firebase-tools 15.21.0 → 15.22.0

package/lib/appdistribution/yaml_helper.js

@@ -32,7 +32,7 @@ function toYamlTestCases(testCases) {
     }));
 }
 function toYaml(testCases) {
-    return jsYaml.safeDump({ tests: toYamlTestCases(testCases) });
+    return jsYaml.dump({ tests: toYamlTestCases(testCases) });
 }
 function castExists(it, thing) {
     if (it == null) {
@@ -77,7 +77,7 @@ function fromYamlTestCases(appName, yamlTestCases) {
 function fromYaml(appName, yaml) {
     let parsedYaml;
     try {
-        parsedYaml = jsYaml.safeLoad(yaml);
+        parsedYaml = jsYaml.load(yaml);
     }
     catch (err) {
         throw new error_1.FirebaseError(`Failed to parse YAML: ${(0, error_1.getErrMsg)(err)}`);

package/lib/apphosting/secrets/index.js

@@ -4,6 +4,8 @@ exports.toMulti = toMulti;
 exports.serviceAccountsForBackend = serviceAccountsForBackend;
 exports.grantSecretAccess = grantSecretAccess;
 exports.grantEmailsSecretAccess = grantEmailsSecretAccess;
+exports.revokeSecretAccess = revokeSecretAccess;
+exports.revokeEmailsSecretAccess = revokeEmailsSecretAccess;
 exports.upsertSecret = upsertSecret;
 exports.loadSecret = loadSecret;
 exports.fetchSecrets = fetchSecrets;
@@ -117,6 +119,81 @@ async function grantEmailsSecretAccess(projectId, secretNames, emails) {
         utils.logSuccess(`Successfully set IAM bindings on secret ${secretName}.\n`);
     }
 }
+async function revokeSecretAccess(projectId, secretName, accounts) {
+    const bindingsToRevoke = [
+        {
+            role: "roles/secretmanager.secretAccessor",
+            members: [...accounts.buildServiceAccounts, ...accounts.runServiceAccounts].map((sa) => `serviceAccount:${sa}`),
+        },
+        {
+            role: "roles/secretmanager.viewer",
+            members: accounts.buildServiceAccounts.map((sa) => `serviceAccount:${sa}`),
+        },
+    ];
+    await revokeSecretBindings(projectId, secretName, bindingsToRevoke);
+}
+async function revokeEmailsSecretAccess(projectId, secretNames, emails) {
+    const bindingsToRevoke = [
+        {
+            role: "roles/secretmanager.secretAccessor",
+            members: emails.flatMap((email) => [`user:${email}`, `group:${email}`]),
+        },
+    ];
+    for (const secretName of secretNames) {
+        await revokeSecretBindings(projectId, secretName, bindingsToRevoke);
+    }
+}
+async function revokeSecretBindings(projectId, secretName, bindingsToRevoke) {
+    let existingBindings;
+    try {
+        existingBindings = (await gcsm.getIamPolicy({ projectId, name: secretName })).bindings || [];
+    }
+    catch (err) {
+        throw new error_1.FirebaseError(`Failed to get IAM bindings on secret: ${secretName}. Ensure you have the permissions to do so and try again.`, { original: (0, error_1.getError)(err) });
+    }
+    const removalsByRole = new Map();
+    for (const binding of bindingsToRevoke) {
+        let members = removalsByRole.get(binding.role);
+        if (!members) {
+            members = new Set();
+            removalsByRole.set(binding.role, members);
+        }
+        for (const member of binding.members) {
+            members.add(member);
+        }
+    }
+    let updated = false;
+    const bindings = [];
+    for (const binding of existingBindings) {
+        const removals = removalsByRole.get(binding.role);
+        if (!removals || binding.condition) {
+            bindings.push(binding);
+            continue;
+        }
+        const members = binding.members.filter((member) => !removals.has(member));
+        if (members.length !== binding.members.length) {
+            updated = true;
+        }
+        if (members.length) {
+            bindings.push({ ...binding, members });
+        }
+        else {
+            updated = true;
+        }
+    }
+    if (!updated) {
+        utils.logSuccess(`No matching IAM bindings found on secret ${secretName}.\n`);
+        return;
+    }
+    try {
+        await gcsm.setIamPolicy({ projectId, name: secretName }, bindings);
+    }
+    catch (err) {
+        throw new error_1.FirebaseError(`Failed to revoke IAM bindings ${JSON.stringify(bindingsToRevoke)} on secret: ${secretName}. Ensure you have the permissions to do so and try again. ` +
+            "For more information visit https://cloud.google.com/secret-manager/docs/manage-access-to-secrets#required-roles", { original: (0, error_1.getError)(err) });
+    }
+    utils.logSuccess(`Successfully revoked IAM bindings on secret ${secretName}.\n`);
+}
 async function upsertSecret(project, secret, location) {
     let existing;
     try {

package/lib/commands/apphosting-secrets-revokeaccess.js

@@ -0,0 +1,56 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.command = void 0;
+const command_1 = require("../command");
+const projectUtils_1 = require("../projectUtils");
+const error_1 = require("../error");
+const requireAuth_1 = require("../requireAuth");
+const secretManager = require("../gcp/secretManager");
+const requirePermissions_1 = require("../requirePermissions");
+const apphosting = require("../gcp/apphosting");
+const secrets = require("../apphosting/secrets");
+const backend_1 = require("../apphosting/backend");
+exports.command = new command_1.Command("apphosting:secrets:revokeaccess <secretNames>")
+    .description("Revoke service accounts, users, or groups permissions from the provided secret(s). Can pass one or more secrets, separated by a comma")
+    .option("-l, --location <location>", "the location of the backend to revoke secret access from. Cannot be combined with --emails", "-")
+    .option("-b, --backend <backend>", "the name of the backend to revoke secret access from. Cannot be combined with --emails")
+    .option("-e, --emails <emails>", "comma delimited list of user or group emails to revoke secret access from. Cannot be combined with --backend")
+    .before(requireAuth_1.requireAuth)
+    .before(secretManager.ensureApi)
+    .before(apphosting.ensureApiEnabled)
+    .before(requirePermissions_1.requirePermissions, [
+    "secretmanager.secrets.get",
+    "secretmanager.secrets.getIamPolicy",
+    "secretmanager.secrets.setIamPolicy",
+])
+    .action(async (secretNames, options) => {
+    const projectId = (0, projectUtils_1.needProjectId)(options);
+    if (!options.backend && !options.emails) {
+        throw new error_1.FirebaseError("Missing required flag --backend or --emails. See firebase apphosting:secrets:revokeaccess --help for more info");
+    }
+    if (options.backend && options.emails) {
+        throw new error_1.FirebaseError("Cannot specify both --backend and --emails. See firebase apphosting:secrets:revokeaccess --help for more info");
+    }
+    const secretList = secretNames.split(",");
+    for (const secretName of secretList) {
+        const exists = await secretManager.secretExists(projectId, secretName);
+        if (!exists) {
+            throw new error_1.FirebaseError(`Cannot find secret ${secretName}`);
+        }
+    }
+    if (options.emails) {
+        return await secrets.revokeEmailsSecretAccess(projectId, secretList, String(options.emails).split(","));
+    }
+    const projectNumber = await (0, projectUtils_1.needProjectNumber)(options);
+    const backendId = options.backend;
+    const location = options.location;
+    let backend;
+    if (location === "" || location === "-") {
+        backend = await (0, backend_1.getBackendForAmbiguousLocation)(projectId, backendId, "Please select the location of your backend:");
+    }
+    else {
+        backend = await apphosting.getBackend(projectId, location, backendId);
+    }
+    const accounts = secrets.toMulti(await secrets.serviceAccountsForBackend(projectNumber, backend));
+    await Promise.all(secretList.map((secretName) => secrets.revokeSecretAccess(projectId, secretName, accounts)));
+});

package/lib/commands/index.js

@@ -195,6 +195,7 @@ function load(client) {
         client.apphosting.backends.delete = loadCommand("apphosting-backends-delete");
         client.apphosting.secrets = {};
         client.apphosting.secrets.set = loadCommand("apphosting-secrets-set");
+        client.apphosting.secrets.revokeaccess = loadCommand("apphosting-secrets-revokeaccess");
         client.apphosting.secrets.grantaccess = loadCommand("apphosting-secrets-grantaccess");
         client.apphosting.secrets.describe = loadCommand("apphosting-secrets-describe");
         client.apphosting.secrets.access = loadCommand("apphosting-secrets-access");

package/lib/emulator/downloadableEmulatorInfo.json

@@ -44,46 +44,46 @@
         }
     },
     "pubsub": {
-        "version": "0.8.32",
-        "expectedSize": 52942305,
-        "expectedChecksum": "b47a3698985bff5f6aedec04fad9354e",
-        "expectedChecksumSHA256": "476d6492718210837f13e64b5b9f54335469381827bad25eda62e36572e47a82",
-        "remoteUrl": "https://storage.googleapis.com/firebase-preview-drop/emulator/pubsub-emulator-0.8.32.zip",
-        "downloadPathRelativeToCacheDir": "pubsub-emulator-0.8.32.zip",
-        "binaryPathRelativeToCacheDir": "pubsub-emulator-0.8.32/pubsub-emulator/bin/cloud-pubsub-emulator"
+        "version": "0.8.33",
+        "expectedSize": 52948835,
+        "expectedChecksum": "7dc33e0c8bb37948228e49a18375d53b",
+        "expectedChecksumSHA256": "93768f8763d85c37f7f6e0f64d10195abaa088f4ff559b7d9fb8a2fc5520848d",
+        "remoteUrl": "https://storage.googleapis.com/firebase-preview-drop/emulator/pubsub-emulator-0.8.33.zip",
+        "downloadPathRelativeToCacheDir": "pubsub-emulator-0.8.33.zip",
+        "binaryPathRelativeToCacheDir": "pubsub-emulator-0.8.33/pubsub-emulator/bin/cloud-pubsub-emulator"
     },
     "dataconnect": {
         "darwin": {
-            "version": "3.4.11",
-            "expectedSize": 32444112,
-            "expectedChecksum": "b7d6dfb69ff26d5952ad93bbb6b071c9",
-            "expectedChecksumSHA256": "66ef23bd048e7cb93dd7574ab92fbbdc66c82e7b72e38625d7a9f1f8b724532a",
-            "remoteUrl": "https://storage.googleapis.com/firemat-preview-drop/emulator/dataconnect-emulator-macos-amd64-v3.4.11",
-            "downloadPathRelativeToCacheDir": "dataconnect-emulator-3.4.11"
+            "version": "3.4.12",
+            "expectedSize": 29963104,
+            "expectedChecksum": "ee4d81abfba3576c7c6c8082313acfd0",
+            "expectedChecksumSHA256": "8aed1dc6cc8c35ab23fdf10e519e9cf3d93c8a0ccb0ff7d5af3ddc41a4847e3e",
+            "remoteUrl": "https://storage.googleapis.com/firemat-preview-drop/emulator/dataconnect-emulator-macos-amd64-v3.4.12",
+            "downloadPathRelativeToCacheDir": "dataconnect-emulator-3.4.12"
         },
         "darwin_arm64": {
-            "version": "3.4.11",
-            "expectedSize": 30587970,
-            "expectedChecksum": "ab0a05b2441ebdda9e04dc8d4dfd3118",
-            "expectedChecksumSHA256": "f22fa6b588644f112def735591f43f05b8864e5c2c2f2aff4a4e00c435f9f101",
-            "remoteUrl": "https://storage.googleapis.com/firemat-preview-drop/emulator/dataconnect-emulator-macos-arm64-v3.4.11",
-            "downloadPathRelativeToCacheDir": "dataconnect-emulator-3.4.11"
+            "version": "3.4.12",
+            "expectedSize": 29442946,
+            "expectedChecksum": "15a6ee63f48021197df5395455666f29",
+            "expectedChecksumSHA256": "4a3933f55db380f20c478cd1a3cc4da8742da75bdcea589fc6e1f52b18943f48",
+            "remoteUrl": "https://storage.googleapis.com/firemat-preview-drop/emulator/dataconnect-emulator-macos-arm64-v3.4.12",
+            "downloadPathRelativeToCacheDir": "dataconnect-emulator-3.4.12"
         },
         "win32": {
-            "version": "3.4.11",
-            "expectedSize": 32483840,
-            "expectedChecksum": "211210d49b7595e229a2552f56c1d9d3",
-            "expectedChecksumSHA256": "dd88350a2f4fd77ccdc8dcf4b465edc6be08609d7c79a195a57febd9b31db6cd",
-            "remoteUrl": "https://storage.googleapis.com/firemat-preview-drop/emulator/dataconnect-emulator-windows-amd64-v3.4.11",
-            "downloadPathRelativeToCacheDir": "dataconnect-emulator-3.4.11.exe"
+            "version": "3.4.12",
+            "expectedSize": 30456320,
+            "expectedChecksum": "546019a713be28620a3b43d49fc9d4b0",
+            "expectedChecksumSHA256": "ec1de720e173f0a613fbbb51767c0288121aa2f80e45e6bad0f3d2aff12689ec",
+            "remoteUrl": "https://storage.googleapis.com/firemat-preview-drop/emulator/dataconnect-emulator-windows-amd64-v3.4.12",
+            "downloadPathRelativeToCacheDir": "dataconnect-emulator-3.4.12.exe"
         },
         "linux": {
-            "version": "3.4.11",
-            "expectedSize": 31600824,
-            "expectedChecksum": "73385ff19e1324724d01ad1577552fdd",
-            "expectedChecksumSHA256": "28870bff742c78221e7be4940d993189c56fc26f50fc2cc17afcf062c84dc439",
-            "remoteUrl": "https://storage.googleapis.com/firemat-preview-drop/emulator/dataconnect-emulator-linux-amd64-v3.4.11",
-            "downloadPathRelativeToCacheDir": "dataconnect-emulator-3.4.11"
+            "version": "3.4.12",
+            "expectedSize": 29888696,
+            "expectedChecksum": "5ab8da956043a48b43199f07b94ac48c",
+            "expectedChecksumSHA256": "1a420f3d2672627eae2d9b0b6747b833517cfc08f7e80ae3a79389788691b67a",
+            "remoteUrl": "https://storage.googleapis.com/firemat-preview-drop/emulator/dataconnect-emulator-linux-amd64-v3.4.12",
+            "downloadPathRelativeToCacheDir": "dataconnect-emulator-3.4.12"
         }
     }
 }