Merge branch 'main' into renovate/actions-setup-python-6.x

Author: omercnet

.github/workflows/ci.yml

@@ -31,7 +31,7 @@ jobs:
           - macos-latest
           - windows-latest
     steps:
-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           fetch-depth: 0
       - name: Setup python for test ${{ matrix.py }}
@@ -64,7 +64,7 @@ jobs:
     env:
       COVERAGE_FILE: "coverage"
     steps:
-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 
       - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
         id: download
@@ -92,7 +92,7 @@ jobs:
     name: gitleaks
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           fetch-depth: 0
       - uses: gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7 # v2.3.9

.github/workflows/python-publish.yaml

@@ -14,7 +14,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
       - name: Setup
         uses: descope/.github/.github/actions/python/poetry/setup@main
         with:

.pre-commit-config.yaml

@@ -52,7 +52,7 @@ repos:
       - id: tox-ini-fmt
         args: ["-p", "type"]
   - repo: https://github.com/gitleaks/gitleaks
-    rev: v8.29.1
+    rev: v8.30.0
     hooks:
       - id: gitleaks
   - repo: local

README.md

@@ -975,16 +975,18 @@ descope_client.mgmt.role.create(
     name="My Role",
     description="Optional description to briefly explain what this role allows.",
     permission_names=["My Updated Permission"],
-    tenant_id="Optionally scope this role for this specific tenant. If left empty, the role will be available to all tenants."
+    tenant_id="Optionally scope this role for this specific tenant. If left empty, the role will be available to all tenants.",
+    private=False  # Optional, marks this role as private role
 )
 
 # Update will override all fields as is. Use carefully.
 descope_client.mgmt.role.update(
     name="My Role",
     new_name="My Updated Role",
     description="A revised description",
-    permission_names=["My Updated Permission", "Another Permission"]
-    tenant_id="The tenant ID to which this role is associated, leave empty, if role is a global one"
+    permission_names=["My Updated Permission", "Another Permission"],
+    tenant_id="The tenant ID to which this role is associated, leave empty, if role is a global one",
+    private=True  # Optional, marks this role as private role
 )
 
 # Role deletion cannot be undone. Use carefully.

descope/management/authz.py

@@ -181,7 +181,7 @@ def create_relations(
                     "tenants": ["t1", "t2"],
                     "roles": ["r1", "r2"],
                     "text": "full-text-search",
-                    "statuses": ["enabled|disabled|invited"],
+                    "statuses": ["enabled|disabled|invited|expired"],
                     "ssoOnly": True|False,
                     "withTestUser": True|False,
                     "customAttributes": {

descope/management/common.py

@@ -1,5 +1,5 @@
 from enum import Enum
-from typing import List, Optional
+from typing import Dict, List, Optional, Any
 
 
 class SessionExpirationUnit(Enum):
@@ -15,6 +15,51 @@ class TenantAuthType(Enum):
     OIDC = "oidc"
 
 
+class SSOSetupSuiteSettingsDisabledFeatures:
+    def __init__(
+        self,
+        saml: bool = False,
+        oidc: bool = False,
+        scim: bool = False,
+        sso_domains: bool = False,
+        group_mapping: bool = False,
+    ):
+        self.saml = saml
+        self.oidc = oidc
+        self.scim = scim
+        self.sso_domains = sso_domains
+        self.group_mapping = group_mapping
+
+    def to_dict(self) -> Dict[str, bool]:
+        return {
+            "saml": self.saml,
+            "oidc": self.oidc,
+            "scim": self.scim,
+            "ssoDomains": self.sso_domains,
+            "groupMapping": self.group_mapping,
+        }
+
+
+class SSOSetupSuiteSettings:
+    def __init__(
+        self,
+        enabled: bool,
+        style_id: Optional[str] = None,
+        disabled_features: Optional[SSOSetupSuiteSettingsDisabledFeatures] = None,
+    ):
+        self.enabled = enabled
+        self.style_id = style_id
+        self.disabled_features = disabled_features
+
+    def to_dict(self) -> Dict[str, Any]:
+        result: Dict[str, Any] = {"enabled": self.enabled}
+        if self.style_id is not None:
+            result["styleId"] = self.style_id
+        if self.disabled_features is not None:
+            result["disabledFeatures"] = self.disabled_features.to_dict()
+        return result
+
+
 class AccessType(Enum):
     OFFLINE = "offline"
     ONLINE = "online"

descope/management/role.py

@@ -14,6 +14,7 @@ def create(
         permission_names: Optional[List[str]] = None,
         tenant_id: Optional[str] = None,
         default: Optional[bool] = None,
+        private: Optional[bool] = None,
     ):
         """
         Create a new role.
@@ -24,6 +25,7 @@ def create(
         permission_names (List[str]): Optional list of names of permissions this role grants.
         tenant_id (str): Optional tenant ID to create the role in.
         default (bool): Optional marks this role as default role.
+        private (bool): Optional marks this role as private role.
 
         Raise:
         AuthException: raised if creation operation fails
@@ -38,6 +40,7 @@ def create(
                 "permissionNames": permission_names,
                 "tenantId": tenant_id,
                 "default": default,
+                "private": private,
             },
         )
 
@@ -49,6 +52,7 @@ def update(
         permission_names: Optional[List[str]] = None,
         tenant_id: Optional[str] = None,
         default: Optional[bool] = None,
+        private: Optional[bool] = None,
     ):
         """
         Update an existing role with the given various fields. IMPORTANT: All parameters are used as overrides
@@ -61,6 +65,7 @@ def update(
         permission_names (List[str]): Optional list of names of permissions this role grants.
         tenant_id (str): Optional tenant ID to update the role in.
         default (bool): Optional marks this role as default role.
+        private (bool): Optional marks this role as private role.
 
         Raise:
         AuthException: raised if update operation fails
@@ -75,6 +80,7 @@ def update(
                 "permissionNames": permission_names,
                 "tenantId": tenant_id,
                 "default": default,
+                "private": private,
             },
         )
 

descope/management/sso_settings.py

@@ -123,6 +123,7 @@ def __init__(
         attribute_mapping: Optional[AttributeMapping] = None,
         role_mappings: Optional[List[RoleMapping]] = None,
         default_sso_roles: Optional[List[str]] = None,
+        idp_additional_certs: Optional[List[str]] = None,
         # NOTICE - the following fields should be overridden only in case of SSO migration, otherwise, do not modify these fields
         sp_acs_url: Optional[str] = None,
         sp_entity_id: Optional[str] = None,
@@ -133,6 +134,7 @@ def __init__(
         self.attribute_mapping = attribute_mapping
         self.role_mappings = role_mappings
         self.default_sso_roles = default_sso_roles
+        self.idp_additional_certs = idp_additional_certs
         self.sp_acs_url = sp_acs_url
         self.sp_entity_id = sp_entity_id
 
@@ -174,7 +176,7 @@ def load_settings(
         Return value (dict):
         Containing the loaded SSO settings information.
         Return dict in the format:
-             {"tenant": {"id": "T2AAAA", "name": "myTenantName", "selfProvisioningDomains": [], "customAttributes": {}, "authType": "saml", "domains": ["lulu", "kuku"]}, "saml": {"idpEntityId": "", "idpSSOUrl": "", "idpCertificate": "", "idpMetadataUrl": "https://dummy.com/metadata", "spEntityId": "", "spACSUrl": "", "spCertificate": "", "attributeMapping": {"name": "name", "email": "email", "username": "", "phoneNumber": "phone", "group": "", "givenName": "", "middleName": "", "familyName": "", "picture": "", "customAttributes": {}}, "groupsMapping": [], "redirectUrl": ""}, "oidc": {"name": "", "clientId": "", "clientSecret": "", "redirectUrl": "", "authUrl": "", "tokenUrl": "", "userDataUrl": "", "scope": [], "JWKsUrl": "", "userAttrMapping": {"loginId": "sub", "username": "", "name": "name", "email": "email", "phoneNumber": "phone_number", "verifiedEmail": "email_verified", "verifiedPhone": "phone_number_verified", "picture": "picture", "givenName": "given_name", "middleName": "middle_name", "familyName": "family_name"}, "manageProviderTokens": False, "callbackDomain": "", "prompt": [], "grantType": "authorization_code", "issuer": ""}}
+             {"tenant": {"id": "T2AAAA", "name": "myTenantName", "selfProvisioningDomains": [], "customAttributes": {}, "authType": "saml", "domains": ["lulu", "kuku"]}, "saml": {"idpEntityId": "", "idpSSOUrl": "", "idpCertificate": "", "idpAdditionalCertificates": [], "idpMetadataUrl": "https://dummy.com/metadata", "spEntityId": "", "spACSUrl": "", "spCertificate": "", "attributeMapping": {"name": "name", "email": "email", "username": "", "phoneNumber": "phone", "group": "", "givenName": "", "middleName": "", "familyName": "", "picture": "", "customAttributes": {}}, "groupsMapping": [], "redirectUrl": ""}, "oidc": {"name": "", "clientId": "", "clientSecret": "", "redirectUrl": "", "authUrl": "", "tokenUrl": "", "userDataUrl": "", "scope": [], "JWKsUrl": "", "userAttrMapping": {"loginId": "sub", "username": "", "name": "name", "email": "email", "phoneNumber": "phone_number", "verifiedEmail": "email_verified", "verifiedPhone": "phone_number_verified", "picture": "picture", "givenName": "given_name", "middleName": "middle_name", "familyName": "family_name"}, "manageProviderTokens": False, "callbackDomain": "", "prompt": [], "grantType": "authorization_code", "issuer": ""}}
 
         Raise:
         AuthException: raised if load configuration operation fails
@@ -537,6 +539,7 @@ def _compose_configure_saml_settings_body(
                 "idpUrl": settings.idp_url,
                 "entityId": settings.idp_entity_id,
                 "idpCert": settings.idp_cert,
+                "idpAdditionalCerts": settings.idp_additional_certs,
                 "spACSUrl": settings.sp_acs_url,
                 "spEntityId": settings.sp_entity_id,
                 "attributeMapping": attr_mapping,

descope/management/tenant.py

@@ -1,7 +1,12 @@
 from typing import Any, List, Optional
 
 from descope._http_base import HTTPBase
-from descope.management.common import MgmtV1, SessionExpirationUnit, TenantAuthType
+from descope.management.common import (
+    MgmtV1,
+    SessionExpirationUnit,
+    SSOSetupSuiteSettings,
+    TenantAuthType,
+)
 
 
 class Tenant(HTTPBase):
@@ -109,6 +114,7 @@ def update_settings(
         inactivity_time: Optional[int] = None,
         inactivity_time_unit: Optional[SessionExpirationUnit] = None,
         JITDisabled: Optional[bool] = None,
+        sso_setup_suite_settings: Optional[SSOSetupSuiteSettings] = None,
     ):
         """
         Update an existing tenant's session settings.
@@ -120,15 +126,16 @@ def update_settings(
             auth_type (Optional[TenantAuthType]): Authentication type for the tenant.
             session_settings_enabled (Optional[bool]): Whether session settings are enabled.
             refresh_token_expiration (Optional[int]): Expiration time for refresh tokens.
-            refresh_token_expiration_unit (Optional[SessionExiprationUnit]): Unit for refresh token expiration.
+            refresh_token_expiration_unit (Optional[SessionExpirationUnit]): Unit for refresh token expiration.
             session_token_expiration (Optional[int]): Expiration time for session tokens.
-            session_token_expiration_unit (Optional[SessionExiprationUnit]): Unit for session token expiration.
+            session_token_expiration_unit (Optional[SessionExpirationUnit]): Unit for session token expiration.
             stepup_token_expiration (Optional[int]): Expiration time for step-up tokens.
-            stepup_token_expiration_unit (Optional[SessionExiprationUnit]): Unit for step-up token expiration.
+            stepup_token_expiration_unit (Optional[SessionExpirationUnit]): Unit for step-up token expiration.
             enable_inactivity (Optional[bool]): Whether inactivity timeout is enabled.
             inactivity_time (Optional[int]): Inactivity timeout duration.
-            inactivity_time_unit (Optional[SessionExiprationUnit]): Unit for inactivity timeout.
+            inactivity_time_unit (Optional[SessionExpirationUnit]): Unit for inactivity timeout.
             JITDisabled (Optional[bool]): Whether JIT is disabled.
+            sso_setup_suite_settings (Optional[SSOSetupSuiteSettings]): SSO Setup Suite configuration.
 
         Raise:
             AuthException: raised if update operation fails
@@ -149,6 +156,9 @@ def update_settings(
             "inactivityTime": inactivity_time,
             "inactivityTimeUnit": inactivity_time_unit,
             "JITDisabled": JITDisabled,
+            "ssoSetupSuiteSettings": (
+                sso_setup_suite_settings.to_dict() if sso_setup_suite_settings else None
+            ),
         }
 
         body = {k: v for k, v in body.items() if v is not None}
@@ -215,7 +225,7 @@ def load_settings(
              "sessionTokenExpiration":<int>, "sessionTokenExpirationUnit":<str>,
              "stepupTokenExpiration":<int>, "stepupTokenExpirationUnit":<str>,
              "enableInactivity":<bool>, "inactivityTime":<int>, "inactivityTimeUnit":<str>,
-             "JITDisabled":<bool> }
+             "JITDisabled":<bool>, "ssoSetupSuiteSettings":<dict> }
         Containing the loaded tenant session settings.
 
         Raise:

descope/management/user.py

@@ -438,7 +438,7 @@ def patch(
         picture (str): Optional url for user picture
         custom_attributes (dict): Optional, set the different custom attributes values of the keys that were previously configured in Descope console app
         sso_app_ids (List[str]): Optional, list of SSO applications IDs to be associated with the user.
-        status (str): Optional status field. Can be one of: "enabled", "disabled", "invited".
+        status (str): Optional status field. Can be one of: "enabled", "disabled", "invited", "expired".
         test (bool, optional): Set to True to update a test user. Defaults to False.
 
         Return value (dict):
@@ -449,11 +449,16 @@ def patch(
         Raise:
         AuthException: raised if patch operation fails
         """
-        if status is not None and status not in ["enabled", "disabled", "invited"]:
+        if status is not None and status not in [
+            "enabled",
+            "disabled",
+            "invited",
+            "expired",
+        ]:
             raise AuthException(
                 400,
                 ERROR_TYPE_INVALID_ARGUMENT,
-                f"Invalid status value: {status}. Must be one of: enabled, disabled, invited",
+                f"Invalid status value: {status}. Must be one of: enabled, disabled, invited, expired",
             )
         response = self._http.patch(
             MgmtV1.user_patch_path,
@@ -506,11 +511,12 @@ def patch_batch(
                 "enabled",
                 "disabled",
                 "invited",
+                "expired",
             ]:
                 raise AuthException(
                     400,
                     ERROR_TYPE_INVALID_ARGUMENT,
-                    f"Invalid status value: {user.status} for user {user.login_id}. Must be one of: enabled, disabled, invited",
+                    f"Invalid status value: {user.status} for user {user.login_id}. Must be one of: enabled, disabled, invited, expired",
                 )
 
         response = self._http.patch(
@@ -728,7 +734,7 @@ def search_all(
         test_users_only (bool): Optional filter only test users.
         with_test_user (bool): Optional include test users in search.
         custom_attributes (dict): Optional search for a attribute with a given value
-        statuses (List[str]): Optional list of statuses to search for ("enabled", "disabled", "invited")
+        statuses (List[str]): Optional list of statuses to search for ("enabled", "disabled", "invited", "expired")
         emails (List[str]): Optional list of emails to search for
         phones (List[str]): Optional list of phones to search for
         sso_app_ids (List[str]): Optional list of SSO application IDs to filter by
@@ -850,7 +856,7 @@ def search_all_test_users(
         limit (int): Optional limit of the number of users returned. Leave empty for default.
         page (int): Optional pagination control. Pages start at 0 and must be non-negative.
         custom_attributes (dict): Optional search for a attribute with a given value
-        statuses (List[str]): Optional list of statuses to search for ("enabled", "disabled", "invited")
+        statuses (List[str]): Optional list of statuses to search for ("enabled", "disabled", "invited", "expired")
         emails (List[str]): Optional list of emails to search for
         phones (List[str]): Optional list of phones to search for
         sso_app_ids (List[str]): Optional list of SSO application IDs to filter by