Fix Storage Emulator rules resource evaluation

CHANGELOG.md

@@ -2,3 +2,4 @@
 - Fixes arg order for `firebase emulators:start --only storage` (#4195).
 - Fixes bug where environment variable for gen 2 functions weren't updated on deploy (#4209).
 - Fixes an issue in the storage emulator where a file upload would trigger functions with a metadata update handler (#4213).
+- Fixes Storage Emulator rules resource evaluation (#4214).

scripts/storage-emulator-integration/storage.rules

@@ -2,7 +2,8 @@ rules_version = '2';
 service firebase.storage {
   match /b/{bucket}/o {
     match /{allPaths=**} {
-      allow read, write: if request.auth != null;
+      allow read, create, update: if request.auth != null;
+      allow delete: if request.auth != null && resource.contentType != 'text/plain';
     }
 
     match /public/{allPaths=**} {

scripts/storage-emulator-integration/tests.ts

@@ -1187,30 +1187,46 @@ describe("Storage emulator", () => {
         });
       });
 
-      it("#delete()", async () => {
-        const downloadUrl = await page.evaluate((filename) => {
-          return firebase.storage().ref(filename).getDownloadURL();
-        }, filename);
+      describe("deleteFile", () => {
+        it("should delete file", async () => {
+          await page.evaluate((filename) => {
+            return firebase.storage().ref(filename).delete();
+          }, filename);
 
-        expect(downloadUrl).to.be.not.null;
+          const error = await page.evaluate((filename) => {
+            return new Promise((resolve) => {
+              firebase
+                .storage()
+                .ref(filename)
+                .getDownloadURL()
+                .catch((err) => {
+                  resolve(err.message);
+                });
+            });
+          }, filename);
 
-        await page.evaluate((filename) => {
-          return firebase.storage().ref(filename).delete();
-        }, filename);
+          expect(error).to.contain("does not exist.");
+        });
 
-        const error = await page.evaluate((filename) => {
-          return new Promise((resolve) => {
-            firebase
-              .storage()
-              .ref(filename)
-              .getDownloadURL()
-              .catch((err) => {
-                resolve(err.message);
-              });
-          });
-        }, filename);
+        it("should not delete file when security rule on resource object disallows it", async () => {
+          await page.evaluate((filename) => {
+            firebase.storage().ref(filename).updateMetadata({ contentType: "text/plain" });
+          }, filename);
+
+          const error = await page.evaluate((filename) => {
+            return new Promise((resolve) => {
+              firebase
+                .storage()
+                .ref(filename)
+                .delete()
+                .catch((err) => {
+                  resolve(err.message);
+                });
+            });
+          }, filename);
 
-        expect(error).to.contain("does not exist.");
+          expect(error).to.contain("does not have permission to access");
+        });
       });
     });
 

src/emulator/storage/apis/firebase.ts

@@ -591,16 +591,21 @@ export function createFirebaseEndpoints(emulator: StorageEmulator): Router {
   firebaseStorageAPI.delete("/b/:bucketId/o/:objectId", async (req, res) => {
     const decodedObjectId = decodeURIComponent(req.params.objectId);
     const operationPath = ["b", req.params.bucketId, "o", decodedObjectId].join("/");
+    const md = storageLayer.getMetadata(req.params.bucketId, decodedObjectId);
+
+    const rulesFiles: { before?: RulesResourceMetadata } = {};
+
+    if (md) {
+      rulesFiles.before = md.asRulesResource();
+    }
 
     if (
       !(await isPermitted({
         ruleset: emulator.rules,
         method: RulesetOperationMethod.DELETE,
         path: operationPath,
         authorization: req.header("authorization"),
-        file: {
-          // TODO load before metadata
-        },
+        file: rulesFiles,
       }))
     ) {
       return res.status(403).json({
@@ -611,8 +616,6 @@ export function createFirebaseEndpoints(emulator: StorageEmulator): Router {
       });
     }
 
-    const md = storageLayer.getMetadata(req.params.bucketId, decodedObjectId);
-
     if (!md) {
       res.sendStatus(404);
       return;