Add caching for API enablement (#8766)

* Add caching for API enablement

* Update src/ensureApiEnabled.ts

Co-authored-by: Daniel Lee <[email protected]>

* Use a constant

---------

Co-authored-by: Daniel Lee <[email protected]>

Author: joehan

CHANGELOG.md

@@ -1,2 +1,3 @@
 - Updated the Data Connect emulator to use pglite 0.3.x and Postgres 17, which fixes some crashes related to wire protocol inconsistencies. (#8679, #8658)
 - Fixed an issue where the IAM enablement for GenKit monitoring would try to change an invalid service account. (#8756)
+- Added caching to API enablement checks to reduce burn of `serviceusage.googleapis.com` quota.

src/ensureApiEnabled.spec.ts

@@ -1,22 +1,42 @@
 import { expect } from "chai";
 import * as nock from "nock";
+import * as sinon from "sinon";
+import { configstore } from "./configstore";
 
 import { check, ensure, POLL_SETTINGS } from "./ensureApiEnabled";
 
 const FAKE_PROJECT_ID = "my_project";
 const FAKE_API = "myapi.googleapis.com";
+const FAKE_CACHE: Record<string, Record<string, boolean>> = {
+  my_project: { "myapi.googleapis.com": true },
+};
 
 describe("ensureApiEnabled", () => {
   describe("check", () => {
+    const sandbox = sinon.createSandbox();
+    let configstoreGetMock: sinon.SinonStub;
+    let configstoreSetMock: sinon.SinonStub;
     before(() => {
       nock.disableNetConnect();
     });
 
     after(() => {
       nock.enableNetConnect();
     });
+
+    beforeEach(() => {
+      configstoreGetMock = sandbox.stub(configstore, "get");
+      configstoreSetMock = sandbox.stub(configstore, "set");
+    });
+
+    afterEach(() => {
+      sandbox.restore();
+    });
+
     for (const prefix of ["", "https://", "http://"]) {
       it("should call the API to check if it's enabled", async () => {
+        configstoreGetMock.returns(undefined);
+        configstoreSetMock.returns(undefined);
         nock("https://serviceusage.googleapis.com")
           .get(`/v1/projects/${FAKE_PROJECT_ID}/services/${FAKE_API}`)
           .matchHeader("x-goog-quota-user", `projects/${FAKE_PROJECT_ID}`)
@@ -25,9 +45,12 @@ describe("ensureApiEnabled", () => {
         await check(FAKE_PROJECT_ID, prefix + FAKE_API, "", true);
 
         expect(nock.isDone()).to.be.true;
+        expect(configstoreSetMock.calledWith(FAKE_PROJECT_ID, FAKE_API));
       });
 
       it("should return the value from the API", async () => {
+        configstoreGetMock.returns(undefined);
+        configstoreSetMock.returns(undefined);
         nock("https://serviceusage.googleapis.com")
           .get(`/v1/projects/${FAKE_PROJECT_ID}/services/${FAKE_API}`)
           .matchHeader("x-goog-quota-user", `projects/${FAKE_PROJECT_ID}`)
@@ -44,26 +67,41 @@ describe("ensureApiEnabled", () => {
 
         await expect(check(FAKE_PROJECT_ID, prefix + FAKE_API, "", true)).to.eventually.be.false;
       });
+      it("should skip the API call if the enablement is saved in the cache", async () => {
+        configstoreGetMock.returns(FAKE_CACHE);
+        configstoreSetMock.returns(undefined);
+
+        await expect(check(FAKE_PROJECT_ID, prefix + FAKE_API, "", true)).to.eventually.be.true;
+      });
     }
   });
 
   describe("ensure", () => {
+    const sandbox = sinon.createSandbox();
+    let configstoreGetMock: sinon.SinonStub;
+    let configstoreSetMock: sinon.SinonStub;
     const originalPollInterval = POLL_SETTINGS.pollInterval;
     const originalPollsBeforeRetry = POLL_SETTINGS.pollsBeforeRetry;
     beforeEach(() => {
       nock.disableNetConnect();
       POLL_SETTINGS.pollInterval = 0;
       POLL_SETTINGS.pollsBeforeRetry = 0; // Zero means "one check".
+
+      configstoreGetMock = sandbox.stub(configstore, "get");
+      configstoreSetMock = sandbox.stub(configstore, "set");
     });
 
     afterEach(() => {
       nock.enableNetConnect();
       POLL_SETTINGS.pollInterval = originalPollInterval;
       POLL_SETTINGS.pollsBeforeRetry = originalPollsBeforeRetry;
+      sandbox.restore();
     });
 
     for (const prefix of ["", "https://", "http://"]) {
       it("should verify that the API is enabled, and stop if it is", async () => {
+        configstoreGetMock.returns(undefined);
+        configstoreSetMock.returns(undefined);
         nock("https://serviceusage.googleapis.com")
           .get(`/v1/projects/${FAKE_PROJECT_ID}/services/${FAKE_API}`)
           .matchHeader("x-goog-quota-user", `projects/${FAKE_PROJECT_ID}`)
@@ -73,7 +111,16 @@ describe("ensureApiEnabled", () => {
         await expect(ensure(FAKE_PROJECT_ID, prefix + FAKE_API, "", true)).to.not.be.rejected;
       });
 
+      it("should verify that the API is enabled (in the cache), and stop if it is", async () => {
+        configstoreGetMock.returns(FAKE_CACHE);
+        configstoreSetMock.returns(undefined);
+
+        await expect(ensure(FAKE_PROJECT_ID, prefix + FAKE_API, "", true)).to.not.be.rejected;
+      });
+
       it("should attempt to enable the API if it is not enabled", async () => {
+        configstoreGetMock.returns(undefined);
+        configstoreSetMock.returns(undefined);
         nock("https://serviceusage.googleapis.com")
           .get(`/v1/projects/${FAKE_PROJECT_ID}/services/${FAKE_API}`)
           .matchHeader("x-goog-quota-user", `projects/${FAKE_PROJECT_ID}`)
@@ -94,9 +141,12 @@ describe("ensureApiEnabled", () => {
         await expect(ensure(FAKE_PROJECT_ID, prefix + FAKE_API, "", true)).to.not.be.rejected;
 
         expect(nock.isDone()).to.be.true;
+        expect(configstoreSetMock.calledWith(FAKE_PROJECT_ID, FAKE_API));
       });
 
       it("should retry enabling the API if it does not enable in time", async () => {
+        configstoreGetMock.returns(undefined);
+        configstoreSetMock.returns(undefined);
         nock("https://serviceusage.googleapis.com")
           .get(`/v1/projects/${FAKE_PROJECT_ID}/services/${FAKE_API}`)
           .matchHeader("x-goog-quota-user", `projects/${FAKE_PROJECT_ID}`)

src/ensureApiEnabled.ts

@@ -6,6 +6,7 @@ import { Client } from "./apiv2";
 import * as utils from "./utils";
 import { FirebaseError, isBillingError } from "./error";
 import { logger } from "./logger";
+import { configstore } from "./configstore";
 
 export const POLL_SETTINGS = {
   pollInterval: 10000,
@@ -31,6 +32,9 @@ export async function check(
   silent = false,
 ): Promise<boolean> {
   const apiName = apiUri.startsWith("http") ? new URL(apiUri).hostname : apiUri;
+  if (checkAPIEnablementCache(projectId, apiName)) {
+    return true;
+  }
   const res = await apiClient.get<{ state: string }>(`/projects/${projectId}/services/${apiName}`, {
     headers: { "x-goog-quota-user": `projects/${projectId}` },
     skipLog: { resBody: true },
@@ -39,6 +43,9 @@ export async function check(
   if (isEnabled && !silent) {
     utils.logLabeledSuccess(prefix, `required API ${bold(apiName)} is enabled`);
   }
+  if (isEnabled) {
+    cacheEnabledAPI(projectId, apiName);
+  }
   return isEnabled;
 }
 
@@ -65,6 +72,7 @@ async function enable(projectId: string, apiName: string): Promise<void> {
         skipLog: { resBody: true },
       },
     );
+    cacheEnabledAPI(projectId, apiName);
   } catch (err: any) {
     if (isBillingError(err)) {
       throw new FirebaseError(`Your project ${bold(
@@ -200,3 +208,34 @@ export async function bestEffortEnsure(
 export function enableApiURI(projectId: string, apiName: string): string {
   return `https://console.cloud.google.com/apis/library/${apiName}?project=${projectId}`;
 }
+
+/**
+ * To reduce serviceusage quota burn, we cache API enablement status in configstore.
+ * Once we see that an API is enabled, we skip future checks. This is safe, because:
+ * A - It's rare to disable APIs
+ * B - If the API actually is disabled, the user gets a clear error message with a link to enable it.
+ *
+ * We intentionally do not cache when we see an API is not enabled - some users need to have admins enable APIS,
+ * so we expect APIs to get enabled out of band frequently.
+ */
+
+const API_ENABLEMENT_CACHE_KEY = "apiEnablementCache";
+function checkAPIEnablementCache(projectId: string, apiName: string): boolean {
+  const cache = configstore.get(API_ENABLEMENT_CACHE_KEY) as Record<
+    string,
+    Record<string, boolean>
+  >;
+  return !!cache?.[projectId]?.[apiName];
+}
+
+function cacheEnabledAPI(projectId: string, apiName: string) {
+  const cache = (configstore.get(API_ENABLEMENT_CACHE_KEY) || {}) as Record<
+    string,
+    Record<string, true>
+  >;
+  if (!cache[projectId]) {
+    cache[projectId] = {};
+  }
+  cache[projectId][apiName] = true;
+  configstore.set(API_ENABLEMENT_CACHE_KEY, cache);
+}