diff --git a/tests/test_authorization.py b/tests/test_authorization.py index dd00bd53..cc6feddc 100644 --- a/tests/test_authorization.py +++ b/tests/test_authorization.py @@ -1,6 +1,7 @@ from typing import Union import pytest +from tests.utils.fixtures.mock_organization_role import MockOrganizationRole from tests.utils.fixtures.mock_permission import MockPermission from tests.utils.list_resource import list_response_of from tests.utils.syncify import syncify @@ -170,3 +171,168 @@ def test_delete_permission(self, capture_and_mock_http_client_request): assert request_kwargs["url"].endswith( "/authorization/permissions/documents:read" ) + + # --- Organization Role fixtures --- + + @pytest.fixture + def mock_organization_role(self): + return MockOrganizationRole(id="role_01ABC").dict() + + @pytest.fixture + def mock_organization_roles(self): + return { + "data": [MockOrganizationRole(id=f"role_{i}").dict() for i in range(5)], + "object": "list", + } + + # --- Organization Role tests --- + + def test_create_organization_role( + self, mock_organization_role, capture_and_mock_http_client_request + ): + request_kwargs = capture_and_mock_http_client_request( + self.http_client, mock_organization_role, 201 + ) + + role = syncify( + self.authorization.create_organization_role( + "org_01EHT88Z8J8795GZNQ4ZP1J81T", + slug="admin", + name="Admin", + ) + ) + + assert role.id == "role_01ABC" + assert role.type == "OrganizationRole" + assert request_kwargs["method"] == "post" + assert request_kwargs["url"].endswith( + "/authorization/organizations/org_01EHT88Z8J8795GZNQ4ZP1J81T/roles" + ) + assert request_kwargs["json"] == {"slug": "admin", "name": "Admin"} + + def test_list_organization_roles( + self, mock_organization_roles, capture_and_mock_http_client_request + ): + request_kwargs = capture_and_mock_http_client_request( + self.http_client, mock_organization_roles, 200 + ) + + roles_response = syncify( + self.authorization.list_organization_roles("org_01EHT88Z8J8795GZNQ4ZP1J81T") + ) + + assert request_kwargs["method"] == "get" + assert request_kwargs["url"].endswith( + "/authorization/organizations/org_01EHT88Z8J8795GZNQ4ZP1J81T/roles" + ) + assert len(roles_response.data) == 5 + + def test_get_organization_role( + self, mock_organization_role, capture_and_mock_http_client_request + ): + request_kwargs = capture_and_mock_http_client_request( + self.http_client, mock_organization_role, 200 + ) + + role = syncify( + self.authorization.get_organization_role( + "org_01EHT88Z8J8795GZNQ4ZP1J81T", "admin" + ) + ) + + assert role.id == "role_01ABC" + assert request_kwargs["method"] == "get" + assert request_kwargs["url"].endswith( + "/authorization/organizations/org_01EHT88Z8J8795GZNQ4ZP1J81T/roles/admin" + ) + + def test_update_organization_role( + self, mock_organization_role, capture_and_mock_http_client_request + ): + request_kwargs = capture_and_mock_http_client_request( + self.http_client, mock_organization_role, 200 + ) + + role = syncify( + self.authorization.update_organization_role( + "org_01EHT88Z8J8795GZNQ4ZP1J81T", + "admin", + name="Super Admin", + ) + ) + + assert role.id == "role_01ABC" + assert request_kwargs["method"] == "patch" + assert request_kwargs["url"].endswith( + "/authorization/organizations/org_01EHT88Z8J8795GZNQ4ZP1J81T/roles/admin" + ) + assert request_kwargs["json"] == {"name": "Super Admin"} + + def test_set_organization_role_permissions( + self, mock_organization_role, capture_and_mock_http_client_request + ): + request_kwargs = capture_and_mock_http_client_request( + self.http_client, mock_organization_role, 200 + ) + + role = syncify( + self.authorization.set_organization_role_permissions( + "org_01EHT88Z8J8795GZNQ4ZP1J81T", + "admin", + permissions=["documents:read", "documents:write"], + ) + ) + + assert role.id == "role_01ABC" + assert request_kwargs["method"] == "put" + assert request_kwargs["url"].endswith( + "/authorization/organizations/org_01EHT88Z8J8795GZNQ4ZP1J81T/roles/admin/permissions" + ) + assert request_kwargs["json"] == { + "permissions": ["documents:read", "documents:write"] + } + + def test_add_organization_role_permission( + self, mock_organization_role, capture_and_mock_http_client_request + ): + request_kwargs = capture_and_mock_http_client_request( + self.http_client, mock_organization_role, 200 + ) + + role = syncify( + self.authorization.add_organization_role_permission( + "org_01EHT88Z8J8795GZNQ4ZP1J81T", + "admin", + permission_slug="documents:read", + ) + ) + + assert role.id == "role_01ABC" + assert request_kwargs["method"] == "post" + assert request_kwargs["url"].endswith( + "/authorization/organizations/org_01EHT88Z8J8795GZNQ4ZP1J81T/roles/admin/permissions" + ) + assert request_kwargs["json"] == {"slug": "documents:read"} + + def test_remove_organization_role_permission( + self, capture_and_mock_http_client_request + ): + request_kwargs = capture_and_mock_http_client_request( + self.http_client, + 202, + headers={"content-type": "text/plain; charset=utf-8"}, + ) + + response = syncify( + self.authorization.remove_organization_role_permission( + "org_01EHT88Z8J8795GZNQ4ZP1J81T", + "admin", + permission_slug="documents:read", + ) + ) + + assert response is None + assert request_kwargs["method"] == "delete" + assert request_kwargs["url"].endswith( + "/authorization/organizations/org_01EHT88Z8J8795GZNQ4ZP1J81T/roles/admin/permissions/documents:read" + ) diff --git a/tests/utils/fixtures/mock_organization_role.py b/tests/utils/fixtures/mock_organization_role.py new file mode 100644 index 00000000..f2b5ac8c --- /dev/null +++ b/tests/utils/fixtures/mock_organization_role.py @@ -0,0 +1,24 @@ +import datetime + +from workos.types.authorization.organization_role import OrganizationRole + + +class MockOrganizationRole(OrganizationRole): + def __init__( + self, + id: str, + organization_id: str = "org_01EHT88Z8J8795GZNQ4ZP1J81T", + ): + now = datetime.datetime.now().isoformat() + super().__init__( + object="role", + id=id, + organization_id=organization_id, + name="Admin", + slug="admin", + description="Organization admin role", + permissions=["documents:read", "documents:write"], + type="OrganizationRole", + created_at=now, + updated_at=now, + ) diff --git a/workos/authorization.py b/workos/authorization.py index 9fb0985f..2805652b 100644 --- a/workos/authorization.py +++ b/workos/authorization.py @@ -1,5 +1,9 @@ -from typing import Any, Dict, Optional, Protocol +from typing import Any, Dict, Optional, Protocol, Sequence +from workos.types.authorization.organization_role import ( + OrganizationRole, + OrganizationRoleList, +) from workos.types.authorization.permission import Permission from workos.types.list_resource import ( ListArgs, @@ -16,6 +20,7 @@ REQUEST_METHOD_GET, REQUEST_METHOD_PATCH, REQUEST_METHOD_POST, + REQUEST_METHOD_PUT, ) AUTHORIZATION_PERMISSIONS_PATH = "authorization/permissions" @@ -62,6 +67,58 @@ def update_permission( def delete_permission(self, slug: str) -> SyncOrAsync[None]: ... + # Organization Roles + + def create_organization_role( + self, + organization_id: str, + *, + slug: str, + name: str, + description: Optional[str] = None, + ) -> SyncOrAsync[OrganizationRole]: ... + + def list_organization_roles( + self, organization_id: str + ) -> SyncOrAsync[OrganizationRoleList]: ... + + def get_organization_role( + self, organization_id: str, slug: str + ) -> SyncOrAsync[OrganizationRole]: ... + + def update_organization_role( + self, + organization_id: str, + slug: str, + *, + name: Optional[str] = None, + description: Optional[str] = None, + ) -> SyncOrAsync[OrganizationRole]: ... + + def set_organization_role_permissions( + self, + organization_id: str, + slug: str, + *, + permissions: Sequence[str], + ) -> SyncOrAsync[OrganizationRole]: ... + + def add_organization_role_permission( + self, + organization_id: str, + slug: str, + *, + permission_slug: str, + ) -> SyncOrAsync[OrganizationRole]: ... + + def remove_organization_role_permission( + self, + organization_id: str, + slug: str, + *, + permission_slug: str, + ) -> SyncOrAsync[None]: ... + class Authorization(AuthorizationModule): _http_client: SyncHTTPClient @@ -150,6 +207,110 @@ def delete_permission(self, slug: str) -> None: method=REQUEST_METHOD_DELETE, ) + # Organization Roles + + def create_organization_role( + self, + organization_id: str, + *, + slug: str, + name: str, + description: Optional[str] = None, + ) -> OrganizationRole: + json: Dict[str, Any] = {"slug": slug, "name": name} + if description is not None: + json["description"] = description + + response = self._http_client.request( + f"authorization/organizations/{organization_id}/roles", + method=REQUEST_METHOD_POST, + json=json, + ) + + return OrganizationRole.model_validate(response) + + def list_organization_roles(self, organization_id: str) -> OrganizationRoleList: + response = self._http_client.request( + f"authorization/organizations/{organization_id}/roles", + method=REQUEST_METHOD_GET, + ) + + return OrganizationRoleList.model_validate(response) + + def get_organization_role( + self, organization_id: str, slug: str + ) -> OrganizationRole: + response = self._http_client.request( + f"authorization/organizations/{organization_id}/roles/{slug}", + method=REQUEST_METHOD_GET, + ) + + return OrganizationRole.model_validate(response) + + def update_organization_role( + self, + organization_id: str, + slug: str, + *, + name: Optional[str] = None, + description: Optional[str] = None, + ) -> OrganizationRole: + json: Dict[str, Any] = {} + if name is not None: + json["name"] = name + if description is not None: + json["description"] = description + + response = self._http_client.request( + f"authorization/organizations/{organization_id}/roles/{slug}", + method=REQUEST_METHOD_PATCH, + json=json, + ) + + return OrganizationRole.model_validate(response) + + def set_organization_role_permissions( + self, + organization_id: str, + slug: str, + *, + permissions: Sequence[str], + ) -> OrganizationRole: + response = self._http_client.request( + f"authorization/organizations/{organization_id}/roles/{slug}/permissions", + method=REQUEST_METHOD_PUT, + json={"permissions": list(permissions)}, + ) + + return OrganizationRole.model_validate(response) + + def add_organization_role_permission( + self, + organization_id: str, + slug: str, + *, + permission_slug: str, + ) -> OrganizationRole: + response = self._http_client.request( + f"authorization/organizations/{organization_id}/roles/{slug}/permissions", + method=REQUEST_METHOD_POST, + json={"slug": permission_slug}, + ) + + return OrganizationRole.model_validate(response) + + def remove_organization_role_permission( + self, + organization_id: str, + slug: str, + *, + permission_slug: str, + ) -> None: + self._http_client.request( + f"authorization/organizations/{organization_id}/roles/{slug}/permissions/{permission_slug}", + method=REQUEST_METHOD_DELETE, + ) + class AsyncAuthorization(AuthorizationModule): _http_client: AsyncHTTPClient @@ -237,3 +398,109 @@ async def delete_permission(self, slug: str) -> None: f"{AUTHORIZATION_PERMISSIONS_PATH}/{slug}", method=REQUEST_METHOD_DELETE, ) + + # Organization Roles + + async def create_organization_role( + self, + organization_id: str, + *, + slug: str, + name: str, + description: Optional[str] = None, + ) -> OrganizationRole: + json: Dict[str, Any] = {"slug": slug, "name": name} + if description is not None: + json["description"] = description + + response = await self._http_client.request( + f"authorization/organizations/{organization_id}/roles", + method=REQUEST_METHOD_POST, + json=json, + ) + + return OrganizationRole.model_validate(response) + + async def list_organization_roles( + self, organization_id: str + ) -> OrganizationRoleList: + response = await self._http_client.request( + f"authorization/organizations/{organization_id}/roles", + method=REQUEST_METHOD_GET, + ) + + return OrganizationRoleList.model_validate(response) + + async def get_organization_role( + self, organization_id: str, slug: str + ) -> OrganizationRole: + response = await self._http_client.request( + f"authorization/organizations/{organization_id}/roles/{slug}", + method=REQUEST_METHOD_GET, + ) + + return OrganizationRole.model_validate(response) + + async def update_organization_role( + self, + organization_id: str, + slug: str, + *, + name: Optional[str] = None, + description: Optional[str] = None, + ) -> OrganizationRole: + json: Dict[str, Any] = {} + if name is not None: + json["name"] = name + if description is not None: + json["description"] = description + + response = await self._http_client.request( + f"authorization/organizations/{organization_id}/roles/{slug}", + method=REQUEST_METHOD_PATCH, + json=json, + ) + + return OrganizationRole.model_validate(response) + + async def set_organization_role_permissions( + self, + organization_id: str, + slug: str, + *, + permissions: Sequence[str], + ) -> OrganizationRole: + response = await self._http_client.request( + f"authorization/organizations/{organization_id}/roles/{slug}/permissions", + method=REQUEST_METHOD_PUT, + json={"permissions": list(permissions)}, + ) + + return OrganizationRole.model_validate(response) + + async def add_organization_role_permission( + self, + organization_id: str, + slug: str, + *, + permission_slug: str, + ) -> OrganizationRole: + response = await self._http_client.request( + f"authorization/organizations/{organization_id}/roles/{slug}/permissions", + method=REQUEST_METHOD_POST, + json={"slug": permission_slug}, + ) + + return OrganizationRole.model_validate(response) + + async def remove_organization_role_permission( + self, + organization_id: str, + slug: str, + *, + permission_slug: str, + ) -> None: + await self._http_client.request( + f"authorization/organizations/{organization_id}/roles/{slug}/permissions/{permission_slug}", + method=REQUEST_METHOD_DELETE, + ) diff --git a/workos/types/authorization/__init__.py b/workos/types/authorization/__init__.py index 19893511..93dfa580 100644 --- a/workos/types/authorization/__init__.py +++ b/workos/types/authorization/__init__.py @@ -1,3 +1,7 @@ +from workos.types.authorization.organization_role import ( + OrganizationRole as OrganizationRole, + OrganizationRoleList as OrganizationRoleList, +) from workos.types.authorization.permission import ( Permission as Permission, ) diff --git a/workos/types/authorization/organization_role.py b/workos/types/authorization/organization_role.py new file mode 100644 index 00000000..5214d428 --- /dev/null +++ b/workos/types/authorization/organization_role.py @@ -0,0 +1,21 @@ +from typing import Literal, Optional, Sequence + +from workos.types.workos_model import WorkOSModel + + +class OrganizationRole(WorkOSModel): + object: Literal["role"] + id: str + organization_id: str + name: str + slug: str + description: Optional[str] = None + permissions: Sequence[str] + type: Literal["OrganizationRole"] + created_at: str + updated_at: str + + +class OrganizationRoleList(WorkOSModel): + object: Literal["list"] + data: Sequence[OrganizationRole]