdateOlmSession . In encryptAndUpdateOlmSession we can pass any condition that might prevent us from updating olm session in the database not necessarily related to payload size so I use generic violated. So those usages should stay this way.

keyserver/src/push/send.js
735–737 ↗(On Diff #29482)

Without map objects in resulting array contain more data than just deviceToken and cookieIDs so flow will complain since this array is further passed to function that expects only deviceToken and cookieIDs to be present.