fix: EAR Security Tests - WPB-23474 🍒 (#4452)

Co-authored-by: David-Henner <david.henner@wire.com>

Author: github-actions[bot]

WireDomain/Sources/WireDomain/Notifications/Components/NSEUserScope.swift

@@ -155,7 +155,7 @@ final class NSEUserScope: Component<NSEUserScopeDependency> {
             throw Failure.mainAppRequired(message: "no self client id")
         }
 
-        let earService = await EARService(
+        let earService = await EARServiceFactory.createEARService(
             accountID: accountID,
             coreDataStack: coreDataStack,
             sharedUserDefaults: dependency.sharedUserDefaults,

wire-ios-data-model/Source/Authentication/EAR/EARService.swift

@@ -50,54 +50,17 @@ public class EARService: EARServiceInterface {
 
     // MARK: - Life cycle
 
-    /// Create a new `EARService`.
-    ///
-    /// - Parameters:
-    ///   - accountID: The id of the self user.
-    ///   - databaseContexts: A list of database contexts that require access to the database key.
-    ///   - canPerformKeyMigration: Whether key migration can be performed. Key migration should not be performed when
-    /// the service is running in app extensions.
-    ///   - sharedUserDefaults: The shared user defaults in which to keep track of whether EAR is enabled.
-    ///   - authenticationContext: The authentication context used to access encryption keys.
-
-    public convenience init(
-        accountID: UUID,
-        databaseContexts: [NSManagedObjectContext] = [],
-        coreDataStack: CoreDataStackProtocol,
-        canPerformKeyMigration: Bool = false,
-        sharedUserDefaults: UserDefaults,
-        authenticationContext: any AuthenticationContextProtocol
-    ) async {
-        let earStorage = EARStorage(userID: accountID, sharedUserDefaults: sharedUserDefaults)
-        let messageEncryptionService = EARMessageEncryptionService(earStorage: earStorage)
-        let migrator = EARMigrator(messageEncryptionService: messageEncryptionService)
-
-        await self.init(
-            accountID: accountID,
-            keyRepository: EARKeyRepository(),
-            keyEncryptor: EARKeyEncryptor(),
-            databaseContexts: databaseContexts,
-            coreDataStack: coreDataStack,
-            canPerformKeyMigration: canPerformKeyMigration,
-            earStorage: earStorage,
-            messageEncryptionService: messageEncryptionService,
-            migrator: migrator,
-            authenticationContext: authenticationContext
-        )
-    }
-
     init(
         accountID: UUID,
         keyRepository: EARKeyRepositoryInterface = EARKeyRepository(),
         keyEncryptor: EARKeyEncryptorInterface = EARKeyEncryptor(),
-        databaseContexts: [NSManagedObjectContext],
         coreDataStack: CoreDataStackProtocol,
         canPerformKeyMigration: Bool,
         earStorage: EARStorage,
         messageEncryptionService: EARMessageEncryptionServiceProtocol,
         migrator: EARMigratorProtocol,
         authenticationContext: AuthenticationContextProtocol
-    ) async {
+    ) {
         self.accountID = accountID
         self.keyRepository = keyRepository
         self.keyEncryptor = keyEncryptor
@@ -114,17 +77,19 @@ public class EARService: EARServiceInterface {
 
         coreDataStack.setEARMessageEncryptionService(messageEncryptionService)
 
-        for context in databaseContexts {
-            await context.perform {
-                context.earMessageEncryptionService = messageEncryptionService
-            }
-        }
-
         if canPerformKeyMigration {
             migrateKeysIfNeeded()
         }
     }
 
+    func setupDatabaseContexts(databaseContexts: [NSManagedObjectContext]) async {
+        for context in databaseContexts {
+            await context.perform { [service = earMessageEncryptionService] in
+                context.earMessageEncryptionService = service
+            }
+        }
+    }
+
     // MARK: - Lock status
 
     public var isLocked: Bool {

wire-ios-data-model/Source/Authentication/EAR/EARServiceFactory.swift

@@ -0,0 +1,137 @@
+//
+// Wire
+// Copyright (C) 2026 Wire Swiss GmbH
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with this program. If not, see http://www.gnu.org/licenses/.
+//
+
+public enum EARServiceFactory {
+
+    // MARK: - Public Interface
+
+    /// Create a new `EARService`.
+    ///
+    /// - Parameters:
+    ///   - accountID: The id of the self user.
+    ///   - databaseContexts: The managed object contexts on which to set the `EARMessageEncryptionService`
+    ///   - coreDataStack: The core data stack on which the `EARMessageEncryptionService` will be set.
+    ///   - canPerformKeyMigration: Whether key migration can be performed. Key migration should not be performed when
+    /// the service is running in app extensions.
+    ///   - sharedUserDefaults:  The shared user defaults in which to keep track of whether EAR is enabled.
+    ///   - authenticationContext: The authentication context used to access encryption keys.
+    /// - Returns: a newly created `EARService` instance
+    ///
+    public static func createEARService(
+        accountID: UUID,
+        databaseContexts: [NSManagedObjectContext] = [],
+        coreDataStack: CoreDataStackProtocol,
+        canPerformKeyMigration: Bool = false,
+        sharedUserDefaults: UserDefaults,
+        authenticationContext: any AuthenticationContextProtocol
+    ) async -> EARServiceInterface {
+        let earStorage = EARStorage(userID: accountID, sharedUserDefaults: sharedUserDefaults)
+        let messageEncryptionService = EARMessageEncryptionService(earStorage: earStorage)
+        let migrator = EARMigrator(messageEncryptionService: messageEncryptionService)
+
+        let earService = EARService(
+            accountID: accountID,
+            keyRepository: EARKeyRepository(),
+            keyEncryptor: EARKeyEncryptor(),
+            coreDataStack: coreDataStack,
+            canPerformKeyMigration: canPerformKeyMigration,
+            earStorage: earStorage,
+            messageEncryptionService: messageEncryptionService,
+            migrator: migrator,
+            authenticationContext: authenticationContext
+        )
+
+        await internalSetupDatabaseContexts(
+            databaseContexts: databaseContexts,
+            onEARService: earService
+        )
+
+        return earService
+    }
+
+    // MARK: - Tests Interface
+
+    #if DEBUG
+
+        /// Synchronously creates an `EARService` instance
+        ///
+        /// - Parameters:
+        ///   - accountID: The id of the self user.
+        ///   - coreDataStack: The core data stack on which the `EARMessageEncryptionService` will be set.
+        ///   - canPerformKeyMigration: Whether key migration can be performed. Key migration should not be performed
+        /// when
+        /// the service is running in app extensions.
+        ///   - sharedUserDefaults: The shared user defaults in which to keep track of whether EAR is enabled.
+        ///   - authenticationContext:  The authentication context used to access encryption keys.
+        /// - Returns: a newly created `EARService` instance
+        ///
+        public static func createEARService(
+            accountID: UUID,
+            coreDataStack: CoreDataStackProtocol,
+            canPerformKeyMigration: Bool = false,
+            sharedUserDefaults: UserDefaults,
+            authenticationContext: any AuthenticationContextProtocol
+        ) -> EARService {
+            let earStorage = EARStorage(userID: accountID, sharedUserDefaults: sharedUserDefaults)
+            let messageEncryptionService = EARMessageEncryptionService(earStorage: earStorage)
+            let migrator = EARMigrator(messageEncryptionService: messageEncryptionService)
+
+            return EARService(
+                accountID: accountID,
+                keyRepository: EARKeyRepository(),
+                keyEncryptor: EARKeyEncryptor(),
+                coreDataStack: coreDataStack,
+                canPerformKeyMigration: canPerformKeyMigration,
+                earStorage: earStorage,
+                messageEncryptionService: messageEncryptionService,
+                migrator: migrator,
+                authenticationContext: authenticationContext
+            )
+        }
+
+        /// Sets the `EARMessageEncryptionService` on the given managed object contexts
+        ///
+        /// - Parameters:
+        ///   - databaseContexts: The managed object contexts on which to set the `EARMessageEncryptionService`
+        ///   - earService: The `EARService` instance to setup
+        ///
+        public static func setupDatabaseContexts(
+            databaseContexts: [NSManagedObjectContext],
+            onEARService earService: EARService
+        ) async {
+            await internalSetupDatabaseContexts(
+                databaseContexts: databaseContexts,
+                onEARService: earService
+            )
+        }
+
+    #endif
+
+    // MARK: - Private Helpers
+
+    private static func internalSetupDatabaseContexts(
+        databaseContexts: [NSManagedObjectContext],
+        onEARService earService: EARService
+    ) async {
+        guard !databaseContexts.isEmpty else { return }
+
+        await earService.setupDatabaseContexts(
+            databaseContexts: databaseContexts
+        )
+    }
+}

wire-ios-data-model/Tests/Authentication/EAR/EARServiceIntegrationTests.swift

@@ -67,19 +67,20 @@ final class EARServiceIntegrationTests: EARServiceTestsBase, @MainActor EARServi
         canPerformMigration: Bool = false,
         contexts: [NSManagedObjectContext]? = nil
     ) async -> EARService {
-        let sut = await EARService(
+        let sut = EARService(
             accountID: userID,
             keyRepository: keyRepository,
             keyEncryptor: keyEncryptor,
-            databaseContexts: contexts ?? [uiMOC, syncMOC],
             coreDataStack: coreDataStack,
             canPerformKeyMigration: canPerformMigration,
             earStorage: earStorage,
             messageEncryptionService: messageEncryptionService,
             migrator: migrator,
             authenticationContext: MockAuthenticationContextProtocol()
         )
-
+        await sut.setupDatabaseContexts(
+            databaseContexts: contexts ?? [uiMOC, syncMOC]
+        )
         sut.delegate = self
         return sut
     }
@@ -391,18 +392,18 @@ final class EARServiceIntegrationTests: EARServiceTestsBase, @MainActor EARServi
         let messageEncryptionService = EARMessageEncryptionService(earStorage: earStorage)
         let migrator = EARMigrator(messageEncryptionService: messageEncryptionService)
 
-        let sut = await EARService(
+        let sut = EARService(
             accountID: userID,
             keyRepository: EARKeyRepository(),  // Real keychain access
             keyEncryptor: EARKeyEncryptor(),    // Real crypto
-            databaseContexts: [uiMOC],
             coreDataStack: coreDataStack,
             canPerformKeyMigration: false,
             earStorage: earStorage,
             messageEncryptionService: messageEncryptionService,
             migrator: migrator,
             authenticationContext: MockAuthenticationContextProtocol()
         )
+        await sut.setupDatabaseContexts(databaseContexts: [uiMOC])
         sut.delegate = self
 
         let oldDatabaseKey = try sut.generateKeys()

wire-ios-data-model/Tests/Authentication/EAR/EARServiceTests.swift

@@ -61,11 +61,10 @@ final class EARServiceTests: EARServiceTestsBase, @MainActor EARServiceDelegate
     func createSUT(
         canPerformMigration: Bool = false
     ) async -> EARService {
-        let sut = await EARService(
+        let sut = EARService(
             accountID: userID,
             keyRepository: keyRepository,
             keyEncryptor: keyEncryptor,
-            databaseContexts: [uiMOC, syncMOC],
             coreDataStack: coreDataStack,
             canPerformKeyMigration: canPerformMigration,
             earStorage: earStorage,
@@ -74,6 +73,9 @@ final class EARServiceTests: EARServiceTestsBase, @MainActor EARServiceDelegate
             authenticationContext: MockAuthenticationContextProtocol()
         )
 
+        await sut.setupDatabaseContexts(
+            databaseContexts: [uiMOC, syncMOC]
+        )
         sut.delegate = self
         return sut
     }

wire-ios-data-model/WireDataModel.xcodeproj/project.pbxproj

@@ -386,6 +386,7 @@
 		882B86BE2E8441AA008A50CA /* RemoveCoreCryptoKeysUseCase.swift in Sources */ = {isa = PBXBuildFile; fileRef = 882B86BD2E84419A008A50CA /* RemoveCoreCryptoKeysUseCase.swift */; };
 		8838CFA42EC4CB1B00495012 /* NSManagedObjectContext+AccountDirectory.swift in Sources */ = {isa = PBXBuildFile; fileRef = 8838CFA32EC4CB0D00495012 /* NSManagedObjectContext+AccountDirectory.swift */; };
 		884371662EB8E9F3003DA083 /* store2-132-0.wiredatabase in Resources */ = {isa = PBXBuildFile; fileRef = 884371652EB8E9F3003DA083 /* store2-132-0.wiredatabase */; };
+		885B4BC12F6062B9001D7D72 /* EARServiceFactory.swift in Sources */ = {isa = PBXBuildFile; fileRef = 885B4BC02F6062B4001D7D72 /* EARServiceFactory.swift */; };
 		88A80B632F320E9200F7E372 /* EARMessageEncryptionService.swift in Sources */ = {isa = PBXBuildFile; fileRef = 88A80B622F320E7500F7E372 /* EARMessageEncryptionService.swift */; };
 		88A80B652F3381ED00F7E372 /* EARMigrator.swift in Sources */ = {isa = PBXBuildFile; fileRef = 88A80B642F3381DF00F7E372 /* EARMigrator.swift */; };
 		88B81BD62EC232C600248D7A /* store2-133-0.wiredatabase in Resources */ = {isa = PBXBuildFile; fileRef = 88B81BD52EC232C600248D7A /* store2-133-0.wiredatabase */; };
@@ -1123,6 +1124,7 @@
 		882B86BD2E84419A008A50CA /* RemoveCoreCryptoKeysUseCase.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = RemoveCoreCryptoKeysUseCase.swift; sourceTree = "<group>"; };
 		8838CFA32EC4CB0D00495012 /* NSManagedObjectContext+AccountDirectory.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = "NSManagedObjectContext+AccountDirectory.swift"; sourceTree = "<group>"; };
 		884371652EB8E9F3003DA083 /* store2-132-0.wiredatabase */ = {isa = PBXFileReference; lastKnownFileType = file; path = "store2-132-0.wiredatabase"; sourceTree = "<group>"; };
+		885B4BC02F6062B4001D7D72 /* EARServiceFactory.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = EARServiceFactory.swift; sourceTree = "<group>"; };
 		88A80B622F320E7500F7E372 /* EARMessageEncryptionService.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = EARMessageEncryptionService.swift; sourceTree = "<group>"; };
 		88A80B642F3381DF00F7E372 /* EARMigrator.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = EARMigrator.swift; sourceTree = "<group>"; };
 		88B81BD52EC232C600248D7A /* store2-133-0.wiredatabase */ = {isa = PBXFileReference; lastKnownFileType = file; path = "store2-133-0.wiredatabase"; sourceTree = "<group>"; };
@@ -2088,6 +2090,7 @@
 				E6E504282BC542C5004948E7 /* EARPrivateKeys.swift */,
 				E6E504292BC542C5004948E7 /* EARPublicKeys.swift */,
 				E6E5042A2BC542C5004948E7 /* EARService.swift */,
+				885B4BC02F6062B4001D7D72 /* EARServiceFactory.swift */,
 				E6E5042B2BC542C5004948E7 /* EARServiceDelegate.swift */,
 				E6E5042C2BC542C5004948E7 /* EARServiceFailure.swift */,
 				E6E5042D2BC542C5004948E7 /* EARStorage.swift */,
@@ -3572,6 +3575,7 @@
 				16CDEBFB2209D13B00E74A41 /* ZMMessage+Quotes.swift in Sources */,
 				EE997A1425062295008336D2 /* Logging.swift in Sources */,
 				F9331C841CB4191B00139ECC /* NSPredicate+ZMSearch.m in Sources */,
+				885B4BC12F6062B9001D7D72 /* EARServiceFactory.swift in Sources */,
 				BFCD502D21511D58008CD845 /* DraftMessage.swift in Sources */,
 				63B1336B29A503D100009D84 /* MLSGroupStatus.swift in Sources */,
 				EE3EFE9725305A84009499E5 /* ModifiedObjects+Mergeable.swift in Sources */,

wire-ios-share-engine/Sources/SharingSession.swift

@@ -244,7 +244,8 @@ public final class SharingSession {
             featureRepository: featureRepository
         )
         let contextStorage = LAContextStorage()
-        let earService = await EARService(
+
+        let earService = await EARServiceFactory.createEARService(
             accountID: accountIdentifier,
             databaseContexts: [
                 coreDataStack.viewContext,

wire-ios-share-engine/Sources/SharingSessionLoader.swift

@@ -318,7 +318,7 @@ public struct SharingSessionLoader {
             transportSession: transportSession
         )
         let contextStorage = LAContextStorage()
-        let earService = await EARService(
+        let earService = await EARServiceFactory.createEARService(
             accountID: accountID,
             databaseContexts: [
                 coreDataStack.viewContext,

wire-ios-share-engine/WireShareEngineTests/BaseSharingSessionTests.swift

@@ -176,7 +176,7 @@ class BaseTest: ZMTBaseTest {
     }
 
     func createSharingSession() async throws -> SharingSession {
-        let earService = await EARService(
+        let earService = await EARServiceFactory.createEARService(
             accountID: accountIdentifier,
             databaseContexts: [coreDataStack.viewContext, coreDataStack.syncContext],
             coreDataStack: coreDataStack,

wire-ios-sync-engine/Source/SessionManager/SessionFactories.swift

@@ -118,7 +118,7 @@ open class AuthenticatedSessionFactory {
             localDomain: BackendInfo.domain
         )
         let contextStorage = LAContextStorage()
-        let earService = await EARService(
+        let earService = await EARServiceFactory.createEARService(
             accountID: coreDataStack.account.userIdentifier,
             databaseContexts: [
                 coreDataStack.viewContext,