Fix requireAuthWrapper logic and service account email detection (#6115)

hsubox76 · web-flow · commit 473deff80d0d · 2023-07-12T11:44:07.000-07:00
diff --git a/firebase-vscode/package-lock.json b/firebase-vscode/package-lock.json
diff --git a/firebase-vscode/package.json b/firebase-vscode/package.json
@@ -3,7 +3,7 @@
   "displayName": "firebase-vscode",
   "publisher": "firebase",
   "description": "VSCode Extension for Firebase",
-  "version": "0.0.23-alpha.3",
+  "version": "0.0.23-alpha.4",
   "engines": {
     "vscode": "^1.69.0"
   },
diff --git a/firebase-vscode/src/cli.ts b/firebase-vscode/src/cli.ts
@@ -18,7 +18,7 @@ import { Account, User } from "../../src/types/auth";
 import { Options } from "../../src/options";
 import { currentOptions, getCommandOptions } from "./options";
 import { setInquirerOptions } from "./stubs/inquirer-stub";
-import { ServiceAccount, ServiceAccountUser } from "../common/types";
+import { ServiceAccount } from "../common/types";
 import { listChannels } from "../../src/hosting/api";
 import { ChannelWithId } from "../common/messaging/types";
 import { pluginLogger } from "./logger-wrapper";
@@ -33,11 +33,26 @@ import { setAccessToken } from "../../src/apiv2";
 async function getServiceAccount() {
   let email = null;
   try {
+    // Empty to make sure no oauth user/token is sent to requireAuth
+    // which would prevent autoAuth() from being reached
     email = (await requireAuth({})) || null;
   } catch (e) {
     pluginLogger.debug('No service account found (this may be normal), requireAuth error output:',
       e.original || e);
+    return null;
   }
+  if (process.env.WORKSPACE_SERVICE_ACCOUNT_EMAIL) {
+    // If Monospace, get service account email using env variable as
+    // the metadata server doesn't currently return the credentials
+    // for the workspace service account. Remove when Monospace is
+    // updated to return credentials through the metadata server.
+    pluginLogger.debug(`Using WORKSPACE_SERVICE_ACCOUNT_EMAIL env `
+      + `variable to get service account email: `
+      + `${process.env.WORKSPACE_SERVICE_ACCOUNT_EMAIL}`);
+    return process.env.WORKSPACE_SERVICE_ACCOUNT_EMAIL;
+  }
+  pluginLogger.debug(`Got service account email through credentials:`
+    + ` ${email}`);
   return email;
 }
 
@@ -50,7 +65,6 @@ async function requireAuthWrapper(showError: boolean = true): Promise<boolean> {
   // Try to get global default from configstore. For some reason this is
   // often overwritten when restarting the extension.
   pluginLogger.debug('requireAuthWrapper');
-  let authFound = false;
   let account = getGlobalDefaultAccount();
   if (!account) {
     // If nothing in configstore top level, grab the first "additionalAccount"
@@ -62,9 +76,6 @@ async function requireAuthWrapper(showError: boolean = true): Promise<boolean> {
       }
     }
   }
-  if (account) {
-    authFound = true;
-  }
   const commandOptions = await getCommandOptions(undefined, {
     ...currentOptions
   });
@@ -77,34 +88,38 @@ async function requireAuthWrapper(showError: boolean = true): Promise<boolean> {
     const serviceAccountEmail = await getServiceAccount();
     // Priority 1: Service account exists and is the current selected user
     if (serviceAccountEmail && currentUser.email === serviceAccountEmail) {
-      await requireAuth(commandOptions);
+      // requireAuth should have been run and apiv2 token should be stored
+      // already due to getServiceAccount() call above.
+      return true;
     } else if (account) {
       // Priority 2: Google login account exists and is the currently selected
       // user
       // Priority 3: Google login account exists and there is no selected user
       // Clear service account access token from memory in apiv2.
       setAccessToken();
-      await requireAuth({...commandOptions, ...account});
+      await requireAuth({ ...commandOptions, ...account });
+      return true;
+    } else if (serviceAccountEmail) {
+      // Priority 4: There is a service account but it's not set as
+      // currentUser for some reason, but there also isn't an oauth account.
+      // requireAuth was already run as part of getServiceAccount() above
+      return true;
     }
+    pluginLogger.debug('No user found (this may be normal)');
+    return false;
   } catch (e) {
-    // No service account or google login found.
     if (showError) {
-      pluginLogger.error('requireAuth error', e.original || e);
+      pluginLogger.error('requireAuth error: ', e.original || e);
       vscode.window.showErrorMessage("Not logged in", {
         modal: true,
         detail: `Log in by clicking "Sign in with Google" in the sidebar.`,
       });
     } else {
-      // If "showError" is false, this may not be an error, just an indication
-      // no one is logged in. Log to "debug".
-      pluginLogger.debug('No user found (this may be normal), requireAuth error output:',
+      pluginLogger.debug('requireAuth error output: ',
         e.original || e);
     }
     return false;
   }
-  // If we reach here, there is either a google account or no error on
-  // requireAuth (which means there is a service account or glogin)
-  return authFound;
 }
 
 export async function getAccounts(): Promise<Array<Account | ServiceAccount>> {
