Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

recovery: Fix the recovery state not being updated after backups are enabled via secret send #3623

Merged
merged 3 commits into from
Jul 1, 2024

Conversation

poljar
Copy link
Contributor

@poljar poljar commented Jun 28, 2024

A review commit by commit is the best way to go through this PR, please take a look at the commit message of the last commit for a full explanation on how the fix works.

A test for this was written in #3583, but sadly it doesn't reproduce the issue since the issue is only triggered if event handlers are run in the wrong order. This PR doesn't rely on the event handler for the backup state, so the order doesn't matter anymore.

This closes: #3445.

@poljar poljar requested a review from a team as a code owner June 28, 2024 14:21
@poljar poljar requested review from bnjbvr and removed request for a team June 28, 2024 14:21
@poljar poljar force-pushed the poljar/invalid-recovery-state-secret-send branch from 5ec246b to 56e4035 Compare June 28, 2024 14:34
Copy link

codecov bot commented Jun 28, 2024

Codecov Report

Attention: Patch coverage is 96.66667% with 1 line in your changes missing coverage. Please review.

Project coverage is 84.20%. Comparing base (2507a45) to head (44a4505).
Report is 4 commits behind head on main.

Files Patch % Lines
crates/matrix-sdk/src/encryption/recovery/mod.rs 93.75% 1 Missing ⚠️
Additional details and impacted files
@@           Coverage Diff           @@
##             main    #3623   +/-   ##
=======================================
  Coverage   84.19%   84.20%           
=======================================
  Files         256      256           
  Lines       26555    26576   +21     
=======================================
+ Hits        22358    22378   +20     
- Misses       4197     4198    +1     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

Copy link
Member

@bnjbvr bnjbvr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good at first sight, but:

  1. the commit message and the PR description mention an event handler being removed, and no event handler seems to be removed here. Should the commit message be updated?
  2. Can you explain the changes in the test, and confirm they're testing the new change in behavior, and if so, how/why, please?

@poljar
Copy link
Contributor Author

poljar commented Jul 1, 2024

Looks good at first sight, but:

  1. the commit message and the PR description mention an event handler being removed, and no event handler seems to be removed here. Should the commit message be updated?

Oh, removal might be the bad word for this. Previously we relied on the m.secret.send event handler to update our backup state, but that turned out to be flaky because of the ordering issue explained in the commit. We still need the event handler for other secret types, i.e. the cross-signing keys, we can't remove it. What changed is, we don't rely on event handler for the backup state update.

  1. Can you explain the changes in the test, and confirm they're testing the new change in behavior, and if so, how/why, please?

The tests now allow some requests to be done more times, i.e. now we're updating the state when:

  1. The secret send event handler is run, due to point no. 1
  2. The backup state actually changes

Copy link
Member

@bnjbvr bnjbvr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks; please tweak the commit message to make it clear the event handler is not removed, but that we stop relying on it to update the recovery state. Then let's use a PR name according to our guidelines, and we're good to go 👍

@poljar poljar changed the title Fix the recovery state not being updated after backups are enabled via secret send recovery: Fix the recovery state not being updated after backups are enabled via secret send Jul 1, 2024
poljar added 3 commits July 1, 2024 14:24
This patch switches the way we update the recovery state upon changes in
the backup state. Previously two places updated the recovery state after
the backup state changed:

    1. A method living in the recovery subsystem that the backup
       subsystem itself calls.
    2. An event handler which is called when we receive a m.secret.send
       event.

The first method is a hack because it introduces a circular dependency
between the recovery and backup subsystems.

More importantly, the second method can miss updates, because the backup
subsystem has a similar event handler which then processes the secret we
received and if the secret was a backup recovery key, enables backups.

Depending on the order these event handlers are called, the recovery
subsystem might update the recovery state before the secret has been
handled.

The backup subsystem provides an async stream which broadcasts updates
to the backup state, letting the recovery subsystem listen to this
stream and update its state if we notice such updates fixes both
problems we listed above. The method in the first bullet point was
completely removed, the event handler is kept for other secret types but
we don't rely on it for the backup state anymore.
@poljar poljar force-pushed the poljar/invalid-recovery-state-secret-send branch from 56e4035 to 44a4505 Compare July 1, 2024 12:24
@poljar poljar enabled auto-merge (rebase) July 1, 2024 12:37
@poljar poljar merged commit a34e196 into main Jul 1, 2024
39 checks passed
@poljar poljar deleted the poljar/invalid-recovery-state-secret-send branch July 1, 2024 12:38
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Receiving backup keys from secret send doesn't update the recovery state
2 participants