Nenhuma descrição
Você não pode selecionar mais de 25 tópicos Os tópicos devem começar com uma letra ou um número, podem incluir traços ('-') e podem ter até 35 caracteres.

secretsUtils.js 3.1KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960
  1. "use strict";
  2. Object.defineProperty(exports, "__esModule", { value: true });
  3. exports.prettySecretName = exports.getSecretLabels = exports.getActiveSecrets = exports.getManagedSecrets = exports.grantFirexServiceAgentSecretAdminRole = exports.usesSecrets = exports.ensureSecretManagerApiEnabled = exports.SECRET_ROLE = exports.SECRET_LABEL = void 0;
  4. const getProjectNumber_1 = require("../getProjectNumber");
  5. const utils = require("../utils");
  6. const ensureApiEnabled_1 = require("../ensureApiEnabled");
  7. const projectUtils_1 = require("../projectUtils");
  8. const types_1 = require("./types");
  9. const secretManagerApi = require("../gcp/secretManager");
  10. const logger_1 = require("../logger");
  11. exports.SECRET_LABEL = "firebase-extensions-managed";
  12. exports.SECRET_ROLE = "secretmanager.secretAccessor";
  13. async function ensureSecretManagerApiEnabled(options) {
  14. const projectId = (0, projectUtils_1.needProjectId)(options);
  15. return await (0, ensureApiEnabled_1.ensure)(projectId, "secretmanager.googleapis.com", "extensions", options.markdown);
  16. }
  17. exports.ensureSecretManagerApiEnabled = ensureSecretManagerApiEnabled;
  18. function usesSecrets(spec) {
  19. return spec.params && !!spec.params.find((p) => p.type === types_1.ParamType.SECRET);
  20. }
  21. exports.usesSecrets = usesSecrets;
  22. async function grantFirexServiceAgentSecretAdminRole(secret) {
  23. const projectNumber = await (0, getProjectNumber_1.getProjectNumber)({ projectId: secret.projectId });
  24. const firexSaProjectId = utils.envOverride("FIREBASE_EXTENSIONS_SA_PROJECT_ID", "gcp-sa-firebasemods");
  25. const saEmail = `service-${projectNumber}@${firexSaProjectId}.iam.gserviceaccount.com`;
  26. return secretManagerApi.ensureServiceAgentRole(secret, [saEmail], "roles/secretmanager.admin");
  27. }
  28. exports.grantFirexServiceAgentSecretAdminRole = grantFirexServiceAgentSecretAdminRole;
  29. async function getManagedSecrets(instance) {
  30. return (await Promise.all(getActiveSecrets(instance.config.source.spec, instance.config.params).map(async (secretResourceName) => {
  31. const secret = secretManagerApi.parseSecretResourceName(secretResourceName);
  32. const labels = (await secretManagerApi.getSecret(secret.projectId, secret.name)).labels;
  33. if (labels && labels[exports.SECRET_LABEL]) {
  34. return secretResourceName;
  35. }
  36. return Promise.resolve("");
  37. }))).filter((secretId) => !!secretId);
  38. }
  39. exports.getManagedSecrets = getManagedSecrets;
  40. function getActiveSecrets(spec, params) {
  41. return spec.params
  42. .map((p) => (p.type === types_1.ParamType.SECRET ? params[p.param] : ""))
  43. .filter((pv) => !!pv);
  44. }
  45. exports.getActiveSecrets = getActiveSecrets;
  46. function getSecretLabels(instanceId) {
  47. const labels = {};
  48. labels[exports.SECRET_LABEL] = instanceId;
  49. return labels;
  50. }
  51. exports.getSecretLabels = getSecretLabels;
  52. function prettySecretName(secretResourceName) {
  53. const nameTokens = secretResourceName.split("/");
  54. if (nameTokens.length !== 4 && nameTokens.length !== 6) {
  55. logger_1.logger.debug(`unable to parse secret secretResourceName: ${secretResourceName}`);
  56. return secretResourceName;
  57. }
  58. return nameTokens.slice(0, 4).join("/");
  59. }
  60. exports.prettySecretName = prettySecretName;