core_crypto/mls/conversation/

mod.rs

//! MLS groups (aka conversation) are the actual entities cementing all the participants in a
//! conversation.
//!
//! This table summarizes what operations are permitted on a group depending its state:
//! *(PP=pending proposal, PC=pending commit)*
//!
//! | can I ?   | 0 PP / 0 PC | 1+ PP / 0 PC | 0 PP / 1 PC | 1+ PP / 1 PC |
//! |-----------|-------------|--------------|-------------|--------------|
//! | encrypt   | ✅           | ❌            | ❌           | ❌            |
//! | handshake | ✅           | ✅            | ❌           | ❌            |
//! | merge     | ❌           | ❌            | ✅           | ✅            |
//! | decrypt   | ✅           | ✅            | ✅           | ✅            |

pub(crate) mod commit;
mod commit_delay;
pub(crate) mod config;
pub(crate) mod conversation_guard;
mod credential;
mod duplicate;
#[cfg(test)]
mod durability;
mod error;
pub(crate) mod group_info;
mod id;
mod immutable_conversation;
pub(crate) mod merge;
mod orphan_welcome;
mod own_commit;
pub(crate) mod pending_conversation;
mod persistence;
pub(crate) mod proposal;
mod welcome;
mod wipe;

use std::{
    borrow::Borrow,
    collections::{HashMap, HashSet},
    ops::Deref,
    sync::Arc,
};

use core_crypto_keystore::Database;
use itertools::Itertools as _;
use log::trace;
use openmls::{
    group::{MlsGroup, QueuedProposal},
    prelude::{LeafNode, LeafNodeIndex, Proposal, Sender},
};
use openmls_traits::OpenMlsCryptoProvider;

use self::config::MlsConversationConfiguration;
pub use self::{
    conversation_guard::ConversationGuard,
    error::{Error, Result},
    id::{ConversationId, ConversationIdRef},
    immutable_conversation::ImmutableConversation,
    welcome::WelcomeMessage,
};
use super::credential::Credential;
use crate::{
    CipherSuite, ClientId, ClientIdRef, CredentialRef, CredentialType, E2eiConversationState, LeafError, MlsError,
    RecursiveError, UserId, WireIdentity, bytes_wrapper,
    mls::{HasSessionAndCrypto, Session, credential::ext::CredentialExt as _},
    mls_provider::MlsCryptoProvider,
};

bytes_wrapper!(
    /// A secret key derived from the group secret.
    ///
    /// This is intended to be used for AVS.
    #[derive(Clone)]
    SecretKey
);

bytes_wrapper!(
    /// The raw public key of an external sender.
    ///
    /// This can be used to initialize a subconversation.
    #[derive(Clone)]
    ExternalSenderKey
);

/// The base layer for [Conversation].
/// The trait is only exposed internally.
#[cfg_attr(target_os = "unknown", async_trait::async_trait(?Send))]
#[cfg_attr(not(target_os = "unknown"), async_trait::async_trait)]
pub(crate) trait ConversationWithMls<'a> {
    /// [`Session`] and [`TransactionContext`][crate::transaction_context::TransactionContext] both implement
    /// [`HasSessionAndCrypto`].
    type Context: HasSessionAndCrypto;

    type Conversation: Deref<Target = MlsConversation> + Send;

    async fn context(&self) -> Result<Self::Context>;

    async fn conversation(&'a self) -> Self::Conversation;

    async fn crypto_provider(&self) -> Result<MlsCryptoProvider> {
        self.context()
            .await?
            .crypto_provider()
            .await
            .map_err(RecursiveError::mls("getting mls provider"))
            .map_err(Into::into)
    }

    async fn session(&self) -> Result<Session<Database>> {
        self.context()
            .await?
            .session()
            .await
            .map_err(RecursiveError::mls("getting mls client"))
            .map_err(Into::into)
    }
}

/// The `Conversation` trait provides a set of operations that can be done on
/// an **immutable** conversation.
// We keep the super trait internal intentionally, as it is not meant to be used by the public API,
// hence #[expect(private_bounds)].
#[expect(private_bounds)]
#[cfg_attr(target_os = "unknown", async_trait::async_trait(?Send))]
#[cfg_attr(not(target_os = "unknown"), async_trait::async_trait)]
pub trait Conversation<'a>: ConversationWithMls<'a> {
    /// Returns the epoch of a given conversation
    async fn epoch(&'a self) -> u64 {
        self.conversation().await.group().epoch().as_u64()
    }

    /// Returns the ciphersuite of a given conversation
    async fn ciphersuite(&'a self) -> CipherSuite {
        self.conversation().await.ciphersuite()
    }

    /// Returns the credential ref to a credential of a given conversation
    async fn credential_ref(&'a self) -> Result<CredentialRef> {
        let inner = self.conversation().await;
        let session = self.session().await?;
        let credential = inner
            .find_current_credential(&session)
            .await
            .map_err(|_| Error::IdentityInitializationError)?;
        Ok(CredentialRef::from_credential(&credential))
    }

    /// Derives a new key from the one in the group, to be used elsewhere.
    ///
    /// # Arguments
    /// * `key_length` - the length of the key to be derived. If the value is higher than the bounds of `u16` or the
    ///   context hash * 255, an error will be returned
    ///
    /// # Errors
    /// OpenMls secret generation error
    async fn export_secret_key(&'a self, key_length: usize) -> Result<SecretKey> {
        const EXPORTER_LABEL: &str = "exporter";
        const EXPORTER_CONTEXT: &[u8] = &[];
        let backend = self.crypto_provider().await?;
        let inner = self.conversation().await;
        inner
            .group()
            .export_secret(&backend, EXPORTER_LABEL, EXPORTER_CONTEXT, key_length)
            .map(Into::into)
            .map_err(MlsError::wrap("exporting secret key"))
            .map_err(Into::into)
    }

    /// Exports the clients from a conversation
    ///
    /// # Arguments
    /// * `conversation_id` - the group/conversation id
    async fn get_client_ids(&'a self) -> Vec<ClientId> {
        let inner = self.conversation().await;
        inner
            .group()
            .members()
            .map(|kp| ClientId::from(kp.credential.identity().to_owned()))
            .collect()
    }

    /// Returns the raw public key of the single external sender present in this group.
    /// This should be used to initialize a subconversation
    async fn get_external_sender(&'a self) -> Result<ExternalSenderKey> {
        let inner = self.conversation().await;
        let ext_senders = inner
            .group()
            .group_context_extensions()
            .external_senders()
            .ok_or(Error::MissingExternalSenderExtension)?;
        let ext_sender = ext_senders.first().ok_or(Error::MissingExternalSenderExtension)?;
        let ext_sender_public_key = ext_sender.signature_key().as_slice().to_vec().into();
        Ok(ext_sender_public_key)
    }

    /// Indicates when to mark a conversation as not verified i.e. when not all its members have a X509
    /// Credential generated by Wire's end-to-end identity enrollment
    async fn e2ei_conversation_state(&'a self) -> Result<E2eiConversationState> {
        let backend = self.crypto_provider().await?;
        let authentication_service = backend.authentication_service();
        authentication_service.refresh_time_of_interest().await;
        let inner = self.conversation().await;
        let state = Session::<Database>::compute_conversation_state(
            inner.ciphersuite(),
            inner.group.members_credentials(),
            CredentialType::X509,
            authentication_service.borrow().await.as_ref(),
        )
        .await;
        Ok(state)
    }

    /// From a given conversation, get the identity of the members supplied. Identity is only present for
    /// members with a Certificate Credential (after turning on end-to-end identity).
    /// If no member has a x509 certificate, it will return an empty Vec
    async fn get_device_identities(
        &'a self,
        device_ids: &[impl Borrow<ClientIdRef> + Sync],
    ) -> Result<Vec<WireIdentity>> {
        if device_ids.is_empty() {
            return Err(Error::CallerError(
                "This function accepts a list of IDs as a parameter, but that list was empty.",
            ));
        }
        let mls_provider = self.crypto_provider().await?;
        let auth_service = mls_provider.authentication_service();
        auth_service.refresh_time_of_interest().await;
        let auth_service = auth_service.borrow().await;
        let env = auth_service.as_ref();
        let conversation = self.conversation().await;
        conversation
            .members_with_key()
            .into_iter()
            .filter(|(id, _)| device_ids.iter().any(|client_id| client_id.borrow() == id))
            .map(|(_, c)| {
                c.extract_identity(conversation.ciphersuite(), env)
                    .map_err(RecursiveError::mls_credential("extracting identity"))
            })
            .collect::<Result<Vec<_>, _>>()
            .map_err(Into::into)
    }

    /// From a given conversation, get the identity of the users (device holders) supplied.
    /// Identity is only present for devices with a Certificate Credential (after turning on end-to-end identity).
    /// If no member has a x509 certificate, it will return an empty Vec.
    ///
    /// Returns a Map with all the identities for a given users. Consumers are then recommended to
    /// reduce those identities to determine the actual status of a user.
    async fn get_user_identities(&'a self, user_ids: &[String]) -> Result<HashMap<String, Vec<WireIdentity>>> {
        if user_ids.is_empty() {
            return Err(Error::CallerError(
                "This function accepts a list of IDs as a parameter, but that list was empty.",
            ));
        }
        let mls_provider = self.crypto_provider().await?;
        let auth_service = mls_provider.authentication_service();
        auth_service.refresh_time_of_interest().await;
        let auth_service = auth_service.borrow().await;
        let env = auth_service.as_ref();
        let conversation = self.conversation().await;
        let user_ids = user_ids.iter().map(|uid| uid.as_bytes()).collect::<Vec<_>>();

        conversation
            .members_with_key()
            .iter()
            .filter_map(|(id, c)| UserId::try_from(id.as_slice()).ok().zip(Some(c)))
            .filter(|(uid, _)| user_ids.contains(uid))
            .map(|(uid, c)| {
                let uid = String::try_from(uid).map_err(RecursiveError::mls_client("getting user identities"))?;
                let identity = c
                    .extract_identity(conversation.ciphersuite(), env)
                    .map_err(RecursiveError::mls_credential("extracting identity"))?;
                Ok((uid, identity))
            })
            .process_results(|iter| iter.into_group_map())
    }

    /// Generate a new [`crate::HistorySecret`].
    ///
    /// This is useful when it's this client's turn to generate a new history client.
    ///
    /// The generated secret is cryptographically unrelated to the current CoreCrypto client.
    async fn generate_history_secret(&'a self) -> Result<crate::HistorySecret> {
        let ciphersuite = self.ciphersuite().await;
        crate::ephemeral::generate_history_secret(ciphersuite)
            .await
            .map_err(RecursiveError::root("generating history secret"))
            .map_err(Into::into)
    }

    /// Check if history sharing is enabled, i.e., if any of the conversation members have a [ClientId] starting
    /// with [crate::HISTORY_CLIENT_ID_PREFIX].
    async fn is_history_sharing_enabled(&'a self) -> bool {
        self.get_client_ids()
            .await
            .iter()
            .any(|client_id| client_id.starts_with(crate::ephemeral::HISTORY_CLIENT_ID_PREFIX.as_bytes()))
    }
}

impl<'a, T: ConversationWithMls<'a>> Conversation<'a> for T {}

/// This is a wrapper on top of the OpenMls's [MlsGroup], that provides Core Crypto specific functionality
///
/// This type will store the state of a group. With the [MlsGroup] it holds, it provides all
/// operations that can be done in a group, such as creating proposals and commits.
/// More information [here](https://messaginglayersecurity.rocks/mls-architecture/draft-ietf-mls-architecture.html#name-general-setting)
#[derive(Debug)]
pub struct MlsConversation {
    pub(crate) id: ConversationId,
    pub(crate) group: MlsGroup,
    configuration: MlsConversationConfiguration,
}

impl MlsConversation {
    /// Creates a new group/conversation
    pub async fn create(
        id: ConversationId,
        provider: &MlsCryptoProvider,
        database: &Database,
        credential_ref: &CredentialRef,
        configuration: MlsConversationConfiguration,
    ) -> Result<Self> {
        let credential = credential_ref
            .load(database)
            .await
            .map_err(RecursiveError::mls_credential_ref("getting credential"))?;

        let group = MlsGroup::new_with_group_id(
            provider,
            &credential.signature_key_pair,
            &configuration.as_openmls_default_configuration()?,
            openmls::prelude::GroupId::from_slice(id.as_ref()),
            credential.to_mls_credential_with_key(),
        )
        .await
        .map_err(MlsError::wrap("creating group with id"))?;

        let mut conversation = Self {
            id,
            group,
            configuration,
        };

        conversation.persist_group_when_changed(database, true).await?;

        Ok(conversation)
    }

    /// Internal API: create a group from an existing conversation. For example by external commit
    pub(crate) async fn from_mls_group(
        group: MlsGroup,
        configuration: MlsConversationConfiguration,
        database: &Database,
    ) -> Result<Self> {
        let id = ConversationId::from(group.group_id().as_slice());

        let mut conversation = Self {
            id,
            group,
            configuration,
        };

        conversation.persist_group_when_changed(database, true).await?;

        Ok(conversation)
    }

    /// Group/conversation id
    pub fn id(&self) -> &ConversationId {
        &self.id
    }

    pub(crate) fn group(&self) -> &MlsGroup {
        &self.group
    }

    /// Get actual group members and subtract pending remove proposals
    pub fn members_in_next_epoch(&self) -> Vec<ClientId> {
        let pending_removals = self.pending_removals();
        let existing_clients = self
            .group
            .members()
            .filter_map(|kp| {
                if !pending_removals.contains(&kp.index) {
                    Some(kp.credential.identity().to_owned().into())
                } else {
                    trace!(client_index:% = kp.index; "Client is pending removal");
                    None
                }
            })
            .collect::<HashSet<_>>();
        existing_clients.into_iter().collect()
    }

    /// Gather pending remove proposals
    fn pending_removals(&self) -> Vec<LeafNodeIndex> {
        self.group
            .pending_proposals()
            .filter_map(|proposal| match proposal.proposal() {
                Proposal::Remove(remove) => Some(remove.removed()),
                _ => None,
            })
            .collect::<Vec<_>>()
    }

    pub(crate) fn ciphersuite(&self) -> CipherSuite {
        self.configuration.ciphersuite
    }

    fn extract_own_updated_node_from_proposals<'a>(
        own_index: &LeafNodeIndex,
        pending_proposals: impl Iterator<Item = &'a QueuedProposal>,
    ) -> Option<&'a LeafNode> {
        pending_proposals
            .filter_map(|proposal| {
                if let Sender::Member(index) = proposal.sender()
                    && index == own_index
                    && let Proposal::Update(update_proposal) = proposal.proposal()
                {
                    return Some(update_proposal.leaf_node());
                }
                None
            })
            .last()
    }

    async fn find_credential_for_leaf_node(
        &self,
        session: &Session<Database>,
        leaf_node: &LeafNode,
    ) -> Result<Arc<Credential>> {
        let credential = session
            .find_credential_by_public_key(leaf_node.signature_key())
            .await
            .map_err(RecursiveError::mls_client("finding current credential"))?;
        Ok(credential)
    }

    pub(crate) async fn find_current_credential(&self, client: &Session<Database>) -> Result<Arc<Credential>> {
        // if the group has pending proposals one of which is an own update proposal, we should take the credential from
        // there.
        let own_leaf = Self::extract_own_updated_node_from_proposals(
            &self.group().own_leaf_index(),
            self.group().pending_proposals(),
        )
        .or_else(|| self.group.own_leaf())
        .ok_or(LeafError::InternalMlsError)?;
        self.find_credential_for_leaf_node(client, own_leaf).await
    }
}

#[cfg(test)]
pub mod test_utils {
    use openmls::prelude::SignaturePublicKey;

    use super::*;

    impl MlsConversation {
        pub fn signature_keys(&self) -> impl Iterator<Item = SignaturePublicKey> + '_ {
            self.group
                .members()
                .map(|m| m.signature_key)
                .map(|mpk| SignaturePublicKey::from(mpk.as_slice()))
        }

        pub fn encryption_keys(&self) -> impl Iterator<Item = Vec<u8>> + '_ {
            self.group.members().map(|m| m.encryption_key)
        }

        pub fn extensions(&self) -> &openmls::prelude::Extensions {
            self.group.export_group_context().extensions()
        }
    }
}

#[cfg(test)]
mod tests {
    use super::*;
    use crate::test_utils::*;

    #[apply(all_cred_cipher)]
    pub async fn create_self_conversation_should_succeed(case: TestContext) {
        let [alice] = case.sessions().await;
        Box::pin(async move {
            let conversation = case.create_conversation([&alice]).await;
            assert_eq!(1, conversation.member_count().await);
            let alice_can_send_message = conversation.guard().await.encrypt_message(b"me").await;
            assert!(alice_can_send_message.is_ok());
        })
        .await;
    }

    #[apply(all_cred_cipher)]
    pub async fn create_1_1_conversation_should_succeed(case: TestContext) {
        let [alice, bob] = case.sessions().await;
        Box::pin(async move {
            let conversation = case.create_conversation([&alice, &bob]).await;
            assert_eq!(2, conversation.member_count().await);
            assert!(conversation.is_functional_and_contains([&alice, &bob]).await);
        })
        .await;
    }

    #[apply(all_cred_cipher)]
    pub async fn create_many_people_conversation(case: TestContext) {
        const SIZE_PLUS_1: usize = GROUP_SAMPLE_SIZE + 1;
        let alice_and_friends = case.sessions::<SIZE_PLUS_1>().await;
        Box::pin(async move {
            let alice = &alice_and_friends[0];
            let conversation = case.create_conversation([alice]).await;

            let bob_and_friends = &alice_and_friends[1..];
            let conversation = conversation.invite_notify(bob_and_friends).await;

            assert_eq!(conversation.member_count().await, 1 + GROUP_SAMPLE_SIZE);
            assert!(conversation.is_functional_and_contains(&alice_and_friends).await);
        })
        .await;
    }

    mod wire_identity_getters {
        use super::Error;
        use crate::{
            ClientId, CredentialType, DeviceStatus, E2eiConversationState, mls::conversation::Conversation,
            test_utils::*,
        };

        async fn all_identities_check<'a, C, const N: usize>(
            conversation: &'a C,
            user_ids: &[String; N],
            expected_sizes: [usize; N],
        ) where
            C: Conversation<'a> + Sync,
        {
            let all_identities = conversation.get_user_identities(user_ids).await.unwrap();
            assert_eq!(all_identities.len(), N);
            for (expected_size, user_id) in expected_sizes.into_iter().zip(user_ids.iter()) {
                let alice_identities = all_identities.get(user_id).unwrap();
                assert_eq!(alice_identities.len(), expected_size);
            }
            // Not found
            let not_found = conversation
                .get_user_identities(&["aaaaaaaaaaaaa".to_string()])
                .await
                .unwrap();
            assert!(not_found.is_empty());

            // Invalid usage
            let invalid = conversation.get_user_identities(&[]).await;
            assert!(matches!(invalid.unwrap_err(), Error::CallerError(_)));
        }

        async fn check_identities_device_status<'a, C, const N: usize>(
            conversation: &'a C,
            client_ids: &[ClientId; N],
            name_status: &[(impl ToString, DeviceStatus); N],
        ) where
            C: Conversation<'a> + Sync,
        {
            let mut identities = conversation.get_device_identities(client_ids).await.unwrap();

            for (user_name, status) in name_status.iter() {
                let client_identity = identities.remove(
                    identities
                        .iter()
                        .position(|i| i.x509_identity.as_ref().unwrap().display_name == user_name.to_string())
                        .unwrap(),
                );
                assert_eq!(client_identity.status, *status);
            }
            assert!(identities.is_empty());

            assert_eq!(
                conversation.e2ei_conversation_state().await.unwrap(),
                E2eiConversationState::NotVerified
            );
        }

        #[macro_rules_attribute::apply(smol_macros::test)]
        async fn should_read_device_identities() {
            let case = TestContext::default_x509();

            let [alice_android, alice_ios] = case.sessions().await;
            Box::pin(async move {
                let conversation = case.create_conversation([&alice_android, &alice_ios]).await;

                let (android_id, ios_id) = (alice_android.get_client_id().await, alice_ios.get_client_id().await);

                let mut android_ids = conversation
                    .guard()
                    .await
                    .get_device_identities(&[android_id.clone(), ios_id.clone()])
                    .await
                    .unwrap();
                android_ids.sort_by(|a, b| a.client_id.cmp(&b.client_id));
                assert_eq!(android_ids.len(), 2);
                let mut ios_ids = conversation
                    .guard_of(&alice_ios)
                    .await
                    .get_device_identities(&[android_id.clone(), ios_id.clone()])
                    .await
                    .unwrap();
                ios_ids.sort_by(|a, b| a.client_id.cmp(&b.client_id));
                assert_eq!(ios_ids.len(), 2);

                assert_eq!(android_ids, ios_ids);

                let android_identities = conversation
                    .guard()
                    .await
                    .get_device_identities(&[android_id])
                    .await
                    .unwrap();
                let android_id = android_identities.first().unwrap();
                assert_eq!(
                    android_id.client_id.as_bytes(),
                    alice_android.transaction.client_id().await.unwrap().0.as_slice()
                );

                let ios_identities = conversation
                    .guard()
                    .await
                    .get_device_identities(&[ios_id])
                    .await
                    .unwrap();
                let ios_id = ios_identities.first().unwrap();
                assert_eq!(
                    ios_id.client_id.as_bytes(),
                    alice_ios.transaction.client_id().await.unwrap().0.as_slice()
                );

                let empty_slice: &[ClientId] = &[];
                let invalid = conversation.guard().await.get_device_identities(empty_slice).await;
                assert!(matches!(invalid.unwrap_err(), Error::CallerError(_)));
            })
            .await
        }

        // TODO: ignore this test for now, until we rework the test suite & CRL handling (WPB-19580).
        #[ignore]
        #[macro_rules_attribute::apply(smol_macros::test)]
        async fn should_read_revoked_device() {
            let case = TestContext::default_x509();
            let rupert_user_id = uuid::Uuid::new_v4();
            let bob_user_id = uuid::Uuid::new_v4();
            let alice_user_id = uuid::Uuid::new_v4();

            let [rupert_client_id] = case.x509_client_ids_for_user(&rupert_user_id);
            let [alice_client_id] = case.x509_client_ids_for_user(&alice_user_id);
            let [bob_client_id] = case.x509_client_ids_for_user(&bob_user_id);

            let sessions = case
                .sessions_x509_with_client_ids_and_revocation(
                    [alice_client_id.clone(), bob_client_id.clone(), rupert_client_id.clone()],
                    &[rupert_user_id.to_string()],
                )
                .await;

            Box::pin(async move {
                let [alice, bob, rupert] = &sessions;
                let conversation = case.create_conversation(&sessions).await;

                let (alice_id, bob_id, rupert_id) = (
                    alice.get_client_id().await,
                    bob.get_client_id().await,
                    rupert.get_client_id().await,
                );

                let client_ids = [alice_id, bob_id, rupert_id];
                let name_status = [
                    (alice_user_id, DeviceStatus::Valid),
                    (bob_user_id, DeviceStatus::Valid),
                    (rupert_user_id, DeviceStatus::Revoked),
                ];

                // Do it a multiple times to avoid WPB-6904 happening again
                for _ in 0..2 {
                    for session in sessions.iter() {
                        let conversation = conversation.guard_of(session).await;
                        check_identities_device_status(&conversation, &client_ids, &name_status).await;
                    }
                }
            })
            .await
        }

        #[macro_rules_attribute::apply(smol_macros::test)]
        async fn should_not_fail_when_basic() {
            let case = TestContext::default();

            let [alice_android, alice_ios] = case.sessions().await;
            Box::pin(async move {
                let conversation = case.create_conversation([&alice_android, &alice_ios]).await;

                let (android_id, ios_id) = (alice_android.get_client_id().await, alice_ios.get_client_id().await);

                let mut android_ids = conversation
                    .guard()
                    .await
                    .get_device_identities(&[android_id.clone(), ios_id.clone()])
                    .await
                    .unwrap();
                android_ids.sort();

                let mut ios_ids = conversation
                    .guard_of(&alice_ios)
                    .await
                    .get_device_identities(&[android_id, ios_id])
                    .await
                    .unwrap();
                ios_ids.sort();

                assert_eq!(ios_ids.len(), 2);
                assert_eq!(ios_ids, android_ids);

                assert!(ios_ids.iter().all(|i| {
                    matches!(i.credential_type, CredentialType::Basic)
                        && matches!(i.status, DeviceStatus::Valid)
                        && i.x509_identity.is_none()
                        && !i.thumbprint.is_empty()
                        && !i.client_id.is_empty()
                }));
            })
            .await
        }

        #[macro_rules_attribute::apply(smol_macros::test)]
        async fn should_read_users() {
            let case = TestContext::default_x509();
            let [alice_android, alice_ios] = case.x509_client_ids_for_user(&uuid::Uuid::new_v4());
            let [bob_android] = case.x509_client_ids();

            let sessions = case
                .sessions_x509_with_client_ids([alice_android, alice_ios, bob_android])
                .await;

            Box::pin(async move {
                let conversation = case.create_conversation(&sessions).await;

                let nb_members = conversation.member_count().await;
                assert_eq!(nb_members, 3);

                let [alice_android, alice_ios, bob_android] = &sessions;
                assert_eq!(alice_android.get_user_id().await, alice_ios.get_user_id().await);

                // Finds both Alice's devices
                let alice_user_id = alice_android.get_user_id().await;
                let alice_identities = conversation
                    .guard()
                    .await
                    .get_user_identities(std::slice::from_ref(&alice_user_id))
                    .await
                    .unwrap();
                assert_eq!(alice_identities.len(), 1);
                let identities = alice_identities.get(&alice_user_id).unwrap();
                assert_eq!(identities.len(), 2);

                // Finds Bob only device
                let bob_user_id = bob_android.get_user_id().await;
                let bob_identities = conversation
                    .guard()
                    .await
                    .get_user_identities(std::slice::from_ref(&bob_user_id))
                    .await
                    .unwrap();
                assert_eq!(bob_identities.len(), 1);
                let identities = bob_identities.get(&bob_user_id).unwrap();
                assert_eq!(identities.len(), 1);

                let user_ids = [alice_user_id, bob_user_id];
                let expected_sizes = [2, 1];

                for session in &sessions {
                    all_identities_check(&conversation.guard_of(session).await, &user_ids, expected_sizes).await;
                }
            })
            .await
        }
    }

    mod export_secret {
        use openmls::prelude::ExportSecretError;

        use super::*;
        use crate::MlsErrorKind;

        #[apply(all_cred_cipher)]
        pub async fn can_export_secret_key(case: TestContext) {
            let [alice] = case.sessions().await;
            Box::pin(async move {
                let conversation = case.create_conversation([&alice]).await;

                let key_length = 128;
                let result = conversation.guard().await.export_secret_key(key_length).await;
                assert!(result.is_ok());
                assert_eq!(result.unwrap().len(), key_length);
            })
            .await
        }

        #[apply(all_cred_cipher)]
        pub async fn cannot_export_secret_key_invalid_length(case: TestContext) {
            let [alice] = case.sessions().await;
            Box::pin(async move {
                let conversation = case.create_conversation([&alice]).await;

                let result = conversation.guard().await.export_secret_key(usize::MAX).await;
                let error = result.unwrap_err();
                assert!(innermost_source_matches!(
                    error,
                    MlsErrorKind::MlsExportSecretError(ExportSecretError::KeyLengthTooLong)
                ));
            })
            .await
        }
    }

    mod get_client_ids {
        use super::*;

        #[apply(all_cred_cipher)]
        pub async fn can_get_client_ids(case: TestContext) {
            let [alice, bob] = case.sessions().await;
            Box::pin(async move {
                let conversation = case.create_conversation([&alice]).await;

                assert_eq!(conversation.guard().await.get_client_ids().await.len(), 1);

                let conversation = conversation.invite_notify([&bob]).await;

                assert_eq!(conversation.guard().await.get_client_ids().await.len(), 2);
            })
            .await
        }
    }

    mod external_sender {
        use super::*;

        #[apply(all_cred_cipher)]
        pub async fn should_fetch_ext_sender(mut case: TestContext) {
            let [alice, external_sender] = case.sessions().await;
            Box::pin(async move {
                use core_crypto_keystore::Sha256Hash;

                let conversation = case
                    .create_conversation_with_external_sender(&external_sender, [&alice])
                    .await;

                let alice_ext_sender = conversation.guard().await.get_external_sender().await.unwrap();
                assert!(!alice_ext_sender.is_empty());
                assert_eq!(
                    Sha256Hash::hash_from(alice_ext_sender),
                    external_sender.initial_credential.public_key_hash()
                );
            })
            .await
        }
    }
}