firebase-tools 13.15.4 → 13.17.0

package/lib/gcp/cloudsql/connect.js

@@ -1,15 +1,17 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.firebaseowner = exports.setupIAMUser = exports.execute = void 0;
+exports.toDatabaseUser = exports.setupIAMUsers = exports.getIAMUser = exports.getDataConnectP4SA = exports.executeSqlCmdsAsSuperUser = exports.executeSqlCmdsAsIamUser = exports.execute = void 0;
 const pg = require("pg");
 const cloud_sql_connector_1 = require("@google-cloud/cloud-sql-connector");
 const requireAuth_1 = require("../../requireAuth");
 const projectUtils_1 = require("../../projectUtils");
+const api_1 = require("../../api");
 const cloudSqlAdminClient = require("./cloudsqladmin");
 const utils = require("../../utils");
 const logger_1 = require("../../logger");
 const error_1 = require("../../error");
 const fbToolsAuthClient_1 = require("./fbToolsAuthClient");
+const permissions_1 = require("./permissions");
 async function execute(sqlStatements, opts) {
     const logFn = opts.silent ? logger_1.logger.debug : logger_1.logger.info;
     const instance = await cloudSqlAdminClient.getInstance(opts.projectId, opts.instanceId);
@@ -74,52 +76,61 @@ async function execute(sqlStatements, opts) {
     connector.close();
 }
 exports.execute = execute;
-async function setupIAMUser(instanceId, databaseId, options) {
+async function executeSqlCmdsAsIamUser(options, instanceId, databaseId, cmds, silent = false) {
     const projectId = (0, projectUtils_1.needProjectId)(options);
+    const { user: iamUser } = await getIAMUser(options);
+    return await execute(cmds, {
+        projectId,
+        instanceId,
+        databaseId,
+        username: iamUser,
+        silent: silent,
+    });
+}
+exports.executeSqlCmdsAsIamUser = executeSqlCmdsAsIamUser;
+async function executeSqlCmdsAsSuperUser(options, instanceId, databaseId, cmds, silent = false) {
+    const projectId = (0, projectUtils_1.needProjectId)(options);
+    const superuser = "firebasesuperuser";
+    const temporaryPassword = utils.generateId(20);
+    await cloudSqlAdminClient.createUser(projectId, instanceId, "BUILT_IN", superuser, temporaryPassword);
+    return await execute([`SET ROLE = cloudsqlsuperuser`, ...cmds], {
+        projectId,
+        instanceId,
+        databaseId,
+        username: superuser,
+        password: temporaryPassword,
+        silent: silent,
+    });
+}
+exports.executeSqlCmdsAsSuperUser = executeSqlCmdsAsSuperUser;
+function getDataConnectP4SA(projectNumber) {
+    return `service-${projectNumber}@${(0, api_1.dataconnectP4SADomain)()}`;
+}
+exports.getDataConnectP4SA = getDataConnectP4SA;
+async function getIAMUser(options) {
     const account = await (0, requireAuth_1.requireAuth)(options);
     if (!account) {
         throw new error_1.FirebaseError("No account to set up! Run `firebase login` or set Application Default Credentials");
     }
-    const setupUser = "firebasesuperuser";
-    const temporaryPassword = utils.generateId(20);
-    await cloudSqlAdminClient.createUser(projectId, instanceId, "BUILT_IN", setupUser, temporaryPassword);
-    const { user, mode } = toDatabaseUser(account);
+    return toDatabaseUser(account);
+}
+exports.getIAMUser = getIAMUser;
+async function setupIAMUsers(instanceId, databaseId, options) {
+    const projectId = (0, projectUtils_1.needProjectId)(options);
+    const { user, mode } = await getIAMUser(options);
     await cloudSqlAdminClient.createUser(projectId, instanceId, mode, user);
+    const projectNumber = await (0, projectUtils_1.needProjectNumber)(options);
+    const { user: fdcP4SAUser, mode: fdcP4SAmode } = toDatabaseUser(getDataConnectP4SA(projectNumber));
+    await cloudSqlAdminClient.createUser(projectId, instanceId, fdcP4SAmode, fdcP4SAUser);
+    await (0, permissions_1.setupSQLPermissions)(instanceId, databaseId, options, true);
     const grants = [
-        `do
-      $$
-      begin
-        if not exists (select FROM pg_catalog.pg_roles
-          WHERE  rolname = '${firebaseowner(databaseId)}') then
-          CREATE ROLE "${firebaseowner(databaseId)}" WITH ADMIN "${setupUser}";
-        end if;
-      end
-      $$
-      ;`,
-        `GRANT ALL PRIVILEGES ON DATABASE "${databaseId}" TO "${firebaseowner(databaseId)}"`,
-        `GRANT cloudsqlsuperuser TO "${firebaseowner(databaseId)}"`,
-        `GRANT "${firebaseowner(databaseId)}" TO "${setupUser}"`,
-        `GRANT "${firebaseowner(databaseId)}" TO "${user}"`,
-        `ALTER SCHEMA public OWNER TO "${firebaseowner(databaseId)}"`,
-        `GRANT USAGE ON SCHEMA "public" TO PUBLIC`,
-        `GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA "public" TO PUBLIC`,
-        `GRANT ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA "public" TO PUBLIC`,
+        `GRANT "${(0, permissions_1.firebaseowner)(databaseId)}" TO "${user}"`,
+        `GRANT "${(0, permissions_1.firebasewriter)(databaseId)}" TO "${fdcP4SAUser}"`,
     ];
-    await execute(grants, {
-        projectId,
-        instanceId,
-        databaseId,
-        username: setupUser,
-        password: temporaryPassword,
-        silent: true,
-    });
+    await executeSqlCmdsAsSuperUser(options, instanceId, databaseId, grants, true);
     return user;
 }
-exports.setupIAMUser = setupIAMUser;
-function firebaseowner(databaseId) {
-    return `firebaseowner_${databaseId}_public`;
-}
-exports.firebaseowner = firebaseowner;
+exports.setupIAMUsers = setupIAMUsers;
 function toDatabaseUser(account) {
     let mode = "CLOUD_IAM_USER";
     let user = account;
@@ -129,3 +140,4 @@ function toDatabaseUser(account) {
     }
     return { user, mode };
 }
+exports.toDatabaseUser = toDatabaseUser;

package/lib/gcp/cloudsql/permissions.js

@@ -0,0 +1,160 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.setupSQLPermissions = exports.iamUserIsCSQLAdmin = exports.checkSQLRoleIsGranted = exports.firebasewriter = exports.firebasereader = exports.firebaseowner = void 0;
+const projectUtils_1 = require("../../projectUtils");
+const connect_1 = require("./connect");
+const iam_1 = require("../iam");
+const logger_1 = require("../../logger");
+const lodash_1 = require("lodash");
+const error_1 = require("../../error");
+function firebaseowner(databaseId) {
+    return `firebaseowner_${databaseId}_public`;
+}
+exports.firebaseowner = firebaseowner;
+function firebasereader(databaseId) {
+    return `firebasereader_${databaseId}_public`;
+}
+exports.firebasereader = firebasereader;
+function firebasewriter(databaseId) {
+    return `firebasewriter_${databaseId}_public`;
+}
+exports.firebasewriter = firebasewriter;
+async function checkSQLRoleIsGranted(options, instanceId, databaseId, grantedRole, granteeRole) {
+    const checkCmd = `
+    DO $$
+    DECLARE
+        role_count INTEGER;
+    BEGIN
+        -- Count the number of rows matching the criteria
+        SELECT COUNT(*)
+        INTO role_count
+        FROM
+          pg_auth_members m
+        JOIN
+          pg_roles grantee ON grantee.oid = m.member
+        JOIN
+          pg_roles granted ON granted.oid = m.roleid
+        JOIN
+          pg_roles grantor ON grantor.oid = m.grantor
+        WHERE
+          granted.rolname = '${grantedRole}'
+          AND grantee.rolname = '${granteeRole}';
+
+        -- If no rows were found, raise an exception
+        IF role_count = 0 THEN
+            RAISE EXCEPTION 'Role "%", is not granted to role "%".', '${grantedRole}', '${granteeRole}';
+        END IF;
+    END $$;
+`;
+    try {
+        await (0, connect_1.executeSqlCmdsAsIamUser)(options, instanceId, databaseId, [checkCmd], true);
+        return true;
+    }
+    catch (e) {
+        if (e instanceof error_1.FirebaseError && e.message.includes("not granted to role")) {
+            return false;
+        }
+        logger_1.logger.error(`Role Check Failed: ${e}`);
+        throw e;
+    }
+}
+exports.checkSQLRoleIsGranted = checkSQLRoleIsGranted;
+async function iamUserIsCSQLAdmin(options) {
+    const projectId = (0, projectUtils_1.needProjectId)(options);
+    const requiredPermissions = [
+        "cloudsql.instances.connect",
+        "cloudsql.instances.get",
+        "cloudsql.users.create",
+        "cloudsql.users.update",
+    ];
+    try {
+        const iamResult = await (0, iam_1.testIamPermissions)(projectId, requiredPermissions);
+        return iamResult.passed;
+    }
+    catch (err) {
+        logger_1.logger.debug(`[iam] error while checking permissions, command may fail: ${err}`);
+        return false;
+    }
+}
+exports.iamUserIsCSQLAdmin = iamUserIsCSQLAdmin;
+function ownerRolePermissions(databaseId, superuser, schema) {
+    const firebaseOwnerRole = firebaseowner(databaseId);
+    return [
+        `do
+      $$
+      begin
+        if not exists (select FROM pg_catalog.pg_roles
+          WHERE  rolname = '${firebaseOwnerRole}') then
+          CREATE ROLE "${firebaseOwnerRole}" WITH ADMIN "${superuser}";
+        end if;
+      end
+      $$
+    ;`,
+        `GRANT "${firebaseOwnerRole}" TO "cloudsqlsuperuser"`,
+        `ALTER SCHEMA "${schema}" OWNER TO "${firebaseOwnerRole}"`,
+        `GRANT USAGE ON SCHEMA "${schema}" TO "${firebaseOwnerRole}"`,
+        `GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA "${schema}" TO "${firebaseOwnerRole}"`,
+        `GRANT ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA "${schema}" TO "${firebaseOwnerRole}"`,
+    ];
+}
+function writerRolePermissions(databaseId, superuser, schema) {
+    const firebaseWriterRole = firebasewriter(databaseId);
+    return [
+        `do
+      $$
+      begin
+        if not exists (select FROM pg_catalog.pg_roles
+          WHERE  rolname = '${firebaseWriterRole}') then
+          CREATE ROLE "${firebaseWriterRole}" WITH ADMIN "${superuser}";
+        end if;
+      end
+      $$
+    ;`,
+        `GRANT "${firebaseWriterRole}" TO "cloudsqlsuperuser"`,
+        `GRANT USAGE ON SCHEMA "${schema}" TO "${firebaseWriterRole}"`,
+        `GRANT SELECT, INSERT, UPDATE, DELETE, TRUNCATE ON ALL TABLES IN SCHEMA "${schema}" TO "${firebaseWriterRole}"`,
+        `GRANT USAGE, SELECT ON ALL SEQUENCES IN SCHEMA "${schema}" TO "${firebaseWriterRole}"`,
+        `GRANT EXECUTE ON ALL FUNCTIONS IN SCHEMA "${schema}" TO "${firebaseWriterRole}"`,
+        `SET ROLE = '${firebaseowner(databaseId)}';`,
+        `ALTER DEFAULT PRIVILEGES IN SCHEMA "${schema}" GRANT SELECT, INSERT, UPDATE, DELETE, TRUNCATE ON TABLES TO "${firebaseWriterRole}";`,
+        `ALTER DEFAULT PRIVILEGES IN SCHEMA "${schema}" GRANT USAGE ON SEQUENCES TO "${firebaseWriterRole}";`,
+        `ALTER DEFAULT PRIVILEGES IN SCHEMA "${schema}" GRANT EXECUTE ON FUNCTIONS TO "${firebaseWriterRole}"`,
+        `SET ROLE = cloudsqlsuperuser`,
+    ];
+}
+function readerRolePermissions(databaseId, superuser, schema) {
+    const firebaseReaderRole = firebasereader(databaseId);
+    return [
+        `do
+      $$
+      begin
+        if not exists (select FROM pg_catalog.pg_roles
+          WHERE  rolname = '${firebaseReaderRole}') then
+          CREATE ROLE "${firebaseReaderRole}" WITH ADMIN "${superuser}";
+        end if;
+      end
+      $$
+    ;`,
+        `GRANT "${firebaseReaderRole}" TO "cloudsqlsuperuser"`,
+        `GRANT USAGE ON SCHEMA "${schema}" TO "${firebaseReaderRole}"`,
+        `GRANT SELECT ON ALL TABLES IN SCHEMA "${schema}" TO "${firebaseReaderRole}"`,
+        `GRANT USAGE, SELECT ON ALL SEQUENCES IN SCHEMA "${schema}" TO "${firebaseReaderRole}"`,
+        `GRANT EXECUTE ON ALL FUNCTIONS IN SCHEMA "${schema}" TO "${firebaseReaderRole}"`,
+        `SET ROLE = '${firebaseowner(databaseId)}';`,
+        `ALTER DEFAULT PRIVILEGES IN SCHEMA "${schema}" GRANT SELECT ON TABLES TO "${firebaseReaderRole}";`,
+        `ALTER DEFAULT PRIVILEGES IN SCHEMA "${schema}" GRANT SELECT, USAGE ON SEQUENCES TO "${firebaseReaderRole}";`,
+        `ALTER DEFAULT PRIVILEGES IN SCHEMA "${schema}" GRANT EXECUTE ON FUNCTIONS TO "${firebaseReaderRole}"`,
+        `SET ROLE = cloudsqlsuperuser`,
+    ];
+}
+async function setupSQLPermissions(instanceId, databaseId, options, silent = false) {
+    const superuser = "firebasesuperuser";
+    const revokes = [];
+    if (await checkSQLRoleIsGranted(options, instanceId, databaseId, "cloudsqlsuperuser", firebaseowner(databaseId))) {
+        logger_1.logger.warn("Detected cloudsqlsuperuser was previously given to firebase owner, revoking to improve database security.");
+        revokes.push(`REVOKE "cloudsqlsuperuser" FROM "${firebaseowner(databaseId)}"`);
+    }
+    const sqlRoleSetupCmds = (0, lodash_1.concat)(revokes, [`CREATE SCHEMA IF NOT EXISTS "public"`], ownerRolePermissions(databaseId, superuser, "public"), writerRolePermissions(databaseId, superuser, "public"), readerRolePermissions(databaseId, superuser, "public"));
+    return (0, connect_1.executeSqlCmdsAsSuperUser)(options, instanceId, databaseId, sqlRoleSetupCmds, silent);
+}
+exports.setupSQLPermissions = setupSQLPermissions;

package/lib/init/features/dataconnect/index.js

@@ -179,13 +179,16 @@ async function promptForService(setup, info) {
                         info.schemaGql = choice.schema.source.files;
                     }
                     info.cloudSqlDatabase = (_d = (_c = choice.schema.primaryDatasource.postgresql) === null || _c === void 0 ? void 0 : _c.database) !== null && _d !== void 0 ? _d : "";
-                    const connectors = await (0, client_1.listConnectors)(choice.service.name);
+                    const connectors = await (0, client_1.listConnectors)(choice.service.name, [
+                        "connectors.name",
+                        "connectors.source.files",
+                    ]);
                     if (connectors.length) {
                         info.connectors = connectors.map((c) => {
                             const id = c.name.split("/").pop();
                             return {
                                 id,
-                                path: `./${id}`,
+                                path: connectors.length === 1 ? "./connector" : `./${id}`,
                                 files: c.source.files || [],
                             };
                         });

package/lib/utils.js

@@ -589,6 +589,14 @@ function readSecretValue(prompt, dataFile) {
     if (dataFile && dataFile !== "-") {
         input = dataFile;
     }
-    return Promise.resolve(fs.readFileSync(input, "utf-8"));
+    try {
+        return Promise.resolve(fs.readFileSync(input, "utf-8"));
+    }
+    catch (e) {
+        if (e.code === "ENOENT") {
+            throw new error_1.FirebaseError(`File not found: ${input}`, { original: e });
+        }
+        throw e;
+    }
 }
 exports.readSecretValue = readSecretValue;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "firebase-tools",
-  "version": "13.15.4",
+  "version": "13.17.0",
   "description": "Command-Line Interface for Firebase",
   "main": "./lib/index.js",
   "bin": {

package/schema/firebase-config.json

@@ -357,6 +357,18 @@
         "emulators": {
             "additionalProperties": false,
             "properties": {
+                "apphosting": {
+                    "additionalProperties": false,
+                    "properties": {
+                        "host": {
+                            "type": "string"
+                        },
+                        "port": {
+                            "type": "number"
+                        }
+                    },
+                    "type": "object"
+                },
                 "auth": {
                     "additionalProperties": false,
                     "properties": {
@@ -500,6 +512,18 @@
                     },
                     "type": "object"
                 },
+                "tasks": {
+                    "additionalProperties": false,
+                    "properties": {
+                        "host": {
+                            "type": "string"
+                        },
+                        "port": {
+                            "type": "number"
+                        }
+                    },
+                    "type": "object"
+                },
                 "ui": {
                     "additionalProperties": false,
                     "properties": {