Fixes source token expiration by token refresh #5198

Merged
merged 10 commits into from Nov 4, 2022
1 change: 1 addition & 0 deletions CHANGELOG.md
Expand Up @@ -3,3 +3,4 @@
- Changes `superstatic` dependency to `v8`, addressing Hosting emulator issues on Windows.
- Fixes internal library that was not being correctly published.
- Adds `--disable-triggers` flag to RTDB write commands.
- Fixes source token expiration issue by acquiring new source token upon expiration.
7 changes: 5 additions & 2 deletions src/deploy/functions/release/fabricator.ts
Expand Up @@ -210,9 +210,11 @@ export class Fabricator {
if (apiFunction.httpsTrigger) {
apiFunction.httpsTrigger.securityLevel = "SECURE_ALWAYS";
}
apiFunction.sourceToken = await scraper.tokenPromise();
// apiFunction.sourceToken = await scraper.tokenPromise();
Contributor

nit - stray comment?

const resultFunction = await this.functionExecutor
.run(async () => {
// try to get the source token right before deploying
apiFunction.sourceToken = await scraper.getToken();
const op: { name: string } = await gcf.createFunction(apiFunction);
return poller.pollOperation<gcf.CloudFunction>({
...gcfV1PollerOptions,
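Review bot: With `scraper.getToken()` now awaited inside the `functionExecutor.run` callback, a failure of the first caller's `gcf.createFunction` can leave the other deploys waiting on a promise that is never resolved. In sourceTokenScraper.ts the first caller gets `undefined` and moves the state to FETCHING, later callers return `this.promise`, and the only `this.resolve(...)` call visible in this change is in `poller`; if the first create call throws before an operation carrying a source token is polled, nothing visible here resolves it. Suggest giving the scraper a failure path that the caller invokes on error, one that resolves the pending promise with `undefined` and sets the state back to NONE. The commented-out `// apiFunction.sourceToken = await scraper.tokenPromise();` line should also be dropped, as already noted above.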
Expand Down Expand Up @@ -374,9 +376,10 @@ export class Fabricator {
throw new Error("Precondition failed");
}
const apiFunction = gcf.functionFromEndpoint(endpoint, sourceUrl);
apiFunction.sourceToken = await scraper.tokenPromise();

const resultFunction = await this.functionExecutor
.run(async () => {
apiFunction.sourceToken = await scraper.getToken();
const op: { name: string } = await gcf.updateFunction(apiFunction);
return await poller.pollOperation<gcf.CloudFunction>({
...gcfV1PollerOptions,
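Review bot: The update path assigns `apiFunction.sourceToken = await scraper.getToken();` inside the callback without the comment the create path carries ("try to get the source token right before deploying"). Suggest repeating the comment here, or moving the fetch-and-assign step into one small helper used by both the create and update paths so the two cannot drift apart.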
Expand Down
43 changes: 32 additions & 11 deletions src/deploy/functions/release/sourceTokenScraper.ts
@@ -1,28 +1,47 @@
import { FirebaseError } from "../../../error";
import { logger } from "../../../logger";

type TokenFetchState = "NONE" | "FETCHING" | "VALID";

/**
* GCF v1 deploys support reusing a build between function deploys.
* This class will return a resolved promise for its first call to tokenPromise()
* and then will always return a promise that is resolved by the poller function.
*/
export class SourceTokenScraper {
private firstCall = true;
private resolve!: (token: string) => void;
private tokenValidDurationMs;
private resolve!: (token?: string) => void;
private promise: Promise<string | undefined>;
private expiry: number | undefined;
private fetchState: TokenFetchState;

constructor() {
constructor(validDurationMs = 1500000) {
this.tokenValidDurationMs = validDurationMs;
this.promise = new Promise((resolve) => (this.resolve = resolve));
this.fetchState = "NONE";
}

async getToken(): Promise<string | undefined> {
if (this.fetchState === "NONE") {
this.fetchState = "FETCHING";
return undefined;
} else if (this.fetchState === "FETCHING") {
return this.promise; // wait until we get a source token
} else if (this.fetchState === "VALID") {
if (this.isTokenExpired()) {
this.fetchState = "FETCHING";
this.promise = new Promise((resolve) => (this.resolve = resolve));
return undefined;
}
return this.promise;
Contributor

Should we throw an error here instead of silently succeeding? Can see argument for either.

Contributor Author

By throwing an error, do you mean throwing an error and then catching it in an enclosing try { await getToken(); ... } catch (expiredErr) {...} block, and then retrying?

Contributor

I mean that in theory we should never reach this codepath - fetchState can only be in one of three states, and we have an if condition for all of them. So we could throw (which could happen if we misunderstood this code for some reason) or just return the promise (which might leave the CLI in an undefined state). I have slight preference for the former.

}
}

// Token Promise will return undefined for the first caller
// (because we presume it's this function's source token we'll scrape)
// and then returns the promise generated from the first function's onCall
tokenPromise(): Promise<string | undefined> {
if (this.firstCall) {
this.firstCall = false;
return Promise.resolve(undefined);
isTokenExpired(): boolean {
if (this.expiry === undefined) {
throw new FirebaseError("failed to check expiry: no token exists");
Contributor

This error message makes sense to you and me but won't to almost all users trying to deploy their function.

I think this is a good example of a user facing error message - describe the situation coarsely and suggest next steps:

throw new FirebaseError(
"Cloud Runtime Config is currently experiencing issues, " +
"which is preventing your functions from being deployed. " +
"Please wait a few minutes and then try to deploy your functions again." +
"\nRun `firebase deploy --except functions` if you want to continue deploying the rest of your project."
);

In our case, hitting this if statement should never happen and would be considered a bug. Maybe we can suggest that they file an issue.

Contributor Author

ah gotcha. working on a more descriptive message.

Contributor Author

throw new FirebaseError(
        "Your deployment is checking the expiration of a source token that has not yet been polled. " +
          "Hitting this case should never happen and should be considered a bug. " +
          "Please file an issue at https://github.com/firebase/firebase-tools/issues " + 
          "and try deploying your functions again."
      );

What about something like this?

}
return this.promise;
return Date.now() >= this.expiry;
}

get poller() {
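Review bot: The class doc comment at the top of this hunk still describes `tokenPromise()` ("will return a resolved promise for its first call to tokenPromise()"), which this change replaces with `getToken()` and the NONE / FETCHING / VALID state machine. Suggest rewriting it to describe the three states and which caller receives `undefined`. In the same hunk, `validDurationMs = 1500000` is an unexplained constant and `private tokenValidDurationMs;` has no type annotation; a named constant with a comment stating the assumed token lifetime, plus `: number` on the field, would make the expiry logic easier to review.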
Expand All @@ -32,6 +51,8 @@ export class SourceTokenScraper {
op.metadata?.target?.split("/") || [];
logger.debug(`Got source token ${op.metadata?.sourceToken} for region ${region as string}`);
this.resolve(op.metadata?.sourceToken);
this.fetchState = "VALID";
this.expiry = Date.now() + this.tokenValidDurationMs;
}
};
}
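Review bot: `this.fetchState = "VALID"` and `this.expiry` are set without a visible check that `op.metadata?.sourceToken` is defined. The optional chaining and the `resolve!: (token?: string)` signature both allow `undefined`, so unless the enclosing condition (not shown in this hunk) already rules it out, callers would be handed `undefined` as a "valid" token until `tokenValidDurationMs` elapses. Suggest moving to VALID only when a token string is present. Separately, the unchanged `logger.debug` line above writes the token value itself to the debug log; logging that a token was obtained for the region, without the value, would be enough.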
Expand Down
63 changes: 56 additions & 7 deletions src/test/deploy/functions/release/sourceTokenScraper.spec.ts
Expand Up @@ -2,23 +2,23 @@ import { expect } from "chai";

import { SourceTokenScraper } from "../../../../deploy/functions/release/sourceTokenScraper";

describe("SourcTokenScraper", () => {
describe("SourceTokenScraper", () => {
it("immediately provides the first result", async () => {
const scraper = new SourceTokenScraper();
await expect(scraper.tokenPromise()).to.eventually.be.undefined;
await expect(scraper.getToken()).to.eventually.be.undefined;
});

it("provides results after the firt operation completes", async () => {
it("provides results after the first operation completes", async () => {
const scraper = new SourceTokenScraper();
// First result comes right away;
await expect(scraper.tokenPromise()).to.eventually.be.undefined;
await expect(scraper.getToken()).to.eventually.be.undefined;

let gotResult = false;
const timeout = new Promise((resolve, reject) => {
setTimeout(() => reject(new Error("Timeout")), 10);
});
const getResult = (async () => {
await scraper.tokenPromise();
await scraper.getToken();
gotResult = true;
})();
await expect(Promise.race([getResult, timeout])).to.be.rejectedWith("Timeout");
Expand All @@ -31,14 +31,63 @@ describe("SourcTokenScraper", () => {
it("provides tokens from an operation", async () => {
const scraper = new SourceTokenScraper();
// First result comes right away
await expect(scraper.tokenPromise()).to.eventually.be.undefined;
await expect(scraper.getToken()).to.eventually.be.undefined;

scraper.poller({
metadata: {
sourceToken: "magic token",
target: "projects/p/locations/l/functions/f",
},
});
await expect(scraper.tokenPromise()).to.eventually.equal("magic token");
await expect(scraper.getToken()).to.eventually.equal("magic token");
});

it("refreshes token after timer expires", async () => {
const scraper = new SourceTokenScraper(10);
await expect(scraper.getToken()).to.eventually.be.undefined;
scraper.poller({
metadata: {
sourceToken: "magic token",
target: "projects/p/locations/l/functions/f",
},
});
await expect(scraper.getToken()).to.eventually.equal("magic token");
const timeout = (duration: number): Promise<void> => {
return new Promise<void>((resolve) => setTimeout(resolve, duration));
};
await timeout(50);
Member

In the future, try to instrument code without sleeping in your test. You can inject a clock for example.

await expect(scraper.getToken()).to.eventually.be.undefined;
scraper.poller({
metadata: {
sourceToken: "magic token #2",
target: "projects/p/locations/l/functions/f",
},
});
await expect(scraper.getToken()).to.eventually.equal("magic token #2");
});

it("concurrent requests for source token", async () => {
Contributor

Nice test!!

const scraper = new SourceTokenScraper();

const promises = [];
for (let i = 0; i < 3; i++) {
promises.push(scraper.getToken());
}
scraper.poller({
metadata: {
sourceToken: "magic token",
target: "projects/p/locations/l/functions/f",
},
});

let successes = 0;
const tokens = await Promise.all(promises);
for (const tok of tokens) {
if (tok === "magic token") {
successes++;
}
}
expect(tokens.includes(undefined)).to.be.true;
expect(successes).to.equal(2);
});
});
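Review bot: The "refreshes token after timer expires" test only exercises a single caller after expiry; there is no test for several `getToken()` calls arriving together once the token has expired, which is where the VALID to FETCHING transition and the replacement of `this.promise` matter. Suggest a variant of "concurrent requests for source token" that runs after expiry and asserts that exactly one caller receives `undefined` and the rest receive "magic token #2". The `isTokenExpired()` branch that throws when `expiry` is undefined is also not covered by any test in this hunk.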