firebase
diff --git a/‎firebase_admin/multi_factor_config_mgt.py
Lines changed: 223 additions & 0 deletions b/‎firebase_admin/multi_factor_config_mgt.py
Lines changed: 223 additions & 0 deletions
diff --git a/‎firebase_admin/tenant_mgt.py
Lines changed: 31 additions & 7 deletions b/‎firebase_admin/tenant_mgt.py
Lines changed: 31 additions & 7 deletions
@@ -0,0 +1,223 @@
+# Copyright 2023 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+"""Firebase multifactor configuration management module.
+
+This module contains functions for managing various multifactor configurations at
+the project and tenant level.
+"""
+from enum import Enum
+
+__all__ = [
+    'validate_keys',
+    'MultiFactorServerConfig',
+    'TOTPProviderConfig',
+    'ProviderConfig',
+    'MultiFactorConfig',
+]
+
+
+def validate_keys(keys, valid_keys, config_name):
+    for key in keys:
+        if key not in valid_keys:
+            raise ValueError(
+                '"{0}" is not a valid "{1}" parameter.'.format(
+                    key, config_name))
+
+
+class MultiFactorServerConfig:
+    """Represents multi factor configuration response received from the server and
+    converts it to user format.
+    """
+
+    def __init__(self, data):
+        if not isinstance(data, dict):
+            raise ValueError(
+                'Invalid data argument in MultiFactorConfig constructor: {0}'.format(data))
+        self._data = data
+
+    @property
+    def provider_configs(self):
+        data = self._data.get('providerConfigs', None)
+        if data is not None:
+            return [self.ProviderConfigServerConfig(d) for d in data]
+        return None
+
+    class ProviderConfigServerConfig:
+        """Represents provider configuration response received from the server and converts
+        it to user format.
+        """
+
+        def __init__(self, data):
+            if not isinstance(data, dict):
+                raise ValueError(
+                    'Invalid data argument in ProviderConfig constructor: {0}'.format(data))
+            self._data = data
+
+        @property
+        def state(self):
+            return self._data.get('state', None)
+
+        @property
+        def totp_provider_config(self):
+            data = self._data.get('totpProviderConfig', None)
+            if data is not None:
+                return self.TOTPProviderServerConfig(data)
+            return None
+
+        class TOTPProviderServerConfig:
+            """Represents TOTP provider configuration response received from the server and converts
+            it to user format.
+            """
+
+            def __init__(self, data):
+                if not isinstance(data, dict):
+                    raise ValueError(
+                        'Invalid data argument in TOTPProviderConfig constructor: {0}'.format(data))
+                self._data = data
+
+            @property
+            def adjacent_intervals(self):
+                return self._data.get('adjacentIntervals', None)
+
+
+class TOTPProviderConfig:
+    """Represents a TOTP Provider Configuration to be specified for a tenant or project."""
+
+    def __init__(self, adjacent_intervals: int = None):
+        self.adjacent_intervals: int = adjacent_intervals
+
+    def to_dict(self) -> dict:
+        data = {}
+        if self.adjacent_intervals is not None:
+            data['adjacentIntervals'] = self.adjacent_intervals
+        return data
+
+    def validate(self):
+        """Validates a given totp_provider_config object.
+
+        Raises:
+            ValueError: In case of an unsuccessful validation.
+        """
+        validate_keys(
+            keys=vars(self).keys(),
+            valid_keys={'adjacent_intervals'},
+            config_name='TOTPProviderConfig')
+        if self.adjacent_intervals is not None:
+            # Because bool types get converted to int here
+            # pylint: disable=C0123
+            if type(self.adjacent_intervals) is not int:
+                raise ValueError(
+                    'totp_provider_config.adjacent_intervals must be an integer between'
+                    ' 1 and 10 (inclusive).')
+            if not 1 <= self.adjacent_intervals <= 10:
+                raise ValueError(
+                    'totp_provider_config.adjacent_intervals must be an integer between'
+                    ' 1 and 10 (inclusive).')
+
+    def build_server_request(self):
+        self.validate()
+        return self.to_dict()
+
+
+class ProviderConfig:
+    """Represents a provider configuration for tenant or project.
+    Currently only TOTP can be configured"""
+
+    class State(Enum):
+        ENABLED = 'ENABLED'
+        DISABLED = 'DISABLED'
+
+    def __init__(self,
+                 state: State = None,
+                 totp_provider_config: TOTPProviderConfig = None):
+        self.state: self.State = state
+        self.totp_provider_config: TOTPProviderConfig = totp_provider_config
+
+    def to_dict(self) -> dict:
+        data = {}
+        if self.state:
+            data['state'] = self.state.value
+        if self.totp_provider_config:
+            data['totpProviderConfig'] = self.totp_provider_config.to_dict()
+        return data
+
+    def validate(self):
+        """Validates a provider_config object.
+
+        Raises:
+            ValueError: In case of an unsuccessful validation.
+        """
+        validate_keys(
+            keys=vars(self).keys(),
+            valid_keys={
+                'state',
+                'totp_provider_config'},
+            config_name='ProviderConfig')
+        if self.state is None:
+            raise ValueError('provider_config.state must be defined.')
+        if not isinstance(self.state, ProviderConfig.State):
+            raise ValueError(
+                'provider_config.state must be of type ProviderConfig.State.')
+        if self.totp_provider_config is None:
+            raise ValueError(
+                'provider_config.totp_provider_config must be defined.')
+        if not isinstance(self.totp_provider_config, TOTPProviderConfig):
+            raise ValueError(
+                'provider_configs.totp_provider_config must be of type TOTPProviderConfig.')
+
+    def build_server_request(self):
+        self.validate()
+        return self.to_dict()
+
+
+class MultiFactorConfig:
+    """Represents a multi factor configuration for tenant or project
+    """
+
+    def __init__(self,
+                 provider_configs: list[ProviderConfig] = None):
+        self.provider_configs: list[ProviderConfig] = provider_configs
+
+    def to_dict(self) -> dict:
+        data = {}
+        if self.provider_configs is not None:
+            data['providerConfigs'] = [d.to_dict()
+                                       for d in self.provider_configs]
+        return data
+
+    def validate(self):
+        """Validates a given multi_factor_config object.
+
+        Raises:
+            ValueError: In case of an unsuccessful validation.
+        """
+        validate_keys(
+            keys=vars(self).keys(),
+            valid_keys={'provider_configs'},
+            config_name='MultiFactorConfig')
+        if self.provider_configs is None:
+            raise ValueError(
+                'multi_factor_config.provider_configs must be specified')
+        if not isinstance(self.provider_configs, list) or not self.provider_configs:
+            raise ValueError(
+                'provider_configs must be an array of type ProviderConfigs.')
+        for provider_config in self.provider_configs:
+            if not isinstance(provider_config, ProviderConfig):
+                raise ValueError(
+                    'provider_configs must be an array of type ProviderConfigs.')
+            provider_config.validate()
+
+    def build_server_request(self):
+        self.validate()
+        return self.to_dict()
@@ -28,6 +28,7 @@
 from firebase_admin import _auth_utils
 from firebase_admin import _http_client
 from firebase_admin import _utils
+from firebase_admin.multi_factor_config_mgt import MultiFactorConfig, MultiFactorServerConfig
 
 
 _TENANT_MGT_ATTRIBUTE = '_tenant_mgt'
@@ -91,7 +92,8 @@ def get_tenant(tenant_id, app=None):
 
 
 def create_tenant(
-        display_name, allow_password_sign_up=None, enable_email_link_sign_in=None, app=None):
+        display_name, allow_password_sign_up=None, enable_email_link_sign_in=None,
+        multi_factor_config: MultiFactorConfig = None, app=None):
     """Creates a new tenant from the given options.
 
     Args:
@@ -101,6 +103,7 @@ def create_tenant(
             provider (optional).
         enable_email_link_sign_in: A boolean indicating whether to enable or disable email link
             sign-in (optional). Disabling this makes the password required for email sign-in.
+        multi_factor_config : A multi factor configuration to add to the tenant (optional).
         app: An App instance (optional).
 
     Returns:
@@ -113,12 +116,13 @@ def create_tenant(
     tenant_mgt_service = _get_tenant_mgt_service(app)
     return tenant_mgt_service.create_tenant(
         display_name=display_name, allow_password_sign_up=allow_password_sign_up,
-        enable_email_link_sign_in=enable_email_link_sign_in)
+        enable_email_link_sign_in=enable_email_link_sign_in,
+        multi_factor_config=multi_factor_config,)
 
 
 def update_tenant(
         tenant_id, display_name=None, allow_password_sign_up=None, enable_email_link_sign_in=None,
-        app=None):
+        multi_factor_config: MultiFactorConfig = None, app=None):
     """Updates an existing tenant with the given options.
 
     Args:
@@ -128,6 +132,7 @@ def update_tenant(
             provider.
         enable_email_link_sign_in: A boolean indicating whether to enable or disable email link
             sign-in. Disabling this makes the password required for email sign-in.
+        multi_factor_config : A multi factor configuration to update for the tenant (optional).
         app: An App instance (optional).
 
     Returns:
@@ -141,7 +146,8 @@ def update_tenant(
     tenant_mgt_service = _get_tenant_mgt_service(app)
     return tenant_mgt_service.update_tenant(
         tenant_id, display_name=display_name, allow_password_sign_up=allow_password_sign_up,
-        enable_email_link_sign_in=enable_email_link_sign_in)
+        enable_email_link_sign_in=enable_email_link_sign_in,
+        multi_factor_config=multi_factor_config)
 
 
 def delete_tenant(tenant_id, app=None):
@@ -228,6 +234,13 @@ def allow_password_sign_up(self):
     def enable_email_link_sign_in(self):
         return self._data.get('enableEmailLinkSignin', False)
 
+    @property
+    def multi_factor_config(self):
+        data = self._data.get('mfaConfig', None)
+        if data is not None:
+            return MultiFactorServerConfig(data)
+        return None
+
 
 class _TenantManagementService:
     """Firebase tenant management service."""
@@ -272,7 +285,8 @@ def get_tenant(self, tenant_id):
             return Tenant(body)
 
     def create_tenant(
-            self, display_name, allow_password_sign_up=None, enable_email_link_sign_in=None):
+            self, display_name, allow_password_sign_up=None, enable_email_link_sign_in=None,
+            multi_factor_config: MultiFactorConfig = None):
         """Creates a new tenant from the given parameters."""
 
         payload = {'displayName': _validate_display_name(display_name)}
@@ -282,7 +296,11 @@ def create_tenant(
         if enable_email_link_sign_in is not None:
             payload['enableEmailLinkSignin'] = _auth_utils.validate_boolean(
                 enable_email_link_sign_in, 'enableEmailLinkSignin')
-
+        if multi_factor_config is not None:
+            if not isinstance(multi_factor_config, MultiFactorConfig):
+                raise ValueError(
+                    'multi_factor_config must be of type MultiFactorConfig.')
+            payload['mfaConfig'] = multi_factor_config.build_server_request()
         try:
             body = self.client.body('post', '/tenants', json=payload)
         except requests.exceptions.RequestException as error:
@@ -292,7 +310,8 @@ def create_tenant(
 
     def update_tenant(
             self, tenant_id, display_name=None, allow_password_sign_up=None,
-            enable_email_link_sign_in=None):
+            enable_email_link_sign_in=None,
+            multi_factor_config: MultiFactorConfig = None):
         """Updates the specified tenant with the given parameters."""
         if not isinstance(tenant_id, str) or not tenant_id:
             raise ValueError('Tenant ID must be a non-empty string.')
@@ -306,6 +325,11 @@ def update_tenant(
         if enable_email_link_sign_in is not None:
             payload['enableEmailLinkSignin'] = _auth_utils.validate_boolean(
                 enable_email_link_sign_in, 'enableEmailLinkSignin')
+        if multi_factor_config is not None:
+            if not isinstance(multi_factor_config, MultiFactorConfig):
+                raise ValueError(
+                    'multi_factor_config must be of type MultiFactorConfig.')
+            payload['mfaConfig'] = multi_factor_config.build_server_request()
 
         if not payload:
             raise ValueError('At least one parameter must be specified for update.')