feat: use new API for rotating credentials in groups after enrolling into e2ei

typfel · typfel · commit d33d4918ac80 · 2025-04-07T14:25:29.000+02:00
diff --git a/wire-ios-request-strategy/Sources/E2EIdentity/E2EIKeyPackageRotator.swift b/wire-ios-request-strategy/Sources/E2EIdentity/E2EIKeyPackageRotator.swift
@@ -48,7 +48,6 @@ public class E2EIKeyPackageRotator: E2EIKeyPackageRotating {
     private let coreCryptoProvider: CoreCryptoProviderProtocol
     private let conversationEventProcessor: ConversationEventProcessorProtocol
     private let context: NSManagedObjectContext
-    private let commitSender: CommitSending
     private let newKeyPackageCount: UInt32 = 100
     private let featureRepository: FeatureRepositoryInterface
     private let onNewCRLsDistributionPointsSubject: PassthroughSubject<CRLsDistributionPoints, Never>
@@ -66,17 +65,12 @@ public class E2EIKeyPackageRotator: E2EIKeyPackageRotating {
         conversationEventProcessor: ConversationEventProcessorProtocol,
         context: NSManagedObjectContext,
         onNewCRLsDistributionPointsSubject: PassthroughSubject<CRLsDistributionPoints, Never>,
-        commitSender: CommitSending? = nil,
         featureRepository: FeatureRepositoryInterface
     ) {
         self.coreCryptoProvider = coreCryptoProvider
         self.conversationEventProcessor = conversationEventProcessor
         self.context = context
         self.onNewCRLsDistributionPointsSubject = onNewCRLsDistributionPointsSubject
-        self.commitSender = commitSender ?? CommitSender(
-            coreCryptoProvider: coreCryptoProvider,
-            notificationContext: context.notificationContext
-        )
         self.featureRepository = featureRepository
     }
 
@@ -93,76 +87,81 @@ public class E2EIKeyPackageRotator: E2EIKeyPackageRotating {
         guard let enrollment = enrollment as? E2eiEnrollment else {
             throw Error.invalidIdentity
         }
+        
+        let crlNewDistributionPoints = try await coreCrypto.perform { context in
+            try await context.saveX509Credential(
+                enrollment: enrollment,
+                certificateChain: certificateChain
+            )
+        }
+        
+        try await replaceKeyPackages()
+        try await replaceCredentialsInExistingConversations()
 
-        // TODO: jacob update iterate over all conversation with e2eiRotate
-//        // Get the rotate bundle from core crypto
-//        let rotateBundle = try await coreCrypto.perform {
-//            try await $0.e2eiRotateAll(
-//                enrollment: enrollment,
-//                certificateChain: certificateChain,
-//                newKeyPackagesCount: newKeyPackageCount
-//            )
-//        }
-//
-//        guard !rotateBundle.commits.isEmpty else {
-//            // TODO: [WPB-6281] [jacob] remove this guard when implementing
-//            return
-//        }
-//
-//        // Replace the key packages with the ones including the certificate
-//        try await replaceKeyPackages(rotateBundle: rotateBundle)
-//
-//        // Send migration commits after key packages rotations
-//        for (groupID, commit) in rotateBundle.commits {
-//            do {
-//                try await migrateConversation(with: groupID, commit: commit)
-//            } catch {
-//                WireLogger.e2ei.warn("failed to rotate keys for group: \(String(describing: error))")
-//            }
-//        }
-//
-//        // Publish new certificate revocation lists (CRLs) distribution points
-//        if let newDistributionPoints = CRLsDistributionPoints(from: rotateBundle.crlNewDistributionPoints) {
-//            onNewCRLsDistributionPointsSubject.send(newDistributionPoints)
-//        }
+        // Publish new certificate revocation lists (CRLs) distribution points
+        if let newDistributionPoints = CRLsDistributionPoints(from: crlNewDistributionPoints) {
+            onNewCRLsDistributionPointsSubject.send(newDistributionPoints)
+        }
     }
 
     // MARK: - Helpers
-
-    // TODO: jacob update iterate over all conversation with e2eiRotate
-//    private func replaceKeyPackages(rotateBundle: RotateBundle) async throws {
-//
-//        guard let clientID = await context.perform({ [self] in
-//            ZMUser.selfUser(in: context).selfClient()?.remoteIdentifier
-//        }) else {
-//            throw Error.noSelfClient
-//        }
-//
-//        let newKeyPackages = rotateBundle.newKeyPackages.map { $0.base64String() }
-//        let mlsConfig = await featureRepository.fetchMLS().config
-//        guard let ciphersuite = MLSCipherSuite(rawValue: mlsConfig.defaultCipherSuite.rawValue) else {
-//            throw Error.invalidCiphersuite
-//        }
-//        var action = ReplaceSelfMLSKeyPackagesAction(
-//            clientID: clientID,
-//            keyPackages: newKeyPackages,
-//            ciphersuite: ciphersuite
-//        )
-//        try await action.perform(in: context.notificationContext)
-//    }
-
-    private func migrateConversation(with groupID: String, commit: CommitBundle) async throws {
-        guard let groupData = groupID.zmHexDecodedData() else {
-            throw Error.invalidGroupID
+    
+    private func replaceCredentialsInExistingConversations() async throws {
+        let mlsConversationsToMigrate = try await context.perform ({
+            var mlsGroupIDs = try ZMConversation.fetchConversationsWithMLSGroupStatus(
+                mlsGroupStatus: .ready,
+                in: self.context
+            ).compactMap { $0.mlsGroupID }
+            
+            if let selfMLSGroupID = ZMConversation.fetchSelfMLSConversation(in: self.context)?.mlsGroupID {
+                mlsGroupIDs.append(selfMLSGroupID)
+            }
+            
+            return mlsGroupIDs
+        })
+        
+        try await coreCrypto.perform { context in
+            for groupID in mlsConversationsToMigrate {
+                do {
+                    try await context.e2eiRotate(conversationId: groupID.data)
+                } catch {
+                    WireLogger.e2ei.warn("failed to rotate keys for group \(groupID.safeForLoggingDescription): \(String(describing: error))")
+                }
+            }
         }
-
-        let groupID = MLSGroupID(groupData)
-        let events = try await commitSender.sendCommitBundle(
-            commit,
-            for: groupID
-        )
-
-        await conversationEventProcessor.processConversationEvents(events)
     }
 
+    private func replaceKeyPackages() async throws {
+        let mlsConfig = await featureRepository.fetchMLS().config
+        
+        guard let clientID = await context.perform({ [self] in
+            ZMUser.selfUser(in: context).selfClient()?.remoteIdentifier
+        }) else {
+            throw Error.noSelfClient
+        }
+        
+        guard let ciphersuite = MLSCipherSuite(rawValue: mlsConfig.defaultCipherSuite.rawValue) else {
+            throw Error.invalidCiphersuite
+        }
+        
+        try await coreCrypto.perform { coreCryptoContext in
+            let rawCiphersuite = UInt16(ciphersuite.rawValue)
+            let newKeyPackages = try await coreCryptoContext.clientKeypackages(
+                ciphersuite: rawCiphersuite,
+                credentialType: .x509,
+                amountRequested: self.newKeyPackageCount
+            ).map({ $0.base64String() })
+            
+            var action = ReplaceSelfMLSKeyPackagesAction(
+                clientID: clientID,
+                keyPackages: newKeyPackages,
+                ciphersuite: ciphersuite
+            )
+            try await action.perform(in: self.context.notificationContext)
+            try await coreCryptoContext.deleteStaleKeyPackages(
+                ciphersuite: rawCiphersuite
+            )
+        }
+    }
+    
 }
diff --git a/wire-ios-request-strategy/Sources/E2EIdentity/E2EIKeyPackageRotatorTests.swift b/wire-ios-request-strategy/Sources/E2EIdentity/E2EIKeyPackageRotatorTests.swift
@@ -27,7 +27,6 @@ class E2EIKeyPackageRotatorTests: MessagingTestBase {
 
     private var mockCoreCrypto: MockCoreCryptoProtocol!
     private var mockCoreCryptoProvider: MockCoreCryptoProviderProtocol!
-    private var mockCommitSender: MockCommitSending!
     private var mockConversationEventProcessor: MockConversationEventProcessorProtocol!
     private var mockFeatureRepository: MockFeatureRepositoryInterface!
     private var sut: E2EIKeyPackageRotator!
@@ -36,7 +35,6 @@ class E2EIKeyPackageRotatorTests: MessagingTestBase {
         super.setUp()
 
         mockCoreCrypto = MockCoreCryptoProtocol()
-        mockCommitSender = MockCommitSending()
         mockConversationEventProcessor = MockConversationEventProcessorProtocol()
         mockCoreCryptoProvider = MockCoreCryptoProviderProtocol()
         mockCoreCryptoProvider.coreCrypto_MockValue = MockSafeCoreCrypto(coreCrypto: mockCoreCrypto)
@@ -47,7 +45,6 @@ class E2EIKeyPackageRotatorTests: MessagingTestBase {
             conversationEventProcessor: mockConversationEventProcessor,
             context: syncMOC,
             onNewCRLsDistributionPointsSubject: .init(),
-            commitSender: mockCommitSender,
             featureRepository: mockFeatureRepository
         )
     }
