npm - firebase-tools - Versions diffs - 10.1.2 → 10.2.0 - Mend

firebase-tools 10.1.2 → 10.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (65) hide show

package/lib/api.js +1 -0
package/lib/apiv2.js +92 -48
package/lib/archiveDirectory.js +63 -73
package/lib/auth.js +62 -25
package/lib/commands/ext-configure.js +1 -0
package/lib/commands/ext-dev-usage.js +3 -8
package/lib/commands/ext-install.js +1 -0
package/lib/commands/ext-uninstall.js +1 -0
package/lib/commands/ext-update.js +1 -0
package/lib/commands/functions-secrets-access.js +17 -0
package/lib/commands/functions-secrets-destroy.js +40 -0
package/lib/commands/functions-secrets-get.js +21 -0
package/lib/commands/functions-secrets-prune.js +50 -0
package/lib/commands/functions-secrets-set.js +46 -0
package/lib/commands/index.js +7 -3
package/lib/commands/login.js +1 -1
package/lib/database/metadata.js +16 -24
package/lib/deploy/functions/backend.js +11 -1
package/lib/deploy/functions/ensure.js +112 -0
package/lib/deploy/functions/ensureCloudBuildEnabled.js +0 -49
package/lib/deploy/functions/prepare.js +13 -19
package/lib/deploy/functions/release/fabricator.js +4 -1
package/lib/deploy/functions/runtimes/discovery/v1alpha1.js +1 -0
package/lib/deploy/functions/runtimes/node/parseTriggers.js +12 -0
package/lib/deploy/functions/validate.js +83 -1
package/lib/deploy/hosting/convertConfig.js +45 -24
package/lib/deploy/hosting/prepare.js +1 -1
package/lib/emulator/controller.js +3 -1
package/lib/emulator/emulatorLogger.js +7 -0
package/lib/emulator/functionsEmulator.js +113 -79
package/lib/emulator/functionsEmulatorRuntime.js +100 -83
package/lib/emulator/functionsEmulatorShared.js +51 -1
package/lib/emulator/functionsEmulatorShell.js +1 -2
package/lib/emulator/functionsRuntimeWorker.js +1 -1
package/lib/emulator/storage/apis/gcloud.js +2 -2
package/lib/emulator/storage/files.js +8 -3
package/lib/extensions/askUserForParam.js +1 -1
package/lib/extensions/diagnose.js +56 -0
package/lib/extensions/extensionsApi.js +0 -1
package/lib/extensions/extensionsHelper.js +10 -17
package/lib/extensions/resolveSource.js +1 -53
package/lib/extensions/secretsUtils.js +1 -1
package/lib/extensions/updateHelper.js +0 -14
package/lib/extensions/utils.js +4 -2
package/lib/functions/env.js +5 -7
package/lib/functions/secrets.js +112 -0
package/lib/gcp/cloudbilling.js +8 -19
package/lib/gcp/cloudfunctions.js +24 -48
package/lib/gcp/cloudlogging.js +8 -11
package/lib/gcp/cloudmonitoring.js +8 -5
package/lib/gcp/cloudscheduler.js +7 -18
package/lib/gcp/firedata.js +5 -4
package/lib/gcp/firestore.js +5 -5
package/lib/gcp/iam.js +18 -33
package/lib/gcp/resourceManager.js +8 -13
package/lib/gcp/runtimeconfig.js +31 -53
package/lib/gcp/secretManager.js +137 -77
package/lib/gcp/storage.js +25 -29
package/lib/previews.js +1 -1
package/lib/serve/functions.js +2 -2
package/lib/utils.js +6 -1
package/npm-shrinkwrap.json +962 -987
package/package.json +5 -3
package/schema/firebase-config.json +387 -12
package/templates/init/hosting/index.html +1 -1

package/lib/commands/functions-secrets-prune.js ADDED Viewed

@@ -0,0 +1,50 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const backend = require("../deploy/functions/backend");
+const command_1 = require("../command");
+const projectUtils_1 = require("../projectUtils");
+const secrets_1 = require("../functions/secrets");
+const requirePermissions_1 = require("../requirePermissions");
+const deploymentTool_1 = require("../deploymentTool");
+const utils_1 = require("../utils");
+const prompt_1 = require("../prompt");
+const secretManager_1 = require("../gcp/secretManager");
+exports.default = new command_1.Command("functions:secrets:prune")
+    .description("Destroys unused secrets")
+    .before(requirePermissions_1.requirePermissions, [
+    "cloudfunctions.functions.list",
+    "secretmanager.secrets.list",
+    "secretmanager.versions.list",
+    "secretmanager.versions.destroy",
+])
+    .action(async (options) => {
+    const projectNumber = await (0, projectUtils_1.needProjectNumber)(options);
+    const projectId = (0, projectUtils_1.needProjectId)(options);
+    (0, utils_1.logBullet)("Loading secrets...");
+    const haveBackend = await backend.existingBackend({ projectId });
+    const haveEndpoints = backend
+        .allEndpoints(haveBackend)
+        .filter((e) => (0, deploymentTool_1.isFirebaseManaged)(e.labels || []));
+    const pruned = await (0, secrets_1.pruneSecrets)({ projectNumber, projectId }, haveEndpoints);
+    if (pruned.length === 0) {
+        (0, utils_1.logBullet)("All secrets are in use. Nothing to prune today.");
+        return;
+    }
+    (0, utils_1.logBullet)(`Found ${pruned.length} unused active secret versions:\n\t` +
+        pruned.map((sv) => `${sv.secret}@${sv.version}`).join("\n\t"));
+    const confirm = await (0, prompt_1.promptOnce)({
+        name: "destroy",
+        type: "confirm",
+        default: true,
+        message: `Do you want to destroy unused secret versions?`,
+    }, options);
+    if (!confirm) {
+        (0, utils_1.logBullet)("Run the following commands to destroy each unused secret version:\n\t" +
+            pruned
+                .map((sv) => `firebase functions:secrets:destroy ${sv.secret}@${sv.version}`)
+                .join("\n\t"));
+        return;
+    }
+    await Promise.all(pruned.map((sv) => (0, secretManager_1.destroySecretVersion)(projectId, sv.secret, sv.version)));
+    (0, utils_1.logSuccess)("Destroyed all unused secrets!");
+});

package/lib/commands/functions-secrets-set.js ADDED Viewed

@@ -0,0 +1,46 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const tty = require("tty");
+const fs = require("fs");
+const clc = require("cli-color");
+const secrets_1 = require("../functions/secrets");
+const command_1 = require("../command");
+const requirePermissions_1 = require("../requirePermissions");
+const prompt_1 = require("../prompt");
+const utils_1 = require("../utils");
+const projectUtils_1 = require("../projectUtils");
+const secretManager_1 = require("../gcp/secretManager");
+exports.default = new command_1.Command("functions:secrets:set <KEY>")
+    .description("Create or update a secret for use in Cloud Functions for Firebase")
+    .withForce("Does not ensure input keys are valid or upgrade existing secrets to have Firebase manage them.")
+    .before(requirePermissions_1.requirePermissions, [
+    "secretmanager.secrets.create",
+    "secretmanager.secrets.get",
+    "secretmanager.secrets.update",
+    "secretmanager.versions.add",
+])
+    .option("--data-file <dataFile>", 'File path from which to read secret data. Set to "-" to read the secret data from stdin.')
+    .action(async (unvalidatedKey, options) => {
+    const projectId = (0, projectUtils_1.needProjectId)(options);
+    const key = await (0, secrets_1.ensureValidKey)(unvalidatedKey, options);
+    const secret = await (0, secrets_1.ensureSecret)(projectId, key, options);
+    let secretValue;
+    if ((!options.dataFile || options.dataFile === "-") && tty.isatty(0)) {
+        secretValue = await (0, prompt_1.promptOnce)({
+            name: key,
+            type: "password",
+            message: `Enter a value for ${key}`,
+        });
+    }
+    else {
+        let dataFile = 0;
+        if (options.dataFile && options.dataFile !== "-") {
+            dataFile = options.dataFile;
+        }
+        secretValue = fs.readFileSync(dataFile, "utf-8");
+    }
+    const secretVersion = await (0, secretManager_1.addVersion)(projectId, key, secretValue);
+    (0, utils_1.logSuccess)(`Created a new secret version ${(0, secretManager_1.toSecretVersionResourceName)(secretVersion)}`);
+    (0, utils_1.logBullet)("Please deploy your functions for the change to take effect by running:\n\t" +
+        clc.bold("firebase deploy --only functions"));
+});

package/lib/commands/index.js CHANGED Viewed

@@ -91,9 +91,7 @@ module.exports = function (client) {
     client.functions = {};
     client.functions.config = {};
     client.functions.config.clone = loadCommand("functions-config-clone");
-    if (previews.dotenv) {
-        client.functions.config.export = loadCommand("functions-config-export");
-    }
+    client.functions.config.export = loadCommand("functions-config-export");
     client.functions.config.get = loadCommand("functions-config-get");
     client.functions.config.set = loadCommand("functions-config-set");
     client.functions.config.unset = loadCommand("functions-config-unset");
@@ -104,6 +102,12 @@ module.exports = function (client) {
     if (previews.deletegcfartifacts) {
         client.functions.deletegcfartifacts = loadCommand("functions-deletegcfartifacts");
     }
+    client.functions.secrets = {};
+    client.functions.secrets.access = loadCommand("functions-secrets-access");
+    client.functions.secrets.destroy = loadCommand("functions-secrets-destroy");
+    client.functions.secrets.get = loadCommand("functions-secrets-get");
+    client.functions.secrets.prune = loadCommand("functions-secrets-prune");
+    client.functions.secrets.set = loadCommand("functions-secrets-set");
     client.help = loadCommand("help");
     client.hosting = {};
     client.hosting.channel = {};

package/lib/commands/login.js CHANGED Viewed

@@ -12,7 +12,7 @@ const auth = require("../auth");
 const utils_1 = require("../utils");
 module.exports = new command_1.Command("login")
     .description("log the CLI into Firebase")
-    .option("--no-localhost", "copy and paste a code instead of starting a local server for authentication")
+    .option("--no-localhost", "login from a device without an accessible localhost")
     .option("--reauth", "force reauthentication even if already logged in")
     .action(async (options) => {
     if (options.nonInteractive) {

package/lib/database/metadata.js CHANGED Viewed

@@ -1,7 +1,8 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.setRulesetLabels = exports.createRuleset = exports.getRulesetLabels = exports.getRuleset = exports.listAllRulesets = void 0;
-const api = require("../api");
+const api_1 = require("../api");
+const apiv2_1 = require("../apiv2");
 const logger_1 = require("../logger");
 const utils = require("../utils");
 function handleErrorResponse(response) {
@@ -13,12 +14,9 @@ function handleErrorResponse(response) {
         code: 2,
     });
 }
+const apiClient = new apiv2_1.Client({ urlPrefix: api_1.rtdbMetadataOrigin });
 async function listAllRulesets(databaseName) {
-    const response = await api.request("GET", `/namespaces/${databaseName}/rulesets`, {
-        auth: true,
-        origin: api.rtdbMetadataOrigin,
-        json: true,
-    });
+    const response = await apiClient.get(`/namespaces/${databaseName}/rulesets`, { resolveOnHTTPError: true });
     if (response.status === 200) {
         return response.body.rulesets;
     }
@@ -26,11 +24,7 @@ async function listAllRulesets(databaseName) {
 }
 exports.listAllRulesets = listAllRulesets;
 async function getRuleset(databaseName, rulesetId) {
-    const response = await api.request("GET", `/namespaces/${databaseName}/rulesets/${rulesetId}`, {
-        auth: true,
-        origin: api.rtdbMetadataOrigin,
-        json: true,
-    });
+    const response = await apiClient.get(`/namespaces/${databaseName}/rulesets/${rulesetId}`, { resolveOnHTTPError: true });
     if (response.status === 200) {
         return response.body;
     }
@@ -38,9 +32,8 @@ async function getRuleset(databaseName, rulesetId) {
 }
 exports.getRuleset = getRuleset;
 async function getRulesetLabels(databaseName) {
-    const response = await api.request("GET", `/namespaces/${databaseName}/ruleset_labels`, {
-        auth: true,
-        origin: api.rtdbMetadataOrigin,
+    const response = await apiClient.get(`/namespaces/${databaseName}/ruleset_labels`, {
+        resolveOnHTTPError: true,
     });
     if (response.status === 200) {
         return response.body;
@@ -49,23 +42,22 @@ async function getRulesetLabels(databaseName) {
 }
 exports.getRulesetLabels = getRulesetLabels;
 async function createRuleset(databaseName, source) {
-    const response = await api.request("POST", `/.settings/rulesets.json`, {
-        auth: true,
-        origin: utils.addSubdomain(api.realtimeOrigin, databaseName),
-        json: false,
-        data: source,
+    const localApiClient = new apiv2_1.Client({
+        urlPrefix: utils.addSubdomain(api_1.realtimeOrigin, databaseName),
     });
+    const response = await localApiClient.post(`/.settings/rulesets.json`, source, { resolveOnHTTPError: true });
     if (response.status === 200) {
-        return JSON.parse(response.body).id;
+        return response.body.id;
     }
     return handleErrorResponse(response);
 }
 exports.createRuleset = createRuleset;
 async function setRulesetLabels(databaseName, labels) {
-    const response = await api.request("PUT", `/.settings/ruleset_labels.json`, {
-        auth: true,
-        origin: utils.addSubdomain(api.realtimeOrigin, databaseName),
-        data: labels,
+    const localApiClient = new apiv2_1.Client({
+        urlPrefix: utils.addSubdomain(api_1.realtimeOrigin, databaseName),
+    });
+    const response = await localApiClient.put(`/.settings/ruleset_labels.json`, labels, {
+        resolveOnHTTPError: true,
     });
     if (response.status === 200) {
         return response.body;

package/lib/deploy/functions/backend.js CHANGED Viewed

@@ -1,6 +1,6 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.compareFunctions = exports.missingEndpoint = exports.hasEndpoint = exports.regionalEndpoints = exports.matchingBackend = exports.someEndpoint = exports.allEndpoints = exports.checkAvailability = exports.existingBackend = exports.scheduleIdForFunction = exports.functionName = exports.isEmptyBackend = exports.of = exports.empty = exports.isTaskQueueTriggered = exports.isScheduleTriggered = exports.isEventTriggered = exports.isHttpsTriggered = exports.SCHEDULED_FUNCTION_LABEL = exports.memoryOptionDisplayName = exports.endpointTriggerType = void 0;
+exports.compareFunctions = exports.missingEndpoint = exports.hasEndpoint = exports.regionalEndpoints = exports.matchingBackend = exports.findEndpoint = exports.someEndpoint = exports.allEndpoints = exports.checkAvailability = exports.existingBackend = exports.scheduleIdForFunction = exports.functionName = exports.isEmptyBackend = exports.of = exports.empty = exports.isTaskQueueTriggered = exports.isScheduleTriggered = exports.isEventTriggered = exports.isHttpsTriggered = exports.SCHEDULED_FUNCTION_LABEL = exports.MIN_MEMORY_FOR_CONCURRENCY = exports.DEFAULT_MEMORY = exports.memoryOptionDisplayName = exports.endpointTriggerType = void 0;
 const gcf = require("../../gcp/cloudfunctions");
 const gcfV2 = require("../../gcp/cloudfunctionsv2");
 const utils = require("../../utils");
@@ -36,6 +36,8 @@ function memoryOptionDisplayName(option) {
     }[option];
 }
 exports.memoryOptionDisplayName = memoryOptionDisplayName;
+exports.DEFAULT_MEMORY = 256;
+exports.MIN_MEMORY_FOR_CONCURRENCY = 2048;
 exports.SCHEDULED_FUNCTION_LABEL = Object.freeze({ deployment: "firebase-schedule" });
 function isHttpsTriggered(triggered) {
     return {}.hasOwnProperty.call(triggered, "httpsTrigger");
@@ -184,6 +186,14 @@ function someEndpoint(backend, predicate) {
     return false;
 }
 exports.someEndpoint = someEndpoint;
+function findEndpoint(backend, predicate) {
+    for (const endpoints of Object.values(backend.endpoints)) {
+        const endpoint = Object.values(endpoints).find(predicate);
+        if (endpoint)
+            return endpoint;
+    }
+}
+exports.findEndpoint = findEndpoint;
 function matchingBackend(backend, predicate) {
     const filtered = Object.assign({}, empty());
     for (const endpoint of allEndpoints(backend)) {

package/lib/deploy/functions/ensure.js ADDED Viewed

@@ -0,0 +1,112 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.secretAccess = exports.maybeEnableAR = exports.cloudBuildEnabled = exports.defaultServiceAccount = void 0;
+const clc = require("cli-color");
+const ensureApiEnabled_1 = require("../../ensureApiEnabled");
+const error_1 = require("../../error");
+const utils_1 = require("../../utils");
+const secretManager_1 = require("../../gcp/secretManager");
+const previews_1 = require("../../previews");
+const projects_1 = require("../../management/projects");
+const functional_1 = require("../../functional");
+const track = require("../../track");
+const backend = require("./backend");
+const ensureApiEnabled = require("../../ensureApiEnabled");
+const FAQ_URL = "https://firebase.google.com/support/faq#functions-runtime";
+const CLOUD_BUILD_API = "cloudbuild.googleapis.com";
+async function defaultServiceAccount(e) {
+    const metadata = await (0, projects_1.getFirebaseProject)(e.project);
+    if (e.platform === "gcfv1") {
+        return `${metadata.projectId}@appspot.gserviceaccount.com`;
+    }
+    else if (e.platform === "gcfv2") {
+        return `${metadata.projectNumber}-compute@developer.gserviceaccount.com`;
+    }
+    (0, functional_1.assertExhaustive)(e.platform);
+}
+exports.defaultServiceAccount = defaultServiceAccount;
+function nodeBillingError(projectId) {
+    track("functions_runtime_notices", "nodejs10_billing_error");
+    return new error_1.FirebaseError(`Cloud Functions deployment requires the pay-as-you-go (Blaze) billing plan. To upgrade your project, visit the following URL:
+https://console.firebase.google.com/project/${projectId}/usage/details
+For additional information about this requirement, see Firebase FAQs:
+${FAQ_URL}`, { exit: 1 });
+}
+function nodePermissionError(projectId) {
+    track("functions_runtime_notices", "nodejs10_permission_error");
+    return new error_1.FirebaseError(`Cloud Functions deployment requires the Cloud Build API to be enabled. The current credentials do not have permission to enable APIs for project ${clc.bold(projectId)}.
+Please ask a project owner to visit the following URL to enable Cloud Build:
+https://console.cloud.google.com/apis/library/cloudbuild.googleapis.com?project=${projectId}
+For additional information about this requirement, see Firebase FAQs:
+${FAQ_URL}
+`);
+}
+function isPermissionError(e) {
+    var _a, _b, _c;
+    return ((_c = (_b = (_a = e.context) === null || _a === void 0 ? void 0 : _a.body) === null || _b === void 0 ? void 0 : _b.error) === null || _c === void 0 ? void 0 : _c.status) === "PERMISSION_DENIED";
+}
+async function cloudBuildEnabled(projectId) {
+    try {
+        await (0, ensureApiEnabled_1.ensure)(projectId, CLOUD_BUILD_API, "functions");
+    }
+    catch (e) {
+        if ((0, error_1.isBillingError)(e)) {
+            throw nodeBillingError(projectId);
+        }
+        else if (isPermissionError(e)) {
+            throw nodePermissionError(projectId);
+        }
+        throw e;
+    }
+}
+exports.cloudBuildEnabled = cloudBuildEnabled;
+async function maybeEnableAR(projectId) {
+    if (!previews_1.previews.artifactregistry) {
+        return ensureApiEnabled.check(projectId, "artifactregistry.googleapis.com", "functions", true);
+    }
+    await ensureApiEnabled.ensure(projectId, "artifactregistry.googleapis.com", "functions");
+    return true;
+}
+exports.maybeEnableAR = maybeEnableAR;
+async function secretsToServiceAccounts(b) {
+    const secretsToSa = {};
+    for (const e of backend.allEndpoints(b)) {
+        const sa = e.serviceAccountEmail || (await module.exports.defaultServiceAccount(e));
+        for (const s of e.secretEnvironmentVariables || []) {
+            const serviceAccounts = secretsToSa[s.secret] || new Set();
+            serviceAccounts.add(sa);
+            secretsToSa[s.secret] = serviceAccounts;
+        }
+    }
+    return secretsToSa;
+}
+async function secretAccess(projectId, wantBackend, haveBackend) {
+    var _a, _b;
+    const ensureAccess = async (secret, serviceAccounts) => {
+        (0, utils_1.logLabeledBullet)("functions", `ensuring ${clc.bold(serviceAccounts.join(", "))} access to secret ${clc.bold(secret)}.`);
+        await (0, secretManager_1.ensureServiceAgentRole)({ name: secret, projectId }, serviceAccounts, "roles/secretmanager.secretAccessor");
+        (0, utils_1.logLabeledSuccess)("functions", `ensured ${clc.bold(serviceAccounts.join(", "))} access to ${clc.bold(secret)}.`);
+    };
+    const wantSecrets = await secretsToServiceAccounts(wantBackend);
+    const haveSecrets = await secretsToServiceAccounts(haveBackend);
+    for (const [secret, serviceAccounts] of Object.entries(haveSecrets)) {
+        for (const serviceAccount of serviceAccounts) {
+            (_a = wantSecrets[secret]) === null || _a === void 0 ? void 0 : _a.delete(serviceAccount);
+        }
+        if (((_b = wantSecrets[secret]) === null || _b === void 0 ? void 0 : _b.size) == 0) {
+            delete wantSecrets[secret];
+        }
+    }
+    const ensure = [];
+    for (const [secret, serviceAccounts] of Object.entries(wantSecrets)) {
+        ensure.push(ensureAccess(secret, Array.from(serviceAccounts)));
+    }
+    await Promise.all(ensure);
+}
+exports.secretAccess = secretAccess;

package/lib/deploy/functions/ensureCloudBuildEnabled.js CHANGED Viewed

@@ -1,50 +1 @@
 "use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.ensureCloudBuildEnabled = void 0;
-const cli_color_1 = require("cli-color");
-const track = require("../../track");
-const ensureApiEnabled_1 = require("../../ensureApiEnabled");
-const error_1 = require("../../error");
-const FAQ_URL = "https://firebase.google.com/support/faq#functions-runtime";
-const CLOUD_BUILD_API = "cloudbuild.googleapis.com";
-function nodeBillingError(projectId) {
-    track("functions_runtime_notices", "nodejs10_billing_error");
-    return new error_1.FirebaseError(`Cloud Functions deployment requires the pay-as-you-go (Blaze) billing plan. To upgrade your project, visit the following URL:
-https://console.firebase.google.com/project/${projectId}/usage/details
-For additional information about this requirement, see Firebase FAQs:
-${FAQ_URL}`, { exit: 1 });
-}
-function nodePermissionError(projectId) {
-    track("functions_runtime_notices", "nodejs10_permission_error");
-    return new error_1.FirebaseError(`Cloud Functions deployment requires the Cloud Build API to be enabled. The current credentials do not have permission to enable APIs for project ${(0, cli_color_1.bold)(projectId)}.
-Please ask a project owner to visit the following URL to enable Cloud Build:
-https://console.cloud.google.com/apis/library/cloudbuild.googleapis.com?project=${projectId}
-For additional information about this requirement, see Firebase FAQs:
-${FAQ_URL}
-`);
-}
-function isPermissionError(e) {
-    var _a, _b, _c;
-    return ((_c = (_b = (_a = e.context) === null || _a === void 0 ? void 0 : _a.body) === null || _b === void 0 ? void 0 : _b.error) === null || _c === void 0 ? void 0 : _c.status) === "PERMISSION_DENIED";
-}
-async function ensureCloudBuildEnabled(projectId) {
-    try {
-        await (0, ensureApiEnabled_1.ensure)(projectId, CLOUD_BUILD_API, "functions");
-    }
-    catch (e) {
-        if ((0, error_1.isBillingError)(e)) {
-            throw nodeBillingError(projectId);
-        }
-        else if (isPermissionError(e)) {
-            throw nodePermissionError(projectId);
-        }
-        throw e;
-    }
-}
-exports.ensureCloudBuildEnabled = ensureCloudBuildEnabled;

package/lib/deploy/functions/prepare.js CHANGED Viewed

@@ -2,20 +2,19 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.inferDetailsFromExisting = exports.prepare = void 0;
 const clc = require("cli-color");
-const ensureCloudBuildEnabled_1 = require("./ensureCloudBuildEnabled");
-const functionsDeployHelper_1 = require("./functionsDeployHelper");
-const utils_1 = require("../../utils");
-const prepareFunctionsUpload_1 = require("./prepareFunctionsUpload");
-const prompts_1 = require("./prompts");
 const backend = require("./backend");
 const ensureApiEnabled = require("../../ensureApiEnabled");
 const functionsConfig = require("../../functionsConfig");
 const functionsEnv = require("../../functions/env");
-const previews_1 = require("../../previews");
-const projectUtils_1 = require("../../projectUtils");
-const track_1 = require("../../track");
 const runtimes = require("./runtimes");
 const validate = require("./validate");
+const ensure = require("./ensure");
+const functionsDeployHelper_1 = require("./functionsDeployHelper");
+const utils_1 = require("../../utils");
+const prepareFunctionsUpload_1 = require("./prepareFunctionsUpload");
+const prompts_1 = require("./prompts");
+const projectUtils_1 = require("../../projectUtils");
+const track_1 = require("../../track");
 const logger_1 = require("../../logger");
 const triggerRegionHelper_1 = require("./triggerRegionHelper");
 const checkIam_1 = require("./checkIam");
@@ -24,14 +23,7 @@ function hasUserConfig(config) {
     return Object.keys(config).length > 1;
 }
 function hasDotenv(opts) {
-    return previews_1.previews.dotenv && functionsEnv.hasUserEnvs(opts);
-}
-async function maybeEnableAR(projectId) {
-    if (previews_1.previews.artifactregistry) {
-        return ensureApiEnabled.check(projectId, "artifactregistry.googleapis.com", "functions", true);
-    }
-    await ensureApiEnabled.ensure(projectId, "artifactregistry.googleapis.com", "functions");
-    return true;
+    return functionsEnv.hasUserEnvs(opts);
 }
 async function prepare(context, options, payload) {
     const projectId = (0, projectUtils_1.needProjectId)(options);
@@ -54,8 +46,8 @@ async function prepare(context, options, payload) {
     const checkAPIsEnabled = await Promise.all([
         ensureApiEnabled.ensure(projectId, "cloudfunctions.googleapis.com", "functions"),
         ensureApiEnabled.check(projectId, "runtimeconfig.googleapis.com", "runtimeconfig", true),
-        (0, ensureCloudBuildEnabled_1.ensureCloudBuildEnabled)(projectId),
-        maybeEnableAR(projectId),
+        ensure.cloudBuildEnabled(projectId),
+        ensure.maybeEnableAR(projectId),
     ]);
     context.runtimeConfigEnabled = checkAPIsEnabled[1];
     context.artifactRegistryEnabled = checkAPIsEnabled[3];
@@ -113,7 +105,7 @@ async function prepare(context, options, payload) {
     await Promise.all(Object.values(wantBackend.requiredAPIs).map((api) => {
         return ensureApiEnabled.ensure(projectId, api, "functions", false);
     }));
-    validate.functionIdsAreValid(backend.allEndpoints(wantBackend));
+    validate.endpointsAreValid(wantBackend);
     context.filters = (0, functionsDeployHelper_1.getFilterGroups)(options);
     const matchingBackend = backend.matchingBackend(wantBackend, (endpoint) => {
         return (0, functionsDeployHelper_1.functionMatchesAnyGroup)(endpoint, context.filters);
@@ -125,6 +117,8 @@ async function prepare(context, options, payload) {
     await (0, prompts_1.promptForFailurePolicies)(options, matchingBackend, haveBackend);
     await (0, prompts_1.promptForMinInstances)(options, matchingBackend, haveBackend);
     await backend.checkAvailability(context, wantBackend);
+    await validate.secretsAreValid(projectId, matchingBackend);
+    await ensure.secretAccess(projectId, matchingBackend, haveBackend);
 }
 exports.prepare = prepare;
 function inferDetailsFromExisting(want, have, usedDotenv) {

package/lib/deploy/functions/release/fabricator.js CHANGED Viewed

@@ -242,7 +242,10 @@ class Fabricator {
                     .catch(rethrowAs(endpoint, "set invoker"));
             }
         }
-        await this.setConcurrency(endpoint, serviceName, endpoint.concurrency || DEFAULT_GCFV2_CONCURRENCY);
+        const mem = endpoint.availableMemoryMb || backend.DEFAULT_MEMORY;
+        if (mem >= backend.MIN_MEMORY_FOR_CONCURRENCY && endpoint.concurrency != 1) {
+            await this.setConcurrency(endpoint, serviceName, endpoint.concurrency || DEFAULT_GCFV2_CONCURRENCY);
+        }
     }
     async updateV1Function(endpoint, scraper) {
         var _a;

package/lib/deploy/functions/runtimes/discovery/v1alpha1.js CHANGED Viewed

@@ -56,6 +56,7 @@ function parseEndpoints(manifest, id, project, defaultRegion, runtime) {
         labels: "object",
         ingressSettings: "string",
         environmentVariables: "object",
+        secretEnvironmentVariables: "array",
         httpsTrigger: "object",
         eventTrigger: "object",
         scheduleTrigger: "object",

package/lib/deploy/functions/runtimes/node/parseTriggers.js CHANGED Viewed

@@ -107,6 +107,18 @@ function addResourcesToBackend(projectId, runtime, annotation, want) {
             }
             endpoint.vpcConnector = maybeId;
         }
+        if (annotation.secrets) {
+            const secretEnvs = [];
+            for (const secret of annotation.secrets) {
+                const secretEnv = {
+                    secret,
+                    projectId,
+                    key: secret,
+                };
+                secretEnvs.push(secretEnv);
+            }
+            endpoint.secretEnvironmentVariables = secretEnvs;
+        }
         proto.copyIfPresent(endpoint, annotation, "concurrency", "serviceAccountEmail", "labels", "vpcConnectorEgressSettings", "ingressSettings", "timeout", "maxInstances", "minInstances", "availableMemoryMb");
         want.endpoints[region] = want.endpoints[region] || {};
         want.endpoints[region][endpoint.id] = endpoint;

package/lib/deploy/functions/validate.js CHANGED Viewed

@@ -1,10 +1,41 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.functionIdsAreValid = exports.functionsDirectoryExists = void 0;
+exports.secretsAreValid = exports.functionIdsAreValid = exports.functionsDirectoryExists = exports.endpointsAreValid = void 0;
 const path = require("path");
 const clc = require("cli-color");
 const error_1 = require("../../error");
+const secretManager_1 = require("../../gcp/secretManager");
+const logger_1 = require("../../logger");
 const fsutils = require("../../fsutils");
+const backend = require("./backend");
+const utils = require("../../utils");
+const secrets = require("../../functions/secrets");
+function endpointsAreValid(wantBackend) {
+    functionIdsAreValid(backend.allEndpoints(wantBackend));
+    const gcfV1WithConcurrency = backend
+        .allEndpoints(wantBackend)
+        .filter((endpoint) => (endpoint.concurrency || 1) != 1 && endpoint.platform == "gcfv1")
+        .map((endpoint) => endpoint.id);
+    if (gcfV1WithConcurrency.length) {
+        const msg = `Cannot set concurrency on the functions ${gcfV1WithConcurrency.join(",")} because they are GCF gen 1`;
+        throw new error_1.FirebaseError(msg);
+    }
+    const tooSmallForConcurrency = backend
+        .allEndpoints(wantBackend)
+        .filter((endpoint) => {
+        if ((endpoint.concurrency || 1) == 1) {
+            return false;
+        }
+        const mem = endpoint.availableMemoryMb || backend.DEFAULT_MEMORY;
+        return mem < backend.MIN_MEMORY_FOR_CONCURRENCY;
+    })
+        .map((endpoint) => endpoint.id);
+    if (tooSmallForConcurrency.length) {
+        const msg = `Cannot set concurency on the functions ${tooSmallForConcurrency.join(",")} because they have fewer than 2GB memory`;
+        throw new error_1.FirebaseError(msg);
+    }
+}
+exports.endpointsAreValid = endpointsAreValid;
 function functionsDirectoryExists(sourceDir, projectDir) {
     if (!fsutils.dirExistsSync(sourceDir)) {
         const sourceDirName = path.relative(projectDir, sourceDir);
@@ -35,3 +66,54 @@ function functionIdsAreValid(functions) {
     }
 }
 exports.functionIdsAreValid = functionIdsAreValid;
+async function secretsAreValid(projectId, wantBackend) {
+    const endpoints = backend
+        .allEndpoints(wantBackend)
+        .filter((e) => e.secretEnvironmentVariables && e.secretEnvironmentVariables.length > 0);
+    validatePlatformTargets(endpoints);
+    await validateSecretVersions(projectId, endpoints);
+}
+exports.secretsAreValid = secretsAreValid;
+function validatePlatformTargets(endpoints) {
+    const supportedPlatforms = ["gcfv1"];
+    const unsupported = endpoints.filter((e) => !supportedPlatforms.includes(e.platform));
+    if (unsupported.length > 0) {
+        const errs = unsupported.map((e) => `${e.id}[platform=${e.platform}]`);
+        throw new error_1.FirebaseError(`Tried to set secret environment variables on ${errs.join(", ")}. ` +
+            `Only ${supportedPlatforms.join(", ")} support secret environments.`);
+    }
+}
+async function validateSecretVersions(projectId, endpoints) {
+    const toResolve = new Set();
+    for (const s of secrets.of(endpoints)) {
+        toResolve.add(s.secret);
+    }
+    const results = await utils.allSettled(Array.from(toResolve).map(async (secret) => {
+        const sv = await (0, secretManager_1.getSecretVersion)(projectId, secret, "latest");
+        logger_1.logger.debug(`Resolved secret version of ${clc.bold(secret)} to ${clc.bold(sv.versionId)}.`);
+        return sv;
+    }));
+    const secretVersions = {};
+    const errs = [];
+    for (const result of results) {
+        if (result.status === "fulfilled") {
+            const sv = result.value;
+            if (sv.state != "ENABLED") {
+                errs.push(new error_1.FirebaseError(`Expected secret ${sv.secret.name}@${sv.versionId} to be in state ENABLED not ${sv.state}.`));
+            }
+            secretVersions[sv.secret.name] = sv;
+        }
+        else {
+            errs.push(new error_1.FirebaseError(result.reason.message));
+        }
+    }
+    if (errs.length) {
+        throw new error_1.FirebaseError("Failed to validate secret versions", { children: errs });
+    }
+    for (const s of secrets.of(endpoints)) {
+        s.version = secretVersions[s.secret].versionId;
+        if (!s.version) {
+            throw new error_1.FirebaseError("Secret version is unexpectedly undefined. This should never happen.");
+        }
+    }
+}