Force HTTPS in newly created v1 functions (#3923)

CHANGELOG.md

@@ -1,2 +1,3 @@
 - Corrects a bug where containers in Artifact Registry would not be deleted if a function has an upper case character in its name
 - Fixes issue where providing the `--project` flag during `init` would not be recognized with a default project already set. (#3870)
+- New HTTPS functions only allow secure traffic.

src/deploy/functions/release/fabricator.ts

@@ -205,6 +205,12 @@ export class Fabricator {
       throw new Error("Precondition failed");
     }
     const apiFunction = gcf.functionFromEndpoint(endpoint, this.sourceUrl);
+    // As a general security practice and way to smooth out the upgrade path
+    // for GCF gen 2, we are enforcing that all new GCFv1 deploys will require
+    // HTTPS
+    if (apiFunction.httpsTrigger) {
+      apiFunction.httpsTrigger.securityLevel = "SECURE_ALWAYS";
+    }
     apiFunction.sourceToken = await scraper.tokenPromise();
     const resultFunction = await this.functionExecutor
       .run(async () => {

src/test/deploy/functions/release/fabricator.spec.ts

@@ -136,6 +136,20 @@ describe("Fabricator", () => {
       ).to.be.rejectedWith(reporter.DeploymentError, "set invoker");
     });
 
+    it("enforces SECURE_ALWAYS HTTPS policies", async () => {
+      gcf.createFunction.resolves({ name: "op", type: "create", done: false });
+      poller.pollOperation.resolves();
+      gcf.setInvokerCreate.resolves();
+      const ep = endpoint();
+
+      await fab.createV1Function(ep, new scraper.SourceTokenScraper());
+      expect(gcf.createFunction).to.have.been.calledWithMatch({
+        httpsTrigger: {
+          securityLevel: "SECURE_ALWAYS",
+        },
+      });
+    });
+
     it("sets invoker by default", async () => {
       gcf.createFunction.resolves({ name: "op", type: "create", done: false });
       poller.pollOperation.resolves();