workos 1.5.0 → 2.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: ae5493072c3719c3a6475116ed51d7955e072fb9499a9a40b231482ffd9db082
-  data.tar.gz: 451ba6d7ac9542bf9cda07fe9703035fb8d58d0b1e6b4beceb4b6e7273e3b3f6
+  metadata.gz: 739e4734f5caa4b4c8180e125a206106242fea489c1dccc19f1bc45ad514bc7e
+  data.tar.gz: '029c0a8ef19f9b9b933a73eec53a9770851ea2a338a81060c040b72a06e39189'
 SHA512:
-  metadata.gz: d5a7b8b11117bf140ee16cd1f390cd4c94cb9dba75c5c1668cc558290a2619e016c6e59f47ae2a13d5483e61078d79731bee619643ca6ec9640464b0e96a3d17
-  data.tar.gz: 1534875a20f5410c6b9f9a9680cb9da1ad95247308765a3dc8917f3ffde2c2e1535ae56f022051207f69295d678f621a94b8b9f9ac8ea70812ec3f4108d6edef
+  metadata.gz: 18631e0e0cdc5033b7df32d3ff95e2eeadcd7babd6c3b11063e174006ed3e8abd7769bfe4b0c828967e79b724ce0d8a79243960b5f2922eeb242051b56395b41
+  data.tar.gz: 2a2b2d48b1410ad0fc86943a168d584234fd5c01ca5ee3e3b4b3117f9924ddc4199d55d10d338b1f07daa193edc0144312ec6271a68c65b89ec8fa2243064aa0

data/.rubocop.yml

@@ -9,7 +9,7 @@ Layout/LineLength:
     - 'VCR\.use_cassette'
     - '(\A|\s)/.*?/'
 Metrics/BlockLength:
-  ExcludedMethods: ['describe', 'context']
+  ExcludedMethods: ['describe', 'context', 'before']
 Metrics/MethodLength:
   Max: 15
 Metrics/ModuleLength:

data/.ruby-version

@@ -1 +1 @@
-3.0.1
+3.0.2

data/.semaphore/semaphore.yml

@@ -66,10 +66,10 @@ blocks:
             - sem-version ruby 2.7.3
             - bundle install
             - bundle exec rspec
-        - name: Ruby 3.0.1
+        - name: Ruby 3.0.2
           commands:
             - checkout
-            - sem-version ruby 3.0.1
+            - sem-version ruby 3.0.2
             - bundle install
             - bundle exec rspec
 promotions:

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    workos (1.5.0)
+    workos (2.0.0)
       sorbet-runtime (~> 0.5)
 
 GEM
@@ -60,7 +60,7 @@ GEM
     simplecov_json_formatter (0.1.2)
     sorbet (0.5.6388)
       sorbet-static (= 0.5.6388)
-    sorbet-runtime (0.5.9035)
+    sorbet-runtime (0.5.9300)
     sorbet-static (0.5.6388-universal-darwin-14)
     sorbet-static (0.5.6388-universal-darwin-15)
     sorbet-static (0.5.6388-universal-darwin-16)
@@ -93,4 +93,4 @@ DEPENDENCIES
   yard
 
 BUNDLED WITH
-   2.2.16
+   2.2.22

data/lib/workos/client.rb

@@ -9,12 +9,9 @@ module WorkOS
 
     sig { returns(Net::HTTP) }
     def client
-      return @client if defined?(@client)
-
-      @client = Net::HTTP.new(WorkOS::API_HOSTNAME, 443)
-      @client.use_ssl = true
-
-      @client
+      Net::HTTP.new(WorkOS::API_HOSTNAME, 443).tap do |http_client|
+        http_client.use_ssl = true
+      end
     end
 
     sig do

data/lib/workos/connection.rb

@@ -21,7 +21,7 @@ module WorkOS
       @name = T.let(raw.name, String)
       @connection_type = T.let(raw.connection_type, String)
       @domains = T.let(raw.domains, Array)
-      @organization_id = T.let(raw.organization_id, String)
+      @organization_id = raw.organization_id
       @state = T.let(raw.state, String)
       @status = T.let(raw.status, String)
       @created_at = T.let(raw.created_at, String)

data/lib/workos/directory.rb

@@ -17,10 +17,10 @@ module WorkOS
 
       @id = T.let(raw.id, String)
       @name = T.let(raw.name, String)
-      @domain = T.let(raw.domain, String)
+      @domain = raw.domain
       @type = T.let(raw.type, String)
       @state = T.let(raw.state, String)
-      @organization_id = T.let(raw.organization_id, String)
+      @organization_id = raw.organization_id
       @created_at = T.let(raw.created_at, String)
       @updated_at = T.let(raw.updated_at, String)
     end

data/lib/workos/directory_sync.rb

@@ -53,6 +53,35 @@ module WorkOS
         )
       end
 
+      # Retrieve directory.
+      #
+      # @param [String] id Directory unique identifier
+      #
+      # @example
+      #   WorkOS::SSO.get_directory(id: 'directory_01FK17DWRHH7APAFXT5B52PV0W')
+      #   => #<WorkOS::Directory:0x00007fb6e4193d20
+      #         @id="directory_01FK17DWRHH7APAFXT5B52PV0W",
+      #         @name="Foo Corp",
+      #         @domain="foo-corp.com",
+      #         @type="okta scim v2.0",
+      #         @state="linked",
+      #         @organization_id="org_01F6Q6TFP7RD2PF6J03ANNWDKV",
+      #         @created_at="2021-10-27T15:55:47.856Z",
+      #         @updated_at="2021-10-27T16:03:43.990Z"
+      #
+      # @return [WorkOS::Directory]
+      sig { params(id: String).returns(WorkOS::Directory) }
+      def get_directory(id:)
+        request = get_request(
+          auth: true,
+          path: "/directories/#{id}",
+        )
+
+        response = execute_request(request: request)
+
+        WorkOS::Directory.new(response.body)
+      end
+
       # Retrieve directory groups.
       #
       # @param [Hash] options An options hash

data/lib/workos/errors.rb

@@ -55,4 +55,8 @@ module WorkOS
   # InvalidRequestError is raised when a request is initiated with invalid
   # parameters.
   class InvalidRequestError < WorkOSError; end
+
+  # SignatureVerificationError is raised when the signature verification for a
+  # webhook fails
+  class SignatureVerificationError < WorkOSError; end
 end

data/lib/workos/organization.rb

@@ -8,7 +8,7 @@ module WorkOS
   class Organization
     extend T::Sig
 
-    attr_accessor :id, :domains, :name, :created_at, :updated_at
+    attr_accessor :id, :domains, :name, :allow_profiles_outside_organization, :created_at, :updated_at
 
     sig { params(json: String).void }
     def initialize(json)
@@ -16,6 +16,7 @@ module WorkOS
 
       @id = T.let(raw.id, String)
       @name = T.let(raw.name, String)
+      @allow_profiles_outside_organization = T.let(raw.allow_profiles_outside_organization, T::Boolean)
       @domains = T.let(raw.domains, Array)
       @created_at = T.let(raw.created_at, String)
       @updated_at = T.let(raw.updated_at, String)
@@ -25,6 +26,7 @@ module WorkOS
       {
         id: id,
         name: name,
+        allow_profiles_outside_organization: allow_profiles_outside_organization,
         domains: domains,
         created_at: created_at,
         updated_at: updated_at,
@@ -44,6 +46,7 @@ module WorkOS
       WorkOS::Types::OrganizationStruct.new(
         id: hash[:id],
         name: hash[:name],
+        allow_profiles_outside_organization: hash[:allow_profiles_outside_organization],
         domains: hash[:domains],
         created_at: hash[:created_at],
         updated_at: hash[:updated_at],

data/lib/workos/organizations.rb

@@ -80,16 +80,23 @@ module WorkOS
       # @param [Array<String>] domains List of domains that belong to the
       #  organization
       # @param [String] name A unique, descriptive name for the organization
+      # @param [Boolean, nil] allow_profiles_outside_organization Whether Connections
+      #  within the Organization allow profiles that are outside of the Organization's configured User Email Domains.
       sig do
         params(
           domains: T::Array[String],
           name: String,
+          allow_profiles_outside_organization: T.nilable(T::Boolean),
         ).returns(WorkOS::Organization)
       end
-      def create_organization(domains:, name:)
+      def create_organization(domains:, name:, allow_profiles_outside_organization: nil)
         request = post_request(
           auth: true,
-          body: { domains: domains, name: name },
+          body: {
+            domains: domains,
+            name: name,
+            allow_profiles_outside_organization: allow_profiles_outside_organization,
+          },
           path: '/organizations',
         )
 
@@ -105,17 +112,24 @@ module WorkOS
       # @param [Array<String>] domains List of domains that belong to the
       #  organization
       # @param [String] name A unique, descriptive name for the organization
+      # @param [Boolean, nil] allow_profiles_outside_organization Whether Connections
+      #  within the Organization allow profiles that are outside of the Organization's configured User Email Domains.
       sig do
         params(
           organization: String,
           domains: T::Array[String],
           name: String,
+          allow_profiles_outside_organization: T.nilable(T::Boolean),
         ).returns(WorkOS::Organization)
       end
-      def update_organization(organization:, domains:, name:)
+      def update_organization(organization:, domains:, name:, allow_profiles_outside_organization: nil)
         request = put_request(
           auth: true,
-          body: { domains: domains, name: name },
+          body: {
+            domains: domains,
+            name: name,
+            allow_profiles_outside_organization: allow_profiles_outside_organization,
+          },
           path: "/organizations/#{organization}",
         )
 

data/lib/workos/profile.rb

@@ -11,9 +11,10 @@ module WorkOS
     extend T::Sig
 
     sig { returns(String) }
-    attr_accessor :id, :email, :first_name, :last_name, :connection_id,
-                  :connection_type, :idp_id, :raw_attributes
+    attr_accessor :id, :email, :first_name, :last_name, :organization_id,
+                  :connection_id, :connection_type, :idp_id, :raw_attributes
 
+    # rubocop:disable Metrics/AbcSize
     sig { params(profile_json: String).void }
     def initialize(profile_json)
       raw = parse_json(profile_json)
@@ -22,11 +23,13 @@ module WorkOS
       @email = T.let(raw.email, String)
       @first_name = raw.first_name
       @last_name = raw.last_name
+      @organization_id = raw.organization_id
       @connection_id = T.let(raw.connection_id, String)
       @connection_type = T.let(raw.connection_type, String)
       @idp_id = raw.idp_id
       @raw_attributes = raw.raw_attributes
     end
+    # rubocop:enable Metrics/AbcSize
 
     sig { returns(String) }
     def full_name
@@ -39,6 +42,7 @@ module WorkOS
         email: email,
         first_name: first_name,
         last_name: last_name,
+        organization_id: organization_id,
         connection_id: connection_id,
         connection_type: connection_type,
         idp_id: idp_id,
@@ -57,6 +61,7 @@ module WorkOS
         email: hash[:email],
         first_name: hash[:first_name],
         last_name: hash[:last_name],
+        organization_id: hash[:organization_id],
         connection_id: hash[:connection_id],
         connection_type: hash[:connection_type],
         idp_id: hash[:idp_id],

data/lib/workos/types/connection_struct.rb

@@ -10,7 +10,7 @@ module WorkOS
       const :name, String
       const :connection_type, String
       const :domains, T::Array[T.untyped]
-      const :organization_id, String
+      const :organization_id, T.nilable(String)
       const :state, String
       const :status, String
       const :created_at, String

data/lib/workos/types/directory_struct.rb

@@ -8,10 +8,10 @@ module WorkOS
     class DirectoryStruct < T::Struct
       const :id, String
       const :name, String
-      const :domain, String
+      const :domain, T.nilable(String)
       const :type, String
       const :state, String
-      const :organization_id, String
+      const :organization_id, T.nilable(String)
       const :created_at, String
       const :updated_at, String
     end

data/lib/workos/types/organization_struct.rb

@@ -8,6 +8,7 @@ module WorkOS
     class OrganizationStruct < T::Struct
       const :id, String
       const :name, String
+      const :allow_profiles_outside_organization, T::Boolean
       const :domains, T::Array[T.untyped]
       const :created_at, String
       const :updated_at, String

data/lib/workos/types/profile_struct.rb

@@ -10,6 +10,7 @@ module WorkOS
       const :email, String
       const :first_name, T.nilable(String)
       const :last_name, T.nilable(String)
+      const :organization_id, T.nilable(String)
       const :connection_id, String
       const :connection_type, String
       const :idp_id, T.nilable(String)

data/lib/workos/types/webhook_struct.rb

@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+# typed: strict
+
+module WorkOS
+  module Types
+    # This WebhookStruct acts as a typed interface
+    # for the Webhook class
+    class WebhookStruct < T::Struct
+      const :id, String
+      const :event, String
+      const :data, T::Hash[Symbol, Object]
+    end
+  end
+end

data/lib/workos/types.rb

@@ -15,5 +15,6 @@ module WorkOS
     require_relative 'types/profile_struct'
     require_relative 'types/provider_enum'
     require_relative 'types/directory_user_struct'
+    require_relative 'types/webhook_struct'
   end
 end

data/lib/workos/version.rb

@@ -2,5 +2,5 @@
 # typed: strong
 
 module WorkOS
-  VERSION = '1.5.0'
+  VERSION = '2.0.0'
 end

data/lib/workos/webhook.rb

@@ -0,0 +1,47 @@
+# frozen_string_literal: true
+# typed: true
+
+module WorkOS
+  # The Webhook class provides a lightweight wrapper around
+  # a WorkOS Webhook resource. This class is not meant to be instantiated
+  # in user space, and is instantiated internally but exposed.
+  class Webhook
+    extend T::Sig
+
+    attr_accessor :id, :event, :data
+
+    sig { params(json: String).void }
+    def initialize(json)
+      raw = parse_json(json)
+
+      @id = T.let(raw.id, String)
+      @event = T.let(raw.event, String)
+      @data = raw.data
+    end
+
+    def to_json(*)
+      {
+        id: id,
+        event: event,
+        data: data,
+      }
+    end
+
+    private
+
+    sig do
+      params(
+        json_string: String,
+      ).returns(WorkOS::Types::WebhookStruct)
+    end
+    def parse_json(json_string)
+      hash = JSON.parse(json_string, symbolize_names: true)
+
+      WorkOS::Types::WebhookStruct.new(
+        id: hash[:id],
+        event: hash[:event],
+        data: hash[:data],
+      )
+    end
+  end
+end

data/lib/workos/webhooks.rb

@@ -0,0 +1,168 @@
+# frozen_string_literal: true
+# typed: true
+
+require 'openssl'
+
+module WorkOS
+  # The Webhooks module provides convenience methods for working with the WorkOS webhooks.
+  # You'll need to extract the signature header and payload from the webhook request
+  # sig_header = request.headers['WorkOS-Signature']
+  # payload = request.body.read
+  #
+  # The secret is the Webhook Secret from your WorkOS Dashboard
+  # The tolerance is for the timestamp validation
+  #
+  module Webhooks
+    class << self
+      extend T::Sig
+
+      DEFAULT_TOLERANCE = 180
+
+      # Initializes an Event object from a JSON payload
+      # rubocop:disable Layout/LineLength
+      #
+      # @param [String] payload The payload from the webhook sent by WorkOS. This is the RAW_POST_DATA of the request.
+      # @param [String] sig_header The signature from the webhook sent by WorkOS.
+      # @param [String] secret The webhook secret from the WorkOS dashboard.
+      # @param [Integer] tolerance The time tolerance in seconds for the webhook.
+      #
+      # @example
+      #   WorkOS::Webhooks.construct_event(
+      #     payload: "{"id": "wh_123","data":{"id":"directory_user_01FAEAJCR3ZBZ30D8BD1924TVG","state":"active","emails":[{"type":"work","value":"blair@foo-corp.com","primary":true}],"idp_id":"00u1e8mutl6wlH3lL4x7","object":"directory_user","username":"blair@foo-corp.com","last_name":"Lunceford","first_name":"Blair","directory_id":"directory_01F9M7F68PZP8QXP8G7X5QRHS7","raw_attributes":{"name":{"givenName":"Blair","familyName":"Lunceford","middleName":"Elizabeth","honorificPrefix":"Ms."},"title":"Developer Success Engineer","active":true,"emails":[{"type":"work","value":"blair@foo-corp.com","primary":true}],"groups":[],"locale":"en-US","schemas":["urn:ietf:params:scim:schemas:core:2.0:User","urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"],"userName":"blair@foo-corp.com","addresses":[{"region":"CO","primary":true,"locality":"Steamboat Springs","postalCode":"80487"}],"externalId":"00u1e8mutl6wlH3lL4x7","displayName":"Blair Lunceford","urn:ietf:params:scim:schemas:extension:enterprise:2.0:User":{"manager":{"value":"2","displayName":"Kathleen Chung"},"division":"Engineering","department":"Customer Success"}}},"event":"dsync.user.created"}",
+      #     sig_header: 't=1626125972272, v1=80f7ab7efadc306eb5797c588cee9410da9be4416782b497bf1e1bf4175fb928',
+      #     secret: 'LJlTiC19GmCKWs8AE0IaOQcos',
+      #   )
+      #
+      #   => #<WorkOS::Webhook:0x00007fa64b980910 @event="dsync.user.created", @data={:id=>"directory_user_01FAEAJCR3ZBZ30D8BD1924TVG", :state=>"active", :emails=>[{:type=>"work", :value=>"blair@foo-corp.com", :primary=>true}], :idp_id=>"00u1e8mutl6wlH3lL4x7", :object=>"directory_user", :username=>"blair@foo-corp.com", :last_name=>"Lunceford", :first_name=>"Blair", :directory_id=>"directory_01F9M7F68PZP8QXP8G7X5QRHS7", :raw_attributes=>{:name=>{:givenName=>"Blair", :familyName=>"Lunceford", :middleName=>"Elizabeth", :honorificPrefix=>"Ms."}, :title=>"Developer Success Engineer", :active=>true, :emails=>[{:type=>"work", :value=>"blair@foo-corp.com", :primary=>true}], :groups=>[], :locale=>"en-US", :schemas=>["urn:ietf:params:scim:schemas:core:2.0:User", "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"], :userName=>"blair@foo-corp.com", :addresses=>[{:region=>"CO", :primary=>true, :locality=>"Steamboat Springs", :postalCode=>"80487"}], :externalId=>"00u1e8mutl6wlH3lL4x7", :displayName=>"Blair Lunceford", :"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"=>{:manager=>{:value=>"2", :displayName=>"Kathleen Chung"}, :division=>"Engineering", :department=>"Customer Success"}}}>
+      #
+      # @return [WorkOS::Webhook]
+      # rubocop:enable Layout/LineLength
+      sig do
+        params(
+          payload: String,
+          sig_header: String,
+          secret: String,
+          tolerance: Integer,
+        ).returns(WorkOS::Webhook)
+      end
+      def construct_event(
+        payload:,
+        sig_header:,
+        secret:,
+        tolerance: DEFAULT_TOLERANCE
+      )
+        verify_header(payload: payload, sig_header: sig_header, secret: secret, tolerance: tolerance)
+        WorkOS::Webhook.new(payload)
+      end
+
+      private
+
+      sig do
+        params(
+          payload: String,
+          sig_header: String,
+          secret: String,
+          tolerance: Integer,
+        ).returns(T::Boolean)
+      end
+      # rubocop:disable Metrics/MethodLength
+      def verify_header(
+        payload:,
+        sig_header:,
+        secret:,
+        tolerance: DEFAULT_TOLERANCE
+      )
+        begin
+          timestamp, signature_hash = get_timestamp_and_signature_hash(sig_header: sig_header)
+        rescue StandardError
+          raise WorkOS::SignatureVerificationError.new(
+            message: 'Unable to extract timestamp and signature hash from header',
+          )
+        end
+
+        if signature_hash.empty?
+          raise WorkOS::SignatureVerificationError.new(
+            message: 'No signature hash found with expected scheme v1',
+          )
+        end
+
+        if timestamp < Time.now - tolerance
+          raise WorkOS::SignatureVerificationError.new(
+            message: 'Timestamp outside the tolerance zone',
+          )
+        end
+
+        expected_sig = compute_signature(timestamp: timestamp, payload: payload, secret: secret)
+        unless secure_compare(str_a: expected_sig, str_b: signature_hash)
+          raise WorkOS::SignatureVerificationError.new(
+            message: 'Signature hash does not match the expected signature hash for payload',
+          )
+        end
+
+        true
+      end
+      # rubocop:enable Metrics/MethodLength
+
+      sig do
+        params(
+          sig_header: String,
+        ).returns(T::Array[T.untyped])
+      end
+      def get_timestamp_and_signature_hash(
+        sig_header:
+      )
+        timestamp, signature_hash = sig_header.split(', ')
+
+        if timestamp.nil? || signature_hash.nil?
+          raise WorkOS::SignatureVerificationError.new(
+            message: 'Unable to extract timestamp and signature hash from header',
+          )
+        end
+
+        timestamp = timestamp.sub('t=', '')
+        signature_hash = signature_hash.sub('v1=', '')
+
+        [Time.at(timestamp.to_i), signature_hash]
+      end
+
+      sig do
+        params(
+          timestamp: Time,
+          payload: String,
+          secret: String,
+        ).returns(String)
+      end
+      def compute_signature(
+        timestamp:,
+        payload:,
+        secret:
+      )
+        unhashed_string = "#{timestamp.to_i}.#{payload}"
+        digest = OpenSSL::Digest.new('sha256')
+        OpenSSL::HMAC.hexdigest(digest, secret, unhashed_string)
+      end
+
+      # Constant time string comparison to prevent timing attacks
+      # Code borrowed from ActiveSupport
+      sig do
+        params(
+          str_a: String,
+          str_b: String,
+        ).returns(T::Boolean)
+      end
+      def secure_compare(
+        str_a:,
+        str_b:
+      )
+        return false unless str_a.bytesize == str_b.bytesize
+
+        l = T.unsafe(str_a.unpack("C#{str_a.bytesize}"))
+
+        res = 0
+        str_b.each_byte { |byte| res |= byte ^ l.shift }
+
+        res.zero?
+      end
+    end
+  end
+end

data/lib/workos.rb

@@ -42,11 +42,14 @@ module WorkOS
   autoload :ProfileAndToken, 'workos/profile_and_token'
   autoload :SSO, 'workos/sso'
   autoload :DirectoryUser, 'workos/directory_user'
+  autoload :Webhook, 'workos/webhook'
+  autoload :Webhooks, 'workos/webhooks'
 
   # Errors
   autoload :APIError, 'workos/errors'
   autoload :AuthenticationError, 'workos/errors'
   autoload :InvalidRequestError, 'workos/errors'
+  autoload :SignatureVerificationError, 'workos/errors'
 
   # Remove WORKOS_KEY at some point in the future. Keeping it here now for
   # backwards compatibility.

data/spec/lib/workos/audit_trail_spec.rb

@@ -2,6 +2,8 @@
 # typed: false
 
 describe WorkOS::AuditTrail do
+  it_behaves_like 'client'
+
   describe '.create_event' do
     context 'with valid event payload' do
       let(:valid_event) do