feature/add auth event arc experiment

src/deploy/functions/services/index.ts

@@ -71,7 +71,7 @@
   name: "noop",
   api: "",
   ensureTriggerRegion: noop,
   validateTrigger: noop,
   registerTrigger: noop,
   unregisterTrigger: noop,
   getDefaultRegion: () => Promise.resolve(FALLBACK_DEPLOYMENT_REGION),
@@ -83,7 +83,7 @@
   api: "pubsub.googleapis.com",
   requiredProjectBindings: noopProjectBindings,
   ensureTriggerRegion: noop,
   validateTrigger: noop,
   registerTrigger: noop,
   unregisterTrigger: noop,
   getDefaultRegion: () => Promise.resolve(DEFAULT_GLOBAL_TRIGGER_REGION),
@@ -95,7 +95,7 @@
   api: "storage.googleapis.com",
   requiredProjectBindings: obtainStorageBindings,
   ensureTriggerRegion: ensureStorageTriggerRegion,
   validateTrigger: noop,
   registerTrigger: noop,
   unregisterTrigger: noop,
   getDefaultRegion: ensureStorageDefaultRegion,
@@ -107,7 +107,7 @@
   api: "firebasealerts.googleapis.com",
   requiredProjectBindings: noopProjectBindings,
   ensureTriggerRegion: ensureFirebaseAlertsTriggerRegion,
   validateTrigger: noop,
   registerTrigger: noop,
   unregisterTrigger: noop,
   getDefaultRegion: () => Promise.resolve(DEFAULT_GLOBAL_TRIGGER_REGION),
@@ -123,7 +123,7 @@
   api: "firebasedatabase.googleapis.com",
   requiredProjectBindings: noopProjectBindings,
   ensureTriggerRegion: ensureDatabaseTriggerRegion,
   validateTrigger: noop,
   registerTrigger: noop,
   unregisterTrigger: noop,
   getDefaultRegion: ensureDatabaseDefaultRegion,
@@ -135,7 +135,7 @@
   api: "firebaseremoteconfig.googleapis.com",
   requiredProjectBindings: noopProjectBindings,
   ensureTriggerRegion: ensureRemoteConfigTriggerRegion,
   validateTrigger: noop,
   registerTrigger: noop,
   unregisterTrigger: noop,
   getDefaultRegion: () => Promise.resolve(DEFAULT_GLOBAL_TRIGGER_REGION),
@@ -147,7 +147,7 @@
   api: "testing.googleapis.com",
   requiredProjectBindings: noopProjectBindings,
   ensureTriggerRegion: ensureTestLabTriggerRegion,
   validateTrigger: noop,
   registerTrigger: noop,
   unregisterTrigger: noop,
   getDefaultRegion: () => Promise.resolve(DEFAULT_GLOBAL_TRIGGER_REGION),
@@ -159,7 +159,7 @@
   api: "firestore.googleapis.com",
   requiredProjectBindings: noopProjectBindings,
   ensureTriggerRegion: ensureFirestoreTriggerRegion,
   validateTrigger: noop,
   registerTrigger: noop,
   unregisterTrigger: noop,
   getDefaultRegion: ensureFirestoreDefaultRegion,
@@ -171,7 +171,7 @@
   api: "firebasedataconnect.googleapis.com",
   requiredProjectBindings: noopProjectBindings,
   ensureTriggerRegion: ensureDataConnectTriggerRegion,
   validateTrigger: noop,
   registerTrigger: noop,
   unregisterTrigger: noop,
   getDefaultRegion: ensureDataConnectDefaultRegion,
@@ -207,9 +207,11 @@
   "google.firebase.dataconnect.connector.v1.mutationExecuted": dataconnectService,
   "google.firebase.ailogic.v1.beforeGenerate": aiLogicService,
   "google.firebase.ailogic.v1.afterGenerate": aiLogicService,
+  "google.firebase.auth.user.v2.created": noOpService,
+  "google.firebase.auth.user.v2.deleted": noOpService,
 };
 
 export function serviceForEndpoint(endpoint: backend.Endpoint | build.Endpoint): Service {
   let eventType: string | undefined;
   if ("eventTrigger" in endpoint && endpoint.eventTrigger?.eventType) {
     eventType = endpoint.eventTrigger.eventType;

src/deploy/functions/validate.spec.ts

@@ -9,6 +9,7 @@ import * as secretManager from "../../gcp/secretManager";
 import * as backend from "./backend";
 import { BEFORE_CREATE_EVENT, BEFORE_SIGN_IN_EVENT } from "../../functions/events/v1";
 import { resolveCpuAndConcurrency } from "./prepare";
+import * as experiments from "../../experiments";
 
 describe("validate", () => {
   describe("functionsDirectoryExists", () => {
@@ -494,6 +495,46 @@ describe("validate", () => {
         "The following functions have timeouts that exceed the maximum allowed for their trigger typ",
       );
     });
+
+    it("disallows v2 Auth Eventarc triggers if autheventarc experiment is not enabled", () => {
+      experiments.setEnabled("autheventarc", false);
+      const ep: backend.Endpoint = {
+        ...ENDPOINT_BASE,
+        platform: "gcfv2",
+        eventTrigger: {
+          eventType: "google.firebase.auth.user.v2.created",
+          eventFilters: {},
+          retry: false,
+        },
+      };
+
+      try {
+        expect(() => validate.endpointsAreValid(backend.of(ep))).to.throw(
+          /Cannot deploy Auth Eventarc triggers because the experiment.*autheventarc.*is not enabled/,
+        );
+      } finally {
+        experiments.setEnabled("autheventarc", null);
+      }
+    });
+
+    it("allows v2 Auth Eventarc triggers if autheventarc experiment is enabled", () => {
+      experiments.setEnabled("autheventarc", true);
+      const ep: backend.Endpoint = {
+        ...ENDPOINT_BASE,
+        platform: "gcfv2",
+        eventTrigger: {
+          eventType: "google.firebase.auth.user.v2.created",
+          eventFilters: {},
+          retry: false,
+        },
+      };
+
+      try {
+        expect(() => validate.endpointsAreValid(backend.of(ep))).to.not.throw();
+      } finally {
+        experiments.setEnabled("autheventarc", null);
+      }
+    });
   });
 
   describe("endpointsAreUnqiue", () => {

src/deploy/functions/validate.ts

@@ -10,6 +10,10 @@ import * as fsutils from "../../fsutils";
 import * as backend from "./backend";
 import * as utils from "../../utils";
 import * as secrets from "../../functions/secrets";
+import * as experiments from "../../experiments";
+import { AUTH_EVENTS } from "../../functions/events/v2";
+
+const AUTH_EVENTS_SET = new Set<string>(AUTH_EVENTS);
 
 /**
  * GCF Gen 1 has a max timeout of 540s.
@@ -89,6 +93,11 @@ export function endpointsAreValid(wantBackend: backend.Backend): void {
   validateTimeoutConfig(endpoints);
   for (const ep of endpoints) {
     validateScheduledTimeout(ep);
+    if (backend.isEventTriggered(ep)) {
+      if (AUTH_EVENTS_SET.has(ep.eventTrigger.eventType)) {
+        experiments.assertEnabled("autheventarc", "deploy Auth Eventarc triggers");
+      }
+    }
     const service = serviceForEndpoint(ep);
     if (backend.isBlockingTriggered(ep)) {
       if (service.name === "noop") {

src/experiments.ts

@@ -215,6 +215,13 @@ export const ALL_EXPERIMENTS = experiments({
     default: false,
     public: true,
   },
+  autheventarc: {
+    shortDescription: "Enable experimental Eventarc-based Auth triggers",
+    fullDescription:
+      "Enable support for v2 Eventarc-based Auth triggers (onUserCreated and onUserDeleted)",
+    default: false,
+    public: true,
+  },
 });
 
 export type ExperimentName = keyof typeof ALL_EXPERIMENTS;

src/functions/events/v2.ts

@@ -41,6 +41,11 @@ export const FIREALERTS_EVENT = "google.firebase.firebasealerts.alerts.v1.publis
 
 export const DATACONNECT_EVENT = "google.firebase.dataconnect.connector.v1.mutationExecuted";
 
+export const AUTH_EVENTS = [
+  "google.firebase.auth.user.v2.created",
+  "google.firebase.auth.user.v2.deleted",
+] as const;
+
 export type Event =
   | typeof PUBSUB_PUBLISH_EVENT
   | (typeof STORAGE_EVENTS)[number]
@@ -51,7 +56,8 @@ export type Event =
   | (typeof FIRESTORE_EVENTS)[number]
   | typeof FIREALERTS_EVENT
   | typeof DATACONNECT_EVENT
-  | (typeof AI_LOGIC_EVENTS)[number];
+  | (typeof AI_LOGIC_EVENTS)[number]
+  | (typeof AUTH_EVENTS)[number];
 
 // Why can't auth context be removed? This is map was added to correct a bug where a regex
 // allowed any non-auth type to be converted to any auth type, but we should follow up for why