feat(auth): Add tenant operations, tenant-aware user operations, and provider config operations

CONTRIBUTING.md

@@ -141,8 +141,17 @@ Authentication Admin` role at
 [Google Cloud Platform Console / IAM & admin](https://console.cloud.google.com/iam-admin). This is
 required to ensure that exported user records contain the password hashes of the user accounts.
 Also obtain the web API key of the project from the "Settings > General" page, and save it as
-`integration_apikey.txt` at the root of the codebase. Now run the following command to invoke the
-integration test suite:
+`integration_apikey.txt` at the root of the codebase.
+
+Some of the integration tests require an
+[Identity Platform](https://cloud.google.com/identity-platform/) project with multi-tenancy
+[enabled](https://cloud.google.com/identity-platform/docs/multi-tenancy-quickstart#enabling_multi-tenancy).
+An existing Firebase project can be upgraded to an Identity Platform project without losing any
+functionality via the
+[Identity Platform Marketplace Page](https://console.cloud.google.com/customer-identity). Note that
+charges may be incurred for active users beyond the Identity Platform free tier.
+
+Now run the following command to invoke the integration test suite:
 
 ```
 mvn verify
@@ -153,14 +162,14 @@ tests, specify the `-DskipUTs` flag.
 
 ### Generating API Docs
 
-Invoke the [Maven Javadoc plugin](https://maven.apache.org/plugins/maven-javadoc-plugin/) as 
+Invoke the [Maven Javadoc plugin](https://maven.apache.org/plugins/maven-javadoc-plugin/) as
 follows to generate API docs for all packages in the codebase:
 
 ```
 mvn javadoc:javadoc
 ```
 
-This will generate the API docs, and place them in the `target/site/apidocs` directory. 
+This will generate the API docs, and place them in the `target/site/apidocs` directory.
 
 To generate API docs for only the public APIs (i.e. ones that are not marked with `@hide` tags),
 you need to trigger the `devsite-apidocs` Maven profile. This profile uses Maven Javadoc plugin

checkstyle.xml

@@ -42,15 +42,15 @@
     <module name="FileTabCharacter">
         <property name="eachLine" value="true"/>
     </module>
-    
+
     <module name="SuppressionCommentFilter">
       <property name="offCommentFormat" value="CSOFF\: ([\w\|]+)"/>
       <property name="onCommentFormat" value="CSON\: ([\w\|]+)"/>
       <property name="checkFormat" value="$1"/>
     </module>
 
-    <module name="TreeWalker">   
-        <module name="FileContentsHolder"/>     
+    <module name="TreeWalker">
+        <module name="FileContentsHolder"/>
         <module name="OuterTypeFilename"/>
         <module name="IllegalTokenText">
             <property name="tokens" value="STRING_LITERAL, CHAR_LITERAL"/>
@@ -229,6 +229,9 @@
             <property name="allowedAnnotations" value="Override, Test"/>
             <property name="allowThrowsTagsForSubclasses" value="true"/>
             <property name="allowMissingJavadoc" value="true"/>
+            <!-- Setting this property helps avoid some strange errors. For more information, see -->
+            <!-- https://stackoverflow.com/questions/27938039/unable-to-get-class-information-for-checkstyle. -->
+            <property name="suppressLoadErrors" value="true"/>
         </module>
         <module name="MethodName">
             <property name="format" value="^[a-z][a-z0-9][a-zA-Z0-9_]*$"/>

src/main/java/com/google/firebase/auth/FirebaseToken.java

@@ -42,6 +42,15 @@ public String getUid() {
     return (String) claims.get("sub");
   }
 
+  /** Returns the tenant ID for the this token. */
+  public String getTenantId() {
+    Map<String, Object> firebase = (Map<String, Object>) claims.get("firebase");
+    if (firebase == null) {
+      return null;
+    }
+    return (String) firebase.get("tenant");
+  }
+
   /** Returns the Issuer for the this token. */
   public String getIssuer() {
     return (String) claims.get("iss");
@@ -57,14 +66,14 @@ public String getPicture() {
     return (String) claims.get("picture");
   }
 
-  /** 
+  /**
    * Returns the e-mail address for this user, or {@code null} if it's unavailable.
    */
   public String getEmail() {
     return (String) claims.get("email");
   }
 
-  /** 
+  /**
    * Indicates if the email address returned by {@link #getEmail()} has been verified as good.
    */
   public boolean isEmailVerified() {

src/main/java/com/google/firebase/auth/FirebaseTokenUtils.java

@@ -30,6 +30,7 @@
 import com.google.firebase.ImplFirebaseTrampolines;
 import com.google.firebase.auth.internal.CryptoSigners;
 import com.google.firebase.auth.internal.FirebaseTokenFactory;
+import com.google.firebase.internal.Nullable;
 
 import java.io.IOException;
 
@@ -52,11 +53,17 @@ final class FirebaseTokenUtils {
   private FirebaseTokenUtils() { }
 
   static FirebaseTokenFactory createTokenFactory(FirebaseApp firebaseApp, Clock clock) {
+    return createTokenFactory(firebaseApp, clock, null);
+  }
+
+  static FirebaseTokenFactory createTokenFactory(
+      FirebaseApp firebaseApp, Clock clock, @Nullable String tenantId) {
     try {
       return new FirebaseTokenFactory(
           firebaseApp.getOptions().getJsonFactory(),
           clock,
-          CryptoSigners.getCryptoSigner(firebaseApp));
+          CryptoSigners.getCryptoSigner(firebaseApp),
+          tenantId);
     } catch (IOException e) {
       throw new IllegalStateException(
           "Failed to initialize FirebaseTokenFactory. Make sure to initialize the SDK "
@@ -68,6 +75,11 @@ static FirebaseTokenFactory createTokenFactory(FirebaseApp firebaseApp, Clock cl
   }
 
   static FirebaseTokenVerifierImpl createIdTokenVerifier(FirebaseApp app, Clock clock) {
+    return createIdTokenVerifier(app, clock, null);
+  }
+
+  static FirebaseTokenVerifierImpl createIdTokenVerifier(
+      FirebaseApp app, Clock clock, @Nullable String tenantId) {
     String projectId = ImplFirebaseTrampolines.getProjectId(app);
     checkState(!Strings.isNullOrEmpty(projectId),
         "Must initialize FirebaseApp with a project ID to call verifyIdToken()");
@@ -82,6 +94,7 @@ static FirebaseTokenVerifierImpl createIdTokenVerifier(FirebaseApp app, Clock cl
         .setJsonFactory(app.getOptions().getJsonFactory())
         .setPublicKeysManager(publicKeysManager)
         .setIdTokenVerifier(idTokenVerifier)
+        .setTenantId(tenantId)
         .build();
   }
 

src/main/java/com/google/firebase/auth/FirebaseTokenVerifierImpl.java

@@ -28,6 +28,7 @@
 import com.google.api.client.util.ArrayMap;
 import com.google.common.base.Joiner;
 import com.google.common.base.Strings;
+import com.google.firebase.internal.Nullable;
 import java.io.IOException;
 import java.math.BigDecimal;
 import java.security.GeneralSecurityException;
@@ -45,6 +46,7 @@ final class FirebaseTokenVerifierImpl implements FirebaseTokenVerifier {
       "https://identitytoolkit.googleapis.com/google.identity.identitytoolkit.v1.IdentityToolkit";
   private static final String ERROR_INVALID_CREDENTIAL = "ERROR_INVALID_CREDENTIAL";
   private static final String ERROR_RUNTIME_EXCEPTION = "ERROR_RUNTIME_EXCEPTION";
+  static final String TENANT_ID_MISMATCH_ERROR = "tenant-id-mismatch";
 
   private final JsonFactory jsonFactory;
   private final GooglePublicKeysManager publicKeysManager;
@@ -53,6 +55,7 @@ final class FirebaseTokenVerifierImpl implements FirebaseTokenVerifier {
   private final String shortName;
   private final String articledShortName;
   private final String docUrl;
+  private final String tenantId;
 
   private FirebaseTokenVerifierImpl(Builder builder) {
     this.jsonFactory = checkNotNull(builder.jsonFactory);
@@ -65,6 +68,7 @@ private FirebaseTokenVerifierImpl(Builder builder) {
     this.shortName = builder.shortName;
     this.articledShortName = prefixWithIndefiniteArticle(this.shortName);
     this.docUrl = builder.docUrl;
+    this.tenantId = Strings.nullToEmpty(builder.tenantId);
   }
 
   /**
@@ -90,7 +94,9 @@ public FirebaseToken verifyToken(String token) throws FirebaseAuthException {
     IdToken idToken = parse(token);
     checkContents(idToken);
     checkSignature(idToken);
-    return new FirebaseToken(idToken.getPayload());
+    FirebaseToken firebaseToken = new FirebaseToken(idToken.getPayload());
+    checkTenantId(firebaseToken);
+    return firebaseToken;
   }
 
   GooglePublicKeysManager getPublicKeysManager() {
@@ -278,6 +284,18 @@ private boolean containsLegacyUidField(IdToken.Payload payload) {
     return false;
   }
 
+  private void checkTenantId(final FirebaseToken firebaseToken) throws FirebaseAuthException {
+    String tokenTenantId = Strings.nullToEmpty(firebaseToken.getTenantId());
+    if (!this.tenantId.equals(tokenTenantId)) {
+      throw new FirebaseAuthException(
+          TENANT_ID_MISMATCH_ERROR,
+          String.format(
+            "The tenant ID ('%s') of the token did not match the expected value ('%s')",
+            tokenTenantId,
+            tenantId));
+    }
+  }
+
   static Builder builder() {
     return new Builder();
   }
@@ -290,6 +308,7 @@ static final class Builder {
     private String shortName;
     private IdTokenVerifier idTokenVerifier;
     private String docUrl;
+    private String tenantId;
 
     private Builder() { }
 
@@ -323,6 +342,11 @@ Builder setDocUrl(String docUrl) {
       return this;
     }
 
+    Builder setTenantId(@Nullable String tenantId) {
+      this.tenantId = tenantId;
+      return this;
+    }
+
     FirebaseTokenVerifierImpl build() {
       return new FirebaseTokenVerifierImpl(this);
     }