firebase-tools 11.3.0 → 11.4.2

package/lib/functional.js

@@ -1,6 +1,6 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.partition = exports.assertExhaustive = exports.zipIn = exports.zip = exports.reduceFlat = exports.flatten = exports.flattenArray = exports.flattenObject = void 0;
+exports.nullsafeVisitor = exports.mapObject = exports.partition = exports.assertExhaustive = exports.zipIn = exports.zip = exports.reduceFlat = exports.flatten = exports.flattenArray = exports.flattenObject = void 0;
 function* flattenObject(obj) {
     function* helper(path, obj) {
         for (const [k, v] of Object.entries(obj)) {
@@ -63,3 +63,18 @@ function partition(arr, callbackFn) {
     }, [[], []]);
 }
 exports.partition = partition;
+function mapObject(input, transform) {
+    const result = {};
+    for (const [k, v] of Object.entries(input)) {
+        result[k] = transform(v);
+    }
+    return result;
+}
+exports.mapObject = mapObject;
+const nullsafeVisitor = (func, ...rest) => (first) => {
+    if (first === null) {
+        return null;
+    }
+    return func(first, ...rest);
+};
+exports.nullsafeVisitor = nullsafeVisitor;

package/lib/functions/env.js

@@ -51,6 +51,17 @@ const ESCAPE_SEQUENCES_TO_CHARACTERS = {
     "\\'": "'",
     '\\"': '"',
 };
+const ALL_ESCAPE_SEQUENCES_RE = /\\[nrtv\\'"]/g;
+const CHARACTERS_TO_ESCAPE_SEQUENCES = {
+    "\n": "\\n",
+    "\r": "\\r",
+    "\t": "\\t",
+    "\v": "\\v",
+    "\\": "\\\\",
+    "'": "\\'",
+    '"': '\\"',
+};
+const ALL_ESCAPABLE_CHARACTERS_RE = /[\n\r\t\v\\'"]/g;
 function parse(data) {
     const envs = {};
     const errors = [];
@@ -63,7 +74,7 @@ function parse(data) {
         if ((quotesMatch = /^(["'])(.*)\1$/ms.exec(v)) != null) {
             v = quotesMatch[2];
             if (quotesMatch[1] === '"') {
-                v = v.replace(/\\[nrtv\\'"]/g, (match) => ESCAPE_SEQUENCES_TO_CHARACTERS[match]);
+                v = v.replace(ALL_ESCAPE_SEQUENCES_RE, (match) => ESCAPE_SEQUENCES_TO_CHARACTERS[match]);
             }
         }
         envs[k] = v;
@@ -146,9 +157,43 @@ function hasUserEnvs({ functionsSource, projectId, projectAlias, isEmulator, })
 }
 exports.hasUserEnvs = hasUserEnvs;
 function writeUserEnvs(toWrite, envOpts) {
-    throw new error_1.FirebaseError("Persisting user-defined parameters to .env files is not yet implemented.");
+    if (Object.keys(toWrite).length === 0) {
+        return;
+    }
+    const { functionsSource, projectId, projectAlias, isEmulator } = envOpts;
+    let envFiles = findEnvfiles(functionsSource, projectId, projectAlias, isEmulator);
+    if (envFiles.length === 0) {
+        envFiles = [createEnvFile(envOpts)];
+    }
+    const currentEnvs = loadUserEnvs(envOpts);
+    for (const k of Object.keys(toWrite)) {
+        validateKey(k);
+        if (currentEnvs.hasOwnProperty(k)) {
+            throw new error_1.FirebaseError(`Attempted to write param-defined key ${k} to .env files, but it was already defined.`);
+        }
+    }
+    const mostSpecificEnv = path.join(functionsSource, envFiles[envFiles.length - 1]);
+    (0, utils_1.logBullet)(clc.cyan.bold("functions: ") + `Writing new parameter values to disk: ${mostSpecificEnv}`);
+    for (const k of Object.keys(toWrite)) {
+        fs.appendFileSync(mostSpecificEnv, formatUserEnvForWrite(k, toWrite[k]));
+    }
 }
 exports.writeUserEnvs = writeUserEnvs;
+function createEnvFile(envOpts) {
+    const fileToWrite = envOpts.isEmulator
+        ? FUNCTIONS_EMULATOR_DOTENV
+        : `.env.${envOpts.projectAlias || envOpts.projectId}`;
+    logger_1.logger.debug(`Creating ${fileToWrite}...`);
+    fs.writeFileSync(path.join(envOpts.functionsSource, fileToWrite), "", { flag: "wx" });
+    return fileToWrite;
+}
+function formatUserEnvForWrite(key, value) {
+    const escapedValue = value.replace(ALL_ESCAPABLE_CHARACTERS_RE, (match) => CHARACTERS_TO_ESCAPE_SEQUENCES[match]);
+    if (escapedValue !== value) {
+        return `${key}="${escapedValue}"\n`;
+    }
+    return `${key}=${escapedValue}\n`;
+}
 function loadUserEnvs({ functionsSource, projectId, projectAlias, isEmulator, }) {
     var _a;
     const envFiles = findEnvfiles(functionsSource, projectId, projectAlias, isEmulator);

package/lib/gcp/cloudfunctions.js

@@ -255,18 +255,20 @@ function endpointFromFunction(gcfFunction) {
     if (securityLevel) {
         endpoint.securityLevel = securityLevel;
     }
-    proto.copyIfPresent(endpoint, gcfFunction, "serviceAccountEmail", "availableMemoryMb", "minInstances", "maxInstances", "ingressSettings", "labels", "environmentVariables", "secretEnvironmentVariables", "sourceUploadUrl");
-    proto.renameIfPresent(endpoint, gcfFunction, "timeoutSeconds", "timeout", proto.secondsFromDuration);
+    proto.copyIfPresent(endpoint, gcfFunction, "minInstances", "maxInstances", "ingressSettings", "labels", "environmentVariables", "secretEnvironmentVariables", "sourceUploadUrl");
+    proto.renameIfPresent(endpoint, gcfFunction, "serviceAccount", "serviceAccountEmail");
+    proto.convertIfPresent(endpoint, gcfFunction, "availableMemoryMb", (raw) => raw);
+    proto.convertIfPresent(endpoint, gcfFunction, "timeoutSeconds", "timeout", (dur) => dur === null ? null : proto.secondsFromDuration(dur));
     if (gcfFunction.vpcConnector) {
         endpoint.vpc = { connector: gcfFunction.vpcConnector };
-        proto.renameIfPresent(endpoint.vpc, gcfFunction, "egressSettings", "vpcConnectorEgressSettings");
+        proto.convertIfPresent(endpoint.vpc, gcfFunction, "egressSettings", "vpcConnectorEgressSettings", (raw) => raw);
     }
     endpoint.codebase = ((_g = gcfFunction.labels) === null || _g === void 0 ? void 0 : _g[exports.CODEBASE_LABEL]) || projectConfig.DEFAULT_CODEBASE;
     return endpoint;
 }
 exports.endpointFromFunction = endpointFromFunction;
 function functionFromEndpoint(endpoint, sourceUploadUrl) {
-    var _a;
+    var _a, _b;
     if (endpoint.platform !== "gcfv1") {
         throw new error_1.FirebaseError("Trying to create a v1 CloudFunction with v2 API. This should never happen");
     }
@@ -281,8 +283,13 @@ function functionFromEndpoint(endpoint, sourceUploadUrl) {
         runtime: endpoint.runtime,
         dockerRegistry: "ARTIFACT_REGISTRY",
     };
-    proto.copyIfPresent(gcfFunction, endpoint, "labels");
+    if (typeof endpoint.labels !== "undefined") {
+        gcfFunction.labels = Object.assign({}, endpoint.labels);
+    }
     if (backend.isEventTriggered(endpoint)) {
+        if (!((_a = endpoint.eventTrigger.eventFilters) === null || _a === void 0 ? void 0 : _a.resource)) {
+            throw new error_1.FirebaseError("Cannot create v1 function from an eventTrigger without a resource");
+        }
         gcfFunction.eventTrigger = {
             eventType: endpoint.eventTrigger.eventType,
             resource: endpoint.eventTrigger.eventFilters.resource,
@@ -316,18 +323,24 @@ function functionFromEndpoint(endpoint, sourceUploadUrl) {
             gcfFunction.httpsTrigger.securityLevel = endpoint.securityLevel;
         }
     }
-    proto.copyIfPresent(gcfFunction, endpoint, "serviceAccountEmail", "availableMemoryMb", "minInstances", "maxInstances", "ingressSettings", "environmentVariables", "secretEnvironmentVariables");
-    proto.renameIfPresent(gcfFunction, endpoint, "timeout", "timeoutSeconds", proto.durationFromSeconds);
+    proto.copyIfPresent(gcfFunction, endpoint, "minInstances", "maxInstances", "ingressSettings", "environmentVariables", "secretEnvironmentVariables");
+    proto.renameIfPresent(gcfFunction, endpoint, "serviceAccountEmail", "serviceAccount");
+    proto.convertIfPresent(gcfFunction, endpoint, "availableMemoryMb", (mem) => mem);
+    proto.convertIfPresent(gcfFunction, endpoint, "timeout", "timeoutSeconds", (sec) => sec ? proto.durationFromSeconds(sec) : null);
     if (endpoint.vpc) {
         proto.renameIfPresent(gcfFunction, endpoint.vpc, "vpcConnector", "connector");
         proto.renameIfPresent(gcfFunction, endpoint.vpc, "vpcConnectorEgressSettings", "egressSettings");
     }
+    else if (endpoint.vpc === null) {
+        gcfFunction.vpcConnector = null;
+        gcfFunction.vpcConnectorEgressSettings = null;
+    }
     const codebase = endpoint.codebase || projectConfig.DEFAULT_CODEBASE;
     if (codebase !== projectConfig.DEFAULT_CODEBASE) {
         gcfFunction.labels = Object.assign(Object.assign({}, gcfFunction.labels), { [exports.CODEBASE_LABEL]: codebase });
     }
     else {
-        (_a = gcfFunction.labels) === null || _a === void 0 ? true : delete _a[exports.CODEBASE_LABEL];
+        (_b = gcfFunction.labels) === null || _b === void 0 ? true : delete _b[exports.CODEBASE_LABEL];
     }
     return gcfFunction;
 }

package/lib/gcp/cloudfunctionsv2.js

@@ -161,7 +161,7 @@ async function deleteFunction(cloudFunction) {
 }
 exports.deleteFunction = deleteFunction;
 function functionFromEndpoint(endpoint, source) {
-    var _a;
+    var _a, _b;
     if (endpoint.platform !== "gcfv2") {
         throw new error_1.FirebaseError("Trying to create a v2 CloudFunction with v1 API. This should never happen");
     }
@@ -182,7 +182,8 @@ function functionFromEndpoint(endpoint, source) {
         serviceConfig: {},
     };
     proto.copyIfPresent(gcfFunction, endpoint, "labels");
-    proto.copyIfPresent(gcfFunction.serviceConfig, endpoint, "environmentVariables", "secretEnvironmentVariables", "serviceAccountEmail", "ingressSettings", "timeoutSeconds");
+    proto.copyIfPresent(gcfFunction.serviceConfig, endpoint, "environmentVariables", "secretEnvironmentVariables", "ingressSettings", "timeoutSeconds");
+    proto.renameIfPresent(gcfFunction.serviceConfig, endpoint, "serviceAccountEmail", "serviceAccount");
     const mem = endpoint.availableMemoryMb || backend.DEFAULT_MEMORY;
     gcfFunction.serviceConfig.availableMemory = mem > 1024 ? `${mem / 1024}Gi` : `${mem}Mi`;
     proto.renameIfPresent(gcfFunction.serviceConfig, endpoint, "minInstanceCount", "minInstances");
@@ -191,11 +192,19 @@ function functionFromEndpoint(endpoint, source) {
         proto.renameIfPresent(gcfFunction.serviceConfig, endpoint.vpc, "vpcConnector", "connector");
         proto.renameIfPresent(gcfFunction.serviceConfig, endpoint.vpc, "vpcConnectorEgressSettings", "egressSettings");
     }
+    else if (endpoint.vpc === null) {
+        gcfFunction.serviceConfig.vpcConnector = null;
+        gcfFunction.serviceConfig.vpcConnectorEgressSettings = null;
+    }
     if (backend.isEventTriggered(endpoint)) {
         gcfFunction.eventTrigger = {
             eventType: endpoint.eventTrigger.eventType,
         };
         if (gcfFunction.eventTrigger.eventType === v2_1.PUBSUB_PUBLISH_EVENT) {
+            if (!((_a = endpoint.eventTrigger.eventFilters) === null || _a === void 0 ? void 0 : _a.topic)) {
+                throw new error_1.FirebaseError("Error: Pub/Sub event trigger is missing topic: " +
+                    JSON.stringify(endpoint.eventTrigger, null, 2));
+            }
             gcfFunction.eventTrigger.pubsubTopic = endpoint.eventTrigger.eventFilters.topic;
             gcfFunction.eventTrigger.eventFilters = [];
             for (const [attribute, value] of Object.entries(endpoint.eventTrigger.eventFilters)) {
@@ -206,7 +215,7 @@ function functionFromEndpoint(endpoint, source) {
         }
         else {
             gcfFunction.eventTrigger.eventFilters = [];
-            for (const [attribute, value] of Object.entries(endpoint.eventTrigger.eventFilters)) {
+            for (const [attribute, value] of Object.entries(endpoint.eventTrigger.eventFilters || {})) {
                 gcfFunction.eventTrigger.eventFilters.push({ attribute, value });
             }
             for (const [attribute, value] of Object.entries(endpoint.eventTrigger.eventFilterPathPatterns || {})) {
@@ -241,7 +250,7 @@ function functionFromEndpoint(endpoint, source) {
         gcfFunction.labels = Object.assign(Object.assign({}, gcfFunction.labels), { [exports.CODEBASE_LABEL]: codebase });
     }
     else {
-        (_a = gcfFunction.labels) === null || _a === void 0 ? true : delete _a[exports.CODEBASE_LABEL];
+        (_b = gcfFunction.labels) === null || _b === void 0 ? true : delete _b[exports.CODEBASE_LABEL];
     }
     return gcfFunction;
 }
@@ -273,29 +282,33 @@ function endpointFromFunction(gcfFunction) {
         };
     }
     else if (gcfFunction.eventTrigger) {
-        trigger = {
-            eventTrigger: {
-                eventType: gcfFunction.eventTrigger.eventType,
-                eventFilters: {},
-                retry: false,
-            },
-        };
+        const eventFilters = {};
+        const eventFilterPathPatterns = {};
         if (gcfFunction.eventTrigger.pubsubTopic) {
-            trigger.eventTrigger.eventFilters.topic = gcfFunction.eventTrigger.pubsubTopic;
+            eventFilters.topic = gcfFunction.eventTrigger.pubsubTopic;
         }
         else {
             for (const eventFilter of gcfFunction.eventTrigger.eventFilters || []) {
                 if (eventFilter.operator === "match-path-pattern") {
-                    if (!trigger.eventTrigger.eventFilterPathPatterns) {
-                        trigger.eventTrigger.eventFilterPathPatterns = {};
-                    }
-                    trigger.eventTrigger.eventFilterPathPatterns[eventFilter.attribute] = eventFilter.value;
+                    eventFilterPathPatterns[eventFilter.attribute] = eventFilter.value;
                 }
                 else {
-                    trigger.eventTrigger.eventFilters[eventFilter.attribute] = eventFilter.value;
+                    eventFilters[eventFilter.attribute] = eventFilter.value;
                 }
             }
         }
+        trigger = {
+            eventTrigger: {
+                eventType: gcfFunction.eventTrigger.eventType,
+                retry: false,
+            },
+        };
+        if (Object.keys(eventFilters).length) {
+            trigger.eventTrigger.eventFilters = eventFilters;
+        }
+        if (Object.keys(eventFilterPathPatterns).length) {
+            trigger.eventTrigger.eventFilterPathPatterns = eventFilterPathPatterns;
+        }
         proto.copyIfPresent(trigger.eventTrigger, gcfFunction.eventTrigger, "channel");
         proto.renameIfPresent(trigger.eventTrigger, gcfFunction.eventTrigger, "region", "triggerRegion");
     }
@@ -308,8 +321,19 @@ function endpointFromFunction(gcfFunction) {
     const endpoint = Object.assign(Object.assign({ platform: "gcfv2", id,
         project,
         region }, trigger), { entryPoint: gcfFunction.buildConfig.entryPoint, runtime: gcfFunction.buildConfig.runtime, uri: gcfFunction.serviceConfig.uri });
-    proto.copyIfPresent(endpoint, gcfFunction.serviceConfig, "serviceAccountEmail", "ingressSettings", "environmentVariables", "secretEnvironmentVariables", "timeoutSeconds");
-    proto.renameIfPresent(endpoint, gcfFunction.serviceConfig, "availableMemoryMb", "availableMemory", mebibytes);
+    proto.copyIfPresent(endpoint, gcfFunction.serviceConfig, "ingressSettings", "environmentVariables", "secretEnvironmentVariables", "timeoutSeconds");
+    proto.renameIfPresent(endpoint, gcfFunction.serviceConfig, "serviceAccount", "serviceAccountEmail");
+    proto.convertIfPresent(endpoint, gcfFunction.serviceConfig, "availableMemoryMb", "availableMemory", (prod) => {
+        if (prod === null) {
+            logger_1.logger.debug("Prod should always return a valid memory amount");
+            return prod;
+        }
+        const mem = mebibytes(prod);
+        if (!backend.isValidMemoryOption(mem)) {
+            logger_1.logger.warn("Converting a function to an endpoint with an invalid memory option", mem);
+        }
+        return mem;
+    });
     proto.renameIfPresent(endpoint, gcfFunction.serviceConfig, "minInstances", "minInstanceCount");
     proto.renameIfPresent(endpoint, gcfFunction.serviceConfig, "maxInstances", "maxInstanceCount");
     proto.copyIfPresent(endpoint, gcfFunction, "labels");

package/lib/gcp/cloudscheduler.js

@@ -1,6 +1,6 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.jobFromEndpoint = exports.createOrReplaceJob = exports.updateJob = exports.getJob = exports.deleteJob = exports.createJob = exports.assertValidJob = void 0;
+exports.jobFromEndpoint = exports.topicNameForEndpoint = exports.jobNameForEndpoint = exports.createOrReplaceJob = exports.updateJob = exports.getJob = exports.deleteJob = exports.createJob = void 0;
 const _ = require("lodash");
 const error_1 = require("../error");
 const logger_1 = require("../logger");
@@ -11,13 +11,6 @@ const proto = require("./proto");
 const functional_1 = require("../functional");
 const VERSION = "v1beta1";
 const DEFAULT_TIME_ZONE = "America/Los_Angeles";
-function assertValidJob(job) {
-    proto.assertOneOf("Scheduler Job", job, "target", "httpTarget", "pubsubTarget");
-    if (job.httpTarget) {
-        proto.assertOneOf("Scheduler Job", job.httpTarget, "httpTarget.authorizationHeader", "oauthToken", "odicToken");
-    }
-}
-exports.assertValidJob = assertValidJob;
 const apiClient = new apiv2_1.Client({ urlPrefix: api_1.cloudschedulerOrigin, apiVersion: VERSION });
 function createJob(job) {
     const strippedName = job.name.substring(0, job.name.lastIndexOf("/"));
@@ -76,14 +69,22 @@ function isIdentical(job, otherJob) {
         job.timeZone === otherJob.timeZone &&
         _.isEqual(job.retryConfig, otherJob.retryConfig));
 }
+function jobNameForEndpoint(endpoint, appEngineLocation) {
+    const id = backend.scheduleIdForFunction(endpoint);
+    return `projects/${endpoint.project}/locations/${appEngineLocation}/jobs/${id}`;
+}
+exports.jobNameForEndpoint = jobNameForEndpoint;
+function topicNameForEndpoint(endpoint) {
+    const id = backend.scheduleIdForFunction(endpoint);
+    return `projects/${endpoint.project}/topics/${id}`;
+}
+exports.topicNameForEndpoint = topicNameForEndpoint;
 function jobFromEndpoint(endpoint, appEngineLocation) {
     const job = {};
     if (endpoint.platform === "gcfv1") {
-        const id = backend.scheduleIdForFunction(endpoint);
-        const region = appEngineLocation;
-        job.name = `projects/${endpoint.project}/locations/${region}/jobs/${id}`;
+        job.name = jobNameForEndpoint(endpoint, appEngineLocation);
         job.pubsubTarget = {
-            topicName: `projects/${endpoint.project}/topics/${id}`,
+            topicName: topicNameForEndpoint(endpoint),
             attributes: {
                 scheduled: "true",
             },
@@ -95,7 +96,18 @@ function jobFromEndpoint(endpoint, appEngineLocation) {
     else {
         (0, functional_1.assertExhaustive)(endpoint.platform);
     }
-    proto.copyIfPresent(job, endpoint.scheduleTrigger, "schedule", "retryConfig", "timeZone");
+    if (!endpoint.scheduleTrigger.schedule) {
+        throw new error_1.FirebaseError("Cannot create a scheduler job without a schedule:" + JSON.stringify(endpoint));
+    }
+    job.schedule = endpoint.scheduleTrigger.schedule;
+    job.timeZone = endpoint.scheduleTrigger.timeZone || DEFAULT_TIME_ZONE;
+    if (endpoint.scheduleTrigger.retryConfig) {
+        job.retryConfig = {};
+        proto.copyIfPresent(job.retryConfig, endpoint.scheduleTrigger.retryConfig, "maxDoublings", "retryCount");
+        proto.convertIfPresent(job.retryConfig, endpoint.scheduleTrigger.retryConfig, "maxBackoffDuration", "maxBackoffSeconds", (0, functional_1.nullsafeVisitor)(proto.durationFromSeconds));
+        proto.convertIfPresent(job.retryConfig, endpoint.scheduleTrigger.retryConfig, "minBackoffDuration", "minBackoffSeconds", (0, functional_1.nullsafeVisitor)(proto.durationFromSeconds));
+        proto.convertIfPresent(job.retryConfig, endpoint.scheduleTrigger.retryConfig, "maxRetryDuration", "maxRetrySeconds", (0, functional_1.nullsafeVisitor)(proto.durationFromSeconds));
+    }
     return job;
 }
 exports.jobFromEndpoint = jobFromEndpoint;

package/lib/gcp/cloudtasks.js

@@ -4,6 +4,7 @@ exports.queueFromEndpoint = exports.queueNameForEndpoint = exports.setEnqueuer =
 const proto = require("./proto");
 const apiv2_1 = require("../apiv2");
 const api_1 = require("../api");
+const functional_1 = require("../functional");
 const API_VERSION = "v2";
 const client = new apiv2_1.Client({
     urlPrefix: api_1.cloudTasksOrigin,
@@ -136,9 +137,9 @@ function queueFromEndpoint(endpoint) {
     }
     if (endpoint.taskQueueTrigger.retryConfig) {
         proto.copyIfPresent(queue.retryConfig, endpoint.taskQueueTrigger.retryConfig, "maxAttempts", "maxDoublings");
-        proto.renameIfPresent(queue.retryConfig, endpoint.taskQueueTrigger.retryConfig, "maxRetryDuration", "maxRetrySeconds", proto.durationFromSeconds);
-        proto.renameIfPresent(queue.retryConfig, endpoint.taskQueueTrigger.retryConfig, "maxBackoff", "maxBackoffSeconds", proto.durationFromSeconds);
-        proto.renameIfPresent(queue.retryConfig, endpoint.taskQueueTrigger.retryConfig, "minBackoff", "minBackoffSeconds", proto.durationFromSeconds);
+        proto.convertIfPresent(queue.retryConfig, endpoint.taskQueueTrigger.retryConfig, "maxRetryDuration", "maxRetrySeconds", (0, functional_1.nullsafeVisitor)(proto.durationFromSeconds));
+        proto.convertIfPresent(queue.retryConfig, endpoint.taskQueueTrigger.retryConfig, "maxBackoff", "maxBackoffSeconds", (0, functional_1.nullsafeVisitor)(proto.durationFromSeconds));
+        proto.convertIfPresent(queue.retryConfig, endpoint.taskQueueTrigger.retryConfig, "minBackoff", "minBackoffSeconds", (0, functional_1.nullsafeVisitor)(proto.durationFromSeconds));
     }
     return queue;
 }

package/lib/gcp/iam.js

@@ -2,11 +2,9 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.testIamPermissions = exports.testResourceIamPermissions = exports.getRole = exports.deleteServiceAccount = exports.createServiceAccountKey = exports.getServiceAccount = exports.createServiceAccount = void 0;
 const api_1 = require("../api");
-const lodash_1 = require("lodash");
 const logger_1 = require("../logger");
 const apiv2_1 = require("../apiv2");
-const API_VERSION = "v1";
-const apiClient = new apiv2_1.Client({ urlPrefix: api_1.iamOrigin, apiVersion: API_VERSION });
+const apiClient = new apiv2_1.Client({ urlPrefix: api_1.iamOrigin, apiVersion: "v1" });
 async function createServiceAccount(projectId, accountId, description, displayName) {
     const response = await apiClient.post(`/projects/${projectId}/serviceAccounts`, {
         accountId,
@@ -31,8 +29,8 @@ async function createServiceAccountKey(projectId, serviceAccountName) {
     return response.body;
 }
 exports.createServiceAccountKey = createServiceAccountKey;
-function deleteServiceAccount(projectId, accountEmail) {
-    return apiClient.delete(`/projects/${projectId}/serviceAccounts/${accountEmail}`, {
+async function deleteServiceAccount(projectId, accountEmail) {
+    await apiClient.delete(`/projects/${projectId}/serviceAccounts/${accountEmail}`, {
         resolveOnHTTPError: true,
     });
 }
@@ -44,25 +42,30 @@ async function getRole(role) {
     return response.body;
 }
 exports.getRole = getRole;
-async function testResourceIamPermissions(origin, apiVersion, resourceName, permissions) {
+async function testResourceIamPermissions(origin, apiVersion, resourceName, permissions, quotaUser = "") {
     const localClient = new apiv2_1.Client({ urlPrefix: origin, apiVersion });
     if (process.env.FIREBASE_SKIP_INFORMATIONAL_IAM) {
-        logger_1.logger.debug("[iam] skipping informational check of permissions", JSON.stringify(permissions), "on resource", resourceName);
-        return { allowed: permissions, missing: [], passed: true };
+        logger_1.logger.debug(`[iam] skipping informational check of permissions ${JSON.stringify(permissions)} on resource ${resourceName}`);
+        return { allowed: Array.from(permissions).sort(), missing: [], passed: true };
+    }
+    const headers = {};
+    if (quotaUser) {
+        headers["x-goog-quota-user"] = quotaUser;
+    }
+    const response = await localClient.post(`/${resourceName}:testIamPermissions`, { permissions }, { headers });
+    const allowed = new Set(response.body.permissions || []);
+    const missing = new Set(permissions);
+    for (const p of allowed) {
+        missing.delete(p);
     }
-    const response = await localClient.post(`/${resourceName}:testIamPermissions`, {
-        permissions,
-    });
-    const allowed = (response.body.permissions || []).sort();
-    const missing = (0, lodash_1.difference)(permissions, allowed);
     return {
-        allowed,
-        missing,
-        passed: missing.length === 0,
+        allowed: Array.from(allowed).sort(),
+        missing: Array.from(missing).sort(),
+        passed: missing.size === 0,
     };
 }
 exports.testResourceIamPermissions = testResourceIamPermissions;
 async function testIamPermissions(projectId, permissions) {
-    return testResourceIamPermissions(api_1.resourceManagerOrigin, "v1", `projects/${projectId}`, permissions);
+    return testResourceIamPermissions(api_1.resourceManagerOrigin, "v1", `projects/${projectId}`, permissions, `projects/${projectId}`);
 }
 exports.testIamPermissions = testIamPermissions;

package/lib/gcp/proto.js

@@ -1,6 +1,6 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.formatServiceAccount = exports.getInvokerMembers = exports.fieldMasks = exports.renameIfPresent = exports.copyIfPresent = exports.assertOneOf = exports.durationFromSeconds = exports.secondsFromDuration = void 0;
+exports.formatServiceAccount = exports.getInvokerMembers = exports.fieldMasks = exports.renameIfPresent = exports.convertIfPresent = exports.copyIfPresent = exports.assertOneOf = exports.durationFromSeconds = exports.secondsFromDuration = void 0;
 const error_1 = require("../error");
 function secondsFromDuration(d) {
     return +d.slice(0, d.length - 1);
@@ -32,13 +32,25 @@ function copyIfPresent(dest, src, ...fields) {
     }
 }
 exports.copyIfPresent = copyIfPresent;
-function renameIfPresent(dest, src, destField, srcField, converter = (from) => {
-    return from;
-}) {
-    if (!Object.prototype.hasOwnProperty.call(src, srcField)) {
+function convertIfPresent(...args) {
+    if (args.length === 4) {
+        const [dest, src, key, converter] = args;
+        if (Object.prototype.hasOwnProperty.call(src, key)) {
+            dest[key] = converter(src[key]);
+        }
+        return;
+    }
+    const [dest, src, destKey, srcKey, converter] = args;
+    if (Object.prototype.hasOwnProperty.call(src, srcKey)) {
+        dest[destKey] = converter(src[srcKey]);
+    }
+}
+exports.convertIfPresent = convertIfPresent;
+function renameIfPresent(dest, src, destKey, srcKey) {
+    if (!Object.prototype.hasOwnProperty.call(src, srcKey)) {
         return;
     }
-    dest[destField] = converter(src[srcField]);
+    dest[destKey] = src[srcKey];
 }
 exports.renameIfPresent = renameIfPresent;
 function fieldMasks(object, ...doNotRecurseIn) {

package/lib/gcp/resourceManager.js

@@ -1,6 +1,6 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.addServiceAccountToRoles = exports.setIamPolicy = exports.getIamPolicy = exports.firebaseRoles = void 0;
+exports.serviceAccountHasRoles = exports.addServiceAccountToRoles = exports.setIamPolicy = exports.getIamPolicy = exports.firebaseRoles = void 0;
 const lodash_1 = require("lodash");
 const api_1 = require("../api");
 const apiv2_1 = require("../apiv2");
@@ -26,9 +26,11 @@ async function setIamPolicy(projectIdOrNumber, newPolicy, updateMask = "") {
     return response.body;
 }
 exports.setIamPolicy = setIamPolicy;
-async function addServiceAccountToRoles(projectId, serviceAccountName, roles) {
+async function addServiceAccountToRoles(projectId, serviceAccountName, roles, skipAccountLookup = false) {
     const [{ name: fullServiceAccountName }, projectPolicy] = await Promise.all([
-        (0, iam_1.getServiceAccount)(projectId, serviceAccountName),
+        skipAccountLookup
+            ? Promise.resolve({ name: serviceAccountName })
+            : (0, iam_1.getServiceAccount)(projectId, serviceAccountName),
         getIamPolicy(projectId),
     ]);
     const newMemberName = `serviceAccount:${fullServiceAccountName.split("/").pop()}`;
@@ -49,3 +51,23 @@ async function addServiceAccountToRoles(projectId, serviceAccountName, roles) {
     return setIamPolicy(projectId, projectPolicy, "bindings");
 }
 exports.addServiceAccountToRoles = addServiceAccountToRoles;
+async function serviceAccountHasRoles(projectId, serviceAccountName, roles, skipAccountLookup = false) {
+    const [{ name: fullServiceAccountName }, projectPolicy] = await Promise.all([
+        skipAccountLookup
+            ? Promise.resolve({ name: serviceAccountName })
+            : (0, iam_1.getServiceAccount)(projectId, serviceAccountName),
+        getIamPolicy(projectId),
+    ]);
+    const memberName = `serviceAccount:${fullServiceAccountName.split("/").pop()}`;
+    for (const roleName of roles) {
+        const binding = projectPolicy.bindings.find((b) => b.role === roleName);
+        if (!binding) {
+            return false;
+        }
+        if (!binding.members.includes(memberName)) {
+            return false;
+        }
+    }
+    return true;
+}
+exports.serviceAccountHasRoles = serviceAccountHasRoles;

package/lib/index.js

@@ -9,7 +9,7 @@ program.version(pkg.version);
 program.option("-P, --project <alias_or_project_id>", "the Firebase project to use for this command");
 program.option("--account <email>", "the Google account to use for authorization");
 program.option("-j, --json", "output JSON instead of text, also triggers non-interactive mode");
-program.option("--token <token>", "supply an auth token for this command");
+program.option("--token <token>", "DEPRECATED - will be removed in a future major version - supply an auth token for this command");
 program.option("--non-interactive", "error out of the command instead of waiting for prompts");
 program.option("-i, --interactive", "force prompts to be displayed");
 program.option("--debug", "print verbose debug output and keep a debug log file");

package/lib/previews.js

@@ -3,7 +3,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.previews = void 0;
 const lodash_1 = require("lodash");
 const configstore_1 = require("./configstore");
-exports.previews = Object.assign({ rtdbrules: false, ext: false, extdev: false, rtdbmanagement: false, golang: false, deletegcfartifacts: false, emulatoruisnapshot: false, frameworkawareness: false, functionsparams: false }, configstore_1.configstore.get("previews"));
+exports.previews = Object.assign({ rtdbrules: false, ext: false, extdev: false, rtdbmanagement: false, golang: false, deletegcfartifacts: false, emulatoruisnapshot: false, frameworkawareness: false, functionsparams: false, crossservicerules: false }, configstore_1.configstore.get("previews"));
 if (process.env.FIREBASE_CLI_PREVIEWS) {
     process.env.FIREBASE_CLI_PREVIEWS.split(",").forEach((feature) => {
         if ((0, lodash_1.has)(exports.previews, feature)) {

package/lib/rc.js

@@ -136,15 +136,9 @@ class RC {
     requireTarget(project, type, name) {
         const target = this.target(project, type, name);
         if (!target.length) {
-            throw new error_1.FirebaseError("Deploy target " +
-                clc.bold(name) +
-                " not configured for project " +
-                clc.bold(project) +
-                ". Configure with:\n\n  firebase target:apply " +
-                type +
-                " " +
-                name +
-                " <resources...>");
+            throw new error_1.FirebaseError(`Deploy target ${clc.bold(name)} not configured for project ${clc.bold(project)}. Configure with:
+
+  firebase target:apply ${type} ${name} <resources...>`);
         }
         return target;
     }

package/lib/requireAuth.js

@@ -32,9 +32,13 @@ async function requireAuth(options) {
     let tokenOpt = utils.getInheritedOption(options, "token");
     if (tokenOpt) {
         logger_1.logger.debug("> authorizing via --token option");
+        utils.logWarning("Authenticating with `--token` is deprecated and will be removed in a future major version of `firebase-tools`. " +
+            "Instead, use a service account key with `GOOGLE_APPLICATION_CREDENTIALS`: https://cloud.google.com/docs/authentication/getting-started");
     }
     else if (process.env.FIREBASE_TOKEN) {
         logger_1.logger.debug("> authorizing via FIREBASE_TOKEN environment variable");
+        utils.logWarning("Authenticating with `FIREBASE_TOKEN` is deprecated and will be removed in a future major version of `firebase-tools`. " +
+            "Instead, use a service account key with `GOOGLE_APPLICATION_CREDENTIALS`: https://cloud.google.com/docs/authentication/getting-started");
     }
     else if (user) {
         logger_1.logger.debug(`> authorizing via signed-in user (${user.email})`);