feat: re-establish EAR support - WPB-23473

[David-Henner]

WPB-23473 [iOS] Refactor database key access for message encryption & migrations

Issue

This PR re-establishes Encryption at Rest after it was broken by the introduction of dynamic background contexts. The implementation decouples encryption logic from NSManagedObjectContext and centralizes database key management through a service-based architecture.

The previous EAR implementation had critical issues:

1. Missing keys in dynamic contexts - Ad-hoc background contexts created via CoreDataStack.newBackgroundContext() lacked the database key, causing decryption errors and disappearing messages
2. Migration failures - EAR enable/disable operations create temporary contexts that were missing the database key, causing migration failure
3. Initialization deadlock - Setting the database key on the contexts was causing a deadlock on the view context.

Changes

• Created EARMessageEncryptionService for database key management and centralized encryption
• Created EARMigrator for migrations when enabling / disabling EAR
• Made EARService initialization async
• Split unit tests from integration tests with EARServiceTests and EARServiceIntegrationTests
• Added doc comments

---

Checklist

• Title contains a reference JIRA issue number like [WPB-XXX].
• Description is filled and free of optional paragraphs.
• Adds/updates automated tests.

[github-actions]

Test Results

    8 files    982 suites   9m 50s ⏱️
7 059 tests 7 031 ✅ 28 💤 0 ❌
7 060 runs  7 032 ✅ 28 💤 0 ❌

Results for commit 18f63c3.

♻️ This comment has been updated with latest results.

Summary: workflow run #22218036080
Allure report (download zip): html-report-28036-feat_ear-support-without-new-sync

[datadog-wireapp]

⚠️ Tests

✨ Fix all issues with Cursor

⚠️ Warnings

🧪 14 Tests failed

testThatDatabaseIsLocked_AfterBackgroundTaskCompletesInTheBackground() from UnitTests.ZMUserSessionTests_EncryptionAtRest (Datadog) (Fix with Cursor)

Crash: WireSyncEngine Test Host at ZMUserSessionTests_EncryptionAtRest.setEncryptionAtRest(enabled:file:line:)

testThatDatabaseIsLocked_AfterEnteringBackground() from UnitTests.ZMUserSessionTests_EncryptionAtRest (Datadog) (Fix with Cursor)

Crash: WireSyncEngine Test Host at ZMUserSessionTests_EncryptionAtRest.setEncryptionAtRest(enabled:file:line:)

testThatDatabaseIsLocked_WhenTheCustomTimeoutHasExpiredInTheBackground() from UnitTests.ZMUserSessionTests_EncryptionAtRest (Datadog) (Fix with Cursor)

Crash: WireSyncEngine Test Host at implicit closure #1 in ZMUserSessionTests_EncryptionAtRest.testThatDatabaseIsLocked_WhenTheCustomTimeoutHasExpiredInTheBackground()

View all

ℹ️ Info

❄️ No new flaky tests detected

_{This comment will be updated automatically if new data arrives.
🔗 Commit SHA: 27f2676 | Docs | Was this helpful? Give us feedback!}

[David-Henner]

Moved these security tests to EARServiceIntegrationTests

[David-Henner]

moved to EARServiceIntegrationTests

[David-Henner]

moved to EARServiceIntegrationTests

[David-Henner]

This test class is skipped temporarily

[netbe]

left a couple questions before approving

[netbe]

question: can't we just do defer { lock.unlock() from the top?

[David-Henner]

sure

[David-Henner]

cbbf667

[netbe]

suggestion: what about making the method async

[johnxnguyen]

My intuition is that since this context has just been created and not returned, in no place else could there be a simultaneous performAndWait which could lead to a deadlock.

[David-Henner]

I agree

[netbe]

todo: check the security tests is enabled the Security Tests plan

[David-Henner]

done cbbf667

[netbe]

question: why do we need real objects here?

[David-Henner]

They're used to generate and store real keys. The test is verifying that the service is replacing keys after disabling / enabling EAR.

[johnxnguyen]

Looks good! I'll approve when the current conversations are resolved. Also, are we able to playtest these changes as is or is there something missing?

[johnxnguyen]

suggestion: a comment explaining this save would be nice.

[David-Henner]

TBH I'm not sure why it's there. I've moved this part of the code from the NSManagedObjecContext extension.

[johnxnguyen]

My intuition is that since this context has just been created and not returned, in no place else could there be a simultaneous performAndWait which could lead to a deadlock.

[David-Henner]

Looks good! I'll approve when the current conversations are resolved. Also, are we able to playtest these changes as is or is there something missing?

@johnxnguyen besides incremental sync support coming in a separate PR, there's nothing missing and it can be playtested

[emil-wire]

getEarMessageEncryptionService() will throw if this context wasn’t wired with the EAR service. Any ad‑hoc context that skips setEARMessageEncryptionService will now fail encryption at runtime when EAR is enabled - can we enforce injection or assert here?

[David-Henner]

added an assertion cbbf667

[emil-wire]

Same as above: this assumes earMessageEncryptionService is injected into the context. If any context is created outside CoreDataStack (or before injection), draft encryption will throw - can we assert/guard or centralize context creation to guarantee injection?

[David-Henner]

same as above, I added an assertion. Additionally, the context creation is centralized through CoreDataStack. Although there's nothing restricting from creating a context differently

[sonarqubecloud]

Quality Gate passed

Issues
69 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[netbe]

Looks good to me

[netbe]

question: why is it skipped ?

[netbe]

disabled tests will be re-enabled in another PR I guess

[David-Henner]

yes