Add functions:secrets:{access, destroy, get} commands. (#4026)

Follow up #4021 to add other management commands for CF3 secrets. Note that `destroy` commands can be improved by making sure we don't accidentally delete secrets versions currently in use (which would immediately break the function!). I'll add these feature in a follow up PR when we finish reviewing the PR w/ `prune` command.
firebase · taeold · Feb 10, 2022 · Jan 27, 2022 · Jan 31, 2022 · Jan 31, 2022
commit 08f22361c1084219df84274f9529dd5767df68b1
diff --git a/src/commands/functions-secrets-access.ts b/src/commands/functions-secrets-access.ts
@@ -0,0 +1,19 @@
+import { Command } from "../command";
+import { logger } from "../logger";
+import { Options } from "../options";
+import { needProjectId } from "../projectUtils";
+import { accessSecretVersion } from "../gcp/secretManager";
+
+export default new Command("functions:secrets:access <KEY>[@version]")
+ .description(
+ "Access secret value given secret and its version. Defaults to accessing the latest version."
+ )
+ .action(async (key: string, options: Options) => {
+ const projectId = needProjectId(options);
+ let [name, version] = key.split("@");
+ if (!version) {
+ version = "latest";
+ }
+ const value = await accessSecretVersion(projectId, name, version);
+ logger.info(value);
+ });
diff --git a/src/commands/functions-secrets-destroy.ts b/src/commands/functions-secrets-destroy.ts
@@ -0,0 +1,51 @@
+import { Command } from "../command";
+import { logger } from "../logger";
+import { Options } from "../options";
+import { needProjectId } from "../projectUtils";
+import {
+ deleteSecret,
+ destroySecretVersion,
+ getSecret,
+ getSecretVersion,
+ listSecretVersions,
+} from "../gcp/secretManager";
+import { promptOnce } from "../prompt";
+import * as secrets from "../functions/secrets";
+
+export default new Command("functions:secrets:destroy <KEY>[@version]")
+ .description("Destroy a secret. Defaults to destroying the latest version.")
+ .withForce("Destroys a secret without confirmation.")
+ .action(async (key: string, options: Options) => {
+ const projectId = needProjectId(options);
+ let [name, version] = key.split("@");
+ if (!version) {
+ version = "latest";
+ }
+ const sv = await getSecretVersion(projectId, name, version);
+ if (!options.force) {
+ const confirm = await promptOnce(
+ {
+ name: "destroy",
+ type: "confirm",
+ default: true,
+ message: `Are you sure you want to destroy ${sv.secret.name}@${sv.versionId}`,
+ },
+ options
+ );
+ if (!confirm) {
+ return;
+ }
+ }
+ await destroySecretVersion(projectId, name, version);
+ logger.info(`Destroyed secret version ${name}@${sv.versionId}`);
+
+ const secret = await getSecret(projectId, name);
+ if (secrets.isFirebaseManaged(secret)) {
+ const versions = await listSecretVersions(projectId, name);
+ if (versions.filter((v) => v.state === "ENABLED").length === 0) {
+ logger.info(`No active secret versions left. Destroying secret ${name}`);
+ // No active secret version. Remove secret resource.
+ await deleteSecret(projectId, name);
+ }
+ }
+ });
diff --git a/src/commands/functions-secrets-get.ts b/src/commands/functions-secrets-get.ts
@@ -0,0 +1,23 @@
+import Table = require("cli-table");
+
+import { Command } from "../command";
+import { logger } from "../logger";
+import { Options } from "../options";
+import { needProjectId } from "../projectUtils";
+import { listSecretVersions } from "../gcp/secretManager";
+
+export default new Command("functions:secrets:get <KEY>")
+ .description("Get metadata for secret and its versions")
+ .action(async (key: string, options: Options) => {
+ const projectId = needProjectId(options);
+ const versions = await listSecretVersions(projectId, key);
+
+ const table = new Table({
+ head: ["Version", "State"],
+ style: { head: ["yellow"] },
+ });
+ for (const version of versions) {
+ table.push([version.versionId, version.state]);
+ }
+ logger.info(table.toString());
+ });
diff --git a/src/commands/index.js b/src/commands/index.js
@@ -109,6 +109,9 @@ module.exports = function (client) {
  client.functions.deletegcfartifacts = loadCommand("functions-deletegcfartifacts");
  }
  client.functions.secrets = {};
+ client.functions.secrets.access = loadCommand("functions-secrets-access");
+ client.functions.secrets.destroy = loadCommand("functions-secrets-destroy");
+ client.functions.secrets.get = loadCommand("functions-secrets-get");
  client.functions.secrets.set = loadCommand("functions-secrets-set");
  client.help = loadCommand("help");
  client.hosting = {};

diff --git a/src/functions/secrets.ts b/src/functions/secrets.ts
@@ -10,7 +10,7 @@ const FIREBASE_MANGED = "firebase-managed";
 /**
  * Returns true if secret is managed by Firebase.
  */
-function isFirebaseManaged(secret: Secret): boolean {
+export function isFirebaseManaged(secret: Secret): boolean {
  return Object.keys(secret.labels || []).includes(FIREBASE_MANGED);
 }
 

diff --git a/src/gcp/secretManager.ts b/src/gcp/secretManager.ts
@@ -48,6 +48,18 @@ interface AddVersionRequest {
  payload: { data: string };
 }
 
+interface SecretVersionResponse {
+ name: string;
+ state: SecretVersionState;
+}
+
+interface AccessSecretVersionResponse {
+ name: string;
+ payload: {
+ data: string;
+ };
+}
+
 const API_VERSION = "v1beta1";
 
 const client = new Client({ urlPrefix: secretManagerOrigin, apiVersion: API_VERSION });
@@ -70,6 +82,37 @@ export async function getSecret(projectId: string, name: string): Promise<Secret
  return secret;
 }
 
+/**
+ * List all secret versions associated with a secret.
+ */
+export async function listSecretVersions(
+ projectId: string,
+ name: string
+): Promise<Required<SecretVersion[]>> {
+ type Response = { versions: SecretVersionResponse[]; nextPageToken?: string };
+ const secrets: Required<SecretVersion[]> = [];
+ const path = `projects/${projectId}/secrets/${name}/versions`;
+
+ let pageToken = "";
+ while (true) {
+ const opts = pageToken == "" ? {} : { queryParams: { pageToken } };
+ const res = await client.get<Response>(path, opts);
+
+ for (const s of res.body.versions) {
+ secrets.push({
+ ...parseSecretVersionResourceName(s.name),
+ state: s.state,
+ });
+ }
+
+ if (!res.body.nextPageToken) {
+ break;
+ }
+ pageToken = res.body.nextPageToken;
+ }
+ return secrets;
+}
+
 /**
  * Returns secret version resource of given name and version in the project.
  */
@@ -78,7 +121,7 @@ export async function getSecretVersion(
  name: string,
  version: string
 ): Promise<Required<SecretVersion>> {
- const getRes = await client.get<{ name: string; state: SecretVersionState }>(
+ const getRes = await client.get<SecretVersionResponse>(
  `projects/${projectId}/secrets/${name}/versions/${version}`
  );
  return {
@@ -87,6 +130,35 @@ export async function getSecretVersion(
  };
 }
 
+/**
+ * Access secret value of a given secret version.
+ */
+export async function accessSecretVersion(
+ projectId: string,
+ name: string,
+ version: string
+): Promise<string> {
+ const res = await client.get<AccessSecretVersionResponse>(
+ `projects/${projectId}/secrets/${name}/versions/${version}:access`
+ );
+ return Buffer.from(res.body.payload.data, "base64").toString();
+}
+
+/**
+ * Change state of secret version to destroyed.
+ */
+export async function destroySecretVersion(
+ projectId: string,
+ name: string,
+ version: string
+): Promise<void> {
+ if (version === "latest") {
+ const sv = await getSecretVersion(projectId, name, "latest");
+ version = sv.versionId;
+ }
+ await client.post(`projects/${projectId}/secrets/${name}/versions/${version}:destroy`);
+}
+
 /**
  * Returns true if secret resource of given name exists on the project.
  */
@@ -179,6 +251,14 @@ export async function patchSecret(
  return parseSecretResourceName(res.body.name);
 }
 
+/**
+ * Delete secret resource.
+ */
+export async function deleteSecret(projectId: string, name: string): Promise<void> {
+ const path = `projects/${projectId}/secrets/${name}`;
+ await client.delete(path);
+}
+
 /**
  * Add new version the payload as value on the given secret.
  */