Add roles to SSO profile and directory user (#411)

* Add roles to profile and directory user

* Separate authz attributes

* Move up primary email to public

* Move primary email to the bottom

* Adjust test

Author: kendallstrautman

lib/workos/directory_user.rb

@@ -8,7 +8,7 @@ class DirectoryUser < DeprecatedHashWrapper
     include HashProvider
 
     attr_accessor :id, :idp_id, :email, :emails, :first_name, :last_name, :job_title, :username, :state,
-                  :groups, :role, :custom_attributes, :raw_attributes, :directory_id, :organization_id,
+                  :groups, :role, :roles, :custom_attributes, :raw_attributes, :directory_id, :organization_id,
                   :created_at, :updated_at
 
     # rubocop:disable Metrics/AbcSize
@@ -37,6 +37,7 @@ def initialize(json)
       @state = hash[:state]
       @groups = hash[:groups]
       @role = hash[:role]
+      @roles = hash[:roles]
       @custom_attributes = hash[:custom_attributes]
       @raw_attributes = hash[:raw_attributes]
       @created_at = hash[:created_at]
@@ -47,6 +48,13 @@ def initialize(json)
     # rubocop:enable Metrics/AbcSize
 
     def to_json(*)
+      base_attributes.
+        merge(authorization_attributes)
+    end
+
+    private
+
+    def base_attributes
       {
         id: id,
         directory_id: directory_id,
@@ -60,14 +68,22 @@ def to_json(*)
         username: username,
         state: state,
         groups: groups,
-        role: role,
         custom_attributes: custom_attributes,
         raw_attributes: raw_attributes,
         created_at: created_at,
         updated_at: updated_at,
       }
     end
 
+    def authorization_attributes
+      {
+        role: role,
+        roles: roles,
+      }
+    end
+
+    public
+
     # @deprecated Will be removed in a future major version. Use {#email} instead.
     def primary_email
       primary_email = (emails || []).find { |email| email[:primary] }

lib/workos/profile.rb

@@ -9,7 +9,7 @@ module WorkOS
   class Profile
     include HashProvider
 
-    attr_accessor :id, :email, :first_name, :last_name, :role, :groups, :organization_id,
+    attr_accessor :id, :email, :first_name, :last_name, :role, :roles, :groups, :organization_id,
                   :connection_id, :connection_type, :idp_id, :custom_attributes, :raw_attributes
 
     # rubocop:disable Metrics/AbcSize
@@ -21,6 +21,7 @@ def initialize(profile_json)
       @first_name = hash[:first_name]
       @last_name = hash[:last_name]
       @role = hash[:role]
+      @roles = hash[:roles]
       @groups = hash[:groups]
       @organization_id = hash[:organization_id]
       @connection_id = hash[:connection_id]
@@ -42,6 +43,7 @@ def to_json(*)
         first_name: first_name,
         last_name: last_name,
         role: role,
+        roles: roles,
         groups: groups,
         organization_id: organization_id,
         connection_id: connection_id,

spec/lib/workos/directory_user_spec.rb

@@ -37,13 +37,23 @@
       it 'returns no role' do
         user = WorkOS::DirectoryUser.new('{"object":"directory_user","id":"directory_user_01FAZYNPC8M0HRYTKFP2GNX852","directory_id":"directory_01FAZYMST676QMTFN1DDJZZX87","idp_id":"6092c280a3f1e19ef6d8cef8","username":"[email protected]","emails":[{"primary":true,"value":"[email protected]"}, {"primary":false,"value":"[email protected]"}],"first_name":"Bob","last_name":"Gingerich","job_title":"Developer Success Engineer","state":"active","raw_attributes":{},"custom_attributes":{},"groups":[],"created_at":"2022-05-13T17:45:31.732Z", "updated_at":"2022-07-13T17:45:42.618Z"}')
         expect(user.role).to eq(nil)
+        expect(user.roles).to eq(nil)
       end
     end
 
-    context 'with a role' do
-      it 'returns the role slug' do
-        user = WorkOS::DirectoryUser.new('{"object":"directory_user","id":"directory_user_01FAZYNPC8M0HRYTKFP2GNX852","directory_id":"directory_01FAZYMST676QMTFN1DDJZZX87","idp_id":"6092c280a3f1e19ef6d8cef8","username":"[email protected]","emails":[{"primary":true,"value":"[email protected]"}, {"primary":false,"value":"[email protected]"}],"first_name":"Bob","last_name":"Gingerich","job_title":"Developer Success Engineer","state":"active","raw_attributes":{},"custom_attributes":{},"groups":[],"role":{"slug":"member"},"created_at":"2022-05-13T17:45:31.732Z", "updated_at":"2022-07-13T17:45:42.618Z"}')
+    context 'with a single role' do
+      it 'returns the highest priority role slug and roles array' do
+        user = WorkOS::DirectoryUser.new('{"object":"directory_user","id":"directory_user_01FAZYNPC8M0HRYTKFP2GNX852","directory_id":"directory_01FAZYMST676QMTFN1DDJZZX87","idp_id":"6092c280a3f1e19ef6d8cef8","username":"[email protected]","emails":[{"primary":true,"value":"[email protected]"}, {"primary":false,"value":"[email protected]"}],"first_name":"Bob","last_name":"Gingerich","job_title":"Developer Success Engineer","state":"active","raw_attributes":{},"custom_attributes":{},"groups":[],"role":{"slug":"member"},"roles":[{"slug":"member"}],"created_at":"2022-05-13T17:45:31.732Z", "updated_at":"2022-07-13T17:45:42.618Z"}')
         expect(user.role).to eq({ slug: 'member' })
+        expect(user.roles).to eq([{ slug: 'member' }])
+      end
+    end
+
+    context 'with multiple roles' do
+      it 'returns the highest priority role slug and roles array' do
+        user = WorkOS::DirectoryUser.new('{"object":"directory_user","id":"directory_user_01FAZYNPC8M0HRYTKFP2GNX852","directory_id":"directory_01FAZYMST676QMTFN1DDJZZX87","idp_id":"6092c280a3f1e19ef6d8cef8","username":"[email protected]","emails":[{"primary":true,"value":"[email protected]"}, {"primary":false,"value":"[email protected]"}],"first_name":"Bob","last_name":"Gingerich","job_title":"Developer Success Engineer","state":"active","raw_attributes":{},"custom_attributes":{},"groups":[],"role":{"slug":"admin"},"roles":[{"slug":"member"}, {"slug":"admin"}],"created_at":"2022-05-13T17:45:31.732Z", "updated_at":"2022-07-13T17:45:42.618Z"}')
+        expect(user.role).to eq({ slug: 'admin' })
+        expect(user.roles).to eq([{ slug: 'member' }, { slug: 'admin' }])
       end
     end
   end

spec/lib/workos/sso_spec.rb

@@ -305,6 +305,9 @@
           role: {
             slug: 'member',
           },
+          roles: [{
+            slug: 'member',
+          }],
           groups: nil,
           organization_id: 'org_01FG53X8636WSNW2WEKB2C31ZB',
           custom_attributes: {},
@@ -380,6 +383,9 @@
           role: {
             slug: 'admin',
           },
+          roles: [{
+            slug: 'admin',
+          }],
           groups: %w[Admins Developers],
           organization_id: 'org_01FG53X8636WSNW2WEKB2C31ZB',
           custom_attributes: {

spec/support/fixtures/vcr_cassettes/directory_sync/get_user.yml

@@ -1 +1 @@
-{"profile":{"object":"profile","id":"prof_01DRA1XNSJDZ19A31F183ECQW5","email":"[email protected]","first_name":"WorkOS","organization_id":"org_01FG53X8636WSNW2WEKB2C31ZB","connection_id":"conn_01EMH8WAK20T42N2NBMNBCYHAG","connection_type":"OktaSAML","last_name":"Demo","role":{"slug": "admin"},"groups":["Admins","Developers"],"idp_id":"00u1klkowm8EGah2H357","custom_attributes":{"license": "professional"},"raw_attributes":{"id":"prof_01DRA1XNSJDZ19A31F183ECQW5","email":"[email protected]","first_name":"WorkOS","last_name":"Demo","groups":["Admins","Developers"],"idp_id":"00u1klkowm8EGah2H357","license": "professional"}},"access_token":"01DVX6QBS3EG6FHY2ESAA5Q65X"}
+{"profile":{"object":"profile","id":"prof_01DRA1XNSJDZ19A31F183ECQW5","email":"[email protected]","first_name":"WorkOS","organization_id":"org_01FG53X8636WSNW2WEKB2C31ZB","connection_id":"conn_01EMH8WAK20T42N2NBMNBCYHAG","connection_type":"OktaSAML","last_name":"Demo","role":{"slug": "admin"},"roles":[{"slug": "admin"}],"groups":["Admins","Developers"],"idp_id":"00u1klkowm8EGah2H357","custom_attributes":{"license": "professional"},"raw_attributes":{"id":"prof_01DRA1XNSJDZ19A31F183ECQW5","email":"[email protected]","first_name":"WorkOS","last_name":"Demo","groups":["Admins","Developers"],"idp_id":"00u1klkowm8EGah2H357","license": "professional"}},"access_token":"01DVX6QBS3EG6FHY2ESAA5Q65X"}