From 597566af342ec255319fd6dd8b17d70619f535dc Mon Sep 17 00:00:00 2001 From: Bassam Ojeil Date: Mon, 17 Jun 2019 16:50:12 -0700 Subject: [PATCH 1/3] Defines Auth multi-tenancy references in index.d.ts. --- src/index.d.ts | 203 +++++++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 197 insertions(+), 6 deletions(-) diff --git a/src/index.d.ts b/src/index.d.ts index 3cd8de1a19..7d3450d33e 100755 --- a/src/index.d.ts +++ b/src/index.d.ts @@ -602,6 +602,10 @@ declare namespace admin.auth { * resets, password or email updates, etc). */ tokensValidAfterTime?: string; + + /** + * The user's tenant identifier if available. + */ tenantId?: string | null; /** @@ -727,6 +731,10 @@ declare namespace admin.auth { * `"google.com"`, `"twitter.com"`, or `"custom"`. */ sign_in_provider: string; + + /** + * The user's tenant ID if available. + */ tenant?: string; [key: string]: any; }; @@ -952,6 +960,11 @@ declare namespace admin.auth { * The buffer of bytes representing the user’s password salt. */ passwordSalt?: Buffer; + + /** + * The identifier of the tenant where user is to be imported to. + * When not provided, the user is uploaded to the default parent project. + */ tenantId?: string | null; } @@ -1051,31 +1064,128 @@ declare namespace admin.auth { type TenantType = 'lightweight' | 'full_service'; + /** + * Interface representing a tenant configuration. + * + * Multi-tenancy support requires Google Cloud's Identity Platform + * (GCIP). To learn more about GCIP, including pricing and features, + * see the [GCIP documentation](https://cloud.google.com/identity-platform) + * + * Before multi-tenancy can be used on a Google Cloud Identity Platform project, + * tenants must be allowed on that project via the Cloud Console UI. + * + * A tenant configuration provides information such as the type of tenant (lightweight or + * full service), display name, tenant identifier and email authentication configuration. + * For OIDC/SAML provider configuration management, `TenantAwareAuth` instances should + * be used instead. When configuring these providers, note that tenants will inherit + * whitelisted domains and authenticated redirect URIs of their parent project. + * + * All other settings of a tenant will also be inherited. These will need to be managed + * from the Cloud Console UI. + */ interface Tenant { + + /** + * The current tenant identifier. + */ tenantId: string; + + /** + * The current tenant type: `lightweight` or `full_service`. + * Tenants that use separare billing and quota will require their own project and + * must be defined as `full_service`. + * `full_service` tenants may be subject to quota creation limits. + * For additional project quota increases, refer to + * [project quota requests](https://support.google.com/cloud/answer/6330231?hl=en). + * In addition, deleted `full_service` tenants may take 30 days after deletion + * before they are completely removed. + */ type?: admin.auth.TenantType; + + /** + * The current tenant display name. + */ displayName?: string; + + /** + * The current email sign in provider configuration. + */ emailSignInConfig?: { + + /** + * Whether email provider is enabled. + */ enabled: boolean; + + /** + * Whether password is required for email sign-in. When not required, + * email sign-in can be performed with password or via email link sign-in. + */ passwordRequired?: boolean }; + + /** + * @return A JSON-serializable representation of this object. + */ toJSON(): Object; } + /** + * Interface representing the properties to update on the provided tenant. + */ interface UpdateTenantRequest { - displayName: string; + + /** + * The tenant display name. + */ + displayName?: string; + + /** + * The email sign in configuration. + */ emailSignInConfig?: { + + /** + * Whether email provider is enabled. + */ enabled: boolean; + + /** + * Whether password is required for email sign-in. When not required, + * email sign-in can be performed with password or via email link sign-in. + */ passwordRequired?: boolean; }; } + /** + * Interface representing the properties to set on a new tenant to be created. + */ interface CreateTenantRequest extends UpdateTenantRequest { + + /** + * The newly created tenant type. This can be `lightweight` or `full_service`. + */ type: admin.auth.TenantType; } + /** + * Interface representing the object returned from a + * {@link https://firebase.google.com/docs/reference/admin/node/admin.auth.Auth#listTenants `listTenants()`} + * operation. + * Contains the list of tenants for the current batch and the next page token if available. + */ interface ListTenantsResult { + + /** + * The list of {@link admin.auth.Tenant `Tenant`} objects for the + * current downloaded batch. + */ tenants: admin.auth.Tenant[]; + + /** + * The next page token if available. This is needed for the next batch download. + */ pageToken?: string; } @@ -1743,7 +1853,7 @@ declare namespace admin.auth { * * SAML and OIDC provider support requires Google Cloud's Identity Platform * (GCIP). To learn more about GCIP, including pricing and features, - * see the [GCIP documentation](https://cloud.google.com/identity-cp). + * see the [GCIP documentation](https://cloud.google.com/identity-platform). * * @param options The provider config filter to apply. * @return A promise that resolves with the list of provider configs meeting the @@ -1761,7 +1871,7 @@ declare namespace admin.auth { * * SAML and OIDC provider support requires Google Cloud's Identity Platform * (GCIP). To learn more about GCIP, including pricing and features, - * see the [GCIP documentation](https://cloud.google.com/identity-cp). + * see the [GCIP documentation](https://cloud.google.com/identity-platform). * * @param providerId The provider ID corresponding to the provider * config to return. @@ -1777,7 +1887,7 @@ declare namespace admin.auth { * * SAML and OIDC provider support requires Google Cloud's Identity Platform * (GCIP). To learn more about GCIP, including pricing and features, - * see the [GCIP documentation](https://cloud.google.com/identity-cp). + * see the [GCIP documentation](https://cloud.google.com/identity-platform). * * @param providerId The provider ID corresponding to the provider * config to delete. @@ -1793,7 +1903,7 @@ declare namespace admin.auth { * * SAML and OIDC provider support requires Google Cloud's Identity Platform * (GCIP). To learn more about GCIP, including pricing and features, - * see the [GCIP documentation](https://cloud.google.com/identity-cp). + * see the [GCIP documentation](https://cloud.google.com/identity-platform). * * @param providerId The provider ID corresponding to the provider * config to update. @@ -1810,7 +1920,7 @@ declare namespace admin.auth { * * SAML and OIDC provider support requires Google Cloud's Identity Platform * (GCIP). To learn more about GCIP, including pricing and features, - * see the [GCIP documentation](https://cloud.google.com/identity-cp). + * see the [GCIP documentation](https://cloud.google.com/identity-platform). * * @param config The provider configuration to create. * @return A promise that resolves with the created provider configuration. @@ -1820,18 +1930,99 @@ declare namespace admin.auth { ): Promise; } + /** + * Tenant aware `Auth` interface used for managing user, configuring SAML/OIDC providers, + * generating email links for password reset, email verification, etc for specific tenants. + * + * Multi-tenancy support requires Google Cloud's Identity Platform + * (GCIP). To learn more about GCIP, including pricing and features, + * see the [GCIP documentation](https://cloud.google.com/identity-platform) + * + * Each tenant contains its own identity providers, settings and sets of users. + * Using `TenantAwareAuth`, users for a specific tenant and corresponding OIDC/SAML + * configurations can also be managed, ID tokens for users signed in to a specific tenant + * can be verified, and email action links can also be generated for users belonging the + * current tenant. + * + * `TenantAwareAuth` instances for a specific `tenantId` can be instantiated by calling + * `auth.forTenant(tenantId)`. + */ interface TenantAwareAuth extends BaseAuth { + + /** + * The current tenant identifier corresponding to this `TenantAwareAuth` instance. + */ tenantId: string; } interface Auth extends admin.auth.BaseAuth { app: admin.app.App; + /** + * @param tenantId The tenant ID whose `TenantAwareAuth` instance is to be returned. + * + * @return The `TenantAwareAuth` instance corresponding to this tenant identifier. + */ forTenant(tenantId: string): admin.auth.TenantAwareAuth; + + /** + * Gets the tenant configuration for the tenant corresponding to a given `tenantId`. + * + * @param tenantId The tenant identifier corresponding to the tenant whose data to fetch. + * + * @return A promise fulfilled with the tenant configuration to the provided `tenantId`. + */ getTenant(tenantId: string): Promise; + + /** + * Retrieves a list of tenants (single batch only) with a size of `maxResults` + * starting from the offset as specified by `pageToken`. This is used to + * retrieve all the tenants of a specified project in batches. + * + * @param maxResults The page size, 1000 if undefined. This is also + * the maximum allowed limit. + * @param pageToken The next page token. If not specified, returns + * tenants starting without any offset. + * + * @return A promise that resolves with + * the current batch of downloaded tenants and the next page token. + */ listTenants(maxResults?: number, pageToken?: string): Promise; + + /** + * Deletes an existing tenant. + * + * @param tenantId The `tenantId` corresponding to the tenant to delete. + * + * @return An empty promise fulfilled once the tenant has been deleted. + */ deleteTenant(tenantId: string): Promise; + + /** + * Creates a new tenant. + * When creating new tenants, tenants that use separare billing and quota will require their + * own project and must be defined as `full_service`. + * + * @param tenantOptions The properties to set on the new tenant configuration to be created. + * + * @return A promise fulfilled with the tenant configuration corresponding to the newly + * created tenant. + */ createTenant(tenantOptions: admin.auth.CreateTenantRequest): Promise; + + /** + * Updates an existing tenant configuration. + * + * Tenant types cannot be modified after creation. + * If a tenant type needs to be changed after creation, a new tenant with the expected + * type needs to be created and the users/configurations of existing tenant copied to the + * new tenant. + * + * @param tenantId The `tenantId` corresponding to the tenant to delete. + * @param tenantOptions The properties to update on the provided tenant. + * + * @return A promise fulfilled with the update tenant data. + */ updateTenant(tenantId: string, tenantOptions: admin.auth.UpdateTenantRequest): Promise; } } From 5f629299b606f31da7395969a8a8c73b7ccc99ee Mon Sep 17 00:00:00 2001 From: Bassam Ojeil Date: Wed, 19 Jun 2019 01:08:23 -0700 Subject: [PATCH 2/3] Addresses review comments. --- src/index.d.ts | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/src/index.d.ts b/src/index.d.ts index 7d3450d33e..5627cb43ca 100755 --- a/src/index.d.ts +++ b/src/index.d.ts @@ -963,7 +963,10 @@ declare namespace admin.auth { /** * The identifier of the tenant where user is to be imported to. - * When not provided, the user is uploaded to the default parent project. + * When not provided in an `admin.auth.Auth` context, the user is uploaded to + * the default parent project. + * When not provided in an `admin.auth.TenantAwareAuth` context, the user is uploaded + * to the tenant corresponding to that `TenantAwareAuth` instance's tenant ID. */ tenantId?: string | null; } @@ -1951,6 +1954,8 @@ declare namespace admin.auth { /** * The current tenant identifier corresponding to this `TenantAwareAuth` instance. + * All calls to the user management APIs, OIDC/SAML provider management APIs, email link + * generation APIs, etc will only be applied within the scope of this tenant. */ tenantId: string; } From c05b846303efe66dfb57b22c298ceff7e8bbd205 Mon Sep 17 00:00:00 2001 From: Bassam Ojeil Date: Thu, 20 Jun 2019 14:58:29 -0700 Subject: [PATCH 3/3] Addresses review comments. --- src/index.d.ts | 36 ++++++++++++++++++------------------ 1 file changed, 18 insertions(+), 18 deletions(-) diff --git a/src/index.d.ts b/src/index.d.ts index 5627cb43ca..3082fa7e9d 100755 --- a/src/index.d.ts +++ b/src/index.d.ts @@ -604,7 +604,7 @@ declare namespace admin.auth { tokensValidAfterTime?: string; /** - * The user's tenant identifier if available. + * The ID of the tenant the user belongs to, if available. */ tenantId?: string | null; @@ -733,7 +733,7 @@ declare namespace admin.auth { sign_in_provider: string; /** - * The user's tenant ID if available. + * The ID of the tenant the user belongs to, if available. */ tenant?: string; [key: string]: any; @@ -1080,7 +1080,8 @@ declare namespace admin.auth { * A tenant configuration provides information such as the type of tenant (lightweight or * full service), display name, tenant identifier and email authentication configuration. * For OIDC/SAML provider configuration management, `TenantAwareAuth` instances should - * be used instead. When configuring these providers, note that tenants will inherit + * be used instead of a `Tenant` to retrieve the list of configured IdPs on a tenant. + * When configuring these providers, note that tenants will inherit * whitelisted domains and authenticated redirect URIs of their parent project. * * All other settings of a tenant will also be inherited. These will need to be managed @@ -1089,13 +1090,13 @@ declare namespace admin.auth { interface Tenant { /** - * The current tenant identifier. + * The tenant identifier. */ tenantId: string; /** - * The current tenant type: `lightweight` or `full_service`. - * Tenants that use separare billing and quota will require their own project and + * The tenant type: `lightweight` or `full_service`. + * Tenants that use separate billing and quota will require their own project and * must be defined as `full_service`. * `full_service` tenants may be subject to quota creation limits. * For additional project quota increases, refer to @@ -1106,12 +1107,12 @@ declare namespace admin.auth { type?: admin.auth.TenantType; /** - * The current tenant display name. + * The tenant display name. */ displayName?: string; /** - * The current email sign in provider configuration. + * The email sign in provider configuration. */ emailSignInConfig?: { @@ -1162,7 +1163,7 @@ declare namespace admin.auth { } /** - * Interface representing the properties to set on a new tenant to be created. + * Interface representing the properties to set on a new tenant. */ interface CreateTenantRequest extends UpdateTenantRequest { @@ -1181,8 +1182,7 @@ declare namespace admin.auth { interface ListTenantsResult { /** - * The list of {@link admin.auth.Tenant `Tenant`} objects for the - * current downloaded batch. + * The list of {@link admin.auth.Tenant `Tenant`} objects for the downloaded batch. */ tenants: admin.auth.Tenant[]; @@ -1238,7 +1238,7 @@ declare namespace admin.auth { displayName: string; /** - * Whether the current provider configuration is enabled or disabled. A user + * Whether the provider configuration is enabled or disabled. A user * cannot sign in using a disabled provider. */ enabled: boolean; @@ -1934,7 +1934,7 @@ declare namespace admin.auth { } /** - * Tenant aware `Auth` interface used for managing user, configuring SAML/OIDC providers, + * Tenant-aware `Auth` interface used for managing users, configuring SAML/OIDC providers, * generating email links for password reset, email verification, etc for specific tenants. * * Multi-tenancy support requires Google Cloud's Identity Platform @@ -1944,8 +1944,8 @@ declare namespace admin.auth { * Each tenant contains its own identity providers, settings and sets of users. * Using `TenantAwareAuth`, users for a specific tenant and corresponding OIDC/SAML * configurations can also be managed, ID tokens for users signed in to a specific tenant - * can be verified, and email action links can also be generated for users belonging the - * current tenant. + * can be verified, and email action links can also be generated for users belonging to the + * tenant. * * `TenantAwareAuth` instances for a specific `tenantId` can be instantiated by calling * `auth.forTenant(tenantId)`. @@ -1953,7 +1953,7 @@ declare namespace admin.auth { interface TenantAwareAuth extends BaseAuth { /** - * The current tenant identifier corresponding to this `TenantAwareAuth` instance. + * The tenant identifier corresponding to this `TenantAwareAuth` instance. * All calls to the user management APIs, OIDC/SAML provider management APIs, email link * generation APIs, etc will only be applied within the scope of this tenant. */ @@ -1990,7 +1990,7 @@ declare namespace admin.auth { * tenants starting without any offset. * * @return A promise that resolves with - * the current batch of downloaded tenants and the next page token. + * a batch of downloaded tenants and the next page token. */ listTenants(maxResults?: number, pageToken?: string): Promise; @@ -2005,7 +2005,7 @@ declare namespace admin.auth { /** * Creates a new tenant. - * When creating new tenants, tenants that use separare billing and quota will require their + * When creating new tenants, tenants that use separate billing and quota will require their * own project and must be defined as `full_service`. * * @param tenantOptions The properties to set on the new tenant configuration to be created.