added logic to create oauth client

vaibhavatlan · vaibhavatlan · commit 857aa76a611a · 2026-01-07T15:49:24.000+05:30
diff --git a/pyatlan/client/aio/oauth_client.py b/pyatlan/client/aio/oauth_client.py
@@ -3,20 +3,25 @@
 
 from __future__ import annotations
 
-from typing import Optional
+from typing import TYPE_CHECKING, List, Optional
 
 from pydantic.v1 import validate_arguments
 
 from pyatlan.client.common import (
     AsyncApiCaller,
+    OAuthClientCreate,
     OAuthClientGet,
     OAuthClientGetAll,
     OAuthClientGetById,
     OAuthClientPurge,
     OAuthClientUpdate,
+    RoleGet,
 )
 from pyatlan.errors import ErrorCode
-from pyatlan.model.oauth_clients import OAuthClient, OAuthClientResponse
+from pyatlan.model.oauth_clients import OAuthClient, OAuthClientCreateResponse, OAuthClientResponse
+
+if TYPE_CHECKING:
+    from pyatlan.client.aio import AsyncAtlanClient
 
 
 class AsyncOAuthClientClient:
@@ -107,3 +112,53 @@ async def purge(self, client_id: str) -> None:
         """
         endpoint, _ = OAuthClientPurge.prepare_request(client_id)
         await self._client._call_api(endpoint)
+
+    async def _fetch_available_roles(self):
+        """
+        Fetch all available roles (workspace and admin-subrole levels).
+
+        :returns: list of AtlanRole objects
+        """
+        filter_str = OAuthClientCreate.build_roles_filter()
+        endpoint, query_params = RoleGet.prepare_request(
+            limit=100,
+            post_filter=filter_str,
+        )
+        raw_json = await self._client._call_api(endpoint, query_params)
+        response = RoleGet.process_response(raw_json)
+        return response.records or []
+
+    @validate_arguments
+    async def create(
+        self,
+        name: str,
+        role: str,
+        description: Optional[str] = None,
+        persona_qns: Optional[List[str]] = None,
+    ) -> OAuthClientCreateResponse:
+        """
+        Create a new OAuth client with the provided settings.
+
+        :param name: human-readable name for the OAuth client (displayed in UI)
+        :param role: role description to assign to the OAuth client (e.g., 'Admin', 'Member',
+                     'Guest', 'Admins (Connections)'). This is matched against available role
+                     descriptions and the corresponding role name is used in the API payload.
+        :param description: optional explanation of the OAuth client
+        :param persona_qns: qualified names of personas to associate with the OAuth client
+        :returns: the created OAuthClientCreateResponse (includes client_id and client_secret)
+        :raises AtlanError: on any API communication issue
+        :raises ValueError: if the specified role description is not found
+        """
+        # Fetch available roles and resolve the user-provided role name
+        available_roles = await self._fetch_available_roles()
+        resolved_role = OAuthClientCreate.resolve_role_name(role, available_roles)
+
+        # Prepare and execute the request
+        endpoint, request_obj = OAuthClientCreate.prepare_request(
+            display_name=name,
+            role=resolved_role,
+            description=description,
+            persona_qns=persona_qns,
+        )
+        raw_json = await self._client._call_api(endpoint, request_obj=request_obj)
+        return OAuthClientCreate.process_response(raw_json)
diff --git a/pyatlan/client/common/__init__.py b/pyatlan/client/common/__init__.py
@@ -99,6 +99,7 @@
 
 # OAuth client shared logic classes
 from .oauth_client import (
+    OAuthClientCreate,
     OAuthClientGet,
     OAuthClientGetAll,
     OAuthClientGetById,
@@ -265,6 +266,7 @@
     "ImpersonateGetUserId",
     "ImpersonateUser",
     # OAuth client shared logic classes
+    "OAuthClientCreate",
     "OAuthClientGet",
     "OAuthClientGetAll",
     "OAuthClientGetById",
diff --git a/pyatlan/client/common/oauth_client.py b/pyatlan/client/common/oauth_client.py
@@ -3,15 +3,22 @@
 
 from __future__ import annotations
 
-from typing import Dict, Optional
+from typing import Dict, List, Optional
 
 from pyatlan.client.constants import (
+    CREATE_OAUTH_CLIENT,
     DELETE_OAUTH_CLIENT,
     GET_OAUTH_CLIENT_BY_ID,
     GET_OAUTH_CLIENTS,
     UPDATE_OAUTH_CLIENT,
 )
-from pyatlan.model.oauth_clients import OAuthClient, OAuthClientResponse
+from pyatlan.model.oauth_clients import (
+    OAuthClient,
+    OAuthClientCreateResponse,
+    OAuthClientRequest,
+    OAuthClientResponse,
+)
+from pyatlan.model.role import AtlanRole
 
 
 class OAuthClientGetAll:
@@ -158,3 +165,91 @@ def prepare_request(client_id: str) -> tuple:
             {"client_id": client_id}
         ).format_path_with_params()
         return endpoint, None
+
+
+class OAuthClientCreate:
+    """Shared logic for creating OAuth clients."""
+
+    @staticmethod
+    def resolve_role_name(role: str, available_roles: List[AtlanRole]) -> str:
+        """
+        Resolve the user-provided role to the actual API role name.
+
+        The user provides a role description (e.g., 'Admin', 'Member', 'Admins (Connections)')
+        and we find the corresponding role name (e.g., '$admin', '$member', '$admin_connections')
+        to send in the API payload.
+
+        :param role: user-provided role description
+        :param available_roles: list of available roles from the API
+        :returns: the actual API role name (e.g., '$admin')
+        :raises ValueError: if the role description is not found
+        """
+        role_lower = role.lower().strip()
+
+        # Build lookup: lowercased description -> role name
+        desc_to_name: Dict[str, str] = {}
+        available_descriptions: List[str] = []
+
+        for r in available_roles:
+            if r.description and r.name:
+                desc_to_name[r.description.lower()] = r.name
+                available_descriptions.append(r.description)
+
+        # Match against description
+        if role_lower in desc_to_name:
+            return desc_to_name[role_lower]
+
+        # No match found - raise error with available descriptions
+        raise ValueError(
+            f"Role '{role}' not found. Available roles: {', '.join(sorted(available_descriptions))}"
+        )
+
+    @staticmethod
+    def build_roles_filter() -> str:
+        """
+        Build the filter string to fetch workspace and admin-subrole level roles.
+
+        :returns: JSON filter string
+        """
+        import json
+
+        return json.dumps(
+            {"$or": [{"level": "workspace"}, {"level": "admin-subrole"}]}
+        )
+
+    @staticmethod
+    def prepare_request(
+        display_name: str,
+        role: str,
+        description: Optional[str] = None,
+        persona_qns: Optional[List[str]] = None,
+    ) -> tuple:
+        """
+        Prepare the request for creating an OAuth client.
+
+        Note: The role should already be resolved to the actual API value
+        (e.g., '$admin') before calling this method.
+
+        :param display_name: human-readable name for the OAuth client
+        :param role: role assigned to the OAuth client (must be the actual API value like '$admin')
+        :param description: optional explanation of the OAuth client
+        :param persona_qns: qualified names of personas to associate with the OAuth client
+        :returns: tuple of (endpoint, request_dict)
+        """
+        request = OAuthClientRequest(
+            display_name=display_name,
+            description=description,
+            role=role,
+            persona_qns=persona_qns,
+        )
+        return CREATE_OAUTH_CLIENT.format_path_with_params(), request
+
+    @staticmethod
+    def process_response(raw_json: Dict) -> OAuthClientCreateResponse:
+        """
+        Process the API response into an OAuthClientCreateResponse.
+
+        :param raw_json: raw response from the API
+        :returns: the created OAuthClientCreateResponse (includes client_secret)
+        """
+        return OAuthClientCreateResponse(**raw_json)
diff --git a/pyatlan/client/constants.py b/pyatlan/client/constants.py
@@ -102,6 +102,9 @@
 GET_OAUTH_CLIENTS = API(
     OAUTH_CLIENTS_API, HTTPMethod.GET, HTTPStatus.OK, endpoint=EndPoint.HERACLES
 )
+CREATE_OAUTH_CLIENT = API(
+    OAUTH_CLIENTS_API, HTTPMethod.POST, HTTPStatus.OK, endpoint=EndPoint.HERACLES
+)
 GET_OAUTH_CLIENT_BY_ID = API(
     OAUTH_CLIENTS_API + "/{client_id}",
     HTTPMethod.GET,
diff --git a/pyatlan/client/oauth_client.py b/pyatlan/client/oauth_client.py
@@ -2,20 +2,25 @@
 # Copyright 2025 Atlan Pte. Ltd.
 from __future__ import annotations
 
-from typing import Optional
+from typing import TYPE_CHECKING, List, Optional
 
 from pydantic.v1 import validate_arguments
 
 from pyatlan.client.common import (
     ApiCaller,
+    OAuthClientCreate,
     OAuthClientGet,
     OAuthClientGetAll,
     OAuthClientGetById,
     OAuthClientPurge,
     OAuthClientUpdate,
+    RoleGet,
 )
 from pyatlan.errors import ErrorCode
-from pyatlan.model.oauth_clients import OAuthClient, OAuthClientResponse
+from pyatlan.model.oauth_clients import OAuthClient, OAuthClientCreateResponse, OAuthClientResponse
+
+if TYPE_CHECKING:
+    from pyatlan.client.atlan import AtlanClient
 
 
 class OAuthClientClient:
@@ -108,3 +113,51 @@ def purge(self, client_id: str) -> None:
         """
         endpoint, _ = OAuthClientPurge.prepare_request(client_id)
         self._client._call_api(endpoint)
+
+    def _fetch_available_roles(self):
+        """
+        Fetch all available roles (workspace and admin-subrole levels).
+
+        :returns: list of AtlanRole objects
+        """
+        filter_str = OAuthClientCreate.build_roles_filter()
+        endpoint, query_params = RoleGet.prepare_request(
+            limit=100,
+            post_filter=filter_str,
+        )
+        raw_json = self._client._call_api(endpoint, query_params)
+        response = RoleGet.process_response(raw_json)
+        return response.records or []
+
+    @validate_arguments
+    def create(
+        self,
+        name: str,
+        role: str,
+        description: Optional[str] = None,
+        persona_qns: Optional[List[str]] = None,
+    ) -> OAuthClientCreateResponse:
+        """
+        Create a new OAuth client with the provided settings.
+
+        :param name: human-readable name for the OAuth client (displayed in UI)
+        :param role: role description to assign to the OAuth client (e.g., 'Admin', 'Member').
+        :param description: optional explanation of the OAuth client
+        :param persona_qns: qualified names of personas to associate with the OAuth client
+        :returns: the created OAuthClientCreateResponse (includes client_id and client_secret)
+        :raises AtlanError: on any API communication issue
+        :raises ValueError: if the specified role description is not found
+        """
+        # Fetch available roles and resolve the user-provided role name
+        available_roles = self._fetch_available_roles()
+        resolved_role = OAuthClientCreate.resolve_role_name(role, available_roles)
+
+        # Prepare and execute the request
+        endpoint, request_obj = OAuthClientCreate.prepare_request(
+            display_name=name,
+            role=resolved_role,
+            description=description,
+            persona_qns=persona_qns,
+        )
+        raw_json = self._client._call_api(endpoint, request_obj=request_obj)
+        return OAuthClientCreate.process_response(raw_json)
diff --git a/pyatlan/model/oauth_clients.py b/pyatlan/model/oauth_clients.py
@@ -6,6 +6,67 @@
 
 from pyatlan.model.core import AtlanObject
 
+class OAuthClientRequest(AtlanObject):
+    """Request object for creating an OAuth client."""
+
+    display_name: str = Field(
+        description="Human-readable name for the OAuth client.",
+    )
+    description: Optional[str] = Field(
+        default=None,
+        description="Explanation of the OAuth client.",
+    )
+    role: str = Field(
+        description="Role assigned to the OAuth client (e.g., '$admin', '$member').",
+    )
+    persona_qns: Optional[List[str]] = Field(
+        default=None,
+        description="Qualified names of personas to associate with the OAuth client.",
+    )
+
+
+class OAuthClientCreateResponse(AtlanObject):
+    """Response object returned when creating an OAuth client (includes client secret)."""
+
+    id: Optional[str] = Field(
+        default=None,
+        description="Unique identifier (GUID) of the OAuth client.",
+    )
+    client_id: Optional[str] = Field(
+        default=None,
+        description="Unique client identifier of the OAuth client.",
+        alias="clientId",
+    )
+    client_secret: Optional[str] = Field(
+        default=None,
+        description="Client secret for the OAuth client (only returned on creation).",
+        alias="clientSecret",
+    )
+    display_name: Optional[str] = Field(
+        default=None,
+        description="Human-readable name provided when creating the OAuth client.",
+        alias="displayName",
+    )
+    description: Optional[str] = Field(
+        default=None,
+        description="Explanation of the OAuth client.",
+    )
+    token_expiry_seconds: Optional[int] = Field(
+        default=None,
+        description="Time in seconds after which the token will expire.",
+        alias="tokenExpirySeconds",
+    )
+    created_at: Optional[str] = Field(
+        default=None,
+        description="Epoch time, in milliseconds, at which the OAuth client was created.",
+        alias="createdAt",
+    )
+    created_by: Optional[str] = Field(
+        default=None,
+        description="User who created the OAuth client.",
+        alias="createdBy",
+    )
+
 
 class OAuthClient(AtlanObject):
     """Represents an OAuth client credential in Atlan."""
