Add blocking trigger type

CHANGELOG.md

@@ -5,4 +5,5 @@
 - Improves support for prerelease versions in `ext:dev:publish` (#4244).
 - Fixes console error on large uploads to Storage Emulator (#4407).
 - Fixes cross-platform incompatibility with Storage Emulator exports (#4411).
+- Fixes issue where function deployment errored on projects without secrets (#4425).
 - Adds a blocking trigger type (#4395).

src/deploy/functions/prepare.ts

@@ -181,13 +181,36 @@ export async function prepare(
   inferDetailsFromExisting(wantBackend, haveBackend, usedDotenv);
   await ensureTriggerRegions(wantBackend);
   validate.endpointsAreValid(wantBackend);
+  inferBlockingDetails(wantBackend);
 
   payload.functions = { wantBackend: wantBackend, haveBackend: haveBackend };
 
-  await ensureServiceAgentRoles(projectNumber, wantBackend, haveBackend);
-  inferDetailsFromExisting(wantBackend, haveBackend, usedDotenv);
-  inferBlockingDetails(wantBackend);
-  await ensureTriggerRegions(wantBackend);
+  // ===Phase 4. Enable APIs required by the deploying backend.
+
+  // Enable required APIs. This may come implicitly from triggers (e.g. scheduled triggers
+  // require cloudscheudler and, in v1, require pub/sub), or can eventually come from
+  // explicit dependencies.
+  await Promise.all(
+    Object.values(wantBackend.requiredAPIs).map(({ api }) => {
+      return ensureApiEnabled.ensure(projectId, api, "functions", /* silent=*/ false);
+    })
+  );
+  // Note: Some of these are premium APIs that require billing to be enabled.
+  // We'd eventually have to add special error handling for billing APIs, but
+  // enableCloudBuild is called above and has this special casing already.
+  if (backend.someEndpoint(wantBackend, (e) => e.platform === "gcfv2")) {
+    const V2_APIS = [
+      "artifactregistry.googleapis.com",
+      "run.googleapis.com",
+      "eventarc.googleapis.com",
+      "pubsub.googleapis.com",
+      "storage.googleapis.com",
+    ];
+    const enablements = V2_APIS.map((api) => {
+      return ensureApiEnabled.ensure(context.projectId, api, "functions");
+    });
+    await Promise.all(enablements);
+  }
 
   // ===Phase 5. Ask for user prompts for things might warrant user attentions.
   // We limit the scope endpoints being deployed.

src/deploy/functions/release/fabricator.ts

@@ -67,15 +67,13 @@ export class Fabricator {
   sourceUrl: string | undefined;
   storage: Record<string, gcfV2.StorageSource> | undefined;
   appEngineLocation: string;
-  triggerQueue: Promise<void>;
 
   constructor(args: FabricatorArgs) {
     this.executor = args.executor;
     this.functionExecutor = args.functionExecutor;
     this.sourceUrl = args.sourceUrl;
     this.storage = args.storage;
     this.appEngineLocation = args.appEngineLocation;
-    this.triggerQueue = Promise.resolve();
   }
 
   async applyPlan(plan: planner.DeploymentPlan): Promise<reporter.Summary> {
@@ -169,7 +167,7 @@ export class Fabricator {
       assertExhaustive(endpoint.platform);
     }
 
-    await this.setTrigger(endpoint, false);
+    await this.setTrigger(endpoint);
   }
 
   async updateEndpoint(update: planner.EndpointUpdate, scraper: SourceTokenScraper): Promise<void> {
@@ -188,7 +186,7 @@ export class Fabricator {
       assertExhaustive(update.endpoint.platform);
     }
 
-    await this.setTrigger(update.endpoint, true);
+    await this.setTrigger(update.endpoint);
   }
 
   async deleteEndpoint(endpoint: backend.Endpoint): Promise<void> {
@@ -493,7 +491,7 @@ export class Fabricator {
 
   // Set/Delete trigger is responsible for wiring up a function with any trigger not owned
   // by the GCF API. This includes schedules, task queues, and blocking function triggers.
-  async setTrigger(endpoint: backend.Endpoint, update: boolean): Promise<void> {
+  async setTrigger(endpoint: backend.Endpoint): Promise<void> {
     if (backend.isScheduleTriggered(endpoint)) {
       if (endpoint.platform === "gcfv1") {
         await this.upsertScheduleV1(endpoint);
@@ -506,7 +504,7 @@ export class Fabricator {
     } else if (backend.isTaskQueueTriggered(endpoint)) {
       await this.upsertTaskQueue(endpoint);
     } else if (backend.isBlockingTriggered(endpoint)) {
-      await this.registerBlockingTrigger(endpoint, update);
+      await this.registerBlockingTrigger(endpoint);
     }
   }
 
@@ -557,15 +555,11 @@ export class Fabricator {
   }
 
   async registerBlockingTrigger(
-    endpoint: backend.Endpoint & backend.BlockingTriggered,
-    update: boolean
+    endpoint: backend.Endpoint & backend.BlockingTriggered
   ): Promise<void> {
-    this.triggerQueue = this.triggerQueue.then(async () => {
-      await this.executor
-        .run(() => services.serviceForEndpoint(endpoint).registerTrigger(endpoint, update))
-        .catch(rethrowAs(endpoint, "register blocking trigger"));
-    });
-    return this.triggerQueue;
+    await this.executor
+      .run(() => services.serviceForEndpoint(endpoint).registerTrigger(endpoint))
+      .catch(rethrowAs(endpoint, "register blocking trigger"));
   }
 
   async deleteScheduleV1(endpoint: backend.Endpoint & backend.ScheduleTriggered): Promise<void> {
@@ -598,12 +592,9 @@ export class Fabricator {
   async unregisterBlockingTrigger(
     endpoint: backend.Endpoint & backend.BlockingTriggered
   ): Promise<void> {
-    this.triggerQueue = this.triggerQueue.then(async () => {
-      await this.executor
-        .run(() => services.serviceForEndpoint(endpoint).unregisterTrigger(endpoint))
-        .catch(rethrowAs(endpoint, "unregister blocking trigger"));
-    });
-    return this.triggerQueue;
+    await this.executor
+      .run(() => services.serviceForEndpoint(endpoint).unregisterTrigger(endpoint))
+      .catch(rethrowAs(endpoint, "unregister blocking trigger"));
   }
 
   logOpStart(op: string, endpoint: backend.Endpoint): void {

src/deploy/functions/services/auth.ts

@@ -3,122 +3,148 @@ import * as identityPlatform from "../../../gcp/identityPlatform";
 import * as events from "../../../functions/events";
 import { FirebaseError } from "../../../error";
 import { cloneDeep } from "../../../utils";
+import { Name, noop, Service } from "./index";
 
-/**
- * Ensure that at most one blocking function of that type exists and merges identity platform options on our backend to deploy.
- * @param endpoint the Auth Blocking endpoint
- * @param wantBackend the backend we are deploying
- */
-export function validateBlockingTrigger(
-  endpoint: backend.Endpoint & backend.BlockingTriggered,
-  wantBackend: backend.Backend
-): void {
-  const blockingEndpoints = backend
-    .allEndpoints(wantBackend)
-    .filter((ep) => backend.isBlockingTriggered(ep)) as (backend.Endpoint &
-    backend.BlockingTriggered)[];
-  if (
-    blockingEndpoints.find(
-      (ep) =>
-        ep.blockingTrigger.eventType === endpoint.blockingTrigger.eventType && ep.id !== endpoint.id
-    )
-  ) {
-    throw new FirebaseError(
-      `Can only create at most one Auth Blocking Trigger for ${endpoint.blockingTrigger.eventType} events`
-    );
+export class AuthBlockingService implements Service {
+  name: Name;
+  api: string;
+  triggerQueue: Promise<void>;
+  unregisterQueue: Promise<void>;
+
+  constructor() {
+    this.name = "authblocking";
+    this.api = "identitytoolkit.googleapis.com";
+    this.triggerQueue = Promise.resolve();
+    this.unregisterQueue = Promise.resolve();
+    this.ensureTriggerRegion = noop;
   }
-}
 
-function configChanged(
-  newConfig: identityPlatform.BlockingFunctionsConfig,
-  config: identityPlatform.BlockingFunctionsConfig
-) {
-  if (
-    newConfig.triggers?.beforeCreate?.functionUri !== config.triggers?.beforeCreate?.functionUri ||
-    newConfig.triggers?.beforeSignIn?.functionUri !== config.triggers?.beforeSignIn?.functionUri
-  ) {
-    return true;
+  ensureTriggerRegion: (ep: backend.Endpoint & backend.EventTriggered) => Promise<void>;
+
+  /**
+   * Ensure that at most one blocking function of that type exists and merges identity platform options on our backend to deploy.
+   * @param endpoint the Auth Blocking endpoint
+   * @param wantBackend the backend we are deploying
+   */
+  validateTrigger(
+    endpoint: backend.Endpoint & backend.BlockingTriggered,
+    wantBackend: backend.Backend
+  ): void {
+    const blockingEndpoints = backend
+      .allEndpoints(wantBackend)
+      .filter((ep) => backend.isBlockingTriggered(ep)) as (backend.Endpoint &
+      backend.BlockingTriggered)[];
+    if (
+      blockingEndpoints.find(
+        (ep) =>
+          ep.blockingTrigger.eventType === endpoint.blockingTrigger.eventType &&
+          ep.id !== endpoint.id
+      )
+    ) {
+      throw new FirebaseError(
+        `Can only create at most one Auth Blocking Trigger for ${endpoint.blockingTrigger.eventType} events`
+      );
+    }
   }
-  if (
-    !!newConfig.forwardInboundCredentials?.accessToken !==
-      !!config.forwardInboundCredentials?.accessToken ||
-    !!newConfig.forwardInboundCredentials?.idToken !==
-      !!config.forwardInboundCredentials?.idToken ||
-    !!newConfig.forwardInboundCredentials?.refreshToken !==
-      !!config.forwardInboundCredentials?.refreshToken
+
+  private configChanged(
+    newConfig: identityPlatform.BlockingFunctionsConfig,
+    config: identityPlatform.BlockingFunctionsConfig
   ) {
-    return true;
+    if (
+      newConfig.triggers?.beforeCreate?.functionUri !==
+        config.triggers?.beforeCreate?.functionUri ||
+      newConfig.triggers?.beforeSignIn?.functionUri !== config.triggers?.beforeSignIn?.functionUri
+    ) {
+      return true;
+    }
+    if (
+      !!newConfig.forwardInboundCredentials?.accessToken !==
+        !!config.forwardInboundCredentials?.accessToken ||
+      !!newConfig.forwardInboundCredentials?.idToken !==
+        !!config.forwardInboundCredentials?.idToken ||
+      !!newConfig.forwardInboundCredentials?.refreshToken !==
+        !!config.forwardInboundCredentials?.refreshToken
+    ) {
+      return true;
+    }
+    return false;
   }
-  return false;
-}
 
-/**
- * Registers the auth blocking trigger to identity platform. On updates, we don't touch the options.
- * @param endpoint the blocking endpoint
- * @param update if this registration is an update
- */
-export async function registerBlockingTrigger(
-  endpoint: backend.Endpoint & backend.BlockingTriggered,
-  update: boolean
-): Promise<void> {
-  const newBlockingConfig = await identityPlatform.getBlockingFunctionsConfig(endpoint.project);
-  const oldBlockingConfig = cloneDeep(newBlockingConfig);
+  private async registerTriggerLocked(
+    endpoint: backend.Endpoint & backend.BlockingTriggered
+  ): Promise<void> {
+    const newBlockingConfig = await identityPlatform.getBlockingFunctionsConfig(endpoint.project);
+    const oldBlockingConfig = cloneDeep(newBlockingConfig);
 
-  if (endpoint.blockingTrigger.eventType === events.v1.BEFORE_CREATE_EVENT) {
-    newBlockingConfig.triggers = {
-      ...newBlockingConfig.triggers,
-      beforeCreate: {
-        functionUri: endpoint.uri!,
-      },
-    };
-  } else {
-    newBlockingConfig.triggers = {
-      ...newBlockingConfig.triggers,
-      beforeSignIn: {
-        functionUri: endpoint.uri!,
-      },
-    };
-  }
+    if (endpoint.blockingTrigger.eventType === events.v1.BEFORE_CREATE_EVENT) {
+      newBlockingConfig.triggers = {
+        ...newBlockingConfig.triggers,
+        beforeCreate: {
+          functionUri: endpoint.uri!,
+        },
+      };
+    } else {
+      newBlockingConfig.triggers = {
+        ...newBlockingConfig.triggers,
+        beforeSignIn: {
+          functionUri: endpoint.uri!,
+        },
+      };
+    }
 
-  if (!update) {
     newBlockingConfig.forwardInboundCredentials = {
       idToken: endpoint.blockingTrigger.options?.idToken || false,
       accessToken: endpoint.blockingTrigger.options?.accessToken || false,
       refreshToken: endpoint.blockingTrigger.options?.refreshToken || false,
     };
+
+    if (!this.configChanged(newBlockingConfig, oldBlockingConfig)) {
+      return;
+    }
+
+    await identityPlatform.setBlockingFunctionsConfig(endpoint.project, newBlockingConfig);
   }
 
-  if (!configChanged(newBlockingConfig, oldBlockingConfig)) {
-    return;
+  /**
+   * Registers the auth blocking trigger to identity platform.
+   * @param ep the blocking endpoint
+   */
+  registerTrigger(ep: backend.Endpoint & backend.BlockingTriggered): Promise<void> {
+    this.triggerQueue = this.triggerQueue.then(() => this.registerTriggerLocked(ep));
+    return this.triggerQueue;
   }
 
-  await identityPlatform.setBlockingFunctionsConfig(endpoint.project, newBlockingConfig);
-}
+  private async unregisterTriggerLocked(
+    endpoint: backend.Endpoint & backend.BlockingTriggered
+  ): Promise<void> {
+    const blockingConfig = await identityPlatform.getBlockingFunctionsConfig(endpoint.project);
+    if (
+      endpoint.uri !== blockingConfig.triggers?.beforeCreate?.functionUri &&
+      endpoint.uri !== blockingConfig.triggers?.beforeSignIn?.functionUri
+    ) {
+      return;
+    }
 
-/**
- * Un-registers the auth blocking trigger from identity platform. If the endpoint uri is not on the resource, we do nothing.
- * @param endpoint the blocking endpoint
- */
-export async function unregisterBlockingTrigger(
-  endpoint: backend.Endpoint & backend.BlockingTriggered
-): Promise<void> {
-  const blockingConfig = await identityPlatform.getBlockingFunctionsConfig(endpoint.project);
-  if (
-    endpoint.uri !== blockingConfig.triggers?.beforeCreate?.functionUri &&
-    endpoint.uri !== blockingConfig.triggers?.beforeSignIn?.functionUri
-  ) {
-    return;
-  }
+    // There is a possibility that the user changed the registration on identity platform,
+    // to prevent 400 errors on every create and/or sign in on the app, we will treat
+    // the blockingConfig as the source of truth and only delete matching uri's.
+    if (endpoint.uri === blockingConfig.triggers?.beforeCreate?.functionUri) {
+      delete blockingConfig.triggers?.beforeCreate;
+    }
+    if (endpoint.uri === blockingConfig.triggers?.beforeSignIn?.functionUri) {
+      delete blockingConfig.triggers?.beforeSignIn;
+    }
 
-  // There is a possibility that the user changed the registration on identity platform,
-  // to prevent 400 errors on every create and/or sign in on the app, we will treat
-  // the blockingConfig as the source of truth and only delete matching uri's.
-  if (endpoint.uri === blockingConfig.triggers?.beforeCreate?.functionUri) {
-    delete blockingConfig.triggers?.beforeCreate;
-  }
-  if (endpoint.uri === blockingConfig.triggers?.beforeSignIn?.functionUri) {
-    delete blockingConfig.triggers?.beforeSignIn;
+    await identityPlatform.setBlockingFunctionsConfig(endpoint.project, blockingConfig);
   }
 
-  await identityPlatform.setBlockingFunctionsConfig(endpoint.project, blockingConfig);
+  /**
+   * Un-registers the auth blocking trigger from identity platform. If the endpoint uri is not on the resource, we do nothing.
+   * @param ep the blocking endpoint
+   */
+  unregisterTrigger(ep: backend.Endpoint & backend.BlockingTriggered): Promise<void> {
+    this.triggerQueue = this.triggerQueue.then(() => this.unregisterTriggerLocked(ep));
+    return this.triggerQueue;
+  }
 }