Tenant-scoped user management operations (#431)

* Adding tenant_mgt.auth_for_tenant() API

* Added more tenant-aware user mgt tests

* Full test coverage for tenant-aware user mgt APIs

* Updated docstring to fix lint error

* Removed unused var; Fixing lint error

Author: hiranya911

firebase_admin/auth.py

@@ -523,12 +523,13 @@ def generate_sign_in_with_email_link(email, action_code_settings, app=None):
         email, action_code_settings=action_code_settings)
 
 
+# TODO: Rename to public type Client
 class _AuthService:
     """Firebase Authentication service."""
 
     ID_TOOLKIT_URL = 'https://identitytoolkit.googleapis.com/v1/projects/'
 
-    def __init__(self, app):
+    def __init__(self, app, tenant_id=None):
         credential = app.credential.get_credential()
         version_header = 'Python/Admin/{0}'.format(firebase_admin.__version__)
 
@@ -538,12 +539,21 @@ def __init__(self, app):
             2. set the project ID explicitly via Firebase App options, or
             3. set the project ID via the GOOGLE_CLOUD_PROJECT environment variable.""")
 
-        client = _http_client.JsonHttpClient(
-            credential=credential, base_url=self.ID_TOOLKIT_URL + app.project_id,
+        url_path = app.project_id
+        if tenant_id:
+            url_path += '/tenants/{0}'.format(tenant_id)
+
+        http_client = _http_client.JsonHttpClient(
+            credential=credential, base_url=self.ID_TOOLKIT_URL + url_path,
             headers={'X-Client-Version': version_header})
-        self._token_generator = _token_gen.TokenGenerator(app, client)
+        self._tenant_id = tenant_id
+        self._token_generator = _token_gen.TokenGenerator(app, http_client)
         self._token_verifier = _token_gen.TokenVerifier(app)
-        self._user_manager = _user_mgt.UserManager(client)
+        self._user_manager = _user_mgt.UserManager(http_client)
+
+    @property
+    def tenant_id(self):
+        return self._tenant_id
 
     def create_custom_token(self, uid, developer_claims=None):
         return self._token_generator.create_custom_token(uid, developer_claims)

firebase_admin/tenant_mgt.py

@@ -18,9 +18,12 @@
 Google Cloud Identity Platform (GCIP) instance.
 """
 
+import threading
+
 import requests
 
 import firebase_admin
+from firebase_admin import auth
 from firebase_admin import _auth_utils
 from firebase_admin import _http_client
 from firebase_admin import _utils
@@ -35,6 +38,7 @@
     'Tenant',
     'TenantNotFoundError',
 
+    'auth_for_tenant',
     'create_tenant',
     'delete_tenant',
     'get_tenant',
@@ -45,6 +49,23 @@
 TenantNotFoundError = _auth_utils.TenantNotFoundError
 
 
+def auth_for_tenant(tenant_id, app=None):
+    """Gets an Auth Client instance scoped to the given tenant ID.
+
+    Args:
+        tenant_id: A tenant ID string.
+        app: An App instance (optional).
+
+    Returns:
+        _AuthService: An _AuthService object.
+
+    Raises:
+        ValueError: If the tenant ID is None, empty or not a string.
+    """
+    tenant_mgt_service = _get_tenant_mgt_service(app)
+    return tenant_mgt_service.auth_for_tenant(tenant_id)
+
+
 def get_tenant(tenant_id, app=None):
     """Gets the tenant corresponding to the given ``tenant_id``.
 
@@ -211,8 +232,25 @@ def __init__(self, app):
         credential = app.credential.get_credential()
         version_header = 'Python/Admin/{0}'.format(firebase_admin.__version__)
         base_url = '{0}/projects/{1}'.format(self.TENANT_MGT_URL, app.project_id)
+        self.app = app
         self.client = _http_client.JsonHttpClient(
             credential=credential, base_url=base_url, headers={'X-Client-Version': version_header})
+        self.tenant_clients = {}
+        self.lock = threading.RLock()
+
+    def auth_for_tenant(self, tenant_id):
+        """Gets an Auth Client instance scoped to the given tenant ID."""
+        if not isinstance(tenant_id, str) or not tenant_id:
+            raise ValueError(
+                'Invalid tenant ID: {0}. Tenant ID must be a non-empty string.'.format(tenant_id))
+
+        with self.lock:
+            if tenant_id in self.tenant_clients:
+                return self.tenant_clients[tenant_id]
+
+            client = auth._AuthService(self.app, tenant_id=tenant_id) # pylint: disable=protected-access
+            self.tenant_clients[tenant_id] = client
+            return  client
 
     def get_tenant(self, tenant_id):
         """Gets the tenant corresponding to the given ``tenant_id``."""