Add support for secrets in the App Hosting emulator

CHANGELOG.md

@@ -1,3 +1,4 @@
+- App Hosting emulator can now load secret env vars. (#8305)
 - Fix webframeworks deployments when using multiple hosting sites in `firebase.json`. (#8314)
 - Add a new command to setup a cleanup policy for functions artifacts. (#8268)
 - Support 3rd party builders for Angular. (#7557)

src/apphosting/config.spec.ts

@@ -244,51 +244,32 @@
     let loadFromFileStub: sinon.SinonStub;
     let baseAppHostingYaml: AppHostingYamlConfig;
     let stagingAppHostingYaml: AppHostingYamlConfig;
+    let baseEnv: Record<string, Omit<config.Env, "variable">>;
+    let stagingEnv: Record<string, Omit<config.Env, "variable">>;
 
     beforeEach(() => {
+      baseEnv = {
+        ENV_1: { value: "base_env_1" },
+        ENV_3: { value: "base_env_3" },
+        SECRET_1: { secret: "base_secret_1" },
+        SECRET_2: { secret: "base_secret_2" },
+        SECRET_3: { secret: "base_secret_3" },
+      };
       baseAppHostingYaml = AppHostingYamlConfig.empty();
-      baseAppHostingYaml.addEnvironmentVariable({
-        variable: "ENV_1",
-        value: "base_env_1",
-      });
-      baseAppHostingYaml.addEnvironmentVariable({
-        variable: "ENV_3",
-        value: "base_env_3",
-      });
-      baseAppHostingYaml.addSecret({
-        variable: "SECRET_1",
-        secret: "base_secret_1",
-      });
-      baseAppHostingYaml.addSecret({
-        variable: "SECRET_2",
-        secret: "base_secret_2",
-      });
-      baseAppHostingYaml.addSecret({
-        variable: "SECRET_3",
-        secret: "base_secret_3",
-      });
+      baseAppHostingYaml.env = { ...baseEnv };
 
+      stagingEnv = {
+        ENV_1: { value: "staging_env_1" },
+        ENV_2: { value: "staging_env_2" },
+        SECRET_1: { secret: "staging_secret_1" },
+        SECRET_2: { secret: "staging_secret_2" },
+      };
       stagingAppHostingYaml = AppHostingYamlConfig.empty();
-      stagingAppHostingYaml.addEnvironmentVariable({
-        variable: "ENV_1",
-        value: "staging_env_1",
-      });
-      stagingAppHostingYaml.addEnvironmentVariable({
-        variable: "ENV_2",
-        value: "staging_env_2",
-      });
-      stagingAppHostingYaml.addSecret({
-        variable: "SECRET_1",
-        secret: "staging_secret_1",
-      });
-      stagingAppHostingYaml.addSecret({
-        variable: "SECRET_2",
-        secret: "staging_secret_2",
-      });
+      stagingAppHostingYaml.env = { ...stagingEnv };
 
       loadFromFileStub = sinon.stub(AppHostingYamlConfig, "loadFromFile");
       loadFromFileStub.callsFake(async (filePath) => {
         if (filePath?.includes("apphosting.staging.yaml")) {
           return Promise.resolve(stagingAppHostingYaml);
         }
         return Promise.resolve(baseAppHostingYaml);
@@ -304,39 +285,15 @@
         "/parent/cwd/apphosting.staging.yaml",
         "/parent/cwd/apphosting.yaml",
       );
-      expect(JSON.stringify(resultingConfig.environmentVariables)).to.equal(
-        JSON.stringify([
-          { variable: "ENV_1", value: "staging_env_1" },
-          { variable: "ENV_3", value: "base_env_3" },
-          { variable: "ENV_2", value: "staging_env_2" },
-        ]),
-      );
-
-      expect(JSON.stringify(resultingConfig.secrets)).to.equal(
-        JSON.stringify([
-          { variable: "SECRET_1", secret: "staging_secret_1" },
-          { variable: "SECRET_2", secret: "staging_secret_2" },
-          { variable: "SECRET_3", secret: "base_secret_3" },
-        ]),
-      );
+      expect(resultingConfig.env).to.deep.equal({
+        ...baseEnv,
+        ...stagingEnv,
+      });
     });
 
     it("returns appropriate config if only base file was selected", async () => {
       const resultingConfig = await config.loadConfigForEnvironment("/parent/cwd/apphosting.yaml");
-      expect(JSON.stringify(resultingConfig.environmentVariables)).to.equal(
-        JSON.stringify([
-          { variable: "ENV_1", value: "base_env_1" },
-          { variable: "ENV_3", value: "base_env_3" },
-        ]),
-      );
-
-      expect(JSON.stringify(resultingConfig.secrets)).to.equal(
-        JSON.stringify([
-          { variable: "SECRET_1", secret: "base_secret_1" },
-          { variable: "SECRET_2", secret: "base_secret_2" },
-          { variable: "SECRET_3", secret: "base_secret_3" },
-        ]),
-      );
+      expect(resultingConfig.env).to.deep.equal(baseEnv);
     });
   });
 });

src/apphosting/config.ts

@@ -196,7 +196,7 @@
   projectId?: string,
   userGivenConfigFile?: string,
 ): Promise<void> {
   const choices = await prompt.prompt({}, [
     {
       type: "checkbox",
       name: "configurations",
@@ -209,7 +209,7 @@
    * TODO: Update when supporting additional configurations. Currently only
    * Secrets are exportable.
    */
   if (!choices.configurations.includes(SECRET_CONFIG)) {
     logger.info("No configs selected to export");
     return;
   }
@@ -227,24 +227,26 @@
   }
 
   const configToExport = await loadConfigToExportSecrets(cwd, userGivenConfigFile);
-  const secretsToExport = configToExport.secrets;
+  const secretsToExport = Object.entries(configToExport.env)
+    .filter(([, env]) => env.secret)
+    .map(([variable, env]) => {
+      return { variable, ...env };
+    });
   if (!secretsToExport) {
     logger.info("No secrets found to export in the chosen App Hosting config files");
     return;
   }
 
   const secretMaterial = await fetchSecrets(projectId, secretsToExport);
   for (const [key, value] of secretMaterial) {
-    localAppHostingConfig.addEnvironmentVariable({
-      variable: key,
-      value: value,
+    localAppHostingConfig.env[key] = {
+      value,
       availability: ["RUNTIME"],
-    });
+    };
   }
 
   // remove secrets to avoid confusion as they are not read anyways.
-  localAppHostingConfig.clearSecrets();
   localAppHostingConfig.upsertFile(localAppHostingConfigPath);
   logger.info(`Wrote secrets as environment variables to ${APPHOSTING_LOCAL_YAML_FILE}.`);
 
   updateOrCreateGitignore(projectRoot, [APPHOSTING_LOCAL_YAML_FILE]);
@@ -301,7 +303,7 @@
       );
     }
 
     userGivenConfigFilePath = allConfigs.get(userGivenConfigFile)!;
   } else {
     userGivenConfigFilePath = await promptForAppHostingYaml(
       allConfigs,
@@ -310,10 +312,10 @@
   }
 
   if (userGivenConfigFile === APPHOSTING_BASE_YAML_FILE) {
     return AppHostingYamlConfig.loadFromFile(allConfigs.get(APPHOSTING_BASE_YAML_FILE)!);
   }
 
   const baseFilePath = allConfigs.get(APPHOSTING_BASE_YAML_FILE)!;
   return await loadConfigForEnvironment(userGivenConfigFilePath, baseFilePath);
 }
 

src/apphosting/yaml.spec.ts

@@ -1,195 +1,52 @@
 import { expect } from "chai";
 import { AppHostingYamlConfig } from "./yaml";
 
-describe("yaml", () => {
-  describe("environment variables", () => {
-    let apphostingYaml: AppHostingYamlConfig;
-    beforeEach(() => {
-      apphostingYaml = AppHostingYamlConfig.empty();
-    });
-
-    it("adds environment variables and retrieves them correctly", () => {
-      apphostingYaml.addEnvironmentVariable({
-        variable: "TEST_1",
-        value: "value_1",
-      });
-
-      apphostingYaml.addEnvironmentVariable({
-        variable: "TEST_2",
-        value: "value_2",
-      });
-
-      expect(JSON.stringify(apphostingYaml.environmentVariables)).to.equal(
-        JSON.stringify([
-          {
-            variable: "TEST_1",
-            value: "value_1",
-          },
-          {
-            variable: "TEST_2",
-            value: "value_2",
-          },
-        ]),
-      );
-    });
-
-    it("overwrites stored environment variable if another is added with same name", () => {
-      apphostingYaml.addEnvironmentVariable({
-        variable: "TEST",
-        value: "value",
-      });
-
-      apphostingYaml.addEnvironmentVariable({
-        variable: "TEST",
-        value: "overwritten_value",
-      });
-
-      expect(JSON.stringify(apphostingYaml.environmentVariables)).to.equal(
-        JSON.stringify([{ variable: "TEST", value: "overwritten_value" }]),
-      );
+describe("merge", () => {
+  it("merges incoming apphosting yaml config with precendence", () => {
+    const apphostingYaml = AppHostingYamlConfig.empty();
+    apphostingYaml.env = {
+      ENV_1: { value: "env_1" },
+      ENV_2: { value: "env_2" },
+      SECRET: { secret: "secret_1" },
+    };
+
+    const incomingAppHostingYaml = AppHostingYamlConfig.empty();
+    incomingAppHostingYaml.env = {
+      ENV_1: { value: "incoming_env_1" },
+      ENV_3: { value: "incoming_env_3" },
+      SECRET_2: { value: "incoming_secret_2" },
+    };
+
+    apphostingYaml.merge(incomingAppHostingYaml);
+    expect(apphostingYaml.env).to.deep.equal({
+      ENV_1: { value: "incoming_env_1" },
+      ENV_2: { value: "env_2" },
+      ENV_3: { value: "incoming_env_3" },
+      SECRET: { secret: "secret_1" },
+      SECRET_2: { value: "incoming_secret_2" },
     });
   });
 
-  describe("secrets", () => {
-    let apphostingYaml: AppHostingYamlConfig;
-    beforeEach(() => {
-      apphostingYaml = AppHostingYamlConfig.empty();
-    });
-
-    it("adds environment variables and retrieves them correctly", () => {
-      apphostingYaml.addSecret({
-        variable: "TEST_1",
-        secret: "value_1",
-      });
-
-      apphostingYaml.addSecret({
-        variable: "TEST_2",
-        secret: "value_2",
-      });
-
-      expect(JSON.stringify(apphostingYaml.secrets)).to.equal(
-        JSON.stringify([
-          {
-            variable: "TEST_1",
-            secret: "value_1",
-          },
-          {
-            variable: "TEST_2",
-            secret: "value_2",
-          },
-        ]),
-      );
-    });
-
-    it("overwrites stored environment variable if another is added with same name", () => {
-      apphostingYaml.addSecret({
-        variable: "TEST",
-        secret: "value",
-      });
-
-      apphostingYaml.addSecret({
-        variable: "TEST",
-        secret: "overwritten_value",
-      });
-
-      expect(JSON.stringify(apphostingYaml.secrets)).to.equal(
-        JSON.stringify([{ variable: "TEST", secret: "overwritten_value" }]),
-      );
-    });
-
-    it("should clear secrets when clearSecrets is called", () => {
-      apphostingYaml.addSecret({
-        variable: "TEST",
-        secret: "value",
-      });
-
-      apphostingYaml.addSecret({
-        variable: "TEST",
-        secret: "overwritten_value",
-      });
-
-      apphostingYaml.clearSecrets();
-      expect(JSON.stringify(apphostingYaml.secrets)).to.equal(JSON.stringify([]));
-    });
-  });
-
-  describe("merge", () => {
-    let apphostingYaml: AppHostingYamlConfig;
-    beforeEach(() => {
-      apphostingYaml = AppHostingYamlConfig.empty();
-    });
-
-    it("merges incoming apphosting yaml config with precendence", () => {
-      apphostingYaml.addEnvironmentVariable({
-        variable: "ENV_1",
-        value: "env_1",
-      });
-      apphostingYaml.addEnvironmentVariable({
-        variable: "ENV_2",
-        value: "env_2",
-      });
-      apphostingYaml.addSecret({
-        variable: "SECRET_1",
-        secret: "secret_1",
-      });
-      apphostingYaml.addSecret({
-        variable: "SECRET_2",
-        secret: "secret_2",
-      });
-
-      const incomingAppHostingYaml = AppHostingYamlConfig.empty();
-      incomingAppHostingYaml.addEnvironmentVariable({
-        variable: "ENV_1",
-        value: "incoming_env_1",
-      });
-      incomingAppHostingYaml.addEnvironmentVariable({
-        variable: "ENV_3",
-        value: "incoming_env_3",
-      });
-      incomingAppHostingYaml.addSecret({
-        variable: "SECRET_2",
-        secret: "incoming_secret_1",
-      });
-      incomingAppHostingYaml.addSecret({
-        variable: "SECRET_3",
-        secret: "incoming_secret_3",
-      });
-
-      apphostingYaml.merge(incomingAppHostingYaml);
-
-      expect(JSON.stringify(apphostingYaml.environmentVariables)).to.equal(
-        JSON.stringify([
-          {
-            variable: "ENV_1",
-            value: "incoming_env_1",
-          },
-          {
-            variable: "ENV_2",
-            value: "env_2",
-          },
-          {
-            variable: "ENV_3",
-            value: "incoming_env_3",
-          },
-        ]),
-      );
-
-      expect(JSON.stringify(apphostingYaml.secrets)).to.equal(
-        JSON.stringify([
-          {
-            variable: "SECRET_1",
-            secret: "secret_1",
-          },
-          {
-            variable: "SECRET_2",
-            secret: "incoming_secret_1",
-          },
-          {
-            variable: "SECRET_3",
-            secret: "incoming_secret_3",
-          },
-        ]),
-      );
+  it("conditionally allows secrets to become plaintext", () => {
+    const apphostingYaml = AppHostingYamlConfig.empty();
+    apphostingYaml.env = {
+      API_KEY: { secret: "api_key" },
+    };
+
+    const incomingYaml = AppHostingYamlConfig.empty();
+    incomingYaml.env = {
+      API_KEY: { value: "plaintext" },
+    };
+
+    expect(() =>
+      apphostingYaml.merge(incomingYaml, /* alllowSecretsToBecomePlaintext */ false),
+    ).to.throw("Cannot convert secret to plaintext in apphosting yaml");
+
+    expect(() =>
+      apphostingYaml.merge(incomingYaml, /* alllowSecretsToBecomePlaintext */ true),
+    ).to.not.throw();
+    expect(apphostingYaml.env).to.deep.equal({
+      API_KEY: { value: "plaintext" },
     });
   });
 });