feat: implement PATCH checks

Author: azmeuk

doc/changelog.rst

@@ -1,6 +1,13 @@
 Changelog
 =========
 
+[0.1.15] - Unreleased
+---------------------
+
+Added
+^^^^^
+- Implement PATCH checks.
+
 [0.1.14] - 2025-03-28
 ---------------------
 

scim2_tester/resource.py

@@ -1,12 +1,20 @@
+from typing import Any
+
 from scim2_models import Mutability
+from scim2_models import PatchOp
+from scim2_models import PatchOperation
 from scim2_models import Resource
 from scim2_models import ResourceType
+from scim2_models import Returned
+from scim2_models import SearchRequest
 
 from scim2_tester.filling import fill_with_random_values
 from scim2_tester.utils import CheckConfig
 from scim2_tester.utils import CheckResult
 from scim2_tester.utils import Status
 from scim2_tester.utils import checker
+from scim2_tester.utils import should_test_filters
+from scim2_tester.utils import should_test_patch
 
 
 def model_from_resource_type(
@@ -125,6 +133,328 @@ def check_object_deletion(conf: CheckConfig, obj: type[Resource]) -> CheckResult
     )
 
 
+@checker
+def check_object_modification(conf: CheckConfig, obj: Resource) -> CheckResult:
+    """Test basic PATCH operations (add, remove, replace) on SCIM resources.
+
+    As described in RFC7644 §3.5.2 <https://datatracker.ietf.org/doc/html/rfc7644#section-3.5.2>`,
+    PATCH operations allow clients to modify existing resources by adding, removing,
+    or replacing values.
+
+    This test verifies:
+    - Successful PATCH operations return 200 or 204 as per RFC7644 §3.5.2
+    - Replace operation works on existing attributes
+
+    :param conf: The check configuration containing the SCIM client
+    :param obj: The resource object to test PATCH operations on
+    :returns: The result of the check operation
+    """
+    if not should_test_patch(conf):
+        return CheckResult(
+            conf,
+            status=Status.SUCCESS,
+            reason="PATCH operations not supported by server (patch.supported=false)",
+        )
+
+    # Find writable fields for testing
+    writable_fields = [
+        field_name
+        for field_name in type(obj).model_fields.keys()
+        if obj.get_field_annotation(field_name, Mutability) == Mutability.read_write
+        and obj.get_field_annotation(field_name, Returned) != Returned.never
+    ]
+
+    if not writable_fields:
+        return CheckResult(
+            conf,
+            status=Status.SUCCESS,
+            reason="No writable fields available for PATCH testing",
+        )
+
+    # Simple replace operation on first writable field
+    # Use a more appropriate test value based on the field name
+    field_to_test = writable_fields[0]
+    test_value: Any
+    if field_to_test == "displayName":
+        test_value = "PATCH Test User"
+    elif field_to_test == "userName":
+        test_value = "patch_test_user"
+    elif field_to_test == "active":
+        test_value = True
+    else:
+        test_value = "PATCH_TEST_VALUE"
+
+    patch_ops = PatchOp[type(obj)](
+        operations=[PatchOperation(op="replace", path=field_to_test, value=test_value)]
+    )
+
+    try:
+        response = conf.client.modify(
+            type(obj),
+            obj.id,
+            patch_ops,
+            expected_status_codes=conf.expected_status_codes or [200, 204, 400],
+            raise_scim_errors=False,
+        )
+
+        if hasattr(response, "status") and response.status == "400":
+            return CheckResult(
+                conf,
+                status=Status.ERROR,
+                reason=f"PATCH operation returned error: {response.detail}",
+                data=response,
+            )
+
+        return CheckResult(
+            conf,
+            status=Status.SUCCESS,
+            reason=f"Successful PATCH operation on {type(obj).__name__} with id {obj.id}",
+            data=response,
+        )
+    except Exception as e:
+        return CheckResult(
+            conf,
+            status=Status.ERROR,
+            reason=f"PATCH operation failed: {e}",
+            data=e,
+        )
+
+
+@checker
+def check_patch_mutability_errors(conf: CheckConfig, obj: Resource) -> CheckResult:
+    """Test PATCH operations respect attribute mutability constraints.
+
+    According to RFC7643 §2.2 <https://datatracker.ietf.org/doc/html/rfc7643#section-2.2>`,
+    attributes have mutability characteristics (readOnly, readWrite, immutable, writeOnly).
+    RFC7644 §3.5.2 states that PATCH operations must respect these constraints.
+
+    This test verifies that:
+    - Modifying readOnly attributes returns 400 with scimType='mutability' per RFC7644 §3.12
+
+    :param conf: The check configuration containing the SCIM client
+    :param obj: The resource object to test mutability constraints on
+    :returns: The result of the check operation
+    """
+    if not should_test_patch(conf):
+        return CheckResult(
+            conf,
+            status=Status.SUCCESS,
+            reason="PATCH mutability tests skipped (patch.supported=false)",
+        )
+
+    # Test modifying readOnly attribute (like 'id')
+    readonly_fields = [
+        field_name
+        for field_name in type(obj).model_fields.keys()
+        if obj.get_field_annotation(field_name, Mutability) == Mutability.read_only
+    ]
+
+    if not readonly_fields:
+        return CheckResult(
+            conf,
+            status=Status.SUCCESS,
+            reason="No readOnly fields available for mutability testing",
+        )
+
+    readonly_field = readonly_fields[0]  # Usually 'id'
+    # Create patch operations without client-side validation to test server behavior
+    patch_ops = {
+        "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
+        "Operations": [
+            {"op": "replace", "path": readonly_field, "value": "SHOULD_FAIL"}
+        ],
+    }
+
+    try:
+        response = conf.client.modify(
+            type(obj),
+            obj.id,
+            patch_ops,
+            expected_status_codes=[400],
+            raise_scim_errors=False,
+        )
+
+        if hasattr(response, "status") and response.status == "400":
+            return CheckResult(
+                conf,
+                status=Status.SUCCESS,
+                reason=f"Correctly rejected modification of readOnly attribute '{readonly_field}'",
+                data=response,
+            )
+        elif hasattr(response, "scim_type") and response.scim_type == "mutability":
+            return CheckResult(
+                conf,
+                status=Status.SUCCESS,
+                reason=f"Correctly rejected modification of readOnly attribute '{readonly_field}' with mutability error",
+                data=response,
+            )
+        elif hasattr(response, "scim_type") and response.scim_type == "invalidValue":
+            return CheckResult(
+                conf,
+                status=Status.SUCCESS,
+                reason=f"Correctly rejected modification of readOnly attribute '{readonly_field}' with invalidValue error",
+                data=response,
+            )
+        elif response.__class__.__name__ == "Error":
+            return CheckResult(
+                conf,
+                status=Status.SUCCESS,
+                reason=f"Correctly rejected modification of readOnly attribute '{readonly_field}' (Error response)",
+                data=response,
+            )
+        else:
+            return CheckResult(
+                conf,
+                status=Status.ERROR,
+                reason=f"Expected 400 error for readOnly attribute '{readonly_field}', got: {type(response).__name__}",
+                data=response,
+            )
+    except Exception as e:
+        # ValidationError from Pydantic is also a valid rejection of the mutability violation
+        if "mutability" in str(e).lower() or "modification is not compatible" in str(e):
+            return CheckResult(
+                conf,
+                status=Status.SUCCESS,
+                reason=f"Correctly rejected modification of readOnly attribute '{readonly_field}' (client-side validation)",
+                data=e,
+            )
+        else:
+            return CheckResult(
+                conf,
+                status=Status.ERROR,
+                reason=f"Expected rejection of readOnly attribute '{readonly_field}', got unexpected error: {e}",
+                data=e,
+            )
+
+
+@checker
+def check_patch_syntax_errors(conf: CheckConfig, obj: Resource) -> CheckResult:
+    """Test PATCH operations with invalid syntax return proper errors.
+
+    As specified in RFC7644 §3.5.2 <https://datatracker.ietf.org/doc/html/rfc7644#section-3.5.2>`,
+    PATCH operations must include proper syntax and required attributes.
+    RFC7644 §3.12 defines specific error codes for various PATCH failures.
+
+    This test verifies:
+    - Missing path for remove operation returns 400 with scimType='noTarget' per RFC7644 §3.12
+
+    :param conf: The check configuration containing the SCIM client
+    :param obj: The resource object to test syntax errors on
+    :returns: The result of the check operation
+    """
+    if not should_test_patch(conf):
+        return CheckResult(
+            conf,
+            status=Status.SUCCESS,
+            reason="PATCH syntax tests skipped (patch.supported=false)",
+        )
+
+    # Test: Remove operation without path - use raw dict to bypass client validation
+    patch_ops = {
+        "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
+        "Operations": [
+            {"op": "remove"}  # Missing path
+        ],
+    }
+
+    try:
+        response = conf.client.modify(
+            type(obj),
+            obj.id,
+            patch_ops,
+            expected_status_codes=[400],
+            raise_scim_errors=False,
+        )
+
+        if hasattr(response, "status") and response.status == "400":
+            return CheckResult(
+                conf,
+                status=Status.SUCCESS,
+                reason="Correctly rejected remove operation without path",
+                data=response,
+            )
+        elif hasattr(response, "scim_type") and response.scim_type == "noTarget":
+            return CheckResult(
+                conf,
+                status=Status.SUCCESS,
+                reason="Correctly rejected remove operation without path (noTarget error)",
+                data=response,
+            )
+        elif response.__class__.__name__ == "Error":
+            return CheckResult(
+                conf,
+                status=Status.SUCCESS,
+                reason="Correctly rejected remove operation without path (Error response)",
+                data=response,
+            )
+        else:
+            return CheckResult(
+                conf,
+                status=Status.ERROR,
+                reason=f"Expected 400 error for remove without path, got: {type(response).__name__}",
+                data=response,
+            )
+    except Exception as e:
+        return CheckResult(
+            conf,
+            status=Status.ERROR,
+            reason=f"Expected rejection of remove without path, got: {e}",
+            data=e,
+        )
+
+
+@checker
+def check_filter_operations(conf: CheckConfig, obj: Resource) -> CheckResult:
+    """Test filter operations if supported by the server.
+
+    As described in RFC7644 §3.4.2 <https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2>`,
+    filtering allows clients to request a subset of resources by specifying filter criteria.
+    Filters use the syntax defined in RFC7644 §3.4.2.2.
+
+    This test verifies:
+    - Basic equality filters work as per RFC7644 §3.4.2.2
+
+    :param conf: The check configuration containing the SCIM client
+    :param obj: The resource object to test filter operations on
+    :returns: The result of the check operation
+    """
+    if not should_test_filters(conf):
+        return CheckResult(
+            conf,
+            status=Status.SUCCESS,
+            reason="Filter operations not supported by server (filter.supported=false)",
+        )
+
+    # Test simple equality filter using query with SearchRequest
+    try:
+        search_request = SearchRequest(filter=f'id eq "{obj.id}"')
+        response = conf.client.query(
+            type(obj), search_request=search_request, expected_status_codes=[200]
+        )
+
+        if len(response.resources) != 1:
+            return CheckResult(
+                conf,
+                status=Status.ERROR,
+                reason=f"Equality filter returned {len(response.resources)} results, expected 1",
+                data=response,
+            )
+    except Exception as e:
+        return CheckResult(
+            conf,
+            status=Status.ERROR,
+            reason=f"Filter operation failed: {e}",
+            data=e,
+        )
+
+    return CheckResult(
+        conf,
+        status=Status.SUCCESS,
+        reason="Filter operations working correctly",
+        data=response,
+    )
+
+
 def check_resource_type(
     conf: CheckConfig,
     resource_type: ResourceType,
@@ -161,6 +491,11 @@ def check_resource_type(
         result = check_object_query_without_id(conf, created_obj)
         results.append(result)
 
+        # Test filter operations if supported (RFC7644 §3.4.2)
+        if should_test_filters(conf):
+            result = check_filter_operations(conf, created_obj)
+            results.append(result)
+
         field_names = [
             field_name
             for field_name in model.model_fields.keys()
@@ -172,6 +507,17 @@ def check_resource_type(
         result = check_object_replacement(conf, created_obj)
         results.append(result)
 
+        # Test PATCH operations if supported (RFC7644 §3.5.2)
+        if should_test_patch(conf):
+            result = check_object_modification(conf, created_obj)
+            results.append(result)
+
+            result = check_patch_mutability_errors(conf, created_obj)
+            results.append(result)
+
+            result = check_patch_syntax_errors(conf, created_obj)
+            results.append(result)
+
         result = check_object_deletion(conf, created_obj)
         results.append(result)