Merge pull request #6703 from vector-im/feature/bca/crosssigning_reset_warning

warn on cross signing reset

changelog.d/6702.bugfix

@@ -0,0 +1 @@
+Add Warning shield when a user previously verified rotated their cross signing keys

dependencies.gradle

@@ -167,7 +167,8 @@ ext.libs = [
         tests       : [
                 'kluent'                 : "org.amshove.kluent:kluent-android:1.68",
                 'timberJunitRule'        : "net.lachlanmckee:timber-junit-rule:1.0.1",
-                'junit'                  : "junit:junit:4.13.2"
+                'junit'                  : "junit:junit:4.13.2",
+                'robolectric'            : "org.robolectric:robolectric:4.8",
         ]
 ]
 

matrix-sdk-android/src/androidTest/java/org/matrix/android/sdk/common/CryptoTestHelper.kt

@@ -365,7 +365,7 @@ class CryptoTestHelper(val testHelper: CommonTestHelper) {
         }
 
         testHelper.retryPeriodically {
-            alice.cryptoService().crossSigningService().isUserTrusted(bob.myUserId)
+            bob.cryptoService().crossSigningService().isUserTrusted(alice.myUserId)
         }
     }
 

matrix-sdk-android/src/androidTest/java/org/matrix/android/sdk/internal/crypto/crosssigning/XSigningTest.kt

@@ -25,7 +25,6 @@ import org.junit.Assert.assertNull
 import org.junit.Assert.assertTrue
 import org.junit.Assert.fail
 import org.junit.FixMethodOrder
-import org.junit.Ignore
 import org.junit.Test
 import org.junit.runner.RunWith
 import org.junit.runners.MethodSorters
@@ -42,13 +41,13 @@ import org.matrix.android.sdk.common.CommonTestHelper.Companion.runCryptoTest
 import org.matrix.android.sdk.common.CommonTestHelper.Companion.runSessionTest
 import org.matrix.android.sdk.common.SessionTestParams
 import org.matrix.android.sdk.common.TestConstants
+import timber.log.Timber
 import kotlin.coroutines.Continuation
 import kotlin.coroutines.resume
 
 @RunWith(AndroidJUnit4::class)
 @FixMethodOrder(MethodSorters.NAME_ASCENDING)
 @LargeTest
-@Ignore
 class XSigningTest : InstrumentedTest {
 
     @Test
@@ -214,4 +213,104 @@ class XSigningTest : InstrumentedTest {
         val result = aliceSession.cryptoService().crossSigningService().checkDeviceTrust(bobUserId, bobSecondDeviceId, null)
         assertTrue("Bob second device should be trusted from alice POV", result.isCrossSignedVerified())
     }
+
+    @Test
+    fun testWarnOnCrossSigningReset() = runCryptoTest(context()) { cryptoTestHelper, testHelper ->
+        val cryptoTestData = cryptoTestHelper.doE2ETestWithAliceAndBobInARoom()
+
+        val aliceSession = cryptoTestData.firstSession
+        val bobSession = cryptoTestData.secondSession
+
+        val aliceAuthParams = UserPasswordAuth(
+                user = aliceSession.myUserId,
+                password = TestConstants.PASSWORD
+        )
+        val bobAuthParams = UserPasswordAuth(
+                user = bobSession!!.myUserId,
+                password = TestConstants.PASSWORD
+        )
+
+        testHelper.waitForCallback<Unit> {
+            aliceSession.cryptoService().crossSigningService().initializeCrossSigning(object : UserInteractiveAuthInterceptor {
+                override fun performStage(flowResponse: RegistrationFlowResponse, errCode: String?, promise: Continuation<UIABaseAuth>) {
+                    promise.resume(aliceAuthParams)
+                }
+            }, it)
+        }
+        testHelper.waitForCallback<Unit> {
+            bobSession.cryptoService().crossSigningService().initializeCrossSigning(object : UserInteractiveAuthInterceptor {
+                override fun performStage(flowResponse: RegistrationFlowResponse, errCode: String?, promise: Continuation<UIABaseAuth>) {
+                    promise.resume(bobAuthParams)
+                }
+            }, it)
+        }
+
+        cryptoTestHelper.verifySASCrossSign(aliceSession, bobSession, cryptoTestData.roomId)
+
+        testHelper.retryPeriodically {
+            aliceSession.cryptoService().crossSigningService().isUserTrusted(bobSession.myUserId)
+        }
+
+        testHelper.retryPeriodically {
+            aliceSession.cryptoService().crossSigningService().checkUserTrust(bobSession.myUserId).isVerified()
+        }
+
+        aliceSession.cryptoService()
+        // Ensure also that bob device is trusted
+        testHelper.retryPeriodically {
+            val deviceInfo = aliceSession.cryptoService().getUserDevices(bobSession.myUserId).firstOrNull()
+            Timber.v("#TEST device:${deviceInfo?.shortDebugString()} trust ${deviceInfo?.trustLevel}")
+            deviceInfo?.trustLevel?.crossSigningVerified == true
+        }
+
+        val currentBobMSK = aliceSession.cryptoService().crossSigningService()
+                .getUserCrossSigningKeys(bobSession.myUserId)!!
+                .masterKey()!!.unpaddedBase64PublicKey!!
+
+        testHelper.waitForCallback<Unit> {
+            bobSession.cryptoService().crossSigningService().initializeCrossSigning(object : UserInteractiveAuthInterceptor {
+                override fun performStage(flowResponse: RegistrationFlowResponse, errCode: String?, promise: Continuation<UIABaseAuth>) {
+                    promise.resume(bobAuthParams)
+                }
+            }, it)
+        }
+
+        testHelper.retryPeriodically {
+            val newBobMsk = aliceSession.cryptoService().crossSigningService()
+                    .getUserCrossSigningKeys(bobSession.myUserId)
+                    ?.masterKey()?.unpaddedBase64PublicKey
+            newBobMsk != null && newBobMsk != currentBobMSK
+        }
+
+        // trick to force event to sync
+        bobSession.roomService().getRoom(cryptoTestData.roomId)!!.typingService().userIsTyping()
+
+        // assert that bob is not trusted anymore from alice s
+        testHelper.retryPeriodically {
+            val trust = aliceSession.cryptoService().crossSigningService().checkUserTrust(bobSession.myUserId)
+            !trust.isVerified()
+        }
+
+        // trick to force event to sync
+        bobSession.roomService().getRoom(cryptoTestData.roomId)!!.typingService().userStopsTyping()
+        bobSession.roomService().getRoom(cryptoTestData.roomId)!!.typingService().userIsTyping()
+
+        testHelper.retryPeriodically {
+            val info = aliceSession.cryptoService().crossSigningService().getUserCrossSigningKeys(bobSession.myUserId)
+            info?.wasTrustedOnce == true
+        }
+
+        // trick to force event to sync
+        bobSession.roomService().getRoom(cryptoTestData.roomId)!!.typingService().userStopsTyping()
+        bobSession.roomService().getRoom(cryptoTestData.roomId)!!.typingService().userIsTyping()
+
+        testHelper.retryPeriodically {
+            !aliceSession.cryptoService().crossSigningService().isUserTrusted(bobSession.myUserId)
+        }
+
+        // Ensure also that bob device are not trusted
+        testHelper.retryPeriodically {
+            aliceSession.cryptoService().getUserDevices(bobSession.myUserId).first().trustLevel?.crossSigningVerified != true
+        }
+    }
 }

matrix-sdk-android/src/main/java/org/matrix/android/sdk/api/session/crypto/crosssigning/MXCrossSigningInfo.kt

@@ -18,7 +18,8 @@ package org.matrix.android.sdk.api.session.crypto.crosssigning
 
 data class MXCrossSigningInfo(
         val userId: String,
-        val crossSigningKeys: List<CryptoCrossSigningKey>
+        val crossSigningKeys: List<CryptoCrossSigningKey>,
+        val wasTrustedOnce: Boolean
 ) {
 
     fun isTrusted(): Boolean = masterKey()?.trustLevel?.isVerified() == true &&

matrix-sdk-android/src/main/java/org/matrix/android/sdk/api/session/crypto/model/UserVerificationLevel.kt

@@ -0,0 +1,28 @@
+/*
+ * Copyright 2022 The Matrix.org Foundation C.I.C.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.matrix.android.sdk.api.session.crypto.model
+
+enum class UserVerificationLevel {
+
+    VERIFIED_ALL_DEVICES_TRUSTED,
+
+    VERIFIED_WITH_DEVICES_UNTRUSTED,
+
+    UNVERIFIED_BUT_WAS_PREVIOUSLY,
+
+    WAS_NEVER_VERIFIED,
+}

matrix-sdk-android/src/main/java/org/matrix/android/sdk/internal/crypto/crosssigning/DefaultCrossSigningService.kt

@@ -60,7 +60,7 @@ import javax.inject.Inject
 
 @SessionScope
 internal class DefaultCrossSigningService @Inject constructor(
-        @UserId private val userId: String,
+        @UserId private val myUserId: String,
         @SessionId private val sessionId: String,
         private val cryptoStore: IMXCryptoStore,
         private val deviceListManager: DeviceListManager,
@@ -127,7 +127,7 @@ internal class DefaultCrossSigningService @Inject constructor(
                 }
 
                 // Recover local trust in case private key are there?
-                setUserKeysAsTrusted(userId, checkUserTrust(userId).isVerified())
+                setUserKeysAsTrusted(myUserId, checkUserTrust(myUserId).isVerified())
             }
         } catch (e: Throwable) {
             // Mmm this kind of a big issue
@@ -167,9 +167,13 @@ internal class DefaultCrossSigningService @Inject constructor(
                 }
 
                 override fun onSuccess(data: InitializeCrossSigningTask.Result) {
-                    val crossSigningInfo = MXCrossSigningInfo(userId, listOf(data.masterKeyInfo, data.userKeyInfo, data.selfSignedKeyInfo))
+                    val crossSigningInfo = MXCrossSigningInfo(
+                            myUserId,
+                            listOf(data.masterKeyInfo, data.userKeyInfo, data.selfSignedKeyInfo),
+                            true
+                    )
                     cryptoStore.setMyCrossSigningInfo(crossSigningInfo)
-                    setUserKeysAsTrusted(userId, true)
+                    setUserKeysAsTrusted(myUserId, true)
                     cryptoStore.storePrivateKeysInfo(data.masterKeyPK, data.userKeyPK, data.selfSigningKeyPK)
                     crossSigningOlm.masterPkSigning = OlmPkSigning().apply { initWithSeed(data.masterKeyPK.fromBase64()) }
                     crossSigningOlm.userPkSigning = OlmPkSigning().apply { initWithSeed(data.userKeyPK.fromBase64()) }
@@ -266,7 +270,7 @@ internal class DefaultCrossSigningService @Inject constructor(
             uskKeyPrivateKey: String?,
             sskPrivateKey: String?
     ): UserTrustResult {
-        val mxCrossSigningInfo = getMyCrossSigningKeys() ?: return UserTrustResult.CrossSigningNotConfigured(userId)
+        val mxCrossSigningInfo = getMyCrossSigningKeys() ?: return UserTrustResult.CrossSigningNotConfigured(myUserId)
 
         var masterKeyIsTrusted = false
         var userKeyIsTrusted = false
@@ -330,7 +334,7 @@ internal class DefaultCrossSigningService @Inject constructor(
             val checkSelfTrust = checkSelfTrust()
             if (checkSelfTrust.isVerified()) {
                 cryptoStore.storePrivateKeysInfo(masterKeyPrivateKey, uskKeyPrivateKey, sskPrivateKey)
-                setUserKeysAsTrusted(userId, true)
+                setUserKeysAsTrusted(myUserId, true)
             }
             return checkSelfTrust
         }
@@ -351,7 +355,7 @@ internal class DefaultCrossSigningService @Inject constructor(
      * .
      */
     override fun isUserTrusted(otherUserId: String): Boolean {
-        return cryptoStore.getCrossSigningInfo(userId)?.isTrusted() == true
+        return cryptoStore.getCrossSigningInfo(otherUserId)?.isTrusted() == true
     }
 
     override fun isCrossSigningVerified(): Boolean {
@@ -363,7 +367,7 @@ internal class DefaultCrossSigningService @Inject constructor(
      */
     override fun checkUserTrust(otherUserId: String): UserTrustResult {
         Timber.v("## CrossSigning  checkUserTrust for $otherUserId")
-        if (otherUserId == userId) {
+        if (otherUserId == myUserId) {
             return checkSelfTrust()
         }
         // I trust a user if I trust his master key
@@ -371,16 +375,14 @@ internal class DefaultCrossSigningService @Inject constructor(
         // TODO what if the master key is signed by a device key that i have verified
 
         // First let's get my user key
-        val myCrossSigningInfo = cryptoStore.getCrossSigningInfo(userId)
+        val myCrossSigningInfo = cryptoStore.getCrossSigningInfo(myUserId)
 
-        checkOtherMSKTrusted(myCrossSigningInfo, cryptoStore.getCrossSigningInfo(otherUserId))
+        return checkOtherMSKTrusted(myCrossSigningInfo, cryptoStore.getCrossSigningInfo(otherUserId))
-
-        return UserTrustResult.Success
     }
 
     fun checkOtherMSKTrusted(myCrossSigningInfo: MXCrossSigningInfo?, otherInfo: MXCrossSigningInfo?): UserTrustResult {
         val myUserKey = myCrossSigningInfo?.userKey()
-                ?: return UserTrustResult.CrossSigningNotConfigured(userId)
+                ?: return UserTrustResult.CrossSigningNotConfigured(myUserId)
 
         if (!myCrossSigningInfo.isTrusted()) {
             return UserTrustResult.KeysNotTrusted(myCrossSigningInfo)
@@ -391,7 +393,7 @@ internal class DefaultCrossSigningService @Inject constructor(
                 ?: return UserTrustResult.UnknownCrossSignatureInfo(otherInfo?.userId ?: "")
 
         val masterKeySignaturesMadeByMyUserKey = otherMasterKey.signatures
-                ?.get(userId) // Signatures made by me
+                ?.get(myUserId) // Signatures made by me
                 ?.get("ed25519:${myUserKey.unpaddedBase64PublicKey}")
 
         if (masterKeySignaturesMadeByMyUserKey.isNullOrBlank()) {
@@ -417,9 +419,9 @@ internal class DefaultCrossSigningService @Inject constructor(
         // Special case when it's me,
         // I have to check that MSK -> USK -> SSK
         // and that MSK is trusted (i know the private key, or is signed by a trusted device)
-        val myCrossSigningInfo = cryptoStore.getCrossSigningInfo(userId)
+        val myCrossSigningInfo = cryptoStore.getCrossSigningInfo(myUserId)
 
-        return checkSelfTrust(myCrossSigningInfo, cryptoStore.getUserDeviceList(userId))
+        return checkSelfTrust(myCrossSigningInfo, cryptoStore.getUserDeviceList(myUserId))
     }
 
     fun checkSelfTrust(myCrossSigningInfo: MXCrossSigningInfo?, myDevices: List<CryptoDeviceInfo>?): UserTrustResult {
@@ -429,7 +431,7 @@ internal class DefaultCrossSigningService @Inject constructor(
 //        val myCrossSigningInfo = cryptoStore.getCrossSigningInfo(userId)
 
         val myMasterKey = myCrossSigningInfo?.masterKey()
-                ?: return UserTrustResult.CrossSigningNotConfigured(userId)
+                ?: return UserTrustResult.CrossSigningNotConfigured(myUserId)
 
         // Is the master key trusted
         // 1) check if I know the private key
@@ -453,7 +455,7 @@ internal class DefaultCrossSigningService @Inject constructor(
             olmPkSigning?.releaseSigning()
         } else {
             // Maybe it's signed by a locally trusted device?
-            myMasterKey.signatures?.get(userId)?.forEach { (key, value) ->
+            myMasterKey.signatures?.get(myUserId)?.forEach { (key, value) ->
                 val potentialDeviceId = key.removePrefix("ed25519:")
                 val potentialDevice = myDevices?.firstOrNull { it.deviceId == potentialDeviceId } // cryptoStore.getUserDevice(userId, potentialDeviceId)
                 if (potentialDevice != null && potentialDevice.isVerified) {
@@ -475,14 +477,14 @@ internal class DefaultCrossSigningService @Inject constructor(
         }
 
         val myUserKey = myCrossSigningInfo.userKey()
-                ?: return UserTrustResult.CrossSigningNotConfigured(userId)
+                ?: return UserTrustResult.CrossSigningNotConfigured(myUserId)
 
         val userKeySignaturesMadeByMyMasterKey = myUserKey.signatures
-                ?.get(userId) // Signatures made by me
+                ?.get(myUserId) // Signatures made by me
                 ?.get("ed25519:${myMasterKey.unpaddedBase64PublicKey}")
 
         if (userKeySignaturesMadeByMyMasterKey.isNullOrBlank()) {
-            Timber.d("## CrossSigning  checkUserTrust false for $userId, USK not signed by MSK")
+            Timber.d("## CrossSigning  checkUserTrust false for $myUserId, USK not signed by MSK")
             return UserTrustResult.KeyNotSigned(myUserKey)
         }
 
@@ -498,14 +500,14 @@ internal class DefaultCrossSigningService @Inject constructor(
         }
 
         val mySSKey = myCrossSigningInfo.selfSigningKey()
-                ?: return UserTrustResult.CrossSigningNotConfigured(userId)
+                ?: return UserTrustResult.CrossSigningNotConfigured(myUserId)
 
         val ssKeySignaturesMadeByMyMasterKey = mySSKey.signatures
-                ?.get(userId) // Signatures made by me
+                ?.get(myUserId) // Signatures made by me
                 ?.get("ed25519:${myMasterKey.unpaddedBase64PublicKey}")
 
         if (ssKeySignaturesMadeByMyMasterKey.isNullOrBlank()) {
-            Timber.d("## CrossSigning  checkUserTrust false for $userId, SSK not signed by MSK")
+            Timber.d("## CrossSigning  checkUserTrust false for $myUserId, SSK not signed by MSK")
             return UserTrustResult.KeyNotSigned(mySSKey)
         }
 
@@ -555,14 +557,14 @@ internal class DefaultCrossSigningService @Inject constructor(
 
     override fun trustUser(otherUserId: String, callback: MatrixCallback<Unit>) {
         cryptoCoroutineScope.launch(coroutineDispatchers.crypto) {
-            Timber.d("## CrossSigning - Mark user $userId as trusted ")
+            Timber.d("## CrossSigning - Mark user $otherUserId as trusted ")
             // We should have this user keys
             val otherMasterKeys = getUserCrossSigningKeys(otherUserId)?.masterKey()
             if (otherMasterKeys == null) {
                 callback.onFailure(Throwable("## CrossSigning - Other master signing key is not known"))
                 return@launch
             }
-            val myKeys = getUserCrossSigningKeys(userId)
+            val myKeys = getUserCrossSigningKeys(myUserId)
             if (myKeys == null) {
                 callback.onFailure(Throwable("## CrossSigning - CrossSigning is not setup for this account"))
                 return@launch
@@ -586,16 +588,22 @@ internal class DefaultCrossSigningService @Inject constructor(
             }
 
             cryptoStore.setUserKeysAsTrusted(otherUserId, true)
-            // TODO update local copy with new signature directly here? kind of local echo of trust?
 
-            Timber.d("## CrossSigning - Upload signature of $userId MSK signed by USK")
+            Timber.d("## CrossSigning - Upload signature of $otherUserId MSK signed by USK")
             val uploadQuery = UploadSignatureQueryBuilder()
-                    .withSigningKeyInfo(otherMasterKeys.copyForSignature(userId, userPubKey, newSignature))
+                    .withSigningKeyInfo(otherMasterKeys.copyForSignature(myUserId, userPubKey, newSignature))
                     .build()
             uploadSignaturesTask.configureWith(UploadSignaturesTask.Params(uploadQuery)) {
                 this.executionThread = TaskThread.CRYPTO
                 this.callback = callback
             }.executeBy(taskExecutor)
+
+            // Local echo for device cross trust, to avoid having to wait for a notification of key change
+            cryptoStore.getUserDeviceList(otherUserId)?.forEach { device ->
+                val updatedTrust = checkDeviceTrust(device.userId, device.deviceId, device.trustLevel?.isLocallyVerified() ?: false)
+                Timber.v("## CrossSigning - update trust for device ${device.deviceId} of user $otherUserId , verified=$updatedTrust")
+                cryptoStore.setDeviceTrust(device.userId, device.deviceId, updatedTrust.isCrossSignedVerified(), updatedTrust.isLocallyVerified())
+            }
         }
     }
 
@@ -604,20 +612,20 @@ internal class DefaultCrossSigningService @Inject constructor(
             cryptoStore.markMyMasterKeyAsLocallyTrusted(true)
             checkSelfTrust()
             // re-verify all trusts
-            onUsersDeviceUpdate(listOf(userId))
+            onUsersDeviceUpdate(listOf(myUserId))
         }
     }
 
     override fun trustDevice(deviceId: String, callback: MatrixCallback<Unit>) {
         cryptoCoroutineScope.launch(coroutineDispatchers.crypto) {
             // This device should be yours
-            val device = cryptoStore.getUserDevice(userId, deviceId)
+            val device = cryptoStore.getUserDevice(myUserId, deviceId)
             if (device == null) {
                 callback.onFailure(IllegalArgumentException("This device [$deviceId] is not known, or not yours"))
                 return@launch
             }
 
-            val myKeys = getUserCrossSigningKeys(userId)
+            val myKeys = getUserCrossSigningKeys(myUserId)
             if (myKeys == null) {
                 callback.onFailure(Throwable("CrossSigning is not setup for this account"))
                 return@launch
@@ -639,7 +647,7 @@ internal class DefaultCrossSigningService @Inject constructor(
             }
             val toUpload = device.copy(
                     signatures = mapOf(
-                            userId
+                            myUserId
                                     to
                                     mapOf(
                                             "ed25519:$ssPubKey" to newSignature
@@ -661,8 +669,8 @@ internal class DefaultCrossSigningService @Inject constructor(
         val otherDevice = cryptoStore.getUserDevice(otherUserId, otherDeviceId)
                 ?: return DeviceTrustResult.UnknownDevice(otherDeviceId)
 
-        val myKeys = getUserCrossSigningKeys(userId)
+        val myKeys = getUserCrossSigningKeys(myUserId)
-                ?: return legacyFallbackTrust(locallyTrusted, DeviceTrustResult.CrossSigningNotConfigured(userId))
+                ?: return legacyFallbackTrust(locallyTrusted, DeviceTrustResult.CrossSigningNotConfigured(myUserId))
 
         if (!myKeys.isTrusted()) return legacyFallbackTrust(locallyTrusted, DeviceTrustResult.KeysNotTrusted(myKeys))
 
@@ -717,7 +725,7 @@ internal class DefaultCrossSigningService @Inject constructor(
 
     fun checkDeviceTrust(myKeys: MXCrossSigningInfo?, otherKeys: MXCrossSigningInfo?, otherDevice: CryptoDeviceInfo): DeviceTrustResult {
         val locallyTrusted = otherDevice.trustLevel?.isLocallyVerified()
-        myKeys ?: return legacyFallbackTrust(locallyTrusted, DeviceTrustResult.CrossSigningNotConfigured(userId))
+        myKeys ?: return legacyFallbackTrust(locallyTrusted, DeviceTrustResult.CrossSigningNotConfigured(myUserId))
 
         if (!myKeys.isTrusted()) return legacyFallbackTrust(locallyTrusted, DeviceTrustResult.KeysNotTrusted(myKeys))
 
@@ -805,7 +813,7 @@ internal class DefaultCrossSigningService @Inject constructor(
         cryptoStore.setUserKeysAsTrusted(otherUserId, trusted)
         // If it's me, recheck trust of all users and devices?
         val users = ArrayList<String>()
-        if (otherUserId == userId && currentTrust != trusted) {
+        if (otherUserId == myUserId && currentTrust != trusted) {
             // notify key requester
             outgoingKeyRequestManager.onSelfCrossSigningTrustChanged(trusted)
             cryptoStore.updateUsersTrust {

matrix-sdk-android/src/main/java/org/matrix/android/sdk/internal/crypto/crosssigning/UpdateTrustWorker.kt

@@ -161,6 +161,7 @@ internal class UpdateTrustWorker(context: Context, params: WorkerParameters, ses
             // i have all the new trusts, update DB
             trusts.forEach {
                 val verified = it.value?.isVerified() == true
+                Timber.v("[$myUserId] ## CrossSigning - Updating user trust: ${it.key} to $verified")
                 updateCrossSigningKeysTrust(cryptoRealm, it.key, verified)
             }
 
@@ -259,14 +260,16 @@ internal class UpdateTrustWorker(context: Context, params: WorkerParameters, ses
         cryptoRealm.where(CrossSigningInfoEntity::class.java)
                 .equalTo(CrossSigningInfoEntityFields.USER_ID, userId)
                 .findFirst()
-                ?.crossSigningKeys
+                ?.let { userKeyInfo ->
-                ?.forEach { info ->
+                    userKeyInfo
+                            .crossSigningKeys
+                            .forEach { key ->
                                 // optimization to avoid trigger updates when there is no change..
-                    if (info.trustLevelEntity?.isVerified() != verified) {
+                                if (key.trustLevelEntity?.isVerified() != verified) {
                                     Timber.d("## CrossSigning - Trust change for $userId : $verified")
-                        val level = info.trustLevelEntity
+                                    val level = key.trustLevelEntity
                                     if (level == null) {
-                            info.trustLevelEntity = cryptoRealm.createObject(TrustLevelEntity::class.java).also {
+                                        key.trustLevelEntity = cryptoRealm.createObject(TrustLevelEntity::class.java).also {
                                             it.locallyVerified = verified
                                             it.crossSignedVerified = verified
                                         }
@@ -276,6 +279,10 @@ internal class UpdateTrustWorker(context: Context, params: WorkerParameters, ses
                                     }
                                 }
                             }
+                    if (verified) {
+                        userKeyInfo.wasUserVerifiedOnce = true
+                    }
+                }
     }
 
     private fun computeRoomShield(
@@ -299,8 +306,18 @@ internal class UpdateTrustWorker(context: Context, params: WorkerParameters, ses
                     getCrossSigningInfo(cryptoRealm, userId)?.isTrusted() == true
                 }
 
+        val resetTrust = listToCheck
+                .filter { userId ->
+                    val crossSigningInfo = getCrossSigningInfo(cryptoRealm, userId)
+                    crossSigningInfo?.isTrusted() != true && crossSigningInfo?.wasTrustedOnce == true
+                }
+
         return if (allTrustedUserIds.isEmpty()) {
+            if (resetTrust.isEmpty()) {
                 RoomEncryptionTrustLevel.Default
+            } else {
+                RoomEncryptionTrustLevel.Warning
+            }
         } else {
             // If one of the verified user as an untrusted device -> warning
             // If all devices of all verified users are trusted -> green
@@ -327,12 +344,16 @@ internal class UpdateTrustWorker(context: Context, params: WorkerParameters, ses
                         if (hasWarning) {
                             RoomEncryptionTrustLevel.Warning
                         } else {
+                            if (resetTrust.isEmpty()) {
                                 if (listToCheck.size == allTrustedUserIds.size) {
                                     // all users are trusted and all devices are verified
                                     RoomEncryptionTrustLevel.Trusted
                                 } else {
                                     RoomEncryptionTrustLevel.Default
                                 }
+                            } else {
+                                RoomEncryptionTrustLevel.Warning
+                            }
                         }
                     }
         }
@@ -344,7 +365,8 @@ internal class UpdateTrustWorker(context: Context, params: WorkerParameters, ses
                 userId = userId,
                 crossSigningKeys = xsignInfo.crossSigningKeys.mapNotNull {
                     crossSigningKeysMapper.map(userId, it)
-                }
+                },
+                wasTrustedOnce = xsignInfo.wasUserVerifiedOnce
         )
     }
 

matrix-sdk-android/src/main/java/org/matrix/android/sdk/internal/crypto/store/db/RealmCryptoStore.kt

@@ -1611,7 +1611,8 @@ internal class RealmCryptoStore @Inject constructor(
                 userId = userId,
                 crossSigningKeys = xsignInfo.crossSigningKeys.mapNotNull {
                     crossSigningKeysMapper.map(userId, it)
-                }
+                },
+                wasTrustedOnce = xsignInfo.wasUserVerifiedOnce
         )
     }
 

matrix-sdk-android/src/main/java/org/matrix/android/sdk/internal/crypto/store/db/RealmCryptoStoreMigration.kt

@@ -35,6 +35,7 @@ import org.matrix.android.sdk.internal.crypto.store.db.migration.MigrateCryptoTo
 import org.matrix.android.sdk.internal.crypto.store.db.migration.MigrateCryptoTo016
 import org.matrix.android.sdk.internal.crypto.store.db.migration.MigrateCryptoTo017
 import org.matrix.android.sdk.internal.crypto.store.db.migration.MigrateCryptoTo018
+import org.matrix.android.sdk.internal.crypto.store.db.migration.MigrateCryptoTo019
 import org.matrix.android.sdk.internal.util.database.MatrixRealmMigration
 import org.matrix.android.sdk.internal.util.time.Clock
 import javax.inject.Inject
@@ -49,7 +50,7 @@ internal class RealmCryptoStoreMigration @Inject constructor(
         private val clock: Clock,
 ) : MatrixRealmMigration(
         dbName = "Crypto",
-        schemaVersion = 18L,
+        schemaVersion = 19L,
 ) {
     /**
      * Forces all RealmCryptoStoreMigration instances to be equal.
@@ -77,5 +78,6 @@ internal class RealmCryptoStoreMigration @Inject constructor(
         if (oldVersion < 16) MigrateCryptoTo016(realm).perform()
         if (oldVersion < 17) MigrateCryptoTo017(realm).perform()
         if (oldVersion < 18) MigrateCryptoTo018(realm).perform()
+        if (oldVersion < 19) MigrateCryptoTo019(realm).perform()
     }
 }

matrix-sdk-android/src/main/java/org/matrix/android/sdk/internal/crypto/store/db/migration/MigrateCryptoTo019.kt

@@ -0,0 +1,59 @@
+/*
+ * Copyright (c) 2022 The Matrix.org Foundation C.I.C.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.matrix.android.sdk.internal.crypto.store.db.migration
+
+import io.realm.DynamicRealm
+import io.realm.DynamicRealmObject
+import org.matrix.android.sdk.api.session.crypto.crosssigning.KeyUsage
+import org.matrix.android.sdk.internal.crypto.store.db.model.CrossSigningInfoEntityFields
+import org.matrix.android.sdk.internal.crypto.store.db.model.KeyInfoEntityFields
+import org.matrix.android.sdk.internal.crypto.store.db.model.TrustLevelEntityFields
+import org.matrix.android.sdk.internal.util.database.RealmMigrator
+
+/**
+ * This migration is adding support for trusted flags on megolm sessions.
+ * We can't really assert the trust of existing keys, so for the sake of simplicity we are going to
+ * mark existing keys as safe.
+ * This migration can take long depending on the account
+ */
+internal class MigrateCryptoTo019(realm: DynamicRealm) : RealmMigrator(realm, 18) {
+
+    override fun doMigrate(realm: DynamicRealm) {
+        realm.schema.get("CrossSigningInfoEntity")
+                ?.addField(CrossSigningInfoEntityFields.WAS_USER_VERIFIED_ONCE, Boolean::class.java)
+                ?.transform { dynamicObject ->
+
+                    val knowKeys = dynamicObject.getList(CrossSigningInfoEntityFields.CROSS_SIGNING_KEYS.`$`)
+                    val msk = knowKeys.firstOrNull {
+                        it.getList(KeyInfoEntityFields.USAGES.`$`, String::class.java).orEmpty().contains(KeyUsage.MASTER.value)
+                    }
+                    val ssk = knowKeys.firstOrNull {
+                        it.getList(KeyInfoEntityFields.USAGES.`$`, String::class.java).orEmpty().contains(KeyUsage.SELF_SIGNING.value)
+                    }
+                    val isTrusted = isDynamicKeyInfoTrusted(msk?.get<DynamicRealmObject>(KeyInfoEntityFields.TRUST_LEVEL_ENTITY.`$`)) &&
+                            isDynamicKeyInfoTrusted(ssk?.get<DynamicRealmObject>(KeyInfoEntityFields.TRUST_LEVEL_ENTITY.`$`))
+
+                    dynamicObject.setBoolean(CrossSigningInfoEntityFields.WAS_USER_VERIFIED_ONCE, isTrusted)
+                }
+    }
+
+    private fun isDynamicKeyInfoTrusted(keyInfo: DynamicRealmObject?): Boolean {
+        if (keyInfo == null) return false
+        return !keyInfo.isNull(TrustLevelEntityFields.CROSS_SIGNED_VERIFIED) && keyInfo.getBoolean(TrustLevelEntityFields.CROSS_SIGNED_VERIFIED) &&
+                !keyInfo.isNull(TrustLevelEntityFields.LOCALLY_VERIFIED) && keyInfo.getBoolean(TrustLevelEntityFields.LOCALLY_VERIFIED)
+    }
+}

matrix-sdk-android/src/main/java/org/matrix/android/sdk/internal/crypto/store/db/model/CrossSigningInfoEntity.kt

@@ -25,6 +25,7 @@ import org.matrix.android.sdk.internal.extensions.clearWith
 internal open class CrossSigningInfoEntity(
         @PrimaryKey
         var userId: String? = null,
+        var wasUserVerifiedOnce: Boolean = false,
         var crossSigningKeys: RealmList<KeyInfoEntity> = RealmList()
 ) : RealmObject() {
 

vector/build.gradle

@@ -289,6 +289,8 @@ dependencies {
     testImplementation libs.tests.junit
     testImplementation libs.tests.kluent
     testImplementation libs.mockk.mockk
+    testImplementation libs.androidx.coreTesting
+    testImplementation libs.tests.robolectric
     // Plant Timber tree for test
     testImplementation libs.tests.timberJunitRule
     testImplementation libs.airbnb.mavericksTesting

vector/src/main/java/im/vector/app/core/epoxy/profiles/BaseProfileMatrixItem.kt

@@ -26,7 +26,7 @@ import im.vector.app.core.epoxy.onClick
 import im.vector.app.core.extensions.setTextOrHide
 import im.vector.app.features.displayname.getBestName
 import im.vector.app.features.home.AvatarRenderer
-import org.matrix.android.sdk.api.session.crypto.model.RoomEncryptionTrustLevel
+import org.matrix.android.sdk.api.session.crypto.model.UserVerificationLevel
 import org.matrix.android.sdk.api.util.MatrixItem
 
 abstract class BaseProfileMatrixItem<T : ProfileMatrixItem.Holder>(@LayoutRes layoutId: Int) : VectorEpoxyModel<T>(layoutId) {
@@ -35,7 +35,7 @@ abstract class BaseProfileMatrixItem<T : ProfileMatrixItem.Holder>(@LayoutRes la
     @EpoxyAttribute var editable: Boolean = true
 
     @EpoxyAttribute
-    var userEncryptionTrustLevel: RoomEncryptionTrustLevel? = null
+    var userVerificationLevel: UserVerificationLevel? = null
 
     @EpoxyAttribute(EpoxyAttribute.Option.DoNotHash)
     var clickListener: ClickListener? = null
@@ -53,6 +53,6 @@ abstract class BaseProfileMatrixItem<T : ProfileMatrixItem.Holder>(@LayoutRes la
         holder.subtitleView.setTextOrHide(matrixId)
         holder.editableView.isVisible = editable
         avatarRenderer.render(matrixItem, holder.avatarImageView)
-        holder.avatarDecorationImageView.render(userEncryptionTrustLevel)
+        holder.avatarDecorationImageView.renderUser(userVerificationLevel)
     }
 }

vector/src/main/java/im/vector/app/core/ui/views/ShieldImageView.kt

@@ -24,6 +24,7 @@ import androidx.core.view.isVisible
 import im.vector.app.R
 import im.vector.app.features.home.room.detail.timeline.item.E2EDecoration
 import org.matrix.android.sdk.api.session.crypto.model.RoomEncryptionTrustLevel
+import org.matrix.android.sdk.api.session.crypto.model.UserVerificationLevel
 
 class ShieldImageView @JvmOverloads constructor(
         context: Context,
@@ -102,6 +103,35 @@ class ShieldImageView @JvmOverloads constructor(
             }
         }
     }
+
+    fun renderUser(userVerificationLevel: UserVerificationLevel?, borderLess: Boolean = false) {
+        isVisible = userVerificationLevel != null
+        when (userVerificationLevel) {
+            UserVerificationLevel.VERIFIED_ALL_DEVICES_TRUSTED -> {
+                contentDescription = context.getString(R.string.a11y_trust_level_trusted)
+                setImageResource(
+                        if (borderLess) R.drawable.ic_shield_trusted_no_border
+                        else R.drawable.ic_shield_trusted
+                )
+            }
+            UserVerificationLevel.UNVERIFIED_BUT_WAS_PREVIOUSLY,
+            UserVerificationLevel.VERIFIED_WITH_DEVICES_UNTRUSTED -> {
+                contentDescription = context.getString(R.string.a11y_trust_level_warning)
+                setImageResource(
+                        if (borderLess) R.drawable.ic_shield_warning_no_border
+                        else R.drawable.ic_shield_warning
+                )
+            }
+            UserVerificationLevel.WAS_NEVER_VERIFIED -> {
+                contentDescription = context.getString(R.string.a11y_trust_level_default)
+                setImageResource(
+                        if (borderLess) R.drawable.ic_shield_black_no_border
+                        else R.drawable.ic_shield_black
+                )
+            }
+            null -> Unit
+        }
+    }
 }
 
 @DrawableRes

vector/src/main/java/im/vector/app/features/roommemberprofile/RoomMemberProfileFragment.kt

@@ -59,7 +59,7 @@ import im.vector.app.features.home.room.detail.timeline.helper.MatrixItemColorPr
 import im.vector.app.features.roommemberprofile.devices.DeviceListBottomSheet
 import im.vector.app.features.roommemberprofile.powerlevel.EditPowerLevelDialogs
 import kotlinx.parcelize.Parcelize
-import org.matrix.android.sdk.api.session.crypto.model.RoomEncryptionTrustLevel
+import org.matrix.android.sdk.api.session.crypto.model.UserVerificationLevel
 import org.matrix.android.sdk.api.session.room.powerlevels.Role
 import org.matrix.android.sdk.api.util.MatrixItem
 import javax.inject.Inject
@@ -235,23 +235,27 @@ class RoomMemberProfileFragment :
                         if (state.userMXCrossSigningInfo.isTrusted()) {
                             // User is trusted
                             if (state.allDevicesAreCrossSignedTrusted) {
-                                RoomEncryptionTrustLevel.Trusted
+                                UserVerificationLevel.VERIFIED_ALL_DEVICES_TRUSTED
                             } else {
-                                RoomEncryptionTrustLevel.Warning
+                                UserVerificationLevel.VERIFIED_WITH_DEVICES_UNTRUSTED
                             }
                         } else {
-                            RoomEncryptionTrustLevel.Default
+                            if (state.userMXCrossSigningInfo.wasTrustedOnce) {
+                                UserVerificationLevel.UNVERIFIED_BUT_WAS_PREVIOUSLY
+                            } else {
+                                UserVerificationLevel.WAS_NEVER_VERIFIED
+                            }
                         }
                     } else {
                         // Legacy
                         if (state.allDevicesAreTrusted) {
-                            RoomEncryptionTrustLevel.Trusted
+                            UserVerificationLevel.VERIFIED_ALL_DEVICES_TRUSTED
                         } else {
-                            RoomEncryptionTrustLevel.Warning
+                            UserVerificationLevel.VERIFIED_WITH_DEVICES_UNTRUSTED
                         }
                     }
-                    headerViews.memberProfileDecorationImageView.render(trustLevel)
+                    headerViews.memberProfileDecorationImageView.renderUser(trustLevel)
-                    views.matrixProfileDecorationToolbarAvatarImageView.render(trustLevel)
+                    views.matrixProfileDecorationToolbarAvatarImageView.renderUser(trustLevel)
                 } else {
                     headerViews.memberProfileDecorationImageView.isVisible = false
                 }

vector/src/main/java/im/vector/app/features/roomprofile/members/RoomMemberListController.kt

@@ -129,7 +129,7 @@ class RoomMemberListController @Inject constructor(
             id(roomMember.userId)
             matrixItem(roomMember.toMatrixItem())
             avatarRenderer(host.avatarRenderer)
-            userEncryptionTrustLevel(data.trustLevelMap.invoke()?.get(roomMember.userId))
+            userVerificationLevel(data.trustLevelMap.invoke()?.get(roomMember.userId))
             clickListener {
                 host.callback?.onRoomMemberClicked(roomMember)
             }

vector/src/main/java/im/vector/app/features/roomprofile/members/RoomMemberListViewModel.kt

@@ -37,7 +37,8 @@ import kotlinx.coroutines.launch
 import org.matrix.android.sdk.api.extensions.orFalse
 import org.matrix.android.sdk.api.query.QueryStringValue
 import org.matrix.android.sdk.api.session.Session
-import org.matrix.android.sdk.api.session.crypto.model.RoomEncryptionTrustLevel
+import org.matrix.android.sdk.api.session.crypto.model.CryptoDeviceInfo
+import org.matrix.android.sdk.api.session.crypto.model.UserVerificationLevel
 import org.matrix.android.sdk.api.session.events.model.EventType
 import org.matrix.android.sdk.api.session.events.model.toModel
 import org.matrix.android.sdk.api.session.getRoom
@@ -116,14 +117,7 @@ class RoomMemberListViewModel @AssistedInject constructor(
                                 .map { deviceList ->
                                     // If any key change, emit the userIds list
                                     deviceList.groupBy { it.userId }.mapValues {
-                                        val allDeviceTrusted = it.value.fold(it.value.isNotEmpty()) { prev, next ->
+                                        getUserTrustLevel(it.key, it.value)
-                                            prev && next.trustLevel?.isCrossSigningVerified().orFalse()
-                                        }
-                                        if (session.cryptoService().crossSigningService().getUserCrossSigningKeys(it.key)?.isTrusted().orFalse()) {
-                                            if (allDeviceTrusted) RoomEncryptionTrustLevel.Trusted else RoomEncryptionTrustLevel.Warning
-                                        } else {
-                                            RoomEncryptionTrustLevel.Default
-                                        }
                                     }
                                 }
                     }
@@ -133,6 +127,29 @@ class RoomMemberListViewModel @AssistedInject constructor(
         }
     }
 
+    private fun getUserTrustLevel(userId: String, devices: List<CryptoDeviceInfo>): UserVerificationLevel {
+        val allDeviceTrusted = devices.fold(devices.isNotEmpty()) { prev, next ->
+            prev && next.trustLevel?.isCrossSigningVerified().orFalse()
+        }
+        val mxCrossSigningInfo = session.cryptoService().crossSigningService().getUserCrossSigningKeys(userId)
+        return when {
+            mxCrossSigningInfo == null -> {
+                UserVerificationLevel.WAS_NEVER_VERIFIED
+            }
+            mxCrossSigningInfo.isTrusted() -> {
+                if (allDeviceTrusted) UserVerificationLevel.VERIFIED_ALL_DEVICES_TRUSTED
+                else UserVerificationLevel.VERIFIED_WITH_DEVICES_UNTRUSTED
+            }
+            else -> {
+                if (mxCrossSigningInfo.wasTrustedOnce) {
+                    UserVerificationLevel.UNVERIFIED_BUT_WAS_PREVIOUSLY
+                } else {
+                    UserVerificationLevel.WAS_NEVER_VERIFIED
+                }
+            }
+        }
+    }
+
     private fun observePowerLevel() {
         PowerLevelsFlowFactory(room).createFlow()
                 .onEach {

vector/src/main/java/im/vector/app/features/roomprofile/members/RoomMemberListViewState.kt

@@ -23,7 +23,7 @@ import com.airbnb.mvrx.Uninitialized
 import im.vector.app.R
 import im.vector.app.core.platform.GenericIdArgs
 import im.vector.app.features.roomprofile.RoomProfileArgs
-import org.matrix.android.sdk.api.session.crypto.model.RoomEncryptionTrustLevel
+import org.matrix.android.sdk.api.session.crypto.model.UserVerificationLevel
 import org.matrix.android.sdk.api.session.events.model.Event
 import org.matrix.android.sdk.api.session.room.model.RoomMemberSummary
 import org.matrix.android.sdk.api.session.room.model.RoomSummary
@@ -36,7 +36,7 @@ data class RoomMemberListViewState(
         val ignoredUserIds: List<String> = emptyList(),
         val filter: String = "",
         val threePidInvites: Async<List<Event>> = Uninitialized,
-        val trustLevelMap: Async<Map<String, RoomEncryptionTrustLevel?>> = Uninitialized,
+        val trustLevelMap: Async<Map<String, UserVerificationLevel>> = Uninitialized,
         val actionsPermissions: ActionPermissions = ActionPermissions()
 ) : MavericksState {
 

vector/src/main/java/im/vector/app/features/spaces/people/SpacePeopleListController.kt

@@ -77,7 +77,7 @@ class SpacePeopleListController @Inject constructor(
                                     id(roomMember.userId)
                                     matrixItem(roomMember.toMatrixItem())
                                     avatarRenderer(host.avatarRenderer)
-                                    userEncryptionTrustLevel(data.trustLevelMap.invoke()?.get(roomMember.userId))
+                                    userVerificationLevel(data.trustLevelMap.invoke()?.get(roomMember.userId))
                                             .apply {
                                                 val pl = host.toPowerLevelLabel(memberEntry.first)
                                                 if (memberEntry.first == RoomMemberListCategories.INVITE) {

vector/src/test/java/im/vector/app/features/MemberListViewModelTest.kt

@@ -0,0 +1,282 @@
+/*
+ * Copyright (c) 2022 New Vector Ltd
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package im.vector.app.features
+
+import androidx.arch.core.executor.testing.InstantTaskExecutorRule
+import androidx.lifecycle.MutableLiveData
+import com.airbnb.mvrx.test.MvRxTestRule
+import im.vector.app.features.roomprofile.RoomProfileArgs
+import im.vector.app.features.roomprofile.members.RoomMemberListViewModel
+import im.vector.app.features.roomprofile.members.RoomMemberListViewState
+import im.vector.app.features.roomprofile.members.RoomMemberSummaryComparator
+import im.vector.app.test.test
+import im.vector.app.test.testCoroutineDispatchers
+import io.mockk.coEvery
+import io.mockk.every
+import io.mockk.mockk
+import org.junit.Rule
+import org.junit.Test
+import org.matrix.android.sdk.api.session.Session
+import org.matrix.android.sdk.api.session.crypto.CryptoService
+import org.matrix.android.sdk.api.session.crypto.crosssigning.CrossSigningService
+import org.matrix.android.sdk.api.session.crypto.crosssigning.CryptoCrossSigningKey
+import org.matrix.android.sdk.api.session.crypto.crosssigning.DeviceTrustLevel
+import org.matrix.android.sdk.api.session.crypto.crosssigning.MXCrossSigningInfo
+import org.matrix.android.sdk.api.session.crypto.model.CryptoDeviceInfo
+import org.matrix.android.sdk.api.session.crypto.model.UserVerificationLevel
+import org.matrix.android.sdk.api.session.room.Room
+import org.matrix.android.sdk.api.session.room.RoomService
+import org.matrix.android.sdk.api.session.room.crypto.RoomCryptoService
+import org.matrix.android.sdk.api.session.room.members.MembershipService
+import org.matrix.android.sdk.api.session.room.model.Membership
+import org.matrix.android.sdk.api.session.room.model.RoomMemberSummary
+import org.matrix.android.sdk.api.session.room.model.RoomSummary
+import org.matrix.android.sdk.api.session.room.state.StateService
+import org.matrix.android.sdk.api.session.user.UserService
+import org.matrix.android.sdk.api.util.Optional
+
+class MemberListViewModelTest {
+
+    @get:Rule
+    val mvrxTestRule = MvRxTestRule()
+
+    @get:Rule
+    val instantExecutorRule = InstantTaskExecutorRule()
+
+    private val fakeRoomId = "!roomId"
+    private val args = RoomProfileArgs(fakeRoomId)
+
+    private val aliceMxid = "@alice:example.com"
+    private val bobMxid = "@bob:example.com"
+    private val marcMxid = "@marc:example.com"
+
+    private val aliceDevice1 = CryptoDeviceInfo(
+            deviceId = "ALICE_1",
+            userId = aliceMxid,
+            trustLevel = DeviceTrustLevel(true, true)
+    )
+
+    private val aliceDevice2 = CryptoDeviceInfo(
+            deviceId = "ALICE_2",
+            userId = aliceMxid,
+            trustLevel = DeviceTrustLevel(false, false)
+    )
+
+    private val bobDevice1 = CryptoDeviceInfo(
+            deviceId = "BOB_1",
+            userId = bobMxid,
+            trustLevel = DeviceTrustLevel(true, true)
+    )
+
+    private val bobDevice2 = CryptoDeviceInfo(
+            deviceId = "BOB_2",
+            userId = bobMxid,
+            trustLevel = DeviceTrustLevel(true, true)
+    )
+
+    private val markDevice = CryptoDeviceInfo(
+            deviceId = "MARK_1",
+            userId = marcMxid,
+            trustLevel = DeviceTrustLevel(false, true)
+    )
+
+    private val fakeMembershipservice: MembershipService = mockk {
+
+        val memberList = mutableListOf<RoomMemberSummary>(
+                RoomMemberSummary(Membership.JOIN, aliceMxid, displayName = "Alice"),
+                RoomMemberSummary(Membership.JOIN, bobMxid, displayName = "Bob"),
+                RoomMemberSummary(Membership.JOIN, marcMxid, displayName = "marc")
+        )
+
+        every { getRoomMembers(any()) } returns memberList
+
+        every { getRoomMembersLive(any()) } returns MutableLiveData(memberList)
+
+        every { areAllMembersLoadedLive() } returns MutableLiveData(true)
+
+        coEvery { areAllMembersLoaded() } returns true
+    }
+
+    private val fakeRoomCryptoService: RoomCryptoService = mockk {
+        every { isEncrypted() } returns true
+    }
+    private val fakeRoom: Room = mockk {
+
+        val fakeStateService: StateService = mockk {
+            every { getStateEventLive(any(), any()) } returns MutableLiveData()
+            every { getStateEventsLive(any(), any()) } returns MutableLiveData()
+            every { getStateEvent(any(), any()) } returns null
+        }
+
+        every { stateService() } returns fakeStateService
+
+        every { coroutineDispatchers } returns testCoroutineDispatchers
+
+        every { getRoomSummaryLive() } returns MutableLiveData<Optional<RoomSummary>>(Optional(fakeRoomSummary))
+
+        every { membershipService() } returns fakeMembershipservice
+
+        every { roomCryptoService() } returns fakeRoomCryptoService
+
+        every { roomSummary() } returns fakeRoomSummary
+    }
+
+    private val fakeUserService: UserService = mockk {
+        every { getIgnoredUsersLive() } returns MutableLiveData()
+    }
+
+    val fakeSession: Session = mockk {
+
+        val fakeCrossSigningService: CrossSigningService = mockk {
+            every { isUserTrusted(aliceMxid) } returns true
+            every { isUserTrusted(bobMxid) } returns true
+            every { isUserTrusted(marcMxid) } returns false
+
+            every { getUserCrossSigningKeys(aliceMxid) } returns MXCrossSigningInfo(
+                    aliceMxid,
+                    crossSigningKeys = listOf(
+                            CryptoCrossSigningKey(
+                                    aliceMxid,
+                                    usages = listOf("master"),
+                                    keys = emptyMap(),
+                                    trustLevel = DeviceTrustLevel(true, true),
+                                    signatures = emptyMap()
+                            ),
+                            CryptoCrossSigningKey(
+                                    aliceMxid,
+                                    usages = listOf("self_signing"),
+                                    keys = emptyMap(),
+                                    trustLevel = DeviceTrustLevel(true, true),
+                                    signatures = emptyMap()
+                            ),
+                            CryptoCrossSigningKey(
+                                    aliceMxid,
+                                    usages = listOf("user_signing"),
+                                    keys = emptyMap(),
+                                    trustLevel = DeviceTrustLevel(true, true),
+                                    signatures = emptyMap()
+                            )
+                    ),
+                    true
+            )
+            every { getUserCrossSigningKeys(bobMxid) } returns MXCrossSigningInfo(
+                    aliceMxid,
+                    crossSigningKeys = listOf(
+                            CryptoCrossSigningKey(
+                                    bobMxid,
+                                    usages = listOf("master"),
+                                    keys = emptyMap(),
+                                    trustLevel = DeviceTrustLevel(true, true),
+                                    signatures = emptyMap()
+                            ),
+                            CryptoCrossSigningKey(
+                                    bobMxid,
+                                    usages = listOf("self_signing"),
+                                    keys = emptyMap(),
+                                    trustLevel = DeviceTrustLevel(true, true),
+                                    signatures = emptyMap()
+                            ),
+                            CryptoCrossSigningKey(
+                                    bobMxid,
+                                    usages = listOf("user_signing"),
+                                    keys = emptyMap(),
+                                    trustLevel = DeviceTrustLevel(true, true),
+                                    signatures = emptyMap()
+                            )
+                    ),
+                    true
+            )
+            every { getUserCrossSigningKeys(marcMxid) } returns MXCrossSigningInfo(
+                    aliceMxid,
+                    crossSigningKeys = listOf(
+                            CryptoCrossSigningKey(
+                                    marcMxid,
+                                    usages = listOf("master"),
+                                    keys = emptyMap(),
+                                    trustLevel = DeviceTrustLevel(false, false),
+                                    signatures = emptyMap()
+                            ),
+                            CryptoCrossSigningKey(
+                                    marcMxid,
+                                    usages = listOf("self_signing"),
+                                    keys = emptyMap(),
+                                    trustLevel = DeviceTrustLevel(false, false),
+                                    signatures = emptyMap()
+                            ),
+                            CryptoCrossSigningKey(
+                                    marcMxid,
+                                    usages = listOf("user_signing"),
+                                    keys = emptyMap(),
+                                    trustLevel = DeviceTrustLevel(false, false),
+                                    signatures = emptyMap()
+                            )
+                    ),
+                    true
+            )
+        }
+
+        val fakeCryptoService: CryptoService = mockk {
+            every { crossSigningService() } returns fakeCrossSigningService
+
+            every {
+                getLiveCryptoDeviceInfo(listOf(aliceMxid, bobMxid, marcMxid))
+            } returns MutableLiveData(
+                    listOf(
+                            aliceDevice1, aliceDevice2, bobDevice1, bobDevice2, markDevice
+                    )
+            )
+        }
+
+        val fakeRoomService: RoomService = mockk {
+            every { getRoom(any()) } returns fakeRoom
+        }
+        every { roomService() } returns fakeRoomService
+        every { userService() } returns fakeUserService
+        every { cryptoService() } returns fakeCryptoService
+    }
+
+    private val fakeRoomSummary = RoomSummary(
+            roomId = fakeRoomId,
+            displayName = "Fake Room",
+            topic = "A topic",
+            isEncrypted = true,
+            encryptionEventTs = 0,
+            typingUsers = emptyList(),
+    )
+
+    @Test
+    fun testBasicUserVerificationLevels() {
+        val viewModel = createViewModel()
+        viewModel
+                .test()
+                .assertLatestState {
+                    val trustMap = it.trustLevelMap.invoke() ?: return@assertLatestState false
+                    trustMap[aliceMxid] == UserVerificationLevel.VERIFIED_WITH_DEVICES_UNTRUSTED &&
+                            trustMap[bobMxid] == UserVerificationLevel.VERIFIED_ALL_DEVICES_TRUSTED &&
+                            trustMap[marcMxid] == UserVerificationLevel.UNVERIFIED_BUT_WAS_PREVIOUSLY
+                }
+                .finish()
+    }
+
+    private fun createViewModel(): RoomMemberListViewModel {
+        return RoomMemberListViewModel(
+                RoomMemberListViewState(args),
+                RoomMemberSummaryComparator(),
+                fakeSession,
+        )
+    }
+}

vector/src/test/java/im/vector/app/features/RoomMemberListControllerTest.kt

@@ -0,0 +1,132 @@
+/*
+ * Copyright (c) 2022 New Vector Ltd
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package im.vector.app.features
+
+import androidx.arch.core.executor.testing.InstantTaskExecutorRule
+import com.airbnb.mvrx.Success
+import com.airbnb.mvrx.test.MvRxTestRule
+import im.vector.app.core.epoxy.profiles.ProfileMatrixItemWithPowerLevelWithPresence
+import im.vector.app.features.roomprofile.members.RoomMemberListCategories
+import im.vector.app.features.roomprofile.members.RoomMemberListController
+import im.vector.app.features.roomprofile.members.RoomMemberListViewState
+import io.mockk.every
+import io.mockk.mockk
+import org.amshove.kluent.shouldBeEqualTo
+import org.junit.Rule
+import org.junit.Test
+import org.junit.runner.RunWith
+import org.matrix.android.sdk.api.session.crypto.model.UserVerificationLevel
+import org.matrix.android.sdk.api.session.room.model.Membership
+import org.matrix.android.sdk.api.session.room.model.RoomMemberSummary
+import org.matrix.android.sdk.api.session.room.model.RoomSummary
+import org.robolectric.RobolectricTestRunner
+
+@RunWith(RobolectricTestRunner::class)
+class RoomMemberListControllerTest {
+
+    @get:Rule
+    val mvrxTestRule = MvRxTestRule()
+
+    @get:Rule
+    val instantExecutorRule = InstantTaskExecutorRule()
+
+    @Test
+    fun testControllerUserVerificationLevel() {
+        val roomListController = RoomMemberListController(
+                avatarRenderer = mockk {
+                },
+                stringProvider = mockk {
+                    every { getString(any()) } answers {
+                        this.args[0].toString()
+                    }
+                },
+                colorProvider = mockk {
+                    every { getColorFromAttribute(any()) } returns 0x0
+                },
+                roomMemberSummaryFilter = mockk(relaxed = true) {
+                    every { test(any()) } returns true
+                }
+        )
+
+        val fakeRoomSummary = RoomSummary(
+                roomId = "!roomId",
+                displayName = "Fake Room",
+                topic = "A topic",
+                isEncrypted = true,
+                encryptionEventTs = 0,
+                typingUsers = emptyList(),
+        )
+
+        val state = RoomMemberListViewState(
+                roomId = "!roomId",
+                roomSummary = Success(fakeRoomSummary),
+                areAllMembersLoaded = true,
+                roomMemberSummaries = Success(
+                        listOf(
+                                RoomMemberListCategories.USER to listOf(
+                                        RoomMemberSummary(
+                                                membership = Membership.JOIN,
+                                                userId = "@alice:example.com"
+                                        ),
+                                        RoomMemberSummary(
+                                                membership = Membership.JOIN,
+                                                userId = "@bob:example.com"
+                                        ),
+                                        RoomMemberSummary(
+                                                membership = Membership.JOIN,
+                                                userId = "@carl:example.com"
+                                        ),
+                                        RoomMemberSummary(
+                                                membership = Membership.JOIN,
+                                                userId = "@massy:example.com"
+                                        )
+                                )
+                        )
+                ),
+                trustLevelMap = Success(
+                        mapOf(
+                                "@alice:example.com" to UserVerificationLevel.UNVERIFIED_BUT_WAS_PREVIOUSLY,
+                                "@bob:example.com" to UserVerificationLevel.VERIFIED_ALL_DEVICES_TRUSTED,
+                                "@carl:example.com" to UserVerificationLevel.WAS_NEVER_VERIFIED,
+                                "@massy:example.com" to UserVerificationLevel.VERIFIED_WITH_DEVICES_UNTRUSTED,
+                        )
+                )
+        )
+
+        roomListController.setData(state)
+
+        val models = roomListController.adapter.copyOfModels
+
+        val profileItems = models.filterIsInstance<ProfileMatrixItemWithPowerLevelWithPresence>()
+
+        profileItems.firstOrNull {
+            it.matrixItem.id == "@alice:example.com"
+        }!!.userVerificationLevel shouldBeEqualTo UserVerificationLevel.UNVERIFIED_BUT_WAS_PREVIOUSLY
+
+        profileItems.firstOrNull {
+            it.matrixItem.id == "@bob:example.com"
+        }!!.userVerificationLevel shouldBeEqualTo UserVerificationLevel.VERIFIED_ALL_DEVICES_TRUSTED
+
+        profileItems.firstOrNull {
+            it.matrixItem.id == "@carl:example.com"
+        }!!.userVerificationLevel shouldBeEqualTo UserVerificationLevel.WAS_NEVER_VERIFIED
+
+        profileItems.firstOrNull {
+            it.matrixItem.id == "@massy:example.com"
+        }!!.userVerificationLevel shouldBeEqualTo UserVerificationLevel.VERIFIED_WITH_DEVICES_UNTRUSTED
+    }
+}