feat: Implemenet lab for encrypted state events (MSC3414)

Signed-off-by: Skye Elliot <[email protected]>

feat: use correct key for enabling state encryption

feat: add lab to element web

feat: add EncryptedStateSettingsController

chore: update lockfile

Author: kaylendog

src/MatrixClientPeg.ts

@@ -437,6 +437,7 @@ class MatrixClientPegClass implements IMatrixClientPeg {
             // These are always installed regardless of the labs flag so that cross-signing features
             // can toggle on without reloading and also be accessed immediately after login.
             cryptoCallbacks: { ...crossSigningCallbacks },
+            enableEncryptedStateEvents: SettingsStore.getValue("feature_msc3414_encrypted_state_events"),
             roomNameGenerator: (_: string, state: RoomNameState) => {
                 switch (state.type) {
                     case RoomNameType.Generated:

src/components/views/dialogs/CreateRoomDialog.tsx

@@ -34,6 +34,7 @@ interface IProps {
     defaultName?: string;
     parentSpace?: Room;
     defaultEncrypted?: boolean;
+    defaultStateEncrypted?: boolean;
     onFinished(proceed?: false): void;
     onFinished(proceed: true, opts: IOpts): void;
 }
@@ -52,6 +53,10 @@ interface IState {
      * Indicates whether end-to-end encryption is enabled for the room.
      */
     isEncrypted: boolean;
+    /**
+     * Indicates whether end-to-end state encryption is enabled for this room.
+     */
+    isStateEncrypted: boolean;
     /**
      * The room name.
      */
@@ -111,6 +116,7 @@ export default class CreateRoomDialog extends React.Component<IProps, IState> {
         this.state = {
             isPublicKnockRoom: defaultPublic || false,
             isEncrypted: this.props.defaultEncrypted ?? privateShouldBeEncrypted(cli),
+            isStateEncrypted: this.props.defaultStateEncrypted ?? false,
             joinRule,
             name: this.props.defaultName || "",
             topic: "",
@@ -136,6 +142,7 @@ export default class CreateRoomDialog extends React.Component<IProps, IState> {
             createOpts.room_alias_name = alias.substring(1, alias.indexOf(":"));
         } else {
             opts.encryption = this.state.isEncrypted;
+            opts.stateEncryption = this.state.isStateEncrypted;
         }
 
         if (this.state.topic) {
@@ -230,6 +237,10 @@ export default class CreateRoomDialog extends React.Component<IProps, IState> {
         this.setState({ isEncrypted });
     };
 
+    private onStateEncryptedChange = (isStateEncrypted: boolean): void => {
+        this.setState({ isStateEncrypted });
+    };
+
     private onAliasChange = (alias: string): void => {
         this.setState({ alias });
     };
@@ -373,6 +384,37 @@ export default class CreateRoomDialog extends React.Component<IProps, IState> {
             );
         }
 
+        let e2eeStateSection: JSX.Element | undefined;
+        if (
+            SettingsStore.getValue("feature_msc3414_encrypted_state_events", null, false) &&
+            this.state.joinRule !== JoinRule.Public
+        ) {
+            let microcopy: string;
+            if (privateShouldBeEncrypted(MatrixClientPeg.safeGet())) {
+                if (this.state.canChangeEncryption) {
+                    microcopy = isVideoRoom
+                        ? _t("create_room|encrypted_video_room_warning")
+                        : _t("create_room|state_encrypted_warning");
+                } else {
+                    microcopy = _t("create_room|encryption_forced");
+                }
+            } else {
+                microcopy = _t("settings|security|e2ee_default_disabled_warning");
+            }
+            e2eeStateSection = (
+                <React.Fragment>
+                    <LabelledToggleSwitch
+                        label={_t("create_room|state_encryption_label")}
+                        onChange={this.onStateEncryptedChange}
+                        value={this.state.isStateEncrypted}
+                        className="mx_CreateRoomDialog_e2eSwitch" // for end-to-end tests
+                        disabled={!this.state.canChangeEncryption}
+                    />
+                    <p>{microcopy}</p>
+                </React.Fragment>
+            );
+        }
+
         let federateLabel = _t("create_room|unfederated_label_default_off");
         if (SdkConfig.get().default_federate === false) {
             // We only change the label if the default setting is different to avoid jarring text changes to the
@@ -433,6 +475,7 @@ export default class CreateRoomDialog extends React.Component<IProps, IState> {
                         {publicPrivateLabel}
                         {visibilitySection}
                         {e2eeSection}
+                        {e2eeStateSection}
                         {aliasField}
                         {this.advancedSettingsEnabled && (
                             <details onToggle={this.onDetailsToggled} className="mx_CreateRoomDialog_details">

src/components/views/messages/EncryptionEvent.tsx

@@ -49,12 +49,19 @@ const EncryptionEvent = ({ mxEvent, timestamp, ref }: IProps): ReactNode => {
             subtitle = _t("timeline|m.room.encryption|enabled_local");
         } else {
             subtitle = _t("timeline|m.room.encryption|enabled");
+            if (content["io.element.msc3414.encrypt_state_events"]) {
+                subtitle += " " + _t("timeline|m.room.encryption|state_enabled");
+            }
         }
 
         return (
             <EventTileBubble
                 className="mx_cryptoEvent mx_cryptoEvent_icon"
-                title={_t("common|encryption_enabled")}
+                title={
+                    content["io.element.msc3414.encrypt_state_events"]
+                        ? _t("common|state_encryption_enabled")
+                        : _t("common|encryption_enabled")
+                }
                 subtitle={subtitle}
                 timestamp={timestamp}
             />

src/components/views/settings/tabs/room/SecurityRoomSettingsTab.tsx

@@ -175,7 +175,8 @@ export default class SecurityRoomSettingsTab extends React.Component<IProps, ISt
             this.setState({ encrypted: true });
             this.context
                 .sendStateEvent(this.props.room.roomId, EventType.RoomEncryption, {
-                    algorithm: MEGOLM_ENCRYPTION_ALGORITHM,
+                    "algorithm": MEGOLM_ENCRYPTION_ALGORITHM,
+                    "io.element.msc3414.encrypt_state_events": false,
                 })
                 .catch((e) => {
                     logger.error(e);

src/createRoom.ts

@@ -53,6 +53,7 @@ export interface IOpts {
     spinner?: boolean;
     guestAccess?: boolean;
     encryption?: boolean;
+    stateEncryption?: boolean;
     inlineErrors?: boolean;
     andView?: boolean;
     avatar?: File | string; // will upload if given file, else mxcUrl is needed
@@ -100,6 +101,7 @@ export default async function createRoom(client: MatrixClient, opts: IOpts): Pro
     if (opts.spinner === undefined) opts.spinner = true;
     if (opts.guestAccess === undefined) opts.guestAccess = true;
     if (opts.encryption === undefined) opts.encryption = false;
+    if (opts.stateEncryption === undefined) opts.stateEncryption = false;
 
     if (client.isGuest()) {
         dis.dispatch({ action: "require_registration" });
@@ -213,7 +215,8 @@ export default async function createRoom(client: MatrixClient, opts: IOpts): Pro
             type: "m.room.encryption",
             state_key: "",
             content: {
-                algorithm: MEGOLM_ENCRYPTION_ALGORITHM,
+                "algorithm": MEGOLM_ENCRYPTION_ALGORITHM,
+                "io.element.msc3414.encrypt_state_events": opts.stateEncryption,
             },
         });
     }

src/i18n/strings/en_EN.json

@@ -578,6 +578,7 @@
         "someone": "Someone",
         "space": "Space",
         "spaces": "Spaces",
+        "state_encryption_enabled": "Experimental state encryption enabled",
         "sticker": "Sticker",
         "stickerpack": "Stickerpack",
         "success": "Success",
@@ -673,6 +674,8 @@
         "encrypted_warning": "You can't disable this later. Bridges & most bots won't work yet.",
         "encryption_forced": "Your server requires encryption to be enabled in private rooms.",
         "encryption_label": "Enable end-to-end encryption",
+        "state_encrypted_warning": "WARNING: This is an experimental feature.",
+        "state_encryption_label": "Encrypt state events",
         "error_title": "Failure to create room",
         "generic_error": "Server may be unavailable, overloaded, or you hit a bug.",
         "join_rule_change_notice": "You can change this at any time from room settings.",
@@ -1494,6 +1497,8 @@
         "dynamic_room_predecessors": "Dynamic room predecessors",
         "dynamic_room_predecessors_description": "Enable MSC3946 (to support late-arriving room archives)",
         "element_call_video_rooms": "Element Call video rooms",
+        "encrypted_state_events": "Encrypted state events",
+        "encrypted_state_events_decsription": "Enables experimental support for encrypting state events, which hides metadata such as room names and topics from being visible to the server.",
         "exclude_insecure_devices": "Exclude insecure devices when sending/receiving messages",
         "exclude_insecure_devices_description": "When this mode is enabled, encrypted messages will not be shared with unverified devices, and messages from unverified devices will be shown as an error. Note that if you enable this mode, you may be unable to communicate with users who have not verified their devices.",
         "experimental_description": "Feeling experimental? Try out our latest ideas in development. These features are not finalised; they may be unstable, may change, or may be dropped altogether. <a>Learn more</a>.",
@@ -3525,6 +3530,7 @@
             "enabled": "Messages in this room are end-to-end encrypted. When people join, you can verify them in their profile, just tap on their profile picture.",
             "enabled_dm": "Messages here are end-to-end encrypted. Verify %(displayName)s in their profile - tap on their profile picture.",
             "enabled_local": "Messages in this chat will be end-to-end encrypted.",
+            "state_enabled": "State events in this room are end-to-end encrypted.",
             "parameters_changed": "Some encryption parameters have been changed.",
             "unsupported": "The encryption used by this room isn't supported."
         },

src/settings/Settings.tsx

@@ -50,6 +50,7 @@ import { SortingAlgorithm } from "../stores/room-list-v3/skip-list/sorters/index
 import MediaPreviewConfigController from "./controllers/MediaPreviewConfigController.ts";
 import InviteRulesConfigController from "./controllers/InviteRulesConfigController.ts";
 import { type ComputedInviteConfig } from "../@types/invite-rules.ts";
+import EncryptedStateEventsController from "./controllers/EncryptedStateEventsController.ts";
 
 export const defaultWatchManager = new WatchManager();
 
@@ -221,6 +222,7 @@ export interface Settings {
     "feature_new_room_list": IFeature;
     "feature_ask_to_join": IFeature;
     "feature_notifications": IFeature;
+    "feature_msc3414_encrypted_state_events": IFeature;
     // These are in the feature namespace but aren't actually features
     "feature_hidebold": IBaseSetting<boolean>;
 
@@ -783,6 +785,17 @@ export const SETTINGS: Settings = {
         supportedLevelsAreOrdered: true,
         default: false,
     },
+    "feature_msc3414_encrypted_state_events": {
+        isFeature: true,
+        labsGroup: LabGroup.Encryption,
+        controller: new EncryptedStateEventsController(),
+        displayName: _td("labs|encrypted_state_events"),
+        description: _td("labs|encrypted_state_events_decsription"),
+        supportedLevels: LEVELS_ROOM_SETTINGS,
+        supportedLevelsAreOrdered: true,
+        shouldWarn: true,
+        default: false,
+    },
     "useCompactLayout": {
         supportedLevels: LEVELS_DEVICE_ONLY_SETTINGS,
         displayName: _td("settings|preferences|compact_modern"),

src/settings/controllers/EncryptedStateEventsController.ts

@@ -0,0 +1,15 @@
+/*
+Copyright 2024 New Vector Ltd.
+
+SPDX-License-Identifier: AGPL-3.0-only OR GPL-3.0-only OR LicenseRef-Element-Commercial
+Please see LICENSE files in the repository root for full details.
+*/
+
+import PlatformPeg from "../../PlatformPeg";
+import SettingController from "./SettingController";
+
+export default class EncryptedStateEventsController extends SettingController {
+    public async onChange(): Promise<void> {
+        PlatformPeg.get()?.reload();
+    }
+}