
iam.js 3.3KB

  1. "use strict";
  2. Object.defineProperty(exports, "__esModule", { value: true });
  3. exports.testIamPermissions = exports.testResourceIamPermissions = exports.getRole = exports.deleteServiceAccount = exports.createServiceAccountKey = exports.getServiceAccount = exports.createServiceAccount = void 0;
  4. const api_1 = require("../api");
  5. const logger_1 = require("../logger");
  6. const apiv2_1 = require("../apiv2");
  7. const apiClient = new apiv2_1.Client({ urlPrefix: api_1.iamOrigin, apiVersion: "v1" });
/**
 * Creates a service account in a project.
 *
 * @param {string} projectId - project that will own the new account.
 * @param {string} accountId - id requested for the new account.
 * @param {string} description - free-text description stored on the account.
 * @param {string} displayName - human-readable name stored on the account.
 * @returns {Promise<unknown>} the parsed response body.
 */
async function createServiceAccount(projectId, accountId, description, displayName) {
  const path = `/projects/${projectId}/serviceAccounts`;
  const payload = {
    accountId,
    serviceAccount: { displayName, description },
  };
  // skipLog.resBody keeps the response body out of the client's request logging.
  const res = await apiClient.post(path, payload, { skipLog: { resBody: true } });
  return res.body;
}
exports.createServiceAccount = createServiceAccount;
/**
 * Fetches a service account by its short name.
 *
 * The name is expanded to `<name>@<projectId>.iam.gserviceaccount.com` and
 * interpolated into the request path verbatim (no URL encoding), so callers
 * must pass a plain account id, not a full email.
 *
 * @param {string} projectId - project that owns the account.
 * @param {string} serviceAccountName - account id without the `@...` domain suffix.
 * @returns {Promise<unknown>} the parsed response body.
 */
async function getServiceAccount(projectId, serviceAccountName) {
  const email = `${serviceAccountName}@${projectId}.iam.gserviceaccount.com`;
  const res = await apiClient.get(`/projects/${projectId}/serviceAccounts/${email}`);
  return res.body;
}
exports.getServiceAccount = getServiceAccount;
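/**
 * Creates a new key for a service account.
 *
 * The API is asked for a `TYPE_GOOGLE_CREDENTIALS_FILE` key, so the response is
 * expected to carry the freshly generated private key. The response body is
 * therefore excluded from request logging (`skipLog.resBody`), exactly as
 * `createServiceAccount` does; the request itself is unchanged. Callers must
 * treat the returned body as a secret.
 *
 * @param {string} projectId - project that owns the account.
 * @param {string} serviceAccountName - account id without the `@...` domain suffix.
 * @returns {Promise<unknown>} the parsed response body (contains key material).
 */
async function createServiceAccountKey(projectId, serviceAccountName) {
  const email = `${serviceAccountName}@${projectId}.iam.gserviceaccount.com`;
  const response = await apiClient.post(
    `/projects/${projectId}/serviceAccounts/${email}/keys`,
    {
      keyAlgorithm: "KEY_ALG_UNSPECIFIED",
      privateKeyType: "TYPE_GOOGLE_CREDENTIALS_FILE",
    },
    // Keep the private key out of debug logs; mirrors createServiceAccount.
    { skipLog: { resBody: true } },
  );
  return response.body;
}
exports.createServiceAccountKey = createServiceAccountKey;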
/**
 * Deletes a service account by email.
 *
 * The call passes `resolveOnHTTPError: true` and discards the response, so an
 * HTTP error status (presumably including a 404 for an already-deleted account)
 * does not surface to the caller: this is a best-effort delete.
 *
 * @param {string} projectId - project that owns the account.
 * @param {string} accountEmail - full email of the account to delete.
 * @returns {Promise<void>}
 */
async function deleteServiceAccount(projectId, accountEmail) {
  const path = `/projects/${projectId}/serviceAccounts/${accountEmail}`;
  // Response intentionally ignored; see note above about HTTP errors.
  await apiClient.delete(path, { resolveOnHTTPError: true });
}
exports.deleteServiceAccount = deleteServiceAccount;
/**
 * Fetches an IAM role definition.
 *
 * @param {string} role - role name, interpolated verbatim into `/roles/<role>`.
 * @returns {Promise<unknown>} the parsed response body.
 */
async function getRole(role) {
  // Transient server errors are retried by the client.
  const options = { retryCodes: [500, 503] };
  const res = await apiClient.get(`/roles/${role}`, options);
  return res.body;
}
exports.getRole = getRole;
/**
 * Checks which of the requested permissions the caller holds on a resource.
 *
 * When the `FIREBASE_SKIP_INFORMATIONAL_IAM` environment variable is set, no
 * request is made and every requested permission is reported as allowed with
 * `passed: true` — the result is synthetic in that case, so this check must
 * not be relied on as an enforcement point.
 *
 * @param {string} origin - API origin the client should talk to.
 * @param {string} apiVersion - API version for that origin.
 * @param {string} resourceName - resource path used in `/<resourceName>:testIamPermissions`.
 * @param {Iterable<string>} permissions - permissions to test.
 * @param {string} [quotaUser=""] - when non-empty, sent as the `x-goog-quota-user` header.
 * @returns {Promise<{allowed: string[], missing: string[], passed: boolean}>}
 *   sorted, de-duplicated allowed and missing permissions; `passed` is true
 *   when nothing is missing.
 */
async function testResourceIamPermissions(origin, apiVersion, resourceName, permissions, quotaUser = "") {
  const client = new apiv2_1.Client({ urlPrefix: origin, apiVersion });
  if (process.env.FIREBASE_SKIP_INFORMATIONAL_IAM) {
    // Opt-out path: report everything as allowed without calling the API.
    logger_1.logger.debug(`[iam] skipping informational check of permissions ${JSON.stringify(permissions)} on resource ${resourceName}`);
    return { allowed: Array.from(permissions).sort(), missing: [], passed: true };
  }
  const headers = quotaUser ? { "x-goog-quota-user": quotaUser } : {};
  const response = await client.post(`/${resourceName}:testIamPermissions`, { permissions }, { headers });
  // A missing `permissions` field in the response means nothing was granted.
  const granted = new Set(response.body.permissions || []);
  const notGranted = new Set([...permissions].filter((p) => !granted.has(p)));
  return {
    allowed: [...granted].sort(),
    missing: [...notGranted].sort(),
    passed: notGranted.size === 0,
  };
}
exports.testResourceIamPermissions = testResourceIamPermissions;
/**
 * Project-level variant of `testResourceIamPermissions`: checks permissions on
 * `projects/<projectId>` via the Resource Manager API (v1), using the same
 * project path as the quota user.
 *
 * @param {string} projectId - project to test against.
 * @param {Iterable<string>} permissions - permissions to test.
 * @returns {Promise<{allowed: string[], missing: string[], passed: boolean}>}
 */
async function testIamPermissions(projectId, permissions) {
  const projectResource = `projects/${projectId}`;
  return testResourceIamPermissions(api_1.resourceManagerOrigin, "v1", projectResource, permissions, projectResource);
}
exports.testIamPermissions = testIamPermissions;