You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
53 lines
2.5 KiB
53 lines
2.5 KiB
"use strict";
|
|
Object.defineProperty(exports, "__esModule", { value: true });
|
|
exports.ensureNecessaryV2ApisAndRoles = exports.checkSpecForV2Functions = void 0;
|
|
const getProjectNumber_1 = require("../../getProjectNumber");
|
|
const resourceManager = require("../../gcp/resourceManager");
|
|
const logger_1 = require("../../logger");
|
|
const error_1 = require("../../error");
|
|
const ensureApiEnabled_1 = require("../../ensureApiEnabled");
|
|
const planner = require("./planner");
|
|
const projectUtils_1 = require("../../projectUtils");
|
|
const SERVICE_AGENT_ROLE = "roles/eventarc.eventReceiver";
|
|
async function checkSpecForV2Functions(i) {
|
|
const extensionSpec = await planner.getExtensionSpec(i);
|
|
return extensionSpec.resources.some((r) => r.type === "firebaseextensions.v1beta.v2function");
|
|
}
|
|
exports.checkSpecForV2Functions = checkSpecForV2Functions;
|
|
async function ensureNecessaryV2ApisAndRoles(options) {
|
|
const projectId = (0, projectUtils_1.needProjectId)(options);
|
|
await (0, ensureApiEnabled_1.ensure)(projectId, "compute.googleapis.com", "extensions", options.markdown);
|
|
await ensureComputeP4SARole(projectId);
|
|
}
|
|
exports.ensureNecessaryV2ApisAndRoles = ensureNecessaryV2ApisAndRoles;
|
|
async function ensureComputeP4SARole(projectId) {
|
|
const projectNumber = await (0, getProjectNumber_1.getProjectNumber)({ projectId });
|
|
const saEmail = `${projectNumber}-compute@developer.gserviceaccount.com`;
|
|
let policy;
|
|
try {
|
|
policy = await resourceManager.getIamPolicy(projectId);
|
|
}
|
|
catch (e) {
|
|
if (e instanceof error_1.FirebaseError && e.status === 403) {
|
|
throw new error_1.FirebaseError("Unable to get project IAM policy, permission denied (403). Please " +
|
|
"make sure you have sufficient project privileges or if this is a brand new project " +
|
|
"try again in a few minutes.");
|
|
}
|
|
throw e;
|
|
}
|
|
if (policy.bindings.find((b) => b.role === SERVICE_AGENT_ROLE && b.members.includes("serviceAccount:" + saEmail))) {
|
|
logger_1.logger.debug("Compute Service API Agent IAM policy OK");
|
|
return true;
|
|
}
|
|
else {
|
|
logger_1.logger.debug("Firebase Extensions Service Agent is missing a required IAM role " +
|
|
"`Firebase Extensions API Service Agent`.");
|
|
policy.bindings.push({
|
|
role: SERVICE_AGENT_ROLE,
|
|
members: ["serviceAccount:" + saEmail],
|
|
});
|
|
await resourceManager.setIamPolicy(projectId, policy, "bindings");
|
|
logger_1.logger.debug("Compute Service API Agent IAM policy updated successfully");
|
|
return true;
|
|
}
|
|
}
|