diff --git a/tests/test_authorization.py b/tests/test_authorization.py index a4d0b1a8..cd78a3e2 100644 --- a/tests/test_authorization.py +++ b/tests/test_authorization.py @@ -1,6 +1,7 @@ from typing import Union import pytest +from tests.utils.fixtures.mock_environment_role import MockEnvironmentRole from tests.utils.fixtures.mock_organization_role import MockOrganizationRole from tests.utils.fixtures.mock_permission import MockPermission from tests.utils.list_resource import list_response_of @@ -218,9 +219,7 @@ def test_list_organization_roles( ) roles_response = syncify( - self.authorization.list_organization_roles( - "org_01EHT88Z8J8795GZNQ4ZP1J81T" - ) + self.authorization.list_organization_roles("org_01EHT88Z8J8795GZNQ4ZP1J81T") ) assert request_kwargs["method"] == "get" @@ -338,3 +337,113 @@ def test_remove_organization_role_permission( assert request_kwargs["url"].endswith( "/authorization/organizations/org_01EHT88Z8J8795GZNQ4ZP1J81T/roles/admin/permissions/documents:read" ) + + # --- Environment Role fixtures --- + + @pytest.fixture + def mock_environment_role(self): + return MockEnvironmentRole(id="role_01DEF").dict() + + @pytest.fixture + def mock_environment_roles(self): + return { + "data": [MockEnvironmentRole(id=f"role_{i}").dict() for i in range(5)], + "object": "list", + } + + # --- Environment Role tests --- + + def test_create_environment_role( + self, mock_environment_role, capture_and_mock_http_client_request + ): + request_kwargs = capture_and_mock_http_client_request( + self.http_client, mock_environment_role, 201 + ) + + role = syncify( + self.authorization.create_environment_role(slug="member", name="Member") + ) + + assert role.id == "role_01DEF" + assert role.type == "EnvironmentRole" + assert request_kwargs["method"] == "post" + assert request_kwargs["url"].endswith("/authorization/roles") + assert request_kwargs["json"] == {"slug": "member", "name": "Member"} + + def test_list_environment_roles( + self, mock_environment_roles, capture_and_mock_http_client_request + ): + request_kwargs = capture_and_mock_http_client_request( + self.http_client, mock_environment_roles, 200 + ) + + roles_response = syncify(self.authorization.list_environment_roles()) + + assert request_kwargs["method"] == "get" + assert request_kwargs["url"].endswith("/authorization/roles") + assert len(roles_response.data) == 5 + + def test_get_environment_role( + self, mock_environment_role, capture_and_mock_http_client_request + ): + request_kwargs = capture_and_mock_http_client_request( + self.http_client, mock_environment_role, 200 + ) + + role = syncify(self.authorization.get_environment_role("member")) + + assert role.id == "role_01DEF" + assert request_kwargs["method"] == "get" + assert request_kwargs["url"].endswith("/authorization/roles/member") + + def test_update_environment_role( + self, mock_environment_role, capture_and_mock_http_client_request + ): + request_kwargs = capture_and_mock_http_client_request( + self.http_client, mock_environment_role, 200 + ) + + role = syncify( + self.authorization.update_environment_role("member", name="Updated Member") + ) + + assert role.id == "role_01DEF" + assert request_kwargs["method"] == "patch" + assert request_kwargs["url"].endswith("/authorization/roles/member") + assert request_kwargs["json"] == {"name": "Updated Member"} + + def test_set_environment_role_permissions( + self, mock_environment_role, capture_and_mock_http_client_request + ): + request_kwargs = capture_and_mock_http_client_request( + self.http_client, mock_environment_role, 200 + ) + + role = syncify( + self.authorization.set_environment_role_permissions( + "member", permissions=["documents:read"] + ) + ) + + assert role.id == "role_01DEF" + assert request_kwargs["method"] == "put" + assert request_kwargs["url"].endswith("/authorization/roles/member/permissions") + assert request_kwargs["json"] == {"permissions": ["documents:read"]} + + def test_add_environment_role_permission( + self, mock_environment_role, capture_and_mock_http_client_request + ): + request_kwargs = capture_and_mock_http_client_request( + self.http_client, mock_environment_role, 200 + ) + + role = syncify( + self.authorization.add_environment_role_permission( + "member", permission_slug="documents:read" + ) + ) + + assert role.id == "role_01DEF" + assert request_kwargs["method"] == "post" + assert request_kwargs["url"].endswith("/authorization/roles/member/permissions") + assert request_kwargs["json"] == {"slug": "documents:read"} diff --git a/tests/utils/fixtures/mock_environment_role.py b/tests/utils/fixtures/mock_environment_role.py new file mode 100644 index 00000000..6063f3ff --- /dev/null +++ b/tests/utils/fixtures/mock_environment_role.py @@ -0,0 +1,19 @@ +import datetime + +from workos.types.authorization.environment_role import EnvironmentRole + + +class MockEnvironmentRole(EnvironmentRole): + def __init__(self, id: str): + now = datetime.datetime.now().isoformat() + super().__init__( + object="role", + id=id, + name="Member", + slug="member", + description="Default environment member role", + permissions=["documents:read"], + type="EnvironmentRole", + created_at=now, + updated_at=now, + ) diff --git a/workos/authorization.py b/workos/authorization.py index 2805652b..eb4cbfe8 100644 --- a/workos/authorization.py +++ b/workos/authorization.py @@ -1,10 +1,17 @@ -from typing import Any, Dict, Optional, Protocol, Sequence +from typing import Any, Dict, Optional, Protocol, Sequence, Union +from pydantic import TypeAdapter + +from workos.types.authorization.environment_role import ( + EnvironmentRole, + EnvironmentRoleList, +) from workos.types.authorization.organization_role import ( OrganizationRole, OrganizationRoleList, ) from workos.types.authorization.permission import Permission +from workos.types.authorization.role import Role, RoleList from workos.types.list_resource import ( ListArgs, ListMetadata, @@ -25,6 +32,8 @@ AUTHORIZATION_PERMISSIONS_PATH = "authorization/permissions" +_role_adapter: TypeAdapter[Role] = TypeAdapter(Role) + class PermissionListFilters(ListArgs, total=False): pass @@ -80,11 +89,11 @@ def create_organization_role( def list_organization_roles( self, organization_id: str - ) -> SyncOrAsync[OrganizationRoleList]: ... + ) -> SyncOrAsync[RoleList]: ... def get_organization_role( self, organization_id: str, slug: str - ) -> SyncOrAsync[OrganizationRole]: ... + ) -> SyncOrAsync[Role]: ... def update_organization_role( self, @@ -119,6 +128,42 @@ def remove_organization_role_permission( permission_slug: str, ) -> SyncOrAsync[None]: ... + # Environment Roles + + def create_environment_role( + self, + *, + slug: str, + name: str, + description: Optional[str] = None, + ) -> SyncOrAsync[EnvironmentRole]: ... + + def list_environment_roles(self) -> SyncOrAsync[EnvironmentRoleList]: ... + + def get_environment_role(self, slug: str) -> SyncOrAsync[EnvironmentRole]: ... + + def update_environment_role( + self, + slug: str, + *, + name: Optional[str] = None, + description: Optional[str] = None, + ) -> SyncOrAsync[EnvironmentRole]: ... + + def set_environment_role_permissions( + self, + slug: str, + *, + permissions: Sequence[str], + ) -> SyncOrAsync[EnvironmentRole]: ... + + def add_environment_role_permission( + self, + slug: str, + *, + permission_slug: str, + ) -> SyncOrAsync[EnvironmentRole]: ... + class Authorization(AuthorizationModule): _http_client: SyncHTTPClient @@ -229,23 +274,21 @@ def create_organization_role( return OrganizationRole.model_validate(response) - def list_organization_roles(self, organization_id: str) -> OrganizationRoleList: + def list_organization_roles(self, organization_id: str) -> RoleList: response = self._http_client.request( f"authorization/organizations/{organization_id}/roles", method=REQUEST_METHOD_GET, ) - return OrganizationRoleList.model_validate(response) + return RoleList.model_validate(response) - def get_organization_role( - self, organization_id: str, slug: str - ) -> OrganizationRole: + def get_organization_role(self, organization_id: str, slug: str) -> Role: response = self._http_client.request( f"authorization/organizations/{organization_id}/roles/{slug}", method=REQUEST_METHOD_GET, ) - return OrganizationRole.model_validate(response) + return _role_adapter.validate_python(response) def update_organization_role( self, @@ -311,6 +354,92 @@ def remove_organization_role_permission( method=REQUEST_METHOD_DELETE, ) + # Environment Roles + + def create_environment_role( + self, + *, + slug: str, + name: str, + description: Optional[str] = None, + ) -> EnvironmentRole: + json: Dict[str, Any] = {"slug": slug, "name": name} + if description is not None: + json["description"] = description + + response = self._http_client.request( + "authorization/roles", + method=REQUEST_METHOD_POST, + json=json, + ) + + return EnvironmentRole.model_validate(response) + + def list_environment_roles(self) -> EnvironmentRoleList: + response = self._http_client.request( + "authorization/roles", + method=REQUEST_METHOD_GET, + ) + + return EnvironmentRoleList.model_validate(response) + + def get_environment_role(self, slug: str) -> EnvironmentRole: + response = self._http_client.request( + f"authorization/roles/{slug}", + method=REQUEST_METHOD_GET, + ) + + return EnvironmentRole.model_validate(response) + + def update_environment_role( + self, + slug: str, + *, + name: Optional[str] = None, + description: Optional[str] = None, + ) -> EnvironmentRole: + json: Dict[str, Any] = {} + if name is not None: + json["name"] = name + if description is not None: + json["description"] = description + + response = self._http_client.request( + f"authorization/roles/{slug}", + method=REQUEST_METHOD_PATCH, + json=json, + ) + + return EnvironmentRole.model_validate(response) + + def set_environment_role_permissions( + self, + slug: str, + *, + permissions: Sequence[str], + ) -> EnvironmentRole: + response = self._http_client.request( + f"authorization/roles/{slug}/permissions", + method=REQUEST_METHOD_PUT, + json={"permissions": list(permissions)}, + ) + + return EnvironmentRole.model_validate(response) + + def add_environment_role_permission( + self, + slug: str, + *, + permission_slug: str, + ) -> EnvironmentRole: + response = self._http_client.request( + f"authorization/roles/{slug}/permissions", + method=REQUEST_METHOD_POST, + json={"slug": permission_slug}, + ) + + return EnvironmentRole.model_validate(response) + class AsyncAuthorization(AuthorizationModule): _http_client: AsyncHTTPClient @@ -421,25 +550,21 @@ async def create_organization_role( return OrganizationRole.model_validate(response) - async def list_organization_roles( - self, organization_id: str - ) -> OrganizationRoleList: + async def list_organization_roles(self, organization_id: str) -> RoleList: response = await self._http_client.request( f"authorization/organizations/{organization_id}/roles", method=REQUEST_METHOD_GET, ) - return OrganizationRoleList.model_validate(response) + return RoleList.model_validate(response) - async def get_organization_role( - self, organization_id: str, slug: str - ) -> OrganizationRole: + async def get_organization_role(self, organization_id: str, slug: str) -> Role: response = await self._http_client.request( f"authorization/organizations/{organization_id}/roles/{slug}", method=REQUEST_METHOD_GET, ) - return OrganizationRole.model_validate(response) + return _role_adapter.validate_python(response) async def update_organization_role( self, @@ -504,3 +629,89 @@ async def remove_organization_role_permission( f"authorization/organizations/{organization_id}/roles/{slug}/permissions/{permission_slug}", method=REQUEST_METHOD_DELETE, ) + + # Environment Roles + + async def create_environment_role( + self, + *, + slug: str, + name: str, + description: Optional[str] = None, + ) -> EnvironmentRole: + json: Dict[str, Any] = {"slug": slug, "name": name} + if description is not None: + json["description"] = description + + response = await self._http_client.request( + "authorization/roles", + method=REQUEST_METHOD_POST, + json=json, + ) + + return EnvironmentRole.model_validate(response) + + async def list_environment_roles(self) -> EnvironmentRoleList: + response = await self._http_client.request( + "authorization/roles", + method=REQUEST_METHOD_GET, + ) + + return EnvironmentRoleList.model_validate(response) + + async def get_environment_role(self, slug: str) -> EnvironmentRole: + response = await self._http_client.request( + f"authorization/roles/{slug}", + method=REQUEST_METHOD_GET, + ) + + return EnvironmentRole.model_validate(response) + + async def update_environment_role( + self, + slug: str, + *, + name: Optional[str] = None, + description: Optional[str] = None, + ) -> EnvironmentRole: + json: Dict[str, Any] = {} + if name is not None: + json["name"] = name + if description is not None: + json["description"] = description + + response = await self._http_client.request( + f"authorization/roles/{slug}", + method=REQUEST_METHOD_PATCH, + json=json, + ) + + return EnvironmentRole.model_validate(response) + + async def set_environment_role_permissions( + self, + slug: str, + *, + permissions: Sequence[str], + ) -> EnvironmentRole: + response = await self._http_client.request( + f"authorization/roles/{slug}/permissions", + method=REQUEST_METHOD_PUT, + json={"permissions": list(permissions)}, + ) + + return EnvironmentRole.model_validate(response) + + async def add_environment_role_permission( + self, + slug: str, + *, + permission_slug: str, + ) -> EnvironmentRole: + response = await self._http_client.request( + f"authorization/roles/{slug}/permissions", + method=REQUEST_METHOD_POST, + json={"slug": permission_slug}, + ) + + return EnvironmentRole.model_validate(response) diff --git a/workos/types/authorization/__init__.py b/workos/types/authorization/__init__.py index 93dfa580..33cde309 100644 --- a/workos/types/authorization/__init__.py +++ b/workos/types/authorization/__init__.py @@ -1,7 +1,16 @@ +from workos.types.authorization.environment_role import ( + EnvironmentRole as EnvironmentRole, + EnvironmentRoleList as EnvironmentRoleList, +) from workos.types.authorization.organization_role import ( OrganizationRole as OrganizationRole, + OrganizationRoleEvent as OrganizationRoleEvent, OrganizationRoleList as OrganizationRoleList, ) from workos.types.authorization.permission import ( Permission as Permission, ) +from workos.types.authorization.role import ( + Role as Role, + RoleList as RoleList, +) diff --git a/workos/types/authorization/environment_role.py b/workos/types/authorization/environment_role.py new file mode 100644 index 00000000..a73d8ed5 --- /dev/null +++ b/workos/types/authorization/environment_role.py @@ -0,0 +1,20 @@ +from typing import Literal, Optional, Sequence + +from workos.types.workos_model import WorkOSModel + + +class EnvironmentRole(WorkOSModel): + object: Literal["role"] + id: str + name: str + slug: str + description: Optional[str] = None + permissions: Sequence[str] + type: Literal["EnvironmentRole"] + created_at: str + updated_at: str + + +class EnvironmentRoleList(WorkOSModel): + object: Literal["list"] + data: Sequence[EnvironmentRole] diff --git a/workos/types/authorization/organization_role.py b/workos/types/authorization/organization_role.py index 5214d428..2e343ad6 100644 --- a/workos/types/authorization/organization_role.py +++ b/workos/types/authorization/organization_role.py @@ -6,7 +6,6 @@ class OrganizationRole(WorkOSModel): object: Literal["role"] id: str - organization_id: str name: str slug: str description: Optional[str] = None @@ -16,6 +15,20 @@ class OrganizationRole(WorkOSModel): updated_at: str +class OrganizationRoleEvent(WorkOSModel): + """Organization role type for Events API responses.""" + + object: Literal["organization_role"] + organization_id: str + slug: str + name: str + description: Optional[str] = None + resource_type_slug: str + permissions: Sequence[str] + created_at: str + updated_at: str + + class OrganizationRoleList(WorkOSModel): object: Literal["list"] data: Sequence[OrganizationRole] diff --git a/workos/types/authorization/role.py b/workos/types/authorization/role.py new file mode 100644 index 00000000..7ea6f747 --- /dev/null +++ b/workos/types/authorization/role.py @@ -0,0 +1,18 @@ +from typing import Literal, Sequence, Union + +from pydantic import Field +from typing_extensions import Annotated + +from workos.types.authorization.environment_role import EnvironmentRole +from workos.types.authorization.organization_role import OrganizationRole +from workos.types.workos_model import WorkOSModel + +Role = Annotated[ + Union[EnvironmentRole, OrganizationRole], + Field(discriminator="type"), +] + + +class RoleList(WorkOSModel): + object: Literal["list"] + data: Sequence[Role] diff --git a/workos/types/events/event.py b/workos/types/events/event.py index 6df63091..fa5bd63f 100644 --- a/workos/types/events/event.py +++ b/workos/types/events/event.py @@ -32,6 +32,8 @@ from workos.types.events.directory_user_with_previous_attributes import ( DirectoryUserWithPreviousAttributes, ) +from workos.types.authorization.organization_role import OrganizationRoleEvent +from workos.types.authorization.permission import Permission from workos.types.events.event_model import EventModel from workos.types.events.organization_domain_verification_failed_payload import ( OrganizationDomainVerificationFailedPayload, @@ -225,6 +227,18 @@ class OrganizationMembershipUpdatedEvent(EventModel[OrganizationMembership]): event: Literal["organization_membership.updated"] +class OrganizationRoleCreatedEvent(EventModel[OrganizationRoleEvent]): + event: Literal["organization_role.created"] + + +class OrganizationRoleUpdatedEvent(EventModel[OrganizationRoleEvent]): + event: Literal["organization_role.updated"] + + +class OrganizationRoleDeletedEvent(EventModel[OrganizationRoleEvent]): + event: Literal["organization_role.deleted"] + + class PasswordResetCreatedEvent(EventModel[PasswordResetCommon]): event: Literal["password_reset.created"] @@ -233,6 +247,18 @@ class PasswordResetSucceededEvent(EventModel[PasswordResetCommon]): event: Literal["password_reset.succeeded"] +class PermissionCreatedEvent(EventModel[Permission]): + event: Literal["permission.created"] + + +class PermissionUpdatedEvent(EventModel[Permission]): + event: Literal["permission.updated"] + + +class PermissionDeletedEvent(EventModel[Permission]): + event: Literal["permission.deleted"] + + class RoleCreatedEvent(EventModel[EventRole]): event: Literal["role.created"] @@ -302,8 +328,14 @@ class UserUpdatedEvent(EventModel[User]): OrganizationMembershipCreatedEvent, OrganizationMembershipDeletedEvent, OrganizationMembershipUpdatedEvent, + OrganizationRoleCreatedEvent, + OrganizationRoleUpdatedEvent, + OrganizationRoleDeletedEvent, PasswordResetCreatedEvent, PasswordResetSucceededEvent, + PermissionCreatedEvent, + PermissionUpdatedEvent, + PermissionDeletedEvent, RoleCreatedEvent, RoleDeletedEvent, RoleUpdatedEvent, diff --git a/workos/types/events/event_model.py b/workos/types/events/event_model.py index 24443a52..dec276ae 100644 --- a/workos/types/events/event_model.py +++ b/workos/types/events/event_model.py @@ -38,6 +38,11 @@ from workos.types.events.session_created_payload import SessionCreatedPayload from workos.types.organizations.organization_common import OrganizationCommon from workos.types.organization_domains import OrganizationDomain +from workos.types.authorization.organization_role import ( + OrganizationRole, + OrganizationRoleEvent, +) +from workos.types.authorization.permission import Permission from workos.types.roles.role import EventRole from workos.types.sso.connection import Connection from workos.types.user_management.email_verification import ( @@ -79,7 +84,10 @@ OrganizationDomain, OrganizationDomainVerificationFailedPayload, OrganizationMembership, + OrganizationRole, + OrganizationRoleEvent, PasswordResetCommon, + Permission, SessionCreatedPayload, User, ) diff --git a/workos/types/events/event_type.py b/workos/types/events/event_type.py index 79856e54..8ba263e3 100644 --- a/workos/types/events/event_type.py +++ b/workos/types/events/event_type.py @@ -44,8 +44,14 @@ "organization_membership.created", "organization_membership.deleted", "organization_membership.updated", + "organization_role.created", + "organization_role.updated", + "organization_role.deleted", "password_reset.created", "password_reset.succeeded", + "permission.created", + "permission.updated", + "permission.deleted", "role.created", "role.deleted", "role.updated", diff --git a/workos/types/webhooks/webhook.py b/workos/types/webhooks/webhook.py index afe9e9ff..3a4c21b3 100644 --- a/workos/types/webhooks/webhook.py +++ b/workos/types/webhooks/webhook.py @@ -37,6 +37,8 @@ OrganizationDomainVerificationFailedPayload, ) from workos.types.events.session_created_payload import SessionCreatedPayload +from workos.types.authorization.organization_role import OrganizationRole +from workos.types.authorization.permission import Permission from workos.types.organization_domains import OrganizationDomain from workos.types.organizations.organization_common import OrganizationCommon from workos.types.roles.role import EventRole @@ -231,6 +233,18 @@ class OrganizationMembershipUpdatedWebhook(WebhookModel[OrganizationMembership]) event: Literal["organization_membership.updated"] +class OrganizationRoleCreatedWebhook(WebhookModel[OrganizationRole]): + event: Literal["organization_role.created"] + + +class OrganizationRoleUpdatedWebhook(WebhookModel[OrganizationRole]): + event: Literal["organization_role.updated"] + + +class OrganizationRoleDeletedWebhook(WebhookModel[OrganizationRole]): + event: Literal["organization_role.deleted"] + + class PasswordResetCreatedWebhook(WebhookModel[PasswordResetCommon]): event: Literal["password_reset.created"] @@ -239,6 +253,18 @@ class PasswordResetSucceededWebhook(WebhookModel[PasswordResetCommon]): event: Literal["password_reset.succeeded"] +class PermissionCreatedWebhook(WebhookModel[Permission]): + event: Literal["permission.created"] + + +class PermissionUpdatedWebhook(WebhookModel[Permission]): + event: Literal["permission.updated"] + + +class PermissionDeletedWebhook(WebhookModel[Permission]): + event: Literal["permission.deleted"] + + class RoleCreatedWebhook(WebhookModel[EventRole]): event: Literal["role.created"] @@ -308,8 +334,14 @@ class UserUpdatedWebhook(WebhookModel[User]): OrganizationMembershipCreatedWebhook, OrganizationMembershipDeletedWebhook, OrganizationMembershipUpdatedWebhook, + OrganizationRoleCreatedWebhook, + OrganizationRoleUpdatedWebhook, + OrganizationRoleDeletedWebhook, PasswordResetCreatedWebhook, PasswordResetSucceededWebhook, + PermissionCreatedWebhook, + PermissionUpdatedWebhook, + PermissionDeletedWebhook, RoleCreatedWebhook, RoleDeletedWebhook, RoleUpdatedWebhook,