Support auth emulator via FIREBASE_AUTH_EMULATOR_HOST

muru · muru · commit d53bb41b13cc · 2021-02-06T06:00:06.000+09:00
Modeled on firebase/firebase-admin-go#414
diff --git a/firebase_admin/_auth_client.py b/firebase_admin/_auth_client.py
@@ -14,6 +14,7 @@
 
 """Firebase auth client sub module."""
 
+import os
 import time
 
 import firebase_admin
@@ -25,6 +26,8 @@
 from firebase_admin import _user_import
 from firebase_admin import _user_mgt
 
+_EMULATOR_HOST_ENV_VAR = 'FIREBASE_AUTH_EMULATOR_HOST'
+_DEFAULT_AUTH_URL = 'https://identitytoolkit.googleapis.com'
 
 class Client:
     """Firebase Authentication client scoped to a specific tenant."""
@@ -36,17 +39,42 @@ def __init__(self, app, tenant_id=None):
             2. set the project ID explicitly via Firebase App options, or
             3. set the project ID via the GOOGLE_CLOUD_PROJECT environment variable.""")
 
-        credential = app.credential.get_credential()
+        credential = None
         version_header = 'Python/Admin/{0}'.format(firebase_admin.__version__)
+        http_headers = {'X-Client-Version': version_header}
+        # None lets us fallback to default endpoint URLs if an emulator isn't present.
+        id_toolkit_endpoints = {
+            "v1": None,
+            "v2beta1": None,
+        }
+
+        # If an emulator is present, check that the given value matches the expected format and set
+        # endpoint URLs to use the emulator. Also set a fake authorization token.
+        emulator_host = os.environ.get(_EMULATOR_HOST_ENV_VAR)
+        if emulator_host:
+            if '//' in emulator_host:
+                raise ValueError(
+                    'Invalid {0}: "{1}". It must follow format "host:port".'.format(
+                        _EMULATOR_HOST_ENV_VAR, emulator_host))
+            # Used instead of credential
+            http_headers["Authorization"] = "Bearer owner"
+            base_url = "http://{0}/identitytoolkit.googleapis.com".format(emulator_host)
+            id_toolkit_endpoints["v1"] = base_url + "/v1"
+            id_toolkit_endpoints["v2beta1"] = base_url + "/v2beta1"
+        else:
+            credential = app.credential.get_credential()
+
         http_client = _http_client.JsonHttpClient(
-            credential=credential, headers={'X-Client-Version': version_header})
+            credential=credential, headers=http_headers)
 
         self._tenant_id = tenant_id
-        self._token_generator = _token_gen.TokenGenerator(app, http_client)
+        self._token_generator = _token_gen.TokenGenerator(
+            app, http_client, id_toolkit_endpoints["v1"])
         self._token_verifier = _token_gen.TokenVerifier(app)
-        self._user_manager = _user_mgt.UserManager(http_client, app.project_id, tenant_id)
+        self._user_manager = _user_mgt.UserManager(
+            http_client, app.project_id, tenant_id, id_toolkit_endpoints["v1"])
         self._provider_manager = _auth_providers.ProviderConfigClient(
-            http_client, app.project_id, tenant_id)
+            http_client, app.project_id, tenant_id, id_toolkit_endpoints["v2beta1"])
 
     @property
     def tenant_id(self):
diff --git a/firebase_admin/_auth_providers.py b/firebase_admin/_auth_providers.py
@@ -166,9 +166,11 @@ class ProviderConfigClient:
 
     PROVIDER_CONFIG_URL = 'https://identitytoolkit.googleapis.com/v2beta1'
 
-    def __init__(self, http_client, project_id, tenant_id=None):
+    def __init__(self, http_client, project_id, tenant_id=None, provider_config_url=None):
         self.http_client = http_client
-        self.base_url = '{0}/projects/{1}'.format(self.PROVIDER_CONFIG_URL, project_id)
+        if not provider_config_url:
+            provider_config_url = self.PROVIDER_CONFIG_URL
+        self.base_url = '{0}/projects/{1}'.format(provider_config_url, project_id)
         if tenant_id:
             self.base_url += '/tenants/{0}'.format(tenant_id)
 
diff --git a/firebase_admin/_token_gen.py b/firebase_admin/_token_gen.py
@@ -84,11 +84,13 @@ class TokenGenerator:
 
     ID_TOOLKIT_URL = 'https://identitytoolkit.googleapis.com/v1'
 
-    def __init__(self, app, http_client):
+    def __init__(self, app, http_client, id_toolkit_url=None):
         self.app = app
         self.http_client = http_client
         self.request = transport.requests.Request()
-        self.base_url = '{0}/projects/{1}'.format(self.ID_TOOLKIT_URL, app.project_id)
+        if not id_toolkit_url:
+            id_toolkit_url = self.ID_TOOLKIT_URL
+        self.base_url = '{0}/projects/{1}'.format(id_toolkit_url, app.project_id)
         self._signing_provider = None
 
     def _init_signing_provider(self):
diff --git a/firebase_admin/_user_mgt.py b/firebase_admin/_user_mgt.py
@@ -573,9 +573,11 @@ class UserManager:
 
     ID_TOOLKIT_URL = 'https://identitytoolkit.googleapis.com/v1'
 
-    def __init__(self, http_client, project_id, tenant_id=None):
+    def __init__(self, http_client, project_id, tenant_id=None, id_toolkit_url=None):
         self.http_client = http_client
-        self.base_url = '{0}/projects/{1}'.format(self.ID_TOOLKIT_URL, project_id)
+        if not id_toolkit_url:
+            id_toolkit_url = self.ID_TOOLKIT_URL
+        self.base_url = '{0}/projects/{1}'.format(id_toolkit_url, project_id)
         if tenant_id:
             self.base_url += '/tenants/{0}'.format(tenant_id)
 
