@cloudcommerce/cli 0.4.0 → 0.4.1

package/.turbo/turbo-build.log

@@ -1,4 +1,4 @@
 
-> @cloudcommerce/cli@0.3.0 build /home/leo/code/ecomplus/cloud-commerce/packages/cli
+> @cloudcommerce/cli@0.4.0 build /home/leo/code/ecomplus/cloud-commerce/packages/cli
 > sh ../../scripts/build-lib.sh
 

package/lib/setup-gcloud.js

@@ -1,25 +1,112 @@
 import path from 'node:path';
-import { $, fs } from 'zx';
+import {
+  $, fs, question, echo,
+} from 'zx';
 
+let gcpAccessToken;
 const serviceAccountId = 'cloud-commerce-gh-actions';
 const getAccountEmail = (projectId) => {
   return `${serviceAccountId}@${projectId}.iam.gserviceaccount.com`;
 };
+const requestApi = async (projectId, options) => {
+  const body = options?.body;
+  let url = options?.baseURL
+        || `https://iam.googleapis.com/v1/projects/${projectId}/serviceAccounts`;
+  url += options?.url || '';
+  const data = await (await fetch(url, {
+    method: options?.method || 'GET',
+    headers: {
+      Authorization: `Bearer ${gcpAccessToken}`,
+      'Content-Type': 'application/json; charset=utf-8',
+    },
+    body,
+  })).json();
+  const { error } = data;
+  if (error) {
+    let msgErr = 'Unexpected error in request';
+    msgErr = error.message ? `Code: ${error.code} - ${error.message}` : msgErr;
+    const err = new Error(msgErr);
+    throw err;
+  }
+  return data;
+};
+const getGcpAccessToken = async () => {
+  await echo`-- Get the Google Cloud account credentials:
+  1. Access https://shell.cloud.google.com/?fromcloudshell=true&show=terminal
+  2. Execute \`gcloud auth application-default print-access-token\` in Cloud Shell
+`;
+  return question('Google Cloud access token: ');
+};
 const checkServiceAccountExists = async (projectId) => {
   let hasServiceAccount;
   try {
-    const { stderr } = await $`gcloud iam service-accounts describe ${getAccountEmail(projectId)}`;
-    hasServiceAccount = !/not_?found/i.test(stderr);
-  } catch (e) {
+    if (!gcpAccessToken) {
+      const { stderr } = await $`gcloud iam service-accounts describe ${getAccountEmail(projectId)}`;
+      hasServiceAccount = !/not_?found/i.test(stderr);
+    } else {
+      // https://cloud.google.com/iam/docs/creating-managing-service-accounts?hl=pt-br#listing
+      const { accounts: listAccounts } = await requestApi(projectId);
+      const accountFound = listAccounts
+                && listAccounts.find(({ email }) => email === getAccountEmail(projectId));
+      hasServiceAccount = Boolean(accountFound);
+    }
+  } catch {
     return null;
   }
   return hasServiceAccount;
 };
 const siginGcloudAndSetIAM = async (projectId, pwd) => {
-  if (/no credential/i.test((await $`gcloud auth list`).stderr)) {
-    await $`gcloud auth login`;
+  let hasGcloud;
+  try {
+    hasGcloud = Boolean(await $`command -v gcloud`);
+  } catch {
+    hasGcloud = false;
+  }
+  if (hasGcloud) {
+    if (/no credential/i.test((await $`gcloud auth list`).stderr)) {
+      await $`gcloud auth login`;
+    }
+    await $`gcloud config set project ${projectId}`;
+  } else {
+    gcpAccessToken = await getGcpAccessToken();
+  }
+  const serviceAccount = await checkServiceAccountExists(projectId);
+  if (!serviceAccount) {
+    const description = 'A service account with permission to deploy Cloud Commerce'
+            + ' from the GitHub repository to Firebase';
+    const displayName = 'Cloud Commerce GH Actions';
+    if (hasGcloud) {
+      await $`gcloud iam service-accounts create ${serviceAccountId} \
+        --description=${description} --display-name=${displayName}`;
+    } else if (gcpAccessToken) {
+      const body = JSON.stringify({
+        accountId: serviceAccountId,
+        serviceAccount: {
+          description,
+          displayName,
+        },
+      });
+      await requestApi(projectId, { method: 'POST', body });
+    }
+  }
+  await fs.ensureDir(path.join(pwd, '.cloudcommerce'));
+  const pathPolicyIAM = path.join(pwd, '.cloudcommerce', 'policyIAM.json');
+  let policyIAM = {};
+  const version = 3; // most recent
+  const baseURL = `https://cloudresourcemanager.googleapis.com/v1/projects/${projectId}`;
+  if (hasGcloud) {
+    await $`gcloud projects get-iam-policy ${projectId} --format json > ${pathPolicyIAM}`;
+    policyIAM = fs.readJSONSync(pathPolicyIAM);
+  } else if (gcpAccessToken) {
+    // https://cloud.google.com/iam/docs/granting-changing-revoking-access?hl=pt-br#view-access
+    // POST https://cloudresourcemanager.googleapis.com/API_VERSION/RESOURCE_TYPE/RESOURCE_ID:getIamPolicy
+    policyIAM = await requestApi(projectId, {
+      baseURL,
+      url: ':getIamPolicy',
+      method: 'POST',
+      body: JSON.stringify({ options: { requestedPolicyVersion: version } }),
+    });
   }
-  await $`gcloud config set project ${projectId}`;
   const roles = [
     'roles/firebase.admin',
     'roles/appengine.appAdmin',
@@ -32,17 +119,10 @@ const siginGcloudAndSetIAM = async (projectId, pwd) => {
     'roles/serviceusage.apiKeysViewer',
     'roles/serviceusage.serviceUsageAdmin',
   ];
-  const serviceAccount = await checkServiceAccountExists(projectId);
-  if (!serviceAccount) {
-    await $`gcloud iam service-accounts create ${serviceAccountId} \
-      --description="A service account with permission to deploy Cloud Commerce from the GitHub repository to Firebase" \
-      --display-name="Cloud Commerce GH Actions"`;
+  let { bindings } = policyIAM;
+  if (!bindings) {
+    bindings = [];
   }
-  await fs.ensureDir(path.join(pwd, '.cloudcommerce'));
-  const pathPolicyIAM = path.join(pwd, '.cloudcommerce', 'policyIAM.json');
-  await $`gcloud projects get-iam-policy ${projectId} --format json > ${pathPolicyIAM}`;
-  const policyIAM = fs.readJSONSync(pathPolicyIAM);
-  const { bindings } = policyIAM;
   let mustUpdatePolicy = false;
   roles.forEach((role) => {
     const roleFound = bindings.find((binding) => binding.role === role);
@@ -73,16 +153,36 @@ const siginGcloudAndSetIAM = async (projectId, pwd) => {
     }
   });
   if (mustUpdatePolicy) {
-    fs.writeJSONSync(pathPolicyIAM, policyIAM);
-    return $`gcloud projects set-iam-policy ${projectId} ${pathPolicyIAM}`;
+    if (hasGcloud) {
+      fs.writeJSONSync(pathPolicyIAM, policyIAM);
+      return $`gcloud projects set-iam-policy ${projectId} ${pathPolicyIAM}`;
+    }
+    if (gcpAccessToken) {
+      Object.assign(policyIAM, { version, bindings });
+      // POST https://cloudresourcemanager.googleapis.com/API_VERSION/RESOURCE_TYPE/RESOURCE_ID:setIamPolicy
+      return requestApi(projectId, {
+        baseURL,
+        url: ':setIamPolicy',
+        method: 'POST',
+        body: JSON.stringify({ policy: policyIAM }),
+      });
+    }
   }
   return null;
 };
 const createServiceAccountKey = async (projectId, pwd) => {
   try {
     const pathFileKey = path.join(pwd, '.cloudcommerce', 'serviceAccountKey.json');
-    await $`gcloud iam service-accounts keys create ${pathFileKey} \
+    if (!gcpAccessToken) {
+      await $`gcloud iam service-accounts keys create ${pathFileKey} \
       --iam-account=${getAccountEmail(projectId)}`;
+    } else {
+      const { privateKeyData } = await requestApi(projectId, {
+        url: `/${getAccountEmail(projectId)}/keys`,
+        method: 'POST',
+      });
+      await $`echo '${privateKeyData}' | base64 --decode > ${pathFileKey}`;
+    }
     return JSON.stringify(fs.readJSONSync(pathFileKey));
   } catch (e) {
     return null;

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@cloudcommerce/cli",
   "type": "module",
-  "version": "0.4.0",
+  "version": "0.4.1",
   "description": "E-Com Plus Cloud Commerce CLI tools",
   "bin": {
     "cloudcommerce": "./bin/run.mjs"
@@ -26,7 +26,7 @@
     "libsodium-wrappers": "^0.7.10",
     "md5": "^2.3.0",
     "zx": "^7.1.1",
-    "@cloudcommerce/api": "0.4.0"
+    "@cloudcommerce/api": "0.4.1"
   },
   "scripts": {
     "build": "sh ../../scripts/build-lib.sh"

package/src/cli.ts

@@ -124,7 +124,7 @@ ECOM_STORE_ID=${storeId}
         //
       }
     }
-    let serviceAccountJSON : string | null = null;
+    let serviceAccountJSON: string | null = null;
     if (argv.gcloud !== false) {
       try {
         await siginGcloudAndSetIAM(projectId as string, pwd);

package/src/setup-gcloud.ts

@@ -1,27 +1,135 @@
 import path from 'node:path';
-import { $, fs } from 'zx';
+import {
+  $,
+  fs,
+  question,
+  echo,
+} from 'zx';
 
+let gcpAccessToken: string | undefined;
 const serviceAccountId = 'cloud-commerce-gh-actions';
 const getAccountEmail = (projectId: string) => {
   return `${serviceAccountId}@${projectId}.iam.gserviceaccount.com`;
 };
 
+const requestApi = async (
+  projectId: string,
+  options?: {
+    baseURL?: string,
+    url?: string,
+    method: string,
+    body?: string,
+  },
+) => {
+  const body = options?.body;
+  let url = options?.baseURL
+    || `https://iam.googleapis.com/v1/projects/${projectId}/serviceAccounts`;
+  url += options?.url || '';
+  const data = await (await fetch(
+    url,
+    {
+      method: options?.method || 'GET',
+      headers: {
+        Authorization: `Bearer ${gcpAccessToken}`,
+        'Content-Type': 'application/json; charset=utf-8',
+      },
+      body,
+    },
+  )).json() as any;
+  const { error } = data;
+  if (error) {
+    let msgErr = 'Unexpected error in request';
+    msgErr = error.message ? `Code: ${error.code} - ${error.message}` : msgErr;
+    const err = new Error(msgErr);
+    throw err;
+  }
+  return data;
+};
+
+const getGcpAccessToken = async () => {
+  await echo`-- Get the Google Cloud account credentials:
+  1. Access https://shell.cloud.google.com/?fromcloudshell=true&show=terminal
+  2. Execute \`gcloud auth application-default print-access-token\` in Cloud Shell
+`;
+  return question('Google Cloud access token: ');
+};
+
 const checkServiceAccountExists = async (projectId: string) => {
   let hasServiceAccount: boolean;
   try {
-    const { stderr } = await $`gcloud iam service-accounts describe ${getAccountEmail(projectId)}`;
-    hasServiceAccount = !/not_?found/i.test(stderr);
-  } catch (e) {
+    if (!gcpAccessToken) {
+      const { stderr } = await $`gcloud iam service-accounts describe ${getAccountEmail(projectId)}`;
+      hasServiceAccount = !/not_?found/i.test(stderr);
+    } else {
+      // https://cloud.google.com/iam/docs/creating-managing-service-accounts?hl=pt-br#listing
+      const { accounts: listAccounts } = await requestApi(projectId);
+      const accountFound = listAccounts
+        && listAccounts.find(({ email }) => email === getAccountEmail(projectId));
+      hasServiceAccount = Boolean(accountFound);
+    }
+  } catch {
     return null;
   }
   return hasServiceAccount;
 };
 
 const siginGcloudAndSetIAM = async (projectId: string, pwd: string) => {
-  if (/no credential/i.test((await $`gcloud auth list`).stderr)) {
-    await $`gcloud auth login`;
+  let hasGcloud: boolean;
+  try {
+    hasGcloud = Boolean(await $`command -v gcloud`);
+  } catch {
+    hasGcloud = false;
+  }
+  if (hasGcloud) {
+    if (/no credential/i.test((await $`gcloud auth list`).stderr)) {
+      await $`gcloud auth login`;
+    }
+    await $`gcloud config set project ${projectId}`;
+  } else {
+    gcpAccessToken = await getGcpAccessToken();
+  }
+
+  const serviceAccount = await checkServiceAccountExists(projectId);
+  if (!serviceAccount) {
+    const description = 'A service account with permission to deploy Cloud Commerce'
+      + ' from the GitHub repository to Firebase';
+    const displayName = 'Cloud Commerce GH Actions';
+    if (hasGcloud) {
+      await $`gcloud iam service-accounts create ${serviceAccountId} \
+        --description=${description} --display-name=${displayName}`;
+    } else if (gcpAccessToken) {
+      const body = JSON.stringify({
+        accountId: serviceAccountId,
+        serviceAccount: {
+          description,
+          displayName,
+        },
+      });
+      await requestApi(projectId, { method: 'POST', body });
+    }
+  }
+  await fs.ensureDir(path.join(pwd, '.cloudcommerce'));
+  const pathPolicyIAM = path.join(pwd, '.cloudcommerce', 'policyIAM.json');
+  let policyIAM: Record<string, any> = {};
+  const version = 3; // most recent
+  const baseURL = `https://cloudresourcemanager.googleapis.com/v1/projects/${projectId}`;
+  if (hasGcloud) {
+    await $`gcloud projects get-iam-policy ${projectId} --format json > ${pathPolicyIAM}`;
+    policyIAM = fs.readJSONSync(pathPolicyIAM);
+  } else if (gcpAccessToken) {
+    // https://cloud.google.com/iam/docs/granting-changing-revoking-access?hl=pt-br#view-access
+    // POST https://cloudresourcemanager.googleapis.com/API_VERSION/RESOURCE_TYPE/RESOURCE_ID:getIamPolicy
+    policyIAM = await requestApi(
+      projectId,
+      {
+        baseURL,
+        url: ':getIamPolicy',
+        method: 'POST',
+        body: JSON.stringify({ options: { requestedPolicyVersion: version } }),
+      },
+    );
   }
-  await $`gcloud config set project ${projectId}`;
+
   const roles = [
     'roles/firebase.admin',
     'roles/appengine.appAdmin',
@@ -34,18 +142,10 @@ const siginGcloudAndSetIAM = async (projectId: string, pwd: string) => {
     'roles/serviceusage.apiKeysViewer',
     'roles/serviceusage.serviceUsageAdmin',
   ];
-  const serviceAccount = await checkServiceAccountExists(projectId);
-  if (!serviceAccount) {
-    await $`gcloud iam service-accounts create ${serviceAccountId} \
-      --description="A service account with permission to deploy Cloud Commerce from the GitHub repository to Firebase" \
-      --display-name="Cloud Commerce GH Actions"`;
+  let { bindings } = policyIAM;
+  if (!bindings) {
+    bindings = [];
   }
-  await fs.ensureDir(path.join(pwd, '.cloudcommerce'));
-  const pathPolicyIAM = path.join(pwd, '.cloudcommerce', 'policyIAM.json');
-  await $`gcloud projects get-iam-policy ${projectId} --format json > ${pathPolicyIAM}`;
-  const policyIAM = fs.readJSONSync(pathPolicyIAM);
-  const { bindings } = policyIAM;
-
   let mustUpdatePolicy = false;
   roles.forEach((role) => {
     const roleFound = bindings.find((binding) => binding.role === role);
@@ -78,8 +178,22 @@ const siginGcloudAndSetIAM = async (projectId: string, pwd: string) => {
     }
   });
   if (mustUpdatePolicy) {
-    fs.writeJSONSync(pathPolicyIAM, policyIAM);
-    return $`gcloud projects set-iam-policy ${projectId} ${pathPolicyIAM}`;
+    if (hasGcloud) {
+      fs.writeJSONSync(pathPolicyIAM, policyIAM);
+      return $`gcloud projects set-iam-policy ${projectId} ${pathPolicyIAM}`;
+    } if (gcpAccessToken) {
+      Object.assign(policyIAM, { version, bindings });
+      // POST https://cloudresourcemanager.googleapis.com/API_VERSION/RESOURCE_TYPE/RESOURCE_ID:setIamPolicy
+      return requestApi(
+        projectId,
+        {
+          baseURL,
+          url: ':setIamPolicy',
+          method: 'POST',
+          body: JSON.stringify({ policy: policyIAM }),
+        },
+      );
+    }
   }
   return null;
 };
@@ -87,8 +201,19 @@ const siginGcloudAndSetIAM = async (projectId: string, pwd: string) => {
 const createServiceAccountKey = async (projectId: string, pwd: string) => {
   try {
     const pathFileKey = path.join(pwd, '.cloudcommerce', 'serviceAccountKey.json');
-    await $`gcloud iam service-accounts keys create ${pathFileKey} \
+    if (!gcpAccessToken) {
+      await $`gcloud iam service-accounts keys create ${pathFileKey} \
       --iam-account=${getAccountEmail(projectId)}`;
+    } else {
+      const { privateKeyData } = await requestApi(
+        projectId,
+        {
+          url: `/${getAccountEmail(projectId)}/keys`,
+          method: 'POST',
+        },
+      );
+      await $`echo '${privateKeyData}' | base64 --decode > ${pathFileKey}`;
+    }
     return JSON.stringify(fs.readJSONSync(pathFileKey));
   } catch (e) {
     return null;