firebase-tools 10.1.5 → 10.2.0

package/lib/api.js

@@ -67,6 +67,7 @@ var _appendQueryData = function (path, data) {
     return path;
 };
 var api = {
+    authProxyOrigin: utils.envOverride("FIREBASE_AUTHPROXY_URL", "https://auth.firebase.tools"),
     clientId: utils.envOverride("FIREBASE_CLIENT_ID", "563584335869-fgrhgmd47bqnekij5i8b5pr03ho849e6.apps.googleusercontent.com"),
     clientSecret: utils.envOverride("FIREBASE_CLIENT_SECRET", "j9iVZfS8kkCEFUPaAeJV0sAi"),
     cloudbillingOrigin: utils.envOverride("FIREBASE_CLOUDBILLING_URL", "https://cloudbilling.googleapis.com"),

package/lib/auth.js

@@ -19,6 +19,10 @@ const logger_1 = require("./logger");
 const prompt_1 = require("./prompt");
 const scopes = require("./scopes");
 const defaultCredentials_1 = require("./defaultCredentials");
+const uuid_1 = require("uuid");
+const crypto_1 = require("crypto");
+const cli_color_1 = require("cli-color");
+const track_1 = require("./track");
 portfinder.basePort = 9005;
 function getGlobalDefaultAccount() {
     const user = configstore_1.configstore.get("user");
@@ -182,19 +186,23 @@ function getLoginUrl(callbackUrl, userHint) {
             login_hint: userHint,
         }));
 }
-async function getTokensFromAuthorizationCode(code, callbackUrl) {
+async function getTokensFromAuthorizationCode(code, callbackUrl, verifier) {
     var _a, _b;
     let res;
+    const params = {
+        code: code,
+        client_id: api.clientId,
+        client_secret: api.clientSecret,
+        redirect_uri: callbackUrl,
+        grant_type: "authorization_code",
+    };
+    if (verifier) {
+        params["code_verifier"] = verifier;
+    }
     try {
         res = await api.request("POST", "/o/oauth2/token", {
             origin: api.authOrigin,
-            form: {
-                code: code,
-                client_id: api.clientId,
-                client_secret: api.clientSecret,
-                redirect_uri: callbackUrl,
-                grant_type: "authorization_code",
-            },
+            form: params,
         });
     }
     catch (err) {
@@ -248,31 +256,58 @@ async function respondWithFile(req, res, statusCode, filename) {
     res.end(response);
     req.socket.destroy();
 }
-async function loginWithoutLocalhost(userHint) {
-    const callbackUrl = getCallbackUrl();
-    const authUrl = getLoginUrl(callbackUrl, userHint);
+function urlsafeBase64(base64string) {
+    return base64string.replace(/\+/g, "-").replace(/=+$/, "").replace(/\//g, "_");
+}
+async function loginRemotely(userHint) {
+    var _a;
+    const authProxyClient = new apiv2.Client({
+        urlPrefix: api.authProxyOrigin,
+        auth: false,
+    });
+    const sessionId = (0, uuid_1.v4)();
+    const codeVerifier = (0, crypto_1.randomBytes)(32).toString("hex");
+    const codeChallenge = urlsafeBase64((0, crypto_1.createHash)("sha256").update(codeVerifier).digest("base64"));
+    const attestToken = (_a = (await authProxyClient.post("/attest", {
+        session_id: sessionId,
+    })).body) === null || _a === void 0 ? void 0 : _a.token;
+    const loginUrl = `${api.authProxyOrigin}/login?code_challenge=${codeChallenge}&session=${sessionId}&attest=${attestToken}`;
+    logger_1.logger.info();
+    logger_1.logger.info("To sign in to the Firebase CLI:");
     logger_1.logger.info();
-    logger_1.logger.info("Visit this URL on any device to log in:");
-    logger_1.logger.info(clc.bold.underline(authUrl));
+    logger_1.logger.info("1. Take note of your session ID:");
+    logger_1.logger.info();
+    logger_1.logger.info(`   ${(0, cli_color_1.bold)(sessionId.substring(0, 5).toUpperCase())}`);
+    logger_1.logger.info();
+    logger_1.logger.info("2. Visit the URL below on any device and follow the instructions to get your code:");
+    logger_1.logger.info();
+    logger_1.logger.info(`   ${loginUrl}`);
+    logger_1.logger.info();
+    logger_1.logger.info("3. Paste or enter the authorization code below once you have it:");
     logger_1.logger.info();
-    open(authUrl);
     const code = await (0, prompt_1.promptOnce)({
         type: "input",
-        name: "code",
-        message: "Paste authorization code here:",
+        message: "Enter authorization code:",
     });
-    const tokens = await getTokensFromAuthorizationCode(code, callbackUrl);
-    return {
-        user: jwt.decode(tokens.id_token),
-        tokens: tokens,
-        scopes: SCOPES,
-    };
+    try {
+        const tokens = await getTokensFromAuthorizationCode(code, `${api.authProxyOrigin}/complete`, codeVerifier);
+        (0, track_1.track)("login", "google_remote");
+        return {
+            user: jwt.decode(tokens.id_token),
+            tokens: tokens,
+            scopes: SCOPES,
+        };
+    }
+    catch (e) {
+        throw new error_1.FirebaseError("Unable to authenticate using the provided code. Please try again.");
+    }
 }
 async function loginWithLocalhostGoogle(port, userHint) {
     const callbackUrl = getCallbackUrl(port);
     const authUrl = getLoginUrl(callbackUrl, userHint);
     const successTemplate = "../templates/loginSuccess.html";
     const tokens = await loginWithLocalhost(port, callbackUrl, authUrl, successTemplate, getTokensFromAuthorizationCode);
+    (0, track_1.track)("login", "google_localhost");
     return {
         user: jwt.decode(tokens.id_token),
         tokens: tokens,
@@ -283,7 +318,9 @@ async function loginWithLocalhostGitHub(port) {
     const callbackUrl = getCallbackUrl(port);
     const authUrl = getGithubLoginUrl(callbackUrl);
     const successTemplate = "../templates/loginSuccessGithub.html";
-    return loginWithLocalhost(port, callbackUrl, authUrl, successTemplate, getGithubTokensFromAuthorizationCode);
+    const tokens = await loginWithLocalhost(port, callbackUrl, authUrl, successTemplate, getGithubTokensFromAuthorizationCode);
+    (0, track_1.track)("login", "google_localhost");
+    return tokens;
 }
 async function loginWithLocalhost(port, callbackUrl, authUrl, successTemplate, getTokens) {
     return new Promise((resolve, reject) => {
@@ -331,10 +368,10 @@ async function loginGoogle(localhost, userHint) {
             return await loginWithLocalhostGoogle(port, userHint);
         }
         catch (_a) {
-            return await loginWithoutLocalhost(userHint);
+            return await loginRemotely(userHint);
         }
     }
-    return await loginWithoutLocalhost(userHint);
+    return await loginRemotely(userHint);
 }
 exports.loginGoogle = loginGoogle;
 async function loginGithub() {

package/lib/commands/ext-configure.js

@@ -27,6 +27,7 @@ exports.default = new command_1.Command("ext:configure <extensionInstanceId>")
     "firebaseextensions.instances.get",
 ])
     .before(checkMinRequiredVersion_1.checkMinRequiredVersion, "extMinVersion")
+    .before(extensionsHelper_1.diagnoseAndFixProject)
     .action(async (instanceId, options) => {
     const spinner = ora(`Configuring ${clc.bold(instanceId)}. This usually takes 3 to 5 minutes...`);
     try {

package/lib/commands/ext-install.js

@@ -201,6 +201,7 @@ exports.default = new command_1.Command("ext:install [extensionName]")
     .before(requirePermissions_1.requirePermissions, ["firebaseextensions.instances.create"])
     .before(extensionsHelper_1.ensureExtensionsApiEnabled)
     .before(checkMinRequiredVersion_1.checkMinRequiredVersion, "extMinVersion")
+    .before(extensionsHelper_1.diagnoseAndFixProject)
     .action(async (extensionName, options) => {
     const projectId = (0, projectUtils_1.needProjectId)(options);
     const paramsEnvPath = options.params;

package/lib/commands/ext-uninstall.js

@@ -33,6 +33,7 @@ exports.default = new command_1.Command("ext:uninstall <extensionInstanceId>")
     .before(requirePermissions_1.requirePermissions, ["firebaseextensions.instances.delete"])
     .before(extensionsHelper_1.ensureExtensionsApiEnabled)
     .before(checkMinRequiredVersion_1.checkMinRequiredVersion, "extMinVersion")
+    .before(extensionsHelper_1.diagnoseAndFixProject)
     .action(async (instanceId, options) => {
     const projectId = (0, projectUtils_1.needProjectId)(options);
     let instance;

package/lib/commands/ext-update.js

@@ -44,6 +44,7 @@ exports.default = new command_1.Command("ext:update <extensionInstanceId> [updat
 ])
     .before(extensionsHelper_1.ensureExtensionsApiEnabled)
     .before(checkMinRequiredVersion_1.checkMinRequiredVersion, "extMinVersion")
+    .before(extensionsHelper_1.diagnoseAndFixProject)
     .withForce()
     .option("--params <paramsFile>", "name of params variables file with .env format.")
     .action(async (instanceId, updateSource, options) => {

package/lib/commands/functions-secrets-access.js

@@ -0,0 +1,17 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const command_1 = require("../command");
+const logger_1 = require("../logger");
+const projectUtils_1 = require("../projectUtils");
+const secretManager_1 = require("../gcp/secretManager");
+exports.default = new command_1.Command("functions:secrets:access <KEY>[@version]")
+    .description("Access secret value given secret and its version. Defaults to accessing the latest version.")
+    .action(async (key, options) => {
+    const projectId = (0, projectUtils_1.needProjectId)(options);
+    let [name, version] = key.split("@");
+    if (!version) {
+        version = "latest";
+    }
+    const value = await (0, secretManager_1.accessSecretVersion)(projectId, name, version);
+    logger_1.logger.info(value);
+});

package/lib/commands/functions-secrets-destroy.js

@@ -0,0 +1,40 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const command_1 = require("../command");
+const logger_1 = require("../logger");
+const projectUtils_1 = require("../projectUtils");
+const secretManager_1 = require("../gcp/secretManager");
+const prompt_1 = require("../prompt");
+const secrets = require("../functions/secrets");
+exports.default = new command_1.Command("functions:secrets:destroy <KEY>[@version]")
+    .description("Destroy a secret. Defaults to destroying the latest version.")
+    .withForce("Destroys a secret without confirmation.")
+    .action(async (key, options) => {
+    const projectId = (0, projectUtils_1.needProjectId)(options);
+    let [name, version] = key.split("@");
+    if (!version) {
+        version = "latest";
+    }
+    const sv = await (0, secretManager_1.getSecretVersion)(projectId, name, version);
+    if (!options.force) {
+        const confirm = await (0, prompt_1.promptOnce)({
+            name: "destroy",
+            type: "confirm",
+            default: true,
+            message: `Are you sure you want to destroy ${sv.secret.name}@${sv.versionId}`,
+        }, options);
+        if (!confirm) {
+            return;
+        }
+    }
+    await (0, secretManager_1.destroySecretVersion)(projectId, name, version);
+    logger_1.logger.info(`Destroyed secret version ${name}@${sv.versionId}`);
+    const secret = await (0, secretManager_1.getSecret)(projectId, name);
+    if (secrets.isFirebaseManaged(secret)) {
+        const versions = await (0, secretManager_1.listSecretVersions)(projectId, name);
+        if (versions.filter((v) => v.state === "ENABLED").length === 0) {
+            logger_1.logger.info(`No active secret versions left. Destroying secret ${name}`);
+            await (0, secretManager_1.deleteSecret)(projectId, name);
+        }
+    }
+});

package/lib/commands/functions-secrets-get.js

@@ -0,0 +1,21 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const Table = require("cli-table");
+const command_1 = require("../command");
+const logger_1 = require("../logger");
+const projectUtils_1 = require("../projectUtils");
+const secretManager_1 = require("../gcp/secretManager");
+exports.default = new command_1.Command("functions:secrets:get <KEY>")
+    .description("Get metadata for secret and its versions")
+    .action(async (key, options) => {
+    const projectId = (0, projectUtils_1.needProjectId)(options);
+    const versions = await (0, secretManager_1.listSecretVersions)(projectId, key);
+    const table = new Table({
+        head: ["Version", "State"],
+        style: { head: ["yellow"] },
+    });
+    for (const version of versions) {
+        table.push([version.versionId, version.state]);
+    }
+    logger_1.logger.info(table.toString());
+});

package/lib/commands/functions-secrets-prune.js

@@ -0,0 +1,50 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const backend = require("../deploy/functions/backend");
+const command_1 = require("../command");
+const projectUtils_1 = require("../projectUtils");
+const secrets_1 = require("../functions/secrets");
+const requirePermissions_1 = require("../requirePermissions");
+const deploymentTool_1 = require("../deploymentTool");
+const utils_1 = require("../utils");
+const prompt_1 = require("../prompt");
+const secretManager_1 = require("../gcp/secretManager");
+exports.default = new command_1.Command("functions:secrets:prune")
+    .description("Destroys unused secrets")
+    .before(requirePermissions_1.requirePermissions, [
+    "cloudfunctions.functions.list",
+    "secretmanager.secrets.list",
+    "secretmanager.versions.list",
+    "secretmanager.versions.destroy",
+])
+    .action(async (options) => {
+    const projectNumber = await (0, projectUtils_1.needProjectNumber)(options);
+    const projectId = (0, projectUtils_1.needProjectId)(options);
+    (0, utils_1.logBullet)("Loading secrets...");
+    const haveBackend = await backend.existingBackend({ projectId });
+    const haveEndpoints = backend
+        .allEndpoints(haveBackend)
+        .filter((e) => (0, deploymentTool_1.isFirebaseManaged)(e.labels || []));
+    const pruned = await (0, secrets_1.pruneSecrets)({ projectNumber, projectId }, haveEndpoints);
+    if (pruned.length === 0) {
+        (0, utils_1.logBullet)("All secrets are in use. Nothing to prune today.");
+        return;
+    }
+    (0, utils_1.logBullet)(`Found ${pruned.length} unused active secret versions:\n\t` +
+        pruned.map((sv) => `${sv.secret}@${sv.version}`).join("\n\t"));
+    const confirm = await (0, prompt_1.promptOnce)({
+        name: "destroy",
+        type: "confirm",
+        default: true,
+        message: `Do you want to destroy unused secret versions?`,
+    }, options);
+    if (!confirm) {
+        (0, utils_1.logBullet)("Run the following commands to destroy each unused secret version:\n\t" +
+            pruned
+                .map((sv) => `firebase functions:secrets:destroy ${sv.secret}@${sv.version}`)
+                .join("\n\t"));
+        return;
+    }
+    await Promise.all(pruned.map((sv) => (0, secretManager_1.destroySecretVersion)(projectId, sv.secret, sv.version)));
+    (0, utils_1.logSuccess)("Destroyed all unused secrets!");
+});

package/lib/commands/functions-secrets-set.js

@@ -0,0 +1,46 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const tty = require("tty");
+const fs = require("fs");
+const clc = require("cli-color");
+const secrets_1 = require("../functions/secrets");
+const command_1 = require("../command");
+const requirePermissions_1 = require("../requirePermissions");
+const prompt_1 = require("../prompt");
+const utils_1 = require("../utils");
+const projectUtils_1 = require("../projectUtils");
+const secretManager_1 = require("../gcp/secretManager");
+exports.default = new command_1.Command("functions:secrets:set <KEY>")
+    .description("Create or update a secret for use in Cloud Functions for Firebase")
+    .withForce("Does not ensure input keys are valid or upgrade existing secrets to have Firebase manage them.")
+    .before(requirePermissions_1.requirePermissions, [
+    "secretmanager.secrets.create",
+    "secretmanager.secrets.get",
+    "secretmanager.secrets.update",
+    "secretmanager.versions.add",
+])
+    .option("--data-file <dataFile>", 'File path from which to read secret data. Set to "-" to read the secret data from stdin.')
+    .action(async (unvalidatedKey, options) => {
+    const projectId = (0, projectUtils_1.needProjectId)(options);
+    const key = await (0, secrets_1.ensureValidKey)(unvalidatedKey, options);
+    const secret = await (0, secrets_1.ensureSecret)(projectId, key, options);
+    let secretValue;
+    if ((!options.dataFile || options.dataFile === "-") && tty.isatty(0)) {
+        secretValue = await (0, prompt_1.promptOnce)({
+            name: key,
+            type: "password",
+            message: `Enter a value for ${key}`,
+        });
+    }
+    else {
+        let dataFile = 0;
+        if (options.dataFile && options.dataFile !== "-") {
+            dataFile = options.dataFile;
+        }
+        secretValue = fs.readFileSync(dataFile, "utf-8");
+    }
+    const secretVersion = await (0, secretManager_1.addVersion)(projectId, key, secretValue);
+    (0, utils_1.logSuccess)(`Created a new secret version ${(0, secretManager_1.toSecretVersionResourceName)(secretVersion)}`);
+    (0, utils_1.logBullet)("Please deploy your functions for the change to take effect by running:\n\t" +
+        clc.bold("firebase deploy --only functions"));
+});

package/lib/commands/index.js

@@ -91,9 +91,7 @@ module.exports = function (client) {
     client.functions = {};
     client.functions.config = {};
     client.functions.config.clone = loadCommand("functions-config-clone");
-    if (previews.dotenv) {
-        client.functions.config.export = loadCommand("functions-config-export");
-    }
+    client.functions.config.export = loadCommand("functions-config-export");
     client.functions.config.get = loadCommand("functions-config-get");
     client.functions.config.set = loadCommand("functions-config-set");
     client.functions.config.unset = loadCommand("functions-config-unset");
@@ -104,6 +102,12 @@ module.exports = function (client) {
     if (previews.deletegcfartifacts) {
         client.functions.deletegcfartifacts = loadCommand("functions-deletegcfartifacts");
     }
+    client.functions.secrets = {};
+    client.functions.secrets.access = loadCommand("functions-secrets-access");
+    client.functions.secrets.destroy = loadCommand("functions-secrets-destroy");
+    client.functions.secrets.get = loadCommand("functions-secrets-get");
+    client.functions.secrets.prune = loadCommand("functions-secrets-prune");
+    client.functions.secrets.set = loadCommand("functions-secrets-set");
     client.help = loadCommand("help");
     client.hosting = {};
     client.hosting.channel = {};

package/lib/commands/login.js

@@ -12,7 +12,7 @@ const auth = require("../auth");
 const utils_1 = require("../utils");
 module.exports = new command_1.Command("login")
     .description("log the CLI into Firebase")
-    .option("--no-localhost", "copy and paste a code instead of starting a local server for authentication")
+    .option("--no-localhost", "login from a device without an accessible localhost")
     .option("--reauth", "force reauthentication even if already logged in")
     .action(async (options) => {
     if (options.nonInteractive) {

package/lib/deploy/functions/backend.js

@@ -1,6 +1,6 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.compareFunctions = exports.missingEndpoint = exports.hasEndpoint = exports.regionalEndpoints = exports.matchingBackend = exports.someEndpoint = exports.allEndpoints = exports.checkAvailability = exports.existingBackend = exports.scheduleIdForFunction = exports.functionName = exports.isEmptyBackend = exports.of = exports.empty = exports.isTaskQueueTriggered = exports.isScheduleTriggered = exports.isEventTriggered = exports.isHttpsTriggered = exports.SCHEDULED_FUNCTION_LABEL = exports.MIN_MEMORY_FOR_CONCURRENCY = exports.DEFAULT_MEMORY = exports.memoryOptionDisplayName = exports.endpointTriggerType = void 0;
+exports.compareFunctions = exports.missingEndpoint = exports.hasEndpoint = exports.regionalEndpoints = exports.matchingBackend = exports.findEndpoint = exports.someEndpoint = exports.allEndpoints = exports.checkAvailability = exports.existingBackend = exports.scheduleIdForFunction = exports.functionName = exports.isEmptyBackend = exports.of = exports.empty = exports.isTaskQueueTriggered = exports.isScheduleTriggered = exports.isEventTriggered = exports.isHttpsTriggered = exports.SCHEDULED_FUNCTION_LABEL = exports.MIN_MEMORY_FOR_CONCURRENCY = exports.DEFAULT_MEMORY = exports.memoryOptionDisplayName = exports.endpointTriggerType = void 0;
 const gcf = require("../../gcp/cloudfunctions");
 const gcfV2 = require("../../gcp/cloudfunctionsv2");
 const utils = require("../../utils");
@@ -186,6 +186,14 @@ function someEndpoint(backend, predicate) {
     return false;
 }
 exports.someEndpoint = someEndpoint;
+function findEndpoint(backend, predicate) {
+    for (const endpoints of Object.values(backend.endpoints)) {
+        const endpoint = Object.values(endpoints).find(predicate);
+        if (endpoint)
+            return endpoint;
+    }
+}
+exports.findEndpoint = findEndpoint;
 function matchingBackend(backend, predicate) {
     const filtered = Object.assign({}, empty());
     for (const endpoint of allEndpoints(backend)) {

package/lib/deploy/functions/ensure.js

@@ -0,0 +1,112 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.secretAccess = exports.maybeEnableAR = exports.cloudBuildEnabled = exports.defaultServiceAccount = void 0;
+const clc = require("cli-color");
+const ensureApiEnabled_1 = require("../../ensureApiEnabled");
+const error_1 = require("../../error");
+const utils_1 = require("../../utils");
+const secretManager_1 = require("../../gcp/secretManager");
+const previews_1 = require("../../previews");
+const projects_1 = require("../../management/projects");
+const functional_1 = require("../../functional");
+const track = require("../../track");
+const backend = require("./backend");
+const ensureApiEnabled = require("../../ensureApiEnabled");
+const FAQ_URL = "https://firebase.google.com/support/faq#functions-runtime";
+const CLOUD_BUILD_API = "cloudbuild.googleapis.com";
+async function defaultServiceAccount(e) {
+    const metadata = await (0, projects_1.getFirebaseProject)(e.project);
+    if (e.platform === "gcfv1") {
+        return `${metadata.projectId}@appspot.gserviceaccount.com`;
+    }
+    else if (e.platform === "gcfv2") {
+        return `${metadata.projectNumber}-compute@developer.gserviceaccount.com`;
+    }
+    (0, functional_1.assertExhaustive)(e.platform);
+}
+exports.defaultServiceAccount = defaultServiceAccount;
+function nodeBillingError(projectId) {
+    track("functions_runtime_notices", "nodejs10_billing_error");
+    return new error_1.FirebaseError(`Cloud Functions deployment requires the pay-as-you-go (Blaze) billing plan. To upgrade your project, visit the following URL:
+      
+https://console.firebase.google.com/project/${projectId}/usage/details
+
+For additional information about this requirement, see Firebase FAQs:
+
+${FAQ_URL}`, { exit: 1 });
+}
+function nodePermissionError(projectId) {
+    track("functions_runtime_notices", "nodejs10_permission_error");
+    return new error_1.FirebaseError(`Cloud Functions deployment requires the Cloud Build API to be enabled. The current credentials do not have permission to enable APIs for project ${clc.bold(projectId)}.
+
+Please ask a project owner to visit the following URL to enable Cloud Build:
+
+https://console.cloud.google.com/apis/library/cloudbuild.googleapis.com?project=${projectId}
+
+For additional information about this requirement, see Firebase FAQs:
+${FAQ_URL}
+`);
+}
+function isPermissionError(e) {
+    var _a, _b, _c;
+    return ((_c = (_b = (_a = e.context) === null || _a === void 0 ? void 0 : _a.body) === null || _b === void 0 ? void 0 : _b.error) === null || _c === void 0 ? void 0 : _c.status) === "PERMISSION_DENIED";
+}
+async function cloudBuildEnabled(projectId) {
+    try {
+        await (0, ensureApiEnabled_1.ensure)(projectId, CLOUD_BUILD_API, "functions");
+    }
+    catch (e) {
+        if ((0, error_1.isBillingError)(e)) {
+            throw nodeBillingError(projectId);
+        }
+        else if (isPermissionError(e)) {
+            throw nodePermissionError(projectId);
+        }
+        throw e;
+    }
+}
+exports.cloudBuildEnabled = cloudBuildEnabled;
+async function maybeEnableAR(projectId) {
+    if (!previews_1.previews.artifactregistry) {
+        return ensureApiEnabled.check(projectId, "artifactregistry.googleapis.com", "functions", true);
+    }
+    await ensureApiEnabled.ensure(projectId, "artifactregistry.googleapis.com", "functions");
+    return true;
+}
+exports.maybeEnableAR = maybeEnableAR;
+async function secretsToServiceAccounts(b) {
+    const secretsToSa = {};
+    for (const e of backend.allEndpoints(b)) {
+        const sa = e.serviceAccountEmail || (await module.exports.defaultServiceAccount(e));
+        for (const s of e.secretEnvironmentVariables || []) {
+            const serviceAccounts = secretsToSa[s.secret] || new Set();
+            serviceAccounts.add(sa);
+            secretsToSa[s.secret] = serviceAccounts;
+        }
+    }
+    return secretsToSa;
+}
+async function secretAccess(projectId, wantBackend, haveBackend) {
+    var _a, _b;
+    const ensureAccess = async (secret, serviceAccounts) => {
+        (0, utils_1.logLabeledBullet)("functions", `ensuring ${clc.bold(serviceAccounts.join(", "))} access to secret ${clc.bold(secret)}.`);
+        await (0, secretManager_1.ensureServiceAgentRole)({ name: secret, projectId }, serviceAccounts, "roles/secretmanager.secretAccessor");
+        (0, utils_1.logLabeledSuccess)("functions", `ensured ${clc.bold(serviceAccounts.join(", "))} access to ${clc.bold(secret)}.`);
+    };
+    const wantSecrets = await secretsToServiceAccounts(wantBackend);
+    const haveSecrets = await secretsToServiceAccounts(haveBackend);
+    for (const [secret, serviceAccounts] of Object.entries(haveSecrets)) {
+        for (const serviceAccount of serviceAccounts) {
+            (_a = wantSecrets[secret]) === null || _a === void 0 ? void 0 : _a.delete(serviceAccount);
+        }
+        if (((_b = wantSecrets[secret]) === null || _b === void 0 ? void 0 : _b.size) == 0) {
+            delete wantSecrets[secret];
+        }
+    }
+    const ensure = [];
+    for (const [secret, serviceAccounts] of Object.entries(wantSecrets)) {
+        ensure.push(ensureAccess(secret, Array.from(serviceAccounts)));
+    }
+    await Promise.all(ensure);
+}
+exports.secretAccess = secretAccess;

package/lib/deploy/functions/ensureCloudBuildEnabled.js

@@ -1,50 +1 @@
 "use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.ensureCloudBuildEnabled = void 0;
-const cli_color_1 = require("cli-color");
-const track = require("../../track");
-const ensureApiEnabled_1 = require("../../ensureApiEnabled");
-const error_1 = require("../../error");
-const FAQ_URL = "https://firebase.google.com/support/faq#functions-runtime";
-const CLOUD_BUILD_API = "cloudbuild.googleapis.com";
-function nodeBillingError(projectId) {
-    track("functions_runtime_notices", "nodejs10_billing_error");
-    return new error_1.FirebaseError(`Cloud Functions deployment requires the pay-as-you-go (Blaze) billing plan. To upgrade your project, visit the following URL:
-      
-https://console.firebase.google.com/project/${projectId}/usage/details
-
-For additional information about this requirement, see Firebase FAQs:
-
-${FAQ_URL}`, { exit: 1 });
-}
-function nodePermissionError(projectId) {
-    track("functions_runtime_notices", "nodejs10_permission_error");
-    return new error_1.FirebaseError(`Cloud Functions deployment requires the Cloud Build API to be enabled. The current credentials do not have permission to enable APIs for project ${(0, cli_color_1.bold)(projectId)}.
-
-Please ask a project owner to visit the following URL to enable Cloud Build:
-
-https://console.cloud.google.com/apis/library/cloudbuild.googleapis.com?project=${projectId}
-
-For additional information about this requirement, see Firebase FAQs:
-${FAQ_URL}
-`);
-}
-function isPermissionError(e) {
-    var _a, _b, _c;
-    return ((_c = (_b = (_a = e.context) === null || _a === void 0 ? void 0 : _a.body) === null || _b === void 0 ? void 0 : _b.error) === null || _c === void 0 ? void 0 : _c.status) === "PERMISSION_DENIED";
-}
-async function ensureCloudBuildEnabled(projectId) {
-    try {
-        await (0, ensureApiEnabled_1.ensure)(projectId, CLOUD_BUILD_API, "functions");
-    }
-    catch (e) {
-        if ((0, error_1.isBillingError)(e)) {
-            throw nodeBillingError(projectId);
-        }
-        else if (isPermissionError(e)) {
-            throw nodePermissionError(projectId);
-        }
-        throw e;
-    }
-}
-exports.ensureCloudBuildEnabled = ensureCloudBuildEnabled;

package/lib/deploy/functions/prepare.js

@@ -2,20 +2,19 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.inferDetailsFromExisting = exports.prepare = void 0;
 const clc = require("cli-color");
-const ensureCloudBuildEnabled_1 = require("./ensureCloudBuildEnabled");
-const functionsDeployHelper_1 = require("./functionsDeployHelper");
-const utils_1 = require("../../utils");
-const prepareFunctionsUpload_1 = require("./prepareFunctionsUpload");
-const prompts_1 = require("./prompts");
 const backend = require("./backend");
 const ensureApiEnabled = require("../../ensureApiEnabled");
 const functionsConfig = require("../../functionsConfig");
 const functionsEnv = require("../../functions/env");
-const previews_1 = require("../../previews");
-const projectUtils_1 = require("../../projectUtils");
-const track_1 = require("../../track");
 const runtimes = require("./runtimes");
 const validate = require("./validate");
+const ensure = require("./ensure");
+const functionsDeployHelper_1 = require("./functionsDeployHelper");
+const utils_1 = require("../../utils");
+const prepareFunctionsUpload_1 = require("./prepareFunctionsUpload");
+const prompts_1 = require("./prompts");
+const projectUtils_1 = require("../../projectUtils");
+const track_1 = require("../../track");
 const logger_1 = require("../../logger");
 const triggerRegionHelper_1 = require("./triggerRegionHelper");
 const checkIam_1 = require("./checkIam");
@@ -24,14 +23,7 @@ function hasUserConfig(config) {
     return Object.keys(config).length > 1;
 }
 function hasDotenv(opts) {
-    return previews_1.previews.dotenv && functionsEnv.hasUserEnvs(opts);
-}
-async function maybeEnableAR(projectId) {
-    if (!previews_1.previews.artifactregistry) {
-        return ensureApiEnabled.check(projectId, "artifactregistry.googleapis.com", "functions", true);
-    }
-    await ensureApiEnabled.ensure(projectId, "artifactregistry.googleapis.com", "functions");
-    return true;
+    return functionsEnv.hasUserEnvs(opts);
 }
 async function prepare(context, options, payload) {
     const projectId = (0, projectUtils_1.needProjectId)(options);
@@ -54,8 +46,8 @@ async function prepare(context, options, payload) {
     const checkAPIsEnabled = await Promise.all([
         ensureApiEnabled.ensure(projectId, "cloudfunctions.googleapis.com", "functions"),
         ensureApiEnabled.check(projectId, "runtimeconfig.googleapis.com", "runtimeconfig", true),
-        (0, ensureCloudBuildEnabled_1.ensureCloudBuildEnabled)(projectId),
-        maybeEnableAR(projectId),
+        ensure.cloudBuildEnabled(projectId),
+        ensure.maybeEnableAR(projectId),
     ]);
     context.runtimeConfigEnabled = checkAPIsEnabled[1];
     context.artifactRegistryEnabled = checkAPIsEnabled[3];
@@ -125,6 +117,8 @@ async function prepare(context, options, payload) {
     await (0, prompts_1.promptForFailurePolicies)(options, matchingBackend, haveBackend);
     await (0, prompts_1.promptForMinInstances)(options, matchingBackend, haveBackend);
     await backend.checkAvailability(context, wantBackend);
+    await validate.secretsAreValid(projectId, matchingBackend);
+    await ensure.secretAccess(projectId, matchingBackend, haveBackend);
 }
 exports.prepare = prepare;
 function inferDetailsFromExisting(want, have, usedDotenv) {