configure firebase CLI (firebase-tools)

Author: kswenson

Diff for: .firebaserc

@@ -0,0 +1,5 @@
+{
+  "projects": {
+    "default": "collaborative-learning-ec215"
+  }
+}

Diff for: README.md

@@ -48,13 +48,31 @@ To deploy a production release:
 1. Push production to GitHub
 1. Use https://github.com/concord-consortium/collaborative-learning/releases to create a new release tag
 
-### Debugging
+## Deploying database rules:
+
+### Requirements:
+
+ * You should install the firebase CLI via: `npm install -g firebase-tools`
+ * You shouuld be logged in to firebase: `firebase login`
+
+You deploy firebase functions and rules directly from the working directory using
+the `firebase deploy` command. You can see `firebase deploy help` for more info.
+
+See which project you have access to and which you are currently using via: `firebase projects:list`
+
+### To deploy database rules:
+```
+$ npm run deploy:firestore:rules    # deploys firestore rules
+$ npm run deploy:firebase:rules     # deploys firebase (real-time-database) rules
+```
+
+## Debugging
 
 To enable per component debugging set the "debug" localstorage key with one or more of the following:
 
 - `canvas` this will show the document key over the canvas, useful for looking up documents in Firebase
 
-### Testing
+## Testing
 
 Run `npm test` to run all Jest tests.
 
@@ -66,19 +84,19 @@ Along with `dev`, `test`, `authed` and `demo` modes the app has a `qa` mode.  QA
 2. qaClear - either "all", "class" or "offering".  When this parameter is present the QA database is cleared at the level requested based on the user parameters.
    This is useful to clear data between automated QA runs.  When complete the app will display `<span className="qa-clear">QA Cleared: OK</span>`.
 
-###To run Cypress integration tests:
+### To run Cypress integration tests:
 - `npm run test:local`
 - `npm run test:dev`
 - `npm run test:branch` (requires change in environments.json to add the branch name)
 - `npm run test:master`
 - `npm run test:production`
 
-## Additional notes about configuration
+### Additional notes about configuration
 
 You can also temporarily overwrite any configuration option using env variables with `CYPRESS_` prefix. E.g.:
 - `CYPRESS_baseUrl=https://collaborative-learning.concord.org/branch/fix-data-attributes npm run test:dev`
 
-## Writing tests, workflow and patterns
+### Writing tests, workflow and patterns
 
 1. Tests should not depend on other tests.
 2. Take a look at `cypress/support/commands.js`. This file implements LARA-specific helpers that will make test

Diff for: database.rules.json

@@ -0,0 +1,76 @@
+{
+  "rules": {
+    "test": {
+      ".read": "auth !== null",
+      ".write": "auth !== null"
+    },
+    "dev": {
+      ".read": "auth !== null",
+      ".write": "auth !== null"
+    },
+    "demo": {
+      ".read": "auth !== null",
+      ".write": "auth !== null"
+    },
+    "qa": {
+      ".read": "auth !== null",
+      ".write": "auth !== null"
+    },
+    "authed": {
+      "portals": {
+        "learn_concord_org": {
+          "classes": {
+            "$class_hash": {
+              ".read": "auth != null && auth.class_hash == $class_hash",
+              ".write": "auth != null && auth.class_hash == $class_hash",
+              "users": {
+                "$user_id": {
+                  "latestGroupId": {
+                    ".read": "auth !== null",
+                    ".write": "auth !== null"
+                  }
+                }
+              }
+            }
+          }
+        },
+        "learn_staging_concord_org": {
+          "classes": {
+            "$class_hash": {
+              ".read": "auth != null && auth.class_hash == $class_hash",
+              ".write": "auth != null && auth.class_hash == $class_hash",
+              "users": {
+                "$user_id": {
+                  "latestGroupId": {
+                    ".read": "auth !== null",
+                    ".write": "auth !== null"
+                  }
+                }
+              }
+            }
+          }
+        }
+      }
+    },
+    "authed-copy": {
+      "portals": {
+        "learn_concord_org": {
+          "classes": {
+            "$class_hash": {
+              ".read": "auth != null && auth.class_hash == $class_hash",
+              ".write": "auth != null && auth.class_hash == $class_hash"
+            }
+          }
+        },
+        "learn_staging_concord_org": {
+          "classes": {
+            "$class_hash": {
+              ".read": "auth != null && auth.class_hash == $class_hash",
+              ".write": "auth != null && auth.class_hash == $class_hash"
+            }
+          }
+        }
+      }
+    }
+  }
+}

Diff for: firebase.json

@@ -0,0 +1,20 @@
+{
+  "database": {
+    "rules": "database.rules.json"
+  },
+  "firestore": {
+    "rules": "firestore.rules",
+    "indexes": "firestore.indexes.json"
+  },
+  "emulators": {
+    "firestore": {
+      "port": 8088
+    },
+    "database": {
+      "port": 9000
+    },
+    "ui": {
+      "enabled": true
+    }
+  }
+}

Diff for: firestore.indexes.json

@@ -0,0 +1,19 @@
+{
+  "indexes": [
+    {
+      "collectionGroup": "docs",
+      "queryScope": "COLLECTION_GROUP",
+      "fields": [
+        {
+          "fieldPath": "classes",
+          "arrayConfig": "CONTAINS"
+        },
+        {
+          "fieldPath": "problem",
+          "order": "ASCENDING"
+        }
+      ]
+    }
+  ],
+  "fieldOverrides": []
+}

Diff for: firestore.rules

@@ -0,0 +1,91 @@
+// NOTE: to deploy only these rules run
+// `npm run deploy:firestore:rules`
+
+rules_version = '2';
+service cloud.firestore {
+  match /databases/{database}/documents {
+
+    function isAuthed() {
+      return request.auth != null;
+    }
+
+    // function hasClass() {
+    //   return isAuthed() && request.auth.token.class_hash != null;
+    // }
+
+    // function hasClassHash(classHash) {
+    //   return request.auth.token.class_hash == classHash;
+    // }
+
+    function hasRole(role) {
+      return isAuthed() && request.auth.token.user_type == role;
+    }
+
+    function hasUserId() {
+      return isAuthed() && request.auth.token.platform_user_id != null;
+    }
+
+    // function matchUserId(userId) {
+    //   return hasUserId() && string(request.auth.token.platform_user_id) == userId;
+    // }
+
+    function matchFirebaseUserId(userId) {
+      return isAuthed() && request.auth.uid == userId;
+    }
+
+    function isAuthedTeacher() {
+      return hasUserId() && hasRole("teacher");
+    }
+
+    function docMatchUserId() {
+      return isAuthed() &&
+        string(request.auth.token.platform_user_id) == resource.data.uid;
+    }
+
+    function classInClasses() {
+      return isAuthed() && request.auth.token.class_hash in resource.data.classes;
+    }
+
+    //
+    // portal-authenticated secure access rules
+    //
+    match /authed/{portal} {
+      allow read, write: if isAuthedTeacher();
+
+        match /mcsupports/{docId} {
+          // any portal-authenticated teacher can create supports
+          allow create: if isAuthedTeacher();
+          // teachers can only update/delete their own supports
+          allow update, delete: if docMatchUserId();
+          // teachers and students in appropriate classes can read supports
+          allow read: if docMatchUserId() || classInClasses();
+        }
+    }
+
+    //
+    // non-portal-authenticated/dev/demo/qa/test rules
+    //
+    match /demo/{demoName}/{restOfPath=**} {
+      allow read, write: if isAuthed();
+    }
+
+    match /dev/{userId}/{restOfPath=**} {
+      allow read: if isAuthed();
+      // users can only write to their own folders
+      allow write: if matchFirebaseUserId(userId);
+    }
+
+    match /qa/{userId}/{restOfPath=**} {
+      allow read: if isAuthed();
+      // users can only write to their own folders
+      allow write: if matchFirebaseUserId(userId);
+    }
+
+    match /test/{userId}/{restOfPath=**} {
+      allow read: if isAuthed();
+      // users can only write to their own folders
+      allow write: if matchFirebaseUserId(userId);
+    }
+
+  }
+}

Diff for: package.json

@@ -42,6 +42,8 @@
     "build:debug": "npm-run-all lint clean build:webpack",
     "build:webpack": "cross-env NODE_OPTIONS=--max_old_space_size=4096 webpack --mode production",
     "clean": "rimraf dist",
+    "deploy:database:rules": "firebase deploy --only database",
+    "deploy:firestore:rules": "firebase deploy --only firestore:rules",
     "lint": "eslint \"./src/**/*.{js,json,jsx,ts,tsx}\"",
     "lint:build": "eslint -c \".eslintrc.build.js\" \"./src/**/*.{js,json,jsx,ts,tsx}\"",
     "lint:fix": "eslint --fix \"./src/**/*.{js,json,jsx,ts,tsx}\"",