add required secrets for check run

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

.github/PULL_REQUEST_TEMPLATE.md

@@ -9,26 +9,3 @@
 ## 📸 Screenshots
 
 <!-- Required for any UI changes; delete if not applicable. Use fixed width images for better display. -->
-
-## ⏰ Reminders before review
-
-- Contributor guidelines followed
-- All formatters and local linters executed and passed
-- Written new unit and / or integration tests where applicable
-- Used internationalization (i18n) for all UI strings
-- CI builds passed
-- Communicated to DevOps any deployment requirements
-- Updated any necessary documentation (Confluence, contributing docs) or informed the documentation team
-
-## 🦮 Reviewer guidelines
-
-<!-- Suggested interactions but feel free to use (or not) as you desire! -->
-
-- 👍 (`:+1:`) or similar for great changes
-- 📝 (`:memo:`) or ℹ️ (`:information_source:`) for notes or general info
-- ❓ (`:question:`) for questions
-- 🤔 (`:thinking:`) or 💭 (`:thought_balloon:`) for more open inquiry that's not quite a confirmed issue and could potentially benefit from discussion
-- 🎨 (`:art:`) for suggestions / improvements
-- ❌ (`:x:`) or ⚠️ (`:warning:`) for more significant problems or concerns needing attention
-- 🌱 (`:seedling:`) or ♻️ (`:recycle:`) for future improvements or indications of technical debt
-- ⛏ (`:pick:`) for minor or nitpick changes

.github/workflows/build-target.yml

@@ -0,0 +1,49 @@
+# This workflow is intended to be run when we need to build the client and produce artifacts
+# that require secrets when the PR source branch does not have access to secrets (e.g. a fork).
+# This workflow will run in the context of the target of the PR and have access to secrets.
+# This should only be done after reviewing the PR to ensure that no malicious code has been
+# introduced, as it could allow the code on the forked branch to have access to workflow secrets.
+
+name: Build on PR Target
+
+on:
+  pull_request_target:
+    types: [opened, synchronize, reopened]
+    branches:
+      - main
+    paths:
+      - 'src/**'
+      - 'src-cli/**'
+      - 'jslib/**'
+      - 'resources/**'
+      - 'scripts/**'
+      - 'package.json'
+      - 'package-lock.json'
+      - 'tsconfig.json'
+      - 'angular.json'
+      - '.github/workflows/build.yml'
+      - '!*.md'
+      - '!*.txt'
+
+defaults:
+  run:
+    shell: bash
+
+permissions: {}
+
+jobs:
+  check-run:
+    name: Check PR run
+    uses: bitwarden/gh-actions/.github/workflows/check-run.yml@main
+    permissions:
+      contents: read
+
+  run-workflow:
+    name: Run Build
+    needs: check-run
+    if: ${{ github.event.pull_request.head.repo.full_name != github.repository }}
+    uses: ./.github/workflows/build.yml
+    secrets: inherit
+    permissions:
+      contents: read
+      id-token: write

.github/workflows/build.yml

@@ -8,6 +8,16 @@ on:
       - "rc"
       - "hotfix-rc"
   workflow_dispatch: {}
+  workflow_call:
+    secrets:
+      Azure-KV-CI-Service-Principal:
+        required: true
+      AZURE_SUBSCRIPTION_ID:
+        required: true
+      AZURE_TENANT_ID:
+        required: true
+      AZURE_CLIENT_ID:
+        required: true
 
 permissions:
   contents: read

jslib/common/spec/domain/encString.spec.ts

@@ -1,195 +0,0 @@
-import { Substitute, Arg } from "@fluffy-spoon/substitute";
-
-import { CryptoService } from "@/jslib/common/src/abstractions/crypto.service";
-import { EncryptionType } from "@/jslib/common/src/enums/encryptionType";
-import { EncString } from "@/jslib/common/src/models/domain/encString";
-import { SymmetricCryptoKey } from "@/jslib/common/src/models/domain/symmetricCryptoKey";
-import { ContainerService } from "@/jslib/common/src/services/container.service";
-
-describe("EncString", () => {
-  afterEach(() => {
-    (window as any).bitwardenContainerService = undefined;
-  });
-
-  describe("Rsa2048_OaepSha256_B64", () => {
-    it("constructor", () => {
-      const encString = new EncString(EncryptionType.Rsa2048_OaepSha256_B64, "data");
-
-      expect(encString).toEqual({
-        data: "data",
-        encryptedString: "3.data",
-        encryptionType: 3,
-      });
-    });
-
-    describe("parse existing", () => {
-      it("valid", () => {
-        const encString = new EncString("3.data");
-
-        expect(encString).toEqual({
-          data: "data",
-          encryptedString: "3.data",
-          encryptionType: 3,
-        });
-      });
-
-      it("invalid", () => {
-        const encString = new EncString("3.data|test");
-
-        expect(encString).toEqual({
-          encryptedString: "3.data|test",
-          encryptionType: 3,
-        });
-      });
-    });
-
-    describe("decrypt", () => {
-      const encString = new EncString(EncryptionType.Rsa2048_OaepSha256_B64, "data");
-
-      const cryptoService = Substitute.for<CryptoService>();
-      cryptoService.getOrgKey(null).resolves(null);
-      cryptoService.decryptToUtf8(encString, Arg.any()).resolves("decrypted");
-
-      beforeEach(() => {
-        (window as any).bitwardenContainerService = new ContainerService(cryptoService);
-      });
-
-      it("decrypts correctly", async () => {
-        const decrypted = await encString.decrypt(null);
-
-        expect(decrypted).toBe("decrypted");
-      });
-
-      it("result should be cached", async () => {
-        const decrypted = await encString.decrypt(null);
-        cryptoService.received(1).decryptToUtf8(Arg.any(), Arg.any());
-
-        expect(decrypted).toBe("decrypted");
-      });
-    });
-  });
-
-  describe("AesCbc256_B64", () => {
-    it("constructor", () => {
-      const encString = new EncString(EncryptionType.AesCbc256_B64, "data", "iv");
-
-      expect(encString).toEqual({
-        data: "data",
-        encryptedString: "0.iv|data",
-        encryptionType: 0,
-        iv: "iv",
-      });
-    });
-
-    describe("parse existing", () => {
-      it("valid", () => {
-        const encString = new EncString("0.iv|data");
-
-        expect(encString).toEqual({
-          data: "data",
-          encryptedString: "0.iv|data",
-          encryptionType: 0,
-          iv: "iv",
-        });
-      });
-
-      it("invalid", () => {
-        const encString = new EncString("0.iv|data|mac");
-
-        expect(encString).toEqual({
-          encryptedString: "0.iv|data|mac",
-          encryptionType: 0,
-        });
-      });
-    });
-  });
-
-  describe("AesCbc256_HmacSha256_B64", () => {
-    it("constructor", () => {
-      const encString = new EncString(EncryptionType.AesCbc256_HmacSha256_B64, "data", "iv", "mac");
-
-      expect(encString).toEqual({
-        data: "data",
-        encryptedString: "2.iv|data|mac",
-        encryptionType: 2,
-        iv: "iv",
-        mac: "mac",
-      });
-    });
-
-    it("valid", () => {
-      const encString = new EncString("2.iv|data|mac");
-
-      expect(encString).toEqual({
-        data: "data",
-        encryptedString: "2.iv|data|mac",
-        encryptionType: 2,
-        iv: "iv",
-        mac: "mac",
-      });
-    });
-
-    it("invalid", () => {
-      const encString = new EncString("2.iv|data");
-
-      expect(encString).toEqual({
-        encryptedString: "2.iv|data",
-        encryptionType: 2,
-      });
-    });
-  });
-
-  it("Exit early if null", () => {
-    const encString = new EncString(null);
-
-    expect(encString).toEqual({
-      encryptedString: null,
-    });
-  });
-
-  describe("decrypt", () => {
-    it("throws exception when bitwarden container not initialized", async () => {
-      const encString = new EncString(null);
-
-      expect.assertions(1);
-      try {
-        await encString.decrypt(null);
-      } catch (e) {
-        expect(e.message).toEqual("global bitwardenContainerService not initialized.");
-      }
-    });
-
-    it("handles value it can't decrypt", async () => {
-      const encString = new EncString(null);
-
-      const cryptoService = Substitute.for<CryptoService>();
-      cryptoService.getOrgKey(null).resolves(null);
-      cryptoService.decryptToUtf8(encString, Arg.any()).throws("error");
-
-      (window as any).bitwardenContainerService = new ContainerService(cryptoService);
-
-      const decrypted = await encString.decrypt(null);
-
-      expect(decrypted).toBe("[error: cannot decrypt]");
-
-      expect(encString).toEqual({
-        decryptedValue: "[error: cannot decrypt]",
-        encryptedString: null,
-      });
-    });
-
-    it("passes along key", async () => {
-      const encString = new EncString(null);
-      const key = Substitute.for<SymmetricCryptoKey>();
-
-      const cryptoService = Substitute.for<CryptoService>();
-      cryptoService.getOrgKey(null).resolves(null);
-
-      (window as any).bitwardenContainerService = new ContainerService(cryptoService);
-
-      await encString.decrypt(null, key);
-
-      cryptoService.received().decryptToUtf8(encString, key);
-    });
-  });
-});

jslib/common/spec/services/stateMigration.service.ts

@@ -1,84 +0,0 @@
-import { Arg, Substitute, SubstituteOf } from "@fluffy-spoon/substitute";
-
-import { StorageService } from "@/jslib/common/src/abstractions/storage.service";
-import { StateVersion } from "@/jslib/common/src/enums/stateVersion";
-import { StateFactory } from "@/jslib/common/src/factories/stateFactory";
-import { Account } from "@/jslib/common/src/models/domain/account";
-import { GlobalState } from "@/jslib/common/src/models/domain/globalState";
-import { StateMigrationService } from "@/jslib/common/src/services/stateMigration.service";
-
-const userId = "USER_ID";
-
-describe("State Migration Service", () => {
-  let storageService: SubstituteOf<StorageService>;
-  let secureStorageService: SubstituteOf<StorageService>;
-  let stateFactory: SubstituteOf<StateFactory>;
-
-  let stateMigrationService: StateMigrationService;
-
-  beforeEach(() => {
-    storageService = Substitute.for<StorageService>();
-    secureStorageService = Substitute.for<StorageService>();
-    stateFactory = Substitute.for<StateFactory>();
-
-    stateMigrationService = new StateMigrationService(
-      storageService,
-      secureStorageService,
-      stateFactory,
-    );
-  });
-
-  describe("StateVersion 3 to 4 migration", async () => {
-    beforeEach(() => {
-      const globalVersion3: Partial<GlobalState> = {
-        stateVersion: StateVersion.Three,
-      };
-
-      storageService.get("global", Arg.any()).resolves(globalVersion3);
-      storageService.get("authenticatedAccounts", Arg.any()).resolves([userId]);
-    });
-
-    it("clears everBeenUnlocked", async () => {
-      const accountVersion3: Account = {
-        profile: {
-          apiKeyClientId: null,
-          convertAccountToKeyConnector: null,
-          email: "EMAIL",
-          emailVerified: true,
-          everBeenUnlocked: true,
-          hasPremiumPersonally: false,
-          kdfIterations: 100000,
-          kdfType: 0,
-          keyHash: "KEY_HASH",
-          lastSync: "LAST_SYNC",
-          userId: userId,
-          usesKeyConnector: false,
-          forcePasswordReset: false,
-        },
-      };
-
-      const expectedAccountVersion4: Account = {
-        profile: {
-          ...accountVersion3.profile,
-        },
-      };
-      delete expectedAccountVersion4.profile.everBeenUnlocked;
-
-      storageService.get(userId, Arg.any()).resolves(accountVersion3);
-
-      await stateMigrationService.migrate();
-
-      storageService.received(1).save(userId, expectedAccountVersion4, Arg.any());
-    });
-
-    it("updates StateVersion number", async () => {
-      await stateMigrationService.migrate();
-
-      storageService.received(1).save(
-        "global",
-        Arg.is((globals: GlobalState) => globals.stateVersion === StateVersion.Four),
-        Arg.any(),
-      );
-    });
-  });
-});

jslib/common/spec/utils.ts

@@ -1,7 +1,3 @@
-import { Substitute, Arg } from "@fluffy-spoon/substitute";
-
-import { EncString } from "@/jslib/common/src/models/domain/encString";
-
 function newGuid() {
   return "xxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx".replace(/[xy]/g, (c) => {
     const r = (Math.random() * 16) | 0;
@@ -21,13 +17,6 @@ export function BuildTestObject<T, K extends keyof T = keyof T>(
   return Object.assign(constructor === null ? {} : new constructor(), def) as T;
 }
 
-export function mockEnc(s: string): EncString {
-  const mock = Substitute.for<EncString>();
-  mock.decrypt(Arg.any(), Arg.any()).resolves(s);
-
-  return mock;
-}
-
 export function makeStaticByteArray(length: number, start = 0) {
   const arr = new Uint8Array(length);
   for (let i = 0; i < length; i++) {

package.json

@@ -79,7 +79,6 @@
     "@angular/compiler-cli": "21.1.1",
     "@electron/notarize": "2.5.0",
     "@electron/rebuild": "4.0.1",
-    "@fluffy-spoon/substitute": "1.208.0",
     "@microsoft/microsoft-graph-types": "2.43.1",
     "@ngtools/webpack": "21.1.2",
     "@types/inquirer": "8.2.10",
@@ -113,7 +112,7 @@
     "eslint-import-resolver-typescript": "4.4.4",
     "eslint-plugin-import": "2.32.0",
     "eslint-plugin-rxjs-angular-x": "0.1.0",
-    "eslint-plugin-rxjs-x": "0.8.3",
+    "eslint-plugin-rxjs-x": "0.9.1",
     "form-data": "4.0.4",
     "glob": "13.0.0",
     "html-loader": "5.1.0",
@@ -138,7 +137,7 @@
     "tsconfig-paths-webpack-plugin": "4.2.0",
     "type-fest": "5.4.2",
     "typescript": "5.9.3",
-    "webpack": "5.104.1",
+    "webpack": "5.105.1",
     "webpack-cli": "6.0.1",
     "webpack-merge": "6.0.1",
     "webpack-node-externals": "3.0.0",

src/services/authService.spec.ts

@@ -1,7 +1,8 @@
-import { Arg, Substitute, SubstituteOf } from "@fluffy-spoon/substitute";
+import { mock } from "jest-mock-extended";
 
 import { ApiService } from "@/jslib/common/src/abstractions/api.service";
 import { AppIdService } from "@/jslib/common/src/abstractions/appId.service";
+import { MessagingService } from "@/jslib/common/src/abstractions/messaging.service";
 import { PlatformUtilsService } from "@/jslib/common/src/abstractions/platformUtils.service";
 import { Utils } from "@/jslib/common/src/misc/utils";
 import {
@@ -11,7 +12,6 @@ import {
 } from "@/jslib/common/src/models/domain/account";
 import { IdentityTokenResponse } from "@/jslib/common/src/models/response/identityTokenResponse";
 
-import { MessagingService } from "../../jslib/common/src/abstractions/messaging.service";
 import { Account, DirectoryConfigurations, DirectorySettings } from "../models/account";
 
 import { AuthService } from "./auth.service";
@@ -35,22 +35,22 @@ export function identityTokenResponseFactory() {
 }
 
 describe("AuthService", () => {
-  let apiService: SubstituteOf<ApiService>;
-  let appIdService: SubstituteOf<AppIdService>;
-  let platformUtilsService: SubstituteOf<PlatformUtilsService>;
-  let messagingService: SubstituteOf<MessagingService>;
-  let stateService: SubstituteOf<StateService>;
+  let apiService: jest.Mocked<ApiService>;
+  let appIdService: jest.Mocked<AppIdService>;
+  let platformUtilsService: jest.Mocked<PlatformUtilsService>;
+  let messagingService: jest.Mocked<MessagingService>;
+  let stateService: jest.Mocked<StateService>;
 
   let authService: AuthService;
 
   beforeEach(async () => {
-    apiService = Substitute.for();
-    appIdService = Substitute.for();
-    platformUtilsService = Substitute.for();
-    stateService = Substitute.for();
-    messagingService = Substitute.for();
+    apiService = mock<ApiService>();
+    appIdService = mock<AppIdService>();
+    platformUtilsService = mock<PlatformUtilsService>();
+    stateService = mock<StateService>();
+    messagingService = mock<MessagingService>();
 
-    appIdService.getAppId().resolves(deviceId);
+    appIdService.getAppId.mockResolvedValue(deviceId);
 
     authService = new AuthService(
       apiService,
@@ -62,11 +62,12 @@ describe("AuthService", () => {
   });
 
   it("sets the local environment after a successful login", async () => {
-    apiService.postIdentityToken(Arg.any()).resolves(identityTokenResponseFactory());
+    apiService.postIdentityToken.mockResolvedValue(identityTokenResponseFactory());
 
     await authService.logIn({ clientId, clientSecret });
 
-    stateService.received(1).addAccount(
+    expect(stateService.addAccount).toHaveBeenCalledTimes(1);
+    expect(stateService.addAccount).toHaveBeenCalledWith(
       new Account({
         profile: {
           ...new AccountProfile(),