PR comments

averikitsch · averikitsch · commit eff522c74cb1 · 2020-10-13T16:31:26.000-07:00
diff --git a/run/idp-sql/README.md b/run/idp-sql/README.md
@@ -18,6 +18,7 @@ For more details on how to work with this sample read the [Google Cloud Run Node
 * **knex** + **pg**: A postgreSQL query builder library
 * **handlebars.js**: Template engine
 * **google-auth-library-nodejs**: Access [compute metadata server](https://cloud.google.com/compute/docs/storing-retrieving-metadata) for project ID
+* **Firebase JavaScript SDK**: client-side library for authentication flow
 
 ## Environment Variables
 
diff --git a/run/idp-sql/app.js b/run/idp-sql/app.js
@@ -77,7 +77,7 @@ app.get('/', getTrace, async (req, res) => {
   } catch (err) {
     const message = "Error while connecting to the Cloud SQL database. " +
       "Check that your username and password are correct, that the Cloud SQL " +
-      "proxy is running (locally), and that the database/table exits and is " +
+      "proxy is running (locally), and that the database/table exists and is " +
       `ready for use: ${err}`;
     logger.error({message, traceId: req.traceId});
     res
diff --git a/run/idp-sql/app.json b/run/idp-sql/app.json
@@ -2,8 +2,7 @@
   "name": "idp-sql",
   "env": {
     "DB_PASSWORD": {
-      "description": "postgreSQL password",
-      "value": "password1234"
+      "description": "postgreSQL password"
     },
     "CLOUD_SQL_INSTANCE_NAME": {
       "description": "Cloud SQL instance name",
diff --git a/run/idp-sql/cloud-run-button-script.sh b/run/idp-sql/cloud-run-button-script.sh
@@ -12,8 +12,8 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-export _SECRET_NAME="vote-sql-secrets"
-export _SERVICE_ACCOUNT="vote-indentity"
+export SECRET_NAME="idp-sql-secrets"
+export SERVICE_ACCOUNT="idp-sql-indentity"
 
 gcloud config set project $GOOGLE_CLOUD_PROJECT
 
@@ -22,7 +22,7 @@ gcloud services enable sqladmin.googleapis.com secretmanager.googleapis.com
 
 gcloud sql instances describe ${CLOUD_SQL_INSTANCE_NAME}
 if [ $? -eq 1 ]; then
-  echo "Create Cloud SQL instance with postgreSQL database ..."
+  echo "Create Cloud SQL instance with postgreSQL database (this might take a few minutes)..."
   gcloud sql instances create ${CLOUD_SQL_INSTANCE_NAME} \
       --database-version=POSTGRES_12 \
       --region=${GOOGLE_CLOUD_REGION} \
@@ -36,29 +36,29 @@ sed -i "s/REGION/$GOOGLE_CLOUD_REGION/" postgres-secrets.json
 sed -i "s/PASSWORD_SECRET/$DB_PASSWORD/" postgres-secrets.json
 sed -i "s/INSTANCE/$CLOUD_SQL_INSTANCE_NAME/" postgres-secrets.json
 
-gcloud secrets describe ${_SECRET_NAME}
+gcloud secrets describe ${SECRET_NAME}
 if [ $? -eq 1 ]; then
   echo "Creating secret ..."
-  gcloud secrets create ${_SECRET_NAME} \
+  gcloud secrets create ${SECRET_NAME} \
       --replication-policy="automatic"
 fi
 echo "Adding secret version ..."
-gcloud secrets versions add ${_SECRET_NAME} --data-file=postgres-secrets.json
+gcloud secrets versions add ${SECRET_NAME} --data-file=postgres-secrets.json
 
 # Create service account
-gcloud iam service-accounts create ${_SERVICE_ACCOUNT}
+gcloud iam service-accounts create ${SERVICE_ACCOUNT}
 # Allow service account to access secret
-gcloud secrets add-iam-policy-binding ${_SECRET_NAME} \
-  --member serviceAccount:${_SERVICE_ACCOUNT}@${GOOGLE_CLOUD_PROJECT}.iam.gserviceaccount.com \
+gcloud secrets add-iam-policy-binding ${SECRET_NAME} \
+  --member serviceAccount:${SERVICE_ACCOUNT}@${GOOGLE_CLOUD_PROJECT}.iam.gserviceaccount.com \
   --role roles/secretmanager.secretAccessor
   # Allow service account to access Cloud SQL
 gcloud projects add-iam-policy-binding $GOOGLE_CLOUD_PROJECT \
-   --member serviceAccount:${_SERVICE_ACCOUNT}@${GOOGLE_CLOUD_PROJECT}.iam.gserviceaccount.com \
+   --member serviceAccount:${SERVICE_ACCOUNT}@${GOOGLE_CLOUD_PROJECT}.iam.gserviceaccount.com \
    --role roles/cloudsql.client
 
 gcloud run services update ${K_SERVICE} \
     --platform managed \
     --region ${GOOGLE_CLOUD_REGION} \
-    --service-account ${_SERVICE_ACCOUNT}@${GOOGLE_CLOUD_PROJECT}.iam.gserviceaccount.com \
+    --service-account ${SERVICE_ACCOUNT}@${GOOGLE_CLOUD_PROJECT}.iam.gserviceaccount.com \
     --add-cloudsql-instances ${GOOGLE_CLOUD_PROJECT}:${GOOGLE_CLOUD_REGION}:${CLOUD_SQL_INSTANCE_NAME} \
-    --set-env-vars CLOUD_SQL_CREDENTIALS_SECRET=projects/${GOOGLE_CLOUD_PROJECT}/secrets/${_SECRET_NAME}/versions/latest
+    --update-env-vars CLOUD_SQL_CREDENTIALS_SECRET=projects/${GOOGLE_CLOUD_PROJECT}/secrets/${SECRET_NAME}/versions/latest
diff --git a/run/idp-sql/cloud-sql.js b/run/idp-sql/cloud-sql.js
@@ -34,6 +34,12 @@ const config = {
 }
 
 // [START run_user_auth_sql_connect]
+/**
+* Connect to the Cloud SQL instance through UNIX Sockets
+*
+* @param {object} credConfig The Cloud SQL connection configuration from Secret Manager
+* @returns {object} Knex's PostgreSQL client
+*/
 const connectWithUnixSockets = async (credConfig) => {
   const dbSocketPath = process.env.DB_SOCKET_PATH || "/cloudsql"
   // Establish a connection to the database
diff --git a/run/idp-sql/middleware.js b/run/idp-sql/middleware.js
@@ -12,10 +12,10 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
-const admin = require('firebase-admin');
-const { logger } = require('./logging');
+const { logger } = require('./logging'); // Import winston logger instance
 
 // [START run_user_auth_jwt]
+const admin = require('firebase-admin');
 // Extract and verify Id Token from header
 const authenticateJWT = (req, res, next) => {
   const authHeader = req.headers.authorization;
diff --git a/run/idp-sql/package.json b/run/idp-sql/package.json
@@ -21,6 +21,7 @@
     "@google-cloud/secret-manager": "^3.1.0",
     "express": "^4.16.2",
     "firebase-admin": "^9.1.0",
+    "gcp-metadata": "^4.2.0",
     "google-auth-library": "^6.1.1",
     "handlebars": "^4.7.6",
     "knex": "^0.21.0",
diff --git a/run/idp-sql/secrets.js b/run/idp-sql/secrets.js
@@ -13,15 +13,16 @@
 // limitations under the License.
 
 const { logger } = require('./logging');
-const {SecretManagerServiceClient} = require('@google-cloud/secret-manager');
 
 // CLOUD_SQL_CREDENTIALS_SECRET is the resource ID of the secret, passed in by environment variable.
 // Format: projects/PROJECT_ID/secrets/SECRET_ID/versions/VERSION
 const {CLOUD_SQL_CREDENTIALS_SECRET} = process.env;
 
-let client;
 
 // [START run_user_auth_secrets]
+const {SecretManagerServiceClient} = require('@google-cloud/secret-manager');
+let client;
+
 async function getSecrets(secretName) {
   if (!client) client = new SecretManagerServiceClient();
   try {
@@ -34,7 +35,7 @@ async function getSecrets(secretName) {
 }
 // [END run_user_auth_secrets]
 
-// Load the secret from Secret Manager
+// Load the Cloud SQL config from Secret Manager
 async function getCredConfig() {
   if (CLOUD_SQL_CREDENTIALS_SECRET) {
     const secrets = await getSecrets(CLOUD_SQL_CREDENTIALS_SECRET);
diff --git a/run/idp-sql/static/firebase.js b/run/idp-sql/static/firebase.js
@@ -62,7 +62,7 @@ async function vote(team) {
           'Content-Type': 'application/x-www-form-urlencoded',
           'Authorization': `Bearer ${token}`
         },
-        body: 'team=' + team,
+        body: 'team=' + team, // send application data (vote)
       });
       if (response.ok) {
         const text = await response.text();
