Support auth emulator via FIREBASE_AUTH_EMULATOR_HOST

muru · muru · commit 80e4d07b34a8 · 2021-02-24T21:05:45.000+09:00
Modeled on firebase/firebase-admin-go#414
diff --git a/firebase_admin/_auth_client.py b/firebase_admin/_auth_client.py
@@ -14,8 +14,12 @@
 
 """Firebase auth client sub module."""
 
+import os
 import time
 
+from google.oauth2 import credentials
+from google.auth.exceptions import DefaultCredentialsError
+
 import firebase_admin
 from firebase_admin import _auth_providers
 from firebase_admin import _auth_utils
@@ -25,6 +29,8 @@
 from firebase_admin import _user_import
 from firebase_admin import _user_mgt
 
+_EMULATOR_HOST_ENV_VAR = 'FIREBASE_AUTH_EMULATOR_HOST'
+_DEFAULT_AUTH_URL = 'https://identitytoolkit.googleapis.com'
 
 class Client:
     """Firebase Authentication client scoped to a specific tenant."""
@@ -36,17 +42,45 @@ def __init__(self, app, tenant_id=None):
             2. set the project ID explicitly via Firebase App options, or
             3. set the project ID via the GOOGLE_CLOUD_PROJECT environment variable.""")
 
-        credential = app.credential.get_credential()
+        credential = None
         version_header = 'Python/Admin/{0}'.format(firebase_admin.__version__)
+        # Non-default endpoint URLs for emulator support are set in this dict later.
+        id_toolkit_endpoints = {}
+
+        # If an emulator is present, check that the given value matches the expected format and set
+        # endpoint URLs to use the emulator. Also set a fake authorization token.
+        emulator_host = os.environ.get(_EMULATOR_HOST_ENV_VAR)
+        if emulator_host:
+            if '//' in emulator_host:
+                raise ValueError(
+                    'Invalid {0}: "{1}". It must follow format "host:port".'.format(
+                        _EMULATOR_HOST_ENV_VAR, emulator_host))
+            base_url = 'http://{0}/identitytoolkit.googleapis.com'.format(emulator_host)
+            id_toolkit_endpoints['v1'] = base_url + '/v1'
+            id_toolkit_endpoints['v2beta1'] = base_url + '/v2beta1'
+
+        try:
+            # Use credentials if provided
+            credential = app.credential.get_credential()
+        except DefaultCredentialsError as credential_error:
+            # The emulator can make do with fake credentials
+            if emulator_host:
+                credential = credentials.Credentials(token='owner')
+            else:
+                # Not emulated, no credential, raise
+                raise credential_error
+
         http_client = _http_client.JsonHttpClient(
             credential=credential, headers={'X-Client-Version': version_header})
 
         self._tenant_id = tenant_id
-        self._token_generator = _token_gen.TokenGenerator(app, http_client)
+        self._token_generator = _token_gen.TokenGenerator(
+            app, http_client, id_toolkit_endpoints.get('v1'))
         self._token_verifier = _token_gen.TokenVerifier(app)
-        self._user_manager = _user_mgt.UserManager(http_client, app.project_id, tenant_id)
+        self._user_manager = _user_mgt.UserManager(
+            http_client, app.project_id, tenant_id, id_toolkit_endpoints.get('v1'))
         self._provider_manager = _auth_providers.ProviderConfigClient(
-            http_client, app.project_id, tenant_id)
+            http_client, app.project_id, tenant_id, id_toolkit_endpoints.get('v2beta1'))
 
     @property
     def tenant_id(self):
diff --git a/firebase_admin/_auth_providers.py b/firebase_admin/_auth_providers.py
@@ -166,9 +166,11 @@ class ProviderConfigClient:
 
     PROVIDER_CONFIG_URL = 'https://identitytoolkit.googleapis.com/v2beta1'
 
-    def __init__(self, http_client, project_id, tenant_id=None):
+    def __init__(self, http_client, project_id, tenant_id=None, provider_config_url=None):
         self.http_client = http_client
-        self.base_url = '{0}/projects/{1}'.format(self.PROVIDER_CONFIG_URL, project_id)
+        if not provider_config_url:
+            provider_config_url = self.PROVIDER_CONFIG_URL
+        self.base_url = '{0}/projects/{1}'.format(provider_config_url, project_id)
         if tenant_id:
             self.base_url += '/tenants/{0}'.format(tenant_id)
 
diff --git a/firebase_admin/_token_gen.py b/firebase_admin/_token_gen.py
@@ -84,11 +84,13 @@ class TokenGenerator:
 
     ID_TOOLKIT_URL = 'https://identitytoolkit.googleapis.com/v1'
 
-    def __init__(self, app, http_client):
+    def __init__(self, app, http_client, id_toolkit_url=None):
         self.app = app
         self.http_client = http_client
         self.request = transport.requests.Request()
-        self.base_url = '{0}/projects/{1}'.format(self.ID_TOOLKIT_URL, app.project_id)
+        if not id_toolkit_url:
+            id_toolkit_url = self.ID_TOOLKIT_URL
+        self.base_url = '{0}/projects/{1}'.format(id_toolkit_url, app.project_id)
         self._signing_provider = None
 
     def _init_signing_provider(self):
diff --git a/firebase_admin/_user_mgt.py b/firebase_admin/_user_mgt.py
@@ -573,9 +573,11 @@ class UserManager:
 
     ID_TOOLKIT_URL = 'https://identitytoolkit.googleapis.com/v1'
 
-    def __init__(self, http_client, project_id, tenant_id=None):
+    def __init__(self, http_client, project_id, tenant_id=None, id_toolkit_url=None):
         self.http_client = http_client
-        self.base_url = '{0}/projects/{1}'.format(self.ID_TOOLKIT_URL, project_id)
+        if not id_toolkit_url:
+            id_toolkit_url = self.ID_TOOLKIT_URL
+        self.base_url = '{0}/projects/{1}'.format(id_toolkit_url, project_id)
         if tenant_id:
             self.base_url += '/tenants/{0}'.format(tenant_id)
 
