Add User Roles for Consumer RBAC support (#290)

* Add User Roles for Consumer RBAC support

* Fix missing vals

---------

Co-authored-by: Stytch Codegen Bot <[email protected]>
Co-authored-by: Brandon Gier <[email protected]>

Author: 3 people

stytch/b2b/api/sso_saml.py

@@ -126,6 +126,7 @@ def update_connection(
         alternative_acs_url: Optional[str] = None,
         idp_initiated_auth_disabled: Optional[bool] = None,
         saml_encryption_private_key: Optional[str] = None,
+        allow_gateway_callback: Optional[bool] = None,
         method_options: Optional[UpdateConnectionRequestOptions] = None,
     ) -> UpdateConnectionResponse:
         """Updates an existing SAML connection.
@@ -159,6 +160,7 @@ def update_connection(
           - alternative_acs_url: An alternative URL to use for the `AssertionConsumerServiceURL` in SP initiated SAML AuthNRequests. This value can be used when you wish to migrate an existing SAML integration to Stytch with zero downtime. Note that you will be responsible for proxying requests sent to the Alternative ACS URL to Stytch. Read our [SSO migration guide](https://stytch.com/docs/b2b/guides/migrations/additional-migration-considerations) for more info.
           - idp_initiated_auth_disabled: Determines whether IDP initiated auth is allowed for a given SAML connection. Defaults to false (IDP Initiated Auth is enabled).
           - saml_encryption_private_key: A PKCS1 format RSA private key used to decrypt encrypted SAML assertions. Only PKCS1 format (starting with "-----BEGIN RSA PRIVATE KEY-----") is supported.
+          - allow_gateway_callback: (no documentation yet)
         """  # noqa
         headers: Dict[str, str] = {}
         if method_options is not None:
@@ -201,6 +203,8 @@ def update_connection(
             data["idp_initiated_auth_disabled"] = idp_initiated_auth_disabled
         if saml_encryption_private_key is not None:
             data["saml_encryption_private_key"] = saml_encryption_private_key
+        if allow_gateway_callback is not None:
+            data["allow_gateway_callback"] = allow_gateway_callback
 
         url = self.api_base.url_for(
             "/v1/b2b/sso/saml/{organization_id}/connections/{connection_id}", data
@@ -230,6 +234,7 @@ async def update_connection_async(
         alternative_acs_url: Optional[str] = None,
         idp_initiated_auth_disabled: Optional[bool] = None,
         saml_encryption_private_key: Optional[str] = None,
+        allow_gateway_callback: Optional[bool] = None,
         method_options: Optional[UpdateConnectionRequestOptions] = None,
     ) -> UpdateConnectionResponse:
         """Updates an existing SAML connection.
@@ -263,6 +268,7 @@ async def update_connection_async(
           - alternative_acs_url: An alternative URL to use for the `AssertionConsumerServiceURL` in SP initiated SAML AuthNRequests. This value can be used when you wish to migrate an existing SAML integration to Stytch with zero downtime. Note that you will be responsible for proxying requests sent to the Alternative ACS URL to Stytch. Read our [SSO migration guide](https://stytch.com/docs/b2b/guides/migrations/additional-migration-considerations) for more info.
           - idp_initiated_auth_disabled: Determines whether IDP initiated auth is allowed for a given SAML connection. Defaults to false (IDP Initiated Auth is enabled).
           - saml_encryption_private_key: A PKCS1 format RSA private key used to decrypt encrypted SAML assertions. Only PKCS1 format (starting with "-----BEGIN RSA PRIVATE KEY-----") is supported.
+          - allow_gateway_callback: (no documentation yet)
         """  # noqa
         headers: Dict[str, str] = {}
         if method_options is not None:
@@ -305,6 +311,8 @@ async def update_connection_async(
             data["idp_initiated_auth_disabled"] = idp_initiated_auth_disabled
         if saml_encryption_private_key is not None:
             data["saml_encryption_private_key"] = saml_encryption_private_key
+        if allow_gateway_callback is not None:
+            data["allow_gateway_callback"] = allow_gateway_callback
 
         url = self.api_base.url_for(
             "/v1/b2b/sso/saml/{organization_id}/connections/{connection_id}", data

stytch/b2b/models/sso.py

@@ -206,6 +206,7 @@ class SAMLConnection(pydantic.BaseModel):
     nameid_format: str
     alternative_acs_url: str
     idp_initiated_auth_disabled: bool
+    allow_gateway_callback: bool
     attribute_mapping: Optional[Dict[str, Any]] = None
 
 

stytch/consumer/api/users.py

@@ -6,7 +6,7 @@
 
 from __future__ import annotations
 
-from typing import Any, AsyncGenerator, Dict, Generator, Optional, Union
+from typing import Any, AsyncGenerator, Dict, Generator, List, Optional, Union
 
 from stytch.consumer.models.attribute import Attributes
 from stytch.consumer.models.users import (
@@ -43,6 +43,7 @@ def __init__(
 
     def create(
         self,
+        roles: List[str],
         email: Optional[str] = None,
         name: Optional[Union[Name, Dict[str, Any]]] = None,
         attributes: Optional[Union[Attributes, Dict[str, Any]]] = None,
@@ -55,6 +56,8 @@ def create(
         """Add a User to Stytch. A `user_id` is returned in the response that can then be used to perform other operations within Stytch. An `email` or a `phone_number` is required.
 
         Fields:
+          - roles: Roles to explicitly assign to this User.
+           See the [RBAC guide](https://stytch.com/docs/guides/rbac/role-assignment) for more information about role assignment.
           - email: The email address of the end user.
           - name: The name of the user. Each field in the name object is optional.
           - attributes: (no documentation yet)
@@ -69,7 +72,9 @@ def create(
           - external_id: An identifier that can be used in API calls wherever a user_id is expected. This is a string consisting of alphanumeric, `.`, `_`, `-`, or `|` characters with a maximum length of 128 characters.
         """  # noqa
         headers: Dict[str, str] = {}
-        data: Dict[str, Any] = {}
+        data: Dict[str, Any] = {
+            "roles": roles,
+        }
         if email is not None:
             data["email"] = email
         if name is not None:
@@ -95,6 +100,7 @@ def create(
 
     async def create_async(
         self,
+        roles: List[str],
         email: Optional[str] = None,
         name: Optional[Name] = None,
         attributes: Optional[Attributes] = None,
@@ -107,6 +113,8 @@ async def create_async(
         """Add a User to Stytch. A `user_id` is returned in the response that can then be used to perform other operations within Stytch. An `email` or a `phone_number` is required.
 
         Fields:
+          - roles: Roles to explicitly assign to this User.
+           See the [RBAC guide](https://stytch.com/docs/guides/rbac/role-assignment) for more information about role assignment.
           - email: The email address of the end user.
           - name: The name of the user. Each field in the name object is optional.
           - attributes: (no documentation yet)
@@ -121,7 +129,9 @@ async def create_async(
           - external_id: An identifier that can be used in API calls wherever a user_id is expected. This is a string consisting of alphanumeric, `.`, `_`, `-`, or `|` characters with a maximum length of 128 characters.
         """  # noqa
         headers: Dict[str, str] = {}
-        data: Dict[str, Any] = {}
+        data: Dict[str, Any] = {
+            "roles": roles,
+        }
         if email is not None:
             data["email"] = email
         if name is not None:
@@ -263,6 +273,7 @@ def update(
         trusted_metadata: Optional[Dict[str, Any]] = None,
         untrusted_metadata: Optional[Dict[str, Any]] = None,
         external_id: Optional[str] = None,
+        roles: Optional[List[str]] = None,
     ) -> UpdateResponse:
         """Update a User's attributes.
 
@@ -275,6 +286,8 @@ def update(
           - trusted_metadata: The `trusted_metadata` field contains an arbitrary JSON object of application-specific data. See the [Metadata](https://stytch.com/docs/api/metadata) reference for complete field behavior details.
           - untrusted_metadata: The `untrusted_metadata` field contains an arbitrary JSON object of application-specific data. Untrusted metadata can be edited by end users directly via the SDK, and **cannot be used to store critical information.** See the [Metadata](https://stytch.com/docs/api/metadata) reference for complete field behavior details.
           - external_id: An identifier that can be used in API calls wherever a user_id is expected. This is a string consisting of alphanumeric, `.`, `_`, `-`, or `|` characters with a maximum length of 128 characters.
+          - roles: Roles to explicitly assign to this User.
+           See the [RBAC guide](https://stytch.com/docs/guides/rbac/role-assignment) for more information about role assignment.
         """  # noqa
         headers: Dict[str, str] = {}
         data: Dict[str, Any] = {
@@ -292,6 +305,8 @@ def update(
             data["untrusted_metadata"] = untrusted_metadata
         if external_id is not None:
             data["external_id"] = external_id
+        if roles is not None:
+            data["roles"] = roles
 
         url = self.api_base.url_for("/v1/users/{user_id}", data)
         res = self.sync_client.put(url, data, headers)
@@ -305,6 +320,7 @@ async def update_async(
         trusted_metadata: Optional[Dict[str, Any]] = None,
         untrusted_metadata: Optional[Dict[str, Any]] = None,
         external_id: Optional[str] = None,
+        roles: Optional[List[str]] = None,
     ) -> UpdateResponse:
         """Update a User's attributes.
 
@@ -317,6 +333,8 @@ async def update_async(
           - trusted_metadata: The `trusted_metadata` field contains an arbitrary JSON object of application-specific data. See the [Metadata](https://stytch.com/docs/api/metadata) reference for complete field behavior details.
           - untrusted_metadata: The `untrusted_metadata` field contains an arbitrary JSON object of application-specific data. Untrusted metadata can be edited by end users directly via the SDK, and **cannot be used to store critical information.** See the [Metadata](https://stytch.com/docs/api/metadata) reference for complete field behavior details.
           - external_id: An identifier that can be used in API calls wherever a user_id is expected. This is a string consisting of alphanumeric, `.`, `_`, `-`, or `|` characters with a maximum length of 128 characters.
+          - roles: Roles to explicitly assign to this User.
+           See the [RBAC guide](https://stytch.com/docs/guides/rbac/role-assignment) for more information about role assignment.
         """  # noqa
         headers: Dict[str, str] = {}
         data: Dict[str, Any] = {
@@ -334,6 +352,8 @@ async def update_async(
             data["untrusted_metadata"] = untrusted_metadata
         if external_id is not None:
             data["external_id"] = external_id
+        if roles is not None:
+            data["roles"] = roles
 
         url = self.api_base.url_for("/v1/users/{user_id}", data)
         res = await self.async_client.put(url, data, headers)

stytch/consumer/models/users.py

@@ -201,6 +201,8 @@ class User(pydantic.BaseModel):
       - crypto_wallets: An array contains a list of all crypto wallets for a given User in the Stytch API.
       - biometric_registrations: An array that contains a list of all biometric registrations for a given User in the Stytch API.
       - is_locked: (no documentation yet)
+      - roles: Roles assigned to this User.
+       See the [RBAC guide](https://stytch.com/docs/guides/rbac/role-assignment) for more information about role assignment.
       - name: The name of the User. Each field in the `name` object is optional.
       - created_at: The timestamp of the User's creation. Values conform to the RFC 3339 standard and are expressed in UTC, e.g. `2021-12-29T12:33:09Z`.
       - password: The password object is returned for users with a password.
@@ -221,6 +223,7 @@ class User(pydantic.BaseModel):
     crypto_wallets: List[CryptoWallet]
     biometric_registrations: List[BiometricRegistration]
     is_locked: bool
+    roles: List[str]
     name: Optional[Name] = None
     created_at: Optional[datetime.datetime] = None
     password: Optional[Password] = None
@@ -378,6 +381,8 @@ class GetResponse(ResponseBase):
       - crypto_wallets: An array contains a list of all crypto wallets for a given User in the Stytch API.
       - biometric_registrations: An array that contains a list of all biometric registrations for a given User in the Stytch API.
       - is_locked: (no documentation yet)
+      - roles: Roles assigned to this User.
+       See the [RBAC guide](https://stytch.com/docs/guides/rbac/role-assignment) for more information about role assignment.
       - name: The name of the User. Each field in the `name` object is optional.
       - created_at: The timestamp of the User's creation. Values conform to the RFC 3339 standard and are expressed in UTC, e.g. `2021-12-29T12:33:09Z`.
       - password: The password object is returned for users with a password.
@@ -398,6 +403,7 @@ class GetResponse(ResponseBase):
     crypto_wallets: List[CryptoWallet]
     biometric_registrations: List[BiometricRegistration]
     is_locked: bool
+    roles: List[str]
     name: Optional[Name] = None
     created_at: Optional[datetime.datetime] = None
     password: Optional[Password] = None

stytch/core/api_base.py

@@ -11,7 +11,9 @@ def __init__(self, base_url: str) -> None:
     def url_for(self, route: str, data: Dict[str, Any]) -> str:
         url = urllib.parse.urljoin(self.base_url, route)
         # URL-encode path parameters to handle special characters like + in email addresses
-        encoded_data = {key: urllib.parse.quote(str(value), safe='') for key, value in data.items()}
+        encoded_data = {
+            key: urllib.parse.quote(str(value), safe="") for key, value in data.items()
+        }
         return url.format(**encoded_data)
 
     def route_with_sub_url(self, sub_url: str, route: Optional[str] = None) -> str:

stytch/version.py

@@ -1 +1 @@
-__version__ = "13.20.1"
+__version__ = "13.21.0"

test/integration_base.py

@@ -104,7 +104,9 @@ def _get_temporary_user(
         test_user = self.__get_temporary_test_user()
         if create:
             if via_magic_link:
-                users_resp = self.b2c_client.users.create(email=test_user.email)
+                users_resp = self.b2c_client.users.create(
+                    roles=[], email=test_user.email
+                )
                 user_id = users_resp.user_id
             else:
                 pw_resp = self.b2c_client.passwords.create(
@@ -125,7 +127,7 @@ async def _get_temporary_user_async(
         if create:
             if via_magic_link:
                 users_resp = await self.b2c_client.users.create_async(
-                    email=test_user.email
+                    roles=[], email=test_user.email
                 )
                 user_id = users_resp.user_id
             else:

test/test_integration.py

@@ -194,7 +194,7 @@ def test_users(self) -> None:
         api = self.b2c_client.users
 
         with self._get_temporary_user(create=False) as user:
-            create_resp = api.create(email=user.email)
+            create_resp = api.create(roles=[], email=user.email)
             self.assertTrue(create_resp.is_success)
             self.assertTrue(api.search(limit=10).is_success)
             self.assertTrue(

test/test_integration_async.py

@@ -267,7 +267,7 @@ async def test_users_async(self) -> None:
         api = self.b2c_client.users
 
         async with self._get_temporary_user_async(create=False) as user:
-            create_resp = await api.create_async(email=user.email)
+            create_resp = await api.create_async(roles=[], email=user.email)
             self.assertTrue(create_resp.is_success)
             self.assertTrue((await api.search_async(limit=10)).is_success)
             self.assertTrue(