fix: forbid PatchOp with zero or missing operations

azmeuk · azmeuk · commit 1103415c91bb · 2025-08-18T22:05:21.000+02:00
diff --git a/doc/changelog.rst b/doc/changelog.rst
@@ -9,6 +9,7 @@ Fixed
 - Attributes with ``None`` type are excluded from Schema generation.
 - Allow PATCH operations on resources and extensions root path.
 - Multiple ComplexAttribute do not inherit from MultiValuedComplexAttribute by default. :issue:`72` :issue:`73`
+- Forbid :class:`~scim2_models.PatchOp` with zero ``operations``.
 
 [0.4.2] - 2025-08-05
 --------------------
diff --git a/scim2_models/messages/patch_op.py b/scim2_models/messages/patch_op.py
@@ -218,12 +218,17 @@ def __class_getitem__(
     "Operations", whose value is an array of one or more PATCH operations."""
 
     @model_validator(mode="after")
-    def validate_operations(self) -> Self:
+    def validate_operations(self, info: ValidationInfo) -> Self:
         """Validate operations against resource type metadata if available.
 
         When PatchOp is used with a specific resource type (e.g., PatchOp[User]),
         this validator will automatically check mutability and required constraints.
         """
+        # RFC 7644: The body of an HTTP PATCH request MUST contain the attribute "Operations"
+        scim_ctx = info.context.get("scim") if info.context else None
+        if scim_ctx == Context.RESOURCE_PATCH_REQUEST and self.operations is None:
+            raise ValueError(Error.make_invalid_value_error().detail)
+
         resource_class = _get_resource_class(self)
         if resource_class is None or not self.operations:
             return self
diff --git a/tests/test_patch_op_validation.py b/tests/test_patch_op_validation.py
@@ -497,3 +497,29 @@ def test_remove_specific_value_invalid_field():
     # This should raise ValueError for invalid field name
     with pytest.raises(ValueError, match="no match|did not yield"):
         patch.patch(user)
+
+
+def test_patch_op_operations_attribute_required_in_patch_context():
+    """Test that Operations attribute is required in PATCH request context per RFC 7644."""
+    # Operations attribute must be present in PATCH request context
+    with pytest.raises(ValidationError, match="required value was missing"):
+        PatchOp[User].model_validate(
+            {"schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"]},
+            context={"scim": Context.RESOURCE_PATCH_REQUEST},
+        )
+
+    # Operations can be None when not in PATCH request context
+    patch_op = PatchOp[User].model_validate(
+        {"schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"]}
+    )
+    assert patch_op.operations is None
+
+    # Operations with at least one operation is valid in PATCH request context
+    patch_op = PatchOp[User].model_validate(
+        {
+            "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
+            "operations": [{"op": "add", "path": "userName", "value": "test"}],
+        },
+        context={"scim": Context.RESOURCE_PATCH_REQUEST},
+    )
+    assert len(patch_op.operations) == 1
