Set Access Control for HTTP Functions (v2) (#935)

* adding invoker to v2 http functions

* fix format

* change invoker to always turn into an array, add error handling

* fix trigger annotated in v2 and change v1 to only put invoker array in trigger annotated

* changing invoker type for better type completion

Author: colerogers

spec/common/encoding.spec.ts

@@ -0,0 +1,36 @@
+import { expect } from 'chai';
+import { convertInvoker } from '../../src/common/encoding';
+
+describe('convertInvoker', () => {
+  it('should raise an error on mixing public and service accounts', () => {
+    expect(() => convertInvoker(['public', 'service-account@'])).to.throw;
+  });
+
+  it('should raise an error on mixing private and service accounts', () => {
+    expect(() => convertInvoker(['private', 'service-account@'])).to.throw;
+  });
+
+  it('should return the correct public invoker', () => {
+    const invoker = convertInvoker('public');
+
+    expect(invoker).to.deep.equal(['public']);
+  });
+
+  it('should return the correct private invoker', () => {
+    const invoker = convertInvoker('private');
+
+    expect(invoker).to.deep.equal(['private']);
+  });
+
+  it('should return the correct scalar invoker', () => {
+    const invoker = convertInvoker('service-account@');
+
+    expect(invoker).to.deep.equal(['service-account@']);
+  });
+
+  it('should return the correct array invoker', () => {
+    const invoker = convertInvoker(['service-account1@', 'service-account2@']);
+
+    expect(invoker).to.deep.equal(['service-account1@', 'service-account2@']);
+  });
+});

spec/v2/providers/https.spec.ts

@@ -90,6 +90,7 @@ describe('onRequest', () => {
       {
         ...FULL_OPTIONS,
         region: ['us-west1', 'us-central1'],
+        invoker: ['service-account1@', 'service-account2@'],
       },
       (req, res) => {
         res.send(200);
@@ -101,6 +102,7 @@ describe('onRequest', () => {
         allowInsecure: false,
       },
       regions: ['us-west1', 'us-central1'],
+      invoker: ['service-account1@', 'service-account2@'],
     });
   });
 
@@ -109,12 +111,14 @@ describe('onRequest', () => {
       concurrency: 20,
       region: 'europe-west1',
       minInstances: 1,
+      invoker: 'public',
     });
 
     const result = https.onRequest(
       {
         region: ['us-west1', 'us-central1'],
         minInstances: 3,
+        invoker: 'private',
       },
       (req, res) => {
         res.send(200);
@@ -131,6 +135,7 @@ describe('onRequest', () => {
       minInstances: 3,
       regions: ['us-west1', 'us-central1'],
       labels: {},
+      invoker: ['private'],
     });
   });
 

src/common/encoding.ts

@@ -64,3 +64,20 @@ export function serviceAccountFromShorthand(
     );
   }
 }
+
+export function convertInvoker(invoker: string | string[]): string[] {
+  if (typeof invoker === 'string') {
+    invoker = [invoker];
+  }
+
+  if (
+    invoker.length > 1 &&
+    invoker.find((inv) => inv === 'public' || inv === 'private')
+  ) {
+    throw new Error(
+      "Invalid option for invoker. Cannot have 'public' or 'private' in an array of service accounts"
+    );
+  }
+
+  return invoker;
+}

src/v1/cloud-functions.ts

@@ -27,7 +27,6 @@ import {
   DEFAULT_FAILURE_POLICY,
   DeploymentOptions,
   FailurePolicy,
-  Invoker,
   Schedule,
 } from './function-configuration';
 export { Request, Response };
@@ -37,6 +36,7 @@ import {
   Duration,
   durationFromSeconds,
   serviceAccountFromShorthand,
+  convertInvoker,
 } from '../common/encoding';
 
 /** @hidden */
@@ -279,7 +279,7 @@ export interface TriggerAnnotated {
     vpcConnectorEgressSettings?: string;
     serviceAccountEmail?: string;
     ingressSettings?: string;
-    invoker?: Invoker | Invoker[];
+    invoker?: string[];
   };
 }
 
@@ -499,8 +499,7 @@ export function optionsToTrigger(options: DeploymentOptions) {
     'ingressSettings',
     'vpcConnectorEgressSettings',
     'vpcConnector',
-    'labels',
-    'invoker'
+    'labels'
   );
   convertIfPresent(
     trigger,
@@ -543,6 +542,7 @@ export function optionsToTrigger(options: DeploymentOptions) {
     'serviceAccount',
     serviceAccountFromShorthand
   );
+  convertIfPresent(trigger, options, 'invoker', 'invoker', convertInvoker);
 
   return trigger;
 }

src/v1/function-configuration.ts

@@ -98,11 +98,6 @@ export const DEFAULT_FAILURE_POLICY: FailurePolicy = {
 
 export const MAX_NUMBER_USER_LABELS = 58;
 
-/**
- * Invoker access control type for https functions.
- */
-export type Invoker = 'public' | 'private' | string;
-
 export interface RuntimeOptions {
   /**
    * Which platform should host the backend. Valid options are "gcfv1"
@@ -165,7 +160,7 @@ export interface RuntimeOptions {
   /**
    * Invoker to set access control on https functions.
    */
-  invoker?: Invoker | Invoker[];
+  invoker?: 'public' | 'private' | string | string[];
 }
 
 export interface DeploymentOptions extends RuntimeOptions {

src/v2/core.ts

@@ -40,6 +40,7 @@ export interface TriggerAnnotation {
   vpcConnectorEgressSettings?: string;
   serviceAccountEmail?: string;
   ingressSettings?: string;
+  invoker?: string[];
 
   // TODO: schedule
 }

src/v2/options.ts

@@ -23,6 +23,7 @@
 import {
   durationFromSeconds,
   serviceAccountFromShorthand,
+  convertInvoker,
 } from '../common/encoding';
 import { convertIfPresent, copyIfPresent } from '../common/encoding';
 import * as logger from '../logger';
@@ -182,6 +183,11 @@ export interface GlobalOptions {
    * User labels to set on the function.
    */
   labels?: Record<string, string>;
+
+  /**
+   * Invoker to set access control on https functions.
+   */
+  invoker?: 'public' | 'private' | string | string[];
 }
 
 let globalOptions: GlobalOptions | undefined;
@@ -270,6 +276,7 @@ export function optionsToTriggerAnnotations(
       return retry ? { retry: true } : null;
     }
   );
+  convertIfPresent(annotation, opts, 'invoker', 'invoker', convertInvoker);
 
   return annotation;
 }