Add authorization organization roles support (#549)

* Add authorization organization roles support

Add CRUD operations for organization roles including create, list, get,
update, set/add/remove permissions on the authorization module.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* format

* Add authorization environment roles support (#550)

* Add authorization environment roles support

Add CRUD operations for environment roles including create, list, get,
update, set/add permissions on the authorization module.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* Use Role union type for list/get organization role endpoints

The list and get organization role endpoints can return both
EnvironmentRole and OrganizationRole types. This aligns the
Python SDK return types with the Node SDK.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* Add authorization event and webhook types (#551)

* Add authorization event and webhook types

Add event and webhook types for organization_role (created, updated,
deleted) and permission (created, updated, deleted) to support
authorization-related event streaming and webhook delivery.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* Distinct type for organization role events

* mypy

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

Author: csrbarber

tests/test_authorization.py

@@ -1,6 +1,8 @@
 from typing import Union
 
 import pytest
+from tests.utils.fixtures.mock_environment_role import MockEnvironmentRole
+from tests.utils.fixtures.mock_organization_role import MockOrganizationRole
 from tests.utils.fixtures.mock_permission import MockPermission
 from tests.utils.list_resource import list_response_of
 from tests.utils.syncify import syncify
@@ -170,3 +172,278 @@ def test_delete_permission(self, capture_and_mock_http_client_request):
         assert request_kwargs["url"].endswith(
             "/authorization/permissions/documents:read"
         )
+
+    # --- Organization Role fixtures ---
+
+    @pytest.fixture
+    def mock_organization_role(self):
+        return MockOrganizationRole(id="role_01ABC").dict()
+
+    @pytest.fixture
+    def mock_organization_roles(self):
+        return {
+            "data": [MockOrganizationRole(id=f"role_{i}").dict() for i in range(5)],
+            "object": "list",
+        }
+
+    # --- Organization Role tests ---
+
+    def test_create_organization_role(
+        self, mock_organization_role, capture_and_mock_http_client_request
+    ):
+        request_kwargs = capture_and_mock_http_client_request(
+            self.http_client, mock_organization_role, 201
+        )
+
+        role = syncify(
+            self.authorization.create_organization_role(
+                "org_01EHT88Z8J8795GZNQ4ZP1J81T",
+                slug="admin",
+                name="Admin",
+            )
+        )
+
+        assert role.id == "role_01ABC"
+        assert role.type == "OrganizationRole"
+        assert request_kwargs["method"] == "post"
+        assert request_kwargs["url"].endswith(
+            "/authorization/organizations/org_01EHT88Z8J8795GZNQ4ZP1J81T/roles"
+        )
+        assert request_kwargs["json"] == {"slug": "admin", "name": "Admin"}
+
+    def test_list_organization_roles(
+        self, mock_organization_roles, capture_and_mock_http_client_request
+    ):
+        request_kwargs = capture_and_mock_http_client_request(
+            self.http_client, mock_organization_roles, 200
+        )
+
+        roles_response = syncify(
+            self.authorization.list_organization_roles("org_01EHT88Z8J8795GZNQ4ZP1J81T")
+        )
+
+        assert request_kwargs["method"] == "get"
+        assert request_kwargs["url"].endswith(
+            "/authorization/organizations/org_01EHT88Z8J8795GZNQ4ZP1J81T/roles"
+        )
+        assert len(roles_response.data) == 5
+
+    def test_get_organization_role(
+        self, mock_organization_role, capture_and_mock_http_client_request
+    ):
+        request_kwargs = capture_and_mock_http_client_request(
+            self.http_client, mock_organization_role, 200
+        )
+
+        role = syncify(
+            self.authorization.get_organization_role(
+                "org_01EHT88Z8J8795GZNQ4ZP1J81T", "admin"
+            )
+        )
+
+        assert role.id == "role_01ABC"
+        assert request_kwargs["method"] == "get"
+        assert request_kwargs["url"].endswith(
+            "/authorization/organizations/org_01EHT88Z8J8795GZNQ4ZP1J81T/roles/admin"
+        )
+
+    def test_update_organization_role(
+        self, mock_organization_role, capture_and_mock_http_client_request
+    ):
+        request_kwargs = capture_and_mock_http_client_request(
+            self.http_client, mock_organization_role, 200
+        )
+
+        role = syncify(
+            self.authorization.update_organization_role(
+                "org_01EHT88Z8J8795GZNQ4ZP1J81T",
+                "admin",
+                name="Super Admin",
+            )
+        )
+
+        assert role.id == "role_01ABC"
+        assert request_kwargs["method"] == "patch"
+        assert request_kwargs["url"].endswith(
+            "/authorization/organizations/org_01EHT88Z8J8795GZNQ4ZP1J81T/roles/admin"
+        )
+        assert request_kwargs["json"] == {"name": "Super Admin"}
+
+    def test_set_organization_role_permissions(
+        self, mock_organization_role, capture_and_mock_http_client_request
+    ):
+        request_kwargs = capture_and_mock_http_client_request(
+            self.http_client, mock_organization_role, 200
+        )
+
+        role = syncify(
+            self.authorization.set_organization_role_permissions(
+                "org_01EHT88Z8J8795GZNQ4ZP1J81T",
+                "admin",
+                permissions=["documents:read", "documents:write"],
+            )
+        )
+
+        assert role.id == "role_01ABC"
+        assert request_kwargs["method"] == "put"
+        assert request_kwargs["url"].endswith(
+            "/authorization/organizations/org_01EHT88Z8J8795GZNQ4ZP1J81T/roles/admin/permissions"
+        )
+        assert request_kwargs["json"] == {
+            "permissions": ["documents:read", "documents:write"]
+        }
+
+    def test_add_organization_role_permission(
+        self, mock_organization_role, capture_and_mock_http_client_request
+    ):
+        request_kwargs = capture_and_mock_http_client_request(
+            self.http_client, mock_organization_role, 200
+        )
+
+        role = syncify(
+            self.authorization.add_organization_role_permission(
+                "org_01EHT88Z8J8795GZNQ4ZP1J81T",
+                "admin",
+                permission_slug="documents:read",
+            )
+        )
+
+        assert role.id == "role_01ABC"
+        assert request_kwargs["method"] == "post"
+        assert request_kwargs["url"].endswith(
+            "/authorization/organizations/org_01EHT88Z8J8795GZNQ4ZP1J81T/roles/admin/permissions"
+        )
+        assert request_kwargs["json"] == {"slug": "documents:read"}
+
+    def test_remove_organization_role_permission(
+        self, capture_and_mock_http_client_request
+    ):
+        request_kwargs = capture_and_mock_http_client_request(
+            self.http_client,
+            202,
+            headers={"content-type": "text/plain; charset=utf-8"},
+        )
+
+        response = syncify(
+            self.authorization.remove_organization_role_permission(
+                "org_01EHT88Z8J8795GZNQ4ZP1J81T",
+                "admin",
+                permission_slug="documents:read",
+            )
+        )
+
+        assert response is None
+        assert request_kwargs["method"] == "delete"
+        assert request_kwargs["url"].endswith(
+            "/authorization/organizations/org_01EHT88Z8J8795GZNQ4ZP1J81T/roles/admin/permissions/documents:read"
+        )
+
+    # --- Environment Role fixtures ---
+
+    @pytest.fixture
+    def mock_environment_role(self):
+        return MockEnvironmentRole(id="role_01DEF").dict()
+
+    @pytest.fixture
+    def mock_environment_roles(self):
+        return {
+            "data": [MockEnvironmentRole(id=f"role_{i}").dict() for i in range(5)],
+            "object": "list",
+        }
+
+    # --- Environment Role tests ---
+
+    def test_create_environment_role(
+        self, mock_environment_role, capture_and_mock_http_client_request
+    ):
+        request_kwargs = capture_and_mock_http_client_request(
+            self.http_client, mock_environment_role, 201
+        )
+
+        role = syncify(
+            self.authorization.create_environment_role(slug="member", name="Member")
+        )
+
+        assert role.id == "role_01DEF"
+        assert role.type == "EnvironmentRole"
+        assert request_kwargs["method"] == "post"
+        assert request_kwargs["url"].endswith("/authorization/roles")
+        assert request_kwargs["json"] == {"slug": "member", "name": "Member"}
+
+    def test_list_environment_roles(
+        self, mock_environment_roles, capture_and_mock_http_client_request
+    ):
+        request_kwargs = capture_and_mock_http_client_request(
+            self.http_client, mock_environment_roles, 200
+        )
+
+        roles_response = syncify(self.authorization.list_environment_roles())
+
+        assert request_kwargs["method"] == "get"
+        assert request_kwargs["url"].endswith("/authorization/roles")
+        assert len(roles_response.data) == 5
+
+    def test_get_environment_role(
+        self, mock_environment_role, capture_and_mock_http_client_request
+    ):
+        request_kwargs = capture_and_mock_http_client_request(
+            self.http_client, mock_environment_role, 200
+        )
+
+        role = syncify(self.authorization.get_environment_role("member"))
+
+        assert role.id == "role_01DEF"
+        assert request_kwargs["method"] == "get"
+        assert request_kwargs["url"].endswith("/authorization/roles/member")
+
+    def test_update_environment_role(
+        self, mock_environment_role, capture_and_mock_http_client_request
+    ):
+        request_kwargs = capture_and_mock_http_client_request(
+            self.http_client, mock_environment_role, 200
+        )
+
+        role = syncify(
+            self.authorization.update_environment_role("member", name="Updated Member")
+        )
+
+        assert role.id == "role_01DEF"
+        assert request_kwargs["method"] == "patch"
+        assert request_kwargs["url"].endswith("/authorization/roles/member")
+        assert request_kwargs["json"] == {"name": "Updated Member"}
+
+    def test_set_environment_role_permissions(
+        self, mock_environment_role, capture_and_mock_http_client_request
+    ):
+        request_kwargs = capture_and_mock_http_client_request(
+            self.http_client, mock_environment_role, 200
+        )
+
+        role = syncify(
+            self.authorization.set_environment_role_permissions(
+                "member", permissions=["documents:read"]
+            )
+        )
+
+        assert role.id == "role_01DEF"
+        assert request_kwargs["method"] == "put"
+        assert request_kwargs["url"].endswith("/authorization/roles/member/permissions")
+        assert request_kwargs["json"] == {"permissions": ["documents:read"]}
+
+    def test_add_environment_role_permission(
+        self, mock_environment_role, capture_and_mock_http_client_request
+    ):
+        request_kwargs = capture_and_mock_http_client_request(
+            self.http_client, mock_environment_role, 200
+        )
+
+        role = syncify(
+            self.authorization.add_environment_role_permission(
+                "member", permission_slug="documents:read"
+            )
+        )
+
+        assert role.id == "role_01DEF"
+        assert request_kwargs["method"] == "post"
+        assert request_kwargs["url"].endswith("/authorization/roles/member/permissions")
+        assert request_kwargs["json"] == {"slug": "documents:read"}

tests/utils/fixtures/mock_environment_role.py

@@ -0,0 +1,19 @@
+import datetime
+
+from workos.types.authorization.environment_role import EnvironmentRole
+
+
+class MockEnvironmentRole(EnvironmentRole):
+    def __init__(self, id: str):
+        now = datetime.datetime.now().isoformat()
+        super().__init__(
+            object="role",
+            id=id,
+            name="Member",
+            slug="member",
+            description="Default environment member role",
+            permissions=["documents:read"],
+            type="EnvironmentRole",
+            created_at=now,
+            updated_at=now,
+        )

tests/utils/fixtures/mock_organization_role.py

@@ -0,0 +1,24 @@
+import datetime
+
+from workos.types.authorization.organization_role import OrganizationRole
+
+
+class MockOrganizationRole(OrganizationRole):
+    def __init__(
+        self,
+        id: str,
+        organization_id: str = "org_01EHT88Z8J8795GZNQ4ZP1J81T",
+    ):
+        now = datetime.datetime.now().isoformat()
+        super().__init__(
+            object="role",
+            id=id,
+            organization_id=organization_id,
+            name="Admin",
+            slug="admin",
+            description="Organization admin role",
+            permissions=["documents:read", "documents:write"],
+            type="OrganizationRole",
+            created_at=now,
+            updated_at=now,
+        )