feat(auth): Multi-tenancy support for Google Cloud Identity Platform #628
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
* Starts defining multi-tenancy APIs. This includes: - Defining type definitions. - Adding tenantId to UserRecord and UserImportBuilder. - Adding new errors associated with tenant operations. - Defines the Tenant object. As the changes are quite large. This will be split into multiple PRs. * Minor fixes and tweaks. * Addresses comments from review. * Addresses review comments.
* Defines BaseFirebaseAuthRequestHandler class for sending Auth requests related to user management APIs and SAML/OIDC config mgmt APIs, link generation, etc. Defines FirebaseAuthRequestHandler which extends the base class for project level only calls and which will also be extended to include tenant mgmt APIs. Defines FirebaseTenantRequestHandler which extends the base class for tenant level only calls. Unit tests have been modified to run tests on both subclasses. * Addresses review comments. * Comment clean up. * Address more comments.
* Defines TenantAwareAuth and its user management APIs, email action link APIs, OIDC/SAML provider config mgmt APIs. * Throws error when tenantId is provided in createUser and updateUser Auth API requests. Adds detailed tenant mismatch error for uploadAccount on tenant Id mismatch for TenantAwareAuth. * Addresses comments. * Added missing mapping to client error of MISSING_DISPLAY_NAME error.
* Defines tenant management API on AuthRequestHandler. * Adds unit test for confirming an error is thrown on createTenant request with no type. * Address review comments.
* Adds tenant management APIs to developer facing Auth instance. This includes getTenant, deleteTenant, listTenants, createTenant and updateTenant. This expects TenantServerResponse to be returned for createTenant and updateTenant. Expected results have not been confirmed. A followup PR will add integration tests for the above. * Addresses review comments. Adds missing backend errors. * Addresses review comments.
* Adds integration tests for tenant management APIs. These tests are skipped by default as multi-tenancy is a paid feature on Google Cloud Identity Platform. To run these tests, --testMultiTenancy flag has to be added. Adds default email provider config when backend Auth server returns undefined for emailSignInConfig. * Updates listTenants integration test.
* Defines Auth multi-tenancy references in index.d.ts. * Addresses review comments.
…xt: (#584) * Adds basic integration tests for the following in multi-tenancy context: - User management - Custom claims - Import users - List users - Token revocation - Email link generation (skipped due to backend bug) - OIDC/SAML management APIs. * Removes email link sign-in generation test for now.
All tenants are now created in lightweight state by default.
* Defines the TenantManager class and its underlying methods. Adds unit tests for this new class. Unit tests were copied from the exising auth.spec.ts file.
- Enables email action link generation tests after backend bug was fixed. - Adds email link sign-in test case. - Fixes issues with nested multi-tenancy tests not being skipped when they are supposed to.
wuyanna
reviewed
Aug 21, 2019
test/unit/auth/tenant.spec.ts
Outdated
| const serverRequestCopy: TenantServerResponse = deepCopy(serverRequest); | ||
| it('should return the expected object representation of a tenant', () => { | ||
| expect(new Tenant(serverRequestCopy).toJSON()).to.deep.equal({ | ||
| tenantId: 'TENANT_ID', |
wuyanna
reviewed
Aug 21, 2019
test/unit/auth/tenant.spec.ts
Outdated
| it('should return the expected object representation of a tenant', () => { | ||
| expect(new Tenant(serverRequestCopy).toJSON()).to.deep.equal({ | ||
| tenantId: 'TENANT_ID', | ||
| displayName: 'TENANT_DISPLAY_NAME', |
wuyanna
reviewed
Aug 21, 2019
| @@ -66,6 +66,7 @@ describe('UserImportBuilder', () => { | |||
| }, | |||
| ], | |||
| customClaims: {admin: true}, | |||
| tenantId: 'TENANT_ID', | |||
wuyanna
reviewed
Aug 21, 2019
test/unit/auth/user-record.spec.ts
Outdated
| }); | ||
|
|
||
| it('should return expected tenantId', () => { | ||
| const resp = deepCopy(getValidUserResponse('TENANT_ID')); |
wuyanna
reviewed
Aug 21, 2019
test/unit/auth/user-record.spec.ts
Outdated
| expect(() => { | ||
| const resp = deepCopy(getValidUserResponse('TENANT_ID')); | ||
| const tenantUserRecord = new UserRecord(resp); | ||
| (tenantUserRecord as any).tenantId = 'OTHER_TENANT_ID'; |
wuyanna
approved these changes
Aug 21, 2019
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Merge all changes to master.
RELEASE NOTE: Added multi-tenancy support to the authentication service (Google Cloud Identity Platform project required). Tenant related APIs are exposed via
tenantManager()on theadmin.authinterface.RELEASE NOTE: Added tenant management APIs
authForTenant(),getTenant(),listTenants(),deleteTenant(),createTenant()andupdateTenant()to the newly definedTenantManager.RELEASE NOTE: Defined
TenantAwareAuthinterface retrieved viaTenantManager#authForTenant()for managing users, configuring SAML/OIDC providers, generating email links for password reset, email verification, etc for specific tenants.