firebase · colerogers · Mar 8, 2022 · Feb 17, 2022 · Feb 21, 2022 · Feb 22, 2022
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -0,0 +1 @@
+- Adds alerting event provider (#4258).
diff --git a/src/deploy/functions/services/firebaseAlerts.ts b/src/deploy/functions/services/firebaseAlerts.ts
@@ -0,0 +1,49 @@
+import * as backend from "../backend";
+import * as iam from "../../../gcp/iam";
+import { getProjectNumber } from "../../../getProjectNumber";
+import { FirebaseError } from "../../../error";
+
+export const SERVICE_ACCOUNT_TOKEN_CREATOR_ROLE = "roles/iam.serviceAccountTokenCreator";
+
+/**
+ * Finds the required project level IAM bindings for the Pub/Sub service agent
+ * If the user enabled Pub/Sub on or before April 8, 2021, then we must enable the token creator role
+ * @param projectId project identifier
+ * @param existingPolicy the project level IAM policy
+ */
+export async function obtainFirebaseAlertsBindings(
+  projectId: string,
+  existingPolicy: iam.Policy
+): Promise<Array<iam.Binding>> {
+  const projectNumber = await getProjectNumber({ projectId });
+  const pubsubServiceAgent = `serviceAccount:service-${projectNumber}@gcp-sa-pubsub.iam.gserviceaccount.com`;
+  let pubsubBinding = existingPolicy.bindings.find(
+    (b) => b.role === SERVICE_ACCOUNT_TOKEN_CREATOR_ROLE
+  );
+  if (!pubsubBinding) {
+    pubsubBinding = {
+      role: SERVICE_ACCOUNT_TOKEN_CREATOR_ROLE,
+      members: [],
+    };
+  }
+  if (!pubsubBinding.members.find((m) => m === pubsubServiceAgent)) {
+    pubsubBinding.members.push(pubsubServiceAgent);
+  }
+  return [pubsubBinding];
+}
+
+/**
+ * Sets a Firebase Alerts event trigger's region to 'global' since the service is global
+ * @param endpoint the storage endpoint
+ * @param eventTrigger the endpoints event trigger
+ */
+export function ensureFirebaseAlertsTriggerRegion(
+  endpoint: backend.Endpoint & backend.EventTriggered
+): void {
+  if (!endpoint.eventTrigger.region) {
+    endpoint.eventTrigger.region = "global";
+  }
+  if (endpoint.eventTrigger.region !== "global") {
+    throw new FirebaseError("A firebase alerts function must have a 'global' trigger location");
+  }
+}
diff --git a/src/deploy/functions/services/index.ts b/src/deploy/functions/services/index.ts
@@ -2,6 +2,7 @@ import * as backend from "../backend";
 import * as iam from "../../../gcp/iam";
 import * as v2events from "../../../functions/events/v2";
 import { obtainStorageBindings, ensureStorageTriggerRegion } from "./storage";
+import { obtainFirebaseAlertsBindings, ensureFirebaseAlertsTriggerRegion } from "./firebaseAlerts";
 
 const noop = (): Promise<void> => Promise.resolve();
 
@@ -12,7 +13,7 @@ export interface Service {
 
   // dispatch functions
   requiredProjectBindings: ((pId: any, p: any) => Promise<Array<iam.Binding>>) | undefined;
-  ensureTriggerRegion: (ep: backend.Endpoint & backend.EventTriggered) => Promise<void>;
+  ensureTriggerRegion: (ep: backend.Endpoint & backend.EventTriggered) => Promise<void> | void;
 }
 
 /** A noop service object, useful for v1 events */
@@ -30,12 +31,19 @@ export const PubSubService: Service = {
   ensureTriggerRegion: noop,
 };
 /** A storage service object */
-export const StorageService = {
+export const StorageService: Service = {
   name: "storage",
   api: "storage.googleapis.com",
   requiredProjectBindings: obtainStorageBindings,
   ensureTriggerRegion: ensureStorageTriggerRegion,
 };
+/** A firebase alerts service object */
+export const FirebaseAlertsService: Service = {
+  name: "firebasealerts",
+  api: "logging.googleapis.com",
+  requiredProjectBindings: obtainFirebaseAlertsBindings,
+  ensureTriggerRegion: ensureFirebaseAlertsTriggerRegion,
+};
 
 /** Mapping from event type string to service object */
 export const EVENT_SERVICE_MAPPING: Record<v2events.Event, Service> = {
@@ -44,6 +52,7 @@ export const EVENT_SERVICE_MAPPING: Record<v2events.Event, Service> = {
   "google.cloud.storage.object.v1.archived": StorageService,
   "google.cloud.storage.object.v1.deleted": StorageService,
   "google.cloud.storage.object.v1.metadataUpdated": StorageService,
+  "firebase.firebasealerts.alerts.v1.published": FirebaseAlertsService,
 };
 
 /**

diff --git a/src/deploy/functions/triggerRegionHelper.ts b/src/deploy/functions/triggerRegionHelper.ts
@@ -7,7 +7,7 @@ import { serviceForEndpoint } from "./services";
  * @param have the list of function specs we have deployed
  */
 export async function ensureTriggerRegions(want: backend.Backend): Promise<void> {
-  const regionLookups: Array<Promise<void>> = [];
+  const regionLookups: Array<Promise<void> | void> = [];
 
   for (const ep of backend.allEndpoints(want)) {
     if (ep.platform === "gcfv1" || !backend.isEventTriggered(ep)) {

diff --git a/src/functions/events/v2.ts b/src/functions/events/v2.ts
@@ -7,4 +7,9 @@ export const STORAGE_EVENTS = [
   "google.cloud.storage.object.v1.metadataUpdated",
 ] as const;
 
-export type Event = typeof PUBSUB_PUBLISH_EVENT | typeof STORAGE_EVENTS[number];
+export const FIREBASE_ALERTS_PUBLISH_EVENT = "firebase.firebasealerts.alerts.v1.published";
+
+export type Event =
+  | typeof PUBSUB_PUBLISH_EVENT
+  | typeof STORAGE_EVENTS[number]
+  | typeof FIREBASE_ALERTS_PUBLISH_EVENT;
diff --git a/src/test/deploy/functions/services/firebaseAlerts.spec.ts b/src/test/deploy/functions/services/firebaseAlerts.spec.ts
@@ -0,0 +1,120 @@
+import { expect } from "chai";
+import { Endpoint } from "../../../../deploy/functions/backend";
+import * as firebaseAlerts from "../../../../deploy/functions/services/firebaseAlerts";
+import * as getProjectNumber from "../../../../getProjectNumber";
+import * as sinon from "sinon";
+
+describe("obtainFirebaseAlertsBindings", () => {
+  let projectNumberStub: sinon.SinonStub;
+
+  const iamPolicy = {
+    etag: "etag",
+    version: 3,
+    bindings: [
+      {
+        role: "some/role",
+        members: ["someuser"],
+      },
+    ],
+  };
+
+  beforeEach(() => {
+    projectNumberStub = sinon.stub(getProjectNumber, "getProjectNumber").resolves("123456789");
+  });
+
+  afterEach(() => {
+    sinon.verifyAndRestore();
+  });
+
+  it("should add the binding", async () => {
+    const policy = { ...iamPolicy };
+
+    const bindings = await firebaseAlerts.obtainFirebaseAlertsBindings("project", policy);
+
+    expect(bindings.length).to.equal(1);
+    expect(bindings[0]).to.deep.equal({
+      role: firebaseAlerts.SERVICE_ACCOUNT_TOKEN_CREATOR_ROLE,
+      members: ["serviceAccount:service-123456789@gcp-sa-pubsub.iam.gserviceaccount.com"],
+    });
+  });
+
+  it("should add the service agent as a member", async () => {
+    const policy = { ...iamPolicy };
+    policy.bindings = [
+      {
+        role: firebaseAlerts.SERVICE_ACCOUNT_TOKEN_CREATOR_ROLE,
+        members: ["someuser"],
+      },
+    ];
+
+    const bindings = await firebaseAlerts.obtainFirebaseAlertsBindings("project", policy);
+
+    expect(bindings.length).to.equal(1);
+    expect(bindings[0]).to.deep.equal({
+      role: firebaseAlerts.SERVICE_ACCOUNT_TOKEN_CREATOR_ROLE,
+      members: [
+        "someuser",
+        "serviceAccount:service-123456789@gcp-sa-pubsub.iam.gserviceaccount.com",
+      ],
+    });
+  });
+
+  it("should do nothing if we have the binding", async () => {
+    const policy = { ...iamPolicy };
+    policy.bindings = [
+      {
+        role: firebaseAlerts.SERVICE_ACCOUNT_TOKEN_CREATOR_ROLE,
+        members: ["serviceAccount:service-123456789@gcp-sa-pubsub.iam.gserviceaccount.com"],
+      },
+    ];
+
+    const bindings = await firebaseAlerts.obtainFirebaseAlertsBindings("project", policy);
+
+    expect(bindings.length).to.equal(1);
+    expect(bindings[0]).to.deep.equal({
+      role: firebaseAlerts.SERVICE_ACCOUNT_TOKEN_CREATOR_ROLE,
+      members: ["serviceAccount:service-123456789@gcp-sa-pubsub.iam.gserviceaccount.com"],
+    });
+  });
+});
+
+describe("ensureFirebaseAlertsTriggerRegion", () => {
+  const endpoint: Endpoint = {
+    id: "endpoint",
+    region: "us-central1",
+    project: "my-project",
+    eventTrigger: {
+      retry: false,
+      eventType: "firebase.firebasealerts.alerts.v1.published",
+      eventFilters: [],
+    },
+    entryPoint: "",
+    platform: "gcfv2",
+    runtime: "nodejs16",
+  };
+  it("should set the trigger location to global", () => {
+    const ep = { ...endpoint };
+
+    firebaseAlerts.ensureFirebaseAlertsTriggerRegion(ep);
+
+    expect(endpoint.eventTrigger.region).to.eq("global");
+  });
+
+  it("should not error if the trigger location is global", () => {
+    const ep = { ...endpoint };
+    ep.eventTrigger.region = "global";
+
+    firebaseAlerts.ensureFirebaseAlertsTriggerRegion(endpoint);
+
+    expect(endpoint.eventTrigger.region).to.eq("global");
+  });
+
+  it("should error if the trigger location is not global", () => {
+    const ep = { ...endpoint };
+    ep.eventTrigger.region = "us-west1";
+
+    expect(() => firebaseAlerts.ensureFirebaseAlertsTriggerRegion(endpoint)).to.throw(
+      "A firebase alerts function must have a 'global' trigger location"
+    );
+  });
+});