firebase-tools 13.35.1 → 14.0.0

package/lib/appdistribution/client.js

@@ -99,6 +99,7 @@ class AppDistributionClient {
         utils.logSuccess("distributed to testers/groups successfully");
     }
     async listTesters(projectName, groupName) {
+        var _a;
         const listTestersResponse = {
             testers: [],
         };
@@ -119,7 +120,7 @@ class AppDistributionClient {
             catch (err) {
                 throw new error_1.FirebaseError(`Client request failed to list testers ${err}`);
             }
-            for (const t of apiResponse.body.testers) {
+            for (const t of (_a = apiResponse.body.testers) !== null && _a !== void 0 ? _a : []) {
                 listTestersResponse.testers.push({
                     name: t.name,
                     displayName: t.displayName,
@@ -159,6 +160,7 @@ class AppDistributionClient {
         return apiResponse.body;
     }
     async listGroups(projectName) {
+        var _a;
         const listGroupsResponse = {
             groups: [],
         };
@@ -170,7 +172,7 @@ class AppDistributionClient {
                 const apiResponse = await client.get(`${projectName}/groups`, {
                     queryParams,
                 });
-                listGroupsResponse.groups.push(...(apiResponse.body.groups || []));
+                listGroupsResponse.groups.push(...((_a = apiResponse.body.groups) !== null && _a !== void 0 ? _a : []));
                 pageToken = apiResponse.body.nextPageToken;
             }
             catch (err) {

package/lib/apphosting/backend.js

@@ -1,6 +1,6 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.getBackendForAmbiguousLocation = exports.getBackendForLocation = exports.promptLocation = exports.deleteBackendAndPoll = exports.setDefaultTrafficPolicy = exports.createBackend = exports.ensureAppHostingComputeServiceAccount = exports.createGitRepoLink = exports.doSetup = void 0;
+exports.getBackend = exports.getBackendForAmbiguousLocation = exports.chooseBackends = exports.getBackendForLocation = exports.promptLocation = exports.deleteBackendAndPoll = exports.setDefaultTrafficPolicy = exports.createBackend = exports.ensureAppHostingComputeServiceAccount = exports.createGitRepoLink = exports.doSetup = void 0;
 const clc = require("colorette");
 const poller = require("../operation-poller");
 const apphosting = require("../gcp/apphosting");
@@ -50,7 +50,7 @@ async function awaitTlsReady(url) {
         }
     } while (!ready);
 }
-async function doSetup(projectId, webAppName, location, serviceAccount) {
+async function doSetup(projectId, webAppName, serviceAccount) {
     await Promise.all([
         (0, ensureApiEnabled_1.ensure)(projectId, (0, api_1.developerConnectOrigin)(), "apphosting", true),
         (0, ensureApiEnabled_1.ensure)(projectId, (0, api_1.cloudbuildOrigin)(), "apphosting", true),
@@ -60,14 +60,7 @@ async function doSetup(projectId, webAppName, location, serviceAccount) {
         (0, ensureApiEnabled_1.ensure)(projectId, (0, api_1.iamOrigin)(), "apphosting", true),
     ]);
     await ensureAppHostingComputeServiceAccount(projectId, serviceAccount);
-    const allowedLocations = (await apphosting.listLocations(projectId)).map((loc) => loc.locationId);
-    if (location) {
-        if (!allowedLocations.includes(location)) {
-            throw new error_1.FirebaseError(`Invalid location ${location}. Valid choices are ${allowedLocations.join(", ")}`);
-        }
-    }
-    location =
-        location || (await promptLocation(projectId, "Select a location to host your backend:\n"));
+    const location = await promptLocation(projectId, "Select a primary region to host your backend:\n");
     const gitRepositoryLink = await githubConnections.linkGitHubRepository(projectId, location);
     const rootDir = await (0, prompt_1.promptOnce)({
         name: "rootDir",
@@ -259,10 +252,53 @@ async function getBackendForLocation(projectId, location, backendId) {
     }
 }
 exports.getBackendForLocation = getBackendForLocation;
+async function chooseBackends(projectId, backendId, chooseBackendPrompt, force) {
+    let { unreachable, backends } = await apphosting.listBackends(projectId, "-");
+    if (unreachable && unreachable.length !== 0) {
+        (0, utils_1.logWarning)(`The following locations are currently unreachable: ${unreachable.join(",")}.\n` +
+            "If your backend is in one of these regions, please try again later.");
+    }
+    backends = backends.filter((backend) => apphosting.parseBackendName(backend.name).id === backendId);
+    if (backends.length === 0) {
+        throw new error_1.FirebaseError(`No backend named "${backendId}" found.`);
+    }
+    if (backends.length === 1) {
+        return backends;
+    }
+    if (force) {
+        throw new error_1.FirebaseError(`Force cannot be used because multiple backends were found with ID ${backendId}.`);
+    }
+    const backendsByDisplay = new Map();
+    backends.forEach((backend) => {
+        const { location, id } = apphosting.parseBackendName(backend.name);
+        backendsByDisplay.set(`${id}(${location})`, backend);
+    });
+    const chosenBackendDisplays = await (0, prompt_1.promptOnce)({
+        name: "backend",
+        type: "checkbox",
+        message: chooseBackendPrompt,
+        choices: Array.from(backendsByDisplay.keys(), (name) => {
+            return {
+                checked: false,
+                name: name,
+                value: name,
+            };
+        }),
+    });
+    const chosenBackends = [];
+    chosenBackendDisplays.forEach((backendDisplay) => {
+        const backend = backendsByDisplay.get(backendDisplay);
+        if (backend !== undefined) {
+            chosenBackends.push(backend);
+        }
+    });
+    return chosenBackends;
+}
+exports.chooseBackends = chooseBackends;
 async function getBackendForAmbiguousLocation(projectId, backendId, locationDisambugationPrompt, force) {
     let { unreachable, backends } = await apphosting.listBackends(projectId, "-");
     if (unreachable && unreachable.length !== 0) {
-        (0, utils_1.logWarning)(`The following locations are currently unreachable: ${unreachable}.\n` +
+        (0, utils_1.logWarning)(`The following locations are currently unreachable: ${unreachable.join(", ")}.\n` +
             "If your backend is in one of these regions, please try again later.");
     }
     backends = backends.filter((backend) => apphosting.parseBackendName(backend.name).id === backendId);
@@ -286,3 +322,21 @@ async function getBackendForAmbiguousLocation(projectId, backendId, locationDisa
     return backendsByLocation.get(location);
 }
 exports.getBackendForAmbiguousLocation = getBackendForAmbiguousLocation;
+async function getBackend(projectId, backendId) {
+    let { unreachable, backends } = await apphosting.listBackends(projectId, "-");
+    backends = backends.filter((backend) => apphosting.parseBackendName(backend.name).id === backendId);
+    if (backends.length > 1) {
+        const locations = backends.map((b) => apphosting.parseBackendName(b.name).location);
+        throw new error_1.FirebaseError(`You have multiple backends with the same ${backendId} ID in regions: ${locations.join(", ")}. This is not allowed until we can support more locations. ` +
+            "Please delete and recreate any backends that share an ID with another backend.");
+    }
+    if (backends.length === 1) {
+        return backends[0];
+    }
+    if (unreachable && unreachable.length !== 0) {
+        (0, utils_1.logWarning)(`Backends with the following primary regions are unreachable: ${unreachable.join(", ")}.\n` +
+            "If your backend is in one of these regions, please try again later.");
+    }
+    throw new error_1.FirebaseError(`No backend named ${backendId} found.`);
+}
+exports.getBackend = getBackend;

package/lib/apphosting/config.js

@@ -1,28 +1,29 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.loadConfigToExportSecrets = exports.loadConfigForEnvironment = exports.exportConfig = exports.maybeAddSecretToYaml = exports.upsertEnv = exports.findEnv = exports.store = exports.load = exports.listAppHostingFilesInPath = exports.discoverBackendRoot = exports.APPHOSTING_YAML_FILE_REGEX = exports.APPHOSTING_LOCAL_YAML_FILE = exports.APPHOSTING_BASE_YAML_FILE = void 0;
+exports.suggestedTestKeyName = exports.overrideChosenEnv = exports.maybeGenerateEmulatorYaml = exports.maybeAddSecretToYaml = exports.upsertEnv = exports.findEnv = exports.store = exports.load = exports.listAppHostingFilesInPath = exports.discoverBackendRoot = exports.APPHOSTING_YAML_FILE_REGEX = exports.APPHOSTING_LOCAL_YAML_FILE = exports.APPHOSTING_EMULATORS_YAML_FILE = exports.APPHOSTING_BASE_YAML_FILE = void 0;
 const path_1 = require("path");
 const fs_1 = require("fs");
 const yaml = require("yaml");
+const clc = require("colorette");
 const fs = require("../fsutils");
 const prompt = require("../prompt");
 const dialogs = require("./secrets/dialogs");
 const yaml_1 = require("./yaml");
-const error_1 = require("../error");
-const utils_1 = require("./utils");
-const secrets_1 = require("./secrets");
 const logger_1 = require("../logger");
-const utils_2 = require("../utils");
-const projects_1 = require("../management/projects");
+const csm = require("../gcp/secretManager");
+const error_1 = require("../error");
 exports.APPHOSTING_BASE_YAML_FILE = "apphosting.yaml";
+exports.APPHOSTING_EMULATORS_YAML_FILE = "apphosting.emulator.yaml";
 exports.APPHOSTING_LOCAL_YAML_FILE = "apphosting.local.yaml";
 exports.APPHOSTING_YAML_FILE_REGEX = /^apphosting(\.[a-z0-9_]+)?\.yaml$/;
-const SECRET_CONFIG = "Secret";
-const EXPORTABLE_CONFIG = [SECRET_CONFIG];
 function discoverBackendRoot(cwd) {
     let dir = cwd;
-    while (!fs.fileExistsSync((0, path_1.resolve)(dir, exports.APPHOSTING_BASE_YAML_FILE))) {
-        if (fs.fileExistsSync((0, path_1.resolve)(dir, "firebase.json"))) {
+    while (true) {
+        const files = fs.listFiles(dir);
+        if (files.some((file) => exports.APPHOSTING_YAML_FILE_REGEX.test(file))) {
+            return dir;
+        }
+        if (files.includes("firebase.json")) {
             return null;
         }
         const parent = (0, path_1.dirname)(dir);
@@ -31,7 +32,6 @@ function discoverBackendRoot(cwd) {
         }
         dir = parent;
     }
-    return dir;
 }
 exports.discoverBackendRoot = discoverBackendRoot;
 function listAppHostingFilesInPath(path) {
@@ -42,7 +42,18 @@ function listAppHostingFilesInPath(path) {
 }
 exports.listAppHostingFilesInPath = listAppHostingFilesInPath;
 function load(yamlPath) {
-    const raw = fs.readFile(yamlPath);
+    let raw;
+    try {
+        raw = fs.readFile(yamlPath);
+    }
+    catch (err) {
+        if (err.code !== "ENOENT") {
+            throw new error_1.FirebaseError(`Unexpected error trying to load ${yamlPath}`, {
+                original: (0, error_1.getError)(err),
+            });
+        }
+        return new yaml.Document();
+    }
     return yaml.parseDocument(raw);
 }
 exports.load = load;
@@ -79,13 +90,13 @@ function upsertEnv(document, env) {
     envs.add(envYaml);
 }
 exports.upsertEnv = upsertEnv;
-async function maybeAddSecretToYaml(secretName) {
-    const dynamicDispatch = exports;
+const dynamicDispatch = exports;
+async function maybeAddSecretToYaml(secretName, fileName = exports.APPHOSTING_BASE_YAML_FILE) {
     const backendRoot = dynamicDispatch.discoverBackendRoot(process.cwd());
     let path;
     let projectYaml;
     if (backendRoot) {
-        path = (0, path_1.join)(backendRoot, exports.APPHOSTING_BASE_YAML_FILE);
+        path = (0, path_1.join)(backendRoot, fileName);
         projectYaml = dynamicDispatch.load(path);
     }
     else {
@@ -95,7 +106,7 @@ async function maybeAddSecretToYaml(secretName) {
         return;
     }
     const addToYaml = await prompt.confirm({
-        message: "Would you like to add this secret to apphosting.yaml?",
+        message: `Would you like to add this secret to ${fileName}?`,
         default: true,
     });
     if (!addToYaml) {
@@ -103,12 +114,12 @@ async function maybeAddSecretToYaml(secretName) {
     }
     if (!path) {
         path = await prompt.promptOnce({
-            message: "It looks like you don't have an apphosting.yaml yet. Where would you like to store it?",
+            message: `It looks like you don't have an ${fileName} yet. Where would you like to store it?`,
             default: process.cwd(),
         });
-        path = (0, path_1.join)(path, exports.APPHOSTING_BASE_YAML_FILE);
+        path = (0, path_1.join)(path, fileName);
     }
-    const envName = await dialogs.envVarForSecret(secretName);
+    const envName = await dialogs.envVarForSecret(secretName, fileName === exports.APPHOSTING_EMULATORS_YAML_FILE);
     dynamicDispatch.upsertEnv(projectYaml, {
         variable: envName,
         secret: secretName,
@@ -116,92 +127,110 @@ async function maybeAddSecretToYaml(secretName) {
     dynamicDispatch.store(path, projectYaml);
 }
 exports.maybeAddSecretToYaml = maybeAddSecretToYaml;
-async function exportConfig(cwd, projectRoot, backendRoot, projectId, userGivenConfigFile) {
-    const choices = await prompt.prompt({}, [
-        {
-            type: "checkbox",
-            name: "configurations",
-            message: "What configs would you like to export?",
-            choices: EXPORTABLE_CONFIG,
-        },
-    ]);
-    if (!choices.configurations.includes(SECRET_CONFIG)) {
-        logger_1.logger.info("No configs selected to export");
-        return;
-    }
-    if (!projectId) {
-        const project = await (0, projects_1.getOrPromptProject)({});
-        projectId = project.projectId;
-    }
-    let localAppHostingConfig = yaml_1.AppHostingYamlConfig.empty();
-    const localAppHostingConfigPath = (0, path_1.resolve)(backendRoot, exports.APPHOSTING_LOCAL_YAML_FILE);
-    if (fs.fileExistsSync(localAppHostingConfigPath)) {
-        localAppHostingConfig = await yaml_1.AppHostingYamlConfig.loadFromFile(localAppHostingConfigPath);
-    }
-    const configToExport = await loadConfigToExportSecrets(cwd, userGivenConfigFile);
-    const secretsToExport = Object.entries(configToExport.env)
-        .filter(([, env]) => env.secret)
-        .map(([variable, env]) => {
-        return Object.assign({ variable }, env);
+async function maybeGenerateEmulatorYaml(projectId, repoRoot) {
+    const basePath = dynamicDispatch.discoverBackendRoot(repoRoot) || repoRoot;
+    if (fs.fileExistsSync((0, path_1.join)(basePath, exports.APPHOSTING_EMULATORS_YAML_FILE))) {
+        logger_1.logger.debug("apphosting.emulator.yaml already exists, skipping generation and secrets access prompt");
+        return null;
+    }
+    let baseConfig;
+    try {
+        baseConfig = await yaml_1.AppHostingYamlConfig.loadFromFile((0, path_1.join)(basePath, exports.APPHOSTING_BASE_YAML_FILE));
+    }
+    catch (_a) {
+        baseConfig = yaml_1.AppHostingYamlConfig.empty();
+    }
+    const createFile = await prompt.confirm({
+        message: "The App Hosting emulator uses a file called apphosting.emulator.yaml to override " +
+            "values in apphosting.yaml for local testing. This codebase does not have one, would you like " +
+            "to create it?",
+        default: true,
     });
-    if (!secretsToExport) {
-        logger_1.logger.info("No secrets found to export in the chosen App Hosting config files");
-        return;
-    }
-    const secretMaterial = await (0, secrets_1.fetchSecrets)(projectId, secretsToExport);
-    for (const [key, value] of secretMaterial) {
-        localAppHostingConfig.env[key] = {
-            value,
-            availability: ["RUNTIME"],
-        };
-    }
-    localAppHostingConfig.upsertFile(localAppHostingConfigPath);
-    logger_1.logger.info(`Wrote secrets as environment variables to ${exports.APPHOSTING_LOCAL_YAML_FILE}.`);
-    (0, utils_2.updateOrCreateGitignore)(projectRoot, [exports.APPHOSTING_LOCAL_YAML_FILE]);
-    logger_1.logger.info(`${exports.APPHOSTING_LOCAL_YAML_FILE} has been automatically added to your .gitignore.`);
-}
-exports.exportConfig = exportConfig;
-async function loadConfigForEnvironment(envYamlPath, baseYamlPath) {
-    const envYamlConfig = await yaml_1.AppHostingYamlConfig.loadFromFile(envYamlPath);
-    if (baseYamlPath) {
-        const baseConfig = await yaml_1.AppHostingYamlConfig.loadFromFile(baseYamlPath);
-        baseConfig.merge(envYamlConfig);
-        return baseConfig;
-    }
-    return envYamlConfig;
-}
-exports.loadConfigForEnvironment = loadConfigForEnvironment;
-async function loadConfigToExportSecrets(cwd, userGivenConfigFile) {
-    if (userGivenConfigFile && !exports.APPHOSTING_YAML_FILE_REGEX.test(userGivenConfigFile)) {
-        throw new error_1.FirebaseError("Invalid apphosting yaml config file provided. File must be in format: 'apphosting.yaml' or 'apphosting.<environment>.yaml'");
-    }
-    const allConfigs = getValidConfigs(cwd);
-    let userGivenConfigFilePath;
-    if (userGivenConfigFile) {
-        if (!allConfigs.has(userGivenConfigFile)) {
-            throw new error_1.FirebaseError(`The provided app hosting config file "${userGivenConfigFile}" does not exist`);
+    if (!createFile) {
+        return (0, yaml_1.toEnvList)(baseConfig.env);
+    }
+    const newEnv = await dynamicDispatch.overrideChosenEnv(projectId, baseConfig.env || {});
+    const envList = Object.entries(newEnv);
+    if (envList.length) {
+        const newYaml = new yaml.Document();
+        for (const [variable, env] of envList) {
+            dynamicDispatch.upsertEnv(newYaml, Object.assign({ variable }, env));
         }
-        userGivenConfigFilePath = allConfigs.get(userGivenConfigFile);
+        dynamicDispatch.store((0, path_1.join)(basePath, exports.APPHOSTING_EMULATORS_YAML_FILE), newYaml);
     }
     else {
-        userGivenConfigFilePath = await (0, utils_1.promptForAppHostingYaml)(allConfigs, "Which environment would you like to export secrets from Secret Manager for?");
-    }
-    if (userGivenConfigFile === exports.APPHOSTING_BASE_YAML_FILE) {
-        return yaml_1.AppHostingYamlConfig.loadFromFile(allConfigs.get(exports.APPHOSTING_BASE_YAML_FILE));
+        const sample = "env:\n" +
+            "#- variable: ENV_VAR_NAME\n" +
+            "#  value: plaintext value\n" +
+            "#- variable: SECRET_ENV_VAR_NAME\n" +
+            "#  secret: cloud-secret-manager-id\n";
+        (0, fs_1.writeFileSync)((0, path_1.join)(basePath, exports.APPHOSTING_EMULATORS_YAML_FILE), sample);
+    }
+    return (0, yaml_1.toEnvList)(Object.assign(Object.assign({}, baseConfig.env), newEnv));
+}
+exports.maybeGenerateEmulatorYaml = maybeGenerateEmulatorYaml;
+async function overrideChosenEnv(projectId, env) {
+    const names = Object.keys(env);
+    if (!names.length) {
+        return {};
+    }
+    const toOverwrite = await prompt.promptOnce({
+        type: "checkbox",
+        message: "Which environment variables would you like to override?",
+        choices: names.map((name) => {
+            return { name };
+        }),
+    });
+    if (!projectId && toOverwrite.some((name) => "secret" in env[name])) {
+        throw new error_1.FirebaseError(`Need a project ID to overwrite a secret. Either use ${clc.bold("firebase use")} or pass the ${clc.bold("--project")} flag`);
+    }
+    const newEnv = {};
+    for (const name of toOverwrite) {
+        if ("value" in env[name]) {
+            const newValue = await prompt.promptOnce({
+                type: "input",
+                message: `What new value would you like for plaintext ${name}?`,
+            });
+            newEnv[name] = { variable: name, value: newValue };
+            continue;
+        }
+        let secretRef;
+        let action = "pick-new";
+        while (action === "pick-new") {
+            secretRef = await prompt.promptOnce({
+                type: "input",
+                message: `What would you like to name the secret reference for ${name}?`,
+                default: suggestedTestKeyName(name),
+            });
+            if (await csm.secretExists(projectId, secretRef)) {
+                action = await prompt.promptOnce({
+                    type: "list",
+                    message: "This secret reference already exists, would you like to reuse it or create a new one?",
+                    choices: [
+                        { name: "Reuse it", value: "reuse" },
+                        { name: "Create a new one", value: "pick-new" },
+                    ],
+                });
+            }
+            else {
+                action = "create";
+            }
+        }
+        newEnv[name] = { variable: name, secret: secretRef };
+        if (action === "reuse") {
+            continue;
+        }
+        const secretValue = await prompt.promptOnce({
+            type: "password",
+            message: `What new value would you like for secret ${name} [input is hidden]?`,
+        });
+        await csm.createSecret(projectId, secretRef, { [csm.FIREBASE_MANAGED]: "apphosting" });
+        await csm.addVersion(projectId, secretRef, secretValue);
     }
-    const baseFilePath = allConfigs.get(exports.APPHOSTING_BASE_YAML_FILE);
-    return await loadConfigForEnvironment(userGivenConfigFilePath, baseFilePath);
+    return newEnv;
 }
-exports.loadConfigToExportSecrets = loadConfigToExportSecrets;
-function getValidConfigs(cwd) {
-    const appHostingConfigPaths = listAppHostingFilesInPath(cwd).filter((path) => !path.endsWith(exports.APPHOSTING_LOCAL_YAML_FILE));
-    if (appHostingConfigPaths.length === 0) {
-        throw new error_1.FirebaseError("No apphosting.*.yaml configs found");
-    }
-    const fileNameToPathMap = new Map();
-    for (const path of appHostingConfigPaths) {
-        const fileName = (0, path_1.basename)(path);
-        fileNameToPathMap.set(fileName, path);
-    }
-    return fileNameToPathMap;
+exports.overrideChosenEnv = overrideChosenEnv;
+function suggestedTestKeyName(variable) {
+    return "test-" + variable.replace(/_/g, "-").toLowerCase();
 }
+exports.suggestedTestKeyName = suggestedTestKeyName;

package/lib/apphosting/rollout.js

@@ -17,18 +17,12 @@ const apphostingPollerOptions = {
     maxBackoff: 10000,
 };
 const GIT_COMMIT_SHA_REGEX = /^(?:[0-9a-f]{40}|[0-9a-f]{7})$/;
-async function createRollout(backendId, projectId, location, branch, commit, force) {
-    let backend;
-    if (location === "-" || location === "") {
-        backend = await (0, backend_1.getBackendForAmbiguousLocation)(projectId, backendId, "Please select the location of the backend you'd like to roll out:", force);
-        location = apphosting.parseBackendName(backend.name).location;
-    }
-    else {
-        backend = await (0, backend_1.getBackendForLocation)(projectId, location, backendId);
-    }
+async function createRollout(backendId, projectId, branch, commit, force) {
+    const backend = await (0, backend_1.getBackend)(projectId, backendId);
     if (!backend.codebase.repository) {
         throw new error_1.FirebaseError(`Backend ${backendId} is misconfigured due to missing a connected repository. You can delete and recreate your backend using 'firebase apphosting:backends:delete' and 'firebase apphosting:backends:create'.`);
     }
+    const { location } = apphosting.parseBackendName(backend.name);
     const { repoLink, owner, repo, readToken } = await (0, devConnect_1.getRepoDetailsFromBackend)(projectId, location, backend.codebase.repository);
     let targetCommit;
     if (branch) {

package/lib/apphosting/secrets/dialogs.js

@@ -143,8 +143,11 @@ function toUpperSnakeCase(key) {
         .replace(/([a-z])([A-Z])/g, "$1_$2")
         .toUpperCase();
 }
-async function envVarForSecret(secret) {
-    const upper = toUpperSnakeCase(secret);
+async function envVarForSecret(secret, trimTestPrefix = false) {
+    let upper = toUpperSnakeCase(secret);
+    if (trimTestPrefix && upper.startsWith("TEST_")) {
+        upper = upper.substring("TEST_".length);
+    }
     if (upper === secret) {
         try {
             env.validateKey(secret);

package/lib/apphosting/secrets/index.js

@@ -1,6 +1,6 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.getSecretNameParts = exports.fetchSecrets = exports.upsertSecret = exports.grantSecretAccess = exports.serviceAccountsForBackend = exports.toMulti = void 0;
+exports.getSecretNameParts = exports.fetchSecrets = exports.upsertSecret = exports.grantEmailsSecretAccess = exports.grantSecretAccess = exports.serviceAccountsForBackend = exports.toMulti = void 0;
 const error_1 = require("../../error");
 const gcsm = require("../../gcp/secretManager");
 const gcb = require("../../gcp/cloudbuild");
@@ -57,16 +57,58 @@ async function grantSecretAccess(projectId, projectNumber, secretName, accounts)
     catch (err) {
         throw new error_1.FirebaseError(`Failed to get IAM bindings on secret: ${secretName}. Ensure you have the permissions to do so and try again.`, { original: (0, error_1.getError)(err) });
     }
+    const updatedBindings = existingBindings.concat(newBindings);
     try {
-        const updatedBindings = existingBindings.concat(newBindings);
         await gcsm.setIamPolicy({ projectId, name: secretName }, updatedBindings);
     }
     catch (err) {
-        throw new error_1.FirebaseError(`Failed to set IAM bindings ${JSON.stringify(newBindings)} on secret: ${secretName}. Ensure you have the permissions to do so and try again.`, { original: (0, error_1.getError)(err) });
+        throw new error_1.FirebaseError(`Failed to set IAM bindings ${JSON.stringify(newBindings)} on secret: ${secretName}. Ensure you have the permissions to do so and try again. ` +
+            "For more information visit https://cloud.google.com/secret-manager/docs/manage-access-to-secrets#required-roles", { original: (0, error_1.getError)(err) });
     }
     utils.logSuccess(`Successfully set IAM bindings on secret ${secretName}.\n`);
 }
 exports.grantSecretAccess = grantSecretAccess;
+async function grantEmailsSecretAccess(projectId, secretNames, emails) {
+    const typeGuesses = Object.fromEntries(emails.map((email) => [email, "user"]));
+    for (const secretName of secretNames) {
+        let existingBindings;
+        try {
+            existingBindings = (await gcsm.getIamPolicy({ projectId, name: secretName })).bindings || [];
+        }
+        catch (err) {
+            throw new error_1.FirebaseError(`Failed to get IAM bindings on secret: ${secretName}. Ensure you have the permissions to do so and try again. ` +
+                "For more information visit https://cloud.google.com/secret-manager/docs/manage-access-to-secrets#required-roles", { original: (0, error_1.getError)(err) });
+        }
+        do {
+            try {
+                const newBindings = [
+                    {
+                        role: "roles/secretmanager.secretAccessor",
+                        members: Object.entries(typeGuesses).map(([email, type]) => `${type}:${email}`),
+                    },
+                ];
+                const updatedBindings = existingBindings.concat(newBindings);
+                await gcsm.setIamPolicy({ projectId, name: secretName }, updatedBindings);
+                break;
+            }
+            catch (err) {
+                if (!(err instanceof error_1.FirebaseError)) {
+                    throw new error_1.FirebaseError(`Unexpected error updating IAM bindings on secret: ${secretName}`, {
+                        original: (0, error_1.getError)(err),
+                    });
+                }
+                const match = /Principal (.*) is of type "([^"]+)"/.exec(err.message);
+                if (!match) {
+                    throw new error_1.FirebaseError(`Failed to set IAM bindings on secret: ${secretName}. Ensure you have the permissions to do so and try again.`, { original: (0, error_1.getError)(err) });
+                }
+                typeGuesses[match[1]] = match[2];
+                continue;
+            }
+        } while (true);
+        utils.logSuccess(`Successfully set IAM bindings on secret ${secretName}.\n`);
+    }
+}
+exports.grantEmailsSecretAccess = grantEmailsSecretAccess;
 async function upsertSecret(project, secret, location) {
     var _a, _b, _c, _d;
     let existing;

package/lib/apphosting/yaml.js

@@ -1,6 +1,6 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.AppHostingYamlConfig = void 0;
+exports.toEnvList = exports.toEnvMap = exports.AppHostingYamlConfig = void 0;
 const path_1 = require("path");
 const utils_1 = require("../utils");
 const config_1 = require("./config");
@@ -23,7 +23,7 @@ class AppHostingYamlConfig {
         config.filename = path.basename(filePath);
         const loadedAppHostingYaml = (_a = (await (0, utils_1.wrappedSafeLoad)(file.source))) !== null && _a !== void 0 ? _a : {};
         if (loadedAppHostingYaml.env) {
-            config.env = parseEnv(loadedAppHostingYaml.env);
+            config.env = toEnvMap(loadedAppHostingYaml.env);
         }
         return config;
     }
@@ -31,12 +31,13 @@ class AppHostingYamlConfig {
         return new AppHostingYamlConfig();
     }
     merge(other, allowSecretsToBecomePlaintext = true) {
+        var _a;
         if (!allowSecretsToBecomePlaintext) {
             const wereSecrets = Object.entries(this.env)
                 .filter(([, env]) => env.secret)
                 .map(([key]) => key);
             if (wereSecrets.some((key) => { var _a; return (_a = other.env[key]) === null || _a === void 0 ? void 0 : _a.value; })) {
-                throw new error_1.FirebaseError(`Cannot convert secret to plaintext in ${other.filename ? other.filename : "apphosting yaml"}`);
+                throw new error_1.FirebaseError(`Cannot convert secret to plaintext in ${(_a = other.filename) !== null && _a !== void 0 ? _a : "apphosting yaml"}`);
             }
         }
         this.env = Object.assign(Object.assign({}, this.env), other.env);
@@ -47,13 +48,23 @@ class AppHostingYamlConfig {
             const file = await (0, utils_1.readFileFromDirectory)((0, path_1.dirname)(filePath), (0, path_1.basename)(filePath));
             yamlConfigToWrite = await (0, utils_1.wrappedSafeLoad)(file.source);
         }
-        yamlConfigToWrite.env = Object.entries(this.env).map(([variable, env]) => {
-            return Object.assign({ variable }, env);
-        });
+        yamlConfigToWrite.env = toEnvList(this.env);
         (0, config_1.store)(filePath, yaml.parseDocument(jsYaml.dump(yamlConfigToWrite)));
     }
 }
 exports.AppHostingYamlConfig = AppHostingYamlConfig;
-function parseEnv(envs) {
-    return Object.fromEntries(envs.map((env) => [env.variable, env]));
+function toEnvMap(envs) {
+    return Object.fromEntries(envs.map((env) => {
+        const variable = env.variable;
+        const tmp = Object.assign({}, env);
+        delete env.variable;
+        return [variable, tmp];
+    }));
+}
+exports.toEnvMap = toEnvMap;
+function toEnvList(envs) {
+    return Object.entries(envs).map(([variable, env]) => {
+        return Object.assign(Object.assign({}, env), { variable });
+    });
 }
+exports.toEnvList = toEnvList;

package/lib/commands/appdistribution-groups-create.js

@@ -7,7 +7,7 @@ const requireAuth_1 = require("../requireAuth");
 const client_1 = require("../appdistribution/client");
 const options_parser_util_1 = require("../appdistribution/options-parser-util");
 exports.command = new command_1.Command("appdistribution:groups:create <displayName> [alias]")
-    .description("create group in project")
+    .description("create an App Distribution group")
     .alias("appdistribution:group:create")
     .before(requireAuth_1.requireAuth)
     .action(async (displayName, alias, options) => {

package/lib/commands/appdistribution-groups-delete.js

@@ -8,7 +8,7 @@ const error_1 = require("../error");
 const client_1 = require("../appdistribution/client");
 const options_parser_util_1 = require("../appdistribution/options-parser-util");
 exports.command = new command_1.Command("appdistribution:groups:delete <alias>")
-    .description("delete group from a project")
+    .description("delete an App Distribution group")
     .alias("appdistribution:group:delete")
     .before(requireAuth_1.requireAuth)
     .action(async (alias, options) => {

package/lib/commands/appdistribution-groups-list.js

@@ -11,7 +11,7 @@ const requireAuth_1 = require("../requireAuth");
 const utils = require("../utils");
 const Table = require("cli-table3");
 exports.command = new command_1.Command("appdistribution:groups:list")
-    .description("list groups in project")
+    .description("list App Distribution groups")
     .alias("appdistribution:group:list")
     .before(requireAuth_1.requireAuth)
     .action(async (options) => {

package/lib/commands/appdistribution-testers-add.js

@@ -7,7 +7,7 @@ const requireAuth_1 = require("../requireAuth");
 const client_1 = require("../appdistribution/client");
 const options_parser_util_1 = require("../appdistribution/options-parser-util");
 exports.command = new command_1.Command("appdistribution:testers:add [emails...]")
-    .description("add testers to project (and possibly group)")
+    .description("add testers to project (and App Distribution group, if specified via flag)")
     .option("--file <file>", "a path to a file containing a list of tester emails to be added")
     .option("--group-alias <group-alias>", "if specified, the testers are also added to the group identified by this alias")
     .before(requireAuth_1.requireAuth)