@causa/workspace-google 0.5.0 → 0.6.0

package/README.md

@@ -57,6 +57,14 @@ secrets:
 
 When the GCP project is not specified in the secret ID, it is inferred from `google.secretManager.project`, or `google.project` (in this order). This allows defining the GCP project a single time if needed.
 
+A second secret backend, `google.accessToken`, does not fetch secrets from a source but rather returns a GCP access token, which can be used to access Google services:
+
+```yaml
+secrets:
+  gcpAccessToken:
+    backend: google.accessToken
+```
+
 ## 🔨 Custom `google` commands
 
 This modules adds a new command to the CLI: `cs google`. Here is the list of subcommands that are exposed.

package/dist/functions/emulator/start-spanner.d.ts

@@ -22,9 +22,17 @@ export declare class EmulatorStartForSpanner extends EmulatorStart {
      * @returns The configuration for the Spanner emulator.
      */
     private startSpannerEmulator;
+    /**
+     * Creates the Spanner instance and databases within the emulator.
+     *
+     * @param context The {@link WorkspaceContext}.
+     * @returns The configuration for the created instance and databases.
+     */
+    private initializeEmulator;
     /**
      * Creates a local instance within the Spanner emulator.
      *
+     * @param spanner The {@link Spanner} client.
      * @param context The {@link WorkspaceContext}.
      * @returns The created Spanner {@link Instance} and the corresponding client configuration.
      */

package/dist/functions/emulator/start-spanner.js

@@ -27,10 +27,9 @@ export class EmulatorStartForSpanner extends EmulatorStart {
             return {};
         }
         const emulatorConf = await this.startSpannerEmulator(context);
-        const { instance, instanceConf } = await this.createInstance(context);
-        const databaseConf = await this.createDatabases(instance, context);
+        const instanceAndDatabaseConf = await this.initializeEmulator(context);
         context.logger.info('🗃️ Successfully initialized Spanner emulator.');
-        return { ...emulatorConf, ...instanceConf, ...databaseConf };
+        return { ...emulatorConf, ...instanceAndDatabaseConf };
     }
     /**
      * Starts the Spanner emulator.
@@ -61,22 +60,35 @@ export class EmulatorStartForSpanner extends EmulatorStart {
         };
     }
     /**
-     * Creates a local instance within the Spanner emulator.
+     * Creates the Spanner instance and databases within the emulator.
      *
      * @param context The {@link WorkspaceContext}.
-     * @returns The created Spanner {@link Instance} and the corresponding client configuration.
+     * @returns The configuration for the created instance and databases.
      */
-    async createInstance(context) {
-        const instanceName = context
-            .asConfiguration()
-            .get('google.spanner.emulator.instanceName') ?? 'local';
-        context.logger.info(`🗃️ Creating Spanner emulator instance '${instanceName}'.`);
+    async initializeEmulator(context) {
         const spanner = new Spanner({
             servicePath: '127.0.0.1',
             port: SPANNER_GRPC_PORT,
             projectId: getLocalGcpProject(context),
             sslCreds: credentials.createInsecure(),
         });
+        const { instance, instanceConf } = await this.createInstance(spanner, context);
+        const databaseConf = await this.createDatabases(instance, context);
+        spanner.close();
+        return { ...instanceConf, ...databaseConf };
+    }
+    /**
+     * Creates a local instance within the Spanner emulator.
+     *
+     * @param spanner The {@link Spanner} client.
+     * @param context The {@link WorkspaceContext}.
+     * @returns The created Spanner {@link Instance} and the corresponding client configuration.
+     */
+    async createInstance(spanner, context) {
+        const instanceName = context
+            .asConfiguration()
+            .get('google.spanner.emulator.instanceName') ?? 'local';
+        context.logger.info(`🗃️ Creating Spanner emulator instance '${instanceName}'.`);
         const [instance, operation] = await spanner.createInstance(instanceName, {
             config: 'emulator-config',
             displayName: instanceName,
@@ -98,8 +110,11 @@ export class EmulatorStartForSpanner extends EmulatorStart {
             context.logger.info(`🗃️ Creating Spanner emulator database '${database.id}'.`);
             // Discarding `DROP TABLE` statements as the emulator does not seem to handle them properly.
             const ddls = database.ddls.filter((statement) => !statement.toUpperCase().startsWith('DROP TABLE'));
-            const operation = (await instance.createDatabase(database.id, { schema: ddls }))[1];
+            const [db, operation] = await instance.createDatabase(database.id, {
+                schema: ddls,
+            });
             await operation.promise();
+            await db.close();
         }));
         return databases.length === 0
             ? {}

package/dist/functions/google-app-check/generate-token.js

@@ -21,7 +21,7 @@ const TOKEN_TTL = 3600;
 /**
  * Generates a new AppCheck token.
  */
-export let GoogleAppCheckGenerateToken = class GoogleAppCheckGenerateToken extends WorkspaceFunction {
+let GoogleAppCheckGenerateToken = class GoogleAppCheckGenerateToken extends WorkspaceFunction {
     /**
      * The ID of the Firebase app for which the token will be generated.
      * If `undefined`, a Firebase app ID will be found in the configuration or using the API.
@@ -64,3 +64,4 @@ If the Firebase app ID is not specified, it will:
         outputFn: (token) => console.log(token),
     })
 ], GoogleAppCheckGenerateToken);
+export { GoogleAppCheckGenerateToken };

package/dist/functions/google-firebase-storage/merge-rules.js

@@ -27,7 +27,7 @@ const DEFAULT_FIREBASE_STORAGE_SECURITY_RULE_FILE = 'storage.rules';
  * Returns a configuration with `google.firebaseStorage.securityRuleFile` set, such that the function can be used as a
  * processor.
  */
-export let GoogleFirebaseStorageMergeRules = class GoogleFirebaseStorageMergeRules extends WorkspaceFunction {
+let GoogleFirebaseStorageMergeRules = class GoogleFirebaseStorageMergeRules extends WorkspaceFunction {
     tearDown;
     async _call(context) {
         if (this.tearDown) {
@@ -69,3 +69,4 @@ Input files are looked for in the workspace using the globs defined in google.fi
         outputFn: ({ securityRuleFile }) => console.log(securityRuleFile),
     })
 ], GoogleFirebaseStorageMergeRules);
+export { GoogleFirebaseStorageMergeRules };

package/dist/functions/google-firestore/merge-rules.js

@@ -27,7 +27,7 @@ const DEFAULT_FIRESTORE_SECURITY_RULE_FILE = 'firestore.rules';
  * Returns a configuration with `google.firestore.securityRuleFile` set, such that the function can be used as a
  * processor.
  */
-export let GoogleFirestoreMergeRules = class GoogleFirestoreMergeRules extends WorkspaceFunction {
+let GoogleFirestoreMergeRules = class GoogleFirestoreMergeRules extends WorkspaceFunction {
     tearDown;
     async _call(context) {
         if (this.tearDown) {
@@ -69,3 +69,4 @@ Input files are looked for in the workspace using the globs defined in google.fi
         outputFn: ({ securityRuleFile }) => console.log(securityRuleFile),
     })
 ], GoogleFirestoreMergeRules);
+export { GoogleFirestoreMergeRules };

package/dist/functions/google-identity-platform/generate-token.js

@@ -21,7 +21,7 @@ import { GoogleIdentityPlatformGenerateCustomToken } from './generate-custom-tok
  * For this function to succeed, the `google.project` should be set, which usually means setting the environment in the
  * context. Also `google.firebase` children can be used to configure (and speed up) how tokens are generated.
  */
-export let GoogleIdentityPlatformGenerateToken = class GoogleIdentityPlatformGenerateToken extends WorkspaceFunction {
+let GoogleIdentityPlatformGenerateToken = class GoogleIdentityPlatformGenerateToken extends WorkspaceFunction {
     /**
      * The ID of the user for which the token will be generated.
      */
@@ -71,3 +71,4 @@ Optional custom claims can be included in the signed token.`,
         outputFn: (token) => console.log(token),
     })
 ], GoogleIdentityPlatformGenerateToken);
+export { GoogleIdentityPlatformGenerateToken };

package/dist/functions/google-services/enable.js

@@ -20,7 +20,7 @@ const MAX_SERVICE_BATCH = 20;
 /**
  * Enables GCP services defined in `google.services` for the GCP project defined in `google.project`.
  */
-export let GoogleServicesEnable = class GoogleServicesEnable extends WorkspaceFunction {
+let GoogleServicesEnable = class GoogleServicesEnable extends WorkspaceFunction {
     tearDown;
     async _call(context) {
         if (this.tearDown) {
@@ -72,3 +72,4 @@ They will be enabled in the 'google.project' GCP project.`,
         outputFn: ({ services }) => console.log(services.join('\n')),
     })
 ], GoogleServicesEnable);
+export { GoogleServicesEnable };

package/dist/functions/index.js

@@ -8,7 +8,7 @@ import { GooglePubSubWriteTopics } from './google-pubsub/index.js';
 import { GoogleServicesEnable } from './google-services/index.js';
 import { GoogleSpannerListDatabases, GoogleSpannerWriteDatabases, } from './google-spanner/index.js';
 import { ProjectGetArtefactDestinationForCloudFunctions, ProjectGetArtefactDestinationForCloudRun, ProjectPushArtefactForCloudFunctions, } from './project/index.js';
-import { SecretFetchForGoogleSecretManager } from './secret/index.js';
+import { SecretFetchForGoogleAccessToken, SecretFetchForGoogleSecretManager, } from './secret/index.js';
 export function registerFunctions(context) {
-    context.registerFunctionImplementations(EmulatorStartForFirebaseStorage, EmulatorStartForFirestore, EmulatorStartForIdentityPlatform, EmulatorStartForPubSub, EmulatorStartForSpanner, EmulatorStopForFirebaseStorage, EmulatorStopForFirestore, EmulatorStopForIdentityPlatform, EmulatorStopForPubSub, EmulatorStopForSpanner, EventTopicBrokerCreateTopicForPubSub, EventTopicBrokerCreateTriggerForCloudRun, EventTopicBrokerDeleteTopicForPubSub, EventTopicBrokerDeleteTriggerResourceForCloudRunInvokerRole, EventTopicBrokerDeleteTriggerResourceForPubSubSubscription, EventTopicBrokerDeleteTriggerResourceForServiceAccount, EventTopicBrokerGetTopicIdForPubSub, EventTopicBrokerPublishEventsForGoogle, GoogleAppCheckGenerateToken, GoogleFirebaseStorageMergeRules, GoogleFirestoreMergeRules, GoogleIdentityPlatformGenerateCustomToken, GoogleIdentityPlatformGenerateToken, GooglePubSubWriteTopics, GoogleServicesEnable, GoogleSpannerListDatabases, GoogleSpannerWriteDatabases, ProjectGetArtefactDestinationForCloudFunctions, ProjectGetArtefactDestinationForCloudRun, ProjectPushArtefactForCloudFunctions, SecretFetchForGoogleSecretManager);
+    context.registerFunctionImplementations(EmulatorStartForFirebaseStorage, EmulatorStartForFirestore, EmulatorStartForIdentityPlatform, EmulatorStartForPubSub, EmulatorStartForSpanner, EmulatorStopForFirebaseStorage, EmulatorStopForFirestore, EmulatorStopForIdentityPlatform, EmulatorStopForPubSub, EmulatorStopForSpanner, EventTopicBrokerCreateTopicForPubSub, EventTopicBrokerCreateTriggerForCloudRun, EventTopicBrokerDeleteTopicForPubSub, EventTopicBrokerDeleteTriggerResourceForCloudRunInvokerRole, EventTopicBrokerDeleteTriggerResourceForPubSubSubscription, EventTopicBrokerDeleteTriggerResourceForServiceAccount, EventTopicBrokerGetTopicIdForPubSub, EventTopicBrokerPublishEventsForGoogle, GoogleAppCheckGenerateToken, GoogleFirebaseStorageMergeRules, GoogleFirestoreMergeRules, GoogleIdentityPlatformGenerateCustomToken, GoogleIdentityPlatformGenerateToken, GooglePubSubWriteTopics, GoogleServicesEnable, GoogleSpannerListDatabases, GoogleSpannerWriteDatabases, ProjectGetArtefactDestinationForCloudFunctions, ProjectGetArtefactDestinationForCloudRun, ProjectPushArtefactForCloudFunctions, SecretFetchForGoogleAccessToken, SecretFetchForGoogleSecretManager);
 }

package/dist/functions/secret/fetch-access-token.d.ts

@@ -0,0 +1,18 @@
+import { SecretFetch, WorkspaceContext } from '@causa/workspace';
+/**
+ * An error thrown when the auth client does not return a token.
+ */
+export declare class AuthClientResponseError extends Error {
+    constructor();
+}
+/**
+ * Implements {@link SecretFetch} to retrieve a Google access token.
+ * This backend does not require any configuration, as it does not fetch a specific secret and can only return a single
+ * value. A Google access token can be used to authenticate with other Google services. The returned token is configured
+ * with the current user (or service account)'s credentials, and for the configured GCP project (if any).
+ * The backend ID is `google.accessToken`.
+ */
+export declare class SecretFetchForGoogleAccessToken extends SecretFetch {
+    _call(context: WorkspaceContext): Promise<string>;
+    _supports(): boolean;
+}

package/dist/functions/secret/fetch-access-token.js

@@ -0,0 +1,30 @@
+import { SecretFetch } from '@causa/workspace';
+import { GoogleApisService } from '../../services/index.js';
+/**
+ * An error thrown when the auth client does not return a token.
+ */
+export class AuthClientResponseError extends Error {
+    constructor() {
+        super('Failed to retrieve the Google access token from the auth client response.');
+    }
+}
+/**
+ * Implements {@link SecretFetch} to retrieve a Google access token.
+ * This backend does not require any configuration, as it does not fetch a specific secret and can only return a single
+ * value. A Google access token can be used to authenticate with other Google services. The returned token is configured
+ * with the current user (or service account)'s credentials, and for the configured GCP project (if any).
+ * The backend ID is `google.accessToken`.
+ */
+export class SecretFetchForGoogleAccessToken extends SecretFetch {
+    async _call(context) {
+        const authClient = await context.service(GoogleApisService).getAuthClient();
+        const { token } = await authClient.getAccessToken();
+        if (!token) {
+            throw new AuthClientResponseError();
+        }
+        return token;
+    }
+    _supports() {
+        return this.backend === 'google.accessToken';
+    }
+}

package/dist/functions/secret/index.d.ts

@@ -1 +1,2 @@
+export { SecretFetchForGoogleAccessToken } from './fetch-access-token.js';
 export { SecretFetchForGoogleSecretManager } from './fetch-secret-manager.js';

package/dist/functions/secret/index.js

@@ -1 +1,2 @@
+export { SecretFetchForGoogleAccessToken } from './fetch-access-token.js';
 export { SecretFetchForGoogleSecretManager } from './fetch-secret-manager.js';

package/dist/services/google-apis.d.ts

@@ -1,4 +1,5 @@
 import { WorkspaceContext } from '@causa/workspace';
+import { AuthClient } from 'google-auth-library';
 import { GoogleApis } from 'googleapis';
 import { ApiClient, OptionsOfApiClient } from './google-apis.types.js';
 /**
@@ -9,7 +10,7 @@ export declare class GoogleApisService {
     /**
      * The GCP project ID read from the {@link WorkspaceContext} configuration.
      */
-    readonly projectId: string;
+    readonly projectId: string | undefined;
     constructor(context: WorkspaceContext);
     /**
      * The promise returning the `JSONClient` configured with the {@link GoogleApisService.projectId}.
@@ -20,7 +21,7 @@ export declare class GoogleApisService {
      *
      * @returns The auth client.
      */
-    getAuthClient(): Promise<any>;
+    getAuthClient(): Promise<AuthClient>;
     /**
      * Creates a new client for one of Google's APIs.
      * Authentication is automatically configured.

package/dist/services/google-apis.js

@@ -9,8 +9,9 @@ export class GoogleApisService {
      */
     projectId;
     constructor(context) {
-        const googleConf = context.asConfiguration();
-        this.projectId = googleConf.getOrThrow('google.project');
+        this.projectId = context
+            .asConfiguration()
+            .get('google.project');
     }
     /**
      * The promise returning the `JSONClient` configured with the {@link GoogleApisService.projectId}.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@causa/workspace-google",
-  "version": "0.5.0",
+  "version": "0.6.0",
   "description": "The Causa workspace module providing many functionalities related to GCP and its services.",
   "repository": "github:causa-io/workspace-module-google",
   "license": "ISC",
@@ -31,41 +31,42 @@
   "dependencies": {
     "@causa/cli": ">= 0.4.0 < 1.0.0",
     "@causa/workspace": ">= 0.12.0 < 1.0.0",
-    "@causa/workspace-core": ">= 0.14.1 < 1.0.0",
-    "@google-cloud/apikeys": "^0.2.2",
-    "@google-cloud/bigquery": "^7.1.1",
-    "@google-cloud/iam-credentials": "^2.0.4",
-    "@google-cloud/pubsub": "^4.0.0",
-    "@google-cloud/resource-manager": "^4.3.0",
-    "@google-cloud/run": "^0.6.0",
-    "@google-cloud/secret-manager": "^4.2.2",
-    "@google-cloud/service-usage": "^2.2.2",
-    "@google-cloud/spanner": "^6.15.0",
-    "@google-cloud/storage": "^7.0.0",
-    "@grpc/grpc-js": "~1.8.21",
+    "@causa/workspace-core": ">= 0.16.0 < 1.0.0",
+    "@google-cloud/apikeys": "^1.0.1",
+    "@google-cloud/bigquery": "^7.3.0",
+    "@google-cloud/iam-credentials": "^3.0.1",
+    "@google-cloud/pubsub": "^4.0.6",
+    "@google-cloud/resource-manager": "^5.0.1",
+    "@google-cloud/run": "^1.0.1",
+    "@google-cloud/secret-manager": "^5.0.1",
+    "@google-cloud/service-usage": "^3.1.0",
+    "@google-cloud/spanner": "^7.0.0",
+    "@google-cloud/storage": "^7.1.0",
+    "@grpc/grpc-js": "^1.9.4",
     "class-validator": "^0.14.0",
-    "firebase": "^10.1.0",
-    "firebase-admin": "^11.10.1",
+    "firebase": "^10.4.0",
+    "firebase-admin": "^11.11.0",
     "globby": "^13.2.2",
-    "googleapis": "^123.0.0",
-    "pino": "^8.15.0",
-    "uuid": "^9.0.0"
+    "google-auth-library": "^9.0.0",
+    "googleapis": "^126.0.1",
+    "pino": "^8.15.1",
+    "uuid": "^9.0.1"
   },
   "devDependencies": {
-    "@tsconfig/node18": "^18.2.0",
-    "@types/jest": "^29.5.3",
-    "@types/node": "^18.17.2",
-    "@types/uuid": "^9.0.2",
-    "@typescript-eslint/eslint-plugin": "^6.2.1",
+    "@tsconfig/node18": "^18.2.2",
+    "@types/jest": "^29.5.5",
+    "@types/node": "^18.18.0",
+    "@types/uuid": "^9.0.4",
+    "@typescript-eslint/eslint-plugin": "^6.7.3",
     "copyfiles": "^2.4.1",
-    "eslint": "^8.46.0",
-    "eslint-config-prettier": "^8.10.0",
+    "eslint": "^8.50.0",
+    "eslint-config-prettier": "^9.0.0",
     "eslint-plugin-prettier": "^5.0.0",
-    "jest": "^29.6.2",
+    "jest": "^29.7.0",
     "jest-extended": "^4.0.1",
-    "rimraf": "^5.0.1",
+    "rimraf": "^5.0.5",
     "ts-jest": "^29.1.1",
     "ts-node": "^10.9.1",
-    "typescript": "^5.1.6"
+    "typescript": "^5.2.2"
   }
 }