firebase-tools 13.33.0 → 13.35.0

package/lib/gcp/cloudsql/permissions_setup.js

@@ -0,0 +1,215 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.brownfieldSqlSetup = exports.setupBrownfieldAsGreenfield = exports.getSchemaMetadata = exports.greenFieldSchemaSetup = exports.setupSQLPermissions = exports.checkSQLRoleIsGranted = exports.fdcSqlRoleMap = exports.SchemaSetupStatus = void 0;
+const permissions_1 = require("./permissions");
+const cloudsqladmin_1 = require("./cloudsqladmin");
+const connect_1 = require("./connect");
+const logger_1 = require("../../logger");
+const prompt_1 = require("../../prompt");
+const clc = require("colorette");
+const error_1 = require("../../error");
+const projectUtils_1 = require("../../projectUtils");
+const connect_2 = require("./connect");
+const lodash_1 = require("lodash");
+const connect_3 = require("./connect");
+var SchemaSetupStatus;
+(function (SchemaSetupStatus) {
+    SchemaSetupStatus["NotSetup"] = "not-setup";
+    SchemaSetupStatus["GreenField"] = "greenfield";
+    SchemaSetupStatus["BrownField"] = "brownfield";
+    SchemaSetupStatus["NotFound"] = "not-found";
+})(SchemaSetupStatus = exports.SchemaSetupStatus || (exports.SchemaSetupStatus = {}));
+exports.fdcSqlRoleMap = {
+    owner: permissions_1.firebaseowner,
+    writer: permissions_1.firebasewriter,
+    reader: permissions_1.firebasereader,
+};
+async function checkSQLRoleIsGranted(options, instanceId, databaseId, grantedRole, granteeRole) {
+    const checkCmd = `
+    DO $$
+    DECLARE
+        role_count INTEGER;
+    BEGIN
+        -- Count the number of rows matching the criteria
+        SELECT COUNT(*)
+        INTO role_count
+        FROM
+          pg_auth_members m
+        JOIN
+          pg_roles grantee ON grantee.oid = m.member
+        JOIN
+          pg_roles granted ON granted.oid = m.roleid
+        JOIN
+          pg_roles grantor ON grantor.oid = m.grantor
+        WHERE
+          granted.rolname = '${grantedRole}'
+          AND grantee.rolname = '${granteeRole}';
+
+        -- If no rows were found, raise an exception
+        IF role_count = 0 THEN
+            RAISE EXCEPTION 'Role "%", is not granted to role "%".', '${grantedRole}', '${granteeRole}';
+        END IF;
+    END $$;
+`;
+    try {
+        await (0, connect_2.executeSqlCmdsAsIamUser)(options, instanceId, databaseId, [checkCmd], true);
+        return true;
+    }
+    catch (e) {
+        if (e instanceof error_1.FirebaseError && e.message.includes("not granted to role")) {
+            return false;
+        }
+        logger_1.logger.error(`Role Check Failed: ${e}`);
+        throw e;
+    }
+}
+exports.checkSQLRoleIsGranted = checkSQLRoleIsGranted;
+async function setupSQLPermissions(instanceId, databaseId, schemaInfo, options, silent = false) {
+    const schema = schemaInfo.name;
+    logger_1.logger.info(`Detected schema "${schema}" setup status is ${schemaInfo.setupStatus}. Running setup...`);
+    const userIsCSQLAdmin = await (0, cloudsqladmin_1.iamUserIsCSQLAdmin)(options);
+    if (!userIsCSQLAdmin) {
+        throw new error_1.FirebaseError(`Missing required IAM permission to setup SQL schemas. SQL schema setup requires 'roles/cloudsql.admin' or an equivalent role.`);
+    }
+    await (0, connect_1.setupIAMUsers)(instanceId, databaseId, options);
+    let runGreenfieldSetup = false;
+    if (schemaInfo.setupStatus === SchemaSetupStatus.GreenField) {
+        runGreenfieldSetup = true;
+        logger_1.logger.info(`Database ${databaseId} has already been setup as greenfield project. Rerunning setup to repair any missing permissions.`);
+    }
+    if (schemaInfo.tables.length === 0) {
+        runGreenfieldSetup = true;
+        logger_1.logger.info(`Found no tables in schema "${schema}", assuming greenfield project.`);
+    }
+    if (runGreenfieldSetup) {
+        const greenfieldSetupCmds = await greenFieldSchemaSetup(instanceId, databaseId, schema, options);
+        await (0, connect_2.executeSqlCmdsAsSuperUser)(options, instanceId, databaseId, greenfieldSetupCmds, silent, true);
+        logger_1.logger.info(clc.green("Database setup complete."));
+        return SchemaSetupStatus.GreenField;
+    }
+    if (options.nonInteractive || options.force) {
+        throw new error_1.FirebaseError(`Schema "${schema}" isn't set up and can only be set up in interactive mode.`);
+    }
+    const currentTablesOwners = [...new Set(schemaInfo.tables.map((t) => t.owner))];
+    logger_1.logger.info(`We found some existing object owners [${currentTablesOwners.join(", ")}] in your cloudsql "${schema}" schema.`);
+    const shouldSetupGreenfield = await (0, prompt_1.confirm)({
+        message: clc.yellow("Would you like FDC to handle SQL migrations for you moving forward?\n" +
+            `This means we will transfer schema and tables ownership to ${(0, permissions_1.firebaseowner)(databaseId, schema)}\n` +
+            "Note: your existing migration tools/roles may lose access."),
+        default: false,
+    });
+    if (shouldSetupGreenfield) {
+        await setupBrownfieldAsGreenfield(instanceId, databaseId, schemaInfo, options, silent);
+        logger_1.logger.info(clc.green("Database setup complete."));
+        logger_1.logger.info(clc.yellow("IMPORTANT: please uncomment 'schemaValidation: \"COMPATIBLE\"' in your dataconnect.yaml file to avoid dropping any existing tables by mistake."));
+        return SchemaSetupStatus.GreenField;
+    }
+    else {
+        logger_1.logger.info(clc.yellow("Setting up database in brownfield mode.\n" +
+            `Note: SQL migrations can't be done through ${clc.bold("firebase dataconnect:sql:migrate")} in this mode.`));
+        await brownfieldSqlSetup(instanceId, databaseId, schemaInfo, options, silent);
+        logger_1.logger.info(clc.green("Brownfield database setup complete."));
+        return SchemaSetupStatus.BrownField;
+    }
+}
+exports.setupSQLPermissions = setupSQLPermissions;
+async function greenFieldSchemaSetup(instanceId, databaseId, schema, options) {
+    const revokes = [];
+    if (await checkSQLRoleIsGranted(options, instanceId, databaseId, "cloudsqlsuperuser", (0, permissions_1.firebaseowner)(databaseId))) {
+        logger_1.logger.warn("Detected cloudsqlsuperuser was previously given to firebase owner, revoking to improve database security.");
+        revokes.push(`REVOKE "cloudsqlsuperuser" FROM "${(0, permissions_1.firebaseowner)(databaseId)}"`);
+    }
+    const user = (await (0, connect_2.getIAMUser)(options)).user;
+    const projectNumber = await (0, projectUtils_1.needProjectNumber)(options);
+    const { user: fdcP4SAUser } = (0, connect_3.toDatabaseUser)((0, connect_3.getDataConnectP4SA)(projectNumber));
+    const sqlRoleSetupCmds = (0, lodash_1.concat)(revokes, [`CREATE SCHEMA IF NOT EXISTS "${schema}"`], (0, permissions_1.ownerRolePermissions)(databaseId, permissions_1.FIREBASE_SUPER_USER, schema), (0, permissions_1.writerRolePermissions)(databaseId, permissions_1.FIREBASE_SUPER_USER, schema), (0, permissions_1.readerRolePermissions)(databaseId, permissions_1.FIREBASE_SUPER_USER, schema), `GRANT "${(0, permissions_1.firebaseowner)(databaseId, schema)}" TO "${user}"`, `GRANT "${(0, permissions_1.firebasewriter)(databaseId, schema)}" TO "${fdcP4SAUser}"`, (0, permissions_1.defaultPermissions)(databaseId, schema, (0, permissions_1.firebaseowner)(databaseId, schema)));
+    return sqlRoleSetupCmds;
+}
+exports.greenFieldSchemaSetup = greenFieldSchemaSetup;
+async function getSchemaMetadata(instanceId, databaseId, schema, options) {
+    const checkSchemaExists = await (0, connect_2.executeSqlCmdsAsIamUser)(options, instanceId, databaseId, [
+        `SELECT pg_get_userbyid(nspowner) 
+          FROM pg_namespace 
+          WHERE nspname = '${schema}';`,
+    ], true);
+    if (!checkSchemaExists[0].rows[0]) {
+        return {
+            name: schema,
+            owner: null,
+            setupStatus: SchemaSetupStatus.NotFound,
+            tables: [],
+        };
+    }
+    const schemaOwner = checkSchemaExists[0].rows[0].pg_get_userbyid;
+    const cmd = `SELECT tablename, tableowner FROM pg_tables WHERE schemaname='${schema}'`;
+    const res = await (0, connect_2.executeSqlCmdsAsIamUser)(options, instanceId, databaseId, [cmd], true);
+    const tables = res[0].rows.map((row) => {
+        return {
+            name: row.tablename,
+            owner: row.tableowner,
+        };
+    });
+    const checkRoleExists = async (role) => {
+        const cmd = [`SELECT to_regrole('"${role}"') IS NOT NULL AS exists;`];
+        const result = await (0, connect_2.executeSqlCmdsAsIamUser)(options, instanceId, databaseId, cmd, true);
+        return result[0].rows[0].exists;
+    };
+    let setupStatus;
+    if (!(await checkRoleExists((0, permissions_1.firebasewriter)(databaseId, schema)))) {
+        setupStatus = SchemaSetupStatus.NotSetup;
+    }
+    else if (tables.every((table) => table.owner === (0, permissions_1.firebaseowner)(databaseId, schema)) &&
+        schemaOwner === (0, permissions_1.firebaseowner)(databaseId, schema)) {
+        setupStatus = SchemaSetupStatus.GreenField;
+    }
+    else {
+        setupStatus = SchemaSetupStatus.BrownField;
+    }
+    return {
+        name: schema,
+        owner: schemaOwner,
+        setupStatus,
+        tables: tables,
+    };
+}
+exports.getSchemaMetadata = getSchemaMetadata;
+async function setupBrownfieldAsGreenfield(instanceId, databaseId, schemaInfo, options, silent = false) {
+    const schema = schemaInfo.name;
+    const firebaseOwnerRole = (0, permissions_1.firebaseowner)(databaseId, schema);
+    const nonFirebasetablesOwners = [...new Set(schemaInfo.tables.map((t) => t.owner))].filter((owner) => owner !== firebaseOwnerRole);
+    const grantOwnersToSuperuserCmds = nonFirebasetablesOwners.map((owner) => `GRANT "${owner}" TO "${permissions_1.FIREBASE_SUPER_USER}"`);
+    const revokeOwnersFromSuperuserCmds = nonFirebasetablesOwners.map((owner) => `REVOKE "${owner}" FROM "${permissions_1.FIREBASE_SUPER_USER}"`);
+    const greenfieldSetupCmds = await greenFieldSchemaSetup(instanceId, databaseId, schema, options);
+    const grantCmds = nonFirebasetablesOwners.map((owner) => `GRANT "${(0, permissions_1.firebasewriter)(databaseId, schema)}" TO "${owner}"`);
+    const alterTableCmds = schemaInfo.tables.map((table) => `ALTER TABLE "${schema}"."${table.name}" OWNER TO "${firebaseOwnerRole}";`);
+    const setupCmds = [
+        ...grantOwnersToSuperuserCmds,
+        ...greenfieldSetupCmds,
+        ...grantCmds,
+        ...alterTableCmds,
+        ...revokeOwnersFromSuperuserCmds,
+    ];
+    await (0, connect_2.executeSqlCmdsAsSuperUser)(options, instanceId, databaseId, setupCmds, silent, true);
+}
+exports.setupBrownfieldAsGreenfield = setupBrownfieldAsGreenfield;
+async function brownfieldSqlSetup(instanceId, databaseId, schemaInfo, options, silent = false) {
+    const schema = schemaInfo.name;
+    const uniqueTablesOwners = [...new Set(schemaInfo.tables.map((t) => t.owner))];
+    const grantOwnersToFirebasesuperuser = uniqueTablesOwners.map((owner) => `GRANT "${owner}" TO "${permissions_1.FIREBASE_SUPER_USER}"`);
+    const revokeOwnersFromFirebasesuperuser = uniqueTablesOwners.map((owner) => `REVOKE "${owner}" FROM "${permissions_1.FIREBASE_SUPER_USER}"`);
+    const iamUser = (await (0, connect_2.getIAMUser)(options)).user;
+    const projectNumber = await (0, projectUtils_1.needProjectNumber)(options);
+    const { user: fdcP4SAUser } = (0, connect_3.toDatabaseUser)((0, connect_3.getDataConnectP4SA)(projectNumber));
+    const firebaseDefaultPermissions = uniqueTablesOwners.flatMap((owner) => (0, permissions_1.defaultPermissions)(databaseId, schema, owner));
+    const brownfieldSetupCmds = [
+        ...grantOwnersToFirebasesuperuser,
+        ...(0, permissions_1.writerRolePermissions)(databaseId, permissions_1.FIREBASE_SUPER_USER, schema),
+        ...(0, permissions_1.readerRolePermissions)(databaseId, permissions_1.FIREBASE_SUPER_USER, schema),
+        `GRANT "${(0, permissions_1.firebasewriter)(databaseId, schema)}" TO "${iamUser}"`,
+        `GRANT "${(0, permissions_1.firebasewriter)(databaseId, schema)}" TO "${fdcP4SAUser}"`,
+        ...firebaseDefaultPermissions,
+        ...revokeOwnersFromFirebasesuperuser,
+    ];
+    await (0, connect_2.executeSqlCmdsAsSuperUser)(options, instanceId, databaseId, brownfieldSetupCmds, silent, true);
+}
+exports.brownfieldSqlSetup = brownfieldSqlSetup;

package/lib/init/features/dataconnect/index.js

@@ -59,7 +59,7 @@ async function doSetup(setup, config) {
         await sdk.doSetup(setup, config);
     }
     else {
-        (0, utils_1.logBullet)(`If you'd like to add the generated SDK to your app your, run ${clc.bold("firebase init dataconnect:sdk")}`);
+        (0, utils_1.logBullet)(`If you'd like to add the generated SDK to your app later, run ${clc.bold("firebase init dataconnect:sdk")}`);
     }
     if (setup.projectId && !isBillingEnabled) {
         (0, utils_1.logBullet)((0, freeTrial_1.upgradeInstructions)(setup.projectId));

package/lib/init/features/dataconnect/sdk.js

@@ -14,6 +14,7 @@ const dataconnectEmulator_1 = require("../../../emulator/dataconnectEmulator");
 const error_1 = require("../../../error");
 const lodash_1 = require("lodash");
 const utils_1 = require("../../../utils");
+const auth_1 = require("../../../auth");
 exports.FDC_APP_FOLDER = "_FDC_APP_FOLDER";
 async function doSetup(setup, config) {
     const sdkInfo = await askQuestions(setup, config);
@@ -78,12 +79,13 @@ async function askQuestions(setup, config) {
     const newConnectorYaml = await generateSdkYaml(targetPlatform, connectorYaml, connectorInfo.directory, appDir);
     if (targetPlatform === types_1.Platform.WEB) {
         const unusedFrameworks = fileUtils_1.SUPPORTED_FRAMEWORKS.filter((framework) => { var _a; return !((_a = newConnectorYaml.generate) === null || _a === void 0 ? void 0 : _a.javascriptSdk[framework]); });
+        const hasFrameworkEnabled = unusedFrameworks.length < fileUtils_1.SUPPORTED_FRAMEWORKS.length;
         if (unusedFrameworks.length > 0) {
             const additionalFrameworks = await (0, prompt_1.prompt)(setup, [
                 {
                     type: "checkbox",
                     name: "fdcFrameworks",
-                    message: "Which framework would you like to generate SDKs for? " +
+                    message: `Which ${hasFrameworkEnabled && "additional "}frameworks would you like to generate SDKs for? ` +
                         "Press Space to select features, then Enter to confirm your choices.",
                     choices: unusedFrameworks.map((frameworkStr) => ({
                         value: frameworkStr,
@@ -125,6 +127,7 @@ async function generateSdkYaml(targetPlatform, connectorYaml, connectorDir, appD
         if (packageJson) {
             const frameworksUsed = (0, fileUtils_1.getFrameworksFromPackageJson)(packageJson);
             for (const framework of frameworksUsed) {
+                (0, utils_1.logBullet)(`Detected ${framework} app. Enabling ${framework} generated SDKs.`);
                 javascriptSdk[framework] = true;
             }
         }
@@ -155,17 +158,34 @@ async function generateSdkYaml(targetPlatform, connectorYaml, connectorDir, appD
 }
 exports.generateSdkYaml = generateSdkYaml;
 async function actuate(sdkInfo) {
-    var _a;
+    var _a, _b;
     const connectorYamlPath = `${sdkInfo.connectorInfo.directory}/connector.yaml`;
     fs.writeFileSync(connectorYamlPath, sdkInfo.connectorYamlContents, "utf8");
     (0, utils_1.logBullet)(`Wrote new config to ${connectorYamlPath}`);
+    const account = (0, auth_1.getGlobalDefaultAccount)();
     await dataconnectEmulator_1.DataConnectEmulator.generate({
         configDir: sdkInfo.connectorInfo.directory,
         connectorId: sdkInfo.connectorInfo.connectorYaml.connectorId,
+        account,
     });
     (0, utils_1.logBullet)(`Generated SDK code for ${sdkInfo.connectorInfo.connectorYaml.connectorId}`);
     if (((_a = sdkInfo.connectorInfo.connectorYaml.generate) === null || _a === void 0 ? void 0 : _a.swiftSdk) && sdkInfo.displayIOSWarning) {
-        (0, utils_1.logBullet)(clc.bold("Please follow the instructions here to add your generated sdk to your XCode project:\n\thttps://firebase.google.com/docs/data-connect/gp/ios-sdk#set-client"));
+        (0, utils_1.logBullet)(clc.bold("Please follow the instructions here to add your generated sdk to your XCode project:\n\thttps://firebase.google.com/docs/data-connect/ios-sdk#set-client"));
+    }
+    if ((_b = sdkInfo.connectorInfo.connectorYaml.generate) === null || _b === void 0 ? void 0 : _b.javascriptSdk) {
+        for (const framework of fileUtils_1.SUPPORTED_FRAMEWORKS) {
+            if (sdkInfo.connectorInfo.connectorYaml.generate.javascriptSdk[framework]) {
+                logInfoForFramework(framework);
+            }
+        }
     }
 }
 exports.actuate = actuate;
+function logInfoForFramework(framework) {
+    if (framework === "react") {
+        (0, utils_1.logBullet)("Visit https://firebase.google.com/docs/data-connect/web-sdk#react for more information on how to set up React Generated SDKs for Firebase Data Connect");
+    }
+    else if (framework === "angular") {
+        (0, utils_1.logBullet)("Run `npm i --save @angular/fire @tanstack-query-firebase/angular @tanstack/angular-query-experimental` to install angular sdk dependencies.\nVisit https://github.com/invertase/tanstack-query-firebase/tree/main/packages/angular for more information on how to set up Angular Generated SDKs for Firebase Data Connect");
+    }
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "firebase-tools",
-  "version": "13.33.0",
+  "version": "13.35.0",
   "description": "Command-Line Interface for Firebase",
   "main": "./lib/index.js",
   "bin": {

package/templates/init/dataconnect/connector.yaml

@@ -8,7 +8,7 @@ connectorId: __connectorId__
 #     packageJsonDir: < Optional. Path to your Javascript app's package.json>
 #   swiftSdk:
 #     outputDir: <Path where you want the generated SDK to be written to, relative to this file>
-#     package: "firebasegen/default"
+#     package: DefaultConnector
 #   kotlinSdk:
 #     outputDir: <Path where you want the generated SDK to be written to, relative to this file>
 #     package: connectors.default