fix(functions): Refresh credentials before enqueueing task

This change addresses an issue where enqueueing a task from a Cloud Function would fail with a InvalidArgumentError error. This was caused by uninitialized credentials being used to in the task payload.

The fix explicitly refreshes the credential before accessing the credential, ensuring a valid token or service account email is used in the in the task payload.

This also includes a correction for an f-string typo in the Authorization header construction.

Author: google-labs-jules[bot]

firebase_admin/functions.py

@@ -22,8 +22,9 @@
 from base64 import b64encode
 from typing import Any, Optional, Dict
 from dataclasses import dataclass
-from google.auth.compute_engine import Credentials as ComputeEngineCredentials
 
+from google.auth.compute_engine import Credentials as ComputeEngineCredentials
+from google.auth.transport import requests as google_auth_requests
 import requests
 import firebase_admin
 from firebase_admin import App
@@ -289,10 +290,10 @@ def _update_task_payload(self, task: Task, resource: Resource, extension_id: str
         # Meaning that it's credential should be a Compute Engine Credential.
         if _Validators.is_non_empty_string(extension_id) and \
             isinstance(self._credential, ComputeEngineCredentials):
-
+            self._credential.refresh(google_auth_requests.Request())
             id_token = self._credential.token
             task.http_request['headers'] = \
-                {**task.http_request['headers'], 'Authorization': f'Bearer ${id_token}'}
+                {**task.http_request['headers'], 'Authorization': f'Bearer {id_token}'}
             # Delete oidc token
             del task.http_request['oidc_token']
         else:

tests/test_functions.py

@@ -17,6 +17,7 @@
 from datetime import datetime, timedelta, timezone
 import json
 import time
+from unittest import mock
 import pytest
 
 import firebase_admin
@@ -152,6 +153,37 @@ def test_task_delete(self):
         expected_metrics_header = _utils.get_metrics_header() + ' mock-cred-metric-tag'
         assert recorder[0].headers['x-goog-api-client'] == expected_metrics_header
 
+    @mock.patch('firebase_admin.functions.isinstance')
+    def test_task_enqueue_with_extension_refreshes_credential(self, mock_isinstance):
+        # Force the code to take the ComputeEngineCredentials path
+        mock_isinstance.return_value = True
+
+        # Create a custom response with the extension ID in the resource name
+        resource_name = (
+            'projects/test-project/locations/us-central1/queues/'
+            'ext-test-extension-id-test-function-name/tasks'
+        )
+        extension_response = json.dumps({'name': resource_name + '/test-task-id'})
+
+        # Instrument the service and get the underlying credential mock
+        functions_service, recorder = self._instrument_functions_service(payload=extension_response)
+        mock_credential = functions_service._credential
+        mock_credential.token = 'mock-id-token'
+        mock_credential.refresh = mock.MagicMock()
+
+        # Create a TaskQueue with an extension ID
+        queue = functions_service.task_queue('test-function-name', 'test-extension-id')
+
+        # Enqueue a task
+        queue.enqueue(_DEFAULT_DATA)
+
+        # Assert that the credential was refreshed
+        mock_credential.refresh.assert_called_once()
+
+        # Assert that the correct token was used in the header
+        assert len(recorder) == 1
+        assert recorder[0].headers['Authorization'] == 'Bearer mock-id-token'
+
 class TestTaskQueueOptions:
 
     _DEFAULT_TASK_OPTS = {'schedule_delay_seconds': None, 'schedule_time': None, \