firestore.rules

service cloud.firestore {
  match /databases/{database}/documents {    
    function getUserData() {
      return get(/databases/$(database)/documents/users/$(request.auth.uid)).data
    }
    match /tenants/{tenantId} {
        function isSignedIn() {
          return request.auth != null;
        }  
        function isUserInTenant(rsc) {
          return rsc.data.users.hasAny([request.auth.uid]);
        }
        allow read: if isSignedIn() && getUserData() != null && isUserInTenant(resource); 
    }
  }
}

package.json

{
  "devDependencies": {
    "@firebase/testing": "^0.7.10",
    "mocha": "^6.1.3"
  }
}

test.js

const firebase = require("@firebase/testing");
const fs = require("fs");

const projectId = "firestore-emulator-example";
const coverageUrl = `http://localhost:8080/emulator/v1/projects/${projectId}:ruleCoverage.html`;

const rules = fs.readFileSync("firestore.rules", "utf8");

after(async () => {
  await Promise.all(firebase.apps().map(app => app.delete()));
  console.log(`rule coverage information: ${coverageUrl}`);
});

it("query for tenants with a given organization number", async () => {
  await firebase.loadFirestoreRules({ projectId, rules });

  const admin = firebase.initializeAdminApp({ projectId }).firestore();
  await admin.collection("users").doc("alice").set({});

  const alice = firebase.initializeTestApp({
    projectId,
    auth: { uid: "alice" }
  }).firestore();

  await firebase.assertSucceeds(
    alice
      .collection("tenants")
      .where("organizationNumber", "==", 10)
      .where("users", "array-contains", "alice")
      .get()
  );
});