firebase-tools 13.5.2 → 13.6.1

package/lib/{init/features/apphosting → apphosting}/index.js

@@ -3,31 +3,33 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.orchestrateRollout = exports.setDefaultTrafficPolicy = exports.createBackend = exports.doSetup = void 0;
 const clc = require("colorette");
 const repo = require("./repo");
-const poller = require("../../../operation-poller");
-const apphosting = require("../../../gcp/apphosting");
-const utils_1 = require("../../../utils");
-const api_1 = require("../../../api");
-const apphosting_1 = require("../../../gcp/apphosting");
-const resourceManager_1 = require("../../../gcp/resourceManager");
-const iam_1 = require("../../../gcp/iam");
-const error_1 = require("../../../error");
-const prompt_1 = require("../../../prompt");
+const poller = require("../operation-poller");
+const apphosting = require("../gcp/apphosting");
+const githubConnections = require("./githubConnections");
+const utils_1 = require("../utils");
+const api_1 = require("../api");
+const apphosting_1 = require("../gcp/apphosting");
+const resourceManager_1 = require("../gcp/resourceManager");
+const iam = require("../gcp/iam");
+const error_1 = require("../error");
+const prompt_1 = require("../prompt");
 const constants_1 = require("./constants");
-const ensureApiEnabled_1 = require("../../../ensureApiEnabled");
-const deploymentTool = require("../../../deploymentTool");
+const ensureApiEnabled_1 = require("../ensureApiEnabled");
+const deploymentTool = require("../deploymentTool");
 const DEFAULT_COMPUTE_SERVICE_ACCOUNT_NAME = "firebase-app-hosting-compute";
 const apphostingPollerOptions = {
-    apiOrigin: api_1.apphostingOrigin,
+    apiOrigin: (0, api_1.apphostingOrigin)(),
     apiVersion: apphosting_1.API_VERSION,
     masterTimeout: 25 * 60 * 1000,
     maxBackoff: 10000,
 };
-async function doSetup(projectId, location, serviceAccount) {
+async function doSetup(projectId, location, serviceAccount, withDevConnect) {
     await Promise.all([
-        (0, ensureApiEnabled_1.ensure)(projectId, api_1.cloudbuildOrigin, "apphosting", true),
-        (0, ensureApiEnabled_1.ensure)(projectId, api_1.secretManagerOrigin, "apphosting", true),
-        (0, ensureApiEnabled_1.ensure)(projectId, api_1.cloudRunApiOrigin, "apphosting", true),
-        (0, ensureApiEnabled_1.ensure)(projectId, api_1.artifactRegistryDomain, "apphosting", true),
+        ...(withDevConnect ? [(0, ensureApiEnabled_1.ensure)(projectId, (0, api_1.developerConnectOrigin)(), "apphosting", true)] : []),
+        (0, ensureApiEnabled_1.ensure)(projectId, (0, api_1.cloudbuildOrigin)(), "apphosting", true),
+        (0, ensureApiEnabled_1.ensure)(projectId, (0, api_1.secretManagerOrigin)(), "apphosting", true),
+        (0, ensureApiEnabled_1.ensure)(projectId, (0, api_1.cloudRunApiOrigin)(), "apphosting", true),
+        (0, ensureApiEnabled_1.ensure)(projectId, (0, api_1.artifactRegistryDomain)(), "apphosting", true),
     ]);
     const allowedLocations = (await apphosting.listLocations(projectId)).map((loc) => loc.locationId);
     if (location) {
@@ -53,8 +55,10 @@ async function doSetup(projectId, location, serviceAccount) {
         default: "my-web-app",
         message: "Create a name for your backend [1-30 characters]",
     });
-    const cloudBuildConnRepo = await repo.linkGitHubRepository(projectId, location);
-    const backend = await createBackend(projectId, location, backendId, cloudBuildConnRepo, serviceAccount);
+    const gitRepositoryConnection = withDevConnect
+        ? await githubConnections.linkGitHubRepository(projectId, location)
+        : await repo.linkGitHubRepository(projectId, location);
+    const backend = await createBackend(projectId, location, backendId, gitRepositoryConnection, serviceAccount);
     const branch = await (0, prompt_1.promptOnce)({
         name: "branch",
         type: "input",
@@ -111,9 +115,9 @@ async function createBackend(projectId, location, backendId, repository, service
             rootDirectory: "/",
         },
         labels: deploymentTool.labels(),
-        computeServiceAccount: serviceAccount || defaultServiceAccount,
+        serviceAccount: serviceAccount || defaultServiceAccount,
     };
-    delete backendReqBody.computeServiceAccount;
+    delete backendReqBody.serviceAccount;
     async function createBackendAndPoll() {
         const op = await apphosting.createBackend(projectId, location, backendReqBody, backendId);
         return await poller.pollOperation(Object.assign(Object.assign({}, apphostingPollerOptions), { pollerName: `create-${projectId}-${location}-${backendId}`, operationResourceName: op.name }));
@@ -137,7 +141,7 @@ async function createBackend(projectId, location, backendId, repository, service
 exports.createBackend = createBackend;
 async function provisionDefaultComputeServiceAccount(projectId) {
     try {
-        await (0, iam_1.createServiceAccount)(projectId, DEFAULT_COMPUTE_SERVICE_ACCOUNT_NAME, "Firebase App Hosting compute service account", "Default service account used to run builds and deploys for Firebase App Hosting");
+        await iam.createServiceAccount(projectId, DEFAULT_COMPUTE_SERVICE_ACCOUNT_NAME, "Firebase App Hosting compute service account", "Default service account used to run builds and deploys for Firebase App Hosting");
     }
     catch (err) {
         if (err.status !== 409) {

package/lib/{init/features/apphosting → apphosting}/repo.js

@@ -1,15 +1,15 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.fetchAllRepositories = exports.listAppHostingConnections = exports.getOrCreateRepository = exports.getOrCreateConnection = exports.createConnection = exports.linkGitHubRepository = exports.parseConnectionName = void 0;
+exports.fetchAllRepositories = exports.listAppHostingConnections = exports.getOrCreateRepository = exports.getOrCreateConnection = exports.createConnection = exports.getOrCreateOauthConnection = exports.linkGitHubRepository = exports.parseConnectionName = void 0;
 const clc = require("colorette");
-const gcb = require("../../../gcp/cloudbuild");
-const rm = require("../../../gcp/resourceManager");
-const poller = require("../../../operation-poller");
-const utils = require("../../../utils");
-const api_1 = require("../../../api");
-const error_1 = require("../../../error");
-const prompt_1 = require("../../../prompt");
-const getProjectNumber_1 = require("../../../getProjectNumber");
+const gcb = require("../gcp/cloudbuild");
+const rm = require("../gcp/resourceManager");
+const poller = require("../operation-poller");
+const utils = require("../utils");
+const api_1 = require("../api");
+const error_1 = require("../error");
+const prompt_1 = require("../prompt");
+const getProjectNumber_1 = require("../getProjectNumber");
 const fuzzy = require("fuzzy");
 const inquirer = require("inquirer");
 const APPHOSTING_CONN_PATTERN = /.+\/apphosting-github-conn-.+$/;
@@ -29,7 +29,7 @@ function parseConnectionName(name) {
 }
 exports.parseConnectionName = parseConnectionName;
 const gcbPollerOptions = {
-    apiOrigin: api_1.cloudbuildOrigin,
+    apiOrigin: (0, api_1.cloudbuildOrigin)(),
     apiVersion: "v2",
     masterTimeout: 25 * 60 * 1000,
     maxBackoff: 10000,
@@ -56,7 +56,6 @@ async function linkGitHubRepository(projectId, location) {
     const oauthConn = await getOrCreateOauthConnection(projectId, location);
     const existingConns = await listAppHostingConnections(projectId);
     if (existingConns.length === 0) {
-        await ensureSecretManagerAdminGrant(projectId);
         existingConns.push(await createFullyInstalledConnection(projectId, location, generateConnectionId(), oauthConn));
     }
     let repoRemoteUri;
@@ -99,7 +98,19 @@ async function createFullyInstalledConnection(projectId, location, connectionId,
     return conn;
 }
 async function getOrCreateOauthConnection(projectId, location) {
-    let conn = await getOrCreateConnection(projectId, location, APPHOSTING_OAUTH_CONN_NAME);
+    let conn;
+    try {
+        conn = await gcb.getConnection(projectId, location, APPHOSTING_OAUTH_CONN_NAME);
+    }
+    catch (err) {
+        if (err.status === 404) {
+            await ensureSecretManagerAdminGrant(projectId);
+            conn = await createConnection(projectId, location, APPHOSTING_OAUTH_CONN_NAME);
+        }
+        else {
+            throw err;
+        }
+    }
     while (conn.installationState.stage === "PENDING_USER_OAUTH") {
         utils.logBullet("You must authorize the Cloud Build GitHub app.");
         utils.logBullet("Sign in to GitHub and authorize Cloud Build GitHub app:");
@@ -115,6 +126,7 @@ async function getOrCreateOauthConnection(projectId, location) {
     }
     return conn;
 }
+exports.getOrCreateOauthConnection = getOrCreateOauthConnection;
 async function promptRepositoryUri(projectId, connections) {
     const { repos, remoteUriToConnection } = await fetchAllRepositories(projectId, connections);
     const remoteUri = await (0, prompt_1.promptOnce)({
@@ -146,7 +158,7 @@ async function promptRepositoryUri(projectId, connections) {
 }
 async function ensureSecretManagerAdminGrant(projectId) {
     const projectNumber = await (0, getProjectNumber_1.getProjectNumber)({ projectId });
-    const cbsaEmail = gcb.serviceAgentEmail(projectNumber);
+    const cbsaEmail = gcb.getDefaultServiceAgent(projectNumber);
     const alreadyGranted = await rm.serviceAccountHasRoles(projectId, cbsaEmail, ["roles/secretmanager.admin"], true);
     if (alreadyGranted) {
         return;

package/lib/apphosting/secrets/dialogs.js

@@ -0,0 +1,169 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.envVarForSecret = exports.selectBackendServiceAccounts = exports.GRANT_ACCESS_IN_FUTURE = exports.WARN_NO_BACKENDS = exports.selectFromMetadata = exports.tableForBackends = exports.serviceAccountDisplay = exports.toMetadata = void 0;
+const clc = require("colorette");
+const Table = require("cli-table");
+const _1 = require(".");
+const apphosting = require("../../gcp/apphosting");
+const prompt = require("../../prompt");
+const utils = require("../../utils");
+const logger_1 = require("../../logger");
+const env = require("../../functions/env");
+function toMetadata(projectNumber, backends) {
+    const metadata = [];
+    for (const backend of backends) {
+        const [, , , location, , id] = backend.name.split("/");
+        metadata.push(Object.assign({ location, id }, (0, _1.serviceAccountsForBackend)(projectNumber, backend)));
+    }
+    return metadata.sort((left, right) => {
+        const cmplocation = left.location.localeCompare(right.location);
+        if (cmplocation) {
+            return cmplocation;
+        }
+        return left.id.localeCompare(right.id);
+    });
+}
+exports.toMetadata = toMetadata;
+function serviceAccountDisplay(metadata) {
+    if (sameServiceAccount(metadata)) {
+        return metadata.runServiceAccount;
+    }
+    return `${metadata.buildServiceAccount}, ${metadata.runServiceAccount}`;
+}
+exports.serviceAccountDisplay = serviceAccountDisplay;
+function sameServiceAccount(metadata) {
+    return metadata.buildServiceAccount === metadata.runServiceAccount;
+}
+const matchesServiceAccounts = (target) => (test) => {
+    return (target.buildServiceAccount === test.buildServiceAccount &&
+        target.runServiceAccount === test.runServiceAccount);
+};
+function tableForBackends(metadata) {
+    const headers = [
+        "location",
+        "backend",
+        metadata.every(sameServiceAccount) ? "service account" : "service accounts",
+    ];
+    const rows = metadata.map((m) => [m.location, m.id, serviceAccountDisplay(m)]);
+    return [headers, rows];
+}
+exports.tableForBackends = tableForBackends;
+function selectFromMetadata(input, selected) {
+    const buildAccounts = new Set();
+    const runAccounts = new Set();
+    for (const sa of selected) {
+        if (input.find((m) => m.buildServiceAccount === sa)) {
+            buildAccounts.add(sa);
+        }
+        else {
+            runAccounts.add(sa);
+        }
+    }
+    return {
+        buildServiceAccounts: [...buildAccounts],
+        runServiceAccounts: [...runAccounts],
+    };
+}
+exports.selectFromMetadata = selectFromMetadata;
+exports.WARN_NO_BACKENDS = "To use this secret, your backend's service account must have secret accessor permission. " +
+    "It does not look like you have a backend yet. After creating a backend, grant access with " +
+    clc.bold("firebase apphosting:secrets:grantAccess");
+exports.GRANT_ACCESS_IN_FUTURE = `To grant access in the future, run ${clc.bold("firebase apphosting:secrets:grantaccess")}`;
+async function selectBackendServiceAccounts(projectNumber, projectId, options) {
+    const listBackends = await apphosting.listBackends(projectId, "-");
+    if (listBackends.unreachable.length) {
+        utils.logLabeledWarning("apphosting", `Could not reach location(s) ${listBackends.unreachable.join(", ")}. You may need to run ` +
+            `${clc.bold("firebase apphosting:secrets:grantAccess")} at a later time if you have backends in these locations`);
+    }
+    if (!listBackends.backends.length) {
+        utils.logLabeledWarning("apphosting", exports.WARN_NO_BACKENDS);
+        return { buildServiceAccounts: [], runServiceAccounts: [] };
+    }
+    if (listBackends.backends.length === 1) {
+        const grant = await prompt.confirm({
+            nonInteractive: options.nonInteractive,
+            default: true,
+            message: "To use this secret, your backend's service account must have secret accessor permission. Would you like to grant it now?",
+        });
+        if (grant) {
+            return (0, _1.toMulti)((0, _1.serviceAccountsForBackend)(projectNumber, listBackends.backends[0]));
+        }
+        utils.logLabeledBullet("apphosting", exports.GRANT_ACCESS_IN_FUTURE);
+        return { buildServiceAccounts: [], runServiceAccounts: [] };
+    }
+    const metadata = toMetadata(projectNumber, listBackends.backends);
+    if (metadata.every(matchesServiceAccounts(metadata[0]))) {
+        utils.logLabeledBullet("apphosting", "To use this secret, your backend's service account must have secret accessor permission. All of your backends use " +
+            (sameServiceAccount(metadata[0]) ? "service account " : "service accounts ") +
+            serviceAccountDisplay(metadata[0]) +
+            ". Granting access to one backend will grant access to all backends.");
+        const grant = await prompt.confirm({
+            nonInteractive: options.nonInteractive,
+            default: true,
+            message: "Would you like to grant it now?",
+        });
+        if (grant) {
+            return selectFromMetadata(metadata, [
+                metadata[0].buildServiceAccount,
+                metadata[0].runServiceAccount,
+            ]);
+        }
+        utils.logLabeledBullet("apphosting", exports.GRANT_ACCESS_IN_FUTURE);
+        return { buildServiceAccounts: [], runServiceAccounts: [] };
+    }
+    utils.logLabeledBullet("apphosting", "To use this secret, your backend's service account must have secret accessor permission. Your backends use the following service accounts:");
+    const tableData = tableForBackends(metadata);
+    const table = new Table({
+        head: tableData[0],
+        style: { head: ["green"] },
+        rows: tableData[1],
+    });
+    logger_1.logger.info(table.toString());
+    const allAccounts = metadata.reduce((accum, row) => {
+        accum.add(row.buildServiceAccount);
+        accum.add(row.runServiceAccount);
+        return accum;
+    }, new Set());
+    const chosen = await prompt.promptOnce({
+        type: "checkbox",
+        message: "Which service accounts would you like to grant access? " +
+            "Press Space to select accounts, then Enter to confirm your choices.",
+        choices: [...allAccounts.values()].sort(),
+    });
+    if (!chosen.length) {
+        utils.logLabeledBullet("apphosting", exports.GRANT_ACCESS_IN_FUTURE);
+    }
+    return selectFromMetadata(metadata, chosen);
+}
+exports.selectBackendServiceAccounts = selectBackendServiceAccounts;
+function toUpperSnakeCase(key) {
+    return key
+        .replace(/[.-]/g, "_")
+        .replace(/([a-z])([A-Z])/g, "$1_$2")
+        .toUpperCase();
+}
+async function envVarForSecret(secret) {
+    const upper = toUpperSnakeCase(secret);
+    if (upper === secret) {
+        try {
+            env.validateKey(secret);
+            return secret;
+        }
+        catch (_a) {
+        }
+    }
+    do {
+        const test = await prompt.promptOnce({
+            message: "What environment variable name would you like to use?",
+            default: upper,
+        });
+        try {
+            env.validateKey(test);
+            return test;
+        }
+        catch (err) {
+            utils.logLabeledError("apphosting", err.message);
+        }
+    } while (true);
+}
+exports.envVarForSecret = envVarForSecret;

package/lib/apphosting/secrets/index.js

@@ -0,0 +1,98 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.upsertSecret = exports.grantSecretAccess = exports.serviceAccountsForBackend = exports.toMulti = void 0;
+const error_1 = require("../../error");
+const gcsm = require("../../gcp/secretManager");
+const gcb = require("../../gcp/cloudbuild");
+const gce = require("../../gcp/computeEngine");
+const secretManager_1 = require("../../gcp/secretManager");
+const secretManager_2 = require("../../gcp/secretManager");
+const utils = require("../../utils");
+const prompt = require("../../prompt");
+function toMulti(accounts) {
+    const m = {
+        buildServiceAccounts: [accounts.buildServiceAccount],
+        runServiceAccounts: [],
+    };
+    if (accounts.buildServiceAccount !== accounts.runServiceAccount) {
+        m.runServiceAccounts.push(accounts.runServiceAccount);
+    }
+    return m;
+}
+exports.toMulti = toMulti;
+function serviceAccountsForBackend(projectNumber, backend) {
+    if (backend.serviceAccount) {
+        return {
+            buildServiceAccount: backend.serviceAccount,
+            runServiceAccount: backend.serviceAccount,
+        };
+    }
+    return {
+        buildServiceAccount: gcb.getDefaultServiceAccount(projectNumber),
+        runServiceAccount: gce.getDefaultServiceAccount(projectNumber),
+    };
+}
+exports.serviceAccountsForBackend = serviceAccountsForBackend;
+async function grantSecretAccess(projectId, secretName, accounts) {
+    const newBindings = [
+        {
+            role: "roles/secretmanager.secretAccessor",
+            members: [...accounts.buildServiceAccounts, ...accounts.runServiceAccounts].map((sa) => `serviceAccount:${sa}`),
+        },
+        {
+            role: "roles/secretmanager.viewer",
+            members: accounts.buildServiceAccounts.map((sa) => `serviceAccount:${sa}`),
+        },
+    ];
+    let existingBindings;
+    try {
+        existingBindings = (await gcsm.getIamPolicy({ projectId, name: secretName })).bindings || [];
+    }
+    catch (err) {
+        throw new error_1.FirebaseError(`Failed to get IAM bindings on secret: ${secretName}. Ensure you have the permissions to do so and try again.`, { original: err });
+    }
+    try {
+        const updatedBindings = existingBindings.concat(newBindings);
+        await gcsm.setIamPolicy({ projectId, name: secretName }, updatedBindings);
+    }
+    catch (err) {
+        throw new error_1.FirebaseError(`Failed to set IAM bindings ${JSON.stringify(newBindings)} on secret: ${secretName}. Ensure you have the permissions to do so and try again.`, { original: err });
+    }
+    utils.logSuccess(`Successfully set IAM bindings on secret ${secretName}.\n`);
+}
+exports.grantSecretAccess = grantSecretAccess;
+async function upsertSecret(project, secret, location) {
+    var _a, _b, _c, _d;
+    let existing;
+    try {
+        existing = await gcsm.getSecret(project, secret);
+    }
+    catch (err) {
+        if (err.status !== 404) {
+            throw new error_1.FirebaseError("Unexpected error loading secret", { original: err });
+        }
+        await gcsm.createSecret(project, secret, gcsm.labels("apphosting"), location);
+        return true;
+    }
+    const replication = (_a = existing.replication) === null || _a === void 0 ? void 0 : _a.userManaged;
+    if (location &&
+        (((_b = replication === null || replication === void 0 ? void 0 : replication.replicas) === null || _b === void 0 ? void 0 : _b.length) !== 1 || ((_d = (_c = replication === null || replication === void 0 ? void 0 : replication.replicas) === null || _c === void 0 ? void 0 : _c[0]) === null || _d === void 0 ? void 0 : _d.location) !== location)) {
+        utils.logLabeledError("apphosting", "Secret replication policies cannot be changed after creation");
+        return null;
+    }
+    if ((0, secretManager_2.isFunctionsManaged)(existing)) {
+        utils.logLabeledWarning("apphosting", `Cloud Functions for Firebase currently manages versions of ${secret}. Continuing will disable ` +
+            "automatic deletion of old versions.");
+        const stopTracking = await prompt.confirm({
+            message: "Do you wish to continue?",
+            default: false,
+        });
+        if (!stopTracking) {
+            return null;
+        }
+        delete existing.labels[secretManager_1.FIREBASE_MANAGED];
+        await gcsm.patchSecret(project, secret, existing.labels);
+    }
+    return false;
+}
+exports.upsertSecret = upsertSecret;

package/lib/auth.js

@@ -172,10 +172,10 @@ function queryParamString(args) {
     return tokens.join("&");
 }
 function getLoginUrl(callbackUrl, userHint) {
-    return (api_1.authOrigin +
+    return ((0, api_1.authOrigin)() +
         "/o/oauth2/auth?" +
         queryParamString({
-            client_id: api_1.clientId,
+            client_id: (0, api_1.clientId)(),
             scope: SCOPES.join(" "),
             response_type: "code",
             state: _nonce,
@@ -186,8 +186,8 @@ function getLoginUrl(callbackUrl, userHint) {
 async function getTokensFromAuthorizationCode(code, callbackUrl, verifier) {
     const params = {
         code: code,
-        client_id: api_1.clientId,
-        client_secret: api_1.clientSecret,
+        client_id: (0, api_1.clientId)(),
+        client_secret: (0, api_1.clientSecret)(),
         redirect_uri: callbackUrl,
         grant_type: "authorization_code",
     };
@@ -196,7 +196,7 @@ async function getTokensFromAuthorizationCode(code, callbackUrl, verifier) {
     }
     let res;
     try {
-        const client = new apiv2.Client({ urlPrefix: api_1.authOrigin, auth: false });
+        const client = new apiv2.Client({ urlPrefix: (0, api_1.authOrigin)(), auth: false });
         const form = new FormData();
         for (const [k, v] of Object.entries(params)) {
             form.append(k, v);
@@ -229,20 +229,20 @@ async function getTokensFromAuthorizationCode(code, callbackUrl, verifier) {
 }
 const GITHUB_SCOPES = ["read:user", "repo", "public_repo"];
 function getGithubLoginUrl(callbackUrl) {
-    return (api_1.githubOrigin +
+    return ((0, api_1.githubOrigin)() +
         "/login/oauth/authorize?" +
         queryParamString({
-            client_id: api_1.githubClientId,
+            client_id: (0, api_1.githubClientId)(),
             state: _nonce,
             redirect_uri: callbackUrl,
             scope: GITHUB_SCOPES.join(" "),
         }));
 }
 async function getGithubTokensFromAuthorizationCode(code, callbackUrl) {
-    const client = new apiv2.Client({ urlPrefix: api_1.githubOrigin, auth: false });
+    const client = new apiv2.Client({ urlPrefix: (0, api_1.githubOrigin)(), auth: false });
     const data = {
-        client_id: api_1.githubClientId,
-        client_secret: api_1.githubClientSecret,
+        client_id: (0, api_1.githubClientId)(),
+        client_secret: (0, api_1.githubClientSecret)(),
         code,
         redirect_uri: callbackUrl,
         state: _nonce,
@@ -276,7 +276,7 @@ function urlsafeBase64(base64string) {
 async function loginRemotely() {
     var _a;
     const authProxyClient = new apiv2.Client({
-        urlPrefix: api_1.authProxyOrigin,
+        urlPrefix: (0, api_1.authProxyOrigin)(),
         auth: false,
     });
     const sessionId = (0, uuid_1.v4)();
@@ -285,7 +285,7 @@ async function loginRemotely() {
     const attestToken = (_a = (await authProxyClient.post("/attest", {
         session_id: sessionId,
     })).body) === null || _a === void 0 ? void 0 : _a.token;
-    const loginUrl = `${api_1.authProxyOrigin}/login?code_challenge=${codeChallenge}&session=${sessionId}&attest=${attestToken}`;
+    const loginUrl = `${(0, api_1.authProxyOrigin)()}/login?code_challenge=${codeChallenge}&session=${sessionId}&attest=${attestToken}`;
     logger_1.logger.info();
     logger_1.logger.info("To sign in to the Firebase CLI:");
     logger_1.logger.info();
@@ -304,7 +304,7 @@ async function loginRemotely() {
         message: "Enter authorization code:",
     });
     try {
-        const tokens = await getTokensFromAuthorizationCode(code, `${api_1.authProxyOrigin}/complete`, codeVerifier);
+        const tokens = await getTokensFromAuthorizationCode(code, `${(0, api_1.authProxyOrigin)()}/complete`, codeVerifier);
         void (0, track_1.trackGA4)("login", { method: "google_remote" });
         return {
             user: jwt.decode(tokens.id_token, { json: true }),
@@ -457,11 +457,11 @@ async function refreshTokens(refreshToken, authScopes) {
     var _a, _b;
     logger_1.logger.debug("> refreshing access token with scopes:", JSON.stringify(authScopes));
     try {
-        const client = new apiv2.Client({ urlPrefix: api_1.googleOrigin, auth: false });
+        const client = new apiv2.Client({ urlPrefix: (0, api_1.googleOrigin)(), auth: false });
         const data = {
             refresh_token: refreshToken,
-            client_id: api_1.clientId,
-            client_secret: api_1.clientSecret,
+            client_id: (0, api_1.clientId)(),
+            client_secret: (0, api_1.clientSecret)(),
             grant_type: "refresh_token",
             scope: (authScopes || []).join(" "),
         };
@@ -528,7 +528,7 @@ async function logout(refreshToken) {
     }
     logoutCurrentSession(refreshToken);
     try {
-        const client = new apiv2.Client({ urlPrefix: api_1.authOrigin, auth: false });
+        const client = new apiv2.Client({ urlPrefix: (0, api_1.authOrigin)(), auth: false });
         await client.get("/o/oauth2/revoke", { queryParams: { token: refreshToken } });
     }
     catch (thrown) {

package/lib/commands/apphosting-backends-create.js

@@ -4,17 +4,19 @@ exports.command = void 0;
 const command_1 = require("../command");
 const projectUtils_1 = require("../projectUtils");
 const requireInteractive_1 = require("../requireInteractive");
-const apphosting_1 = require("../init/features/apphosting");
+const apphosting_1 = require("../apphosting");
 const apphosting_2 = require("../gcp/apphosting");
 exports.command = new command_1.Command("apphosting:backends:create")
     .description("create a backend in a Firebase project")
     .option("-l, --location <location>", "specify the region of the backend", "")
     .option("-s, --service-account <serviceAccount>", "specify the service account used to run the server", "")
+    .option("-w, --with-dev-connect", "use the Developer Connect flow insetad of Cloud Build Repositories (testing)", false)
     .before(apphosting_2.ensureApiEnabled)
     .before(requireInteractive_1.default)
     .action(async (options) => {
     const projectId = (0, projectUtils_1.needProjectId)(options);
     const location = options.location;
     const serviceAccount = options.serviceAccount;
-    await (0, apphosting_1.doSetup)(projectId, location, serviceAccount);
+    const withDevConnect = options.withDevConnect;
+    await (0, apphosting_1.doSetup)(projectId, location, serviceAccount, withDevConnect);
 });

package/lib/commands/apphosting-backends-delete.js

@@ -5,7 +5,7 @@ const command_1 = require("../command");
 const projectUtils_1 = require("../projectUtils");
 const error_1 = require("../error");
 const prompt_1 = require("../prompt");
-const constants_1 = require("../init/features/apphosting/constants");
+const constants_1 = require("../apphosting/constants");
 const utils = require("../utils");
 const apphosting = require("../gcp/apphosting");
 const apphosting_backends_list_1 = require("./apphosting-backends-list");

package/lib/commands/apphosting-secrets-describe.js

@@ -0,0 +1,29 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.command = void 0;
+const command_1 = require("../command");
+const projectUtils_1 = require("../projectUtils");
+const logger_1 = require("../logger");
+const requireAuth_1 = require("../requireAuth");
+const secretManager_1 = require("../gcp/secretManager");
+const secretManager = require("../gcp/secretManager");
+const requirePermissions_1 = require("../requirePermissions");
+const Table = require("cli-table");
+exports.command = new command_1.Command("apphosting:secrets:describe <secretName>")
+    .description("Get metadata for secret and its versions.")
+    .before(requireAuth_1.requireAuth)
+    .before(secretManager.ensureApi)
+    .before(requirePermissions_1.requirePermissions, ["secretmanager.secrets.get"])
+    .action(async (secretName, options) => {
+    const projectId = (0, projectUtils_1.needProjectId)(options);
+    const versions = await (0, secretManager_1.listSecretVersions)(projectId, secretName);
+    const table = new Table({
+        head: ["Name", "Version", "Status", "Create Time"],
+        style: { head: ["yellow"] },
+    });
+    for (const version of versions) {
+        table.push([secretName, version.versionId, version.state, version.createTime]);
+    }
+    logger_1.logger.info(table.toString());
+    return { secrets: versions };
+});

package/lib/commands/apphosting-secrets-grantaccess.js

@@ -0,0 +1,45 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.command = void 0;
+const command_1 = require("../command");
+const projectUtils_1 = require("../projectUtils");
+const error_1 = require("../error");
+const requireAuth_1 = require("../requireAuth");
+const secretManager = require("../gcp/secretManager");
+const requirePermissions_1 = require("../requirePermissions");
+const apphosting = require("../gcp/apphosting");
+const secrets = require("../apphosting/secrets");
+exports.command = new command_1.Command("apphosting:secrets:grantaccess <secretName>")
+    .description("grant service accounts permissions to the provided secret")
+    .option("-l, --location <location>", "app backend location")
+    .option("-b, --backend <backend>", "app backend name")
+    .before(requireAuth_1.requireAuth)
+    .before(secretManager.ensureApi)
+    .before(apphosting.ensureApiEnabled)
+    .before(requirePermissions_1.requirePermissions, [
+    "secretmanager.secrets.create",
+    "secretmanager.secrets.get",
+    "secretmanager.secrets.update",
+    "secretmanager.versions.add",
+    "secretmanager.secrets.getIamPolicy",
+    "secretmanager.secrets.setIamPolicy",
+])
+    .action(async (secretName, options) => {
+    const projectId = (0, projectUtils_1.needProjectId)(options);
+    const projectNumber = await (0, projectUtils_1.needProjectNumber)(options);
+    if (!options.location) {
+        throw new error_1.FirebaseError("Missing required flag --location. See firebase apphosting:secrets:grantaccess --help for more info");
+    }
+    const location = options.location;
+    if (!options.backend) {
+        throw new error_1.FirebaseError("Missing required flag --backend. See firebase apphosting:secrets:grantaccess --help for more info");
+    }
+    const exists = await secretManager.secretExists(projectId, secretName);
+    if (!exists) {
+        throw new error_1.FirebaseError(`Cannot find secret ${secretName}`);
+    }
+    const backendId = options.backend;
+    const backend = await apphosting.getBackend(projectId, location, backendId);
+    const accounts = secrets.toMulti(secrets.serviceAccountsForBackend(projectNumber, backend));
+    await secrets.grantSecretAccess(projectId, secretName, accounts);
+});