feat(auth): Added support for creating tenant-scoped custom tokens (#228)

* feat(auth): Added support for creating tenant-scoped custom tokens

* fix: Cleaned up the test code

Author: hiranya911

FirebaseAdmin/FirebaseAdmin.Tests/Auth/CustomTokenTest.cs

@@ -0,0 +1,145 @@
+// Copyright 2020, Google Inc. All rights reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+using System;
+using System.Collections.Generic;
+using System.Threading;
+using System.Threading.Tasks;
+using FirebaseAdmin.Auth.Jwt.Tests;
+using Google.Apis.Auth.OAuth2;
+using Xunit;
+
+namespace FirebaseAdmin.Auth
+{
+    public class CustomTokenTest : IDisposable
+    {
+        public static readonly IEnumerable<object[]> TestConfigs = new List<object[]>()
+        {
+            new object[] { FirebaseAuthTestConfig.DefaultInstance },
+            new object[] { TenantAwareFirebaseAuthTestConfig.DefaultInstance },
+        };
+
+        [Theory]
+        [MemberData(nameof(TestConfigs))]
+        public async Task CreateCustomToken(TestConfig config)
+        {
+            var token = await config.CreateAuth().CreateCustomTokenAsync("user1");
+
+            config.AssertCustomToken(token, "user1");
+        }
+
+        [Theory]
+        [MemberData(nameof(TestConfigs))]
+        public async Task CreateCustomTokenWithClaims(TestConfig config)
+        {
+            var developerClaims = new Dictionary<string, object>()
+            {
+                { "admin", true },
+                { "package", "gold" },
+                { "magicNumber", 42L },
+            };
+
+            var token = await config.CreateAuth().CreateCustomTokenAsync("user2", developerClaims);
+
+            config.AssertCustomToken(token, "user2", developerClaims);
+        }
+
+        [Theory]
+        [MemberData(nameof(TestConfigs))]
+        public async Task CreateCustomTokenCancel(TestConfig config)
+        {
+            var canceller = new CancellationTokenSource();
+            canceller.Cancel();
+            var auth = config.CreateAuth();
+
+            await Assert.ThrowsAsync<OperationCanceledException>(
+                () => auth.CreateCustomTokenAsync("user1", canceller.Token));
+        }
+
+        [Theory]
+        [MemberData(nameof(TestConfigs))]
+        public async Task CreateCustomTokenInvalidCredential(TestConfig config)
+        {
+            var options = new AppOptions
+            {
+                Credential = GoogleCredential.FromAccessToken("test-token"),
+                ProjectId = "project1",
+            };
+            var auth = config.CreateAuth(options);
+
+            var ex = await Assert.ThrowsAsync<InvalidOperationException>(
+                () => auth.CreateCustomTokenAsync("user1"));
+
+            var errorMessage = "Failed to determine service account ID. Make sure to initialize the SDK "
+                + "with service account credentials or specify a service account "
+                + "ID with iam.serviceAccounts.signBlob permission. Please refer to "
+                + "https://firebase.google.com/docs/auth/admin/create-custom-tokens for "
+                + "more details on creating custom tokens.";
+            Assert.Equal(errorMessage, ex.Message);
+        }
+
+        public void Dispose()
+        {
+            FirebaseApp.DeleteAll();
+        }
+
+        public abstract class TestConfig
+        {
+            protected static readonly AppOptions DefaultOptions = new AppOptions
+            {
+                Credential = GoogleCredential.FromFile("./resources/service_account.json"),
+            };
+
+            internal abstract CustomTokenVerifier TokenVerifier { get; }
+
+            internal abstract AbstractFirebaseAuth CreateAuth(AppOptions options = null);
+
+            internal void AssertCustomToken(
+                string token, string uid, Dictionary<string, object> claims = null)
+            {
+                this.TokenVerifier.Verify(token, uid, claims);
+            }
+        }
+
+        private sealed class FirebaseAuthTestConfig : TestConfig
+        {
+            internal static readonly FirebaseAuthTestConfig DefaultInstance =
+                new FirebaseAuthTestConfig();
+
+            internal override CustomTokenVerifier TokenVerifier =>
+                CustomTokenVerifier.FromDefaultServiceAccount();
+
+            internal override AbstractFirebaseAuth CreateAuth(AppOptions options = null)
+            {
+                FirebaseApp.Create(options ?? DefaultOptions);
+                return FirebaseAuth.DefaultInstance;
+            }
+        }
+
+        private sealed class TenantAwareFirebaseAuthTestConfig : TestConfig
+        {
+            internal static readonly TenantAwareFirebaseAuthTestConfig DefaultInstance =
+                new TenantAwareFirebaseAuthTestConfig();
+
+            internal override CustomTokenVerifier TokenVerifier =>
+                CustomTokenVerifier.FromDefaultServiceAccount("tenant1");
+
+            internal override AbstractFirebaseAuth CreateAuth(AppOptions options = null)
+            {
+                FirebaseApp.Create(options ?? DefaultOptions);
+                return FirebaseAuth.DefaultInstance.TenantManager.AuthForTenant("tenant1");
+            }
+        }
+    }
+}

FirebaseAdmin/FirebaseAdmin.Tests/Auth/FirebaseAuthTest.cs

@@ -14,13 +14,8 @@
 
 using System;
 using System.Collections.Generic;
-using System.IO;
-using System.Security.Cryptography;
-using System.Security.Cryptography.X509Certificates;
 using System.Text;
-using System.Threading;
 using System.Threading.Tasks;
-using FirebaseAdmin.Auth.Jwt;
 using Google.Apis.Auth.OAuth2;
 using Xunit;
 
@@ -62,10 +57,11 @@ public void GetAuth()
         public async Task UseAfterDelete()
         {
             var app = FirebaseApp.Create(new AppOptions() { Credential = MockCredential });
-            FirebaseAuth auth = FirebaseAuth.DefaultInstance;
+            var auth = FirebaseAuth.DefaultInstance;
+
             app.Delete();
-            await Assert.ThrowsAsync<InvalidOperationException>(
-                async () => await auth.CreateCustomTokenAsync("user"));
+
+            Assert.Throws<InvalidOperationException>(() => auth.TokenFactory);
             await Assert.ThrowsAsync<InvalidOperationException>(
                 async () => await auth.VerifyIdTokenAsync("user"));
             await Assert.ThrowsAsync<InvalidOperationException>(
@@ -76,55 +72,13 @@ await Assert.ThrowsAsync<InvalidOperationException>(
         }
 
         [Fact]
-        public async Task CreateCustomToken()
-        {
-            var cred = GoogleCredential.FromFile("./resources/service_account.json");
-            FirebaseApp.Create(new AppOptions() { Credential = cred });
-            var token = await FirebaseAuth.DefaultInstance.CreateCustomTokenAsync("user1");
-            VerifyCustomToken(token, "user1", null);
-        }
-
-        [Fact]
-        public async Task CreateCustomTokenWithClaims()
-        {
-            var cred = GoogleCredential.FromFile("./resources/service_account.json");
-            FirebaseApp.Create(new AppOptions() { Credential = cred });
-            var developerClaims = new Dictionary<string, object>()
-            {
-                { "admin", true },
-                { "package", "gold" },
-                { "magicNumber", 42L },
-            };
-            var token = await FirebaseAuth.DefaultInstance.CreateCustomTokenAsync(
-                "user2", developerClaims);
-            VerifyCustomToken(token, "user2", developerClaims);
-        }
-
-        [Fact]
-        public async Task CreateCustomTokenCancel()
+        public void NoTenantId()
         {
-            var cred = GoogleCredential.FromFile("./resources/service_account.json");
-            FirebaseApp.Create(new AppOptions() { Credential = cred });
-            var canceller = new CancellationTokenSource();
-            canceller.Cancel();
-            await Assert.ThrowsAsync<OperationCanceledException>(
-                async () => await FirebaseAuth.DefaultInstance.CreateCustomTokenAsync(
-                    "user1", canceller.Token));
-        }
+            var app = FirebaseApp.Create(new AppOptions() { Credential = MockCredential });
 
-        [Fact]
-        public async Task CreateCustomTokenInvalidCredential()
-        {
-            FirebaseApp.Create(new AppOptions() { Credential = MockCredential });
-            var ex = await Assert.ThrowsAsync<InvalidOperationException>(
-                async () => await FirebaseAuth.DefaultInstance.CreateCustomTokenAsync("user1"));
+            FirebaseAuth auth = FirebaseAuth.DefaultInstance;
 
-            var errorMessage = "Failed to determine service account ID. Make sure to initialize the SDK "
-                + "with service account credentials or specify a service account "
-                + "ID with iam.serviceAccounts.signBlob permission. Please refer to "
-                + "https://firebase.google.com/docs/auth/admin/create-custom-tokens for "
-                + "more details on creating custom tokens.";
-            Assert.Equal(errorMessage, ex.Message);
+            Assert.Null(auth.TokenFactory.TenantId);
         }
 
         [Fact]
@@ -162,37 +116,5 @@ public void Dispose()
         {
             FirebaseApp.DeleteAll();
         }
-
-        private static void VerifyCustomToken(string token, string uid, Dictionary<string, object> claims)
-        {
-            string[] segments = token.Split(".");
-            Assert.Equal(3, segments.Length);
-
-            var payload = JwtUtils.Decode<FirebaseTokenFactory.CustomTokenPayload>(segments[1]);
-            Assert.Equal("[email protected]", payload.Issuer);
-            Assert.Equal("[email protected]", payload.Subject);
-            Assert.Equal(uid, payload.Uid);
-            if (claims == null)
-            {
-                Assert.Null(payload.Claims);
-            }
-            else
-            {
-                Assert.Equal(claims.Count, payload.Claims.Count);
-                foreach (var entry in claims)
-                {
-                    object value;
-                    Assert.True(payload.Claims.TryGetValue(entry.Key, out value));
-                    Assert.Equal(entry.Value, value);
-                }
-            }
-
-            var x509cert = new X509Certificate2(File.ReadAllBytes("./resources/public_cert.pem"));
-            var rsa = (RSA)x509cert.PublicKey.Key;
-            var tokenData = Encoding.UTF8.GetBytes(segments[0] + "." + segments[1]);
-            var signature = JwtUtils.Base64DecodeToBytes(segments[2]);
-            var verified = rsa.VerifyData(tokenData, signature, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
-            Assert.True(verified);
-        }
     }
 }

FirebaseAdmin/FirebaseAdmin.Tests/Auth/Jwt/CustomTokenVerifier.cs

@@ -0,0 +1,107 @@
+// Copyright 2020, Google Inc. All rights reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+using System.Collections.Generic;
+using System.IO;
+using System.Security.Cryptography;
+using System.Security.Cryptography.X509Certificates;
+using System.Text;
+using Xunit;
+
+namespace FirebaseAdmin.Auth.Jwt.Tests
+{
+    internal abstract class CustomTokenVerifier
+    {
+        private const string ClientEmail = "[email protected]";
+
+        private static readonly byte[] PublicKey =
+            File.ReadAllBytes("./resources/public_cert.pem");
+
+        private readonly string issuer;
+        private readonly string tenantId;
+
+        internal CustomTokenVerifier(string issuer, string tenantId = null)
+        {
+            this.issuer = issuer;
+            this.tenantId = tenantId;
+        }
+
+        internal static CustomTokenVerifier FromDefaultServiceAccount(string tenantId = null)
+        {
+            return new RSACustomTokenVerifier(ClientEmail, PublicKey, tenantId);
+        }
+
+        internal void Verify(string token, string uid, IDictionary<string, object> claims = null)
+        {
+            string[] segments = token.Split(".");
+            Assert.Equal(3, segments.Length);
+
+            var payload = JwtUtils.Decode<FirebaseTokenFactory.CustomTokenPayload>(segments[1]);
+            Assert.Equal(this.issuer, payload.Issuer);
+            Assert.Equal(this.issuer, payload.Subject);
+            Assert.Equal(uid, payload.Uid);
+            if (claims == null)
+            {
+                Assert.Null(payload.Claims);
+            }
+            else
+            {
+                Assert.Equal(claims.Count, payload.Claims.Count);
+                foreach (var entry in claims)
+                {
+                    object value;
+                    Assert.True(payload.Claims.TryGetValue(entry.Key, out value));
+                    Assert.Equal(entry.Value, value);
+                }
+            }
+
+            if (this.tenantId == null)
+            {
+                Assert.Null(payload.TenantId);
+            }
+            else
+            {
+                Assert.Equal(this.tenantId, payload.TenantId);
+            }
+
+            this.AssertSignature($"{segments[0]}.{segments[1]}", segments[2]);
+        }
+
+        protected abstract void AssertSignature(string tokenData, string signature);
+
+        private sealed class RSACustomTokenVerifier : CustomTokenVerifier
+        {
+            private readonly RSA rsa;
+
+            internal RSACustomTokenVerifier(string issuer, byte[] publicKey, string tenantId)
+            : base(issuer, tenantId)
+            {
+                var x509cert = new X509Certificate2(publicKey);
+                this.rsa = (RSA)x509cert.PublicKey.Key;
+            }
+
+            protected override void AssertSignature(string tokenData, string signature)
+            {
+                var tokenDataBytes = Encoding.UTF8.GetBytes(tokenData);
+                var signatureBytes = JwtUtils.Base64DecodeToBytes(signature);
+                var verified = this.rsa.VerifyData(
+                    tokenDataBytes,
+                    signatureBytes,
+                    HashAlgorithmName.SHA256,
+                    RSASignaturePadding.Pkcs1);
+                Assert.True(verified);
+            }
+        }
+    }
+}