crypto: add context to IsDeviceTrusted and deprecate ResolveTrust

bridge/crypto.go

@@ -193,7 +193,7 @@ func (helper *CryptoHelper) allowKeyShare(ctx context.Context, device *id.Device
 		return &crypto.KeyShareRejectNoResponse
 	} else if device.Trust == id.TrustStateBlacklisted {
 		return &crypto.KeyShareRejectBlacklisted
-	} else if trustState := helper.mach.ResolveTrust(device); trustState >= cfg.VerificationLevels.Share {
+	} else if trustState, _ := helper.mach.ResolveTrustContext(ctx, device); trustState >= cfg.VerificationLevels.Share {
 		portal := helper.bridge.Child.GetIPortal(info.RoomID)
 		if portal == nil {
 			zerolog.Ctx(ctx).Debug().Msg("Rejecting key request: room is not a portal")

bridgev2/matrix/crypto.go

@@ -199,7 +199,7 @@ func (helper *CryptoHelper) allowKeyShare(ctx context.Context, device *id.Device
 		return &crypto.KeyShareRejectNoResponse
 	} else if device.Trust == id.TrustStateBlacklisted {
 		return &crypto.KeyShareRejectBlacklisted
-	} else if trustState := helper.mach.ResolveTrust(device); trustState >= cfg.VerificationLevels.Share {
+	} else if trustState, _ := helper.mach.ResolveTrustContext(ctx, device); trustState >= cfg.VerificationLevels.Share {
 		portal, err := helper.bridge.Bridge.GetPortalByMXID(ctx, info.RoomID)
 		if err != nil {
 			zerolog.Ctx(ctx).Err(err).Msg("Failed to get portal to handle key request")

crypto/cross_sign_test.go

@@ -66,7 +66,7 @@ func TestTrustOwnDevice(t *testing.T) {
 		DeviceID:   "device",
 		SigningKey: id.Ed25519("deviceKey"),
 	}
-	if m.IsDeviceTrusted(ownDevice) {
+	if m.IsDeviceTrusted(context.TODO(), ownDevice) {
 		t.Error("Own device trusted while it shouldn't be")
 	}
 
@@ -78,7 +78,7 @@ func TestTrustOwnDevice(t *testing.T) {
 	if trusted, _ := m.IsUserTrusted(context.TODO(), ownDevice.UserID); !trusted {
 		t.Error("Own user not trusted while they should be")
 	}
-	if !m.IsDeviceTrusted(ownDevice) {
+	if !m.IsDeviceTrusted(context.TODO(), ownDevice) {
 		t.Error("Own device not trusted while it should be")
 	}
 }
@@ -123,7 +123,7 @@ func TestTrustOtherDevice(t *testing.T) {
 	if trusted, _ := m.IsUserTrusted(context.TODO(), otherUser); trusted {
 		t.Error("Other user trusted while they shouldn't be")
 	}
-	if m.IsDeviceTrusted(theirDevice) {
+	if m.IsDeviceTrusted(context.TODO(), theirDevice) {
 		t.Error("Other device trusted while it shouldn't be")
 	}
 
@@ -144,14 +144,14 @@ func TestTrustOtherDevice(t *testing.T) {
 	m.CryptoStore.PutSignature(context.TODO(), otherUser, theirSSK.PublicKey(),
 		otherUser, theirMasterKey.PublicKey(), "sig3")
 
-	if m.IsDeviceTrusted(theirDevice) {
+	if m.IsDeviceTrusted(context.TODO(), theirDevice) {
 		t.Error("Other device trusted before it has been signed with user's SSK")
 	}
 
 	m.CryptoStore.PutSignature(context.TODO(), otherUser, theirDevice.SigningKey,
 		otherUser, theirSSK.PublicKey(), "sig4")
 
-	if !m.IsDeviceTrusted(theirDevice) {
+	if !m.IsDeviceTrusted(context.TODO(), theirDevice) {
 		t.Error("Other device not trusted while it should be")
 	}
 }

crypto/cross_sign_validation.go

@@ -13,6 +13,9 @@ import (
 	"maunium.net/go/mautrix/id"
 )
 
+// ResolveTrust resolves the trust state of the device from cross-signing.
+//
+// Deprecated: This method doesn't take a context. Use [OlmMachine.ResolveTrustContext] instead.
 func (mach *OlmMachine) ResolveTrust(device *id.Device) id.TrustState {
 	state, _ := mach.ResolveTrustContext(context.Background(), device)
 	return state
@@ -77,8 +80,12 @@ func (mach *OlmMachine) ResolveTrustContext(ctx context.Context, device *id.Devi
 }
 
 // IsDeviceTrusted returns whether a device has been determined to be trusted either through verification or cross-signing.
-func (mach *OlmMachine) IsDeviceTrusted(device *id.Device) bool {
-	switch mach.ResolveTrust(device) {
+//
+// Note: this will return false if resolving the trust state fails due to database errors.
+// Use [OlmMachine.ResolveTrustContext] if special error handling is required.
+func (mach *OlmMachine) IsDeviceTrusted(ctx context.Context, device *id.Device) bool {
+	trust, _ := mach.ResolveTrustContext(ctx, device)
+	switch trust {
 	case id.TrustStateVerified, id.TrustStateCrossSignedTOFU, id.TrustStateCrossSignedVerified:
 		return true
 	default:

crypto/encryptmegolm.go

@@ -417,7 +417,7 @@ func (mach *OlmMachine) findOlmSessionsForUser(ctx context.Context, session *Out
 				Reason:    "Device is blacklisted",
 			}}
 			session.Users[userKey] = OGSIgnored
-		} else if trustState := mach.ResolveTrust(device); trustState < mach.SendKeysMinTrust {
+		} else if trustState, _ := mach.ResolveTrustContext(ctx, device); trustState < mach.SendKeysMinTrust {
 			log.Debug().
 				Str("min_trust", mach.SendKeysMinTrust.String()).
 				Str("device_trust", trustState.String()).

crypto/keybackup.go

@@ -86,7 +86,7 @@ func (mach *OlmMachine) GetAndVerifyLatestKeyBackupVersion(ctx context.Context,
 		} else if device == nil {
 			log.Warn().Err(err).Msg("Device does not exist, ignoring signature")
 			continue
-		} else if !mach.IsDeviceTrusted(device) {
+		} else if !mach.IsDeviceTrusted(ctx, device) {
 			log.Warn().Err(err).Msg("Device is not trusted")
 			continue
 		} else {

crypto/keysharing.go

@@ -275,7 +275,7 @@ func (mach *OlmMachine) defaultAllowKeyShare(ctx context.Context, device *id.Dev
 	} else if device.Trust == id.TrustStateBlacklisted {
 		log.Debug().Msg("Rejecting key request from blacklisted device")
 		return &KeyShareRejectBlacklisted
-	} else if trustState := mach.ResolveTrust(device); trustState >= mach.ShareKeysMinTrust {
+	} else if trustState, _ := mach.ResolveTrustContext(ctx, device); trustState >= mach.ShareKeysMinTrust {
 		log.Debug().
 			Str("min_trust", mach.SendKeysMinTrust.String()).
 			Str("device_trust", trustState.String()).