From 167fa9a7ab1456f8ea4e2933057dd370c42b83cc Mon Sep 17 00:00:00 2001 From: Maciej Zieniuk <167752252+mzieniukbw@users.noreply.github.com> Date: Mon, 21 Jul 2025 19:35:31 +0200 Subject: [PATCH 01/37] [PM-18054] Chrome extension biometric unlock not functioning correctly with Windows Hello. (#14953) * Chrome extension biometric unlock not functioning correctly with Windows Hello. When unlocking via Windows Hello prompt, the popup have to be in the foreground. If it is not, even for short amount of time (few seconds), if later prompt confirmed, it won't return success when returning signed os key half. * unit test coverage * unit test coverage * exclude test files from build * use electron `setAlwaysOnTop` instead of toggle * remove Windows os key half created with derive_key_material biometric function, that prompted Windows Hello. Moves Windows hello prompt into getBiometricKey. Witness key no longer needed. * windows crate formatting * remove biometric on app start for windows * failing os biometrics windows unit tests * cleanup of os biometrics windows unit tests * increased coverage of os biometrics windows unit tests * open Windows Hello prompt in the currently focused window, instead of always desktop app * conflict resolution after merge, typescript lint issues, increased test coverage. * backwards compatibility when require password on start was disabled * biometric unlock cancellation and error handling * biometric settings simplifications --- .../desktop_native/core/src/biometric/mod.rs | 90 ++++ .../core/src/biometric/windows.rs | 185 ++------ .../src/app/accounts/settings.component.html | 13 +- .../app/accounts/settings.component.spec.ts | 96 ++--- .../src/app/accounts/settings.component.ts | 42 +- .../biometrics/os-biometrics-linux.service.ts | 27 +- .../os-biometrics-windows.service.spec.ts | 402 ++++++++++++------ .../os-biometrics-windows.service.ts | 196 ++------- apps/desktop/src/locales/en/messages.json | 12 - apps/desktop/src/main.ts | 18 +- apps/desktop/tsconfig.json | 3 +- 11 files changed, 481 insertions(+), 603 deletions(-) diff --git a/apps/desktop/desktop_native/core/src/biometric/mod.rs b/apps/desktop/desktop_native/core/src/biometric/mod.rs index 79be43b1bfc..e4d51f5da9a 100644 --- a/apps/desktop/desktop_native/core/src/biometric/mod.rs +++ b/apps/desktop/desktop_native/core/src/biometric/mod.rs @@ -83,3 +83,93 @@ impl KeyMaterial { Ok(Sha256::digest(self.digest_material())) } } + +#[cfg(test)] +mod tests { + use crate::biometric::{decrypt, encrypt, KeyMaterial}; + use crate::crypto::CipherString; + use base64::{engine::general_purpose::STANDARD as base64_engine, Engine}; + use std::str::FromStr; + + fn key_material() -> KeyMaterial { + KeyMaterial { + os_key_part_b64: "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=".to_owned(), + client_key_part_b64: Some("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=".to_owned()), + } + } + + #[test] + fn test_encrypt() { + let key_material = key_material(); + let iv_b64 = "l9fhDUP/wDJcKwmEzcb/3w==".to_owned(); + let secret = encrypt("secret", &key_material, &iv_b64) + .unwrap() + .parse::() + .unwrap(); + + match secret { + CipherString::AesCbc256_B64 { iv, data: _ } => { + assert_eq!(iv_b64, base64_engine.encode(iv)); + } + _ => panic!("Invalid cipher string"), + } + } + + #[test] + fn test_decrypt() { + let secret = + CipherString::from_str("0.l9fhDUP/wDJcKwmEzcb/3w==|uP4LcqoCCj5FxBDP77NV6Q==").unwrap(); // output from test_encrypt + let key_material = key_material(); + assert_eq!(decrypt(&secret, &key_material).unwrap(), "secret") + } + + #[test] + fn key_material_produces_valid_key() { + let result = key_material().derive_key().unwrap(); + assert_eq!(result.len(), 32); + } + + #[test] + fn key_material_uses_os_part() { + let mut key_material = key_material(); + let result = key_material.derive_key().unwrap(); + key_material.os_key_part_b64 = "BAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=".to_owned(); + let result2 = key_material.derive_key().unwrap(); + assert_ne!(result, result2); + } + + #[test] + fn key_material_uses_client_part() { + let mut key_material = key_material(); + let result = key_material.derive_key().unwrap(); + key_material.client_key_part_b64 = + Some("BAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=".to_owned()); + let result2 = key_material.derive_key().unwrap(); + assert_ne!(result, result2); + } + + #[test] + fn key_material_produces_consistent_os_only_key() { + let mut key_material = key_material(); + key_material.client_key_part_b64 = None; + let result = key_material.derive_key().unwrap(); + assert_eq!( + result, + [ + 81, 100, 62, 172, 151, 119, 182, 58, 123, 38, 129, 116, 209, 253, 66, 118, 218, + 237, 236, 155, 201, 234, 11, 198, 229, 171, 246, 144, 71, 188, 84, 246 + ] + .into() + ); + } + + #[test] + fn key_material_produces_unique_os_only_key() { + let mut key_material = key_material(); + key_material.client_key_part_b64 = None; + let result = key_material.derive_key().unwrap(); + key_material.os_key_part_b64 = "BAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=".to_owned(); + let result2 = key_material.derive_key().unwrap(); + assert_ne!(result, result2); + } +} diff --git a/apps/desktop/desktop_native/core/src/biometric/windows.rs b/apps/desktop/desktop_native/core/src/biometric/windows.rs index 4c2e2c8ae25..99bec132edb 100644 --- a/apps/desktop/desktop_native/core/src/biometric/windows.rs +++ b/apps/desktop/desktop_native/core/src/biometric/windows.rs @@ -1,22 +1,18 @@ -use std::{ - ffi::c_void, - str::FromStr, - sync::{atomic::AtomicBool, Arc}, -}; +use std::{ffi::c_void, str::FromStr}; use anyhow::{anyhow, Result}; use base64::{engine::general_purpose::STANDARD as base64_engine, Engine}; use rand::RngCore; use sha2::{Digest, Sha256}; use windows::{ - core::{factory, h, HSTRING}, - Security::{ - Credentials::{ - KeyCredentialCreationOption, KeyCredentialManager, KeyCredentialStatus, UI::*, - }, - Cryptography::CryptographicBuffer, + core::{factory, HSTRING}, + Security::Credentials::UI::{ + UserConsentVerificationResult, UserConsentVerifier, UserConsentVerifierAvailability, + }, + Win32::{ + Foundation::HWND, System::WinRT::IUserConsentVerifierInterop, + UI::WindowsAndMessaging::GetForegroundWindow, }, - Win32::{Foundation::HWND, System::WinRT::IUserConsentVerifierInterop}, }; use windows_future::IAsyncOperation; @@ -25,10 +21,7 @@ use crate::{ crypto::CipherString, }; -use super::{ - decrypt, encrypt, - windows_focus::{focus_security_prompt, set_focus}, -}; +use super::{decrypt, encrypt, windows_focus::set_focus}; /// The Windows OS implementation of the biometric trait. pub struct Biometric {} @@ -44,9 +37,15 @@ impl super::BiometricTrait for Biometric { // should set the window to the foreground and focus it. set_focus(window); + // Windows Hello prompt must be in foreground, focused, otherwise the face or fingerprint + // unlock will not work. We get the current foreground window, which will either be the + // Bitwarden desktop app or the browser extension. + let foreground_window = unsafe { GetForegroundWindow() }; + let interop = factory::()?; - let operation: IAsyncOperation = - unsafe { interop.RequestVerificationForWindowAsync(window, &HSTRING::from(message))? }; + let operation: IAsyncOperation = unsafe { + interop.RequestVerificationForWindowAsync(foreground_window, &HSTRING::from(message))? + }; let result = operation.get()?; match result { @@ -65,14 +64,6 @@ impl super::BiometricTrait for Biometric { } } - /// Derive the symmetric encryption key from the Windows Hello signature. - /// - /// This works by signing a static challenge string with Windows Hello protected key store. The - /// signed challenge is then hashed using SHA-256 and used as the symmetric encryption key for the - /// Windows Hello protected keys. - /// - /// Windows will only sign the challenge if the user has successfully authenticated with Windows, - /// ensuring user presence. fn derive_key_material(challenge_str: Option<&str>) -> Result { let challenge: [u8; 16] = match challenge_str { Some(challenge_str) => base64_engine @@ -81,51 +72,10 @@ impl super::BiometricTrait for Biometric { .map_err(|e: Vec<_>| anyhow!("Expect length {}, got {}", 16, e.len()))?, None => random_challenge(), }; - let bitwarden = h!("Bitwarden"); - let result = KeyCredentialManager::RequestCreateAsync( - bitwarden, - KeyCredentialCreationOption::FailIfExists, - )? - .get()?; - - let result = match result.Status()? { - KeyCredentialStatus::CredentialAlreadyExists => { - KeyCredentialManager::OpenAsync(bitwarden)?.get()? - } - KeyCredentialStatus::Success => result, - _ => return Err(anyhow!("Failed to create key credential")), - }; - - let challenge_buffer = CryptographicBuffer::CreateFromByteArray(&challenge)?; - let async_operation = result.Credential()?.RequestSignAsync(&challenge_buffer)?; - focus_security_prompt(); - - let done = Arc::new(AtomicBool::new(false)); - let done_clone = done.clone(); - let _ = std::thread::spawn(move || loop { - if !done_clone.load(std::sync::atomic::Ordering::Relaxed) { - focus_security_prompt(); - std::thread::sleep(std::time::Duration::from_millis(500)); - } else { - break; - } - }); - - let signature = async_operation.get(); - done.store(true, std::sync::atomic::Ordering::Relaxed); - let signature = signature?; - - if signature.Status()? != KeyCredentialStatus::Success { - return Err(anyhow!("Failed to sign data")); - } - - let signature_buffer = signature.Result()?; - let mut signature_value = - windows::core::Array::::with_len(signature_buffer.Length().unwrap() as usize); - CryptographicBuffer::CopyToByteArray(&signature_buffer, &mut signature_value)?; - - let key = Sha256::digest(&*signature_value); + // Uses a key derived from the iv. This key is not intended to add any security + // but only a place-holder + let key = Sha256::digest(challenge); let key_b64 = base64_engine.encode(key); let iv_b64 = base64_engine.encode(challenge); Ok(OsDerivedKey { key_b64, iv_b64 }) @@ -182,10 +132,9 @@ fn random_challenge() -> [u8; 16] { mod tests { use super::*; - use crate::biometric::{encrypt, BiometricTrait}; + use crate::biometric::BiometricTrait; #[test] - #[cfg(feature = "manual_test")] fn test_derive_key_material() { let iv_input = "l9fhDUP/wDJcKwmEzcb/3w=="; let result = ::derive_key_material(Some(iv_input)).unwrap(); @@ -195,7 +144,6 @@ mod tests { } #[test] - #[cfg(feature = "manual_test")] fn test_derive_key_material_no_iv() { let result = ::derive_key_material(None).unwrap(); let key = base64_engine.decode(result.key_b64).unwrap(); @@ -221,38 +169,8 @@ mod tests { assert!(::available().await.unwrap()) } - #[test] - fn test_encrypt() { - let key_material = KeyMaterial { - os_key_part_b64: "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=".to_owned(), - client_key_part_b64: Some("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=".to_owned()), - }; - let iv_b64 = "l9fhDUP/wDJcKwmEzcb/3w==".to_owned(); - let secret = encrypt("secret", &key_material, &iv_b64) - .unwrap() - .parse::() - .unwrap(); - - match secret { - CipherString::AesCbc256_B64 { iv, data: _ } => { - assert_eq!(iv_b64, base64_engine.encode(iv)); - } - _ => panic!("Invalid cipher string"), - } - } - - #[test] - fn test_decrypt() { - let secret = - CipherString::from_str("0.l9fhDUP/wDJcKwmEzcb/3w==|uP4LcqoCCj5FxBDP77NV6Q==").unwrap(); // output from test_encrypt - let key_material = KeyMaterial { - os_key_part_b64: "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=".to_owned(), - client_key_part_b64: Some("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=".to_owned()), - }; - assert_eq!(decrypt(&secret, &key_material).unwrap(), "secret") - } - #[tokio::test] + #[cfg(feature = "manual_test")] async fn get_biometric_secret_requires_key() { let result = ::get_biometric_secret("", "", None).await; assert!(result.is_err()); @@ -263,6 +181,7 @@ mod tests { } #[tokio::test] + #[cfg(feature = "manual_test")] async fn get_biometric_secret_handles_unencrypted_secret() { let test = "test"; let secret = "password"; @@ -284,6 +203,7 @@ mod tests { } #[tokio::test] + #[cfg(feature = "manual_test")] async fn get_biometric_secret_handles_encrypted_secret() { let test = "test"; let secret = @@ -316,61 +236,4 @@ mod tests { "Key material is required for Windows Hello protected keys" ); } - - fn key_material() -> KeyMaterial { - KeyMaterial { - os_key_part_b64: "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=".to_owned(), - client_key_part_b64: Some("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=".to_owned()), - } - } - - #[test] - fn key_material_produces_valid_key() { - let result = key_material().derive_key().unwrap(); - assert_eq!(result.len(), 32); - } - - #[test] - fn key_material_uses_os_part() { - let mut key_material = key_material(); - let result = key_material.derive_key().unwrap(); - key_material.os_key_part_b64 = "BAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=".to_owned(); - let result2 = key_material.derive_key().unwrap(); - assert_ne!(result, result2); - } - - #[test] - fn key_material_uses_client_part() { - let mut key_material = key_material(); - let result = key_material.derive_key().unwrap(); - key_material.client_key_part_b64 = - Some("BAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=".to_owned()); - let result2 = key_material.derive_key().unwrap(); - assert_ne!(result, result2); - } - - #[test] - fn key_material_produces_consistent_os_only_key() { - let mut key_material = key_material(); - key_material.client_key_part_b64 = None; - let result = key_material.derive_key().unwrap(); - assert_eq!( - result, - [ - 81, 100, 62, 172, 151, 119, 182, 58, 123, 38, 129, 116, 209, 253, 66, 118, 218, - 237, 236, 155, 201, 234, 11, 198, 229, 171, 246, 144, 71, 188, 84, 246 - ] - .into() - ); - } - - #[test] - fn key_material_produces_unique_os_only_key() { - let mut key_material = key_material(); - key_material.client_key_part_b64 = None; - let result = key_material.derive_key().unwrap(); - key_material.os_key_part_b64 = "BAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=".to_owned(); - let result2 = key_material.derive_key().unwrap(); - assert_ne!(result, result2); - } } diff --git a/apps/desktop/src/app/accounts/settings.component.html b/apps/desktop/src/app/accounts/settings.component.html index 46cd323b071..473cfa73f1d 100644 --- a/apps/desktop/src/app/accounts/settings.component.html +++ b/apps/desktop/src/app/accounts/settings.component.html @@ -126,13 +126,13 @@ {{ biometricText | i18n }} - {{ - additionalBiometricSettingsText | i18n + {{ + "additionalTouchIdSettings" | i18n }}
@@ -152,7 +152,7 @@ supportsBiometric && this.form.value.biometric && (userHasMasterPassword || (this.form.value.pin && userHasPinSet)) && - this.isWindows + false " >
@@ -170,9 +170,6 @@ }
- {{ - "recommendedForSecurity" | i18n - }} diff --git a/apps/desktop/src/app/accounts/settings.component.spec.ts b/apps/desktop/src/app/accounts/settings.component.spec.ts index 16ada3fbc07..819438eaa3b 100644 --- a/apps/desktop/src/app/accounts/settings.component.spec.ts +++ b/apps/desktop/src/app/accounts/settings.component.spec.ts @@ -271,74 +271,46 @@ describe("SettingsComponent", () => { vaultTimeoutSettingsService.isBiometricLockSet.mockResolvedValue(true); }); - it("require password or pin on app start message when RemoveUnlockWithPin policy is disabled and pin set and windows desktop", async () => { - const policy = new Policy(); - policy.type = PolicyType.RemoveUnlockWithPin; - policy.enabled = false; - policyService.policiesByType$.mockReturnValue(of([policy])); - platformUtilsService.getDevice.mockReturnValue(DeviceType.WindowsDesktop); - i18nService.t.mockImplementation((id: string) => { - if (id === "requirePasswordOnStart") { - return "Require password or pin on app start"; - } else if (id === "requirePasswordWithoutPinOnStart") { - return "Require password on app start"; - } - return ""; + describe("windows desktop", () => { + beforeEach(() => { + platformUtilsService.getDevice.mockReturnValue(DeviceType.WindowsDesktop); + + // Recreate component to apply the correct device + fixture = TestBed.createComponent(SettingsComponent); + component = fixture.componentInstance; }); - pinServiceAbstraction.isPinSet.mockResolvedValue(true); - await component.ngOnInit(); - fixture.detectChanges(); + it("require password or pin on app start not visible when RemoveUnlockWithPin policy is disabled and pin set and windows desktop", async () => { + const policy = new Policy(); + policy.type = PolicyType.RemoveUnlockWithPin; + policy.enabled = false; + policyService.policiesByType$.mockReturnValue(of([policy])); + pinServiceAbstraction.isPinSet.mockResolvedValue(true); - const requirePasswordOnStartLabelElement = fixture.debugElement.query( - By.css("label[for='requirePasswordOnStart']"), - ); - expect(requirePasswordOnStartLabelElement).not.toBeNull(); - expect(requirePasswordOnStartLabelElement.children).toHaveLength(1); - expect(requirePasswordOnStartLabelElement.children[0].name).toBe("input"); - expect(requirePasswordOnStartLabelElement.children[0].attributes).toMatchObject({ - id: "requirePasswordOnStart", - type: "checkbox", + await component.ngOnInit(); + fixture.detectChanges(); + + const requirePasswordOnStartLabelElement = fixture.debugElement.query( + By.css("label[for='requirePasswordOnStart']"), + ); + expect(requirePasswordOnStartLabelElement).toBeNull(); }); - const textNodes = requirePasswordOnStartLabelElement.childNodes - .filter((node) => node.nativeNode.nodeType === Node.TEXT_NODE) - .map((node) => node.nativeNode.wholeText?.trim()); - expect(textNodes).toContain("Require password or pin on app start"); - }); - it("require password on app start message when RemoveUnlockWithPin policy is enabled and pin set and windows desktop", async () => { - const policy = new Policy(); - policy.type = PolicyType.RemoveUnlockWithPin; - policy.enabled = true; - policyService.policiesByType$.mockReturnValue(of([policy])); - platformUtilsService.getDevice.mockReturnValue(DeviceType.WindowsDesktop); - i18nService.t.mockImplementation((id: string) => { - if (id === "requirePasswordOnStart") { - return "Require password or pin on app start"; - } else if (id === "requirePasswordWithoutPinOnStart") { - return "Require password on app start"; - } - return ""; + it("require password on app start not visible when RemoveUnlockWithPin policy is enabled and pin set and windows desktop", async () => { + const policy = new Policy(); + policy.type = PolicyType.RemoveUnlockWithPin; + policy.enabled = true; + policyService.policiesByType$.mockReturnValue(of([policy])); + pinServiceAbstraction.isPinSet.mockResolvedValue(true); + + await component.ngOnInit(); + fixture.detectChanges(); + + const requirePasswordOnStartLabelElement = fixture.debugElement.query( + By.css("label[for='requirePasswordOnStart']"), + ); + expect(requirePasswordOnStartLabelElement).toBeNull(); }); - pinServiceAbstraction.isPinSet.mockResolvedValue(true); - - await component.ngOnInit(); - fixture.detectChanges(); - - const requirePasswordOnStartLabelElement = fixture.debugElement.query( - By.css("label[for='requirePasswordOnStart']"), - ); - expect(requirePasswordOnStartLabelElement).not.toBeNull(); - expect(requirePasswordOnStartLabelElement.children).toHaveLength(1); - expect(requirePasswordOnStartLabelElement.children[0].name).toBe("input"); - expect(requirePasswordOnStartLabelElement.children[0].attributes).toMatchObject({ - id: "requirePasswordOnStart", - type: "checkbox", - }); - const textNodes = requirePasswordOnStartLabelElement.childNodes - .filter((node) => node.nativeNode.nodeType === Node.TEXT_NODE) - .map((node) => node.nativeNode.wholeText?.trim()); - expect(textNodes).toContain("Require password on app start"); }); }); diff --git a/apps/desktop/src/app/accounts/settings.component.ts b/apps/desktop/src/app/accounts/settings.component.ts index 74f02f8b619..bbe5fb60719 100644 --- a/apps/desktop/src/app/accounts/settings.component.ts +++ b/apps/desktop/src/app/accounts/settings.component.ts @@ -78,6 +78,7 @@ export class SettingsComponent implements OnInit, OnDestroy { showOpenAtLoginOption = false; isWindows: boolean; isLinux: boolean; + isMac: boolean; enableTrayText: string; enableTrayDescText: string; @@ -170,31 +171,33 @@ export class SettingsComponent implements OnInit, OnDestroy { private configService: ConfigService, private validationService: ValidationService, ) { - const isMac = this.platformUtilsService.getDevice() === DeviceType.MacOsDesktop; + this.isMac = this.platformUtilsService.getDevice() === DeviceType.MacOsDesktop; + this.isLinux = this.platformUtilsService.getDevice() === DeviceType.LinuxDesktop; + this.isWindows = this.platformUtilsService.getDevice() === DeviceType.WindowsDesktop; // Workaround to avoid ghosting trays https://github.com/electron/electron/issues/17622 this.requireEnableTray = this.platformUtilsService.getDevice() === DeviceType.LinuxDesktop; - const trayKey = isMac ? "enableMenuBar" : "enableTray"; + const trayKey = this.isMac ? "enableMenuBar" : "enableTray"; this.enableTrayText = this.i18nService.t(trayKey); this.enableTrayDescText = this.i18nService.t(trayKey + "Desc"); - const minToTrayKey = isMac ? "enableMinToMenuBar" : "enableMinToTray"; + const minToTrayKey = this.isMac ? "enableMinToMenuBar" : "enableMinToTray"; this.enableMinToTrayText = this.i18nService.t(minToTrayKey); this.enableMinToTrayDescText = this.i18nService.t(minToTrayKey + "Desc"); - const closeToTrayKey = isMac ? "enableCloseToMenuBar" : "enableCloseToTray"; + const closeToTrayKey = this.isMac ? "enableCloseToMenuBar" : "enableCloseToTray"; this.enableCloseToTrayText = this.i18nService.t(closeToTrayKey); this.enableCloseToTrayDescText = this.i18nService.t(closeToTrayKey + "Desc"); - const startToTrayKey = isMac ? "startToMenuBar" : "startToTray"; + const startToTrayKey = this.isMac ? "startToMenuBar" : "startToTray"; this.startToTrayText = this.i18nService.t(startToTrayKey); this.startToTrayDescText = this.i18nService.t(startToTrayKey + "Desc"); this.showOpenAtLoginOption = !ipc.platform.isWindowsStore; // DuckDuckGo browser is only for macos initially - this.showDuckDuckGoIntegrationOption = isMac; + this.showDuckDuckGoIntegrationOption = this.isMac; const localeOptions: any[] = []; this.i18nService.supportedTranslationLocales.forEach((locale) => { @@ -239,7 +242,6 @@ export class SettingsComponent implements OnInit, OnDestroy { async ngOnInit() { this.vaultTimeoutOptions = await this.generateVaultTimeoutOptions(); const activeAccount = await firstValueFrom(this.accountService.activeAccount$); - this.isLinux = (await this.platformUtilsService.getDevice()) === DeviceType.LinuxDesktop; // Autotype is for Windows initially const isWindows = this.platformUtilsService.getDevice() === DeviceType.WindowsDesktop; @@ -250,8 +252,6 @@ export class SettingsComponent implements OnInit, OnDestroy { this.userHasMasterPassword = await this.userVerificationService.hasMasterPassword(); - this.isWindows = this.platformUtilsService.getDevice() === DeviceType.WindowsDesktop; - this.currentUserEmail = activeAccount.email; this.currentUserId = activeAccount.id; @@ -911,28 +911,4 @@ export class SettingsComponent implements OnInit, OnDestroy { throw new Error("Unsupported platform"); } } - - get autoPromptBiometricsText() { - switch (this.platformUtilsService.getDevice()) { - case DeviceType.MacOsDesktop: - return "autoPromptTouchId"; - case DeviceType.WindowsDesktop: - return "autoPromptWindowsHello"; - case DeviceType.LinuxDesktop: - return "autoPromptPolkit"; - default: - throw new Error("Unsupported platform"); - } - } - - get additionalBiometricSettingsText() { - switch (this.platformUtilsService.getDevice()) { - case DeviceType.MacOsDesktop: - return "additionalTouchIdSettings"; - case DeviceType.WindowsDesktop: - return "additionalWindowsHelloSettings"; - default: - throw new Error("Unsupported platform"); - } - } } diff --git a/apps/desktop/src/key-management/biometrics/os-biometrics-linux.service.ts b/apps/desktop/src/key-management/biometrics/os-biometrics-linux.service.ts index c310f337182..26a8e949f38 100644 --- a/apps/desktop/src/key-management/biometrics/os-biometrics-linux.service.ts +++ b/apps/desktop/src/key-management/biometrics/os-biometrics-linux.service.ts @@ -34,6 +34,7 @@ const policyFileName = "com.bitwarden.Bitwarden.policy"; const policyPath = "/usr/share/polkit-1/actions/"; const SERVICE = "Bitwarden_biometric"; + function getLookupKeyForUser(userId: UserId): string { return `${userId}_user_biometric`; } @@ -45,16 +46,18 @@ export default class OsBiometricsServiceLinux implements OsBiometricService { private cryptoFunctionService: CryptoFunctionService, private logService: LogService, ) {} + private _iv: string | null = null; // Use getKeyMaterial helper instead of direct access private _osKeyHalf: string | null = null; private clientKeyHalves = new Map(); async setBiometricKey(userId: UserId, key: SymmetricCryptoKey): Promise { - const clientKeyPartB64 = Utils.fromBufferToB64( - await this.getOrCreateBiometricEncryptionClientKeyHalf(userId, key), - ); - const storageDetails = await this.getStorageDetails({ clientKeyHalfB64: clientKeyPartB64 }); + const clientKeyHalf = await this.getOrCreateBiometricEncryptionClientKeyHalf(userId, key); + + const storageDetails = await this.getStorageDetails({ + clientKeyHalfB64: clientKeyHalf ? Utils.fromBufferToB64(clientKeyHalf) : undefined, + }); await biometrics.setBiometricSecret( SERVICE, getLookupKeyForUser(userId), @@ -63,6 +66,7 @@ export default class OsBiometricsServiceLinux implements OsBiometricService { storageDetails.ivB64, ); } + async deleteBiometricKey(userId: UserId): Promise { try { await passwords.deletePassword(SERVICE, getLookupKeyForUser(userId)); @@ -91,11 +95,15 @@ export default class OsBiometricsServiceLinux implements OsBiometricService { if (value == null || value == "") { return null; } else { - const clientKeyHalf = this.clientKeyHalves.get(userId); - const clientKeyPartB64 = Utils.fromBufferToB64(clientKeyHalf); + let clientKeyPartB64: string | null = null; + if (this.clientKeyHalves.has(userId)) { + clientKeyPartB64 = Utils.fromBufferToB64(this.clientKeyHalves.get(userId)!); + } const encValue = new EncString(value); this.setIv(encValue.iv); - const storageDetails = await this.getStorageDetails({ clientKeyHalfB64: clientKeyPartB64 }); + const storageDetails = await this.getStorageDetails({ + clientKeyHalfB64: clientKeyPartB64 ?? undefined, + }); const storedValue = await biometrics.getBiometricSecret( SERVICE, getLookupKeyForUser(userId), @@ -169,7 +177,6 @@ export default class OsBiometricsServiceLinux implements OsBiometricService { }): Promise<{ key_material: biometrics.KeyMaterial; ivB64: string }> { if (this._osKeyHalf == null) { const keyMaterial = await biometrics.deriveKeyMaterial(this._iv); - // osKeyHalf is based on the iv and in contrast to windows is not locked behind user verification! this._osKeyHalf = keyMaterial.keyB64; this._iv = keyMaterial.ivB64; } @@ -209,8 +216,8 @@ export default class OsBiometricsServiceLinux implements OsBiometricService { } if (clientKeyHalf == null) { // Set a key half if it doesn't exist - const keyBytes = await this.cryptoFunctionService.randomBytes(32); - const encKey = await this.encryptService.encryptBytes(keyBytes, key); + clientKeyHalf = await this.cryptoFunctionService.randomBytes(32); + const encKey = await this.encryptService.encryptBytes(clientKeyHalf, key); await this.biometricStateService.setEncryptedClientKeyHalf(encKey, userId); } diff --git a/apps/desktop/src/key-management/biometrics/os-biometrics-windows.service.spec.ts b/apps/desktop/src/key-management/biometrics/os-biometrics-windows.service.spec.ts index 674d97bf696..f301efc70e7 100644 --- a/apps/desktop/src/key-management/biometrics/os-biometrics-windows.service.spec.ts +++ b/apps/desktop/src/key-management/biometrics/os-biometrics-windows.service.spec.ts @@ -1,51 +1,65 @@ +import { randomBytes } from "node:crypto"; + +import { BrowserWindow } from "electron"; import { mock } from "jest-mock-extended"; import { CryptoFunctionService } from "@bitwarden/common/key-management/crypto/abstractions/crypto-function.service"; import { EncryptService } from "@bitwarden/common/key-management/crypto/abstractions/encrypt.service"; import { I18nService } from "@bitwarden/common/platform/abstractions/i18n.service"; import { LogService } from "@bitwarden/common/platform/abstractions/log.service"; +import { Utils } from "@bitwarden/common/platform/misc/utils"; import { SymmetricCryptoKey } from "@bitwarden/common/platform/models/domain/symmetric-crypto-key"; import { UserId } from "@bitwarden/common/types/guid"; -import { passwords } from "@bitwarden/desktop-napi"; +import { biometrics, passwords } from "@bitwarden/desktop-napi"; import { BiometricsStatus, BiometricStateService } from "@bitwarden/key-management"; import { WindowMain } from "../../main/window.main"; import OsBiometricsServiceWindows from "./os-biometrics-windows.service"; -jest.mock("@bitwarden/desktop-napi", () => ({ - biometrics: { - available: jest.fn(), - setBiometricSecret: jest.fn(), - getBiometricSecret: jest.fn(), - deleteBiometricSecret: jest.fn(), - prompt: jest.fn(), - deriveKeyMaterial: jest.fn(), - }, - passwords: { - getPassword: jest.fn(), - deletePassword: jest.fn(), - isAvailable: jest.fn(), - PASSWORD_NOT_FOUND: "Password not found", - }, -})); +import OsDerivedKey = biometrics.OsDerivedKey; + +jest.mock("@bitwarden/desktop-napi", () => { + return { + biometrics: { + available: jest.fn().mockResolvedValue(true), + getBiometricSecret: jest.fn().mockResolvedValue(""), + setBiometricSecret: jest.fn().mockResolvedValue(""), + deleteBiometricSecret: jest.fn(), + deriveKeyMaterial: jest.fn().mockResolvedValue({ + keyB64: "", + ivB64: "", + }), + prompt: jest.fn().mockResolvedValue(true), + }, + passwords: { + getPassword: jest.fn().mockResolvedValue(null), + deletePassword: jest.fn().mockImplementation(() => {}), + isAvailable: jest.fn(), + PASSWORD_NOT_FOUND: "Password not found", + }, + }; +}); + +describe("OsBiometricsServiceWindows", function () { + const i18nService = mock(); + const windowMain = mock(); + const browserWindow = mock(); + const encryptionService: EncryptService = mock(); + const cryptoFunctionService: CryptoFunctionService = mock(); + const biometricStateService: BiometricStateService = mock(); + const logService = mock(); -describe("OsBiometricsServiceWindows", () => { let service: OsBiometricsServiceWindows; - let i18nService: I18nService; - let windowMain: WindowMain; - let logService: LogService; - let biometricStateService: BiometricStateService; - const mockUserId = "test-user-id" as UserId; + const key = new SymmetricCryptoKey(new Uint8Array(64)); + const userId = "test-user-id" as UserId; + const serviceKey = "Bitwarden_biometric"; + const storageKey = `${userId}_user_biometric`; beforeEach(() => { - i18nService = mock(); - windowMain = mock(); - logService = mock(); - biometricStateService = mock(); - const encryptionService = mock(); - const cryptoFunctionService = mock(); + windowMain.win = browserWindow; + service = new OsBiometricsServiceWindows( i18nService, windowMain, @@ -62,20 +76,13 @@ describe("OsBiometricsServiceWindows", () => { describe("getBiometricsFirstUnlockStatusForUser", () => { const userId = "test-user-id" as UserId; - it("should return Available when requirePasswordOnRestart is false", async () => { - biometricStateService.getRequirePasswordOnStart = jest.fn().mockResolvedValue(false); - const result = await service.getBiometricsFirstUnlockStatusForUser(userId); - expect(result).toBe(BiometricsStatus.Available); - }); - it("should return Available when requirePasswordOnRestart is true and client key half is set", async () => { - biometricStateService.getRequirePasswordOnStart = jest.fn().mockResolvedValue(true); + it("should return Available when client key half is set", async () => { (service as any).clientKeyHalves = new Map(); (service as any).clientKeyHalves.set(userId, new Uint8Array([1, 2, 3, 4])); const result = await service.getBiometricsFirstUnlockStatusForUser(userId); expect(result).toBe(BiometricsStatus.Available); }); - it("should return UnlockNeeded when requirePasswordOnRestart is true and client key half is not set", async () => { - biometricStateService.getRequirePasswordOnStart = jest.fn().mockResolvedValue(true); + it("should return UnlockNeeded when client key half is not set", async () => { (service as any).clientKeyHalves = new Map(); const result = await service.getBiometricsFirstUnlockStatusForUser(userId); expect(result).toBe(BiometricsStatus.UnlockNeeded); @@ -83,32 +90,7 @@ describe("OsBiometricsServiceWindows", () => { }); describe("getOrCreateBiometricEncryptionClientKeyHalf", () => { - const userId = "test-user-id" as UserId; - const key = new SymmetricCryptoKey(new Uint8Array(64)); - let encryptionService: EncryptService; - let cryptoFunctionService: CryptoFunctionService; - - beforeEach(() => { - encryptionService = mock(); - cryptoFunctionService = mock(); - service = new OsBiometricsServiceWindows( - mock(), - windowMain, - mock(), - biometricStateService, - encryptionService, - cryptoFunctionService, - ); - }); - - it("should return null if getRequirePasswordOnRestart is false", async () => { - biometricStateService.getRequirePasswordOnStart = jest.fn().mockResolvedValue(false); - const result = await service.getOrCreateBiometricEncryptionClientKeyHalf(userId, key); - expect(result).toBeNull(); - }); - it("should return cached key half if already present", async () => { - biometricStateService.getRequirePasswordOnStart = jest.fn().mockResolvedValue(true); const cachedKeyHalf = new Uint8Array([10, 20, 30]); (service as any).clientKeyHalves.set(userId.toString(), cachedKeyHalf); const result = await service.getOrCreateBiometricEncryptionClientKeyHalf(userId, key); @@ -116,7 +98,6 @@ describe("OsBiometricsServiceWindows", () => { }); it("should decrypt and return existing encrypted client key half", async () => { - biometricStateService.getRequirePasswordOnStart = jest.fn().mockResolvedValue(true); biometricStateService.getEncryptedClientKeyHalf = jest .fn() .mockResolvedValue(new Uint8Array([1, 2, 3])); @@ -132,7 +113,6 @@ describe("OsBiometricsServiceWindows", () => { }); it("should generate, encrypt, store, and cache a new key half if none exists", async () => { - biometricStateService.getRequirePasswordOnStart = jest.fn().mockResolvedValue(true); biometricStateService.getEncryptedClientKeyHalf = jest.fn().mockResolvedValue(null); const randomBytes = new Uint8Array([7, 8, 9]); cryptoFunctionService.randomBytes = jest.fn().mockResolvedValue(randomBytes); @@ -148,101 +128,251 @@ describe("OsBiometricsServiceWindows", () => { encrypted, userId, ); - expect(result).toBeNull(); - expect((service as any).clientKeyHalves.get(userId.toString())).toBeNull(); + expect(result).toEqual(randomBytes); + expect((service as any).clientKeyHalves.get(userId.toString())).toEqual(randomBytes); }); }); + describe("supportsBiometrics", () => { + it("should return true if biometrics are available", async () => { + biometrics.available = jest.fn().mockResolvedValue(true); + + const result = await service.supportsBiometrics(); + + expect(result).toBe(true); + }); + + it("should return false if biometrics are not available", async () => { + biometrics.available = jest.fn().mockResolvedValue(false); + + const result = await service.supportsBiometrics(); + + expect(result).toBe(false); + }); + }); + + describe("getBiometricKey", () => { + beforeEach(() => { + biometrics.prompt = jest.fn().mockResolvedValue(true); + }); + + it("should return null when unsuccessfully authenticated biometrics", async () => { + biometrics.prompt = jest.fn().mockResolvedValue(false); + + const result = await service.getBiometricKey(userId); + + expect(result).toBeNull(); + }); + + it.each([null, undefined, ""])( + "should throw error when no biometric key is found '%s'", + async (password) => { + passwords.getPassword = jest.fn().mockResolvedValue(password); + + await expect(service.getBiometricKey(userId)).rejects.toThrow( + "Biometric key not found for user", + ); + + expect(passwords.getPassword).toHaveBeenCalledWith(serviceKey, storageKey); + }, + ); + + it.each([[false], [true]])( + "should return the biometricKey and setBiometricSecret called if password is not encrypted and cached clientKeyHalves is %s", + async (haveClientKeyHalves) => { + const clientKeyHalveBytes = new Uint8Array([1, 2, 3]); + if (haveClientKeyHalves) { + service["clientKeyHalves"].set(userId, clientKeyHalveBytes); + } + const biometricKey = key.toBase64(); + passwords.getPassword = jest.fn().mockResolvedValue(biometricKey); + biometrics.deriveKeyMaterial = jest.fn().mockResolvedValue({ + keyB64: "testKeyB64", + ivB64: "testIvB64", + } satisfies OsDerivedKey); + + const result = await service.getBiometricKey(userId); + + expect(result.toBase64()).toBe(biometricKey); + expect(passwords.getPassword).toHaveBeenCalledWith(serviceKey, storageKey); + expect(biometrics.setBiometricSecret).toHaveBeenCalledWith( + serviceKey, + storageKey, + biometricKey, + { + osKeyPartB64: "testKeyB64", + clientKeyPartB64: haveClientKeyHalves + ? Utils.fromBufferToB64(clientKeyHalveBytes) + : undefined, + }, + "testIvB64", + ); + }, + ); + + it.each([[false], [true]])( + "should return the biometricKey if password is encrypted and cached clientKeyHalves is %s", + async (haveClientKeyHalves) => { + const clientKeyHalveBytes = new Uint8Array([1, 2, 3]); + if (haveClientKeyHalves) { + service["clientKeyHalves"].set(userId, clientKeyHalveBytes); + } + const biometricKey = key.toBase64(); + const biometricKeyEncrypted = "2.testId|data|mac"; + passwords.getPassword = jest.fn().mockResolvedValue(biometricKeyEncrypted); + biometrics.getBiometricSecret = jest.fn().mockResolvedValue(biometricKey); + biometrics.deriveKeyMaterial = jest.fn().mockResolvedValue({ + keyB64: "testKeyB64", + ivB64: "testIvB64", + } satisfies OsDerivedKey); + + const result = await service.getBiometricKey(userId); + + expect(result.toBase64()).toBe(biometricKey); + expect(passwords.getPassword).toHaveBeenCalledWith(serviceKey, storageKey); + expect(biometrics.setBiometricSecret).not.toHaveBeenCalled(); + expect(biometrics.getBiometricSecret).toHaveBeenCalledWith(serviceKey, storageKey, { + osKeyPartB64: "testKeyB64", + clientKeyPartB64: haveClientKeyHalves + ? Utils.fromBufferToB64(clientKeyHalveBytes) + : undefined, + }); + }, + ); + }); + describe("deleteBiometricKey", () => { const serviceName = "Bitwarden_biometric"; const keyName = "test-user-id_user_biometric"; - const witnessKeyName = "test-user-id_user_biometric_witness"; it("should delete biometric key successfully", async () => { - await service.deleteBiometricKey(mockUserId); + await service.deleteBiometricKey(userId); expect(passwords.deletePassword).toHaveBeenCalledWith(serviceName, keyName); - expect(passwords.deletePassword).toHaveBeenCalledWith(serviceName, witnessKeyName); }); - it.each([ - [false, false], - [false, true], - [true, false], - ])( - "should not throw error if key found: %s and witness key found: %s", - async (keyFound, witnessKeyFound) => { - passwords.deletePassword = jest.fn().mockImplementation((_, account) => { - if (account === keyName) { - if (!keyFound) { - throw new Error(passwords.PASSWORD_NOT_FOUND); - } - return Promise.resolve(); - } - if (account === witnessKeyName) { - if (!witnessKeyFound) { - throw new Error(passwords.PASSWORD_NOT_FOUND); - } - return Promise.resolve(); - } - throw new Error("Unexpected key"); - }); + it.each([[false], [true]])("should not throw error if key found: %s", async (keyFound) => { + if (!keyFound) { + passwords.deletePassword = jest + .fn() + .mockRejectedValue(new Error(passwords.PASSWORD_NOT_FOUND)); + } - await service.deleteBiometricKey(mockUserId); + await service.deleteBiometricKey(userId); - expect(passwords.deletePassword).toHaveBeenCalledWith(serviceName, keyName); - expect(passwords.deletePassword).toHaveBeenCalledWith(serviceName, witnessKeyName); - if (!keyFound) { - expect(logService.debug).toHaveBeenCalledWith( - "[OsBiometricService] Biometric key %s not found for service %s.", - keyName, - serviceName, - ); - } - if (!witnessKeyFound) { - expect(logService.debug).toHaveBeenCalledWith( - "[OsBiometricService] Biometric witness key %s not found for service %s.", - witnessKeyName, - serviceName, - ); - } - }, - ); + expect(passwords.deletePassword).toHaveBeenCalledWith(serviceName, keyName); + if (!keyFound) { + expect(logService.debug).toHaveBeenCalledWith( + "[OsBiometricService] Biometric key %s not found for service %s.", + keyName, + serviceName, + ); + } + }); it("should throw error when deletePassword for key throws unexpected errors", async () => { const error = new Error("Unexpected error"); - passwords.deletePassword = jest.fn().mockImplementation((_, account) => { - if (account === keyName) { - throw error; - } - if (account === witnessKeyName) { - return Promise.resolve(); - } - throw new Error("Unexpected key"); - }); + passwords.deletePassword = jest.fn().mockRejectedValue(error); - await expect(service.deleteBiometricKey(mockUserId)).rejects.toThrow(error); + await expect(service.deleteBiometricKey(userId)).rejects.toThrow(error); expect(passwords.deletePassword).toHaveBeenCalledWith(serviceName, keyName); - expect(passwords.deletePassword).not.toHaveBeenCalledWith(serviceName, witnessKeyName); + }); + }); + + describe("authenticateBiometric", () => { + const hwnd = randomBytes(32).buffer; + const consentMessage = "Test Windows Hello Consent Message"; + + beforeEach(() => { + windowMain.win.getNativeWindowHandle = jest.fn().mockReturnValue(hwnd); + i18nService.t.mockReturnValue(consentMessage); }); - it("should throw error when deletePassword for witness key throws unexpected errors", async () => { - const error = new Error("Unexpected error"); - passwords.deletePassword = jest.fn().mockImplementation((_, account) => { - if (account === keyName) { - return Promise.resolve(); - } - if (account === witnessKeyName) { - throw error; - } - throw new Error("Unexpected key"); - }); + it("should return true when biometric authentication is successful", async () => { + const result = await service.authenticateBiometric(); - await expect(service.deleteBiometricKey(mockUserId)).rejects.toThrow(error); + expect(result).toBe(true); + expect(biometrics.prompt).toHaveBeenCalledWith(hwnd, consentMessage); + }); - expect(passwords.deletePassword).toHaveBeenCalledWith(serviceName, keyName); - expect(passwords.deletePassword).toHaveBeenCalledWith(serviceName, witnessKeyName); + it("should return false when biometric authentication fails", async () => { + biometrics.prompt = jest.fn().mockResolvedValue(false); + + const result = await service.authenticateBiometric(); + + expect(result).toBe(false); + expect(biometrics.prompt).toHaveBeenCalledWith(hwnd, consentMessage); + }); + }); + + describe("getStorageDetails", () => { + it.each([ + ["testClientKeyHalfB64", "testIvB64"], + [undefined, "testIvB64"], + ["testClientKeyHalfB64", null], + [undefined, null], + ])( + "should derive key material and ivB64 and return it when os key half not saved yet", + async (clientKeyHalfB64, ivB64) => { + service["setIv"](ivB64); + + const derivedKeyMaterial = { + keyB64: "derivedKeyB64", + ivB64: "derivedIvB64", + }; + biometrics.deriveKeyMaterial = jest.fn().mockResolvedValue(derivedKeyMaterial); + + const result = await service["getStorageDetails"]({ clientKeyHalfB64 }); + + expect(result).toEqual({ + key_material: { + osKeyPartB64: derivedKeyMaterial.keyB64, + clientKeyPartB64: clientKeyHalfB64, + }, + ivB64: derivedKeyMaterial.ivB64, + }); + expect(biometrics.deriveKeyMaterial).toHaveBeenCalledWith(ivB64); + expect(service["_osKeyHalf"]).toEqual(derivedKeyMaterial.keyB64); + expect(service["_iv"]).toEqual(derivedKeyMaterial.ivB64); + }, + ); + + it("should throw an error when deriving key material and returned iv is null", async () => { + service["setIv"]("testIvB64"); + + const derivedKeyMaterial = { + keyB64: "derivedKeyB64", + ivB64: null as string | undefined | null, + }; + biometrics.deriveKeyMaterial = jest.fn().mockResolvedValue(derivedKeyMaterial); + + await expect( + service["getStorageDetails"]({ clientKeyHalfB64: "testClientKeyHalfB64" }), + ).rejects.toThrow("Initialization Vector is null"); + + expect(biometrics.deriveKeyMaterial).toHaveBeenCalledWith("testIvB64"); + }); + }); + + describe("setIv", () => { + it("should set the iv and reset the osKeyHalf", () => { + const iv = "testIv"; + service["_osKeyHalf"] = "testOsKeyHalf"; + + service["setIv"](iv); + + expect(service["_iv"]).toBe(iv); + expect(service["_osKeyHalf"]).toBeNull(); + }); + + it("should set the iv to null when iv is undefined and reset the osKeyHalf", () => { + service["_osKeyHalf"] = "testOsKeyHalf"; + + service["setIv"](undefined); + + expect(service["_iv"]).toBeNull(); + expect(service["_osKeyHalf"]).toBeNull(); }); }); }); diff --git a/apps/desktop/src/key-management/biometrics/os-biometrics-windows.service.ts b/apps/desktop/src/key-management/biometrics/os-biometrics-windows.service.ts index 65abced1526..897304c9f61 100644 --- a/apps/desktop/src/key-management/biometrics/os-biometrics-windows.service.ts +++ b/apps/desktop/src/key-management/biometrics/os-biometrics-windows.service.ts @@ -3,7 +3,6 @@ import { EncryptService } from "@bitwarden/common/key-management/crypto/abstract import { EncString } from "@bitwarden/common/key-management/crypto/models/enc-string"; import { I18nService } from "@bitwarden/common/platform/abstractions/i18n.service"; import { LogService } from "@bitwarden/common/platform/abstractions/log.service"; -import { EncryptionType } from "@bitwarden/common/platform/enums"; import { Utils } from "@bitwarden/common/platform/misc/utils"; import { SymmetricCryptoKey } from "@bitwarden/common/platform/models/domain/symmetric-crypto-key"; import { UserId } from "@bitwarden/common/types/guid"; @@ -14,10 +13,8 @@ import { WindowMain } from "../../main/window.main"; import { OsBiometricService } from "./os-biometrics.service"; -const KEY_WITNESS_SUFFIX = "_witness"; -const WITNESS_VALUE = "known key"; - const SERVICE = "Bitwarden_biometric"; + function getLookupKeyForUser(userId: UserId): string { return `${userId}_user_biometric`; } @@ -43,18 +40,25 @@ export default class OsBiometricsServiceWindows implements OsBiometricService { } async getBiometricKey(userId: UserId): Promise { - const value = await passwords.getPassword(SERVICE, getLookupKeyForUser(userId)); - let clientKeyHalfB64: string | null = null; - if (this.clientKeyHalves.has(userId)) { - clientKeyHalfB64 = Utils.fromBufferToB64(this.clientKeyHalves.get(userId)); + const success = await this.authenticateBiometric(); + if (!success) { + return null; } + const value = await passwords.getPassword(SERVICE, getLookupKeyForUser(userId)); if (value == null || value == "") { - return null; - } else if (!EncString.isSerializedEncString(value)) { + throw new Error("Biometric key not found for user"); + } + + let clientKeyHalfB64: string | null = null; + if (this.clientKeyHalves.has(userId)) { + clientKeyHalfB64 = Utils.fromBufferToB64(this.clientKeyHalves.get(userId)!); + } + + if (!EncString.isSerializedEncString(value)) { // Update to format encrypted with client key half const storageDetails = await this.getStorageDetails({ - clientKeyHalfB64: clientKeyHalfB64, + clientKeyHalfB64: clientKeyHalfB64 ?? undefined, }); await biometrics.setBiometricSecret( @@ -69,7 +73,7 @@ export default class OsBiometricsServiceWindows implements OsBiometricService { const encValue = new EncString(value); this.setIv(encValue.iv); const storageDetails = await this.getStorageDetails({ - clientKeyHalfB64: clientKeyHalfB64, + clientKeyHalfB64: clientKeyHalfB64 ?? undefined, }); return SymmetricCryptoKey.fromString( await biometrics.getBiometricSecret( @@ -84,35 +88,16 @@ export default class OsBiometricsServiceWindows implements OsBiometricService { async setBiometricKey(userId: UserId, key: SymmetricCryptoKey): Promise { const clientKeyHalf = await this.getOrCreateBiometricEncryptionClientKeyHalf(userId, key); - if ( - await this.valueUpToDate({ - value: key, - clientKeyPartB64: Utils.fromBufferToB64(clientKeyHalf), - service: SERVICE, - storageKey: getLookupKeyForUser(userId), - }) - ) { - return; - } - const storageDetails = await this.getStorageDetails({ clientKeyHalfB64: Utils.fromBufferToB64(clientKeyHalf), }); - const storedValue = await biometrics.setBiometricSecret( + await biometrics.setBiometricSecret( SERVICE, getLookupKeyForUser(userId), key.toBase64(), storageDetails.key_material, storageDetails.ivB64, ); - const parsedStoredValue = new EncString(storedValue); - await this.storeValueWitness( - key, - parsedStoredValue, - SERVICE, - getLookupKeyForUser(userId), - Utils.fromBufferToB64(clientKeyHalf), - ); } async deleteBiometricKey(userId: UserId): Promise { @@ -129,21 +114,11 @@ export default class OsBiometricsServiceWindows implements OsBiometricService { throw e; } } - try { - await passwords.deletePassword(SERVICE, getLookupKeyForUser(userId) + KEY_WITNESS_SUFFIX); - } catch (e) { - if (e instanceof Error && e.message === passwords.PASSWORD_NOT_FOUND) { - this.logService.debug( - "[OsBiometricService] Biometric witness key %s not found for service %s.", - getLookupKeyForUser(userId) + KEY_WITNESS_SUFFIX, - SERVICE, - ); - } else { - throw e; - } - } } + /** + * Prompts Windows Hello + */ async authenticateBiometric(): Promise { const hwnd = this.windowMain.win.getNativeWindowHandle(); return await biometrics.prompt(hwnd, this.i18nService.t("windowsHelloConsentMessage")); @@ -155,7 +130,6 @@ export default class OsBiometricsServiceWindows implements OsBiometricService { clientKeyHalfB64: string | undefined; }): Promise<{ key_material: biometrics.KeyMaterial; ivB64: string }> { if (this._osKeyHalf == null) { - // Prompts Windows Hello const keyMaterial = await biometrics.deriveKeyMaterial(this._iv); this._osKeyHalf = keyMaterial.keyB64; this._iv = keyMaterial.ivB64; @@ -187,118 +161,6 @@ export default class OsBiometricsServiceWindows implements OsBiometricService { this._osKeyHalf = null; } - /** - * Stores a witness key alongside the encrypted value. This is used to determine if the value is up to date. - * - * @param unencryptedValue The key to store - * @param encryptedValue The encrypted value of the key to store. Used to sync IV of the witness key with the stored key. - * @param service The service to store the witness key under - * @param storageKey The key to store the witness key under. The witness key will be stored under storageKey + {@link KEY_WITNESS_SUFFIX} - * @returns - */ - private async storeValueWitness( - unencryptedValue: SymmetricCryptoKey, - encryptedValue: EncString, - service: string, - storageKey: string, - clientKeyPartB64: string | undefined, - ) { - if (encryptedValue.iv == null) { - return; - } - - const storageDetails = { - keyMaterial: this.witnessKeyMaterial(unencryptedValue, clientKeyPartB64), - ivB64: encryptedValue.iv, - }; - await biometrics.setBiometricSecret( - service, - storageKey + KEY_WITNESS_SUFFIX, - WITNESS_VALUE, - storageDetails.keyMaterial, - storageDetails.ivB64, - ); - } - - /** - * Uses a witness key stored alongside the encrypted value to determine if the value is up to date. - * @param value The value being validated - * @param service The service the value is stored under - * @param storageKey The key the value is stored under. The witness key will be stored under storageKey + {@link KEY_WITNESS_SUFFIX} - * @returns Boolean indicating if the value is up to date. - */ - // Uses a witness key stored alongside the encrypted value to determine if the value is up to date. - private async valueUpToDate({ - value, - clientKeyPartB64, - service, - storageKey, - }: { - value: SymmetricCryptoKey; - clientKeyPartB64: string | undefined; - service: string; - storageKey: string; - }): Promise { - const witnessKeyMaterial = this.witnessKeyMaterial(value, clientKeyPartB64); - if (witnessKeyMaterial == null) { - return false; - } - - let witness = null; - try { - witness = await biometrics.getBiometricSecret( - service, - storageKey + KEY_WITNESS_SUFFIX, - witnessKeyMaterial, - ); - } catch (e) { - if (e instanceof Error && e.message === passwords.PASSWORD_NOT_FOUND) { - this.logService.debug( - "[OsBiometricService] Biometric witness key %s not found for service %s, value is not up to date.", - storageKey + KEY_WITNESS_SUFFIX, - service, - ); - } else { - this.logService.error( - "[OsBiometricService] Error retrieving witness key, assuming value is not up to date.", - e, - ); - } - return false; - } - - if (witness === WITNESS_VALUE) { - return true; - } - - return false; - } - - /** Derives a witness key from a symmetric key being stored for biometric protection */ - private witnessKeyMaterial( - symmetricKey: SymmetricCryptoKey, - clientKeyPartB64: string | undefined, - ): biometrics.KeyMaterial { - let key = null; - const innerKey = symmetricKey.inner(); - if (innerKey.type === EncryptionType.AesCbc256_HmacSha256_B64) { - key = Utils.fromBufferToB64(innerKey.authenticationKey); - } else { - key = Utils.fromBufferToB64(innerKey.encryptionKey); - } - - const result = { - osKeyPartB64: key, - clientKeyPartB64, - }; - - // napi-rs fails to convert null values - if (result.clientKeyPartB64 == null) { - delete result.clientKeyPartB64; - } - return result; - } - async needsSetup() { return false; } @@ -312,14 +174,9 @@ export default class OsBiometricsServiceWindows implements OsBiometricService { async getOrCreateBiometricEncryptionClientKeyHalf( userId: UserId, key: SymmetricCryptoKey, - ): Promise { - const requireClientKeyHalf = await this.biometricStateService.getRequirePasswordOnStart(userId); - if (!requireClientKeyHalf) { - return null; - } - + ): Promise { if (this.clientKeyHalves.has(userId)) { - return this.clientKeyHalves.get(userId); + return this.clientKeyHalves.get(userId)!; } // Retrieve existing key half if it exists @@ -331,8 +188,8 @@ export default class OsBiometricsServiceWindows implements OsBiometricService { } if (clientKeyHalf == null) { // Set a key half if it doesn't exist - const keyBytes = await this.cryptoFunctionService.randomBytes(32); - const encKey = await this.encryptService.encryptBytes(keyBytes, key); + clientKeyHalf = await this.cryptoFunctionService.randomBytes(32); + const encKey = await this.encryptService.encryptBytes(clientKeyHalf, key); await this.biometricStateService.setEncryptedClientKeyHalf(encKey, userId); } @@ -342,11 +199,6 @@ export default class OsBiometricsServiceWindows implements OsBiometricService { } async getBiometricsFirstUnlockStatusForUser(userId: UserId): Promise { - const requireClientKeyHalf = await this.biometricStateService.getRequirePasswordOnStart(userId); - if (!requireClientKeyHalf) { - return BiometricsStatus.Available; - } - if (this.clientKeyHalves.has(userId)) { return BiometricsStatus.Available; } else { diff --git a/apps/desktop/src/locales/en/messages.json b/apps/desktop/src/locales/en/messages.json index 1ad0dcf308f..e5e6dcb2882 100644 --- a/apps/desktop/src/locales/en/messages.json +++ b/apps/desktop/src/locales/en/messages.json @@ -1813,9 +1813,6 @@ "unlockWithWindowsHello": { "message": "Unlock with Windows Hello" }, - "additionalWindowsHelloSettings": { - "message": "Additional Windows Hello settings" - }, "unlockWithPolkit": { "message": "Unlock with system authentication" }, @@ -1831,12 +1828,6 @@ "touchIdConsentMessage": { "message": "unlock your vault" }, - "autoPromptWindowsHello": { - "message": "Ask for Windows Hello on app start" - }, - "autoPromptPolkit": { - "message": "Ask for system authentication on launch" - }, "autoPromptTouchId": { "message": "Ask for Touch ID on app start" }, @@ -1846,9 +1837,6 @@ "requirePasswordWithoutPinOnStart": { "message": "Require password on app start" }, - "recommendedForSecurity": { - "message": "Recommended for security." - }, "lockWithMasterPassOnRestart1": { "message": "Lock with master password on restart" }, diff --git a/apps/desktop/src/main.ts b/apps/desktop/src/main.ts index eee5e3c84f2..9b5aa0b31e9 100644 --- a/apps/desktop/src/main.ts +++ b/apps/desktop/src/main.ts @@ -201,6 +201,16 @@ export class Main { this.logService, true, ); + + this.windowMain = new WindowMain( + biometricStateService, + this.logService, + this.storageService, + this.desktopSettingsService, + (arg) => this.processDeepLink(arg), + (win) => this.trayMain.setupWindowListeners(win), + ); + this.biometricsService = new MainBiometricsService( this.i18nService, this.windowMain, @@ -211,14 +221,6 @@ export class Main { this.mainCryptoFunctionService, ); - this.windowMain = new WindowMain( - biometricStateService, - this.logService, - this.storageService, - this.desktopSettingsService, - (arg) => this.processDeepLink(arg), - (win) => this.trayMain.setupWindowListeners(win), - ); this.messagingMain = new MessagingMain(this, this.desktopSettingsService); this.updaterMain = new UpdaterMain(this.i18nService, this.windowMain); diff --git a/apps/desktop/tsconfig.json b/apps/desktop/tsconfig.json index 7db3e84e451..70a59ad164c 100644 --- a/apps/desktop/tsconfig.json +++ b/apps/desktop/tsconfig.json @@ -3,5 +3,6 @@ "angularCompilerOptions": { "strictTemplates": true }, - "include": ["src", "../../libs/common/src/key-management/crypto/services/encrypt.worker.ts"] + "include": ["src", "../../libs/common/src/key-management/crypto/services/encrypt.worker.ts"], + "exclude": ["src/**/*.spec.ts"] } From 8365efb47324524562af02ee4994f4e5c59cbc3a Mon Sep 17 00:00:00 2001 From: Bryan Cunningham Date: Mon, 21 Jul 2025 14:04:21 -0400 Subject: [PATCH 02/37] remove absolute positioning of radio indicator (#15623) --- libs/components/src/radio-button/radio-input.component.ts | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libs/components/src/radio-button/radio-input.component.ts b/libs/components/src/radio-button/radio-input.component.ts index 6140969d651..33100db1679 100644 --- a/libs/components/src/radio-button/radio-input.component.ts +++ b/libs/components/src/radio-button/radio-input.component.ts @@ -32,6 +32,7 @@ export class RadioInputComponent implements BitFormControlAbstraction { "tw-border-secondary-600", "tw-w-[1.12rem]", "tw-h-[1.12rem]", + "!tw-p-[.125rem]", "tw-flex-none", // Flexbox fix for bit-form-control "hover:tw-border-2", @@ -45,9 +46,8 @@ export class RadioInputComponent implements BitFormControlAbstraction { "before:tw-content-['']", "before:tw-transition", "before:tw-block", - "before:tw-absolute", "before:tw-rounded-full", - "before:tw-inset-[2px]", + "before:tw-size-full", "disabled:tw-cursor-auto", "disabled:tw-bg-secondary-100", From b33bdd60aec8674bdd2c059c39252941df82ecfa Mon Sep 17 00:00:00 2001 From: Vijay Oommen Date: Mon, 21 Jul 2025 13:45:48 -0500 Subject: [PATCH 03/37] [PM-23758] Api method to save and retrieve report summary (#15705) --- .../risk-insights/models/password-health.ts | 7 ++ .../risk-insights-api.service.spec.ts | 83 +++++++++++++++++++ .../services/risk-insights-api.service.ts | 45 ++++++++++ 3 files changed, 135 insertions(+) create mode 100644 bitwarden_license/bit-common/src/dirt/reports/risk-insights/services/risk-insights-api.service.spec.ts create mode 100644 bitwarden_license/bit-common/src/dirt/reports/risk-insights/services/risk-insights-api.service.ts diff --git a/bitwarden_license/bit-common/src/dirt/reports/risk-insights/models/password-health.ts b/bitwarden_license/bit-common/src/dirt/reports/risk-insights/models/password-health.ts index 62eb0122dca..6be24d60b89 100644 --- a/bitwarden_license/bit-common/src/dirt/reports/risk-insights/models/password-health.ts +++ b/bitwarden_license/bit-common/src/dirt/reports/risk-insights/models/password-health.ts @@ -158,6 +158,13 @@ export interface PasswordHealthReportApplicationsRequest { url: string; } +export interface EncryptedDataModel { + organizationId: OrganizationId; + encryptedData: string; + encryptionKey: string; + date: Date; +} + // FIXME: update to use a const object instead of a typescript enum // eslint-disable-next-line @bitwarden/platform/no-enums export enum DrawerType { diff --git a/bitwarden_license/bit-common/src/dirt/reports/risk-insights/services/risk-insights-api.service.spec.ts b/bitwarden_license/bit-common/src/dirt/reports/risk-insights/services/risk-insights-api.service.spec.ts new file mode 100644 index 00000000000..ef9fc768944 --- /dev/null +++ b/bitwarden_license/bit-common/src/dirt/reports/risk-insights/services/risk-insights-api.service.spec.ts @@ -0,0 +1,83 @@ +import { mock } from "jest-mock-extended"; + +import { ApiService } from "@bitwarden/common/abstractions/api.service"; + +import { EncryptedDataModel } from "../models/password-health"; + +import { RiskInsightsApiService } from "./risk-insights-api.service"; + +describe("RiskInsightsApiService", () => { + let service: RiskInsightsApiService; + const mockApiService = mock(); + + beforeEach(() => { + service = new RiskInsightsApiService(mockApiService); + }); + + it("should be created", () => { + expect(service).toBeTruthy(); + }); + + describe("getRiskInsightsSummary", () => { + it("should call apiService.send with correct parameters and return an Observable", (done) => { + const orgId = "org123"; + const minDate = new Date("2024-01-01"); + const maxDate = new Date("2024-01-31"); + const mockResponse: EncryptedDataModel[] = [{ encryptedData: "abc" } as EncryptedDataModel]; + + mockApiService.send.mockResolvedValueOnce(mockResponse); + + service.getRiskInsightsSummary(orgId, minDate, maxDate).subscribe((result) => { + expect(mockApiService.send).toHaveBeenCalledWith( + "GET", + `organization-report-summary/org123?from=2024-01-01&to=2024-01-31`, + null, + true, + true, + ); + expect(result).toEqual(mockResponse); + done(); + }); + }); + }); + + describe("saveRiskInsightsSummary", () => { + it("should call apiService.send with correct parameters and return an Observable", (done) => { + const data: EncryptedDataModel = { encryptedData: "xyz" } as EncryptedDataModel; + + mockApiService.send.mockResolvedValueOnce(undefined); + + service.saveRiskInsightsSummary(data).subscribe((result) => { + expect(mockApiService.send).toHaveBeenCalledWith( + "POST", + "organization-report-summary", + data, + true, + true, + ); + expect(result).toBeUndefined(); + done(); + }); + }); + }); + + describe("updateRiskInsightsSummary", () => { + it("should call apiService.send with correct parameters and return an Observable", (done) => { + const data: EncryptedDataModel = { encryptedData: "xyz" } as EncryptedDataModel; + + mockApiService.send.mockResolvedValueOnce(undefined); + + service.updateRiskInsightsSummary(data).subscribe((result) => { + expect(mockApiService.send).toHaveBeenCalledWith( + "PUT", + "organization-report-summary", + data, + true, + true, + ); + expect(result).toBeUndefined(); + done(); + }); + }); + }); +}); diff --git a/bitwarden_license/bit-common/src/dirt/reports/risk-insights/services/risk-insights-api.service.ts b/bitwarden_license/bit-common/src/dirt/reports/risk-insights/services/risk-insights-api.service.ts new file mode 100644 index 00000000000..0d69947b826 --- /dev/null +++ b/bitwarden_license/bit-common/src/dirt/reports/risk-insights/services/risk-insights-api.service.ts @@ -0,0 +1,45 @@ +import { from, Observable } from "rxjs"; + +import { ApiService } from "@bitwarden/common/abstractions/api.service"; + +import { EncryptedDataModel } from "../models/password-health"; + +export class RiskInsightsApiService { + constructor(private apiService: ApiService) {} + + getRiskInsightsSummary( + orgId: string, + minDate: Date, + maxDate: Date, + ): Observable { + const minDateStr = minDate.toISOString().split("T")[0]; + const maxDateStr = maxDate.toISOString().split("T")[0]; + const dbResponse = this.apiService.send( + "GET", + `organization-report-summary/${orgId.toString()}?from=${minDateStr}&to=${maxDateStr}`, + null, + true, + true, + ); + + return from(dbResponse as Promise); + } + + saveRiskInsightsSummary(data: EncryptedDataModel): Observable { + const dbResponse = this.apiService.send( + "POST", + "organization-report-summary", + data, + true, + true, + ); + + return from(dbResponse as Promise); + } + + updateRiskInsightsSummary(data: EncryptedDataModel): Observable { + const dbResponse = this.apiService.send("PUT", "organization-report-summary", data, true, true); + + return from(dbResponse as Promise); + } +} From 83f9061474f54cbb4923f907d3bd83396ad6a0c1 Mon Sep 17 00:00:00 2001 From: Andy Pixley <3723676+pixman20@users.noreply.github.com> Date: Mon, 21 Jul 2025 15:54:28 -0400 Subject: [PATCH 04/37] [BRE-831] migrate secrets akv (#15158) --- .github/workflows/build-browser-target.yml | 5 + .github/workflows/build-browser.yml | 60 ++++++-- .github/workflows/build-cli-target.yml | 5 + .github/workflows/build-cli.yml | 61 ++++++-- .github/workflows/build-desktop-target.yml | 5 + .github/workflows/build-desktop.yml | 136 ++++++++++++++---- .github/workflows/build-web-target.yml | 6 + .github/workflows/build-web.yml | 60 +++++--- .github/workflows/chromatic.yml | 26 +++- .github/workflows/crowdin-pull.yml | 41 ++++-- .github/workflows/deploy-web.yml | 77 ++++++---- .github/workflows/lint-crowdin-config.yml | 22 ++- .github/workflows/publish-cli.yml | 53 +++++-- .github/workflows/publish-desktop.yml | 50 +++++-- .github/workflows/publish-web.yml | 30 +++- .github/workflows/release-desktop-beta.yml | 112 ++++++++++++--- .github/workflows/repository-management.yml | 54 ++++++- .../retrieve-current-desktop-rollout.yml | 13 +- .github/workflows/staged-rollout-desktop.yml | 13 +- .github/workflows/version-auto-bump.yml | 24 +++- 20 files changed, 680 insertions(+), 173 deletions(-) diff --git a/.github/workflows/build-browser-target.yml b/.github/workflows/build-browser-target.yml index a2ae48d419b..ef3beef4b8b 100644 --- a/.github/workflows/build-browser-target.yml +++ b/.github/workflows/build-browser-target.yml @@ -28,6 +28,8 @@ jobs: check-run: name: Check PR run uses: bitwarden/gh-actions/.github/workflows/check-run.yml@main + permissions: + contents: read run-workflow: name: Build Browser @@ -35,4 +37,7 @@ jobs: if: ${{ github.event.pull_request.head.repo.full_name != github.repository }} uses: ./.github/workflows/build-browser.yml secrets: inherit + permissions: + contents: read + id-token: write diff --git a/.github/workflows/build-browser.yml b/.github/workflows/build-browser.yml index 40b03d9e753..bd7d70e8543 100644 --- a/.github/workflows/build-browser.yml +++ b/.github/workflows/build-browser.yml @@ -41,7 +41,8 @@ defaults: run: shell: bash -permissions: {} +permissions: + contents: read jobs: setup: @@ -77,10 +78,8 @@ jobs: - name: Check secrets id: check-secrets - env: - AZURE_KV_CI_SERVICE_PRINCIPAL: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }} run: | - has_secrets=${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL != '' }} + has_secrets=${{ secrets.AZURE_CLIENT_ID != '' }} echo "has_secrets=$has_secrets" >> $GITHUB_OUTPUT @@ -302,6 +301,9 @@ jobs: build-safari: name: Build Safari runs-on: macos-13 + permissions: + contents: read + id-token: write needs: - setup - locales-test @@ -327,10 +329,19 @@ jobs: node --version npm --version - - name: Login to Azure - uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0 + - name: Log in to Azure + uses: bitwarden/gh-actions/azure-login@main with: - creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }} + subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + tenant_id: ${{ secrets.AZURE_TENANT_ID }} + client_id: ${{ secrets.AZURE_CLIENT_ID }} + + - name: Get Azure Key Vault secrets + id: get-kv-secrets + uses: bitwarden/gh-actions/get-keyvault-secrets@main + with: + keyvault: gh-clients + secrets: "KEYCHAIN-PASSWORD" - name: Download Provisioning Profiles secrets env: @@ -366,9 +377,12 @@ jobs: az keyvault secret show --id https://bitwarden-ci.vault.azure.net/certificates/macdev-cert | jq -r .value | base64 -d > $HOME/certificates/macdev-cert.p12 + - name: Log out from Azure + uses: bitwarden/gh-actions/azure-logout@main + - name: Set up keychain env: - KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }} + KEYCHAIN_PASSWORD: ${{ steps.get-kv-secrets.outputs.KEYCHAIN-PASSWORD }} run: | security create-keychain -p $KEYCHAIN_PASSWORD build.keychain security default-keychain -s build.keychain @@ -440,6 +454,10 @@ jobs: name: Crowdin Push if: github.event_name != 'pull_request_target' && github.ref == 'refs/heads/main' runs-on: ubuntu-22.04 + permissions: + contents: write + pull-requests: write + id-token: write needs: - build - build-safari @@ -449,10 +467,12 @@ jobs: with: ref: ${{ github.event.pull_request.head.sha }} - - name: Login to Azure - uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0 + - name: Log in to Azure + uses: bitwarden/gh-actions/azure-login@main with: - creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }} + subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + tenant_id: ${{ secrets.AZURE_TENANT_ID }} + client_id: ${{ secrets.AZURE_CLIENT_ID }} - name: Retrieve secrets id: retrieve-secrets @@ -461,6 +481,9 @@ jobs: keyvault: "bitwarden-ci" secrets: "crowdin-api-token" + - name: Log out from Azure + uses: bitwarden/gh-actions/azure-logout@main + - name: Upload Sources uses: crowdin/github-action@f214c8723025f41fc55b2ad26e67b60b80b1885d # v2.7.1 env: @@ -478,6 +501,9 @@ jobs: name: Check for failures if: always() runs-on: ubuntu-22.04 + permissions: + contents: read + id-token: write needs: - setup - locales-test @@ -493,11 +519,13 @@ jobs: && contains(needs.*.result, 'failure') run: exit 1 - - name: Login to Azure - Prod Subscription - uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0 + - name: Log in to Azure if: failure() + uses: bitwarden/gh-actions/azure-login@main with: - creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }} + subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + tenant_id: ${{ secrets.AZURE_TENANT_ID }} + client_id: ${{ secrets.AZURE_CLIENT_ID }} - name: Retrieve secrets id: retrieve-secrets @@ -507,6 +535,10 @@ jobs: keyvault: "bitwarden-ci" secrets: "devops-alerts-slack-webhook-url" + - name: Log out from Azure + if: failure() + uses: bitwarden/gh-actions/azure-logout@main + - name: Notify Slack on failure uses: act10ns/slack@44541246747a30eb3102d87f7a4cc5471b0ffb7d # v2.1.0 if: failure() diff --git a/.github/workflows/build-cli-target.yml b/.github/workflows/build-cli-target.yml index 6b493d4e6d9..54865ddaddd 100644 --- a/.github/workflows/build-cli-target.yml +++ b/.github/workflows/build-cli-target.yml @@ -28,6 +28,8 @@ jobs: check-run: name: Check PR run uses: bitwarden/gh-actions/.github/workflows/check-run.yml@main + permissions: + contents: read run-workflow: name: Build CLI @@ -35,4 +37,7 @@ jobs: if: ${{ github.event.pull_request.head.repo.full_name != github.repository }} uses: ./.github/workflows/build-cli.yml secrets: inherit + permissions: + contents: read + id-token: write diff --git a/.github/workflows/build-cli.yml b/.github/workflows/build-cli.yml index ac314a4c33a..b31b22b926e 100644 --- a/.github/workflows/build-cli.yml +++ b/.github/workflows/build-cli.yml @@ -78,10 +78,8 @@ jobs: - name: Check secrets id: check-secrets - env: - AZURE_KV_CI_SERVICE_PRINCIPAL: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }} run: | - has_secrets=${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL != '' }} + has_secrets=${{ secrets.AZURE_CLIENT_ID != '' }} echo "has_secrets=$has_secrets" >> $GITHUB_OUTPUT @@ -108,6 +106,10 @@ jobs: _NODE_VERSION: ${{ needs.setup.outputs.node_version }} _WIN_PKG_FETCH_VERSION: 20.11.1 _WIN_PKG_VERSION: 3.5 + permissions: + contents: read + id-token: write + steps: - name: Check out repo uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 @@ -156,9 +158,11 @@ jobs: - name: Login to Azure if: ${{ matrix.os.base == 'mac' && needs.setup.outputs.has_secrets == 'true' }} - uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0 + uses: bitwarden/gh-actions/azure-login@main with: - creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }} + subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + tenant_id: ${{ secrets.AZURE_TENANT_ID }} + client_id: ${{ secrets.AZURE_CLIENT_ID }} - name: Get certificates if: ${{ matrix.os.base == 'mac' && needs.setup.outputs.has_secrets == 'true' }} @@ -168,10 +172,21 @@ jobs: az keyvault secret show --id https://bitwarden-ci.vault.azure.net/certificates/devid-app-cert | jq -r .value | base64 -d > $HOME/certificates/devid-app-cert.p12 + - name: Get Azure Key Vault secrets + id: get-kv-secrets + if: ${{ matrix.os.base == 'mac' && needs.setup.outputs.has_secrets == 'true' }} + uses: bitwarden/gh-actions/get-keyvault-secrets@main + with: + keyvault: gh-clients + secrets: "KEYCHAIN-PASSWORD,APP-STORE-CONNECT-AUTH-KEY,APP-STORE-CONNECT-TEAM-ISSUER" + + - name: Log out from Azure + uses: bitwarden/gh-actions/azure-logout@main + - name: Set up keychain if: ${{ matrix.os.base == 'mac' && needs.setup.outputs.has_secrets == 'true' }} env: - KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }} + KEYCHAIN_PASSWORD: ${{ steps.get-kv-secrets.outputs.KEYCHAIN-PASSWORD }} run: | security create-keychain -p $KEYCHAIN_PASSWORD build.keychain security default-keychain -s build.keychain @@ -199,13 +214,13 @@ jobs: run: | mkdir ~/private_keys cat << EOF > ~/private_keys/AuthKey_6TV9MKN3GP.p8 - ${{ secrets.APP_STORE_CONNECT_AUTH_KEY }} + ${{ steps.get-kv-secrets.outputs.APP-STORE-CONNECT-AUTH-KEY }} EOF - name: Notarize app if: ${{ matrix.os.base == 'mac' && needs.setup.outputs.has_secrets == 'true' }} env: - APP_STORE_CONNECT_TEAM_ISSUER: ${{ secrets.APP_STORE_CONNECT_TEAM_ISSUER }} + APP_STORE_CONNECT_TEAM_ISSUER: ${{ steps.get-kv-secrets.outputs.APP-STORE-CONNECT-TEAM-ISSUER }} APP_STORE_CONNECT_AUTH_KEY: 6TV9MKN3GP APP_STORE_CONNECT_AUTH_KEY_PATH: ~/private_keys/AuthKey_6TV9MKN3GP.p8 run: | @@ -261,6 +276,9 @@ jobs: { build_prefix: "bit", artifact_prefix: "", readable: "commercial license" } ] runs-on: windows-2022 + permissions: + contents: read + id-token: write needs: setup env: _PACKAGE_VERSION: ${{ needs.setup.outputs.package_version }} @@ -344,11 +362,13 @@ jobs: ResourceHacker -open version-info.rc -save version-info.res -action compile ResourceHacker -open %WIN_PKG_BUILT% -save %WIN_PKG_BUILT% -action addoverwrite -resource version-info.res - - name: Login to Azure + - name: Log in to Azure if: ${{ needs.setup.outputs.has_secrets == 'true' }} - uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0 + uses: bitwarden/gh-actions/azure-login@main with: - creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }} + subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + tenant_id: ${{ secrets.AZURE_TENANT_ID }} + client_id: ${{ secrets.AZURE_CLIENT_ID }} - name: Retrieve secrets id: retrieve-secrets @@ -362,6 +382,10 @@ jobs: code-signing-client-secret, code-signing-cert-name" + - name: Log out from Azure + if: ${{ needs.setup.outputs.has_secrets == 'true' }} + uses: bitwarden/gh-actions/azure-logout@main + - name: Install run: npm ci working-directory: ./ @@ -520,6 +544,9 @@ jobs: name: Check for failures if: always() runs-on: ubuntu-24.04 + permissions: + contents: read + id-token: write needs: - setup - cli @@ -534,11 +561,13 @@ jobs: && contains(needs.*.result, 'failure') run: exit 1 - - name: Login to Azure - Prod Subscription - uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0 + - name: Log in to Azure if: failure() + uses: bitwarden/gh-actions/azure-login@main with: - creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }} + subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + tenant_id: ${{ secrets.AZURE_TENANT_ID }} + client_id: ${{ secrets.AZURE_CLIENT_ID }} - name: Retrieve secrets id: retrieve-secrets @@ -548,6 +577,10 @@ jobs: keyvault: "bitwarden-ci" secrets: "devops-alerts-slack-webhook-url" + - name: Log out from Azure + if: failure() + uses: bitwarden/gh-actions/azure-logout@main + - name: Notify Slack on failure uses: act10ns/slack@44541246747a30eb3102d87f7a4cc5471b0ffb7d # v2.1.0 if: failure() diff --git a/.github/workflows/build-desktop-target.yml b/.github/workflows/build-desktop-target.yml index fa21b3fe5d9..31ac819a3e6 100644 --- a/.github/workflows/build-desktop-target.yml +++ b/.github/workflows/build-desktop-target.yml @@ -28,6 +28,8 @@ jobs: check-run: name: Check PR run uses: bitwarden/gh-actions/.github/workflows/check-run.yml@main + permissions: + contents: read run-workflow: name: Build Desktop @@ -35,4 +37,7 @@ jobs: if: ${{ github.event.pull_request.head.repo.full_name != github.repository }} uses: ./.github/workflows/build-desktop.yml secrets: inherit + permissions: + contents: read + id-token: write diff --git a/.github/workflows/build-desktop.yml b/.github/workflows/build-desktop.yml index a022fe7fd0f..366d439fb45 100644 --- a/.github/workflows/build-desktop.yml +++ b/.github/workflows/build-desktop.yml @@ -147,10 +147,8 @@ jobs: - name: Check secrets id: check-secrets - env: - AZURE_KV_CI_SERVICE_PRINCIPAL: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }} run: | - has_secrets=${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL != '' }} + has_secrets=${{ secrets.AZURE_CLIENT_ID != '' }} echo "has_secrets=$has_secrets" >> $GITHUB_OUTPUT linux: @@ -404,6 +402,9 @@ jobs: runs-on: windows-2022 needs: - setup + permissions: + contents: read + id-token: write defaults: run: shell: pwsh @@ -438,11 +439,13 @@ jobs: choco --version rustup show - - name: Login to Azure + - name: Log in to Azure if: ${{ needs.setup.outputs.has_secrets == 'true' }} - uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0 + uses: bitwarden/gh-actions/azure-login@main with: - creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }} + subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + tenant_id: ${{ secrets.AZURE_TENANT_ID }} + client_id: ${{ secrets.AZURE_CLIENT_ID }} - name: Retrieve secrets id: retrieve-secrets @@ -456,6 +459,10 @@ jobs: code-signing-client-secret, code-signing-cert-name" + - name: Log out from Azure + if: ${{ needs.setup.outputs.has_secrets == 'true' }} + uses: bitwarden/gh-actions/azure-logout@main + - name: Install Node dependencies run: npm ci working-directory: ./ @@ -655,6 +662,9 @@ jobs: runs-on: macos-13 needs: - setup + permissions: + contents: read + id-token: write env: _PACKAGE_VERSION: ${{ needs.setup.outputs.package_version }} _NODE_VERSION: ${{ needs.setup.outputs.node_version }} @@ -700,11 +710,21 @@ jobs: path: apps/browser/dist/Safari key: ${{ runner.os }}-${{ github.run_id }}-safari-extension - - name: Login to Azure + - name: Log in to Azure if: ${{ needs.setup.outputs.has_secrets == 'true' }} - uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0 + uses: bitwarden/gh-actions/azure-login@main with: - creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }} + subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + tenant_id: ${{ secrets.AZURE_TENANT_ID }} + client_id: ${{ secrets.AZURE_CLIENT_ID }} + + - name: Get Azure Key Vault secrets + id: get-kv-secrets + if: ${{ needs.setup.outputs.has_secrets == 'true' }} + uses: bitwarden/gh-actions/get-keyvault-secrets@main + with: + keyvault: gh-clients + secrets: "KEYCHAIN-PASSWORD" - name: Download Provisioning Profiles secrets if: ${{ needs.setup.outputs.has_secrets == 'true' }} @@ -747,10 +767,14 @@ jobs: az keyvault secret show --id https://bitwarden-ci.vault.azure.net/certificates/macdev-cert | jq -r .value | base64 -d > $HOME/certificates/macdev-cert.p12 + - name: Log out from Azure + if: ${{ needs.setup.outputs.has_secrets == 'true' }} + uses: bitwarden/gh-actions/azure-logout@main + - name: Set up keychain if: ${{ needs.setup.outputs.has_secrets == 'true' }} env: - KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }} + KEYCHAIN_PASSWORD: ${{ steps.get-kv-secrets.outputs.KEYCHAIN-PASSWORD }} run: | security create-keychain -p $KEYCHAIN_PASSWORD build.keychain security default-keychain -s build.keychain @@ -850,6 +874,10 @@ jobs: if: ${{ needs.setup.outputs.has_secrets == 'true' }} uses: ./.github/workflows/build-browser.yml secrets: inherit + permissions: + contents: write + pull-requests: write + id-token: write macos-package-github: @@ -860,6 +888,9 @@ jobs: - browser-build - macos-build - setup + permissions: + contents: read + id-token: write env: _PACKAGE_VERSION: ${{ needs.setup.outputs.package_version }} _NODE_VERSION: ${{ needs.setup.outputs.node_version }} @@ -905,10 +936,19 @@ jobs: path: apps/browser/dist/Safari key: ${{ runner.os }}-${{ github.run_id }}-safari-extension - - name: Login to Azure - uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0 + - name: Log in to Azure + uses: bitwarden/gh-actions/azure-login@main with: - creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }} + subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + tenant_id: ${{ secrets.AZURE_TENANT_ID }} + client_id: ${{ secrets.AZURE_CLIENT_ID }} + + - name: Get Azure Key Vault secrets + id: get-kv-secrets + uses: bitwarden/gh-actions/get-keyvault-secrets@main + with: + keyvault: gh-clients + secrets: "KEYCHAIN-PASSWORD,APP-STORE-CONNECT-AUTH-KEY,APP-STORE-CONNECT-TEAM-ISSUER" - name: Download Provisioning Profiles secrets env: @@ -949,9 +989,12 @@ jobs: az keyvault secret show --id https://bitwarden-ci.vault.azure.net/certificates/macdev-cert | jq -r .value | base64 -d > $HOME/certificates/macdev-cert.p12 + - name: Log out from Azure + uses: bitwarden/gh-actions/azure-logout@main + - name: Set up keychain env: - KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }} + KEYCHAIN_PASSWORD: ${{ steps.get-kv-secrets.outputs.KEYCHAIN-PASSWORD }} run: | security create-keychain -p $KEYCHAIN_PASSWORD build.keychain security default-keychain -s build.keychain @@ -1055,12 +1098,12 @@ jobs: run: | mkdir ~/private_keys cat << EOF > ~/private_keys/AuthKey_6TV9MKN3GP.p8 - ${{ secrets.APP_STORE_CONNECT_AUTH_KEY }} + ${{ steps.get-kv-secrets.outputs.APP-STORE-CONNECT-AUTH-KEY }} EOF - name: Build application (dist) env: - APP_STORE_CONNECT_TEAM_ISSUER: ${{ secrets.APP_STORE_CONNECT_TEAM_ISSUER }} + APP_STORE_CONNECT_TEAM_ISSUER: ${{ steps.get-kv-secrets.outputs.APP-STORE-CONNECT-TEAM-ISSUER }} APP_STORE_CONNECT_AUTH_KEY: 6TV9MKN3GP APP_STORE_CONNECT_AUTH_KEY_PATH: ~/private_keys/AuthKey_6TV9MKN3GP.p8 CSC_FOR_PULL_REQUEST: true @@ -1103,6 +1146,9 @@ jobs: - browser-build - macos-build - setup + permissions: + contents: read + id-token: write env: _PACKAGE_VERSION: ${{ needs.setup.outputs.package_version }} _NODE_VERSION: ${{ needs.setup.outputs.node_version }} @@ -1148,10 +1194,19 @@ jobs: path: apps/browser/dist/Safari key: ${{ runner.os }}-${{ github.run_id }}-safari-extension - - name: Login to Azure - uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0 + - name: Log in to Azure + uses: bitwarden/gh-actions/azure-login@main with: - creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }} + subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + tenant_id: ${{ secrets.AZURE_TENANT_ID }} + client_id: ${{ secrets.AZURE_CLIENT_ID }} + + - name: Get Azure Key Vault secrets + id: get-kv-secrets + uses: bitwarden/gh-actions/get-keyvault-secrets@main + with: + keyvault: gh-clients + secrets: "KEYCHAIN-PASSWORD,APP-STORE-CONNECT-AUTH-KEY,APP-STORE-CONNECT-TEAM-ISSUER" - name: Retrieve Slack secret id: retrieve-slack-secret @@ -1199,9 +1254,12 @@ jobs: az keyvault secret show --id https://bitwarden-ci.vault.azure.net/certificates/macdev-cert | jq -r .value | base64 -d > $HOME/certificates/macdev-cert.p12 + - name: Log out from Azure + uses: bitwarden/gh-actions/azure-logout@main + - name: Set up keychain env: - KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }} + KEYCHAIN_PASSWORD: ${{ steps.get-kv-secrets.outputs.KEYCHAIN-PASSWORD }} run: | security create-keychain -p $KEYCHAIN_PASSWORD build.keychain security default-keychain -s build.keychain @@ -1305,12 +1363,12 @@ jobs: run: | mkdir ~/private_keys cat << EOF > ~/private_keys/AuthKey_6TV9MKN3GP.p8 - ${{ secrets.APP_STORE_CONNECT_AUTH_KEY }} + ${{ steps.get-kv-secrets.outputs.APP-STORE-CONNECT-AUTH-KEY }} EOF - name: Build application for App Store env: - APP_STORE_CONNECT_TEAM_ISSUER: ${{ secrets.APP_STORE_CONNECT_TEAM_ISSUER }} + APP_STORE_CONNECT_TEAM_ISSUER: ${{ steps.get-kv-secrets.outputs.APP-STORE-CONNECT-TEAM-ISSUER }} APP_STORE_CONNECT_AUTH_KEY: 6TV9MKN3GP APP_STORE_CONNECT_AUTH_KEY_PATH: ~/private_keys/AuthKey_6TV9MKN3GP.p8 CSC_FOR_PULL_REQUEST: true @@ -1334,7 +1392,7 @@ jobs: cat << EOF > ~/secrets/appstoreconnect-fastlane.json { - "issuer_id": "${{ secrets.APP_STORE_CONNECT_TEAM_ISSUER }}", + "issuer_id": "${{ steps.get-kv-secrets.outputs.APP-STORE-CONNECT-TEAM-ISSUER }}", "key_id": "6TV9MKN3GP", "key": "$KEY_WITHOUT_NEWLINES" } @@ -1346,7 +1404,7 @@ jobs: github.event_name != 'pull_request_target' && (inputs.testflight_distribute || github.ref == 'refs/heads/main' || github.ref == 'refs/heads/rc' || github.ref == 'refs/heads/hotfix-rc-desktop') env: - APP_STORE_CONNECT_TEAM_ISSUER: ${{ secrets.APP_STORE_CONNECT_TEAM_ISSUER }} + APP_STORE_CONNECT_TEAM_ISSUER: ${{ steps.get-kv-secrets.outputs.APP-STORE-CONNECT-TEAM-ISSUER }} APP_STORE_CONNECT_AUTH_KEY: 6TV9MKN3GP BRANCH: ${{ github.ref }} run: | @@ -1396,6 +1454,10 @@ jobs: - windows - macos-package-github - macos-package-mas + permissions: + contents: write + pull-requests: write + id-token: write runs-on: ubuntu-22.04 steps: - name: Check out repo @@ -1403,10 +1465,12 @@ jobs: with: ref: ${{ github.event.pull_request.head.sha }} - - name: Login to Azure - uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0 + - name: Log in to Azure + uses: bitwarden/gh-actions/azure-login@main with: - creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }} + subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + tenant_id: ${{ secrets.AZURE_TENANT_ID }} + client_id: ${{ secrets.AZURE_CLIENT_ID }} - name: Retrieve secrets id: retrieve-secrets @@ -1415,6 +1479,9 @@ jobs: keyvault: "bitwarden-ci" secrets: "crowdin-api-token" + - name: Log out from Azure + uses: bitwarden/gh-actions/azure-logout@main + - name: Upload Sources uses: crowdin/github-action@f214c8723025f41fc55b2ad26e67b60b80b1885d # v2.7.1 env: @@ -1442,6 +1509,9 @@ jobs: - macos-package-github - macos-package-mas - crowdin-push + permissions: + contents: read + id-token: write steps: - name: Check if any job failed if: | @@ -1450,11 +1520,13 @@ jobs: && contains(needs.*.result, 'failure') run: exit 1 - - name: Login to Azure - Prod Subscription - uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0 + - name: Log in to Azure if: failure() + uses: bitwarden/gh-actions/azure-login@main with: - creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }} + subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + tenant_id: ${{ secrets.AZURE_TENANT_ID }} + client_id: ${{ secrets.AZURE_CLIENT_ID }} - name: Retrieve secrets id: retrieve-secrets @@ -1464,6 +1536,9 @@ jobs: keyvault: "bitwarden-ci" secrets: "devops-alerts-slack-webhook-url" + - name: Log out from Azure + uses: bitwarden/gh-actions/azure-logout@main + - name: Notify Slack on failure uses: act10ns/slack@44541246747a30eb3102d87f7a4cc5471b0ffb7d # v2.1.0 if: failure() @@ -1471,3 +1546,4 @@ jobs: SLACK_WEBHOOK_URL: ${{ steps.retrieve-secrets.outputs.devops-alerts-slack-webhook-url }} with: status: ${{ job.status }} + diff --git a/.github/workflows/build-web-target.yml b/.github/workflows/build-web-target.yml index ca10e6d46f2..b1055885400 100644 --- a/.github/workflows/build-web-target.yml +++ b/.github/workflows/build-web-target.yml @@ -27,6 +27,8 @@ jobs: check-run: name: Check PR run uses: bitwarden/gh-actions/.github/workflows/check-run.yml@main + permissions: + contents: read run-workflow: name: Build Web @@ -34,4 +36,8 @@ jobs: if: ${{ github.event.pull_request.head.repo.full_name != github.repository }} uses: ./.github/workflows/build-web.yml secrets: inherit + permissions: + contents: read + id-token: write + security-events: write diff --git a/.github/workflows/build-web.yml b/.github/workflows/build-web.yml index 745376b46d8..b4163d161cf 100644 --- a/.github/workflows/build-web.yml +++ b/.github/workflows/build-web.yml @@ -51,7 +51,8 @@ env: _AZ_REGISTRY: bitwardenprod.azurecr.io _GITHUB_PR_REPO_NAME: ${{ github.event.pull_request.head.repo.full_name }} -permissions: {} +permissions: + contents: read jobs: setup: @@ -80,10 +81,8 @@ jobs: - name: Check secrets id: check-secrets - env: - AZURE_KV_CI_SERVICE_PRINCIPAL: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }} run: | - has_secrets=${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL != '' }} + has_secrets=${{ secrets.AZURE_CLIENT_ID != '' }} echo "has_secrets=$has_secrets" >> $GITHUB_OUTPUT @@ -204,11 +203,13 @@ jobs: uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0 ########## ACRs ########## - - name: Login to Prod Azure + - name: Log in to Azure if: ${{ needs.setup.outputs.has_secrets == 'true' }} - uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0 + uses: bitwarden/gh-actions/azure-login@main with: - creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }} + subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + tenant_id: ${{ secrets.AZURE_TENANT_ID }} + client_id: ${{ secrets.AZURE_CLIENT_ID }} - name: Log into Prod container registry if: ${{ needs.setup.outputs.has_secrets == 'true' }} @@ -328,11 +329,19 @@ jobs: - name: Log out of Docker run: docker logout $_AZ_REGISTRY + - name: Log out from Azure + if: ${{ needs.setup.outputs.has_secrets == 'true' }} + uses: bitwarden/gh-actions/azure-logout@main + crowdin-push: name: Crowdin Push if: github.event_name != 'pull_request_target' && github.ref == 'refs/heads/main' needs: build-containers + permissions: + contents: write + pull-requests: write + id-token: write runs-on: ubuntu-24.04 steps: - name: Check out repo @@ -340,10 +349,12 @@ jobs: with: ref: ${{ github.event.pull_request.head.sha }} - - name: Login to Azure - uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0 + - name: Log in to Azure + uses: bitwarden/gh-actions/azure-login@main with: - creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }} + subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + tenant_id: ${{ secrets.AZURE_TENANT_ID }} + client_id: ${{ secrets.AZURE_CLIENT_ID }} - name: Retrieve secrets id: retrieve-secrets @@ -352,6 +363,9 @@ jobs: keyvault: "bitwarden-ci" secrets: "crowdin-api-token" + - name: Log out from Azure + uses: bitwarden/gh-actions/azure-logout@main + - name: Upload Sources uses: crowdin/github-action@f214c8723025f41fc55b2ad26e67b60b80b1885d # v2.7.1 env: @@ -370,11 +384,15 @@ jobs: if: github.event_name != 'pull_request_target' && github.ref == 'refs/heads/main' runs-on: ubuntu-24.04 needs: build-containers + permissions: + id-token: write steps: - - name: Login to Azure - CI Subscription - uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0 + - name: Log in to Azure + uses: bitwarden/gh-actions/azure-login@main with: - creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }} + subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + tenant_id: ${{ secrets.AZURE_TENANT_ID }} + client_id: ${{ secrets.AZURE_CLIENT_ID }} - name: Retrieve github PAT secrets id: retrieve-secret-pat @@ -383,6 +401,9 @@ jobs: keyvault: "bitwarden-ci" secrets: "github-pat-bitwarden-devops-bot-repo-scope" + - name: Log out from Azure + uses: bitwarden/gh-actions/azure-logout@main + - name: Trigger web vault deploy using GitHub Run ID uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 with: @@ -409,6 +430,8 @@ jobs: - build-containers - crowdin-push - trigger-web-vault-deploy + permissions: + id-token: write steps: - name: Check if any job failed if: | @@ -417,11 +440,13 @@ jobs: && contains(needs.*.result, 'failure') run: exit 1 - - name: Login to Azure - Prod Subscription - uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0 + - name: Log in to Azure + uses: bitwarden/gh-actions/azure-login@main if: failure() with: - creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }} + subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + tenant_id: ${{ secrets.AZURE_TENANT_ID }} + client_id: ${{ secrets.AZURE_CLIENT_ID }} - name: Retrieve secrets id: retrieve-secrets @@ -431,6 +456,9 @@ jobs: keyvault: "bitwarden-ci" secrets: "devops-alerts-slack-webhook-url" + - name: Log out from Azure + uses: bitwarden/gh-actions/azure-logout@main + - name: Notify Slack on failure uses: act10ns/slack@44541246747a30eb3102d87f7a4cc5471b0ffb7d # v2.1.0 if: failure() diff --git a/.github/workflows/chromatic.yml b/.github/workflows/chromatic.yml index 78733bc5a8b..4ee39305f84 100644 --- a/.github/workflows/chromatic.yml +++ b/.github/workflows/chromatic.yml @@ -15,6 +15,8 @@ jobs: check-run: name: Check PR run uses: bitwarden/gh-actions/.github/workflows/check-run.yml@main + permissions: + contents: read chromatic: name: Chromatic @@ -23,6 +25,7 @@ jobs: permissions: contents: read pull-requests: write + id-token: write steps: - name: Check out repo @@ -30,13 +33,13 @@ jobs: with: ref: ${{ github.event.pull_request.head.sha }} fetch-depth: 0 - + - name: Get changed files id: get-changed-files-for-chromatic uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2 with: filters: | - storyFiles: + storyFiles: - "apps/!(cli)/**" - "bitwarden_license/bit-web/src/app/**" - "libs/!(eslint)/**" @@ -74,11 +77,28 @@ jobs: if: steps.get-changed-files-for-chromatic.outputs.storyFiles == 'true' run: npm run build-storybook:ci + - name: Log in to Azure + uses: bitwarden/gh-actions/azure-login@main + with: + subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + tenant_id: ${{ secrets.AZURE_TENANT_ID }} + client_id: ${{ secrets.AZURE_CLIENT_ID }} + + - name: Get Azure Key Vault secrets + id: get-kv-secrets + uses: bitwarden/gh-actions/get-keyvault-secrets@main + with: + keyvault: gh-clients + secrets: "CHROMATIC-PROJECT-TOKEN" + + - name: Log out from Azure + uses: bitwarden/gh-actions/azure-logout@main + - name: Publish to Chromatic uses: chromaui/action@e8cc4c31775280b175a3c440076c00d19a9014d7 # v11.28.2 with: token: ${{ secrets.GITHUB_TOKEN }} - projectToken: ${{ secrets.CHROMATIC_PROJECT_TOKEN }} + projectToken: ${{ steps.get-kv-secrets.outputs.CHROMATIC-PROJECT-TOKEN }} storybookBuildDir: ./storybook-static exitOnceUploaded: true onlyChanged: true diff --git a/.github/workflows/crowdin-pull.yml b/.github/workflows/crowdin-pull.yml index 2fc035ec038..0b891203855 100644 --- a/.github/workflows/crowdin-pull.yml +++ b/.github/workflows/crowdin-pull.yml @@ -10,6 +10,9 @@ jobs: crowdin-sync: name: Autosync runs-on: ubuntu-24.04 + permissions: + contents: read + id-token: write strategy: fail-fast: false matrix: @@ -21,22 +24,19 @@ jobs: - app_name: web crowdin_project_id: "308189" steps: - - name: Generate GH App token - uses: actions/create-github-app-token@30bf6253fa41bdc8d1501d202ad15287582246b4 # v2.0.3 - id: app-token + - name: Log in to Azure + uses: bitwarden/gh-actions/azure-login@main with: - app-id: ${{ secrets.BW_GHAPP_ID }} - private-key: ${{ secrets.BW_GHAPP_KEY }} + subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + tenant_id: ${{ secrets.AZURE_TENANT_ID }} + client_id: ${{ secrets.AZURE_CLIENT_ID }} - - name: Checkout repo - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - name: Get Azure Key Vault secrets + id: get-kv-secrets + uses: bitwarden/gh-actions/get-keyvault-secrets@main with: - token: ${{ steps.app-token.outputs.token }} - - - name: Login to Azure - uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0 - with: - creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }} + keyvault: gh-org-bitwarden + secrets: "BW-GHAPP-ID,BW-GHAPP-KEY" - name: Retrieve secrets id: retrieve-secrets @@ -45,6 +45,21 @@ jobs: keyvault: "bitwarden-ci" secrets: "crowdin-api-token, github-gpg-private-key, github-gpg-private-key-passphrase" + - name: Log out from Azure + uses: bitwarden/gh-actions/azure-logout@main + + - name: Generate GH App token + uses: actions/create-github-app-token@30bf6253fa41bdc8d1501d202ad15287582246b4 # v2.0.3 + id: app-token + with: + app-id: ${{ steps.get-kv-secrets.outputs.BW-GHAPP-ID }} + private-key: ${{ steps.get-kv-secrets.outputs.BW-GHAPP-KEY }} + + - name: Checkout repo + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + token: ${{ steps.app-token.outputs.token }} + - name: Download translations uses: bitwarden/gh-actions/crowdin@main env: diff --git a/.github/workflows/deploy-web.yml b/.github/workflows/deploy-web.yml index 1cde8dd636a..3ffe18d1729 100644 --- a/.github/workflows/deploy-web.yml +++ b/.github/workflows/deploy-web.yml @@ -66,8 +66,9 @@ jobs: environment_url: ${{ steps.config.outputs.environment_url }} environment_name: ${{ steps.config.outputs.environment_name }} environment_artifact: ${{ steps.config.outputs.environment_artifact }} - azure_login_creds: ${{ steps.config.outputs.azure_login_creds }} - retrive_secrets_keyvault: ${{ steps.config.outputs.retrive_secrets_keyvault }} + azure_login_client_key_name: ${{ steps.config.outputs.azure_login_client_key_name }} + azure_login_subscription_id_key_name: ${{ steps.config.outputs.azure_login_subscription_id_key_name }} + retrieve_secrets_keyvault: ${{ steps.config.outputs.retrieve_secrets_keyvault }} sync_utility: ${{ steps.config.outputs.sync_utility }} sync_delete_destination_files: ${{ steps.config.outputs.sync_delete_destination_files }} slack_channel_name: ${{ steps.config.outputs.slack_channel_name }} @@ -81,40 +82,45 @@ jobs: case ${{ inputs.environment }} in "USQA") - echo "azure_login_creds=AZURE_KV_US_QA_SERVICE_PRINCIPAL" >> $GITHUB_OUTPUT - echo "retrive_secrets_keyvault=bw-webvault-rlktusqa-kv" >> $GITHUB_OUTPUT + echo "azure_login_client_key_name=AZURE_CLIENT_ID_USQA" >> $GITHUB_OUTPUT + echo "azure_login_subscription_id_key_name=AZURE_SUBSCRIPTION_ID_USQA" >> $GITHUB_OUTPUT + echo "retrieve_secrets_keyvault=bw-webvault-rlktusqa-kv" >> $GITHUB_OUTPUT echo "environment_artifact=web-*-cloud-QA.zip" >> $GITHUB_OUTPUT echo "environment_name=Web Vault - US QA Cloud" >> $GITHUB_OUTPUT echo "environment_url=http://vault.$ENV_NAME_LOWER.bitwarden.pw" >> $GITHUB_OUTPUT echo "slack_channel_name=alerts-deploy-qa" >> $GITHUB_OUTPUT ;; "EUQA") - echo "azure_login_creds=AZURE_KV_EU_QA_SERVICE_PRINCIPAL" >> $GITHUB_OUTPUT - echo "retrive_secrets_keyvault=webvaulteu-westeurope-qa" >> $GITHUB_OUTPUT + echo "azure_login_client_key_name=AZURE_CLIENT_ID_EUQA" >> $GITHUB_OUTPUT + echo "azure_login_subscription_id_key_name=AZURE_SUBSCRIPTION_ID_EUQA" >> $GITHUB_OUTPUT + echo "retrieve_secrets_keyvault=webvaulteu-westeurope-qa" >> $GITHUB_OUTPUT echo "environment_artifact=web-*-cloud-euqa.zip" >> $GITHUB_OUTPUT echo "environment_name=Web Vault - EU QA Cloud" >> $GITHUB_OUTPUT echo "environment_url=http://vault.$ENV_NAME_LOWER.bitwarden.pw" >> $GITHUB_OUTPUT echo "slack_channel_name=alerts-deploy-qa" >> $GITHUB_OUTPUT ;; "USPROD") - echo "azure_login_creds=AZURE_KV_US_PROD_SERVICE_PRINCIPAL" >> $GITHUB_OUTPUT - echo "retrive_secrets_keyvault=bw-webvault-klrt-kv" >> $GITHUB_OUTPUT + echo "azure_login_client_key_name=AZURE_CLIENT_ID_USPROD" >> $GITHUB_OUTPUT + echo "azure_login_subscription_id_key_name=AZURE_SUBSCRIPTION_ID_USPROD" >> $GITHUB_OUTPUT + echo "retrieve_secrets_keyvault=bw-webvault-klrt-kv" >> $GITHUB_OUTPUT echo "environment_artifact=web-*-cloud-COMMERCIAL.zip" >> $GITHUB_OUTPUT echo "environment_name=Web Vault - US Production Cloud" >> $GITHUB_OUTPUT echo "environment_url=http://vault.bitwarden.com" >> $GITHUB_OUTPUT echo "slack_channel_name=alerts-deploy-prd" >> $GITHUB_OUTPUT ;; "EUPROD") - echo "azure_login_creds=AZURE_KV_EU_PRD_SERVICE_PRINCIPAL" >> $GITHUB_OUTPUT - echo "retrive_secrets_keyvault=webvault-westeurope-prod" >> $GITHUB_OUTPUT + echo "azure_login_client_key_name=AZURE_CLIENT_ID_EUPROD" >> $GITHUB_OUTPUT + echo "azure_login_subscription_id_key_name=AZURE_SUBSCRIPTION_ID_EUPROD" >> $GITHUB_OUTPUT + echo "retrieve_secrets_keyvault=webvault-westeurope-prod" >> $GITHUB_OUTPUT echo "environment_artifact=web-*-cloud-euprd.zip" >> $GITHUB_OUTPUT echo "environment_name=Web Vault - EU Production Cloud" >> $GITHUB_OUTPUT echo "environment_url=http://vault.bitwarden.eu" >> $GITHUB_OUTPUT echo "slack_channel_name=alerts-deploy-prd" >> $GITHUB_OUTPUT ;; "USDEV") - echo "azure_login_creds=AZURE_KV_US_DEV_SERVICE_PRINCIPAL" >> $GITHUB_OUTPUT - echo "retrive_secrets_keyvault=webvault-eastus-dev" >> $GITHUB_OUTPUT + echo "azure_login_client_key_name=AZURE_CLIENT_ID_USDEV" >> $GITHUB_OUTPUT + echo "azure_login_subscription_id_key_name=AZURE_SUBSCRIPTION_ID_USDEV" >> $GITHUB_OUTPUT + echo "retrieve_secrets_keyvault=webvault-eastus-dev" >> $GITHUB_OUTPUT echo "environment_artifact=web-*-cloud-usdev.zip" >> $GITHUB_OUTPUT echo "environment_name=Web Vault - US Development Cloud" >> $GITHUB_OUTPUT echo "environment_url=http://vault.$ENV_NAME_LOWER.bitwarden.pw" >> $GITHUB_OUTPUT @@ -180,6 +186,9 @@ jobs: name: Check if Web artifact is present runs-on: ubuntu-22.04 needs: setup + permissions: + contents: read + id-token: write env: _ENVIRONMENT_ARTIFACT: ${{ needs.setup.outputs.environment_artifact }} outputs: @@ -209,11 +218,13 @@ jobs: branch: ${{ inputs.branch-or-tag }} artifacts: ${{ env._ENVIRONMENT_ARTIFACT }} - - name: Login to Azure + - name: Log in to Azure if: ${{ steps.download-latest-artifacts.outcome == 'failure' }} - uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0 + uses: bitwarden/gh-actions/azure-login@main with: - creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }} + subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + tenant_id: ${{ secrets.AZURE_TENANT_ID }} + client_id: ${{ secrets.AZURE_CLIENT_ID }} - name: Retrieve secrets for Build trigger if: ${{ steps.download-latest-artifacts.outcome == 'failure' }} @@ -223,6 +234,10 @@ jobs: keyvault: "bitwarden-ci" secrets: "github-pat-bitwarden-devops-bot-repo-scope" + - name: Log out from Azure + if: ${{ steps.download-latest-artifacts.outcome == 'failure' }} + uses: bitwarden/gh-actions/azure-logout@main + - name: 'Trigger build web for missing branch/tag ${{ inputs.branch-or-tag }}' if: ${{ steps.download-latest-artifacts.outcome == 'failure' }} uses: convictional/trigger-workflow-and-wait@f69fa9eedd3c62a599220f4d5745230e237904be # v1.6.5 @@ -277,7 +292,9 @@ jobs: event: 'start' commit-sha: ${{ needs.artifact-check.outputs.artifact_build_commit }} url: https://github.com/bitwarden/clients/actions/runs/${{ github.run_id }} - AZURE_KV_CI_SERVICE_PRINCIPAL: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }} + AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} + AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} update-summary: name: Display commit @@ -302,6 +319,9 @@ jobs: _ENVIRONMENT_URL: ${{ needs.setup.outputs.environment_url }} _ENVIRONMENT_NAME: ${{ needs.setup.outputs.environment_name }} _ENVIRONMENT_ARTIFACT: ${{ needs.setup.outputs.environment_artifact }} + permissions: + id-token: write + deployments: write steps: - name: Create GitHub deployment uses: chrnorm/deployment-action@55729fcebec3d284f60f5bcabbd8376437d696b1 # v2.0.7 @@ -309,23 +329,25 @@ jobs: with: token: '${{ secrets.GITHUB_TOKEN }}' initial-status: 'in_progress' - environment_url: ${{ env._ENVIRONMENT_URL }} + environment-url: ${{ env._ENVIRONMENT_URL }} environment: ${{ env._ENVIRONMENT_NAME }} task: 'deploy' description: 'Deployment from branch/tag: ${{ inputs.branch-or-tag }}' ref: ${{ needs.artifact-check.outputs.artifact_build_commit }} - name: Login to Azure - uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0 + uses: bitwarden/gh-actions/azure-login@main with: - creds: ${{ secrets[needs.setup.outputs.azure_login_creds] }} + subscription_id: ${{ secrets[needs.setup.outputs.azure_login_subscription_id_key_name] }} + tenant_id: ${{ secrets.AZURE_TENANT_ID }} + client_id: ${{ secrets[needs.setup.outputs.azure_login_client_key_name] }} - name: Retrieve Storage Account connection string for az sync if: ${{ needs.setup.outputs.sync_utility == 'az-sync' }} id: retrieve-secrets-az-sync uses: bitwarden/gh-actions/get-keyvault-secrets@main with: - keyvault: ${{ needs.setup.outputs.retrive_secrets_keyvault }} + keyvault: ${{ needs.setup.outputs.retrieve_secrets_keyvault }} secrets: "sa-bitwarden-web-vault-dev-key-temp" - name: Retrieve Storage Account name and SPN credentials for azcopy @@ -333,9 +355,12 @@ jobs: id: retrieve-secrets-azcopy uses: bitwarden/gh-actions/get-keyvault-secrets@main with: - keyvault: ${{ needs.setup.outputs.retrive_secrets_keyvault }} + keyvault: ${{ needs.setup.outputs.retrieve_secrets_keyvault }} secrets: "sa-bitwarden-web-vault-name,sp-bitwarden-web-vault-password,sp-bitwarden-web-vault-appid,sp-bitwarden-web-vault-tenant" + - name: Log out from Azure + uses: bitwarden/gh-actions/azure-logout@main + - name: 'Download latest cloud asset using GitHub Run ID: ${{ inputs.build-web-run-id }}' if: ${{ inputs.build-web-run-id }} uses: bitwarden/gh-actions/download-artifacts@main @@ -397,7 +422,7 @@ jobs: uses: chrnorm/deployment-status@9a72af4586197112e0491ea843682b5dc280d806 # v2.0.3 with: token: '${{ secrets.GITHUB_TOKEN }}' - environment_url: ${{ env._ENVIRONMENT_URL }} + environment-url: ${{ env._ENVIRONMENT_URL }} state: 'success' deployment-id: ${{ steps.deployment.outputs.deployment_id }} @@ -406,7 +431,7 @@ jobs: uses: chrnorm/deployment-status@9a72af4586197112e0491ea843682b5dc280d806 # v2.0.3 with: token: '${{ secrets.GITHUB_TOKEN }}' - environment_url: ${{ env._ENVIRONMENT_URL }} + environment-url: ${{ env._ENVIRONMENT_URL }} state: 'failure' deployment-id: ${{ steps.deployment.outputs.deployment_id }} @@ -419,6 +444,8 @@ jobs: - notify-start - azure-deploy - artifact-check + permissions: + id-token: write steps: - name: Notify Slack with result uses: bitwarden/gh-actions/report-deployment-status-to-slack@main @@ -431,4 +458,6 @@ jobs: url: https://github.com/bitwarden/clients/actions/runs/${{ github.run_id }} commit-sha: ${{ needs.artifact-check.outputs.artifact_build_commit }} update-ts: ${{ needs.notify-start.outputs.ts }} - AZURE_KV_CI_SERVICE_PRINCIPAL: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }} + AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} + AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} diff --git a/.github/workflows/lint-crowdin-config.yml b/.github/workflows/lint-crowdin-config.yml index adb5950e3a0..38a3ef59ea7 100644 --- a/.github/workflows/lint-crowdin-config.yml +++ b/.github/workflows/lint-crowdin-config.yml @@ -5,12 +5,14 @@ on: types: [opened, synchronize] paths: - '**/crowdin.yml' -permissions: {} jobs: lint-crowdin-config: name: Lint Crowdin Config ${{ matrix.app.name }} runs-on: ubuntu-24.04 + permissions: + contents: read + id-token: write strategy: matrix: app: [ @@ -22,17 +24,25 @@ jobs: - name: Check out repo uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: - fetch-depth: 1 - - name: Login to Azure - uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0 + fetch-depth: 1 + + - name: Log in to Azure + uses: bitwarden/gh-actions/azure-login@main with: - creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }} + subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + tenant_id: ${{ secrets.AZURE_TENANT_ID }} + client_id: ${{ secrets.AZURE_CLIENT_ID }} + - name: Retrieve secrets id: retrieve-secrets uses: bitwarden/gh-actions/get-keyvault-secrets@main with: keyvault: "bitwarden-ci" secrets: "crowdin-api-token" + + - name: Log out from Azure + uses: bitwarden/gh-actions/azure-logout@main + - name: Lint ${{ matrix.app.name }} config uses: crowdin/github-action@f214c8723025f41fc55b2ad26e67b60b80b1885d # v2.7.1 env: @@ -42,4 +52,4 @@ jobs: with: dryrun_action: true command: 'config lint' - command_args: '--verbose -c ${{ matrix.app.config_path }}' \ No newline at end of file + command_args: '--verbose -c ${{ matrix.app.config_path }}' diff --git a/.github/workflows/publish-cli.yml b/.github/workflows/publish-cli.yml index d758e6f11c9..efb0f541d70 100644 --- a/.github/workflows/publish-cli.yml +++ b/.github/workflows/publish-cli.yml @@ -48,6 +48,10 @@ jobs: defaults: run: working-directory: . + permissions: + contents: read + deployments: write + steps: - name: Branch check if: ${{ inputs.publish_type != 'Dry Run' }} @@ -86,6 +90,10 @@ jobs: name: Deploy Snap runs-on: ubuntu-22.04 needs: setup + permissions: + contents: read + packages: read + id-token: write if: inputs.snap_publish env: _PKG_VERSION: ${{ needs.setup.outputs.release_version }} @@ -93,10 +101,12 @@ jobs: - name: Checkout repo uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - - name: Login to Azure - uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0 + - name: Log in to Azure + uses: bitwarden/gh-actions/azure-login@main with: - creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }} + subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + tenant_id: ${{ secrets.AZURE_TENANT_ID }} + client_id: ${{ secrets.AZURE_CLIENT_ID }} - name: Retrieve secrets id: retrieve-secrets @@ -105,6 +115,9 @@ jobs: keyvault: "bitwarden-ci" secrets: "snapcraft-store-token" + - name: Log out from Azure + uses: bitwarden/gh-actions/azure-logout@main + - name: Install Snap uses: samuelmeuli/action-snapcraft@d33c176a9b784876d966f80fb1b461808edc0641 # v2.1.1 @@ -123,6 +136,10 @@ jobs: name: Deploy Choco runs-on: windows-2022 needs: setup + permissions: + contents: read + packages: read + id-token: write if: inputs.choco_publish env: _PKG_VERSION: ${{ needs.setup.outputs.release_version }} @@ -130,10 +147,12 @@ jobs: - name: Checkout repo uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - - name: Login to Azure - uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0 + - name: Log in to Azure + uses: bitwarden/gh-actions/azure-login@main with: - creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }} + subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + tenant_id: ${{ secrets.AZURE_TENANT_ID }} + client_id: ${{ secrets.AZURE_CLIENT_ID }} - name: Retrieve secrets id: retrieve-secrets @@ -142,6 +161,9 @@ jobs: keyvault: "bitwarden-ci" secrets: "cli-choco-api-key" + - name: Log out from Azure + uses: bitwarden/gh-actions/azure-logout@main + - name: Setup Chocolatey run: choco apikey --key $env:CHOCO_API_KEY --source https://push.chocolatey.org/ env: @@ -163,6 +185,10 @@ jobs: name: Publish NPM runs-on: ubuntu-22.04 needs: setup + permissions: + contents: read + packages: read + id-token: write if: inputs.npm_publish env: _PKG_VERSION: ${{ needs.setup.outputs.release_version }} @@ -170,10 +196,12 @@ jobs: - name: Checkout repo uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - - name: Login to Azure - uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0 + - name: Log in to Azure + uses: bitwarden/gh-actions/azure-login@main with: - creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }} + subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + tenant_id: ${{ secrets.AZURE_TENANT_ID }} + client_id: ${{ secrets.AZURE_CLIENT_ID }} - name: Retrieve secrets id: retrieve-secrets @@ -182,6 +210,9 @@ jobs: keyvault: "bitwarden-ci" secrets: "npm-api-key" + - name: Log out from Azure + uses: bitwarden/gh-actions/azure-logout@main + - name: Download and set up artifact run: | mkdir -p build @@ -210,6 +241,10 @@ jobs: - npm - snap - choco + permissions: + contents: read + deployments: write + if: ${{ always() && inputs.publish_type != 'Dry Run' }} steps: - name: Check if any job failed diff --git a/.github/workflows/publish-desktop.yml b/.github/workflows/publish-desktop.yml index ae631165db9..aafc4d25ed4 100644 --- a/.github/workflows/publish-desktop.yml +++ b/.github/workflows/publish-desktop.yml @@ -42,6 +42,9 @@ jobs: release_channel: ${{ steps.release_channel.outputs.channel }} tag_name: ${{ steps.version.outputs.tag_name }} deployment_id: ${{ steps.deployment.outputs.deployment_id }} + permissions: + contents: read + deployments: write steps: - name: Branch check if: ${{ inputs.publish_type != 'Dry Run' }} @@ -106,14 +109,21 @@ jobs: name: Electron blob publish runs-on: ubuntu-22.04 needs: setup + permissions: + contents: read + packages: read + id-token: write + deployments: write env: _PKG_VERSION: ${{ needs.setup.outputs.release_version }} _RELEASE_TAG: ${{ needs.setup.outputs.tag_name }} steps: - - name: Login to Azure - uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0 + - name: Log in to Azure + uses: bitwarden/gh-actions/azure-login@main with: - creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }} + subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + tenant_id: ${{ secrets.AZURE_TENANT_ID }} + client_id: ${{ secrets.AZURE_CLIENT_ID }} - name: Retrieve secrets id: retrieve-secrets @@ -124,6 +134,9 @@ jobs: aws-electron-access-key, aws-electron-bucket-name" + - name: Log out from Azure + uses: bitwarden/gh-actions/azure-logout@main + - name: Create artifacts directory run: mkdir -p apps/desktop/artifacts @@ -176,6 +189,9 @@ jobs: name: Deploy Snap runs-on: ubuntu-22.04 needs: setup + permissions: + contents: read + id-token: write if: inputs.snap_publish env: _PKG_VERSION: ${{ needs.setup.outputs.release_version }} @@ -184,10 +200,12 @@ jobs: - name: Checkout Repo uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - - name: Login to Azure - uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0 + - name: Log in to Azure + uses: bitwarden/gh-actions/azure-login@main with: - creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }} + subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + tenant_id: ${{ secrets.AZURE_TENANT_ID }} + client_id: ${{ secrets.AZURE_CLIENT_ID }} - name: Retrieve secrets id: retrieve-secrets @@ -196,6 +214,9 @@ jobs: keyvault: "bitwarden-ci" secrets: "snapcraft-store-token" + - name: Log out from Azure + uses: bitwarden/gh-actions/azure-logout@main + - name: Install Snap uses: samuelmeuli/action-snapcraft@d33c176a9b784876d966f80fb1b461808edc0641 # v2.1.1 @@ -220,6 +241,9 @@ jobs: name: Deploy Choco runs-on: windows-2022 needs: setup + permissions: + contents: read + id-token: write if: inputs.choco_publish env: _PKG_VERSION: ${{ needs.setup.outputs.release_version }} @@ -233,10 +257,12 @@ jobs: dotnet --version dotnet nuget --version - - name: Login to Azure - uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0 + - name: Log in to Azure + uses: bitwarden/gh-actions/azure-login@main with: - creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }} + subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + tenant_id: ${{ secrets.AZURE_TENANT_ID }} + client_id: ${{ secrets.AZURE_CLIENT_ID }} - name: Retrieve secrets id: retrieve-secrets @@ -245,6 +271,9 @@ jobs: keyvault: "bitwarden-ci" secrets: "cli-choco-api-key" + - name: Log out from Azure + uses: bitwarden/gh-actions/azure-logout@main + - name: Setup Chocolatey run: choco apikey --key $env:CHOCO_API_KEY --source https://push.chocolatey.org/ env: @@ -271,6 +300,9 @@ jobs: - electron-blob - snap - choco + permissions: + contents: read + deployments: write if: ${{ always() && inputs.publish_type != 'Dry Run' }} steps: - name: Check if any job failed diff --git a/.github/workflows/publish-web.yml b/.github/workflows/publish-web.yml index 69b29086d36..a6f0f1be066 100644 --- a/.github/workflows/publish-web.yml +++ b/.github/workflows/publish-web.yml @@ -24,6 +24,8 @@ jobs: outputs: release_version: ${{ steps.version.outputs.version }} tag_version: ${{ steps.version.outputs.tag }} + permissions: + contents: read steps: - name: Checkout repo uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 @@ -52,6 +54,10 @@ jobs: name: Release self-host docker runs-on: ubuntu-22.04 needs: setup + permissions: + id-token: write + contents: read + deployments: write env: _BRANCH_NAME: ${{ github.ref_name }} _RELEASE_VERSION: ${{ needs.setup.outputs.release_version }} @@ -69,10 +75,12 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 ########## ACR ########## - - name: Login to Azure - PROD Subscription - uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0 + - name: Log in to Azure + uses: bitwarden/gh-actions/azure-login@main with: - creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }} + subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + tenant_id: ${{ secrets.AZURE_TENANT_ID }} + client_id: ${{ secrets.AZURE_CLIENT_ID }} - name: Login to Azure ACR run: az acr login -n bitwardenprod @@ -121,6 +129,9 @@ jobs: docker push $_AZ_REGISTRY/web-sh:latest fi + - name: Log out from Azure + uses: bitwarden/gh-actions/azure-logout@main + - name: Update deployment status to Success if: ${{ inputs.publish_type != 'Dry Run' && success() }} uses: chrnorm/deployment-status@9a72af4586197112e0491ea843682b5dc280d806 # v2.0.3 @@ -147,11 +158,15 @@ jobs: runs-on: ubuntu-22.04 needs: - setup + permissions: + id-token: write steps: - - name: Log in to Azure - CI subscription - uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0 + - name: Log in to Azure + uses: bitwarden/gh-actions/azure-login@main with: - creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }} + subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + tenant_id: ${{ secrets.AZURE_TENANT_ID }} + client_id: ${{ secrets.AZURE_CLIENT_ID }} - name: Retrieve GitHub PAT secrets id: retrieve-secret-pat @@ -160,6 +175,9 @@ jobs: keyvault: "bitwarden-ci" secrets: "github-pat-bitwarden-devops-bot-repo-scope" + - name: Log out from Azure + uses: bitwarden/gh-actions/azure-logout@main + - name: Trigger self-host build uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 with: diff --git a/.github/workflows/release-desktop-beta.yml b/.github/workflows/release-desktop-beta.yml index a5e374395d8..e3eb9090cb7 100644 --- a/.github/workflows/release-desktop-beta.yml +++ b/.github/workflows/release-desktop-beta.yml @@ -15,6 +15,8 @@ jobs: setup: name: Setup runs-on: ubuntu-22.04 + permissions: + contents: write outputs: release_version: ${{ steps.version.outputs.version }} release_channel: ${{ steps.release_channel.outputs.channel }} @@ -115,6 +117,8 @@ jobs: name: Linux Build runs-on: ubuntu-22.04 needs: setup + permissions: + contents: read env: _PACKAGE_VERSION: ${{ needs.setup.outputs.release_version }} _NODE_VERSION: ${{ needs.setup.outputs.node_version }} @@ -204,6 +208,9 @@ jobs: name: Windows Build runs-on: windows-2022 needs: setup + permissions: + contents: read + id-token: write defaults: run: shell: pwsh @@ -237,10 +244,12 @@ jobs: npm --version choco --version - - name: Login to Azure - uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0 + - name: Log in to Azure + uses: bitwarden/gh-actions/azure-login@main with: - creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }} + subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + tenant_id: ${{ secrets.AZURE_TENANT_ID }} + client_id: ${{ secrets.AZURE_CLIENT_ID }} - name: Retrieve secrets id: retrieve-secrets @@ -253,6 +262,9 @@ jobs: code-signing-client-secret, code-signing-cert-name" + - name: Log out from Azure + uses: bitwarden/gh-actions/azure-logout@main + - name: Install Node dependencies run: npm ci working-directory: ./ @@ -394,6 +406,9 @@ jobs: name: MacOS Build runs-on: macos-13 needs: setup + permissions: + contents: read + id-token: write env: _PACKAGE_VERSION: ${{ needs.setup.outputs.release_version }} _NODE_VERSION: ${{ needs.setup.outputs.node_version }} @@ -438,6 +453,20 @@ jobs: path: apps/browser/dist/Safari key: ${{ runner.os }}-${{ github.run_id }}-safari-extension + - name: Log in to Azure + uses: bitwarden/gh-actions/azure-login@main + with: + subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + tenant_id: ${{ secrets.AZURE_TENANT_ID }} + client_id: ${{ secrets.AZURE_CLIENT_ID }} + + - name: Get Azure Key Vault secrets + id: get-kv-secrets + uses: bitwarden/gh-actions/get-keyvault-secrets@main + with: + keyvault: gh-clients + secrets: "KEYCHAIN-PASSWORD" + - name: Download Provisioning Profiles secrets env: ACCOUNT_NAME: bitwardenci @@ -472,9 +501,12 @@ jobs: az keyvault secret show --id https://bitwarden-ci.vault.azure.net/certificates/macdev-cert | jq -r .value | base64 -d > $HOME/certificates/macdev-cert.p12 + - name: Log out from Azure + uses: bitwarden/gh-actions/azure-logout@main + - name: Set up keychain env: - KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }} + KEYCHAIN_PASSWORD: ${{ steps.get-kv-secrets.outputs.KEYCHAIN-PASSWORD }} run: | security create-keychain -p $KEYCHAIN_PASSWORD build.keychain security default-keychain -s build.keychain @@ -528,6 +560,10 @@ jobs: needs: - setup - macos-build + permissions: + contents: read + packages: read + id-token: write env: _PACKAGE_VERSION: ${{ needs.setup.outputs.release_version }} _NODE_VERSION: ${{ needs.setup.outputs.node_version }} @@ -572,10 +608,19 @@ jobs: path: apps/browser/dist/Safari key: ${{ runner.os }}-${{ github.run_id }}-safari-extension - - name: Login to Azure - uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0 + - name: Log in to Azure + uses: bitwarden/gh-actions/azure-login@main with: - creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }} + subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + tenant_id: ${{ secrets.AZURE_TENANT_ID }} + client_id: ${{ secrets.AZURE_CLIENT_ID }} + + - name: Get Azure Key Vault secrets + id: get-kv-secrets + uses: bitwarden/gh-actions/get-keyvault-secrets@main + with: + keyvault: gh-clients + secrets: "KEYCHAIN-PASSWORD,APPLE-ID-USERNAME,APPLE-ID-PASSWORD" - name: Download Provisioning Profiles secrets env: @@ -611,9 +656,12 @@ jobs: az keyvault secret show --id https://bitwarden-ci.vault.azure.net/certificates/macdev-cert | jq -r .value | base64 -d > $HOME/certificates/macdev-cert.p12 + - name: Log out from Azure + uses: bitwarden/gh-actions/azure-logout@main + - name: Set up keychain env: - KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }} + KEYCHAIN_PASSWORD: ${{ steps.get-kv-secrets.outputs.KEYCHAIN-PASSWORD }} run: | security create-keychain -p $KEYCHAIN_PASSWORD build.keychain security default-keychain -s build.keychain @@ -702,8 +750,8 @@ jobs: - name: Build application (dist) env: - APPLE_ID_USERNAME: ${{ secrets.APPLE_ID_USERNAME }} - APPLE_ID_PASSWORD: ${{ secrets.APPLE_ID_PASSWORD }} + APPLE_ID_USERNAME: ${{ steps.get-kv-secrets.outputs.APPLE-ID-USERNAME }} + APPLE_ID_PASSWORD: ${{ steps.get-kv-secrets.outputs.APPLE-ID-PASSWORD }} run: npm run pack:mac - name: Upload .zip artifact @@ -741,6 +789,10 @@ jobs: needs: - setup - macos-build + permissions: + contents: read + packages: read + id-token: write env: _PACKAGE_VERSION: ${{ needs.setup.outputs.release_version }} _NODE_VERSION: ${{ needs.setup.outputs.node_version }} @@ -785,6 +837,20 @@ jobs: path: apps/browser/dist/Safari key: ${{ runner.os }}-${{ github.run_id }}-safari-extension + - name: Log in to Azure + uses: bitwarden/gh-actions/azure-login@main + with: + subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + tenant_id: ${{ secrets.AZURE_TENANT_ID }} + client_id: ${{ secrets.AZURE_CLIENT_ID }} + + - name: Get Azure Key Vault secrets + id: get-kv-secrets + uses: bitwarden/gh-actions/get-keyvault-secrets@main + with: + keyvault: gh-clients + secrets: "KEYCHAIN-PASSWORD,APPLE-ID-USERNAME,APPLE-ID-PASSWORD" + - name: Download Provisioning Profiles secrets env: ACCOUNT_NAME: bitwardenci @@ -819,9 +885,12 @@ jobs: az keyvault secret show --id https://bitwarden-ci.vault.azure.net/certificates/macdev-cert | jq -r .value | base64 -d > $HOME/certificates/macdev-cert.p12 + - name: Log out from Azure + uses: bitwarden/gh-actions/azure-logout@main + - name: Set up keychain env: - KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }} + KEYCHAIN_PASSWORD: ${{ steps.get-kv-secrets.outputs.KEYCHAIN-PASSWORD }} run: | security create-keychain -p $KEYCHAIN_PASSWORD build.keychain security default-keychain -s build.keychain @@ -911,8 +980,8 @@ jobs: - name: Build application for App Store run: npm run pack:mac:mas env: - APPLE_ID_USERNAME: ${{ secrets.APPLE_ID_USERNAME }} - APPLE_ID_PASSWORD: ${{ secrets.APPLE_ID_PASSWORD }} + APPLE_ID_USERNAME: ${{ steps.get-kv-secrets.outputs.APPLE-ID-USERNAME }} + APPLE_ID_PASSWORD: ${{ steps.get-kv-secrets.outputs.APPLE-ID-PASSWORD }} - name: Upload .pkg artifact uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0 @@ -931,6 +1000,10 @@ jobs: - macos-build - macos-package-github - macos-package-mas + permissions: + contents: read + id-token: write + deployments: write steps: - name: Create GitHub deployment uses: chrnorm/deployment-action@55729fcebec3d284f60f5bcabbd8376437d696b1 # v2.0.7 @@ -942,10 +1015,12 @@ jobs: description: 'Deployment ${{ needs.setup.outputs.release_version }} to channel ${{ needs.setup.outputs.release_channel }} from branch ${{ needs.setup.outputs.branch_name }}' task: release - - name: Login to Azure - uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0 + - name: Log in to Azure + uses: bitwarden/gh-actions/azure-login@main with: - creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }} + subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + tenant_id: ${{ secrets.AZURE_TENANT_ID }} + client_id: ${{ secrets.AZURE_CLIENT_ID }} - name: Retrieve secrets id: retrieve-secrets @@ -956,6 +1031,9 @@ jobs: aws-electron-access-key, aws-electron-bucket-name" + - name: Log out from Azure + uses: bitwarden/gh-actions/azure-logout@main + - name: Download all artifacts uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 with: @@ -1008,6 +1086,8 @@ jobs: - macos-package-github - macos-package-mas - release + permissions: + contents: write steps: - name: Checkout repo uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 diff --git a/.github/workflows/repository-management.yml b/.github/workflows/repository-management.yml index d91e0a12afd..ecb8e448a8a 100644 --- a/.github/workflows/repository-management.yml +++ b/.github/workflows/repository-management.yml @@ -36,7 +36,9 @@ on: description: "New version override (leave blank for automatic calculation, example: '2024.1.0')" required: false type: string + permissions: {} + jobs: setup: name: Setup @@ -56,6 +58,7 @@ jobs: fi echo "branch=$BRANCH" >> $GITHUB_OUTPUT + bump_version: name: Bump Version if: ${{ always() }} @@ -66,6 +69,9 @@ jobs: version_cli: ${{ steps.set-final-version-output.outputs.version_cli }} version_desktop: ${{ steps.set-final-version-output.outputs.version_desktop }} version_web: ${{ steps.set-final-version-output.outputs.version_web }} + permissions: + id-token: write + steps: - name: Validate version input format if: ${{ inputs.version_number_override != '' }} @@ -73,12 +79,29 @@ jobs: with: version: ${{ inputs.version_number_override }} + - name: Log in to Azure + uses: bitwarden/gh-actions/azure-login@main + with: + subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + tenant_id: ${{ secrets.AZURE_TENANT_ID }} + client_id: ${{ secrets.AZURE_CLIENT_ID }} + + - name: Get Azure Key Vault secrets + id: get-kv-secrets + uses: bitwarden/gh-actions/get-keyvault-secrets@main + with: + keyvault: gh-org-bitwarden + secrets: "BW-GHAPP-ID,BW-GHAPP-KEY" + + - name: Log out from Azure + uses: bitwarden/gh-actions/azure-logout@main + - name: Generate GH App token uses: actions/create-github-app-token@30bf6253fa41bdc8d1501d202ad15287582246b4 # v2.0.3 id: app-token with: - app-id: ${{ secrets.BW_GHAPP_ID }} - private-key: ${{ secrets.BW_GHAPP_KEY }} + app-id: ${{ steps.get-kv-secrets.outputs.BW-GHAPP-ID }} + private-key: ${{ steps.get-kv-secrets.outputs.BW-GHAPP-KEY }} - name: Check out branch uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 @@ -400,6 +423,7 @@ jobs: - name: Push changes if: ${{ steps.version-changed.outputs.changes_to_commit == 'TRUE' }} run: git push + cut_branch: name: Cut branch if: ${{ needs.setup.outputs.branch == 'rc' }} @@ -407,13 +431,33 @@ jobs: - setup - bump_version runs-on: ubuntu-24.04 + permissions: + id-token: write + steps: + - name: Log in to Azure + uses: bitwarden/gh-actions/azure-login@main + with: + subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + tenant_id: ${{ secrets.AZURE_TENANT_ID }} + client_id: ${{ secrets.AZURE_CLIENT_ID }} + + - name: Get Azure Key Vault secrets + id: get-kv-secrets + uses: bitwarden/gh-actions/get-keyvault-secrets@main + with: + keyvault: gh-org-bitwarden + secrets: "BW-GHAPP-ID,BW-GHAPP-KEY" + + - name: Log out from Azure + uses: bitwarden/gh-actions/azure-logout@main + - name: Generate GH App token uses: actions/create-github-app-token@30bf6253fa41bdc8d1501d202ad15287582246b4 # v2.0.3 id: app-token with: - app-id: ${{ secrets.BW_GHAPP_ID }} - private-key: ${{ secrets.BW_GHAPP_KEY }} + app-id: ${{ steps.get-kv-secrets.outputs.BW-GHAPP-ID }} + private-key: ${{ steps.get-kv-secrets.outputs.BW-GHAPP-KEY }} - name: Check out target ref uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 @@ -435,4 +479,4 @@ jobs: BRANCH_NAME: ${{ needs.setup.outputs.branch }} run: | git switch --quiet --create $BRANCH_NAME - git push --quiet --set-upstream origin $BRANCH_NAME \ No newline at end of file + git push --quiet --set-upstream origin $BRANCH_NAME diff --git a/.github/workflows/retrieve-current-desktop-rollout.yml b/.github/workflows/retrieve-current-desktop-rollout.yml index 2ab3072f566..c45453ed9d0 100644 --- a/.github/workflows/retrieve-current-desktop-rollout.yml +++ b/.github/workflows/retrieve-current-desktop-rollout.yml @@ -11,11 +11,15 @@ jobs: rollout: name: Retrieve Rollout Percentage runs-on: ubuntu-22.04 + permissions: + id-token: write steps: - - name: Login to Azure - uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0 + - name: Log in to Azure + uses: bitwarden/gh-actions/azure-login@main with: - creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }} + subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + tenant_id: ${{ secrets.AZURE_TENANT_ID }} + client_id: ${{ secrets.AZURE_CLIENT_ID }} - name: Retrieve secrets id: retrieve-secrets @@ -26,6 +30,9 @@ jobs: aws-electron-access-key, aws-electron-bucket-name" + - name: Log out from Azure + uses: bitwarden/gh-actions/azure-logout@main + - name: Download channel update info files from S3 env: AWS_ACCESS_KEY_ID: ${{ steps.retrieve-secrets.outputs.aws-electron-access-id }} diff --git a/.github/workflows/staged-rollout-desktop.yml b/.github/workflows/staged-rollout-desktop.yml index 4ec3af3be97..4adf81100bd 100644 --- a/.github/workflows/staged-rollout-desktop.yml +++ b/.github/workflows/staged-rollout-desktop.yml @@ -18,11 +18,15 @@ jobs: rollout: name: Update Rollout Percentage runs-on: ubuntu-22.04 + permissions: + id-token: write steps: - - name: Login to Azure - uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0 + - name: Log in to Azure + uses: bitwarden/gh-actions/azure-login@main with: - creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }} + subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + tenant_id: ${{ secrets.AZURE_TENANT_ID }} + client_id: ${{ secrets.AZURE_CLIENT_ID }} - name: Retrieve secrets id: retrieve-secrets @@ -33,6 +37,9 @@ jobs: aws-electron-access-key, aws-electron-bucket-name" + - name: Log out from Azure + uses: bitwarden/gh-actions/azure-logout@main + - name: Download channel update info files from S3 env: AWS_ACCESS_KEY_ID: ${{ steps.retrieve-secrets.outputs.aws-electron-access-id }} diff --git a/.github/workflows/version-auto-bump.yml b/.github/workflows/version-auto-bump.yml index e8bd1dde246..3cb5646886a 100644 --- a/.github/workflows/version-auto-bump.yml +++ b/.github/workflows/version-auto-bump.yml @@ -9,13 +9,33 @@ jobs: bump-version: name: Bump Desktop Version runs-on: ubuntu-24.04 + permissions: + id-token: write + contents: write steps: + - name: Log in to Azure + uses: bitwarden/gh-actions/azure-login@main + with: + subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + tenant_id: ${{ secrets.AZURE_TENANT_ID }} + client_id: ${{ secrets.AZURE_CLIENT_ID }} + + - name: Get Azure Key Vault secrets + id: get-kv-secrets + uses: bitwarden/gh-actions/get-keyvault-secrets@main + with: + keyvault: gh-org-bitwarden + secrets: "BW-GHAPP-ID,BW-GHAPP-KEY" + + - name: Log out from Azure + uses: bitwarden/gh-actions/azure-logout@main + - name: Generate GH App token uses: actions/create-github-app-token@30bf6253fa41bdc8d1501d202ad15287582246b4 # v2.0.3 id: app-token with: - app-id: ${{ secrets.BW_GHAPP_ID }} - private-key: ${{ secrets.BW_GHAPP_KEY }} + app-id: ${{ steps.get-kv-secrets.outputs.BW-GHAPP-ID }} + private-key: ${{ steps.get-kv-secrets.outputs.BW-GHAPP-KEY }} - name: Check out target ref uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 From 1f20bcecf0b0154ed45c889625e734069113a643 Mon Sep 17 00:00:00 2001 From: Alex Morask <144709477+amorask-bitwarden@users.noreply.github.com> Date: Mon, 21 Jul 2025 15:06:02 -0500 Subject: [PATCH 05/37] Hide bank account for premium and when non-premium selects non-US country (#15707) --- .../change-payment-method-dialog.component.ts | 6 +++- .../enter-payment-method.component.ts | 31 ++++++++++--------- 2 files changed, 21 insertions(+), 16 deletions(-) diff --git a/apps/web/src/app/billing/payment/components/change-payment-method-dialog.component.ts b/apps/web/src/app/billing/payment/components/change-payment-method-dialog.component.ts index efd0055fb95..ff5156ba636 100644 --- a/apps/web/src/app/billing/payment/components/change-payment-method-dialog.component.ts +++ b/apps/web/src/app/billing/payment/components/change-payment-method-dialog.component.ts @@ -28,7 +28,11 @@ type DialogResult = {{ "changePaymentMethod" | i18n }}
- +
diff --git a/apps/web/src/app/billing/payment/components/enter-payment-method.component.ts b/apps/web/src/app/billing/payment/components/enter-payment-method.component.ts index 4f5b2e3b15c..b73c3297e9e 100644 --- a/apps/web/src/app/billing/payment/components/enter-payment-method.component.ts +++ b/apps/web/src/app/billing/payment/components/enter-payment-method.component.ts @@ -1,6 +1,6 @@ import { Component, Input, OnInit } from "@angular/core"; import { FormControl, FormGroup, Validators } from "@angular/forms"; -import { BehaviorSubject, startWith, Subject, takeUntil } from "rxjs"; +import { map, Observable, of, startWith, Subject, takeUntil } from "rxjs"; import { I18nService } from "@bitwarden/common/platform/abstractions/i18n.service"; import { LogService } from "@bitwarden/common/platform/abstractions/log.service"; @@ -48,7 +48,7 @@ type PaymentMethodFormGroup = FormGroup<{ {{ "creditCard" | i18n }} - @if (showBankAccount) { + @if (showBankAccount$ | async) { @@ -226,20 +226,12 @@ type PaymentMethodFormGroup = FormGroup<{ export class EnterPaymentMethodComponent implements OnInit { @Input({ required: true }) group!: PaymentMethodFormGroup; - private showBankAccountSubject = new BehaviorSubject(true); - showBankAccount$ = this.showBankAccountSubject.asObservable(); - @Input() - set showBankAccount(value: boolean) { - this.showBankAccountSubject.next(value); - } - get showBankAccount(): boolean { - return this.showBankAccountSubject.value; - } - - @Input() showPayPal: boolean = true; - @Input() showAccountCredit: boolean = false; - @Input() includeBillingAddress: boolean = false; + @Input() private showBankAccount = true; + @Input() showPayPal = true; + @Input() showAccountCredit = false; + @Input() includeBillingAddress = false; + protected showBankAccount$!: Observable; protected selectableCountries = selectableCountries; private destroy$ = new Subject(); @@ -267,7 +259,16 @@ export class EnterPaymentMethodComponent implements OnInit { } if (!this.includeBillingAddress) { + this.showBankAccount$ = of(this.showBankAccount); this.group.controls.billingAddress.disable(); + } else { + this.group.controls.billingAddress.patchValue({ + country: "US", + }); + this.showBankAccount$ = this.group.controls.billingAddress.controls.country.valueChanges.pipe( + startWith(this.group.controls.billingAddress.controls.country.value), + map((country) => this.showBankAccount && country === "US"), + ); } this.group.controls.type.valueChanges From 77940116e6818ef5eb4eb8247aab6e75574bf0a3 Mon Sep 17 00:00:00 2001 From: Robyn MacCallum Date: Mon, 21 Jul 2025 16:15:39 -0400 Subject: [PATCH 06/37] DDG integration files modified workflow (#15665) * Create alert-ddg-files-modified.yml * Update alert-ddg-files-modified.yml * Add encrypted-message-handler.service to alert-ddg-files-modified.yml * Pin action versions * Add permissions * Update alert-ddg-files-modified.yml * Update alert-ddg-files-modified.yml * Add parameter to get list of files changed * Wording update * Update CODEOWNERS * Make branch target main --- .github/CODEOWNERS | 2 + .../workflows/alert-ddg-files-modified.yml | 50 +++++++++++++++++++ 2 files changed, 52 insertions(+) create mode 100644 .github/workflows/alert-ddg-files-modified.yml diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index ef2e26916e5..7d7fec2a5ea 100644 --- a/.github/CODEOWNERS +++ b/.github/CODEOWNERS @@ -138,6 +138,8 @@ apps/desktop/desktop_native/autotype @bitwarden/team-autofill-dev # DuckDuckGo integration apps/desktop/native-messaging-test-runner @bitwarden/team-autofill-dev apps/desktop/src/services/duckduckgo-message-handler.service.ts @bitwarden/team-autofill-dev +apps/desktop/src/services/encrypted-message-handler.service.ts @bitwarden/team-autofill-dev +.github/workflows/alert-ddg-files-modified.yml @bitwarden/team-autofill-dev # SSH Agent apps/desktop/desktop_native/core/src/ssh_agent @bitwarden/team-autofill-dev @bitwarden/wg-ssh-keys diff --git a/.github/workflows/alert-ddg-files-modified.yml b/.github/workflows/alert-ddg-files-modified.yml new file mode 100644 index 00000000000..61bb7f1e8af --- /dev/null +++ b/.github/workflows/alert-ddg-files-modified.yml @@ -0,0 +1,50 @@ +name: DDG File Change Monitor + +on: + pull_request: + branches: [ main ] + types: [ opened, synchronize ] + +jobs: + check-files: + name: Check files + runs-on: ubuntu-22.04 + permissions: + contents: read + pull-requests: write + steps: + - name: Checkout code + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + fetch-depth: 0 + + - name: Get changed files + id: changed-files + uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2 + with: + list-files: shell + filters: | + monitored: + - 'apps/desktop/native-messaging-test-runner/**' + - 'apps/desktop/src/services/duckduckgo-message-handler.service.ts' + - 'apps/desktop/src/services/encrypted-message-handler.service.ts' + + - name: Comment on PR if monitored files changed + if: steps.changed-files.outputs.monitored == 'true' + uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 + with: + script: | + const changedFiles = `${{ steps.changed-files.outputs.monitored_files }}`.split(' ').filter(file => file.trim() !== ''); + + const message = `⚠️🦆 **DuckDuckGo Integration files have been modified in this PR:** + + ${changedFiles.map(file => `- \`${file}\``).join('\n')} + + Please run the DuckDuckGo native messaging test runner from this branch using [these instructions](https://contributing.bitwarden.com/getting-started/clients/desktop/native-messaging-test-runner) and ensure it functions properly.`; + + github.rest.issues.createComment({ + issue_number: context.issue.number, + owner: context.repo.owner, + repo: context.repo.repo, + body: message + }); From 81ee26733e6040a8d32afda67b5c3db3d8d094e0 Mon Sep 17 00:00:00 2001 From: Andy Pixley <3723676+pixman20@users.noreply.github.com> Date: Mon, 21 Jul 2025 16:17:39 -0400 Subject: [PATCH 07/37] [BRE-831] Fixing permissions (#15713) --- .github/workflows/deploy-web.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/deploy-web.yml b/.github/workflows/deploy-web.yml index 3ffe18d1729..e21f7ae1e79 100644 --- a/.github/workflows/deploy-web.yml +++ b/.github/workflows/deploy-web.yml @@ -277,6 +277,8 @@ jobs: - artifact-check runs-on: ubuntu-22.04 if: ${{ always() && ( contains( inputs.environment , 'QA' ) || contains( inputs.environment , 'DEV' ) ) }} + permissions: + id-token: write outputs: channel_id: ${{ steps.slack-message.outputs.channel_id }} ts: ${{ steps.slack-message.outputs.ts }} From 391f540d1f488354002090823c3054e960b28a15 Mon Sep 17 00:00:00 2001 From: Shane Melton Date: Mon, 21 Jul 2025 23:27:01 -0700 Subject: [PATCH 08/37] [PM-22136] Implement SDK cipher encryption (#15337) * [PM-22136] Update sdk cipher view map to support uknown uuid type * [PM-22136] Add key to CipherView for copying to SdkCipherView for encryption * [PM-22136] Add fromSdk* helpers to Cipher domain objects * [PM-22136] Add toSdk* helpers to Cipher View objects * [PM-22136] Add encrypt() to cipher encryption service * [PM-22136] Add feature flag * [PM-22136] Use new SDK encrypt method when feature flag is enabled * [PM-22136] Filter out null/empty URIs * [PM-22136] Change default value for cipher view arrays to []. See ADR-0014. * [PM-22136] Keep encrypted key value on attachment so that it is passed to the SDK * [PM-22136] Keep encrypted key value on CipherView so that it is passed to the SDK during encryption * [PM-22136] Update failing attachment test * [PM-22136] Update failing importer tests due to new default value for arrays * [PM-22136] Update CipherView.fromJson to handle the prototype of EncString for the cipher key * [PM-22136] Add tickets for followup work * [PM-22136] Use new set_fido2_credentials SDK method instead * [PM-22136] Fix missing prototype when decrypting Fido2Credentials * [PM-22136] Fix test after sdk change * [PM-22136] Update @bitwarden/sdk-internal version * [PM-22136] Fix some strict typing errors * [PM-23348] Migrate move cipher to org to SDK (#15567) * [PM-23348] Add moveToOrganization method to cipher-encryption.service.ts * [PM-23348] Use cipherEncryptionService.moveToOrganization in cipherService shareWithServer and shareManyWithServer methods * [PM-23348] Update cipherFormService to use the shareWithServer() method instead of encrypt() * [PM-23348] Fix typo * [PM-23348] Add missing docs * [PM-22136] Fix EncString import after merge with main --- libs/common/src/enums/feature-flag.enum.ts | 2 + .../abstractions/cipher-encryption.service.ts | 25 +- .../src/vault/abstractions/cipher.service.ts | 10 + .../models/api/cipher-permissions.api.ts | 9 +- .../src/vault/models/data/local.data.ts | 41 +++ .../vault/models/domain/attachment.spec.ts | 1 + .../src/vault/models/domain/attachment.ts | 21 ++ libs/common/src/vault/models/domain/card.ts | 20 ++ .../src/vault/models/domain/cipher.spec.ts | 188 +++++++++++++- libs/common/src/vault/models/domain/cipher.ts | 60 ++++- .../vault/models/domain/fido2-credential.ts | 28 ++ .../src/vault/models/domain/field.spec.ts | 39 ++- libs/common/src/vault/models/domain/field.ts | 18 ++ .../src/vault/models/domain/identity.ts | 32 +++ .../src/vault/models/domain/login-uri.ts | 13 + libs/common/src/vault/models/domain/login.ts | 27 ++ .../src/vault/models/domain/password.ts | 16 ++ .../src/vault/models/domain/secure-note.ts | 15 ++ .../common/src/vault/models/domain/ssh-key.ts | 17 ++ .../common/src/vault/models/view/card.view.ts | 10 +- .../src/vault/models/view/cipher.view.spec.ts | 94 ++++++- .../src/vault/models/view/cipher.view.ts | 116 +++++++-- .../models/view/fido2-credential.view.ts | 23 +- .../src/vault/models/view/field.view.ts | 14 +- .../src/vault/models/view/identity.view.ts | 10 +- .../src/vault/models/view/login-uri.view.ts | 9 + .../src/vault/models/view/login.view.ts | 22 +- .../models/view/password-history.view.spec.ts | 13 + .../models/view/password-history.view.ts | 10 + .../src/vault/models/view/secure-note.view.ts | 10 +- .../src/vault/models/view/ssh-key.view.ts | 11 + .../src/vault/services/cipher.service.spec.ts | 167 +++++++++++- .../src/vault/services/cipher.service.ts | 122 +++++++-- .../default-cipher-encryption.service.spec.ts | 245 ++++++++++++++++-- .../default-cipher-encryption.service.ts | 106 +++++++- libs/importer/src/importers/base-importer.ts | 6 - .../keeper/keeper-csv-importer.spec.ts | 2 +- .../keeper/keeper-json-importer.spec.ts | 2 +- .../services/default-cipher-form.service.ts | 35 ++- .../cipher-view/cipher-view.component.html | 4 +- .../password-history-view.component.spec.ts | 11 +- package-lock.json | 8 +- package.json | 2 +- 43 files changed, 1485 insertions(+), 149 deletions(-) diff --git a/libs/common/src/enums/feature-flag.enum.ts b/libs/common/src/enums/feature-flag.enum.ts index 1af2ab1f0a9..8e9dc6fd35e 100644 --- a/libs/common/src/enums/feature-flag.enum.ts +++ b/libs/common/src/enums/feature-flag.enum.ts @@ -54,6 +54,7 @@ export enum FeatureFlag { PM9111ExtensionPersistAddEditForm = "pm-9111-extension-persist-add-edit-form", PM19941MigrateCipherDomainToSdk = "pm-19941-migrate-cipher-domain-to-sdk", PM22134SdkCipherListView = "pm-22134-sdk-cipher-list-view", + PM22136_SdkCipherEncryption = "pm-22136-sdk-cipher-encryption", CipherKeyEncryption = "cipher-key-encryption", EndUserNotifications = "pm-10609-end-user-notifications", RemoveCardItemTypePolicy = "pm-16442-remove-card-item-type-policy", @@ -103,6 +104,7 @@ export const DefaultFeatureFlagValue = { [FeatureFlag.RemoveCardItemTypePolicy]: FALSE, [FeatureFlag.PM22134SdkCipherListView]: FALSE, [FeatureFlag.PM19315EndUserActivationMvp]: FALSE, + [FeatureFlag.PM22136_SdkCipherEncryption]: FALSE, /* Auth */ [FeatureFlag.PM16117_SetInitialPasswordRefactor]: FALSE, diff --git a/libs/common/src/vault/abstractions/cipher-encryption.service.ts b/libs/common/src/vault/abstractions/cipher-encryption.service.ts index 6b2a8e8943e..067c63b2110 100644 --- a/libs/common/src/vault/abstractions/cipher-encryption.service.ts +++ b/libs/common/src/vault/abstractions/cipher-encryption.service.ts @@ -1,6 +1,7 @@ +import { EncryptionContext } from "@bitwarden/common/vault/abstractions/cipher.service"; import { CipherListView } from "@bitwarden/sdk-internal"; -import { UserId } from "../../types/guid"; +import { UserId, OrganizationId } from "../../types/guid"; import { Cipher } from "../models/domain/cipher"; import { AttachmentView } from "../models/view/attachment.view"; import { CipherView } from "../models/view/cipher.view"; @@ -9,6 +10,28 @@ import { CipherView } from "../models/view/cipher.view"; * Service responsible for encrypting and decrypting ciphers. */ export abstract class CipherEncryptionService { + /** + * Encrypts a cipher using the SDK for the given userId. + * @param model The cipher view to encrypt + * @param userId The user ID to initialize the SDK client with + * + * @returns A promise that resolves to the encryption context, or undefined if encryption fails + */ + abstract encrypt(model: CipherView, userId: UserId): Promise; + + /** + * Move the cipher to the specified organization by re-encrypting its keys with the organization's key. + * The cipher.organizationId will be updated to the new organizationId. + * @param model The cipher view to move to the organization + * @param organizationId The ID of the organization to move the cipher to + * @param userId The user ID to initialize the SDK client with + */ + abstract moveToOrganization( + model: CipherView, + organizationId: OrganizationId, + userId: UserId, + ): Promise; + /** * Decrypts a cipher using the SDK for the given userId. * diff --git a/libs/common/src/vault/abstractions/cipher.service.ts b/libs/common/src/vault/abstractions/cipher.service.ts index d1d686a66af..2f186369463 100644 --- a/libs/common/src/vault/abstractions/cipher.service.ts +++ b/libs/common/src/vault/abstractions/cipher.service.ts @@ -120,11 +120,21 @@ export abstract class CipherService implements UserKeyRotationDataProvider; + + /** + * Move a cipher to an organization by re-encrypting its keys with the organization's key. + * @param cipher The cipher to move + * @param organizationId The Id of the organization to move the cipher to + * @param collectionIds The collection Ids to assign the cipher to in the organization + * @param userId The Id of the user performing the operation + * @param originalCipher Optional original cipher that will be used to compare/update password history + */ abstract shareWithServer( cipher: CipherView, organizationId: string, collectionIds: string[], userId: UserId, + originalCipher?: Cipher, ): Promise; abstract shareManyWithServer( ciphers: CipherView[], diff --git a/libs/common/src/vault/models/api/cipher-permissions.api.ts b/libs/common/src/vault/models/api/cipher-permissions.api.ts index b7341d39b1d..f9b62c4fc8d 100644 --- a/libs/common/src/vault/models/api/cipher-permissions.api.ts +++ b/libs/common/src/vault/models/api/cipher-permissions.api.ts @@ -4,7 +4,7 @@ import { CipherPermissions as SdkCipherPermissions } from "@bitwarden/sdk-intern import { BaseResponse } from "../../../models/response/base.response"; -export class CipherPermissionsApi extends BaseResponse { +export class CipherPermissionsApi extends BaseResponse implements SdkCipherPermissions { delete: boolean = false; restore: boolean = false; @@ -35,4 +35,11 @@ export class CipherPermissionsApi extends BaseResponse { return permissions; } + + /** + * Converts the CipherPermissionsApi to an SdkCipherPermissions + */ + toSdkCipherPermissions(): SdkCipherPermissions { + return this; + } } diff --git a/libs/common/src/vault/models/data/local.data.ts b/libs/common/src/vault/models/data/local.data.ts index 9ba820a58a2..50a24feba6f 100644 --- a/libs/common/src/vault/models/data/local.data.ts +++ b/libs/common/src/vault/models/data/local.data.ts @@ -1,4 +1,45 @@ +import { + LocalDataView as SdkLocalDataView, + LocalData as SdkLocalData, +} from "@bitwarden/sdk-internal"; + export type LocalData = { lastUsedDate?: number; lastLaunched?: number; }; + +/** + * Convert the SdkLocalDataView to LocalData + * @param localData + */ +export function fromSdkLocalData( + localData: SdkLocalDataView | SdkLocalData | undefined, +): LocalData | undefined { + if (localData == null) { + return undefined; + } + return { + lastUsedDate: localData.lastUsedDate ? new Date(localData.lastUsedDate).getTime() : undefined, + lastLaunched: localData.lastLaunched ? new Date(localData.lastLaunched).getTime() : undefined, + }; +} + +/** + * Convert the LocalData to SdkLocalData + * @param localData + */ +export function toSdkLocalData( + localData: LocalData | undefined, +): (SdkLocalDataView & SdkLocalData) | undefined { + if (localData == null) { + return undefined; + } + return { + lastUsedDate: localData.lastUsedDate + ? new Date(localData.lastUsedDate).toISOString() + : undefined, + lastLaunched: localData.lastLaunched + ? new Date(localData.lastLaunched).toISOString() + : undefined, + }; +} diff --git a/libs/common/src/vault/models/domain/attachment.spec.ts b/libs/common/src/vault/models/domain/attachment.spec.ts index d2b536b0590..2ea2c3d9a1d 100644 --- a/libs/common/src/vault/models/domain/attachment.spec.ts +++ b/libs/common/src/vault/models/domain/attachment.spec.ts @@ -93,6 +93,7 @@ describe("Attachment", () => { sizeName: "1.1 KB", fileName: "fileName", key: expect.any(SymmetricCryptoKey), + encryptedKey: attachment.key, }); }); diff --git a/libs/common/src/vault/models/domain/attachment.ts b/libs/common/src/vault/models/domain/attachment.ts index abfebffb2e6..638f354c4b8 100644 --- a/libs/common/src/vault/models/domain/attachment.ts +++ b/libs/common/src/vault/models/domain/attachment.ts @@ -56,6 +56,7 @@ export class Attachment extends Domain { if (this.key != null) { view.key = await this.decryptAttachmentKey(orgId, encKey); + view.encryptedKey = this.key; // Keep the encrypted key for the view } return view; @@ -131,4 +132,24 @@ export class Attachment extends Domain { key: this.key?.toJSON(), }; } + + /** + * Maps an SDK Attachment object to an Attachment + * @param obj - The SDK attachment object + */ + static fromSdkAttachment(obj: SdkAttachment): Attachment | undefined { + if (!obj) { + return undefined; + } + + const attachment = new Attachment(); + attachment.id = obj.id; + attachment.url = obj.url; + attachment.size = obj.size; + attachment.sizeName = obj.sizeName; + attachment.fileName = EncString.fromJSON(obj.fileName); + attachment.key = EncString.fromJSON(obj.key); + + return attachment; + } } diff --git a/libs/common/src/vault/models/domain/card.ts b/libs/common/src/vault/models/domain/card.ts index c78f9dfb719..688053ae93c 100644 --- a/libs/common/src/vault/models/domain/card.ts +++ b/libs/common/src/vault/models/domain/card.ts @@ -103,4 +103,24 @@ export class Card extends Domain { code: this.code?.toJSON(), }; } + + /** + * Maps an SDK Card object to a Card + * @param obj - The SDK Card object + */ + static fromSdkCard(obj: SdkCard): Card | undefined { + if (obj == null) { + return undefined; + } + + const card = new Card(); + card.cardholderName = EncString.fromJSON(obj.cardholderName); + card.brand = EncString.fromJSON(obj.brand); + card.number = EncString.fromJSON(obj.number); + card.expMonth = EncString.fromJSON(obj.expMonth); + card.expYear = EncString.fromJSON(obj.expYear); + card.code = EncString.fromJSON(obj.code); + + return card; + } } diff --git a/libs/common/src/vault/models/domain/cipher.spec.ts b/libs/common/src/vault/models/domain/cipher.spec.ts index 3ea8916a10b..60fff8b510e 100644 --- a/libs/common/src/vault/models/domain/cipher.spec.ts +++ b/libs/common/src/vault/models/domain/cipher.spec.ts @@ -10,6 +10,7 @@ import { UriMatchType, CipherRepromptType as SdkCipherRepromptType, LoginLinkedIdType, + Cipher as SdkCipher, } from "@bitwarden/sdk-internal"; import { makeStaticByteArray, mockEnc, mockFromJson } from "../../../../spec/utils"; @@ -206,7 +207,7 @@ describe("Cipher DTO", () => { it("Convert", () => { const cipher = new Cipher(cipherData); - expect(cipher).toEqual({ + expect(cipher).toMatchObject({ initializerKey: InitializerKey.Cipher, id: "id", organizationId: "orgId", @@ -339,9 +340,9 @@ describe("Cipher DTO", () => { edit: true, viewPassword: true, login: loginView, - attachments: null, - fields: null, - passwordHistory: null, + attachments: [], + fields: [], + passwordHistory: [], collectionIds: undefined, revisionDate: new Date("2022-01-31T12:00:00.000Z"), creationDate: new Date("2022-01-01T12:00:00.000Z"), @@ -462,9 +463,9 @@ describe("Cipher DTO", () => { edit: true, viewPassword: true, secureNote: { type: 0 }, - attachments: null, - fields: null, - passwordHistory: null, + attachments: [], + fields: [], + passwordHistory: [], collectionIds: undefined, revisionDate: new Date("2022-01-31T12:00:00.000Z"), creationDate: new Date("2022-01-01T12:00:00.000Z"), @@ -603,9 +604,9 @@ describe("Cipher DTO", () => { edit: true, viewPassword: true, card: cardView, - attachments: null, - fields: null, - passwordHistory: null, + attachments: [], + fields: [], + passwordHistory: [], collectionIds: undefined, revisionDate: new Date("2022-01-31T12:00:00.000Z"), creationDate: new Date("2022-01-01T12:00:00.000Z"), @@ -768,9 +769,9 @@ describe("Cipher DTO", () => { edit: true, viewPassword: true, identity: identityView, - attachments: null, - fields: null, - passwordHistory: null, + attachments: [], + fields: [], + passwordHistory: [], collectionIds: undefined, revisionDate: new Date("2022-01-31T12:00:00.000Z"), creationDate: new Date("2022-01-01T12:00:00.000Z"), @@ -1001,6 +1002,167 @@ describe("Cipher DTO", () => { revisionDate: "2022-01-31T12:00:00.000Z", }); }); + + it("should map from SDK Cipher", () => { + jest.restoreAllMocks(); + const sdkCipher: SdkCipher = { + id: "id", + organizationId: "orgId", + folderId: "folderId", + collectionIds: [], + key: "EncryptedString", + name: "EncryptedString", + notes: "EncryptedString", + type: SdkCipherType.Login, + login: { + username: "EncryptedString", + password: "EncryptedString", + passwordRevisionDate: "2022-01-31T12:00:00.000Z", + uris: [ + { + uri: "EncryptedString", + uriChecksum: "EncryptedString", + match: UriMatchType.Domain, + }, + ], + totp: "EncryptedString", + autofillOnPageLoad: false, + fido2Credentials: undefined, + }, + identity: undefined, + card: undefined, + secureNote: undefined, + sshKey: undefined, + favorite: false, + reprompt: SdkCipherRepromptType.None, + organizationUseTotp: true, + edit: true, + permissions: new CipherPermissionsApi(), + viewPassword: true, + localData: { + lastUsedDate: "2025-04-15T12:00:00.000Z", + lastLaunched: "2025-04-15T12:00:00.000Z", + }, + attachments: [ + { + id: "a1", + url: "url", + size: "1100", + sizeName: "1.1 KB", + fileName: "file", + key: "EncKey", + }, + { + id: "a2", + url: "url", + size: "1100", + sizeName: "1.1 KB", + fileName: "file", + key: "EncKey", + }, + ], + fields: [ + { + name: "EncryptedString", + value: "EncryptedString", + type: FieldType.Linked, + linkedId: LoginLinkedIdType.Username, + }, + { + name: "EncryptedString", + value: "EncryptedString", + type: FieldType.Linked, + linkedId: LoginLinkedIdType.Password, + }, + ], + passwordHistory: [ + { + password: "EncryptedString", + lastUsedDate: "2022-01-31T12:00:00.000Z", + }, + ], + creationDate: "2022-01-01T12:00:00.000Z", + deletedDate: undefined, + revisionDate: "2022-01-31T12:00:00.000Z", + }; + + const lastUsedDate = new Date("2025-04-15T12:00:00.000Z").getTime(); + const lastLaunched = new Date("2025-04-15T12:00:00.000Z").getTime(); + + const cipherData: CipherData = { + id: "id", + organizationId: "orgId", + folderId: "folderId", + edit: true, + permissions: new CipherPermissionsApi(), + collectionIds: [], + viewPassword: true, + organizationUseTotp: true, + favorite: false, + revisionDate: "2022-01-31T12:00:00.000Z", + type: CipherType.Login, + name: "EncryptedString", + notes: "EncryptedString", + creationDate: "2022-01-01T12:00:00.000Z", + deletedDate: null, + reprompt: CipherRepromptType.None, + key: "EncryptedString", + login: { + uris: [ + { + uri: "EncryptedString", + uriChecksum: "EncryptedString", + match: UriMatchStrategy.Domain, + }, + ], + username: "EncryptedString", + password: "EncryptedString", + passwordRevisionDate: "2022-01-31T12:00:00.000Z", + totp: "EncryptedString", + autofillOnPageLoad: false, + }, + passwordHistory: [ + { password: "EncryptedString", lastUsedDate: "2022-01-31T12:00:00.000Z" }, + ], + attachments: [ + { + id: "a1", + url: "url", + size: "1100", + sizeName: "1.1 KB", + fileName: "file", + key: "EncKey", + }, + { + id: "a2", + url: "url", + size: "1100", + sizeName: "1.1 KB", + fileName: "file", + key: "EncKey", + }, + ], + fields: [ + { + name: "EncryptedString", + value: "EncryptedString", + type: FieldType.Linked, + linkedId: LoginLinkedId.Username, + }, + { + name: "EncryptedString", + value: "EncryptedString", + type: FieldType.Linked, + linkedId: LoginLinkedId.Password, + }, + ], + }; + const expectedCipher = new Cipher(cipherData, { lastUsedDate, lastLaunched }); + + const cipher = Cipher.fromSdkCipher(sdkCipher); + + expect(cipher).toEqual(expectedCipher); + }); }); }); diff --git a/libs/common/src/vault/models/domain/cipher.ts b/libs/common/src/vault/models/domain/cipher.ts index 2f64fb82726..2a13cb06d71 100644 --- a/libs/common/src/vault/models/domain/cipher.ts +++ b/libs/common/src/vault/models/domain/cipher.ts @@ -2,6 +2,7 @@ // @ts-strict-ignore import { Jsonify } from "type-fest"; +import { uuidToString } from "@bitwarden/common/platform/abstractions/sdk/sdk.service"; import { Cipher as SdkCipher } from "@bitwarden/sdk-internal"; import { EncString } from "../../../key-management/crypto/models/enc-string"; @@ -14,7 +15,7 @@ import { CipherRepromptType } from "../../enums/cipher-reprompt-type"; import { CipherType } from "../../enums/cipher-type"; import { CipherPermissionsApi } from "../api/cipher-permissions.api"; import { CipherData } from "../data/cipher.data"; -import { LocalData } from "../data/local.data"; +import { LocalData, fromSdkLocalData, toSdkLocalData } from "../data/local.data"; import { AttachmentView } from "../view/attachment.view"; import { CipherView } from "../view/cipher.view"; import { FieldView } from "../view/field.view"; @@ -361,16 +362,7 @@ export class Cipher extends Domain implements Decryptable { } : undefined, viewPassword: this.viewPassword ?? true, - localData: this.localData - ? { - lastUsedDate: this.localData.lastUsedDate - ? new Date(this.localData.lastUsedDate).toISOString() - : undefined, - lastLaunched: this.localData.lastLaunched - ? new Date(this.localData.lastLaunched).toISOString() - : undefined, - } - : undefined, + localData: toSdkLocalData(this.localData), attachments: this.attachments?.map((a) => a.toSdkAttachment()), fields: this.fields?.map((f) => f.toSdkField()), passwordHistory: this.passwordHistory?.map((ph) => ph.toSdkPasswordHistory()), @@ -408,4 +400,50 @@ export class Cipher extends Domain implements Decryptable { return sdkCipher; } + + /** + * Maps an SDK Cipher object to a Cipher + * @param sdkCipher - The SDK Cipher object + */ + static fromSdkCipher(sdkCipher: SdkCipher | null): Cipher | undefined { + if (sdkCipher == null) { + return undefined; + } + + const cipher = new Cipher(); + + cipher.id = sdkCipher.id ? uuidToString(sdkCipher.id) : undefined; + cipher.organizationId = sdkCipher.organizationId + ? uuidToString(sdkCipher.organizationId) + : undefined; + cipher.folderId = sdkCipher.folderId ? uuidToString(sdkCipher.folderId) : undefined; + cipher.collectionIds = sdkCipher.collectionIds ? sdkCipher.collectionIds.map(uuidToString) : []; + cipher.key = EncString.fromJSON(sdkCipher.key); + cipher.name = EncString.fromJSON(sdkCipher.name); + cipher.notes = EncString.fromJSON(sdkCipher.notes); + cipher.type = sdkCipher.type; + cipher.favorite = sdkCipher.favorite; + cipher.organizationUseTotp = sdkCipher.organizationUseTotp; + cipher.edit = sdkCipher.edit; + cipher.permissions = CipherPermissionsApi.fromSdkCipherPermissions(sdkCipher.permissions); + cipher.viewPassword = sdkCipher.viewPassword; + cipher.localData = fromSdkLocalData(sdkCipher.localData); + cipher.attachments = sdkCipher.attachments?.map((a) => Attachment.fromSdkAttachment(a)) ?? []; + cipher.fields = sdkCipher.fields?.map((f) => Field.fromSdkField(f)) ?? []; + cipher.passwordHistory = + sdkCipher.passwordHistory?.map((ph) => Password.fromSdkPasswordHistory(ph)) ?? []; + cipher.creationDate = new Date(sdkCipher.creationDate); + cipher.revisionDate = new Date(sdkCipher.revisionDate); + cipher.deletedDate = sdkCipher.deletedDate ? new Date(sdkCipher.deletedDate) : null; + cipher.reprompt = sdkCipher.reprompt; + + // Cipher type specific properties + cipher.login = Login.fromSdkLogin(sdkCipher.login); + cipher.secureNote = SecureNote.fromSdkSecureNote(sdkCipher.secureNote); + cipher.card = Card.fromSdkCard(sdkCipher.card); + cipher.identity = Identity.fromSdkIdentity(sdkCipher.identity); + cipher.sshKey = SshKey.fromSdkSshKey(sdkCipher.sshKey); + + return cipher; + } } diff --git a/libs/common/src/vault/models/domain/fido2-credential.ts b/libs/common/src/vault/models/domain/fido2-credential.ts index 508f8a6d5fb..5dbf55b44fc 100644 --- a/libs/common/src/vault/models/domain/fido2-credential.ts +++ b/libs/common/src/vault/models/domain/fido2-credential.ts @@ -173,4 +173,32 @@ export class Fido2Credential extends Domain { creationDate: this.creationDate.toISOString(), }; } + + /** + * Maps an SDK Fido2Credential object to a Fido2Credential + * @param obj - The SDK Fido2Credential object + */ + static fromSdkFido2Credential(obj: SdkFido2Credential): Fido2Credential | undefined { + if (!obj) { + return undefined; + } + + const credential = new Fido2Credential(); + + credential.credentialId = EncString.fromJSON(obj.credentialId); + credential.keyType = EncString.fromJSON(obj.keyType); + credential.keyAlgorithm = EncString.fromJSON(obj.keyAlgorithm); + credential.keyCurve = EncString.fromJSON(obj.keyCurve); + credential.keyValue = EncString.fromJSON(obj.keyValue); + credential.rpId = EncString.fromJSON(obj.rpId); + credential.userHandle = EncString.fromJSON(obj.userHandle); + credential.userName = EncString.fromJSON(obj.userName); + credential.counter = EncString.fromJSON(obj.counter); + credential.rpName = EncString.fromJSON(obj.rpName); + credential.userDisplayName = EncString.fromJSON(obj.userDisplayName); + credential.discoverable = EncString.fromJSON(obj.discoverable); + credential.creationDate = new Date(obj.creationDate); + + return credential; + } } diff --git a/libs/common/src/vault/models/domain/field.spec.ts b/libs/common/src/vault/models/domain/field.spec.ts index 08bc0da84fe..b5e26199e7d 100644 --- a/libs/common/src/vault/models/domain/field.spec.ts +++ b/libs/common/src/vault/models/domain/field.spec.ts @@ -1,6 +1,14 @@ +import { + Field as SdkField, + FieldType, + LoginLinkedIdType, + CardLinkedIdType, + IdentityLinkedIdType, +} from "@bitwarden/sdk-internal"; + import { mockEnc, mockFromJson } from "../../../../spec"; import { EncryptedString, EncString } from "../../../key-management/crypto/models/enc-string"; -import { CardLinkedId, FieldType, IdentityLinkedId, LoginLinkedId } from "../../enums"; +import { CardLinkedId, IdentityLinkedId, LoginLinkedId } from "../../enums"; import { FieldData } from "../../models/data/field.data"; import { Field } from "../../models/domain/field"; @@ -103,5 +111,34 @@ describe("Field", () => { identityField.linkedId = IdentityLinkedId.LicenseNumber; expect(identityField.toSdkField().linkedId).toBe(415); }); + + it("should map from SDK Field", () => { + // Test Login LinkedId + const loginField: SdkField = { + name: undefined, + value: undefined, + type: FieldType.Linked, + linkedId: LoginLinkedIdType.Username, + }; + expect(Field.fromSdkField(loginField)!.linkedId).toBe(100); + + // Test Card LinkedId + const cardField: SdkField = { + name: undefined, + value: undefined, + type: FieldType.Linked, + linkedId: CardLinkedIdType.Number, + }; + expect(Field.fromSdkField(cardField)!.linkedId).toBe(305); + + // Test Identity LinkedId + const identityFieldSdkField: SdkField = { + name: undefined, + value: undefined, + type: FieldType.Linked, + linkedId: IdentityLinkedIdType.LicenseNumber, + }; + expect(Field.fromSdkField(identityFieldSdkField)!.linkedId).toBe(415); + }); }); }); diff --git a/libs/common/src/vault/models/domain/field.ts b/libs/common/src/vault/models/domain/field.ts index d6453932cc7..53756e21046 100644 --- a/libs/common/src/vault/models/domain/field.ts +++ b/libs/common/src/vault/models/domain/field.ts @@ -90,4 +90,22 @@ export class Field extends Domain { linkedId: this.linkedId as unknown as SdkLinkedIdType, }; } + + /** + * Maps SDK Field to Field + * @param obj The SDK Field object to map + */ + static fromSdkField(obj: SdkField): Field | undefined { + if (!obj) { + return undefined; + } + + const field = new Field(); + field.name = EncString.fromJSON(obj.name); + field.value = EncString.fromJSON(obj.value); + field.type = obj.type; + field.linkedId = obj.linkedId; + + return field; + } } diff --git a/libs/common/src/vault/models/domain/identity.ts b/libs/common/src/vault/models/domain/identity.ts index 5dc752531be..16e68c72551 100644 --- a/libs/common/src/vault/models/domain/identity.ts +++ b/libs/common/src/vault/models/domain/identity.ts @@ -195,4 +195,36 @@ export class Identity extends Domain { licenseNumber: this.licenseNumber?.toJSON(), }; } + + /** + * Maps an SDK Identity object to an Identity + * @param obj - The SDK Identity object + */ + static fromSdkIdentity(obj: SdkIdentity): Identity | undefined { + if (obj == null) { + return undefined; + } + + const identity = new Identity(); + identity.title = EncString.fromJSON(obj.title); + identity.firstName = EncString.fromJSON(obj.firstName); + identity.middleName = EncString.fromJSON(obj.middleName); + identity.lastName = EncString.fromJSON(obj.lastName); + identity.address1 = EncString.fromJSON(obj.address1); + identity.address2 = EncString.fromJSON(obj.address2); + identity.address3 = EncString.fromJSON(obj.address3); + identity.city = EncString.fromJSON(obj.city); + identity.state = EncString.fromJSON(obj.state); + identity.postalCode = EncString.fromJSON(obj.postalCode); + identity.country = EncString.fromJSON(obj.country); + identity.company = EncString.fromJSON(obj.company); + identity.email = EncString.fromJSON(obj.email); + identity.phone = EncString.fromJSON(obj.phone); + identity.ssn = EncString.fromJSON(obj.ssn); + identity.username = EncString.fromJSON(obj.username); + identity.passportNumber = EncString.fromJSON(obj.passportNumber); + identity.licenseNumber = EncString.fromJSON(obj.licenseNumber); + + return identity; + } } diff --git a/libs/common/src/vault/models/domain/login-uri.ts b/libs/common/src/vault/models/domain/login-uri.ts index e7bc2e8892e..9cfa4951dd8 100644 --- a/libs/common/src/vault/models/domain/login-uri.ts +++ b/libs/common/src/vault/models/domain/login-uri.ts @@ -102,4 +102,17 @@ export class LoginUri extends Domain { match: this.match, }; } + + static fromSdkLoginUri(obj: SdkLoginUri): LoginUri | undefined { + if (obj == null) { + return undefined; + } + + const view = new LoginUri(); + view.uri = EncString.fromJSON(obj.uri); + view.uriChecksum = obj.uriChecksum ? EncString.fromJSON(obj.uriChecksum) : undefined; + view.match = obj.match; + + return view; + } } diff --git a/libs/common/src/vault/models/domain/login.ts b/libs/common/src/vault/models/domain/login.ts index 4d77983d4af..93af2269185 100644 --- a/libs/common/src/vault/models/domain/login.ts +++ b/libs/common/src/vault/models/domain/login.ts @@ -163,4 +163,31 @@ export class Login extends Domain { fido2Credentials: this.fido2Credentials?.map((f) => f.toSdkFido2Credential()), }; } + + /** + * Maps an SDK Login object to a Login + * @param obj - The SDK Login object + */ + static fromSdkLogin(obj: SdkLogin): Login | undefined { + if (!obj) { + return undefined; + } + + const login = new Login(); + + login.uris = + obj.uris?.filter((u) => u.uri != null).map((uri) => LoginUri.fromSdkLoginUri(uri)) ?? []; + login.username = EncString.fromJSON(obj.username); + login.password = EncString.fromJSON(obj.password); + login.passwordRevisionDate = obj.passwordRevisionDate + ? new Date(obj.passwordRevisionDate) + : undefined; + login.totp = EncString.fromJSON(obj.totp); + login.autofillOnPageLoad = obj.autofillOnPageLoad ?? false; + login.fido2Credentials = obj.fido2Credentials?.map((f) => + Fido2Credential.fromSdkFido2Credential(f), + ); + + return login; + } } diff --git a/libs/common/src/vault/models/domain/password.ts b/libs/common/src/vault/models/domain/password.ts index f8aacf765bf..b8a30099454 100644 --- a/libs/common/src/vault/models/domain/password.ts +++ b/libs/common/src/vault/models/domain/password.ts @@ -71,4 +71,20 @@ export class Password extends Domain { lastUsedDate: this.lastUsedDate.toISOString(), }; } + + /** + * Maps an SDK PasswordHistory object to a Password + * @param obj - The SDK PasswordHistory object + */ + static fromSdkPasswordHistory(obj: PasswordHistory): Password | undefined { + if (!obj) { + return undefined; + } + + const passwordHistory = new Password(); + passwordHistory.password = EncString.fromJSON(obj.password); + passwordHistory.lastUsedDate = new Date(obj.lastUsedDate); + + return passwordHistory; + } } diff --git a/libs/common/src/vault/models/domain/secure-note.ts b/libs/common/src/vault/models/domain/secure-note.ts index ac7977b0e46..1426ff85eab 100644 --- a/libs/common/src/vault/models/domain/secure-note.ts +++ b/libs/common/src/vault/models/domain/secure-note.ts @@ -54,4 +54,19 @@ export class SecureNote extends Domain { type: this.type, }; } + + /** + * Maps an SDK SecureNote object to a SecureNote + * @param obj - The SDK SecureNote object + */ + static fromSdkSecureNote(obj: SdkSecureNote): SecureNote | undefined { + if (obj == null) { + return undefined; + } + + const secureNote = new SecureNote(); + secureNote.type = obj.type; + + return secureNote; + } } diff --git a/libs/common/src/vault/models/domain/ssh-key.ts b/libs/common/src/vault/models/domain/ssh-key.ts index c0afcd83fc2..0c8abf76e44 100644 --- a/libs/common/src/vault/models/domain/ssh-key.ts +++ b/libs/common/src/vault/models/domain/ssh-key.ts @@ -85,4 +85,21 @@ export class SshKey extends Domain { fingerprint: this.keyFingerprint.toJSON(), }; } + + /** + * Maps an SDK SshKey object to a SshKey + * @param obj - The SDK SshKey object + */ + static fromSdkSshKey(obj: SdkSshKey): SshKey | undefined { + if (obj == null) { + return undefined; + } + + const sshKey = new SshKey(); + sshKey.privateKey = EncString.fromJSON(obj.privateKey); + sshKey.publicKey = EncString.fromJSON(obj.publicKey); + sshKey.keyFingerprint = EncString.fromJSON(obj.fingerprint); + + return sshKey; + } } diff --git a/libs/common/src/vault/models/view/card.view.ts b/libs/common/src/vault/models/view/card.view.ts index dd7f5d6be57..ed02fa68365 100644 --- a/libs/common/src/vault/models/view/card.view.ts +++ b/libs/common/src/vault/models/view/card.view.ts @@ -10,7 +10,7 @@ import { linkedFieldOption } from "../../linked-field-option.decorator"; import { ItemView } from "./item.view"; -export class CardView extends ItemView { +export class CardView extends ItemView implements SdkCardView { @linkedFieldOption(LinkedId.CardholderName, { sortPosition: 0 }) cardholderName: string = null; @linkedFieldOption(LinkedId.ExpMonth, { sortPosition: 3, i18nKey: "expirationMonth" }) @@ -168,4 +168,12 @@ export class CardView extends ItemView { return cardView; } + + /** + * Converts the CardView to an SDK CardView. + * The view implements the SdkView so we can safely return `this` + */ + toSdkCardView(): SdkCardView { + return this; + } } diff --git a/libs/common/src/vault/models/view/cipher.view.spec.ts b/libs/common/src/vault/models/view/cipher.view.spec.ts index b9d3e42aa62..46cea06979f 100644 --- a/libs/common/src/vault/models/view/cipher.view.spec.ts +++ b/libs/common/src/vault/models/view/cipher.view.spec.ts @@ -1,3 +1,7 @@ +import { Jsonify } from "type-fest"; + +import { EncString } from "@bitwarden/common/key-management/crypto/models/enc-string"; +import { CipherPermissionsApi } from "@bitwarden/common/vault/models/api/cipher-permissions.api"; import { CipherView as SdkCipherView, CipherType as SdkCipherType, @@ -85,6 +89,25 @@ describe("CipherView", () => { expect(actual).toMatchObject(expected); }); + + it("handle both string and object inputs for the cipher key", () => { + const cipherKeyString = "cipherKeyString"; + const cipherKeyObject = new EncString("cipherKeyObject"); + + // Test with string input + let actual = CipherView.fromJSON({ + key: cipherKeyString, + }); + expect(actual.key).toBeInstanceOf(EncString); + expect(actual.key?.toJSON()).toBe(cipherKeyString); + + // Test with object input (which can happen when cipher view is stored in an InMemory state provider) + actual = CipherView.fromJSON({ + key: cipherKeyObject, + } as Jsonify); + expect(actual.key).toBeInstanceOf(EncString); + expect(actual.key?.toJSON()).toBe(cipherKeyObject.toJSON()); + }); }); describe("fromSdkCipherView", () => { @@ -196,11 +219,80 @@ describe("CipherView", () => { __fromSdk: true, }, ], - passwordHistory: null, + passwordHistory: [], creationDate: new Date("2022-01-01T12:00:00.000Z"), revisionDate: new Date("2022-01-02T12:00:00.000Z"), deletedDate: null, }); }); }); + + describe("toSdkCipherView", () => { + it("maps properties correctly", () => { + const cipherView = new CipherView(); + cipherView.id = "0a54d80c-14aa-4ef8-8c3a-7ea99ce5b602"; + cipherView.organizationId = "000f2a6e-da5e-4726-87ed-1c5c77322c3c"; + cipherView.folderId = "41b22db4-8e2a-4ed2-b568-f1186c72922f"; + cipherView.collectionIds = ["b0473506-3c3c-4260-a734-dfaaf833ab6f"]; + cipherView.key = new EncString("some-key"); + cipherView.name = "name"; + cipherView.notes = "notes"; + cipherView.type = CipherType.Login; + cipherView.favorite = true; + cipherView.edit = true; + cipherView.viewPassword = false; + cipherView.reprompt = CipherRepromptType.None; + cipherView.organizationUseTotp = false; + cipherView.localData = { + lastLaunched: new Date("2022-01-01T12:00:00.000Z").getTime(), + lastUsedDate: new Date("2022-01-02T12:00:00.000Z").getTime(), + }; + cipherView.permissions = new CipherPermissionsApi(); + cipherView.permissions.restore = true; + cipherView.permissions.delete = true; + cipherView.attachments = []; + cipherView.fields = []; + cipherView.passwordHistory = []; + cipherView.login = new LoginView(); + cipherView.revisionDate = new Date("2022-01-02T12:00:00.000Z"); + cipherView.creationDate = new Date("2022-01-02T12:00:00.000Z"); + + const sdkCipherView = cipherView.toSdkCipherView(); + + expect(sdkCipherView).toMatchObject({ + id: "0a54d80c-14aa-4ef8-8c3a-7ea99ce5b602", + organizationId: "000f2a6e-da5e-4726-87ed-1c5c77322c3c", + folderId: "41b22db4-8e2a-4ed2-b568-f1186c72922f", + collectionIds: ["b0473506-3c3c-4260-a734-dfaaf833ab6f"], + key: "some-key", + name: "name", + notes: "notes", + type: SdkCipherType.Login, + favorite: true, + edit: true, + viewPassword: false, + reprompt: SdkCipherRepromptType.None, + organizationUseTotp: false, + localData: { + lastLaunched: "2022-01-01T12:00:00.000Z", + lastUsedDate: "2022-01-02T12:00:00.000Z", + }, + permissions: { + restore: true, + delete: true, + }, + deletedDate: undefined, + creationDate: "2022-01-02T12:00:00.000Z", + revisionDate: "2022-01-02T12:00:00.000Z", + attachments: [], + passwordHistory: [], + login: undefined, + identity: undefined, + card: undefined, + secureNote: undefined, + sshKey: undefined, + fields: [], + } as SdkCipherView); + }); + }); }); diff --git a/libs/common/src/vault/models/view/cipher.view.ts b/libs/common/src/vault/models/view/cipher.view.ts index 353fffa8eef..0c41e49c3ab 100644 --- a/libs/common/src/vault/models/view/cipher.view.ts +++ b/libs/common/src/vault/models/view/cipher.view.ts @@ -1,5 +1,7 @@ // FIXME: Update this file to be type safe and remove this and next line // @ts-strict-ignore +import { EncString } from "@bitwarden/common/key-management/crypto/models/enc-string"; +import { uuidToString, asUuid } from "@bitwarden/common/platform/abstractions/sdk/sdk.service"; import { CipherView as SdkCipherView } from "@bitwarden/sdk-internal"; import { View } from "../../../models/view/view"; @@ -9,7 +11,7 @@ import { DeepJsonify } from "../../../types/deep-jsonify"; import { CipherType, LinkedIdType } from "../../enums"; import { CipherRepromptType } from "../../enums/cipher-reprompt-type"; import { CipherPermissionsApi } from "../api/cipher-permissions.api"; -import { LocalData } from "../data/local.data"; +import { LocalData, toSdkLocalData, fromSdkLocalData } from "../data/local.data"; import { Cipher } from "../domain/cipher"; import { AttachmentView } from "./attachment.view"; @@ -41,14 +43,17 @@ export class CipherView implements View, InitializerMetadata { card = new CardView(); secureNote = new SecureNoteView(); sshKey = new SshKeyView(); - attachments: AttachmentView[] = null; - fields: FieldView[] = null; - passwordHistory: PasswordHistoryView[] = null; + attachments: AttachmentView[] = []; + fields: FieldView[] = []; + passwordHistory: PasswordHistoryView[] = []; collectionIds: string[] = null; revisionDate: Date = null; creationDate: Date = null; deletedDate: Date = null; reprompt: CipherRepromptType = CipherRepromptType.None; + // We need a copy of the encrypted key so we can pass it to + // the SdkCipherView during encryption + key?: EncString; /** * Flag to indicate if the cipher decryption failed. @@ -76,6 +81,7 @@ export class CipherView implements View, InitializerMetadata { this.deletedDate = c.deletedDate; // Old locally stored ciphers might have reprompt == null. If so set it to None. this.reprompt = c.reprompt ?? CipherRepromptType.None; + this.key = c.key; } private get item() { @@ -194,6 +200,18 @@ export class CipherView implements View, InitializerMetadata { const attachments = obj.attachments?.map((a: any) => AttachmentView.fromJSON(a)); const fields = obj.fields?.map((f: any) => FieldView.fromJSON(f)); const passwordHistory = obj.passwordHistory?.map((ph: any) => PasswordHistoryView.fromJSON(ph)); + const permissions = CipherPermissionsApi.fromJSON(obj.permissions); + let key: EncString | undefined; + + if (obj.key != null) { + if (typeof obj.key === "string") { + // If the key is a string, we need to parse it as EncString + key = EncString.fromJSON(obj.key); + } else if ((obj.key as any) instanceof EncString) { + // If the key is already an EncString instance, we can use it directly + key = obj.key; + } + } Object.assign(view, obj, { creationDate: creationDate, @@ -202,6 +220,8 @@ export class CipherView implements View, InitializerMetadata { attachments: attachments, fields: fields, passwordHistory: passwordHistory, + permissions: permissions, + key: key, }); switch (obj.type) { @@ -236,9 +256,9 @@ export class CipherView implements View, InitializerMetadata { } const cipherView = new CipherView(); - cipherView.id = obj.id ?? null; - cipherView.organizationId = obj.organizationId ?? null; - cipherView.folderId = obj.folderId ?? null; + cipherView.id = uuidToString(obj.id) ?? null; + cipherView.organizationId = uuidToString(obj.organizationId) ?? null; + cipherView.folderId = uuidToString(obj.folderId) ?? null; cipherView.name = obj.name; cipherView.notes = obj.notes ?? null; cipherView.type = obj.type; @@ -247,26 +267,18 @@ export class CipherView implements View, InitializerMetadata { cipherView.permissions = CipherPermissionsApi.fromSdkCipherPermissions(obj.permissions); cipherView.edit = obj.edit; cipherView.viewPassword = obj.viewPassword; - cipherView.localData = obj.localData - ? { - lastUsedDate: obj.localData.lastUsedDate - ? new Date(obj.localData.lastUsedDate).getTime() - : undefined, - lastLaunched: obj.localData.lastLaunched - ? new Date(obj.localData.lastLaunched).getTime() - : undefined, - } - : undefined; + cipherView.localData = fromSdkLocalData(obj.localData); cipherView.attachments = - obj.attachments?.map((a) => AttachmentView.fromSdkAttachmentView(a)) ?? null; - cipherView.fields = obj.fields?.map((f) => FieldView.fromSdkFieldView(f)) ?? null; + obj.attachments?.map((a) => AttachmentView.fromSdkAttachmentView(a)) ?? []; + cipherView.fields = obj.fields?.map((f) => FieldView.fromSdkFieldView(f)) ?? []; cipherView.passwordHistory = - obj.passwordHistory?.map((ph) => PasswordHistoryView.fromSdkPasswordHistoryView(ph)) ?? null; - cipherView.collectionIds = obj.collectionIds ?? null; + obj.passwordHistory?.map((ph) => PasswordHistoryView.fromSdkPasswordHistoryView(ph)) ?? []; + cipherView.collectionIds = obj.collectionIds?.map((i) => uuidToString(i)) ?? []; cipherView.revisionDate = obj.revisionDate == null ? null : new Date(obj.revisionDate); cipherView.creationDate = obj.creationDate == null ? null : new Date(obj.creationDate); cipherView.deletedDate = obj.deletedDate == null ? null : new Date(obj.deletedDate); cipherView.reprompt = obj.reprompt ?? CipherRepromptType.None; + cipherView.key = EncString.fromJSON(obj.key); switch (obj.type) { case CipherType.Card: @@ -290,4 +302,66 @@ export class CipherView implements View, InitializerMetadata { return cipherView; } + + /** + * Maps CipherView to SdkCipherView + * + * @returns {SdkCipherView} The SDK cipher view object + */ + toSdkCipherView(): SdkCipherView { + const sdkCipherView: SdkCipherView = { + id: this.id ? asUuid(this.id) : undefined, + organizationId: this.organizationId ? asUuid(this.organizationId) : undefined, + folderId: this.folderId ? asUuid(this.folderId) : undefined, + name: this.name ?? "", + notes: this.notes, + type: this.type ?? CipherType.Login, + favorite: this.favorite, + organizationUseTotp: this.organizationUseTotp, + permissions: this.permissions?.toSdkCipherPermissions(), + edit: this.edit, + viewPassword: this.viewPassword, + localData: toSdkLocalData(this.localData), + attachments: this.attachments?.map((a) => a.toSdkAttachmentView()), + fields: this.fields?.map((f) => f.toSdkFieldView()), + passwordHistory: this.passwordHistory?.map((ph) => ph.toSdkPasswordHistoryView()), + collectionIds: this.collectionIds?.map((i) => i) ?? [], + // Revision and creation dates are non-nullable in SDKCipherView + revisionDate: (this.revisionDate ?? new Date()).toISOString(), + creationDate: (this.creationDate ?? new Date()).toISOString(), + deletedDate: this.deletedDate?.toISOString(), + reprompt: this.reprompt ?? CipherRepromptType.None, + key: this.key?.toJSON(), + // Cipher type specific properties are set in the switch statement below + // CipherView initializes each with default constructors (undefined values) + // The SDK does not expect those undefined values and will throw exceptions + login: undefined, + card: undefined, + identity: undefined, + secureNote: undefined, + sshKey: undefined, + }; + + switch (this.type) { + case CipherType.Card: + sdkCipherView.card = this.card.toSdkCardView(); + break; + case CipherType.Identity: + sdkCipherView.identity = this.identity.toSdkIdentityView(); + break; + case CipherType.Login: + sdkCipherView.login = this.login.toSdkLoginView(); + break; + case CipherType.SecureNote: + sdkCipherView.secureNote = this.secureNote.toSdkSecureNoteView(); + break; + case CipherType.SshKey: + sdkCipherView.sshKey = this.sshKey.toSdkSshKeyView(); + break; + default: + break; + } + + return sdkCipherView; + } } diff --git a/libs/common/src/vault/models/view/fido2-credential.view.ts b/libs/common/src/vault/models/view/fido2-credential.view.ts index bf1d324d22d..410757ebe30 100644 --- a/libs/common/src/vault/models/view/fido2-credential.view.ts +++ b/libs/common/src/vault/models/view/fido2-credential.view.ts @@ -2,7 +2,10 @@ // @ts-strict-ignore import { Jsonify } from "type-fest"; -import { Fido2CredentialView as SdkFido2CredentialView } from "@bitwarden/sdk-internal"; +import { + Fido2CredentialView as SdkFido2CredentialView, + Fido2CredentialFullView, +} from "@bitwarden/sdk-internal"; import { ItemView } from "./item.view"; @@ -56,4 +59,22 @@ export class Fido2CredentialView extends ItemView { return view; } + + toSdkFido2CredentialFullView(): Fido2CredentialFullView { + return { + credentialId: this.credentialId, + keyType: this.keyType, + keyAlgorithm: this.keyAlgorithm, + keyCurve: this.keyCurve, + keyValue: this.keyValue, + rpId: this.rpId, + userHandle: this.userHandle, + userName: this.userName, + counter: this.counter.toString(), + rpName: this.rpName, + userDisplayName: this.userDisplayName, + discoverable: this.discoverable ? "true" : "false", + creationDate: this.creationDate?.toISOString(), + }; + } } diff --git a/libs/common/src/vault/models/view/field.view.ts b/libs/common/src/vault/models/view/field.view.ts index 770150f8a63..8c9a923aed2 100644 --- a/libs/common/src/vault/models/view/field.view.ts +++ b/libs/common/src/vault/models/view/field.view.ts @@ -2,7 +2,7 @@ // @ts-strict-ignore import { Jsonify } from "type-fest"; -import { FieldView as SdkFieldView } from "@bitwarden/sdk-internal"; +import { FieldView as SdkFieldView, FieldType as SdkFieldType } from "@bitwarden/sdk-internal"; import { View } from "../../../models/view/view"; import { FieldType, LinkedIdType } from "../../enums"; @@ -50,4 +50,16 @@ export class FieldView implements View { return view; } + + /** + * Converts the FieldView to an SDK FieldView. + */ + toSdkFieldView(): SdkFieldView { + return { + name: this.name ?? undefined, + value: this.value ?? undefined, + type: this.type ?? SdkFieldType.Text, + linkedId: this.linkedId ?? undefined, + }; + } } diff --git a/libs/common/src/vault/models/view/identity.view.ts b/libs/common/src/vault/models/view/identity.view.ts index 877940e4aea..2b863dc5e5f 100644 --- a/libs/common/src/vault/models/view/identity.view.ts +++ b/libs/common/src/vault/models/view/identity.view.ts @@ -10,7 +10,7 @@ import { linkedFieldOption } from "../../linked-field-option.decorator"; import { ItemView } from "./item.view"; -export class IdentityView extends ItemView { +export class IdentityView extends ItemView implements SdkIdentityView { @linkedFieldOption(LinkedId.Title, { sortPosition: 0 }) title: string = null; @linkedFieldOption(LinkedId.MiddleName, { sortPosition: 2 }) @@ -192,4 +192,12 @@ export class IdentityView extends ItemView { return identityView; } + + /** + * Converts the IdentityView to an SDK IdentityView. + * The view implements the SdkView so we can safely return `this` + */ + toSdkIdentityView(): SdkIdentityView { + return this; + } } diff --git a/libs/common/src/vault/models/view/login-uri.view.ts b/libs/common/src/vault/models/view/login-uri.view.ts index 43d47aa4a3c..38cd517e542 100644 --- a/libs/common/src/vault/models/view/login-uri.view.ts +++ b/libs/common/src/vault/models/view/login-uri.view.ts @@ -129,6 +129,15 @@ export class LoginUriView implements View { return view; } + /** Converts a LoginUriView object to an SDK LoginUriView object. */ + toSdkLoginUriView(): SdkLoginUriView { + return { + uri: this.uri ?? undefined, + match: this.match ?? undefined, + uriChecksum: undefined, // SDK handles uri checksum generation internally + }; + } + matchesUri( targetUri: string, equivalentDomains: Set, diff --git a/libs/common/src/vault/models/view/login.view.ts b/libs/common/src/vault/models/view/login.view.ts index c6e6ca001e4..d268cf4afaa 100644 --- a/libs/common/src/vault/models/view/login.view.ts +++ b/libs/common/src/vault/models/view/login.view.ts @@ -124,10 +124,30 @@ export class LoginView extends ItemView { obj.passwordRevisionDate == null ? null : new Date(obj.passwordRevisionDate); loginView.totp = obj.totp ?? null; loginView.autofillOnPageLoad = obj.autofillOnPageLoad ?? null; - loginView.uris = obj.uris?.map((uri) => LoginUriView.fromSdkLoginUriView(uri)) || []; + loginView.uris = + obj.uris + ?.filter((uri) => uri.uri != null && uri.uri !== "") + .map((uri) => LoginUriView.fromSdkLoginUriView(uri)) || []; // FIDO2 credentials are not decrypted here, they remain encrypted loginView.fido2Credentials = null; return loginView; } + + /** + * Converts the LoginView to an SDK LoginView. + * + * Note: FIDO2 credentials remain encrypted in the SDK view so they are not included here. + */ + toSdkLoginView(): SdkLoginView { + return { + username: this.username, + password: this.password, + passwordRevisionDate: this.passwordRevisionDate?.toISOString(), + totp: this.totp, + autofillOnPageLoad: this.autofillOnPageLoad ?? undefined, + uris: this.uris?.map((uri) => uri.toSdkLoginUriView()), + fido2Credentials: undefined, // FIDO2 credentials are handled separately and remain encrypted + }; + } } diff --git a/libs/common/src/vault/models/view/password-history.view.spec.ts b/libs/common/src/vault/models/view/password-history.view.spec.ts index 81894ec7493..512ec8d86d8 100644 --- a/libs/common/src/vault/models/view/password-history.view.spec.ts +++ b/libs/common/src/vault/models/view/password-history.view.spec.ts @@ -33,4 +33,17 @@ describe("PasswordHistoryView", () => { }); }); }); + + describe("toSdkPasswordHistoryView", () => { + it("should return a SdkPasswordHistoryView", () => { + const passwordHistoryView = new PasswordHistoryView(); + passwordHistoryView.password = "password"; + passwordHistoryView.lastUsedDate = new Date("2023-10-01T00:00:00.000Z"); + + expect(passwordHistoryView.toSdkPasswordHistoryView()).toMatchObject({ + password: "password", + lastUsedDate: "2023-10-01T00:00:00.000Z", + }); + }); + }); }); diff --git a/libs/common/src/vault/models/view/password-history.view.ts b/libs/common/src/vault/models/view/password-history.view.ts index 31f05f4cc71..9bd708b19fd 100644 --- a/libs/common/src/vault/models/view/password-history.view.ts +++ b/libs/common/src/vault/models/view/password-history.view.ts @@ -41,4 +41,14 @@ export class PasswordHistoryView implements View { return view; } + + /** + * Converts the PasswordHistoryView to an SDK PasswordHistoryView. + */ + toSdkPasswordHistoryView(): SdkPasswordHistoryView { + return { + password: this.password ?? "", + lastUsedDate: this.lastUsedDate.toISOString(), + }; + } } diff --git a/libs/common/src/vault/models/view/secure-note.view.ts b/libs/common/src/vault/models/view/secure-note.view.ts index 8e7a6b4652d..5e401961869 100644 --- a/libs/common/src/vault/models/view/secure-note.view.ts +++ b/libs/common/src/vault/models/view/secure-note.view.ts @@ -9,7 +9,7 @@ import { SecureNote } from "../domain/secure-note"; import { ItemView } from "./item.view"; -export class SecureNoteView extends ItemView { +export class SecureNoteView extends ItemView implements SdkSecureNoteView { type: SecureNoteType = null; constructor(n?: SecureNote) { @@ -42,4 +42,12 @@ export class SecureNoteView extends ItemView { return secureNoteView; } + + /** + * Converts the SecureNoteView to an SDK SecureNoteView. + * The view implements the SdkView so we can safely return `this` + */ + toSdkSecureNoteView(): SdkSecureNoteView { + return this; + } } diff --git a/libs/common/src/vault/models/view/ssh-key.view.ts b/libs/common/src/vault/models/view/ssh-key.view.ts index a83793678dc..0547eeb7f8e 100644 --- a/libs/common/src/vault/models/view/ssh-key.view.ts +++ b/libs/common/src/vault/models/view/ssh-key.view.ts @@ -63,4 +63,15 @@ export class SshKeyView extends ItemView { return sshKeyView; } + + /** + * Converts the SshKeyView to an SDK SshKeyView. + */ + toSdkSshKeyView(): SdkSshKeyView { + return { + privateKey: this.privateKey, + publicKey: this.publicKey, + fingerprint: this.keyFingerprint, + }; + } } diff --git a/libs/common/src/vault/services/cipher.service.spec.ts b/libs/common/src/vault/services/cipher.service.spec.ts index bf30b78ca63..f027122993d 100644 --- a/libs/common/src/vault/services/cipher.service.spec.ts +++ b/libs/common/src/vault/services/cipher.service.spec.ts @@ -1,7 +1,9 @@ import { mock } from "jest-mock-extended"; import { BehaviorSubject, map, of } from "rxjs"; +import { FeatureFlag } from "@bitwarden/common/enums/feature-flag.enum"; import { LogService } from "@bitwarden/common/platform/abstractions/log.service"; +import { CipherResponse } from "@bitwarden/common/vault/models/response/cipher.response"; // This import has been flagged as unallowed for this class. It may be involved in a circular dependency loop. // eslint-disable-next-line no-restricted-imports import { CipherDecryptionKeys, KeyService } from "@bitwarden/key-management"; @@ -23,7 +25,7 @@ import { Utils } from "../../platform/misc/utils"; import { EncArrayBuffer } from "../../platform/models/domain/enc-array-buffer"; import { SymmetricCryptoKey } from "../../platform/models/domain/symmetric-crypto-key"; import { ContainerService } from "../../platform/services/container.service"; -import { CipherId, UserId } from "../../types/guid"; +import { CipherId, UserId, OrganizationId, CollectionId } from "../../types/guid"; import { CipherKey, OrgKey, UserKey } from "../../types/key"; import { CipherEncryptionService } from "../abstractions/cipher-encryption.service"; import { EncryptionContext } from "../abstractions/cipher.service"; @@ -108,6 +110,7 @@ describe("Cipher Service", () => { const cipherEncryptionService = mock(); const userId = "TestUserId" as UserId; + const orgId = "4ff8c0b2-1d3e-4f8c-9b2d-1d3e4f8c0b2" as OrganizationId; let cipherService: CipherService; let encryptionContext: EncryptionContext; @@ -155,7 +158,9 @@ describe("Cipher Service", () => { ); configService.checkServerMeetsVersionRequirement$.mockReturnValue(of(false)); - configService.getFeatureFlag.mockResolvedValue(false); + configService.getFeatureFlag + .calledWith(FeatureFlag.CipherKeyEncryption) + .mockResolvedValue(false); const spy = jest.spyOn(cipherFileUploadService, "upload"); @@ -270,6 +275,55 @@ describe("Cipher Service", () => { jest.spyOn(cipherService as any, "getAutofillOnPageLoadDefault").mockResolvedValue(true); }); + it("should call encrypt method of CipherEncryptionService when feature flag is true", async () => { + configService.getFeatureFlag + .calledWith(FeatureFlag.PM22136_SdkCipherEncryption) + .mockResolvedValue(true); + cipherEncryptionService.encrypt.mockResolvedValue(encryptionContext); + + const result = await cipherService.encrypt(cipherView, userId); + + expect(result).toEqual(encryptionContext); + expect(cipherEncryptionService.encrypt).toHaveBeenCalledWith(cipherView, userId); + }); + + it("should call legacy encrypt when feature flag is false", async () => { + configService.getFeatureFlag + .calledWith(FeatureFlag.PM22136_SdkCipherEncryption) + .mockResolvedValue(false); + + jest.spyOn(cipherService as any, "encryptCipher").mockResolvedValue(encryptionContext.cipher); + + const result = await cipherService.encrypt(cipherView, userId); + + expect(result).toEqual(encryptionContext); + expect(cipherEncryptionService.encrypt).not.toHaveBeenCalled(); + }); + + it("should call legacy encrypt when keys are provided", async () => { + configService.getFeatureFlag + .calledWith(FeatureFlag.PM22136_SdkCipherEncryption) + .mockResolvedValue(true); + + jest.spyOn(cipherService as any, "encryptCipher").mockResolvedValue(encryptionContext.cipher); + + const encryptKey = new SymmetricCryptoKey(new Uint8Array(32)); + const decryptKey = new SymmetricCryptoKey(new Uint8Array(32)); + + let result = await cipherService.encrypt(cipherView, userId, encryptKey); + + expect(result).toEqual(encryptionContext); + expect(cipherEncryptionService.encrypt).not.toHaveBeenCalled(); + + result = await cipherService.encrypt(cipherView, userId, undefined, decryptKey); + expect(result).toEqual(encryptionContext); + expect(cipherEncryptionService.encrypt).not.toHaveBeenCalled(); + + result = await cipherService.encrypt(cipherView, userId, encryptKey, decryptKey); + expect(result).toEqual(encryptionContext); + expect(cipherEncryptionService.encrypt).not.toHaveBeenCalled(); + }); + it("should return the encrypting user id", async () => { keyService.getOrgKey.mockReturnValue( Promise.resolve(new SymmetricCryptoKey(new Uint8Array(32)) as OrgKey), @@ -310,7 +364,9 @@ describe("Cipher Service", () => { }); it("is null when feature flag is false", async () => { - configService.getFeatureFlag.mockResolvedValue(false); + configService.getFeatureFlag + .calledWith(FeatureFlag.CipherKeyEncryption) + .mockResolvedValue(false); const { cipher } = await cipherService.encrypt(cipherView, userId); expect(cipher.key).toBeNull(); @@ -318,7 +374,9 @@ describe("Cipher Service", () => { describe("when feature flag is true", () => { beforeEach(() => { - configService.getFeatureFlag.mockResolvedValue(true); + configService.getFeatureFlag + .calledWith(FeatureFlag.CipherKeyEncryption) + .mockResolvedValue(true); }); it("is null when the cipher is not viewPassword", async () => { @@ -348,7 +406,9 @@ describe("Cipher Service", () => { }); it("is not called when feature flag is false", async () => { - configService.getFeatureFlag.mockResolvedValue(false); + configService.getFeatureFlag + .calledWith(FeatureFlag.CipherKeyEncryption) + .mockResolvedValue(false); await cipherService.encrypt(cipherView, userId); @@ -357,7 +417,9 @@ describe("Cipher Service", () => { describe("when feature flag is true", () => { beforeEach(() => { - configService.getFeatureFlag.mockResolvedValue(true); + configService.getFeatureFlag + .calledWith(FeatureFlag.CipherKeyEncryption) + .mockResolvedValue(true); }); it("is called when cipher viewPassword is true", async () => { @@ -401,7 +463,9 @@ describe("Cipher Service", () => { let encryptedKey: EncString; beforeEach(() => { - configService.getFeatureFlag.mockResolvedValue(true); + configService.getFeatureFlag + .calledWith(FeatureFlag.CipherKeyEncryption) + .mockResolvedValue(true); configService.checkServerMeetsVersionRequirement$.mockReturnValue(of(true)); searchService.indexedEntityId$.mockReturnValue(of(null)); @@ -474,7 +538,9 @@ describe("Cipher Service", () => { describe("decrypt", () => { it("should call decrypt method of CipherEncryptionService when feature flag is true", async () => { - configService.getFeatureFlag.mockResolvedValue(true); + configService.getFeatureFlag + .calledWith(FeatureFlag.PM19941MigrateCipherDomainToSdk) + .mockResolvedValue(true); cipherEncryptionService.decrypt.mockResolvedValue(new CipherView(encryptionContext.cipher)); const result = await cipherService.decrypt(encryptionContext.cipher, userId); @@ -488,7 +554,9 @@ describe("Cipher Service", () => { it("should call legacy decrypt when feature flag is false", async () => { const mockUserKey = new SymmetricCryptoKey(new Uint8Array(32)) as UserKey; - configService.getFeatureFlag.mockResolvedValue(false); + configService.getFeatureFlag + .calledWith(FeatureFlag.PM19941MigrateCipherDomainToSdk) + .mockResolvedValue(false); cipherService.getKeyForCipherKeyDecryption = jest.fn().mockResolvedValue(mockUserKey); encryptService.decryptToBytes.mockResolvedValue(new Uint8Array(32)); jest @@ -509,7 +577,9 @@ describe("Cipher Service", () => { it("should use SDK when feature flag is enabled", async () => { const cipher = new Cipher(cipherData); const attachment = new AttachmentView(cipher.attachments![0]); - configService.getFeatureFlag.mockResolvedValue(true); + configService.getFeatureFlag + .calledWith(FeatureFlag.PM19941MigrateCipherDomainToSdk) + .mockResolvedValue(true); jest.spyOn(cipherService, "ciphers$").mockReturnValue(of({ [cipher.id]: cipherData })); cipherEncryptionService.decryptAttachmentContent.mockResolvedValue(mockDecryptedContent); @@ -534,7 +604,9 @@ describe("Cipher Service", () => { }); it("should use legacy decryption when feature flag is enabled", async () => { - configService.getFeatureFlag.mockResolvedValue(false); + configService.getFeatureFlag + .calledWith(FeatureFlag.PM19941MigrateCipherDomainToSdk) + .mockResolvedValue(false); const cipher = new Cipher(cipherData); const attachment = new AttachmentView(cipher.attachments![0]); attachment.key = makeSymmetricCryptoKey(64); @@ -557,4 +629,77 @@ describe("Cipher Service", () => { expect(encryptService.decryptFileData).toHaveBeenCalledWith(mockEncBuf, attachment.key); }); }); + + describe("shareWithServer()", () => { + it("should use cipherEncryptionService to move the cipher when feature flag enabled", async () => { + configService.getFeatureFlag + .calledWith(FeatureFlag.PM22136_SdkCipherEncryption) + .mockResolvedValue(true); + + apiService.putShareCipher.mockResolvedValue(new CipherResponse(cipherData)); + + const expectedCipher = new Cipher(cipherData); + expectedCipher.organizationId = orgId; + const cipherView = new CipherView(expectedCipher); + const collectionIds = ["collection1", "collection2"] as CollectionId[]; + + cipherView.organizationId = undefined; // Ensure organizationId is undefined for this test + + cipherEncryptionService.moveToOrganization.mockResolvedValue({ + cipher: expectedCipher, + encryptedFor: userId, + }); + + await cipherService.shareWithServer(cipherView, orgId, collectionIds, userId); + + // Expect SDK usage + expect(cipherEncryptionService.moveToOrganization).toHaveBeenCalledWith( + cipherView, + orgId, + userId, + ); + // Expect collectionIds to be assigned + expect(apiService.putShareCipher).toHaveBeenCalledWith( + cipherView.id, + expect.objectContaining({ + cipher: expect.objectContaining({ organizationId: orgId }), + collectionIds: collectionIds, + }), + ); + }); + + it("should use legacy encryption when feature flag disabled", async () => { + configService.getFeatureFlag + .calledWith(FeatureFlag.PM22136_SdkCipherEncryption) + .mockResolvedValue(false); + + apiService.putShareCipher.mockResolvedValue(new CipherResponse(cipherData)); + + const expectedCipher = new Cipher(cipherData); + expectedCipher.organizationId = orgId; + const cipherView = new CipherView(expectedCipher); + const collectionIds = ["collection1", "collection2"] as CollectionId[]; + + cipherView.organizationId = undefined; // Ensure organizationId is undefined for this test + + const oldEncryptSharedSpy = jest + .spyOn(cipherService as any, "encryptSharedCipher") + .mockResolvedValue({ + cipher: expectedCipher, + encryptedFor: userId, + }); + + await cipherService.shareWithServer(cipherView, orgId, collectionIds, userId); + + // Expect no SDK usage + expect(cipherEncryptionService.moveToOrganization).not.toHaveBeenCalled(); + expect(oldEncryptSharedSpy).toHaveBeenCalledWith( + expect.objectContaining({ + organizationId: orgId, + collectionIds: collectionIds, + } as unknown as CipherView), + userId, + ); + }); + }); }); diff --git a/libs/common/src/vault/services/cipher.service.ts b/libs/common/src/vault/services/cipher.service.ts index 8bef5289a95..1524e4e1b29 100644 --- a/libs/common/src/vault/services/cipher.service.ts +++ b/libs/common/src/vault/services/cipher.service.ts @@ -231,13 +231,14 @@ export class CipherService implements CipherServiceAbstraction { this.clearCipherViewsForUser$.next(userId); } - async encrypt( - model: CipherView, - userId: UserId, - keyForCipherEncryption?: SymmetricCryptoKey, - keyForCipherKeyDecryption?: SymmetricCryptoKey, - originalCipher: Cipher = null, - ): Promise { + /** + * Adjusts the cipher history for the given model by updating its history properties based on the original cipher. + * @param model The cipher model to adjust. + * @param userId The acting userId + * @param originalCipher The original cipher to compare against. If not provided, it will be fetched from the store. + * @private + */ + private async adjustCipherHistory(model: CipherView, userId: UserId, originalCipher?: Cipher) { if (model.id != null) { if (originalCipher == null) { originalCipher = await this.get(model.id, userId); @@ -247,6 +248,25 @@ export class CipherService implements CipherServiceAbstraction { } this.adjustPasswordHistoryLength(model); } + } + + async encrypt( + model: CipherView, + userId: UserId, + keyForCipherEncryption?: SymmetricCryptoKey, + keyForCipherKeyDecryption?: SymmetricCryptoKey, + originalCipher: Cipher = null, + ): Promise { + await this.adjustCipherHistory(model, userId, originalCipher); + + const sdkEncryptionEnabled = + (await this.configService.getFeatureFlag(FeatureFlag.PM22136_SdkCipherEncryption)) && + keyForCipherEncryption == null && // PM-23085 - SDK encryption does not currently support custom keys (e.g. key rotation) + keyForCipherKeyDecryption == null; // PM-23348 - Or has explicit methods for re-encrypting ciphers with different keys (e.g. move to org) + + if (sdkEncryptionEnabled) { + return await this.cipherEncryptionService.encrypt(model, userId); + } const cipher = new Cipher(); cipher.id = model.id; @@ -854,22 +874,48 @@ export class CipherService implements CipherServiceAbstraction { organizationId: string, collectionIds: string[], userId: UserId, + originalCipher?: Cipher, ): Promise { - const attachmentPromises: Promise[] = []; - if (cipher.attachments != null) { - cipher.attachments.forEach((attachment) => { - if (attachment.key == null) { - attachmentPromises.push( - this.shareAttachmentWithServer(attachment, cipher.id, organizationId), - ); - } - }); - } - await Promise.all(attachmentPromises); + const sdkCipherEncryptionEnabled = await this.configService.getFeatureFlag( + FeatureFlag.PM22136_SdkCipherEncryption, + ); + + await this.adjustCipherHistory(cipher, userId, originalCipher); + + let encCipher: EncryptionContext; + if (sdkCipherEncryptionEnabled) { + // The SDK does not expect the cipher to already have an organizationId. It will result in the wrong + // cipher encryption key being used during the move to organization operation. + if (cipher.organizationId != null) { + throw new Error("Cipher is already associated with an organization."); + } + + encCipher = await this.cipherEncryptionService.moveToOrganization( + cipher, + organizationId as OrganizationId, + userId, + ); + encCipher.cipher.collectionIds = collectionIds; + } else { + // This old attachment logic is safe to remove after it is replaced in PM-22750; which will require fixing + // the attachment before sharing. + const attachmentPromises: Promise[] = []; + if (cipher.attachments != null) { + cipher.attachments.forEach((attachment) => { + if (attachment.key == null) { + attachmentPromises.push( + this.shareAttachmentWithServer(attachment, cipher.id, organizationId), + ); + } + }); + } + await Promise.all(attachmentPromises); + + cipher.organizationId = organizationId; + cipher.collectionIds = collectionIds; + encCipher = await this.encryptSharedCipher(cipher, userId); + } - cipher.organizationId = organizationId; - cipher.collectionIds = collectionIds; - const encCipher = await this.encryptSharedCipher(cipher, userId); const request = new CipherShareRequest(encCipher); const response = await this.apiService.putShareCipher(cipher.id, request); const data = new CipherData(response, collectionIds); @@ -883,16 +929,36 @@ export class CipherService implements CipherServiceAbstraction { collectionIds: string[], userId: UserId, ) { + const sdkCipherEncryptionEnabled = await this.configService.getFeatureFlag( + FeatureFlag.PM22136_SdkCipherEncryption, + ); const promises: Promise[] = []; const encCiphers: Cipher[] = []; for (const cipher of ciphers) { - cipher.organizationId = organizationId; - cipher.collectionIds = collectionIds; - promises.push( - this.encryptSharedCipher(cipher, userId).then((c) => { - encCiphers.push(c.cipher); - }), - ); + if (sdkCipherEncryptionEnabled) { + // The SDK does not expect the cipher to already have an organizationId. It will result in the wrong + // cipher encryption key being used during the move to organization operation. + if (cipher.organizationId != null) { + throw new Error("Cipher is already associated with an organization."); + } + + promises.push( + this.cipherEncryptionService + .moveToOrganization(cipher, organizationId as OrganizationId, userId) + .then((encCipher) => { + encCipher.cipher.collectionIds = collectionIds; + encCiphers.push(encCipher.cipher); + }), + ); + } else { + cipher.organizationId = organizationId; + cipher.collectionIds = collectionIds; + promises.push( + this.encryptSharedCipher(cipher, userId).then((c) => { + encCiphers.push(c.cipher); + }), + ); + } } await Promise.all(promises); const request = new CipherBulkShareRequest(encCiphers, collectionIds, userId); diff --git a/libs/common/src/vault/services/default-cipher-encryption.service.spec.ts b/libs/common/src/vault/services/default-cipher-encryption.service.spec.ts index 4d05a5197fb..9e0cf62ed08 100644 --- a/libs/common/src/vault/services/default-cipher-encryption.service.spec.ts +++ b/libs/common/src/vault/services/default-cipher-encryption.service.spec.ts @@ -1,20 +1,22 @@ import { mock } from "jest-mock-extended"; import { of } from "rxjs"; +import { Fido2Credential } from "@bitwarden/common/vault/models/domain/fido2-credential"; import { - Fido2Credential, + Fido2Credential as SdkFido2Credential, Cipher as SdkCipher, CipherType as SdkCipherType, CipherView as SdkCipherView, CipherListView, AttachmentView as SdkAttachmentView, + Fido2CredentialFullView, } from "@bitwarden/sdk-internal"; import { mockEnc } from "../../../spec"; import { UriMatchStrategy } from "../../models/domain/domain-service"; import { LogService } from "../../platform/abstractions/log.service"; import { SdkService } from "../../platform/abstractions/sdk/sdk.service"; -import { UserId } from "../../types/guid"; +import { UserId, CipherId, OrganizationId } from "../../types/guid"; import { CipherRepromptType, CipherType } from "../enums"; import { CipherPermissionsApi } from "../models/api/cipher-permissions.api"; import { CipherData } from "../models/data/cipher.data"; @@ -25,10 +27,15 @@ import { Fido2CredentialView } from "../models/view/fido2-credential.view"; import { DefaultCipherEncryptionService } from "./default-cipher-encryption.service"; +const cipherId = "bdc4ef23-1116-477e-ae73-247854af58cb" as CipherId; +const orgId = "c5e9654f-6cc5-44c4-8e09-3d323522668c" as OrganizationId; +const folderId = "a3e9654f-6cc5-44c4-8e09-3d323522668c"; +const userId = "59fbbb44-8cc8-4279-ab40-afc5f68704f4" as UserId; + const cipherData: CipherData = { - id: "id", - organizationId: "orgId", - folderId: "folderId", + id: cipherId, + organizationId: orgId, + folderId: folderId, edit: true, viewPassword: true, organizationUseTotp: true, @@ -78,13 +85,17 @@ describe("DefaultCipherEncryptionService", () => { const sdkService = mock(); const logService = mock(); let sdkCipherView: SdkCipherView; + let sdkCipher: SdkCipher; const mockSdkClient = { vault: jest.fn().mockReturnValue({ ciphers: jest.fn().mockReturnValue({ + encrypt: jest.fn(), + set_fido2_credentials: jest.fn(), decrypt: jest.fn(), decrypt_list: jest.fn(), decrypt_fido2_credentials: jest.fn(), + move_to_organization: jest.fn(), }), attachments: jest.fn().mockReturnValue({ decrypt_buffer: jest.fn(), @@ -99,21 +110,25 @@ describe("DefaultCipherEncryptionService", () => { take: jest.fn().mockReturnValue(mockRef), }; - const userId = "user-id" as UserId; - let cipherObj: Cipher; + let cipherViewObj: CipherView; beforeEach(() => { sdkService.userClient$ = jest.fn((userId: UserId) => of(mockSdk)) as any; cipherEncryptionService = new DefaultCipherEncryptionService(sdkService, logService); cipherObj = new Cipher(cipherData); + cipherViewObj = new CipherView(cipherObj); jest.spyOn(cipherObj, "toSdkCipher").mockImplementation(() => { return { id: cipherData.id } as SdkCipher; }); + jest.spyOn(cipherViewObj, "toSdkCipherView").mockImplementation(() => { + return { id: cipherData.id } as SdkCipherView; + }); + sdkCipherView = { - id: "test-id", + id: cipherId as string, type: SdkCipherType.Login, name: "test-name", login: { @@ -121,16 +136,211 @@ describe("DefaultCipherEncryptionService", () => { password: "test-password", }, } as SdkCipherView; + + sdkCipher = { + id: cipherId, + type: SdkCipherType.Login, + name: "encrypted-name", + login: { + username: "encrypted-username", + password: "encrypted-password", + }, + } as unknown as SdkCipher; }); afterEach(() => { jest.clearAllMocks(); }); + describe("encrypt", () => { + it("should encrypt a cipher successfully", async () => { + const expectedCipher: Cipher = { + id: cipherId as string, + type: CipherType.Login, + name: "encrypted-name", + login: { + username: "encrypted-username", + password: "encrypted-password", + }, + } as unknown as Cipher; + + mockSdkClient.vault().ciphers().encrypt.mockReturnValue({ + cipher: sdkCipher, + encryptedFor: userId, + }); + jest.spyOn(Cipher, "fromSdkCipher").mockReturnValue(expectedCipher); + + const result = await cipherEncryptionService.encrypt(cipherViewObj, userId); + + expect(result).toBeDefined(); + expect(result!.cipher).toEqual(expectedCipher); + expect(result!.encryptedFor).toBe(userId); + expect(cipherViewObj.toSdkCipherView).toHaveBeenCalled(); + expect(mockSdkClient.vault().ciphers().encrypt).toHaveBeenCalledWith({ id: cipherData.id }); + }); + + it("should encrypt FIDO2 credentials if present", async () => { + const fidoCredentialView = new Fido2CredentialView(); + fidoCredentialView.credentialId = "credentialId"; + + cipherViewObj.login.fido2Credentials = [fidoCredentialView]; + + jest.spyOn(fidoCredentialView, "toSdkFido2CredentialFullView").mockImplementation( + () => + ({ + credentialId: "credentialId", + }) as Fido2CredentialFullView, + ); + jest.spyOn(cipherViewObj, "toSdkCipherView").mockImplementation( + () => + ({ + id: cipherId as string, + login: { + fido2Credentials: undefined, + }, + }) as unknown as SdkCipherView, + ); + + mockSdkClient + .vault() + .ciphers() + .set_fido2_credentials.mockReturnValue({ + id: cipherId as string, + login: { + fido2Credentials: [ + { + credentialId: "encrypted-credentialId", + }, + ], + }, + }); + + mockSdkClient.vault().ciphers().encrypt.mockReturnValue({ + cipher: sdkCipher, + encryptedFor: userId, + }); + + cipherObj.login!.fido2Credentials = [ + { credentialId: "encrypted-credentialId" } as unknown as Fido2Credential, + ]; + + jest.spyOn(Cipher, "fromSdkCipher").mockReturnValue(cipherObj); + + const result = await cipherEncryptionService.encrypt(cipherViewObj, userId); + + expect(result).toBeDefined(); + expect(result!.cipher.login!.fido2Credentials).toHaveLength(1); + + // Ensure set_fido2_credentials was called with correct parameters + expect(mockSdkClient.vault().ciphers().set_fido2_credentials).toHaveBeenCalledWith( + expect.objectContaining({ id: cipherId }), + [{ credentialId: "credentialId" }], + ); + + // Encrypted fido2 credential should be in the cipher passed to encrypt + expect(mockSdkClient.vault().ciphers().encrypt).toHaveBeenCalledWith( + expect.objectContaining({ + id: cipherId, + login: { fido2Credentials: [{ credentialId: "encrypted-credentialId" }] }, + }), + ); + }); + }); + + describe("moveToOrganization", () => { + it("should call the sdk method to move a cipher to an organization", async () => { + const expectedCipher: Cipher = { + id: cipherId as string, + type: CipherType.Login, + name: "encrypted-name", + organizationId: orgId, + login: { + username: "encrypted-username", + password: "encrypted-password", + }, + } as unknown as Cipher; + + mockSdkClient.vault().ciphers().move_to_organization.mockReturnValue({ + id: cipherId, + organizationId: orgId, + }); + mockSdkClient.vault().ciphers().encrypt.mockReturnValue({ + cipher: sdkCipher, + encryptedFor: userId, + }); + jest.spyOn(Cipher, "fromSdkCipher").mockReturnValue(expectedCipher); + + const result = await cipherEncryptionService.moveToOrganization(cipherViewObj, orgId, userId); + + expect(result).toBeDefined(); + expect(result!.cipher).toEqual(expectedCipher); + expect(result!.encryptedFor).toBe(userId); + expect(cipherViewObj.toSdkCipherView).toHaveBeenCalled(); + expect(mockSdkClient.vault().ciphers().move_to_organization).toHaveBeenCalledWith( + { id: cipherData.id }, + orgId, + ); + }); + + it("should re-encrypt any fido2 credentials when moving to an organization", async () => { + const mockSdkCredentialView = { + username: "username", + } as unknown as Fido2CredentialFullView; + const mockCredentialView = mock(); + mockCredentialView.toSdkFido2CredentialFullView.mockReturnValue(mockSdkCredentialView); + cipherViewObj.login.fido2Credentials = [mockCredentialView]; + const expectedCipher: Cipher = { + id: cipherId as string, + type: CipherType.Login, + name: "encrypted-name", + organizationId: orgId, + login: { + username: "encrypted-username", + password: "encrypted-password", + fido2Credentials: [{ username: "encrypted-username" }], + }, + } as unknown as Cipher; + + mockSdkClient + .vault() + .ciphers() + .set_fido2_credentials.mockReturnValue({ + id: cipherId as string, + login: { + fido2Credentials: [mockSdkCredentialView], + }, + } as SdkCipherView); + mockSdkClient.vault().ciphers().move_to_organization.mockReturnValue({ + id: cipherId, + organizationId: orgId, + }); + mockSdkClient.vault().ciphers().encrypt.mockReturnValue({ + cipher: sdkCipher, + encryptedFor: userId, + }); + jest.spyOn(Cipher, "fromSdkCipher").mockReturnValue(expectedCipher); + + const result = await cipherEncryptionService.moveToOrganization(cipherViewObj, orgId, userId); + + expect(result).toBeDefined(); + expect(result!.cipher).toEqual(expectedCipher); + expect(result!.encryptedFor).toBe(userId); + expect(cipherViewObj.toSdkCipherView).toHaveBeenCalled(); + expect(mockSdkClient.vault().ciphers().set_fido2_credentials).toHaveBeenCalledWith( + expect.objectContaining({ id: cipherId }), + expect.arrayContaining([mockSdkCredentialView]), + ); + expect(mockSdkClient.vault().ciphers().move_to_organization).toHaveBeenCalledWith( + { id: cipherData.id, login: { fido2Credentials: [mockSdkCredentialView] } }, + orgId, + ); + }); + }); + describe("decrypt", () => { it("should decrypt a cipher successfully", async () => { const expectedCipherView: CipherView = { - id: "test-id", + id: cipherId as string, type: CipherType.Login, name: "test-name", login: { @@ -168,12 +378,12 @@ describe("DefaultCipherEncryptionService", () => { discoverable: mockEnc("true"), creationDate: new Date("2023-01-01T12:00:00.000Z"), }, - ] as unknown as Fido2Credential[]; + ] as unknown as SdkFido2Credential[]; sdkCipherView.login!.fido2Credentials = fido2Credentials; const expectedCipherView: CipherView = { - id: "test-id", + id: cipherId, type: CipherType.Login, name: "test-name", login: { @@ -228,13 +438,15 @@ describe("DefaultCipherEncryptionService", () => { it("should decrypt multiple ciphers successfully", async () => { const ciphers = [new Cipher(cipherData), new Cipher(cipherData)]; + const cipherId2 = "bdc4ef23-2222-477e-ae73-247854af58cb" as CipherId; + const expectedViews = [ { - id: "test-id-1", + id: cipherId as string, name: "test-name-1", } as CipherView, { - id: "test-id-2", + id: cipherId2 as string, name: "test-name-2", } as CipherView, ]; @@ -242,8 +454,11 @@ describe("DefaultCipherEncryptionService", () => { mockSdkClient .vault() .ciphers() - .decrypt.mockReturnValueOnce({ id: "test-id-1", name: "test-name-1" } as SdkCipherView) - .mockReturnValueOnce({ id: "test-id-2", name: "test-name-2" } as SdkCipherView); + .decrypt.mockReturnValueOnce({ + id: cipherId, + name: "test-name-1", + } as unknown as SdkCipherView) + .mockReturnValueOnce({ id: cipherId2, name: "test-name-2" } as unknown as SdkCipherView); jest .spyOn(CipherView, "fromSdkCipherView") diff --git a/libs/common/src/vault/services/default-cipher-encryption.service.ts b/libs/common/src/vault/services/default-cipher-encryption.service.ts index 2c57df6f5bb..3547bafb4c9 100644 --- a/libs/common/src/vault/services/default-cipher-encryption.service.ts +++ b/libs/common/src/vault/services/default-cipher-encryption.service.ts @@ -1,10 +1,15 @@ import { EMPTY, catchError, firstValueFrom, map } from "rxjs"; -import { CipherListView } from "@bitwarden/sdk-internal"; +import { EncryptionContext } from "@bitwarden/common/vault/abstractions/cipher.service"; +import { + CipherListView, + BitwardenClient, + CipherView as SdkCipherView, +} from "@bitwarden/sdk-internal"; import { LogService } from "../../platform/abstractions/log.service"; -import { SdkService } from "../../platform/abstractions/sdk/sdk.service"; -import { UserId } from "../../types/guid"; +import { SdkService, asUuid } from "../../platform/abstractions/sdk/sdk.service"; +import { UserId, OrganizationId } from "../../types/guid"; import { CipherEncryptionService } from "../abstractions/cipher-encryption.service"; import { CipherType } from "../enums"; import { Cipher } from "../models/domain/cipher"; @@ -18,6 +23,67 @@ export class DefaultCipherEncryptionService implements CipherEncryptionService { private logService: LogService, ) {} + async encrypt(model: CipherView, userId: UserId): Promise { + return firstValueFrom( + this.sdkService.userClient$(userId).pipe( + map((sdk) => { + if (!sdk) { + throw new Error("SDK not available"); + } + + using ref = sdk.take(); + const sdkCipherView = this.toSdkCipherView(model, ref.value); + + const encryptionContext = ref.value.vault().ciphers().encrypt(sdkCipherView); + + return { + cipher: Cipher.fromSdkCipher(encryptionContext.cipher)!, + encryptedFor: asUuid(encryptionContext.encryptedFor), + }; + }), + catchError((error: unknown) => { + this.logService.error(`Failed to encrypt cipher: ${error}`); + return EMPTY; + }), + ), + ); + } + + async moveToOrganization( + model: CipherView, + organizationId: OrganizationId, + userId: UserId, + ): Promise { + return firstValueFrom( + this.sdkService.userClient$(userId).pipe( + map((sdk) => { + if (!sdk) { + throw new Error("SDK not available"); + } + + using ref = sdk.take(); + const sdkCipherView = this.toSdkCipherView(model, ref.value); + + const movedCipherView = ref.value + .vault() + .ciphers() + .move_to_organization(sdkCipherView, asUuid(organizationId)); + + const encryptionContext = ref.value.vault().ciphers().encrypt(movedCipherView); + + return { + cipher: Cipher.fromSdkCipher(encryptionContext.cipher)!, + encryptedFor: asUuid(encryptionContext.encryptedFor), + }; + }), + catchError((error: unknown) => { + this.logService.error(`Failed to move cipher to organization: ${error}`); + return EMPTY; + }), + ), + ); + } + async decrypt(cipher: Cipher, userId: UserId): Promise { return firstValueFrom( this.sdkService.userClient$(userId).pipe( @@ -51,11 +117,8 @@ export class DefaultCipherEncryptionService implements CipherEncryptionService { clientCipherView.login.fido2Credentials = fido2CredentialViews .map((f) => { const view = Fido2CredentialView.fromSdkFido2CredentialView(f)!; - - return { - ...view, - keyValue: decryptedKeyValue, - }; + view.keyValue = decryptedKeyValue; + return view; }) .filter((view): view is Fido2CredentialView => view !== undefined); } @@ -104,10 +167,8 @@ export class DefaultCipherEncryptionService implements CipherEncryptionService { clientCipherView.login.fido2Credentials = fido2CredentialViews .map((f) => { const view = Fido2CredentialView.fromSdkFido2CredentialView(f)!; - return { - ...view, - keyValue: decryptedKeyValue, - }; + view.keyValue = decryptedKeyValue; + return view; }) .filter((view): view is Fido2CredentialView => view !== undefined); } @@ -187,4 +248,25 @@ export class DefaultCipherEncryptionService implements CipherEncryptionService { ), ); } + + /** + * Helper method to convert a CipherView model to an SDK CipherView. Has special handling for Fido2 credentials + * that need to be encrypted before being sent to the SDK. + * @param model The CipherView model to convert + * @param sdk An instance of SDK client + * @private + */ + private toSdkCipherView(model: CipherView, sdk: BitwardenClient): SdkCipherView { + let sdkCipherView = model.toSdkCipherView(); + + if (model.type === CipherType.Login && model.login?.hasFido2Credentials) { + // Encrypt Fido2 credentials separately + const fido2Credentials = model.login.fido2Credentials?.map((f) => + f.toSdkFido2CredentialFullView(), + ); + sdkCipherView = sdk.vault().ciphers().set_fido2_credentials(sdkCipherView, fido2Credentials); + } + + return sdkCipherView; + } } diff --git a/libs/importer/src/importers/base-importer.ts b/libs/importer/src/importers/base-importer.ts index 463d61dbbdf..1a97bc5a325 100644 --- a/libs/importer/src/importers/base-importer.ts +++ b/libs/importer/src/importers/base-importer.ts @@ -320,12 +320,6 @@ export abstract class BaseImporter { } else { cipher.notes = cipher.notes.trim(); } - if (cipher.fields != null && cipher.fields.length === 0) { - cipher.fields = null; - } - if (cipher.passwordHistory != null && cipher.passwordHistory.length === 0) { - cipher.passwordHistory = null; - } } protected processKvp( diff --git a/libs/importer/src/importers/keeper/keeper-csv-importer.spec.ts b/libs/importer/src/importers/keeper/keeper-csv-importer.spec.ts index d7a4d487bcb..026c501cf5a 100644 --- a/libs/importer/src/importers/keeper/keeper-csv-importer.spec.ts +++ b/libs/importer/src/importers/keeper/keeper-csv-importer.spec.ts @@ -66,7 +66,7 @@ describe("Keeper CSV Importer", () => { expect(result != null).toBe(true); const cipher = result.ciphers.shift(); - expect(cipher.fields).toBeNull(); + expect(cipher.fields.length).toBe(0); const cipher2 = result.ciphers.shift(); expect(cipher2.fields.length).toBe(2); diff --git a/libs/importer/src/importers/keeper/keeper-json-importer.spec.ts b/libs/importer/src/importers/keeper/keeper-json-importer.spec.ts index 31169021e0c..22008f3b4c1 100644 --- a/libs/importer/src/importers/keeper/keeper-json-importer.spec.ts +++ b/libs/importer/src/importers/keeper/keeper-json-importer.spec.ts @@ -39,7 +39,7 @@ describe("Keeper Json Importer", () => { expect(cipher3.login.username).toEqual("someUserName"); expect(cipher3.login.password).toEqual("w4k4k1wergf$^&@#*%2"); expect(cipher3.notes).toBeNull(); - expect(cipher3.fields).toBeNull(); + expect(cipher3.fields.length).toBe(0); expect(cipher3.login.uris.length).toEqual(1); const uriView3 = cipher3.login.uris.shift(); expect(uriView3.uri).toEqual("https://example.com"); diff --git a/libs/vault/src/cipher-form/services/default-cipher-form.service.ts b/libs/vault/src/cipher-form/services/default-cipher-form.service.ts index 5228c85c3f7..d195ff8b00b 100644 --- a/libs/vault/src/cipher-form/services/default-cipher-form.service.ts +++ b/libs/vault/src/cipher-form/services/default-cipher-form.service.ts @@ -5,7 +5,7 @@ import { firstValueFrom, map } from "rxjs"; import { AccountService } from "@bitwarden/common/auth/abstractions/account.service"; import { getUserId } from "@bitwarden/common/auth/services/account.service"; -import { UserId } from "@bitwarden/common/types/guid"; +import { UserId, OrganizationId } from "@bitwarden/common/types/guid"; import { CipherService } from "@bitwarden/common/vault/abstractions/cipher.service"; import { CipherType } from "@bitwarden/common/vault/enums"; import { Cipher } from "@bitwarden/common/vault/models/domain/cipher"; @@ -31,21 +31,13 @@ export class DefaultCipherFormService implements CipherFormService { } async saveCipher(cipher: CipherView, config: CipherFormConfig): Promise { - // Passing the original cipher is important here as it is responsible for appending to password history const activeUserId = await firstValueFrom(this.accountService.activeAccount$.pipe(getUserId)); - const encrypted = await this.cipherService.encrypt( - cipher, - activeUserId, - null, - null, - config.originalCipher ?? null, - ); - const encryptedCipher = encrypted.cipher; let savedCipher: Cipher; // Creating a new cipher if (cipher.id == null) { + const encrypted = await this.cipherService.encrypt(cipher, activeUserId); savedCipher = await this.cipherService.createWithServer(encrypted, config.admin); return await this.cipherService.decrypt(savedCipher, activeUserId); } @@ -61,16 +53,37 @@ export class DefaultCipherFormService implements CipherFormService { // Call shareWithServer if the owner is changing from a user to an organization if (config.originalCipher.organizationId === null && cipher.organizationId != null) { + // shareWithServer expects the cipher to have no organizationId set + const organizationId = cipher.organizationId as OrganizationId; + cipher.organizationId = null; + savedCipher = await this.cipherService.shareWithServer( cipher, - cipher.organizationId, + organizationId, cipher.collectionIds, activeUserId, + config.originalCipher, ); // If the collectionIds are the same, update the cipher normally } else if (isSetEqual(originalCollectionIds, newCollectionIds)) { + const encrypted = await this.cipherService.encrypt( + cipher, + activeUserId, + null, + null, + config.originalCipher, + ); savedCipher = await this.cipherService.updateWithServer(encrypted, config.admin); } else { + const encrypted = await this.cipherService.encrypt( + cipher, + activeUserId, + null, + null, + config.originalCipher, + ); + const encryptedCipher = encrypted.cipher; + // Updating a cipher with collection changes is not supported with a single request currently // First update the cipher with the original collectionIds encryptedCipher.collectionIds = config.originalCipher.collectionIds; diff --git a/libs/vault/src/cipher-view/cipher-view.component.html b/libs/vault/src/cipher-view/cipher-view.component.html index a2ade0e885c..e65dd62500e 100644 --- a/libs/vault/src/cipher-view/cipher-view.component.html +++ b/libs/vault/src/cipher-view/cipher-view.component.html @@ -67,12 +67,12 @@ - + - + { }); describe("history", () => { - const password1 = { password: "bad-password-1", lastUsedDate: new Date("09/13/2004") }; - const password2 = { password: "bad-password-2", lastUsedDate: new Date("02/01/2004") }; + const password1 = { + password: "bad-password-1", + lastUsedDate: new Date("09/13/2004"), + } as PasswordHistoryView; + const password2 = { + password: "bad-password-2", + lastUsedDate: new Date("02/01/2004"), + } as PasswordHistoryView; beforeEach(async () => { mockCipher.passwordHistory = [password1, password2]; diff --git a/package-lock.json b/package-lock.json index e6d4a0b9b89..b9f661f6915 100644 --- a/package-lock.json +++ b/package-lock.json @@ -23,7 +23,7 @@ "@angular/platform-browser": "19.2.14", "@angular/platform-browser-dynamic": "19.2.14", "@angular/router": "19.2.14", - "@bitwarden/sdk-internal": "0.2.0-main.225", + "@bitwarden/sdk-internal": "0.2.0-main.227", "@electron/fuses": "1.8.0", "@emotion/css": "11.13.5", "@koa/multer": "4.0.0", @@ -4604,9 +4604,9 @@ "link": true }, "node_modules/@bitwarden/sdk-internal": { - "version": "0.2.0-main.225", - "resolved": "https://registry.npmjs.org/@bitwarden/sdk-internal/-/sdk-internal-0.2.0-main.225.tgz", - "integrity": "sha512-bhSFNX584GPJ9wMBYff1d18/Hfj+o+D4E1l3uDLZNXRI9s7w919AQWqJ0xUy1vh8gpkLJovkf64HQGqs0OiQQA==", + "version": "0.2.0-main.227", + "resolved": "https://registry.npmjs.org/@bitwarden/sdk-internal/-/sdk-internal-0.2.0-main.227.tgz", + "integrity": "sha512-afOsl9jwi1qyX/tF4bYP3EWXgc8oMgnCA0hPPh+AJpn7GgoAPCi+WXaJkbBPwRpxZFKEpwt3oLRNTvtkECvFJw==", "license": "GPL-3.0", "dependencies": { "type-fest": "^4.41.0" diff --git a/package.json b/package.json index b7923a92f6f..ac00e674310 100644 --- a/package.json +++ b/package.json @@ -158,7 +158,7 @@ "@angular/platform-browser": "19.2.14", "@angular/platform-browser-dynamic": "19.2.14", "@angular/router": "19.2.14", - "@bitwarden/sdk-internal": "0.2.0-main.225", + "@bitwarden/sdk-internal": "0.2.0-main.227", "@electron/fuses": "1.8.0", "@emotion/css": "11.13.5", "@koa/multer": "4.0.0", From b54944da416925c90fabc0479d2cc20b4c3f32da Mon Sep 17 00:00:00 2001 From: Bernd Schoolmann Date: Tue, 22 Jul 2025 12:35:55 +0200 Subject: [PATCH 09/37] Deprecate encstring's decrypt function (#15703) --- libs/common/src/key-management/crypto/models/enc-string.ts | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libs/common/src/key-management/crypto/models/enc-string.ts b/libs/common/src/key-management/crypto/models/enc-string.ts index 1ff98d1b6b6..3478ced0cf3 100644 --- a/libs/common/src/key-management/crypto/models/enc-string.ts +++ b/libs/common/src/key-management/crypto/models/enc-string.ts @@ -153,6 +153,10 @@ export class EncString implements Encrypted { return EXPECTED_NUM_PARTS_BY_ENCRYPTION_TYPE[encType] === encPieces.length; } + /** + * @deprecated - This function is deprecated. Use EncryptService.decryptString instead. + * @returns - The decrypted string, or `[error: cannot decrypt]` if decryption fails. + */ async decrypt( orgId: string | null, key: SymmetricCryptoKey | null = null, From 481910b82374631454a173816f4b24ba2336437d Mon Sep 17 00:00:00 2001 From: Bernd Schoolmann Date: Tue, 22 Jul 2025 13:03:04 +0200 Subject: [PATCH 10/37] Fix breaking sdk change and update to 231 (#15617) --- .../src/platform/services/sdk/default-sdk.service.ts | 1 + package-lock.json | 8 ++++---- package.json | 2 +- 3 files changed, 6 insertions(+), 5 deletions(-) diff --git a/libs/common/src/platform/services/sdk/default-sdk.service.ts b/libs/common/src/platform/services/sdk/default-sdk.service.ts index 1dfdfd207c0..c12fbe2dbb2 100644 --- a/libs/common/src/platform/services/sdk/default-sdk.service.ts +++ b/libs/common/src/platform/services/sdk/default-sdk.service.ts @@ -228,6 +228,7 @@ export class DefaultSdkService implements SdkService { }, privateKey, signingKey: undefined, + securityState: undefined, }); // We initialize the org crypto even if the org_keys are diff --git a/package-lock.json b/package-lock.json index b9f661f6915..e44797997f1 100644 --- a/package-lock.json +++ b/package-lock.json @@ -23,7 +23,7 @@ "@angular/platform-browser": "19.2.14", "@angular/platform-browser-dynamic": "19.2.14", "@angular/router": "19.2.14", - "@bitwarden/sdk-internal": "0.2.0-main.227", + "@bitwarden/sdk-internal": "0.2.0-main.231", "@electron/fuses": "1.8.0", "@emotion/css": "11.13.5", "@koa/multer": "4.0.0", @@ -4604,9 +4604,9 @@ "link": true }, "node_modules/@bitwarden/sdk-internal": { - "version": "0.2.0-main.227", - "resolved": "https://registry.npmjs.org/@bitwarden/sdk-internal/-/sdk-internal-0.2.0-main.227.tgz", - "integrity": "sha512-afOsl9jwi1qyX/tF4bYP3EWXgc8oMgnCA0hPPh+AJpn7GgoAPCi+WXaJkbBPwRpxZFKEpwt3oLRNTvtkECvFJw==", + "version": "0.2.0-main.231", + "resolved": "https://registry.npmjs.org/@bitwarden/sdk-internal/-/sdk-internal-0.2.0-main.231.tgz", + "integrity": "sha512-fDKB/RFVvkRPWlhL/qhPAdJDjD1EpFjpEjjpY0v5QNGalh6NCztOr1OcMc4kvipPp4g+epZjs3SPN38K6R+7zw==", "license": "GPL-3.0", "dependencies": { "type-fest": "^4.41.0" diff --git a/package.json b/package.json index ac00e674310..089ef3342e9 100644 --- a/package.json +++ b/package.json @@ -158,7 +158,7 @@ "@angular/platform-browser": "19.2.14", "@angular/platform-browser-dynamic": "19.2.14", "@angular/router": "19.2.14", - "@bitwarden/sdk-internal": "0.2.0-main.227", + "@bitwarden/sdk-internal": "0.2.0-main.231", "@electron/fuses": "1.8.0", "@emotion/css": "11.13.5", "@koa/multer": "4.0.0", From 2a07b952ef5c633ea4b470f64039cb13c02c0aa4 Mon Sep 17 00:00:00 2001 From: Shane Melton Date: Tue, 22 Jul 2025 06:32:00 -0700 Subject: [PATCH 11/37] [PM-24000] Convert string date values to Date objects for CipherExport types (#15715) --- libs/common/src/models/export/cipher.export.ts | 7 ++++--- libs/common/src/models/export/password-history.export.ts | 2 +- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/libs/common/src/models/export/cipher.export.ts b/libs/common/src/models/export/cipher.export.ts index ad6d8b7a609..d343621328c 100644 --- a/libs/common/src/models/export/cipher.export.ts +++ b/libs/common/src/models/export/cipher.export.ts @@ -53,6 +53,7 @@ export class CipherExport { view.notes = req.notes; view.favorite = req.favorite; view.reprompt = req.reprompt ?? CipherRepromptType.None; + view.key = req.key != null ? new EncString(req.key) : null; if (req.fields != null) { view.fields = req.fields.map((f) => FieldExport.toView(f)); @@ -80,9 +81,9 @@ export class CipherExport { view.passwordHistory = req.passwordHistory.map((ph) => PasswordHistoryExport.toView(ph)); } - view.creationDate = req.creationDate; - view.revisionDate = req.revisionDate; - view.deletedDate = req.deletedDate; + view.creationDate = req.creationDate ? new Date(req.creationDate) : null; + view.revisionDate = req.revisionDate ? new Date(req.revisionDate) : null; + view.deletedDate = req.deletedDate ? new Date(req.deletedDate) : null; return view; } diff --git a/libs/common/src/models/export/password-history.export.ts b/libs/common/src/models/export/password-history.export.ts index e5a44e4e330..f443a2f4ace 100644 --- a/libs/common/src/models/export/password-history.export.ts +++ b/libs/common/src/models/export/password-history.export.ts @@ -16,7 +16,7 @@ export class PasswordHistoryExport { static toView(req: PasswordHistoryExport, view = new PasswordHistoryView()) { view.password = req.password; - view.lastUsedDate = req.lastUsedDate; + view.lastUsedDate = req.lastUsedDate ? new Date(req.lastUsedDate) : null; return view; } From 5290e0a63beb5ec5f134c996c7e25e3814cbce4f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E2=9C=A8=20Audrey=20=E2=9C=A8?= Date: Tue, 22 Jul 2025 09:33:34 -0400 Subject: [PATCH 12/37] [PM-19054] configure send with email otp authentication via cli (#15360) --- apps/cli/src/commands/get.command.ts | 10 +- .../src/tools/send/commands/create.command.ts | 10 +- .../src/tools/send/commands/edit.command.ts | 24 ++- apps/cli/src/tools/send/commands/index.ts | 1 + .../tools/send/commands/template.command.ts | 35 ++++ .../src/tools/send/models/send.response.ts | 3 + apps/cli/src/tools/send/send.program.ts | 64 +++--- apps/cli/src/tools/send/util.spec.ts | 194 ++++++++++++++++++ apps/cli/src/tools/send/util.ts | 55 +++++ .../src/tools/send/models/data/send.data.ts | 2 + .../src/tools/send/models/domain/send.spec.ts | 6 +- .../src/tools/send/models/domain/send.ts | 2 + .../tools/send/models/request/send.request.ts | 2 + .../send/models/response/send.response.ts | 2 + .../src/tools/send/models/view/send.view.ts | 1 + .../src/tools/send/services/send.service.ts | 7 +- 16 files changed, 369 insertions(+), 49 deletions(-) create mode 100644 apps/cli/src/tools/send/commands/template.command.ts create mode 100644 apps/cli/src/tools/send/util.spec.ts create mode 100644 apps/cli/src/tools/send/util.ts diff --git a/apps/cli/src/commands/get.command.ts b/apps/cli/src/commands/get.command.ts index aa2db7c81ab..b20052fbb53 100644 --- a/apps/cli/src/commands/get.command.ts +++ b/apps/cli/src/commands/get.command.ts @@ -25,7 +25,6 @@ import { LoginExport } from "@bitwarden/common/models/export/login.export"; import { SecureNoteExport } from "@bitwarden/common/models/export/secure-note.export"; import { ErrorResponse } from "@bitwarden/common/models/response/error.response"; import { Utils } from "@bitwarden/common/platform/misc/utils"; -import { SendType } from "@bitwarden/common/tools/send/enums/send-type"; import { CipherId, OrganizationId, UserId } from "@bitwarden/common/types/guid"; import { CipherService } from "@bitwarden/common/vault/abstractions/cipher.service"; import { FolderService } from "@bitwarden/common/vault/abstractions/folder/folder.service.abstraction"; @@ -44,7 +43,6 @@ import { SelectionReadOnly } from "../admin-console/models/selection-read-only"; import { Response } from "../models/response"; import { StringResponse } from "../models/response/string.response"; import { TemplateResponse } from "../models/response/template.response"; -import { SendResponse } from "../tools/send/models/send.response"; import { CliUtils } from "../utils"; import { CipherResponse } from "../vault/models/cipher.response"; import { FolderResponse } from "../vault/models/folder.response"; @@ -577,11 +575,11 @@ export class GetCommand extends DownloadCommand { case "org-collection": template = OrganizationCollectionRequest.template(); break; - case "send.text": - template = SendResponse.template(SendType.Text); - break; case "send.file": - template = SendResponse.template(SendType.File); + case "send.text": + template = Response.badRequest( + `Invalid template object. Use \`bw send template ${id}\` instead.`, + ); break; default: return Response.badRequest("Unknown template object."); diff --git a/apps/cli/src/tools/send/commands/create.command.ts b/apps/cli/src/tools/send/commands/create.command.ts index a9264c50126..d4f544d39b7 100644 --- a/apps/cli/src/tools/send/commands/create.command.ts +++ b/apps/cli/src/tools/send/commands/create.command.ts @@ -76,9 +76,14 @@ export class SendCreateCommand { const filePath = req.file?.fileName ?? options.file; const text = req.text?.text ?? options.text; const hidden = req.text?.hidden ?? options.hidden; - const password = req.password ?? options.password; + const password = req.password ?? options.password ?? undefined; + const emails = req.emails ?? options.emails ?? undefined; const maxAccessCount = req.maxAccessCount ?? options.maxAccessCount; + if (emails !== undefined && password !== undefined) { + return Response.badRequest("--password and --emails are mutually exclusive."); + } + req.key = null; req.maxAccessCount = maxAccessCount; @@ -133,6 +138,7 @@ export class SendCreateCommand { // Add dates from template encSend.deletionDate = sendView.deletionDate; encSend.expirationDate = sendView.expirationDate; + encSend.emails = emails && emails.join(","); await this.sendApiService.save([encSend, fileData]); const newSend = await this.sendService.getFromState(encSend.id); @@ -151,12 +157,14 @@ class Options { text: string; maxAccessCount: number; password: string; + emails: Array; hidden: boolean; constructor(passedOptions: Record) { this.file = passedOptions?.file; this.text = passedOptions?.text; this.password = passedOptions?.password; + this.emails = passedOptions?.email; this.hidden = CliUtils.convertBooleanOption(passedOptions?.hidden); this.maxAccessCount = passedOptions?.maxAccessCount != null ? parseInt(passedOptions.maxAccessCount, null) : null; diff --git a/apps/cli/src/tools/send/commands/edit.command.ts b/apps/cli/src/tools/send/commands/edit.command.ts index ed719b58311..09f89041cc5 100644 --- a/apps/cli/src/tools/send/commands/edit.command.ts +++ b/apps/cli/src/tools/send/commands/edit.command.ts @@ -50,11 +50,21 @@ export class SendEditCommand { const normalizedOptions = new Options(cmdOptions); req.id = normalizedOptions.itemId || req.id; - - if (req.id != null) { - req.id = req.id.toLowerCase(); + if (normalizedOptions.emails) { + req.emails = normalizedOptions.emails; + req.password = undefined; + } else if (normalizedOptions.password) { + req.emails = undefined; + req.password = normalizedOptions.password; + } else if (req.password && (typeof req.password !== "string" || req.password === "")) { + req.password = undefined; } + if (!req.id) { + return Response.error("`itemid` was not provided."); + } + + req.id = req.id.toLowerCase(); const send = await this.sendService.getFromState(req.id); if (send == null) { @@ -76,10 +86,6 @@ export class SendEditCommand { let sendView = await send.decrypt(); sendView = SendResponse.toView(req, sendView); - if (typeof req.password !== "string" || req.password === "") { - req.password = null; - } - try { const [encSend, encFileData] = await this.sendService.encrypt(sendView, null, req.password); // Add dates from template @@ -97,8 +103,12 @@ export class SendEditCommand { class Options { itemId: string; + password: string; + emails: string[]; constructor(passedOptions: Record) { this.itemId = passedOptions?.itemId || passedOptions?.itemid; + this.password = passedOptions.password; + this.emails = passedOptions.email; } } diff --git a/apps/cli/src/tools/send/commands/index.ts b/apps/cli/src/tools/send/commands/index.ts index 645f5c0d1db..452c228dd9b 100644 --- a/apps/cli/src/tools/send/commands/index.ts +++ b/apps/cli/src/tools/send/commands/index.ts @@ -5,3 +5,4 @@ export * from "./get.command"; export * from "./list.command"; export * from "./receive.command"; export * from "./remove-password.command"; +export * from "./template.command"; diff --git a/apps/cli/src/tools/send/commands/template.command.ts b/apps/cli/src/tools/send/commands/template.command.ts new file mode 100644 index 00000000000..c1c2c97b03d --- /dev/null +++ b/apps/cli/src/tools/send/commands/template.command.ts @@ -0,0 +1,35 @@ +import { SendType } from "@bitwarden/common/tools/send/enums/send-type"; + +import { Response } from "../../../models/response"; +import { TemplateResponse } from "../../../models/response/template.response"; +import { SendResponse } from "../models/send.response"; + +export class SendTemplateCommand { + constructor() {} + + run(type: string): Response { + let template: SendResponse | undefined; + let response: Response; + + switch (type) { + case "send.text": + case "text": + template = SendResponse.template(SendType.Text); + break; + case "send.file": + case "file": + template = SendResponse.template(SendType.File); + break; + default: + response = Response.badRequest("Unknown template object."); + } + + if (template) { + response = Response.success(new TemplateResponse(template)); + } + + response ??= Response.badRequest("An error occurred while retrieving the template."); + + return response; + } +} diff --git a/apps/cli/src/tools/send/models/send.response.ts b/apps/cli/src/tools/send/models/send.response.ts index 4d680b5c0a1..a0c1d3f83c6 100644 --- a/apps/cli/src/tools/send/models/send.response.ts +++ b/apps/cli/src/tools/send/models/send.response.ts @@ -26,6 +26,7 @@ export class SendResponse implements BaseResponse { req.deletionDate = this.getStandardDeletionDate(deleteInDays); req.expirationDate = null; req.password = null; + req.emails = null; req.disabled = false; req.hideEmail = false; return req; @@ -50,6 +51,7 @@ export class SendResponse implements BaseResponse { view.deletionDate = send.deletionDate; view.expirationDate = send.expirationDate; view.password = send.password; + view.emails = send.emails ?? []; view.disabled = send.disabled; view.hideEmail = send.hideEmail; return view; @@ -87,6 +89,7 @@ export class SendResponse implements BaseResponse { expirationDate: Date; password: string; passwordSet: boolean; + emails?: Array; disabled: boolean; hideEmail: boolean; diff --git a/apps/cli/src/tools/send/send.program.ts b/apps/cli/src/tools/send/send.program.ts index cbeda188a99..650f448e558 100644 --- a/apps/cli/src/tools/send/send.program.ts +++ b/apps/cli/src/tools/send/send.program.ts @@ -4,13 +4,12 @@ import * as fs from "fs"; import * as path from "path"; import * as chalk from "chalk"; -import { program, Command, OptionValues } from "commander"; +import { program, Command, Option, OptionValues } from "commander"; import { Utils } from "@bitwarden/common/platform/misc/utils"; import { SendType } from "@bitwarden/common/tools/send/enums/send-type"; import { BaseProgram } from "../../base-program"; -import { GetCommand } from "../../commands/get.command"; import { Response } from "../../models/response"; import { CliUtils } from "../../utils"; @@ -22,10 +21,12 @@ import { SendListCommand, SendReceiveCommand, SendRemovePasswordCommand, + SendTemplateCommand, } from "./commands"; import { SendFileResponse } from "./models/send-file.response"; import { SendTextResponse } from "./models/send-text.response"; import { SendResponse } from "./models/send.response"; +import { parseEmail } from "./util"; const writeLn = CliUtils.writeLn; @@ -48,6 +49,17 @@ export class SendProgram extends BaseProgram { "The number of days in the future to set deletion date, defaults to 7", "7", ) + .addOption( + new Option( + "--password ", + "optional password to access this Send. Can also be specified in JSON.", + ).conflicts("email"), + ) + .option( + "--email ", + "optional emails to access this Send. Can also be specified in JSON.", + parseEmail, + ) .option("-a, --maxAccessCount ", "The amount of max possible accesses.") .option("--hidden", "Hide in web by default. Valid only if --file is not set.") .option( @@ -139,26 +151,9 @@ export class SendProgram extends BaseProgram { return new Command("template") .argument("", "Valid objects are: send.text, send.file") .description("Get json templates for send objects") - .action(async (object) => { - const cmd = new GetCommand( - this.serviceContainer.cipherService, - this.serviceContainer.folderService, - this.serviceContainer.collectionService, - this.serviceContainer.totpService, - this.serviceContainer.auditService, - this.serviceContainer.keyService, - this.serviceContainer.encryptService, - this.serviceContainer.searchService, - this.serviceContainer.apiService, - this.serviceContainer.organizationService, - this.serviceContainer.eventCollectionService, - this.serviceContainer.billingAccountProfileStateService, - this.serviceContainer.accountService, - this.serviceContainer.cliRestrictedItemTypesService, - ); - const response = await cmd.run("template", object, null); - this.processResponse(response); - }); + .action((options: OptionValues) => + this.processResponse(new SendTemplateCommand().run(options.object)), + ); } private getCommand(): Command { @@ -208,10 +203,6 @@ export class SendProgram extends BaseProgram { .option("--file ", "file to Send. Can also be specified in parent's JSON.") .option("--text ", "text to Send. Can also be specified in parent's JSON.") .option("--hidden", "text hidden flag. Valid only with the --text option.") - .option( - "--password ", - "optional password to access this Send. Can also be specified in JSON", - ) .on("--help", () => { writeLn(""); writeLn("Note:"); @@ -219,13 +210,13 @@ export class SendProgram extends BaseProgram { writeLn("", true); }) .action(async (encodedJson: string, options: OptionValues, args: { parent: Command }) => { - // Work-around to support `--fullObject` option for `send create --fullObject` - // Calling `option('--fullObject', ...)` above won't work due to Commander doesn't like same option - // to be defind on both parent-command and sub-command - const { fullObject = false } = args.parent.opts(); + // subcommands inherit flags from their parent; they cannot override them + const { fullObject = false, email = undefined, password = undefined } = args.parent.opts(); const mergedOptions = { ...options, fullObject: fullObject, + email, + password, }; const response = await this.runCreate(encodedJson, mergedOptions); @@ -247,7 +238,7 @@ export class SendProgram extends BaseProgram { writeLn(" You cannot update a File-type Send's file. Just delete and remake it"); writeLn("", true); }) - .action(async (encodedJson: string, options: OptionValues) => { + .action(async (encodedJson: string, options: OptionValues, args: { parent: Command }) => { await this.exitIfLocked(); const getCmd = new SendGetCommand( this.serviceContainer.sendService, @@ -264,7 +255,16 @@ export class SendProgram extends BaseProgram { this.serviceContainer.billingAccountProfileStateService, this.serviceContainer.accountService, ); - const response = await cmd.run(encodedJson, options); + + // subcommands inherit flags from their parent; they cannot override them + const { email = undefined, password = undefined } = args.parent.opts(); + const mergedOptions = { + ...options, + email, + password, + }; + + const response = await cmd.run(encodedJson, mergedOptions); this.processResponse(response); }); } diff --git a/apps/cli/src/tools/send/util.spec.ts b/apps/cli/src/tools/send/util.spec.ts new file mode 100644 index 00000000000..2cfc2a1b4c8 --- /dev/null +++ b/apps/cli/src/tools/send/util.spec.ts @@ -0,0 +1,194 @@ +import { parseEmail } from "./util"; + +describe("parseEmail", () => { + describe("single email address parsing", () => { + it("should parse a valid single email address", () => { + const result = parseEmail("test@example.com", []); + expect(result).toEqual(["test@example.com"]); + }); + + it("should parse email with dots in local part", () => { + const result = parseEmail("test.user@example.com", []); + expect(result).toEqual(["test.user@example.com"]); + }); + + it("should parse email with underscores and hyphens", () => { + const result = parseEmail("test_user-name@example.com", []); + expect(result).toEqual(["test_user-name@example.com"]); + }); + + it("should parse email with plus sign", () => { + const result = parseEmail("test+user@example.com", []); + expect(result).toEqual(["test+user@example.com"]); + }); + + it("should parse email with dots and hyphens in domain", () => { + const result = parseEmail("user@test-domain.co.uk", []); + expect(result).toEqual(["user@test-domain.co.uk"]); + }); + + it("should add single email to existing previousInput array", () => { + const result = parseEmail("new@example.com", ["existing@test.com"]); + expect(result).toEqual(["existing@test.com", "new@example.com"]); + }); + }); + + describe("comma-separated email lists", () => { + it("should parse comma-separated email list", () => { + const result = parseEmail("test@example.com,user@domain.com", []); + expect(result).toEqual(["test@example.com", "user@domain.com"]); + }); + + it("should parse comma-separated emails with spaces", () => { + const result = parseEmail("test@example.com, user@domain.com, admin@site.org", []); + expect(result).toEqual(["test@example.com", "user@domain.com", "admin@site.org"]); + }); + + it("should combine comma-separated emails with previousInput", () => { + const result = parseEmail("new1@example.com,new2@domain.com", ["existing@test.com"]); + expect(result).toEqual(["existing@test.com", "new1@example.com", "new2@domain.com"]); + }); + + it("should throw error for invalid email in comma-separated list", () => { + expect(() => { + parseEmail("valid@example.com,invalid-email,another@domain.com", []); + }).toThrow("Invalid email address: invalid-email"); + }); + }); + + describe("space-separated email lists", () => { + it("should parse space-separated email list", () => { + const result = parseEmail("test@example.com user@domain.com", []); + expect(result).toEqual(["test@example.com", "user@domain.com"]); + }); + + it("should parse space-separated emails with multiple spaces", () => { + const result = parseEmail("test@example.com user@domain.com admin@site.org", []); + expect(result).toEqual(["test@example.com", "user@domain.com", "admin@site.org"]); + }); + + it("should combine space-separated emails with previousInput", () => { + const result = parseEmail("new1@example.com new2@domain.com", ["existing@test.com"]); + expect(result).toEqual(["existing@test.com", "new1@example.com", "new2@domain.com"]); + }); + + it("should throw error for invalid email in space-separated list", () => { + expect(() => { + parseEmail("valid@example.com invalid-email another@domain.com", []); + }).toThrow("Invalid email address: invalid-email"); + }); + }); + + describe("JSON array input format", () => { + it("should parse valid JSON array of emails", () => { + const result = parseEmail('["test@example.com", "user@domain.com"]', []); + expect(result).toEqual(["test@example.com", "user@domain.com"]); + }); + + it("should parse single email in JSON array", () => { + const result = parseEmail('["test@example.com"]', []); + expect(result).toEqual(["test@example.com"]); + }); + + it("should parse empty JSON array", () => { + const result = parseEmail("[]", []); + expect(result).toEqual([]); + }); + + it("should combine JSON array with previousInput", () => { + const result = parseEmail('["new1@example.com", "new2@domain.com"]', ["existing@test.com"]); + expect(result).toEqual(["existing@test.com", "new1@example.com", "new2@domain.com"]); + }); + + it("should throw error for malformed JSON", () => { + expect(() => { + parseEmail('["test@example.com", "user@domain.com"', []); + }).toThrow(); + }); + + it("should throw error for JSON that is not an array", () => { + expect(() => { + parseEmail('{"email": "test@example.com"}', []); + }).toThrow("Invalid email address:"); + }); + + it("should throw error for JSON string instead of array", () => { + expect(() => { + parseEmail('"test@example.com"', []); + }).toThrow("`input` must be a single address, a comma-separated list, or a JSON array"); + }); + + it("should throw error for JSON number instead of array", () => { + expect(() => { + parseEmail("123", []); + }).toThrow("`input` must be a single address, a comma-separated list, or a JSON array"); + }); + }); + + describe("`previousInput` parameter handling", () => { + it("should handle undefined previousInput", () => { + const result = parseEmail("test@example.com", undefined as any); + expect(result).toEqual(["test@example.com"]); + }); + + it("should handle null previousInput", () => { + const result = parseEmail("test@example.com", null as any); + expect(result).toEqual(["test@example.com"]); + }); + + it("should preserve existing emails in previousInput", () => { + const existing = ["existing1@test.com", "existing2@test.com"]; + const result = parseEmail("new@example.com", existing); + expect(result).toEqual(["existing1@test.com", "existing2@test.com", "new@example.com"]); + }); + }); + + describe("error cases and edge conditions", () => { + it("should throw error for empty string input", () => { + expect(() => { + parseEmail("", []); + }).toThrow("`input` must be a single address, a comma-separated list, or a JSON array"); + }); + + it("should return empty array for whitespace-only input", () => { + const result = parseEmail(" ", []); + expect(result).toEqual([]); + }); + + it("should throw error for invalid single email", () => { + expect(() => { + parseEmail("invalid-email", []); + }).toThrow("`input` must be a single address, a comma-separated list, or a JSON array"); + }); + + it("should throw error for email without @ symbol", () => { + expect(() => { + parseEmail("testexample.com", []); + }).toThrow("`input` must be a single address, a comma-separated list, or a JSON array"); + }); + + it("should throw error for email without domain", () => { + expect(() => { + parseEmail("test@", []); + }).toThrow("`input` must be a single address, a comma-separated list, or a JSON array"); + }); + + it("should throw error for email without local part", () => { + expect(() => { + parseEmail("@example.com", []); + }).toThrow("`input` must be a single address, a comma-separated list, or a JSON array"); + }); + + it("should throw error for input that looks like file path", () => { + expect(() => { + parseEmail("/path/to/file.txt", []); + }).toThrow("`input` must be a single address, a comma-separated list, or a JSON array"); + }); + + it("should throw error for input that looks like URL", () => { + expect(() => { + parseEmail("https://example.com", []); + }).toThrow("`input` must be a single address, a comma-separated list, or a JSON array"); + }); + }); +}); diff --git a/apps/cli/src/tools/send/util.ts b/apps/cli/src/tools/send/util.ts new file mode 100644 index 00000000000..bf66f916bbb --- /dev/null +++ b/apps/cli/src/tools/send/util.ts @@ -0,0 +1,55 @@ +/** + * Parses email addresses from various input formats and combines them with previously parsed emails. + * + * Supports: single email, JSON array, comma-separated, or space-separated lists. + * Note: Function signature follows Commander.js option parsing pattern. + * + * @param input - Email input string in any supported format + * @param previousInput - Previously parsed email addresses to append to + * @returns Combined array of email addresses + * @throws {Error} For invalid JSON, non-array JSON, invalid email addresses, or unrecognized format + * + * @example + * parseEmail("user@example.com", []) // ["user@example.com"] + * parseEmail('["user1@example.com", "user2@example.com"]', []) // ["user1@example.com", "user2@example.com"] + * parseEmail("user1@example.com, user2@example.com", []) // ["user1@example.com", "user2@example.com"] + */ +export function parseEmail(input: string, previousInput: string[]) { + let result = previousInput ?? []; + + if (isEmail(input)) { + result.push(input); + } else if (input.startsWith("[")) { + const json = JSON.parse(input); + if (!Array.isArray(json)) { + throw new Error("invalid JSON"); + } + + result = result.concat(json); + } else if (input.includes(",")) { + result = result.concat(parseList(input, ",")); + } else if (input.includes(" ")) { + result = result.concat(parseList(input, " ")); + } else { + throw new Error("`input` must be a single address, a comma-separated list, or a JSON array"); + } + + return result; +} + +function isEmail(input: string) { + return !!input && !!input.match(/^([\w._+-]+?)@([\w._+-]+?)$/); +} + +function parseList(value: string, separator: string) { + const parts = value + .split(separator) + .map((v) => v.trim()) + .filter((v) => !!v.length); + const invalid = parts.find((v) => !isEmail(v)); + if (invalid) { + throw new Error(`Invalid email address: ${invalid}`); + } + + return parts; +} diff --git a/libs/common/src/tools/send/models/data/send.data.ts b/libs/common/src/tools/send/models/data/send.data.ts index e4df5e48dce..2c6377de0c9 100644 --- a/libs/common/src/tools/send/models/data/send.data.ts +++ b/libs/common/src/tools/send/models/data/send.data.ts @@ -21,6 +21,7 @@ export class SendData { expirationDate: string; deletionDate: string; password: string; + emails: string; disabled: boolean; hideEmail: boolean; @@ -41,6 +42,7 @@ export class SendData { this.expirationDate = response.expirationDate; this.deletionDate = response.deletionDate; this.password = response.password; + this.emails = response.emails; this.disabled = response.disable; this.hideEmail = response.hideEmail; diff --git a/libs/common/src/tools/send/models/domain/send.spec.ts b/libs/common/src/tools/send/models/domain/send.spec.ts index 8df9a144108..e9b0ae7b3b8 100644 --- a/libs/common/src/tools/send/models/domain/send.spec.ts +++ b/libs/common/src/tools/send/models/domain/send.spec.ts @@ -29,14 +29,15 @@ describe("Send", () => { text: "encText", hidden: true, }, - file: null, + file: null!, key: "encKey", - maxAccessCount: null, + maxAccessCount: null!, accessCount: 10, revisionDate: "2022-01-31T12:00:00.000Z", expirationDate: "2022-01-31T12:00:00.000Z", deletionDate: "2022-01-31T12:00:00.000Z", password: "password", + emails: null!, disabled: false, hideEmail: true, }; @@ -86,6 +87,7 @@ describe("Send", () => { expirationDate: new Date("2022-01-31T12:00:00.000Z"), deletionDate: new Date("2022-01-31T12:00:00.000Z"), password: "password", + emails: null!, disabled: false, hideEmail: true, }); diff --git a/libs/common/src/tools/send/models/domain/send.ts b/libs/common/src/tools/send/models/domain/send.ts index 89fe92c2c7b..48057aedd2d 100644 --- a/libs/common/src/tools/send/models/domain/send.ts +++ b/libs/common/src/tools/send/models/domain/send.ts @@ -27,6 +27,7 @@ export class Send extends Domain { expirationDate: Date; deletionDate: Date; password: string; + emails: string; disabled: boolean; hideEmail: boolean; @@ -53,6 +54,7 @@ export class Send extends Domain { this.maxAccessCount = obj.maxAccessCount; this.accessCount = obj.accessCount; this.password = obj.password; + this.emails = obj.emails; this.disabled = obj.disabled; this.revisionDate = obj.revisionDate != null ? new Date(obj.revisionDate) : null; this.deletionDate = obj.deletionDate != null ? new Date(obj.deletionDate) : null; diff --git a/libs/common/src/tools/send/models/request/send.request.ts b/libs/common/src/tools/send/models/request/send.request.ts index 9e4f1e14837..f7e3ff26d7f 100644 --- a/libs/common/src/tools/send/models/request/send.request.ts +++ b/libs/common/src/tools/send/models/request/send.request.ts @@ -17,6 +17,7 @@ export class SendRequest { text: SendTextApi; file: SendFileApi; password: string; + emails: string; disabled: boolean; hideEmail: boolean; @@ -30,6 +31,7 @@ export class SendRequest { this.deletionDate = send.deletionDate != null ? send.deletionDate.toISOString() : null; this.key = send.key != null ? send.key.encryptedString : null; this.password = send.password; + this.emails = send.emails; this.disabled = send.disabled; this.hideEmail = send.hideEmail; diff --git a/libs/common/src/tools/send/models/response/send.response.ts b/libs/common/src/tools/send/models/response/send.response.ts index 76550f5cdfd..5c6bd4dc1a6 100644 --- a/libs/common/src/tools/send/models/response/send.response.ts +++ b/libs/common/src/tools/send/models/response/send.response.ts @@ -20,6 +20,7 @@ export class SendResponse extends BaseResponse { expirationDate: string; deletionDate: string; password: string; + emails: string; disable: boolean; hideEmail: boolean; @@ -37,6 +38,7 @@ export class SendResponse extends BaseResponse { this.expirationDate = this.getResponseProperty("ExpirationDate"); this.deletionDate = this.getResponseProperty("DeletionDate"); this.password = this.getResponseProperty("Password"); + this.emails = this.getResponseProperty("Emails"); this.disable = this.getResponseProperty("Disabled") || false; this.hideEmail = this.getResponseProperty("HideEmail") || false; diff --git a/libs/common/src/tools/send/models/view/send.view.ts b/libs/common/src/tools/send/models/view/send.view.ts index 2c269892a6f..54657b12438 100644 --- a/libs/common/src/tools/send/models/view/send.view.ts +++ b/libs/common/src/tools/send/models/view/send.view.ts @@ -26,6 +26,7 @@ export class SendView implements View { deletionDate: Date = null; expirationDate: Date = null; password: string = null; + emails: string[] = []; disabled = false; hideEmail = false; diff --git a/libs/common/src/tools/send/services/send.service.ts b/libs/common/src/tools/send/services/send.service.ts index 57463b3b42b..6e2b4391c96 100644 --- a/libs/common/src/tools/send/services/send.service.ts +++ b/libs/common/src/tools/send/services/send.service.ts @@ -74,7 +74,12 @@ export class SendService implements InternalSendServiceAbstraction { model.key = key.material; model.cryptoKey = key.derivedKey; } - if (password != null) { + + const hasEmails = (model.emails?.length ?? 0) > 0; + if (hasEmails) { + send.emails = model.emails.join(","); + send.password = null; + } else if (password != null) { // Note: Despite being called key, the passwordKey is not used for encryption. // It is used as a static proof that the client knows the password, and has the encryption key. const passwordKey = await this.keyGenerationService.deriveKeyFromPassword( From 96f31aac3adcd3abcc917c523bcb7f671ab76ffa Mon Sep 17 00:00:00 2001 From: cyprain-okeke <108260115+cyprain-okeke@users.noreply.github.com> Date: Tue, 22 Jul 2025 15:58:17 +0100 Subject: [PATCH 13/37] [PM 18701]Optional payment modal after signup (#15384) * Implement the planservice * Add the pricing component and service * Add the change plan type service * resolve the unit test issues * Move the changeSubscriptionFrequency endpoint * Rename planservice to plancardservice * Remove unused and correct typos * Resolve the double asignment * resolve the unit test failing * Remove default payment setting to card * remove unnecessary check * Property initialPaymentMethod has no initializer * move the logic to service * Move estimate tax to pricing service * Refactor thr pricing summary component * Resolve the lint unit test error * Add changes for auto modal * Remove custom role for sm * Resolve the blank member page issue * Changes on the pricing display --- .../members/members.component.html | 5 + .../members/members.component.ts | 20 + .../organizations/members/members.module.ts | 2 + .../organization-payment-method.component.ts | 12 +- .../app/billing/services/plan-card.service.ts | 59 +++ .../services/pricing-summary.service.ts | 155 ++++++++ .../billing/shared/billing-shared.module.ts | 6 + .../shared/plan-card/plan-card.component.html | 45 +++ .../shared/plan-card/plan-card.component.ts | 68 ++++ .../pricing-summary.component.html | 259 +++++++++++++ .../pricing-summary.component.ts | 48 +++ .../trial-payment-dialog.component.html | 117 ++++++ .../trial-payment-dialog.component.ts | 365 ++++++++++++++++++ ...ganization-free-trial-warning.component.ts | 20 +- .../services/organization-warnings.service.ts | 34 +- apps/web/src/locales/en/messages.json | 29 +- ...ization-billing-api.service.abstraction.ts | 6 + .../request/change-plan-frequency.request.ts | 9 + .../organization-billing-api.service.ts | 14 + 19 files changed, 1264 insertions(+), 9 deletions(-) create mode 100644 apps/web/src/app/billing/services/plan-card.service.ts create mode 100644 apps/web/src/app/billing/services/pricing-summary.service.ts create mode 100644 apps/web/src/app/billing/shared/plan-card/plan-card.component.html create mode 100644 apps/web/src/app/billing/shared/plan-card/plan-card.component.ts create mode 100644 apps/web/src/app/billing/shared/pricing-summary/pricing-summary.component.html create mode 100644 apps/web/src/app/billing/shared/pricing-summary/pricing-summary.component.ts create mode 100644 apps/web/src/app/billing/shared/trial-payment-dialog/trial-payment-dialog.component.html create mode 100644 apps/web/src/app/billing/shared/trial-payment-dialog/trial-payment-dialog.component.ts create mode 100644 libs/common/src/billing/models/request/change-plan-frequency.request.ts diff --git a/apps/web/src/app/admin-console/organizations/members/members.component.html b/apps/web/src/app/admin-console/organizations/members/members.component.html index 962191021e8..49946806efc 100644 --- a/apps/web/src/app/admin-console/organizations/members/members.component.html +++ b/apps/web/src/app/admin-console/organizations/members/members.component.html @@ -1,3 +1,8 @@ + + protected deleteManagedMemberWarningService: DeleteManagedMemberWarningService, private configService: ConfigService, private organizationUserService: OrganizationUserService, + private organizationWarningsService: OrganizationWarningsService, ) { super( apiService, @@ -247,6 +250,13 @@ export class MembersComponent extends BaseMembersComponent this.showUserManagementControls$ = organization$.pipe( map((organization) => organization.canManageUsers), ); + organization$ + .pipe( + takeUntilDestroyed(), + tap((org) => (this.organization = org)), + switchMap((org) => this.organizationWarningsService.showInactiveSubscriptionDialog$(org)), + ) + .subscribe(); } async getUsers(): Promise { @@ -932,4 +942,14 @@ export class MembersComponent extends BaseMembersComponent .getCheckedUsers() .every((member) => member.managedByOrganization && validStatuses.includes(member.status)); } + + async navigateToPaymentMethod() { + const managePaymentDetailsOutsideCheckout = await this.configService.getFeatureFlag( + FeatureFlag.PM21881_ManagePaymentDetailsOutsideCheckout, + ); + const route = managePaymentDetailsOutsideCheckout ? "payment-details" : "payment-method"; + await this.router.navigate(["organizations", `${this.organization?.id}`, "billing", route], { + state: { launchPaymentModalAutomatically: true }, + }); + } } diff --git a/apps/web/src/app/admin-console/organizations/members/members.module.ts b/apps/web/src/app/admin-console/organizations/members/members.module.ts index 98431758d2f..5f626d44161 100644 --- a/apps/web/src/app/admin-console/organizations/members/members.module.ts +++ b/apps/web/src/app/admin-console/organizations/members/members.module.ts @@ -5,6 +5,7 @@ import { PasswordStrengthV2Component } from "@bitwarden/angular/tools/password-s import { PasswordCalloutComponent } from "@bitwarden/auth/angular"; import { ScrollLayoutDirective } from "@bitwarden/components"; +import { OrganizationFreeTrialWarningComponent } from "../../../billing/warnings/components"; import { LooseComponentsModule } from "../../../shared"; import { SharedOrganizationModule } from "../shared"; @@ -29,6 +30,7 @@ import { MembersComponent } from "./members.component"; ScrollingModule, PasswordStrengthV2Component, ScrollLayoutDirective, + OrganizationFreeTrialWarningComponent, ], declarations: [ BulkConfirmDialogComponent, diff --git a/apps/web/src/app/billing/organizations/payment-method/organization-payment-method.component.ts b/apps/web/src/app/billing/organizations/payment-method/organization-payment-method.component.ts index 9b144fe59a7..aa7bf5e5d11 100644 --- a/apps/web/src/app/billing/organizations/payment-method/organization-payment-method.component.ts +++ b/apps/web/src/app/billing/organizations/payment-method/organization-payment-method.component.ts @@ -36,6 +36,10 @@ import { AdjustPaymentDialogComponent, AdjustPaymentDialogResultType, } from "../../shared/adjust-payment-dialog/adjust-payment-dialog.component"; +import { + TRIAL_PAYMENT_METHOD_DIALOG_RESULT_TYPE, + TrialPaymentDialogComponent, +} from "../../shared/trial-payment-dialog/trial-payment-dialog.component"; import { FreeTrial } from "../../types/free-trial"; @Component({ @@ -212,15 +216,15 @@ export class OrganizationPaymentMethodComponent implements OnDestroy { }; changePayment = async () => { - const dialogRef = AdjustPaymentDialogComponent.open(this.dialogService, { + const dialogRef = TrialPaymentDialogComponent.open(this.dialogService, { data: { - initialPaymentMethod: this.paymentSource?.type, organizationId: this.organizationId, - productTier: this.organization?.productTierType, + subscription: this.organizationSubscriptionResponse, + productTierType: this.organization?.productTierType, }, }); const result = await lastValueFrom(dialogRef.closed); - if (result === AdjustPaymentDialogResultType.Submitted) { + if (result === TRIAL_PAYMENT_METHOD_DIALOG_RESULT_TYPE.SUBMITTED) { this.location.replaceState(this.location.path(), "", {}); if (this.launchPaymentModalAutomatically && !this.organization.enabled) { await this.syncService.fullSync(true); diff --git a/apps/web/src/app/billing/services/plan-card.service.ts b/apps/web/src/app/billing/services/plan-card.service.ts new file mode 100644 index 00000000000..25974a428fd --- /dev/null +++ b/apps/web/src/app/billing/services/plan-card.service.ts @@ -0,0 +1,59 @@ +import { Injectable } from "@angular/core"; + +import { ApiService } from "@bitwarden/common/abstractions/api.service"; +import { OrganizationSubscriptionResponse } from "@bitwarden/common/billing/models/response/organization-subscription.response"; +import { PlanResponse } from "@bitwarden/common/billing/models/response/plan.response"; + +@Injectable({ providedIn: "root" }) +export class PlanCardService { + constructor(private apiService: ApiService) {} + + async getCadenceCards( + currentPlan: PlanResponse, + subscription: OrganizationSubscriptionResponse, + isSecretsManagerTrial: boolean, + ) { + const plans = await this.apiService.getPlans(); + + const filteredPlans = plans.data.filter((plan) => !!plan.PasswordManager); + + const result = + filteredPlans?.filter( + (plan) => + plan.productTier === currentPlan.productTier && !plan.disabled && !plan.legacyYear, + ) || []; + + const planCards = result.map((plan) => { + let costPerMember = 0; + + if (plan.PasswordManager.basePrice) { + costPerMember = plan.isAnnual + ? plan.PasswordManager.basePrice / 12 + : plan.PasswordManager.basePrice; + } else if (!plan.PasswordManager.basePrice && plan.PasswordManager.hasAdditionalSeatsOption) { + const secretsManagerCost = subscription.useSecretsManager + ? plan.SecretsManager.seatPrice + : 0; + const passwordManagerCost = isSecretsManagerTrial ? 0 : plan.PasswordManager.seatPrice; + costPerMember = (secretsManagerCost + passwordManagerCost) / (plan.isAnnual ? 12 : 1); + } + + const percentOff = subscription.customerDiscount?.percentOff ?? 0; + + const discount = + (percentOff === 0 && plan.isAnnual) || isSecretsManagerTrial ? 20 : percentOff; + + return { + title: plan.isAnnual ? "Annually" : "Monthly", + costPerMember, + discount, + isDisabled: false, + isSelected: plan.isAnnual, + isAnnual: plan.isAnnual, + productTier: plan.productTier, + }; + }); + + return planCards.reverse(); + } +} diff --git a/apps/web/src/app/billing/services/pricing-summary.service.ts b/apps/web/src/app/billing/services/pricing-summary.service.ts new file mode 100644 index 00000000000..0b048b379d8 --- /dev/null +++ b/apps/web/src/app/billing/services/pricing-summary.service.ts @@ -0,0 +1,155 @@ +import { Injectable } from "@angular/core"; + +import { Organization } from "@bitwarden/common/admin-console/models/domain/organization"; +import { TaxServiceAbstraction } from "@bitwarden/common/billing/abstractions/tax.service.abstraction"; +import { PlanInterval, ProductTierType } from "@bitwarden/common/billing/enums"; +import { TaxInformation } from "@bitwarden/common/billing/models/domain/tax-information"; +import { PreviewOrganizationInvoiceRequest } from "@bitwarden/common/billing/models/request/preview-organization-invoice.request"; +import { OrganizationSubscriptionResponse } from "@bitwarden/common/billing/models/response/organization-subscription.response"; +import { PlanResponse } from "@bitwarden/common/billing/models/response/plan.response"; + +import { PricingSummaryData } from "../shared/pricing-summary/pricing-summary.component"; + +@Injectable({ + providedIn: "root", +}) +export class PricingSummaryService { + private estimatedTax: number = 0; + + constructor(private taxService: TaxServiceAbstraction) {} + + async getPricingSummaryData( + plan: PlanResponse, + sub: OrganizationSubscriptionResponse, + organization: Organization, + selectedInterval: PlanInterval, + taxInformation: TaxInformation, + isSecretsManagerTrial: boolean, + ): Promise { + // Calculation helpers + const passwordManagerSeatTotal = + plan.PasswordManager?.hasAdditionalSeatsOption && !isSecretsManagerTrial + ? plan.PasswordManager.seatPrice * Math.abs(sub?.seats || 0) + : 0; + + const secretsManagerSeatTotal = plan.SecretsManager?.hasAdditionalSeatsOption + ? plan.SecretsManager.seatPrice * Math.abs(sub?.smSeats || 0) + : 0; + + const additionalServiceAccount = this.getAdditionalServiceAccount(plan, sub); + + const additionalStorageTotal = plan.PasswordManager?.hasAdditionalStorageOption + ? plan.PasswordManager.additionalStoragePricePerGb * + (sub?.maxStorageGb ? sub.maxStorageGb - 1 : 0) + : 0; + + const additionalStoragePriceMonthly = plan.PasswordManager?.additionalStoragePricePerGb || 0; + + const additionalServiceAccountTotal = + plan.SecretsManager?.hasAdditionalServiceAccountOption && additionalServiceAccount > 0 + ? plan.SecretsManager.additionalPricePerServiceAccount * additionalServiceAccount + : 0; + + let passwordManagerSubtotal = plan.PasswordManager?.basePrice || 0; + if (plan.PasswordManager?.hasAdditionalSeatsOption) { + passwordManagerSubtotal += passwordManagerSeatTotal; + } + if (plan.PasswordManager?.hasPremiumAccessOption) { + passwordManagerSubtotal += plan.PasswordManager.premiumAccessOptionPrice; + } + + const secretsManagerSubtotal = plan.SecretsManager + ? (plan.SecretsManager.basePrice || 0) + + secretsManagerSeatTotal + + additionalServiceAccountTotal + : 0; + + const totalAppliedDiscount = 0; + const discountPercentageFromSub = isSecretsManagerTrial + ? 0 + : (sub?.customerDiscount?.percentOff ?? 0); + const discountPercentage = 20; + const acceptingSponsorship = false; + const storageGb = sub?.maxStorageGb ? sub?.maxStorageGb - 1 : 0; + + this.estimatedTax = await this.getEstimatedTax(organization, plan, sub, taxInformation); + + const total = organization?.useSecretsManager + ? passwordManagerSubtotal + + additionalStorageTotal + + secretsManagerSubtotal + + this.estimatedTax + : passwordManagerSubtotal + additionalStorageTotal + this.estimatedTax; + + return { + selectedPlanInterval: selectedInterval === PlanInterval.Annually ? "year" : "month", + passwordManagerSeats: + plan.productTier === ProductTierType.Families ? plan.PasswordManager.baseSeats : sub?.seats, + passwordManagerSeatTotal, + secretsManagerSeatTotal, + additionalStorageTotal, + additionalStoragePriceMonthly, + additionalServiceAccountTotal, + totalAppliedDiscount, + secretsManagerSubtotal, + passwordManagerSubtotal, + total, + organization, + sub, + selectedPlan: plan, + selectedInterval, + discountPercentageFromSub, + discountPercentage, + acceptingSponsorship, + additionalServiceAccount, + storageGb, + isSecretsManagerTrial, + estimatedTax: this.estimatedTax, + }; + } + + async getEstimatedTax( + organization: Organization, + currentPlan: PlanResponse, + sub: OrganizationSubscriptionResponse, + taxInformation: TaxInformation, + ) { + if (!taxInformation || !taxInformation.country || !taxInformation.postalCode) { + return 0; + } + + const request: PreviewOrganizationInvoiceRequest = { + organizationId: organization.id, + passwordManager: { + additionalStorage: 0, + plan: currentPlan?.type, + seats: sub.seats, + }, + taxInformation: { + postalCode: taxInformation.postalCode, + country: taxInformation.country, + taxId: taxInformation.taxId, + }, + }; + + if (organization.useSecretsManager) { + request.secretsManager = { + seats: sub.smSeats ?? 0, + additionalMachineAccounts: + (sub.smServiceAccounts ?? 0) - (sub.plan.SecretsManager?.baseServiceAccount ?? 0), + }; + } + const invoiceResponse = await this.taxService.previewOrganizationInvoice(request); + return invoiceResponse.taxAmount; + } + + getAdditionalServiceAccount(plan: PlanResponse, sub: OrganizationSubscriptionResponse): number { + if (!plan || !plan.SecretsManager) { + return 0; + } + const baseServiceAccount = plan.SecretsManager?.baseServiceAccount || 0; + const usedServiceAccounts = sub?.smServiceAccounts || 0; + const additionalServiceAccounts = baseServiceAccount - usedServiceAccounts; + return additionalServiceAccounts <= 0 ? Math.abs(additionalServiceAccounts) : 0; + } +} diff --git a/apps/web/src/app/billing/shared/billing-shared.module.ts b/apps/web/src/app/billing/shared/billing-shared.module.ts index 9a69755b209..7322f047551 100644 --- a/apps/web/src/app/billing/shared/billing-shared.module.ts +++ b/apps/web/src/app/billing/shared/billing-shared.module.ts @@ -12,10 +12,13 @@ import { BillingHistoryComponent } from "./billing-history.component"; import { OffboardingSurveyComponent } from "./offboarding-survey.component"; import { PaymentComponent } from "./payment/payment.component"; import { PaymentMethodComponent } from "./payment-method.component"; +import { PlanCardComponent } from "./plan-card/plan-card.component"; +import { PricingSummaryComponent } from "./pricing-summary/pricing-summary.component"; import { IndividualSelfHostingLicenseUploaderComponent } from "./self-hosting-license-uploader/individual-self-hosting-license-uploader.component"; import { OrganizationSelfHostingLicenseUploaderComponent } from "./self-hosting-license-uploader/organization-self-hosting-license-uploader.component"; import { SecretsManagerSubscribeComponent } from "./sm-subscribe.component"; import { TaxInfoComponent } from "./tax-info.component"; +import { TrialPaymentDialogComponent } from "./trial-payment-dialog/trial-payment-dialog.component"; import { UpdateLicenseDialogComponent } from "./update-license-dialog.component"; import { UpdateLicenseComponent } from "./update-license.component"; import { VerifyBankAccountComponent } from "./verify-bank-account/verify-bank-account.component"; @@ -41,6 +44,9 @@ import { VerifyBankAccountComponent } from "./verify-bank-account/verify-bank-ac AdjustStorageDialogComponent, IndividualSelfHostingLicenseUploaderComponent, OrganizationSelfHostingLicenseUploaderComponent, + TrialPaymentDialogComponent, + PlanCardComponent, + PricingSummaryComponent, ], exports: [ SharedModule, diff --git a/apps/web/src/app/billing/shared/plan-card/plan-card.component.html b/apps/web/src/app/billing/shared/plan-card/plan-card.component.html new file mode 100644 index 00000000000..08fd3b435f6 --- /dev/null +++ b/apps/web/src/app/billing/shared/plan-card/plan-card.component.html @@ -0,0 +1,45 @@ +@let isFocused = plan().isSelected; +@let isRecommended = plan().isAnnual; + + +
+ @if (isRecommended) { +
+ {{ "recommended" | i18n }} +
+ } +
+

+ {{ plan().title }} + + + {{ "upgradeDiscount" | i18n: plan().discount }} +

+ + {{ plan().costPerMember | currency: "$" }} + /{{ "monthPerMember" | i18n }} + +
+
+ diff --git a/apps/web/src/app/billing/shared/plan-card/plan-card.component.ts b/apps/web/src/app/billing/shared/plan-card/plan-card.component.ts new file mode 100644 index 00000000000..9e3f03a5e7d --- /dev/null +++ b/apps/web/src/app/billing/shared/plan-card/plan-card.component.ts @@ -0,0 +1,68 @@ +import { Component, input, output } from "@angular/core"; + +import { ProductTierType } from "@bitwarden/common/billing/enums"; + +export interface PlanCard { + title: string; + costPerMember: number; + discount?: number; + isDisabled: boolean; + isAnnual: boolean; + isSelected: boolean; + productTier: ProductTierType; +} + +@Component({ + selector: "app-plan-card", + templateUrl: "./plan-card.component.html", + standalone: false, +}) +export class PlanCardComponent { + plan = input.required(); + productTiers = ProductTierType; + + cardClicked = output(); + + getPlanCardContainerClasses(): string[] { + const isSelected = this.plan().isSelected; + const isDisabled = this.plan().isDisabled; + if (isDisabled) { + return [ + "tw-cursor-not-allowed", + "tw-bg-secondary-100", + "tw-font-normal", + "tw-bg-blur", + "tw-text-muted", + "tw-block", + "tw-rounded", + ]; + } + + return isSelected + ? [ + "tw-cursor-pointer", + "tw-block", + "tw-rounded", + "tw-border", + "tw-border-solid", + "tw-border-primary-600", + "tw-border-2", + "tw-rounded-lg", + "hover:tw-border-primary-700", + "focus:tw-border-3", + "focus:tw-border-primary-700", + "focus:tw-rounded-lg", + ] + : [ + "tw-cursor-pointer", + "tw-block", + "tw-rounded", + "tw-border", + "tw-border-solid", + "tw-border-secondary-300", + "hover:tw-border-text-main", + "focus:tw-border-2", + "focus:tw-border-primary-700", + ]; + } +} diff --git a/apps/web/src/app/billing/shared/pricing-summary/pricing-summary.component.html b/apps/web/src/app/billing/shared/pricing-summary/pricing-summary.component.html new file mode 100644 index 00000000000..855b83bdb2d --- /dev/null +++ b/apps/web/src/app/billing/shared/pricing-summary/pricing-summary.component.html @@ -0,0 +1,259 @@ + +
+

+ {{ "total" | i18n }}: + {{ summaryData.total - summaryData.totalAppliedDiscount | currency: "USD" : "$" }} USD + / {{ summaryData.selectedPlanInterval | i18n }} + +

+
+ + + +
+ + + + + + + + + + + + + + +

{{ "passwordManager" | i18n }}

+ + + +

+ + + + {{ summaryData.passwordManagerSeats }} {{ "members" | i18n }} × + {{ + (summaryData.selectedPlan.isAnnual + ? summaryData.selectedPlan.PasswordManager.basePrice / 12 + : summaryData.selectedPlan.PasswordManager.basePrice + ) | currency: "$" + }} + /{{ summaryData.selectedPlanInterval | i18n }} + + + {{ "basePrice" | i18n }}: + {{ summaryData.selectedPlan.PasswordManager.basePrice | currency: "$" }} + {{ "monthAbbr" | i18n }} + + + + + + {{ + summaryData.selectedPlan.PasswordManager.basePrice | currency: "$" + }} + {{ "freeWithSponsorship" | i18n }} + + + {{ summaryData.selectedPlan.PasswordManager.basePrice | currency: "$" }} + + +

+ + + + +

+ + {{ "additionalUsers" | i18n }}: + {{ summaryData.passwordManagerSeats || 0 }}  + {{ + "members" | i18n + }} + × + {{ summaryData.selectedPlan.PasswordManager.seatPrice | currency: "$" }} + /{{ summaryData.selectedPlanInterval | i18n }} + + + {{ summaryData.passwordManagerSeatTotal | currency: "$" }} + + + {{ "freeForOneYear" | i18n }} + +

+ + + + +

+ + {{ summaryData.storageGb }} {{ "additionalStorageGbMessage" | i18n }} + × + {{ summaryData.additionalStoragePriceMonthly | currency: "$" }} + /{{ summaryData.selectedPlanInterval | i18n }} + + + + + {{ summaryData.additionalStorageTotal | currency: "$" }} + + + {{ + summaryData.storageGb * + summaryData.selectedPlan.PasswordManager.additionalStoragePricePerGb + | currency: "$" + }} + + + +

+ + + + + + + +

{{ "secretsManager" | i18n }}

+ + + +

+ + + + {{ summaryData.sub?.smSeats }} {{ "members" | i18n }} × + {{ + (summaryData.selectedPlan.isAnnual + ? summaryData.selectedPlan.SecretsManager.basePrice / 12 + : summaryData.selectedPlan.SecretsManager.basePrice + ) | currency: "$" + }} + /{{ summaryData.selectedPlanInterval | i18n }} + + + {{ "basePrice" | i18n }}: + {{ summaryData.selectedPlan.SecretsManager.basePrice | currency: "$" }} + {{ "monthAbbr" | i18n }} + + + + + {{ summaryData.selectedPlan.SecretsManager.basePrice | currency: "$" }} + +

+ + + + +

+ + {{ "additionalUsers" | i18n }}: + {{ summaryData.sub?.smSeats || 0 }}  + {{ + "members" | i18n + }} + × + {{ summaryData.selectedPlan.SecretsManager.seatPrice | currency: "$" }} + /{{ summaryData.selectedPlanInterval | i18n }} + + + {{ summaryData.secretsManagerSeatTotal | currency: "$" }} + +

+ + + + +

+ + {{ summaryData.additionalServiceAccount }} + {{ "serviceAccounts" | i18n | lowercase }} + × + {{ + summaryData.selectedPlan?.SecretsManager?.additionalPricePerServiceAccount + | currency: "$" + }} + /{{ summaryData.selectedPlanInterval | i18n }} + + {{ summaryData.additionalServiceAccountTotal | currency: "$" }} +

+ + + + + + +

+ + {{ + "providerDiscount" | i18n: this.summaryData.discountPercentageFromSub | lowercase + }} + + + {{ summaryData.totalAppliedDiscount | currency: "$" }} + +

+ + +
+ + +
+ +

+ {{ "estimatedTax" | i18n }} + {{ summaryData.estimatedTax | currency: "USD" : "$" }} +

+ +
+ +
+ +

+ {{ "total" | i18n }} + + {{ summaryData.total - summaryData.totalAppliedDiscount | currency: "USD" : "$" }} + / {{ summaryData.selectedPlanInterval | i18n }} + +

+ +
+ + diff --git a/apps/web/src/app/billing/shared/pricing-summary/pricing-summary.component.ts b/apps/web/src/app/billing/shared/pricing-summary/pricing-summary.component.ts new file mode 100644 index 00000000000..d4fdf35b743 --- /dev/null +++ b/apps/web/src/app/billing/shared/pricing-summary/pricing-summary.component.ts @@ -0,0 +1,48 @@ +import { Component, Input } from "@angular/core"; + +import { Organization } from "@bitwarden/common/admin-console/models/domain/organization"; +import { PlanInterval } from "@bitwarden/common/billing/enums"; +import { OrganizationSubscriptionResponse } from "@bitwarden/common/billing/models/response/organization-subscription.response"; +import { PlanResponse } from "@bitwarden/common/billing/models/response/plan.response"; + +export interface PricingSummaryData { + selectedPlanInterval: string; + passwordManagerSeats: number; + passwordManagerSeatTotal: number; + secretsManagerSeatTotal: number; + additionalStorageTotal: number; + additionalStoragePriceMonthly: number; + additionalServiceAccountTotal: number; + totalAppliedDiscount: number; + secretsManagerSubtotal: number; + passwordManagerSubtotal: number; + total: number; + organization?: Organization; + sub?: OrganizationSubscriptionResponse; + selectedPlan?: PlanResponse; + selectedInterval?: PlanInterval; + discountPercentageFromSub?: number; + discountPercentage?: number; + acceptingSponsorship?: boolean; + additionalServiceAccount?: number; + totalOpened?: boolean; + storageGb?: number; + isSecretsManagerTrial?: boolean; + estimatedTax?: number; +} + +@Component({ + selector: "app-pricing-summary", + templateUrl: "./pricing-summary.component.html", + standalone: false, +}) +export class PricingSummaryComponent { + @Input() summaryData!: PricingSummaryData; + planIntervals = PlanInterval; + + toggleTotalOpened(): void { + if (this.summaryData) { + this.summaryData.totalOpened = !this.summaryData.totalOpened; + } + } +} diff --git a/apps/web/src/app/billing/shared/trial-payment-dialog/trial-payment-dialog.component.html b/apps/web/src/app/billing/shared/trial-payment-dialog/trial-payment-dialog.component.html new file mode 100644 index 00000000000..dbd2899c9e0 --- /dev/null +++ b/apps/web/src/app/billing/shared/trial-payment-dialog/trial-payment-dialog.component.html @@ -0,0 +1,117 @@ + + + {{ "subscribetoEnterprise" | i18n: currentPlanName }} + + +
+

{{ "subscribeEnterpriseSubtitle" | i18n: currentPlanName }}

+ + + +
    +
  • + + {{ "includeEnterprisePolicies" | i18n }} +
    • +
  • + + {{ "passwordLessSso" | i18n }} +
    • +
  • + + {{ "accountRecovery" | i18n }} +
    • +
  • + + {{ "customRoles" | i18n }} +
    • +
  • + + {{ "unlimitedSecretsAndProjects" | i18n }} +
    • +
+ +
    +
  • + + {{ "secureDataSharing" | i18n }} +
    • +
  • + + {{ "eventLogMonitoring" | i18n }} +
    • +
  • + + {{ "directoryIntegration" | i18n }} +
    • +
  • + + {{ "unlimitedSecretsAndProjects" | i18n }} +
    • +
+ +
    +
  • + + {{ "premiumAccounts" | i18n }} +
    • +
  • + + {{ "unlimitedSharing" | i18n }} +
    • +
  • + + {{ "createUnlimitedCollections" | i18n }} +
    • +
+ + +
+
+

{{ "selectAPlan" | i18n }}

+
+ + +
+ @for (planCard of planCards(); track $index) { + + } +
+ +
+ + +

{{ "paymentMethod" | i18n }}

+ + + + + + + +
+ + + + + + diff --git a/apps/web/src/app/billing/shared/trial-payment-dialog/trial-payment-dialog.component.ts b/apps/web/src/app/billing/shared/trial-payment-dialog/trial-payment-dialog.component.ts new file mode 100644 index 00000000000..ca51ae80e1f --- /dev/null +++ b/apps/web/src/app/billing/shared/trial-payment-dialog/trial-payment-dialog.component.ts @@ -0,0 +1,365 @@ +import { Component, EventEmitter, Inject, OnInit, Output, signal, ViewChild } from "@angular/core"; +import { firstValueFrom, map } from "rxjs"; + +import { ManageTaxInformationComponent } from "@bitwarden/angular/billing/components"; +import { ApiService } from "@bitwarden/common/abstractions/api.service"; +import { OrganizationApiServiceAbstraction } from "@bitwarden/common/admin-console/abstractions/organization/organization-api.service.abstraction"; +import { + getOrganizationById, + OrganizationService, +} from "@bitwarden/common/admin-console/abstractions/organization/organization.service.abstraction"; +import { Organization } from "@bitwarden/common/admin-console/models/domain/organization"; +import { AccountService } from "@bitwarden/common/auth/abstractions/account.service"; +import { BillingApiServiceAbstraction } from "@bitwarden/common/billing/abstractions"; +import { OrganizationBillingApiServiceAbstraction } from "@bitwarden/common/billing/abstractions/organizations/organization-billing-api.service.abstraction"; +import { PaymentMethodType, PlanInterval, ProductTierType } from "@bitwarden/common/billing/enums"; +import { TaxInformation } from "@bitwarden/common/billing/models/domain"; +import { ChangePlanFrequencyRequest } from "@bitwarden/common/billing/models/request/change-plan-frequency.request"; +import { ExpandedTaxInfoUpdateRequest } from "@bitwarden/common/billing/models/request/expanded-tax-info-update.request"; +import { PreviewOrganizationInvoiceRequest } from "@bitwarden/common/billing/models/request/preview-organization-invoice.request"; +import { UpdatePaymentMethodRequest } from "@bitwarden/common/billing/models/request/update-payment-method.request"; +import { OrganizationSubscriptionResponse } from "@bitwarden/common/billing/models/response/organization-subscription.response"; +import { PlanResponse } from "@bitwarden/common/billing/models/response/plan.response"; +import { ListResponse } from "@bitwarden/common/models/response/list.response"; +import { I18nService } from "@bitwarden/common/platform/abstractions/i18n.service"; +import { + DIALOG_DATA, + DialogConfig, + DialogRef, + DialogService, + ToastService, +} from "@bitwarden/components"; + +import { PlanCardService } from "../../services/plan-card.service"; +import { PaymentComponent } from "../payment/payment.component"; +import { PlanCard } from "../plan-card/plan-card.component"; +import { PricingSummaryData } from "../pricing-summary/pricing-summary.component"; + +import { PricingSummaryService } from "./../../services/pricing-summary.service"; + +type TrialPaymentDialogParams = { + organizationId: string; + subscription: OrganizationSubscriptionResponse; + productTierType: ProductTierType; + initialPaymentMethod?: PaymentMethodType; +}; + +export const TRIAL_PAYMENT_METHOD_DIALOG_RESULT_TYPE = { + CLOSED: "closed", + SUBMITTED: "submitted", +} as const; + +export type TrialPaymentDialogResultType = + (typeof TRIAL_PAYMENT_METHOD_DIALOG_RESULT_TYPE)[keyof typeof TRIAL_PAYMENT_METHOD_DIALOG_RESULT_TYPE]; + +interface OnSuccessArgs { + organizationId: string; +} + +@Component({ + selector: "app-trial-payment-dialog", + templateUrl: "./trial-payment-dialog.component.html", + standalone: false, +}) +export class TrialPaymentDialogComponent implements OnInit { + @ViewChild(PaymentComponent) paymentComponent!: PaymentComponent; + @ViewChild(ManageTaxInformationComponent) taxComponent!: ManageTaxInformationComponent; + + currentPlan!: PlanResponse; + currentPlanName!: string; + productTypes = ProductTierType; + organization!: Organization; + organizationId!: string; + sub!: OrganizationSubscriptionResponse; + selectedInterval: PlanInterval = PlanInterval.Annually; + + planCards = signal([]); + plans!: ListResponse; + + @Output() onSuccess = new EventEmitter(); + protected initialPaymentMethod: PaymentMethodType; + protected taxInformation!: TaxInformation; + protected readonly ResultType = TRIAL_PAYMENT_METHOD_DIALOG_RESULT_TYPE; + pricingSummaryData!: PricingSummaryData; + + constructor( + @Inject(DIALOG_DATA) private dialogParams: TrialPaymentDialogParams, + private dialogRef: DialogRef, + private organizationService: OrganizationService, + private i18nService: I18nService, + private organizationApiService: OrganizationApiServiceAbstraction, + private accountService: AccountService, + private planCardService: PlanCardService, + private pricingSummaryService: PricingSummaryService, + private apiService: ApiService, + private toastService: ToastService, + private billingApiService: BillingApiServiceAbstraction, + private organizationBillingApiServiceAbstraction: OrganizationBillingApiServiceAbstraction, + ) { + this.initialPaymentMethod = this.dialogParams.initialPaymentMethod ?? PaymentMethodType.Card; + } + + async ngOnInit(): Promise { + this.currentPlanName = this.resolvePlanName(this.dialogParams.productTierType); + this.sub = + this.dialogParams.subscription ?? + (await this.organizationApiService.getSubscription(this.dialogParams.organizationId)); + this.organizationId = this.dialogParams.organizationId; + this.currentPlan = this.sub?.plan; + const userId = await firstValueFrom(this.accountService.activeAccount$.pipe(map((a) => a?.id))); + if (!userId) { + throw new Error("User ID is required"); + } + const organization = await firstValueFrom( + this.organizationService + .organizations$(userId) + .pipe(getOrganizationById(this.organizationId)), + ); + if (!organization) { + throw new Error("Organization not found"); + } + this.organization = organization; + + const planCards = await this.planCardService.getCadenceCards( + this.currentPlan, + this.sub, + this.isSecretsManagerTrial(), + ); + + this.planCards.set(planCards); + + if (!this.selectedInterval) { + this.selectedInterval = planCards.find((card) => card.isSelected)?.isAnnual + ? PlanInterval.Annually + : PlanInterval.Monthly; + } + + const taxInfo = await this.organizationApiService.getTaxInfo(this.organizationId); + this.taxInformation = TaxInformation.from(taxInfo); + + this.pricingSummaryData = await this.pricingSummaryService.getPricingSummaryData( + this.currentPlan, + this.sub, + this.organization, + this.selectedInterval, + this.taxInformation, + this.isSecretsManagerTrial(), + ); + + this.plans = await this.apiService.getPlans(); + } + + static open = ( + dialogService: DialogService, + dialogConfig: DialogConfig, + ) => dialogService.open(TrialPaymentDialogComponent, dialogConfig); + + async setSelected(planCard: PlanCard) { + this.selectedInterval = planCard.isAnnual ? PlanInterval.Annually : PlanInterval.Monthly; + + this.planCards.update((planCards) => { + return planCards.map((planCard) => { + if (planCard.isSelected) { + return { + ...planCard, + isSelected: false, + }; + } else { + return { + ...planCard, + isSelected: true, + }; + } + }); + }); + + await this.selectPlan(); + + this.pricingSummaryData = await this.pricingSummaryService.getPricingSummaryData( + this.currentPlan, + this.sub, + this.organization, + this.selectedInterval, + this.taxInformation, + this.isSecretsManagerTrial(), + ); + } + + protected async selectPlan() { + if ( + this.selectedInterval === PlanInterval.Monthly && + this.currentPlan.productTier == ProductTierType.Families + ) { + return; + } + + const filteredPlans = this.plans.data.filter( + (plan) => + plan.productTier === this.currentPlan.productTier && + plan.isAnnual === (this.selectedInterval === PlanInterval.Annually), + ); + if (filteredPlans.length > 0) { + this.currentPlan = filteredPlans[0]; + } + try { + await this.refreshSalesTax(); + } catch (error) { + const errorMessage = error instanceof Error ? error.message : String(error); + const translatedMessage = this.i18nService.t(errorMessage); + this.toastService.showToast({ + title: "", + variant: "error", + message: !translatedMessage || translatedMessage === "" ? errorMessage : translatedMessage, + }); + } + } + + protected get showTaxIdField(): boolean { + switch (this.currentPlan.productTier) { + case ProductTierType.Free: + case ProductTierType.Families: + return false; + default: + return true; + } + } + + private async refreshSalesTax(): Promise { + if ( + this.taxInformation === undefined || + !this.taxInformation.country || + !this.taxInformation.postalCode + ) { + return; + } + + const request: PreviewOrganizationInvoiceRequest = { + organizationId: this.organizationId, + passwordManager: { + additionalStorage: 0, + plan: this.currentPlan?.type, + seats: this.sub.seats, + }, + taxInformation: { + postalCode: this.taxInformation.postalCode, + country: this.taxInformation.country, + taxId: this.taxInformation.taxId, + }, + }; + + if (this.organization.useSecretsManager) { + request.secretsManager = { + seats: this.sub.smSeats ?? 0, + additionalMachineAccounts: + (this.sub.smServiceAccounts ?? 0) - + (this.sub.plan.SecretsManager?.baseServiceAccount ?? 0), + }; + } + + this.pricingSummaryData = await this.pricingSummaryService.getPricingSummaryData( + this.currentPlan, + this.sub, + this.organization, + this.selectedInterval, + this.taxInformation, + this.isSecretsManagerTrial(), + ); + } + + async taxInformationChanged(event: TaxInformation) { + this.taxInformation = event; + this.toggleBankAccount(); + await this.refreshSalesTax(); + } + + toggleBankAccount = () => { + this.paymentComponent.showBankAccount = this.taxInformation.country === "US"; + + if ( + !this.paymentComponent.showBankAccount && + this.paymentComponent.selected === PaymentMethodType.BankAccount + ) { + this.paymentComponent.select(PaymentMethodType.Card); + } + }; + + isSecretsManagerTrial(): boolean { + return ( + this.sub?.subscription?.items?.some((item) => + this.sub?.customerDiscount?.appliesTo?.includes(item.productId), + ) ?? false + ); + } + + async onSubscribe(): Promise { + if (!this.taxComponent.validate()) { + this.taxComponent.markAllAsTouched(); + } + try { + await this.updateOrganizationPaymentMethod( + this.organizationId, + this.paymentComponent, + this.taxInformation, + ); + + if (this.currentPlan.type !== this.sub.planType) { + const changePlanRequest = new ChangePlanFrequencyRequest(); + changePlanRequest.newPlanType = this.currentPlan.type; + await this.organizationBillingApiServiceAbstraction.changeSubscriptionFrequency( + this.organizationId, + changePlanRequest, + ); + } + + this.toastService.showToast({ + variant: "success", + title: undefined, + message: this.i18nService.t("updatedPaymentMethod"), + }); + + this.onSuccess.emit({ organizationId: this.organizationId }); + this.dialogRef.close(TRIAL_PAYMENT_METHOD_DIALOG_RESULT_TYPE.SUBMITTED); + } catch (error) { + const msg = + typeof error === "object" && error !== null && "message" in error + ? (error as { message: string }).message + : String(error); + this.toastService.showToast({ + variant: "error", + title: undefined, + message: this.i18nService.t(msg) || msg, + }); + } + } + + private async updateOrganizationPaymentMethod( + organizationId: string, + paymentComponent: PaymentComponent, + taxInformation: TaxInformation, + ): Promise { + const paymentSource = await paymentComponent.tokenize(); + + const request = new UpdatePaymentMethodRequest(); + request.paymentSource = paymentSource; + request.taxInformation = ExpandedTaxInfoUpdateRequest.From(taxInformation); + + await this.billingApiService.updateOrganizationPaymentMethod(organizationId, request); + } + + resolvePlanName(productTier: ProductTierType): string { + switch (productTier) { + case ProductTierType.Enterprise: + return this.i18nService.t("planNameEnterprise"); + case ProductTierType.Free: + return this.i18nService.t("planNameFree"); + case ProductTierType.Families: + return this.i18nService.t("planNameFamilies"); + case ProductTierType.Teams: + return this.i18nService.t("planNameTeams"); + case ProductTierType.TeamsStarter: + return this.i18nService.t("planNameTeamsStarter"); + default: + return this.i18nService.t("planNameFree"); + } + } +} diff --git a/apps/web/src/app/billing/warnings/components/organization-free-trial-warning.component.ts b/apps/web/src/app/billing/warnings/components/organization-free-trial-warning.component.ts index 074358537b6..a7ce53c9998 100644 --- a/apps/web/src/app/billing/warnings/components/organization-free-trial-warning.component.ts +++ b/apps/web/src/app/billing/warnings/components/organization-free-trial-warning.component.ts @@ -1,8 +1,10 @@ import { AsyncPipe } from "@angular/common"; -import { Component, EventEmitter, Input, OnInit, Output } from "@angular/core"; -import { Observable } from "rxjs"; +import { Component, EventEmitter, Input, OnDestroy, OnInit, Output } from "@angular/core"; +import { Observable, Subject } from "rxjs"; +import { takeUntil } from "rxjs/operators"; import { Organization } from "@bitwarden/common/admin-console/models/domain/organization"; +import { OrganizationId } from "@bitwarden/common/types/guid"; import { AnchorLinkDirective, BannerComponent } from "@bitwarden/components"; import { I18nPipe } from "@bitwarden/ui-common"; @@ -37,16 +39,28 @@ import { OrganizationFreeTrialWarning } from "../types"; `, imports: [AnchorLinkDirective, AsyncPipe, BannerComponent, I18nPipe], }) -export class OrganizationFreeTrialWarningComponent implements OnInit { +export class OrganizationFreeTrialWarningComponent implements OnInit, OnDestroy { @Input({ required: true }) organization!: Organization; @Output() clicked = new EventEmitter(); warning$!: Observable; + private destroy$ = new Subject(); constructor(private organizationWarningsService: OrganizationWarningsService) {} ngOnInit() { this.warning$ = this.organizationWarningsService.getFreeTrialWarning$(this.organization); + this.organizationWarningsService + .refreshWarningsForOrganization$(this.organization.id as OrganizationId) + .pipe(takeUntil(this.destroy$)) + .subscribe(() => { + this.refresh(); + }); + } + + ngOnDestroy() { + this.destroy$.next(); + this.destroy$.complete(); } refresh = () => { diff --git a/apps/web/src/app/billing/warnings/services/organization-warnings.service.ts b/apps/web/src/app/billing/warnings/services/organization-warnings.service.ts index fa53992afe0..78c17a5d384 100644 --- a/apps/web/src/app/billing/warnings/services/organization-warnings.service.ts +++ b/apps/web/src/app/billing/warnings/services/organization-warnings.service.ts @@ -1,6 +1,7 @@ +import { Location } from "@angular/common"; import { Injectable } from "@angular/core"; import { Router } from "@angular/router"; -import { filter, from, lastValueFrom, map, Observable, switchMap, takeWhile } from "rxjs"; +import { filter, from, lastValueFrom, map, Observable, Subject, switchMap, takeWhile } from "rxjs"; import { take } from "rxjs/operators"; import { OrganizationApiServiceAbstraction } from "@bitwarden/common/admin-console/abstractions/organization/organization-api.service.abstraction"; @@ -10,10 +11,15 @@ import { OrganizationWarningsResponse } from "@bitwarden/common/billing/models/r import { FeatureFlag } from "@bitwarden/common/enums/feature-flag.enum"; import { ConfigService } from "@bitwarden/common/platform/abstractions/config/config.service"; import { I18nService } from "@bitwarden/common/platform/abstractions/i18n.service"; +import { SyncService } from "@bitwarden/common/platform/sync"; import { OrganizationId } from "@bitwarden/common/types/guid"; import { DialogService } from "@bitwarden/components"; import { openChangePlanDialog } from "../../organizations/change-plan-dialog.component"; +import { + TRIAL_PAYMENT_METHOD_DIALOG_RESULT_TYPE, + TrialPaymentDialogComponent, +} from "../../shared/trial-payment-dialog/trial-payment-dialog.component"; import { OrganizationFreeTrialWarning, OrganizationResellerRenewalWarning } from "../types"; const format = (date: Date) => @@ -26,6 +32,7 @@ const format = (date: Date) => @Injectable({ providedIn: "root" }) export class OrganizationWarningsService { private cache$ = new Map>(); + private refreshWarnings$ = new Subject(); constructor( private configService: ConfigService, @@ -34,6 +41,8 @@ export class OrganizationWarningsService { private organizationApiService: OrganizationApiServiceAbstraction, private organizationBillingApiService: OrganizationBillingApiServiceAbstraction, private router: Router, + private location: Location, + protected syncService: SyncService, ) {} getFreeTrialWarning$ = ( @@ -174,10 +183,33 @@ export class OrganizationWarningsService { }); break; } + case "add_payment_method_optional_trial": { + const organizationSubscriptionResponse = + await this.organizationApiService.getSubscription(organization.id); + + const dialogRef = TrialPaymentDialogComponent.open(this.dialogService, { + data: { + organizationId: organization.id, + subscription: organizationSubscriptionResponse, + productTierType: organization?.productTierType, + }, + }); + const result = await lastValueFrom(dialogRef.closed); + if (result === TRIAL_PAYMENT_METHOD_DIALOG_RESULT_TYPE.SUBMITTED) { + this.refreshWarnings$.next(organization.id as OrganizationId); + } + } } }), ); + refreshWarningsForOrganization$(organizationId: OrganizationId): Observable { + return this.refreshWarnings$.pipe( + filter((id) => id === organizationId), + map((): void => void 0), + ); + } + private getResponse$ = ( organization: Organization, bypassCache: boolean = false, diff --git a/apps/web/src/locales/en/messages.json b/apps/web/src/locales/en/messages.json index d5ded3c75ea..9c9ecc79721 100644 --- a/apps/web/src/locales/en/messages.json +++ b/apps/web/src/locales/en/messages.json @@ -568,6 +568,9 @@ "cancel": { "message": "Cancel" }, + "later": { + "message": "Later" + }, "canceled": { "message": "Canceled" }, @@ -4630,6 +4633,9 @@ "receiveMarketingEmailsV2": { "message": "Get advice, announcements, and research opportunities from Bitwarden in your inbox." }, + "subscribe": { + "message": "Subscribe" + }, "unsubscribe": { "message": "Unsubscribe" }, @@ -10900,5 +10906,26 @@ "example": "12-3456789" } } + }, + "subscribetoEnterprise": { + "message": "Subscribe to $PLAN$", + "placeholders": { + "plan": { + "content": "$1", + "example": "Teams" + } + } + }, + "subscribeEnterpriseSubtitle": { + "message": "Your 7-day $PLAN$ trial starts today. Add a payment method now to continue using these features after your trial ends: ", + "placeholders": { + "plan": { + "content": "$1", + "example": "Teams" + } + } + }, + "unlimitedSecretsAndProjects": { + "message": "Unlimited secrets and projects" } -} +} \ No newline at end of file diff --git a/libs/common/src/billing/abstractions/organizations/organization-billing-api.service.abstraction.ts b/libs/common/src/billing/abstractions/organizations/organization-billing-api.service.abstraction.ts index 4975da0d7d2..29301e626b9 100644 --- a/libs/common/src/billing/abstractions/organizations/organization-billing-api.service.abstraction.ts +++ b/libs/common/src/billing/abstractions/organizations/organization-billing-api.service.abstraction.ts @@ -1,3 +1,4 @@ +import { ChangePlanFrequencyRequest } from "@bitwarden/common/billing/models/request/change-plan-frequency.request"; import { OrganizationWarningsResponse } from "@bitwarden/common/billing/models/response/organization-warnings.response"; import { @@ -28,4 +29,9 @@ export abstract class OrganizationBillingApiServiceAbstraction { organizationKey: string; }, ) => Promise; + + abstract changeSubscriptionFrequency: ( + organizationId: string, + request: ChangePlanFrequencyRequest, + ) => Promise; } diff --git a/libs/common/src/billing/models/request/change-plan-frequency.request.ts b/libs/common/src/billing/models/request/change-plan-frequency.request.ts new file mode 100644 index 00000000000..70b77181663 --- /dev/null +++ b/libs/common/src/billing/models/request/change-plan-frequency.request.ts @@ -0,0 +1,9 @@ +import { PlanType } from "../../enums"; + +export class ChangePlanFrequencyRequest { + newPlanType: PlanType; + + constructor(newPlanType?: PlanType) { + this.newPlanType = newPlanType!; + } +} diff --git a/libs/common/src/billing/services/organization/organization-billing-api.service.ts b/libs/common/src/billing/services/organization/organization-billing-api.service.ts index 1189316a487..e9456f61026 100644 --- a/libs/common/src/billing/services/organization/organization-billing-api.service.ts +++ b/libs/common/src/billing/services/organization/organization-billing-api.service.ts @@ -1,3 +1,4 @@ +import { ChangePlanFrequencyRequest } from "@bitwarden/common/billing/models/request/change-plan-frequency.request"; import { OrganizationWarningsResponse } from "@bitwarden/common/billing/models/response/organization-warnings.response"; import { ApiService } from "../../../abstractions/api.service"; @@ -83,4 +84,17 @@ export class OrganizationBillingApiService implements OrganizationBillingApiServ return response as string; } + + async changeSubscriptionFrequency( + organizationId: string, + request: ChangePlanFrequencyRequest, + ): Promise { + return await this.apiService.send( + "POST", + "/organizations/" + organizationId + "/billing/change-frequency", + request, + true, + false, + ); + } } From da6fb82fd8ed68a910f2558373d0e5cfcdbc0162 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Tue, 22 Jul 2025 10:21:19 -0500 Subject: [PATCH 14/37] [deps] AC: Update core-js to v3.44.0 (#15284) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- apps/cli/package.json | 2 +- package-lock.json | 10 +++++----- package.json | 2 +- 3 files changed, 7 insertions(+), 7 deletions(-) diff --git a/apps/cli/package.json b/apps/cli/package.json index ca7af3ec596..54855d72104 100644 --- a/apps/cli/package.json +++ b/apps/cli/package.json @@ -69,7 +69,7 @@ "browser-hrtime": "1.1.8", "chalk": "4.1.2", "commander": "11.1.0", - "core-js": "3.42.0", + "core-js": "3.44.0", "form-data": "4.0.2", "https-proxy-agent": "7.0.6", "inquirer": "8.2.6", diff --git a/package-lock.json b/package-lock.json index e44797997f1..01a9ea8c09c 100644 --- a/package-lock.json +++ b/package-lock.json @@ -42,7 +42,7 @@ "bufferutil": "4.0.9", "chalk": "4.1.2", "commander": "11.1.0", - "core-js": "3.42.0", + "core-js": "3.44.0", "form-data": "4.0.2", "https-proxy-agent": "7.0.6", "inquirer": "8.2.6", @@ -205,7 +205,7 @@ "browser-hrtime": "1.1.8", "chalk": "4.1.2", "commander": "11.1.0", - "core-js": "3.42.0", + "core-js": "3.44.0", "form-data": "4.0.2", "https-proxy-agent": "7.0.6", "inquirer": "8.2.6", @@ -17512,9 +17512,9 @@ } }, "node_modules/core-js": { - "version": "3.42.0", - "resolved": "https://registry.npmjs.org/core-js/-/core-js-3.42.0.tgz", - "integrity": "sha512-Sz4PP4ZA+Rq4II21qkNqOEDTDrCvcANId3xpIgB34NDkWc3UduWj2dqEtN9yZIq8Dk3HyPI33x9sqqU5C8sr0g==", + "version": "3.44.0", + "resolved": "https://registry.npmjs.org/core-js/-/core-js-3.44.0.tgz", + "integrity": "sha512-aFCtd4l6GvAXwVEh3XbbVqJGHDJt0OZRa+5ePGx3LLwi12WfexqQxcsohb2wgsa/92xtl19Hd66G/L+TaAxDMw==", "hasInstallScript": true, "license": "MIT", "funding": { diff --git a/package.json b/package.json index 089ef3342e9..2cb60a6afd1 100644 --- a/package.json +++ b/package.json @@ -177,7 +177,7 @@ "bufferutil": "4.0.9", "chalk": "4.1.2", "commander": "11.1.0", - "core-js": "3.42.0", + "core-js": "3.44.0", "form-data": "4.0.2", "https-proxy-agent": "7.0.6", "inquirer": "8.2.6", From e99abb49ec26e983fa76b2bb114d6c330d0a9ce6 Mon Sep 17 00:00:00 2001 From: Thomas Avery <43214426+Thomas-Avery@users.noreply.github.com> Date: Tue, 22 Jul 2025 10:30:50 -0500 Subject: [PATCH 15/37] [PM-23621] Require userId for initAccount on the key-service (#15684) * require userID for initAccount on key service * add unit test coverage * update consumer --- .../login-decryption-options.component.ts | 2 +- .../src/abstractions/key.service.ts | 7 +- libs/key-management/src/key.service.spec.ts | 101 ++++++++++++++++++ libs/key-management/src/key.service.ts | 14 ++- 4 files changed, 112 insertions(+), 12 deletions(-) diff --git a/libs/auth/src/angular/login-decryption-options/login-decryption-options.component.ts b/libs/auth/src/angular/login-decryption-options/login-decryption-options.component.ts index bbdc0106786..a2018817fed 100644 --- a/libs/auth/src/angular/login-decryption-options/login-decryption-options.component.ts +++ b/libs/auth/src/angular/login-decryption-options/login-decryption-options.component.ts @@ -249,7 +249,7 @@ export class LoginDecryptionOptionsComponent implements OnInit { } try { - const { publicKey, privateKey } = await this.keyService.initAccount(); + const { publicKey, privateKey } = await this.keyService.initAccount(this.activeAccountId); const keysRequest = new KeysRequest(publicKey, privateKey.encryptedString); await this.apiService.postAccountKeys(keysRequest); diff --git a/libs/key-management/src/abstractions/key.service.ts b/libs/key-management/src/abstractions/key.service.ts index c843d8dc872..3c0d6c8a138 100644 --- a/libs/key-management/src/abstractions/key.service.ts +++ b/libs/key-management/src/abstractions/key.service.ts @@ -386,11 +386,12 @@ export abstract class KeyService { /** * Initialize all necessary crypto keys needed for a new account. * Warning! This completely replaces any existing keys! + * @param userId The user id of the target user. * @returns The user's newly created public key, private key, and encrypted private key - * - * @throws An error if there is no user currently active. + * @throws An error if the userId is null or undefined. + * @throws An error if the user already has a user key. */ - abstract initAccount(): Promise<{ + abstract initAccount(userId: UserId): Promise<{ userKey: UserKey; publicKey: string; privateKey: EncString; diff --git a/libs/key-management/src/key.service.spec.ts b/libs/key-management/src/key.service.spec.ts index 395d668de9f..7a033792c79 100644 --- a/libs/key-management/src/key.service.spec.ts +++ b/libs/key-management/src/key.service.spec.ts @@ -1047,4 +1047,105 @@ describe("keyService", () => { }); }); }); + + describe("initAccount", () => { + let userKey: UserKey; + let mockPublicKey: string; + let mockPrivateKey: EncString; + + beforeEach(() => { + userKey = makeSymmetricCryptoKey(64); + mockPublicKey = "mockPublicKey"; + mockPrivateKey = makeEncString("mockPrivateKey"); + + keyGenerationService.createKey.mockResolvedValue(userKey); + jest.spyOn(keyService, "makeKeyPair").mockResolvedValue([mockPublicKey, mockPrivateKey]); + jest.spyOn(keyService, "setUserKey").mockResolvedValue(); + }); + + test.each([null as unknown as UserId, undefined as unknown as UserId])( + "throws when the provided userId is %s", + async (userId) => { + await expect(keyService.initAccount(userId)).rejects.toThrow("UserId is required."); + expect(keyService.setUserKey).not.toHaveBeenCalled(); + }, + ); + + it("throws when user already has a user key", async () => { + const existingUserKey = makeSymmetricCryptoKey(64); + stateProvider.singleUser.getFake(mockUserId, USER_KEY).nextState(existingUserKey); + + await expect(keyService.initAccount(mockUserId)).rejects.toThrow( + "Cannot initialize account, keys already exist.", + ); + expect(logService.error).toHaveBeenCalledWith( + "Tried to initialize account with existing user key.", + ); + expect(keyService.setUserKey).not.toHaveBeenCalled(); + }); + + it("throws when private key creation fails", async () => { + // Simulate failure + const invalidPrivateKey = new EncString( + "2.AAAw2vTUePO+CCyokcIfVw==|DTBNlJ5yVsV2Bsk3UU3H6Q==|YvFBff5gxWqM+UsFB6BKimKxhC32AtjF3IStpU1Ijwg=", + ); + invalidPrivateKey.encryptedString = null as unknown as EncryptedString; + jest.spyOn(keyService, "makeKeyPair").mockResolvedValue([mockPublicKey, invalidPrivateKey]); + + await expect(keyService.initAccount(mockUserId)).rejects.toThrow( + "Failed to create valid private key.", + ); + expect(keyService.setUserKey).not.toHaveBeenCalled(); + }); + + it("successfully initializes account with new keys", async () => { + const keyCreationSize = 512; + const privateKeyState = stateProvider.singleUser.getFake( + mockUserId, + USER_ENCRYPTED_PRIVATE_KEY, + ); + + const result = await keyService.initAccount(mockUserId); + + expect(keyGenerationService.createKey).toHaveBeenCalledWith(keyCreationSize); + expect(keyService.makeKeyPair).toHaveBeenCalledWith(userKey); + expect(keyService.setUserKey).toHaveBeenCalledWith(userKey, mockUserId); + expect(privateKeyState.nextMock).toHaveBeenCalledWith(mockPrivateKey.encryptedString); + expect(result).toEqual({ + userKey: userKey, + publicKey: mockPublicKey, + privateKey: mockPrivateKey, + }); + }); + }); + + describe("makeKeyPair", () => { + test.each([null as unknown as SymmetricCryptoKey, undefined as unknown as SymmetricCryptoKey])( + "throws when the provided key is %s", + async (key) => { + await expect(keyService.makeKeyPair(key)).rejects.toThrow( + "'key' is a required parameter and must be non-null.", + ); + }, + ); + + it("generates a key pair and returns public key and encrypted private key", async () => { + const mockKey = new SymmetricCryptoKey(new Uint8Array(64)); + const mockKeyPair: [Uint8Array, Uint8Array] = [new Uint8Array(256), new Uint8Array(256)]; + const mockPublicKeyB64 = "mockPublicKeyB64"; + const mockPrivateKeyEncString = makeEncString("encryptedPrivateKey"); + + cryptoFunctionService.rsaGenerateKeyPair.mockResolvedValue(mockKeyPair); + jest.spyOn(Utils, "fromBufferToB64").mockReturnValue(mockPublicKeyB64); + encryptService.wrapDecapsulationKey.mockResolvedValue(mockPrivateKeyEncString); + + const [publicKey, privateKey] = await keyService.makeKeyPair(mockKey); + + expect(cryptoFunctionService.rsaGenerateKeyPair).toHaveBeenCalledWith(2048); + expect(Utils.fromBufferToB64).toHaveBeenCalledWith(mockKeyPair[0]); + expect(encryptService.wrapDecapsulationKey).toHaveBeenCalledWith(mockKeyPair[1], mockKey); + expect(publicKey).toBe(mockPublicKeyB64); + expect(privateKey).toBe(mockPrivateKeyEncString); + }); + }); }); diff --git a/libs/key-management/src/key.service.ts b/libs/key-management/src/key.service.ts index fca080252f6..0f4b101d9b2 100644 --- a/libs/key-management/src/key.service.ts +++ b/libs/key-management/src/key.service.ts @@ -661,19 +661,17 @@ export class DefaultKeyService implements KeyServiceAbstraction { * Initialize all necessary crypto keys needed for a new account. * Warning! This completely replaces any existing keys! */ - async initAccount(): Promise<{ + async initAccount(userId: UserId): Promise<{ userKey: UserKey; publicKey: string; privateKey: EncString; }> { - const activeUserId = await firstValueFrom(this.stateProvider.activeUserId$); - - if (activeUserId == null) { - throw new Error("Cannot initilize an account if one is not active."); + if (userId == null) { + throw new Error("UserId is required."); } // Verify user key doesn't exist - const existingUserKey = await this.getUserKey(activeUserId); + const existingUserKey = await this.getUserKey(userId); if (existingUserKey != null) { this.logService.error("Tried to initialize account with existing user key."); @@ -686,9 +684,9 @@ export class DefaultKeyService implements KeyServiceAbstraction { throw new Error("Failed to create valid private key."); } - await this.setUserKey(userKey, activeUserId); + await this.setUserKey(userKey, userId); await this.stateProvider - .getUser(activeUserId, USER_ENCRYPTED_PRIVATE_KEY) + .getUser(userId, USER_ENCRYPTED_PRIVATE_KEY) .update(() => privateKey.encryptedString!); return { From a563e6d91000f453f5cbd8f904f397dccc96d058 Mon Sep 17 00:00:00 2001 From: Justin Baur <19896123+justindbaur@users.noreply.github.com> Date: Tue, 22 Jul 2025 11:47:25 -0400 Subject: [PATCH 16/37] Add `messaging` & `messaging-internal` libraries (#15711) --- .github/CODEOWNERS | 2 + .../sync/sync-service.listener.spec.ts | 4 +- .../abstractions/messaging.service.ts | 2 +- libs/common/src/platform/messaging/index.ts | 5 +- .../common/src/platform/messaging/internal.ts | 6 +- .../messaging/subject-message.sender.spec.ts | 65 ------------------- libs/messaging-internal/README.md | 5 ++ libs/messaging-internal/eslint.config.mjs | 3 + libs/messaging-internal/jest.config.js | 10 +++ libs/messaging-internal/package.json | 11 ++++ libs/messaging-internal/project.json | 33 ++++++++++ .../src}/helpers.spec.ts | 5 +- .../src}/helpers.ts | 8 +-- libs/messaging-internal/src/index.ts | 5 ++ .../src/messaging-internal.spec.ts | 8 +++ .../src/subject-message.sender.spec.ts | 59 +++++++++++++++++ .../src}/subject-message.sender.ts | 6 +- libs/messaging-internal/tsconfig.eslint.json | 6 ++ libs/messaging-internal/tsconfig.json | 13 ++++ libs/messaging-internal/tsconfig.lib.json | 10 +++ libs/messaging-internal/tsconfig.spec.json | 10 +++ libs/messaging/README.md | 5 ++ libs/messaging/eslint.config.mjs | 3 + libs/messaging/jest.config.js | 10 +++ libs/messaging/package.json | 11 ++++ libs/messaging/project.json | 33 ++++++++++ libs/messaging/src/index.ts | 4 ++ libs/messaging/src/is-external-message.ts | 5 ++ .../src}/message.listener.spec.ts | 26 ++++---- .../src}/message.listener.ts | 0 .../src}/message.sender.ts | 0 libs/messaging/src/messaging.spec.ts | 8 +++ .../messaging => messaging/src}/types.ts | 0 libs/messaging/tsconfig.eslint.json | 6 ++ libs/messaging/tsconfig.json | 13 ++++ libs/messaging/tsconfig.lib.json | 16 +++++ libs/messaging/tsconfig.spec.json | 17 +++++ package-lock.json | 17 +++++ tsconfig.base.json | 2 + 39 files changed, 347 insertions(+), 105 deletions(-) delete mode 100644 libs/common/src/platform/messaging/subject-message.sender.spec.ts create mode 100644 libs/messaging-internal/README.md create mode 100644 libs/messaging-internal/eslint.config.mjs create mode 100644 libs/messaging-internal/jest.config.js create mode 100644 libs/messaging-internal/package.json create mode 100644 libs/messaging-internal/project.json rename libs/{common/src/platform/messaging => messaging-internal/src}/helpers.spec.ts (90%) rename libs/{common/src/platform/messaging => messaging-internal/src}/helpers.ts (65%) create mode 100644 libs/messaging-internal/src/index.ts create mode 100644 libs/messaging-internal/src/messaging-internal.spec.ts create mode 100644 libs/messaging-internal/src/subject-message.sender.spec.ts rename libs/{common/src/platform/messaging => messaging-internal/src}/subject-message.sender.ts (77%) create mode 100644 libs/messaging-internal/tsconfig.eslint.json create mode 100644 libs/messaging-internal/tsconfig.json create mode 100644 libs/messaging-internal/tsconfig.lib.json create mode 100644 libs/messaging-internal/tsconfig.spec.json create mode 100644 libs/messaging/README.md create mode 100644 libs/messaging/eslint.config.mjs create mode 100644 libs/messaging/jest.config.js create mode 100644 libs/messaging/package.json create mode 100644 libs/messaging/project.json create mode 100644 libs/messaging/src/index.ts create mode 100644 libs/messaging/src/is-external-message.ts rename libs/{common/src/platform/messaging => messaging/src}/message.listener.spec.ts (55%) rename libs/{common/src/platform/messaging => messaging/src}/message.listener.ts (100%) rename libs/{common/src/platform/messaging => messaging/src}/message.sender.ts (100%) create mode 100644 libs/messaging/src/messaging.spec.ts rename libs/{common/src/platform/messaging => messaging/src}/types.ts (100%) create mode 100644 libs/messaging/tsconfig.eslint.json create mode 100644 libs/messaging/tsconfig.json create mode 100644 libs/messaging/tsconfig.lib.json create mode 100644 libs/messaging/tsconfig.spec.json diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index 7d7fec2a5ea..203c7ae7607 100644 --- a/.github/CODEOWNERS +++ b/.github/CODEOWNERS @@ -94,6 +94,8 @@ libs/platform @bitwarden/team-platform-dev libs/storage-core @bitwarden/team-platform-dev libs/logging @bitwarden/team-platform-dev libs/storage-test-utils @bitwarden/team-platform-dev +libs/messaging @bitwarden/team-platform-dev +libs/messaging-internal @bitwarden/team-platform-dev # Web utils used across app and connectors apps/web/src/utils/ @bitwarden/team-platform-dev # Web core and shared files diff --git a/apps/browser/src/platform/sync/sync-service.listener.spec.ts b/apps/browser/src/platform/sync/sync-service.listener.spec.ts index dc0674a7ae5..383586c0cd0 100644 --- a/apps/browser/src/platform/sync/sync-service.listener.spec.ts +++ b/apps/browser/src/platform/sync/sync-service.listener.spec.ts @@ -3,10 +3,8 @@ import { Subject, firstValueFrom } from "rxjs"; import { LogService } from "@bitwarden/common/platform/abstractions/log.service"; import { MessageListener, MessageSender } from "@bitwarden/common/platform/messaging"; -// This import has been flagged as unallowed for this class. It may be involved in a circular dependency loop. -// eslint-disable-next-line no-restricted-imports -import { tagAsExternal } from "@bitwarden/common/platform/messaging/helpers"; import { SyncService } from "@bitwarden/common/vault/abstractions/sync/sync.service.abstraction"; +import { tagAsExternal } from "@bitwarden/messaging-internal"; import { FullSyncMessage } from "./foreground-sync.service"; import { FULL_SYNC_FINISHED, SyncServiceListener } from "./sync-service.listener"; diff --git a/libs/common/src/platform/abstractions/messaging.service.ts b/libs/common/src/platform/abstractions/messaging.service.ts index f24279f932a..3520d9352ef 100644 --- a/libs/common/src/platform/abstractions/messaging.service.ts +++ b/libs/common/src/platform/abstractions/messaging.service.ts @@ -1,3 +1,3 @@ // Export the new message sender as the legacy MessagingService to minimize changes in the initial PR, // team specific PR's will come after. -export { MessageSender as MessagingService } from "../messaging/message.sender"; +export { MessageSender as MessagingService } from "@bitwarden/messaging"; diff --git a/libs/common/src/platform/messaging/index.ts b/libs/common/src/platform/messaging/index.ts index a9b4eca5ae8..5d452f32b31 100644 --- a/libs/common/src/platform/messaging/index.ts +++ b/libs/common/src/platform/messaging/index.ts @@ -1,4 +1 @@ -export { MessageListener } from "./message.listener"; -export { MessageSender } from "./message.sender"; -export { Message, CommandDefinition } from "./types"; -export { isExternalMessage } from "./helpers"; +export * from "@bitwarden/messaging"; diff --git a/libs/common/src/platform/messaging/internal.ts b/libs/common/src/platform/messaging/internal.ts index 08763d48bc5..9fe261f2264 100644 --- a/libs/common/src/platform/messaging/internal.ts +++ b/libs/common/src/platform/messaging/internal.ts @@ -1,5 +1 @@ -// Built in implementations -export { SubjectMessageSender } from "./subject-message.sender"; - -// Helpers meant to be used only by other implementations -export { tagAsExternal, getCommand } from "./helpers"; +export * from "@bitwarden/messaging-internal"; diff --git a/libs/common/src/platform/messaging/subject-message.sender.spec.ts b/libs/common/src/platform/messaging/subject-message.sender.spec.ts deleted file mode 100644 index 4278fca7bc1..00000000000 --- a/libs/common/src/platform/messaging/subject-message.sender.spec.ts +++ /dev/null @@ -1,65 +0,0 @@ -import { Subject } from "rxjs"; - -import { subscribeTo } from "../../../spec/observable-tracker"; - -import { SubjectMessageSender } from "./internal"; -import { MessageSender } from "./message.sender"; -import { Message, CommandDefinition } from "./types"; - -describe("SubjectMessageSender", () => { - const subject = new Subject>(); - const subjectObservable = subject.asObservable(); - - const sut: MessageSender = new SubjectMessageSender(subject); - - describe("send", () => { - it("will send message with command from message definition", async () => { - const commandDefinition = new CommandDefinition<{ test: number }>("myCommand"); - - const tracker = subscribeTo(subjectObservable); - const pausePromise = tracker.pauseUntilReceived(1); - - sut.send(commandDefinition, { test: 1 }); - - await pausePromise; - - expect(tracker.emissions[0]).toEqual({ command: "myCommand", test: 1 }); - }); - - it("will send message with command from normal string", async () => { - const tracker = subscribeTo(subjectObservable); - const pausePromise = tracker.pauseUntilReceived(1); - - sut.send("myCommand", { test: 1 }); - - await pausePromise; - - expect(tracker.emissions[0]).toEqual({ command: "myCommand", test: 1 }); - }); - - it("will send message with object even if payload not given", async () => { - const tracker = subscribeTo(subjectObservable); - const pausePromise = tracker.pauseUntilReceived(1); - - sut.send("myCommand"); - - await pausePromise; - - expect(tracker.emissions[0]).toEqual({ command: "myCommand" }); - }); - - it.each([null, undefined])( - "will send message with object even if payload is null-ish (%s)", - async (payloadValue) => { - const tracker = subscribeTo(subjectObservable); - const pausePromise = tracker.pauseUntilReceived(1); - - sut.send("myCommand", payloadValue); - - await pausePromise; - - expect(tracker.emissions[0]).toEqual({ command: "myCommand" }); - }, - ); - }); -}); diff --git a/libs/messaging-internal/README.md b/libs/messaging-internal/README.md new file mode 100644 index 00000000000..a2f36138ad7 --- /dev/null +++ b/libs/messaging-internal/README.md @@ -0,0 +1,5 @@ +# messaging-internal + +Owned by: platform + +Internal details to accompany @bitwarden/messaging this library should not be consumed in non-platform code. diff --git a/libs/messaging-internal/eslint.config.mjs b/libs/messaging-internal/eslint.config.mjs new file mode 100644 index 00000000000..9c37d10e3ff --- /dev/null +++ b/libs/messaging-internal/eslint.config.mjs @@ -0,0 +1,3 @@ +import baseConfig from "../../eslint.config.mjs"; + +export default [...baseConfig]; diff --git a/libs/messaging-internal/jest.config.js b/libs/messaging-internal/jest.config.js new file mode 100644 index 00000000000..152244f6603 --- /dev/null +++ b/libs/messaging-internal/jest.config.js @@ -0,0 +1,10 @@ +module.exports = { + displayName: "messaging-internal", + preset: "../../jest.preset.js", + testEnvironment: "node", + transform: { + "^.+\\.[tj]s$": ["ts-jest", { tsconfig: "/tsconfig.spec.json" }], + }, + moduleFileExtensions: ["ts", "js", "html"], + coverageDirectory: "../../coverage/libs/messaging-internal", +}; diff --git a/libs/messaging-internal/package.json b/libs/messaging-internal/package.json new file mode 100644 index 00000000000..7a0a13d2d67 --- /dev/null +++ b/libs/messaging-internal/package.json @@ -0,0 +1,11 @@ +{ + "name": "@bitwarden/messaging-internal", + "version": "0.0.1", + "description": "Internal details to accompany @bitwarden/messaging this library should not be consumed in non-platform code.", + "private": true, + "type": "commonjs", + "main": "dist/index.js", + "types": "dist/index.d.ts", + "license": "GPL-3.0", + "author": "platform" +} diff --git a/libs/messaging-internal/project.json b/libs/messaging-internal/project.json new file mode 100644 index 00000000000..ad55cde5c20 --- /dev/null +++ b/libs/messaging-internal/project.json @@ -0,0 +1,33 @@ +{ + "name": "messaging-internal", + "$schema": "../../node_modules/nx/schemas/project-schema.json", + "sourceRoot": "libs/messaging-internal/src", + "projectType": "library", + "tags": [], + "targets": { + "build": { + "executor": "@nx/js:tsc", + "outputs": ["{options.outputPath}"], + "options": { + "outputPath": "dist/libs/messaging-internal", + "main": "libs/messaging-internal/src/index.ts", + "tsConfig": "libs/messaging-internal/tsconfig.lib.json", + "assets": ["libs/messaging-internal/*.md"] + } + }, + "lint": { + "executor": "@nx/eslint:lint", + "outputs": ["{options.outputFile}"], + "options": { + "lintFilePatterns": ["libs/messaging-internal/**/*.ts"] + } + }, + "test": { + "executor": "@nx/jest:jest", + "outputs": ["{workspaceRoot}/coverage/{projectRoot}"], + "options": { + "jestConfig": "libs/messaging-internal/jest.config.js" + } + } + } +} diff --git a/libs/common/src/platform/messaging/helpers.spec.ts b/libs/messaging-internal/src/helpers.spec.ts similarity index 90% rename from libs/common/src/platform/messaging/helpers.spec.ts rename to libs/messaging-internal/src/helpers.spec.ts index 8839a542ffc..5a97ff959cc 100644 --- a/libs/common/src/platform/messaging/helpers.spec.ts +++ b/libs/messaging-internal/src/helpers.spec.ts @@ -1,7 +1,8 @@ import { Subject, firstValueFrom } from "rxjs"; -import { getCommand, isExternalMessage, tagAsExternal } from "./helpers"; -import { Message, CommandDefinition } from "./types"; +import { CommandDefinition, isExternalMessage, Message } from "@bitwarden/messaging"; + +import { getCommand, tagAsExternal } from "./helpers"; describe("helpers", () => { describe("getCommand", () => { diff --git a/libs/common/src/platform/messaging/helpers.ts b/libs/messaging-internal/src/helpers.ts similarity index 65% rename from libs/common/src/platform/messaging/helpers.ts rename to libs/messaging-internal/src/helpers.ts index e7521ea42a2..00231b455b7 100644 --- a/libs/common/src/platform/messaging/helpers.ts +++ b/libs/messaging-internal/src/helpers.ts @@ -1,6 +1,6 @@ import { map } from "rxjs"; -import { CommandDefinition } from "./types"; +import { CommandDefinition, EXTERNAL_SOURCE_TAG } from "@bitwarden/messaging"; export const getCommand = ( commandDefinition: CommandDefinition> | string, @@ -12,12 +12,6 @@ export const getCommand = ( } }; -export const EXTERNAL_SOURCE_TAG = Symbol("externalSource"); - -export const isExternalMessage = (message: Record) => { - return message?.[EXTERNAL_SOURCE_TAG] === true; -}; - export const tagAsExternal = >() => { return map((message: T) => { return Object.assign(message, { [EXTERNAL_SOURCE_TAG]: true }); diff --git a/libs/messaging-internal/src/index.ts b/libs/messaging-internal/src/index.ts new file mode 100644 index 00000000000..08763d48bc5 --- /dev/null +++ b/libs/messaging-internal/src/index.ts @@ -0,0 +1,5 @@ +// Built in implementations +export { SubjectMessageSender } from "./subject-message.sender"; + +// Helpers meant to be used only by other implementations +export { tagAsExternal, getCommand } from "./helpers"; diff --git a/libs/messaging-internal/src/messaging-internal.spec.ts b/libs/messaging-internal/src/messaging-internal.spec.ts new file mode 100644 index 00000000000..b2b50a218bd --- /dev/null +++ b/libs/messaging-internal/src/messaging-internal.spec.ts @@ -0,0 +1,8 @@ +import * as lib from "./index"; + +describe("messaging-internal", () => { + // This test will fail until something is exported from index.ts + it("should work", () => { + expect(lib).toBeDefined(); + }); +}); diff --git a/libs/messaging-internal/src/subject-message.sender.spec.ts b/libs/messaging-internal/src/subject-message.sender.spec.ts new file mode 100644 index 00000000000..e3e5305d1b2 --- /dev/null +++ b/libs/messaging-internal/src/subject-message.sender.spec.ts @@ -0,0 +1,59 @@ +import { bufferCount, firstValueFrom, Subject } from "rxjs"; + +import { CommandDefinition, Message } from "@bitwarden/messaging"; + +import { SubjectMessageSender } from "./subject-message.sender"; + +describe("SubjectMessageSender", () => { + const subject = new Subject>(); + const subjectObservable = subject.asObservable(); + + const sut = new SubjectMessageSender(subject); + + describe("send", () => { + it("will send message with command from message definition", async () => { + const commandDefinition = new CommandDefinition<{ test: number }>("myCommand"); + + const emissionsPromise = firstValueFrom(subjectObservable.pipe(bufferCount(1))); + + sut.send(commandDefinition, { test: 1 }); + + const emissions = await emissionsPromise; + + expect(emissions[0]).toEqual({ command: "myCommand", test: 1 }); + }); + + it("will send message with command from normal string", async () => { + const emissionsPromise = firstValueFrom(subjectObservable.pipe(bufferCount(1))); + + sut.send("myCommand", { test: 1 }); + + const emissions = await emissionsPromise; + + expect(emissions[0]).toEqual({ command: "myCommand", test: 1 }); + }); + + it("will send message with object even if payload not given", async () => { + const emissionsPromise = firstValueFrom(subjectObservable.pipe(bufferCount(1))); + + sut.send("myCommand"); + + const emissions = await emissionsPromise; + + expect(emissions[0]).toEqual({ command: "myCommand" }); + }); + + it.each([null, undefined])( + "will send message with object even if payload is null-ish (%s)", + async (payloadValue) => { + const emissionsPromise = firstValueFrom(subjectObservable.pipe(bufferCount(1))); + + sut.send("myCommand", payloadValue); + + const emissions = await emissionsPromise; + + expect(emissions[0]).toEqual({ command: "myCommand" }); + }, + ); + }); +}); diff --git a/libs/common/src/platform/messaging/subject-message.sender.ts b/libs/messaging-internal/src/subject-message.sender.ts similarity index 77% rename from libs/common/src/platform/messaging/subject-message.sender.ts rename to libs/messaging-internal/src/subject-message.sender.ts index 170f8a24c6f..e8df5913b01 100644 --- a/libs/common/src/platform/messaging/subject-message.sender.ts +++ b/libs/messaging-internal/src/subject-message.sender.ts @@ -1,8 +1,8 @@ import { Subject } from "rxjs"; -import { getCommand } from "./internal"; -import { MessageSender } from "./message.sender"; -import { Message, CommandDefinition } from "./types"; +import { CommandDefinition, Message, MessageSender } from "@bitwarden/messaging"; + +import { getCommand } from "./helpers"; export class SubjectMessageSender implements MessageSender { constructor(private readonly messagesSubject: Subject>>) {} diff --git a/libs/messaging-internal/tsconfig.eslint.json b/libs/messaging-internal/tsconfig.eslint.json new file mode 100644 index 00000000000..3daf120441a --- /dev/null +++ b/libs/messaging-internal/tsconfig.eslint.json @@ -0,0 +1,6 @@ +{ + "extends": "../../tsconfig.base.json", + "files": [], + "include": ["src/**/*.ts", "src/**/*.js"], + "exclude": ["**/build", "**/dist"] +} diff --git a/libs/messaging-internal/tsconfig.json b/libs/messaging-internal/tsconfig.json new file mode 100644 index 00000000000..62ebbd94647 --- /dev/null +++ b/libs/messaging-internal/tsconfig.json @@ -0,0 +1,13 @@ +{ + "extends": "../../tsconfig.base.json", + "files": [], + "include": [], + "references": [ + { + "path": "./tsconfig.lib.json" + }, + { + "path": "./tsconfig.spec.json" + } + ] +} diff --git a/libs/messaging-internal/tsconfig.lib.json b/libs/messaging-internal/tsconfig.lib.json new file mode 100644 index 00000000000..9cbf6736007 --- /dev/null +++ b/libs/messaging-internal/tsconfig.lib.json @@ -0,0 +1,10 @@ +{ + "extends": "./tsconfig.json", + "compilerOptions": { + "outDir": "../../dist/out-tsc", + "declaration": true, + "types": ["node"] + }, + "include": ["src/**/*.ts"], + "exclude": ["jest.config.js", "src/**/*.spec.ts"] +} diff --git a/libs/messaging-internal/tsconfig.spec.json b/libs/messaging-internal/tsconfig.spec.json new file mode 100644 index 00000000000..1275f148a18 --- /dev/null +++ b/libs/messaging-internal/tsconfig.spec.json @@ -0,0 +1,10 @@ +{ + "extends": "./tsconfig.json", + "compilerOptions": { + "outDir": "../../dist/out-tsc", + "module": "commonjs", + "moduleResolution": "node10", + "types": ["jest", "node"] + }, + "include": ["jest.config.ts", "src/**/*.test.ts", "src/**/*.spec.ts", "src/**/*.d.ts"] +} diff --git a/libs/messaging/README.md b/libs/messaging/README.md new file mode 100644 index 00000000000..98eb96a5a40 --- /dev/null +++ b/libs/messaging/README.md @@ -0,0 +1,5 @@ +# messaging + +Owned by: platform + +Services for sending and recieving messages from different contexts of the same application. diff --git a/libs/messaging/eslint.config.mjs b/libs/messaging/eslint.config.mjs new file mode 100644 index 00000000000..9c37d10e3ff --- /dev/null +++ b/libs/messaging/eslint.config.mjs @@ -0,0 +1,3 @@ +import baseConfig from "../../eslint.config.mjs"; + +export default [...baseConfig]; diff --git a/libs/messaging/jest.config.js b/libs/messaging/jest.config.js new file mode 100644 index 00000000000..f0450499e31 --- /dev/null +++ b/libs/messaging/jest.config.js @@ -0,0 +1,10 @@ +module.exports = { + displayName: "messaging", + preset: "../../jest.preset.js", + testEnvironment: "node", + transform: { + "^.+\\.[tj]s$": ["ts-jest", { tsconfig: "/tsconfig.spec.json" }], + }, + moduleFileExtensions: ["ts", "js", "html"], + coverageDirectory: "../../coverage/libs/messaging", +}; diff --git a/libs/messaging/package.json b/libs/messaging/package.json new file mode 100644 index 00000000000..01c8d7cb0e7 --- /dev/null +++ b/libs/messaging/package.json @@ -0,0 +1,11 @@ +{ + "name": "@bitwarden/messaging", + "version": "0.0.1", + "description": "Services for sending and recieving messages from different contexts of the same application.", + "private": true, + "type": "commonjs", + "main": "dist/index.js", + "types": "dist/index.d.ts", + "license": "GPL-3.0", + "author": "platform" +} diff --git a/libs/messaging/project.json b/libs/messaging/project.json new file mode 100644 index 00000000000..f00e0bd2dc9 --- /dev/null +++ b/libs/messaging/project.json @@ -0,0 +1,33 @@ +{ + "name": "messaging", + "$schema": "../../node_modules/nx/schemas/project-schema.json", + "sourceRoot": "libs/messaging/src", + "projectType": "library", + "tags": [], + "targets": { + "build": { + "executor": "@nx/js:tsc", + "outputs": ["{options.outputPath}"], + "options": { + "outputPath": "dist/libs/messaging", + "main": "libs/messaging/src/index.ts", + "tsConfig": "libs/messaging/tsconfig.lib.json", + "assets": ["libs/messaging/*.md"] + } + }, + "lint": { + "executor": "@nx/eslint:lint", + "outputs": ["{options.outputFile}"], + "options": { + "lintFilePatterns": ["libs/messaging/**/*.ts"] + } + }, + "test": { + "executor": "@nx/jest:jest", + "outputs": ["{workspaceRoot}/coverage/{projectRoot}"], + "options": { + "jestConfig": "libs/messaging/jest.config.js" + } + } + } +} diff --git a/libs/messaging/src/index.ts b/libs/messaging/src/index.ts new file mode 100644 index 00000000000..9090ff581c1 --- /dev/null +++ b/libs/messaging/src/index.ts @@ -0,0 +1,4 @@ +export { MessageListener } from "./message.listener"; +export { MessageSender } from "./message.sender"; +export { Message, CommandDefinition } from "./types"; +export { isExternalMessage, EXTERNAL_SOURCE_TAG } from "./is-external-message"; diff --git a/libs/messaging/src/is-external-message.ts b/libs/messaging/src/is-external-message.ts new file mode 100644 index 00000000000..46775cb14d6 --- /dev/null +++ b/libs/messaging/src/is-external-message.ts @@ -0,0 +1,5 @@ +export const EXTERNAL_SOURCE_TAG = Symbol("externalSource"); + +export const isExternalMessage = (message: Record) => { + return message?.[EXTERNAL_SOURCE_TAG] === true; +}; diff --git a/libs/common/src/platform/messaging/message.listener.spec.ts b/libs/messaging/src/message.listener.spec.ts similarity index 55% rename from libs/common/src/platform/messaging/message.listener.spec.ts rename to libs/messaging/src/message.listener.spec.ts index 98bbf1fdc82..19787c6feae 100644 --- a/libs/common/src/platform/messaging/message.listener.spec.ts +++ b/libs/messaging/src/message.listener.spec.ts @@ -1,6 +1,4 @@ -import { Subject } from "rxjs"; - -import { subscribeTo } from "../../../spec/observable-tracker"; +import { bufferCount, firstValueFrom, Subject } from "rxjs"; import { MessageListener } from "./message.listener"; import { Message, CommandDefinition } from "./types"; @@ -13,35 +11,33 @@ describe("MessageListener", () => { describe("allMessages$", () => { it("runs on all nexts", async () => { - const tracker = subscribeTo(sut.allMessages$); - - const pausePromise = tracker.pauseUntilReceived(2); + const emissionsPromise = firstValueFrom(sut.allMessages$.pipe(bufferCount(2))); subject.next({ command: "command1", test: 1 }); subject.next({ command: "command2", test: 2 }); - await pausePromise; + const emissions = await emissionsPromise; - expect(tracker.emissions[0]).toEqual({ command: "command1", test: 1 }); - expect(tracker.emissions[1]).toEqual({ command: "command2", test: 2 }); + expect(emissions[0]).toEqual({ command: "command1", test: 1 }); + expect(emissions[1]).toEqual({ command: "command2", test: 2 }); }); }); describe("messages$", () => { it("runs on only my commands", async () => { - const tracker = subscribeTo(sut.messages$(testCommandDefinition)); - - const pausePromise = tracker.pauseUntilReceived(2); + const emissionsPromise = firstValueFrom( + sut.messages$(testCommandDefinition).pipe(bufferCount(2)), + ); subject.next({ command: "notMyCommand", test: 1 }); subject.next({ command: "myCommand", test: 2 }); subject.next({ command: "myCommand", test: 3 }); subject.next({ command: "notMyCommand", test: 4 }); - await pausePromise; + const emissions = await emissionsPromise; - expect(tracker.emissions[0]).toEqual({ command: "myCommand", test: 2 }); - expect(tracker.emissions[1]).toEqual({ command: "myCommand", test: 3 }); + expect(emissions[0]).toEqual({ command: "myCommand", test: 2 }); + expect(emissions[1]).toEqual({ command: "myCommand", test: 3 }); }); }); }); diff --git a/libs/common/src/platform/messaging/message.listener.ts b/libs/messaging/src/message.listener.ts similarity index 100% rename from libs/common/src/platform/messaging/message.listener.ts rename to libs/messaging/src/message.listener.ts diff --git a/libs/common/src/platform/messaging/message.sender.ts b/libs/messaging/src/message.sender.ts similarity index 100% rename from libs/common/src/platform/messaging/message.sender.ts rename to libs/messaging/src/message.sender.ts diff --git a/libs/messaging/src/messaging.spec.ts b/libs/messaging/src/messaging.spec.ts new file mode 100644 index 00000000000..170b24750c5 --- /dev/null +++ b/libs/messaging/src/messaging.spec.ts @@ -0,0 +1,8 @@ +import * as lib from "./index"; + +describe("messaging", () => { + // This test will fail until something is exported from index.ts + it("should work", () => { + expect(lib).toBeDefined(); + }); +}); diff --git a/libs/common/src/platform/messaging/types.ts b/libs/messaging/src/types.ts similarity index 100% rename from libs/common/src/platform/messaging/types.ts rename to libs/messaging/src/types.ts diff --git a/libs/messaging/tsconfig.eslint.json b/libs/messaging/tsconfig.eslint.json new file mode 100644 index 00000000000..3daf120441a --- /dev/null +++ b/libs/messaging/tsconfig.eslint.json @@ -0,0 +1,6 @@ +{ + "extends": "../../tsconfig.base.json", + "files": [], + "include": ["src/**/*.ts", "src/**/*.js"], + "exclude": ["**/build", "**/dist"] +} diff --git a/libs/messaging/tsconfig.json b/libs/messaging/tsconfig.json new file mode 100644 index 00000000000..62ebbd94647 --- /dev/null +++ b/libs/messaging/tsconfig.json @@ -0,0 +1,13 @@ +{ + "extends": "../../tsconfig.base.json", + "files": [], + "include": [], + "references": [ + { + "path": "./tsconfig.lib.json" + }, + { + "path": "./tsconfig.spec.json" + } + ] +} diff --git a/libs/messaging/tsconfig.lib.json b/libs/messaging/tsconfig.lib.json new file mode 100644 index 00000000000..1f3b89d988e --- /dev/null +++ b/libs/messaging/tsconfig.lib.json @@ -0,0 +1,16 @@ +{ + "extends": "./tsconfig.json", + "compilerOptions": { + "outDir": "../../dist/out-tsc", + "declaration": true, + "types": ["node"] + }, + "include": [ + "src/**/*.ts", + "../messaging-internal/src/subject-message.sender.spec.ts", + "../messaging-internal/src/subject-message.sender.ts", + "../messaging-internal/src/helpers.spec.ts", + "../messaging-internal/src/helpers.ts" + ], + "exclude": ["jest.config.js", "src/**/*.spec.ts"] +} diff --git a/libs/messaging/tsconfig.spec.json b/libs/messaging/tsconfig.spec.json new file mode 100644 index 00000000000..2e5b192faff --- /dev/null +++ b/libs/messaging/tsconfig.spec.json @@ -0,0 +1,17 @@ +{ + "extends": "./tsconfig.json", + "compilerOptions": { + "outDir": "../../dist/out-tsc", + "module": "commonjs", + "moduleResolution": "node10", + "types": ["jest", "node"] + }, + "include": [ + "jest.config.ts", + "src/**/*.test.ts", + "src/**/*.spec.ts", + "src/**/*.d.ts", + "../messaging-internal/src/subject-message.sender.spec.ts", + "../messaging-internal/src/helpers.spec.ts" + ] +} diff --git a/package-lock.json b/package-lock.json index 01a9ea8c09c..fbbc4c25b44 100644 --- a/package-lock.json +++ b/package-lock.json @@ -352,6 +352,15 @@ "version": "0.0.1", "license": "GPL-3.0" }, + "libs/messaging": { + "name": "@bitwarden/messaging", + "version": "0.0.1", + "license": "GPL-3.0" + }, + "libs/messaging-internal": { + "version": "0.0.1", + "license": "GPL-3.0" + }, "libs/node": { "name": "@bitwarden/node", "version": "0.0.0", @@ -4591,6 +4600,14 @@ "resolved": "libs/logging", "link": true }, + "node_modules/@bitwarden/messaging": { + "resolved": "libs/messaging", + "link": true + }, + "node_modules/@bitwarden/messaging-internal": { + "resolved": "libs/messaging-internal", + "link": true + }, "node_modules/@bitwarden/node": { "resolved": "libs/node", "link": true diff --git a/tsconfig.base.json b/tsconfig.base.json index c462ab97d37..478fce4bfd8 100644 --- a/tsconfig.base.json +++ b/tsconfig.base.json @@ -38,6 +38,8 @@ "@bitwarden/key-management": ["./libs/key-management/src"], "@bitwarden/key-management-ui": ["./libs/key-management-ui/src"], "@bitwarden/logging": ["libs/logging/src"], + "@bitwarden/messaging": ["libs/messaging/src/index.ts"], + "@bitwarden/messaging-internal": ["libs/messaging-internal/src/index.ts"], "@bitwarden/node/*": ["./libs/node/src/*"], "@bitwarden/nx-plugin": ["libs/nx-plugin/src/index.ts"], "@bitwarden/platform": ["./libs/platform/src"], From 9839087b00a3de91e8b4a87cce4d9e74a201d95b Mon Sep 17 00:00:00 2001 From: Nick Krantz <125900171+nick-livefront@users.noreply.github.com> Date: Tue, 22 Jul 2025 11:30:22 -0500 Subject: [PATCH 17/37] Only return ciphers when they exist. (#15716) conditionals within the template are checking for an empty array rather than an empty ciphers property. --- .../vault-list-items-container.component.ts | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/apps/browser/src/vault/popup/components/vault-v2/vault-list-items-container/vault-list-items-container.component.ts b/apps/browser/src/vault/popup/components/vault-v2/vault-list-items-container/vault-list-items-container.component.ts index 5fc1c43210c..5a08ed3002b 100644 --- a/apps/browser/src/vault/popup/components/vault-v2/vault-list-items-container/vault-list-items-container.component.ts +++ b/apps/browser/src/vault/popup/components/vault-v2/vault-list-items-container/vault-list-items-container.component.ts @@ -146,14 +146,16 @@ export class VaultListItemsContainerComponent implements AfterViewInit { ciphers: PopupCipherViewLike[]; }[] >(() => { + const ciphers = this.ciphers(); + // Not grouping by type, return a single group with all ciphers - if (!this.groupByType()) { - return [{ ciphers: this.ciphers() }]; + if (!this.groupByType() && ciphers.length > 0) { + return [{ ciphers }]; } const groups: Record = {}; - this.ciphers().forEach((cipher) => { + ciphers.forEach((cipher) => { let groupKey = "all"; switch (CipherViewLikeUtils.getType(cipher)) { case CipherType.Card: From 6aa59d5ba795a5ddd513a913ce4ea93129c65946 Mon Sep 17 00:00:00 2001 From: Andy Pixley <3723676+pixman20@users.noreply.github.com> Date: Tue, 22 Jul 2025 12:46:02 -0400 Subject: [PATCH 18/37] [BRE-831] Fixing PR target permissions (#15729) --- .github/workflows/build-browser-target.yml | 3 ++- .github/workflows/build-desktop-target.yml | 3 ++- .github/workflows/build-web-target.yml | 3 ++- 3 files changed, 6 insertions(+), 3 deletions(-) diff --git a/.github/workflows/build-browser-target.yml b/.github/workflows/build-browser-target.yml index ef3beef4b8b..e89a41c1009 100644 --- a/.github/workflows/build-browser-target.yml +++ b/.github/workflows/build-browser-target.yml @@ -38,6 +38,7 @@ jobs: uses: ./.github/workflows/build-browser.yml secrets: inherit permissions: - contents: read + contents: write + pull-requests: write id-token: write diff --git a/.github/workflows/build-desktop-target.yml b/.github/workflows/build-desktop-target.yml index 31ac819a3e6..96a0e6880f8 100644 --- a/.github/workflows/build-desktop-target.yml +++ b/.github/workflows/build-desktop-target.yml @@ -38,6 +38,7 @@ jobs: uses: ./.github/workflows/build-desktop.yml secrets: inherit permissions: - contents: read + contents: write + pull-requests: write id-token: write diff --git a/.github/workflows/build-web-target.yml b/.github/workflows/build-web-target.yml index b1055885400..2f9e201ac60 100644 --- a/.github/workflows/build-web-target.yml +++ b/.github/workflows/build-web-target.yml @@ -37,7 +37,8 @@ jobs: uses: ./.github/workflows/build-web.yml secrets: inherit permissions: - contents: read + contents: write + pull-requests: write id-token: write security-events: write From 8aeeb92958bb6bd9396444ba08ccfdd52b730390 Mon Sep 17 00:00:00 2001 From: Oscar Hinton Date: Tue, 22 Jul 2025 18:48:00 +0200 Subject: [PATCH 19/37] [PM-24030] Migrate abstract services in libs/common strict TS (#15727) Migrates the abstract classes in libs/common to be strict ts compatible. Primarily by adding abstract to every field and converting it to a function syntax instead of lambda. --- libs/common/src/abstractions/api.service.ts | 446 ++++++++++-------- .../event/event-collection.service.ts | 10 +- .../event/event-upload.service.ts | 4 +- .../org-domain-api.service.abstraction.ts | 22 +- .../org-domain.service.abstraction.ts | 16 +- .../organization-api.service.abstraction.ts | 94 ++-- .../organization.service.abstraction.ts | 19 +- .../abstractions/provider.service.ts | 10 +- .../provider-api.service.abstraction.ts | 24 +- .../src/auth/abstractions/account.service.ts | 14 +- .../abstractions/anonymous-hub.service.ts | 6 +- .../src/auth/abstractions/avatar.service.ts | 4 +- .../devices-api.service.abstraction.ts | 24 +- .../src/auth/abstractions/token.service.ts | 60 ++- ...er-verification-api.service.abstraction.ts | 10 +- .../user-verification.service.abstraction.ts | 22 +- .../webauthn-login-api.service.abstraction.ts | 6 +- ...authn-login-prf-key.service.abstraction.ts | 6 +- .../webauthn-login.service.abstraction.ts | 10 +- ...account-billing-api.service.abstraction.ts | 11 +- .../billing-account-profile-state.service.ts | 2 - .../billing-api.service.abstraction.ts | 67 ++- .../organization-billing.service.ts | 20 +- .../device-trust.service.abstraction.ts | 32 +- .../vault-timeout-settings.service.ts | 18 +- .../abstractions/vault-timeout.service.ts | 8 +- ...fido2-authenticator.service.abstraction.ts | 12 +- .../fido2/fido2-client.service.abstraction.ts | 12 +- ...ido2-user-interface.service.abstraction.ts | 22 +- .../platform/abstractions/state.service.ts | 30 +- .../password-strength.service.abstraction.ts | 8 +- .../services/send-api.service.abstraction.ts | 37 +- .../send/services/send.service.abstraction.ts | 28 +- .../src/vault/abstractions/cipher.service.ts | 2 - .../file-upload/cipher-file-upload.service.ts | 6 +- .../folder/folder-api.service.abstraction.ts | 13 +- .../folder/folder.service.abstraction.ts | 32 +- .../src/vault/abstractions/search.service.ts | 22 +- .../vault-settings/vault-settings.service.ts | 20 +- 39 files changed, 595 insertions(+), 614 deletions(-) diff --git a/libs/common/src/abstractions/api.service.ts b/libs/common/src/abstractions/api.service.ts index 4969e87f1c6..015a742c1ac 100644 --- a/libs/common/src/abstractions/api.service.ts +++ b/libs/common/src/abstractions/api.service.ts @@ -1,5 +1,3 @@ -// FIXME: Update this file to be type safe and remove this and next line -// @ts-strict-ignore // This import has been flagged as unallowed for this class. It may be involved in a circular dependency loop. // eslint-disable-next-line no-restricted-imports import { @@ -128,7 +126,7 @@ import { OptionalCipherResponse } from "../vault/models/response/optional-cipher * of this decision please read https://contributing.bitwarden.com/architecture/adr/refactor-api-service. */ export abstract class ApiService { - send: ( + abstract send( method: "GET" | "POST" | "PUT" | "DELETE" | "PATCH", path: string, body: any, @@ -136,196 +134,225 @@ export abstract class ApiService { hasResponse: boolean, apiUrl?: string | null, alterHeaders?: (headers: Headers) => void, - ) => Promise; + ): Promise; - postIdentityToken: ( + abstract postIdentityToken( request: | PasswordTokenRequest | SsoTokenRequest | UserApiTokenRequest | WebAuthnLoginTokenRequest, - ) => Promise< + ): Promise< IdentityTokenResponse | IdentityTwoFactorResponse | IdentityDeviceVerificationResponse >; - refreshIdentityToken: () => Promise; + abstract refreshIdentityToken(): Promise; - getProfile: () => Promise; - getUserSubscription: () => Promise; - getTaxInfo: () => Promise; - putProfile: (request: UpdateProfileRequest) => Promise; - putAvatar: (request: UpdateAvatarRequest) => Promise; - putTaxInfo: (request: TaxInfoUpdateRequest) => Promise; - postPrelogin: (request: PreloginRequest) => Promise; - postEmailToken: (request: EmailTokenRequest) => Promise; - postEmail: (request: EmailRequest) => Promise; - postSetKeyConnectorKey: (request: SetKeyConnectorKeyRequest) => Promise; - postSecurityStamp: (request: SecretVerificationRequest) => Promise; - getAccountRevisionDate: () => Promise; - postPasswordHint: (request: PasswordHintRequest) => Promise; - postPremium: (data: FormData) => Promise; - postReinstatePremium: () => Promise; - postAccountStorage: (request: StorageRequest) => Promise; - postAccountPayment: (request: PaymentRequest) => Promise; - postAccountLicense: (data: FormData) => Promise; - postAccountKeys: (request: KeysRequest) => Promise; - postAccountVerifyEmail: () => Promise; - postAccountVerifyEmailToken: (request: VerifyEmailRequest) => Promise; - postAccountRecoverDelete: (request: DeleteRecoverRequest) => Promise; - postAccountRecoverDeleteToken: (request: VerifyDeleteRecoverRequest) => Promise; - postAccountKdf: (request: KdfRequest) => Promise; - postUserApiKey: (id: string, request: SecretVerificationRequest) => Promise; - postUserRotateApiKey: (id: string, request: SecretVerificationRequest) => Promise; - postConvertToKeyConnector: () => Promise; + abstract getProfile(): Promise; + abstract getUserSubscription(): Promise; + abstract getTaxInfo(): Promise; + abstract putProfile(request: UpdateProfileRequest): Promise; + abstract putAvatar(request: UpdateAvatarRequest): Promise; + abstract putTaxInfo(request: TaxInfoUpdateRequest): Promise; + abstract postPrelogin(request: PreloginRequest): Promise; + abstract postEmailToken(request: EmailTokenRequest): Promise; + abstract postEmail(request: EmailRequest): Promise; + abstract postSetKeyConnectorKey(request: SetKeyConnectorKeyRequest): Promise; + abstract postSecurityStamp(request: SecretVerificationRequest): Promise; + abstract getAccountRevisionDate(): Promise; + abstract postPasswordHint(request: PasswordHintRequest): Promise; + abstract postPremium(data: FormData): Promise; + abstract postReinstatePremium(): Promise; + abstract postAccountStorage(request: StorageRequest): Promise; + abstract postAccountPayment(request: PaymentRequest): Promise; + abstract postAccountLicense(data: FormData): Promise; + abstract postAccountKeys(request: KeysRequest): Promise; + abstract postAccountVerifyEmail(): Promise; + abstract postAccountVerifyEmailToken(request: VerifyEmailRequest): Promise; + abstract postAccountRecoverDelete(request: DeleteRecoverRequest): Promise; + abstract postAccountRecoverDeleteToken(request: VerifyDeleteRecoverRequest): Promise; + abstract postAccountKdf(request: KdfRequest): Promise; + abstract postUserApiKey(id: string, request: SecretVerificationRequest): Promise; + abstract postUserRotateApiKey( + id: string, + request: SecretVerificationRequest, + ): Promise; + abstract postConvertToKeyConnector(): Promise; //passwordless - getAuthRequest: (id: string) => Promise; - putAuthRequest: (id: string, request: PasswordlessAuthRequest) => Promise; - getAuthRequests: () => Promise>; - getLastAuthRequest: () => Promise; + abstract getAuthRequest(id: string): Promise; + abstract putAuthRequest( + id: string, + request: PasswordlessAuthRequest, + ): Promise; + abstract getAuthRequests(): Promise>; + abstract getLastAuthRequest(): Promise; - getUserBillingHistory: () => Promise; - getUserBillingPayment: () => Promise; + abstract getUserBillingHistory(): Promise; + abstract getUserBillingPayment(): Promise; - getCipher: (id: string) => Promise; - getFullCipherDetails: (id: string) => Promise; - getCipherAdmin: (id: string) => Promise; - getAttachmentData: ( + abstract getCipher(id: string): Promise; + abstract getFullCipherDetails(id: string): Promise; + abstract getCipherAdmin(id: string): Promise; + abstract getAttachmentData( cipherId: string, attachmentId: string, emergencyAccessId?: string, - ) => Promise; - getAttachmentDataAdmin: (cipherId: string, attachmentId: string) => Promise; - getCiphersOrganization: (organizationId: string) => Promise>; - postCipher: (request: CipherRequest) => Promise; - postCipherCreate: (request: CipherCreateRequest) => Promise; - postCipherAdmin: (request: CipherCreateRequest) => Promise; - putCipher: (id: string, request: CipherRequest) => Promise; - putPartialCipher: (id: string, request: CipherPartialRequest) => Promise; - putCipherAdmin: (id: string, request: CipherRequest) => Promise; - deleteCipher: (id: string) => Promise; - deleteCipherAdmin: (id: string) => Promise; - deleteManyCiphers: (request: CipherBulkDeleteRequest) => Promise; - deleteManyCiphersAdmin: (request: CipherBulkDeleteRequest) => Promise; - putMoveCiphers: (request: CipherBulkMoveRequest) => Promise; - putShareCipher: (id: string, request: CipherShareRequest) => Promise; - putShareCiphers: (request: CipherBulkShareRequest) => Promise>; - putCipherCollections: ( + ): Promise; + abstract getAttachmentDataAdmin( + cipherId: string, + attachmentId: string, + ): Promise; + abstract getCiphersOrganization(organizationId: string): Promise>; + abstract postCipher(request: CipherRequest): Promise; + abstract postCipherCreate(request: CipherCreateRequest): Promise; + abstract postCipherAdmin(request: CipherCreateRequest): Promise; + abstract putCipher(id: string, request: CipherRequest): Promise; + abstract putPartialCipher(id: string, request: CipherPartialRequest): Promise; + abstract putCipherAdmin(id: string, request: CipherRequest): Promise; + abstract deleteCipher(id: string): Promise; + abstract deleteCipherAdmin(id: string): Promise; + abstract deleteManyCiphers(request: CipherBulkDeleteRequest): Promise; + abstract deleteManyCiphersAdmin(request: CipherBulkDeleteRequest): Promise; + abstract putMoveCiphers(request: CipherBulkMoveRequest): Promise; + abstract putShareCipher(id: string, request: CipherShareRequest): Promise; + abstract putShareCiphers(request: CipherBulkShareRequest): Promise>; + abstract putCipherCollections( id: string, request: CipherCollectionsRequest, - ) => Promise; - putCipherCollectionsAdmin: (id: string, request: CipherCollectionsRequest) => Promise; - postPurgeCiphers: (request: SecretVerificationRequest, organizationId?: string) => Promise; - putDeleteCipher: (id: string) => Promise; - putDeleteCipherAdmin: (id: string) => Promise; - putDeleteManyCiphers: (request: CipherBulkDeleteRequest) => Promise; - putDeleteManyCiphersAdmin: (request: CipherBulkDeleteRequest) => Promise; - putRestoreCipher: (id: string) => Promise; - putRestoreCipherAdmin: (id: string) => Promise; - putRestoreManyCiphers: ( + ): Promise; + abstract putCipherCollectionsAdmin(id: string, request: CipherCollectionsRequest): Promise; + abstract postPurgeCiphers( + request: SecretVerificationRequest, + organizationId?: string, + ): Promise; + abstract putDeleteCipher(id: string): Promise; + abstract putDeleteCipherAdmin(id: string): Promise; + abstract putDeleteManyCiphers(request: CipherBulkDeleteRequest): Promise; + abstract putDeleteManyCiphersAdmin(request: CipherBulkDeleteRequest): Promise; + abstract putRestoreCipher(id: string): Promise; + abstract putRestoreCipherAdmin(id: string): Promise; + abstract putRestoreManyCiphers( request: CipherBulkRestoreRequest, - ) => Promise>; - putRestoreManyCiphersAdmin: ( + ): Promise>; + abstract putRestoreManyCiphersAdmin( request: CipherBulkRestoreRequest, - ) => Promise>; + ): Promise>; - postCipherAttachment: ( + abstract postCipherAttachment( id: string, request: AttachmentRequest, - ) => Promise; - deleteCipherAttachment: (id: string, attachmentId: string) => Promise; - deleteCipherAttachmentAdmin: (id: string, attachmentId: string) => Promise; - postShareCipherAttachment: ( + ): Promise; + abstract deleteCipherAttachment(id: string, attachmentId: string): Promise; + abstract deleteCipherAttachmentAdmin(id: string, attachmentId: string): Promise; + abstract postShareCipherAttachment( id: string, attachmentId: string, data: FormData, organizationId: string, - ) => Promise; - renewAttachmentUploadUrl: ( + ): Promise; + abstract renewAttachmentUploadUrl( id: string, attachmentId: string, - ) => Promise; - postAttachmentFile: (id: string, attachmentId: string, data: FormData) => Promise; + ): Promise; + abstract postAttachmentFile(id: string, attachmentId: string, data: FormData): Promise; - getUserCollections: () => Promise>; - getCollections: (organizationId: string) => Promise>; - getCollectionUsers: (organizationId: string, id: string) => Promise; - getCollectionAccessDetails: ( + abstract getUserCollections(): Promise>; + abstract getCollections(organizationId: string): Promise>; + abstract getCollectionUsers( organizationId: string, id: string, - ) => Promise; - getManyCollectionsWithAccessDetails: ( + ): Promise; + abstract getCollectionAccessDetails( + organizationId: string, + id: string, + ): Promise; + abstract getManyCollectionsWithAccessDetails( orgId: string, - ) => Promise>; - postCollection: ( + ): Promise>; + abstract postCollection( organizationId: string, request: CollectionRequest, - ) => Promise; - putCollection: ( + ): Promise; + abstract putCollection( organizationId: string, id: string, request: CollectionRequest, - ) => Promise; - deleteCollection: (organizationId: string, id: string) => Promise; - deleteManyCollections: (organizationId: string, collectionIds: string[]) => Promise; + ): Promise; + abstract deleteCollection(organizationId: string, id: string): Promise; + abstract deleteManyCollections(organizationId: string, collectionIds: string[]): Promise; - getGroupUsers: (organizationId: string, id: string) => Promise; - deleteGroupUser: (organizationId: string, id: string, organizationUserId: string) => Promise; - - getSync: () => Promise; - - getSettingsDomains: () => Promise; - putSettingsDomains: (request: UpdateDomainsRequest) => Promise; - - getTwoFactorProviders: () => Promise>; - getTwoFactorOrganizationProviders: ( + abstract getGroupUsers(organizationId: string, id: string): Promise; + abstract deleteGroupUser( organizationId: string, - ) => Promise>; - getTwoFactorAuthenticator: ( + id: string, + organizationUserId: string, + ): Promise; + + abstract getSync(): Promise; + + abstract getSettingsDomains(): Promise; + abstract putSettingsDomains(request: UpdateDomainsRequest): Promise; + + abstract getTwoFactorProviders(): Promise>; + abstract getTwoFactorOrganizationProviders( + organizationId: string, + ): Promise>; + abstract getTwoFactorAuthenticator( request: SecretVerificationRequest, - ) => Promise; - getTwoFactorEmail: (request: SecretVerificationRequest) => Promise; - getTwoFactorDuo: (request: SecretVerificationRequest) => Promise; - getTwoFactorOrganizationDuo: ( + ): Promise; + abstract getTwoFactorEmail(request: SecretVerificationRequest): Promise; + abstract getTwoFactorDuo(request: SecretVerificationRequest): Promise; + abstract getTwoFactorOrganizationDuo( organizationId: string, request: SecretVerificationRequest, - ) => Promise; - getTwoFactorYubiKey: (request: SecretVerificationRequest) => Promise; - getTwoFactorWebAuthn: (request: SecretVerificationRequest) => Promise; - getTwoFactorWebAuthnChallenge: (request: SecretVerificationRequest) => Promise; - getTwoFactorRecover: (request: SecretVerificationRequest) => Promise; - putTwoFactorAuthenticator: ( + ): Promise; + abstract getTwoFactorYubiKey( + request: SecretVerificationRequest, + ): Promise; + abstract getTwoFactorWebAuthn( + request: SecretVerificationRequest, + ): Promise; + abstract getTwoFactorWebAuthnChallenge( + request: SecretVerificationRequest, + ): Promise; + abstract getTwoFactorRecover( + request: SecretVerificationRequest, + ): Promise; + abstract putTwoFactorAuthenticator( request: UpdateTwoFactorAuthenticatorRequest, - ) => Promise; - deleteTwoFactorAuthenticator: ( + ): Promise; + abstract deleteTwoFactorAuthenticator( request: DisableTwoFactorAuthenticatorRequest, - ) => Promise; - putTwoFactorEmail: (request: UpdateTwoFactorEmailRequest) => Promise; - putTwoFactorDuo: (request: UpdateTwoFactorDuoRequest) => Promise; - putTwoFactorOrganizationDuo: ( + ): Promise; + abstract putTwoFactorEmail(request: UpdateTwoFactorEmailRequest): Promise; + abstract putTwoFactorDuo(request: UpdateTwoFactorDuoRequest): Promise; + abstract putTwoFactorOrganizationDuo( organizationId: string, request: UpdateTwoFactorDuoRequest, - ) => Promise; - putTwoFactorYubiKey: ( + ): Promise; + abstract putTwoFactorYubiKey( request: UpdateTwoFactorYubikeyOtpRequest, - ) => Promise; - putTwoFactorWebAuthn: ( + ): Promise; + abstract putTwoFactorWebAuthn( request: UpdateTwoFactorWebAuthnRequest, - ) => Promise; - deleteTwoFactorWebAuthn: ( + ): Promise; + abstract deleteTwoFactorWebAuthn( request: UpdateTwoFactorWebAuthnDeleteRequest, - ) => Promise; - putTwoFactorDisable: (request: TwoFactorProviderRequest) => Promise; - putTwoFactorOrganizationDisable: ( + ): Promise; + abstract putTwoFactorDisable( + request: TwoFactorProviderRequest, + ): Promise; + abstract putTwoFactorOrganizationDisable( organizationId: string, request: TwoFactorProviderRequest, - ) => Promise; - postTwoFactorEmailSetup: (request: TwoFactorEmailRequest) => Promise; - postTwoFactorEmail: (request: TwoFactorEmailRequest) => Promise; - getDeviceVerificationSettings: () => Promise; - putDeviceVerificationSettings: ( + ): Promise; + abstract postTwoFactorEmailSetup(request: TwoFactorEmailRequest): Promise; + abstract postTwoFactorEmail(request: TwoFactorEmailRequest): Promise; + abstract getDeviceVerificationSettings(): Promise; + abstract putDeviceVerificationSettings( request: DeviceVerificationRequest, - ) => Promise; + ): Promise; - getCloudCommunicationsEnabled: () => Promise; + abstract getCloudCommunicationsEnabled(): Promise; abstract getOrganizationConnection( id: string, type: OrganizationConnectionType, @@ -340,136 +367,147 @@ export abstract class ApiService { configType: { new (response: any): TConfig }, organizationConnectionId: string, ): Promise>; - deleteOrganizationConnection: (id: string) => Promise; - getPlans: () => Promise>; + abstract deleteOrganizationConnection(id: string): Promise; + abstract getPlans(): Promise>; - getProviderUsers: (providerId: string) => Promise>; - getProviderUser: (providerId: string, id: string) => Promise; - postProviderUserInvite: (providerId: string, request: ProviderUserInviteRequest) => Promise; - postProviderUserReinvite: (providerId: string, id: string) => Promise; - postManyProviderUserReinvite: ( + abstract getProviderUsers( + providerId: string, + ): Promise>; + abstract getProviderUser(providerId: string, id: string): Promise; + abstract postProviderUserInvite( + providerId: string, + request: ProviderUserInviteRequest, + ): Promise; + abstract postProviderUserReinvite(providerId: string, id: string): Promise; + abstract postManyProviderUserReinvite( providerId: string, request: ProviderUserBulkRequest, - ) => Promise>; - postProviderUserAccept: ( + ): Promise>; + abstract postProviderUserAccept( providerId: string, id: string, request: ProviderUserAcceptRequest, - ) => Promise; - postProviderUserConfirm: ( + ): Promise; + abstract postProviderUserConfirm( providerId: string, id: string, request: ProviderUserConfirmRequest, - ) => Promise; - postProviderUsersPublicKey: ( + ): Promise; + abstract postProviderUsersPublicKey( providerId: string, request: ProviderUserBulkRequest, - ) => Promise>; - postProviderUserBulkConfirm: ( + ): Promise>; + abstract postProviderUserBulkConfirm( providerId: string, request: ProviderUserBulkConfirmRequest, - ) => Promise>; - putProviderUser: ( + ): Promise>; + abstract putProviderUser( providerId: string, id: string, request: ProviderUserUpdateRequest, - ) => Promise; - deleteProviderUser: (organizationId: string, id: string) => Promise; - deleteManyProviderUsers: ( + ): Promise; + abstract deleteProviderUser(organizationId: string, id: string): Promise; + abstract deleteManyProviderUsers( providerId: string, request: ProviderUserBulkRequest, - ) => Promise>; - getProviderClients: ( + ): Promise>; + abstract getProviderClients( providerId: string, - ) => Promise>; - postProviderAddOrganization: ( + ): Promise>; + abstract postProviderAddOrganization( providerId: string, request: ProviderAddOrganizationRequest, - ) => Promise; - postProviderCreateOrganization: ( + ): Promise; + abstract postProviderCreateOrganization( providerId: string, request: ProviderOrganizationCreateRequest, - ) => Promise; - deleteProviderOrganization: (providerId: string, organizationId: string) => Promise; + ): Promise; + abstract deleteProviderOrganization(providerId: string, organizationId: string): Promise; - getEvents: (start: string, end: string, token: string) => Promise>; - getEventsCipher: ( + abstract getEvents( + start: string, + end: string, + token: string, + ): Promise>; + abstract getEventsCipher( id: string, start: string, end: string, token: string, - ) => Promise>; - getEventsOrganization: ( + ): Promise>; + abstract getEventsOrganization( id: string, start: string, end: string, token: string, - ) => Promise>; - getEventsOrganizationUser: ( + ): Promise>; + abstract getEventsOrganizationUser( organizationId: string, id: string, start: string, end: string, token: string, - ) => Promise>; - getEventsProvider: ( + ): Promise>; + abstract getEventsProvider( id: string, start: string, end: string, token: string, - ) => Promise>; - getEventsProviderUser: ( + ): Promise>; + abstract getEventsProviderUser( providerId: string, id: string, start: string, end: string, token: string, - ) => Promise>; + ): Promise>; /** * Posts events for a user * @param request The array of events to upload * @param userId The optional user id the events belong to. If no user id is provided the active user id is used. */ - postEventsCollect: (request: EventRequest[], userId?: UserId) => Promise; + abstract postEventsCollect(request: EventRequest[], userId?: UserId): Promise; - deleteSsoUser: (organizationId: string) => Promise; - getSsoUserIdentifier: () => Promise; + abstract deleteSsoUser(organizationId: string): Promise; + abstract getSsoUserIdentifier(): Promise; - getUserPublicKey: (id: string) => Promise; + abstract getUserPublicKey(id: string): Promise; - getHibpBreach: (username: string) => Promise; + abstract getHibpBreach(username: string): Promise; - postBitPayInvoice: (request: BitPayInvoiceRequest) => Promise; - postSetupPayment: () => Promise; + abstract postBitPayInvoice(request: BitPayInvoiceRequest): Promise; + abstract postSetupPayment(): Promise; - getActiveBearerToken: () => Promise; - fetch: (request: Request) => Promise; - nativeFetch: (request: Request) => Promise; + abstract getActiveBearerToken(): Promise; + abstract fetch(request: Request): Promise; + abstract nativeFetch(request: Request): Promise; - preValidateSso: (identifier: string) => Promise; + abstract preValidateSso(identifier: string): Promise; - postCreateSponsorship: ( + abstract postCreateSponsorship( sponsorshipOrgId: string, request: OrganizationSponsorshipCreateRequest, - ) => Promise; - getSponsorshipSyncStatus: ( + ): Promise; + abstract getSponsorshipSyncStatus( sponsoredOrgId: string, - ) => Promise; - deleteRemoveSponsorship: (sponsoringOrgId: string) => Promise; - postPreValidateSponsorshipToken: ( + ): Promise; + abstract deleteRemoveSponsorship(sponsoringOrgId: string): Promise; + abstract postPreValidateSponsorshipToken( sponsorshipToken: string, - ) => Promise; - postRedeemSponsorship: ( + ): Promise; + abstract postRedeemSponsorship( sponsorshipToken: string, request: OrganizationSponsorshipRedeemRequest, - ) => Promise; + ): Promise; - getMasterKeyFromKeyConnector: (keyConnectorUrl: string) => Promise; - postUserKeyToKeyConnector: ( + abstract getMasterKeyFromKeyConnector( + keyConnectorUrl: string, + ): Promise; + abstract postUserKeyToKeyConnector( keyConnectorUrl: string, request: KeyConnectorUserKeyRequest, - ) => Promise; - getKeyConnectorAlive: (keyConnectorUrl: string) => Promise; - getOrganizationExport: (organizationId: string) => Promise; + ): Promise; + abstract getKeyConnectorAlive(keyConnectorUrl: string): Promise; + abstract getOrganizationExport(organizationId: string): Promise; } diff --git a/libs/common/src/abstractions/event/event-collection.service.ts b/libs/common/src/abstractions/event/event-collection.service.ts index 6ca94d93a62..4f06b76c5eb 100644 --- a/libs/common/src/abstractions/event/event-collection.service.ts +++ b/libs/common/src/abstractions/event/event-collection.service.ts @@ -1,18 +1,16 @@ -// FIXME: Update this file to be type safe and remove this and next line -// @ts-strict-ignore import { EventType } from "../../enums"; import { CipherView } from "../../vault/models/view/cipher.view"; export abstract class EventCollectionService { - collectMany: ( + abstract collectMany( eventType: EventType, ciphers: CipherView[], uploadImmediately?: boolean, - ) => Promise; - collect: ( + ): Promise; + abstract collect( eventType: EventType, cipherId?: string, uploadImmediately?: boolean, organizationId?: string, - ) => Promise; + ): Promise; } diff --git a/libs/common/src/abstractions/event/event-upload.service.ts b/libs/common/src/abstractions/event/event-upload.service.ts index af2e7a77e7f..352c7cb0255 100644 --- a/libs/common/src/abstractions/event/event-upload.service.ts +++ b/libs/common/src/abstractions/event/event-upload.service.ts @@ -1,7 +1,5 @@ -// FIXME: Update this file to be type safe and remove this and next line -// @ts-strict-ignore import { UserId } from "../../types/guid"; export abstract class EventUploadService { - uploadEvents: (userId?: UserId) => Promise; + abstract uploadEvents(userId?: UserId): Promise; } diff --git a/libs/common/src/admin-console/abstractions/organization-domain/org-domain-api.service.abstraction.ts b/libs/common/src/admin-console/abstractions/organization-domain/org-domain-api.service.abstraction.ts index 5a393ed1996..b1452c1359b 100644 --- a/libs/common/src/admin-console/abstractions/organization-domain/org-domain-api.service.abstraction.ts +++ b/libs/common/src/admin-console/abstractions/organization-domain/org-domain-api.service.abstraction.ts @@ -1,5 +1,3 @@ -// FIXME: Update this file to be type safe and remove this and next line -// @ts-strict-ignore import { ListResponse } from "../../../models/response/list.response"; import { OrganizationDomainRequest } from "../../services/organization-domain/requests/organization-domain.request"; @@ -8,19 +6,19 @@ import { OrganizationDomainResponse } from "./responses/organization-domain.resp import { VerifiedOrganizationDomainSsoDetailsResponse } from "./responses/verified-organization-domain-sso-details.response"; export abstract class OrgDomainApiServiceAbstraction { - getAllByOrgId: (orgId: string) => Promise>; - getByOrgIdAndOrgDomainId: ( + abstract getAllByOrgId(orgId: string): Promise>; + abstract getByOrgIdAndOrgDomainId( orgId: string, orgDomainId: string, - ) => Promise; - post: ( + ): Promise; + abstract post( orgId: string, orgDomain: OrganizationDomainRequest, - ) => Promise; - verify: (orgId: string, orgDomainId: string) => Promise; - delete: (orgId: string, orgDomainId: string) => Promise; - getClaimedOrgDomainByEmail: (email: string) => Promise; - getVerifiedOrgDomainsByEmail: ( + ): Promise; + abstract verify(orgId: string, orgDomainId: string): Promise; + abstract delete(orgId: string, orgDomainId: string): Promise; + abstract getClaimedOrgDomainByEmail(email: string): Promise; + abstract getVerifiedOrgDomainsByEmail( email: string, - ) => Promise>; + ): Promise>; } diff --git a/libs/common/src/admin-console/abstractions/organization-domain/org-domain.service.abstraction.ts b/libs/common/src/admin-console/abstractions/organization-domain/org-domain.service.abstraction.ts index 05a0b6d722f..7f08d226d15 100644 --- a/libs/common/src/admin-console/abstractions/organization-domain/org-domain.service.abstraction.ts +++ b/libs/common/src/admin-console/abstractions/organization-domain/org-domain.service.abstraction.ts @@ -1,22 +1,20 @@ -// FIXME: Update this file to be type safe and remove this and next line -// @ts-strict-ignore import { Observable } from "rxjs"; import { OrganizationDomainResponse } from "./responses/organization-domain.response"; export abstract class OrgDomainServiceAbstraction { - orgDomains$: Observable; + abstract orgDomains$: Observable; - get: (orgDomainId: string) => OrganizationDomainResponse; + abstract get(orgDomainId: string): OrganizationDomainResponse; - copyDnsTxt: (dnsTxt: string) => void; + abstract copyDnsTxt(dnsTxt: string): void; } // Note: this separate class is designed to hold methods that are not // meant to be used in components (e.g., data write methods) export abstract class OrgDomainInternalServiceAbstraction extends OrgDomainServiceAbstraction { - upsert: (orgDomains: OrganizationDomainResponse[]) => void; - replace: (orgDomains: OrganizationDomainResponse[]) => void; - clearCache: () => void; - delete: (orgDomainIds: string[]) => void; + abstract upsert(orgDomains: OrganizationDomainResponse[]): void; + abstract replace(orgDomains: OrganizationDomainResponse[]): void; + abstract clearCache(): void; + abstract delete(orgDomainIds: string[]): void; } diff --git a/libs/common/src/admin-console/abstractions/organization/organization-api.service.abstraction.ts b/libs/common/src/admin-console/abstractions/organization/organization-api.service.abstraction.ts index 000d1655416..10626d6758f 100644 --- a/libs/common/src/admin-console/abstractions/organization/organization-api.service.abstraction.ts +++ b/libs/common/src/admin-console/abstractions/organization/organization-api.service.abstraction.ts @@ -1,5 +1,3 @@ -// FIXME: Update this file to be type safe and remove this and next line -// @ts-strict-ignore import { OrganizationApiKeyRequest } from "../../../admin-console/models/request/organization-api-key.request"; import { OrganizationSsoRequest } from "../../../auth/models/request/organization-sso.request"; import { SecretVerificationRequest } from "../../../auth/models/request/secret-verification.request"; @@ -34,60 +32,66 @@ import { OrganizationKeysResponse } from "../../models/response/organization-key import { OrganizationResponse } from "../../models/response/organization.response"; import { ProfileOrganizationResponse } from "../../models/response/profile-organization.response"; -export class OrganizationApiServiceAbstraction { - get: (id: string) => Promise; - getBilling: (id: string) => Promise; - getBillingHistory: (id: string) => Promise; - getSubscription: (id: string) => Promise; - getLicense: (id: string, installationId: string) => Promise; - getAutoEnrollStatus: (identifier: string) => Promise; - create: (request: OrganizationCreateRequest) => Promise; - createWithoutPayment: ( +export abstract class OrganizationApiServiceAbstraction { + abstract get(id: string): Promise; + abstract getBilling(id: string): Promise; + abstract getBillingHistory(id: string): Promise; + abstract getSubscription(id: string): Promise; + abstract getLicense(id: string, installationId: string): Promise; + abstract getAutoEnrollStatus(identifier: string): Promise; + abstract create(request: OrganizationCreateRequest): Promise; + abstract createWithoutPayment( request: OrganizationNoPaymentMethodCreateRequest, - ) => Promise; - createLicense: (data: FormData) => Promise; - save: (id: string, request: OrganizationUpdateRequest) => Promise; - updatePayment: (id: string, request: PaymentRequest) => Promise; - upgrade: (id: string, request: OrganizationUpgradeRequest) => Promise; - updatePasswordManagerSeats: ( + ): Promise; + abstract createLicense(data: FormData): Promise; + abstract save(id: string, request: OrganizationUpdateRequest): Promise; + abstract updatePayment(id: string, request: PaymentRequest): Promise; + abstract upgrade(id: string, request: OrganizationUpgradeRequest): Promise; + abstract updatePasswordManagerSeats( id: string, request: OrganizationSubscriptionUpdateRequest, - ) => Promise; - updateSecretsManagerSubscription: ( + ): Promise; + abstract updateSecretsManagerSubscription( id: string, request: OrganizationSmSubscriptionUpdateRequest, - ) => Promise; - updateSeats: (id: string, request: SeatRequest) => Promise; - updateStorage: (id: string, request: StorageRequest) => Promise; - verifyBank: (id: string, request: VerifyBankRequest) => Promise; - reinstate: (id: string) => Promise; - leave: (id: string) => Promise; - delete: (id: string, request: SecretVerificationRequest) => Promise; - deleteUsingToken: ( + ): Promise; + abstract updateSeats(id: string, request: SeatRequest): Promise; + abstract updateStorage(id: string, request: StorageRequest): Promise; + abstract verifyBank(id: string, request: VerifyBankRequest): Promise; + abstract reinstate(id: string): Promise; + abstract leave(id: string): Promise; + abstract delete(id: string, request: SecretVerificationRequest): Promise; + abstract deleteUsingToken( organizationId: string, request: OrganizationVerifyDeleteRecoverRequest, - ) => Promise; - updateLicense: (id: string, data: FormData) => Promise; - importDirectory: (organizationId: string, request: ImportDirectoryRequest) => Promise; - getOrCreateApiKey: (id: string, request: OrganizationApiKeyRequest) => Promise; - getApiKeyInformation: ( + ): Promise; + abstract updateLicense(id: string, data: FormData): Promise; + abstract importDirectory(organizationId: string, request: ImportDirectoryRequest): Promise; + abstract getOrCreateApiKey( + id: string, + request: OrganizationApiKeyRequest, + ): Promise; + abstract getApiKeyInformation( id: string, organizationApiKeyType?: OrganizationApiKeyType, - ) => Promise>; - rotateApiKey: (id: string, request: OrganizationApiKeyRequest) => Promise; - getTaxInfo: (id: string) => Promise; - updateTaxInfo: (id: string, request: ExpandedTaxInfoUpdateRequest) => Promise; - getKeys: (id: string) => Promise; - updateKeys: (id: string, request: OrganizationKeysRequest) => Promise; - getSso: (id: string) => Promise; - updateSso: (id: string, request: OrganizationSsoRequest) => Promise; - selfHostedSyncLicense: (id: string) => Promise; - subscribeToSecretsManager: ( + ): Promise>; + abstract rotateApiKey(id: string, request: OrganizationApiKeyRequest): Promise; + abstract getTaxInfo(id: string): Promise; + abstract updateTaxInfo(id: string, request: ExpandedTaxInfoUpdateRequest): Promise; + abstract getKeys(id: string): Promise; + abstract updateKeys( + id: string, + request: OrganizationKeysRequest, + ): Promise; + abstract getSso(id: string): Promise; + abstract updateSso(id: string, request: OrganizationSsoRequest): Promise; + abstract selfHostedSyncLicense(id: string): Promise; + abstract subscribeToSecretsManager( id: string, request: SecretsManagerSubscribeRequest, - ) => Promise; - updateCollectionManagement: ( + ): Promise; + abstract updateCollectionManagement( id: string, request: OrganizationCollectionManagementUpdateRequest, - ) => Promise; + ): Promise; } diff --git a/libs/common/src/admin-console/abstractions/organization/organization.service.abstraction.ts b/libs/common/src/admin-console/abstractions/organization/organization.service.abstraction.ts index 05c214ece13..770cfd0011d 100644 --- a/libs/common/src/admin-console/abstractions/organization/organization.service.abstraction.ts +++ b/libs/common/src/admin-console/abstractions/organization/organization.service.abstraction.ts @@ -1,5 +1,3 @@ -// FIXME: Update this file to be type safe and remove this and next line -// @ts-strict-ignore import { map, Observable } from "rxjs"; import { UserId } from "../../../types/guid"; @@ -68,20 +66,20 @@ export abstract class OrganizationService { * Publishes state for all organizations under the specified user. * @returns An observable list of organizations */ - organizations$: (userId: UserId) => Observable; + abstract organizations$(userId: UserId): Observable; // @todo Clean these up. Continuing to expand them is not recommended. // @see https://bitwarden.atlassian.net/browse/AC-2252 - memberOrganizations$: (userId: UserId) => Observable; + abstract memberOrganizations$(userId: UserId): Observable; /** * Emits true if the user can create or manage a Free Bitwarden Families sponsorship. */ - canManageSponsorships$: (userId: UserId) => Observable; + abstract canManageSponsorships$(userId: UserId): Observable; /** * Emits true if any of the user's organizations have a Free Bitwarden Families sponsorship available. */ - familySponsorshipAvailable$: (userId: UserId) => Observable; - hasOrganizations: (userId: UserId) => Observable; + abstract familySponsorshipAvailable$(userId: UserId): Observable; + abstract hasOrganizations(userId: UserId): Observable; } /** @@ -96,7 +94,7 @@ export abstract class InternalOrganizationServiceAbstraction extends Organizatio * @param organization The organization state being saved. * @param userId The userId to replace state for. */ - upsert: (OrganizationData: OrganizationData, userId: UserId) => Promise; + abstract upsert(OrganizationData: OrganizationData, userId: UserId): Promise; /** * Replaces state for the entire registered organization list for the specified user. @@ -107,5 +105,8 @@ export abstract class InternalOrganizationServiceAbstraction extends Organizatio * user. * @param userId The userId to replace state for. */ - replace: (organizations: { [id: string]: OrganizationData }, userId: UserId) => Promise; + abstract replace( + organizations: { [id: string]: OrganizationData }, + userId: UserId, + ): Promise; } diff --git a/libs/common/src/admin-console/abstractions/provider.service.ts b/libs/common/src/admin-console/abstractions/provider.service.ts index 0cd21174ea1..340156020ff 100644 --- a/libs/common/src/admin-console/abstractions/provider.service.ts +++ b/libs/common/src/admin-console/abstractions/provider.service.ts @@ -1,5 +1,3 @@ -// FIXME: Update this file to be type safe and remove this and next line -// @ts-strict-ignore import { Observable } from "rxjs"; import { UserId } from "../../types/guid"; @@ -7,8 +5,8 @@ import { ProviderData } from "../models/data/provider.data"; import { Provider } from "../models/domain/provider"; export abstract class ProviderService { - get$: (id: string) => Observable; - get: (id: string) => Promise; - getAll: () => Promise; - save: (providers: { [id: string]: ProviderData }, userId?: UserId) => Promise; + abstract get$(id: string): Observable; + abstract get(id: string): Promise; + abstract getAll(): Promise; + abstract save(providers: { [id: string]: ProviderData }, userId?: UserId): Promise; } diff --git a/libs/common/src/admin-console/abstractions/provider/provider-api.service.abstraction.ts b/libs/common/src/admin-console/abstractions/provider/provider-api.service.abstraction.ts index ffe79f0ad3b..f998fdc8ab7 100644 --- a/libs/common/src/admin-console/abstractions/provider/provider-api.service.abstraction.ts +++ b/libs/common/src/admin-console/abstractions/provider/provider-api.service.abstraction.ts @@ -1,5 +1,3 @@ -// FIXME: Update this file to be type safe and remove this and next line -// @ts-strict-ignore import { AddableOrganizationResponse } from "@bitwarden/common/admin-console/models/response/addable-organization.response"; import { ProviderSetupRequest } from "../../models/request/provider/provider-setup.request"; @@ -7,21 +5,23 @@ import { ProviderUpdateRequest } from "../../models/request/provider/provider-up import { ProviderVerifyRecoverDeleteRequest } from "../../models/request/provider/provider-verify-recover-delete.request"; import { ProviderResponse } from "../../models/response/provider/provider.response"; -export class ProviderApiServiceAbstraction { - postProviderSetup: (id: string, request: ProviderSetupRequest) => Promise; - getProvider: (id: string) => Promise; - putProvider: (id: string, request: ProviderUpdateRequest) => Promise; - providerRecoverDeleteToken: ( +export abstract class ProviderApiServiceAbstraction { + abstract postProviderSetup(id: string, request: ProviderSetupRequest): Promise; + abstract getProvider(id: string): Promise; + abstract putProvider(id: string, request: ProviderUpdateRequest): Promise; + abstract providerRecoverDeleteToken( organizationId: string, request: ProviderVerifyRecoverDeleteRequest, - ) => Promise; - deleteProvider: (id: string) => Promise; - getProviderAddableOrganizations: (providerId: string) => Promise; - addOrganizationToProvider: ( + ): Promise; + abstract deleteProvider(id: string): Promise; + abstract getProviderAddableOrganizations( + providerId: string, + ): Promise; + abstract addOrganizationToProvider( providerId: string, request: { key: string; organizationId: string; }, - ) => Promise; + ): Promise; } diff --git a/libs/common/src/auth/abstractions/account.service.ts b/libs/common/src/auth/abstractions/account.service.ts index 1686eefda06..a3dabeecf8a 100644 --- a/libs/common/src/auth/abstractions/account.service.ts +++ b/libs/common/src/auth/abstractions/account.service.ts @@ -1,5 +1,3 @@ -// FIXME: Update this file to be type safe and remove this and next line -// @ts-strict-ignore import { Observable } from "rxjs"; import { UserId } from "../../types/guid"; @@ -35,20 +33,20 @@ export function accountInfoEqual(a: AccountInfo, b: AccountInfo) { } export abstract class AccountService { - accounts$: Observable>; + abstract accounts$: Observable>; - activeAccount$: Observable; + abstract activeAccount$: Observable; /** * Observable of the last activity time for each account. */ - accountActivity$: Observable>; + abstract accountActivity$: Observable>; /** Observable of the new device login verification property for the account. */ - accountVerifyNewDeviceLogin$: Observable; + abstract accountVerifyNewDeviceLogin$: Observable; /** Account list in order of descending recency */ - sortedUserIds$: Observable; + abstract sortedUserIds$: Observable; /** Next account that is not the current active account */ - nextUpAccount$: Observable; + abstract nextUpAccount$: Observable; /** * Updates the `accounts$` observable with the new account data. * diff --git a/libs/common/src/auth/abstractions/anonymous-hub.service.ts b/libs/common/src/auth/abstractions/anonymous-hub.service.ts index 8e705d67bfe..624a3a04d53 100644 --- a/libs/common/src/auth/abstractions/anonymous-hub.service.ts +++ b/libs/common/src/auth/abstractions/anonymous-hub.service.ts @@ -1,6 +1,4 @@ -// FIXME: Update this file to be type safe and remove this and next line -// @ts-strict-ignore export abstract class AnonymousHubService { - createHubConnection: (token: string) => Promise; - stopHubConnection: () => Promise; + abstract createHubConnection(token: string): Promise; + abstract stopHubConnection(): Promise; } diff --git a/libs/common/src/auth/abstractions/avatar.service.ts b/libs/common/src/auth/abstractions/avatar.service.ts index 89729aa3712..bd2c382e610 100644 --- a/libs/common/src/auth/abstractions/avatar.service.ts +++ b/libs/common/src/auth/abstractions/avatar.service.ts @@ -1,5 +1,3 @@ -// FIXME: Update this file to be type safe and remove this and next line -// @ts-strict-ignore import { Observable } from "rxjs"; import { UserId } from "../../types/guid"; @@ -9,7 +7,7 @@ export abstract class AvatarService { * An observable monitoring the active user's avatar color. * The observable updates when the avatar color changes. */ - avatarColor$: Observable; + abstract avatarColor$: Observable; /** * Sets the avatar color of the active user * diff --git a/libs/common/src/auth/abstractions/devices-api.service.abstraction.ts b/libs/common/src/auth/abstractions/devices-api.service.abstraction.ts index cf6cdaefd85..54971a443b7 100644 --- a/libs/common/src/auth/abstractions/devices-api.service.abstraction.ts +++ b/libs/common/src/auth/abstractions/devices-api.service.abstraction.ts @@ -1,47 +1,45 @@ -// FIXME: Update this file to be type safe and remove this and next line -// @ts-strict-ignore import { ListResponse } from "../../models/response/list.response"; import { DeviceResponse } from "../abstractions/devices/responses/device.response"; import { UpdateDevicesTrustRequest } from "../models/request/update-devices-trust.request"; import { ProtectedDeviceResponse } from "../models/response/protected-device.response"; export abstract class DevicesApiServiceAbstraction { - getKnownDevice: (email: string, deviceIdentifier: string) => Promise; + abstract getKnownDevice(email: string, deviceIdentifier: string): Promise; - getDeviceByIdentifier: (deviceIdentifier: string) => Promise; + abstract getDeviceByIdentifier(deviceIdentifier: string): Promise; - getDevices: () => Promise>; + abstract getDevices(): Promise>; - updateTrustedDeviceKeys: ( + abstract updateTrustedDeviceKeys( deviceIdentifier: string, devicePublicKeyEncryptedUserKey: string, userKeyEncryptedDevicePublicKey: string, deviceKeyEncryptedDevicePrivateKey: string, - ) => Promise; + ): Promise; - updateTrust: ( + abstract updateTrust( updateDevicesTrustRequestModel: UpdateDevicesTrustRequest, deviceIdentifier: string, - ) => Promise; + ): Promise; - getDeviceKeys: (deviceIdentifier: string) => Promise; + abstract getDeviceKeys(deviceIdentifier: string): Promise; /** * Notifies the server that the device has a device key, but didn't receive any associated decryption keys. * Note: For debugging purposes only. * @param deviceIdentifier - current device identifier */ - postDeviceTrustLoss: (deviceIdentifier: string) => Promise; + abstract postDeviceTrustLoss(deviceIdentifier: string): Promise; /** * Deactivates a device * @param deviceId - The device ID */ - deactivateDevice: (deviceId: string) => Promise; + abstract deactivateDevice(deviceId: string): Promise; /** * Removes trust from a list of devices * @param deviceIds - The device IDs to be untrusted */ - untrustDevices: (deviceIds: string[]) => Promise; + abstract untrustDevices(deviceIds: string[]): Promise; } diff --git a/libs/common/src/auth/abstractions/token.service.ts b/libs/common/src/auth/abstractions/token.service.ts index 0c8db6fdcd1..2139f32fca2 100644 --- a/libs/common/src/auth/abstractions/token.service.ts +++ b/libs/common/src/auth/abstractions/token.service.ts @@ -1,5 +1,3 @@ -// FIXME: Update this file to be type safe and remove this and next line -// @ts-strict-ignore import { Observable } from "rxjs"; import { VaultTimeout, VaultTimeoutAction } from "../../key-management/vault-timeout"; @@ -27,20 +25,20 @@ export abstract class TokenService { * * @returns A promise that resolves with the SetTokensResult containing the tokens that were set. */ - setTokens: ( + abstract setTokens( accessToken: string, vaultTimeoutAction: VaultTimeoutAction, vaultTimeout: VaultTimeout, refreshToken?: string, clientIdClientSecret?: [string, string], - ) => Promise; + ): Promise; /** * Clears the access token, refresh token, API Key Client ID, and API Key Client Secret out of memory, disk, and secure storage if supported. * @param userId The optional user id to clear the tokens for; if not provided, the active user id is used. * @returns A promise that resolves when the tokens have been cleared. */ - clearTokens: (userId?: UserId) => Promise; + abstract clearTokens(userId?: UserId): Promise; /** * Sets the access token in memory or disk based on the given vaultTimeoutAction and vaultTimeout @@ -51,11 +49,11 @@ export abstract class TokenService { * @param vaultTimeout The timeout for the vault. * @returns A promise that resolves with the access token that has been set. */ - setAccessToken: ( + abstract setAccessToken( accessToken: string, vaultTimeoutAction: VaultTimeoutAction, vaultTimeout: VaultTimeout, - ) => Promise; + ): Promise; // TODO: revisit having this public clear method approach once the state service is fully deprecated. /** @@ -67,21 +65,21 @@ export abstract class TokenService { * pass in the vaultTimeoutAction and vaultTimeout. * This avoids a circular dependency between the StateService, TokenService, and VaultTimeoutSettingsService. */ - clearAccessToken: (userId?: UserId) => Promise; + abstract clearAccessToken(userId?: UserId): Promise; /** * Gets the access token * @param userId - The optional user id to get the access token for; if not provided, the active user is used. * @returns A promise that resolves with the access token or null. */ - getAccessToken: (userId?: UserId) => Promise; + abstract getAccessToken(userId?: UserId): Promise; /** * Gets the refresh token. * @param userId - The optional user id to get the refresh token for; if not provided, the active user is used. * @returns A promise that resolves with the refresh token or null. */ - getRefreshToken: (userId?: UserId) => Promise; + abstract getRefreshToken(userId?: UserId): Promise; /** * Sets the API Key Client ID for the active user id in memory or disk based on the given vaultTimeoutAction and vaultTimeout. @@ -90,18 +88,18 @@ export abstract class TokenService { * @param vaultTimeout The timeout for the vault. * @returns A promise that resolves with the API Key Client ID that has been set. */ - setClientId: ( + abstract setClientId( clientId: string, vaultTimeoutAction: VaultTimeoutAction, vaultTimeout: VaultTimeout, userId?: UserId, - ) => Promise; + ): Promise; /** * Gets the API Key Client ID for the active user. * @returns A promise that resolves with the API Key Client ID or undefined */ - getClientId: (userId?: UserId) => Promise; + abstract getClientId(userId?: UserId): Promise; /** * Sets the API Key Client Secret for the active user id in memory or disk based on the given vaultTimeoutAction and vaultTimeout. @@ -110,18 +108,18 @@ export abstract class TokenService { * @param vaultTimeout The timeout for the vault. * @returns A promise that resolves with the client secret that has been set. */ - setClientSecret: ( + abstract setClientSecret( clientSecret: string, vaultTimeoutAction: VaultTimeoutAction, vaultTimeout: VaultTimeout, userId?: UserId, - ) => Promise; + ): Promise; /** * Gets the API Key Client Secret for the active user. * @returns A promise that resolves with the API Key Client Secret or undefined */ - getClientSecret: (userId?: UserId) => Promise; + abstract getClientSecret(userId?: UserId): Promise; /** * Sets the two factor token for the given email in global state. @@ -131,21 +129,21 @@ export abstract class TokenService { * @param twoFactorToken The two factor token to set. * @returns A promise that resolves when the two factor token has been set. */ - setTwoFactorToken: (email: string, twoFactorToken: string) => Promise; + abstract setTwoFactorToken(email: string, twoFactorToken: string): Promise; /** * Gets the two factor token for the given email. * @param email The email to get the two factor token for. * @returns A promise that resolves with the two factor token for the given email or null if it isn't found. */ - getTwoFactorToken: (email: string) => Promise; + abstract getTwoFactorToken(email: string): Promise; /** * Clears the two factor token for the given email out of global state. * @param email The email to clear the two factor token for. * @returns A promise that resolves when the two factor token has been cleared. */ - clearTwoFactorToken: (email: string) => Promise; + abstract clearTwoFactorToken(email: string): Promise; /** * Decodes the access token. @@ -153,13 +151,13 @@ export abstract class TokenService { * If null, the currently active user's token is used. * @returns A promise that resolves with the decoded access token. */ - decodeAccessToken: (tokenOrUserId?: string | UserId) => Promise; + abstract decodeAccessToken(tokenOrUserId?: string | UserId): Promise; /** * Gets the expiration date for the access token. Returns if token can't be decoded or has no expiration * @returns A promise that resolves with the expiration date for the access token. */ - getTokenExpirationDate: () => Promise; + abstract getTokenExpirationDate(): Promise; /** * Calculates the adjusted time in seconds until the access token expires, considering an optional offset. @@ -170,58 +168,58 @@ export abstract class TokenService { * based on the actual expiration. * @returns {Promise} Promise resolving to the adjusted seconds remaining. */ - tokenSecondsRemaining: (offsetSeconds?: number) => Promise; + abstract tokenSecondsRemaining(offsetSeconds?: number): Promise; /** * Checks if the access token needs to be refreshed. * @param {number} [minutes=5] - Optional number of minutes before the access token expires to consider refreshing it. * @returns A promise that resolves with a boolean indicating if the access token needs to be refreshed. */ - tokenNeedsRefresh: (minutes?: number) => Promise; + abstract tokenNeedsRefresh(minutes?: number): Promise; /** * Gets the user id for the active user from the access token. * @returns A promise that resolves with the user id for the active user. * @deprecated Use AccountService.activeAccount$ instead. */ - getUserId: () => Promise; + abstract getUserId(): Promise; /** * Gets the email for the active user from the access token. * @returns A promise that resolves with the email for the active user. * @deprecated Use AccountService.activeAccount$ instead. */ - getEmail: () => Promise; + abstract getEmail(): Promise; /** * Gets the email verified status for the active user from the access token. * @returns A promise that resolves with the email verified status for the active user. */ - getEmailVerified: () => Promise; + abstract getEmailVerified(): Promise; /** * Gets the name for the active user from the access token. * @returns A promise that resolves with the name for the active user. * @deprecated Use AccountService.activeAccount$ instead. */ - getName: () => Promise; + abstract getName(): Promise; /** * Gets the issuer for the active user from the access token. * @returns A promise that resolves with the issuer for the active user. */ - getIssuer: () => Promise; + abstract getIssuer(): Promise; /** * Gets whether or not the user authenticated via an external mechanism. * @param userId The optional user id to check for external authN status; if not provided, the active user is used. * @returns A promise that resolves with a boolean representing the user's external authN status. */ - getIsExternal: (userId: UserId) => Promise; + abstract getIsExternal(userId: UserId): Promise; /** Gets the active or passed in user's security stamp */ - getSecurityStamp: (userId?: UserId) => Promise; + abstract getSecurityStamp(userId?: UserId): Promise; /** Sets the security stamp for the active or passed in user */ - setSecurityStamp: (securityStamp: string, userId?: UserId) => Promise; + abstract setSecurityStamp(securityStamp: string, userId?: UserId): Promise; } diff --git a/libs/common/src/auth/abstractions/user-verification/user-verification-api.service.abstraction.ts b/libs/common/src/auth/abstractions/user-verification/user-verification-api.service.abstraction.ts index 42abc794061..275df417df2 100644 --- a/libs/common/src/auth/abstractions/user-verification/user-verification-api.service.abstraction.ts +++ b/libs/common/src/auth/abstractions/user-verification/user-verification-api.service.abstraction.ts @@ -1,13 +1,11 @@ -// FIXME: Update this file to be type safe and remove this and next line -// @ts-strict-ignore import { SecretVerificationRequest } from "../../models/request/secret-verification.request"; import { VerifyOTPRequest } from "../../models/request/verify-otp.request"; import { MasterPasswordPolicyResponse } from "../../models/response/master-password-policy.response"; export abstract class UserVerificationApiServiceAbstraction { - postAccountVerifyOTP: (request: VerifyOTPRequest) => Promise; - postAccountRequestOTP: () => Promise; - postAccountVerifyPassword: ( + abstract postAccountVerifyOTP(request: VerifyOTPRequest): Promise; + abstract postAccountRequestOTP(): Promise; + abstract postAccountVerifyPassword( request: SecretVerificationRequest, - ) => Promise; + ): Promise; } diff --git a/libs/common/src/auth/abstractions/user-verification/user-verification.service.abstraction.ts b/libs/common/src/auth/abstractions/user-verification/user-verification.service.abstraction.ts index 2d39854f8d9..d9749d9467c 100644 --- a/libs/common/src/auth/abstractions/user-verification/user-verification.service.abstraction.ts +++ b/libs/common/src/auth/abstractions/user-verification/user-verification.service.abstraction.ts @@ -1,5 +1,3 @@ -// FIXME: Update this file to be type safe and remove this and next line -// @ts-strict-ignore import { UserId } from "../../../types/guid"; import { SecretVerificationRequest } from "../../models/request/secret-verification.request"; import { UserVerificationOptions } from "../../types/user-verification-options"; @@ -16,9 +14,9 @@ export abstract class UserVerificationService { * @param verificationType Type of verification to restrict the options to * @returns Available verification options for the user */ - getAvailableVerificationOptions: ( + abstract getAvailableVerificationOptions( verificationType: keyof UserVerificationOptions, - ) => Promise; + ): Promise; /** * Create a new request model to be used for server-side verification * @param verification User-supplied verification data (Master Password or OTP) @@ -26,11 +24,11 @@ export abstract class UserVerificationService { * @param alreadyHashed Whether the master password is already hashed * @throws Error if the verification data is invalid */ - buildRequest: ( + abstract buildRequest( verification: Verification, requestClass?: new () => T, alreadyHashed?: boolean, - ) => Promise; + ): Promise; /** * Verifies the user using the provided verification data. * PIN or biometrics are verified client-side. @@ -39,11 +37,11 @@ export abstract class UserVerificationService { * @param verification User-supplied verification data (OTP, MP, PIN, or biometrics) * @throws Error if the verification data is invalid or the verification fails */ - verifyUser: (verification: Verification) => Promise; + abstract verifyUser(verification: Verification): Promise; /** * Request a one-time password (OTP) to be sent to the user's email */ - requestOTP: () => Promise; + abstract requestOTP(): Promise; /** * Check if user has master password or can only use passwordless technologies to log in * Note: This only checks the server, not the local state @@ -51,13 +49,13 @@ export abstract class UserVerificationService { * @returns True if the user has a master password * @deprecated Use UserDecryptionOptionsService.hasMasterPassword$ instead */ - hasMasterPassword: (userId?: string) => Promise; + abstract hasMasterPassword(userId?: string): Promise; /** * Check if the user has a master password and has used it during their current session * @param userId The user id to check. If not provided, the current user id used * @returns True if the user has a master password and has used it in the current session */ - hasMasterPasswordAndMasterKeyHash: (userId?: string) => Promise; + abstract hasMasterPasswordAndMasterKeyHash(userId?: string): Promise; /** * Verifies the user using the provided master password. * Attempts to verify client-side first, then server-side if necessary. @@ -68,9 +66,9 @@ export abstract class UserVerificationService { * @throws Error if the master password is invalid * @returns An object containing the master key, and master password policy options if verified on server. */ - verifyUserByMasterPassword: ( + abstract verifyUserByMasterPassword( verification: MasterPasswordVerification, userId: UserId, email: string, - ) => Promise; + ): Promise; } diff --git a/libs/common/src/auth/abstractions/webauthn/webauthn-login-api.service.abstraction.ts b/libs/common/src/auth/abstractions/webauthn/webauthn-login-api.service.abstraction.ts index ca87710d22f..1e0fc124755 100644 --- a/libs/common/src/auth/abstractions/webauthn/webauthn-login-api.service.abstraction.ts +++ b/libs/common/src/auth/abstractions/webauthn/webauthn-login-api.service.abstraction.ts @@ -1,7 +1,5 @@ -// FIXME: Update this file to be type safe and remove this and next line -// @ts-strict-ignore import { CredentialAssertionOptionsResponse } from "../../services/webauthn-login/response/credential-assertion-options.response"; -export class WebAuthnLoginApiServiceAbstraction { - getCredentialAssertionOptions: () => Promise; +export abstract class WebAuthnLoginApiServiceAbstraction { + abstract getCredentialAssertionOptions(): Promise; } diff --git a/libs/common/src/auth/abstractions/webauthn/webauthn-login-prf-key.service.abstraction.ts b/libs/common/src/auth/abstractions/webauthn/webauthn-login-prf-key.service.abstraction.ts index 5de89313ecc..d47b7ccbcef 100644 --- a/libs/common/src/auth/abstractions/webauthn/webauthn-login-prf-key.service.abstraction.ts +++ b/libs/common/src/auth/abstractions/webauthn/webauthn-login-prf-key.service.abstraction.ts @@ -1,5 +1,3 @@ -// FIXME: Update this file to be type safe and remove this and next line -// @ts-strict-ignore import { PrfKey } from "../../../types/key"; /** @@ -9,11 +7,11 @@ export abstract class WebAuthnLoginPrfKeyServiceAbstraction { /** * Get the salt used to generate the PRF-output used when logging in with WebAuthn. */ - getLoginWithPrfSalt: () => Promise; + abstract getLoginWithPrfSalt(): Promise; /** * Create a symmetric key from the PRF-output by stretching it. * This should be used as `ExternalKey` with `RotateableKeySet`. */ - createSymmetricKeyFromPrf: (prf: ArrayBuffer) => Promise; + abstract createSymmetricKeyFromPrf(prf: ArrayBuffer): Promise; } diff --git a/libs/common/src/auth/abstractions/webauthn/webauthn-login.service.abstraction.ts b/libs/common/src/auth/abstractions/webauthn/webauthn-login.service.abstraction.ts index 8e6ffae27a8..c482b1a214e 100644 --- a/libs/common/src/auth/abstractions/webauthn/webauthn-login.service.abstraction.ts +++ b/libs/common/src/auth/abstractions/webauthn/webauthn-login.service.abstraction.ts @@ -1,5 +1,3 @@ -// FIXME: Update this file to be type safe and remove this and next line -// @ts-strict-ignore import { AuthResult } from "../../models/domain/auth-result"; import { WebAuthnLoginCredentialAssertionOptionsView } from "../../models/view/webauthn-login/webauthn-login-credential-assertion-options.view"; import { WebAuthnLoginCredentialAssertionView } from "../../models/view/webauthn-login/webauthn-login-credential-assertion.view"; @@ -14,7 +12,7 @@ export abstract class WebAuthnLoginServiceAbstraction { * (whether FIDO2 user verification is required, the relying party id, timeout duration for the process to complete, etc.) * for the authenticator. */ - getCredentialAssertionOptions: () => Promise; + abstract getCredentialAssertionOptions(): Promise; /** * Asserts the credential. This involves user interaction with the authenticator @@ -27,9 +25,9 @@ export abstract class WebAuthnLoginServiceAbstraction { * @returns {WebAuthnLoginCredentialAssertionView} The assertion obtained from the authenticator. * If the assertion is not successfully obtained, it returns undefined. */ - assertCredential: ( + abstract assertCredential( credentialAssertionOptions: WebAuthnLoginCredentialAssertionOptionsView, - ) => Promise; + ): Promise; /** * Logs the user in using the assertion obtained from the authenticator. @@ -39,5 +37,5 @@ export abstract class WebAuthnLoginServiceAbstraction { * @param {WebAuthnLoginCredentialAssertionView} assertion - The assertion obtained from the authenticator * that needs to be validated for login. */ - logIn: (assertion: WebAuthnLoginCredentialAssertionView) => Promise; + abstract logIn(assertion: WebAuthnLoginCredentialAssertionView): Promise; } diff --git a/libs/common/src/billing/abstractions/account/account-billing-api.service.abstraction.ts b/libs/common/src/billing/abstractions/account/account-billing-api.service.abstraction.ts index e0e8b7377c5..0f28e728ea2 100644 --- a/libs/common/src/billing/abstractions/account/account-billing-api.service.abstraction.ts +++ b/libs/common/src/billing/abstractions/account/account-billing-api.service.abstraction.ts @@ -1,11 +1,12 @@ -// FIXME: Update this file to be type safe and remove this and next line -// @ts-strict-ignore import { BillingInvoiceResponse, BillingTransactionResponse, } from "../../models/response/billing.response"; -export class AccountBillingApiServiceAbstraction { - getBillingInvoices: (status?: string, startAfter?: string) => Promise; - getBillingTransactions: (startAfter?: string) => Promise; +export abstract class AccountBillingApiServiceAbstraction { + abstract getBillingInvoices( + status?: string, + startAfter?: string, + ): Promise; + abstract getBillingTransactions(startAfter?: string): Promise; } diff --git a/libs/common/src/billing/abstractions/account/billing-account-profile-state.service.ts b/libs/common/src/billing/abstractions/account/billing-account-profile-state.service.ts index a4253226880..de9642f9194 100644 --- a/libs/common/src/billing/abstractions/account/billing-account-profile-state.service.ts +++ b/libs/common/src/billing/abstractions/account/billing-account-profile-state.service.ts @@ -1,5 +1,3 @@ -// FIXME: Update this file to be type safe and remove this and next line -// @ts-strict-ignore import { Observable } from "rxjs"; import { UserId } from "../../../types/guid"; diff --git a/libs/common/src/billing/abstractions/billing-api.service.abstraction.ts b/libs/common/src/billing/abstractions/billing-api.service.abstraction.ts index 21089933a59..2f3fe9125db 100644 --- a/libs/common/src/billing/abstractions/billing-api.service.abstraction.ts +++ b/libs/common/src/billing/abstractions/billing-api.service.abstraction.ts @@ -1,6 +1,3 @@ -// FIXME: Update this file to be type safe and remove this and next line -// @ts-strict-ignore - import { TaxInfoResponse } from "@bitwarden/common/billing/models/response/tax-info.response"; import { OrganizationCreateRequest } from "../../admin-console/models/request/organization-create.request"; @@ -20,78 +17,78 @@ import { PaymentMethodResponse } from "../models/response/payment-method.respons import { ProviderSubscriptionResponse } from "../models/response/provider-subscription-response"; export abstract class BillingApiServiceAbstraction { - cancelOrganizationSubscription: ( + abstract cancelOrganizationSubscription( organizationId: string, request: SubscriptionCancellationRequest, - ) => Promise; + ): Promise; - cancelPremiumUserSubscription: (request: SubscriptionCancellationRequest) => Promise; + abstract cancelPremiumUserSubscription(request: SubscriptionCancellationRequest): Promise; - createProviderClientOrganization: ( + abstract createProviderClientOrganization( providerId: string, request: CreateClientOrganizationRequest, - ) => Promise; + ): Promise; - createSetupIntent: (paymentMethodType: PaymentMethodType) => Promise; + abstract createSetupIntent(paymentMethodType: PaymentMethodType): Promise; - getOrganizationBillingMetadata: ( + abstract getOrganizationBillingMetadata( organizationId: string, - ) => Promise; + ): Promise; - getOrganizationPaymentMethod: (organizationId: string) => Promise; + abstract getOrganizationPaymentMethod(organizationId: string): Promise; - getPlans: () => Promise>; + abstract getPlans(): Promise>; - getProviderClientInvoiceReport: (providerId: string, invoiceId: string) => Promise; + abstract getProviderClientInvoiceReport(providerId: string, invoiceId: string): Promise; - getProviderClientOrganizations: ( + abstract getProviderClientOrganizations( providerId: string, - ) => Promise>; + ): Promise>; - getProviderInvoices: (providerId: string) => Promise; + abstract getProviderInvoices(providerId: string): Promise; - getProviderSubscription: (providerId: string) => Promise; + abstract getProviderSubscription(providerId: string): Promise; - getProviderTaxInformation: (providerId: string) => Promise; + abstract getProviderTaxInformation(providerId: string): Promise; - updateOrganizationPaymentMethod: ( + abstract updateOrganizationPaymentMethod( organizationId: string, request: UpdatePaymentMethodRequest, - ) => Promise; + ): Promise; - updateOrganizationTaxInformation: ( + abstract updateOrganizationTaxInformation( organizationId: string, request: ExpandedTaxInfoUpdateRequest, - ) => Promise; + ): Promise; - updateProviderClientOrganization: ( + abstract updateProviderClientOrganization( providerId: string, organizationId: string, request: UpdateClientOrganizationRequest, - ) => Promise; + ): Promise; - updateProviderPaymentMethod: ( + abstract updateProviderPaymentMethod( providerId: string, request: UpdatePaymentMethodRequest, - ) => Promise; + ): Promise; - updateProviderTaxInformation: ( + abstract updateProviderTaxInformation( providerId: string, request: ExpandedTaxInfoUpdateRequest, - ) => Promise; + ): Promise; - verifyOrganizationBankAccount: ( + abstract verifyOrganizationBankAccount( organizationId: string, request: VerifyBankAccountRequest, - ) => Promise; + ): Promise; - verifyProviderBankAccount: ( + abstract verifyProviderBankAccount( providerId: string, request: VerifyBankAccountRequest, - ) => Promise; + ): Promise; - restartSubscription: ( + abstract restartSubscription( organizationId: string, request: OrganizationCreateRequest, - ) => Promise; + ): Promise; } diff --git a/libs/common/src/billing/abstractions/organization-billing.service.ts b/libs/common/src/billing/abstractions/organization-billing.service.ts index 58c537c99cc..113b55465a7 100644 --- a/libs/common/src/billing/abstractions/organization-billing.service.ts +++ b/libs/common/src/billing/abstractions/organization-billing.service.ts @@ -1,5 +1,3 @@ -// FIXME: Update this file to be type safe and remove this and next line -// @ts-strict-ignore import { Observable } from "rxjs"; import { Organization } from "@bitwarden/common/admin-console/models/domain/organization"; @@ -49,20 +47,22 @@ export type SubscriptionInformation = { }; export abstract class OrganizationBillingServiceAbstraction { - getPaymentSource: (organizationId: string) => Promise; + abstract getPaymentSource(organizationId: string): Promise; - purchaseSubscription: (subscription: SubscriptionInformation) => Promise; - - purchaseSubscriptionNoPaymentMethod: ( + abstract purchaseSubscription( subscription: SubscriptionInformation, - ) => Promise; + ): Promise; - startFree: (subscription: SubscriptionInformation) => Promise; + abstract purchaseSubscriptionNoPaymentMethod( + subscription: SubscriptionInformation, + ): Promise; - restartSubscription: ( + abstract startFree(subscription: SubscriptionInformation): Promise; + + abstract restartSubscription( organizationId: string, subscription: SubscriptionInformation, - ) => Promise; + ): Promise; /** * Determines if breadcrumbing policies is enabled for the organizations meeting certain criteria. diff --git a/libs/common/src/key-management/device-trust/abstractions/device-trust.service.abstraction.ts b/libs/common/src/key-management/device-trust/abstractions/device-trust.service.abstraction.ts index d688c7f366b..2bc99e5e5c2 100644 --- a/libs/common/src/key-management/device-trust/abstractions/device-trust.service.abstraction.ts +++ b/libs/common/src/key-management/device-trust/abstractions/device-trust.service.abstraction.ts @@ -1,5 +1,3 @@ -// FIXME: Update this file to be type safe and remove this and next line -// @ts-strict-ignore import { Observable } from "rxjs"; import { OtherDeviceKeysUpdateRequest } from "@bitwarden/common/auth/models/request/update-devices-trust.request"; @@ -15,51 +13,51 @@ export abstract class DeviceTrustServiceAbstraction { * by Platform * @description Checks if the device trust feature is supported for the active user. */ - supportsDeviceTrust$: Observable; + abstract supportsDeviceTrust$: Observable; /** * Emits when a device has been trusted. This emission is specifically for the purpose of notifying * the consuming component to display a toast informing the user the device has been trusted. */ - deviceTrusted$: Observable; + abstract deviceTrusted$: Observable; /** * @description Checks if the device trust feature is supported for the given user. */ - supportsDeviceTrustByUserId$: (userId: UserId) => Observable; + abstract supportsDeviceTrustByUserId$(userId: UserId): Observable; /** * @description Retrieves the users choice to trust the device which can only happen after decryption * Note: this value should only be used once and then reset */ - getShouldTrustDevice: (userId: UserId) => Promise; - setShouldTrustDevice: (userId: UserId, value: boolean) => Promise; + abstract getShouldTrustDevice(userId: UserId): Promise; + abstract setShouldTrustDevice(userId: UserId, value: boolean): Promise; - trustDeviceIfRequired: (userId: UserId) => Promise; + abstract trustDeviceIfRequired(userId: UserId): Promise; - trustDevice: (userId: UserId) => Promise; + abstract trustDevice(userId: UserId): Promise; /** Retrieves the device key if it exists from state or secure storage if supported for the active user. */ - getDeviceKey: (userId: UserId) => Promise; - decryptUserKeyWithDeviceKey: ( + abstract getDeviceKey(userId: UserId): Promise; + abstract decryptUserKeyWithDeviceKey( userId: UserId, encryptedDevicePrivateKey: EncString, encryptedUserKey: EncString, deviceKey: DeviceKey, - ) => Promise; - rotateDevicesTrust: ( + ): Promise; + abstract rotateDevicesTrust( userId: UserId, newUserKey: UserKey, masterPasswordHash: string, - ) => Promise; + ): Promise; /** * Notifies the server that the device has a device key, but didn't receive any associated decryption keys. * Note: For debugging purposes only. */ - recordDeviceTrustLoss: () => Promise; - getRotatedData: ( + abstract recordDeviceTrustLoss(): Promise; + abstract getRotatedData( oldUserKey: UserKey, newUserKey: UserKey, userId: UserId, - ) => Promise; + ): Promise; } diff --git a/libs/common/src/key-management/vault-timeout/abstractions/vault-timeout-settings.service.ts b/libs/common/src/key-management/vault-timeout/abstractions/vault-timeout-settings.service.ts index 9ff362e4009..bcbf0029199 100644 --- a/libs/common/src/key-management/vault-timeout/abstractions/vault-timeout-settings.service.ts +++ b/libs/common/src/key-management/vault-timeout/abstractions/vault-timeout-settings.service.ts @@ -1,5 +1,3 @@ -// FIXME: Update this file to be type safe and remove this and next line -// @ts-strict-ignore import { Observable } from "rxjs"; import { UserId } from "../../../types/guid"; @@ -13,11 +11,11 @@ export abstract class VaultTimeoutSettingsService { * @param vaultTimeoutAction The vault timeout action * @param userId The user id to set the data for. */ - setVaultTimeoutOptions: ( + abstract setVaultTimeoutOptions( userId: UserId, vaultTimeout: VaultTimeout, vaultTimeoutAction: VaultTimeoutAction, - ) => Promise; + ): Promise; /** * Get the available vault timeout actions for the current user @@ -25,13 +23,13 @@ export abstract class VaultTimeoutSettingsService { * **NOTE:** This observable is not yet connected to the state service, so it will not update when the state changes * @param userId The user id to check. If not provided, the current user is used */ - availableVaultTimeoutActions$: (userId?: string) => Observable; + abstract availableVaultTimeoutActions$(userId?: string): Observable; /** * Evaluates the user's available vault timeout actions and returns a boolean representing * if the user can lock or not */ - canLock: (userId: string) => Promise; + abstract canLock(userId: string): Promise; /** * Gets the vault timeout action for the given user id. The returned value is @@ -41,7 +39,7 @@ export abstract class VaultTimeoutSettingsService { * A new action will be emitted if the current state changes or if the user's policy changes and the new policy affects the action. * @param userId - the user id to get the vault timeout action for */ - getVaultTimeoutActionByUserId$: (userId: string) => Observable; + abstract getVaultTimeoutActionByUserId$(userId: string): Observable; /** * Get the vault timeout for the given user id. The returned value is calculated based on the current state @@ -50,14 +48,14 @@ export abstract class VaultTimeoutSettingsService { * A new timeout will be emitted if the current state changes or if the user's policy changes and the new policy affects the timeout. * @param userId The user id to get the vault timeout for */ - getVaultTimeoutByUserId$: (userId: string) => Observable; + abstract getVaultTimeoutByUserId$(userId: string): Observable; /** * Has the user enabled unlock with Biometric. * @param userId The user id to check. If not provided, the current user is used * @returns boolean true if biometric lock is set */ - isBiometricLockSet: (userId?: string) => Promise; + abstract isBiometricLockSet(userId?: string): Promise; - clear: (userId: UserId) => Promise; + abstract clear(userId: UserId): Promise; } diff --git a/libs/common/src/key-management/vault-timeout/abstractions/vault-timeout.service.ts b/libs/common/src/key-management/vault-timeout/abstractions/vault-timeout.service.ts index cb07c7d193a..1c88a5c51ea 100644 --- a/libs/common/src/key-management/vault-timeout/abstractions/vault-timeout.service.ts +++ b/libs/common/src/key-management/vault-timeout/abstractions/vault-timeout.service.ts @@ -1,7 +1,5 @@ -// FIXME: Update this file to be type safe and remove this and next line -// @ts-strict-ignore export abstract class VaultTimeoutService { - checkVaultTimeout: () => Promise; - lock: (userId?: string) => Promise; - logOut: (userId?: string) => Promise; + abstract checkVaultTimeout(): Promise; + abstract lock(userId?: string): Promise; + abstract logOut(userId?: string): Promise; } diff --git a/libs/common/src/platform/abstractions/fido2/fido2-authenticator.service.abstraction.ts b/libs/common/src/platform/abstractions/fido2/fido2-authenticator.service.abstraction.ts index fd3453198e6..c34c4b835cf 100644 --- a/libs/common/src/platform/abstractions/fido2/fido2-authenticator.service.abstraction.ts +++ b/libs/common/src/platform/abstractions/fido2/fido2-authenticator.service.abstraction.ts @@ -1,5 +1,3 @@ -// FIXME: Update this file to be type safe and remove this and next line -// @ts-strict-ignore import { Fido2CredentialView } from "../../../vault/models/view/fido2-credential.view"; /** @@ -17,11 +15,11 @@ export abstract class Fido2AuthenticatorService { * @param abortController An AbortController that can be used to abort the operation. * @returns A promise that resolves with the new credential and an attestation signature. **/ - makeCredential: ( + abstract makeCredential( params: Fido2AuthenticatorMakeCredentialsParams, window: ParentWindowReference, abortController?: AbortController, - ) => Promise; + ): Promise; /** * Generate an assertion using an existing credential as describe in: @@ -31,11 +29,11 @@ export abstract class Fido2AuthenticatorService { * @param abortController An AbortController that can be used to abort the operation. * @returns A promise that resolves with the asserted credential and an assertion signature. */ - getAssertion: ( + abstract getAssertion( params: Fido2AuthenticatorGetAssertionParams, window: ParentWindowReference, abortController?: AbortController, - ) => Promise; + ): Promise; /** * Discover credentials for a given Relying Party @@ -43,7 +41,7 @@ export abstract class Fido2AuthenticatorService { * @param rpId The Relying Party's ID * @returns A promise that resolves with an array of discoverable credentials */ - silentCredentialDiscovery: (rpId: string) => Promise; + abstract silentCredentialDiscovery(rpId: string): Promise; } // FIXME: update to use a const object instead of a typescript enum diff --git a/libs/common/src/platform/abstractions/fido2/fido2-client.service.abstraction.ts b/libs/common/src/platform/abstractions/fido2/fido2-client.service.abstraction.ts index 55d9cce8049..f1ad26673fd 100644 --- a/libs/common/src/platform/abstractions/fido2/fido2-client.service.abstraction.ts +++ b/libs/common/src/platform/abstractions/fido2/fido2-client.service.abstraction.ts @@ -1,5 +1,3 @@ -// FIXME: Update this file to be type safe and remove this and next line -// @ts-strict-ignore export const UserRequestedFallbackAbortReason = "UserRequestedFallback"; export type UserVerification = "discouraged" | "preferred" | "required"; @@ -16,7 +14,7 @@ export type UserVerification = "discouraged" | "preferred" | "required"; * and for returning the results of the latter operations to the Web Authentication API's callers. */ export abstract class Fido2ClientService { - isFido2FeatureEnabled: (hostname: string, origin: string) => Promise; + abstract isFido2FeatureEnabled(hostname: string, origin: string): Promise; /** * Allows WebAuthn Relying Party scripts to request the creation of a new public key credential source. @@ -26,11 +24,11 @@ export abstract class Fido2ClientService { * @param abortController An AbortController that can be used to abort the operation. * @returns A promise that resolves with the new credential. */ - createCredential: ( + abstract createCredential( params: CreateCredentialParams, window: ParentWindowReference, abortController?: AbortController, - ) => Promise; + ): Promise; /** * Allows WebAuthn Relying Party scripts to discover and use an existing public key credential, with the user’s consent. @@ -41,11 +39,11 @@ export abstract class Fido2ClientService { * @param abortController An AbortController that can be used to abort the operation. * @returns A promise that resolves with the asserted credential. */ - assertCredential: ( + abstract assertCredential( params: AssertCredentialParams, window: ParentWindowReference, abortController?: AbortController, - ) => Promise; + ): Promise; } /** diff --git a/libs/common/src/platform/abstractions/fido2/fido2-user-interface.service.abstraction.ts b/libs/common/src/platform/abstractions/fido2/fido2-user-interface.service.abstraction.ts index 1f871f6c70f..28b199da78f 100644 --- a/libs/common/src/platform/abstractions/fido2/fido2-user-interface.service.abstraction.ts +++ b/libs/common/src/platform/abstractions/fido2/fido2-user-interface.service.abstraction.ts @@ -1,5 +1,3 @@ -// FIXME: Update this file to be type safe and remove this and next line -// @ts-strict-ignore /** * Parameters used to ask the user to confirm the creation of a new credential. */ @@ -69,11 +67,11 @@ export abstract class Fido2UserInterfaceService { * @param fallbackSupported Whether or not the browser natively supports WebAuthn. * @param abortController An abort controller that can be used to cancel/close the session. */ - newSession: ( + abstract newSession( fallbackSupported: boolean, window: ParentWindowReference, abortController?: AbortController, - ) => Promise; + ): Promise; } export abstract class Fido2UserInterfaceSession { @@ -84,9 +82,9 @@ export abstract class Fido2UserInterfaceSession { * @param abortController An abort controller that can be used to cancel/close the session. * @returns The ID of the cipher that contains the credentials the user picked. If not cipher was picked, return cipherId = undefined to to let the authenticator throw the error. */ - pickCredential: ( + abstract pickCredential( params: PickCredentialParams, - ) => Promise<{ cipherId: string; userVerified: boolean }>; + ): Promise<{ cipherId: string; userVerified: boolean }>; /** * Ask the user to confirm the creation of a new credential. @@ -95,30 +93,30 @@ export abstract class Fido2UserInterfaceSession { * @param abortController An abort controller that can be used to cancel/close the session. * @returns The ID of the cipher where the new credential should be saved. */ - confirmNewCredential: ( + abstract confirmNewCredential( params: NewCredentialParams, - ) => Promise<{ cipherId: string; userVerified: boolean }>; + ): Promise<{ cipherId: string; userVerified: boolean }>; /** * Make sure that the vault is unlocked. * This will open a window and ask the user to login or unlock the vault if necessary. */ - ensureUnlockedVault: () => Promise; + abstract ensureUnlockedVault(): Promise; /** * Inform the user that the operation was cancelled because their vault contains excluded credentials. * * @param existingCipherIds The IDs of the excluded credentials. */ - informExcludedCredential: (existingCipherIds: string[]) => Promise; + abstract informExcludedCredential(existingCipherIds: string[]): Promise; /** * Inform the user that the operation was cancelled because their vault does not contain any useable credentials. */ - informCredentialNotFound: (abortController?: AbortController) => Promise; + abstract informCredentialNotFound(abortController?: AbortController): Promise; /** * Close the session, including any windows that may be open. */ - close: () => void; + abstract close(): void; } diff --git a/libs/common/src/platform/abstractions/state.service.ts b/libs/common/src/platform/abstractions/state.service.ts index e4dbe76d7e4..4c1c000284e 100644 --- a/libs/common/src/platform/abstractions/state.service.ts +++ b/libs/common/src/platform/abstractions/state.service.ts @@ -1,5 +1,3 @@ -// FIXME: Update this file to be type safe and remove this and next line -// @ts-strict-ignore import { BiometricKey } from "../../auth/types/biometric-key"; import { Account } from "../models/domain/account"; import { StorageOptions } from "../models/domain/storage-options"; @@ -19,47 +17,47 @@ export type InitOptions = { }; export abstract class StateService { - addAccount: (account: T) => Promise; - clean: (options?: StorageOptions) => Promise; - init: (initOptions?: InitOptions) => Promise; + abstract addAccount(account: T): Promise; + abstract clean(options?: StorageOptions): Promise; + abstract init(initOptions?: InitOptions): Promise; /** * Gets the user's auto key */ - getUserKeyAutoUnlock: (options?: StorageOptions) => Promise; + abstract getUserKeyAutoUnlock(options?: StorageOptions): Promise; /** * Sets the user's auto key */ - setUserKeyAutoUnlock: (value: string | null, options?: StorageOptions) => Promise; + abstract setUserKeyAutoUnlock(value: string | null, options?: StorageOptions): Promise; /** * Gets the user's biometric key */ - getUserKeyBiometric: (options?: StorageOptions) => Promise; + abstract getUserKeyBiometric(options?: StorageOptions): Promise; /** * Checks if the user has a biometric key available */ - hasUserKeyBiometric: (options?: StorageOptions) => Promise; + abstract hasUserKeyBiometric(options?: StorageOptions): Promise; /** * Sets the user's biometric key */ - setUserKeyBiometric: (value: BiometricKey, options?: StorageOptions) => Promise; + abstract setUserKeyBiometric(value: BiometricKey, options?: StorageOptions): Promise; /** * @deprecated For backwards compatible purposes only, use DesktopAutofillSettingsService */ - setEnableDuckDuckGoBrowserIntegration: ( + abstract setEnableDuckDuckGoBrowserIntegration( value: boolean, options?: StorageOptions, - ) => Promise; - getDuckDuckGoSharedKey: (options?: StorageOptions) => Promise; - setDuckDuckGoSharedKey: (value: string, options?: StorageOptions) => Promise; + ): Promise; + abstract getDuckDuckGoSharedKey(options?: StorageOptions): Promise; + abstract setDuckDuckGoSharedKey(value: string, options?: StorageOptions): Promise; /** * @deprecated Use `TokenService.hasAccessToken$()` or `AuthService.authStatusFor$` instead. */ - getIsAuthenticated: (options?: StorageOptions) => Promise; + abstract getIsAuthenticated(options?: StorageOptions): Promise; /** * @deprecated Use `AccountService.activeAccount$` instead. */ - getUserId: (options?: StorageOptions) => Promise; + abstract getUserId(options?: StorageOptions): Promise; } diff --git a/libs/common/src/tools/password-strength/password-strength.service.abstraction.ts b/libs/common/src/tools/password-strength/password-strength.service.abstraction.ts index a49a6d481b5..ccc47d487a4 100644 --- a/libs/common/src/tools/password-strength/password-strength.service.abstraction.ts +++ b/libs/common/src/tools/password-strength/password-strength.service.abstraction.ts @@ -1,7 +1,9 @@ -// FIXME: Update this file to be type safe and remove this and next line -// @ts-strict-ignore import { ZXCVBNResult } from "zxcvbn"; export abstract class PasswordStrengthServiceAbstraction { - getPasswordStrength: (password: string, email?: string, userInputs?: string[]) => ZXCVBNResult; + abstract getPasswordStrength( + password: string, + email?: string, + userInputs?: string[], + ): ZXCVBNResult; } diff --git a/libs/common/src/tools/send/services/send-api.service.abstraction.ts b/libs/common/src/tools/send/services/send-api.service.abstraction.ts index 570f3e746a0..80c4410af11 100644 --- a/libs/common/src/tools/send/services/send-api.service.abstraction.ts +++ b/libs/common/src/tools/send/services/send-api.service.abstraction.ts @@ -1,5 +1,3 @@ -// FIXME: Update this file to be type safe and remove this and next line -// @ts-strict-ignore import { ListResponse } from "../../../models/response/list.response"; import { EncArrayBuffer } from "../../../platform/models/domain/enc-array-buffer"; import { Send } from "../models/domain/send"; @@ -12,26 +10,29 @@ import { SendResponse } from "../models/response/send.response"; import { SendAccessView } from "../models/view/send-access.view"; export abstract class SendApiService { - getSend: (id: string) => Promise; - postSendAccess: ( + abstract getSend(id: string): Promise; + abstract postSendAccess( id: string, request: SendAccessRequest, apiUrl?: string, - ) => Promise; - getSends: () => Promise>; - postSend: (request: SendRequest) => Promise; - postFileTypeSend: (request: SendRequest) => Promise; - postSendFile: (sendId: string, fileId: string, data: FormData) => Promise; - putSend: (id: string, request: SendRequest) => Promise; - putSendRemovePassword: (id: string) => Promise; - deleteSend: (id: string) => Promise; - getSendFileDownloadData: ( + ): Promise; + abstract getSends(): Promise>; + abstract postSend(request: SendRequest): Promise; + abstract postFileTypeSend(request: SendRequest): Promise; + abstract postSendFile(sendId: string, fileId: string, data: FormData): Promise; + abstract putSend(id: string, request: SendRequest): Promise; + abstract putSendRemovePassword(id: string): Promise; + abstract deleteSend(id: string): Promise; + abstract getSendFileDownloadData( send: SendAccessView, request: SendAccessRequest, apiUrl?: string, - ) => Promise; - renewSendFileUploadUrl: (sendId: string, fileId: string) => Promise; - removePassword: (id: string) => Promise; - delete: (id: string) => Promise; - save: (sendData: [Send, EncArrayBuffer]) => Promise; + ): Promise; + abstract renewSendFileUploadUrl( + sendId: string, + fileId: string, + ): Promise; + abstract removePassword(id: string): Promise; + abstract delete(id: string): Promise; + abstract save(sendData: [Send, EncArrayBuffer]): Promise; } diff --git a/libs/common/src/tools/send/services/send.service.abstraction.ts b/libs/common/src/tools/send/services/send.service.abstraction.ts index f586e39a755..8301172477c 100644 --- a/libs/common/src/tools/send/services/send.service.abstraction.ts +++ b/libs/common/src/tools/send/services/send.service.abstraction.ts @@ -1,5 +1,3 @@ -// FIXME: Update this file to be type safe and remove this and next line -// @ts-strict-ignore import { Observable } from "rxjs"; // This import has been flagged as unallowed for this class. It may be involved in a circular dependency loop. @@ -16,49 +14,49 @@ import { SendWithIdRequest } from "../models/request/send-with-id.request"; import { SendView } from "../models/view/send.view"; export abstract class SendService implements UserKeyRotationDataProvider { - sends$: Observable; - sendViews$: Observable; + abstract sends$: Observable; + abstract sendViews$: Observable; - encrypt: ( + abstract encrypt( model: SendView, file: File | ArrayBuffer, password: string, key?: SymmetricCryptoKey, - ) => Promise<[Send, EncArrayBuffer]>; + ): Promise<[Send, EncArrayBuffer]>; /** * Provides a send for a determined id * updates after a change occurs to the send that matches the id * @param id The id of the desired send * @returns An observable that listens to the value of the desired send */ - get$: (id: string) => Observable; + abstract get$(id: string): Observable; /** * Provides re-encrypted user sends for the key rotation process * @param newUserKey The new user key to use for re-encryption * @throws Error if the new user key is null or undefined * @returns A list of user sends that have been re-encrypted with the new user key */ - getRotatedData: ( + abstract getRotatedData( originalUserKey: UserKey, newUserKey: UserKey, userId: UserId, - ) => Promise; + ): Promise; /** * @deprecated Do not call this, use the sends$ observable collection */ - getAll: () => Promise; + abstract getAll(): Promise; /** * @deprecated Only use in CLI */ - getFromState: (id: string) => Promise; + abstract getFromState(id: string): Promise; /** * @deprecated Only use in CLI */ - getAllDecryptedFromState: (userId: UserId) => Promise; + abstract getAllDecryptedFromState(userId: UserId): Promise; } export abstract class InternalSendService extends SendService { - upsert: (send: SendData | SendData[]) => Promise; - replace: (sends: { [id: string]: SendData }, userId: UserId) => Promise; - delete: (id: string | string[]) => Promise; + abstract upsert(send: SendData | SendData[]): Promise; + abstract replace(sends: { [id: string]: SendData }, userId: UserId): Promise; + abstract delete(id: string | string[]): Promise; } diff --git a/libs/common/src/vault/abstractions/cipher.service.ts b/libs/common/src/vault/abstractions/cipher.service.ts index 2f186369463..2f4fcf0ef51 100644 --- a/libs/common/src/vault/abstractions/cipher.service.ts +++ b/libs/common/src/vault/abstractions/cipher.service.ts @@ -1,5 +1,3 @@ -// FIXME: Update this file to be type safe and remove this and next line -// @ts-strict-ignore import { Observable } from "rxjs"; // This import has been flagged as unallowed for this class. It may be involved in a circular dependency loop. diff --git a/libs/common/src/vault/abstractions/file-upload/cipher-file-upload.service.ts b/libs/common/src/vault/abstractions/file-upload/cipher-file-upload.service.ts index 812439e2ca9..13c79241e36 100644 --- a/libs/common/src/vault/abstractions/file-upload/cipher-file-upload.service.ts +++ b/libs/common/src/vault/abstractions/file-upload/cipher-file-upload.service.ts @@ -1,5 +1,3 @@ -// FIXME: Update this file to be type safe and remove this and next line -// @ts-strict-ignore import { EncString } from "../../../key-management/crypto/models/enc-string"; import { EncArrayBuffer } from "../../../platform/models/domain/enc-array-buffer"; import { SymmetricCryptoKey } from "../../../platform/models/domain/symmetric-crypto-key"; @@ -7,11 +5,11 @@ import { Cipher } from "../../models/domain/cipher"; import { CipherResponse } from "../../models/response/cipher.response"; export abstract class CipherFileUploadService { - upload: ( + abstract upload( cipher: Cipher, encFileName: EncString, encData: EncArrayBuffer, admin: boolean, dataEncKey: [SymmetricCryptoKey, EncString], - ) => Promise; + ): Promise; } diff --git a/libs/common/src/vault/abstractions/folder/folder-api.service.abstraction.ts b/libs/common/src/vault/abstractions/folder/folder-api.service.abstraction.ts index 1bb4a52e929..1b89f1664ca 100644 --- a/libs/common/src/vault/abstractions/folder/folder-api.service.abstraction.ts +++ b/libs/common/src/vault/abstractions/folder/folder-api.service.abstraction.ts @@ -1,14 +1,11 @@ -// FIXME: Update this file to be type safe and remove this and next line -// @ts-strict-ignore - import { UserId } from "../../../types/guid"; import { FolderData } from "../../models/data/folder.data"; import { Folder } from "../../models/domain/folder"; import { FolderResponse } from "../../models/response/folder.response"; -export class FolderApiServiceAbstraction { - save: (folder: Folder, userId: UserId) => Promise; - delete: (id: string, userId: UserId) => Promise; - get: (id: string) => Promise; - deleteAll: (userId: UserId) => Promise; +export abstract class FolderApiServiceAbstraction { + abstract save(folder: Folder, userId: UserId): Promise; + abstract delete(id: string, userId: UserId): Promise; + abstract get(id: string): Promise; + abstract deleteAll(userId: UserId): Promise; } diff --git a/libs/common/src/vault/abstractions/folder/folder.service.abstraction.ts b/libs/common/src/vault/abstractions/folder/folder.service.abstraction.ts index 7324fe22c8d..e56bfda32a4 100644 --- a/libs/common/src/vault/abstractions/folder/folder.service.abstraction.ts +++ b/libs/common/src/vault/abstractions/folder/folder.service.abstraction.ts @@ -1,5 +1,3 @@ -// FIXME: Update this file to be type safe and remove this and next line -// @ts-strict-ignore import { Observable } from "rxjs"; // This import has been flagged as unallowed for this class. It may be involved in a circular dependency loop. @@ -15,27 +13,27 @@ import { FolderWithIdRequest } from "../../models/request/folder-with-id.request import { FolderView } from "../../models/view/folder.view"; export abstract class FolderService implements UserKeyRotationDataProvider { - folders$: (userId: UserId) => Observable; - folderViews$: (userId: UserId) => Observable; + abstract folders$(userId: UserId): Observable; + abstract folderViews$(userId: UserId): Observable; - clearDecryptedFolderState: (userId: UserId) => Promise; - encrypt: (model: FolderView, key: SymmetricCryptoKey) => Promise; - get: (id: string, userId: UserId) => Promise; - getDecrypted$: (id: string, userId: UserId) => Observable; + abstract clearDecryptedFolderState(userId: UserId): Promise; + abstract encrypt(model: FolderView, key: SymmetricCryptoKey): Promise; + abstract get(id: string, userId: UserId): Promise; + abstract getDecrypted$(id: string, userId: UserId): Observable; /** * @deprecated Use firstValueFrom(folders$) directly instead * @param userId The user id * @returns Promise of folders array */ - getAllFromState: (userId: UserId) => Promise; + abstract getAllFromState(userId: UserId): Promise; /** * @deprecated Only use in CLI! */ - getFromState: (id: string, userId: UserId) => Promise; + abstract getFromState(id: string, userId: UserId): Promise; /** * @deprecated Only use in CLI! */ - getAllDecryptedFromState: (userId: UserId) => Promise; + abstract getAllDecryptedFromState(userId: UserId): Promise; /** * Returns user folders re-encrypted with the new user key. * @param originalUserKey the original user key @@ -44,16 +42,16 @@ export abstract class FolderService implements UserKeyRotationDataProvider Promise; + ): Promise; } export abstract class InternalFolderService extends FolderService { - upsert: (folder: FolderData | FolderData[], userId: UserId) => Promise; - replace: (folders: { [id: string]: FolderData }, userId: UserId) => Promise; - clear: (userId: UserId) => Promise; - delete: (id: string | string[], userId: UserId) => Promise; + abstract upsert(folder: FolderData | FolderData[], userId: UserId): Promise; + abstract replace(folders: { [id: string]: FolderData }, userId: UserId): Promise; + abstract clear(userId: UserId): Promise; + abstract delete(id: string | string[], userId: UserId): Promise; } diff --git a/libs/common/src/vault/abstractions/search.service.ts b/libs/common/src/vault/abstractions/search.service.ts index ed8bb2c3baf..57f301261c2 100644 --- a/libs/common/src/vault/abstractions/search.service.ts +++ b/libs/common/src/vault/abstractions/search.service.ts @@ -1,5 +1,3 @@ -// FIXME: Update this file to be type safe and remove this and next line -// @ts-strict-ignore import { Observable } from "rxjs"; import { SendView } from "../../tools/send/models/view/send.view"; @@ -8,25 +6,25 @@ import { CipherView } from "../models/view/cipher.view"; import { CipherViewLike } from "../utils/cipher-view-like-utils"; export abstract class SearchService { - indexedEntityId$: (userId: UserId) => Observable; + abstract indexedEntityId$(userId: UserId): Observable; - clearIndex: (userId: UserId) => Promise; - isSearchable: (userId: UserId, query: string) => Promise; - indexCiphers: ( + abstract clearIndex(userId: UserId): Promise; + abstract isSearchable(userId: UserId, query: string): Promise; + abstract indexCiphers( userId: UserId, ciphersToIndex: CipherView[], indexedEntityGuid?: string, - ) => Promise; - searchCiphers: ( + ): Promise; + abstract searchCiphers( userId: UserId, query: string, filter?: ((cipher: C) => boolean) | ((cipher: C) => boolean)[], ciphers?: C[], - ) => Promise; - searchCiphersBasic: ( + ): Promise; + abstract searchCiphersBasic( ciphers: C[], query: string, deleted?: boolean, - ) => C[]; - searchSends: (sends: SendView[], query: string) => SendView[]; + ): C[]; + abstract searchSends(sends: SendView[], query: string): SendView[]; } diff --git a/libs/common/src/vault/abstractions/vault-settings/vault-settings.service.ts b/libs/common/src/vault/abstractions/vault-settings/vault-settings.service.ts index ea1e73c2685..01b0011b7f7 100644 --- a/libs/common/src/vault/abstractions/vault-settings/vault-settings.service.ts +++ b/libs/common/src/vault/abstractions/vault-settings/vault-settings.service.ts @@ -1,5 +1,3 @@ -// FIXME: Update this file to be type safe and remove this and next line -// @ts-strict-ignore import { Observable } from "rxjs"; /** * Service for managing vault settings. @@ -9,42 +7,40 @@ export abstract class VaultSettingsService { * An observable monitoring the state of the enable passkeys setting. * The observable updates when the setting changes. */ - enablePasskeys$: Observable; + abstract enablePasskeys$: Observable; /** * An observable monitoring the state of the show cards on the current tab. */ - showCardsCurrentTab$: Observable; + abstract showCardsCurrentTab$: Observable; /** * An observable monitoring the state of the show identities on the current tab. */ - showIdentitiesCurrentTab$: Observable; - /** + abstract showIdentitiesCurrentTab$: Observable; /** * An observable monitoring the state of the click items on the Vault view * for Autofill suggestions. */ - clickItemsToAutofillVaultView$: Observable; - /** + abstract clickItemsToAutofillVaultView$: Observable; /** * Saves the enable passkeys setting to disk. * @param value The new value for the passkeys setting. */ - setEnablePasskeys: (value: boolean) => Promise; + abstract setEnablePasskeys(value: boolean): Promise; /** * Saves the show cards on tab page setting to disk. * @param value The new value for the show cards on tab page setting. */ - setShowCardsCurrentTab: (value: boolean) => Promise; + abstract setShowCardsCurrentTab(value: boolean): Promise; /** * Saves the show identities on tab page setting to disk. * @param value The new value for the show identities on tab page setting. */ - setShowIdentitiesCurrentTab: (value: boolean) => Promise; + abstract setShowIdentitiesCurrentTab(value: boolean): Promise; /** * Saves the click items on vault View for Autofill suggestions to disk. * @param value The new value for the click items on vault View for * Autofill suggestions setting. */ - setClickItemsToAutofillVaultView: (value: boolean) => Promise; + abstract setClickItemsToAutofillVaultView(value: boolean): Promise; } From 78353a988249bf109b4017b71ce8ebcc2393d496 Mon Sep 17 00:00:00 2001 From: Todd Martin <106564991+trmartin4@users.noreply.github.com> Date: Tue, 22 Jul 2025 14:04:23 -0400 Subject: [PATCH 20/37] fix(rpm): [PM-527] Remove build id links on rpm build --- apps/desktop/electron-builder.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/apps/desktop/electron-builder.json b/apps/desktop/electron-builder.json index 832ab9d0bd3..800cdd848a7 100644 --- a/apps/desktop/electron-builder.json +++ b/apps/desktop/electron-builder.json @@ -240,7 +240,8 @@ "artifactName": "${productName}-${version}-${arch}.${ext}" }, "rpm": { - "artifactName": "${productName}-${version}-${arch}.${ext}" + "artifactName": "${productName}-${version}-${arch}.${ext}", + "fpm": ["--rpm-rpmbuild-define", "_build_id_links none"] }, "freebsd": { "artifactName": "${productName}-${version}-${arch}.${ext}" From d0fc9e9a2b1fbf5457736e5d80c5eb271187f638 Mon Sep 17 00:00:00 2001 From: Vincent Salucci <26154748+vincentsalucci@users.noreply.github.com> Date: Tue, 22 Jul 2025 13:19:26 -0500 Subject: [PATCH 21/37] [PM-19589] Update delete organization user event log message (#15714) * chore: update key and message with new content, refs PM-19589 * chore: update reference to new message key, refs PM-19589 * chore: update message based on product/design review, refs PM-19589 --- apps/web/src/app/core/event.service.ts | 4 ++-- apps/web/src/locales/en/messages.json | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/apps/web/src/app/core/event.service.ts b/apps/web/src/app/core/event.service.ts index 14c87181f62..36d591cc390 100644 --- a/apps/web/src/app/core/event.service.ts +++ b/apps/web/src/app/core/event.service.ts @@ -342,9 +342,9 @@ export class EventService { ); break; case EventType.OrganizationUser_Deleted: - msg = this.i18nService.t("deletedUserId", this.formatOrgUserId(ev)); + msg = this.i18nService.t("deletedUserIdEventMessage", this.formatOrgUserId(ev)); humanReadableMsg = this.i18nService.t( - "deletedUserId", + "deletedUserIdEventMessage", this.getShortId(ev.organizationUserId), ); break; diff --git a/apps/web/src/locales/en/messages.json b/apps/web/src/locales/en/messages.json index 9c9ecc79721..5d7cbd7d479 100644 --- a/apps/web/src/locales/en/messages.json +++ b/apps/web/src/locales/en/messages.json @@ -10295,8 +10295,8 @@ "organizationUserDeletedDesc": { "message": "The user was removed from the organization and all associated user data has been deleted." }, - "deletedUserId": { - "message": "Deleted user $ID$ - an owner / admin deleted the user account", + "deletedUserIdEventMessage": { + "message": "Deleted user $ID$", "placeholders": { "id": { "content": "$1", From 319528c647ad7e57cbc6f505ab390500696223c0 Mon Sep 17 00:00:00 2001 From: Miles Blackwood Date: Tue, 22 Jul 2025 14:45:59 -0400 Subject: [PATCH 22/37] Only call activeAccount$ when activeAccountStatus$ is Unlocked. (#15626) --- .../background/auto-submit-login.background.ts | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/apps/browser/src/autofill/background/auto-submit-login.background.ts b/apps/browser/src/autofill/background/auto-submit-login.background.ts index dcafe21b63c..dfdfa0f4d67 100644 --- a/apps/browser/src/autofill/background/auto-submit-login.background.ts +++ b/apps/browser/src/autofill/background/auto-submit-login.background.ts @@ -1,12 +1,12 @@ // FIXME: Update this file to be type safe and remove this and next line // @ts-strict-ignore -import { firstValueFrom, switchMap } from "rxjs"; +import { filter, firstValueFrom, of, switchMap } from "rxjs"; import { PolicyService } from "@bitwarden/common/admin-console/abstractions/policy/policy.service.abstraction"; import { PolicyType } from "@bitwarden/common/admin-console/enums"; import { Policy } from "@bitwarden/common/admin-console/models/domain/policy"; import { getFirstPolicy } from "@bitwarden/common/admin-console/services/policy/default-policy.service"; -import { AccountService } from "@bitwarden/common/auth/abstractions/account.service"; +import { Account, AccountService } from "@bitwarden/common/auth/abstractions/account.service"; import { AuthService } from "@bitwarden/common/auth/abstractions/auth.service"; import { AuthenticationStatus } from "@bitwarden/common/auth/enums/authentication-status"; import { getUserId } from "@bitwarden/common/auth/services/account.service"; @@ -51,9 +51,14 @@ export class AutoSubmitLoginBackground implements AutoSubmitLoginBackgroundAbstr * Initializes the auto-submit login policy. If the policy is not enabled, it * will trigger a removal of any established listeners. */ + async init() { - this.accountService.activeAccount$ + this.authService.activeAccountStatus$ .pipe( + switchMap((value) => + value === AuthenticationStatus.Unlocked ? this.accountService.activeAccount$ : of(null), + ), + filter((account): account is Account => account !== null), getUserId, switchMap((userId) => this.policyService.policiesByType$(PolicyType.AutomaticAppLogIn, userId), From 53aaa2c285261e706bb11914b9ce5b85b589d6b0 Mon Sep 17 00:00:00 2001 From: Robyn MacCallum Date: Tue, 22 Jul 2025 15:41:33 -0400 Subject: [PATCH 23/37] Update tsconfig and package json (#15636) --- .../package-lock.json | 16 ++++++++++++++++ .../native-messaging-test-runner/package.json | 6 +++++- .../native-messaging-test-runner/tsconfig.json | 12 ++++++++++-- 3 files changed, 31 insertions(+), 3 deletions(-) diff --git a/apps/desktop/native-messaging-test-runner/package-lock.json b/apps/desktop/native-messaging-test-runner/package-lock.json index 37b8cf96ff3..043393df58b 100644 --- a/apps/desktop/native-messaging-test-runner/package-lock.json +++ b/apps/desktop/native-messaging-test-runner/package-lock.json @@ -10,7 +10,9 @@ "license": "GPL-3.0", "dependencies": { "@bitwarden/common": "file:../../../libs/common", + "@bitwarden/logging": "dist/libs/logging/src", "@bitwarden/node": "file:../../../libs/node", + "@bitwarden/storage-core": "file:../../../libs/storage-core", "module-alias": "2.2.3", "ts-node": "10.9.2", "uuid": "11.1.0", @@ -31,14 +33,28 @@ "version": "0.0.0", "license": "GPL-3.0" }, + "../../../libs/storage-core": { + "name": "@bitwarden/storage-core", + "version": "0.0.1", + "license": "GPL-3.0" + }, + "dist/libs/logging/src": {}, "node_modules/@bitwarden/common": { "resolved": "../../../libs/common", "link": true }, + "node_modules/@bitwarden/logging": { + "resolved": "dist/libs/logging/src", + "link": true + }, "node_modules/@bitwarden/node": { "resolved": "../../../libs/node", "link": true }, + "node_modules/@bitwarden/storage-core": { + "resolved": "../../../libs/storage-core", + "link": true + }, "node_modules/@cspotcode/source-map-support": { "version": "0.8.1", "resolved": "https://registry.npmjs.org/@cspotcode/source-map-support/-/source-map-support-0.8.1.tgz", diff --git a/apps/desktop/native-messaging-test-runner/package.json b/apps/desktop/native-messaging-test-runner/package.json index ea6b1b3e7a8..56e3e4edcf8 100644 --- a/apps/desktop/native-messaging-test-runner/package.json +++ b/apps/desktop/native-messaging-test-runner/package.json @@ -16,6 +16,8 @@ "dependencies": { "@bitwarden/common": "file:../../../libs/common", "@bitwarden/node": "file:../../../libs/node", + "@bitwarden/storage-core": "file:../../../libs/storage-core", + "@bitwarden/logging": "dist/libs/logging/src", "module-alias": "2.2.3", "ts-node": "10.9.2", "uuid": "11.1.0", @@ -27,6 +29,8 @@ }, "_moduleAliases": { "@bitwarden/common": "dist/libs/common/src", - "@bitwarden/node/services/node-crypto-function.service": "dist/libs/node/src/services/node-crypto-function.service" + "@bitwarden/node/services/node-crypto-function.service": "dist/libs/node/src/services/node-crypto-function.service", + "@bitwarden/storage-core": "dist/libs/storage-core/src", + "@bitwarden/logging": "dist/libs/logging/src" } } diff --git a/apps/desktop/native-messaging-test-runner/tsconfig.json b/apps/desktop/native-messaging-test-runner/tsconfig.json index 608e5a3bf4c..dcdf992f986 100644 --- a/apps/desktop/native-messaging-test-runner/tsconfig.json +++ b/apps/desktop/native-messaging-test-runner/tsconfig.json @@ -1,6 +1,6 @@ { - "extends": "../tsconfig", "compilerOptions": { + "baseUrl": "./", "outDir": "dist", "target": "es6", "module": "CommonJS", @@ -10,7 +10,15 @@ "sourceMap": false, "declaration": false, "paths": { - "@src/*": ["src/*"] + "@src/*": ["src/*"], + "@bitwarden/user-core": ["../../../libs/user-core/src/index.ts"], + "@bitwarden/storage-core": ["../../../libs/storage-core/src/index.ts"], + "@bitwarden/logging": ["../../../libs/logging/src/index.ts"], + "@bitwarden/admin-console/*": ["../../../libs/admin-console/src/*"], + "@bitwarden/auth/*": ["../../../libs/auth/src/*"], + "@bitwarden/common/*": ["../../../libs/common/src/*"], + "@bitwarden/key-management": ["../../../libs/key-management/src/"], + "@bitwarden/node/*": ["../../../libs/node/src/*"] }, "plugins": [ { From c2bbb7c0312f27bb6a5455d43f693e0ae1918495 Mon Sep 17 00:00:00 2001 From: Oscar Hinton Date: Tue, 22 Jul 2025 21:59:42 +0200 Subject: [PATCH 24/37] Migrate vault abstract services to strict ts (#15731) --- .../src/vault/abstractions/deprecated-vault-filter.service.ts | 2 -- 1 file changed, 2 deletions(-) diff --git a/libs/angular/src/vault/abstractions/deprecated-vault-filter.service.ts b/libs/angular/src/vault/abstractions/deprecated-vault-filter.service.ts index 9a1a31b6068..30a4c6d4739 100644 --- a/libs/angular/src/vault/abstractions/deprecated-vault-filter.service.ts +++ b/libs/angular/src/vault/abstractions/deprecated-vault-filter.service.ts @@ -1,5 +1,3 @@ -// FIXME: Update this file to be type safe and remove this and next line -// @ts-strict-ignore import { Observable } from "rxjs"; // This import has been flagged as unallowed for this class. It may be involved in a circular dependency loop. From 54f0852f1a4c306fb5d087318ac429d7c3f10811 Mon Sep 17 00:00:00 2001 From: Oscar Hinton Date: Tue, 22 Jul 2025 22:00:07 +0200 Subject: [PATCH 25/37] Migrate auth abstract services to strict ts (#15732) --- .../set-password-jit.service.abstraction.ts | 4 +-- .../auth-request.service.abstraction.ts | 36 +++++++++---------- .../abstractions/login-strategy.service.ts | 26 +++++++------- 3 files changed, 30 insertions(+), 36 deletions(-) diff --git a/libs/auth/src/angular/set-password-jit/set-password-jit.service.abstraction.ts b/libs/auth/src/angular/set-password-jit/set-password-jit.service.abstraction.ts index da6e9368007..92db88868a2 100644 --- a/libs/auth/src/angular/set-password-jit/set-password-jit.service.abstraction.ts +++ b/libs/auth/src/angular/set-password-jit/set-password-jit.service.abstraction.ts @@ -1,5 +1,3 @@ -// FIXME: Update this file to be type safe and remove this and next line -// @ts-strict-ignore import { UserId } from "@bitwarden/common/types/guid"; import { MasterKey } from "@bitwarden/common/types/key"; import { KdfConfig } from "@bitwarden/key-management"; @@ -31,5 +29,5 @@ export abstract class SetPasswordJitService { * @throws If any property on the `credentials` object is null or undefined, or if a protectedUserKey * or newKeyPair could not be created. */ - setPassword: (credentials: SetPasswordCredentials) => Promise; + abstract setPassword(credentials: SetPasswordCredentials): Promise; } diff --git a/libs/auth/src/common/abstractions/auth-request.service.abstraction.ts b/libs/auth/src/common/abstractions/auth-request.service.abstraction.ts index 7e480c3a69c..9eea3fe7bb0 100644 --- a/libs/auth/src/common/abstractions/auth-request.service.abstraction.ts +++ b/libs/auth/src/common/abstractions/auth-request.service.abstraction.ts @@ -1,5 +1,3 @@ -// FIXME: Update this file to be type safe and remove this and next line -// @ts-strict-ignore import { Observable } from "rxjs"; import { AdminAuthRequestStorable } from "@bitwarden/common/auth/models/domain/admin-auth-req-storable"; @@ -10,20 +8,20 @@ import { UserKey, MasterKey } from "@bitwarden/common/types/key"; export abstract class AuthRequestServiceAbstraction { /** Emits an auth request id when an auth request has been approved. */ - authRequestPushNotification$: Observable; + abstract authRequestPushNotification$: Observable; /** * Emits when a login has been approved by an admin. This emission is specifically for the * purpose of notifying the consuming component to display a toast informing the user. */ - adminLoginApproved$: Observable; + abstract adminLoginApproved$: Observable; /** * Returns an admin auth request for the given user if it exists. * @param userId The user id. * @throws If `userId` is not provided. */ - abstract getAdminAuthRequest: (userId: UserId) => Promise; + abstract getAdminAuthRequest(userId: UserId): Promise; /** * Sets an admin auth request for the given user. * Note: use {@link clearAdminAuthRequest} to clear the request. @@ -31,16 +29,16 @@ export abstract class AuthRequestServiceAbstraction { * @param userId The user id. * @throws If `authRequest` or `userId` is not provided. */ - abstract setAdminAuthRequest: ( + abstract setAdminAuthRequest( authRequest: AdminAuthRequestStorable, userId: UserId, - ) => Promise; + ): Promise; /** * Clears an admin auth request for the given user. * @param userId The user id. * @throws If `userId` is not provided. */ - abstract clearAdminAuthRequest: (userId: UserId) => Promise; + abstract clearAdminAuthRequest(userId: UserId): Promise; /** * Gets a list of standard pending auth requests for the user. * @returns An observable of an array of auth request. @@ -61,42 +59,42 @@ export abstract class AuthRequestServiceAbstraction { * approval was successful. * @throws If the auth request is missing an id or key. */ - abstract approveOrDenyAuthRequest: ( + abstract approveOrDenyAuthRequest( approve: boolean, authRequest: AuthRequestResponse, - ) => Promise; + ): Promise; /** * Sets the `UserKey` from an auth request. Auth request must have a `UserKey`. * @param authReqResponse The auth request. * @param authReqPrivateKey The private key corresponding to the public key sent in the auth request. * @param userId The ID of the user for whose account we will set the key. */ - abstract setUserKeyAfterDecryptingSharedUserKey: ( + abstract setUserKeyAfterDecryptingSharedUserKey( authReqResponse: AuthRequestResponse, authReqPrivateKey: ArrayBuffer, userId: UserId, - ) => Promise; + ): Promise; /** * Sets the `MasterKey` and `MasterKeyHash` from an auth request. Auth request must have a `MasterKey` and `MasterKeyHash`. * @param authReqResponse The auth request. * @param authReqPrivateKey The private key corresponding to the public key sent in the auth request. * @param userId The ID of the user for whose account we will set the keys. */ - abstract setKeysAfterDecryptingSharedMasterKeyAndHash: ( + abstract setKeysAfterDecryptingSharedMasterKeyAndHash( authReqResponse: AuthRequestResponse, authReqPrivateKey: ArrayBuffer, userId: UserId, - ) => Promise; + ): Promise; /** * Decrypts a `UserKey` from a public key encrypted `UserKey`. * @param pubKeyEncryptedUserKey The public key encrypted `UserKey`. * @param privateKey The private key corresponding to the public key used to encrypt the `UserKey`. * @returns The decrypted `UserKey`. */ - abstract decryptPubKeyEncryptedUserKey: ( + abstract decryptPubKeyEncryptedUserKey( pubKeyEncryptedUserKey: string, privateKey: ArrayBuffer, - ) => Promise; + ): Promise; /** * Decrypts a `MasterKey` and `MasterKeyHash` from a public key encrypted `MasterKey` and `MasterKeyHash`. * @param pubKeyEncryptedMasterKey The public key encrypted `MasterKey`. @@ -104,18 +102,18 @@ export abstract class AuthRequestServiceAbstraction { * @param privateKey The private key corresponding to the public key used to encrypt the `MasterKey` and `MasterKeyHash`. * @returns The decrypted `MasterKey` and `MasterKeyHash`. */ - abstract decryptPubKeyEncryptedMasterKeyAndHash: ( + abstract decryptPubKeyEncryptedMasterKeyAndHash( pubKeyEncryptedMasterKey: string, pubKeyEncryptedMasterKeyHash: string, privateKey: ArrayBuffer, - ) => Promise<{ masterKey: MasterKey; masterKeyHash: string }>; + ): Promise<{ masterKey: MasterKey; masterKeyHash: string }>; /** * Handles incoming auth request push notifications. * @param notification push notification. * @remark We should only be receiving approved push notifications to prevent enumeration. */ - abstract sendAuthRequestPushNotification: (notification: AuthRequestPushNotification) => void; + abstract sendAuthRequestPushNotification(notification: AuthRequestPushNotification): void; /** * Creates a dash-delimited fingerprint for use in confirming the `AuthRequest` between the requesting and approving device. diff --git a/libs/auth/src/common/abstractions/login-strategy.service.ts b/libs/auth/src/common/abstractions/login-strategy.service.ts index b0fffae2ab4..64854393240 100644 --- a/libs/auth/src/common/abstractions/login-strategy.service.ts +++ b/libs/auth/src/common/abstractions/login-strategy.service.ts @@ -1,5 +1,3 @@ -// FIXME: Update this file to be type safe and remove this and next line -// @ts-strict-ignore import { Observable } from "rxjs"; import { AuthenticationType } from "@bitwarden/common/auth/enums/authentication-type"; @@ -20,60 +18,60 @@ export abstract class LoginStrategyServiceAbstraction { * The current strategy being used to authenticate. * Emits null if the session has timed out. */ - currentAuthType$: Observable; + abstract currentAuthType$: Observable; /** * If the login strategy uses the email address of the user, this * will return it. Otherwise, it will return null. */ - getEmail: () => Promise; + abstract getEmail(): Promise; /** * If the user is logging in with a master password, this will return * the master password hash. Otherwise, it will return null. */ - getMasterPasswordHash: () => Promise; + abstract getMasterPasswordHash(): Promise; /** * If the user is logging in with SSO, this will return * the email auth token. Otherwise, it will return null. * @see {@link SsoLoginStrategyData.ssoEmail2FaSessionToken} */ - getSsoEmail2FaSessionToken: () => Promise; + abstract getSsoEmail2FaSessionToken(): Promise; /** * Returns the access code if the user is logging in with an * Auth Request. Otherwise, it will return null. */ - getAccessCode: () => Promise; + abstract getAccessCode(): Promise; /** * Returns the auth request ID if the user is logging in with an * Auth Request. Otherwise, it will return null. */ - getAuthRequestId: () => Promise; + abstract getAuthRequestId(): Promise; /** * Sends a token request to the server using the provided credentials. */ - logIn: ( + abstract logIn( credentials: | UserApiLoginCredentials | PasswordLoginCredentials | SsoLoginCredentials | AuthRequestLoginCredentials | WebAuthnLoginCredentials, - ) => Promise; + ): Promise; /** * Sends a token request to the server with the provided two factor token. * This uses data stored from {@link LoginStrategyServiceAbstraction.logIn}, so that must be called first. * Returns an error if no session data is found. */ - logInTwoFactor: (twoFactor: TokenTwoFactorRequest) => Promise; + abstract logInTwoFactor(twoFactor: TokenTwoFactorRequest): Promise; /** * Creates a master key from the provided master password and email. */ - makePreloginKey: (masterPassword: string, email: string) => Promise; + abstract makePreloginKey(masterPassword: string, email: string): Promise; /** * Emits true if the authentication session has expired. */ - authenticationSessionTimeout$: Observable; + abstract get authenticationSessionTimeout$(): Observable; /** * Sends a token request to the server with the provided device verification OTP. */ - logInNewDeviceVerification: (deviceVerificationOtp: string) => Promise; + abstract logInNewDeviceVerification(deviceVerificationOtp: string): Promise; } From c37965174b4288789f06ff9be425da70c6d92e86 Mon Sep 17 00:00:00 2001 From: Oscar Hinton Date: Tue, 22 Jul 2025 22:00:24 +0200 Subject: [PATCH 26/37] Migrate platform owned abstract service to strict ts (#15734) --- .../fido2-active-request-manager.abstraction.ts | 14 ++++++-------- 1 file changed, 6 insertions(+), 8 deletions(-) diff --git a/libs/common/src/platform/abstractions/fido2/fido2-active-request-manager.abstraction.ts b/libs/common/src/platform/abstractions/fido2/fido2-active-request-manager.abstraction.ts index ffb78d51bd3..390a6f4e5bd 100644 --- a/libs/common/src/platform/abstractions/fido2/fido2-active-request-manager.abstraction.ts +++ b/libs/common/src/platform/abstractions/fido2/fido2-active-request-manager.abstraction.ts @@ -1,5 +1,3 @@ -// FIXME: Update this file to be type safe and remove this and next line -// @ts-strict-ignore import { Observable, Subject } from "rxjs"; import { Fido2CredentialView } from "../../../vault/models/view/fido2-credential.view"; @@ -25,13 +23,13 @@ export interface ActiveRequest { export type RequestCollection = Readonly<{ [tabId: number]: ActiveRequest }>; export abstract class Fido2ActiveRequestManager { - getActiveRequest$: (tabId: number) => Observable; - getActiveRequest: (tabId: number) => ActiveRequest | undefined; - newActiveRequest: ( + abstract getActiveRequest$(tabId: number): Observable; + abstract getActiveRequest(tabId: number): ActiveRequest | undefined; + abstract newActiveRequest( tabId: number, credentials: Fido2CredentialView[], abortController: AbortController, - ) => Promise; - removeActiveRequest: (tabId: number) => void; - removeAllActiveRequests: () => void; + ): Promise; + abstract removeActiveRequest(tabId: number): void; + abstract removeAllActiveRequests(): void; } From 643d0c9a4c8eeafb36bd103e9ff84cfae2cb6c23 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Tue, 22 Jul 2025 15:56:08 -0700 Subject: [PATCH 27/37] [deps] Vault: Update form-data to v4.0.4 [SECURITY] (#15712) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- apps/cli/package.json | 2 +- package-lock.json | 12 +++++++----- package.json | 2 +- 3 files changed, 9 insertions(+), 7 deletions(-) diff --git a/apps/cli/package.json b/apps/cli/package.json index 54855d72104..0d3c151f012 100644 --- a/apps/cli/package.json +++ b/apps/cli/package.json @@ -70,7 +70,7 @@ "chalk": "4.1.2", "commander": "11.1.0", "core-js": "3.44.0", - "form-data": "4.0.2", + "form-data": "4.0.4", "https-proxy-agent": "7.0.6", "inquirer": "8.2.6", "jsdom": "26.1.0", diff --git a/package-lock.json b/package-lock.json index fbbc4c25b44..85bd2a0efb0 100644 --- a/package-lock.json +++ b/package-lock.json @@ -43,7 +43,7 @@ "chalk": "4.1.2", "commander": "11.1.0", "core-js": "3.44.0", - "form-data": "4.0.2", + "form-data": "4.0.4", "https-proxy-agent": "7.0.6", "inquirer": "8.2.6", "jsdom": "26.1.0", @@ -206,7 +206,7 @@ "chalk": "4.1.2", "commander": "11.1.0", "core-js": "3.44.0", - "form-data": "4.0.2", + "form-data": "4.0.4", "https-proxy-agent": "7.0.6", "inquirer": "8.2.6", "jsdom": "26.1.0", @@ -358,6 +358,7 @@ "license": "GPL-3.0" }, "libs/messaging-internal": { + "name": "@bitwarden/messaging-internal", "version": "0.0.1", "license": "GPL-3.0" }, @@ -21194,14 +21195,15 @@ } }, "node_modules/form-data": { - "version": "4.0.2", - "resolved": "https://registry.npmjs.org/form-data/-/form-data-4.0.2.tgz", - "integrity": "sha512-hGfm/slu0ZabnNt4oaRZ6uREyfCj6P4fT/n6A1rGV+Z0VdGXjfOhVUpkn6qVQONHGIFwmveGXyDs75+nr6FM8w==", + "version": "4.0.4", + "resolved": "https://registry.npmjs.org/form-data/-/form-data-4.0.4.tgz", + "integrity": "sha512-KrGhL9Q4zjj0kiUt5OO4Mr/A/jlI2jDYs5eHBpYHPcBEVSiipAvn2Ko2HnPe20rmcuuvMHNdZFp+4IlGTMF0Ow==", "license": "MIT", "dependencies": { "asynckit": "^0.4.0", "combined-stream": "^1.0.8", "es-set-tostringtag": "^2.1.0", + "hasown": "^2.0.2", "mime-types": "^2.1.12" }, "engines": { diff --git a/package.json b/package.json index 2cb60a6afd1..bcf4f326531 100644 --- a/package.json +++ b/package.json @@ -178,7 +178,7 @@ "chalk": "4.1.2", "commander": "11.1.0", "core-js": "3.44.0", - "form-data": "4.0.2", + "form-data": "4.0.4", "https-proxy-agent": "7.0.6", "inquirer": "8.2.6", "jsdom": "26.1.0", From 2f47add6f157db355603c072fbde9cd4881b4ad0 Mon Sep 17 00:00:00 2001 From: Nick Krantz <125900171+nick-livefront@users.noreply.github.com> Date: Tue, 22 Jul 2025 19:08:09 -0500 Subject: [PATCH 28/37] [PM-23596] Redirect to `/setup-extension` (#15641) * remove current redirection from auth code * update timeouts of the web browser interaction * add guard for setup-extension page * decrease timeout to 25ms * avoid redirection for mobile users + add tests * add tests * condense variables * catch error from profile fetch --------- Co-authored-by: Shane Melton --- .../web-registration-finish.service.spec.ts | 22 --- .../web-registration-finish.service.ts | 15 -- apps/web/src/app/core/core.module.ts | 1 - apps/web/src/app/oss-routing.module.ts | 2 + .../add-extension-later-dialog.component.html | 8 +- ...d-extension-later-dialog.component.spec.ts | 14 ++ .../add-extension-later-dialog.component.ts | 17 ++- .../setup-extension.component.spec.ts | 16 +++ .../setup-extension.component.ts | 30 +++- .../setup-extension-redirect.guard.spec.ts | 132 ++++++++++++++++++ .../guards/setup-extension-redirect.guard.ts | 109 +++++++++++++++ .../web-browser-interaction.service.spec.ts | 6 +- .../web-browser-interaction.service.ts | 17 ++- .../default-registration-finish.service.ts | 4 - .../registration-finish.component.ts | 3 +- .../registration-finish.service.ts | 5 - .../src/platform/state/state-definitions.ts | 7 + 17 files changed, 347 insertions(+), 61 deletions(-) create mode 100644 apps/web/src/app/vault/guards/setup-extension-redirect.guard.spec.ts create mode 100644 apps/web/src/app/vault/guards/setup-extension-redirect.guard.ts diff --git a/apps/web/src/app/auth/core/services/registration/web-registration-finish.service.spec.ts b/apps/web/src/app/auth/core/services/registration/web-registration-finish.service.spec.ts index 69a2f27a322..845df89622b 100644 --- a/apps/web/src/app/auth/core/services/registration/web-registration-finish.service.spec.ts +++ b/apps/web/src/app/auth/core/services/registration/web-registration-finish.service.spec.ts @@ -12,7 +12,6 @@ import { AccountApiService } from "@bitwarden/common/auth/abstractions/account-a import { OrganizationInvite } from "@bitwarden/common/auth/services/organization-invite/organization-invite"; import { OrganizationInviteService } from "@bitwarden/common/auth/services/organization-invite/organization-invite.service"; import { EncString } from "@bitwarden/common/key-management/crypto/models/enc-string"; -import { ConfigService } from "@bitwarden/common/platform/abstractions/config/config.service"; import { LogService } from "@bitwarden/common/platform/abstractions/log.service"; import { SymmetricCryptoKey } from "@bitwarden/common/platform/models/domain/symmetric-crypto-key"; import { CsprngArray } from "@bitwarden/common/types/csprng"; @@ -30,7 +29,6 @@ describe("WebRegistrationFinishService", () => { let policyApiService: MockProxy; let logService: MockProxy; let policyService: MockProxy; - let configService: MockProxy; beforeEach(() => { keyService = mock(); @@ -39,7 +37,6 @@ describe("WebRegistrationFinishService", () => { policyApiService = mock(); logService = mock(); policyService = mock(); - configService = mock(); service = new WebRegistrationFinishService( keyService, @@ -48,7 +45,6 @@ describe("WebRegistrationFinishService", () => { policyApiService, logService, policyService, - configService, ); }); @@ -414,22 +410,4 @@ describe("WebRegistrationFinishService", () => { ); }); }); - - describe("determineLoginSuccessRoute", () => { - it("returns /setup-extension when the end user activation feature flag is enabled", async () => { - configService.getFeatureFlag.mockResolvedValue(true); - - const result = await service.determineLoginSuccessRoute(); - - expect(result).toBe("/setup-extension"); - }); - - it("returns /vault when the end user activation feature flag is disabled", async () => { - configService.getFeatureFlag.mockResolvedValue(false); - - const result = await service.determineLoginSuccessRoute(); - - expect(result).toBe("/vault"); - }); - }); }); diff --git a/apps/web/src/app/auth/core/services/registration/web-registration-finish.service.ts b/apps/web/src/app/auth/core/services/registration/web-registration-finish.service.ts index a3774e87db8..a9eba08be8c 100644 --- a/apps/web/src/app/auth/core/services/registration/web-registration-finish.service.ts +++ b/apps/web/src/app/auth/core/services/registration/web-registration-finish.service.ts @@ -14,12 +14,10 @@ import { Policy } from "@bitwarden/common/admin-console/models/domain/policy"; import { AccountApiService } from "@bitwarden/common/auth/abstractions/account-api.service"; import { RegisterFinishRequest } from "@bitwarden/common/auth/models/request/registration/register-finish.request"; import { OrganizationInviteService } from "@bitwarden/common/auth/services/organization-invite/organization-invite.service"; -import { FeatureFlag } from "@bitwarden/common/enums/feature-flag.enum"; import { EncryptedString, EncString, } from "@bitwarden/common/key-management/crypto/models/enc-string"; -import { ConfigService } from "@bitwarden/common/platform/abstractions/config/config.service"; import { LogService } from "@bitwarden/common/platform/abstractions/log.service"; import { KeyService } from "@bitwarden/key-management"; @@ -34,7 +32,6 @@ export class WebRegistrationFinishService private policyApiService: PolicyApiServiceAbstraction, private logService: LogService, private policyService: PolicyService, - private configService: ConfigService, ) { super(keyService, accountApiService); } @@ -79,18 +76,6 @@ export class WebRegistrationFinishService return masterPasswordPolicyOpts; } - override async determineLoginSuccessRoute(): Promise { - const endUserActivationFlagEnabled = await this.configService.getFeatureFlag( - FeatureFlag.PM19315EndUserActivationMvp, - ); - - if (endUserActivationFlagEnabled) { - return "/setup-extension"; - } else { - return super.determineLoginSuccessRoute(); - } - } - // Note: the org invite token and email verification are mutually exclusive. Only one will be present. override async buildRegisterRequest( email: string, diff --git a/apps/web/src/app/core/core.module.ts b/apps/web/src/app/core/core.module.ts index d98a2ee8cf2..7fe8ef4c79f 100644 --- a/apps/web/src/app/core/core.module.ts +++ b/apps/web/src/app/core/core.module.ts @@ -264,7 +264,6 @@ const safeProviders: SafeProvider[] = [ PolicyApiServiceAbstraction, LogService, PolicyService, - ConfigService, ], }), safeProvider({ diff --git a/apps/web/src/app/oss-routing.module.ts b/apps/web/src/app/oss-routing.module.ts index 8a2270113a9..1fb19757d60 100644 --- a/apps/web/src/app/oss-routing.module.ts +++ b/apps/web/src/app/oss-routing.module.ts @@ -83,6 +83,7 @@ import { SendComponent } from "./tools/send/send.component"; import { BrowserExtensionPromptInstallComponent } from "./vault/components/browser-extension-prompt/browser-extension-prompt-install.component"; import { BrowserExtensionPromptComponent } from "./vault/components/browser-extension-prompt/browser-extension-prompt.component"; import { SetupExtensionComponent } from "./vault/components/setup-extension/setup-extension.component"; +import { setupExtensionRedirectGuard } from "./vault/guards/setup-extension-redirect.guard"; import { VaultModule } from "./vault/individual-vault/vault.module"; const routes: Routes = [ @@ -628,6 +629,7 @@ const routes: Routes = [ children: [ { path: "vault", + canActivate: [setupExtensionRedirectGuard], loadChildren: () => VaultModule, }, { diff --git a/apps/web/src/app/vault/components/setup-extension/add-extension-later-dialog.component.html b/apps/web/src/app/vault/components/setup-extension/add-extension-later-dialog.component.html index df1786e227e..560bd5fd464 100644 --- a/apps/web/src/app/vault/components/setup-extension/add-extension-later-dialog.component.html +++ b/apps/web/src/app/vault/components/setup-extension/add-extension-later-dialog.component.html @@ -18,7 +18,13 @@ > {{ "getTheExtension" | i18n }} - + {{ "skipToWebApp" | i18n }} diff --git a/apps/web/src/app/vault/components/setup-extension/add-extension-later-dialog.component.spec.ts b/apps/web/src/app/vault/components/setup-extension/add-extension-later-dialog.component.spec.ts index d34dba737dd..a5d5ec4b939 100644 --- a/apps/web/src/app/vault/components/setup-extension/add-extension-later-dialog.component.spec.ts +++ b/apps/web/src/app/vault/components/setup-extension/add-extension-later-dialog.component.spec.ts @@ -1,3 +1,4 @@ +import { DialogRef } from "@angular/cdk/dialog"; import { ComponentFixture, TestBed } from "@angular/core/testing"; import { By } from "@angular/platform-browser"; import { provideNoopAnimations } from "@angular/platform-browser/animations"; @@ -5,20 +6,26 @@ import { RouterModule } from "@angular/router"; import { I18nService } from "@bitwarden/common/platform/abstractions/i18n.service"; import { PlatformUtilsService } from "@bitwarden/common/platform/abstractions/platform-utils.service"; +import { DIALOG_DATA } from "@bitwarden/components"; import { AddExtensionLaterDialogComponent } from "./add-extension-later-dialog.component"; describe("AddExtensionLaterDialogComponent", () => { let fixture: ComponentFixture; const getDevice = jest.fn().mockReturnValue(null); + const onDismiss = jest.fn(); beforeEach(async () => { + onDismiss.mockClear(); + await TestBed.configureTestingModule({ imports: [AddExtensionLaterDialogComponent, RouterModule.forRoot([])], providers: [ provideNoopAnimations(), { provide: PlatformUtilsService, useValue: { getDevice } }, { provide: I18nService, useValue: { t: (key: string) => key } }, + { provide: DialogRef, useValue: { close: jest.fn() } }, + { provide: DIALOG_DATA, useValue: { onDismiss } }, ], }).compileComponents(); @@ -39,4 +46,11 @@ describe("AddExtensionLaterDialogComponent", () => { expect(skipLink.attributes.href).toBe("/vault"); }); + + it('invokes `onDismiss` when "Skip to Web App" is clicked', () => { + const skipLink = fixture.debugElement.queryAll(By.css("a[bitButton]"))[1]; + skipLink.triggerEventHandler("click", {}); + + expect(onDismiss).toHaveBeenCalled(); + }); }); diff --git a/apps/web/src/app/vault/components/setup-extension/add-extension-later-dialog.component.ts b/apps/web/src/app/vault/components/setup-extension/add-extension-later-dialog.component.ts index 3324cb8b1b0..5f4e3f586f5 100644 --- a/apps/web/src/app/vault/components/setup-extension/add-extension-later-dialog.component.ts +++ b/apps/web/src/app/vault/components/setup-extension/add-extension-later-dialog.component.ts @@ -4,7 +4,17 @@ import { RouterModule } from "@angular/router"; import { JslibModule } from "@bitwarden/angular/jslib.module"; import { PlatformUtilsService } from "@bitwarden/common/platform/abstractions/platform-utils.service"; import { getWebStoreUrl } from "@bitwarden/common/vault/utils/get-web-store-url"; -import { ButtonComponent, DialogModule, TypographyModule } from "@bitwarden/components"; +import { + ButtonComponent, + DIALOG_DATA, + DialogModule, + TypographyModule, +} from "@bitwarden/components"; + +export type AddExtensionLaterDialogData = { + /** Method invoked when the dialog is dismissed */ + onDismiss: () => void; +}; @Component({ selector: "vault-add-extension-later-dialog", @@ -13,6 +23,7 @@ import { ButtonComponent, DialogModule, TypographyModule } from "@bitwarden/comp }) export class AddExtensionLaterDialogComponent implements OnInit { private platformUtilsService = inject(PlatformUtilsService); + private data: AddExtensionLaterDialogData = inject(DIALOG_DATA); /** Download Url for the extension based on the browser */ protected webStoreUrl: string = ""; @@ -20,4 +31,8 @@ export class AddExtensionLaterDialogComponent implements OnInit { ngOnInit(): void { this.webStoreUrl = getWebStoreUrl(this.platformUtilsService.getDevice()); } + + async dismissExtensionPage() { + this.data.onDismiss(); + } } diff --git a/apps/web/src/app/vault/components/setup-extension/setup-extension.component.spec.ts b/apps/web/src/app/vault/components/setup-extension/setup-extension.component.spec.ts index 752e2c8d4a6..e824cd92f37 100644 --- a/apps/web/src/app/vault/components/setup-extension/setup-extension.component.spec.ts +++ b/apps/web/src/app/vault/components/setup-extension/setup-extension.component.spec.ts @@ -3,12 +3,14 @@ import { By } from "@angular/platform-browser"; import { Router, RouterModule } from "@angular/router"; import { BehaviorSubject } from "rxjs"; +import { AccountService } from "@bitwarden/common/auth/abstractions/account.service"; import { DeviceType } from "@bitwarden/common/enums"; import { FeatureFlag } from "@bitwarden/common/enums/feature-flag.enum"; import { ConfigService } from "@bitwarden/common/platform/abstractions/config/config.service"; import { I18nService } from "@bitwarden/common/platform/abstractions/i18n.service"; import { PlatformUtilsService } from "@bitwarden/common/platform/abstractions/platform-utils.service"; import { Utils } from "@bitwarden/common/platform/misc/utils"; +import { StateProvider } from "@bitwarden/common/platform/state"; import { WebBrowserInteractionService } from "../../services/web-browser-interaction.service"; @@ -21,11 +23,13 @@ describe("SetupExtensionComponent", () => { const getFeatureFlag = jest.fn().mockResolvedValue(false); const navigate = jest.fn().mockResolvedValue(true); const openExtension = jest.fn().mockResolvedValue(true); + const update = jest.fn().mockResolvedValue(true); const extensionInstalled$ = new BehaviorSubject(null); beforeEach(async () => { navigate.mockClear(); openExtension.mockClear(); + update.mockClear(); getFeatureFlag.mockClear().mockResolvedValue(true); window.matchMedia = jest.fn().mockReturnValue(false); @@ -36,6 +40,14 @@ describe("SetupExtensionComponent", () => { { provide: ConfigService, useValue: { getFeatureFlag } }, { provide: WebBrowserInteractionService, useValue: { extensionInstalled$, openExtension } }, { provide: PlatformUtilsService, useValue: { getDevice: () => DeviceType.UnknownBrowser } }, + { + provide: AccountService, + useValue: { activeAccount$: new BehaviorSubject({ account: { id: "account-id" } }) }, + }, + { + provide: StateProvider, + useValue: { getUser: () => ({ update }) }, + }, ], }).compileComponents(); @@ -120,6 +132,10 @@ describe("SetupExtensionComponent", () => { expect(openExtension).toHaveBeenCalled(); }); + + it("dismisses the extension page", () => { + expect(update).toHaveBeenCalledTimes(1); + }); }); }); }); diff --git a/apps/web/src/app/vault/components/setup-extension/setup-extension.component.ts b/apps/web/src/app/vault/components/setup-extension/setup-extension.component.ts index 9ee8e189627..14770ca5d6c 100644 --- a/apps/web/src/app/vault/components/setup-extension/setup-extension.component.ts +++ b/apps/web/src/app/vault/components/setup-extension/setup-extension.component.ts @@ -2,13 +2,16 @@ import { DOCUMENT, NgIf } from "@angular/common"; import { Component, DestroyRef, inject, OnDestroy, OnInit } from "@angular/core"; import { takeUntilDestroyed } from "@angular/core/rxjs-interop"; import { Router, RouterModule } from "@angular/router"; -import { pairwise, startWith } from "rxjs"; +import { firstValueFrom, pairwise, startWith } from "rxjs"; import { JslibModule } from "@bitwarden/angular/jslib.module"; +import { AccountService } from "@bitwarden/common/auth/abstractions/account.service"; +import { getUserId } from "@bitwarden/common/auth/services/account.service"; import { FeatureFlag } from "@bitwarden/common/enums/feature-flag.enum"; import { ConfigService } from "@bitwarden/common/platform/abstractions/config/config.service"; import { PlatformUtilsService } from "@bitwarden/common/platform/abstractions/platform-utils.service"; import { Utils } from "@bitwarden/common/platform/misc/utils"; +import { StateProvider } from "@bitwarden/common/platform/state"; import { UnionOfValues } from "@bitwarden/common/vault/types/union-of-values"; import { getWebStoreUrl } from "@bitwarden/common/vault/utils/get-web-store-url"; import { @@ -20,9 +23,13 @@ import { } from "@bitwarden/components"; import { VaultIcons } from "@bitwarden/vault"; +import { SETUP_EXTENSION_DISMISSED } from "../../guards/setup-extension-redirect.guard"; import { WebBrowserInteractionService } from "../../services/web-browser-interaction.service"; -import { AddExtensionLaterDialogComponent } from "./add-extension-later-dialog.component"; +import { + AddExtensionLaterDialogComponent, + AddExtensionLaterDialogData, +} from "./add-extension-later-dialog.component"; import { AddExtensionVideosComponent } from "./add-extension-videos.component"; const SetupExtensionState = { @@ -53,6 +60,8 @@ export class SetupExtensionComponent implements OnInit, OnDestroy { private destroyRef = inject(DestroyRef); private platformUtilsService = inject(PlatformUtilsService); private dialogService = inject(DialogService); + private stateProvider = inject(StateProvider); + private accountService = inject(AccountService); private document = inject(DOCUMENT); protected SetupExtensionState = SetupExtensionState; @@ -96,6 +105,7 @@ export class SetupExtensionComponent implements OnInit, OnDestroy { // Extension was not installed and now it is, show success state if (previousState === false && currentState) { this.dialogRef?.close(); + void this.dismissExtensionPage(); this.state = SetupExtensionState.Success; } @@ -125,17 +135,31 @@ export class SetupExtensionComponent implements OnInit, OnDestroy { const isMobile = Utils.isMobileBrowser; if (!isFeatureEnabled || isMobile) { + await this.dismissExtensionPage(); await this.router.navigate(["/vault"]); } } /** Opens the add extension later dialog */ addItLater() { - this.dialogRef = this.dialogService.open(AddExtensionLaterDialogComponent); + this.dialogRef = this.dialogService.open( + AddExtensionLaterDialogComponent, + { + data: { + onDismiss: this.dismissExtensionPage.bind(this), + }, + }, + ); } /** Opens the browser extension */ openExtension() { void this.webBrowserExtensionInteractionService.openExtension(); } + + /** Update local state to never show this page again. */ + private async dismissExtensionPage() { + const accountId = await firstValueFrom(this.accountService.activeAccount$.pipe(getUserId)); + void this.stateProvider.getUser(accountId, SETUP_EXTENSION_DISMISSED).update(() => true); + } } diff --git a/apps/web/src/app/vault/guards/setup-extension-redirect.guard.spec.ts b/apps/web/src/app/vault/guards/setup-extension-redirect.guard.spec.ts new file mode 100644 index 00000000000..e6fc03fd844 --- /dev/null +++ b/apps/web/src/app/vault/guards/setup-extension-redirect.guard.spec.ts @@ -0,0 +1,132 @@ +import { TestBed } from "@angular/core/testing"; +import { ActivatedRouteSnapshot, Router, RouterStateSnapshot } from "@angular/router"; +import { BehaviorSubject } from "rxjs"; + +import { VaultProfileService } from "@bitwarden/angular/vault/services/vault-profile.service"; +import { Account, AccountService } from "@bitwarden/common/auth/abstractions/account.service"; +import { FeatureFlag } from "@bitwarden/common/enums/feature-flag.enum"; +import { ConfigService } from "@bitwarden/common/platform/abstractions/config/config.service"; +import { Utils } from "@bitwarden/common/platform/misc/utils"; +import { StateProvider } from "@bitwarden/common/platform/state"; + +import { WebBrowserInteractionService } from "../services/web-browser-interaction.service"; + +import { setupExtensionRedirectGuard } from "./setup-extension-redirect.guard"; + +describe("setupExtensionRedirectGuard", () => { + const _state = Object.freeze({}) as RouterStateSnapshot; + const emptyRoute = Object.freeze({ queryParams: {} }) as ActivatedRouteSnapshot; + const seventeenDaysAgo = new Date(); + seventeenDaysAgo.setDate(seventeenDaysAgo.getDate() - 17); + + const account = { + id: "account-id", + } as unknown as Account; + + const activeAccount$ = new BehaviorSubject(account); + const extensionInstalled$ = new BehaviorSubject(false); + const state$ = new BehaviorSubject(false); + const createUrlTree = jest.fn(); + const getFeatureFlag = jest.fn().mockImplementation((key) => { + if (key === FeatureFlag.PM19315EndUserActivationMvp) { + return Promise.resolve(true); + } + + return Promise.resolve(false); + }); + const getProfileCreationDate = jest.fn().mockResolvedValue(seventeenDaysAgo); + + beforeEach(() => { + Utils.isMobileBrowser = false; + + getFeatureFlag.mockClear(); + getProfileCreationDate.mockClear(); + createUrlTree.mockClear(); + + TestBed.configureTestingModule({ + providers: [ + { provide: Router, useValue: { createUrlTree } }, + { provide: ConfigService, useValue: { getFeatureFlag } }, + { provide: AccountService, useValue: { activeAccount$ } }, + { provide: StateProvider, useValue: { getUser: () => ({ state$ }) } }, + { provide: WebBrowserInteractionService, useValue: { extensionInstalled$ } }, + { + provide: VaultProfileService, + useValue: { getProfileCreationDate }, + }, + ], + }); + }); + + function setupExtensionGuard(route?: ActivatedRouteSnapshot) { + // Run the guard within injection context so `inject` works as you'd expect + // Pass state object to make TypeScript happy + return TestBed.runInInjectionContext(async () => + setupExtensionRedirectGuard(route ?? emptyRoute, _state), + ); + } + + it("returns `true` when the profile was created more than 30 days ago", async () => { + const thirtyOneDaysAgo = new Date(); + thirtyOneDaysAgo.setDate(thirtyOneDaysAgo.getDate() - 31); + + getProfileCreationDate.mockResolvedValueOnce(thirtyOneDaysAgo); + + expect(await setupExtensionGuard()).toBe(true); + }); + + it("returns `true` when the profile check fails", async () => { + getProfileCreationDate.mockRejectedValueOnce(new Error("Profile check failed")); + + expect(await setupExtensionGuard()).toBe(true); + }); + + it("returns `true` when the feature flag is disabled", async () => { + getFeatureFlag.mockResolvedValueOnce(false); + + expect(await setupExtensionGuard()).toBe(true); + }); + + it("returns `true` when the user is on a mobile device", async () => { + Utils.isMobileBrowser = true; + + expect(await setupExtensionGuard()).toBe(true); + }); + + it("returns `true` when the user has dismissed the extension page", async () => { + state$.next(true); + + expect(await setupExtensionGuard()).toBe(true); + }); + + it("returns `true` when the user has the extension installed", async () => { + state$.next(false); + extensionInstalled$.next(true); + + expect(await setupExtensionGuard()).toBe(true); + }); + + it('redirects the user to "/setup-extension" when all criteria do not pass', async () => { + state$.next(false); + extensionInstalled$.next(false); + + await setupExtensionGuard(); + + expect(createUrlTree).toHaveBeenCalledWith(["/setup-extension"]); + }); + + describe("missing current account", () => { + afterAll(() => { + // reset `activeAccount$` observable + activeAccount$.next(account); + }); + + it("redirects to login when account is missing", async () => { + activeAccount$.next(null); + + await setupExtensionGuard(); + + expect(createUrlTree).toHaveBeenCalledWith(["/login"]); + }); + }); +}); diff --git a/apps/web/src/app/vault/guards/setup-extension-redirect.guard.ts b/apps/web/src/app/vault/guards/setup-extension-redirect.guard.ts new file mode 100644 index 00000000000..983fd8ed0aa --- /dev/null +++ b/apps/web/src/app/vault/guards/setup-extension-redirect.guard.ts @@ -0,0 +1,109 @@ +import { inject } from "@angular/core"; +import { CanActivateFn, Router } from "@angular/router"; +import { firstValueFrom, map } from "rxjs"; + +import { VaultProfileService } from "@bitwarden/angular/vault/services/vault-profile.service"; +import { AccountService } from "@bitwarden/common/auth/abstractions/account.service"; +import { FeatureFlag } from "@bitwarden/common/enums/feature-flag.enum"; +import { ConfigService } from "@bitwarden/common/platform/abstractions/config/config.service"; +import { Utils } from "@bitwarden/common/platform/misc/utils"; +import { + SETUP_EXTENSION_DISMISSED_DISK, + StateProvider, + UserKeyDefinition, +} from "@bitwarden/common/platform/state"; + +import { WebBrowserInteractionService } from "../services/web-browser-interaction.service"; + +export const SETUP_EXTENSION_DISMISSED = new UserKeyDefinition( + SETUP_EXTENSION_DISMISSED_DISK, + "setupExtensionDismissed", + { + deserializer: (dismissed) => dismissed, + clearOn: [], + }, +); + +export const setupExtensionRedirectGuard: CanActivateFn = async () => { + const router = inject(Router); + const configService = inject(ConfigService); + const accountService = inject(AccountService); + const vaultProfileService = inject(VaultProfileService); + const stateProvider = inject(StateProvider); + const webBrowserInteractionService = inject(WebBrowserInteractionService); + + const isMobile = Utils.isMobileBrowser; + + const endUserFeatureEnabled = await configService.getFeatureFlag( + FeatureFlag.PM19315EndUserActivationMvp, + ); + + // The extension page isn't applicable for mobile users, do not redirect them. + // Include before any other checks to avoid unnecessary processing. + if (!endUserFeatureEnabled || isMobile) { + return true; + } + + const currentAcct = await firstValueFrom(accountService.activeAccount$); + + if (!currentAcct) { + return router.createUrlTree(["/login"]); + } + + const hasExtensionInstalledPromise = firstValueFrom( + webBrowserInteractionService.extensionInstalled$, + ); + + const dismissedExtensionPage = await firstValueFrom( + stateProvider + .getUser(currentAcct.id, SETUP_EXTENSION_DISMISSED) + .state$.pipe(map((dismissed) => dismissed ?? false)), + ); + + const isProfileOlderThan30Days = await profileIsOlderThan30Days( + vaultProfileService, + currentAcct.id, + ).catch( + () => + // If the call for the profile fails for any reason, do not block the user + true, + ); + + if (dismissedExtensionPage || isProfileOlderThan30Days) { + return true; + } + + // Checking for the extension is a more expensive operation, do it last to avoid unnecessary delays. + const hasExtensionInstalled = await hasExtensionInstalledPromise; + + if (hasExtensionInstalled) { + return true; + } + + return router.createUrlTree(["/setup-extension"]); +}; + +/** Returns true when the user's profile is older than 30 days */ +async function profileIsOlderThan30Days( + vaultProfileService: VaultProfileService, + userId: string, +): Promise { + const creationDate = await vaultProfileService.getProfileCreationDate(userId); + return isMoreThan30DaysAgo(creationDate); +} + +/** Returns the true when the date given is older than 30 days */ +function isMoreThan30DaysAgo(date?: string | Date): boolean { + if (!date) { + return false; + } + + const inputDate = new Date(date).getTime(); + const today = new Date().getTime(); + + const differenceInMS = today - inputDate; + const msInADay = 1000 * 60 * 60 * 24; + const differenceInDays = Math.round(differenceInMS / msInADay); + + return differenceInDays > 30; +} diff --git a/apps/web/src/app/vault/services/web-browser-interaction.service.spec.ts b/apps/web/src/app/vault/services/web-browser-interaction.service.spec.ts index fef5d45e8c3..bfbfb0fb676 100644 --- a/apps/web/src/app/vault/services/web-browser-interaction.service.spec.ts +++ b/apps/web/src/app/vault/services/web-browser-interaction.service.spec.ts @@ -38,7 +38,7 @@ describe("WebBrowserInteractionService", () => { expect(installed).toBe(false); }); - tick(1500); + tick(150); })); it("returns true when the extension is installed", (done) => { @@ -58,13 +58,13 @@ describe("WebBrowserInteractionService", () => { }); // initial timeout, should emit false - tick(1500); + tick(26); expect(results[0]).toBe(false); tick(2500); // then emit `HasBwInstalled` dispatchEvent(VaultMessages.HasBwInstalled); - tick(); + tick(26); expect(results[1]).toBe(true); })); }); diff --git a/apps/web/src/app/vault/services/web-browser-interaction.service.ts b/apps/web/src/app/vault/services/web-browser-interaction.service.ts index f1005ef6dc9..1f91942591b 100644 --- a/apps/web/src/app/vault/services/web-browser-interaction.service.ts +++ b/apps/web/src/app/vault/services/web-browser-interaction.service.ts @@ -21,10 +21,19 @@ import { ExtensionPageUrls } from "@bitwarden/common/vault/enums"; import { VaultMessages } from "@bitwarden/common/vault/enums/vault-messages.enum"; /** - * The amount of time in milliseconds to wait for a response from the browser extension. + * The amount of time in milliseconds to wait for a response from the browser extension. A longer duration is + * used to allow for the extension to open and then emit to the message. * NOTE: This value isn't computed by any means, it is just a reasonable timeout for the extension to respond. */ -const MESSAGE_RESPONSE_TIMEOUT_MS = 1500; +const OPEN_RESPONSE_TIMEOUT_MS = 1500; + +/** + * Timeout for checking if the extension is installed. + * + * A shorter timeout is used to avoid waiting for too long for the extension. The listener for + * checking the installation runs in the background scripts so the response should be relatively quick. + */ +const CHECK_FOR_EXTENSION_TIMEOUT_MS = 25; @Injectable({ providedIn: "root", @@ -63,7 +72,7 @@ export class WebBrowserInteractionService { filter((event) => event.data.command === VaultMessages.PopupOpened), map(() => true), ), - timer(MESSAGE_RESPONSE_TIMEOUT_MS).pipe(map(() => false)), + timer(OPEN_RESPONSE_TIMEOUT_MS).pipe(map(() => false)), ) .pipe(take(1)) .subscribe((didOpen) => { @@ -85,7 +94,7 @@ export class WebBrowserInteractionService { filter((event) => event.data.command === VaultMessages.HasBwInstalled), map(() => true), ), - timer(MESSAGE_RESPONSE_TIMEOUT_MS).pipe(map(() => false)), + timer(CHECK_FOR_EXTENSION_TIMEOUT_MS).pipe(map(() => false)), ).pipe( tap({ subscribe: () => { diff --git a/libs/auth/src/angular/registration/registration-finish/default-registration-finish.service.ts b/libs/auth/src/angular/registration/registration-finish/default-registration-finish.service.ts index b51f45f1b27..2bef5670ac3 100644 --- a/libs/auth/src/angular/registration/registration-finish/default-registration-finish.service.ts +++ b/libs/auth/src/angular/registration/registration-finish/default-registration-finish.service.ts @@ -28,10 +28,6 @@ export class DefaultRegistrationFinishService implements RegistrationFinishServi return null; } - determineLoginSuccessRoute(): Promise { - return Promise.resolve("/vault"); - } - async finishRegistration( email: string, passwordInputResult: PasswordInputResult, diff --git a/libs/auth/src/angular/registration/registration-finish/registration-finish.component.ts b/libs/auth/src/angular/registration/registration-finish/registration-finish.component.ts index 1d1a2d8f892..dac62f039ee 100644 --- a/libs/auth/src/angular/registration/registration-finish/registration-finish.component.ts +++ b/libs/auth/src/angular/registration/registration-finish/registration-finish.component.ts @@ -204,8 +204,7 @@ export class RegistrationFinishComponent implements OnInit, OnDestroy { await this.loginSuccessHandlerService.run(authenticationResult.userId); - const successRoute = await this.registrationFinishService.determineLoginSuccessRoute(); - await this.router.navigate([successRoute]); + await this.router.navigate(["/vault"]); } catch (e) { // If login errors, redirect to login page per product. Don't show error this.logService.error("Error logging in after registration: ", e.message); diff --git a/libs/auth/src/angular/registration/registration-finish/registration-finish.service.ts b/libs/auth/src/angular/registration/registration-finish/registration-finish.service.ts index 523a4c79c54..5f3c04e5155 100644 --- a/libs/auth/src/angular/registration/registration-finish/registration-finish.service.ts +++ b/libs/auth/src/angular/registration/registration-finish/registration-finish.service.ts @@ -16,11 +16,6 @@ export abstract class RegistrationFinishService { */ abstract getMasterPasswordPolicyOptsFromOrgInvite(): Promise; - /** - * Returns the route the user is redirected to after a successful login. - */ - abstract determineLoginSuccessRoute(): Promise; - /** * Finishes the registration process by creating a new user account. * diff --git a/libs/common/src/platform/state/state-definitions.ts b/libs/common/src/platform/state/state-definitions.ts index 93c489a343e..a1c3ee35c5c 100644 --- a/libs/common/src/platform/state/state-definitions.ts +++ b/libs/common/src/platform/state/state-definitions.ts @@ -202,6 +202,13 @@ export const SECURITY_TASKS_DISK = new StateDefinition("securityTasks", "disk"); export const AT_RISK_PASSWORDS_PAGE_DISK = new StateDefinition("atRiskPasswordsPage", "disk"); export const NOTIFICATION_DISK = new StateDefinition("notifications", "disk"); export const NUDGES_DISK = new StateDefinition("nudges", "disk", { web: "disk-local" }); +export const SETUP_EXTENSION_DISMISSED_DISK = new StateDefinition( + "setupExtensionDismissed", + "disk", + { + web: "disk-local", + }, +); export const VAULT_BROWSER_INTRO_CAROUSEL = new StateDefinition( "vaultBrowserIntroCarousel", "disk", From e8629e5e1b276973ab9820e4ddc4a7a215bc69be Mon Sep 17 00:00:00 2001 From: cyprain-okeke <108260115+cyprain-okeke@users.noreply.github.com> Date: Wed, 23 Jul 2025 14:00:07 +0100 Subject: [PATCH 29/37] Resolve the dropdown display error (#15704) --- .../src/app/billing/settings/sponsored-families.component.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apps/web/src/app/billing/settings/sponsored-families.component.html b/apps/web/src/app/billing/settings/sponsored-families.component.html index 7708f63365e..7d240cb0665 100644 --- a/apps/web/src/app/billing/settings/sponsored-families.component.html +++ b/apps/web/src/app/billing/settings/sponsored-families.component.html @@ -28,7 +28,7 @@ > Date: Wed, 23 Jul 2025 09:51:02 -0400 Subject: [PATCH 30/37] Removing the notifications feature flag and logic (#15551) --- .../critical-applications.component.html | 1 - .../access-intelligence/critical-applications.component.ts | 6 ------ libs/common/src/enums/feature-flag.enum.ts | 6 ------ 3 files changed, 13 deletions(-) diff --git a/bitwarden_license/bit-web/src/app/dirt/access-intelligence/critical-applications.component.html b/bitwarden_license/bit-web/src/app/dirt/access-intelligence/critical-applications.component.html index 4e2b4e5c404..ffef3f3b0b9 100644 --- a/bitwarden_license/bit-web/src/app/dirt/access-intelligence/critical-applications.component.html +++ b/bitwarden_license/bit-web/src/app/dirt/access-intelligence/critical-applications.component.html @@ -29,7 +29,6 @@

{{ "criticalApplications" | i18n }}

+ diff --git a/libs/components/src/search/search.component.ts b/libs/components/src/search/search.component.ts index ef12e7eead6..c6c5f2757dd 100644 --- a/libs/components/src/search/search.component.ts +++ b/libs/components/src/search/search.component.ts @@ -1,6 +1,7 @@ // FIXME: Update this file to be type safe and remove this and next line // @ts-strict-ignore -import { Component, ElementRef, ViewChild, input, model } from "@angular/core"; +import { NgIf, NgClass } from "@angular/common"; +import { Component, ElementRef, ViewChild, input, model, signal, computed } from "@angular/core"; import { ControlValueAccessor, NG_VALUE_ACCESSOR, @@ -16,6 +17,9 @@ import { FocusableElement } from "../shared/focusable-element"; let nextId = 0; +/** + * Do not nest Search components inside another `
`, as they already contain their own standalone `` element for searching. + */ @Component({ selector: "bit-search", templateUrl: "./search.component.html", @@ -30,7 +34,7 @@ let nextId = 0; useExisting: SearchComponent, }, ], - imports: [InputModule, ReactiveFormsModule, FormsModule, I18nPipe], + imports: [InputModule, ReactiveFormsModule, FormsModule, I18nPipe, NgIf, NgClass], }) export class SearchComponent implements ControlValueAccessor, FocusableElement { private notifyOnChange: (v: string) => void; @@ -43,6 +47,11 @@ export class SearchComponent implements ControlValueAccessor, FocusableElement { // Use `type="text"` for Safari to improve rendering performance protected inputType = isBrowserSafariApi() ? ("text" as const) : ("search" as const); + protected isInputFocused = signal(false); + protected isFormHovered = signal(false); + + protected showResetButton = computed(() => this.isInputFocused() || this.isFormHovered()); + readonly disabled = model(); readonly placeholder = input(); readonly autocomplete = input(); @@ -52,11 +61,20 @@ export class SearchComponent implements ControlValueAccessor, FocusableElement { } onChange(searchText: string) { + this.searchText = searchText; // update the model when the input changes (so we can use it with *ngIf in the template) if (this.notifyOnChange != undefined) { this.notifyOnChange(searchText); } } + // Handle the reset button click + clearSearch() { + this.searchText = ""; + if (this.notifyOnChange) { + this.notifyOnChange(""); + } + } + onTouch() { if (this.notifyOnTouch != undefined) { this.notifyOnTouch(); diff --git a/libs/components/src/search/search.mdx b/libs/components/src/search/search.mdx index 7775225b8c2..98e91162c94 100644 --- a/libs/components/src/search/search.mdx +++ b/libs/components/src/search/search.mdx @@ -1,4 +1,4 @@ -import { Meta, Canvas, Source, Primary, Controls, Title } from "@storybook/addon-docs"; +import { Meta, Canvas, Source, Primary, Controls, Title, Description } from "@storybook/addon-docs"; import * as stories from "./search.stories"; @@ -9,6 +9,7 @@ import { SearchModule } from "@bitwarden/components"; ``` Search field + From aee23f72062cb7eee6065e7ce891294500e25766 Mon Sep 17 00:00:00 2001 From: Jason Ng Date: Wed, 23 Jul 2025 12:29:40 -0400 Subject: [PATCH 34/37] [PM-23722] remove previous change for the account security badge (#15739) --- .../tools/popup/settings/settings-v2.component.html | 11 +---------- .../src/tools/popup/settings/settings-v2.component.ts | 6 ------ libs/angular/src/vault/services/nudges.service.ts | 1 - 3 files changed, 1 insertion(+), 17 deletions(-) diff --git a/apps/browser/src/tools/popup/settings/settings-v2.component.html b/apps/browser/src/tools/popup/settings/settings-v2.component.html index 3f8bdb1cf2f..0b2e84712a4 100644 --- a/apps/browser/src/tools/popup/settings/settings-v2.component.html +++ b/apps/browser/src/tools/popup/settings/settings-v2.component.html @@ -10,16 +10,7 @@ -
-

{{ "accountSecurity" | i18n }}

- 1 -
+ {{ "accountSecurity" | i18n }} diff --git a/apps/browser/src/tools/popup/settings/settings-v2.component.ts b/apps/browser/src/tools/popup/settings/settings-v2.component.ts index 7d3b9c776fc..a0383b99390 100644 --- a/apps/browser/src/tools/popup/settings/settings-v2.component.ts +++ b/apps/browser/src/tools/popup/settings/settings-v2.component.ts @@ -50,12 +50,6 @@ export class SettingsV2Component implements OnInit { shareReplay({ bufferSize: 1, refCount: true }), ); - protected showAcctSecurityNudge$: Observable = this.authenticatedAccount$.pipe( - switchMap((account) => - this.nudgesService.showNudgeBadge$(NudgeType.AccountSecurity, account.id), - ), - ); - showDownloadBitwardenNudge$: Observable = this.authenticatedAccount$.pipe( switchMap((account) => this.nudgesService.showNudgeBadge$(NudgeType.DownloadBitwarden, account.id), diff --git a/libs/angular/src/vault/services/nudges.service.ts b/libs/angular/src/vault/services/nudges.service.ts index 584aacd9837..6cb7ae4abf1 100644 --- a/libs/angular/src/vault/services/nudges.service.ts +++ b/libs/angular/src/vault/services/nudges.service.ts @@ -160,7 +160,6 @@ export class NudgesService { hasActiveBadges$(userId: UserId): Observable { // Add more nudge types here if they have the settings badge feature const nudgeTypes = [ - NudgeType.AccountSecurity, NudgeType.EmptyVaultNudge, NudgeType.DownloadBitwarden, NudgeType.AutofillNudge, From 417c4cd13b33a667c5bc9c9bba2eac5b070fcb11 Mon Sep 17 00:00:00 2001 From: Jordan Aasen <166539328+jaasen-livefront@users.noreply.github.com> Date: Wed, 23 Jul 2025 09:33:29 -0700 Subject: [PATCH 35/37] [PM-23479] - Can see card filter in AC if you belong to multiple orgs (#15661) * hide card filter if user does not have a cipher with the allowing org * fix restricted item type filter visibility * do not include deleted ciphers --- .../vault-filter/vault-filter.component.ts | 5 +- .../components/vault-filter.component.ts | 48 ++++++++++++++++--- 2 files changed, 45 insertions(+), 8 deletions(-) diff --git a/apps/web/src/app/admin-console/organizations/collections/vault-filter/vault-filter.component.ts b/apps/web/src/app/admin-console/organizations/collections/vault-filter/vault-filter.component.ts index 49bf43d60bf..bf0df14c8c6 100644 --- a/apps/web/src/app/admin-console/organizations/collections/vault-filter/vault-filter.component.ts +++ b/apps/web/src/app/admin-console/organizations/collections/vault-filter/vault-filter.component.ts @@ -10,6 +10,7 @@ import { BillingApiServiceAbstraction } from "@bitwarden/common/billing/abstract import { ConfigService } from "@bitwarden/common/platform/abstractions/config/config.service"; import { I18nService } from "@bitwarden/common/platform/abstractions/i18n.service"; import { PlatformUtilsService } from "@bitwarden/common/platform/abstractions/platform-utils.service"; +import { CipherService } from "@bitwarden/common/vault/abstractions/cipher.service"; import { TreeNode } from "@bitwarden/common/vault/models/domain/tree-node"; import { RestrictedItemTypesService } from "@bitwarden/common/vault/services/restricted-item-types.service"; import { DialogService, ToastService } from "@bitwarden/components"; @@ -53,6 +54,7 @@ export class VaultFilterComponent protected configService: ConfigService, protected accountService: AccountService, protected restrictedItemTypesService: RestrictedItemTypesService, + protected cipherService: CipherService, ) { super( vaultFilterService, @@ -65,6 +67,7 @@ export class VaultFilterComponent configService, accountService, restrictedItemTypesService, + cipherService, ); } @@ -131,7 +134,7 @@ export class VaultFilterComponent async buildAllFilters(): Promise { const builderFilter = {} as VaultFilterList; - builderFilter.typeFilter = await this.addTypeFilter(["favorites"]); + builderFilter.typeFilter = await this.addTypeFilter(["favorites"], this._organization?.id); builderFilter.collectionFilter = await this.addCollectionFilter(); builderFilter.trashFilter = await this.addTrashFilter(); return builderFilter; diff --git a/apps/web/src/app/vault/individual-vault/vault-filter/components/vault-filter.component.ts b/apps/web/src/app/vault/individual-vault/vault-filter/components/vault-filter.component.ts index 61dd3e9ca80..4525d702153 100644 --- a/apps/web/src/app/vault/individual-vault/vault-filter/components/vault-filter.component.ts +++ b/apps/web/src/app/vault/individual-vault/vault-filter/components/vault-filter.component.ts @@ -1,6 +1,7 @@ import { Component, EventEmitter, inject, Input, OnDestroy, OnInit, Output } from "@angular/core"; import { Router } from "@angular/router"; import { + combineLatest, distinctUntilChanged, firstValueFrom, map, @@ -20,6 +21,7 @@ import { BillingApiServiceAbstraction } from "@bitwarden/common/billing/abstract import { ConfigService } from "@bitwarden/common/platform/abstractions/config/config.service"; import { I18nService } from "@bitwarden/common/platform/abstractions/i18n.service"; import { PlatformUtilsService } from "@bitwarden/common/platform/abstractions/platform-utils.service"; +import { CipherService } from "@bitwarden/common/vault/abstractions/cipher.service"; import { CipherType } from "@bitwarden/common/vault/enums"; import { TreeNode } from "@bitwarden/common/vault/models/domain/tree-node"; import { RestrictedItemTypesService } from "@bitwarden/common/vault/services/restricted-item-types.service"; @@ -155,6 +157,7 @@ export class VaultFilterComponent implements OnInit, OnDestroy { protected configService: ConfigService, protected accountService: AccountService, protected restrictedItemTypesService: RestrictedItemTypesService, + protected cipherService: CipherService, ) {} async ngOnInit(): Promise { @@ -292,16 +295,47 @@ export class VaultFilterComponent implements OnInit, OnDestroy { return orgFilterSection; } - protected async addTypeFilter(excludeTypes: CipherStatus[] = []): Promise { + protected async addTypeFilter( + excludeTypes: CipherStatus[] = [], + organizationId?: string, + ): Promise { const allFilter: CipherTypeFilter = { id: "AllItems", name: "allItems", type: "all", icon: "" }; - const data$ = this.restrictedItemTypesService.restricted$.pipe( - map((restricted) => { - // List of types restricted by all orgs - const restrictedByAll = restricted - .filter((r) => r.allowViewOrgIds.length === 0) + const userId = await firstValueFrom(this.activeUserId$); + + const data$ = combineLatest([ + this.restrictedItemTypesService.restricted$, + this.cipherService.cipherViews$(userId), + ]).pipe( + map(([restrictedTypes, ciphers]) => { + const restrictedForUser = restrictedTypes + .filter((r) => { + // - All orgs restrict the type + if (r.allowViewOrgIds.length === 0) { + return true; + } + // - Admin console: user has no ciphers of that type in the selected org + // - Individual vault view: user has no ciphers of that type in any allowed org + return !ciphers?.some((c) => { + if (c.deletedDate || c.type !== r.cipherType) { + return false; + } + // If the cipher doesn't belong to an org it is automatically restricted + if (!c.organizationId) { + return false; + } + if (organizationId) { + return ( + c.organizationId === organizationId && + r.allowViewOrgIds.includes(c.organizationId) + ); + } + return r.allowViewOrgIds.includes(c.organizationId); + }); + }) .map((r) => r.cipherType); - const toExclude = [...excludeTypes, ...restrictedByAll]; + + const toExclude = [...excludeTypes, ...restrictedForUser]; return this.allTypeFilters.filter( (f) => typeof f.type === "string" || !toExclude.includes(f.type), ); From 2040be68e3dbc8a3113ebbd5b1700954bb89f039 Mon Sep 17 00:00:00 2001 From: Jordan Aasen <166539328+jaasen-livefront@users.noreply.github.com> Date: Wed, 23 Jul 2025 09:33:45 -0700 Subject: [PATCH 36/37] [PM-23360] - Hide restricted cipher types in "File -> New Item" on desktop (#15743) * hide restricted cipher types in file menu on desktop * fix bitwarden menu * small fixes --- apps/desktop/src/app/app.component.ts | 7 ++++++ apps/desktop/src/main/menu/menu.file.ts | 25 +++++++++++++++++++++- apps/desktop/src/main/menu/menu.updater.ts | 6 ++++-- apps/desktop/src/main/menu/menubar.ts | 1 + 4 files changed, 36 insertions(+), 3 deletions(-) diff --git a/apps/desktop/src/app/app.component.ts b/apps/desktop/src/app/app.component.ts index b5c34cc95a3..10aa7ff9eeb 100644 --- a/apps/desktop/src/app/app.component.ts +++ b/apps/desktop/src/app/app.component.ts @@ -68,6 +68,7 @@ import { CipherService } from "@bitwarden/common/vault/abstractions/cipher.servi import { InternalFolderService } from "@bitwarden/common/vault/abstractions/folder/folder.service.abstraction"; import { SearchService } from "@bitwarden/common/vault/abstractions/search.service"; import { CipherType } from "@bitwarden/common/vault/enums"; +import { RestrictedItemTypesService } from "@bitwarden/common/vault/services/restricted-item-types.service"; import { DialogRef, DialogService, ToastOptions, ToastService } from "@bitwarden/components"; import { CredentialGeneratorHistoryDialogComponent } from "@bitwarden/generator-components"; import { KeyService, BiometricStateService } from "@bitwarden/key-management"; @@ -172,6 +173,7 @@ export class AppComponent implements OnInit, OnDestroy { private userDecryptionOptionsService: UserDecryptionOptionsServiceAbstraction, private readonly destroyRef: DestroyRef, private readonly documentLangSetter: DocumentLangSetter, + private restrictedItemTypesService: RestrictedItemTypesService, ) { this.deviceTrustToastService.setupListeners$.pipe(takeUntilDestroyed()).subscribe(); @@ -523,10 +525,12 @@ export class AppComponent implements OnInit, OnDestroy { private async updateAppMenu() { let updateRequest: MenuUpdateRequest; const stateAccounts = await firstValueFrom(this.accountService.accounts$); + if (stateAccounts == null || Object.keys(stateAccounts).length < 1) { updateRequest = { accounts: null, activeUserId: null, + restrictedCipherTypes: null, }; } else { const accounts: { [userId: string]: MenuAccount } = {}; @@ -557,6 +561,9 @@ export class AppComponent implements OnInit, OnDestroy { activeUserId: await firstValueFrom( this.accountService.activeAccount$.pipe(map((a) => a?.id)), ), + restrictedCipherTypes: ( + await firstValueFrom(this.restrictedItemTypesService.restricted$) + ).map((restrictedItems) => restrictedItems.cipherType), }; } diff --git a/apps/desktop/src/main/menu/menu.file.ts b/apps/desktop/src/main/menu/menu.file.ts index 19ba5e99792..a8cdb347a77 100644 --- a/apps/desktop/src/main/menu/menu.file.ts +++ b/apps/desktop/src/main/menu/menu.file.ts @@ -2,6 +2,7 @@ import { BrowserWindow, MenuItemConstructorOptions } from "electron"; import { I18nService } from "@bitwarden/common/platform/abstractions/i18n.service"; import { MessagingService } from "@bitwarden/common/platform/abstractions/messaging.service"; +import { CipherType } from "@bitwarden/sdk-internal"; import { isMac, isMacAppStore } from "../../utils"; import { UpdaterMain } from "../updater.main"; @@ -54,6 +55,7 @@ export class FileMenu extends FirstMenu implements IMenubarMenu { accounts: { [userId: string]: MenuAccount }, isLocked: boolean, isLockable: boolean, + private restrictedCipherTypes: CipherType[], ) { super(i18nService, messagingService, updater, window, accounts, isLocked, isLockable); } @@ -77,6 +79,23 @@ export class FileMenu extends FirstMenu implements IMenubarMenu { }; } + private mapMenuItemToCipherType(itemId: string): CipherType { + switch (itemId) { + case "typeLogin": + return CipherType.Login; + case "typeCard": + return CipherType.Card; + case "typeIdentity": + return CipherType.Identity; + case "typeSecureNote": + return CipherType.SecureNote; + case "typeSshKey": + return CipherType.SshKey; + default: + throw new Error(`Unknown menu item id: ${itemId}`); + } + } + private get addNewItemSubmenu(): MenuItemConstructorOptions[] { return [ { @@ -109,7 +128,11 @@ export class FileMenu extends FirstMenu implements IMenubarMenu { click: () => this.sendMessage("newSshKey"), accelerator: "CmdOrCtrl+Shift+K", }, - ]; + ].filter((item) => { + return !this.restrictedCipherTypes?.some( + (restrictedType) => restrictedType === this.mapMenuItemToCipherType(item.id), + ); + }); } private get addNewFolder(): MenuItemConstructorOptions { diff --git a/apps/desktop/src/main/menu/menu.updater.ts b/apps/desktop/src/main/menu/menu.updater.ts index 6f82a78384f..8b658049de7 100644 --- a/apps/desktop/src/main/menu/menu.updater.ts +++ b/apps/desktop/src/main/menu/menu.updater.ts @@ -1,8 +1,10 @@ // FIXME: Update this file to be type safe and remove this and next line // @ts-strict-ignore +import { CipherType } from "@bitwarden/common/vault/enums"; export class MenuUpdateRequest { - activeUserId: string; - accounts: { [userId: string]: MenuAccount }; + activeUserId: string | null; + accounts: { [userId: string]: MenuAccount } | null; + restrictedCipherTypes: CipherType[] | null; } export class MenuAccount { diff --git a/apps/desktop/src/main/menu/menubar.ts b/apps/desktop/src/main/menu/menubar.ts index 825afdaa1e8..8ac3a084d95 100644 --- a/apps/desktop/src/main/menu/menubar.ts +++ b/apps/desktop/src/main/menu/menubar.ts @@ -83,6 +83,7 @@ export class Menubar { updateRequest?.accounts, isLocked, isLockable, + updateRequest?.restrictedCipherTypes, ), new EditMenu(i18nService, messagingService, isLocked), new ViewMenu(i18nService, messagingService, isLocked), From e47e1f79d9b8d48358e6b57f665a5455c4dab156 Mon Sep 17 00:00:00 2001 From: Jared Snider <116684653+JaredSnider-Bitwarden@users.noreply.github.com> Date: Wed, 23 Jul 2025 12:58:44 -0400 Subject: [PATCH 37/37] fix(ChangePasswordComp): [Auth/PM-23913] Extension popout now closes after a password change (#15681) --- .../extension-change-password.service.spec.ts | 50 +++++++++++++++++++ .../extension-change-password.service.ts | 29 +++++++++++ .../src/popup/services/services.module.ts | 8 +++ .../change-password.component.ts | 3 ++ .../change-password.service.abstraction.ts | 6 +++ 5 files changed, 96 insertions(+) create mode 100644 apps/browser/src/auth/popup/change-password/extension-change-password.service.spec.ts create mode 100644 apps/browser/src/auth/popup/change-password/extension-change-password.service.ts diff --git a/apps/browser/src/auth/popup/change-password/extension-change-password.service.spec.ts b/apps/browser/src/auth/popup/change-password/extension-change-password.service.spec.ts new file mode 100644 index 00000000000..a6a6b905218 --- /dev/null +++ b/apps/browser/src/auth/popup/change-password/extension-change-password.service.spec.ts @@ -0,0 +1,50 @@ +import { MockProxy, mock } from "jest-mock-extended"; + +import { ChangePasswordService } from "@bitwarden/angular/auth/password-management/change-password"; +import { MasterPasswordApiService } from "@bitwarden/common/auth/abstractions/master-password-api.service.abstraction"; +import { InternalMasterPasswordServiceAbstraction } from "@bitwarden/common/key-management/master-password/abstractions/master-password.service.abstraction"; +import { KeyService } from "@bitwarden/key-management"; + +import { BrowserApi } from "../../../platform/browser/browser-api"; +import BrowserPopupUtils from "../../../platform/browser/browser-popup-utils"; + +import { ExtensionChangePasswordService } from "./extension-change-password.service"; + +describe("ExtensionChangePasswordService", () => { + let keyService: MockProxy; + let masterPasswordApiService: MockProxy; + let masterPasswordService: MockProxy; + let window: MockProxy; + + let changePasswordService: ChangePasswordService; + + beforeEach(() => { + keyService = mock(); + masterPasswordApiService = mock(); + masterPasswordService = mock(); + window = mock(); + + changePasswordService = new ExtensionChangePasswordService( + keyService, + masterPasswordApiService, + masterPasswordService, + window, + ); + }); + + it("should instantiate the service", () => { + expect(changePasswordService).toBeDefined(); + }); + + it("should close the browser extension popout", () => { + const closePopupSpy = jest.spyOn(BrowserApi, "closePopup"); + const browserPopupUtilsInPopupSpy = jest + .spyOn(BrowserPopupUtils, "inPopout") + .mockReturnValue(true); + + changePasswordService.closeBrowserExtensionPopout?.(); + + expect(closePopupSpy).toHaveBeenCalledWith(window); + expect(browserPopupUtilsInPopupSpy).toHaveBeenCalledWith(window); + }); +}); diff --git a/apps/browser/src/auth/popup/change-password/extension-change-password.service.ts b/apps/browser/src/auth/popup/change-password/extension-change-password.service.ts new file mode 100644 index 00000000000..dd2ce48d27a --- /dev/null +++ b/apps/browser/src/auth/popup/change-password/extension-change-password.service.ts @@ -0,0 +1,29 @@ +import { + DefaultChangePasswordService, + ChangePasswordService, +} from "@bitwarden/angular/auth/password-management/change-password"; +import { MasterPasswordApiService } from "@bitwarden/common/auth/abstractions/master-password-api.service.abstraction"; +import { InternalMasterPasswordServiceAbstraction } from "@bitwarden/common/key-management/master-password/abstractions/master-password.service.abstraction"; +import { KeyService } from "@bitwarden/key-management"; + +import { BrowserApi } from "../../../platform/browser/browser-api"; +import BrowserPopupUtils from "../../../platform/browser/browser-popup-utils"; + +export class ExtensionChangePasswordService + extends DefaultChangePasswordService + implements ChangePasswordService +{ + constructor( + protected keyService: KeyService, + protected masterPasswordApiService: MasterPasswordApiService, + protected masterPasswordService: InternalMasterPasswordServiceAbstraction, + private win: Window, + ) { + super(keyService, masterPasswordApiService, masterPasswordService); + } + closeBrowserExtensionPopout(): void { + if (BrowserPopupUtils.inPopout(this.win)) { + BrowserApi.closePopup(this.win); + } + } +} diff --git a/apps/browser/src/popup/services/services.module.ts b/apps/browser/src/popup/services/services.module.ts index 3887c8c8b12..509f7554aef 100644 --- a/apps/browser/src/popup/services/services.module.ts +++ b/apps/browser/src/popup/services/services.module.ts @@ -5,6 +5,7 @@ import { merge, of, Subject } from "rxjs"; import { CollectionService } from "@bitwarden/admin-console/common"; import { DeviceManagementComponentServiceAbstraction } from "@bitwarden/angular/auth/device-management/device-management-component.service.abstraction"; +import { ChangePasswordService } from "@bitwarden/angular/auth/password-management/change-password"; import { AngularThemingService } from "@bitwarden/angular/platform/services/theming/angular-theming.service"; import { SafeProvider, safeProvider } from "@bitwarden/angular/platform/utils/safe-provider"; import { ViewCacheService } from "@bitwarden/angular/platform/view-cache"; @@ -45,6 +46,7 @@ import { AccountService as AccountServiceAbstraction, } from "@bitwarden/common/auth/abstractions/account.service"; import { AuthService } from "@bitwarden/common/auth/abstractions/auth.service"; +import { MasterPasswordApiService } from "@bitwarden/common/auth/abstractions/master-password-api.service.abstraction"; import { SsoLoginServiceAbstraction } from "@bitwarden/common/auth/abstractions/sso-login.service.abstraction"; import { UserVerificationService } from "@bitwarden/common/auth/abstractions/user-verification/user-verification.service.abstraction"; import { @@ -143,6 +145,7 @@ import { import { AccountSwitcherService } from "../../auth/popup/account-switching/services/account-switcher.service"; import { ForegroundLockService } from "../../auth/popup/accounts/foreground-lock.service"; +import { ExtensionChangePasswordService } from "../../auth/popup/change-password/extension-change-password.service"; import { ExtensionLoginComponentService } from "../../auth/popup/login/extension-login-component.service"; import { ExtensionSsoComponentService } from "../../auth/popup/login/extension-sso-component.service"; import { ExtensionLogoutService } from "../../auth/popup/logout/extension-logout.service"; @@ -664,6 +667,11 @@ const safeProviders: SafeProvider[] = [ useClass: DefaultSshImportPromptService, deps: [DialogService, ToastService, PlatformUtilsService, I18nServiceAbstraction], }), + safeProvider({ + provide: ChangePasswordService, + useClass: ExtensionChangePasswordService, + deps: [KeyService, MasterPasswordApiService, InternalMasterPasswordServiceAbstraction, WINDOW], + }), safeProvider({ provide: NotificationsService, useClass: ForegroundNotificationsService, diff --git a/libs/angular/src/auth/password-management/change-password/change-password.component.ts b/libs/angular/src/auth/password-management/change-password/change-password.component.ts index 02738d33321..7bb9584e934 100644 --- a/libs/angular/src/auth/password-management/change-password/change-password.component.ts +++ b/libs/angular/src/auth/password-management/change-password/change-password.component.ts @@ -178,6 +178,9 @@ export class ChangePasswordComponent implements OnInit { // TODO: PM-23515 eventually use the logout service instead of messaging service once it is available without circular dependencies this.messagingService.send("logout"); + + // Close the popout if we are in a browser extension popout. + this.changePasswordService.closeBrowserExtensionPopout?.(); } } catch (error) { this.logService.error(error); diff --git a/libs/angular/src/auth/password-management/change-password/change-password.service.abstraction.ts b/libs/angular/src/auth/password-management/change-password/change-password.service.abstraction.ts index 2fd3bbae67a..1d6d789cdc5 100644 --- a/libs/angular/src/auth/password-management/change-password/change-password.service.abstraction.ts +++ b/libs/angular/src/auth/password-management/change-password/change-password.service.abstraction.ts @@ -59,4 +59,10 @@ export abstract class ChangePasswordService { * - Currently only used on the web change password service. */ clearDeeplinkState?: () => Promise; + + /** + * Optional method that closes the browser extension popout if in a popout + * If not in a popout, does nothing. + */ + abstract closeBrowserExtensionPopout?(): void; }