Configure apptesting (#8879)

Add system to ensure apptesting is properly configured
This change is inside of `firebase init apptesting`

Author: jakeouellette

CHANGELOG.md

@@ -1,3 +1,4 @@
 - Added a deprecation warning for functions.config() to stderr on deploy and all functions:config commands. (#8808)
 - Added analytics to track runtime config usage in functions deployments (#8870).
 - Fixed issue where `__name__` fields with DESCENDING order were incorrectly filtered from index listings, causing duplicate index issues (#7629) and deployment conflicts (#8859). The fix now preserves `__name__` fields with explicit DESCENDING order while filtering out implicit ASCENDING `__name__` fields.
+- Add service account and service enablement to `firebase init apptesting`

package.json

@@ -26,6 +26,7 @@
     "mocha": "nyc mocha 'src/**/*.spec.{ts,js}'",
     "prepare": "npm run clean && npm run build:publish",
     "test": "npm run lint:quiet && npm run test:compile && npm run mocha",
+    "test:apptesting": "npm run lint:quiet && npm run test:compile && nyc mocha 'src/apptesting/*.spec.{ts,js}'",
     "test:client-integration": "bash ./scripts/client-integration-tests/run.sh",
     "test:compile": "tsc --project tsconfig.compile.json",
     "test:management": "npm run lint:quiet && npm run test:compile && nyc mocha 'src/management/*.spec.{ts,js}'",

src/apptesting/ensureProjectConfigured.spec.ts

@@ -0,0 +1,144 @@
+import * as sinon from "sinon";
+import { expect } from "chai";
+import * as ensureApiEnabled from "../ensureApiEnabled";
+import * as iam from "../gcp/iam";
+import * as rm from "../gcp/resourceManager";
+import * as prompt from "../prompt";
+import * as utils from "../utils";
+import { FirebaseError } from "../error";
+import * as apptesting from "./ensureProjectConfigured";
+
+describe("ensureProjectConfigured", () => {
+  const sandbox: sinon.SinonSandbox = sinon.createSandbox();
+
+  let serviceAccountHasRolesStub: sinon.SinonStub;
+  let confirmStub: sinon.SinonStub;
+  let ensureApiEnabledStub: sinon.SinonStub;
+  let createServiceAccountStub: sinon.SinonStub;
+  let addServiceAccountToRolesStub: sinon.SinonStub;
+  let logWarningStub: sinon.SinonStub;
+
+  beforeEach(() => {
+    serviceAccountHasRolesStub = sandbox.stub(rm, "serviceAccountHasRoles");
+    confirmStub = sandbox.stub(prompt, "confirm");
+    ensureApiEnabledStub = sandbox.stub(ensureApiEnabled, "ensure");
+    createServiceAccountStub = sandbox.stub(iam, "createServiceAccount");
+    addServiceAccountToRolesStub = sandbox.stub(rm, "addServiceAccountToRoles");
+    logWarningStub = sandbox.stub(utils, "logWarning");
+  });
+
+  afterEach(() => {
+    sandbox.verifyAndRestore();
+  });
+
+  const projectId = "test-project";
+  const serviceAccount = "firebaseapptesting-test-runner@test-project.iam.gserviceaccount.com";
+  const TEST_RUNNER_ROLE = "roles/firebaseapptesting.testRunner";
+
+  it("should ensure all necessary APIs are enabled", async () => {
+    serviceAccountHasRolesStub.resolves(true);
+    ensureApiEnabledStub.resolves();
+
+    await apptesting.ensureProjectConfigured(projectId);
+
+    expect(ensureApiEnabledStub).to.be.calledThrice;
+    expect(ensureApiEnabledStub).to.be.calledWith(projectId, sinon.match.any, "storage", false);
+    expect(ensureApiEnabledStub).to.be.calledWith(projectId, sinon.match.any, "run", false);
+    expect(ensureApiEnabledStub).to.be.calledWith(
+      projectId,
+      sinon.match.any,
+      "artifactregistry",
+      false,
+    );
+  });
+
+  it("should do nothing if service account is already configured", async () => {
+    ensureApiEnabledStub.resolves();
+    serviceAccountHasRolesStub.resolves(true);
+
+    await apptesting.ensureProjectConfigured(projectId);
+
+    expect(serviceAccountHasRolesStub).to.be.calledWith(
+      projectId,
+      serviceAccount,
+      [TEST_RUNNER_ROLE],
+      true,
+    );
+    expect(confirmStub).to.not.have.been.called;
+    expect(createServiceAccountStub).to.not.have.been.called;
+    expect(addServiceAccountToRolesStub).to.not.have.been.called;
+  });
+
+  it("should provision service account if user confirms", async () => {
+    ensureApiEnabledStub.resolves();
+    serviceAccountHasRolesStub.resolves(false);
+    confirmStub.resolves(true);
+    createServiceAccountStub.resolves();
+    addServiceAccountToRolesStub.resolves();
+
+    await apptesting.ensureProjectConfigured(projectId);
+
+    expect(serviceAccountHasRolesStub).to.be.calledWith(
+      projectId,
+      serviceAccount,
+      [TEST_RUNNER_ROLE],
+      true,
+    );
+    expect(confirmStub).to.be.calledOnce;
+    expect(createServiceAccountStub).to.be.calledWith(
+      projectId,
+      "firebaseapptesting-test-runner",
+      sinon.match.string,
+      sinon.match.string,
+    );
+    expect(addServiceAccountToRolesStub).to.be.calledWith(
+      projectId,
+      serviceAccount,
+      [TEST_RUNNER_ROLE],
+      true,
+    );
+  });
+
+  it("should throw error if user denies service account creation", async () => {
+    ensureApiEnabledStub.resolves();
+    serviceAccountHasRolesStub.resolves(false);
+    confirmStub.resolves(false);
+
+    await expect(apptesting.ensureProjectConfigured(projectId)).to.be.rejectedWith(
+      FirebaseError,
+      /Firebase App Testing requires a service account/,
+    );
+
+    expect(confirmStub).to.be.calledOnce;
+    expect(createServiceAccountStub).to.not.have.been.called;
+    expect(addServiceAccountToRolesStub).to.not.have.been.called;
+  });
+
+  it("should handle service account already exists error", async () => {
+    ensureApiEnabledStub.resolves();
+    serviceAccountHasRolesStub.resolves(false);
+    confirmStub.resolves(true);
+    createServiceAccountStub.rejects(new FirebaseError("Already exists", { status: 409 }));
+    addServiceAccountToRolesStub.resolves();
+
+    await apptesting.ensureProjectConfigured(projectId);
+
+    expect(createServiceAccountStub).to.be.calledOnce;
+    expect(addServiceAccountToRolesStub).to.be.calledOnce;
+  });
+
+  it("should handle addServiceAccountToRoles 400 error", async () => {
+    ensureApiEnabledStub.resolves();
+    serviceAccountHasRolesStub.resolves(false);
+    confirmStub.resolves(true);
+    createServiceAccountStub.resolves();
+    addServiceAccountToRolesStub.rejects(new FirebaseError("Bad request", { status: 400 }));
+
+    await apptesting.ensureProjectConfigured(projectId);
+
+    expect(addServiceAccountToRolesStub).to.be.calledOnce;
+    expect(logWarningStub).to.be.calledWith(
+      `Your App Testing runner service account, "${serviceAccount}", is still being provisioned in the background. If you encounter an error, please try again after a few moments.`,
+    );
+  });
+});

src/apptesting/ensureProjectConfigured.ts

@@ -0,0 +1,77 @@
+import { addServiceAccountToRoles, serviceAccountHasRoles } from "../gcp/resourceManager";
+import { ensure } from "../ensureApiEnabled";
+import { appTestingOrigin } from "../api";
+import { logBullet, logWarning } from "../utils";
+import { FirebaseError, getErrStatus } from "../error";
+import * as iam from "../gcp/iam";
+import { confirm } from "../prompt";
+
+const TEST_RUNNER_ROLE = "roles/firebaseapptesting.testRunner";
+const TEST_RUNNER_SERVICE_ACCOUNT_NAME = "firebaseapptesting-test-runner";
+
+export async function ensureProjectConfigured(projectId: string) {
+  await ensure(projectId, appTestingOrigin(), "storage", false);
+  await ensure(projectId, appTestingOrigin(), "run", false);
+  await ensure(projectId, appTestingOrigin(), "artifactregistry", false);
+  const serviceAccount = runnerServiceAccount(projectId);
+
+  const serviceAccountExistsAndIsRunner = await serviceAccountHasRoles(
+    projectId,
+    serviceAccount,
+    [TEST_RUNNER_ROLE],
+    true,
+  );
+  if (!serviceAccountExistsAndIsRunner) {
+    const grant = await confirm(
+      `Firebase App Testing runs tests in Cloud Run using a service account, provision an account, "${serviceAccount}", with the role "${TEST_RUNNER_ROLE}"?`,
+    );
+    if (!grant) {
+      logBullet(
+        "You, or your project administrator, should run the following command to grant the required role:\n\n" +
+          `\tgcloud projects add-iam-policy-binding ${projectId} \\\n` +
+          `\t  --member="serviceAccount:${serviceAccount}" \\\n` +
+          `\t  --role="${TEST_RUNNER_ROLE}"\n`,
+      );
+      throw new FirebaseError(
+        `Firebase App Testing requires a service account named "${serviceAccount}" with the "${TEST_RUNNER_ROLE}" role to execute tests using Cloud Run`,
+      );
+    }
+    await provisionServiceAccount(projectId, serviceAccount);
+  }
+}
+
+async function provisionServiceAccount(projectId: string, serviceAccount: string): Promise<void> {
+  try {
+    await iam.createServiceAccount(
+      projectId,
+      TEST_RUNNER_SERVICE_ACCOUNT_NAME,
+      "Service Account used in Cloud Run, responsible for running tests",
+      "Firebase App Testing Test Runner",
+    );
+  } catch (err: unknown) {
+    // 409 Already Exists errors can safely be ignored.
+    if (getErrStatus(err) !== 409) {
+      throw err;
+    }
+  }
+  try {
+    await addServiceAccountToRoles(
+      projectId,
+      serviceAccount,
+      [TEST_RUNNER_ROLE],
+      /* skipAccountLookup= */ true,
+    );
+  } catch (err: unknown) {
+    if (getErrStatus(err) === 400) {
+      logWarning(
+        `Your App Testing runner service account, "${serviceAccount}", is still being provisioned in the background. If you encounter an error, please try again after a few moments.`,
+      );
+    } else {
+      throw err;
+    }
+  }
+}
+
+function runnerServiceAccount(projectId: string): string {
+  return `${TEST_RUNNER_SERVICE_ACCOUNT_NAME}@${projectId}.iam.gserviceaccount.com`;
+}

src/commands/init.ts

@@ -112,7 +112,7 @@ if (isEnabled("genkit")) {
 if (isEnabled("apptesting")) {
   choices.push({
     value: "apptesting",
-    name: "App Testing: create a smoke test",
+    name: "App Testing: create a smoke test, enable Cloud APIs (storage, run, & artifactregistry), and add a service account.",
     checked: false,
   });
 }

src/ensureApiEnabled.spec.ts

@@ -2,7 +2,6 @@ import { expect } from "chai";
 import * as nock from "nock";
 import * as sinon from "sinon";
 import { configstore } from "./configstore";
-
 import { check, ensure, POLL_SETTINGS } from "./ensureApiEnabled";
 
 const FAKE_PROJECT_ID = "my_project";

src/init/features/apptesting/index.ts

@@ -3,6 +3,7 @@ import { Setup } from "../..";
 import { input } from "../../../prompt";
 import { Config } from "../../../config";
 import { readTemplateSync } from "../../../templates";
+import { ensureProjectConfigured } from "../../../apptesting/ensureProjectConfigured";
 
 const SMOKE_TEST_YAML_TEMPLATE = readTemplateSync("init/apptesting/smoke_test.yaml");
 
@@ -23,6 +24,9 @@ export async function askQuestions(setup: Setup): Promise<void> {
         })),
     },
   };
+  if (setup.projectId) {
+    await ensureProjectConfigured(setup.projectId);
+  }
 }
 
 // Writes App Testing product specific configuration info.