-
Notifications
You must be signed in to change notification settings - Fork 1.6k
/
Copy pathgenerate_access_token.sh
executable file
·93 lines (79 loc) · 3.14 KB
/
generate_access_token.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
#!/bin/bash
# Copyright 2020 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# This script generates access tokens that are needed to make admin API
# calls to the Firebase Console.
#
# The script takes three arguments:
# - GHA_SECRET: The password for decrypting GitHub secrets.
# - SERVICE_ACCOUNT: The path to the encrypted service account secret.
# - OUTPUT: The path to file where generated access token will be stored.
#
# This script uses Google's Swift Auth Client Library.
# - https://github.com/googleapis/google-auth-library-swift
#
# Generated tokens are `JSON` in the form:
# {
# "token_type":"Bearer",
# "expires_in":3599,
# "access_token":"1234567890ABCDEFG"
# }
GHA_SECRET="$1" # Pass in `local_dev` if the SERVICE_ACCOUNT does not to be decrypted.
SERVICE_ACCOUNT="$2"
OUTPUT="$3"
echo "GHA_SECRET: ***"
echo "SERVICE_ACCOUNT: ${SERVICE_ACCOUNT}"
echo "OUTPUT: ${OUTPUT}"
if [[ ! -f $SERVICE_ACCOUNT ]]; then
echo ERROR: Cannot find encrypted secret at $SERVICE_ACCOUNT, aborting.
exit 1
fi
if [[ ! -f $OUTPUT ]]; then
echo ERROR: Cannot find $OUTPUT, aborting.
exit 1
fi
# The access token is generated using a downloaded Service Account JSON file from a
# Firebase Project. This can be downloaded from Firebase console under 'Project Settings'.
#
# The following stores the decrypted service account JSON file in `$HOME/.credentials/` and points
# the GOOGLE_APPLICATION_CREDENTIALS env var to it.
SERVICE_ACCOUNT_FILE=$(basename $SERVICE_ACCOUNT .gpg)
echo "Creating ~/.credentials/ directory"
mkdir -p ~/.credentials/
if [[ $GHA_SECRET == "local_dev" ]]; then
echo "Local Development Mode"
echo "Copying ${SERVICE_ACCOUNT_FILE} to ~/.credentials/"
cp $SERVICE_ACCOUNT ~/.credentials/
else
echo "Decrypting ${SERVICE_ACCOUNT_FILE}.gpg"
scripts/decrypt_gha_secret.sh $SERVICE_ACCOUNT ~/.credentials/$SERVICE_ACCOUNT_FILE "$GHA_SECRET"
fi
echo "GOOGLE_APPLICATION_CREDENTIALS=${HOME}/.credentials/${SERVICE_ACCOUNT_FILE}" >> $GITHUB_ENV
export GOOGLE_APPLICATION_CREDENTIALS="${HOME}/.credentials/${SERVICE_ACCOUNT_FILE}"
# Clone Google's Swift Auth Client Library and use it to generate a token.
# The generated token is piped to the specified OUTPUT file.
git clone https://github.com/googleapis/google-auth-library-swift.git
cd google-auth-library-swift
make -f Makefile
# Prepend OUTPUT path with ../ since we cd'd into `google-auth-library-swift`.
swift run TokenSource > ../$OUTPUT
# Remove cloned Swift Auth Client Library.
cd ..
rm -rf google-auth-library-swift
if grep -q "access_token" $OUTPUT; then
echo "Token successfully generated and placed at ${OUTPUT}"
else
echo "ERROR: $(cat $OUTPUT)"
exit 1
fi