firebase-tools 10.1.5 → 10.2.2

package/lib/commands/ext-update.js

@@ -25,15 +25,6 @@ const previews_1 = require("../previews");
 marked.setOptions({
     renderer: new TerminalRenderer(),
 });
-function isValidUpdate(existingSourceOrigin, newSourceOrigin) {
-    if (existingSourceOrigin === extensionsHelper_1.SourceOrigin.PUBLISHED_EXTENSION) {
-        return [extensionsHelper_1.SourceOrigin.PUBLISHED_EXTENSION, extensionsHelper_1.SourceOrigin.PUBLISHED_EXTENSION_VERSION].includes(newSourceOrigin);
-    }
-    else if (existingSourceOrigin === extensionsHelper_1.SourceOrigin.LOCAL) {
-        return [extensionsHelper_1.SourceOrigin.LOCAL, extensionsHelper_1.SourceOrigin.URL].includes(newSourceOrigin);
-    }
-    return false;
-}
 exports.default = new command_1.Command("ext:update <extensionInstanceId> [updateSource]")
     .description(previews_1.previews.extdev
     ? "update an existing extension instance to the latest version or from a local or URL source"
@@ -44,6 +35,7 @@ exports.default = new command_1.Command("ext:update <extensionInstanceId> [updat
 ])
     .before(extensionsHelper_1.ensureExtensionsApiEnabled)
     .before(checkMinRequiredVersion_1.checkMinRequiredVersion, "extMinVersion")
+    .before(extensionsHelper_1.diagnoseAndFixProject)
     .withForce()
     .option("--params <paramsFile>", "name of params variables file with .env format.")
     .action(async (instanceId, updateSource, options) => {
@@ -191,3 +183,12 @@ exports.default = new command_1.Command("ext:update <extensionInstanceId> [updat
         throw err;
     }
 });
+function isValidUpdate(existingSourceOrigin, newSourceOrigin) {
+    if (existingSourceOrigin === extensionsHelper_1.SourceOrigin.PUBLISHED_EXTENSION) {
+        return [extensionsHelper_1.SourceOrigin.PUBLISHED_EXTENSION, extensionsHelper_1.SourceOrigin.PUBLISHED_EXTENSION_VERSION].includes(newSourceOrigin);
+    }
+    else if (existingSourceOrigin === extensionsHelper_1.SourceOrigin.LOCAL) {
+        return [extensionsHelper_1.SourceOrigin.LOCAL, extensionsHelper_1.SourceOrigin.URL].includes(newSourceOrigin);
+    }
+    return false;
+}

package/lib/commands/functions-config-clone.js

@@ -38,7 +38,7 @@ exports.default = new command_1.Command("functions:config:clone")
     else if (options.only && options.except) {
         throw new error_1.FirebaseError("Cannot use both --only and --except at the same time.");
     }
-    let only = [];
+    let only;
     let except = [];
     if (options.only) {
         only = options.only.split(",");

package/lib/commands/functions-config-export.js

@@ -96,7 +96,7 @@ exports.default = new command_1.Command("functions:config:export")
             throw new error_1.FirebaseError("Exceeded max attempts to fix invalid config keys.");
         }
         const errMsg = configExport.hydrateEnvs(pInfos, prefix);
-        if (errMsg.length == 0) {
+        if (errMsg.length === 0) {
             break;
         }
         prefix = await promptForPrefix(errMsg);

package/lib/commands/functions-secrets-access.js

@@ -0,0 +1,17 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const command_1 = require("../command");
+const logger_1 = require("../logger");
+const projectUtils_1 = require("../projectUtils");
+const secretManager_1 = require("../gcp/secretManager");
+exports.default = new command_1.Command("functions:secrets:access <KEY>[@version]")
+    .description("Access secret value given secret and its version. Defaults to accessing the latest version.")
+    .action(async (key, options) => {
+    const projectId = (0, projectUtils_1.needProjectId)(options);
+    let [name, version] = key.split("@");
+    if (!version) {
+        version = "latest";
+    }
+    const value = await (0, secretManager_1.accessSecretVersion)(projectId, name, version);
+    logger_1.logger.info(value);
+});

package/lib/commands/functions-secrets-destroy.js

@@ -0,0 +1,40 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const command_1 = require("../command");
+const logger_1 = require("../logger");
+const projectUtils_1 = require("../projectUtils");
+const secretManager_1 = require("../gcp/secretManager");
+const prompt_1 = require("../prompt");
+const secrets = require("../functions/secrets");
+exports.default = new command_1.Command("functions:secrets:destroy <KEY>[@version]")
+    .description("Destroy a secret. Defaults to destroying the latest version.")
+    .withForce("Destroys a secret without confirmation.")
+    .action(async (key, options) => {
+    const projectId = (0, projectUtils_1.needProjectId)(options);
+    let [name, version] = key.split("@");
+    if (!version) {
+        version = "latest";
+    }
+    const sv = await (0, secretManager_1.getSecretVersion)(projectId, name, version);
+    if (!options.force) {
+        const confirm = await (0, prompt_1.promptOnce)({
+            name: "destroy",
+            type: "confirm",
+            default: true,
+            message: `Are you sure you want to destroy ${sv.secret.name}@${sv.versionId}`,
+        }, options);
+        if (!confirm) {
+            return;
+        }
+    }
+    await (0, secretManager_1.destroySecretVersion)(projectId, name, version);
+    logger_1.logger.info(`Destroyed secret version ${name}@${sv.versionId}`);
+    const secret = await (0, secretManager_1.getSecret)(projectId, name);
+    if (secrets.isFirebaseManaged(secret)) {
+        const versions = await (0, secretManager_1.listSecretVersions)(projectId, name);
+        if (versions.filter((v) => v.state === "ENABLED").length === 0) {
+            logger_1.logger.info(`No active secret versions left. Destroying secret ${name}`);
+            await (0, secretManager_1.deleteSecret)(projectId, name);
+        }
+    }
+});

package/lib/commands/functions-secrets-get.js

@@ -0,0 +1,21 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const Table = require("cli-table");
+const command_1 = require("../command");
+const logger_1 = require("../logger");
+const projectUtils_1 = require("../projectUtils");
+const secretManager_1 = require("../gcp/secretManager");
+exports.default = new command_1.Command("functions:secrets:get <KEY>")
+    .description("Get metadata for secret and its versions")
+    .action(async (key, options) => {
+    const projectId = (0, projectUtils_1.needProjectId)(options);
+    const versions = await (0, secretManager_1.listSecretVersions)(projectId, key);
+    const table = new Table({
+        head: ["Version", "State"],
+        style: { head: ["yellow"] },
+    });
+    for (const version of versions) {
+        table.push([version.versionId, version.state]);
+    }
+    logger_1.logger.info(table.toString());
+});

package/lib/commands/functions-secrets-prune.js

@@ -0,0 +1,50 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const backend = require("../deploy/functions/backend");
+const command_1 = require("../command");
+const projectUtils_1 = require("../projectUtils");
+const secrets_1 = require("../functions/secrets");
+const requirePermissions_1 = require("../requirePermissions");
+const deploymentTool_1 = require("../deploymentTool");
+const utils_1 = require("../utils");
+const prompt_1 = require("../prompt");
+const secretManager_1 = require("../gcp/secretManager");
+exports.default = new command_1.Command("functions:secrets:prune")
+    .description("Destroys unused secrets")
+    .before(requirePermissions_1.requirePermissions, [
+    "cloudfunctions.functions.list",
+    "secretmanager.secrets.list",
+    "secretmanager.versions.list",
+    "secretmanager.versions.destroy",
+])
+    .action(async (options) => {
+    const projectNumber = await (0, projectUtils_1.needProjectNumber)(options);
+    const projectId = (0, projectUtils_1.needProjectId)(options);
+    (0, utils_1.logBullet)("Loading secrets...");
+    const haveBackend = await backend.existingBackend({ projectId });
+    const haveEndpoints = backend
+        .allEndpoints(haveBackend)
+        .filter((e) => (0, deploymentTool_1.isFirebaseManaged)(e.labels || []));
+    const pruned = await (0, secrets_1.pruneSecrets)({ projectNumber, projectId }, haveEndpoints);
+    if (pruned.length === 0) {
+        (0, utils_1.logBullet)("All secrets are in use. Nothing to prune today.");
+        return;
+    }
+    (0, utils_1.logBullet)(`Found ${pruned.length} unused active secret versions:\n\t` +
+        pruned.map((sv) => `${sv.secret}@${sv.version}`).join("\n\t"));
+    const confirm = await (0, prompt_1.promptOnce)({
+        name: "destroy",
+        type: "confirm",
+        default: true,
+        message: `Do you want to destroy unused secret versions?`,
+    }, options);
+    if (!confirm) {
+        (0, utils_1.logBullet)("Run the following commands to destroy each unused secret version:\n\t" +
+            pruned
+                .map((sv) => `firebase functions:secrets:destroy ${sv.secret}@${sv.version}`)
+                .join("\n\t"));
+        return;
+    }
+    await Promise.all(pruned.map((sv) => (0, secretManager_1.destroySecretVersion)(projectId, sv.secret, sv.version)));
+    (0, utils_1.logSuccess)("Destroyed all unused secrets!");
+});

package/lib/commands/functions-secrets-set.js

@@ -0,0 +1,46 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const tty = require("tty");
+const fs = require("fs");
+const clc = require("cli-color");
+const secrets_1 = require("../functions/secrets");
+const command_1 = require("../command");
+const requirePermissions_1 = require("../requirePermissions");
+const prompt_1 = require("../prompt");
+const utils_1 = require("../utils");
+const projectUtils_1 = require("../projectUtils");
+const secretManager_1 = require("../gcp/secretManager");
+exports.default = new command_1.Command("functions:secrets:set <KEY>")
+    .description("Create or update a secret for use in Cloud Functions for Firebase")
+    .withForce("Does not ensure input keys are valid or upgrade existing secrets to have Firebase manage them.")
+    .before(requirePermissions_1.requirePermissions, [
+    "secretmanager.secrets.create",
+    "secretmanager.secrets.get",
+    "secretmanager.secrets.update",
+    "secretmanager.versions.add",
+])
+    .option("--data-file <dataFile>", 'File path from which to read secret data. Set to "-" to read the secret data from stdin.')
+    .action(async (unvalidatedKey, options) => {
+    const projectId = (0, projectUtils_1.needProjectId)(options);
+    const key = await (0, secrets_1.ensureValidKey)(unvalidatedKey, options);
+    const secret = await (0, secrets_1.ensureSecret)(projectId, key, options);
+    let secretValue;
+    if ((!options.dataFile || options.dataFile === "-") && tty.isatty(0)) {
+        secretValue = await (0, prompt_1.promptOnce)({
+            name: key,
+            type: "password",
+            message: `Enter a value for ${key}`,
+        });
+    }
+    else {
+        let dataFile = 0;
+        if (options.dataFile && options.dataFile !== "-") {
+            dataFile = options.dataFile;
+        }
+        secretValue = fs.readFileSync(dataFile, "utf-8");
+    }
+    const secretVersion = await (0, secretManager_1.addVersion)(projectId, key, secretValue);
+    (0, utils_1.logSuccess)(`Created a new secret version ${(0, secretManager_1.toSecretVersionResourceName)(secretVersion)}`);
+    (0, utils_1.logBullet)("Please deploy your functions for the change to take effect by running:\n\t" +
+        clc.bold("firebase deploy --only functions"));
+});

package/lib/commands/hosting-clone.js

@@ -32,8 +32,8 @@ exports.default = new command_1.Command("hosting:clone <source> <targetChannel>"
     if (sourceChannelId) {
         sourceChannelId = (0, api_1.normalizeName)(sourceChannelId);
     }
-    const equalSiteIds = sourceSiteId == targetSiteId;
-    const equalChannelIds = sourceChannelId == targetChannelId;
+    const equalSiteIds = sourceSiteId === targetSiteId;
+    const equalChannelIds = sourceChannelId === targetChannelId;
     if (equalSiteIds && equalChannelIds) {
         throw new error_1.FirebaseError(`Source and destination cannot be equal. Please pick a different source or desination.`);
     }
@@ -67,7 +67,7 @@ exports.default = new command_1.Command("hosting:clone <source> <targetChannel>"
         }
     }
     const currentTargetVersionName = (_d = (_c = tChannel.release) === null || _c === void 0 ? void 0 : _c.version) === null || _d === void 0 ? void 0 : _d.name;
-    if (equalSiteIds && sourceVersionName == currentTargetVersionName) {
+    if (equalSiteIds && sourceVersionName === currentTargetVersionName) {
         utils.logSuccess(`Channels ${(0, cli_color_1.bold)(sourceChannelId)} and ${(0, cli_color_1.bold)(targetChannel)} are serving identical versions. No need to clone.`);
         return;
     }

package/lib/commands/index.js

@@ -91,9 +91,7 @@ module.exports = function (client) {
     client.functions = {};
     client.functions.config = {};
     client.functions.config.clone = loadCommand("functions-config-clone");
-    if (previews.dotenv) {
-        client.functions.config.export = loadCommand("functions-config-export");
-    }
+    client.functions.config.export = loadCommand("functions-config-export");
     client.functions.config.get = loadCommand("functions-config-get");
     client.functions.config.set = loadCommand("functions-config-set");
     client.functions.config.unset = loadCommand("functions-config-unset");
@@ -104,6 +102,12 @@ module.exports = function (client) {
     if (previews.deletegcfartifacts) {
         client.functions.deletegcfartifacts = loadCommand("functions-deletegcfartifacts");
     }
+    client.functions.secrets = {};
+    client.functions.secrets.access = loadCommand("functions-secrets-access");
+    client.functions.secrets.destroy = loadCommand("functions-secrets-destroy");
+    client.functions.secrets.get = loadCommand("functions-secrets-get");
+    client.functions.secrets.prune = loadCommand("functions-secrets-prune");
+    client.functions.secrets.set = loadCommand("functions-secrets-set");
     client.help = loadCommand("help");
     client.hosting = {};
     client.hosting.channel = {};

package/lib/commands/login.js

@@ -12,7 +12,7 @@ const auth = require("../auth");
 const utils_1 = require("../utils");
 module.exports = new command_1.Command("login")
     .description("log the CLI into Firebase")
-    .option("--no-localhost", "copy and paste a code instead of starting a local server for authentication")
+    .option("--no-localhost", "login from a device without an accessible localhost")
     .option("--reauth", "force reauthentication even if already logged in")
     .action(async (options) => {
     if (options.nonInteractive) {

package/lib/commands/remoteconfig-get.js

@@ -15,7 +15,7 @@ const error_1 = require("../error");
 const tableHead = ["Entry Name", "Value"];
 const MAX_DISPLAY_ITEMS = 20;
 function checkValidOptionalNumber(versionNumber) {
-    if (!versionNumber || typeof Number(versionNumber) == "number") {
+    if (!versionNumber || typeof Number(versionNumber) === "number") {
         return versionNumber;
     }
     throw new error_1.FirebaseError(`Could not interpret "${versionNumber}" as a valid number.`);

package/lib/deploy/extensions/deploymentSummary.js

@@ -7,8 +7,8 @@ const humanReadable = (dep) => `${clc.bold(dep.instanceId)} (${dep.ref ? `${refs
 exports.humanReadable = humanReadable;
 const humanReadableUpdate = (from, to) => {
     var _a, _b, _c, _d, _e;
-    if (((_a = from.ref) === null || _a === void 0 ? void 0 : _a.publisherId) == ((_b = to.ref) === null || _b === void 0 ? void 0 : _b.publisherId) &&
-        ((_c = from.ref) === null || _c === void 0 ? void 0 : _c.extensionId) == ((_d = to.ref) === null || _d === void 0 ? void 0 : _d.extensionId)) {
+    if (((_a = from.ref) === null || _a === void 0 ? void 0 : _a.publisherId) === ((_b = to.ref) === null || _b === void 0 ? void 0 : _b.publisherId) &&
+        ((_c = from.ref) === null || _c === void 0 ? void 0 : _c.extensionId) === ((_d = to.ref) === null || _d === void 0 ? void 0 : _d.extensionId)) {
         return `\t${clc.bold(from.instanceId)} (${refs.toExtensionVersionRef(from.ref)} => ${(_e = to.ref) === null || _e === void 0 ? void 0 : _e.version})`;
     }
     else {
@@ -28,7 +28,7 @@ exports.createsSummary = createsSummary;
 function updatesSummary(toUpdate, have) {
     const instancesToUpdate = toUpdate
         .map((to) => {
-        const from = have.find((exists) => exists.instanceId == to.instanceId);
+        const from = have.find((exists) => exists.instanceId === to.instanceId);
         return humanReadableUpdate(from, to);
     })
         .join("\n");

package/lib/deploy/extensions/params.js

@@ -13,6 +13,9 @@ function readParams(args) {
         `${args.instanceId}.env.${args.projectNumber}`,
         `${args.instanceId}.env.${args.projectId}`,
     ];
+    if (args.checkLocal) {
+        filesToCheck.push(`${args.instanceId}.env.local`);
+    }
     let noFilesFound = true;
     const combinedParams = {};
     for (const fileToCheck of filesToCheck) {

package/lib/deploy/extensions/planner.js

@@ -58,6 +58,7 @@ async function want(args) {
                 projectId: args.projectId,
                 projectNumber: args.projectNumber,
                 aliases: args.aliases,
+                checkLocal: args.checkLocal,
             });
             const autoPopulatedParams = await (0, extensionsHelper_1.getFirebaseProjectParams)(args.projectId);
             const subbedParams = (0, extensionsHelper_1.substituteParams)(params, autoPopulatedParams);
@@ -80,7 +81,7 @@ async function want(args) {
 }
 exports.want = want;
 async function resolveVersion(ref) {
-    if (!ref.version || ref.version == "latest") {
+    if (!ref.version || ref.version === "latest") {
         return "latest";
     }
     const extensionRef = refs.toExtensionRef(ref);

package/lib/deploy/extensions/tasks.js

@@ -5,7 +5,7 @@ const clc = require("cli-color");
 const extensionsApi = require("../../extensions/extensionsApi");
 const refs = require("../../extensions/refs");
 const utils = require("../../utils");
-const isRetryable = (err) => err.status == 429 || err.status == 409;
+const isRetryable = (err) => err.status === 429 || err.status === 409;
 function extensionsDeploymentHandler(errorHandler) {
     return async (task) => {
         var _a, _b, _c, _d;

package/lib/deploy/functions/backend.js

@@ -1,6 +1,6 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.compareFunctions = exports.missingEndpoint = exports.hasEndpoint = exports.regionalEndpoints = exports.matchingBackend = exports.someEndpoint = exports.allEndpoints = exports.checkAvailability = exports.existingBackend = exports.scheduleIdForFunction = exports.functionName = exports.isEmptyBackend = exports.of = exports.empty = exports.isTaskQueueTriggered = exports.isScheduleTriggered = exports.isEventTriggered = exports.isHttpsTriggered = exports.SCHEDULED_FUNCTION_LABEL = exports.MIN_MEMORY_FOR_CONCURRENCY = exports.DEFAULT_MEMORY = exports.memoryOptionDisplayName = exports.endpointTriggerType = void 0;
+exports.compareFunctions = exports.missingEndpoint = exports.hasEndpoint = exports.regionalEndpoints = exports.matchingBackend = exports.findEndpoint = exports.someEndpoint = exports.allEndpoints = exports.checkAvailability = exports.existingBackend = exports.scheduleIdForFunction = exports.functionName = exports.isEmptyBackend = exports.of = exports.empty = exports.isTaskQueueTriggered = exports.isScheduleTriggered = exports.isEventTriggered = exports.isCallableTriggered = exports.isHttpsTriggered = exports.SCHEDULED_FUNCTION_LABEL = exports.MIN_MEMORY_FOR_CONCURRENCY = exports.DEFAULT_MEMORY = exports.memoryOptionDisplayName = exports.endpointTriggerType = void 0;
 const gcf = require("../../gcp/cloudfunctions");
 const gcfV2 = require("../../gcp/cloudfunctionsv2");
 const utils = require("../../utils");
@@ -13,6 +13,9 @@ function endpointTriggerType(endpoint) {
     else if (isHttpsTriggered(endpoint)) {
         return "https";
     }
+    else if (isCallableTriggered(endpoint)) {
+        return "callable";
+    }
     else if (isEventTriggered(endpoint)) {
         return endpoint.eventTrigger.eventType;
     }
@@ -43,6 +46,10 @@ function isHttpsTriggered(triggered) {
     return {}.hasOwnProperty.call(triggered, "httpsTrigger");
 }
 exports.isHttpsTriggered = isHttpsTriggered;
+function isCallableTriggered(triggered) {
+    return {}.hasOwnProperty.call(triggered, "callableTrigger");
+}
+exports.isCallableTriggered = isCallableTriggered;
 function isEventTriggered(triggered) {
     return {}.hasOwnProperty.call(triggered, "eventTrigger");
 }
@@ -57,7 +64,7 @@ function isTaskQueueTriggered(triggered) {
 exports.isTaskQueueTriggered = isTaskQueueTriggered;
 function empty() {
     return {
-        requiredAPIs: {},
+        requiredAPIs: [],
         endpoints: {},
         environmentVariables: {},
     };
@@ -76,7 +83,7 @@ function of(...endpoints) {
 }
 exports.of = of;
 function isEmptyBackend(backend) {
-    return (Object.keys(backend.requiredAPIs).length == 0 && Object.keys(backend.endpoints).length === 0);
+    return (Object.keys(backend.requiredAPIs).length === 0 && Object.keys(backend.endpoints).length === 0);
 }
 exports.isEmptyBackend = isEmptyBackend;
 function functionName(cloudFunction) {
@@ -140,7 +147,7 @@ async function checkAvailability(context, want) {
     const gcfV1Regions = new Set();
     const gcfV2Regions = new Set();
     for (const ep of allEndpoints(want)) {
-        if (ep.platform == "gcfv1") {
+        if (ep.platform === "gcfv1") {
             gcfV1Regions.add(ep.region);
         }
         else {
@@ -186,6 +193,14 @@ function someEndpoint(backend, predicate) {
     return false;
 }
 exports.someEndpoint = someEndpoint;
+function findEndpoint(backend, predicate) {
+    for (const endpoints of Object.values(backend.endpoints)) {
+        const endpoint = Object.values(endpoints).find(predicate);
+        if (endpoint)
+            return endpoint;
+    }
+}
+exports.findEndpoint = findEndpoint;
 function matchingBackend(backend, predicate) {
     const filtered = Object.assign({}, empty());
     for (const endpoint of allEndpoints(backend)) {
@@ -211,7 +226,7 @@ const missingEndpoint = (backend) => (endpoint) => {
 };
 exports.missingEndpoint = missingEndpoint;
 function compareFunctions(left, right) {
-    if (left.platform != right.platform) {
+    if (left.platform !== right.platform) {
         return right.platform < left.platform ? -1 : 1;
     }
     if (left.region < right.region) {

package/lib/deploy/functions/checkIam.js

@@ -52,7 +52,7 @@ async function checkHttpIam(context, options, payload) {
         return;
     }
     if (!passed) {
-        track("Error (User)", "deploy:functions:http_create_missing_iam");
+        void track("Error (User)", "deploy:functions:http_create_missing_iam");
         throw new error_1.FirebaseError(`Missing required permission on project ${(0, cli_color_1.bold)(context.projectId)} to deploy new HTTPS functions. The permission ${(0, cli_color_1.bold)(PERMISSION)} is required to deploy the following functions:\n\n- ` +
             newHttpsEndpoints.map((func) => func.id).join("\n- ") +
             `\n\nTo address this error, please ask a project Owner to assign your account the "Cloud Functions Admin" role at the following URL:\n\nhttps://console.cloud.google.com/iam-admin/iam?project=${context.projectId}`);

package/lib/deploy/functions/containerCleaner.js

@@ -71,7 +71,7 @@ async function cleanupBuildImages(haveFunctions, deletedFunctions, cleaners = {}
         let message = "Unhandled error cleaning up build images. This could result in a small monthly bill if not corrected. ";
         message +=
             "You can attempt to delete these images by redeploying or you can delete them manually at";
-        if (failedDomains.size == 1) {
+        if (failedDomains.size === 1) {
             message += " " + failedDomains.values().next().value;
         }
         else {
@@ -205,7 +205,7 @@ async function listGcfPaths(projectId, locations, dockerHelpers = {}) {
         .map((results) => results.children)
         .reduce((acc, val) => [...acc, ...val], [])
         .filter((loc) => locationsSet.has(loc));
-    if (failedSubdomains.length == subdomains.size) {
+    if (failedSubdomains.length === subdomains.size) {
         throw new error_1.FirebaseError("Failed to search all subdomains.");
     }
     else if (failedSubdomains.length > 0) {
@@ -237,7 +237,7 @@ async function deleteGcfArtifacts(projectId, locations, dockerHelpers = {}) {
         }
     });
     await Promise.all(deleteLocations);
-    if (failedSubdomains.length == subdomains.size) {
+    if (failedSubdomains.length === subdomains.size) {
         throw new error_1.FirebaseError("Failed to search all subdomains.");
     }
     else if (failedSubdomains.length > 0) {

package/lib/deploy/functions/ensure.js

@@ -0,0 +1,112 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.secretAccess = exports.maybeEnableAR = exports.cloudBuildEnabled = exports.defaultServiceAccount = void 0;
+const clc = require("cli-color");
+const ensureApiEnabled_1 = require("../../ensureApiEnabled");
+const error_1 = require("../../error");
+const utils_1 = require("../../utils");
+const secretManager_1 = require("../../gcp/secretManager");
+const previews_1 = require("../../previews");
+const projects_1 = require("../../management/projects");
+const functional_1 = require("../../functional");
+const track = require("../../track");
+const backend = require("./backend");
+const ensureApiEnabled = require("../../ensureApiEnabled");
+const FAQ_URL = "https://firebase.google.com/support/faq#functions-runtime";
+const CLOUD_BUILD_API = "cloudbuild.googleapis.com";
+async function defaultServiceAccount(e) {
+    const metadata = await (0, projects_1.getFirebaseProject)(e.project);
+    if (e.platform === "gcfv1") {
+        return `${metadata.projectId}@appspot.gserviceaccount.com`;
+    }
+    else if (e.platform === "gcfv2") {
+        return `${metadata.projectNumber}-compute@developer.gserviceaccount.com`;
+    }
+    (0, functional_1.assertExhaustive)(e.platform);
+}
+exports.defaultServiceAccount = defaultServiceAccount;
+function nodeBillingError(projectId) {
+    void track("functions_runtime_notices", "nodejs10_billing_error");
+    return new error_1.FirebaseError(`Cloud Functions deployment requires the pay-as-you-go (Blaze) billing plan. To upgrade your project, visit the following URL:
+      
+https://console.firebase.google.com/project/${projectId}/usage/details
+
+For additional information about this requirement, see Firebase FAQs:
+
+${FAQ_URL}`, { exit: 1 });
+}
+function nodePermissionError(projectId) {
+    void track("functions_runtime_notices", "nodejs10_permission_error");
+    return new error_1.FirebaseError(`Cloud Functions deployment requires the Cloud Build API to be enabled. The current credentials do not have permission to enable APIs for project ${clc.bold(projectId)}.
+
+Please ask a project owner to visit the following URL to enable Cloud Build:
+
+https://console.cloud.google.com/apis/library/cloudbuild.googleapis.com?project=${projectId}
+
+For additional information about this requirement, see Firebase FAQs:
+${FAQ_URL}
+`);
+}
+function isPermissionError(e) {
+    var _a, _b, _c;
+    return ((_c = (_b = (_a = e.context) === null || _a === void 0 ? void 0 : _a.body) === null || _b === void 0 ? void 0 : _b.error) === null || _c === void 0 ? void 0 : _c.status) === "PERMISSION_DENIED";
+}
+async function cloudBuildEnabled(projectId) {
+    try {
+        await (0, ensureApiEnabled_1.ensure)(projectId, CLOUD_BUILD_API, "functions");
+    }
+    catch (e) {
+        if ((0, error_1.isBillingError)(e)) {
+            throw nodeBillingError(projectId);
+        }
+        else if (isPermissionError(e)) {
+            throw nodePermissionError(projectId);
+        }
+        throw e;
+    }
+}
+exports.cloudBuildEnabled = cloudBuildEnabled;
+async function maybeEnableAR(projectId) {
+    if (!previews_1.previews.artifactregistry) {
+        return ensureApiEnabled.check(projectId, "artifactregistry.googleapis.com", "functions", true);
+    }
+    await ensureApiEnabled.ensure(projectId, "artifactregistry.googleapis.com", "functions");
+    return true;
+}
+exports.maybeEnableAR = maybeEnableAR;
+async function secretsToServiceAccounts(b) {
+    const secretsToSa = {};
+    for (const e of backend.allEndpoints(b)) {
+        const sa = e.serviceAccountEmail || (await module.exports.defaultServiceAccount(e));
+        for (const s of e.secretEnvironmentVariables || []) {
+            const serviceAccounts = secretsToSa[s.secret] || new Set();
+            serviceAccounts.add(sa);
+            secretsToSa[s.secret] = serviceAccounts;
+        }
+    }
+    return secretsToSa;
+}
+async function secretAccess(projectId, wantBackend, haveBackend) {
+    var _a, _b;
+    const ensureAccess = async (secret, serviceAccounts) => {
+        (0, utils_1.logLabeledBullet)("functions", `ensuring ${clc.bold(serviceAccounts.join(", "))} access to secret ${clc.bold(secret)}.`);
+        await (0, secretManager_1.ensureServiceAgentRole)({ name: secret, projectId }, serviceAccounts, "roles/secretmanager.secretAccessor");
+        (0, utils_1.logLabeledSuccess)("functions", `ensured ${clc.bold(serviceAccounts.join(", "))} access to ${clc.bold(secret)}.`);
+    };
+    const wantSecrets = await secretsToServiceAccounts(wantBackend);
+    const haveSecrets = await secretsToServiceAccounts(haveBackend);
+    for (const [secret, serviceAccounts] of Object.entries(haveSecrets)) {
+        for (const serviceAccount of serviceAccounts) {
+            (_a = wantSecrets[secret]) === null || _a === void 0 ? void 0 : _a.delete(serviceAccount);
+        }
+        if (((_b = wantSecrets[secret]) === null || _b === void 0 ? void 0 : _b.size) === 0) {
+            delete wantSecrets[secret];
+        }
+    }
+    const ensure = [];
+    for (const [secret, serviceAccounts] of Object.entries(wantSecrets)) {
+        ensure.push(ensureAccess(secret, Array.from(serviceAccounts)));
+    }
+    await Promise.all(ensure);
+}
+exports.secretAccess = secretAccess;

package/lib/deploy/functions/ensureCloudBuildEnabled.js

@@ -1,50 +1 @@
 "use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.ensureCloudBuildEnabled = void 0;
-const cli_color_1 = require("cli-color");
-const track = require("../../track");
-const ensureApiEnabled_1 = require("../../ensureApiEnabled");
-const error_1 = require("../../error");
-const FAQ_URL = "https://firebase.google.com/support/faq#functions-runtime";
-const CLOUD_BUILD_API = "cloudbuild.googleapis.com";
-function nodeBillingError(projectId) {
-    track("functions_runtime_notices", "nodejs10_billing_error");
-    return new error_1.FirebaseError(`Cloud Functions deployment requires the pay-as-you-go (Blaze) billing plan. To upgrade your project, visit the following URL:
-      
-https://console.firebase.google.com/project/${projectId}/usage/details
-
-For additional information about this requirement, see Firebase FAQs:
-
-${FAQ_URL}`, { exit: 1 });
-}
-function nodePermissionError(projectId) {
-    track("functions_runtime_notices", "nodejs10_permission_error");
-    return new error_1.FirebaseError(`Cloud Functions deployment requires the Cloud Build API to be enabled. The current credentials do not have permission to enable APIs for project ${(0, cli_color_1.bold)(projectId)}.
-
-Please ask a project owner to visit the following URL to enable Cloud Build:
-
-https://console.cloud.google.com/apis/library/cloudbuild.googleapis.com?project=${projectId}
-
-For additional information about this requirement, see Firebase FAQs:
-${FAQ_URL}
-`);
-}
-function isPermissionError(e) {
-    var _a, _b, _c;
-    return ((_c = (_b = (_a = e.context) === null || _a === void 0 ? void 0 : _a.body) === null || _b === void 0 ? void 0 : _b.error) === null || _c === void 0 ? void 0 : _c.status) === "PERMISSION_DENIED";
-}
-async function ensureCloudBuildEnabled(projectId) {
-    try {
-        await (0, ensureApiEnabled_1.ensure)(projectId, CLOUD_BUILD_API, "functions");
-    }
-    catch (e) {
-        if ((0, error_1.isBillingError)(e)) {
-            throw nodeBillingError(projectId);
-        }
-        else if (isPermissionError(e)) {
-            throw nodePermissionError(projectId);
-        }
-        throw e;
-    }
-}
-exports.ensureCloudBuildEnabled = ensureCloudBuildEnabled;