Add revoke grant option to dataconnect:sql

src/commands/dataconnect-sql-grant.ts

@@ -17,12 +17,18 @@
   .option(
     "-E, --email <email>",
     "The email of the user or service account we would like to grant the role to.",
+  ).option(
+    "-D, --revoke",
+    "Revokes the granted permission",
+    false
   )
   .before(requirePermissions, ["firebasedataconnect.services.list"])
   .before(requireAuth)
   .action(async (serviceId: string, options: Options) => {
     const role = options.role as string;
     const email = options.email as string;
+    const revokeRole = options.revoke as boolean
+
     if (!role) {
       throw new FirebaseError(
         "-R, --role <role> is required. Run the command with -h for more info.",
@@ -42,6 +48,6 @@
     await ensureApis(projectId);
     const serviceInfo = await pickService(projectId, options.config, serviceId);
 
-    await grantRoleToUserInSchema(options, serviceInfo.schema);
+    await grantRoleToUserInSchema(options, serviceInfo.schema, revokeRole);
     return { projectId, serviceId };
   });

src/dataconnect/schemaMigration.ts

@@ -27,7 +27,7 @@
 import * as experiments from "../experiments";
 import * as errors from "./errors";
 
 export async function diffSchema(
   schema: Schema,
   schemaValidation?: SchemaValidation,
 ): Promise<Diff[]> {
@@ -56,8 +56,8 @@
     } else {
       logLabeledSuccess("dataconnect", `Database schema is compatible.`);
     }
   } catch (err: any) {
     if (err?.status !== 400) {
       throw err;
     }
     const invalidConnectors = errors.getInvalidConnectors(err);
@@ -85,8 +85,8 @@
       logLabeledBullet("dataconnect", `generating schema changes, including optional changes...`);
       await upsertSchema(schema, /** validateOnly=*/ true);
       logLabeledSuccess("dataconnect", `no additional optional changes`);
     } catch (err: any) {
       if (err?.status !== 400) {
         throw err;
       }
       const incompatible = errors.getIncompatibleSchemaError(err);
@@ -108,7 +108,7 @@
   return diffs;
 }
 
 export async function migrateSchema(args: {
   options: Options;
   schema: Schema;
   /** true for `dataconnect:sql:migrate`, false for `deploy` */
@@ -135,8 +135,8 @@
   try {
     await upsertSchema(schema, validateOnly);
     logger.debug(`Database schema was up to date for ${instanceId}:${databaseId}`);
   } catch (err: any) {
     if (err?.status !== 400) {
       throw err;
     }
     // Parse and handle failed precondition errors, then retry.
@@ -188,8 +188,8 @@
     setSchemaValidationMode(schema, validationMode);
     try {
       await upsertSchema(schema, validateOnly);
     } catch (err: any) {
       if (err.status !== 400) {
         throw err;
       }
       // Parse and handle failed precondition errors, then retry.
@@ -224,7 +224,7 @@
   return diffs;
 }
 
-export async function grantRoleToUserInSchema(options: Options, schema: Schema) {
+export async function grantRoleToUserInSchema(options: Options, schema: Schema, revokeRole: boolean) {
   const role = options.role as string;
   const email = options.email as string;
 
@@ -237,7 +237,7 @@
   const userIsCSQLAdmin = await iamUserIsCSQLAdmin(options);
   if (!userIsCSQLAdmin) {
     throw new FirebaseError(
-      `Only users with 'roles/cloudsql.admin' can grant SQL roles. If you do not have this role, ask your database administrator to run this command or manually grant ${fdcSqlRole} to ${user}`,
+      `Only users with 'roles/cloudsql.admin' can grant/revoke SQL roles. If you do not have this role, ask your database administrator to run this command or manually grant ${fdcSqlRole} to ${user}`,
     );
   }
 
@@ -247,12 +247,17 @@
   // Upsert user account into the database.
   await cloudSqlAdminClient.createUser(projectId, instanceId, mode, user);
 
+  let cmd = `GRANT "${fdcSqlRole}" TO "${user}"`
+  if (revokeRole) {
+    cmd = `REVOKE "${fdcSqlRole}" FROM "${user}"`
+  }
+
   // Grant the role to the user.
   await executeSqlCmdsAsSuperUser(
     options,
     instanceId,
     databaseId,
-    /** cmds= */ [`GRANT "${fdcSqlRole}" TO "${user}"`],
+    /** cmds= */ [cmd],
     /** silent= */ false,
   );
 }