"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.ensureServiceAgentRoles = exports.mergeBindings = exports.obtainDefaultComputeServiceAgentBindings = exports.obtainPubSubServiceAgentBindings = exports.getDefaultComputeServiceAgent = exports.checkHttpIam = exports.checkServiceAccountIam = exports.EVENTARC_EVENT_RECEIVER_ROLE = exports.RUN_INVOKER_ROLE = exports.SERVICE_ACCOUNT_TOKEN_CREATOR_ROLE = void 0;
const colorette_1 = require("colorette");
const logger_1 = require("../../logger");
const functionsDeployHelper_1 = require("./functionsDeployHelper");
const error_1 = require("../../error");
const functional_1 = require("../../functional");
const iam = require("../../gcp/iam");
const backend = require("./backend");
const track_1 = require("../../track");
const utils = require("../../utils");
const resourceManager_1 = require("../../gcp/resourceManager");
const services_1 = require("./services");
const PERMISSION = "cloudfunctions.functions.setIamPolicy";
exports.SERVICE_ACCOUNT_TOKEN_CREATOR_ROLE = "roles/iam.serviceAccountTokenCreator";
exports.RUN_INVOKER_ROLE = "roles/run.invoker";
exports.EVENTARC_EVENT_RECEIVER_ROLE = "roles/eventarc.eventReceiver";
async function checkServiceAccountIam(projectId) {
    const saEmail = `${projectId}@appspot.gserviceaccount.com`;
    let passed = false;
    try {
        const iamResult = await iam.testResourceIamPermissions("https://iam.googleapis.com", "v1", `projects/${projectId}/serviceAccounts/${saEmail}`, ["iam.serviceAccounts.actAs"]);
        passed = iamResult.passed;
    }
    catch (err) {
        logger_1.logger.debug("[functions] service account IAM check errored, deploy may fail:", err);
        return;
    }
    if (!passed) {
        throw new error_1.FirebaseError(`Missing permissions required for functions deploy. You must have permission ${(0, colorette_1.bold)("iam.serviceAccounts.ActAs")} on service account ${(0, colorette_1.bold)(saEmail)}.\n\n` +
            `To address this error, ask a project Owner to assign your account the "Service Account User" role from this URL:\n\n` +
            `https://console.cloud.google.com/iam-admin/iam?project=${projectId}`);
    }
}
exports.checkServiceAccountIam = checkServiceAccountIam;
async function checkHttpIam(context, options, payload) {
    if (!payload.functions) {
        return;
    }
    const filters = context.filters || (0, functionsDeployHelper_1.getEndpointFilters)(options);
    const wantBackends = Object.values(payload.functions).map(({ wantBackend }) => wantBackend);
    const httpEndpoints = [...(0, functional_1.flattenArray)(wantBackends.map((b) => backend.allEndpoints(b)))]
        .filter(backend.isHttpsTriggered)
        .filter((f) => (0, functionsDeployHelper_1.endpointMatchesAnyFilter)(f, filters));
    const existing = await backend.existingBackend(context);
    const newHttpsEndpoints = httpEndpoints.filter(backend.missingEndpoint(existing));
    if (newHttpsEndpoints.length === 0) {
        return;
    }
    logger_1.logger.debug("[functions] found", newHttpsEndpoints.length, "new HTTP functions, testing setIamPolicy permission...");
    let passed = true;
    try {
        const iamResult = await iam.testIamPermissions(context.projectId, [PERMISSION]);
        passed = iamResult.passed;
    }
    catch (e) {
        logger_1.logger.debug("[functions] failed http create setIamPolicy permission check. deploy may fail:", e);
        return;
    }
    if (!passed) {
        void (0, track_1.track)("Error (User)", "deploy:functions:http_create_missing_iam");
        throw new error_1.FirebaseError(`Missing required permission on project ${(0, colorette_1.bold)(context.projectId)} to deploy new HTTPS functions. The permission ${(0, colorette_1.bold)(PERMISSION)} is required to deploy the following functions:\n\n- ` +
            newHttpsEndpoints.map((func) => func.id).join("\n- ") +
            `\n\nTo address this error, please ask a project Owner to assign your account the "Cloud Functions Admin" role at the following URL:\n\nhttps://console.cloud.google.com/iam-admin/iam?project=${context.projectId}`);
    }
    logger_1.logger.debug("[functions] found setIamPolicy permission, proceeding with deploy");
}
exports.checkHttpIam = checkHttpIam;
function getPubsubServiceAgent(projectNumber) {
    return `service-${projectNumber}@gcp-sa-pubsub.iam.gserviceaccount.com`;
}
function getDefaultComputeServiceAgent(projectNumber) {
    return `${projectNumber}-compute@developer.gserviceaccount.com`;
}
exports.getDefaultComputeServiceAgent = getDefaultComputeServiceAgent;
function reduceEventsToServices(services, endpoint) {
    const service = (0, services_1.serviceForEndpoint)(endpoint);
    if (service.requiredProjectBindings && !services.find((s) => s.name === service.name)) {
        services.push(service);
    }
    return services;
}
function obtainPubSubServiceAgentBindings(projectNumber) {
    const serviceAccountTokenCreatorBinding = {
        role: exports.SERVICE_ACCOUNT_TOKEN_CREATOR_ROLE,
        members: [`serviceAccount:${getPubsubServiceAgent(projectNumber)}`],
    };
    return [serviceAccountTokenCreatorBinding];
}
exports.obtainPubSubServiceAgentBindings = obtainPubSubServiceAgentBindings;
function obtainDefaultComputeServiceAgentBindings(projectNumber) {
    const defaultComputeServiceAgent = `serviceAccount:${getDefaultComputeServiceAgent(projectNumber)}`;
    const runInvokerBinding = {
        role: exports.RUN_INVOKER_ROLE,
        members: [defaultComputeServiceAgent],
    };
    const eventarcEventReceiverBinding = {
        role: exports.EVENTARC_EVENT_RECEIVER_ROLE,
        members: [defaultComputeServiceAgent],
    };
    return [runInvokerBinding, eventarcEventReceiverBinding];
}
exports.obtainDefaultComputeServiceAgentBindings = obtainDefaultComputeServiceAgentBindings;
function mergeBindings(policy, requiredBindings) {
    let updated = false;
    for (const requiredBinding of requiredBindings) {
        const match = policy.bindings.find((b) => b.role === requiredBinding.role);
        if (!match) {
            updated = true;
            policy.bindings.push(requiredBinding);
            continue;
        }
        for (const requiredMember of requiredBinding.members) {
            if (!match.members.find((m) => m === requiredMember)) {
                updated = true;
                match.members.push(requiredMember);
            }
        }
    }
    return updated;
}
exports.mergeBindings = mergeBindings;
function printManualIamConfig(requiredBindings, projectId) {
    utils.logLabeledBullet("functions", "Failed to verify the project has the correct IAM bindings for a successful deployment.", "warn");
    utils.logLabeledBullet("functions", "You can either re-run `firebase deploy` as a project owner or manually run the following set of `gcloud` commands:", "warn");
    for (const binding of requiredBindings) {
        for (const member of binding.members) {
            utils.logLabeledBullet("functions", `\`gcloud projects add-iam-policy-binding ${projectId} ` +
                `--member=${member} ` +
                `--role=${binding.role}\``, "warn");
        }
    }
}
async function ensureServiceAgentRoles(projectId, projectNumber, want, have) {
    const wantServices = backend.allEndpoints(want).reduce(reduceEventsToServices, []);
    const haveServices = backend.allEndpoints(have).reduce(reduceEventsToServices, []);
    const newServices = wantServices.filter((wantS) => !haveServices.find((haveS) => wantS.name === haveS.name));
    if (newServices.length === 0) {
        return;
    }
    const requiredBindingsPromises = [];
    for (const service of newServices) {
        requiredBindingsPromises.push(service.requiredProjectBindings(projectNumber));
    }
    const nestedRequiredBindings = await Promise.all(requiredBindingsPromises);
    const requiredBindings = [...(0, functional_1.flattenArray)(nestedRequiredBindings)];
    if (haveServices.length === 0) {
        requiredBindings.push(...obtainPubSubServiceAgentBindings(projectNumber));
        requiredBindings.push(...obtainDefaultComputeServiceAgentBindings(projectNumber));
    }
    if (requiredBindings.length === 0) {
        return;
    }
    let policy;
    try {
        policy = await (0, resourceManager_1.getIamPolicy)(projectNumber);
    }
    catch (err) {
        printManualIamConfig(requiredBindings, projectId);
        utils.logLabeledBullet("functions", "Could not verify the necessary IAM configuration for the following newly-integrated services: " +
            `${newServices.map((service) => service.api).join(", ")}` +
            ". Deployment may fail.", "warn");
        return;
    }
    const hasUpdatedBindings = mergeBindings(policy, requiredBindings);
    if (!hasUpdatedBindings) {
        return;
    }
    try {
        await (0, resourceManager_1.setIamPolicy)(projectNumber, policy, "bindings");
    }
    catch (err) {
        printManualIamConfig(requiredBindings, projectId);
        throw new error_1.FirebaseError("We failed to modify the IAM policy for the project. The functions " +
            "deployment requires specific roles to be granted to service agents," +
            " otherwise the deployment will fail.", { original: err });
    }
}
exports.ensureServiceAgentRoles = ensureServiceAgentRoles;