firebase-tools 13.33.0 → 13.35.0

package/lib/functions/artifacts.js

@@ -0,0 +1,104 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.hasCleanupOptOut = exports.hasSameCleanupPolicy = exports.setCleanupPolicy = exports.optOutRepository = exports.updateRepository = exports.generateCleanupPolicy = exports.parseDaysFromPolicy = exports.daysToSeconds = exports.findExistingPolicy = exports.makeRepoPath = exports.OPT_OUT_LABEL_KEY = exports.CLEANUP_POLICY_ID = exports.GCF_REPO_ID = void 0;
+const artifactregistry = require("../gcp/artifactregistry");
+const error_1 = require("../error");
+exports.GCF_REPO_ID = "gcf-artifacts";
+exports.CLEANUP_POLICY_ID = "firebase-functions-cleanup";
+exports.OPT_OUT_LABEL_KEY = "firebase-functions-cleanup-opted-out";
+const SECONDS_IN_DAY = 24 * 60 * 60;
+function makeRepoPath(projectId, location, repoName = exports.GCF_REPO_ID) {
+    return `projects/${projectId}/locations/${location}/repositories/${repoName}`;
+}
+exports.makeRepoPath = makeRepoPath;
+function findExistingPolicy(repository) {
+    var _a;
+    return (_a = repository === null || repository === void 0 ? void 0 : repository.cleanupPolicies) === null || _a === void 0 ? void 0 : _a[exports.CLEANUP_POLICY_ID];
+}
+exports.findExistingPolicy = findExistingPolicy;
+function daysToSeconds(days) {
+    const seconds = days * SECONDS_IN_DAY;
+    return `${seconds}s`;
+}
+exports.daysToSeconds = daysToSeconds;
+function parseDaysFromPolicy(olderThan) {
+    const match = olderThan.match(/^(\d+)s$/);
+    if (match && match[1]) {
+        const seconds = parseInt(match[1], 10);
+        return Math.floor(seconds / SECONDS_IN_DAY);
+    }
+    return;
+}
+exports.parseDaysFromPolicy = parseDaysFromPolicy;
+function generateCleanupPolicy(daysToKeep) {
+    return {
+        [exports.CLEANUP_POLICY_ID]: {
+            id: exports.CLEANUP_POLICY_ID,
+            condition: {
+                tagState: "ANY",
+                olderThan: daysToSeconds(daysToKeep),
+            },
+            action: "DELETE",
+        },
+    };
+}
+exports.generateCleanupPolicy = generateCleanupPolicy;
+async function updateRepository(repo) {
+    try {
+        await artifactregistry.updateRepository(repo);
+    }
+    catch (err) {
+        if (err.status === 403) {
+            throw new error_1.FirebaseError(`You don't have permission to update this repository.\n` +
+                `To update repository settings, ask your administrator to grant you the ` +
+                `Artifact Registry Administrator (roles/artifactregistry.admin) IAM role on the repository project.`, { original: err, exit: 1 });
+        }
+        else {
+            throw new error_1.FirebaseError("Failed to update artifact registry repository", {
+                original: err,
+            });
+        }
+    }
+}
+exports.updateRepository = updateRepository;
+async function optOutRepository(repository) {
+    const policies = Object.assign({}, repository.cleanupPolicies);
+    if (exports.CLEANUP_POLICY_ID in policies) {
+        delete policies[exports.CLEANUP_POLICY_ID];
+    }
+    const update = {
+        name: repository.name,
+        labels: Object.assign(Object.assign({}, repository.labels), { [exports.OPT_OUT_LABEL_KEY]: "true" }),
+        cleanupPolicies: policies,
+    };
+    await exports.updateRepository(update);
+}
+exports.optOutRepository = optOutRepository;
+async function setCleanupPolicy(repository, daysToKeep) {
+    const labels = Object.assign({}, repository.labels);
+    delete labels[exports.OPT_OUT_LABEL_KEY];
+    const update = {
+        name: repository.name,
+        cleanupPolicies: Object.assign(Object.assign({}, repository.cleanupPolicies), generateCleanupPolicy(daysToKeep)),
+        labels,
+    };
+    await exports.updateRepository(update);
+}
+exports.setCleanupPolicy = setCleanupPolicy;
+function hasSameCleanupPolicy(repository, daysToKeep) {
+    var _a, _b;
+    const existingPolicy = findExistingPolicy(repository);
+    if (!existingPolicy) {
+        return false;
+    }
+    if (((_a = existingPolicy.condition) === null || _a === void 0 ? void 0 : _a.tagState) !== "ANY" || !((_b = existingPolicy.condition) === null || _b === void 0 ? void 0 : _b.olderThan)) {
+        return false;
+    }
+    const existingSeconds = parseDaysFromPolicy(existingPolicy.condition.olderThan);
+    return existingSeconds === daysToKeep;
+}
+exports.hasSameCleanupPolicy = hasSameCleanupPolicy;
+function hasCleanupOptOut(repo) {
+    return !!(repo.labels && repo.labels[exports.OPT_OUT_LABEL_KEY] === "true");
+}
+exports.hasCleanupOptOut = hasCleanupOptOut;

package/lib/gcp/artifactregistry.js

@@ -1,16 +1,41 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.deletePackage = exports.API_VERSION = void 0;
+exports.updateRepository = exports.getRepository = exports.deletePackage = exports.ensureApiEnabled = exports.API_VERSION = void 0;
 const apiv2_1 = require("../apiv2");
 const api_1 = require("../api");
-exports.API_VERSION = "v1beta2";
+const metaprogramming_1 = require("../metaprogramming");
+const api = require("../ensureApiEnabled");
+const proto = require("./proto");
+exports.API_VERSION = "v1";
 const client = new apiv2_1.Client({
     urlPrefix: (0, api_1.artifactRegistryDomain)(),
     auth: true,
     apiVersion: exports.API_VERSION,
 });
+function ensureApiEnabled(projectId) {
+    return api.ensure(projectId, (0, api_1.artifactRegistryDomain)(), "artifactregistry", true);
+}
+exports.ensureApiEnabled = ensureApiEnabled;
+(0, metaprogramming_1.assertImplements)();
 async function deletePackage(name) {
     const res = await client.delete(name);
     return res.body;
 }
 exports.deletePackage = deletePackage;
+async function getRepository(repoPath) {
+    const res = await client.get(repoPath);
+    return res.body;
+}
+exports.getRepository = getRepository;
+async function updateRepository(repo) {
+    const updateMask = proto.fieldMasks(repo, "cleanupPolicies", "labels");
+    if (updateMask.length === 0) {
+        const res = await client.get(repo.name);
+        return res.body;
+    }
+    const res = await client.patch(`/${repo.name}`, repo, {
+        queryParams: { updateMask: updateMask.join(",") },
+    });
+    return res.body;
+}
+exports.updateRepository = updateRepository;

package/lib/gcp/cloudsql/cloudsqladmin.js

@@ -1,9 +1,12 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.listUsers = exports.deleteUser = exports.getUser = exports.createUser = exports.deleteDatabase = exports.createDatabase = exports.getDatabase = exports.listDatabases = exports.updateInstanceForDataConnect = exports.createInstance = exports.instanceConsoleLink = exports.getInstance = exports.listInstances = void 0;
+exports.listUsers = exports.deleteUser = exports.getUser = exports.createUser = exports.deleteDatabase = exports.createDatabase = exports.getDatabase = exports.listDatabases = exports.updateInstanceForDataConnect = exports.createInstance = exports.instanceConsoleLink = exports.getInstance = exports.listInstances = exports.iamUserIsCSQLAdmin = void 0;
 const apiv2_1 = require("../../apiv2");
 const api_1 = require("../../api");
 const operationPoller = require("../../operation-poller");
+const projectUtils_1 = require("../../projectUtils");
+const logger_1 = require("../../logger");
+const iam_1 = require("../iam");
 const error_1 = require("../../error");
 const API_VERSION = "v1";
 const client = new apiv2_1.Client({
@@ -11,6 +14,24 @@ const client = new apiv2_1.Client({
     auth: true,
     apiVersion: API_VERSION,
 });
+async function iamUserIsCSQLAdmin(options) {
+    const projectId = (0, projectUtils_1.needProjectId)(options);
+    const requiredPermissions = [
+        "cloudsql.instances.connect",
+        "cloudsql.instances.get",
+        "cloudsql.users.create",
+        "cloudsql.users.update",
+    ];
+    try {
+        const iamResult = await (0, iam_1.testIamPermissions)(projectId, requiredPermissions);
+        return iamResult.passed;
+    }
+    catch (err) {
+        logger_1.logger.debug(`[iam] error while checking permissions, command may fail: ${err}`);
+        return false;
+    }
+}
+exports.iamUserIsCSQLAdmin = iamUserIsCSQLAdmin;
 async function listInstances(projectId) {
     var _a;
     const res = await client.get(`projects/${projectId}/instances`);

package/lib/gcp/cloudsql/connect.js

@@ -11,7 +11,6 @@ const utils = require("../../utils");
 const logger_1 = require("../../logger");
 const error_1 = require("../../error");
 const fbToolsAuthClient_1 = require("./fbToolsAuthClient");
-const permissions_1 = require("./permissions");
 async function execute(sqlStatements, opts) {
     const logFn = opts.silent ? logger_1.logger.debug : logger_1.logger.info;
     const instance = await cloudSqlAdminClient.getInstance(opts.projectId, opts.instanceId);
@@ -60,23 +59,35 @@ async function execute(sqlStatements, opts) {
             break;
         }
     }
+    const cleanUpFn = async () => {
+        conn.release();
+        await pool.end();
+        connector.close();
+    };
     const conn = await pool.connect();
+    const results = [];
     logFn(`Logged in as ${opts.username}`);
+    if (opts.transaction) {
+        sqlStatements.unshift("BEGIN;");
+        sqlStatements.push("COMMIT;");
+    }
     for (const s of sqlStatements) {
         logFn(`Executing: '${s}'`);
         try {
-            await conn.query(s);
+            results.push(await conn.query(s));
         }
         catch (err) {
+            logFn(`Rolling back transaction due to error ${err}}`);
+            await conn.query("ROLLBACK;");
+            await cleanUpFn();
             throw new error_1.FirebaseError(`Error executing ${err}`);
         }
     }
-    conn.release();
-    await pool.end();
-    connector.close();
+    await cleanUpFn();
+    return results;
 }
 exports.execute = execute;
-async function executeSqlCmdsAsIamUser(options, instanceId, databaseId, cmds, silent = false) {
+async function executeSqlCmdsAsIamUser(options, instanceId, databaseId, cmds, silent = false, transaction = false) {
     const projectId = (0, projectUtils_1.needProjectId)(options);
     const { user: iamUser } = await getIAMUser(options);
     return await execute(cmds, {
@@ -85,21 +96,23 @@ async function executeSqlCmdsAsIamUser(options, instanceId, databaseId, cmds, si
         databaseId,
         username: iamUser,
         silent: silent,
+        transaction: transaction,
     });
 }
 exports.executeSqlCmdsAsIamUser = executeSqlCmdsAsIamUser;
-async function executeSqlCmdsAsSuperUser(options, instanceId, databaseId, cmds, silent = false) {
+async function executeSqlCmdsAsSuperUser(options, instanceId, databaseId, cmds, silent = false, transaction = false) {
     const projectId = (0, projectUtils_1.needProjectId)(options);
     const superuser = "firebasesuperuser";
     const temporaryPassword = utils.generateId(20);
     await cloudSqlAdminClient.createUser(projectId, instanceId, "BUILT_IN", superuser, temporaryPassword);
-    return await execute([`SET ROLE = cloudsqlsuperuser`, ...cmds], {
+    return await execute([`SET ROLE = '${superuser}'`, ...cmds], {
         projectId,
         instanceId,
         databaseId,
         username: superuser,
         password: temporaryPassword,
         silent: silent,
+        transaction: transaction,
     });
 }
 exports.executeSqlCmdsAsSuperUser = executeSqlCmdsAsSuperUser;
@@ -122,12 +135,6 @@ async function setupIAMUsers(instanceId, databaseId, options) {
     const projectNumber = await (0, projectUtils_1.needProjectNumber)(options);
     const { user: fdcP4SAUser, mode: fdcP4SAmode } = toDatabaseUser(getDataConnectP4SA(projectNumber));
     await cloudSqlAdminClient.createUser(projectId, instanceId, fdcP4SAmode, fdcP4SAUser);
-    await (0, permissions_1.setupSQLPermissions)(instanceId, databaseId, options, true);
-    const grants = [
-        `GRANT "${(0, permissions_1.firebaseowner)(databaseId)}" TO "${user}"`,
-        `GRANT "${(0, permissions_1.firebasewriter)(databaseId)}" TO "${fdcP4SAUser}"`,
-    ];
-    await executeSqlCmdsAsSuperUser(options, instanceId, databaseId, grants, true);
     return user;
 }
 exports.setupIAMUsers = setupIAMUsers;

package/lib/gcp/cloudsql/permissions.js

@@ -1,89 +1,22 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.setupSQLPermissions = exports.iamUserIsCSQLAdmin = exports.checkSQLRoleIsGranted = exports.fdcSqlRoleMap = exports.firebasewriter = exports.firebasereader = exports.firebaseowner = void 0;
-const projectUtils_1 = require("../../projectUtils");
-const connect_1 = require("./connect");
-const iam_1 = require("../iam");
-const logger_1 = require("../../logger");
-const lodash_1 = require("lodash");
-const error_1 = require("../../error");
-function firebaseowner(databaseId) {
-    return `firebaseowner_${databaseId}_public`;
+exports.defaultPermissions = exports.readerRolePermissions = exports.writerRolePermissions = exports.ownerRolePermissions = exports.firebasewriter = exports.firebasereader = exports.firebaseowner = exports.FIREBASE_SUPER_USER = exports.DEFAULT_SCHEMA = void 0;
+exports.DEFAULT_SCHEMA = "public";
+exports.FIREBASE_SUPER_USER = "firebasesuperuser";
+function firebaseowner(databaseId, schema = exports.DEFAULT_SCHEMA) {
+    return `firebaseowner_${databaseId}_${schema}`;
 }
 exports.firebaseowner = firebaseowner;
-function firebasereader(databaseId) {
-    return `firebasereader_${databaseId}_public`;
+function firebasereader(databaseId, schema = exports.DEFAULT_SCHEMA) {
+    return `firebasereader_${databaseId}_${schema}`;
 }
 exports.firebasereader = firebasereader;
-function firebasewriter(databaseId) {
-    return `firebasewriter_${databaseId}_public`;
+function firebasewriter(databaseId, schema = exports.DEFAULT_SCHEMA) {
+    return `firebasewriter_${databaseId}_${schema}`;
 }
 exports.firebasewriter = firebasewriter;
-exports.fdcSqlRoleMap = {
-    owner: firebaseowner,
-    writer: firebasewriter,
-    reader: firebasereader,
-};
-async function checkSQLRoleIsGranted(options, instanceId, databaseId, grantedRole, granteeRole) {
-    const checkCmd = `
-    DO $$
-    DECLARE
-        role_count INTEGER;
-    BEGIN
-        -- Count the number of rows matching the criteria
-        SELECT COUNT(*)
-        INTO role_count
-        FROM
-          pg_auth_members m
-        JOIN
-          pg_roles grantee ON grantee.oid = m.member
-        JOIN
-          pg_roles granted ON granted.oid = m.roleid
-        JOIN
-          pg_roles grantor ON grantor.oid = m.grantor
-        WHERE
-          granted.rolname = '${grantedRole}'
-          AND grantee.rolname = '${granteeRole}';
-
-        -- If no rows were found, raise an exception
-        IF role_count = 0 THEN
-            RAISE EXCEPTION 'Role "%", is not granted to role "%".', '${grantedRole}', '${granteeRole}';
-        END IF;
-    END $$;
-`;
-    try {
-        await (0, connect_1.executeSqlCmdsAsIamUser)(options, instanceId, databaseId, [checkCmd], true);
-        return true;
-    }
-    catch (e) {
-        if (e instanceof error_1.FirebaseError && e.message.includes("not granted to role")) {
-            return false;
-        }
-        logger_1.logger.error(`Role Check Failed: ${e}`);
-        throw e;
-    }
-}
-exports.checkSQLRoleIsGranted = checkSQLRoleIsGranted;
-async function iamUserIsCSQLAdmin(options) {
-    const projectId = (0, projectUtils_1.needProjectId)(options);
-    const requiredPermissions = [
-        "cloudsql.instances.connect",
-        "cloudsql.instances.get",
-        "cloudsql.users.create",
-        "cloudsql.users.update",
-    ];
-    try {
-        const iamResult = await (0, iam_1.testIamPermissions)(projectId, requiredPermissions);
-        return iamResult.passed;
-    }
-    catch (err) {
-        logger_1.logger.debug(`[iam] error while checking permissions, command may fail: ${err}`);
-        return false;
-    }
-}
-exports.iamUserIsCSQLAdmin = iamUserIsCSQLAdmin;
 function ownerRolePermissions(databaseId, superuser, schema) {
-    const firebaseOwnerRole = firebaseowner(databaseId);
+    const firebaseOwnerRole = firebaseowner(databaseId, schema);
     return [
         `do
       $$
@@ -102,8 +35,9 @@ function ownerRolePermissions(databaseId, superuser, schema) {
         `GRANT ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA "${schema}" TO "${firebaseOwnerRole}"`,
     ];
 }
+exports.ownerRolePermissions = ownerRolePermissions;
 function writerRolePermissions(databaseId, superuser, schema) {
-    const firebaseWriterRole = firebasewriter(databaseId);
+    const firebaseWriterRole = firebasewriter(databaseId, schema);
     return [
         `do
       $$
@@ -120,15 +54,11 @@ function writerRolePermissions(databaseId, superuser, schema) {
         `GRANT SELECT, INSERT, UPDATE, DELETE, TRUNCATE ON ALL TABLES IN SCHEMA "${schema}" TO "${firebaseWriterRole}"`,
         `GRANT USAGE, SELECT ON ALL SEQUENCES IN SCHEMA "${schema}" TO "${firebaseWriterRole}"`,
         `GRANT EXECUTE ON ALL FUNCTIONS IN SCHEMA "${schema}" TO "${firebaseWriterRole}"`,
-        `SET ROLE = '${firebaseowner(databaseId)}';`,
-        `ALTER DEFAULT PRIVILEGES IN SCHEMA "${schema}" GRANT SELECT, INSERT, UPDATE, DELETE, TRUNCATE ON TABLES TO "${firebaseWriterRole}";`,
-        `ALTER DEFAULT PRIVILEGES IN SCHEMA "${schema}" GRANT USAGE ON SEQUENCES TO "${firebaseWriterRole}";`,
-        `ALTER DEFAULT PRIVILEGES IN SCHEMA "${schema}" GRANT EXECUTE ON FUNCTIONS TO "${firebaseWriterRole}"`,
-        `SET ROLE = cloudsqlsuperuser`,
     ];
 }
+exports.writerRolePermissions = writerRolePermissions;
 function readerRolePermissions(databaseId, superuser, schema) {
-    const firebaseReaderRole = firebasereader(databaseId);
+    const firebaseReaderRole = firebasereader(databaseId, schema);
     return [
         `do
       $$
@@ -145,21 +75,37 @@ function readerRolePermissions(databaseId, superuser, schema) {
         `GRANT SELECT ON ALL TABLES IN SCHEMA "${schema}" TO "${firebaseReaderRole}"`,
         `GRANT USAGE, SELECT ON ALL SEQUENCES IN SCHEMA "${schema}" TO "${firebaseReaderRole}"`,
         `GRANT EXECUTE ON ALL FUNCTIONS IN SCHEMA "${schema}" TO "${firebaseReaderRole}"`,
-        `SET ROLE = '${firebaseowner(databaseId)}';`,
-        `ALTER DEFAULT PRIVILEGES IN SCHEMA "${schema}" GRANT SELECT ON TABLES TO "${firebaseReaderRole}";`,
-        `ALTER DEFAULT PRIVILEGES IN SCHEMA "${schema}" GRANT SELECT, USAGE ON SEQUENCES TO "${firebaseReaderRole}";`,
-        `ALTER DEFAULT PRIVILEGES IN SCHEMA "${schema}" GRANT EXECUTE ON FUNCTIONS TO "${firebaseReaderRole}"`,
-        `SET ROLE = cloudsqlsuperuser`,
     ];
 }
-async function setupSQLPermissions(instanceId, databaseId, options, silent = false) {
-    const superuser = "firebasesuperuser";
-    const revokes = [];
-    if (await checkSQLRoleIsGranted(options, instanceId, databaseId, "cloudsqlsuperuser", firebaseowner(databaseId))) {
-        logger_1.logger.warn("Detected cloudsqlsuperuser was previously given to firebase owner, revoking to improve database security.");
-        revokes.push(`REVOKE "cloudsqlsuperuser" FROM "${firebaseowner(databaseId)}"`);
-    }
-    const sqlRoleSetupCmds = (0, lodash_1.concat)(revokes, [`CREATE SCHEMA IF NOT EXISTS "public"`], ownerRolePermissions(databaseId, superuser, "public"), writerRolePermissions(databaseId, superuser, "public"), readerRolePermissions(databaseId, superuser, "public"));
-    return (0, connect_1.executeSqlCmdsAsSuperUser)(options, instanceId, databaseId, sqlRoleSetupCmds, silent);
+exports.readerRolePermissions = readerRolePermissions;
+function defaultPermissions(databaseId, schema, ownerRole) {
+    const firebaseWriterRole = firebasewriter(databaseId, schema);
+    const firebaseReaderRole = firebasereader(databaseId, schema);
+    return [
+        `ALTER DEFAULT PRIVILEGES
+      FOR ROLE "${ownerRole}"
+      IN SCHEMA "${schema}"
+      GRANT SELECT, INSERT, UPDATE, DELETE, TRUNCATE ON TABLES TO "${firebaseWriterRole}";`,
+        `ALTER DEFAULT PRIVILEGES
+      FOR ROLE "${ownerRole}"
+      IN SCHEMA "${schema}"
+      GRANT USAGE ON SEQUENCES TO "${firebaseWriterRole}";`,
+        `ALTER DEFAULT PRIVILEGES
+      FOR ROLE "${ownerRole}"
+      IN SCHEMA "${schema}"
+      GRANT EXECUTE ON FUNCTIONS TO "${firebaseWriterRole}";`,
+        `ALTER DEFAULT PRIVILEGES
+      FOR ROLE "${ownerRole}"
+      IN SCHEMA "${schema}"
+      GRANT SELECT ON TABLES TO "${firebaseReaderRole}";`,
+        `ALTER DEFAULT PRIVILEGES
+      FOR ROLE "${ownerRole}"
+      IN SCHEMA "${schema}"
+      GRANT USAGE ON SEQUENCES TO "${firebaseReaderRole}";`,
+        `ALTER DEFAULT PRIVILEGES
+      FOR ROLE "${ownerRole}"
+      IN SCHEMA "${schema}"
+      GRANT EXECUTE ON FUNCTIONS TO "${firebaseReaderRole}";`,
+    ];
 }
-exports.setupSQLPermissions = setupSQLPermissions;
+exports.defaultPermissions = defaultPermissions;