fga pt3

Author: swaroopAkkineniWorkos

src/workos/authorization.py

@@ -3,6 +3,7 @@
 from pydantic import TypeAdapter
 from typing_extensions import TypedDict
 
+from workos.types.authorization.access_evaluation import AccessEvaluation
 from workos.types.authorization.environment_role import (
     EnvironmentRole,
     EnvironmentRoleList,
@@ -44,6 +45,18 @@ class ParentResourceByExternalId(TypedDict):
 
 ParentResource = Union[ParentResourceById, ParentResourceByExternalId]
 
+
+class CheckResourceById(TypedDict):
+    resource_id: str
+
+
+class CheckResourceByExternalId(TypedDict):
+    resource_type: str
+    external_id: str
+
+
+CheckResource = Union[CheckResourceById, CheckResourceByExternalId]
+
 _role_adapter: TypeAdapter[Role] = TypeAdapter(Role)
 
 
@@ -206,6 +219,16 @@ def delete_resource(
         cascade_delete: Optional[bool] = None,
     ) -> SyncOrAsync[None]: ...
 
+    # Access Evaluation
+
+    def check(
+        self,
+        organization_membership_id: str,
+        *,
+        resource: CheckResource,
+        relation: str,
+    ) -> SyncOrAsync[AccessEvaluation]: ...
+
 
 class Authorization(AuthorizationModule):
     _http_client: SyncHTTPClient
@@ -522,8 +545,8 @@ def create_resource(
 
     def update_resource(
         self,
-        *,
         resource_id: str,
+        *,
         name: Optional[str] = None,
         description: Optional[str] = None,
     ) -> Resource:
@@ -543,8 +566,8 @@ def update_resource(
 
     def delete_resource(
         self,
-        *,
         resource_id: str,
+        *,
         cascade_delete: Optional[bool] = None,
     ) -> None:
         if cascade_delete is not None:
@@ -558,6 +581,28 @@ def delete_resource(
                 method=REQUEST_METHOD_DELETE,
             )
 
+    # Access Evaluation
+
+    def check(
+        self,
+        organization_membership_id: str,
+        *,
+        resource: CheckResource,
+        relation: str,
+    ) -> AccessEvaluation:
+        json: Dict[str, Any] = {
+            "resource": resource,
+            "relation": relation,
+        }
+
+        response = self._http_client.request(
+            f"authorization/organization_memberships/{organization_membership_id}/check",
+            method=REQUEST_METHOD_POST,
+            json=json,
+        )
+
+        return AccessEvaluation.model_validate(response)
+
 
 class AsyncAuthorization(AuthorizationModule):
     _http_client: AsyncHTTPClient
@@ -909,3 +954,25 @@ async def delete_resource(
                 f"{AUTHORIZATION_RESOURCES_PATH}/{resource_id}",
                 method=REQUEST_METHOD_DELETE,
             )
+
+    # Access Evaluation
+
+    async def check(
+        self,
+        organization_membership_id: str,
+        *,
+        resource: CheckResource,
+        relation: str,
+    ) -> AccessEvaluation:
+        json: Dict[str, Any] = {
+            "resource": resource,
+            "relation": relation,
+        }
+
+        response = await self._http_client.request(
+            f"authorization/organization_memberships/{organization_membership_id}/check",
+            method=REQUEST_METHOD_POST,
+            json=json,
+        )
+
+        return AccessEvaluation.model_validate(response)

tests/test_authorization_check.py

@@ -0,0 +1,110 @@
+from typing import Union
+
+import pytest
+from tests.utils.syncify import syncify
+from workos.authorization import AsyncAuthorization, Authorization
+
+
+@pytest.mark.sync_and_async(Authorization, AsyncAuthorization)
+class TestAuthorizationCheck:
+    @pytest.fixture(autouse=True)
+    def setup(self, module_instance: Union[Authorization, AsyncAuthorization]):
+        self.http_client = module_instance._http_client
+        self.authorization = module_instance
+
+    # --- check: authorized result ---
+
+    def test_check_authorized(self, capture_and_mock_http_client_request):
+        request_kwargs = capture_and_mock_http_client_request(
+            self.http_client, {"authorized": True}, 200
+        )
+
+        result = syncify(
+            self.authorization.check(
+                "om_01ABC123",
+                resource={"resource_id": "res_01ABC"},
+                relation="viewer",
+            )
+        )
+
+        assert result.authorized is True
+        assert request_kwargs["method"] == "post"
+
+    # --- check: unauthorized result ---
+
+    def test_check_unauthorized(self, capture_and_mock_http_client_request):
+        request_kwargs = capture_and_mock_http_client_request(
+            self.http_client, {"authorized": False}, 200
+        )
+
+        result = syncify(
+            self.authorization.check(
+                "om_01ABC123",
+                resource={"resource_id": "res_01ABC"},
+                relation="editor",
+            )
+        )
+
+        assert result.authorized is False
+        assert request_kwargs["method"] == "post"
+
+    # --- check: resource by internal ID ---
+
+    def test_check_resource_by_internal_id(self, capture_and_mock_http_client_request):
+        request_kwargs = capture_and_mock_http_client_request(
+            self.http_client, {"authorized": True}, 200
+        )
+
+        syncify(
+            self.authorization.check(
+                "om_01ABC123",
+                resource={"resource_id": "res_01ABC"},
+                relation="viewer",
+            )
+        )
+
+        assert request_kwargs["json"] == {
+            "resource": {"resource_id": "res_01ABC"},
+            "relation": "viewer",
+        }
+
+    # --- check: resource by external ID ---
+
+    def test_check_resource_by_external_id(self, capture_and_mock_http_client_request):
+        request_kwargs = capture_and_mock_http_client_request(
+            self.http_client, {"authorized": True}, 200
+        )
+
+        syncify(
+            self.authorization.check(
+                "om_01ABC123",
+                resource={"resource_type": "document", "external_id": "my-doc-456"},
+                relation="editor",
+            )
+        )
+
+        assert request_kwargs["json"] == {
+            "resource": {"resource_type": "document", "external_id": "my-doc-456"},
+            "relation": "editor",
+        }
+
+    # --- check: URL construction ---
+
+    def test_check_url_contains_org_membership_id(
+        self, capture_and_mock_http_client_request
+    ):
+        request_kwargs = capture_and_mock_http_client_request(
+            self.http_client, {"authorized": True}, 200
+        )
+
+        syncify(
+            self.authorization.check(
+                "om_01MEMBERSHIP",
+                resource={"resource_id": "res_01ABC"},
+                relation="viewer",
+            )
+        )
+
+        assert request_kwargs["url"].endswith(
+            "/authorization/organization_memberships/om_01MEMBERSHIP/check"
+        )

tests/test_authorization_resource_crud.py

@@ -42,17 +42,23 @@ def test_create_resource_required_fields_only(
 
         resource = syncify(
             self.authorization.create_resource(
-                resource_type="document",
+                resource_type_slug="document",
                 organization_id="org_01EHT88Z8J8795GZNQ4ZP1J81T",
+                external_id="ext_123",
+                name="Test Resource",
+                parent={"parent_resource_id": "res_01PARENT"},
             )
         )
 
         assert resource.id == "res_01ABC"
         assert request_kwargs["method"] == "post"
         assert request_kwargs["url"].endswith("/authorization/resources")
         assert request_kwargs["json"] == {
-            "resource_type": "document",
+            "resource_type_slug": "document",
             "organization_id": "org_01EHT88Z8J8795GZNQ4ZP1J81T",
+            "external_id": "ext_123",
+            "name": "Test Resource",
+            "parent_resource_id": "res_01PARENT",
         }
 
     def test_create_resource_with_all_optional_fields(
@@ -64,20 +70,22 @@ def test_create_resource_with_all_optional_fields(
 
         syncify(
             self.authorization.create_resource(
-                resource_type="document",
+                resource_type_slug="document",
                 organization_id="org_01EHT88Z8J8795GZNQ4ZP1J81T",
                 external_id="ext_123",
-                meta={"key": "value"},
-                parent={"resource_id": "res_01PARENT"},
+                name="Test Resource",
+                parent={"parent_resource_id": "res_01PARENT"},
+                description="A test resource",
             )
         )
 
         assert request_kwargs["json"] == {
-            "resource_type": "document",
+            "resource_type_slug": "document",
             "organization_id": "org_01EHT88Z8J8795GZNQ4ZP1J81T",
             "external_id": "ext_123",
-            "meta": {"key": "value"},
-            "parent": {"resource_id": "res_01PARENT"},
+            "name": "Test Resource",
+            "parent_resource_id": "res_01PARENT",
+            "description": "A test resource",
         }
 
     def test_create_resource_with_parent_by_id(
@@ -89,13 +97,15 @@ def test_create_resource_with_parent_by_id(
 
         syncify(
             self.authorization.create_resource(
-                resource_type="document",
+                resource_type_slug="document",
                 organization_id="org_01EHT88Z8J8795GZNQ4ZP1J81T",
-                parent={"resource_id": "res_01PARENT"},
+                external_id="ext_123",
+                name="Test Resource",
+                parent={"parent_resource_id": "res_01PARENT"},
             )
         )
 
-        assert request_kwargs["json"]["parent"] == {"resource_id": "res_01PARENT"}
+        assert request_kwargs["json"]["parent_resource_id"] == "res_01PARENT"
 
     def test_create_resource_with_parent_by_external_id(
         self, mock_resource, capture_and_mock_http_client_request
@@ -106,25 +116,23 @@ def test_create_resource_with_parent_by_external_id(
 
         syncify(
             self.authorization.create_resource(
-                resource_type="document",
+                resource_type_slug="document",
                 organization_id="org_01EHT88Z8J8795GZNQ4ZP1J81T",
+                external_id="ext_123",
+                name="Test Resource",
                 parent={
-                    "organization_id": "org_01EHT88Z8J8795GZNQ4ZP1J81T",
-                    "resource_type": "folder",
-                    "external_id": "ext_parent_456",
+                    "parent_resource_external_id": "ext_parent_456",
+                    "parent_resource_type_slug": "folder",
                 },
             )
         )
 
-        assert request_kwargs["json"]["parent"] == {
-            "organization_id": "org_01EHT88Z8J8795GZNQ4ZP1J81T",
-            "resource_type": "folder",
-            "external_id": "ext_parent_456",
-        }
+        assert request_kwargs["json"]["parent_resource_external_id"] == "ext_parent_456"
+        assert request_kwargs["json"]["parent_resource_type_slug"] == "folder"
 
     # --- update_resource ---
 
-    def test_update_resource_with_meta(
+    def test_update_resource_with_name_and_description(
         self, mock_resource, capture_and_mock_http_client_request
     ):
         request_kwargs = capture_and_mock_http_client_request(
@@ -134,16 +142,20 @@ def test_update_resource_with_meta(
         resource = syncify(
             self.authorization.update_resource(
                 "res_01ABC",
-                meta={"updated_key": "updated_value"},
+                name="Updated Name",
+                description="Updated description",
             )
         )
 
         assert resource.id == "res_01ABC"
         assert request_kwargs["method"] == "patch"
         assert request_kwargs["url"].endswith("/authorization/resources/res_01ABC")
-        assert request_kwargs["json"] == {"meta": {"updated_key": "updated_value"}}
+        assert request_kwargs["json"] == {
+            "name": "Updated Name",
+            "description": "Updated description",
+        }
 
-    def test_update_resource_without_meta(
+    def test_update_resource_without_optional_fields(
         self, mock_resource, capture_and_mock_http_client_request
     ):
         request_kwargs = capture_and_mock_http_client_request(