firebase-tools: EvaluationException when using cross-service security rule with Emulator

[REQUIRED] Environment info

firebase-tools: 11.16.1

Platform: Windows

[REQUIRED] Test case

Use cross-service security rule (i.e. firestore.get()) in storage.rules:

    rules_version = '2';
    service firebase.storage {
      match /b/{bucket}/o {
        match /courses/{courseId}/files/{fileName} {
          allow get: if firestore.get(/databases/(default)/documents/courses/$(courseId)).data.users[request.auth.uid].exists;
        }
      }
    }

Add the following document to Emulator’s Firestore at courses/course1:

    {
      users: {
        user1: { exists: true }
      }
    }

[REQUIRED] Steps to reproduce

Download file from storage using the JavaScript client SDK:

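    import { getStorage, ref, getDownloadURL } from 'firebase/storage';

    // Resolving the download URL triggers the Storage rule's `allow get` check.
    const storage = getStorage();
    const fileRef = ref(storage, 'courses/4VnY71FQeT6XDAGNDjSSX/files/foo.txt');
    const url = await getDownloadURL(fileRef);
    const response = await fetch(url);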

[REQUIRED] Expected behavior

Based on this announcement: https://firebase.blog/posts/2022/09/announcing-cross-service-security-rules, I expected cross-service security rules to be supported automatically for firebase-tools@11.10.0 and above.

[REQUIRED] Actual behavior

firestore.get() inside the storage rules results in this exception, so the security rule never allows the request:

  com.google.firebase.rules.runtime.common.EvaluationException: Error: C:\Users\...\storage.rules line [5], column [31]. Service call error. Function: [firestore.get], Argument: [path_value {
  segments {
    simple: "databases"
  }
  segments {
    simple: "(default)"
  }
  segments {
    simple: "documents"
  }
  segments {
    simple: "courses"
  }
  segments {
    simple: "4VnY71FQeT6XDAGNDjSSX"
  }
}
].

About this issue

  • State: closed
  • Created 2 years ago
  • Reactions: 6
  • Comments: 16 (3 by maintainers)

Most upvoted comments

I was able to reproduce the bug. The exception occurs if the Firestore document contains a field with a value of null. If there are no fields with a value of null, everything works as expected.

@sam-gc I created this repo for you to reproduce: https://github.com/examind-ai/firebase-tools-cross-service-rules

Follow the instructions in README and you’ll experience the EvaluationException. It’s due to having this deletedAt: null value in the Firestore document: https://github.com/examind-ai/firebase-tools-cross-service-rules/blob/2af68b07df15b796d78174314f813d4102e75420/hosting/src/App.tsx#L28

Remove that one line of code and run the application again and the exception will not occur.

Here’s a video demo using the sample repository linked above:

https://user-images.githubusercontent.com/504505/206770238-b513abca-2d0f-40f4-b98b-4775a263a166.mp4

Don’t ask me how long it took me to figure this out 😖
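An added example, not part of the original thread or of firebase-tools: a pre-seed check that lists null-valued fields in documents a Storage rule reads through firestore.get(), since the comments above tie the EvaluationException to such fields. The function names and sample documents are constructed for illustration, and searching nested maps and arrays goes beyond the top-level deletedAt: null case reported here.

```javascript
// Added example: report null-valued fields in seed documents before they are
// written to the Firestore emulator. All names and data here are hypothetical.

// Constructed sample seed data; course2 mirrors the deletedAt: null case.
const seedDocs = {
  'courses/course1': { users: { user1: { exists: true } } },
  'courses/course2': { users: { user1: { exists: true } }, deletedAt: null },
  'courses/course3': { tags: ['a', null], meta: { archivedBy: null } },
};

// True for plain maps; class instances such as Date are treated as leaf values.
function isPlainObject(value) {
  if (value === null || typeof value !== 'object') return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

// Returns the paths of fields whose value is null, e.g. ['deletedAt'].
// Assumption: nested maps and arrays are searched too, although the thread
// only reports a top-level null field.
function findNullFields(data, prefix = '') {
  const entries = Array.isArray(data)
    ? data.map((value, i) => [`${prefix}[${i}]`, value])
    : Object.entries(data).map(([key, value]) => [prefix ? `${prefix}.${key}` : key, value]);
  const hits = [];
  for (const [path, value] of entries) {
    if (value === null) {
      hits.push(path);
    } else if (Array.isArray(value) || isPlainObject(value)) {
      hits.push(...findNullFields(value, path));
    }
  }
  return hits;
}

// Maps each document path to its null-valued fields; clean documents are omitted.
function auditSeed(docs) {
  const report = {};
  for (const [docPath, data] of Object.entries(docs)) {
    const nulls = findNullFields(data);
    if (nulls.length > 0) report[docPath] = nulls;
  }
  return report;
}

console.log(auditSeed(seedDocs));
```
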

The issue should be fixed by the linked PR. Keep an eye out for the changelog note in a future release!

@johnnyoshika thank you so much for digging deep to try to find out the missing piece. I will take a look as soon as I can, but hopefully with this repro it will be a straightforward fix!