Add blocking trigger type

CHANGELOG.md

@@ -5,3 +5,4 @@
 - Fixes issue with importing Storage Emulator data exported prior to v10.3.0 (#4358).
 - Adds ergonomic improvements to CF3 secret commands to automatically redeploy functions and delete unused secrets (#4130).
 - Fixes issue with alpha users setting timeouts (#4381)
+- Adds a blocking trigger type (#4395).

src/deploy/functions/backend.ts

@@ -131,6 +131,17 @@ export interface TaskQueueTriggered {
   taskQueueTrigger: TaskQueueTrigger;
 }
 
+export interface BlockingTrigger {
+  eventType: string;
+  accessToken?: boolean;
+  idToken?: boolean;
+  refreshToken?: boolean;
+}
+
+export interface BlockingTriggered {
+  blockingTrigger: BlockingTrigger;
+}
+
 /** A user-friendly string for the kind of trigger of an endpoint. */
 export function endpointTriggerType(endpoint: Endpoint): string {
   if (isScheduleTriggered(endpoint)) {
@@ -143,6 +154,8 @@ export function endpointTriggerType(endpoint: Endpoint): string {
     return endpoint.eventTrigger.eventType;
   } else if (isTaskQueueTriggered(endpoint)) {
     return "taskQueue";
+  } else if (isBlockingTriggered(endpoint)) {
+    return "blocking";
   } else {
     throw new Error("Unexpected trigger type for endpoint " + JSON.stringify(endpoint));
   }
@@ -227,7 +240,8 @@ export type Triggered =
   | CallableTriggered
   | EventTriggered
   | ScheduleTriggered
-  | TaskQueueTriggered;
+  | TaskQueueTriggered
+  | BlockingTriggered;
 
 /** Whether something has an HttpsTrigger */
 export function isHttpsTriggered(triggered: Triggered): triggered is HttpsTriggered {
@@ -254,6 +268,11 @@ export function isTaskQueueTriggered(triggered: Triggered): triggered is TaskQue
   return {}.hasOwnProperty.call(triggered, "taskQueueTrigger");
 }
 
+/** Whether something has a BlockingTrigger */
+export function isBlockingTriggered(triggered: Triggered): triggered is BlockingTriggered {
+  return {}.hasOwnProperty.call(triggered, "blockingTrigger");
+}
+
 /**
  * An endpoint that serves traffic to a stack of services.
  * For now, this is always a Cloud Function. Future iterations may use complex
@@ -285,6 +304,16 @@ export interface RequiredAPI {
   api: string;
 }
 
+interface ResourceOptions {
+  identityPlatform?: {
+    // auth blocking trigger options at the resource level
+    // these are set as the OR of each auth blocking trigger
+    accessToken: boolean;
+    idToken: boolean;
+    refreshToken: boolean;
+  };
+}
+
 /** An API agnostic definition of an entire deployment a customer has or wants. */
 export interface Backend {
   /**
@@ -294,6 +323,7 @@ export interface Backend {
   environmentVariables: EnvironmentVariables;
   // region -> id -> Endpoint
   endpoints: Record<string, Record<string, Endpoint>>;
+  resourceOptions: ResourceOptions;
 }
 
 /**
@@ -306,6 +336,7 @@ export function empty(): Backend {
     requiredAPIs: [],
     endpoints: {},
     environmentVariables: {},
+    resourceOptions: {},
   };
 }
 

src/deploy/functions/prepare.ts

@@ -20,6 +20,7 @@ import { ensureTriggerRegions } from "./triggerRegionHelper";
 import { ensureServiceAgentRoles } from "./checkIam";
 import { FirebaseError } from "../../error";
 import { normalizeAndValidate } from "../../functions/projectConfig";
+import { serviceForEndpoint } from "./services";
 
 function hasUserConfig(config: Record<string, unknown>): boolean {
   // "firebase" key is always going to exist in runtime config.
@@ -186,6 +187,7 @@ export function inferDetailsFromExisting(
   usedDotenv: boolean
 ): void {
   for (const wantE of backend.allEndpoints(want)) {
+    serviceForEndpoint(wantE).copyResourceOptionsToEndpoint(wantE as any, want);
     const haveE = have.endpoints[wantE.region]?.[wantE.id];
     if (!haveE) {
       continue;

src/deploy/functions/release/fabricator.ts

@@ -21,6 +21,7 @@ import * as reporter from "./reporter";
 import * as run from "../../../gcp/run";
 import * as scheduler from "../../../gcp/cloudscheduler";
 import * as utils from "../../../utils";
+import * as authBlocking from "../services/authBlocking";
 
 // TODO: Tune this for better performance.
 const gcfV1PollerOptions: Omit<poller.OperationPollerOptions, "operationResourceName"> = {
@@ -54,6 +55,7 @@ export interface FabricatorArgs {
 const rethrowAs =
   <T>(endpoint: backend.Endpoint, op: reporter.OperationType) =>
   (err: unknown): T => {
+    logger.error((err as Error).message);
     throw new reporter.DeploymentError(endpoint, op, err);
   };
 
@@ -164,7 +166,7 @@ export class Fabricator {
       assertExhaustive(endpoint.platform);
     }
 
-    await this.setTrigger(endpoint);
+    await this.setTrigger(endpoint, false);
   }
 
   async updateEndpoint(update: planner.EndpointUpdate, scraper: SourceTokenScraper): Promise<void> {
@@ -183,7 +185,7 @@ export class Fabricator {
       assertExhaustive(update.endpoint.platform);
     }
 
-    await this.setTrigger(update.endpoint);
+    await this.setTrigger(update.endpoint, true);
   }
 
   async deleteEndpoint(endpoint: backend.Endpoint): Promise<void> {
@@ -248,6 +250,13 @@ export class Fabricator {
           })
           .catch(rethrowAs(endpoint, "set invoker"));
       }
+    } else if (backend.isBlockingTriggered(endpoint)) {
+      // set invoker to all users
+      await this.executor
+        .run(async () => {
+          await gcf.setInvokerCreate(endpoint.project, backend.functionName(endpoint), ["public"]);
+        })
+        .catch(rethrowAs(endpoint, "set invoker"));
     }
   }
 
@@ -317,6 +326,11 @@ export class Fabricator {
           })
           .catch(rethrowAs(endpoint, "set invoker"));
       }
+    } else if (backend.isBlockingTriggered(endpoint)) {
+      // set invoker to all users
+      await this.executor
+        .run(() => run.setInvokerCreate(endpoint.project, serviceName, ["public"]))
+        .catch(rethrowAs(endpoint, "set invoker"));
     }
 
     const mem = endpoint.availableMemoryMb || backend.DEFAULT_MEMORY;
@@ -354,6 +368,8 @@ export class Fabricator {
       invoker = endpoint.httpsTrigger.invoker;
     } else if (backend.isTaskQueueTriggered(endpoint)) {
       invoker = endpoint.taskQueueTrigger.invoker;
+    } else if (backend.isBlockingTriggered(endpoint)) {
+      invoker = ["public"];
     }
     if (invoker) {
       await this.executor
@@ -395,6 +411,8 @@ export class Fabricator {
       invoker = endpoint.httpsTrigger.invoker;
     } else if (backend.isTaskQueueTriggered(endpoint)) {
       invoker = endpoint.taskQueueTrigger.invoker;
+    } else if (backend.isBlockingTriggered(endpoint)) {
+      invoker = ["public"];
     }
     if (invoker) {
       await this.executor
@@ -460,7 +478,7 @@ export class Fabricator {
 
   // Set/Delete trigger is responsible for wiring up a function with any trigger not owned
   // by the GCF API. This includes schedules, task queues, and blocking function triggers.
-  async setTrigger(endpoint: backend.Endpoint): Promise<void> {
+  async setTrigger(endpoint: backend.Endpoint, update: boolean): Promise<void> {
     if (backend.isScheduleTriggered(endpoint)) {
       if (endpoint.platform === "gcfv1") {
         await this.upsertScheduleV1(endpoint);
@@ -472,6 +490,8 @@ export class Fabricator {
       assertExhaustive(endpoint.platform);
     } else if (backend.isTaskQueueTriggered(endpoint)) {
       await this.upsertTaskQueue(endpoint);
+    } else if (backend.isBlockingTriggered(endpoint)) {
+      await this.registerBlockingTrigger(endpoint, update);
     }
   }
 
@@ -487,6 +507,8 @@ export class Fabricator {
       assertExhaustive(endpoint.platform);
     } else if (backend.isTaskQueueTriggered(endpoint)) {
       await this.disableTaskQueue(endpoint);
+    } else if (backend.isBlockingTriggered(endpoint)) {
+      await this.unregisterBlockingTrigger(endpoint);
     }
   }
 
@@ -519,6 +541,15 @@ export class Fabricator {
     }
   }
 
+  async registerBlockingTrigger(
+    endpoint: backend.Endpoint & backend.BlockingTriggered,
+    update: boolean
+  ): Promise<void> {
+    await this.executor
+      .run(() => authBlocking.registerAuthBlockingTriggerToIdentityPlatform(endpoint, update))
+      .catch(rethrowAs(endpoint, "register blocking trigger"));
+  }
+
   async deleteScheduleV1(endpoint: backend.Endpoint & backend.ScheduleTriggered): Promise<void> {
     const job = scheduler.jobFromEndpoint(endpoint, this.appEngineLocation);
     await this.executor
@@ -546,6 +577,14 @@ export class Fabricator {
       .catch(rethrowAs(endpoint, "disable task queue"));
   }
 
+  async unregisterBlockingTrigger(
+    endpoint: backend.Endpoint & backend.BlockingTriggered
+  ): Promise<void> {
+    await this.executor
+      .run(() => authBlocking.unregisterAuthBlockingTriggerFromIdentityPlatform(endpoint))
+      .catch(rethrowAs(endpoint, "unregister blocking trigger"));
+  }
+
   logOpStart(op: string, endpoint: backend.Endpoint): void {
     const runtime = getHumanFriendlyRuntimeName(endpoint.runtime);
     const label = helper.getFunctionLabel(endpoint);

src/deploy/functions/release/planner.ts

@@ -234,6 +234,8 @@ export function checkForIllegalUpdate(want: backend.Endpoint, have: backend.Endp
       return "a scheduled";
     } else if (backend.isTaskQueueTriggered(e)) {
       return "a task queue";
+    } else if (backend.isBlockingTriggered(e)) {
+      return "a blocking";
     }
     // Unfortunately TypeScript isn't like Scala and I can't prove to it
     // that all cases have been handled

src/deploy/functions/release/reporter.ts

@@ -28,7 +28,9 @@ export type OperationType =
   | "create topic"
   | "delete topic"
   | "set invoker"
-  | "set concurrency";
+  | "set concurrency"
+  | "register blocking trigger"
+  | "unregister blocking trigger";
 
 /** An error with a deployment phase. */
 export class DeploymentError extends Error {
@@ -245,5 +247,9 @@ export function triggerTag(endpoint: backend.Endpoint): string {
     return `${prefix}.https`;
   }
 
+  if (backend.isBlockingTriggered(endpoint)) {
+    return `${prefix}.blocking`;
+  }
+
   return endpoint.eventTrigger.eventType;
 }

src/deploy/functions/runtimes/discovery/v1alpha1.ts

@@ -10,6 +10,7 @@ export type ManifestEndpoint = backend.ServiceConfiguration &
   Partial<backend.CallableTriggered> &
   Partial<backend.EventTriggered> &
   Partial<backend.TaskQueueTriggered> &
+  Partial<backend.BlockingTriggered> &
   Partial<backend.ScheduleTriggered> & {
     region?: string[];
     entryPoint: string;
@@ -93,6 +94,7 @@ function parseEndpoints(
     eventTrigger: "object",
     scheduleTrigger: "object",
     taskQueueTrigger: "object",
+    blockingTrigger: "object",
   });
   let triggerCount = 0;
   if (ep.httpsTrigger) {
@@ -110,6 +112,9 @@ function parseEndpoints(
   if (ep.taskQueueTrigger) {
     triggerCount++;
   }
+  if (ep.blockingTrigger) {
+    triggerCount++;
+  }
   if (!triggerCount) {
     throw new FirebaseError("Expected trigger in endpoint " + id);
   }
@@ -180,6 +185,15 @@ function parseEndpoints(
         });
       }
       triggered = { taskQueueTrigger: ep.taskQueueTrigger };
+    } else if (backend.isBlockingTriggered(ep)) {
+      requireKeys(prefix + ".blockingTrigger", ep.blockingTrigger, "eventType");
+      assertKeyTypes(prefix + ".blockingTrigger", ep.blockingTrigger, {
+        eventType: "string",
+        accessToken: "boolean",
+        idToken: "boolean",
+        refreshToken: "boolean",
+      });
+      triggered = { blockingTrigger: ep.blockingTrigger };
     } else {
       throw new FirebaseError(
         `Do not recognize trigger type for endpoint ${id}. Try upgrading ` +

src/deploy/functions/runtimes/node/parseTriggers.ts

@@ -68,6 +68,12 @@ export interface TriggerAnnotation {
     };
     invoker?: string[];
   };
+  blockingTrigger?: {
+    eventType: string;
+    accessToken?: boolean;
+    idToken?: boolean;
+    refreshToken?: boolean;
+  };
   failurePolicy?: {};
   schedule?: ScheduleAnnotation;
   timeZone?: string;
@@ -180,7 +186,10 @@ export function addResourcesToBackend(
 
     // +!! is 1 for truthy values and 0 for falsy values
     const triggerCount =
-      +!!annotation.httpsTrigger + +!!annotation.eventTrigger + +!!annotation.taskQueueTrigger;
+      +!!annotation.httpsTrigger +
+      +!!annotation.eventTrigger +
+      +!!annotation.taskQueueTrigger +
+      +!!annotation.blockingTrigger;
     if (triggerCount !== 1) {
       throw new FirebaseError(
         "Unexpected annotation generated by the Firebase Functions SDK. This should never happen."
@@ -211,6 +220,19 @@ export function addResourcesToBackend(
         reason: "Needed for scheduled functions.",
       });
       triggered = { scheduleTrigger: annotation.schedule };
+    } else if (annotation.blockingTrigger) {
+      want.requiredAPIs.push({
+        api: "identityplatform.googleapis.com",
+        reason: "Needed for auth blocking functions.",
+      });
+      triggered = {
+        blockingTrigger: {
+          eventType: annotation.blockingTrigger!.eventType,
+          accessToken: annotation.blockingTrigger.accessToken || false,
+          idToken: annotation.blockingTrigger.idToken || false,
+          refreshToken: annotation.blockingTrigger.refreshToken || false,
+        },
+      };
     } else {
       triggered = {
         eventTrigger: {