Follow password policy for Cloud SQL temporary user (#8971)

* feat: Use secure password for Cloud SQL temporary user

The temporary password generated for the Cloud SQL superuser now includes at least one uppercase letter, one lowercase letter, one number, and one special character to meet security best practices.

Also includes a unit test for the new password generation function and fixes for the ESLint configuration to allow tests to run.

* Pr cleanup

* revert package.json

* use crypto

* changelog

* More crypto

* fencepost

---------

Co-authored-by: google-labs-jules[bot] <161369871+google-labs-jules[bot]@users.noreply.github.com>

Author: joehan

CHANGELOG.md

@@ -1,4 +1,5 @@
-- Updated untime config deprecation warning to no longer shows for v1 functions that only use default Firebase config. (#8963)
+- Updated runtime config deprecation warning to no longer shows for v1 functions that only use default Firebase config. (#8963)
+- Fixed an issue where 'dataconnect:migrate' would use an invalid temporary password when connecting to enterprise plus CloudSQL instances.
 - Updated Data Connect emulator to v2.11.1, which:
   - [added] Add an app watch that collects embedded GQL into the connector folder.
   - [fixed] Handle foreign key constraint error as FailedPrecondition.

src/gcp/cloudsql/connect.ts

@@ -155,7 +155,7 @@ export async function executeSqlCmdsAsSuperUser(
   const projectId = needProjectId(options);
   // 1. Create a temporary builtin user
   const superuser = "firebasesuperuser";
-  const temporaryPassword = utils.generateId(20);
+  const temporaryPassword = utils.generatePassword(20);
   await cloudSqlAdminClient.createUser(
     projectId,
     instanceId,

src/utils.spec.ts

@@ -491,6 +491,19 @@ describe("utils", () => {
     });
   });
 
+  describe("generatePassword", () => {
+    it("should generate a password with the correct properties", () => {
+      for (let i = 0; i < 100; i++) {
+        const pw = utils.generatePassword(20);
+        expect(pw.length).to.equal(20);
+        expect(pw).to.match(/[a-z]/);
+        expect(pw).to.match(/[A-Z]/);
+        expect(pw).to.match(/[0-9]/);
+        expect(pw).to.match(/[!@#$%^&*()_+~`|}{[\]:;?><,./-=]/);
+      }
+    });
+  });
+
   describe("deepEqual", () => {
     it("should return true for identical primitives", () => {
       expect(utils.deepEqual(1, 1)).to.be.true;

src/utils.ts

@@ -3,6 +3,7 @@ import * as tty from "tty";
 import * as path from "node:path";
 import * as yaml from "yaml";
 import { Socket } from "node:net";
+import * as crypto from "node:crypto";
 
 import * as _ from "lodash";
 import * as url from "url";
@@ -855,6 +856,36 @@ export function generateId(n = 6): string {
   return id;
 }
 
+/**
+ * Generate a password meeting the following criterias:
+ *  - At least one lowercase, one uppercase, one number, and one special character.
+ */
+export function generatePassword(n = 20): string {
+  const lower = "abcdefghijklmnopqrstuvwxyz";
+  const upper = "ABCDEFGHIJKLMNOPQRSTUVWXYZ";
+  const numbers = "0123456789";
+  const special = "!@#$%^&*()_+~`|}{[]:;?><,./-=";
+  const all = lower + upper + numbers + special;
+
+  let pw = "";
+  pw += lower[crypto.randomInt(lower.length)];
+  pw += upper[crypto.randomInt(upper.length)];
+  pw += numbers[crypto.randomInt(numbers.length)];
+  pw += special[crypto.randomInt(special.length)];
+
+  for (let i = 4; i < n; i++) {
+    pw += all[crypto.randomInt(all.length)];
+  }
+
+  // Shuffle the password to randomize character order using Fisher-Yates shuffle
+  const pwArray = pw.split("");
+  for (let i = pwArray.length - 1; i > 0; i--) {
+    const j = crypto.randomInt(i);
+    [pwArray[i], pwArray[j]] = [pwArray[j], pwArray[i]];
+  }
+  return pwArray.join("");
+}
+
 /**
  * Reads a secret value from either a file or a prompt.
  * If dataFile is falsy and this is a tty, uses prompty. Otherwise reads from dataFile.