diff --git a/authentik/providers/scim/clients/groups.py b/authentik/providers/scim/clients/groups.py index 38cce8d204d3..ed94e294db6b 100644 --- a/authentik/providers/scim/clients/groups.py +++ b/authentik/providers/scim/clients/groups.py @@ -27,6 +27,7 @@ ) from authentik.providers.scim.clients.schema import Group as SCIMGroupSchema from authentik.providers.scim.models import ( + SCIMCompatibilityMode, SCIMMapping, SCIMProvider, SCIMProviderGroup, @@ -127,6 +128,34 @@ def update(self, group: Group, connection: SCIMProviderGroup): def _update_patch( self, group: Group, scim_group: SCIMGroupSchema, connection: SCIMProviderGroup + ): + """Apply provider-specific PATCH requests""" + match connection.provider.compatibility_mode: + case SCIMCompatibilityMode.AWS: + self._update_patch_aws(group, scim_group, connection) + case _: + self._update_patch_general(group, scim_group, connection) + return self.patch_compare_users(group) + + def _update_patch_aws( + self, group: Group, scim_group: SCIMGroupSchema, connection: SCIMProviderGroup + ): + """Run PATCH requests for supported attributes""" + group_dict = scim_group.model_dump(mode="json", exclude_unset=True) + self._patch_chunked( + connection.scim_id, + *[ + PatchOperation( + op=PatchOp.replace, + path=attr, + value=group_dict[attr], + ) + for attr in ("displayName", "externalId") + ], + ) + + def _update_patch_general( + self, group: Group, scim_group: SCIMGroupSchema, connection: SCIMProviderGroup ): """Update a group via PATCH request""" # Patch group's attributes instead of replacing it and re-adding users if we can @@ -147,7 +176,6 @@ def _update_patch( exclude_none=True, ), ) - return self.patch_compare_users(group) def _update_put(self, group: Group, scim_group: SCIMGroupSchema, connection: SCIMProviderGroup): """Update a group via PUT request"""