securityRules() methods to release rulesets cannot be used on clean project

[wvanderdeijl]

Describe your environment

• Operating System version: MacOS 11.2.3
• Firebase SDK version: 9.4.2
• Firebase Product: securityRules
• Node.js version: 14.15.4
• NPM version: 6.14.10

Describe the problem

The securityRules within firebase-admin offer a number of methods to change the security rules of your firebase project. However, they fail with an error "Requested entity was not found." when invoked on a freshly created project. The problem resolves itself if you create an initial set of rules through the console or CLI.

Requested entity was not found.

Steps to reproduce:

We are creating our projects through infrastructure as code (terraform) and create an AppEngine that way (to enable firestore) and then enable the firebaserules.googleapis.com service. We then try to programmatically deploy rules (as there is no terraform support for rules) using firebase-admin:

app.securityRules().releaseFirestoreRulesetFromSource(requested.rules);

Relevant Code:

I feel the problem lies in

firebase-admin-node/src/security-rules/security-rules-api-client-internal.ts

Line 165 in 2f6da89

public updateRelease(name: string, rulesetName: string): Promise<Release> {

That always does a PATCH assuming a ruleset already exists.

All the methods in firebase-admin.securityRules to change the ruleset eventually end up in that updateRelease method.

If I look at the source code of firebase-tools you can see it has a method to first create a release: https://github.com/firebase/firebase-tools/blob/1633f4fccbbc1bcbc6216fe13b8e888c8940bde4/src/gcp/rules.ts#L232

It would be nice if firebase-admin detects that no rules release exists yet, and create one first using a POST, before attempting the PATCH. Alternative would be to catch the "Requested entity was not found" error, then do a POST followed by a retry of the PATCH.

[google-oss-bot]

I found a few problems with this issue:

• I couldn't figure out how to label this issue, so I've labeled it for a human to triage. Hang tight.
• This issue does not seem to follow the issue template. Make sure you provide all the required information.

[hiranya911]

I believe the release resource is created automatically upon enabling Firestore. But this happens asynchronously, and therefore there's no guarantee as to when it will be available.

@rachelmyers do you have any insights on this? Does it make sense for the SDK to try and create the release if an update fails?

[wvanderdeijl]

We are enabling the appengine.googleapis.com, firestore.googleapis.com and firebaserules.googleapis.com services on the project through terraform. I have tried to build my own workaround to first do a POST to the releases to create the initial release (much like firebase-tools does). To detect if a release already existed I was trying to use the methods from firebase-admin securityRules tools, but they throw an error on getting an empty object {} when listing the existing releases. That’s the error I am catching now to then first create a release through the REST API before attempting again to use the firebase-admin securityRules tools. Those tools are much more convenient than trying to figure out to update the rules via the REST API as that does not seem to be documented.

[rachelmyers]

Thanks for your patience on this. How to terraform Firebase projects is an interesting case.

In the immediate term, if you enable both APIs, firestore.googleapis.com and firebaserules.googleapis.com, and then create the first release via the CLI (or API, as you did) that should work. The initial release is normally created when the project is provisioned; before we change updateRelease I want to make sure we're not going to miss something else from provisioning, and leave people in an incomplete state. Did creating the first release via the API work out?

And I can also work on getting the Rules API documented. 📝