feat: implement additional tests on the core resources

Author: azmeuk

scim2_tester/checker.py

@@ -4,9 +4,9 @@
 
 from scim2_tester.checkers import random_url
 from scim2_tester.checkers import resource_type_tests
-from scim2_tester.checkers import resource_types_endpoint
-from scim2_tester.checkers import schemas_endpoint
 from scim2_tester.checkers import service_provider_config_endpoint
+from scim2_tester.checkers.resource_types import _resource_types_endpoint
+from scim2_tester.checkers.schemas import _schemas_endpoint
 from scim2_tester.utils import CheckConfig
 from scim2_tester.utils import CheckContext
 from scim2_tester.utils import CheckResult
@@ -80,7 +80,7 @@ def check_server(
     if result_spc.status != Status.SKIPPED and not client.service_provider_config:
         client.service_provider_config = result_spc.data
 
-    results_resource_types = resource_types_endpoint(context)
+    results_resource_types = _resource_types_endpoint(context)
     results.extend(results_resource_types)
     if not client.resource_types:
         # Find first non-skipped result with data
@@ -89,7 +89,7 @@ def check_server(
                 client.resource_types = rt_result.data
                 break
 
-    results_schemas = schemas_endpoint(context)
+    results_schemas = _schemas_endpoint(context)
     results.extend(results_schemas)
     if not client.resource_models:
         # Find first non-skipped result with data

scim2_tester/checkers/__init__.py

@@ -20,24 +20,30 @@
 from .resource_types import access_invalid_resource_type
 from .resource_types import query_all_resource_types
 from .resource_types import query_resource_type_by_id
-from .resource_types import resource_types_endpoint
+from .resource_types import resource_types_endpoint_methods
+from .resource_types import resource_types_schema_validation
 from .schemas import access_invalid_schema
+from .schemas import access_schema_by_id
+from .schemas import core_schemas_validation
 from .schemas import query_all_schemas
-from .schemas import query_schema_by_id
-from .schemas import schemas_endpoint
+from .schemas import schemas_endpoint_methods
 from .service_provider_config import service_provider_config_endpoint
+from .service_provider_config import service_provider_config_endpoint_methods
 
 __all__ = [
     # Discovery checkers
     "service_provider_config_endpoint",
-    "resource_types_endpoint",
+    "service_provider_config_endpoint_methods",
+    "resource_types_endpoint_methods",
+    "resource_types_schema_validation",
     "query_all_resource_types",
     "query_resource_type_by_id",
     "access_invalid_resource_type",
-    "schemas_endpoint",
+    "schemas_endpoint_methods",
     "query_all_schemas",
-    "query_schema_by_id",
+    "access_schema_by_id",
     "access_invalid_schema",
+    "core_schemas_validation",
     # CRUD checkers
     "object_creation",
     "object_query",

scim2_tester/checkers/_discovery_utils.py

@@ -0,0 +1,62 @@
+"""Utility functions for discovery endpoint testing."""
+
+from scim2_client import SCIMClientError
+
+from ..utils import CheckContext
+from ..utils import CheckResult
+from ..utils import Status
+
+
+def _test_discovery_endpoint_methods(
+    context: CheckContext, endpoint: str
+) -> list[CheckResult]:
+    """Test that unsupported HTTP methods return 405 Method Not Allowed.
+
+    Tests that POST, PUT, PATCH, and DELETE methods on the specified discovery
+    endpoint correctly return HTTP 405 Method Not Allowed status, as only GET is supported.
+
+    **Status:**
+
+    - :attr:`~scim2_tester.Status.SUCCESS`: All unsupported methods return 405 status
+    - :attr:`~scim2_tester.Status.ERROR`: One or more methods return unexpected status
+
+    .. pull-quote:: :rfc:`RFC 7644 Section 4 - Discovery <7644#section-4>`
+
+       Discovery endpoints only support GET method. Other HTTP methods
+       should return appropriate error responses.
+    """
+    results = []
+    methods = ["POST", "PUT", "PATCH", "DELETE"]
+
+    for method in methods:
+        try:
+            # Use underlying httpx client to test different HTTP methods
+            response = context.client.client.request(
+                method=method,
+                url=endpoint,
+            )
+            if response.status_code == 405:
+                results.append(
+                    CheckResult(
+                        status=Status.SUCCESS,
+                        reason=f"{method} {endpoint} correctly returned 405 Method Not Allowed",
+                        data=response,
+                    )
+                )
+            else:
+                results.append(
+                    CheckResult(
+                        status=Status.ERROR,
+                        reason=f"{method} {endpoint} returned {response.status_code} instead of 405",
+                        data=response,
+                    )
+                )
+        except SCIMClientError as e:
+            results.append(
+                CheckResult(
+                    status=Status.ERROR,
+                    reason=f"{method} {endpoint} failed: {str(e)}",
+                )
+            )
+
+    return results

scim2_tester/checkers/resource_types.py

@@ -1,15 +1,18 @@
 import uuid
 
+from scim2_client import SCIMClientError
 from scim2_models import Error
 from scim2_models import ResourceType
+from scim2_models import Schema
 
 from ..utils import CheckContext
 from ..utils import CheckResult
 from ..utils import Status
 from ..utils import checker
+from ._discovery_utils import _test_discovery_endpoint_methods
 
 
-def resource_types_endpoint(context: CheckContext) -> list[CheckResult]:
+def _resource_types_endpoint(context: CheckContext) -> list[CheckResult]:
     """Orchestrate validation of the ResourceTypes discovery endpoint.
 
     Runs comprehensive tests on the ``/ResourceTypes`` endpoint including listing
@@ -28,12 +31,6 @@ def resource_types_endpoint(context: CheckContext) -> list[CheckResult]:
 
        "Service providers MUST provide this endpoint."
 
-    .. todo::
-
-        - Check POST/PUT/PATCH/DELETE on the endpoint
-        - Check that query parameters are ignored
-        - Check that a 403 response is returned if a filter is passed
-        - Check that the `schema` attribute exists and is available.
     """
     resource_types_result = query_all_resource_types(context)
     results = [resource_types_result]
@@ -42,11 +39,89 @@ def resource_types_endpoint(context: CheckContext) -> list[CheckResult]:
         for resource_type in resource_types_result.data:
             results.append(query_resource_type_by_id(context, resource_type))
 
+        # Validate that all ResourceType schemas are accessible
+        results.extend(resource_types_schema_validation(context))
+
     results.append(access_invalid_resource_type(context))
 
     return results
 
 
+@checker("discovery", "resource-types")
+def resource_types_endpoint_methods(
+    context: CheckContext,
+) -> list[CheckResult]:
+    """Validate that unsupported HTTP methods return 405 Method Not Allowed.
+
+    Tests that POST, PUT, PATCH, and DELETE methods on the ``/ResourceTypes``
+    endpoint correctly return HTTP 405 Method Not Allowed status, as only GET is supported.
+
+    **Status:**
+
+    - :attr:`~scim2_tester.Status.SUCCESS`: All unsupported methods return 405 status
+    - :attr:`~scim2_tester.Status.ERROR`: One or more methods return unexpected status
+
+    .. pull-quote:: :rfc:`RFC 7644 Section 4 - Discovery <7644#section-4>`
+
+       "An HTTP GET to this endpoint is used to discover the types of resources
+       available on a SCIM service provider."
+
+       Only GET method is specified, other methods should return appropriate errors.
+    """
+    return _test_discovery_endpoint_methods(context, "/ResourceTypes")
+
+
+@checker("discovery", "resource-types")
+def resource_types_schema_validation(
+    context: CheckContext,
+) -> list[CheckResult]:
+    """Validate that ResourceType schemas exist and are accessible.
+
+    Tests that all :class:`~scim2_models.ResourceType` objects returned by the
+    ``/ResourceTypes`` endpoint reference valid schemas that can be retrieved
+    from the ``/Schemas`` endpoint.
+
+    **Status:**
+
+    - :attr:`~scim2_tester.Status.SUCCESS`: All ResourceType schemas are accessible
+    - :attr:`~scim2_tester.Status.ERROR`: One or more ResourceType schemas are missing or inaccessible
+
+    .. pull-quote:: :rfc:`RFC 7644 Section 4 - Discovery <7644#section-4>`
+
+       "Each resource type defines the endpoint, the core schema URI that defines
+       the resource, and any supported schema extensions."
+    """
+    response = context.client.query(
+        ResourceType, expected_status_codes=context.conf.expected_status_codes or [200]
+    )
+
+    results = []
+    for resource_type in response.resources:
+        schema_id = resource_type.schema_
+        try:
+            schema_response = context.client.query(
+                Schema,
+                schema_id,
+                expected_status_codes=context.conf.expected_status_codes or [200],
+            )
+            results.append(
+                CheckResult(
+                    status=Status.SUCCESS,
+                    reason=f"ResourceType '{resource_type.name}' schema '{schema_id}' is accessible",
+                    data=schema_response,
+                )
+            )
+        except SCIMClientError as e:
+            results.append(
+                CheckResult(
+                    status=Status.ERROR,
+                    reason=f"ResourceType '{resource_type.name}' schema '{schema_id}' is not accessible: {str(e)}",
+                )
+            )
+
+    return results
+
+
 @checker("discovery", "resource-types")
 def query_all_resource_types(context: CheckContext) -> CheckResult:
     """Validate retrieval of all available resource types.