fix: Switch to original Hocuri's group membership consistency algo (#3782)(#4624)

[iequidoo]

• If we don't know the parent (=In-Reply-To) message, then completely recreate the group member list
  (i.e. use the member list of the incoming message) (because we assume that we missed some messages
  & have a wrong group state).
• If the message has a "Chat-Group-Member-Removed: member@example.com" header, then remove this
  member.
• If the message has a "Chat-Group-Member-Added: member@example.com" header, then add this member.

That means:

• Remove checks for the presense of ContactId::SELF in the group. Thus all recipients of a message
  take the same decision about group membership changes, no matter if they are in the group
  currently. This fixes a situation when a recipient thinks it's not a member because it missed a
  message about its addition before.
  NOTE: But always recreate membership list if SELF has been added. The current/older versions of DC
  don't always set "In-Reply-To" to the latest message they sent (it depends on timings), so we need
  this heuristic currently.
• Recreate the group member list if we don't know the parent (=In-Reply-To) message, even if the
  sender isn't in the group as per our view, because we missed some messages and our view may be
  stale.

[iequidoo]

test_synchronize_member_list_on_group_rejoin() fails. The problem is that the current logic wrt setting In-Reply-To header has a race, if i change the test as follows:

--- a/python/tests/test_0_complex_or_slow.py                                                                                                                                                                         
+++ b/python/tests/test_0_complex_or_slow.py                                                                                                                                                                         
@@ -104,9 +104,11 @@ def test_synchronize_member_list_on_group_rejoin(self, acfactory, lp):                                                                                                                          
                                                                                                                                                                                                                     
         lp.sec("ac2: wait for a message about removal from the chat")                                                                                                                                               
         msg = ac2._evtracker.wait_next_incoming_message()                                                                                                                                                           
+        msg = ac3._evtracker.wait_next_incoming_message()                                                                                                                                                           
                                                                                                                                                                                                                     
         lp.sec("ac1: removing ac3")                                                                                                                                                                                 
         chat.remove_contact(ac3)                                                                                                                                                                                    
+        msg = ac3._evtracker.wait_next_incoming_message()                                                                                                                                                           
                                                                                                                                                                                                                     
         lp.sec("ac1: adding ac2 back")                                                                                                                                                                              
         # Group is promoted, message is sent automatically

, then it passes. Otherwise ac2 receives a message containing in In-Reply-To the message about the removal of itself (not ac3!), i.e. the known message, and doesn't rebuild the group member list. I'll make a workaround for that, otherwise the new algo won't work with the current/older versions of DC.

[iequidoo]

So, i need to bring back this check for SELF-addition, but it's the only place where this heuristic is needed. If In-Reply-To will always point to the latest message, this check could be removed someday.

[iequidoo]

Added 2 tests. Both fail for the previous algo

[link2xt]

Reference to the algorithm: #3782 (comment)

#4624 is already fixed with #4638

[link2xt]

What does "current/older versions" means, isn't it the same as "all versions"?

[iequidoo]

"current/older" doesn't include "future" versions :) I'm going to debug this. Looks like we're setting In-Reply-To to the Message-Id of the last successfully sent message, and the race occurs while the previous message is still being sent. If so, probably we need to carry in the new message a diff (wrt Chat-Group-Member-Added/Removed headers) to the referenced message, not to the message that is still being sent, i.e. to accumulate changes

[link2xt]

But once it is merged, the comment becomes outdated because it becomes the "current" version.

The bug is the same or related to #4676 I guess, maybe better merge a fix for it first so there could be a reference to exact version which is buggy.

[iequidoo]

Looks related, yes, but not sure it's the same. Will try to reproduce #4676 with the fix i added here. It's a couple of LOCs, but i should move it to a separate commit

[iequidoo]

So, this makes the w/a with self_added check necessary only for the older DC versions. Checked by hand with test_0_complex_or_slow.py::TestGroupStressTests::test_synchronize_member_list_on_group_rejoin

[link2xt]

LGTM, especially the tests make sense so there is some progress/improvement.

There is a small comment regarding the possibility of easily adding self to the group from which the user was previously removed, but I suggest merging this PR as is and only trying to fix this in a follow up PR if at all to avoid "security" discussions from blocking this PR and keeping it unmerged.

[link2xt]

Allowing someone who is not a member of the chat to modify it seems a bit dangerous.

This condition (recreate_member_list && !is_from_in_chat) is true if either self_added is true (which simply means that there is a ChatGroupMemberAdded header with our address, can be easily forged) or there is an InReplyTo pointing to unknown Message-ID (could also be easily forged, just put random string into InReplyTo).

Probably not a big deal because user can keep sending messages to all old group members anyway (e.g. from Thunderbird it is easy), the only security implication is that once someone replies to the chat they will leak who was added to the group after the user was removed.

[iequidoo]

Before this PR it's also possible for non-members of the chat to modify it, but not to recreate the member list completely. F.e. using the Chat-Group-Member-Added header. Was it done intentionally, @Septias, maybe you know? Maybe we should think more and either allow this or prohibit completely

[iequidoo]

Looks like it's just a missed check. But we can merge this PR which just makes the behaviour consistent and then open another one prohibiting chat modifications by non-members completely, e.g. just adding an additional check directly to allow_member_list_changes, to continue the discussion