From 1ec8b5446e376d69a3d2abc74ab4e3e127b99d70 Mon Sep 17 00:00:00 2001
From: Paul Kraft
Date: Sun, 10 Nov 2024 17:36:59 -0800
Subject: [PATCH] Introduce default and privileged service accounts
---
functions/src/functions/blocking.ts | 6 +++---
functions/src/functions/enrollUser.ts | 5 ++++-
functions/src/functions/helpers.ts | 7 ++++---
functions/src/functions/onSchedule.ts | 8 ++++----
4 files changed, 15 insertions(+), 11 deletions(-)
diff --git a/functions/src/functions/blocking.ts b/functions/src/functions/blocking.ts
index 4b0d3b1b..1ffc7b5d 100644
--- a/functions/src/functions/blocking.ts
+++ b/functions/src/functions/blocking.ts
@@ -12,11 +12,11 @@ import {
beforeUserCreated,
beforeUserSignedIn,
} from 'firebase-functions/v2/identity'
-import { serviceAccount } from './helpers.js'
+import { privilegedServiceAccount } from './helpers.js'
import { getServiceFactory } from '../services/factory/getServiceFactory.js'
export const beforeUserCreatedFunction = beforeUserCreated(
- { serviceAccount: serviceAccount },
+ { serviceAccount: privilegedServiceAccount },
async (event) => {
const userId = event.data.uid
@@ -70,7 +70,7 @@ export const beforeUserCreatedFunction = beforeUserCreated(
)
export const beforeUserSignedInFunction = beforeUserSignedIn(
- { serviceAccount: serviceAccount },
+ { serviceAccount: privilegedServiceAccount },
async (event) => {
try {
const userService = getServiceFactory().user()
diff --git a/functions/src/functions/enrollUser.ts b/functions/src/functions/enrollUser.ts
index 70e81bae..a7602de0 100644
--- a/functions/src/functions/enrollUser.ts
+++ b/functions/src/functions/enrollUser.ts
@@ -8,7 +8,7 @@ import { enrollUserInputSchema } from '@stanfordbdhg/engagehf-models'
import { https, logger } from 'firebase-functions'
-import { validatedOnCall } from './helpers.js'
+import { privilegedServiceAccount, validatedOnCall } from './helpers.js'
import { getServiceFactory } from '../services/factory/getServiceFactory.js'
export const enrollUser = validatedOnCall(
@@ -39,4 +39,7 @@ export const enrollUser = validatedOnCall(
logger.debug(`setupUser: User '${userId}' enrollment triggers finished`)
},
+ {
+ serviceAccount: privilegedServiceAccount,
+ },
)
diff --git a/functions/src/functions/helpers.ts b/functions/src/functions/helpers.ts
index ec213eb1..ac8dbdbc 100644
--- a/functions/src/functions/helpers.ts
+++ b/functions/src/functions/helpers.ts
@@ -18,7 +18,8 @@ import {
} from 'firebase-functions/v2/https'
import { z } from 'zod'
-export const serviceAccount = `cloudfunctionsserviceaccount@${process.env.GCLOUD_PROJECT}.iam.gserviceaccount.com`
+export const privilegedServiceAccount = `cloudfunctionsserviceaccount@${process.env.GCLOUD_PROJECT}.iam.gserviceaccount.com`
+export const defaultServiceAccount = `limited-cloudfunctions-sa@${process.env.GCLOUD_PROJECT}.iam.gserviceaccount.com`
export function validatedOnCall(
name: string,
@@ -26,7 +27,7 @@ export function validatedOnCall(
handler: (request: CallableRequest>) => Promise,
options: CallableOptions = {
invoker: 'public',
- serviceAccount: serviceAccount,
+ serviceAccount: defaultServiceAccount,
},
): CallableFunction, Promise> {
return onCall(options, async (request) => {
@@ -62,7 +63,7 @@ export function validatedOnRequest(
) => void | Promise,
options: https.HttpsOptions = {
invoker: 'public',
- serviceAccount: serviceAccount,
+ serviceAccount: defaultServiceAccount,
},
): https.HttpsFunction {
return onRequest(options, async (request, response) => {
diff --git a/functions/src/functions/onSchedule.ts b/functions/src/functions/onSchedule.ts
index 37dac6cc..45424b2a 100644
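Review bot: Passing `{ serviceAccount: privilegedServiceAccount }` as the trailing argument in the `@@ -39,4 +39,7 @@` hunk replaces the whole default `options` object of `validatedOnCall`, so the `invoker: 'public'` that the default carries is no longer set for `enrollUser`. If the framework's own default for callables is already public this is harmless, but that is not visible here, and the previous invoker setting is preserved explicitly by writing `{ invoker: 'public', serviceAccount: privilegedServiceAccount }`. The `enrollUser` handler body starts outside the hunk.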
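Review bot: The two exported identities in helpers.ts (`@@ -18,7 +18,8 @@`) are built from `process.env.GCLOUD_PROJECT` with no guard, so if that variable is unset at module load the address silently becomes `...@undefined.iam.gserviceaccount.com` and the misconfiguration only surfaces later as an opaque deploy or IAM error. Since both constants are evaluated at import time, a fail-fast such as `const project = process.env.GCLOUD_PROJECT` followed by `if (!project) throw new Error('GCLOUD_PROJECT is not set')` makes the problem obvious. Each constant also deserves a TSDoc line: `privilegedServiceAccount` is the pre-existing identity every function used until now and should be reserved for handlers that need it (the identity-blocking and enrollment functions in this patch), while `defaultServiceAccount` is the new least-privilege choice for everything else; the IAM role bindings of `limited-cloudfunctions-sa` are not part of this patch and should be confirmed before rollout.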
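Review bot: Changing the default `options` in `validatedOnCall` (`@@ -26,7 +27,7 @@`), and likewise in `validatedOnRequest` in the next hunk and the three scheduled triggers in onSchedule.ts, moves every function that does not pass explicit options from the previously used identity onto `limited-cloudfunctions-sa` in one step, with no per-function opt-in. That is the right direction for least privilege, but any callable, request or scheduled handler that still needs a permission the limited account lacks will only fail at runtime with a permission error rather than at deploy time. A comment beside the default such as `// Functions needing elevated access must pass { serviceAccount: privilegedServiceAccount } explicitly` would make the contract visible, and a pre-rollout check that the limited account's bindings cover what the scheduled jobs (`everyMorning`, `every15Minutes`, `updateRecommendationsForAllPatients`) access seems warranted. The bodies of `validatedOnCall` and `validatedOnRequest` continue outside their hunks.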
--- a/functions/src/functions/onSchedule.ts
+++ b/functions/src/functions/onSchedule.ts
@@ -7,14 +7,14 @@ //
import { onSchedule } from 'firebase-functions/v2/scheduler'
-import { serviceAccount } from './helpers.js'
+import { defaultServiceAccount } from './helpers.js'
import { getServiceFactory } from '../services/factory/getServiceFactory.js'
export const onScheduleEveryMorning = onSchedule(
{
schedule: '0 8 * * *',
timeZone: 'America/Los_Angeles',
- serviceAccount: serviceAccount,
+ serviceAccount: defaultServiceAccount,
},
async () => getServiceFactory().trigger().everyMorning(),
)
@@ -23,7 +23,7 @@ export const onScheduleEvery15Minutes = onSchedule(
{
schedule: '*/15 * * * *',
timeZone: 'America/Los_Angeles',
- serviceAccount: serviceAccount,
+ serviceAccount: defaultServiceAccount,
},
async () => getServiceFactory().trigger().every15Minutes(),
)
@@ -32,7 +32,7 @@ export const onScheduleUpdateMedicationRecommendations = onSchedule(
{
schedule: '0 0 * * *',
timeZone: 'America/Los_Angeles',
- serviceAccount: serviceAccount,
+ serviceAccount: defaultServiceAccount,
},
async () =>
getServiceFactory().trigger().updateRecommendationsForAllPatients(),